Internet Engineering Task Force                              Tim Jenkins
IP Security Working Group                           TimeStep Corporation
Internet Draft                                          January 25, 1999

                          IPSec Monitoring MIB

Status of this Memo

   This document is a submission to the IETF Internet Protocol Security
   (IPSEC) Working Group. Comments are solicited and should be addressed
   to the working group mailing list (ipsec@tis.com) or to the editor.

   This document is an Internet-Draft. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or made obsolete by other documents at
   any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   To view the entire list of current Internet-Drafts, please check the
   "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
   Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern
   Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific
   Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).

   Distribution of this memo is unlimited.

Copyright Notice

   This document is a product of the IETF's IPSec Working Group.
   Copyright (C) The Internet Society (1998). All Rights Reserved.

IPSec Working Group                                             [Page 1]

Internet Draft             IPSec Monitoring MIB             January 1999

Table of Contents

   1. Introduction
   2. The SNMPv2 Network Management Framework
   2.1 Object Definitions
   3. IPSec MIB Objects Architecture
   3.1 MIB Tables
   3.2 Phase 1 Security Association Table
   3.3 Phase 2 Protection Suite Table
   3.3.1 Asymmetric Use
   3.3.2 Security Association Bundles
   3.4 Notify Messages
   3.5 IPSec MIB Traps
   3.6 IPSec Entity Level Objects
   4. MIB Definitions
   5. Security Considerations
   6. Acknowledgments
   7. Revision History
   8. References
   9. Appendix A - Some Related Assigned Numbers

1. Introduction

   This document defines low level monitoring and status MIBs for IPSec.
   It does not define MIBs that may be used for configuring IPSec
   implementations or for providing low-level diagnostic or debugging
   information. It assumes no specific use of IPSec. Further, it does
   not provide policy information.

   The purpose of the MIBs is to allow system administrators to
   determine operating conditions and perform system operational level
   monitoring of the IPSec portion of their network. Statistics are
   provided as well.

   Additionally, it may be used as the basis for application specific
   MIBs for specific uses of IPSec.

2. The SNMPv2 Network Management Framework

   The SNMP Management Framework presently consists of five major
   components:

   o  An overall architecture, described in RFC 2271 [2271].

   o  Mechanisms for describing and naming objects and events for the
      purpose of management. The first version of this Structure of
      Management Information (SMI) is called SMIv1 and described in
      RFC 1155 [1155], RFC 1212 [1212] and RFC 1215 [1215]. The second
      version, called SMIv2, is described in RFC 1902 [1902], RFC 1903
      [1903] and RFC 1904 [1904].

   o  Message protocols for transferring management information. The
      first version of the SNMP message protocol is called SNMPv1 and
      described in RFC 1157 [1157]. A second version of the SNMP
      message protocol, which is not an Internet standards track
      protocol, is called SNMPv2c and described in RFC 1901 [1901] and
      RFC 1906 [1906]. The third version of the message protocol is
      called SNMPv3 and described in RFC 1906 [1906], RFC 2272 [2272]
      and RFC 2274 [2274].

   o  Protocol operations for accessing management information. The
      first set of protocol operations and associated PDU formats is
      described in RFC 1157 [1157]. A second set of protocol operations
      and associated PDU formats is described in RFC 1905 [1905].

   o  A set of fundamental applications described in RFC 2273 [2273]
      and the view-based access control mechanism described in RFC 2275
      [2275].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB. Objects in the MIB are
   defined using the mechanisms defined in the SMI.

   This memo specifies a MIB module that is compliant to the SMIv2. A
   MIB conforming to the SMIv1 can be produced through the appropriate
   translations. The resulting translated MIB must be semantically
   equivalent, except where objects or events are omitted because no
   translation is possible (use of Counter64). Some machine readable
   information in SMIv2 will be converted into textual descriptions in
   SMIv1 during the translation process. However, this loss of machine
   readable information is not considered to change the semantics of
   the MIB.
2.1 Object Definitions

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB. Objects in the MIB are
   defined using the subset of Abstract Syntax Notation One (ASN.1)
   defined in the SMI. In particular, each object type is named by an
   OBJECT IDENTIFIER, an administratively assigned name. The object
   type together with an object instance serves to uniquely identify a
   specific instantiation of the object. For human convenience, we
   often use a textual string, termed the descriptor, to refer to the
   object type.

3. IPSec MIB Objects Architecture

   The IPSec MIB provides information related to both phase 1 (or
   Internet Key Exchange (IKE)) security associations (SAs) and phase 2
   (or IPSec) SAs. Configuration information about the SAs is provided,
   as are statistics related to the SAs themselves. Additionally, the
   MIB provides a number of entity level aggregate totals for the SAs.

   There are also traps defined. These may be used by system
   administrators to help detect mis-configurations or possible attacks.

3.1 MIB Tables

   The MIB uses two tables to show phase 1 SAs and phase 2 SAs. The
   IPSec SAs appear in the IPSec protection suite table. IPSec
   protection suites are as defined by [ISAKMP]. An SA is effectively a
   protection suite that provides only a single security service.

3.2 Phase 1 Security Association Table

   Phase 1 SAs presented in the table contain information about the
   services they provide, their lifetime, end point authentication and
   some aggregate performance statistics.

3.3 Phase 2 Protection Suite Table

   As stated above, phase 2 SAs appear in the protection suite table.
   Since both protection suites and SAs are negotiated within IKE using
   a single proposal payload during a single quick mode, SAs are
   considered a subset of protection suites. [ISAKMP] also requires
   that attributes negotiated within a protection suite apply to all
   SAs.
   Therefore, the protection suite table provides expiration values,
   selectors and statistics only once for all SAs in a protection
   suite.

   Further, it is assumed that protection suites have only a single
   occurrence of any one of the three defined security services. (IP
   compression is considered a security service for the purposes of
   this MIB.) The order of these services within the protection suite
   is assumed to be compression before ESP before AH (in the
   encrypting/hashing direction), as also stated in [ISAKMP] and
   [SECARCH].

   Entries in the protection suite table are uniquely identified by the
   SPI, remote IP address and security protocol. The table shows the
   security services, expiration values and SA statistics. Note that
   both statically keyed SAs and SAs created by a key exchange protocol
   may be shown in the table.

3.3.1 Asymmetric Use

   This MIB is defined assuming symmetric use of SAs and protection
   suites. That is to say that it assumes that an inbound SA is always
   set up with a corresponding outbound SA that provides the same
   security service.

   In cases where this MIB is required for asymmetric use, the
   corresponding objects that describe the unused direction may be set
   to the equivalent of the unknown or zero state.

3.3.2 Security Association Bundles

   This MIB does not explicitly show SA bundles or any combination of
   layered SAs that do not meet the protection suite definition as
   defined in [ISAKMP]. However, these may be represented in this MIB
   by separate protection suites with the appropriate set of selectors.

3.4 Notify Messages

   Notify messages sent from peer to peer are not necessarily sent as
   traps. However, they are collected as they occur and accumulated in
   a parse table structure.

   A notify message object is defined. This object is used as the index
   into the table of accumulated notify messages.
   This helps system administrators determine if there are potential
   configuration problems or attacks on their network.

3.5 IPSec MIB Traps

   Traps are provided to let system administrators know about the
   existence of error conditions occurring in the entity. Errors are
   associated with the creation and deletion of SAs, and also
   operational errors that may indicate the presence of attacks on the
   system.

   Traps are not provided when SAs come up or go down, unless they
   cannot be negotiated or go down due to error conditions. The causes
   of SA negotiation failure are indicated by a notify message object.

3.6 IPSec Entity Level Objects

   This part of the MIB carries statistics global to the IPSec device.
   Statistics included are aggregate usage and aggregate errors for
   both phase 1 SAs and phase 2 protection suites. The statistics are
   provided as objects in a tree below these groups.

4. MIB Definitions

IPSEC-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, Counter32, Counter64,
    Integer32, Unsigned32, experimental, NOTIFICATION-TYPE
        FROM SNMPv2-SMI
    DateAndTime, TruthValue
        FROM SNMPv2-TC;

ipsecMIB MODULE-IDENTITY
    LAST-UPDATED "9901251200Z"
    ORGANIZATION "IETF IPSec Working Group"
    CONTACT-INFO
        "       Tim Jenkins
                TimeStep Corporation
                362 Terry Fox Drive
                Kanata, ON  K0A 2H0
                Canada
                613-599-3610
                tjenkins@timestep.com"
    DESCRIPTION
        "The MIB module to describe generic IPSec objects, and
        entity level IPSec objects and events."
    REVISION     "9901251200Z"
    DESCRIPTION
        "Initial revision."
    -- ::= { mib-2 ?? }
    ::= { experimental 500 }

ipsecMIBObjects OBJECT IDENTIFIER ::= { ipsecMIB 1 }

ipsec           OBJECT IDENTIFIER ::= { ipsecMIBObjects 1 }

-- the IPSec Protection Suites MIB-Group
--
-- a collection of objects providing information about
-- IPSec protection suites

ipsecProtSuiteTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpsecProtSuiteEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The (conceptual) table containing information on IPSec
        protection suites."
    ::= { ipsec 1 }

ipsecProtSuiteEntry OBJECT-TYPE
    SYNTAX      IpsecProtSuiteEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry (conceptual row) containing the information on a
        particular IPSec protection suite."
    INDEX { ipsecProtSuiteIndex }
    ::= { ipsecProtSuiteTable 1 }

IpsecProtSuiteEntry ::= SEQUENCE {
    ipsecProtSuiteIndex                 Integer32,

    -- identification
    ipsecProtSuiteLocalAddress          OCTET STRING,
    ipsecProtSuiteRemoteAddress         OCTET STRING,
    ipsecProtSuiteInboundEspSpi         Unsigned32,
    ipsecProtSuiteOutboundEspSpi        Unsigned32,
    ipsecProtSuiteInboundAhSpi          Unsigned32,
    ipsecProtSuiteOutboundAhSpi         Unsigned32,
    ipsecProtSuiteInboundCompCpi        INTEGER,
    ipsecProtSuiteOutboundCompCpi       INTEGER,

    -- protection suite selectors
    ipsecProtSuiteLocalId               OCTET STRING,
    ipsecProtSuiteLocalIdType           Unsigned32,
    ipsecProtSuiteRemoteId              OCTET STRING,
    ipsecProtSuiteRemoteIdType          Unsigned32,
    ipsecProtSuiteProtocol              Integer32,
    ipsecProtSuiteLocalPort             Integer32,
    ipsecProtSuiteRemotePort            Integer32,

    -- creation mechanism
    ipsecProtSuiteDifHelGroupDesc       Integer32,
    ipsecProtSuiteDifHelGroupType       Integer32,
    ipsecProtSuitePFS                   TruthValue,

    -- security services description
    ipsecProtSuiteEncapsulation         INTEGER,
    ipsecProtSuiteEspEncAlg             Integer32,
    ipsecProtSuiteEspEncKeyLength       Unsigned32,
    ipsecProtSuiteEspAuthAlg            Integer32,
    ipsecProtSuiteAhAuthAlg             Integer32,
    ipsecProtSuiteCompAlg               Integer32,

    -- expiration limits
    ipsecProtSuiteCreationTime          DateAndTime,
    ipsecProtSuiteTimeLimit             OCTET STRING, -- sec., 0 if none
    ipsecProtSuiteTrafficLimit          OCTET STRING, -- 0 if none
    ipsecProtSuiteInTrafficCount        OCTET STRING,
    ipsecProtSuiteOutTrafficCount       OCTET STRING,

    -- current operating statistics
    ipsecProtSuiteInboundTraffic        Counter64,
    ipsecProtSuiteOutboundTraffic       Counter64,
    ipsecProtSuiteInboundPackets        Counter64,
    ipsecProtSuiteOutboundPackets       Counter64,

    -- error statistics
    ipsecProtSuiteDecryptErrors         Counter32,
    ipsecProtSuiteAuthErrors            Counter32,
    ipsecProtSuiteReplayErrors          Counter32,
    ipsecProtSuitePolicyErrors          Counter32,
    ipsecProtSuiteOtherReceiveErrors    Counter32,
    ipsecProtSuiteSendErrors            Counter32
}

ipsecProtSuiteIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique value, greater than zero, for each IPSec protection
        suite. It is recommended that values are assigned contiguously
        starting from 1."
    ::= { ipsecProtSuiteEntry 1 }

ipsecProtSuiteLocalAddress OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (4 | 16))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The local IP address used by the protection suite. The size of
        this object is 4 if the address is an IPv4 address, or 16 if
        the address is an IPv6 address."
    ::= { ipsecProtSuiteEntry 2 }

ipsecProtSuiteRemoteAddress OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (4 | 16))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The peer IP address used by the protection suite. The size of
        this object is 4 if the address is an IPv4 address, or 16 if
        the address is an IPv6 address."
    ::= { ipsecProtSuiteEntry 3 }

ipsecProtSuiteInboundEspSpi OBJECT-TYPE
    SYNTAX      Unsigned32 (1..4294967295)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the SPI for the inbound protection suite that
        provides the ESP security service, or zero if ESP is not used."
    ::= { ipsecProtSuiteEntry 4 }

ipsecProtSuiteOutboundEspSpi OBJECT-TYPE
    SYNTAX      Unsigned32 (1..4294967295)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the SPI for the outbound protection suite that
        provides the ESP security service, or zero if ESP is not used."
    ::= { ipsecProtSuiteEntry 5 }

ipsecProtSuiteInboundAhSpi OBJECT-TYPE
    SYNTAX      Unsigned32 (1..4294967295)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the SPI for the inbound protection suite that
        provides the AH security service, or zero if AH is not used."
    ::= { ipsecProtSuiteEntry 6 }

ipsecProtSuiteOutboundAhSpi OBJECT-TYPE
    SYNTAX      Unsigned32 (1..4294967295)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the SPI for the outbound protection suite that
        provides the AH security service, or zero if AH is not used."
    ::= { ipsecProtSuiteEntry 7 }

ipsecProtSuiteInboundCompCpi OBJECT-TYPE
    SYNTAX      INTEGER (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the CPI for the inbound protection suite that
        provides IP compression, or zero if IPCOMP is not used."
    ::= { ipsecProtSuiteEntry 8 }

ipsecProtSuiteOutboundCompCpi OBJECT-TYPE
    SYNTAX      INTEGER (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the CPI for the outbound protection suite that
        provides IP compression, or zero if IPCOMP is not used."
    ::= { ipsecProtSuiteEntry 9 }

ipsecProtSuiteLocalId OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (4..255))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The local identifier of the protection suite, or 0 if unknown
        or if the protection suite uses transport mode encapsulation.
        This value is taken directly from the optional ID payloads that
        are exchanged during phase 2 negotiations."
    ::= { ipsecProtSuiteEntry 10 }

ipsecProtSuiteLocalIdType OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of identifier presented by 'ipsecProtSuiteLocalId',
        or 0 if unknown or if the protection suite uses transport mode
        encapsulation. This value is taken directly from the optional
        ID payloads that are exchanged during phase 2 negotiations."
    ::= { ipsecProtSuiteEntry 11 }

ipsecProtSuiteRemoteId OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (4..255))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The remote identifier of the protection suite, or 0 if unknown
        or if the protection suite uses transport mode encapsulation.
        This value is taken directly from the optional ID payloads that
        are exchanged during phase 2 negotiations."
    ::= { ipsecProtSuiteEntry 12 }

ipsecProtSuiteRemoteIdType OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of identifier presented by 'ipsecProtSuiteRemoteId',
        or 0 if unknown or if the protection suite uses transport mode
        encapsulation. This value is taken directly from the optional
        ID payloads that are exchanged during phase 2 negotiations."
    ::= { ipsecProtSuiteEntry 13 }

ipsecProtSuiteProtocol OBJECT-TYPE
    SYNTAX      Integer32 (0..255)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The IP protocol number that this protection suite carries, or
        0 if it carries any protocol."
    ::= { ipsecProtSuiteEntry 14 }

ipsecProtSuiteLocalPort OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The local UDP or TCP port number that this protection suite
        carries, or 0 if it carries any port number."
    ::= { ipsecProtSuiteEntry 15 }

ipsecProtSuiteRemotePort OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The remote UDP or TCP port number that this protection suite
        carries, or 0 if it carries any port number."
    ::= { ipsecProtSuiteEntry 16 }

ipsecProtSuiteDifHelGroupDesc OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique value representing the Diffie-Hellman group
        description used to set up this protection suite, or 0 if the
        description is unknown. Specific values are used as described
        in the ISAKMP Class Values of Group Description from Appendix A
        of [IKE]."
    ::= { ipsecProtSuiteEntry 17 }

ipsecProtSuiteDifHelGroupType OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique value representing the Diffie-Hellman group type used
        to set up this protection suite, or 0 if the type is unknown.
        Specific values are used as described in the ISAKMP Class
        Values of Group Type from Appendix A of [IKE]."
    ::= { ipsecProtSuiteEntry 18 }

ipsecProtSuitePFS OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "'true' if the protection suite was created using perfect
        forward secrecy."
    ::= { ipsecProtSuiteEntry 19 }

ipsecProtSuiteEncapsulation OBJECT-TYPE
    SYNTAX      INTEGER { transport(1), tunnel(2) }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of encapsulation used by this protection suite."
    ::= { ipsecProtSuiteEntry 20 }

ipsecProtSuiteEspEncAlg OBJECT-TYPE
    SYNTAX      Integer32 (0..255)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique value representing the encryption algorithm applied
        to traffic carried by this protection suite if it uses ESP, or
        0 if there is no encryption applied by ESP or if ESP is not
        used. Specific values are taken from section 4.4.4 of [IPDOI]."
    ::= { ipsecProtSuiteEntry 21 }

ipsecProtSuiteEspEncKeyLength OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The length of the encryption key in bits used for the
        algorithm specified in the 'ipsecProtSuiteEspEncAlg' object, or
        0 if the key length is implicit in the specified algorithm or
        there is no encryption specified."
    ::= { ipsecProtSuiteEntry 22 }

ipsecProtSuiteEspAuthAlg OBJECT-TYPE
    SYNTAX      Integer32 (0..255)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique value representing the hash algorithm applied to
        traffic carried by this protection suite if it uses ESP, or 0
        if there is no authentication applied by ESP or if ESP is not
        used. Specific values are taken from the Authentication
        Algorithm attribute values of Section 4.5 of [IPDOI]."
    ::= { ipsecProtSuiteEntry 23 }

ipsecProtSuiteAhAuthAlg OBJECT-TYPE
    SYNTAX      Integer32 (0..255)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique value representing the hash algorithm applied to
        traffic carried by this protection suite if it uses AH, or 0 if
        AH is not used. Specific values are taken from Section 4.4.3 of
        [IPDOI]."
    ::= { ipsecProtSuiteEntry 24 }

ipsecProtSuiteCompAlg OBJECT-TYPE
    SYNTAX      Integer32 (0..255)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique value representing the compression algorithm applied
        to traffic carried by this protection suite if it uses IPCOMP.
        Specific values are taken from Section 4.4.5 of [IPDOI]."
    ::= { ipsecProtSuiteEntry 25 }

ipsecProtSuiteCreationTime OBJECT-TYPE
    SYNTAX      DateAndTime
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The date and time that the current protection suite was set
        up."
    ::= { ipsecProtSuiteEntry 26 }

ipsecProtSuiteTimeLimit OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (4..255))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The maximum lifetime in seconds of the protection suite, or 0
        if there is no time constraint on its expiration."
    ::= { ipsecProtSuiteEntry 27 }

ipsecProtSuiteTrafficLimit OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (4..255))
    UNITS       "1024-byte blocks"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The maximum traffic in 1024-byte blocks that the protection
        suite is allowed to support, or 0 if there is no traffic
        constraint on its expiration."
    ::= { ipsecProtSuiteEntry 28 }

ipsecProtSuiteInTrafficCount OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (4..255))
    UNITS       "1024-byte blocks"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The amount of inbound traffic accumulated that counts against
        the protection suite's expiration by traffic limitation,
        measured in 1024-byte blocks. This value may be 0 if the
        protection suite does not expire based on traffic.

        In the case of multiple SAs within a protection suite, this
        value is the maximum of any traffic accumulation values applied
        to any of the individual SAs within the protection suite."
    ::= { ipsecProtSuiteEntry 29 }

ipsecProtSuiteOutTrafficCount OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (4..255))
    UNITS       "1024-byte blocks"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The amount of outbound traffic accumulated that counts against
        the protection suite's expiration by traffic limitation,
        measured in 1024-byte blocks. This value may be 0 if the
        protection suite does not expire based on traffic.

        In the case of multiple SAs within a protection suite, this
        value is the maximum of any traffic accumulation values applied
        to any of the individual SAs within the protection suite."
    ::= { ipsecProtSuiteEntry 30 }

ipsecProtSuiteInboundTraffic OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The amount of user level traffic measured in bytes handled by
        the protection suite in the inbound direction. This is not
        necessarily the same as the amount of traffic applied against
        the traffic expiration limit."
    ::= { ipsecProtSuiteEntry 31 }

ipsecProtSuiteOutboundTraffic OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The amount of user level traffic measured in bytes handled by
        the protection suite in the outbound direction. This is not
        necessarily the same as the amount of traffic applied against
        the traffic expiration limit."
    ::= { ipsecProtSuiteEntry 32 }

ipsecProtSuiteInboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of packets handled by the protection suite in the
        inbound direction."
    ::= { ipsecProtSuiteEntry 33 }

ipsecProtSuiteOutboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of packets handled by the protection suite in the
        outbound direction."
    ::= { ipsecProtSuiteEntry 34 }

ipsecProtSuiteDecryptErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of inbound packets discarded by the protection
        suite due to decryption errors."
    ::= { ipsecProtSuiteEntry 35 }

ipsecProtSuiteAuthErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of inbound packets discarded by the protection
        suite due to authentication errors. This includes hash failures
        in both ESP and AH."
    ::= { ipsecProtSuiteEntry 36 }

ipsecProtSuiteReplayErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of inbound packets discarded by the protection
        suite due to replay errors. This includes replay failures in
        both ESP and AH."
    ::= { ipsecProtSuiteEntry 37 }

ipsecProtSuitePolicyErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of inbound packets discarded by the protection
        suite due to policy errors."
    ::= { ipsecProtSuiteEntry 38 }

ipsecProtSuiteOtherReceiveErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of inbound packets discarded by the protection
        suite due to errors other than decryption, authentication or
        replay errors. This may include decompression errors or errors
        due to a lack of receive buffers."
    ::= { ipsecProtSuiteEntry 39 }

ipsecProtSuiteSendErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of outbound packets discarded by the protection
        suite due to any error. This may include compression errors or
        errors due to a lack of transmit buffers."
    ::= { ipsecProtSuiteEntry 40 }

-- the IPSec IKE MIB-Group
--
-- a collection of objects providing information about
-- IPSec's IKE SAs

ipsecIkeSaTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpsecIkeSaEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The (conceptual) table containing information on IPSec's IKE
        SAs."
    ::= { ipsec 2 }

ipsecIkeSaEntry OBJECT-TYPE
    SYNTAX      IpsecIkeSaEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry (conceptual row) containing the information on a
        particular IKE SA."
    INDEX { ipsecIkeSaIndex }
    ::= { ipsecIkeSaTable 1 }

IpsecIkeSaEntry ::= SEQUENCE {
    ipsecIkeSaIndex                     Integer32,

    -- identifier information
    ipsecIkeSaInitiatorCookie           OCTET STRING,
    ipsecIkeSaResponderCookie           OCTET STRING,
    ipsecIkeSaLocalIpAddress            OCTET STRING,
    ipsecIkeSaLocalPortNumber           INTEGER,
    ipsecIkeSaLocalIdType               Integer32,
    ipsecIkeSaLocalId                   OCTET STRING,

    -- peer information
    ipsecIkeSaPeerIpAddress             OCTET STRING,
    ipsecIkeSaPeerPortNumber            INTEGER,
    ipsecIkeSaAuthMethod                Integer32,
    ipsecIkeSaPeerIdType                Integer32,
    ipsecIkeSaPeerId                    OCTET STRING,
    ipsecIkeSaPeerCertSerialNum         OCTET STRING,
    ipsecIkeSaPeerCertIssuer            OCTET STRING,

    -- security algorithm information
    ipsecIkeSaEncAlg                    INTEGER,
    ipsecIkeSaEncKeyLength              Integer32,
    ipsecIkeSaHashAlg                   Integer32,
    ipsecIkeSaDifHelGroupDesc           Integer32,
    ipsecIkeSaDifHelGroupType           Integer32,
    ipsecIkeSaDifHelFieldSize           Integer32,
    ipsecIkeSaPRF                       Integer32,
    ipsecIkeSaPFS                       TruthValue,

    -- expiration limits
    ipsecIkeSaTimeStart                 DateAndTime,
    ipsecIkeSaTimeLimit                 OCTET STRING, -- in seconds
    ipsecIkeSaTrafficLimit              OCTET STRING, -- in kbytes

    -- operating statistics
    ipsecIkeSaInboundTraffic            Counter64,    -- in bytes
    ipsecIkeSaOutboundTraffic           Counter64,    -- in bytes
    ipsecIkeSaInboundPackets            Counter32,
    ipsecIkeSaOutboundPackets           Counter32,
    ipsecIkeProtSuitesCreated           Counter32,
    ipsecIkeProtSuitesDeleted           Counter32,

    -- error statistics
    ipsecIkeSaDecryptErrors             Counter32,
    ipsecIkeSaAuthErrors                Counter32,
    ipsecIkeSaOtherReceiveErrors        Counter32,
    ipsecIkeSaSendErrors                Counter32
}

ipsecIkeSaIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..16777215)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique value, greater than zero, for each phase 1 SA. It is
        recommended that values are assigned contiguously starting from
        1. The value for each entry must remain constant at least from
        one re-initialization of the entity's network management system
        to the next re-initialization."
    ::= { ipsecIkeSaEntry 1 }

ipsecIkeSaInitiatorCookie OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (16))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the cookie used by the initiator for the phase 1
        SA."
    ::= { ipsecIkeSaEntry 2 }

ipsecIkeSaResponderCookie OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (16))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the cookie used by the responder for the phase 1
        SA."
    ::= { ipsecIkeSaEntry 3 }

ipsecIkeSaLocalIpAddress OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (4 | 16))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The local IP address used to negotiate the SA. The size of the
        object is 4 if the address is an IPv4 address and 16 if an IPv6
        address."
    ::= { ipsecIkeSaEntry 4 }

ipsecIkeSaLocalPortNumber OBJECT-TYPE
    SYNTAX      INTEGER (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The local UDP port number that this SA was negotiated with."
    ::= { ipsecIkeSaEntry 5 }

ipsecIkeSaLocalIdType OBJECT-TYPE
    SYNTAX      Integer32 (0..256)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of ID used by the local end of this SA. Specific
        values are used as described in Section 4.6.2.1 of [IPDOI]."
    ::= { ipsecIkeSaEntry 8 }

ipsecIkeSaLocalId OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (0..511))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The ID of the local host that negotiated this SA. The length
        may require truncation under some conditions."
    ::= { ipsecIkeSaEntry 9 }

ipsecIkeSaPeerIpAddress OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (4 | 16))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The IP address of the peer that this SA was negotiated with.
        The size of the object is 4 if the address is an IPv4 address
        and 16 if it is an IPv6 address."
    ::= { ipsecIkeSaEntry 10 }

ipsecIkeSaPeerPortNumber OBJECT-TYPE
    SYNTAX      INTEGER (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The UDP port number of the peer that this SA was negotiated
        with."
    ::= { ipsecIkeSaEntry 11 }

ipsecIkeSaAuthMethod OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The authentication method used to authenticate the peer. Note
        that this does not include the specific method of
        authentication if extended authentication is used. Specific
        values are used as described in the ISAKMP Class Values of
        Authentication Method from Appendix A of [IKE]."
    ::= { ipsecIkeSaEntry 12 }

ipsecIkeSaPeerIdType OBJECT-TYPE
    SYNTAX      Integer32 (0..256)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of ID used by the peer. Specific values are used as
        described in Section 4.6.2.1 of [IPDOI]."
    ::= { ipsecIkeSaEntry 13 }

ipsecIkeSaPeerId OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (0..511))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The ID of the peer this SA was negotiated with. The length may
        require truncation under some conditions."
    ::= { ipsecIkeSaEntry 14 }

ipsecIkeSaPeerCertSerialNum OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (0..63))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The serial number of the certificate of the peer this SA was
        negotiated with. This object has no meaning if a certificate
        was not used in authenticating the peer."
    ::= { ipsecIkeSaEntry 15 }

ipsecIkeSaPeerCertIssuer OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (0..511))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The issuer of the certificate of the peer this SA was
        negotiated with. This object has no meaning if a certificate
        was not used in authenticating the peer."
        ::= { ipsecIkeSaEntry 16 }

    ipsecIkeSaEncAlg OBJECT-TYPE
        SYNTAX      INTEGER (0..65535)
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "A unique value representing the encryption algorithm
            applied to traffic carried by this SA. Specific values
            are used as described in the ISAKMP Class Values of
            Encryption Algorithms from Appendix A of [IKE]."
        ::= { ipsecIkeSaEntry 17 }

    ipsecIkeSaEncKeyLength OBJECT-TYPE
        SYNTAX      Integer32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The length of the encryption key in bits used for the
            algorithm specified in the ipsecIkeSaEncAlg object, or 0
            if the key length is implicit in the specified algorithm."
        ::= { ipsecIkeSaEntry 18 }

    ipsecIkeSaHashAlg OBJECT-TYPE
        SYNTAX      Integer32 (0..65535)
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "A unique value representing the hash algorithm applied
            to traffic carried by this SA. Specific values are used
            as described in the ISAKMP Class Values of Hash
            Algorithms from Appendix A of [IKE]."
        ::= { ipsecIkeSaEntry 19 }

    ipsecIkeSaDifHelGroupDesc OBJECT-TYPE
        SYNTAX      Integer32 (0..65535)
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "A unique value representing the Diffie-Hellman group
            description used, or 0 if the group is unknown. Specific
            values are used as described in the ISAKMP Class Values
            of Group Description from Appendix A of [IKE]."
        ::= { ipsecIkeSaEntry 20 }

    ipsecIkeSaDifHelGroupType OBJECT-TYPE
        SYNTAX      Integer32 (0..65535)
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "A unique value representing the Diffie-Hellman group
            type used, or 0 if the group is unknown. Specific values
            are used as described in the ISAKMP Class Values of Group
            Type from Appendix A of [IKE]."
        ::= { ipsecIkeSaEntry 21 }

    ipsecIkeSaDifHelFieldSize OBJECT-TYPE
        SYNTAX      Integer32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The field size, in bits, of the Diffie-Hellman group
            used to generate the key-pair, or 0 if unknown."
        ::= { ipsecIkeSaEntry 22 }

    ipsecIkeSaPRF OBJECT-TYPE
        SYNTAX      Integer32 (0..65535)
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The pseudo-random function used, or 0 if not used or if
            unknown. Specific values are used as described in the
            ISAKMP Class Values of PRF from Appendix A of [IKE]
            (which specifies none at the present time)."
        ::= { ipsecIkeSaEntry 23 }

    ipsecIkeSaPFS OBJECT-TYPE
        SYNTAX      TruthValue
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "A value that indicates that perfect forward secrecy is
            used for all IPSec SAs created by this IKE SA."
        ::= { ipsecIkeSaEntry 24 }

    ipsecIkeSaTimeStart OBJECT-TYPE
        SYNTAX      DateAndTime
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The date and time that the SA was set up."
        ::= { ipsecIkeSaEntry 25 }

    ipsecIkeSaTimeLimit OBJECT-TYPE
        SYNTAX      OCTET STRING
        UNITS       "seconds"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The maximum lifetime in seconds of the SA, or 0 if there
            is no time constraint on its expiration."
        ::= { ipsecIkeSaEntry 26 }

    ipsecIkeSaTrafficLimit OBJECT-TYPE
        SYNTAX      OCTET STRING
        UNITS       "Kbytes"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The maximum traffic in 1024-byte blocks that the SA is
            allowed to carry, or 0 if there is no traffic constraint
            on its expiration."
        ::= { ipsecIkeSaEntry 27 }

    ipsecIkeSaInboundTraffic OBJECT-TYPE
        SYNTAX      Counter64
        UNITS       "bytes"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The amount of traffic, measured in bytes, handled in the
            SA in the inbound direction."
        ::= { ipsecIkeSaEntry 28 }

    ipsecIkeSaOutboundTraffic OBJECT-TYPE
        SYNTAX      Counter64
        UNITS       "bytes"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The amount of traffic, measured in bytes, handled in the
            SA in the outbound direction."
        ::= { ipsecIkeSaEntry 29 }

    ipsecIkeSaInboundPackets OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of packets handled in the SA in the inbound
            direction."
        ::= { ipsecIkeSaEntry 30 }

    ipsecIkeSaOutboundPackets OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of packets handled in the SA in the outbound
            direction."
        ::= { ipsecIkeSaEntry 31 }

    ipsecIkeProtSuitesCreated OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of phase 2 protection suites created by
            the SA."
        ::= { ipsecIkeSaEntry 32 }

    ipsecIkeProtSuitesDeleted OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of phase 2 protection suites deleted by
            the SA."
        ::= { ipsecIkeSaEntry 33 }

    ipsecIkeSaDecryptErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of inbound packets discarded by the phase 1
            SA due to decryption errors."
        ::= { ipsecIkeSaEntry 34 }

    ipsecIkeSaAuthErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of inbound packets discarded by the phase 1
            SA due to authentication errors."
        ::= { ipsecIkeSaEntry 35 }

    ipsecIkeSaOtherReceiveErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of inbound packets discarded by the phase 1
            SA due to errors other than decryption or authentication
            errors. This may include errors due to a lack of receive
            buffers."
        ::= { ipsecIkeSaEntry 36 }

    ipsecIkeSaSendErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of outbound packets discarded by the phase 1
            SA due to any error. This may include errors due to a
            lack of transmit buffers."
        ::= { ipsecIkeSaEntry 37 }

    -- the IPSec Entity MIB-Group
    --
    -- a collection of objects providing information about overall
    -- IPSec status in the entity
    --
    -- Definitions of significant branches
    --

    ipsecTrapsA           OBJECT IDENTIFIER ::= { ipsec 3 }
    ipsecTraps            OBJECT IDENTIFIER ::= { ipsecTrapsA 0 }
    ipsecIpsecStats       OBJECT IDENTIFIER ::= { ipsec 4 }
    ipsecIpsecErrorStats  OBJECT IDENTIFIER ::= { ipsec 5 }
    ipsecIkeStats         OBJECT IDENTIFIER ::= { ipsec 6 }
    ipsecIkeErrorStats    OBJECT IDENTIFIER ::= { ipsec 7 }
    ipsecNotifications    OBJECT IDENTIFIER ::= { ipsec 8 }

    --
    -- entity IPSec statistics
    --

    ipsecIpsecTotalProtSuites OBJECT-TYPE
        SYNTAX      Counter64
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of phase 2 protection suites
            established by the entity since boot time."
        ::= { ipsecIpsecStats 1 }

    ipsecIpsecNegFailures OBJECT-TYPE
        SYNTAX      Counter64
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of phase 2 protection suite
            negotiations that failed in the entity since boot time."
        ::= { ipsecIpsecStats 2 }

    ipsecIpsecTotalInboundPackets OBJECT-TYPE
        SYNTAX      Counter64
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of inbound packets carried on IPSec
            protection suites since boot time."
        ::= { ipsecIpsecStats 3 }

    ipsecIpsecTotalTransOutboundPackets OBJECT-TYPE
        SYNTAX      Counter64
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of outbound packets carried on IPSec
            protection suites since boot time."
        ::= { ipsecIpsecStats 4 }

    ipsecIpsecTotalTransInboundTraffic OBJECT-TYPE
        SYNTAX      Counter64
        UNITS       "Kbytes"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total amount of inbound traffic carried on IPSec
            protection suites since boot time, measured in 1024-octet
            blocks."
        ::= { ipsecIpsecStats 5 }

    ipsecIpsecTotalTransOutboundTraffic OBJECT-TYPE
        SYNTAX      Counter64
        UNITS       "Kbytes"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total amount of outbound traffic carried on IPSec
            protection suites since boot time, measured in 1024-octet
            blocks."
        ::= { ipsecIpsecStats 6 }

    --
    -- IPSec error counts
    --

    ipsecIpsecDecryptionErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of packets received by the entity in
            the IPSec protection suites since boot time with
            decryption errors."
        ::= { ipsecIpsecErrorStats 1 }

    ipsecIpsecAuthenticationErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of packets received by the entity in
            the IPSec protection suites since boot time with
            authentication errors. This includes all packets in which
            the hash value is determined to be invalid."
        ::= { ipsecIpsecErrorStats 2 }

    ipsecIpsecReplayErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of packets received by the entity in
            the IPSec protection suites since boot time with replay
            errors."
        ::= { ipsecIpsecErrorStats 3 }

    ipsecIpsecPolicyErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of packets received by the entity in
            the IPSec protection suites since boot time and discarded
            due to policy errors. This includes packets that had
            selectors that were invalid for the SA or protection
            suite that carried them."
        ::= { ipsecIpsecErrorStats 4 }

    ipsecIpsecOtherReceiveErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of packets received by the entity in
            the IPSec protection suites since boot time and discarded
            due to errors not due to decryption, authentication,
            replay or policy."
        ::= { ipsecIpsecErrorStats 5 }

    ipsecIpsecSendErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of packets to be sent by the entity in
            the IPSec protection suites since boot time and discarded
            due to errors."
        ::= { ipsecIpsecErrorStats 6 }

    ipsecUnknownSpiErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of packets received by the entity since
            boot time with SPIs or CPIs that were not valid."
        ::= { ipsecIpsecErrorStats 7 }

    --
    -- entity IKE statistics
    --

    ipsecIkeTotalSAs OBJECT-TYPE
        SYNTAX      Counter64
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of phase 1 SAs successfully established
            by the entity since boot time."
        ::= { ipsecIkeStats 1 }

    ipsecIkeNegFailures OBJECT-TYPE
        SYNTAX      Counter64
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of phase 1 SA negotiations that failed
            in the entity since boot time."
        ::= { ipsecIkeStats 2 }

    ipsecIkeTotalInboundPackets OBJECT-TYPE
        SYNTAX      Counter64
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of inbound packets carried on phase 1
            SAs since boot time."
        ::= { ipsecIkeStats 3 }

    ipsecIkeTotalTransOutboundPackets OBJECT-TYPE
        SYNTAX      Counter64
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of outbound packets carried on phase 1
            SAs since boot time."
        ::= { ipsecIkeStats 4 }

    ipsecIkeTotalTransInboundTraffic OBJECT-TYPE
        SYNTAX      Counter64
        UNITS       "Kbytes"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total amount of inbound traffic carried on phase 1
            SAs since boot time, measured in 1024-octet blocks."
        ::= { ipsecIkeStats 5 }

    ipsecIkeTotalTransOutboundTraffic OBJECT-TYPE
        SYNTAX      Counter64
        UNITS       "Kbytes"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total amount of outbound traffic carried on phase 1
            SAs since boot time, measured in 1024-octet blocks."
        ::= { ipsecIkeStats 6 }

    --
    -- IKE error counts
    --

    ipsecIkeProtocolErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of packets received by the entity since
            boot time with IKE protocol errors. This includes packets
            with invalid cookies, but does not include errors that
            are associated with specific IKE SAs."
        ::= { ipsecIkeErrorStats 1 }

    ipsecIkeDecryptionErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of packets received by the entity in
            the IPSec protection suites since boot time with
            decryption errors."
        ::= { ipsecIkeErrorStats 2 }

    ipsecIkeAuthenticationErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of packets received by the entity in
            the IPSec protection suites since boot time with
            authentication errors. This includes all packets in which
            the hash value is determined to be invalid."
        ::= { ipsecIkeErrorStats 3 }

    ipsecIkeOtherReceiveErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of packets received by the entity in
            phase 1 SAs since boot time and discarded due to errors
            not due to decryption or authentication."
        ::= { ipsecIkeErrorStats 4 }

    ipsecIkeSendErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of packets to be sent by the entity in
            phase 1 SAs since boot time and discarded due to errors."
        ::= { ipsecIkeErrorStats 5 }

    -- the IPSec Notify Message MIB-Group
    --
    -- a collection of objects providing information about
    -- the occurrences of notify messages

    ipsecNotifyMessageTotalCount OBJECT-TYPE
        SYNTAX      Counter64
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of all types of notify messages sent or
            received by the entity since boot time. It is the sum of
            all occurrences in the 'ipsecNotifyCountTable'."
        ::= { ipsecNotifications 1 }

    ipsecNotifyCountTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF IpsecNotifyCountEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "The (conceptual) table containing information on IPSec
            notify message counts. This table MAY be sparsely
            populated; that is, rows for which the count is 0 may be
            absent."
        ::= { ipsecNotifications 2 }

    ipsecNotifyCountEntry OBJECT-TYPE
        SYNTAX      IpsecNotifyCountEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "An entry (conceptual row) containing the total number of
            occurrences of a notify message."
        INDEX { ipsecNotifyMessage }
        ::= { ipsecNotifyCountTable 1 }

    IpsecNotifyCountEntry ::= SEQUENCE {
        ipsecNotifyMessage       INTEGER,
        ipsecNotifyMessageCount  Counter32
    }

    ipsecNotifyMessage OBJECT-TYPE
        SYNTAX      INTEGER (0..65535)
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The value representing a specific IPSec notify message,
            or 0 if unknown. Values are assigned from the set of
            notify message types as defined in Section 3.14.1 of
            [ISAKMP]. In addition, the value 0 may be used for this
            object when the object is used as a trap cause, and the
            cause is unknown."
        ::= { ipsecNotifyCountEntry 1 }

    ipsecNotifyMessageCount OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of times the specific notify message
            has been received or sent by the entity since system
            boot."
        ::= { ipsecNotifyCountEntry 2 }

    --
    -- traps
    --

    ipsecTrapIkeNegFailure NOTIFICATION-TYPE
        OBJECTS {
            ipsecIkeSaLocalIdType,
            ipsecIkeSaLocalId,
            ipsecIkeSaPeerIdType,
            ipsecIkeSaPeerId,
            ipsecIkeSaLocalIpAddress,
            ipsecIkeSaLocalPortNumber,
            ipsecIkeSaPeerIpAddress,
            ipsecIkeSaPeerPortNumber,
            ipsecIkeSaAuthMethod,
            ipsecIkeSaPeerCertSerialNum,
            ipsecIkeSaPeerCertIssuer,
            ipsecNotifyMessage
        }
        STATUS      current
        DESCRIPTION
            "An attempt to negotiate a phase 1 SA failed."
        ::= { ipsecTraps 1 }

    ipsecTrapInvalidCookie NOTIFICATION-TYPE
        OBJECTS {
            ipsecIkeSaPeerIpAddress,
            ipsecIkeSaPeerPortNumber
        }
        STATUS      current
        DESCRIPTION
            "IKE packets with invalid cookies were detected from the
            specified peer. Implementations SHOULD send one trap per
            peer (within a reasonable time period), rather than
            sending one trap per packet."
        ::= { ipsecTraps 2 }

    ipsecTrapIpsecNegFailure NOTIFICATION-TYPE
        OBJECTS {
            ipsecIkeSaIndex,
            ipsecNotifyMessage
        }
        STATUS      current
        DESCRIPTION
            "An attempt to negotiate a phase 2 protection suite
            within the specified IKE SA failed."
        ::= { ipsecTraps 3 }

    ipsecTrapIpsecAuthFailure NOTIFICATION-TYPE
        OBJECTS {
            ipsecProtSuiteIndex
        }
        STATUS      current
        DESCRIPTION
            "IPSec packets with invalid hashes were found in the
            specified protection suite. Implementations SHOULD send
            one trap per protection suite (within a reasonable time
            period), rather than sending one trap per packet."
        ::= { ipsecTraps 4 }

    ipsecTrapIpsecReplayFailure NOTIFICATION-TYPE
        OBJECTS {
            ipsecProtSuiteIndex
        }
        STATUS      current
        DESCRIPTION
            "IPSec packets with invalid sequence numbers were found
            in the specified protection suite.
            Implementations SHOULD send one trap per protection suite
            (within a reasonable time period), rather than sending
            one trap per packet."
        ::= { ipsecTraps 5 }

    ipsecTrapIpsecPolicyFailure NOTIFICATION-TYPE
        OBJECTS {
            ipsecProtSuiteIndex
        }
        STATUS      current
        DESCRIPTION
            "IPSec packets carrying packets with invalid selectors
            for the specified protection suite were found.
            Implementations SHOULD send one trap per protection suite
            (within a reasonable time period), rather than sending
            one trap per packet."
        ::= { ipsecTraps 6 }

    ipsecTrapInvalidSpi NOTIFICATION-TYPE
        OBJECTS {
            ipsecIkeSaPeerIpAddress
        }
        STATUS      current
        DESCRIPTION
            "ESP, AH or IPCOMP packets with unknown SPIs (or CPIs)
            were detected from the specified peer. Implementations
            SHOULD send one trap per peer (within a reasonable time
            period), rather than sending one trap per packet."
        ::= { ipsecTraps 7 }

    END

5. Security Considerations

   This MIB contains readable objects whose values provide information
   related to IKE SAs and IPSec protection suites. There are no objects
   with MAX-ACCESS clauses of read-write or read-create.

   While unauthorized access to the readable objects is relatively
   innocuous, unauthorized access to those objects through an insecure
   channel can provide attackers with more information about a system
   than an administrator may desire.

6. Acknowledgments

   This document is based in part on an earlier proposal titled
   "draft-ietf-ipsec-mib-xx.txt". That series was abandoned, since it
   included application specific constructs in addition to the IPSec
   only objects. Portions of the original document were based on the
   working paper "IP Security Management Information Base" by R. Thayer
   and U. Blumenthal.

   Significant contribution to the IPSec MIB series of documents comes
   from Charles Brooks and Carl Powell, both of GTE Internetworking.

   Obviously, the IPSec working group made significant contributions,
   specifically including M.
   Daniele, T. Kivinen, J. Shriver, J. Walker, S. Kelly, J. Leonard and
   M. Richardson.

   Additionally, thanks are extended to Gabriella Dinescu for assistance
   in the preparation of the MIB structures.

7. Revision History

   This section will be removed before publication.

   January 15, 1999    Initial Release.

   1) Group and Compliance statements?
   2) Sub-identifier under the experimental tree?

8. References

   [IPDOI]   Piper, D., "The Internet IP Security Domain of
             Interpretation for ISAKMP", RFC 2407, November 1998.

   [SECARCH] Kent, S., Atkinson, R., "Security Architecture for the
             Internet Protocol", RFC 2401, November 1998.

   [IKE]     Harkins, D., Carrel, D., "The Internet Key Exchange (IKE)",
             RFC 2409, November 1998.

   [ISAKMP]  Maughan, D., Schertler, M., Schneider, M., and Turner, J.,
             "Internet Security Association and Key Management Protocol
             (ISAKMP)", RFC 2408, November 1998.

   [IPTun]   Thaler, D., "IP Tunnel MIB",
             draft-ietf-ifmib-tunnel-mib-02.txt, work in progress.

   [IGMIB]   McCloghrie, K., Kastenholz, F., "The Interfaces Group MIB
             using SMIv2", RFC 2233.

   [IPCOMP]  Shacham, A., Monsour, R., Pereira, R., Thomas, M.,
             "draft-ietf-ippcp-protocol-06.txt", work in progress.

   [1902]    Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
             "Structure of Management Information for version 2 of the
             Simple Network Management Protocol (SNMPv2)", RFC 1902,
             January 1996.

   [2271]    Harrington, D., Presuhn, R., and B. Wijnen, "An
             Architecture for Describing SNMP Management Frameworks",
             RFC 2271, January 1998.

   [1155]    Rose, M., and K. McCloghrie, "Structure and Identification
             of Management Information for TCP/IP-based Internets",
             RFC 1155, May 1990.

   [1212]    Rose, M., and K. McCloghrie, "Concise MIB Definitions",
             RFC 1212, March 1991.

   [1215]    M. Rose, "A Convention for Defining Traps for use with the
             SNMP", RFC 1215, March 1991.

   [1903]    SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M.,
             and S.
             Waldbusser, "Textual Conventions for Version 2 of the
             Simple Network Management Protocol (SNMPv2)", RFC 1903,
             January 1996.

   [1904]    SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M.,
             and S. Waldbusser, "Conformance Statements for Version 2 of
             the Simple Network Management Protocol (SNMPv2)", RFC 1904,
             January 1996.

   [1157]    Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple
             Network Management Protocol", RFC 1157, May 1990.

   [1901]    SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M.,
             and S. Waldbusser, "Introduction to Community-based
             SNMPv2", RFC 1901, January 1996.

   [1906]    SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M.,
             and S. Waldbusser, "Transport Mappings for Version 2 of the
             Simple Network Management Protocol (SNMPv2)", RFC 1906,
             January 1996.

   [2272]    Case, J., Harrington D., Presuhn R., and B. Wijnen,
             "Message Processing and Dispatching for the Simple Network
             Management Protocol (SNMP)", RFC 2272, January 1998.

   [2274]    Blumenthal, U., and B. Wijnen, "User-based Security Model
             (USM) for version 3 of the Simple Network Management
             Protocol (SNMPv3)", RFC 2274, January 1998.

   [1905]    SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M.,
             and S. Waldbusser, "Protocol Operations for Version 2 of
             the Simple Network Management Protocol (SNMPv2)", RFC 1905,
             January 1996.

   [2273]    Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications",
             RFC 2273, SNMP Research, Inc., Secure Computing
             Corporation, Cisco Systems, January 1998.

   [2275]    Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
             Access Control Model (VACM) for the Simple Network
             Management Protocol (SNMP)", RFC 2275, January 1998.

9. Appendix A - Some Related Assigned Numbers

   This appendix reproduces the assigned numbers from the referenced
   IPSec documents that are used in the MIB. They are to be used as a
   reference only and are not part of this specification.
   As the IPSec protocol evolves, this list is almost certain to become
   incomplete. Portions are blatantly copied from [IKE], [IPDOI] and
   [ISAKMP].

   ipsecIkeSaEncAlg - Encryption Algorithm

       DES-CBC                     1
       IDEA-CBC                    2
       Blowfish-CBC                3
       RC5-R16-B64-CBC             4
       3DES-CBC                    5
       CAST-CBC                    6
       DES40-CBC                   65001

   ipsecIkeSaPeerIdType

       ID Type                     Value
       -------                     -----
       RESERVED                    0
       ID_IPV4_ADDR                1
       ID_FQDN                     2
       ID_USER_FQDN                3
       ID_IPV4_ADDR_SUBNET         4
       ID_IPV6_ADDR                5
       ID_IPV6_ADDR_SUBNET         6
       ID_IPV4_ADDR_RANGE          7
       ID_IPV6_ADDR_RANGE          8
       ID_DER_ASN1_DN              9
       ID_DER_ASN1_GN              10
       ID_KEY_ID                   11

   ipsecIkeSaHashAlg - Hash Algorithm

       MD5                         1
       SHA                         2
       Tiger                       3

   ipsecIkeSaAuthMethod - Authentication Method

       pre-shared key              1
       DSS signatures              2
       RSA signatures              3
       Encryption with RSA         4
       Revised encryption with RSA 5

   ipsecIkeSaDifHelGroupDesc - Group Description

       default 768-bit MODP group    1
       alternate 1024-bit MODP group 2
       EC2N group on GP[2^155]       3
       EC2N group on GP[2^185]       4

   ipsecIkeSaDifHelGroupType - Group Type

       MODP (modular exponentiation group)        1
       ECP (elliptic curve group over GF[P])      2
       EC2N (elliptic curve group over GF[2^N])   3

   ipsecTunnelEspEncAlg

       Transform ID                Value
       ------------                -----
       RESERVED                    0
       ESP_DES_IV64                1
       ESP_DES                     2
       ESP_3DES                    3
       ESP_RC5                     4
       ESP_IDEA                    5
       ESP_CAST                    6
       ESP_BLOWFISH                7
       ESP_3IDEA                   8
       ESP_DES_IV32                9
       ESP_RC4                     10
       ESP_NULL                    11
       ESP_DES40                   249

   ipsecTunnelEspAuthAlg - Authentication Algorithm

       RESERVED                    0
       HMAC-MD5                    1
       HMAC-SHA                    2
       DES-MAC                     3
       KPDK                        4

   ipsecTunnelAhAuthAlg

       Transform ID                Value
       ------------                -----
       RESERVED                    0-1
       AH_MD5                      2
       AH_SHA                      3
       AH_DES                      4

   ipsecTunnelCompAlg

       Transform ID                Value
       ------------                -----
       RESERVED                    0
       IPCOMP_OUI                  1
       IPCOMP_DEFLATE              2
       IPCOMP_LZS                  3
       IPCOMP_V42BIS               4

   NOTIFY MESSAGES - ERROR TYPES

       Errors                      Value
       ------                      -----
       INVALID-PAYLOAD-TYPE        1
       DOI-NOT-SUPPORTED           2
       SITUATION-NOT-SUPPORTED     3
       INVALID-COOKIE              4
       INVALID-MAJOR-VERSION       5
       INVALID-MINOR-VERSION       6
       INVALID-EXCHANGE-TYPE       7
       INVALID-FLAGS               8
       INVALID-MESSAGE-ID          9
       INVALID-PROTOCOL-ID         10
       INVALID-SPI                 11
       INVALID-TRANSFORM-ID        12
       ATTRIBUTES-NOT-SUPPORTED    13
       NO-PROPOSAL-CHOSEN          14
       BAD-PROPOSAL-SYNTAX         15
       PAYLOAD-MALFORMED           16
       INVALID-KEY-INFORMATION     17
       INVALID-ID-INFORMATION      18
       INVALID-CERT-ENCODING       19
       INVALID-CERTIFICATE         20
       CERT-TYPE-UNSUPPORTED       21
       INVALID-CERT-AUTHORITY      22
       INVALID-HASH-INFORMATION    23
       AUTHENTICATION-FAILED       24
       INVALID-SIGNATURE           25
       ADDRESS-NOTIFICATION        26
       NOTIFY-SA-LIFETIME          27
       CERTIFICATE-UNAVAILABLE     28
       UNSUPPORTED-EXCHANGE-TYPE   29
       UNEQUAL-PAYLOAD-LENGTHS     30
       RESERVED (Future Use)       31 - 8191
       Private Use                 8192 - 16383

   NOTIFY MESSAGES - STATUS TYPES

       Status                      Value
       ------                      -----
       CONNECTED                   16384
       RESERVED (Future Use)       16385 - 24575
       DOI-specific codes          24576 - 32767
       Private Use                 32768 - 40959
       RESERVED (Future Use)       40960 - 65535

   Notify Messages - Status Types

       Status                      Value
       ------                      -----
       RESPONDER-LIFETIME          24576
       REPLAY-STATUS               24577
       INITIAL-CONTACT             24578

Editor's Address

   Tim Jenkins
   tjenkins@timestep.com
   TimeStep Corporation
   362 Terry Fox Drive
   Kanata, ON
   Canada
   K2K 2P5
   +1 (613) 599-3610

   The IPSec working group can be contacted via the IPSec working
   group's mailing list (ipsec@tis.com) or through its chairs:

   Robert Moskowitz
   rgm@icsa.net
   International Computer Security Association

   Theodore Y. Ts'o
   tytso@MIT.EDU
   Massachusetts Institute of Technology
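The trap DESCRIPTION clauses in the MIB above require one trap per peer or per protection suite within a reasonable time period rather than one trap per packet, while the entity-level error counters still count every packet. The following added example, which is not part of the draft, models that behaviour for the invalid-cookie, invalid-SPI, replay and IKE negotiation-failure cases; the event format, the 60-second window and the sample addresses are assumptions of this example, only the object names and trap numbers come from the MIB.

```python
from collections import Counter

# Trap sub-identifiers under ipsecTraps, as assigned in the draft.
IPSEC_TRAP_IKE_NEG_FAILURE = 1
IPSEC_TRAP_INVALID_COOKIE = 2
IPSEC_TRAP_IPSEC_REPLAY_FAILURE = 5
IPSEC_TRAP_INVALID_SPI = 7

# The draft only says "a reasonable time period"; 60 s is an assumption.
DEFAULT_TRAP_WINDOW = 60.0


class IpsecMonitor:
    """Entity-level counters, the sparse ipsecNotifyCountTable, and the
    per-(trap, key) timestamps needed to send one trap per window."""

    def __init__(self, trap_window=DEFAULT_TRAP_WINDOW):
        self.trap_window = trap_window
        self.counters = Counter()      # ipsecIkeErrorStats / ipsecIpsecErrorStats
        self.notify_counts = Counter() # ipsecNotifyCountTable, rows absent when 0
        self._last_trap = {}           # (trap, key) -> time the trap was last sent
        self.traps_sent = []           # (time, trap, key), in emission order

    def _maybe_trap(self, now, trap, key):
        """Emit the trap unless one for the same key was sent within the window."""
        last = self._last_trap.get((trap, key))
        if last is not None and now - last < self.trap_window:
            return False               # suppressed: already trapped in this window
        self._last_trap[(trap, key)] = now
        self.traps_sent.append((now, trap, key))
        return True

    def notify_total(self):
        """ipsecNotifyMessageTotalCount is defined as the sum of the table."""
        return sum(self.notify_counts.values())

    def handle(self, event):
        """event = (time, kind, key[, notify_code]); True if a trap was sent."""
        now, kind, key = event[0], event[1], event[2]
        if kind == "invalid_cookie":
            # Invalid cookies count in ipsecIkeProtocolErrors; trap keyed by peer.
            self.counters["ipsecIkeProtocolErrors"] += 1
            return self._maybe_trap(now, IPSEC_TRAP_INVALID_COOKIE, key)
        if kind == "invalid_spi":
            self.counters["ipsecUnknownSpiErrors"] += 1
            return self._maybe_trap(now, IPSEC_TRAP_INVALID_SPI, key)
        if kind == "replay":
            # Key is the ipsecProtSuiteIndex of the affected protection suite.
            self.counters["ipsecIpsecReplayErrors"] += 1
            return self._maybe_trap(now, IPSEC_TRAP_IPSEC_REPLAY_FAILURE, key)
        if kind == "ike_neg_failure":
            # The draft states no suppression rule for this trap: count the
            # failure, tally its notify message, and send the trap each time.
            code = event[3]
            self.counters["ipsecIkeNegFailures"] += 1
            self.notify_counts[code] += 1
            self.traps_sent.append((now, IPSEC_TRAP_IKE_NEG_FAILURE, (key, code)))
            return True
        raise ValueError("unknown event kind: %r" % (kind,))


# Constructed sample: a burst of bad-cookie packets from one peer, one from a
# second peer, two replays on one suite, and a phase 1 failure that carried
# NO-PROPOSAL-CHOSEN (notify message 14 from Appendix A).
SAMPLE_EVENTS = [
    (0.0, "invalid_cookie", "192.0.2.10"),
    (1.0, "invalid_cookie", "192.0.2.10"),
    (2.0, "invalid_cookie", "192.0.2.20"),
    (3.0, "invalid_cookie", "192.0.2.10"),
    (4.0, "replay", 7),
    (5.0, "replay", 7),
    (6.0, "ike_neg_failure", "192.0.2.20", 14),
    (70.0, "invalid_cookie", "192.0.2.10"),   # new window: trapped again
]


def run_sample(events=SAMPLE_EVENTS, trap_window=DEFAULT_TRAP_WINDOW):
    """Feed the events through a monitor and return it for inspection."""
    mon = IpsecMonitor(trap_window)
    for ev in events:
        mon.handle(ev)
    return mon


if __name__ == "__main__":
    m = run_sample()
    print(dict(m.counters), dict(m.notify_counts), m.traps_sent)
```

With the sample above, eight events yield five traps (three for the bursty peer collapse to one, and the 70 s packet opens a new window) while ipsecIkeProtocolErrors still reads 5.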