Internet Engineering Task Force              C. Madson, Cisco Systems Inc.
IPsec Working Group                          L. Temoshenko, Cisco Systems
INTERNET-DRAFT                               C. Pellecuru, Cisco Systems
Expires in six months                        B. Harrison, Tivoli Systems
                                             S. Ramakrishnan, Cisco Systems
                                             02 Mar 2003

                        IPsec Flow Monitoring MIB

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   This document is a submission to the IETF Internet Protocol Security
   Working Group. Comments are solicited and should be addressed to the
   working group mailing list (ipsec@lists.tislabs.com) or to the
   editor(s).

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   To learn the current status of any Internet-Draft, please check the
   "id-abstracts.txt" listing contained in the Internet-Drafts Shadow
   Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
   munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or
   ftp.isi.edu (US West Coast).

   Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2001-03). All Rights Reserved.

IPsec Working Group          Expires August 2003                [Page 1]

Internet Draft           IPsec Flow Monitoring MIB           17 Feb 2003

Abstract

   This document describes a high-level MIB for monitoring, accounting,
   trending and failure detection for IPsec-based networks.
   Optional features of the MIB include trending of IPsec-related
   metrics and archiving of VPN failures.

Table of Contents

   1. Introduction ..............................................3
   1.1 Overview ..................................................3
   1.2 The SNMPv2 Network Management Framework ...................4
   2. Architecture of the MIB ...................................5
   2.1 Support for Different Control Protocols ...................6
   3.1 IPsec Levels Group ........................................6
   3.2 IPsec Phase-1 Group .......................................6
   3.3 IPsec Phase-2 Group .......................................8
   3.4 IPsec History Group .......................................9
   3.4.1 Journaling Active Tunnels ...............................10
   3.5 IPsec Failure Group ......................................10
   3.6 IPsec Trap Control Group .................................11
   4. Elements Deferred to Future Versions ....................11
   5. MIB Definitions ..........................................12
   6. Intellectual Property ...................................147
   7. Acknowledgments .........................................148
   8. Security Considerations .................................148
   9. References ..............................................148
   10. Editors' Addresses ......................................150
   11. Expiration ..............................................151
   12. Full Copyright Statement ................................151

1. Introduction

1.1. Overview

   As VPN technology in the shape of IPsec is deployed, customers,
   particularly large enterprises and Service Providers, are requiring a
   standard way to monitor their VPNs. Service Providers in particular
   are often required to maintain service level agreements (SLAs) that
   guarantee quality and performance to their customers.
   In addition to this, the provider must be able to accurately bill
   customers. Both enterprise customers and providers collect usage
   statistics for capacity planning and to ensure sufficient resources
   are available for redundancy and high availability.

   This document defines a high level MIB for monitoring, trending and
   troubleshooting IPsec connections. The metrics defined by this MIB
   may be used to identify trends and enforce service level agreements.
   The troubleshooting functionality is in the form of records of
   failure events and traps sent as a result of operational failures
   during the setting up, tearing down and normal lifetime of IPsec
   flows. It is meant as an indication of failure to the personnel of a
   Network Operation Center.

   This MIB does not present in-depth low level debugging and diagnostic
   support that may be used by implementers of IPsec, but rather, it may
   be seen as complementary to such a MIB. This MIB does not provide
   support for the configuration of IPsec-capable devices.

   The definition presented is driven by customer requirements for a MIB
   encompassing statistics collection that may be used for accounting
   purposes, trending as well as status monitoring, error collection and
   real-time alerting via traps. The MIB has been designed based on
   specific requirements from service providers that want to offer an
   outsourced VPN service to customers, with the main focuses being:
   provision of services in such a way that satisfies Service Level
   Agreements, support for a multi-vendor environment, and incorporation
   with existing network management software.

   The MIB was designed in 1999 and has since evolved with the
   experience gained in its deployment in the field.

   While the MIB is likely to be deployed for managing IPsec VPNs, the
   MIB is not specific to this application of IPsec. The MIB may be used
   equally well to manage any IPsec-based network.

   Section 2 describes the architecture and abstractions defined by the
   MIB.
   This section is important for understanding the remaining sections.
   Section 3 describes the various object groups defined in the MIB.
   These include the Levels group, the IPsec Phase-1 group, the IPsec
   Phase-2 group, the history group, the VPN failure group and finally
   the notifications group. Important relationships between the groups
   have also been highlighted. Section 4 lists the items that are
   planned to be included in the MIB in the next revision. Section 5
   defines a collection of managed objects used to instrument IPsec
   structures and activities in the managed entity. Sections 6, 7, 8,
   9, 10 and 11 are administrative in nature.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

1.2. The SNMPv2 Network Management Framework

   The SNMP Management Framework presently consists of five major
   components:

   1) An overall architecture, described in RFC 2271 [2271].

   2) Mechanisms for describing and naming objects and events for the
      purpose of management. The first version of this Structure of
      Management Information (SMI) is called SMIv1 and described in
      RFC 1155 [1155], RFC 1212 [1212] and RFC 1215 [1215]. The second
      version, called SMIv2, is described in RFC 1902 [1902], RFC 1903
      [1903] and RFC 1904 [1904].

   3) Message protocols for transferring management information. The
      first version of the SNMP message protocol is called SNMPv1 and
      described in RFC 1157 [1157]. A second version of the SNMP
      message protocol, which is not an Internet standards track
      protocol, is called SNMPv2c and described in RFC 1901 [1901] and
      RFC 1906 [1906]. The third version of the message protocol is
      called SNMPv3 and described in RFC 1906 [1906], RFC 2272 [2272]
      and RFC 2274 [2274].

   4) Protocol operations for accessing management information.
      The first set of protocol operations and associated PDU formats
      is described in RFC 1157 [1157]. A second set of protocol
      operations and associated PDU formats is described in RFC 1905
      [1905].

   5) A set of fundamental applications described in RFC 2273 [2273]
      and the view-based access control mechanism described in
      RFC 2275 [2275].

2. Architecture of the MIB

   This section provides a view of the overall architecture, and
   describes the major MIB groups and table definitions. The MIB covers
   both Phase 1 Security Associations (SAs) and Phase 2 or IPsec SAs.
   An example of Phase 1 structures are the SAs created by the Internet
   Key Exchange (IKE) protocol.

   The key component of this MIB is the abstraction of a traffic flow
   or a "tunnel". A tunnel signifies a sustained application traffic
   flow.

   A Phase 1 tunnel (IKE tunnel) is represented by a single ISAKMP SA
   which has been established after a successful completion of Phase 1.
   When the ISAKMP SA expires or is terminated, the tunnel is deemed to
   cease to exist as well.

      (ISAKMP SA                                      (ISAKMP SA
       created)                                         expires)
           |<----------------[ISAKMP SA]------------------>|
           |<--------------- Phase 1 Tunnel -------------->|

   In the context of Phase 2 SAs, an "IPsec tunnel" is defined as the
   virtual link formed by successive Phase 2 SA bundles that share the
   same Phase 2 proxy identifiers. When the last SA bundle expires and
   is not replaced by a new SA bundle, the tunnel is said to expire.

      (Start of application traffic)
           [SA bundle 1]----->|
                              [SA bundle 2]----->|
                                                 [SA bundle 3]----->|
                                               (End of application traffic)
           |<---------------- Phase 2 Tunnel ---------------->|

   Another key component of this MIB is the monitoring of large numbers
   of dynamic tunnels.
   In the case of clients initiating connections to a gateway, it is
   not usually possible for the gateway to have knowledge of all the
   attributes of the client, in particular the identity of the client,
   before the start of the session. The MIB must support these dynamic
   connections in addition to the static tunnels that usually exist
   between gateway devices.

   The information provided in the MIB includes statistics on
   individual SAs as well as global totals, which allows the provider
   to report on individual customer SLAs as well as to monitor the
   overall health of the VPN service. Statistics are provided on packet
   counts and drops, notify messages, failures, deletes and exchanges
   between peers. This information is presented in the form of groups
   that cover specific aspects of the VPN to facilitate accurate
   evaluation of performance and the generation of meaningful reports.

2.1 Support for Different Control Protocols

   This document uses the term Control Protocol to denote the protocol
   used to set up and maintain the IPsec (Phase 2) SAs. The
   architecture of the MIB supports the instrumentation of any control
   protocol. The current version of the MIB defines an IKE group to
   support the deployment of IPsec with IKE. This is an optional group
   and hence need not be implemented to claim compliance with the MIB.
   As newer control protocols are standardized (IKEv2, KINK, etc.), the
   modules for these protocols can be plugged into this MIB as other
   optional groups.

3. MIB Group Definitions

   This section outlines the major MIB groups and table definitions.
   The MIB covers both Phase 1 or Internet Key Exchange SAs and Phase 2
   or IPsec SAs.

3.1. IPsec Levels Group

   The Levels Group consists of global single instance objects accessed
   using an index of zero. Currently, the MIB Level object is the only
   object contained in this group.
   Initially the value of this object will be one (1) and it will be
   incremented as changes are made to the MIB.

3.2. IPsec Phase-1 Group

   This group provides global statistics for all Phase 1 tunnels,
   active and previous. The Internet Key Exchange Peer Table defines
   the peers involved in any Phase 1 tunnel associated with active
   Phase 2 tunnels. Statistics for each active Phase 1 tunnel
   (including policy attributes) are contained in the IKE Tunnel table,
   and the IKE Peer Association to Phase 2 Tunnel Correlation Table
   provides a link between each Phase 1 peer entry and any associated
   active Phase 2 tunnels.

   ikeGlobalStats     All Phase 1 Tunnel Stats including statistics
                      pertaining to IKE mode configuration.

   ikeTunnelTable
     IkeTunnelEntry -----> ikePeerEntryTable
                             IkePeerEntry -----> ikePeerCorrTable
                                                   IkePeerCorrEntry -----> ipSecTunnelTable
                                                                             IpSecTunnelEntry

   The relationships modeled in the Phase-1 group are as follows:

         .--------------.             .----------------.
         |    Phase1    |             |Control Protocol|
         |     Peer     |---------->> |  (IKE) Tunnel  |
         |    Table     |             |     Table      |
         `--------------'             `----------------'
               ^ ^                          ^ ^
               | .                          | .
         .--------------.             .--------------.
         | Phase1 Peer  |             |    IPsec     |
         | Correlation  |-----------> |    Tunnel    |
         |    Table     |             |    Table     |
         `--------------'             `--------------'

   A single arrow (>) represents a 1:1 relation. A double arrow (>>)
   represents a 1:n relationship. A dotted arrow (...) represents a
   relationship that is defined as a "softlink", i.e., a relationship
   that is implemented in the software but which is not enforced by
   SMI.

   The relationship between an IPsec tunnel and the Control tunnel that
   negotiated that IPsec tunnel is implemented using a softlink in
   order to facilitate "dangling" IPsec implementations (i.e.,
   implementations where an ISAKMP SA may expire prior to the expiry of
   the Phase-2 SAs that were negotiated using the ISAKMP SA). Note that
   control tunnel types other than IKE can be accommodated using this
   architecture.
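   The tunnel abstraction of section 2 (a Phase 2 tunnel as the
   succession of SA bundles sharing one pair of proxy identifiers) and
   the softlink just described, including the dangling case in which
   the ISAKMP SA expires before the Phase 2 SAs it negotiated, worked
   through as an added example. This is illustrative Python written for
   this page, not code from the draft; the table layout, the event
   names and the constructed peer and bundle values are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ProxyIds = Tuple[str, str]   # (IDii, IDir): the Phase 2 proxy identifiers


@dataclass
class IkeTunnel:
    """One ISAKMP SA, i.e. one Phase 1 (control) tunnel."""
    index: int
    peer: str
    active: bool = True


@dataclass
class IpSecTunnel:
    """One Phase 2 tunnel: the succession of SA bundles sharing proxy_ids."""
    index: int
    proxy_ids: ProxyIds
    control_index: int            # softlink to the IKE tunnel that negotiated it
    bundles: List[int] = field(default_factory=list)   # ids of live SA bundles
    bundles_seen: int = 0         # a rekey adds a bundle, not a new tunnel


class FlowTables:
    """Active and history tables for Phase 1 and Phase 2 tunnels (assumed shape)."""

    def __init__(self) -> None:
        self.ike_active: Dict[int, IkeTunnel] = {}
        self.ike_history: Dict[int, IkeTunnel] = {}
        self.ipsec_active: Dict[int, IpSecTunnel] = {}
        self.ipsec_history: Dict[int, IpSecTunnel] = {}
        self._tunnel_by_proxy: Dict[ProxyIds, int] = {}
        self._bundle_owner: Dict[int, int] = {}
        self._next_ike = 1
        self._next_ipsec = 1

    # ---- Phase 1 --------------------------------------------------------
    def ike_sa_created(self, peer: str) -> int:
        idx, self._next_ike = self._next_ike, self._next_ike + 1
        self.ike_active[idx] = IkeTunnel(idx, peer)
        return idx

    def ike_sa_expired(self, idx: int) -> None:
        # The ISAKMP SA is gone but the Phase 2 SAs it negotiated may live on;
        # the IPsec tunnels are left untouched and their softlink dangles.
        tun = self.ike_active.pop(idx)
        tun.active = False
        self.ike_history[idx] = tun

    # ---- Phase 2 --------------------------------------------------------
    def sa_bundle_created(self, proxy_ids: ProxyIds, bundle_id: int,
                          control_index: int) -> int:
        """A new bundle either starts a tunnel or rekeys the existing one."""
        idx = self._tunnel_by_proxy.get(proxy_ids)
        if idx is None:
            idx, self._next_ipsec = self._next_ipsec, self._next_ipsec + 1
            self.ipsec_active[idx] = IpSecTunnel(idx, proxy_ids, control_index)
            self._tunnel_by_proxy[proxy_ids] = idx
        tun = self.ipsec_active[idx]
        tun.bundles.append(bundle_id)
        tun.bundles_seen += 1
        self._bundle_owner[bundle_id] = idx
        return idx

    def sa_bundle_expired(self, bundle_id: int) -> Optional[int]:
        """Returns the tunnel index only if this expiry ended the tunnel."""
        idx = self._bundle_owner.pop(bundle_id)
        tun = self.ipsec_active[idx]
        tun.bundles.remove(bundle_id)
        if tun.bundles:            # a newer bundle replaced it: tunnel lives on
            return None
        del self.ipsec_active[idx]
        del self._tunnel_by_proxy[tun.proxy_ids]
        self.ipsec_history[idx] = tun
        return idx

    # ---- softlink resolution -------------------------------------------
    def resolve_control(self, ipsec_index: int) -> Tuple[str, Optional[IkeTunnel]]:
        """Follow the softlink; the control tunnel may already be history."""
        tun = self.ipsec_active.get(ipsec_index) or self.ipsec_history[ipsec_index]
        if tun.control_index in self.ike_active:
            return "active", self.ike_active[tun.control_index]
        if tun.control_index in self.ike_history:
            return "history", self.ike_history[tun.control_index]
        return "unknown", None     # phased out of the history table

    def dangling_tunnels(self) -> List[int]:
        """Active IPsec tunnels whose negotiating IKE tunnel is no longer active."""
        return [i for i, t in self.ipsec_active.items()
                if t.control_index not in self.ike_active]


def demo() -> FlowTables:
    """Constructed scenario: one peer, one flow, one rekey, IKE SA expires first."""
    ft = FlowTables()
    ike = ft.ike_sa_created("203.0.113.5")
    flow = ("10.1.0.0/16", "10.2.0.0/16")
    ft.sa_bundle_created(flow, 0x1001, ike)       # tunnel starts
    ft.sa_bundle_created(flow, 0x1002, ike)       # rekey: same tunnel
    ft.sa_bundle_expired(0x1001)                  # old bundle gone, tunnel alive
    ft.ike_sa_expired(ike)                        # Phase 2 tunnel now dangles
    return ft
```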
   As the diagram above illustrates, there can be one or more IKE
   tunnels between a Phase 1 peer pair. There can be one or more IPsec
   tunnels between a given Phase 1 peer pair. When there are no Control
   (such as IKE) or IPsec tunnels to a peer, the peer entry
   corresponding to that peer is removed from the Phase 1 Peer table.

3.3. IPsec Phase-2 Group

   This group defines six subgroups. The first is a Global Statistics
   table that accumulates statistics pertaining to various Phase-2
   activities and tunnel statistics from all active and previous Phase
   2 tunnels.

   The second group defines the active Phase 2 IPsec tunnel table. Each
   entry in this table corresponds to a single active Phase-2 IPsec
   flow on the managed entity and includes the algorithms used and
   counts of activities such as the number of packets successfully
   encrypted or the number of encryption failures.

   The tunnel endpoint table forms the third subgroup under the Phase 2
   group. This table identifies the clients using the active IPsec
   flows and the protocols riding on the flows. The clients are
   subnets, hosts or collections of IP addresses. The protocol for
   which the flow was set up is identified using the id of the protocol
   and the port number (e.g., SMTP = TCP/25). Since endpoints are
   associated with active IPsec tunnels, each entry in the endpoint
   table refers to an entry in the active IPsec tunnel table.

   The fourth subgroup under the Phase-2 group is the IPsec security
   association table (ipSecSaTable). This table identifies the
   structure of each active IPsec tunnel by mapping the active IPsec
   tunnel into its component security associations. This table
   deprecates the previously defined ipSecSpiTable.
   ipSecGlobalStats   All Phase 2 Tunnel Stats

   ipSecTunnelTable
     IpSecTunnelEntry -----> ipSecEndptTable
                               IpSecEndptEntry -----> ipSecSaTable
                                                        IpSecSaEntry (Inbound)
                                                        IpSecSaEntry (Outbound)

   The relationships modeled in the Phase-2 group are as follows:

         .----------------.
         |Control Protocol|
         |  (IKE) Tunnel  |
         |     Table      |
         `----------------'
               ^ ^
               . .
         .--------------.             .--------------.
         |    IPsec     |             |  End Point   |
         |    Tunnel    |<----------- |    Table     |
         |    Table     |             |              |
         `--------------'             `--------------'
               ^ ^
               | |
         .--------------.
         |    IPsec     |
         |      SA      |
         |    Table     |
         `--------------'

   As the diagram above illustrates, for every entry in the End Point
   table, there is a unique entry in the active IPsec tunnel table. A
   number of entries in the IPsec SA table map to a specific entry in
   the IPsec tunnel table. This is because an IPsec tunnel is composed
   of at least two Phase-2 security associations. Note also that the
   relationship between Phase-2 IPsec tunnels and Phase-1 IKE tunnels
   is n:1 and is implemented as a softlink, to accommodate dangling
   IPsec implementations.

3.4. IPsec History Group

   This group includes tables for Phase-1 Tunnel History, Phase-2
   Tunnel History, and Phase-2 Endpoint History. The number of entries
   in each table is defined by the value of ipSecHistTableSize. The
   tables cover Phase 1 and Phase 2 statistics based on accumulating
   packet and octet counts and failures based on security policy
   parameters and tunnel lifetimes. Examples are a count of the total
   number of octets encrypted using 3DES, or the number of
   authentication failures when the algorithm used was MD5.

   The relationships modeled in the History group are as follows:

         .--------------.
         |  IKE Tunnel  |
         |   History    |
         |    Table     |
         `--------------'
               ^ ^
               . .
         .--------------.             .--------------.
         | IPsec Tunnel |             |   Phase 2    |
         |   History    | <---------- |   EndPoint   |
         |    Table     |             | History Table|
         `--------------'             `--------------'

   For every entry in the End Point History table, there is a unique
   entry in the IPsec Tunnel History table. This is because when an
   IPsec tunnel expires, the end point entry associated with the tunnel
   expires also. Also note that the IKE tunnel that negotiated an
   expired instance of an IPsec tunnel may not be present in the IKE
   Tunnel History table; the IKE tunnel may instead still be in the
   active IKE tunnel table.

   Implementation Hint: The history group may be implemented using ring
   buffers of the prescribed maximum size. This will automatically
   cause the oldest entry to be phased out to accommodate a new entry,
   should the buffer be full.

3.4.1. Journaling Active Tunnels

   The history group also allows for journaling active Phase 1 and
   Phase 2 sessions by taking a snapshot of the active tunnels into the
   respective history tables whenever required. By setting an
   appropriate value in the MIB object ipSecHistCheckPoint, the
   operator may initiate a snapshot operation.

3.5. IPsec Failure Group

   This group includes tables for Phase 1 and Phase 2 failures.
   Failures include:

   1) tunnel setup failures (the failure of a tunnel to be set up);

   2) tunnel operational failures (the tunnel was set up, but was
      terminated before the negotiated lifetime expired).

   The size of each table is dependent on the value of the
   ipSecFailTableSize object. Each failure entry for either Phase 1 or
   2 includes the specific reason for the failure, for example a CRL
   failure, and the time of the failure.

   There are two tables in the failure group - one corresponding to
   failures of Phase-1 operations (IKE failures) and the second
   corresponding to Phase-2 failures. There is no specific relationship
   between the two tables modeled in this group.
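   The ring-buffer implementation hint for the history and failure
   groups, the checkpoint journaling of section 3.4.1 and the way a
   failure entry is correlated with its tunnel history entry, worked
   through as an added example in Python. It is not code from the
   draft; the record fields, the constructed peers and reasons, and the
   assumption that any non-zero write to ipSecHistCheckPoint triggers
   exactly one snapshot are the example's own.

```python
from collections import deque
from dataclasses import dataclass, replace
from typing import Deque, Dict, List, Optional


@dataclass
class TunnelRecord:
    """The part of an active Phase 2 tunnel entry that survives into history."""
    index: int
    peer: str
    in_octets: int
    out_octets: int
    active: bool = True      # True for a checkpoint snapshot, False once expired


@dataclass
class FailureRecord:
    tunnel_index: int
    reason: str              # e.g. a CRL failure or an early termination
    time: int                # constructed timestamp, seconds


class HistoryAndFailureGroups:
    """History and failure tables as bounded ring buffers (the draft's hint)."""

    def __init__(self, hist_table_size: int, fail_table_size: int) -> None:
        # deque(maxlen=...) discards the oldest entry when a new one arrives
        # and the buffer is full, which is exactly the ring-buffer behaviour.
        self.ipsec_hist: Deque[TunnelRecord] = deque(maxlen=hist_table_size)
        self.ipsec_fail: Deque[FailureRecord] = deque(maxlen=fail_table_size)
        self.active: Dict[int, TunnelRecord] = {}
        self.hist_check_point = 0   # stands in for ipSecHistCheckPoint

    def tunnel_started(self, index: int, peer: str) -> None:
        self.active[index] = TunnelRecord(index, peer, 0, 0)

    def traffic(self, index: int, in_octets: int, out_octets: int) -> None:
        self.active[index].in_octets += in_octets
        self.active[index].out_octets += out_octets

    def tunnel_expired(self, index: int) -> TunnelRecord:
        """Normal end of life: the tunnel entry moves to the history table."""
        rec = self.active.pop(index)
        rec.active = False
        self.ipsec_hist.append(rec)
        return rec

    def tunnel_failed(self, index: int, reason: str, now: int) -> None:
        """Operational failure: a failure entry plus the usual history entry."""
        self.ipsec_fail.append(FailureRecord(index, reason, now))
        self.tunnel_expired(index)

    def set_hist_check_point(self, value: int) -> int:
        """Journal the active tunnels. Assumed here: any non-zero write takes
        one snapshot; the draft only says an 'appropriate value' does."""
        self.hist_check_point = value
        if value == 0:
            return 0
        for rec in sorted(self.active.values(), key=lambda r: r.index):
            self.ipsec_hist.append(replace(rec, active=True))   # a copy, not a move
        return len(self.active)

    def history_for_failure(self, fail: FailureRecord) -> Optional[TunnelRecord]:
        """The history entry that matches a failure, or None once it has been
        phased out of the ring buffer to make room for newer entries."""
        for rec in self.ipsec_hist:
            if rec.index == fail.tunnel_index and not rec.active:
                return rec
        return None

    def history_indices(self) -> List[int]:
        return [r.index for r in self.ipsec_hist]


def demo() -> HistoryAndFailureGroups:
    """Constructed scenario with deliberately small tables so entries age out."""
    g = HistoryAndFailureGroups(hist_table_size=3, fail_table_size=2)
    for i, peer in enumerate(("198.51.100.1", "198.51.100.2",
                              "198.51.100.3", "198.51.100.4"), start=1):
        g.tunnel_started(i, peer)
    g.traffic(1, 4000, 1200)
    g.tunnel_expired(1)                              # hist: [1]
    g.tunnel_failed(2, "CRL failure", now=1000)      # hist: [1, 2]   fail: [2]
    g.set_hist_check_point(1)                        # hist: [2, 3*, 4*] (1 aged out)
    return g
```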
   Note, however, that for every tunnel failure recorded in the failure
   group, there is an entry in the corresponding (IKE or IPsec) Tunnel
   History table (unless such an entry has been phased out to
   accommodate a new entry).

   Implementation Hint: The failure group may be implemented using ring
   buffers of the prescribed maximum size. This will automatically
   cause the oldest entry to be phased out to accommodate a new entry,
   should the buffer be full.

3.6. IPsec Trap Control Group

   This group controls the sending of IPsec traps. Traps are considered
   to include both error conditions and any events that cause a change
   in state on the device. Events that trigger traps include normal
   events such as tunnel starts and stops and failure events such as
   early tunnel terminations, receipt of an invalid SPI, system errors,
   failure to establish tunnels, certificate failures and protocol
   errors.

4. Elements Deferred to Future Versions

   A number of information elements relevant to the management of
   IPsec-based VPNs have been postponed to the next revision of this
   document. These include the following.

   1) Support for Stream Control Transmission Protocol

      Apart from the inclusion of a new IKE ID type, SCTP requires that
      an IKE/IPsec tunnel be able to support multiple endpoint entries
      (selectors). Hence the mapping between the IPsec tunnel table and
      the End Point table must be made 1:n.

   2) Support for KINK

      As details pertaining to KINK are resolved, the Phase 1 group in
      the MIB will be redefined to support multiple key management
      protocols.

   3) Multicast/GDOI

      A future version of this MIB will include support for group
      key-negotiations and multicast over IPsec.

   4) NAT with IPsec

      Many implementations use UDP encapsulation to support NAT with
      IPsec. The Phase-1 and Phase-2 tunnel tables will be expanded to
      include attributes pertaining to this configuration.

5. MIB Definitions

   IPSEC-FLOW-MONITOR-MIB DEFINITIONS ::= BEGIN

   -- PREFACE:
   -- IPSEC-FLOW-MONITOR-MIB Module models
   -- the standard, dynamic aspects of IPsec.
   -- These include counters and objects that are of
   -- management interest in a standard IPSec
   -- implementation. The MIB does not define
   -- vendor-specific IPSec attributes.

   IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE,
       Counter32, Counter64, Gauge32, Integer32, experimental
           FROM SNMPv2-SMI
       TEXTUAL-CONVENTION, DisplayString, TimeStamp,
       TimeInterval, TruthValue
           FROM SNMPv2-TC
       MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
           FROM SNMPv2-CONF
       ControlProtocol, Phase1PeerIdentityType, IkeNegoMode,
       IkeHashAlgo, IkeAuthMethod, DiffHellmanGrp, EncapMode,
       EncryptAlgo, Spi, AuthAlgo, CompAlgo, EndPtType
           FROM IPSEC-FLOW-MIB-TC;

   ipSecFlowMonitorMIB MODULE-IDENTITY
       LAST-UPDATED "200302171158Z"
       ORGANIZATION "Tivoli Systems and Cisco Systems"
       CONTACT-INFO
           "Tivoli Systems
            Research Triangle Park, NC

            Cisco Systems
            170 W Tasman Drive
            San Jose, CA  95134
            USA

            Tel: +1 800 553-NETS
            E-mail: harrisob@us.ibm.com
                    cs-ipsecmib@external.cisco.com"
       DESCRIPTION
           "This is a MIB Module for monitoring the structure and
           status of IPSec-based networks. The MIB has been designed
           to be adopted as an IETF standard. Hence vendor-specific
           features of the IPSec protocol are excluded from this MIB.

           Acronyms
           The following acronyms are used in this document:

           IPSec:  Secure IP Protocol
           VPN:    Virtual Private Network
           ISAKMP: Internet Security Association and Key Exchange
                   Protocol
           IKE:    Internet Key Exchange Protocol
           SA:     Security Association
           MM:     Main Mode - the process of setting up a Phase 1 SA
                   to secure the exchanges required to setup Phase 2
                   SAs
           QM:     Quick Mode - the process of setting up Phase 2
                   Security Associations using a Phase 1 SA.
           Phase 1 Tunnel: An ISAKMP SA can be regarded as representing
                           a flow of ISAKMP/IKE traffic. Hence an
                           ISAKMP SA is referred to as a 'Phase 1
                           Tunnel' in this document.

           Control Tunnel: Another term for a Phase 1 Tunnel.

           Phase 2 Tunnel: An instance of a non-ISAKMP SA bundle in
                           which all the SAs share the same proxy
                           identifiers (IDii, IDir) and protect the
                           same stream of application traffic. Such an
                           SA bundle is termed a 'Phase 2 Tunnel'. Note
                           that a Phase 2 tunnel may comprise different
                           SA bundles and a different number of SA
                           bundles at different times (due to key
                           refresh).

           Overview of IPsec MIB

           The MIB contains six major groups of objects which are used
           to manage the IPSec Protocol. These groups include a Levels
           Group, a Phase-1 Group, a Phase-2 Group, a History Group, a
           Failure Group and a TRAP Control Group. The following table
           illustrates the structure of the IPSec MIB.

           The Phase 1 group models objects pertaining to IKE
           negotiations and Phase 1 tunnels.

           The Phase 2 group models objects pertaining to IPSec data
           tunnels.

           The History group is to aid applications that do trending
           analysis.

           The Failure group is to enable an operator to do
           troubleshooting and debugging of the VPN Router. Further,
           counters are supported to aid detection of potential
           security violations.

           In addition to the five major MIB Groups, there are a
           number of Notifications. The following table illustrates
           the name and description of the IPSec TRAPs.

           For a detailed discussion, please refer to the IETF draft
           draft-ietf-ipsec-flow-monitoring-mib-01.txt.
           "
       REVISION "9911041800Z"
       DESCRIPTION
           "Initial version of this MIB module proposed to IETF."
       REVISION "2001031200Z"
       DESCRIPTION
           "Phase-1 group updated with mode config metrics in globals
           as well as IKE peer table. Phase-2 group updated with new
           group metrics. New group failures added to Failure group.
           Notifications pertaining to new group added.
           SPI table deprecated and an updated IPsec SA table added.
           Compliance clauses updated."
       REVISION "200303021158Z"
       DESCRIPTION
           "Third submission of the draft to IETF. Changes incorporated
           based on comments received on the second draft. Highlights:
           1) IKE Group made optional.
           2) Provision to accommodate other Phase 1 protocols.
           3) Phase 1 Peer Association table decoupled from IKE group.
           4) Local and Remote value indices to Phase 1 Peer
              Association table constrained to 128-bit length by MD5
              hashing.
           5) Mapping of Phase 2 tunnels to Phase 1 tunnels made
              generic (non-IKE).
           6) Phase 1 traps redefined as `Control Channel' traps.
           7) High capacity counters defined for Phase-1 and Phase-2
              expired counters."
       -- Placeholder anchor
       --::= { xxx 171 }
       ::= { experimental 171 }

   -- +++++++++++++++++++++++++++++++++++++++++++++++++++
   -- Local Textual Conventions
   -- +++++++++++++++++++++++++++++++++++++++++++++++++++

   HashedString ::= TEXTUAL-CONVENTION
       STATUS      current
       DESCRIPTION
           "128-bit MD5 output string of an input string"
       SYNTAX      OCTET STRING(SIZE(16))

   IPSIpAddress ::= TEXTUAL-CONVENTION
       STATUS      current
       DESCRIPTION
           "An IP V4 or V6 Address."
       SYNTAX      OCTET STRING(SIZE(4 | 16))  -- IP V4 or V6 Address

   IkePeerType ::= TEXTUAL-CONVENTION
       STATUS      deprecated
       DESCRIPTION
           "The type of IPsec Phase-1 IKE peer identity. The IKE peer
           may be identified by one of the ID types defined in IPSEC
           DOI. This textual convention has been deprecated in favour
           of the more generic `Phase1PeerType' (defined in module
           IPSEC-FLOW-MIB-TC)."
       SYNTAX      INTEGER {
                       reserved(0),
                       id_ipv4_addr(1),
                       id_fqdn(2),
                       id_dn(3),
                       id_ipv6_addr(4)
                   }

   KeyType ::= TEXTUAL-CONVENTION
       STATUS      deprecated
       DESCRIPTION
           "The type of key used by an IPsec Phase-2 Tunnel. This
           textual convention has been deprecated and has been
           replaced by the standard textual convention ControlProtocol
           (defined in module IPSEC-FLOW-MIB-TC)."
       SYNTAX      INTEGER {
                       reserved(0),
                       key_ike(1),
                       key_manual(2),
                       key_kink(3),
                       key_ikev2(4)
                   }

   TunnelStatus ::= TEXTUAL-CONVENTION
       STATUS      current
       DESCRIPTION
           "The status of a Tunnel. Objects of this type may be used to
           bring the tunnel down by setting the value of this object to
           destroy(4). Objects of this type cannot be used to create a
           Tunnel."
       SYNTAX      INTEGER {
                       reserved(0),
                       awaitXauth(1),   -- in Phase 1.5
                       awaitCommit(2),  -- waiting for commit bit
                       active(3),       -- ready for QM
                       destroy(4)
                   }

   TrapStatus ::= TEXTUAL-CONVENTION
       STATUS      current
       DESCRIPTION
           "The administrative status for sending a TRAP."
       SYNTAX      INTEGER {
                       reserved(0),
                       enabled(1),
                       disabled(2)
                   }

   -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
   -- IPsec MIB Object Groups
   --
   -- This MIB module contains the following groups:
   -- 1) IPsec Levels Group
   -- 2) IPsec Phase-1 Group
   -- 3) IPsec Phase-2 Group
   -- 4) IPsec History Group
   -- 5) IPsec Failure Group
   -- 6) IPsec TRAP Control Group
   -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

   ipSecMIBObjects OBJECT IDENTIFIER ::= { ipSecFlowMonitorMIB 1 }

   ipSecLevels     OBJECT IDENTIFIER ::= { ipSecMIBObjects 1 }
   ipSecPhaseOne   OBJECT IDENTIFIER ::= { ipSecMIBObjects 2 }
   ipSecPhaseTwo   OBJECT IDENTIFIER ::= { ipSecMIBObjects 3 }
   ipSecHistory    OBJECT IDENTIFIER ::= { ipSecMIBObjects 4 }
   ipSecFailures   OBJECT IDENTIFIER ::= { ipSecMIBObjects 5 }
   ipSecTrapCntl   OBJECT IDENTIFIER ::= { ipSecMIBObjects 6 }

   -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
   -- IPsec Levels Group
   --
   -- This group consists of a:
   -- 1) IPsec MIB Level
   -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

   ipSecMibLevel OBJECT-TYPE
       SYNTAX      Integer32 (1..4096)
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The version of the IPsec MIB."
       ::= { ipSecLevels 1 }

   -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
   -- The IPsec Phase-1 Internet Key Exchange (IKE) Group
   --
   -- This group consists of:
   -- 1) IPsec Phase-1 Global Statistics
   -- 2) IPsec Phase-1 Peer Table
   -- 3) IPsec Phase-1 Tunnel Table
   -- 4) IPsec Phase-1 Correlation Table
   -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

   -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
   -- The IPsec Phase-1 Global Statistics
   -- This entire group is optional and needs to be implemented
   -- only if the managed entity supports IKE.
   -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

   ikeGroup        OBJECT IDENTIFIER ::= { ipSecPhaseOne 1 }
   ikeGlobalStats  OBJECT IDENTIFIER ::= { ikeGroup 1 }

   ikeGlobalActiveTunnels OBJECT-TYPE
       SYNTAX      Gauge32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of currently active IPsec Phase-1 IKE Tunnels.
           This is equal to the number of ISAKMP SAs currently active."
       ::= { ikeGlobalStats 1 }

   ikeGlobalPreviousTunnels OBJECT-TYPE
       SYNTAX      Counter32
       UNITS       "SAs"
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of previously active IPsec Phase-1 IKE
           Tunnels. This is equal to the total number of ISAKMP SAs
           that were active since the bootup of the device but which
           have since expired."
       ::= { ikeGlobalStats 2 }

   ikeGlobalInOctets OBJECT-TYPE
       SYNTAX      Counter32
       UNITS       "Octets"
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of octets received by all currently and
           previously active IPsec Phase-1 IKE Tunnels."
       ::= { ikeGlobalStats 3 }

   ikeGlobalInPkts OBJECT-TYPE
       SYNTAX      Counter32
       UNITS       "Packets"
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of packets received by all currently and
           previously active IPsec Phase-1 IKE Tunnels."
       ::= { ikeGlobalStats 4 }

   ikeGlobalInDropPkts OBJECT-TYPE
       SYNTAX      Counter32
       UNITS       "Packets"
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of packets which were dropped during
           receive processing by all currently and previously active
           IPsec Phase-1 IKE Tunnels."
       ::= { ikeGlobalStats 5 }

   ikeGlobalInNotifys OBJECT-TYPE
       SYNTAX      Counter32
       UNITS       "Notification Payloads"
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of notifys received by all currently and
           previously active IPsec Phase-1 IKE Tunnels."
       ::= { ikeGlobalStats 6 }

   ikeGlobalInP2Exchgs OBJECT-TYPE
       SYNTAX      Counter32
       UNITS       "SA Payloads"
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of IPsec Phase-2 exchanges received by
           all currently and previously active IPsec Phase-1 IKE
           Tunnels."
       ::= { ikeGlobalStats 7 }

   ikeGlobalInP2ExchgInvalids OBJECT-TYPE
       SYNTAX      Counter32
       UNITS       "SA Payloads"
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of IPsec Phase-2 exchanges which were
           received and found to contain references to unrecognized
           security parameters. This value is accumulated across all
           currently and previously active IPsec ISAKMP SAs."
       ::= { ikeGlobalStats 8 }

   ikeGlobalInP2ExchgRejects OBJECT-TYPE
       SYNTAX      Counter32
       UNITS       "SA Payloads"
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of IPsec Phase-2 exchanges which were
           received and validated but were rejected by the local
           policy. This value is accumulated across all currently and
           previously active IPsec ISAKMP SAs."
::= { ikeGlobalStats 9 } ikeGlobalInP2SaDelRequests OBJECT-TYPE SYNTAX Counter32 UNITS "Notification Payloads" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of IPsec Phase-2 security association delete requests received by all currently and previously active and IPsec Phase-1 IKE Tunnels." ::= { ikeGlobalStats 10 } ikeGlobalOutOctets OBJECT-TYPE SYNTAX Counter32 UNITS "Octets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of octets sent by all currently and previously active and IPsec Phase-1 IKE Tunnels." ::= { ikeGlobalStats 11 } ikeGlobalOutPkts OBJECT-TYPE SYNTAX Counter32 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets sent by all currently and previously active and IPsec Phase-1 Tunnels." ::= { ikeGlobalStats 12 } ikeGlobalOutDropPkts OBJECT-TYPE SYNTAX Counter32 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets which were dropped IPsec Working Group Expires September 2003 [Page 21] Internet Draft IPsec Flow Monitoring MIB 3 Mar 2003 during send processing by all currently and previously active IPsec Phase-1 IKE Tunnels." ::= { ikeGlobalStats 13 } ikeGlobalOutNotifys OBJECT-TYPE SYNTAX Counter32 UNITS "Notification Payloads" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of notifys sent by all currently and previously active IPsec Phase-1 IKE Tunnels." ::= { ikeGlobalStats 14 } ikeGlobalOutP2Exchgs OBJECT-TYPE SYNTAX Counter32 UNITS "SA Payloads" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of IPsec Phase-2 exchanges which were sent by all currently and previously active IPsec Phase-1 IKE Tunnels." ::= { ikeGlobalStats 15 } ikeGlobalOutP2ExchgInvalids OBJECT-TYPE SYNTAX Counter32 UNITS "SA Payloads" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of IPsec Phase-2 exchanges which were sent and were flagged by the peer to contain references to unrecognized security parameters. 
This value is accumulated across all currently and previously active IPsec ISAKMP SAs." ::= { ikeGlobalStats 16 } ikeGlobalOutP2ExchgRejects OBJECT-TYPE SYNTAX Counter32 UNITS "SA Payloads" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of IPsec Phase-2 exchanges which were sent, validated by the peer but were IPsec Working Group Expires September 2003 [Page 22] Internet Draft IPsec Flow Monitoring MIB 3 Mar 2003 rejected by the peer's policy. This value is accumulated across all currently and previously active IPsec ISAKMP SAs." ::= { ikeGlobalStats 17 } ikeGlobalOutP2SaDelRequests OBJECT-TYPE SYNTAX Counter32 UNITS "Notification Payloads" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of IPsec Phase-2 SA delete requests sent by all currently and previously active IPsec Phase-1 IKE Tunnels." ::= { ikeGlobalStats 18 } ikeGlobalInitTunnels OBJECT-TYPE SYNTAX Counter32 UNITS "SAs" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of IPsec Phase-1 IKE Tunnels which were locally initiated." ::= { ikeGlobalStats 19 } ikeGlobalInitTunnelFails OBJECT-TYPE SYNTAX Counter32 UNITS "SAs" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of IPsec Phase-1 IKE Tunnels which were locally initiated and failed to activate." ::= { ikeGlobalStats 20 } ikeGlobalRespTunnelFails OBJECT-TYPE SYNTAX Counter32 UNITS "SAs" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of IPsec Phase-1 IKE Tunnels which were remotely initiated and failed to activate." ::= { ikeGlobalStats 21 } ikeGlobalSysCapFails OBJECT-TYPE IPsec Working Group Expires September 2003 [Page 23] Internet Draft IPsec Flow Monitoring MIB 3 Mar 2003 SYNTAX Counter32 UNITS "Failures" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of system capcity failures which occurred during processing of all current and previously active IPsec Phase-1 IKE Tunnels." 
::= { ikeGlobalStats 22 } ikeGlobalAuthFails OBJECT-TYPE SYNTAX Counter32 UNITS "Failures" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of authentications which ended in failure by all current and previous IPsec Phase-1 IKE Tunnels." ::= { ikeGlobalStats 23 } ikeGlobalDecryptFails OBJECT-TYPE SYNTAX Counter32 UNITS "Failures" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of decryptions which ended in failure by all current and previous IPsec Phase-1 IKE Tunnels." ::= { ikeGlobalStats 24 } ikeGlobalHashValidFails OBJECT-TYPE SYNTAX Counter32 UNITS "Failures" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of hash validations which ended in failure by all current and previous IPsec Phase-1 IKE Tunnels." ::= { ikeGlobalStats 25 } ikeGlobalNoSaFails OBJECT-TYPE SYNTAX Counter32 UNITS "Failures" MAX-ACCESS read-only IPsec Working Group Expires September 2003 [Page 24] Internet Draft IPsec Flow Monitoring MIB 3 Mar 2003 STATUS current DESCRIPTION "The total number of non-existent Security Association in failures which occurred during processing of all current and previous IPsec Phase-1 IKE Tunnels." ::= { ikeGlobalStats 26 } ikeGlobalRespTunnels OBJECT-TYPE SYNTAX Counter32 UNITS "SAs" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of IPsec Phase-1 IKE Tunnels which were remotely initiated." ::= { ikeGlobalStats 27 } ikeGlobalInXauthFailures OBJECT-TYPE SYNTAX Counter32 UNITS "Failures" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of times the extended authentication information supplied by an IKE peer was found to be invalid by the local entity." ::= { ikeGlobalStats 28 } ikeGlobalOutXauthFailures OBJECT-TYPE SYNTAX Counter32 UNITS "Failures" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of times the extended authentication information supplied by the managed entity to an IKE peer was found to be invalid by the remote peer." 
::= { ikeGlobalStats 29 } ikeGlobalInP1SaDelRequests OBJECT-TYPE SYNTAX Counter32 UNITS "Notification Payloads" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of ISAKMP security association delete requests received by all currently and IPsec Working Group Expires September 2003 [Page 25] Internet Draft IPsec Flow Monitoring MIB 3 Mar 2003 previously active and ISAKMP security associations." ::= { ikeGlobalStats 30 } ikeGlobalOutP1SaDelRequests OBJECT-TYPE SYNTAX Counter32 UNITS "Notification Payloads" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of ISAKMP security association delete requests sent by all currently and previously active and ISAKMP security associations." ::= { ikeGlobalStats 31 } ikeGlobalInConfigs OBJECT-TYPE SYNTAX Counter32 UNITS "Mode Configuration Setting Payloads" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of Mode Configuration settings received (either CFG_REPLY or CFG_SET payloads) by this entity." ::= { ikeGlobalStats 32 } ikeGlobalOutConfigs OBJECT-TYPE SYNTAX Counter32 UNITS "Mode Configuration Setting Payloads" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of Mode Configuration settings dispatched (either CFG_REPLY or CFG_SET payloads) by this entity." ::= { ikeGlobalStats 33 } ikeGlobalInConfigsRejects OBJECT-TYPE SYNTAX Counter32 UNITS "Mode Configuration Setting Acknowledgements" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of Mode Configuration settings which were received (either CFG_REPLY or CFG_SET payloads) by this entity and which were rejected by the local entity." 
::= { ikeGlobalStats 34 } IPsec Working Group Expires September 2003 [Page 26] Internet Draft IPsec Flow Monitoring MIB 3 Mar 2003 ikeGlobalOutConfigsRejects OBJECT-TYPE SYNTAX Counter32 UNITS "Mode Configuration Setting Acknowledgements" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of Mode Configuration settings which were dispatched (either CFG_REPLY or CFG_SET payloads) by this entity and which were rejected by the client peer." ::= { ikeGlobalStats 35 } ikeGlobalHcPreviousTunnels OBJECT-TYPE SYNTAX Counter64 UNITS "Integral units" MAX-ACCESS read-only STATUS current DESCRIPTION "A high capacity count of the total number of previously active IPsec Phase-1 IKE Tunnels. This i equal to the total number of ISAKMP SAs that were active since the bootup of the device but which have since expired." ::= { ikeGlobalStats 36 } ikeGlobalPreviousTunnelsWraps OBJECT-TYPE SYNTAX Counter32 UNITS "Integral units" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of times the quantit `ikeGlobalPreviousTunnels' (previously active IPse Phase-1 IKE tunnels) has wrapped." ::= { ikeGlobalStats 37 } -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ -- The IPsec Phase-1 Internet Key Exchange Tunnel Table -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ ikeTunnelTable OBJECT-TYPE SYNTAX SEQUENCE OF IkeTunnelEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The IPsec Phase-1 Internet Key Exchange Tunnel Table. IPsec Working Group Expires September 2003 [Page 27] Internet Draft IPsec Flow Monitoring MIB 3 Mar 2003 There is one entry in this table for each active IPsec Phase-1 IKE Tunnel." ::= { ikeGroup 2 } ikeTunnelEntry OBJECT-TYPE SYNTAX IkeTunnelEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Each entry contains the attributes associated with an active IPsec Phase-1 IKE Tunnel." 
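The failure counters in ikeGlobalStats (ikeGlobalAuthFails, ikeGlobalDecryptFails, ikeGlobalHashValidFails, ikeGlobalInXauthFailures, ikeGlobalRespTunnelFails) and the 32-bit/64-bit pair ikeGlobalPreviousTunnels, ikeGlobalPreviousTunnelsWraps and ikeGlobalHcPreviousTunnels are what a poller actually consumes. The Python below is an added example and is not part of this draft or of any agent implementing it. It assumes an SNMP poller has already fetched the objects into dicts keyed by object name (the two snapshots are constructed sample data taken 300 seconds apart) and shows the three things a practitioner has to get right: Counter32 wrap handling, reconstruction of the 64-bit expired-tunnel total from the 32-bit counter and its wrap count, and a simple failure-rate check.

```python
# Added example (not part of the draft): consuming the ikeGlobalStats
# counters defined above.  Assumes an SNMP poller has already fetched the
# objects into dicts keyed by object name; PREV and CUR are constructed
# sample polls, POLL_INTERVAL_S seconds apart.

COUNTER32_MOD = 1 << 32

# Counters that a peer drives up by presenting bad credentials, bad keying
# material or corrupted messages; each gets an absolute rate threshold.
FAILURE_COUNTERS = (
    "ikeGlobalAuthFails",
    "ikeGlobalDecryptFails",
    "ikeGlobalHashValidFails",
    "ikeGlobalInXauthFailures",
)

# Constructed sample polls.  In PREV both ikeGlobalAuthFails and
# ikeGlobalPreviousTunnels sit a few counts below 2^32, so both wrap
# before CUR is taken.
PREV = {
    "ikeGlobalActiveTunnels": 120,
    "ikeGlobalPreviousTunnels": 4294967200,
    "ikeGlobalPreviousTunnelsWraps": 2,
    "ikeGlobalHcPreviousTunnels": 2 * COUNTER32_MOD + 4294967200,
    "ikeGlobalRespTunnels": 5000,
    "ikeGlobalRespTunnelFails": 10,
    "ikeGlobalAuthFails": 4294967290,
    "ikeGlobalDecryptFails": 3,
    "ikeGlobalHashValidFails": 7,
    "ikeGlobalInXauthFailures": 0,
}
CUR = {
    "ikeGlobalActiveTunnels": 118,
    "ikeGlobalPreviousTunnels": 150,
    "ikeGlobalPreviousTunnelsWraps": 3,
    "ikeGlobalHcPreviousTunnels": 3 * COUNTER32_MOD + 150,
    "ikeGlobalRespTunnels": 5060,
    "ikeGlobalRespTunnelFails": 52,
    "ikeGlobalAuthFails": 15,
    "ikeGlobalDecryptFails": 3,
    "ikeGlobalHashValidFails": 8,
    "ikeGlobalInXauthFailures": 0,
}
POLL_INTERVAL_S = 300


def counter32_delta(prev, cur):
    """Increase of a Counter32 between two polls.

    Counter32 wraps modulo 2^32 (RFC 2578, section 7.1.6).  The modular
    difference is only right if the counter wrapped at most once between
    polls, so the interval must be short relative to the counter's rate.
    """
    return (cur - prev) % COUNTER32_MOD


def previous_tunnels_total(snap):
    """Phase-1 tunnels expired since boot, rebuilt from the 32-bit counter
    and its wrap count, then cross-checked against the Counter64 object
    when the agent implements it."""
    total = (snap["ikeGlobalPreviousTunnelsWraps"] * COUNTER32_MOD
             + snap["ikeGlobalPreviousTunnels"])
    hc = snap.get("ikeGlobalHcPreviousTunnels")
    if hc is not None and hc != total:
        raise ValueError("wrap count and Counter64 disagree: %d vs %d" % (total, hc))
    return total


def failure_alerts(prev, cur, interval_s, max_per_min=2.0, max_resp_fail_ratio=0.5):
    """Return (object name, delta) pairs that cross a threshold.

    Two signals: an absolute per-minute rate on FAILURE_COUNTERS, and the
    share of remotely initiated Phase-1 negotiations that failed.  The
    ratio treats ikeGlobalRespTunnels as the attempt count, which is an
    assumption: the draft does not say whether failed negotiations are
    included in it.
    """
    alerts = []
    for name in FAILURE_COUNTERS:
        delta = counter32_delta(prev[name], cur[name])
        if delta * 60.0 / interval_s > max_per_min:
            alerts.append((name, delta))
    attempts = counter32_delta(prev["ikeGlobalRespTunnels"], cur["ikeGlobalRespTunnels"])
    fails = counter32_delta(prev["ikeGlobalRespTunnelFails"], cur["ikeGlobalRespTunnelFails"])
    if attempts and fails / attempts > max_resp_fail_ratio:
        alerts.append(("ikeGlobalRespTunnelFails", fails))
    return alerts


if __name__ == "__main__":
    print("expired Phase-1 tunnels since boot:", previous_tunnels_total(CUR))
    for name, delta in failure_alerts(PREV, CUR, POLL_INTERVAL_S):
        print("ALERT %s +%d in %d s" % (name, delta, POLL_INTERVAL_S))
```

In the sample data ikeGlobalAuthFails wraps between the two polls and still yields a delta of 21, and 42 of the 60 remotely initiated negotiations failed, so both alerts fire. A Counter32 that wraps more than once between polls cannot be detected from the counter alone; choose the interval against the expected peak rate, or read ikeGlobalHcPreviousTunnels where the agent offers the 64-bit object.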
    INDEX { ikeTunIndex }
    ::= { ikeTunnelTable 1 }

IkeTunnelEntry ::= SEQUENCE {
    ikeTunIndex                     Integer32,
    ikeTunLocalType                 Phase1PeerIdentityType,
    ikeTunLocalValue                DisplayString,
    ikeTunLocalAddr                 IPSIpAddress,
    ikeTunLocalName                 DisplayString,
    ikeTunRemoteType                Phase1PeerIdentityType,
    ikeTunRemoteValue               DisplayString,
    ikeTunRemoteAddr                IPSIpAddress,
    ikeTunRemoteName                DisplayString,
    ikeTunNegoMode                  IkeNegoMode,
    ikeTunDiffHellmanGrp            DiffHellmanGrp,
    ikeTunEncryptAlgo               EncryptAlgo,
    ikeTunHashAlgo                  IkeHashAlgo,
    ikeTunAuthMethod                IkeAuthMethod,
    ikeTunLifeTime                  Integer32,
    ikeTunActiveTime                TimeInterval,
    ikeTunSaRefreshThreshold        Integer32,
    ikeTunTotalRefreshes            Counter32,
    ikeTunInOctets                  Counter32,
    ikeTunInPkts                    Counter32,
    ikeTunInDropPkts                Counter32,
    ikeTunInNotifys                 Counter32,
    ikeTunInP2Exchgs                Counter32,
    ikeTunInP2ExchgInvalids         Counter32,
    ikeTunInP2ExchgRejects          Counter32,
    ikeTunInP2SaDelRequests         Counter32,
    ikeTunOutOctets                 Counter32,
    ikeTunOutPkts                   Counter32,
    ikeTunOutDropPkts               Counter32,
    ikeTunOutNotifys                Counter32,
    ikeTunOutP2Exchgs               Counter32,
    ikeTunOutP2ExchgInvalids        Counter32,
    ikeTunOutP2ExchgRejects         Counter32,
    ikeTunOutP2SaDelRequests        Counter32,
    ikeTunStatus                    TunnelStatus,
    ikeTunInNewGrpReqs              Counter32,
    ikeTunOutNewGrpReqs             Counter32,
    ikeTunInNewGrpReqsRejected      Counter32,
    ikeTunOutNewGrpReqsRejected     Counter32,
    ikeTunInConfigs                 Counter32,
    ikeTunOutConfigs                Counter32,
    ikeTunInConfigsRejects          Counter32,
    ikeTunOutConfigsRejects         Counter32,
    ikeTunEncryptKeySize            Integer32
}

ikeTunIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The index of the IPsec Phase-1 IKE Tunnel Table. The value
         of the index is a number which begins at one and is
         incremented with each tunnel that is created. The value of
         this object will wrap at 2,147,483,647."
    ::= { ikeTunnelEntry 1 }

ikeTunLocalType OBJECT-TYPE
    SYNTAX      Phase1PeerIdentityType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of local peer identity. The local peer may be
         identified by:
           1. an IP address,
           2. a fully qualified domain name string, or
           3. a distinguished name string."
    ::= { ikeTunnelEntry 2 }

ikeTunLocalValue OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the local peer identity.

         If the local peer type is an IP Address, then this is the
         IP Address used to identify the local peer.

         If the local peer type is id_fqdn, then this is the FQDN of
         the local peer.

         If the local peer type is id_dn, then this is the
         distinguished name string of the local peer."
    ::= { ikeTunnelEntry 3 }

ikeTunLocalAddr OBJECT-TYPE
    SYNTAX      IPSIpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The IP address of the local endpoint for the IPsec Phase-1
         IKE Tunnel."
    ::= { ikeTunnelEntry 4 }

ikeTunLocalName OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The DNS name of the local IP address for the IPsec Phase-1
         IKE Tunnel. If the DNS name associated with the local
         tunnel endpoint is not known, then the value of this object
         will be a NULL string."
    ::= { ikeTunnelEntry 5 }

ikeTunRemoteType OBJECT-TYPE
    SYNTAX      Phase1PeerIdentityType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of remote peer identity. The remote peer may be
         identified by:
           1. an IP address,
           2. a fully qualified domain name string, or
           3. a distinguished name string."
    ::= { ikeTunnelEntry 6 }

ikeTunRemoteValue OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the remote peer identity.

         If the remote peer type is an IP Address, then this is the
         IP Address used to identify the remote peer.

         If the remote peer type is id_fqdn, then this is the FQDN
         of the remote peer.

         If the remote peer type is id_dn, then this is the
         distinguished name string of the remote peer."
    ::= { ikeTunnelEntry 7 }

ikeTunRemoteAddr OBJECT-TYPE
    SYNTAX      IPSIpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The IP address of the remote endpoint for the IPsec Phase-1
         IKE Tunnel."
    ::= { ikeTunnelEntry 8 }

ikeTunRemoteName OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The DNS name of the remote IP address of the IPsec Phase-1
         IKE Tunnel. If the DNS name associated with the remote
         tunnel endpoint is not known, then the value of this object
         will be a NULL string."
    ::= { ikeTunnelEntry 9 }

ikeTunNegoMode OBJECT-TYPE
    SYNTAX      IkeNegoMode
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The negotiation mode of the IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelEntry 10 }

ikeTunDiffHellmanGrp OBJECT-TYPE
    SYNTAX      DiffHellmanGrp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The Diffie-Hellman Group used in IPsec Phase-1 IKE
         negotiations."
    ::= { ikeTunnelEntry 11 }

ikeTunEncryptAlgo OBJECT-TYPE
    SYNTAX      EncryptAlgo
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The encryption algorithm used in IPsec Phase-1 IKE
         negotiations."
    ::= { ikeTunnelEntry 12 }

ikeTunHashAlgo OBJECT-TYPE
    SYNTAX      IkeHashAlgo
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The hash algorithm used in IPsec Phase-1 IKE negotiations."
    ::= { ikeTunnelEntry 13 }

ikeTunAuthMethod OBJECT-TYPE
    SYNTAX      IkeAuthMethod
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The authentication method used in IPsec Phase-1 IKE
         negotiations."
    ::= { ikeTunnelEntry 14 }

ikeTunLifeTime OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    UNITS       "seconds"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The negotiated LifeTime of the IPsec Phase-1 IKE Tunnel in
         seconds."
    ::= { ikeTunnelEntry 15 }

ikeTunActiveTime OBJECT-TYPE
    SYNTAX      TimeInterval
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The length of time the IPsec Phase-1 IKE tunnel has been
         active in hundredths of seconds."
    ::= { ikeTunnelEntry 16 }

ikeTunSaRefreshThreshold OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    UNITS       "seconds"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The security association refresh threshold in seconds."
    ::= { ikeTunnelEntry 17 }

ikeTunTotalRefreshes OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "QM Exchanges"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of security association refreshes
         performed."
    ::= { ikeTunnelEntry 18 }

ikeTunInOctets OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Octets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of octets received by this IPsec Phase-1
         IKE Tunnel."
    ::= { ikeTunnelEntry 19 }

ikeTunInPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received by this IPsec Phase-1
         IKE Tunnel."
    ::= { ikeTunnelEntry 20 }

ikeTunInDropPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets dropped by this IPsec Phase-1
         IKE Tunnel during receive processing."
    ::= { ikeTunnelEntry 21 }

ikeTunInNotifys OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Notification Payloads"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of notifys received by this IPsec Phase-1
         IKE Tunnel."
    ::= { ikeTunnelEntry 22 }

ikeTunInP2Exchgs OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "SA Payloads"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of IPsec Phase-2 exchanges received by this
         IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelEntry 23 }

ikeTunInP2ExchgInvalids OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "SA Payloads"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of IPsec Phase-2 exchanges received on this
         tunnel that were found to contain references to
         unrecognized security parameters."
    ::= { ikeTunnelEntry 24 }

ikeTunInP2ExchgRejects OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "SA Payloads"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of IPsec Phase-2 exchanges received on this
         tunnel that were validated but were rejected by the local
         policy."
    ::= { ikeTunnelEntry 25 }

ikeTunInP2SaDelRequests OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Notification Payloads"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of IPsec Phase-2 security association
         delete requests received by this IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelEntry 26 }

ikeTunOutOctets OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Octets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of octets sent by this IPsec Phase-1 IKE
         Tunnel."
    ::= { ikeTunnelEntry 27 }

ikeTunOutPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets sent by this IPsec Phase-1 IKE
         Tunnel."
    ::= { ikeTunnelEntry 28 }

ikeTunOutDropPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets dropped by this IPsec Phase-1
         IKE Tunnel during send processing."
    ::= { ikeTunnelEntry 29 }

ikeTunOutNotifys OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Notification Payloads"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of notifys sent by this IPsec Phase-1 IKE
         Tunnel."
    ::= { ikeTunnelEntry 30 }

ikeTunOutP2Exchgs OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "SA Payloads"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of IPsec Phase-2 exchanges sent by this
         IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelEntry 31 }

ikeTunOutP2ExchgInvalids OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "SA Payloads"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of IPsec Phase-2 exchanges sent on this
         tunnel that were found by the peer to contain references to
         security parameters not recognized by the peer."
    ::= { ikeTunnelEntry 32 }

ikeTunOutP2ExchgRejects OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "SA Payloads"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of IPsec Phase-2 exchanges sent on this
         tunnel that were validated by the peer but were rejected by
         the peer's policy."
    ::= { ikeTunnelEntry 33 }

ikeTunOutP2SaDelRequests OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Notification Payloads"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of IPsec Phase-2 security association
         delete requests sent by this IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelEntry 34 }

ikeTunStatus OBJECT-TYPE
    SYNTAX      TunnelStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The status of the MIB table row. This object can be used to
         bring the tunnel down by setting the value of this object
         to destroy(2). This object cannot be used to create a MIB
         table row."
    ::= { ikeTunnelEntry 35 }

ikeTunInNewGrpReqs OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Negotiations"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of New Group exchanges initiated remotely
         using this IKE tunnel."
    ::= { ikeTunnelEntry 36 }

ikeTunOutNewGrpReqs OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Negotiations"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of New Group exchanges initiated locally
         using this IKE tunnel."
    ::= { ikeTunnelEntry 37 }

ikeTunInNewGrpReqsRejected OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Negotiations"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of New Group exchanges initiated remotely
         using this IKE tunnel that ended in a failure."
    ::= { ikeTunnelEntry 38 }

ikeTunOutNewGrpReqsRejected OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Negotiations"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of New Group exchanges initiated locally
         using this IKE tunnel that ended in a failure."
    ::= { ikeTunnelEntry 39 }

ikeTunInConfigs OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Mode Configuration Setting Payloads"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of Mode Configuration settings received
         (either CFG_REPLY or CFG_SET payloads) by the local entity
         on the ISAKMP SA represented by this IKE tunnel."
    ::= { ikeTunnelEntry 40 }

ikeTunOutConfigs OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Mode Configuration Setting Payloads"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of Mode Configuration settings dispatched
         (either CFG_REPLY or CFG_SET payloads) by the local entity
         on the ISAKMP SA represented by this IKE tunnel."
    ::= { ikeTunnelEntry 41 }

ikeTunInConfigsRejects OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Mode Configuration Setting Payloads"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of Mode Configuration settings which were
         received (either CFG_REPLY or CFG_SET payloads) and
         rejected by this entity using the ISAKMP SA represented by
         this IKE tunnel."
    ::= { ikeTunnelEntry 42 }

ikeTunOutConfigsRejects OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Mode Configuration Setting Payloads"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of Mode Configuration settings which were
         dispatched (either CFG_REPLY or CFG_SET payloads) by this
         entity and were rejected by the peer (client) using the
         ISAKMP SA represented by this IKE tunnel."
    ::= { ikeTunnelEntry 43 }

ikeTunEncryptKeySize OBJECT-TYPE
    SYNTAX      Integer32
    UNITS       "Bits"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The key size in bits of the negotiated key to be used with
         the algorithm denoted by the column 'ikeTunEncryptAlgo'.
         For DES and 3DES the key size is respectively 56 and 168.
         For AES, this will denote the negotiated key size."
    ::= { ikeTunnelEntry 44 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- The IPsec Phase-1 Internet Key Exchange Peer Table.
-- This is a mandatory group. If all IPsec flows are manually
-- administered, this table would be empty.
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

phase1PeerTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF Phase1PeerEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The IPsec Phase-1 Key Exchange Peer Table. There is one
         entry in this table for each IPsec Phase-1 peer with which
         the managed entity is currently associated by virtue of an
         active IPsec Phase-1 Control Tunnel. A peer has an entry in
         this table if and only if there is at least one Phase-1 or
         Phase-2 tunnel terminating on the managed entity from the
         peer. When all Phase-1 and Phase-2 tunnels to a peer have
         expired, the entry for the peer is deleted from this table."
    ::= { ipSecPhaseOne 2 }

phase1PeerEntry OBJECT-TYPE
    SYNTAX      Phase1PeerEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry contains the attributes associated with an IPsec
         Phase-1 IKE peer association."
    INDEX { phase1PeerLocalType,
            phase1PeerHLocalValue,
            phase1PeerRemoteType,
            phase1PeerHRemoteValue,
            phase1PeerIntIndex }
    ::= { phase1PeerTable 1 }

Phase1PeerEntry ::= SEQUENCE {
    phase1PeerLocalType             Phase1PeerIdentityType,
    phase1PeerLocalValue            DisplayString,
    phase1PeerHLocalValue           HashedString,
    phase1PeerRemoteType            Phase1PeerIdentityType,
    phase1PeerRemoteValue           DisplayString,
    phase1PeerHRemoteValue          HashedString,
    phase1PeerIntIndex              Integer32,
    phase1PeerLocalAddr             IPSIpAddress,
    phase1PeerRemoteAddr            IPSIpAddress,
    phase1PeerActiveTime            TimeInterval,
    phase1PeerActiveTunnelIndex     Integer32,
    phase1PeerConfigAppVersion      DisplayString,
    phase1PeerConfigAddress         IPSIpAddress,
    phase1PeerConfigNetmask         IPSIpAddress,
    phase1PeerConfigDns             IPSIpAddress,
    phase1PeerConfigNbns            IPSIpAddress,
    phase1PeerConfigDhcp            IPSIpAddress,
    phase1Protocol                  ControlProtocol
}

phase1PeerLocalType OBJECT-TYPE
    SYNTAX      Phase1PeerIdentityType
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The type of local peer identity. The local peer may be
         identified by:
           1. an IP address,
           2. a fully qualified domain name, or
           3. a distinguished name."
    ::= { phase1PeerEntry 1 }

phase1PeerLocalValue OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the local peer identity.

         If the local peer type is an IP Address, then this is the
         IP Address used to identify the local peer.

         If the local peer type is id_fqdn, then this is the FQDN of
         the local peer.

         If the local peer type is id_dn, then this is the DN string
         of the local peer.

         The value of this object could be arbitrarily large, making
         this object unsuitable for indexing this table (please
         refer to the definition of 'phase1PeerHLocalValue')."
    ::= { phase1PeerEntry 2 }

phase1PeerHLocalValue OBJECT-TYPE
    SYNTAX      HashedString
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The 128-bit MD5 hash output of the value represented by the
         element phase1PeerLocalValue. The hashing is required to
         restrict the length of the SNMP index to a legal size:

           phase1PeerHLocalValue = MD5(phase1PeerLocalValue)."
    ::= { phase1PeerEntry 3 }

phase1PeerRemoteType OBJECT-TYPE
    SYNTAX      Phase1PeerIdentityType
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The type of remote peer identity. The remote peer may be
         identified by:
           1. an IP address,
           2. a fully qualified domain name, or
           3. a distinguished name."
    ::= { phase1PeerEntry 4 }

phase1PeerRemoteValue OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the remote peer identity.

         If the remote peer type is an IP Address, then this is the
         IP Address used to identify the remote peer.

         If the remote peer type is id_fqdn, then this is the FQDN
         of the remote peer.

         If the remote peer type is id_dn, then this is the DN
         string of the remote peer.

         The value of this object could be arbitrarily large, making
         this object unsuitable for indexing this table (please
         refer to the definition of 'phase1PeerHRemoteValue')."
    ::= { phase1PeerEntry 5 }

phase1PeerHRemoteValue OBJECT-TYPE
    SYNTAX      HashedString
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The 128-bit MD5 hash output of the value represented by the
         element phase1PeerRemoteValue. The hashing is required to
         restrict the length of the SNMP index to a legal size:

           phase1PeerHRemoteValue = MD5(phase1PeerRemoteValue)."
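The hashed columns exist because an SNMP instance index may contain at most 128 sub-identifiers (RFC 2578, section 3.5) while a distinguished name is unbounded. The Python below is an added example, not code from this draft or from any agent implementing it: it builds the instance index of a phase1PeerTable row from the INDEX clause { phase1PeerLocalType, phase1PeerHLocalValue, phase1PeerRemoteType, phase1PeerHRemoteValue, phase1PeerIntIndex } and shows how far two ordinary certificate DNs would overshoot the limit if they were indexed raw. It assumes Phase1PeerIdentityType takes the values ipAddr(1), fqdn(2), dn(3) in the order the descriptions list them, and that HashedString is a fixed-length 16-octet OCTET STRING (both textual conventions are defined outside this section); the identities are constructed sample data.

```python
# Added example (not part of the draft): the instance index of a
# phase1PeerTable row.  Assumed, because the TCs are defined outside this
# section: Phase1PeerIdentityType = ipAddr(1)/fqdn(2)/dn(3), and
# HashedString is a fixed-length 16-octet OCTET STRING, which RFC 2578
# section 7.7 encodes as 16 sub-identifiers with no length prefix.
import hashlib

MAX_OID_SUBIDS = 128  # RFC 2578 section 3.5: an OID has at most 128 sub-identifiers

IDTYPE = {"ipAddr": 1, "fqdn": 2, "dn": 3}  # assumed enumeration values


def hashed_value(identity):
    """phase1PeerHLocalValue / phase1PeerHRemoteValue = MD5(identity)."""
    return hashlib.md5(identity.encode("utf-8")).digest()


def string_index(octets, fixed_length):
    """Sub-identifiers for an OCTET STRING index component (RFC 2578 s7.7):
    one per octet; a variable-length string is preceded by its length."""
    subids = list(octets)
    return subids if fixed_length else [len(octets)] + subids


def peer_index(local_type, local_id, remote_type, remote_id, int_index):
    """Instance index of the phase1PeerTable row as a list of sub-identifiers."""
    return ([IDTYPE[local_type]]
            + string_index(hashed_value(local_id), fixed_length=True)
            + [IDTYPE[remote_type]]
            + string_index(hashed_value(remote_id), fixed_length=True)
            + [int_index])


def unhashed_index_length(local_type, local_id, remote_type, remote_id, int_index):
    """Index length if the DisplayString identities were indexed directly
    (variable-length, hence length-prefixed) instead of their digests."""
    return len([IDTYPE[local_type]]
               + string_index(local_id.encode("utf-8"), fixed_length=False)
               + [IDTYPE[remote_type]]
               + string_index(remote_id.encode("utf-8"), fixed_length=False)
               + [int_index])


def instance_oid(column, subids):
    """Column name or OID followed by the index sub-identifiers, the way a
    manager would print or request one instance of the column."""
    return column + "." + ".".join(str(s) for s in subids)


# Constructed sample identities: two certificate DNs of ordinary length,
# and the local/remote association index.
LOCAL_DN = "CN=vpn-hub-01.example.net,OU=Network Services,O=Example Corp,L=Zurich,ST=ZH,C=CH"
REMOTE_DN = "CN=branch-router-17.example.net,OU=Field Offices,O=Example Corp,L=Geneva,ST=GE,C=CH"
INT_INDEX = 1

if __name__ == "__main__":
    idx = peer_index("dn", LOCAL_DN, "dn", REMOTE_DN, INT_INDEX)
    raw = unhashed_index_length("dn", LOCAL_DN, "dn", REMOTE_DN, INT_INDEX)
    print("hashed index: %d sub-identifiers (raw strings would need %d, limit %d)"
          % (len(idx), raw, MAX_OID_SUBIDS))
    print(instance_oid("phase1PeerRemoteValue", idx))
```

With the sample DNs the hashed index is 35 sub-identifiers (1 + 16 + 1 + 16 + 1) where the raw strings would need well over 128 before the column's own OID prefix is even counted. The digest is an index-compaction device and not a security control: a manager must take the peer's identity from the read-only phase1PeerLocalValue and phase1PeerRemoteValue columns rather than from the index, and two distinct identities that collide under MD5 are told apart only by phase1PeerIntIndex.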
    ::= { phase1PeerEntry 6 }

phase1PeerIntIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The internal index of the local-remote peer association.
         This internal index is used to uniquely identify multiple
         associations between the local and remote peer."
    ::= { phase1PeerEntry 7 }

phase1PeerLocalAddr OBJECT-TYPE
    SYNTAX      IPSIpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The IP address of the local peer."
    ::= { phase1PeerEntry 8 }

phase1PeerRemoteAddr OBJECT-TYPE
    SYNTAX      IPSIpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The IP address of the remote peer."
    ::= { phase1PeerEntry 9 }

phase1PeerActiveTime OBJECT-TYPE
    SYNTAX      TimeInterval
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The length of time that the peer association has existed in
         hundredths of a second."
    ::= { phase1PeerEntry 10 }

phase1PeerActiveTunnelIndex OBJECT-TYPE
    SYNTAX      Integer32 (0..2147483647)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The index of the active IPsec Phase-1 IKE Tunnel
         (ikeTunIndex in the ikeTunnelTable) for this peer
         association. If an IPsec Phase-1 IKE Tunnel is not
         currently active, then the value of this object will be
         zero."
    ::= { phase1PeerEntry 11 }

phase1PeerConfigAppVersion OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The NULL terminated printable application version of the
         peer. If the peer did not issue the APPLICATION_VERSION
         attribute, this field is NULL."
    ::= { phase1PeerEntry 12 }

phase1PeerConfigAddress OBJECT-TYPE
    SYNTAX      IPSIpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The IP address configured by the peer on this entity. If
         the local entity did not receive either INTERNAL_IP4_ADDRESS
         or INTERNAL_IP6_ADDRESS from the peer, this field should
         have the NULL IP address."
    ::= { phase1PeerEntry 13 }

phase1PeerConfigNetmask OBJECT-TYPE
    SYNTAX      IPSIpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The netmask configured by the peer on this entity. If the
         local entity did not receive either INTERNAL_IP4_NETMASK or
         INTERNAL_IP6_NETMASK from the peer, this field should have
         the NULL IP address."
    ::= { phase1PeerEntry 14 }

phase1PeerConfigDns OBJECT-TYPE
    SYNTAX      IPSIpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The address of the DNS server configured by the peer on the
         local entity using CFG_SET or CFG_REPLY. If the local entity
         did not receive either INTERNAL_IP4_DNS or INTERNAL_IP6_DNS
         from the peer, this field should have the NULL IP address."
    ::= { phase1PeerEntry 15 }

phase1PeerConfigNbns OBJECT-TYPE
    SYNTAX      IPSIpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The address of the NetBIOS Name Server configured by the
         peer on the local entity using CFG_SET or CFG_REPLY. If the
         local entity did not receive either INTERNAL_IP4_NBNS or
         INTERNAL_IP6_NBNS from the peer, this field should have the
         NULL IP address."
    ::= { phase1PeerEntry 16 }

phase1PeerConfigDhcp OBJECT-TYPE
    SYNTAX      IPSIpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The address of the DHCP Server configured by the peer on the
         local entity using CFG_SET or CFG_REPLY. If the local entity
         did not receive either INTERNAL_IP4_DHCP or INTERNAL_IP6_DHCP
         from the peer, this field should have the NULL IP address."
    ::= { phase1PeerEntry 17 }

phase1Protocol OBJECT-TYPE
    SYNTAX      ControlProtocol
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The keying and control protocol used to set up and
         administer Phase-1 and Phase-2 tunnels to this peer."
    ::= { phase1PeerEntry 18 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- The Phase-1 Peer Association to Phase-2 Tunnel Correlation
-- Table
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

phase1PeerCorrTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF Phase1PeerCorrEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The IPsec Phase-1 Peer Association to IPsec Phase-2 Tunnel
         Correlation Table. There is one entry in this table for
         each active IPsec Phase-2 Tunnel."
    ::= { ipSecPhaseOne 3 }

phase1PeerCorrEntry OBJECT-TYPE
    SYNTAX      Phase1PeerCorrEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry contains the attributes of an IPsec Phase-1 Peer
         Association to IPsec Phase-2 Tunnel Correlation."
    INDEX { phase1PeerCorrLocalType,
            phase1PeerCorrLocalValue,
            phase1PeerCorrRemoteType,
            phase1PeerCorrRemoteValue,
            phase1PeerCorrIntIndex,
            phase1PeerCorrSeqNum }
    ::= { phase1PeerCorrTable 1 }

Phase1PeerCorrEntry ::= SEQUENCE {
    phase1PeerCorrLocalType         Phase1PeerIdentityType,
    phase1PeerCorrLocalValue        DisplayString,
    phase1PeerCorrRemoteType        Phase1PeerIdentityType,
    phase1PeerCorrRemoteValue       DisplayString,
    phase1PeerCorrIntIndex          Integer32,
    phase1PeerCorrSeqNum            Integer32,
    phase1PeerCorrIpSecTunIndex     Integer32,
    phase1PeerCorrControlProtocol   ControlProtocol
}

phase1PeerCorrLocalType OBJECT-TYPE
    SYNTAX      Phase1PeerIdentityType
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The type of local peer identity. The local peer may be
         identified by:
           1. an IP address,
           2. a fully qualified domain name, or
           3. a distinguished name."
    ::= { phase1PeerCorrEntry 1 }

phase1PeerCorrLocalValue OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The value of the local peer identity.

         If the local peer type is an IP Address, then this is the
         IP Address used to identify the local peer.

         If the local peer type is id_fqdn, then this is the FQDN of
         the local entity.

         If the local peer type is id_dn, then this is the
         distinguished name string of the local peer."
    ::= { phase1PeerCorrEntry 2 }

phase1PeerCorrRemoteType OBJECT-TYPE
    SYNTAX      Phase1PeerIdentityType
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The type of remote peer identity. The remote peer may be
         identified by:
           1. an IP address,
           2. a fully qualified domain name, or
           3. a distinguished name."
    ::= { phase1PeerCorrEntry 3 }

phase1PeerCorrRemoteValue OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The value of the remote peer identity.

         If the remote peer type is an IP Address, then this is the
         IP Address used to identify the remote peer.

         If the remote peer type is id_fqdn, then this is the FQDN
         of the remote peer.

         If the remote peer type is id_dn, then this is the
         distinguished name string of the remote peer."
    ::= { phase1PeerCorrEntry 4 }

phase1PeerCorrIntIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The internal index of the local-remote peer association.
         This internal index is used to uniquely identify multiple
         associations between the local and remote peer."
    ::= { phase1PeerCorrEntry 5 }

phase1PeerCorrSeqNum OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The sequence number of the local-remote peer association.
         This sequence number is used to uniquely identify multiple
         instances of a unique association between the local and
         remote peer."
    ::= { phase1PeerCorrEntry 6 }

phase1PeerCorrIpSecTunIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The index of the active IPsec Phase-2 Tunnel
         (ipSecTunIndex in the ipSecTunnelTable) for this
         IPsec Phase-1 IKE Peer Association."
    ::= { phase1PeerCorrEntry 7 }

phase1PeerCorrControlProtocol OBJECT-TYPE
    SYNTAX      ControlProtocol
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The keying and control protocol used to setup and
         administer the Phase-1 and Phase-2 tunnels this table
         entry refers to."
    ::= { phase1PeerCorrEntry 8 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- IPsec Phase-2 Group
--
-- This group consists of:
-- 1) IPsec Phase-2 Global Statistics
-- 2) IPsec Phase-2 Tunnel Table
-- 3) IPsec Phase-2 Endpoint Table
-- 4) IPsec Phase-2 Security Protection Index Table
-- 5) IPsec Phase-2 Security Protection Index Objects
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- The IPsec Phase-2 Global Tunnel Statistics
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

ipSecGlobalStats OBJECT IDENTIFIER ::= { ipSecPhaseTwo 1 }

ipSecGlobalActiveTunnels OBJECT-TYPE
    SYNTAX      Gauge32
    UNITS       "Integral units"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of currently active IPsec Phase-2
         Tunnels."
    ::= { ipSecGlobalStats 1 }

ipSecGlobalPreviousTunnels OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Phase-2 Tunnels"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of previously active IPsec Phase-2
         Tunnels."
    ::= { ipSecGlobalStats 2 }

ipSecGlobalInOctets OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Octets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of octets received by all current and
         previous IPsec Phase-2 Tunnels. This value is accumulated
         BEFORE determining whether or not the packet should be
         decompressed. See also ipSecGlobalInOctWraps for the
         number of times this counter has wrapped."
    ::= { ipSecGlobalStats 3 }

ipSecGlobalHcInOctets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number of octets
         received by all current and previous IPsec Phase-2
         Tunnels. This value is accumulated BEFORE determining
         whether or not the packet should be decompressed."
    ::= { ipSecGlobalStats 4 }

ipSecGlobalInOctWraps OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Integral units"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of times the global octets received counter
         (ipSecGlobalInOctets) has wrapped."
    ::= { ipSecGlobalStats 5 }

ipSecGlobalInDecompOctets OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Octets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of decompressed octets received by all
         current and previous IPsec Phase-2 Tunnels. This value
         is accumulated AFTER the packet is decompressed. If
         compression is not being used, this value will match
         the value of ipSecGlobalInOctets. See also
         ipSecGlobalInDecompOctWraps for the number of times
         this counter has wrapped."
    ::= { ipSecGlobalStats 6 }

ipSecGlobalHcInDecompOctets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number of
         decompressed octets received by all current and previous
         IPsec Phase-2 Tunnels. This value is accumulated AFTER
         the packet is decompressed. If compression is not being
         used, this value will match the value of
         ipSecGlobalHcInOctets."
    ::= { ipSecGlobalStats 7 }

ipSecGlobalInDecompOctWraps OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Integral units"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of times the global decompressed octets
         received counter (ipSecGlobalInDecompOctets) has
         wrapped."
    ::= { ipSecGlobalStats 8 }

ipSecGlobalInPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received by all current and
         previous IPsec Phase-2 Tunnels."
    ::= { ipSecGlobalStats 9 }

ipSecGlobalInDrops OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets dropped during receive
         processing by all current and previous IPsec Phase-2
         Tunnels. This count does NOT include packets dropped
         due to Anti-Replay processing."
    ::= { ipSecGlobalStats 10 }

ipSecGlobalInReplayDrops OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets dropped during receive
         processing due to Anti-Replay processing by all current
         and previous IPsec Phase-2 Tunnels."
    ::= { ipSecGlobalStats 11 }

ipSecGlobalInAuths OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Events"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound authentications performed
         by all current and previous IPsec Phase-2 Tunnels."
    ::= { ipSecGlobalStats 12 }

ipSecGlobalInAuthFails OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Failures"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound authentications which ended
         in failure by all current and previous IPsec Phase-2
         Tunnels."
    ::= { ipSecGlobalStats 13 }

ipSecGlobalInDecrypts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound decryptions performed by
         all current and previous IPsec Phase-2 Tunnels."
    ::= { ipSecGlobalStats 14 }

ipSecGlobalInDecryptFails OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound decryptions which ended in
         failure by all current and previous IPsec Phase-2
         Tunnels."
    ::= { ipSecGlobalStats 15 }

ipSecGlobalOutOctets OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Octets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of octets sent by all current and
         previous IPsec Phase-2 Tunnels. This value is accumulated
         AFTER determining whether or not the packet should be
         compressed. See also ipSecGlobalOutOctWraps for the
         number of times this counter has wrapped."
    ::= { ipSecGlobalStats 16 }

ipSecGlobalHcOutOctets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number of octets sent
         by all current and previous IPsec Phase-2 Tunnels. This
         value is accumulated AFTER determining whether or not
         the packet should be compressed."
    ::= { ipSecGlobalStats 17 }

ipSecGlobalOutOctWraps OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Integral units"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of times the global octets sent counter
         (ipSecGlobalOutOctets) has wrapped."
    ::= { ipSecGlobalStats 18 }

ipSecGlobalOutUncompOctets OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Octets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of uncompressed octets sent by all
         current and previous IPsec Phase-2 Tunnels. This value
         is accumulated BEFORE the packet is compressed. If
         compression is not being used, this value will match
         the value of ipSecGlobalOutOctets. See also
         ipSecGlobalOutUncompOctWraps for the number of times
         this counter has wrapped."
    ::= { ipSecGlobalStats 19 }

ipSecGlobalHcOutUncompOctets OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "Octets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number of
         uncompressed octets sent by all current and previous
         IPsec Phase-2 Tunnels. This value is accumulated BEFORE
         the packet is compressed. If compression is not being
         used, this value will match the value of
         ipSecGlobalHcOutOctets."
    ::= { ipSecGlobalStats 20 }

ipSecGlobalOutUncompOctWraps OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Integral units"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of times the global uncompressed octets sent
         counter (ipSecGlobalOutUncompOctets) has wrapped."
    ::= { ipSecGlobalStats 21 }

ipSecGlobalOutPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets sent by all current and
         previous IPsec Phase-2 Tunnels."
    ::= { ipSecGlobalStats 22 }

ipSecGlobalOutDrops OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets dropped during send
         processing by all current and previous IPsec Phase-2
         Tunnels."
    ::= { ipSecGlobalStats 23 }

ipSecGlobalOutAuths OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Events"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound authentications performed
         by all current and previous IPsec Phase-2 Tunnels."
    ::= { ipSecGlobalStats 24 }

ipSecGlobalOutAuthFails OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Failures"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound authentications which ended
         in failure by all current and previous IPsec Phase-2
         Tunnels."
    ::= { ipSecGlobalStats 25 }

ipSecGlobalOutEncrypts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound encryptions performed by
         all current and previous IPsec Phase-2 Tunnels."
    ::= { ipSecGlobalStats 26 }

ipSecGlobalOutEncryptFails OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Failures"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound encryptions which ended in
         failure by all current and previous IPsec Phase-2
         Tunnels."
    ::= { ipSecGlobalStats 27 }

ipSecGlobalOutCompressedPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The cumulative number of outbound packets across all
         IPsec flows terminating at this device which were
         successfully compressed. This number is cumulative
         since the last system start."
    ::= { ipSecGlobalStats 28 }

ipSecGlobalOutCompSkippedPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound packets across all IPsec
         flows terminating at this device that were to be
         compressed but which were skipped due to the
         compression hysteresis. This number is cumulative since
         the last system start."
    ::= { ipSecGlobalStats 29 }

ipSecGlobalOutCompFailPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound packets across all IPsec
         flows terminating at this device that failed compression
         because they grew in size after compression. This number
         is cumulative since the last system start."
    ::= { ipSecGlobalStats 30 }

ipSecGlobalOutCompTooSmallPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound packets across all IPsec
         flows terminating at this device that were to be
         compressed but were smaller than the compression
         threshold size. This number is cumulative since the last
         system start."
    ::= { ipSecGlobalStats 31 }

ipSecGlobalProtocolUseFails OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Failures"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of protocol use failures which occurred
         during processing of all current and previously active
         IPsec Phase-2 Tunnels."
    ::= { ipSecGlobalStats 32 }

ipSecGlobalNoSaFails OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Failures"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of non-existent Security Association
         failures which occurred during processing of all current
         and previous IPsec Phase-2 Tunnels."
    ::= { ipSecGlobalStats 33 }

ipSecGlobalSysCapFails OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Failures"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of system capacity failures which
         occurred during processing of all current and previously
         active IPsec Phase-2 Tunnels."
    ::= { ipSecGlobalStats 34 }

ipSecGlobalHcPreviousTunnels OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "Integral units"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number of previously
         active IPsec Phase-2 Tunnels."
    ::= { ipSecGlobalStats 35 }

ipSecGlobalPreviousTunnelsWraps OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Integral units"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of times the quantity
         `ipSecGlobalPreviousTunnels' (previously active IPsec
         Phase-2 tunnels) has wrapped."
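The global statistics above pair each 32-bit octet counter with a companion Wraps object and a Counter64 alternative, and expose the receive-side failure counters (anti-replay drops, authentication and decryption failures, missing-SA failures) that a monitoring system should watch. The following is an added example, not code from the draft or from any implementation of it, showing how a poller would consume these objects: it reconstructs the wide count from Counter32 plus Wraps, cross-checks it against the Counter64 object, computes wrap-tolerant deltas between two polls, and raises health flags when the failure counters move. The two poll dictionaries are constructed sample values, and the thresholds are assumptions for illustration.

```python
"""Consume ipSecGlobalStats polls: wrap handling, deltas and health flags.

Added example (not part of the IPsec Flow Monitoring MIB draft). The two
polls below are constructed sample values standing in for successive SNMP
GETs of the draft's objects, so the code runs offline without an SNMP
library.
"""
from typing import Dict, List

COUNTER32_MOD = 1 << 32

# Constructed sample poll 1. InOctets is close to the 32-bit limit so that
# poll 2 shows it wrapping once (InOctWraps goes from 2 to 3).
POLL_1: Dict[str, int] = {
    "ipSecGlobalInOctets": 4294960000,
    "ipSecGlobalInOctWraps": 2,
    "ipSecGlobalHcInOctets": 2 * COUNTER32_MOD + 4294960000,
    "ipSecGlobalInPkts": 1_000_000,
    "ipSecGlobalInReplayDrops": 10,
    "ipSecGlobalInAuths": 1_000_000,
    "ipSecGlobalInAuthFails": 3,
    "ipSecGlobalInDecryptFails": 0,
    "ipSecGlobalNoSaFails": 5,
}

# Constructed sample poll 2: 27296 more octets, 50000 more packets, and a
# burst of 2500 anti-replay drops.
POLL_2: Dict[str, int] = {
    "ipSecGlobalInOctets": 20000,
    "ipSecGlobalInOctWraps": 3,
    "ipSecGlobalHcInOctets": 3 * COUNTER32_MOD + 20000,
    "ipSecGlobalInPkts": 1_050_000,
    "ipSecGlobalInReplayDrops": 2_510,
    "ipSecGlobalInAuths": 1_050_000,
    "ipSecGlobalInAuthFails": 3,
    "ipSecGlobalInDecryptFails": 0,
    "ipSecGlobalNoSaFails": 5,
}


def wide_count(low: int, wraps: int) -> int:
    """Rebuild a 64-bit total from a Counter32 and its *Wraps companion,
    as the draft pairs ipSecGlobalInOctets with ipSecGlobalInOctWraps."""
    return wraps * COUNTER32_MOD + low


def hc_matches_wraps(poll: Dict[str, int]) -> bool:
    """Sanity check: the Counter64 object must agree with the
    Counter32 + Wraps reconstruction when an agent exposes both."""
    rebuilt = wide_count(poll["ipSecGlobalInOctets"],
                         poll["ipSecGlobalInOctWraps"])
    return rebuilt == poll["ipSecGlobalHcInOctets"]


def counter32_delta(old: int, new: int) -> int:
    """Increase of a Counter32 between two polls, tolerating one wrap."""
    return (new - old) % COUNTER32_MOD


def in_octets_delta(p1: Dict[str, int], p2: Dict[str, int]) -> int:
    """Octets received between two polls, computed from the wide counts."""
    return (wide_count(p2["ipSecGlobalInOctets"], p2["ipSecGlobalInOctWraps"])
            - wide_count(p1["ipSecGlobalInOctets"], p1["ipSecGlobalInOctWraps"]))


def health_flags(p1: Dict[str, int], p2: Dict[str, int],
                 replay_ratio: float = 0.01,
                 auth_fail_ratio: float = 0.001) -> List[str]:
    """Flag the receive-side failure counters the draft defines.
    The ratio thresholds are assumed values for this example."""
    flags: List[str] = []
    pkts = counter32_delta(p1["ipSecGlobalInPkts"], p2["ipSecGlobalInPkts"])
    replay = counter32_delta(p1["ipSecGlobalInReplayDrops"],
                             p2["ipSecGlobalInReplayDrops"])
    if pkts and replay / pkts > replay_ratio:
        flags.append(f"replay-drops:{replay}/{pkts}")
    auths = counter32_delta(p1["ipSecGlobalInAuths"], p2["ipSecGlobalInAuths"])
    fails = counter32_delta(p1["ipSecGlobalInAuthFails"],
                            p2["ipSecGlobalInAuthFails"])
    if auths and fails / auths > auth_fail_ratio:
        flags.append(f"auth-fails:{fails}/{auths}")
    if counter32_delta(p1["ipSecGlobalInDecryptFails"],
                       p2["ipSecGlobalInDecryptFails"]):
        flags.append("decrypt-fails")
    if counter32_delta(p1["ipSecGlobalNoSaFails"], p2["ipSecGlobalNoSaFails"]):
        flags.append("no-sa-fails")
    return flags


if __name__ == "__main__":
    print("HC consistent:", hc_matches_wraps(POLL_1), hc_matches_wraps(POLL_2))
    print("octets in:", in_octets_delta(POLL_1, POLL_2))
    print("flags:", health_flags(POLL_1, POLL_2))
```

A poller that only reads the Counter32 objects should also read the Wraps object in the same PDU; if the two are fetched in separate requests the counter can wrap between them and the reconstruction will be off by 2^32. The replay-drop ratio is a useful detection signal because a sustained burst of anti-replay drops on an otherwise healthy tunnel points at either re-injected traffic or severe reordering on the path, both of which deserve investigation.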
    ::= { ipSecGlobalStats 36 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- The IPsec Phase-2 Tunnel Table
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

ipSecTunnelTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpSecTunnelEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The IPsec Phase-2 Tunnel Table. There is one entry in
         this table for each active IPsec Phase-2 Tunnel."
    ::= { ipSecPhaseTwo 2 }

ipSecTunnelEntry OBJECT-TYPE
    SYNTAX      IpSecTunnelEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry contains the attributes associated with an
         active IPsec Phase-2 Tunnel."
    INDEX { ipSecTunIndex }
    ::= { ipSecTunnelTable 1 }

IpSecTunnelEntry ::= SEQUENCE {
    ipSecTunIndex                   Integer32,
    ipSecTunIkeTunnelIndex          Integer32,
    ipSecTunIkeTunnelAlive          TruthValue,
    ipSecTunLocalAddr               IPSIpAddress,
    ipSecTunRemoteAddr              IPSIpAddress,
    ipSecTunKeyType                 KeyType,
    ipSecTunEncapMode               EncapMode,
    ipSecTunLifeSize                Integer32,
    ipSecTunLifeTime                Integer32,
    ipSecTunActiveTime              TimeInterval,
    ipSecTunSaLifeSizeThreshold     Integer32,
    ipSecTunSaLifeTimeThreshold     Integer32,
    ipSecTunTotalRefreshes          Counter32,
    ipSecTunExpiredSaInstances      Counter32,
    ipSecTunCurrentSaInstances      Gauge32,
    ipSecTunInSaDiffHellmanGrp      DiffHellmanGrp,
    ipSecTunInSaEncryptAlgo         EncryptAlgo,
    ipSecTunInSaAhAuthAlgo          AuthAlgo,
    ipSecTunInSaEspAuthAlgo         AuthAlgo,
    ipSecTunInSaDecompAlgo          CompAlgo,
    ipSecTunOutSaDiffHellmanGrp     DiffHellmanGrp,
    ipSecTunOutSaEncryptAlgo        EncryptAlgo,
    ipSecTunOutSaAhAuthAlgo         AuthAlgo,
    ipSecTunOutSaEspAuthAlgo        AuthAlgo,
    ipSecTunOutSaCompAlgo           CompAlgo,
    ipSecTunPmtu                    Integer32,
    ipSecTunInOctets                Counter32,
    ipSecTunHcInOctets              Counter64,
    ipSecTunInOctWraps              Counter32,
    ipSecTunInDecompOctets          Counter32,
    ipSecTunHcInDecompOctets        Counter64,
    ipSecTunInDecompOctWraps        Counter32,
    ipSecTunInPkts                  Counter32,
    ipSecTunInDropPkts              Counter32,
    ipSecTunInReplayDropPkts        Counter32,
    ipSecTunInAuths                 Counter32,
    ipSecTunInAuthFails             Counter32,
    ipSecTunInDecrypts              Counter32,
    ipSecTunInDecryptFails          Counter32,
    ipSecTunOutOctets               Counter32,
    ipSecTunHcOutOctets             Counter64,
    ipSecTunOutOctWraps             Counter32,
    ipSecTunOutUncompOctets         Counter32,
    ipSecTunHcOutUncompOctets       Counter64,
    ipSecTunOutUncompOctWraps       Counter32,
    ipSecTunOutPkts                 Counter32,
    ipSecTunOutDropPkts             Counter32,
    ipSecTunOutAuths                Counter32,
    ipSecTunOutAuthFails            Counter32,
    ipSecTunOutEncrypts             Counter32,
    ipSecTunOutEncryptFails         Counter32,
    ipSecTunOutCompressedPkts       Counter32,
    ipSecTunOutCompSkippedPkts      Counter32,
    ipSecTunOutCompFailPkts         Counter32,
    ipSecTunOutCompTooSmallPkts     Counter32,
    ipSecTunStatus                  TunnelStatus,
    ipSecTunControlProtocol         ControlProtocol,
    ipSecTunControlTunnelIndex      Integer32,
    ipSecTunControlTunnelAlive      TruthValue,
    ipSecTunInSaEncryptKeySize      Integer32,
    ipSecTunOutSaEncryptKeySize     Integer32
}

ipSecTunIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The index of the IPsec Phase-2 Tunnel Table. The value
         of the index is a number which begins at one and is
         incremented with each tunnel that is created. The value
         of this object will wrap at 2,147,483,647."
    ::= { ipSecTunnelEntry 1 }

ipSecTunIkeTunnelIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "The index of the associated IPsec Phase-1 IKE Tunnel
         (ikeTunIndex in the ikeTunnelTable)."
    ::= { ipSecTunnelEntry 2 }

ipSecTunIkeTunnelAlive OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "An indicator which specifies whether or not the IPsec
         Phase-1 IKE Tunnel currently exists. This object has
         been deprecated in favour of more generic pointers to
         the control tunnel (ipSecTunControlTunnelIndex)."
::= { ipSecTunnelEntry 3 } ipSecTunLocalAddr OBJECT-TYPE SYNTAX IPSIpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The IP address of the local endpoint for the IPsec Phase-2 Tunnel." ::= { ipSecTunnelEntry 4 } ipSecTunRemoteAddr OBJECT-TYPE SYNTAX IPSIpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The IP address of the remote endpoint for the IPsec Phase-2 Tunnel." ::= { ipSecTunnelEntry 5 } ipSecTunKeyType OBJECT-TYPE SYNTAX KeyType MAX-ACCESS read-only STATUS deprecated DESCRIPTION "The type of key used by the IPsec Phase-2 Tunnel. This object has been deprecated in favour o ipSecTunControlProtocol." ::= { ipSecTunnelEntry 6 } ipSecTunEncapMode OBJECT-TYPE SYNTAX EncapMode MAX-ACCESS read-only STATUS current DESCRIPTION "The encapsulation mode used by the IPsec Phase-2 Tunnel." ::= { ipSecTunnelEntry 7 } ipSecTunLifeSize OBJECT-TYPE SYNTAX Integer32 (1..2147483647) UNITS "KBytes" MAX-ACCESS read-only IPsec Working Group Expires September 2003 [Page 60] Internet Draft IPsec Flow Monitoring MIB 3 Mar 2003 STATUS current DESCRIPTION "The negotiated LifeSize of the IPsec Phase-2 Tunnel in kilobytes." ::= { ipSecTunnelEntry 8 } ipSecTunLifeTime OBJECT-TYPE SYNTAX Integer32 (0..2147483647) UNITS "Seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "The negotiated LifeTime of the IPsec Phase- Tunnel in seconds. If the tunnel was setup manually, the value of this MIB element should be 0." ::= { ipSecTunnelEntry 9 } ipSecTunActiveTime OBJECT-TYPE SYNTAX TimeInterval MAX-ACCESS read-only STATUS current DESCRIPTION "The length of time the IPsec Phase-2 Tunnel has been active in hundredths of seconds." ::= { ipSecTunnelEntry 10 } ipSecTunSaLifeSizeThreshold OBJECT-TYPE SYNTAX Integer32 (0..2147483647) UNITS "KBytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The security association LifeSize refresh threshold in kilobytes. If the tunnel was setup manually, the value of this MIB element should be 0." 
::= { ipSecTunnelEntry 11 } ipSecTunSaLifeTimeThreshold OBJECT-TYPE SYNTAX Integer32 (0..2147483647) UNITS "Seconds" MAX-ACCESS read-only STATUS current IPsec Working Group Expires September 2003 [Page 61] Internet Draft IPsec Flow Monitoring MIB 3 Mar 2003 DESCRIPTION "The security association LifeTime refresh threshold in seconds. If the tunnel was setup manually, the value of this MIB element should be 0." ::= { ipSecTunnelEntry 12 } ipSecTunTotalRefreshes OBJECT-TYPE SYNTAX Counter32 UNITS "QM Exchanges" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of security association refreshes performed." ::= { ipSecTunnelEntry 13 } ipSecTunExpiredSaInstances OBJECT-TYPE SYNTAX Counter32 UNITS "SAs" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of security associations which have expired. If the tunnel was setup manually, the value of this MIB element should be 0." ::= { ipSecTunnelEntry 14 } ipSecTunCurrentSaInstances OBJECT-TYPE SYNTAX Gauge32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of security associations which are currently active or expiring." ::= { ipSecTunnelEntry 15 } ipSecTunInSaDiffHellmanGrp OBJECT-TYPE SYNTAX DiffHellmanGrp MAX-ACCESS read-only STATUS current DESCRIPTION "The Diffie Hellman Group used by the inbound security association of the IPsec Working Group Expires September 2003 [Page 62] Internet Draft IPsec Flow Monitoring MIB 3 Mar 2003 IPsec Phase-2 Tunnel. If the tunnel was setup manually, the value of this MIB element would be `none'." ::= { ipSecTunnelEntry 16 } ipSecTunInSaEncryptAlgo OBJECT-TYPE SYNTAX EncryptAlgo MAX-ACCESS read-only STATUS current DESCRIPTION "The encryption algorithm used by the inbound security association of the IPsec Phase-2 Tunnel." 
::= { ipSecTunnelEntry 17 } ipSecTunInSaAhAuthAlgo OBJECT-TYPE SYNTAX AuthAlgo MAX-ACCESS read-only STATUS current DESCRIPTION "The authentication algorithm used by the inbound authentication header (AH) security association of the IPsec Phase-2 Tunnel." ::= { ipSecTunnelEntry 18 } ipSecTunInSaEspAuthAlgo OBJECT-TYPE SYNTAX AuthAlgo MAX-ACCESS read-only STATUS current DESCRIPTION "The authentication algorithm used by the inbound ecapsulation security protocol (ESP) security association of the IPsec Phase-2 Tunnel." ::= { ipSecTunnelEntry 19 } ipSecTunInSaDecompAlgo OBJECT-TYPE SYNTAX CompAlgo MAX-ACCESS read-only STATUS current DESCRIPTION "The decompression algorithm used by the inbound security association of the IPsec Phase-2 Tunnel." ::= { ipSecTunnelEntry 20 } ipSecTunOutSaDiffHellmanGrp OBJECT-TYPE SYNTAX DiffHellmanGrp MAX-ACCESS read-only IPsec Working Group Expires September 2003 [Page 63] Internet Draft IPsec Flow Monitoring MIB 3 Mar 2003 STATUS current DESCRIPTION "The Diffie Hellman Group used by the outbound security association of the IPsec Phase-2 Tunnel. If the tunnel was setup manually, the value of this MIB element would be 'none'." ::= { ipSecTunnelEntry 21 } ipSecTunOutSaEncryptAlgo OBJECT-TYPE SYNTAX EncryptAlgo MAX-ACCESS read-only STATUS current DESCRIPTION "The encryption algorithm used by the outbound security association of the IPsec Phase-2 Tunnel." ::= { ipSecTunnelEntry 22 } ipSecTunOutSaAhAuthAlgo OBJECT-TYPE SYNTAX AuthAlgo MAX-ACCESS read-only STATUS current DESCRIPTION "The authentication algorithm used by the outbound authentication header (AH) security association of the IPsec Phase-2 Tunnel." ::= { ipSecTunnelEntry 23 } ipSecTunOutSaEspAuthAlgo OBJECT-TYPE SYNTAX AuthAlgo MAX-ACCESS read-only STATUS current DESCRIPTION "The authentication algorithm used by the inbound encapsulation security protocol (ESP) security association of the IPsec Phase-2 Tunnel." 
::= { ipSecTunnelEntry 24 } ipSecTunOutSaCompAlgo OBJECT-TYPE SYNTAX CompAlgo MAX-ACCESS read-only STATUS current DESCRIPTION "The compression algorithm used by the inbound security association of the IPsec Phase-2 Tunnel." ::= { ipSecTunnelEntry 25 } IPsec Working Group Expires September 2003 [Page 64] Internet Draft IPsec Flow Monitoring MIB 3 Mar 2003 ipSecTunPmtu OBJECT-TYPE SYNTAX Integer32 (68..1500) UNITS "Octets" MAX-ACCESS read-only STATUS current DESCRIPTION "The Path MTU for this IPsec Phase-2 tunnel, which ha been either learnt from the network or which has been specified by the administrator. The lower end of the range is 68 which is the minimum MTU for IPv4." ::= { ipSecTunnelEntry 26 } ipSecTunInOctets OBJECT-TYPE SYNTAX Counter32 UNITS "Octets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of octets received by this IPsec Phase-2 Tunnel. This value is accumulated BEFORE determining whether or not the packet should be decompressed. See also ipSecTunInOctWraps for the number of times this counter has wrapped." ::= { ipSecTunnelEntry 27 } ipSecTunHcInOctets OBJECT-TYPE SYNTAX Counter64 UNITS "Octets" MAX-ACCESS read-only STATUS current DESCRIPTION "A high capacity count of the total number of octets received by this IPsec Phase-2 Tunnel. This value is accumulated BEFORE determining whether or not the packet should be decompressed." ::= { ipSecTunnelEntry 28 } ipSecTunInOctWraps OBJECT-TYPE SYNTAX Counter32 UNITS "Integral units" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of times the octets received counter (ipSecTunInOctets) has wrapped." ::= { ipSecTunnelEntry 29 } IPsec Working Group Expires September 2003 [Page 65] Internet Draft IPsec Flow Monitoring MIB 3 Mar 2003 ipSecTunInDecompOctets OBJECT-TYPE SYNTAX Counter32 UNITS "Octets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of decompressed octets received by this IPsec Phase-2 Tunnel. 
This value is accumulated AFTER the packet is decompressed. If compression is not being used, this value will match the value of ipSecTunInOctets. See also ipSecTunInDecompOctWraps for the number of times this counter has wrapped." ::= { ipSecTunnelEntry 30 } ipSecTunHcInDecompOctets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "A high capacity count of the total number of decompressed octets received by this IPsec Phase-2 Tunnel. This value is accumulated AFTER the packet is decompressed. If compression is not being used, this value will match the value of ipSecTunHcInOctets." ::= { ipSecTunnelEntry 31 } ipSecTunInDecompOctWraps OBJECT-TYPE SYNTAX Counter32 UNITS "Integral units" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of times the decompressed octets received counter (ipSecTunInDecompOctets) has wrapped." ::= { ipSecTunnelEntry 32 } ipSecTunInPkts OBJECT-TYPE SYNTAX Counter32 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets received by this IPsec Phase-2 Tunnel." IPsec Working Group Expires September 2003 [Page 66] Internet Draft IPsec Flow Monitoring MIB 3 Mar 2003 ::= { ipSecTunnelEntry 33 } ipSecTunInDropPkts OBJECT-TYPE SYNTAX Counter32 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets dropped during receive processing by this IPsec Phase-2 Tunnel. This count does NOT include packets dropped due to Anti-Replay processing." ::= { ipSecTunnelEntry 34 } ipSecTunInReplayDropPkts OBJECT-TYPE SYNTAX Counter32 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets dropped during receive processing due to Anti-Replay processing by this IPsec Phase-2 Tunnel." ::= { ipSecTunnelEntry 35 } ipSecTunInAuths OBJECT-TYPE SYNTAX Counter32 UNITS "Events" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of inbound authentication's performed by this IPsec Phase-2 Tunnel." 
::= { ipSecTunnelEntry 36 } ipSecTunInAuthFails OBJECT-TYPE SYNTAX Counter32 UNITS "Failures" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of inbound authentication's which ended in failure by this IPsec Phase-2 Tunnel ." ::= { ipSecTunnelEntry 37 } IPsec Working Group Expires September 2003 [Page 67] Internet Draft IPsec Flow Monitoring MIB 3 Mar 2003 ipSecTunInDecrypts OBJECT-TYPE SYNTAX Counter32 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of inbound decryption's performed by this IPsec Phase-2 Tunnel." ::= { ipSecTunnelEntry 38 } ipSecTunInDecryptFails OBJECT-TYPE SYNTAX Counter32 UNITS "Failures" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of inbound decryption's which ended in failure by this IPsec Phase-2 Tunnel." ::= { ipSecTunnelEntry 39 } ipSecTunOutOctets OBJECT-TYPE SYNTAX Counter32 UNITS "Octets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of octets sent by this IPsec Phase-2 Tunnel. This value is accumulated AFTER determining whether or not the packet should be compressed. See also ipSecTunOutOctWraps for the number of times this counter has wrapped." ::= { ipSecTunnelEntry 40 } ipSecTunHcOutOctets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "A high capacity count of the total number of octets sent by this IPsec Phase-2 Tunnel. This value is accumulated AFTER determining whether or not the packet should be compressed." ::= { ipSecTunnelEntry 41 } ipSecTunOutOctWraps OBJECT-TYPE IPsec Working Group Expires September 2003 [Page 68] Internet Draft IPsec Flow Monitoring MIB 3 Mar 2003 SYNTAX Counter32 UNITS "Integral units" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of times the out octets counter (ipSecTunOutOctets) has wrapped." 
    ::= { ipSecTunnelEntry 42 }

ipSecTunOutUncompOctets OBJECT-TYPE
    SYNTAX Counter32
    UNITS "Octets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of uncompressed octets sent by this IPsec
        Phase-2 Tunnel. This value is accumulated BEFORE the packet is
        compressed. If compression is not being used, this value will
        match the value of ipSecTunOutOctets. See also
        ipSecTunOutDecompOctWraps for the number of times this counter
        has wrapped."
    ::= { ipSecTunnelEntry 43 }

ipSecTunHcOutUncompOctets OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "A high capacity count of the total number of uncompressed
        octets sent by this IPsec Phase-2 Tunnel. This value is
        accumulated BEFORE the packet is compressed. If compression is
        not being used, this value will match the value of
        ipSecTunHcOutOctets."
    ::= { ipSecTunnelEntry 44 }

ipSecTunOutUncompOctWraps OBJECT-TYPE
    SYNTAX Counter32
    UNITS "Integral units"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of times the uncompressed octets sent counter
        (ipSecTunOutUncompOctets) has wrapped."
    ::= { ipSecTunnelEntry 45 }

ipSecTunOutPkts OBJECT-TYPE
    SYNTAX Counter32
    UNITS "Packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of packets sent by this IPsec Phase-2
        Tunnel."
    ::= { ipSecTunnelEntry 46 }

ipSecTunOutDropPkts OBJECT-TYPE
    SYNTAX Counter32
    UNITS "Packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of packets dropped during send processing
        by this IPsec Phase-2 Tunnel."
    ::= { ipSecTunnelEntry 47 }

ipSecTunOutAuths OBJECT-TYPE
    SYNTAX Counter32
    UNITS "Events"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of outbound authentications performed by
        this IPsec Phase-2 Tunnel."
    ::= { ipSecTunnelEntry 48 }

ipSecTunOutAuthFails OBJECT-TYPE
    SYNTAX Counter32
    UNITS "Failures"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of outbound authentications which ended in
        failure by this IPsec Phase-2 Tunnel."
    ::= { ipSecTunnelEntry 49 }

ipSecTunOutEncrypts OBJECT-TYPE
    SYNTAX Counter32
    UNITS "Packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of outbound encryptions performed by this
        IPsec Phase-2 Tunnel."
    ::= { ipSecTunnelEntry 50 }

ipSecTunOutEncryptFails OBJECT-TYPE
    SYNTAX Counter32
    UNITS "Failures"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of outbound encryptions which ended in
        failure by this IPsec Phase-2 Tunnel."
    ::= { ipSecTunnelEntry 51 }

ipSecTunOutCompressedPkts OBJECT-TYPE
    SYNTAX Counter32
    UNITS "Packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of outbound packets which were successfully
        compressed."
    ::= { ipSecTunnelEntry 52 }

ipSecTunOutCompSkippedPkts OBJECT-TYPE
    SYNTAX Counter32
    UNITS "Packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of outbound packets that were to be
        compressed but which were skipped due to the compression
        hysteresis."
    ::= { ipSecTunnelEntry 53 }

ipSecTunOutCompFailPkts OBJECT-TYPE
    SYNTAX Counter32
    UNITS "Packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of outbound packets that failed compression
        because they grew in size after compression."
    ::= { ipSecTunnelEntry 54 }

ipSecTunOutCompTooSmallPkts OBJECT-TYPE
    SYNTAX Counter32
    UNITS "Packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of outbound packets that were to be
        compressed but were smaller than the compression threshold
        size."
    ::= { ipSecTunnelEntry 55 }

ipSecTunStatus OBJECT-TYPE
    SYNTAX TunnelStatus
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "The status of the MIB table row. This object can be used to
        bring the tunnel down by setting the value of this object to
        destroy(2). When the value is set to destroy(2), the SA bundle
        is destroyed and this row is deleted from this table. When
        this MIB value is queried, the value active(1) is always
        returned, if the instance exists. This object cannot be used
        to create a MIB table row."
    ::= { ipSecTunnelEntry 56 }

ipSecTunControlProtocol OBJECT-TYPE
    SYNTAX ControlProtocol
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Identifies the protocol used to set up and administer this
        Phase-2 IPsec tunnel. If IKE was used to set up this tunnel,
        then the value of this column would be 'cp_ike'. A value of
        cp_none is indicative of a manually installed and administered
        Phase-2 tunnel."
    ::= { ipSecTunnelEntry 57 }

ipSecTunControlTunnelIndex OBJECT-TYPE
    SYNTAX Integer32 (0..2147483647)
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The index of the associated IPsec Phase-1 Tunnel (in the case
        of IKE, this value would refer to ikeTunIndex in the
        ikeTunnelTable). A value of 0 identifies that this Phase-2
        tunnel was set up manually."
    ::= { ipSecTunnelEntry 58 }

ipSecTunControlTunnelAlive OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "An indicator which specifies whether or not the IPsec Phase-1
        Tunnel that spawned this Phase-2 tunnel currently exists."
    ::= { ipSecTunnelEntry 59 }

ipSecTunInSaEncryptKeySize OBJECT-TYPE
    SYNTAX Integer32
    UNITS "Bits"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The key size in bits of the negotiated key to be used with
        the algorithm denoted by ipSecTunInSaEncryptAlgo. For DES and
        3DES the key size is respectively 56 and 168. For AES, this
        will denote the negotiated key size."
    ::= { ipSecTunnelEntry 60 }

ipSecTunOutSaEncryptKeySize OBJECT-TYPE
    SYNTAX Integer32
    UNITS "Bits"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The key size in bits of the negotiated key to be used with
        the algorithm denoted by ipSecTunOutSaEncryptAlgo. For DES and
        3DES the key size is respectively 56 and 168. For AES, this
        will denote the negotiated key size."
    ::= { ipSecTunnelEntry 61 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- The IPsec Phase-2 Tunnel Endpoint Table
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

ipSecEndPtTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecEndPtEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The IPsec Phase-2 Tunnel Endpoint Table. This table contains
        an entry for each active endpoint associated with an IPsec
        Phase-2 Tunnel."
    ::= { ipSecPhaseTwo 3 }

ipSecEndPtEntry OBJECT-TYPE
    SYNTAX IpSecEndPtEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "An IPsec Phase-2 Tunnel Endpoint entry."
    INDEX { ipSecTunIndex,   -- from ipSecTunnelTable
            ipSecEndPtIndex }
    ::= { ipSecEndPtTable 1 }

IpSecEndPtEntry ::= SEQUENCE {
    ipSecEndPtIndex           Integer32,
    ipSecEndPtLocalName       DisplayString,
    ipSecEndPtLocalType       EndPtType,
    ipSecEndPtLocalAddr1      IPSIpAddress,
    ipSecEndPtLocalAddr2      IPSIpAddress,
    ipSecEndPtLocalProtocol   Integer32,
    ipSecEndPtLocalPort       Integer32,
    ipSecEndPtRemoteName      DisplayString,
    ipSecEndPtRemoteType      EndPtType,
    ipSecEndPtRemoteAddr1     IPSIpAddress,
    ipSecEndPtRemoteAddr2     IPSIpAddress,
    ipSecEndPtRemoteProtocol  Integer32,
    ipSecEndPtRemotePort      Integer32
}

ipSecEndPtIndex OBJECT-TYPE
    SYNTAX Integer32 (1..2147483647)
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The number of the Endpoint associated with the IPsec Phase-2
        Tunnel Table. The value of this index is a number which begins
        at one and is incremented with each Endpoint associated with
        an IPsec Phase-2 Tunnel. The value of this object will wrap at
        2,147,483,647."
    ::= { ipSecEndPtEntry 1 }

ipSecEndPtLocalName OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The DNS name of the local Endpoint."
    ::= { ipSecEndPtEntry 2 }

ipSecEndPtLocalType OBJECT-TYPE
    SYNTAX EndPtType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The type of identity for the local Endpoint. Possible values
        are: 1) a single IP address, or 2) an IP address range, or
        3) an IP subnet."
    ::= { ipSecEndPtEntry 3 }

ipSecEndPtLocalAddr1 OBJECT-TYPE
    SYNTAX IPSIpAddress
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The local Endpoint's first IP address specification. If the
        local Endpoint type is single IP address, then this is the
        value of the IP address. If the local Endpoint type is IP
        subnet, then this is the value of the subnet. If the local
        Endpoint type is IP address range, then this is the value of
        the beginning IP address of the range."
    ::= { ipSecEndPtEntry 4 }

ipSecEndPtLocalAddr2 OBJECT-TYPE
    SYNTAX IPSIpAddress
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The local Endpoint's second IP address specification. If the
        local Endpoint type is single IP address, then this is the
        value of the IP address. If the local Endpoint type is IP
        subnet, then this is the value of the subnet mask. If the
        local Endpoint type is IP address range, then this is the
        value of the ending IP address of the range."
    ::= { ipSecEndPtEntry 5 }

ipSecEndPtLocalProtocol OBJECT-TYPE
    SYNTAX Integer32 (0..255)
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The protocol number of the local Endpoint's traffic."
    ::= { ipSecEndPtEntry 6 }

ipSecEndPtLocalPort OBJECT-TYPE
    SYNTAX Integer32 (0..65535)
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The port number of the local Endpoint's traffic."
    ::= { ipSecEndPtEntry 7 }

ipSecEndPtRemoteName OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The DNS name of the remote Endpoint."
    ::= { ipSecEndPtEntry 8 }

ipSecEndPtRemoteType OBJECT-TYPE
    SYNTAX EndPtType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The type of identity for the remote Endpoint. Possible values
        are: 1) a single IP address, or 2) an IP address range, or
        3) an IP subnet."
    ::= { ipSecEndPtEntry 9 }

ipSecEndPtRemoteAddr1 OBJECT-TYPE
    SYNTAX IPSIpAddress
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The remote Endpoint's first IP address specification. If the
        remote Endpoint type is single IP address, then this is the
        value of the IP address. If the remote Endpoint type is IP
        subnet, then this is the value of the subnet. If the remote
        Endpoint type is IP address range, then this is the value of
        the beginning IP address of the range."
    ::= { ipSecEndPtEntry 10 }

ipSecEndPtRemoteAddr2 OBJECT-TYPE
    SYNTAX IPSIpAddress
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The remote Endpoint's second IP address specification. If the
        remote Endpoint type is single IP address, then this is the
        value of the IP address. If the remote Endpoint type is IP
        subnet, then this is the value of the subnet mask. If the
        remote Endpoint type is IP address range, then this is the
        value of the ending IP address of the range."
    ::= { ipSecEndPtEntry 11 }

ipSecEndPtRemoteProtocol OBJECT-TYPE
    SYNTAX Integer32 (0..255)
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The protocol number of the remote Endpoint's traffic."
    ::= { ipSecEndPtEntry 12 }

ipSecEndPtRemotePort OBJECT-TYPE
    SYNTAX Integer32 (0..65535)
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The port number of the remote Endpoint's traffic."
    ::= { ipSecEndPtEntry 13 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- The IPsec Phase-2 Security Protection Index Table (deprecated)
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- The tunnel SA decomposition table: This table has been deprecated
-- and has been replaced by ipSecSaTable. New IPsec devices will not
-- support this table. Older products will continue to support
-- this table for some time in order to be backwards compatible with
-- existing network management applications.

ipSecSpiTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecSpiEntry
    MAX-ACCESS not-accessible
    STATUS deprecated
    DESCRIPTION
        "The IPsec Phase-2 Security Protection Index Table. This table
        contains an entry for each active and expiring security
        association."
    ::= { ipSecPhaseTwo 4 }

ipSecSpiEntry OBJECT-TYPE
    SYNTAX IpSecSpiEntry
    MAX-ACCESS not-accessible
    STATUS deprecated
    DESCRIPTION
        "Each entry contains the attributes associated with active and
        expiring IPsec Phase-2 security associations."
    INDEX { ipSecTunIndex,   -- from ipSecTunnelTable
            ipSecSpiIndex }
    ::= { ipSecSpiTable 1 }

IpSecSpiEntry ::= SEQUENCE {
    ipSecSpiIndex      Integer32,
    ipSecSpiDirection  INTEGER,
    ipSecSpiValue      Spi,
    ipSecSpiProtocol   INTEGER,
    ipSecSpiStatus     INTEGER
}

ipSecSpiIndex OBJECT-TYPE
    SYNTAX Integer32 (1..2147483647)
    MAX-ACCESS not-accessible
    STATUS deprecated
    DESCRIPTION
        "The number of the SPI associated with the Phase-2 Tunnel
        Table. The value of this index is a number which begins at one
        and is incremented with each SPI associated with an IPsec
        Phase-2 Tunnel. The value of this object will wrap at
        2,147,483,647."
    ::= { ipSecSpiEntry 1 }

ipSecSpiDirection OBJECT-TYPE
    SYNTAX INTEGER {
        in(1),
        out(2)
    }
    MAX-ACCESS read-only
    STATUS deprecated
    DESCRIPTION
        "The direction of the SPI."
    ::= { ipSecSpiEntry 2 }

ipSecSpiValue OBJECT-TYPE
    SYNTAX Spi
    MAX-ACCESS read-only
    STATUS deprecated
    DESCRIPTION
        "The value of the SPI."
    ::= { ipSecSpiEntry 3 }

ipSecSpiProtocol OBJECT-TYPE
    SYNTAX INTEGER {
        ah(1),
        esp(2),
        ipcomp(3)
    }
    MAX-ACCESS read-only
    STATUS deprecated
    DESCRIPTION
        "The protocol of the SPI."
    ::= { ipSecSpiEntry 4 }

ipSecSpiStatus OBJECT-TYPE
    SYNTAX INTEGER {
        active(1),
        expiring(2)
    }
    MAX-ACCESS read-only
    STATUS deprecated
    DESCRIPTION
        "The status of the SPI."
    ::= { ipSecSpiEntry 5 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- The IPsec New Group metrics
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

ipSecGlobalNewGrpStats OBJECT IDENTIFIER ::= { ipSecPhaseTwo 5 }

ipSecGlobalInNewGrpReqs OBJECT-TYPE
    SYNTAX Counter32
    UNITS "Negotiations"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of New Group exchanges initiated remotely."
    ::= { ipSecGlobalNewGrpStats 1 }

ipSecGlobalOutNewGrpReqs OBJECT-TYPE
    SYNTAX Counter32
    UNITS "Negotiations"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of New Group exchanges initiated locally."
    ::= { ipSecGlobalNewGrpStats 2 }

ipSecGlobalInNewGrpReqsRejected OBJECT-TYPE
    SYNTAX Counter32
    UNITS "Negotiations"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of New Group exchanges initiated remotely
        that ended in a failure."
    ::= { ipSecGlobalNewGrpStats 3 }

ipSecGlobalOutNewGrpReqsRejected OBJECT-TYPE
    SYNTAX Counter32
    UNITS "Negotiations"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of New Group exchanges initiated locally
        that ended in a failure."
    ::= { ipSecGlobalNewGrpStats 4 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- The IPsec Phase-2 Security Association Table
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- The tunnel SA decomposition table: This table replaces the
-- now deprecated ipSecSpiTable.

ipSecSaTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecSaEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The IPsec Phase-2 Security Association Table. This table
        identifies the structure (in terms of component SAs) of each
        active Phase-2 IPsec tunnel. This table contains an entry for
        each active and expiring security association and maps each
        entry in the active Phase-2 tunnel table (ipSecTunnelTable)
        into a number of entries in this table. The index of this
        table reflects the rule for identifying Security
        Associations."
    ::= { ipSecPhaseTwo 6 }

ipSecSaEntry OBJECT-TYPE
    SYNTAX IpSecSaEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Each entry contains the attributes associated with active and
        expiring IPsec Phase-2 security associations."
    INDEX { ipSecTunIndex,   -- from ipSecTunnelTable
            ipSecSaProtocol,
            ipSecSaIndex }
    ::= { ipSecSaTable 1 }

IpSecSaEntry ::= SEQUENCE {
    ipSecSaIndex      Integer32,
    ipSecSaDirection  INTEGER,
    ipSecSaValue      Spi,
    ipSecSaProtocol   INTEGER,
    ipSecSaStatus     INTEGER
}

ipSecSaIndex OBJECT-TYPE
    SYNTAX Integer32 (1..2147483647)
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The index, in the context of the IPsec tunnel ipSecTunIndex,
        of the security association represented by this table entry.
        The value of this index is a number which begins at one and is
        incremented with each SPI associated with an IPsec Phase-2
        Tunnel. The value of this object will wrap at 2,147,483,647."
    ::= { ipSecSaEntry 1 }

ipSecSaDirection OBJECT-TYPE
    SYNTAX INTEGER {
        in(1),
        out(2)
    }
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Phase-2 IPsec security associations are simplex. Hence a
        particular security association is used either for securing
        outgoing traffic or decoding incoming traffic. This column
        identifies the direction of the security association
        represented by this entry."
    ::= { ipSecSaEntry 2 }

ipSecSaValue OBJECT-TYPE
    SYNTAX Spi
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "This is the value of the Security Protection Index (SPI)
        assigned by the system to the security association
        represented by this entry."
    ::= { ipSecSaEntry 3 }

ipSecSaProtocol OBJECT-TYPE
    SYNTAX INTEGER {
        reserved(0),
        ah(1),
        esp(2),
        ipcomp(3)
    }
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "This column represents the security protocol (AH, ESP or
        IPComp) for which this security association was set up."
    ::= { ipSecSaEntry 4 }

ipSecSaStatus OBJECT-TYPE
    SYNTAX INTEGER {
        unknown(0),
        active(1),
        expiring(2)
    }
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "This column represents the status of the security association
        represented by this table entry. If the status of the SA is
        'active', the SA is ready for active use. The status
        'expiring' represents any of the various states that the
        security association transitions through before being purged."
    ::= { ipSecSaEntry 5 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- The IPsec History Group
--
-- This group consists of a:
-- 1) IPsec History Global Objects
-- 2) IPsec Phase-1 History Objects
-- 3) IPsec Phase-2 History Objects
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

ipSecHistGlobal   OBJECT IDENTIFIER ::= { ipSecHistory 1 }
ipSecHistPhaseOne OBJECT IDENTIFIER ::= { ipSecHistory 2 }
ipSecHistPhaseTwo OBJECT IDENTIFIER ::= { ipSecHistory 3 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- IPsec History Global Control Objects
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

ipSecHistGlobalCntl OBJECT IDENTIFIER ::= { ipSecHistGlobal 1 }

ipSecHistTableSize OBJECT-TYPE
    SYNTAX Integer32 (1..2147483647)
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "The window size of the IPsec Phase-1 and Phase-2 History
        Tables. The IPsec Phase-1 and Phase-2 History Tables are
        implemented as a sliding window in which only the last n
        entries are maintained. This object is used to specify the
        number of entries which will be maintained in the IPsec
        Phase-1 and Phase-2 History Tables. An implementation may
        choose suitable minimum and maximum values for this element
        based on the local policy and available resources. If an SNMP
        SET request specifies a value outside this window for this
        element, a BAD VALUE may be returned."
    ::= { ipSecHistGlobalCntl 1 }

ipSecHistCheckPoint OBJECT-TYPE
    SYNTAX INTEGER {
        ready(1),
        checkPoint(2)
    }
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "The current state of check point processing. This object will
        return ready when the agent is ready to create on-demand
        history entries for active IPsec Tunnels, or checkPoint when
        the agent is currently creating on-demand history entries for
        active IPsec Tunnels. By setting this value to checkPoint, the
        agent will create: a) an entry in the IPsec Phase-1 Tunnel
        History for each active IPsec Phase-1 Tunnel and b) an entry
        in the IPsec Phase-2 Tunnel History Table and an entry in the
        IPsec Phase-2 Tunnel EndPoint History Table for each active
        IPsec Phase-2 Tunnel."
    ::= { ipSecHistGlobalCntl 2 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- The IPsec Phase-1 Tunnel History Table
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

ikeTunnelHistTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IkeTunnelHistEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The IPsec Phase-1 Internet Key Exchange Tunnel History Table.
        This table is implemented as a sliding window in which only
        the last n entries are maintained. The maximum number of
        entries is specified by the ipSecHistTableSize object."
    ::= { ipSecHistPhaseOne 1 }

ikeTunnelHistEntry OBJECT-TYPE
    SYNTAX IkeTunnelHistEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Each entry contains the attributes associated with a
        previously active IPsec Phase-1 IKE Tunnel."
    INDEX { ikeTunHistIndex }
    ::= { ikeTunnelHistTable 1 }

IkeTunnelHistEntry ::= SEQUENCE {
    ikeTunHistIndex                 Integer32,
    ikeTunHistTermReason            INTEGER,
    ikeTunHistActiveIndex           Integer32,
    ikeTunHistPeerLocalType         Phase1PeerIdentityType,
    ikeTunHistPeerLocalValue        DisplayString,
    ikeTunHistPeerIntIndex          Integer32,
    ikeTunHistPeerRemoteType        Phase1PeerIdentityType,
    ikeTunHistPeerRemoteValue       DisplayString,
    ikeTunHistLocalAddr             IPSIpAddress,
    ikeTunHistLocalName             DisplayString,
    ikeTunHistRemoteAddr            IPSIpAddress,
    ikeTunHistRemoteName            DisplayString,
    ikeTunHistNegoMode              IkeNegoMode,
    ikeTunHistDiffHellmanGrp        DiffHellmanGrp,
    ikeTunHistEncryptAlgo           EncryptAlgo,
    ikeTunHistHashAlgo              IkeHashAlgo,
    ikeTunHistAuthMethod            IkeAuthMethod,
    ikeTunHistLifeTime              Integer32,
    ikeTunHistStartTime             TimeStamp,
    ikeTunHistActiveTime            TimeInterval,
    ikeTunHistTotalRefreshes        Counter32,
    ikeTunHistTotalSas              Counter32,
    ikeTunHistInOctets              Counter32,
    ikeTunHistInPkts                Counter32,
    ikeTunHistInDropPkts            Counter32,
    ikeTunHistInNotifys             Counter32,
    ikeTunHistInP2Exchgs            Counter32,
    ikeTunHistInP2ExchgInvalids     Counter32,
    ikeTunHistInP2ExchgRejects      Counter32,
    ikeTunHistInP2SaDelRequests     Counter32,
    ikeTunHistOutOctets             Counter32,
    ikeTunHistOutPkts               Counter32,
    ikeTunHistOutDropPkts           Counter32,
    ikeTunHistOutNotifys            Counter32,
    ikeTunHistOutP2Exchgs           Counter32,
    ikeTunHistOutP2ExchgInvalids    Counter32,
    ikeTunHistOutP2ExchgRejects     Counter32,
    ikeTunHistOutP2SaDelRequests    Counter32,
    ikeTunHistInNewGrpReqs          Counter32,
    ikeTunHistOutNewGrpReqs         Counter32,
    ikeTunHistInNewGrpReqsRejected  Counter32,
    ikeTunHistOutNewGrpReqsRejected Counter32,
    ikeTunHistInConfigs             Counter32,
    ikeTunHistOutConfigs            Counter32,
    ikeTunHistInConfigsRejects      Counter32,
    ikeTunHistOutConfigsRejects     Counter32,
    ikeTunHistEncryptKeySize        Integer32
}

ikeTunHistIndex OBJECT-TYPE
    SYNTAX Integer32 (1..2147483647)
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The index of the IPsec Phase-1 IKE Tunnel History Table. The
        value of the index is a number which begins at one and is
        incremented with each tunnel that ends. The value of this
        object will wrap at 2,147,483,647."
    ::= { ikeTunnelHistEntry 1 }

ikeTunHistTermReason OBJECT-TYPE
    SYNTAX INTEGER {
        other(1),
        normal(2),
        operRequest(3),
        peerDelRequest(4),
        peerLost(5),
        applicationInitiated(6),
        xauthFailure(7),
        localFailure(8),
        checkPointReg(9)
    }
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The reason the IPsec Phase-1 IKE Tunnel was terminated.
        Possible reasons include:
        1 = other
        2 = normal termination
        3 = operator request
        4 = peer delete request was received
        5 = contact with peer was lost
        6 = applicationInitiated (eg: L2TP requesting the termination)
        7 = failure of extended authentication
        8 = local failure occurred
        9 = operator initiated check point request"
    ::= { ikeTunnelHistEntry 2 }

ikeTunHistActiveIndex OBJECT-TYPE
    SYNTAX Integer32 (1..2147483647)
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The index of the previously active IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelHistEntry 3 }

ikeTunHistPeerLocalType OBJECT-TYPE
    SYNTAX Phase1PeerIdentityType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The type of local peer identity. The local peer may be
        identified by:
        1. an IP address, or
        2. a fully qualified domain name, or
        3. a distinguished name."
    ::= { ikeTunnelHistEntry 4 }

ikeTunHistPeerLocalValue OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The value of the local peer identity. If the local peer type
        is an IP Address, then this is the IP Address used to identify
        the local peer. If the local peer type is id_fqdn, then this
        is the FQDN of the local entity. If the local peer type is
        id_dn, then this is the distinguished name string of the
        local entity."
    ::= { ikeTunnelHistEntry 5 }

ikeTunHistPeerIntIndex OBJECT-TYPE
    SYNTAX Integer32 (1..2147483647)
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The internal index of the local-remote peer association. This
        internal index is used to uniquely identify multiple
        associations between the local and remote peer."
    ::= { ikeTunnelHistEntry 6 }

ikeTunHistPeerRemoteType OBJECT-TYPE
    SYNTAX Phase1PeerIdentityType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The type of remote peer identity. The remote peer may be
        identified by:
        1. an IP address, or
        2. a fully qualified domain name, or
        3. a distinguished name."
    ::= { ikeTunnelHistEntry 7 }

ikeTunHistPeerRemoteValue OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The value of the remote peer identity. If the remote peer
        type is an IP Address, then this is the IP Address used to
        identify the remote peer. If the remote peer type is id_fqdn,
        then this is the FQDN of the remote peer. If the remote peer
        type is id_dn, then this is the distinguished name string of
        the remote peer."
    ::= { ikeTunnelHistEntry 8 }

ikeTunHistLocalAddr OBJECT-TYPE
    SYNTAX IPSIpAddress
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The IP address of the local endpoint for the IPsec Phase-1
        IKE Tunnel."
    ::= { ikeTunnelHistEntry 9 }

ikeTunHistLocalName OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The DNS name of the local IP address for the IPsec Phase-1
        IKE Tunnel. If the DNS name associated with the local tunnel
        endpoint is not known, then the value of this object will be
        a NULL string."
    ::= { ikeTunnelHistEntry 10 }

ikeTunHistRemoteAddr OBJECT-TYPE
    SYNTAX IPSIpAddress
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The IP address of the remote endpoint for the IPsec Phase-1
        IKE Tunnel."
    ::= { ikeTunnelHistEntry 11 }

ikeTunHistRemoteName OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The DNS name of the remote IP address of the IPsec Phase-1
        IKE Tunnel. If the DNS name associated with the remote tunnel
        endpoint is not known, then the value of this object will be
        a NULL string."
    ::= { ikeTunnelHistEntry 12 }

ikeTunHistNegoMode OBJECT-TYPE
    SYNTAX IkeNegoMode
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The negotiation mode of the IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelHistEntry 13 }

ikeTunHistDiffHellmanGrp OBJECT-TYPE
    SYNTAX DiffHellmanGrp
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The Diffie Hellman Group used in IPsec Phase-1 IKE
        negotiations."
    ::= { ikeTunnelHistEntry 14 }

ikeTunHistEncryptAlgo OBJECT-TYPE
    SYNTAX EncryptAlgo
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The encryption algorithm used in IPsec Phase-1 IKE
        negotiations."
    ::= { ikeTunnelHistEntry 15 }

ikeTunHistHashAlgo OBJECT-TYPE
    SYNTAX IkeHashAlgo
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The hash algorithm used in IPsec Phase-1 IKE negotiations."
    ::= { ikeTunnelHistEntry 16 }

ikeTunHistAuthMethod OBJECT-TYPE
    SYNTAX IkeAuthMethod
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The authentication method used in IPsec Phase-1 IKE
        negotiations."
    ::= { ikeTunnelHistEntry 17 }

ikeTunHistLifeTime OBJECT-TYPE
    SYNTAX Integer32 (1..2147483647)
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The negotiated LifeTime of the IPsec Phase-1 IKE Tunnel in
        seconds."
    ::= { ikeTunnelHistEntry 18 }

ikeTunHistStartTime OBJECT-TYPE
    SYNTAX TimeStamp
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The value of sysUpTime in hundredths of seconds when the
        IPsec Phase-1 IKE tunnel was started."
    ::= { ikeTunnelHistEntry 19 }

ikeTunHistActiveTime OBJECT-TYPE
    SYNTAX TimeInterval
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The length of time the IPsec Phase-1 IKE tunnel has been
        active in hundredths of seconds."
    ::= { ikeTunnelHistEntry 20 }

ikeTunHistTotalRefreshes OBJECT-TYPE
    SYNTAX Counter32
    UNITS "QM Exchanges"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of security association refreshes
        performed."
    ::= { ikeTunnelHistEntry 21 }

ikeTunHistTotalSas OBJECT-TYPE
    SYNTAX Counter32
    UNITS "SAs"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of security associations used during the
        life of the IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelHistEntry 22 }

ikeTunHistInOctets OBJECT-TYPE
    SYNTAX Counter32
    UNITS "Octets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of octets received by this IPsec Phase-1
        IKE Tunnel."
    ::= { ikeTunnelHistEntry 23 }

ikeTunHistInPkts OBJECT-TYPE
    SYNTAX Counter32
    UNITS "Packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of packets received by this IPsec Phase-1
        IKE Tunnel."
    ::= { ikeTunnelHistEntry 24 }

ikeTunHistInDropPkts OBJECT-TYPE
    SYNTAX Counter32
    UNITS "Packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of packets dropped by this IPsec Phase-1 IKE
        Tunnel during receive processing."
    ::= { ikeTunnelHistEntry 25 }

ikeTunHistInNotifys OBJECT-TYPE
    SYNTAX Counter32
    UNITS "Notification Payloads"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of notifys received by this IPsec Phase-1
        IKE Tunnel."
    ::= { ikeTunnelHistEntry 26 }

ikeTunHistInP2Exchgs OBJECT-TYPE
    SYNTAX Counter32
    UNITS "SA Payloads"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of IPsec Phase-2 exchanges received by this
        IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelHistEntry 27 }

ikeTunHistInP2ExchgInvalids OBJECT-TYPE
    SYNTAX Counter32
    UNITS "SA Payloads"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of IPsec Phase-2 exchanges received on this
        tunnel that were found to contain references to unrecognized
        security parameters."
    ::= { ikeTunnelHistEntry 28 }

ikeTunHistInP2ExchgRejects OBJECT-TYPE
    SYNTAX Counter32
    UNITS "SA Payloads"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of IPsec Phase-2 exchanges received on this
        tunnel that were validated but were rejected by the local
        policy."
    ::= { ikeTunnelHistEntry 29 }

ikeTunHistInP2SaDelRequests OBJECT-TYPE
    SYNTAX Counter32
    UNITS "Notification Payloads"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of IPsec Phase-2 security association delete
        requests received by this IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelHistEntry 30 }

ikeTunHistOutOctets OBJECT-TYPE
    SYNTAX Counter32
    UNITS "Octets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of octets sent by this IPsec Phase-1 IKE
        Tunnel."
    ::= { ikeTunnelHistEntry 31 }

ikeTunHistOutPkts OBJECT-TYPE
    SYNTAX Counter32
    UNITS "Packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of packets sent by this IPsec Phase-1 IKE
        Tunnel."
    ::= { ikeTunnelHistEntry 32 }

ikeTunHistOutDropPkts OBJECT-TYPE
    SYNTAX Counter32
    UNITS "Packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of packets dropped by this IPsec Phase-1 IKE
        Tunnel during send processing."
    ::= { ikeTunnelHistEntry 33 }

ikeTunHistOutNotifys OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Notification Payloads"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of notifies sent by this IPsec
         Phase-1 IKE Tunnel."
    ::= { ikeTunnelHistEntry 34 }

ikeTunHistOutP2Exchgs OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "SA Payloads"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of IPsec Phase-2 exchanges sent by
         this IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelHistEntry 35 }

ikeTunHistOutP2ExchgInvalids OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "SA Payloads"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of IPsec Phase-2 exchanges sent on
         this tunnel that were found by the peer to contain
         references to security parameters not recognized by
         the peer."
    ::= { ikeTunnelHistEntry 36 }

ikeTunHistOutP2ExchgRejects OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "SA Payloads"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of IPsec Phase-2 exchanges sent on
         this tunnel that were validated by the peer but were
         rejected by the peer's policy."
    ::= { ikeTunnelHistEntry 37 }

ikeTunHistOutP2SaDelRequests OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Notification Payloads"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of IPsec Phase-2 security association
         delete requests sent by this IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelHistEntry 38 }

ikeTunHistInNewGrpReqs OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Negotiations"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of New Group exchanges initiated
         remotely using this IKE tunnel during its lifetime."
    ::= { ikeTunnelHistEntry 39 }

ikeTunHistOutNewGrpReqs OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Negotiations"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of New Group exchanges initiated
         locally using this IKE tunnel during its lifetime."
    ::= { ikeTunnelHistEntry 40 }

ikeTunHistInNewGrpReqsRejected OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Negotiations"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of New Group exchanges initiated
         remotely using this IKE tunnel during its lifetime
         that ended in a failure."
    ::= { ikeTunnelHistEntry 41 }

ikeTunHistOutNewGrpReqsRejected OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Negotiations"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of New Group exchanges initiated
         locally using this IKE tunnel during its lifetime
         that ended in a failure."
    ::= { ikeTunnelHistEntry 42 }

ikeTunHistInConfigs OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Mode Configuration Setting Payloads"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of Mode Configuration settings
         received (either CFG_REPLY or CFG_SET payloads) by
         the local entity on the ISAKMP SA represented by this
         IKE tunnel."
    ::= { ikeTunnelHistEntry 43 }

ikeTunHistOutConfigs OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Mode Configuration Setting Payloads"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of Mode Configuration settings
         dispatched (either CFG_REPLY or CFG_SET payloads) by
         the local entity on the ISAKMP SA represented by this
         IKE tunnel."
    ::= { ikeTunnelHistEntry 44 }

ikeTunHistInConfigsRejects OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Mode Configuration Setting Payloads"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of Mode Configuration settings which
         were received (either CFG_REPLY or CFG_SET payloads)
         and rejected by this entity using the ISAKMP SA
         represented by this IKE tunnel."
    ::= { ikeTunnelHistEntry 45 }

ikeTunHistOutConfigsRejects OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Mode Configuration Setting Payloads"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of Mode Configuration settings which
         were dispatched (either CFG_REPLY or CFG_SET payloads)
         by this entity and were rejected by the peer (client)
         using the ISAKMP SA represented by this IKE tunnel."
    ::= { ikeTunnelHistEntry 46 }

ikeTunHistEncryptKeySize OBJECT-TYPE
    SYNTAX      Integer32
    UNITS       "Bits"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The size in bits of the key which was negotiated for
         the IKE tunnel to be used with the algorithm denoted
         by the column 'ikeTunEncryptAlgo'. For DES and 3DES
         the key size is respectively 56 and 168. For AES,
         this will denote the negotiated key size."
    ::= { ikeTunnelHistEntry 47 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- The IPsec Phase-2 Tunnel History Table
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

ipSecTunnelHistTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpSecTunnelHistEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The IPsec Phase-2 Tunnel History Table. This table is
         implemented as a sliding window in which only the last
         n entries are maintained. The maximum number of entries
         is specified by the ipSecHistTableSize object."
    ::= { ipSecHistPhaseTwo 1 }

ipSecTunnelHistEntry OBJECT-TYPE
    SYNTAX      IpSecTunnelHistEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry contains the attributes associated with a
         previously active IPsec Phase-2 Tunnel."
    INDEX { ipSecTunHistIndex }
    ::= { ipSecTunnelHistTable 1 }

IpSecTunnelHistEntry ::= SEQUENCE {
    ipSecTunHistIndex                  Integer32,
    ipSecTunHistTermReason             INTEGER,
    ipSecTunHistActiveIndex            Integer32,
    ipSecTunHistIkeTunnelIndex         Integer32,
    ipSecTunHistLocalAddr              IPSIpAddress,
    ipSecTunHistRemoteAddr             IPSIpAddress,
    ipSecTunHistKeyType                KeyType,
    ipSecTunHistEncapMode              EncapMode,
    ipSecTunHistLifeSize               Integer32,
    ipSecTunHistLifeTime               Integer32,
    ipSecTunHistStartTime              TimeStamp,
    ipSecTunHistActiveTime             TimeInterval,
    ipSecTunHistTotalRefreshes         Counter32,
    ipSecTunHistTotalSas               Counter32,
    ipSecTunHistInSaDiffHellmanGrp     DiffHellmanGrp,
    ipSecTunHistInSaEncryptAlgo        EncryptAlgo,
    ipSecTunHistInSaAhAuthAlgo         AuthAlgo,
    ipSecTunHistInSaEspAuthAlgo        AuthAlgo,
    ipSecTunHistInSaDecompAlgo         CompAlgo,
    ipSecTunHistOutSaDiffHellmanGrp    DiffHellmanGrp,
    ipSecTunHistOutSaEncryptAlgo       EncryptAlgo,
    ipSecTunHistOutSaAhAuthAlgo        AuthAlgo,
    ipSecTunHistOutSaEspAuthAlgo       AuthAlgo,
    ipSecTunHistOutSaCompAlgo          CompAlgo,
    ipSecTunHistPmtu                   Integer32,
    ipSecTunHistInOctets               Counter32,
    ipSecTunHistHcInOctets             Counter64,
    ipSecTunHistInOctWraps             Counter32,
    ipSecTunHistInDecompOctets         Counter32,
    ipSecTunHistHcInDecompOctets       Counter64,
    ipSecTunHistInDecompOctWraps       Counter32,
    ipSecTunHistInPkts                 Counter32,
    ipSecTunHistInReplayDropPkts       Counter32,
    ipSecTunHistInDropPkts             Counter32,
    ipSecTunHistInAuths                Counter32,
    ipSecTunHistInAuthFails            Counter32,
    ipSecTunHistInDecrypts             Counter32,
    ipSecTunHistInDecryptFails         Counter32,
    ipSecTunHistOutOctets              Counter32,
    ipSecTunHistHcOutOctets            Counter64,
    ipSecTunHistOutOctWraps            Counter32,
    ipSecTunHistOutUncompOctets        Counter32,
    ipSecTunHistHcOutUncompOctets      Counter64,
    ipSecTunHistOutUncompOctWraps      Counter32,
    ipSecTunHistOutPkts                Counter32,
    ipSecTunHistOutDropPkts            Counter32,
    ipSecTunHistOutAuths               Counter32,
    ipSecTunHistOutAuthFails           Counter32,
    ipSecTunHistOutEncrypts            Counter32,
    ipSecTunHistOutEncryptFails        Counter32,
    ipSecTunHistOutCompressedPkts      Counter32,
    ipSecTunHistOutCompSkippedPkts     Counter32,
    ipSecTunHistOutCompFailPkts        Counter32,
    ipSecTunHistOutCompTooSmallPkts    Counter32,
    ipSecTunHistControlProtocol        ControlProtocol,
    ipSecTunHistControlTunnelIndex     Integer32,
    ipSecTunHistInSaEncryptKeySize     Integer32,
    ipSecTunHistOutSaEncryptKeySize    Integer32
}

ipSecTunHistIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The index of the IPsec Phase-2 Tunnel History Table.
         The value of the index is a number which begins at one
         and is incremented with each tunnel that ends. The
         value of this object will wrap at 2,147,483,647."
    ::= { ipSecTunnelHistEntry 1 }

ipSecTunHistTermReason OBJECT-TYPE
    SYNTAX      INTEGER {
                    other(1),
                    normal(2),
                    operRequest(3),
                    peerDelRequest(4),
                    peerLost(5),
                    applicationInitiated(6),
                    xauthFailure(7),
                    seqNumRollOver(8),
                    checkPointReq(9)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The reason the IPsec Phase-2 Tunnel was terminated.
         Possible reasons include:
           1 = other
           2 = normal termination
           3 = operator request
           4 = peer delete request was received
           5 = contact with peer was lost
           6 = applicationInitiated (e.g., L2TP requesting the
               termination)
           7 = failure of extended authentication
           8 = local failure occurred
           9 = operator initiated check point request"
    ::= { ipSecTunnelHistEntry 2 }

ipSecTunHistActiveIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The index of the previously active IPsec Phase-2
         Tunnel."
    ::= { ipSecTunnelHistEntry 3 }

ipSecTunHistIkeTunnelIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "The index of the associated IPsec Phase-1 Tunnel
         (ikeTunIndex in the ikeTunnelTable)."
    ::= { ipSecTunnelHistEntry 4 }

ipSecTunHistLocalAddr OBJECT-TYPE
    SYNTAX      IPSIpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The IP address of the local endpoint for the IPsec
         Phase-2 Tunnel."
    ::= { ipSecTunnelHistEntry 5 }

ipSecTunHistRemoteAddr OBJECT-TYPE
    SYNTAX      IPSIpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The IP address of the remote endpoint for the IPsec
         Phase-2 Tunnel."
    ::= { ipSecTunnelHistEntry 6 }

ipSecTunHistKeyType OBJECT-TYPE
    SYNTAX      KeyType
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "The type of key used by the IPsec Phase-2 Tunnel."
    ::= { ipSecTunnelHistEntry 7 }

ipSecTunHistEncapMode OBJECT-TYPE
    SYNTAX      EncapMode
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The encapsulation mode used by the IPsec Phase-2
         Tunnel."
    ::= { ipSecTunnelHistEntry 8 }

ipSecTunHistLifeSize OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    UNITS       "KBytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The negotiated LifeSize of the IPsec Phase-2 Tunnel
         in kilobytes."
    ::= { ipSecTunnelHistEntry 9 }

ipSecTunHistLifeTime OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    UNITS       "Seconds"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The negotiated LifeTime of the IPsec Phase-2 Tunnel
         in seconds."
    ::= { ipSecTunnelHistEntry 10 }

ipSecTunHistStartTime OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime in hundredths of seconds
         when the IPsec Phase-2 Tunnel was started."
    ::= { ipSecTunnelHistEntry 11 }

ipSecTunHistActiveTime OBJECT-TYPE
    SYNTAX      TimeInterval
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The length of time the IPsec Phase-2 Tunnel was
         active, in hundredths of seconds."
    ::= { ipSecTunnelHistEntry 12 }

ipSecTunHistTotalRefreshes OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "QM Exchanges"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of security association refreshes
         performed."
    ::= { ipSecTunnelHistEntry 13 }

ipSecTunHistTotalSas OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "SAs"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of security associations used during
         the life of the IPsec Phase-2 Tunnel."
    ::= { ipSecTunnelHistEntry 14 }

ipSecTunHistInSaDiffHellmanGrp OBJECT-TYPE
    SYNTAX      DiffHellmanGrp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The Diffie-Hellman Group used by the inbound security
         association of the IPsec Phase-2 Tunnel."
    ::= { ipSecTunnelHistEntry 15 }

ipSecTunHistInSaEncryptAlgo OBJECT-TYPE
    SYNTAX      EncryptAlgo
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The encryption algorithm used by the inbound security
         association of the IPsec Phase-2 Tunnel."
    ::= { ipSecTunnelHistEntry 16 }

ipSecTunHistInSaAhAuthAlgo OBJECT-TYPE
    SYNTAX      AuthAlgo
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The authentication algorithm used by the inbound
         authentication header (AH) security association of
         the IPsec Phase-2 Tunnel."
    ::= { ipSecTunnelHistEntry 17 }

ipSecTunHistInSaEspAuthAlgo OBJECT-TYPE
    SYNTAX      AuthAlgo
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The authentication algorithm used by the inbound
         encapsulating security payload (ESP) security
         association of the IPsec Phase-2 Tunnel."
    ::= { ipSecTunnelHistEntry 18 }

ipSecTunHistInSaDecompAlgo OBJECT-TYPE
    SYNTAX      CompAlgo
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The decompression algorithm used by the inbound
         security association of the IPsec Phase-2 Tunnel."
    ::= { ipSecTunnelHistEntry 19 }

ipSecTunHistOutSaDiffHellmanGrp OBJECT-TYPE
    SYNTAX      DiffHellmanGrp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The Diffie-Hellman Group used by the outbound security
         association of the IPsec Phase-2 Tunnel."
    ::= { ipSecTunnelHistEntry 20 }

ipSecTunHistOutSaEncryptAlgo OBJECT-TYPE
    SYNTAX      EncryptAlgo
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The encryption algorithm used by the outbound security
         association of the IPsec Phase-2 Tunnel."
    ::= { ipSecTunnelHistEntry 21 }

ipSecTunHistOutSaAhAuthAlgo OBJECT-TYPE
    SYNTAX      AuthAlgo
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The authentication algorithm used by the outbound
         authentication header (AH) security association of
         the IPsec Phase-2 Tunnel."
    ::= { ipSecTunnelHistEntry 22 }

ipSecTunHistOutSaEspAuthAlgo OBJECT-TYPE
    SYNTAX      AuthAlgo
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The authentication algorithm used by the outbound
         encapsulating security payload (ESP) security
         association of the IPsec Phase-2 Tunnel."
    ::= { ipSecTunnelHistEntry 23 }

ipSecTunHistOutSaCompAlgo OBJECT-TYPE
    SYNTAX      CompAlgo
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The compression algorithm used by the outbound
         security association of the IPsec Phase-2 Tunnel."
    ::= { ipSecTunnelHistEntry 24 }

ipSecTunHistPmtu OBJECT-TYPE
    SYNTAX      Integer32 (21..576)
    UNITS       "Octets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The Path MTU that was determined for this IPsec
         Phase-2 tunnel."
    ::= { ipSecTunnelHistEntry 25 }

ipSecTunHistInOctets OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Octets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of octets received by this IPsec
         Phase-2 Tunnel. This value is accumulated BEFORE
         determining whether or not the packet should be
         decompressed. See also ipSecTunHistInOctWraps for the
         number of times this counter has wrapped."
    ::= { ipSecTunnelHistEntry 26 }

ipSecTunHistHcInOctets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number of octets
         received by this IPsec Phase-2 Tunnel. This value is
         accumulated BEFORE determining whether or not the
         packet should be decompressed."
    ::= { ipSecTunnelHistEntry 27 }

ipSecTunHistInOctWraps OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Integral units"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of times the octets received counter
         (ipSecTunHistInOctets) has wrapped."
    ::= { ipSecTunnelHistEntry 28 }

ipSecTunHistInDecompOctets OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Octets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of decompressed octets received by
         this IPsec Phase-2 Tunnel. This value is accumulated
         AFTER the packet is decompressed. If compression is
         not being used, this value will match the value of
         ipSecTunHistInOctets. See also
         ipSecTunHistInDecompOctWraps for the number of times
         this counter has wrapped."
    ::= { ipSecTunnelHistEntry 29 }

ipSecTunHistHcInDecompOctets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number of
         decompressed octets received by this IPsec Phase-2
         Tunnel. This value is accumulated AFTER the packet is
         decompressed. If compression is not being used, this
         value will match the value of ipSecTunHistHcInOctets."
    ::= { ipSecTunnelHistEntry 30 }

ipSecTunHistInDecompOctWraps OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Integral units"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of times the decompressed octets received
         counter (ipSecTunHistInDecompOctets) has wrapped."
    ::= { ipSecTunnelHistEntry 31 }

ipSecTunHistInPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received by this IPsec
         Phase-2 Tunnel."
    ::= { ipSecTunnelHistEntry 32 }

ipSecTunHistInDropPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets dropped during receive
         processing by this IPsec Phase-2 Tunnel. This count
         does NOT include packets dropped due to Anti-Replay
         processing."
    ::= { ipSecTunnelHistEntry 33 }

ipSecTunHistInReplayDropPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets dropped during receive
         processing due to Anti-Replay processing by this
         IPsec Phase-2 Tunnel."
    ::= { ipSecTunnelHistEntry 34 }

ipSecTunHistInAuths OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Events"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound authentications performed
         by this IPsec Phase-2 Tunnel."
    ::= { ipSecTunnelHistEntry 35 }

ipSecTunHistInAuthFails OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Failures"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound authentications which
         ended in failure by this IPsec Phase-2 Tunnel."
    ::= { ipSecTunnelHistEntry 36 }

ipSecTunHistInDecrypts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound decryptions performed by
         this IPsec Phase-2 Tunnel."
    ::= { ipSecTunnelHistEntry 37 }

ipSecTunHistInDecryptFails OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Failures"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound decryptions which ended
         in failure by this IPsec Phase-2 Tunnel."
    ::= { ipSecTunnelHistEntry 38 }

ipSecTunHistOutOctets OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Octets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of octets sent by this IPsec Phase-2
         Tunnel. This value is accumulated AFTER determining
         whether or not the packet should be compressed. See
         also ipSecTunHistOutOctWraps for the number of times
         this counter has wrapped."
    ::= { ipSecTunnelHistEntry 39 }

ipSecTunHistHcOutOctets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number of octets
         sent by this IPsec Phase-2 Tunnel. This value is
         accumulated AFTER determining whether or not the
         packet should be compressed."
    ::= { ipSecTunnelHistEntry 40 }

ipSecTunHistOutOctWraps OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Integral units"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of times the octets sent counter
         (ipSecTunHistOutOctets) has wrapped."
    ::= { ipSecTunnelHistEntry 41 }

ipSecTunHistOutUncompOctets OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Octets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of uncompressed octets sent by this
         IPsec Phase-2 Tunnel. This value is accumulated BEFORE
         the packet is compressed. If compression is not being
         used, this value will match the value of
         ipSecTunHistOutOctets. See also
         ipSecTunHistOutUncompOctWraps for the number of times
         this counter has wrapped."
    ::= { ipSecTunnelHistEntry 42 }

ipSecTunHistHcOutUncompOctets OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "Octets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number of
         uncompressed octets sent by this IPsec Phase-2 Tunnel.
         This value is accumulated BEFORE the packet is
         compressed. If compression is not being used, this
         value will match the value of ipSecTunHistHcOutOctets."
    ::= { ipSecTunnelHistEntry 43 }

ipSecTunHistOutUncompOctWraps OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Integral units"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of times the uncompressed octets sent
         counter (ipSecTunHistOutUncompOctets) has wrapped."
    ::= { ipSecTunnelHistEntry 44 }

ipSecTunHistOutPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets sent by this IPsec Phase-2
         Tunnel."
    ::= { ipSecTunnelHistEntry 45 }

ipSecTunHistOutDropPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets dropped during send
         processing by this IPsec Phase-2 Tunnel."
    ::= { ipSecTunnelHistEntry 46 }

ipSecTunHistOutAuths OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Events"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound authentications performed
         by this IPsec Phase-2 Tunnel."
    ::= { ipSecTunnelHistEntry 47 }

ipSecTunHistOutAuthFails OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Failures"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound authentications which
         ended in failure by this IPsec Phase-2 Tunnel."
    ::= { ipSecTunnelHistEntry 48 }

ipSecTunHistOutEncrypts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound encryptions performed
         by this IPsec Phase-2 Tunnel."
    ::= { ipSecTunnelHistEntry 49 }

ipSecTunHistOutEncryptFails OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Failures"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound encryptions which ended
         in failure by this IPsec Phase-2 Tunnel."
    ::= { ipSecTunnelHistEntry 50 }

ipSecTunHistOutCompressedPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound packets which were
         successfully compressed."
    ::= { ipSecTunnelHistEntry 51 }

ipSecTunHistOutCompSkippedPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound packets that were to be
         compressed but which were skipped due to the
         compression hysteresis."
    ::= { ipSecTunnelHistEntry 52 }

ipSecTunHistOutCompFailPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound packets that failed
         compression because they grew in size after
         compression."
    ::= { ipSecTunnelHistEntry 53 }

ipSecTunHistOutCompTooSmallPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound packets that were to be
         compressed but were smaller than the compression
         threshold size."
    ::= { ipSecTunnelHistEntry 54 }

ipSecTunHistControlProtocol OBJECT-TYPE
    SYNTAX      ControlProtocol
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Identifies the protocol that was used to set up and
         administer this Phase-2 IPsec tunnel.
         If IKE was used to set up this tunnel, then the value
         of this column would be `cp_ike'."
    ::= { ipSecTunnelHistEntry 55 }

ipSecTunHistControlTunnelIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The index of the IPsec Phase-1 Tunnel that spawned
         this Phase-2 tunnel (in the case of IKE, this value
         would refer to ikeTunIndex in the ikeTunnelTable)."
    ::= { ipSecTunnelHistEntry 56 }

ipSecTunHistInSaEncryptKeySize OBJECT-TYPE
    SYNTAX      Integer32
    UNITS       "Bits"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The size in bits of the key which was negotiated to be
         used with the encryption transform used with this
         tunnel, denoted by ipSecTunHistInSaEncryptAlgo. For
         DES and 3DES the key size is respectively 56 and 168.
         For AES, this will denote the negotiated key size."
    ::= { ipSecTunnelHistEntry 57 }

ipSecTunHistOutSaEncryptKeySize OBJECT-TYPE
    SYNTAX      Integer32
    UNITS       "Bits"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The size in bits of the key which was negotiated to be
         used with the encryption transform used with this
         tunnel, denoted by ipSecTunHistOutSaEncryptAlgo. For
         DES and 3DES the key size is respectively 56 and 168.
         For AES, this will denote the negotiated key size."
    ::= { ipSecTunnelHistEntry 58 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- The IPsec Phase-2 Tunnel Endpoint History Table
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

ipSecEndPtHistTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpSecEndPtHistEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The IPsec Phase-2 Tunnel Endpoint History Table. This
         table is implemented as a sliding window in which only
         the last n entries are maintained. The maximum number
         of entries is specified by the ipSecHistTableSize
         object."
    ::= { ipSecHistPhaseTwo 2 }

ipSecEndPtHistEntry OBJECT-TYPE
    SYNTAX      IpSecEndPtHistEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry contains the attributes associated with a
         previously active IPsec Phase-2 Tunnel Endpoint."
    INDEX { ipSecEndPtHistIndex }
    ::= { ipSecEndPtHistTable 1 }

IpSecEndPtHistEntry ::= SEQUENCE {
    ipSecEndPtHistIndex            Integer32,
    ipSecEndPtHistTunIndex         Integer32,
    ipSecEndPtHistActiveIndex      Integer32,
    ipSecEndPtHistLocalName        DisplayString,
    ipSecEndPtHistLocalType        EndPtType,
    ipSecEndPtHistLocalAddr1       IPSIpAddress,
    ipSecEndPtHistLocalAddr2       IPSIpAddress,
    ipSecEndPtHistLocalProtocol    Integer32,
    ipSecEndPtHistLocalPort        Integer32,
    ipSecEndPtHistRemoteName       DisplayString,
    ipSecEndPtHistRemoteType       EndPtType,
    ipSecEndPtHistRemoteAddr1      IPSIpAddress,
    ipSecEndPtHistRemoteAddr2      IPSIpAddress,
    ipSecEndPtHistRemoteProtocol   Integer32,
    ipSecEndPtHistRemotePort       Integer32
}

ipSecEndPtHistIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The number of the previously active Endpoint
         associated with an IPsec Phase-2 Tunnel Table. The
         value of this index is a number which begins at one
         and is incremented with each Endpoint associated with
         an IPsec Phase-2 Tunnel. The value of this object will
         wrap at 2,147,483,647."
    ::= { ipSecEndPtHistEntry 1 }

ipSecEndPtHistTunIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The index of the previously active IPsec Phase-2
         Tunnel Table."
    ::= { ipSecEndPtHistEntry 2 }

ipSecEndPtHistActiveIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The index of the previously active Endpoint."
    ::= { ipSecEndPtHistEntry 3 }

ipSecEndPtHistLocalName OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The DNS name of the local Endpoint."
    ::= { ipSecEndPtHistEntry 4 }

ipSecEndPtHistLocalType OBJECT-TYPE
    SYNTAX      EndPtType
                --INTEGER {
                --    singleIpAddr(1),
                --    ipAddrRange(2),
                --    ipSubnet(3)
                --}
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of identity for the local Endpoint. Possible
         values are:
           1) a single IP address, or
           2) an IP address range, or
           3) an IP subnet."
    ::= { ipSecEndPtHistEntry 5 }

ipSecEndPtHistLocalAddr1 OBJECT-TYPE
    SYNTAX      IPSIpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The local Endpoint's first IP address specification.

         If the local Endpoint type is single IP address, then
         this is the value of the IP address.

         If the local Endpoint type is IP subnet, then this is
         the value of the subnet.

         If the local Endpoint type is IP address range, then
         this is the value of the beginning IP address of the
         range."
    ::= { ipSecEndPtHistEntry 6 }

ipSecEndPtHistLocalAddr2 OBJECT-TYPE
    SYNTAX      IPSIpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The local Endpoint's second IP address specification.

         If the local Endpoint type is single IP address, then
         this is the value of the IP address.

         If the local Endpoint type is IP subnet, then this is
         the value of the subnet mask.

         If the local Endpoint type is IP address range, then
         this is the value of the ending IP address of the
         range."
    ::= { ipSecEndPtHistEntry 7 }

ipSecEndPtHistLocalProtocol OBJECT-TYPE
    SYNTAX      Integer32 (0..255)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The protocol number of the local Endpoint's traffic."
    ::= { ipSecEndPtHistEntry 8 }

ipSecEndPtHistLocalPort OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The port number of the local Endpoint's traffic."
    ::= { ipSecEndPtHistEntry 9 }

ipSecEndPtHistRemoteName OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The DNS name of the remote Endpoint."
    ::= { ipSecEndPtHistEntry 10 }

ipSecEndPtHistRemoteType OBJECT-TYPE
    SYNTAX      EndPtType
                --INTEGER {
                --    singleIpAddr(1),
                --    ipAddrRange(2),
                --    ipSubnet(3)
                --}
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of identity for the remote Endpoint. Possible
         values are:
           1) a single IP address, or
           2) an IP address range, or
           3) an IP subnet."
    ::= { ipSecEndPtHistEntry 11 }

ipSecEndPtHistRemoteAddr1 OBJECT-TYPE
    SYNTAX      IPSIpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The remote Endpoint's first IP address specification.

         If the remote Endpoint type is single IP address, then
         this is the value of the IP address.

         If the remote Endpoint type is IP subnet, then this is
         the value of the subnet.

         If the remote Endpoint type is IP address range, then
         this is the value of the beginning IP address of the
         range."
    ::= { ipSecEndPtHistEntry 12 }

ipSecEndPtHistRemoteAddr2 OBJECT-TYPE
    SYNTAX      IPSIpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The remote Endpoint's second IP address specification.

         If the remote Endpoint type is single IP address, then
         this is the value of the IP address.

         If the remote Endpoint type is IP subnet, then this is
         the value of the subnet mask.

         If the remote Endpoint type is IP address range, then
         this is the value of the ending IP address of the
         range."
    ::= { ipSecEndPtHistEntry 13 }

ipSecEndPtHistRemoteProtocol OBJECT-TYPE
    SYNTAX      Integer32 (0..255)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The protocol number of the remote Endpoint's traffic."
    ::= { ipSecEndPtHistEntry 14 }

ipSecEndPtHistRemotePort OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The port number of the remote Endpoint's traffic."
    ::= { ipSecEndPtHistEntry 15 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- The IPsec Failure Group
--
-- This group consists of a:
-- 1) IPsec Failure Global Objects
-- 2) IPsec Phase-1 Tunnel Failure Table
-- 3) IPsec Phase-2 Tunnel Failure Table
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

ipSecFailGlobal    OBJECT IDENTIFIER ::= { ipSecFailures 1 }
ipSecFailPhaseOne  OBJECT IDENTIFIER ::= { ipSecFailures 2 }
ipSecFailPhaseTwo  OBJECT IDENTIFIER ::= { ipSecFailures 3 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- The IPsec Failure Global Control Objects
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

ipSecFailGlobalCntl OBJECT IDENTIFIER ::= { ipSecFailGlobal 1 }

ipSecFailTableSize OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The window size of the IPsec Phase-1 and Phase-2
         Failure Tables.

         The IPsec Phase-1 and Phase-2 Failure Tables are
         implemented as a sliding window in which only the
         last N entries are maintained. This object is used to
         specify the number of entries which will be maintained
         in the IPsec Phase-1 and Phase-2 Failure Tables.

         An implementation may choose suitable minimum and
         maximum values for this element based on the local
         policy and available resources. If an SNMP SET request
         specifies a value outside this window for this
         element, a BAD VALUE may be returned."
    ::= { ipSecFailGlobalCntl 1 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- The IPsec Phase-1 Failure Table
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

ikeFailTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IkeFailEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The IPsec Phase-1 Failure Table.
        This table is implemented as a sliding window in which only
        the last n entries are maintained. The maximum number of
        entries is specified by the ipSecFailTableSize object."
    ::= { ipSecFailPhaseOne 1 }

ikeFailEntry OBJECT-TYPE
    SYNTAX IkeFailEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Each entry contains the attributes associated with
        an IPsec Phase-1 failure."
    INDEX { ikeFailIndex }
    ::= { ikeFailTable 1 }

IkeFailEntry ::= SEQUENCE {
    ikeFailIndex        Integer32,
    ikeFailReason       INTEGER,
    ikeFailTime         TimeStamp,
    ikeFailLocalType    Phase1PeerIdentityType,
    ikeFailLocalValue   DisplayString,
    ikeFailRemoteType   Phase1PeerIdentityType,
    ikeFailRemoteValue  DisplayString,
    ikeFailLocalAddr    IPSIpAddress,
    ikeFailRemoteAddr   IPSIpAddress
}

ikeFailIndex OBJECT-TYPE
    SYNTAX Integer32 (1..2147483647)
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The IPsec Phase-1 Failure Table index.
        The value of the index is a number which begins at one
        and is incremented with each IPsec Phase-1 failure. The
        value of this object will wrap at 2,147,483,647."
    ::= { ikeFailEntry 1 }

ikeFailReason OBJECT-TYPE
    SYNTAX INTEGER {
        other(1),
        peerDelRequest(2),
        peerLost(3),
        localFailure(4),
        authFailure(5),
        hashValidation(6),
        encryptFailure(7),
        internalError(8),
        sysCapExceeded(9),
        proposalFailure(10),
        peerCertUnavailable(11),
        peerCertNotValid(12),
        localCertExpired(13),
        crlFailure(14),
        peerEncodingError(15),
        nonExistentSa(16),
        xauthFailure(17),
        operRequest(18)
    }
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The reason for the failure. Possible reasons include:
         1 = other
         2 = peer delete request was received
         3 = contact with peer was lost
         4 = local failure occurred
         5 = authentication failure
         6 = hash validation failure
         7 = encryption failure
         8 = internal error occurred
         9 = system capacity failure
        10 = proposal failure
        11 = peer's certificate is unavailable
        12 = peer's certificate was found invalid
        13 = local certificate expired
        14 = certificate revocation list (CRL) failure
        15 = peer encoding error
        16 = ISAKMP PDU has pointer to non-existent cookie
        17 = extended authentication (Xauth) failure
        18 = operator requested termination."
    ::= { ikeFailEntry 2 }

ikeFailTime OBJECT-TYPE
    SYNTAX TimeStamp
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The value of sysUpTime in hundredths of seconds at the
        time of the failure."
    ::= { ikeFailEntry 3 }

ikeFailLocalType OBJECT-TYPE
    SYNTAX Phase1PeerIdentityType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The type of local peer identity. The local peer may be
        identified by:
        1. an IP address, or
        2. a fully qualified domain name, or
        3. a distinguished name."
    ::= { ikeFailEntry 4 }

ikeFailLocalValue OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The value of the local peer identity.

        If the local peer type is an IP Address, then this is the
        IP Address used to identify the local peer.

        If the local peer type is id_fqdn, then this is the FQDN
        of the local entity.
        If the local peer type is id_dn, then this is the
        distinguished name string of the local entity."
    ::= { ikeFailEntry 5 }

ikeFailRemoteType OBJECT-TYPE
    SYNTAX Phase1PeerIdentityType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The type of remote peer identity. The remote peer may be
        identified by:
        1. an IP address, or
        2. a fully qualified domain name, or
        3. a distinguished name."
    ::= { ikeFailEntry 6 }

ikeFailRemoteValue OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The value of the remote peer identity.

        If the remote peer type is an IP Address, then this is the
        IP Address used to identify the remote peer.

        If the remote peer type is id_fqdn, then this is the FQDN
        of the remote peer.

        If the remote peer type is id_dn, then this is the
        distinguished name string of the remote peer."
    ::= { ikeFailEntry 7 }

ikeFailLocalAddr OBJECT-TYPE
    SYNTAX IPSIpAddress
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The IP address of the local peer."
    ::= { ikeFailEntry 8 }

ikeFailRemoteAddr OBJECT-TYPE
    SYNTAX IPSIpAddress
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The IP address of the remote peer."
    ::= { ikeFailEntry 9 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- The IPsec Phase-2 Failure Table
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

ipSecFailTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecFailEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The IPsec Phase-2 Failure Table.
        This table is implemented as a sliding window in which only
        the last n entries are maintained. The maximum number of
        entries is specified by the ipSecFailTableSize object."
    ::= { ipSecFailPhaseTwo 1 }

ipSecFailEntry OBJECT-TYPE
    SYNTAX IpSecFailEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Each entry contains the attributes associated with
        an IPsec Phase-2 failure."
    INDEX { ipSecFailIndex }
    ::= { ipSecFailTable 1 }

IpSecFailEntry ::= SEQUENCE {
    ipSecFailIndex        Integer32,
    ipSecFailReason       INTEGER,
    ipSecFailTime         TimeStamp,
    ipSecFailTunnelIndex  Integer32,
    ipSecFailSaSpi        Integer32,
    ipSecFailPktSrcAddr   IPSIpAddress,
    ipSecFailPktDstAddr   IPSIpAddress
}

ipSecFailIndex OBJECT-TYPE
    SYNTAX Integer32 (1..2147483647)
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The IPsec Phase-2 Failure Table index.
        The value of the index is a number which begins at one
        and is incremented with each IPsec Phase-2 failure. The
        value of this object will wrap at 2,147,483,647."
    ::= { ipSecFailEntry 1 }

ipSecFailReason OBJECT-TYPE
    SYNTAX INTEGER {
        other(1),
        internalError(2),
        peerEncodingError(3),
        proposalFailure(4),
        protocolUseFail(5),
        nonExistentSa(6),
        decryptFailure(7),
        encryptFailure(8),
        inAuthFailure(9),
        outAuthFailure(10),
        compression(11),
        sysCapExceeded(12),
        peerDelRequest(13),
        peerLost(14),
        seqNumRollOver(15),
        operRequest(16)
    }
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The reason for the failure. Possible reasons include:
         1 = other
         2 = internal error occurred
         3 = peer encoding error
         4 = proposal failure
         5 = protocol use failure
         6 = non-existent security association
         7 = decryption failure
         8 = encryption failure
         9 = inbound authentication failure
        10 = outbound authentication failure
        11 = compression failure
        12 = system capacity failure
        13 = peer delete request was received
        14 = contact with peer was lost
        15 = sequence number rolled over
        16 = operator requested termination."
    ::= { ipSecFailEntry 2 }

ipSecFailTime OBJECT-TYPE
    SYNTAX TimeStamp
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The value of sysUpTime in hundredths of seconds at the
        time of the failure."
    ::= { ipSecFailEntry 3 }

ipSecFailTunnelIndex OBJECT-TYPE
    SYNTAX Integer32 (1..2147483647)
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The Phase-2 Tunnel index (ipSecTunIndex)."
    ::= { ipSecFailEntry 4 }

ipSecFailSaSpi OBJECT-TYPE
    SYNTAX Integer32 (0..2147483647)
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The security association SPI value."
    ::= { ipSecFailEntry 5 }

ipSecFailPktSrcAddr OBJECT-TYPE
    SYNTAX IPSIpAddress
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The packet's source IP address."
    ::= { ipSecFailEntry 6 }

ipSecFailPktDstAddr OBJECT-TYPE
    SYNTAX IPSIpAddress
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The packet's destination IP address."
    ::= { ipSecFailEntry 7 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- The IPsec TRAP Control Group
--
-- This group of objects controls the sending of IPsec TRAPs.
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

ipSecTrapCntlIkeTunnelStart OBJECT-TYPE
    SYNTAX TrapStatus
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "This object defines the administrative state of sending
        the IPsec IKE Phase-1 Tunnel Start TRAP."
    DEFVAL { disabled }
    ::= { ipSecTrapCntl 1 }

ipSecTrapCntlIkeTunnelStop OBJECT-TYPE
    SYNTAX TrapStatus
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "This object defines the administrative state of sending
        the IPsec IKE Phase-1 Tunnel Stop TRAP."
    DEFVAL { disabled }
    ::= { ipSecTrapCntl 2 }

ipSecTrapCntlIkeSysFailure OBJECT-TYPE
    SYNTAX TrapStatus
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "This object defines the administrative state of sending
        the IPsec IKE Phase-1 System Failure TRAP."
    DEFVAL { disabled }
    ::= { ipSecTrapCntl 3 }

ipSecTrapCntlIkeCertCrlFailure OBJECT-TYPE
    SYNTAX TrapStatus
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "This object defines the administrative state of sending
        the IPsec IKE Phase-1 Certificate/CRL Failure TRAP."
    DEFVAL { disabled }
    ::= { ipSecTrapCntl 4 }

ipSecTrapCntlIkeProtocolFail OBJECT-TYPE
    SYNTAX TrapStatus
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "This object defines the administrative state of sending
        the IPsec IKE Phase-1 Protocol Failure TRAP."
    DEFVAL { disabled }
    ::= { ipSecTrapCntl 5 }

ipSecTrapCntlIkeNoSa OBJECT-TYPE
    SYNTAX TrapStatus
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "This object defines the administrative state of sending
        the IPsec IKE Phase-1 No Security Association TRAP."
    DEFVAL { disabled }
    ::= { ipSecTrapCntl 6 }

ipSecTrapCntlIpSecTunnelStart OBJECT-TYPE
    SYNTAX TrapStatus
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "This object defines the administrative state of sending
        the IPsec Phase-2 Tunnel Start TRAP."
    DEFVAL { disabled }
    ::= { ipSecTrapCntl 7 }

ipSecTrapCntlIpSecTunnelStop OBJECT-TYPE
    SYNTAX TrapStatus
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "This object defines the administrative state of sending
        the IPsec Phase-2 Tunnel Stop TRAP."
    DEFVAL { disabled }
    ::= { ipSecTrapCntl 8 }

ipSecTrapCntlIpSecSysFailure OBJECT-TYPE
    SYNTAX TrapStatus
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "This object defines the administrative state of sending
        the IPsec Phase-2 System Failure TRAP."
    DEFVAL { disabled }
    ::= { ipSecTrapCntl 9 }

ipSecTrapCntlIpSecSetUpFailure OBJECT-TYPE
    SYNTAX TrapStatus
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "This object defines the administrative state of sending
        the IPsec Phase-2 Set Up Failure TRAP."
    DEFVAL { disabled }
    ::= { ipSecTrapCntl 10 }

ipSecTrapCntlIpSecEarlyTunTerm OBJECT-TYPE
    SYNTAX TrapStatus
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "This object defines the administrative state of sending
        the IPsec Phase-2 Early Tunnel Termination TRAP."
    DEFVAL { disabled }
    ::= { ipSecTrapCntl 11 }

ipSecTrapCntlIpSecProtocolFail OBJECT-TYPE
    SYNTAX TrapStatus
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "This object defines the administrative state of sending
        the IPsec Phase-2 Protocol Failure TRAP."
    DEFVAL { disabled }
    ::= { ipSecTrapCntl 12 }

ipSecTrapCntlIpSecNoSa OBJECT-TYPE
    SYNTAX TrapStatus
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "This object defines the administrative state of sending
        the IPsec Phase-2 No Security Association TRAP."
    DEFVAL { disabled }
    ::=
    { ipSecTrapCntl 13 }

ipSecTrapCntlInNewGrpRejected OBJECT-TYPE
    SYNTAX TrapStatus
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "This object defines the administrative state of sending
        the IPsec Phase-2 Inbound New Group Rejected TRAP."
    DEFVAL { disabled }
    ::= { ipSecTrapCntl 14 }

ipSecTrapCntlOutNewGrpRejected OBJECT-TYPE
    SYNTAX TrapStatus
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "This object defines the administrative state of sending
        the IPsec Phase-2 Outbound New Group Rejected TRAP."
    DEFVAL { disabled }
    ::= { ipSecTrapCntl 15 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- IPsec Notifications - TRAPs
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

ipSecMIBNotificationPrefix OBJECT IDENTIFIER
    ::= { ipSecFlowMonitorMIB 2 }
ipSecMIBNotifications OBJECT IDENTIFIER
    ::= { ipSecMIBNotificationPrefix 0 }

ikeTunnelStart NOTIFICATION-TYPE
    OBJECTS {
        phase1PeerLocalAddr,
        phase1PeerRemoteAddr,
        ikeTunLifeTime
    }
    STATUS current
    DESCRIPTION
        "This notification is generated when an IPsec Phase-1
        IKE Tunnel becomes active."
    ::= { ipSecMIBNotifications 1 }

ikeTunnelStop NOTIFICATION-TYPE
    OBJECTS {
        ikeTunHistTermReason,
        phase1PeerLocalAddr,
        phase1PeerRemoteAddr,
        ikeTunActiveTime
    }
    STATUS current
    DESCRIPTION
        "This notification is generated when an IPsec Phase-1
        IKE Tunnel becomes inactive."
    ::= { ipSecMIBNotifications 2 }

ikeSysFailure NOTIFICATION-TYPE
    OBJECTS {
        phase1PeerLocalAddr,
        phase1PeerRemoteAddr
    }
    STATUS current
    DESCRIPTION
        "This notification is generated when the processing for
        an IPsec Phase-1 IKE Tunnel experiences an internal or
        system capacity error."
    ::= { ipSecMIBNotifications 3 }

ikeCertCrlFailure NOTIFICATION-TYPE
    OBJECTS {
        phase1PeerLocalAddr,
        phase1PeerRemoteAddr
    }
    STATUS current
    DESCRIPTION
        "This notification is generated when the processing for
        an IPsec Phase-1 IKE Tunnel experiences a Certificate or
        a Certificate Revocation List (CRL) related error."
    ::= { ipSecMIBNotifications 4 }

ikeProtocolFailure NOTIFICATION-TYPE
    OBJECTS {
        phase1PeerLocalAddr,
        phase1PeerRemoteAddr
    }
    STATUS current
    DESCRIPTION
        "This notification is generated when the processing for
        an IPsec Phase-1 IKE Tunnel experiences a protocol
        related error."
    ::= { ipSecMIBNotifications 5 }

ikeNoSa NOTIFICATION-TYPE
    OBJECTS {
        phase1PeerLocalAddr,
        phase1PeerRemoteAddr
    }
    STATUS current
    DESCRIPTION
        "This notification is generated when the IKE entity
        receives an ISAKMP PDU with a reference to a
        non-existent cookie."
    ::= { ipSecMIBNotifications 6 }

ipSecTunnelStart NOTIFICATION-TYPE
    OBJECTS {
        ipSecTunLifeTime,
        ipSecTunLifeSize
    }
    STATUS current
    DESCRIPTION
        "This notification is generated when an IPsec Phase-2
        Tunnel becomes active."
    ::= { ipSecMIBNotifications 7 }

ipSecTunnelStop NOTIFICATION-TYPE
    OBJECTS {
        ipSecTunHistTermReason,
        ipSecTunActiveTime
    }
    STATUS current
    DESCRIPTION
        "This notification is generated when an IPsec Phase-2
        Tunnel becomes inactive."
    ::= { ipSecMIBNotifications 8 }

ipSecSysFailure NOTIFICATION-TYPE
    OBJECTS {
        phase1PeerLocalAddr,
        phase1PeerRemoteAddr,
        ipSecTunActiveTime,
        ipSecSpiProtocol
    }
    STATUS current
    DESCRIPTION
        "This notification is generated when the processing for
        an IPsec Phase-2 Tunnel experiences an internal or system
        capacity error."
    ::= { ipSecMIBNotifications 9 }

ipSecSetUpFailure NOTIFICATION-TYPE
    OBJECTS {
        phase1PeerLocalAddr,
        phase1PeerRemoteAddr
    }
    STATUS current
    DESCRIPTION
        "This notification is generated when the setup for an
        IPsec Phase-2 Tunnel fails."
    ::= { ipSecMIBNotifications 10 }

ipSecEarlyTunTerm NOTIFICATION-TYPE
    OBJECTS {
        ipSecTunActiveTime,
        ipSecSpiProtocol
    }
    STATUS current
    DESCRIPTION
        "This notification is generated when an IPsec Phase-2
        Tunnel is terminated early, before its expected lifetime
        has elapsed."
    ::= { ipSecMIBNotifications 11 }

ipSecProtocolFailure NOTIFICATION-TYPE
    OBJECTS {
        ipSecTunActiveTime,
        ipSecSpiProtocol
    }
    STATUS current
    DESCRIPTION
        "This notification is generated when the processing for
        an IPsec Phase-2 Tunnel experiences a protocol related
        error."
    ::= { ipSecMIBNotifications 12 }

ipSecNoSa NOTIFICATION-TYPE
    STATUS current
    DESCRIPTION
        "This notification is generated when the managed entity
        receives an IPsec packet with a non-existent SPI."
    ::= { ipSecMIBNotifications 13 }

ipSecInNewGrpRejected NOTIFICATION-TYPE
    OBJECTS {
        phase1PeerLocalAddr,
        phase1PeerRemoteAddr
    }
    STATUS current
    DESCRIPTION
        "This notification is generated when the managed entity
        receives and rejects an incoming new group proposal from
        an IKE peer (ikePeerRemoteAddr). The ISAKMP context of
        the exchange can be obtained from the IKE tunnel index
        which is contained in the index of the varbind objects
        of this trap."
    ::= { ipSecMIBNotifications 14 }

ipSecOutNewGrpRejected NOTIFICATION-TYPE
    OBJECTS {
        phase1PeerLocalAddr,
        phase1PeerRemoteAddr
    }
    STATUS current
    DESCRIPTION
        "This notification is generated when the managed entity
        issues a new group proposal to the peer
        (ikePeerRemoteAddr) and the peer rejects the proposal.
        The ISAKMP context of the exchange can be obtained from
        the IKE tunnel index which is contained in the index of
        the varbind objects of this trap."
    ::= { ipSecMIBNotifications 15 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- Conformance Information
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

ipSecMIBConformance OBJECT IDENTIFIER
    ::= { ipSecFlowMonitorMIB 3 }

ipSecMIBGroups      OBJECT IDENTIFIER ::= { ipSecMIBConformance 1 }
ipSecMIBCompliances OBJECT IDENTIFIER ::= { ipSecMIBConformance 2 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- Compliance Statements
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

ipSecMIBCompliance MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
        "The compliance statement for SNMP entities implementing
        the IP Security Protocol."
    MODULE -- this module
    MANDATORY-GROUPS {
        ipSecLevelsGroup,
        ipSecPeerAssociationGroup,
        ipSecPhaseTwoGroup
    }

    --GROUP ipSecLevelsGroup
    --DESCRIPTION
    --    "The ipSecLevelsGroup is a mandatory group
    --    containing objects providing meta-information
    --    about the MIB itself and its version."

    --GROUP ipSecPhaseOneGroup
    --DESCRIPTION
    --    "The ipSecPhaseOneGroup is a mandatory group
    --    containing objects providing information
    --    about IKE and ISAKMP activity and structures
    --    resulting from such activity in the managed
    --    entity."

    GROUP ipSecIkeGroup
    DESCRIPTION
        "The ipSecIkeGroup is a conditional group containing
        objects providing information about IKE and ISAKMP
        activity and structures resulting from such activity
        in the managed entity."

    --GROUP ipSecPeerAssociationGroup
    --DESCRIPTION
    --    "The ipSecPeerAssociationGroup is a mandatory
    --    group containing objects providing information
    --    about association of the managed entity
    --    with peers in Phase 1."

    --GROUP ipSecIkeGroup
    --DESCRIPTION
    --    "The ipSecIkeGroup encloses all the IKE
    --    related MIB elements. This is an optional
    --    group and needs to be implemented only if
    --    the managed entity implements IKE protocol."
    --GROUP ipSecPhaseTwoGroup
    --DESCRIPTION
    --    "The ipSecPhaseTwoGroup is a mandatory group
    --    containing objects providing information
    --    about Phase-2 IPsec (Quick Mode & New Grp
    --    Mode) activity and structures resulting
    --    from such activity in the managed entity."

    GROUP ipSecHistoryGroup
    DESCRIPTION
        "The ipSecHistoryGroup is an optional group containing
        objects providing information about expired structures
        pertaining to Phase-1 (IKE & ISAKMP) and Phase-2 IPsec
        (Quick Mode & New Grp Mode) activity.
        This group consists of:
        1) IPsec History Global Objects
        2) IPsec Phase-1 History Objects
        3) IPsec Phase-2 History Objects"

    GROUP ipSecFailuresGroup
    DESCRIPTION
        "The ipSecFailuresGroup is an optional group containing
        objects providing information about failures of
        operations pertaining to Phase-1 (IKE & ISAKMP) and
        Phase-2 IPsec (Quick Mode & New Grp Mode) activity.
        This group consists of:
        1) IPsec Failure Global Objects
        2) IPsec Phase-1 Tunnel Failure Table
        3) IPsec Phase-2 Tunnel Failure Table"

    GROUP ipSecTrapCntlGroup
    DESCRIPTION
        "The ipSecTrapCntlGroup is an optional group containing
        objects providing control of notifications pertaining
        to Phase-1 (IKE & ISAKMP) and Phase-2 IPsec (Quick Mode
        & New Grp Mode) activity."

    GROUP ipSecModeConfigGroup
    DESCRIPTION
        "The ipSecModeConfigGroup is an optional group containing
        objects providing information about the IKE Mode
        Configuration activity on the managed entity.
        This group consists of:
        1) Global metrics about IKE Mode Configuration activity
        2) Phase-1 IKE Tunnel-wise Mode Configuration metrics
        3) Historical IKE Mode Configuration metrics on a per
           expired tunnel basis."

    GROUP ipSecNewGrpGroup
    DESCRIPTION
        "The ipSecNewGrpGroup is an optional group containing
        objects providing information about the Phase-2 New
        Group activity on the managed entity.
        This group consists of:
        1) Global metrics about new group negotiations
        2) Phase-1 IKE Tunnel-wise new group metrics
        3) Historical new group metrics on a per tunnel basis.
        4) Notifications pertaining to new grp failures."

    OBJECT ikeTunStatus
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipSecTunStatus
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    ::= { ipSecMIBCompliances 1 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- Units of Conformance
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

ipSecLevelsGroup OBJECT-GROUP
    OBJECTS {
        ipSecMibLevel
    }
    STATUS current
    DESCRIPTION
        "This group consists of a:
        1) IPsec MIB Level"
    ::= { ipSecMIBGroups 1 }

ipSecIkeGroup OBJECT-GROUP
    OBJECTS {
        -- The IPsec Phase-1 Global Statistics
        ikeGlobalActiveTunnels,
        ikeGlobalPreviousTunnels,
        ikeGlobalHcPreviousTunnels,
        ikeGlobalPreviousTunnelsWraps,
        ikeGlobalInOctets,
        ikeGlobalInPkts,
        ikeGlobalInDropPkts,
        ikeGlobalInNotifys,
        ikeGlobalInP2Exchgs,
        ikeGlobalInP2ExchgInvalids,
        ikeGlobalInP2ExchgRejects,
        ikeGlobalInP2SaDelRequests,
        ikeGlobalOutOctets,
        ikeGlobalOutPkts,
        ikeGlobalOutDropPkts,
        ikeGlobalOutNotifys,
        ikeGlobalOutP2Exchgs,
        ikeGlobalOutP2ExchgInvalids,
        ikeGlobalOutP2ExchgRejects,
        ikeGlobalOutP2SaDelRequests,
        ikeGlobalInitTunnels,
        ikeGlobalInitTunnelFails,
        ikeGlobalRespTunnelFails,
        ikeGlobalSysCapFails,
        ikeGlobalAuthFails,
        ikeGlobalDecryptFails,
        ikeGlobalHashValidFails,
        ikeGlobalNoSaFails,
        ikeGlobalRespTunnels,
        ikeGlobalInP1SaDelRequests,
        ikeGlobalOutP1SaDelRequests,

        -- The IPsec Phase-1 Internet Key Exchange
        -- Tunnel Table
        ikeTunLocalType,
        ikeTunLocalValue,
        ikeTunLocalAddr,
        ikeTunLocalName,
        ikeTunRemoteType,
        ikeTunRemoteValue,
        ikeTunRemoteAddr,
        ikeTunRemoteName,
        ikeTunNegoMode,
        ikeTunDiffHellmanGrp,
        ikeTunEncryptAlgo,
        ikeTunHashAlgo,
        ikeTunAuthMethod,
        ikeTunLifeTime,
        ikeTunActiveTime,
        ikeTunSaRefreshThreshold,
        ikeTunTotalRefreshes,
        ikeTunInOctets,
        ikeTunInPkts,
        ikeTunInDropPkts,
        ikeTunInNotifys,
        ikeTunInP2Exchgs,
        ikeTunInP2ExchgInvalids,
        ikeTunInP2ExchgRejects,
        ikeTunInP2SaDelRequests,
        ikeTunOutOctets,
        ikeTunOutPkts,
        ikeTunOutDropPkts,
        ikeTunOutNotifys,
        ikeTunOutP2Exchgs,
        ikeTunOutP2ExchgInvalids,
        ikeTunOutP2ExchgRejects,
        ikeTunOutP2SaDelRequests,
        ikeTunStatus,
        ikeTunEncryptKeySize
    }
    STATUS current
    DESCRIPTION
        "This group consists of:
        1) IKE Global Objects
        2) IKE Tunnel table."
    ::= { ipSecMIBGroups 2 }

ipSecPeerAssociationGroup OBJECT-GROUP
    OBJECTS {
        -- The Phase-1 Peer Association group
        phase1PeerLocalValue,
        phase1PeerRemoteValue,
        phase1PeerLocalAddr,
        phase1PeerRemoteAddr,
        phase1PeerActiveTime,
        phase1PeerActiveTunnelIndex,
        phase1PeerConfigAppVersion,
        phase1PeerConfigAddress,
        phase1PeerConfigNetmask,
        phase1PeerConfigDns,
        phase1PeerConfigNbns,
        phase1PeerConfigDhcp,
        phase1Protocol,
        --
        --phase1PeerCorrLocalType,
        --phase1PeerCorrLocalValue,
        --phase1PeerCorrRemoteType,
        --phase1PeerCorrRemoteValue,
        --phase1PeerCorrIntIndex,
        --phase1PeerCorrSeqNum,
        phase1PeerCorrIpSecTunIndex,
        phase1PeerCorrControlProtocol
    }
    STATUS current
    DESCRIPTION
        "This group consists of:
        1) IPsec Phase-1 Peer Association table.
        2) IPsec Phase-1 Correlation Table"
    ::= { ipSecMIBGroups 3 }

ipSecXauthGroup OBJECT-GROUP
    OBJECTS {
        -- The IPsec extended authentication (Phase-1.5)
        -- Global Statistics
        ikeGlobalInXauthFailures,
        ikeGlobalOutXauthFailures
    }
    STATUS current
    DESCRIPTION
        "This group consists of metrics pertaining to IKE
        extended authentication. Devices that do not support
        Xauth need not implement this group."
    ::= { ipSecMIBGroups 4 }

ipSecPhaseTwoGroup OBJECT-GROUP
    OBJECTS {
        -- The IPsec Phase-2 Global Tunnel Statistics
        ipSecGlobalActiveTunnels,
        ipSecGlobalPreviousTunnels,
        ipSecGlobalHcPreviousTunnels,
        ipSecGlobalPreviousTunnelsWraps,
        ipSecGlobalInOctets,
        ipSecGlobalHcInOctets,
        ipSecGlobalInOctWraps,
        ipSecGlobalInDecompOctets,
        ipSecGlobalHcInDecompOctets,
        ipSecGlobalInDecompOctWraps,
        ipSecGlobalInPkts,
        ipSecGlobalInDrops,
        ipSecGlobalInReplayDrops,
        ipSecGlobalInAuths,
        ipSecGlobalInAuthFails,
        ipSecGlobalInDecrypts,
        ipSecGlobalInDecryptFails,
        ipSecGlobalOutOctets,
        ipSecGlobalHcOutOctets,
        ipSecGlobalOutOctWraps,
        ipSecGlobalOutUncompOctets,
        ipSecGlobalHcOutUncompOctets,
        ipSecGlobalOutUncompOctWraps,
        ipSecGlobalOutPkts,
        ipSecGlobalOutDrops,
        ipSecGlobalOutAuths,
        ipSecGlobalOutAuthFails,
        ipSecGlobalOutEncrypts,
        ipSecGlobalOutEncryptFails,
        ipSecGlobalProtocolUseFails,
        ipSecGlobalNoSaFails,
        ipSecGlobalSysCapFails,
        ipSecGlobalOutCompressedPkts,
        ipSecGlobalOutCompSkippedPkts,
        ipSecGlobalOutCompFailPkts,
        ipSecGlobalOutCompTooSmallPkts,

        -- The IPsec Phase-2 Tunnel Table
        -- ipSecTunIndex,
        -- ipSecTunIkeTunnelIndex,
        -- ipSecTunIkeTunnelAlive,
        ipSecTunLocalAddr,
        ipSecTunRemoteAddr,
        -- ipSecTunKeyType,
        ipSecTunEncapMode,
        ipSecTunLifeSize,
        ipSecTunLifeTime,
        ipSecTunActiveTime,
        ipSecTunSaLifeSizeThreshold,
        ipSecTunSaLifeTimeThreshold,
        ipSecTunTotalRefreshes,
        ipSecTunExpiredSaInstances,
        ipSecTunCurrentSaInstances,
        ipSecTunInSaDiffHellmanGrp,
        ipSecTunInSaEncryptAlgo,
        ipSecTunInSaAhAuthAlgo,
        ipSecTunInSaEspAuthAlgo,
        ipSecTunInSaDecompAlgo,
        ipSecTunOutSaDiffHellmanGrp,
        ipSecTunOutSaEncryptAlgo,
        ipSecTunOutSaAhAuthAlgo,
        ipSecTunOutSaEspAuthAlgo,
        ipSecTunOutSaCompAlgo,
        ipSecTunPmtu,
        ipSecTunInOctets,
        ipSecTunHcInOctets,
        ipSecTunInOctWraps,
        ipSecTunInDecompOctets,
        ipSecTunHcInDecompOctets,
        ipSecTunInDecompOctWraps,
        ipSecTunInPkts,
        ipSecTunInDropPkts,
        ipSecTunInReplayDropPkts,
        ipSecTunInAuths,
        ipSecTunInAuthFails,
        ipSecTunInDecrypts,
        ipSecTunInDecryptFails,
        ipSecTunOutOctets,
        ipSecTunHcOutOctets,
        ipSecTunOutOctWraps,
        ipSecTunOutUncompOctets,
        ipSecTunHcOutUncompOctets,
        ipSecTunOutUncompOctWraps,
        ipSecTunOutPkts,
        ipSecTunOutDropPkts,
        ipSecTunOutAuths,
        ipSecTunOutAuthFails,
        ipSecTunOutEncrypts,
        ipSecTunOutEncryptFails,
        ipSecTunOutCompressedPkts,
        ipSecTunOutCompSkippedPkts,
        ipSecTunOutCompFailPkts,
        ipSecTunOutCompTooSmallPkts,
        ipSecTunStatus,
        ipSecTunControlTunnelIndex,
        ipSecTunControlProtocol,
        ipSecTunControlTunnelAlive,
        ipSecTunInSaEncryptKeySize,
        ipSecTunOutSaEncryptKeySize,

        -- The IPsec Phase-2 Tunnel Endpoint Table
        -- ipSecEndPtIndex,
        ipSecEndPtLocalName,
        ipSecEndPtLocalType,
        ipSecEndPtLocalAddr1,
        ipSecEndPtLocalAddr2,
        ipSecEndPtLocalProtocol,
        ipSecEndPtLocalPort,
        ipSecEndPtRemoteName,
        ipSecEndPtRemoteType,
        ipSecEndPtRemoteAddr1,
        ipSecEndPtRemoteAddr2,
        ipSecEndPtRemoteProtocol,
        ipSecEndPtRemotePort,

        -- The IPsec Phase-2 Security Association Table
        -- ipSecTunIndex
        ipSecSaDirection,
        ipSecSaValue,
        ipSecSaProtocol,
        ipSecSaStatus
    }
    STATUS current
    DESCRIPTION
        "This group consists of:
        1) IPsec Phase-2 Global Statistics
        2) IPsec Phase-2 Tunnel Table
        3) IPsec Phase-2 Endpoint Table
        4) IPsec Phase-2 Security Protection Index Table"
    ::= { ipSecMIBGroups 5 }

ipSecHistoryGroup OBJECT-GROUP
    OBJECTS {
        -- IPsec History Global Control Objects
        ipSecHistTableSize,
        ipSecHistCheckPoint,

        -- The IPsec Phase-1 Tunnel History Table
        ikeTunHistTermReason,
        ikeTunHistActiveIndex,
        ikeTunHistPeerLocalType,
        ikeTunHistPeerLocalValue,
        ikeTunHistPeerIntIndex,
        ikeTunHistPeerRemoteType,
        ikeTunHistPeerRemoteValue,
        ikeTunHistLocalAddr,
        ikeTunHistLocalName,
        ikeTunHistRemoteAddr,
        ikeTunHistRemoteName,
        ikeTunHistNegoMode,
        ikeTunHistDiffHellmanGrp,
        ikeTunHistEncryptAlgo,
        ikeTunHistEncryptKeySize,
        ikeTunHistHashAlgo,
        ikeTunHistAuthMethod,
        ikeTunHistLifeTime,
        ikeTunHistStartTime,
        ikeTunHistActiveTime,
        ikeTunHistTotalRefreshes,
        ikeTunHistTotalSas,
        ikeTunHistInOctets,
        ikeTunHistInPkts,
        ikeTunHistInDropPkts,
        ikeTunHistInNotifys,
        ikeTunHistInP2Exchgs,
        ikeTunHistInP2ExchgInvalids,
        ikeTunHistInP2ExchgRejects,
        ikeTunHistInP2SaDelRequests,
        ikeTunHistOutOctets,
        ikeTunHistOutPkts,
        ikeTunHistOutDropPkts,
        ikeTunHistOutNotifys,
        ikeTunHistOutP2Exchgs,
        ikeTunHistOutP2ExchgInvalids,
        ikeTunHistOutP2ExchgRejects,
        ikeTunHistOutP2SaDelRequests,

        -- The IPsec Phase-2 Tunnel History Table
        -- ipSecTunHistIndex,
        ipSecTunHistTermReason,
        ipSecTunHistActiveIndex,
        --ipSecTunHistIkeTunnelIndex,
        ipSecTunHistLocalAddr,
        ipSecTunHistRemoteAddr,
        -- ipSecTunHistKeyType,
        ipSecTunHistEncapMode,
        ipSecTunHistLifeSize,
        ipSecTunHistLifeTime,
        ipSecTunHistStartTime,
        ipSecTunHistActiveTime,
        ipSecTunHistTotalRefreshes,
        ipSecTunHistTotalSas,
        ipSecTunHistInSaDiffHellmanGrp,
        ipSecTunHistInSaEncryptAlgo,
        ipSecTunHistInSaAhAuthAlgo,
        ipSecTunHistInSaEspAuthAlgo,
        ipSecTunHistInSaDecompAlgo,
        ipSecTunHistOutSaDiffHellmanGrp,
        ipSecTunHistOutSaEncryptAlgo,
        ipSecTunHistOutSaAhAuthAlgo,
        ipSecTunHistOutSaEspAuthAlgo,
        ipSecTunHistOutSaCompAlgo,
        ipSecTunHistPmtu,
        ipSecTunHistInOctets,
        ipSecTunHistHcInOctets,
        ipSecTunHistInOctWraps,
        ipSecTunHistInDecompOctets,
        ipSecTunHistHcInDecompOctets,
        ipSecTunHistInDecompOctWraps,
        ipSecTunHistInPkts,
        ipSecTunHistInDropPkts,
        ipSecTunHistInReplayDropPkts,
        ipSecTunHistInAuths,
        ipSecTunHistInAuthFails,
        ipSecTunHistInDecrypts,
        ipSecTunHistInDecryptFails,
        ipSecTunHistOutOctets,
        ipSecTunHistHcOutOctets,
        ipSecTunHistOutOctWraps,
        ipSecTunHistOutUncompOctets,
        ipSecTunHistHcOutUncompOctets,
        ipSecTunHistOutUncompOctWraps,
        ipSecTunHistOutPkts,
        ipSecTunHistOutDropPkts,
        ipSecTunHistOutAuths,
        ipSecTunHistOutAuthFails,
        ipSecTunHistOutEncrypts,
        ipSecTunHistOutEncryptFails,
        ipSecTunHistOutCompressedPkts,
        ipSecTunHistOutCompSkippedPkts,
        ipSecTunHistOutCompFailPkts,
        ipSecTunHistOutCompTooSmallPkts,
        ipSecTunHistControlProtocol,
        ipSecTunHistControlTunnelIndex,
        ipSecTunHistInSaEncryptKeySize,
        ipSecTunHistOutSaEncryptKeySize,

        -- The IPsec Phase-2 End Point History Table
        -- ipSecEndPtHistIndex,
        ipSecEndPtHistTunIndex,
        ipSecEndPtHistActiveIndex,
        ipSecEndPtHistLocalName,
        ipSecEndPtHistLocalType,
        ipSecEndPtHistLocalAddr1,
        ipSecEndPtHistLocalAddr2,
        ipSecEndPtHistLocalProtocol,
        ipSecEndPtHistLocalPort,
        ipSecEndPtHistRemoteName,
        ipSecEndPtHistRemoteType,
        ipSecEndPtHistRemoteAddr1,
        ipSecEndPtHistRemoteAddr2,
        ipSecEndPtHistRemoteProtocol,
        ipSecEndPtHistRemotePort
    }
    STATUS current
    DESCRIPTION
        "This group consists of:
        1) IPsec History Global Objects
        2) IPsec Phase-1 History Objects
        3) IPsec Phase-2 History Objects"
    ::= { ipSecMIBGroups 6 }

ipSecFailuresGroup OBJECT-GROUP
    OBJECTS {
        -- The IPsec Failure Global Control Objects
        ipSecFailTableSize,

        -- The IPsec Phase-1 Failure Table
        ikeFailReason,
        ikeFailTime,
        ikeFailLocalType,
        ikeFailLocalValue,
        ikeFailRemoteType,
        ikeFailRemoteValue,
        ikeFailLocalAddr,
        ikeFailRemoteAddr,

        -- The IPsec Phase-2 Failure Table
        -- ipSecFailIndex,
        ipSecFailReason,
        ipSecFailTime,
        ipSecFailTunnelIndex,
        ipSecFailSaSpi,
        ipSecFailPktSrcAddr,
        ipSecFailPktDstAddr
    }
    STATUS current
    DESCRIPTION
        "This group consists of:
        1) IPsec Failure Global Objects
        2) IPsec Phase-1 Tunnel Failure Table
        3) IPsec Phase-2 Tunnel Failure Table"
    ::= { ipSecMIBGroups 7 }

ipSecTrapCntlGroup OBJECT-GROUP
    OBJECTS {
        ipSecTrapCntlIkeTunnelStart,
        ipSecTrapCntlIkeTunnelStop,
        ipSecTrapCntlIkeSysFailure,
ipSecTrapCntlIkeCertCrlFailure, ipSecTrapCntlIkeProtocolFail, ipSecTrapCntlIkeNoSa, ipSecTrapCntlIpSecTunnelStart, ipSecTrapCntlIpSecTunnelStop, ipSecTrapCntlIpSecSysFailure, ipSecTrapCntlIpSecSetUpFailure, ipSecTrapCntlIpSecEarlyTunTerm, ipSecTrapCntlIpSecProtocolFail, ipSecTrapCntlIpSecNoSa, ipSecTrapCntlInNewGrpRejected, ipSecTrapCntlOutNewGrpRejected } STATUS current DESCRIPTION "This group of objects controls the sending of IPsec TRAPs." ::= { ipSecMIBGroups 8 } ipSecNotificationGroup NOTIFICATION-GROUP NOTIFICATIONS { ikeTunnelStart, ikeTunnelStop, ikeSysFailure, ikeCertCrlFailure, ikeProtocolFailure, IPsec Working Group Expires September 2003 [Page 145] Internet Draft IPsec Flow Monitoring MIB 3 Mar 2003 ikeNoSa, ipSecTunnelStart, ipSecTunnelStop, ipSecSysFailure, ipSecSetUpFailure, ipSecEarlyTunTerm, ipSecProtocolFailure, ipSecNoSa, ipSecInNewGrpRejected, ipSecOutNewGrpRejected } STATUS current DESCRIPTION "This group contains the notifications for the IPsec MIB." ::= { ipSecMIBGroups 9 } ipSecModeConfigGroup OBJECT-GROUP OBJECTS { -- The IPsec Mode Configuration group ikeGlobalInConfigs, ikeGlobalOutConfigs, ikeGlobalInConfigsRejects, ikeGlobalOutConfigsRejects, --ikePeerConfigAppVersion, --ikePeerConfigAddress, --ikePeerConfigNetmask, --ikePeerConfigDns, --ikePeerConfigNbns, --ikePeerConfigDhcp, ikeTunInConfigs, ikeTunOutConfigs, ikeTunInConfigsRejects, ikeTunOutConfigsRejects, ikeTunHistInConfigs, ikeTunHistOutConfigs, ikeTunHistInConfigsRejects, ikeTunHistOutConfigsRejects } STATUS current DESCRIPTION "This group consists of: 1) Global metrics about IKE Mode Configuration activity 2) Phase-1 IKE Tunnel-wise Mode Configuration metrics 3) Historical IKE Mode Configuration metrics on a per expired tunnel basis." 
    ::= { ipSecMIBGroups 10 }

ipSecNewGrpGroup OBJECT-GROUP
    OBJECTS {
        -- The IPsec New Group negotiation group
        ikeTunInNewGrpReqs,
        ikeTunOutNewGrpReqs,
        ikeTunInNewGrpReqsRejected,
        ikeTunOutNewGrpReqsRejected,
        ikeTunHistInNewGrpReqs,
        ikeTunHistOutNewGrpReqs,
        ikeTunHistInNewGrpReqsRejected,
        ikeTunHistOutNewGrpReqsRejected,
        ipSecGlobalInNewGrpReqs,
        ipSecGlobalOutNewGrpReqs,
        ipSecGlobalInNewGrpReqsRejected,
        ipSecGlobalOutNewGrpReqsRejected
    }
    STATUS current
    DESCRIPTION
        "This group consists of:
         1) Global metrics about new group negotiations
         2) Phase-1 IKE Tunnel-wise new group metrics
         3) Historical new group metrics on a per tunnel basis.
         The notifications pertaining to new group failures
         (ipSecInNewGrpRejected, ipSecOutNewGrpRejected) are
         defined in ipSecNotificationGroup."
    ::= { ipSecMIBGroups 11 }

deprecatedObjectGroup OBJECT-GROUP
    OBJECTS {
        -- The deprecated table 'ipSecSpiTable'
        ipSecSpiDirection,
        ipSecSpiValue,
        ipSecSpiProtocol,
        ipSecSpiStatus,
        ipSecTunIkeTunnelIndex,
        ipSecTunIkeTunnelAlive,
        ipSecTunKeyType,
        ipSecTunHistIkeTunnelIndex,
        ipSecTunHistKeyType
    }
    STATUS deprecated
    DESCRIPTION
        "A collection of objects that have been deprecated."
    ::= { ipSecMIBGroups 12 }

END

6. Intellectual Property

The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11.
Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director.

7. Acknowledgements

The editors would like to thank: Ajay Dankar, Jamal Mohamed, Mayank Jain, Roy Pereira, David McGrew and Lauren Heintz.

8. Security Considerations

This document describes how a management station can monitor the structure and activity of IPsec-based VPNs. The data this MIB exposes is sensitive in its own right: peer addresses and identities, negotiated Diffie-Hellman groups, algorithms and key sizes, SA lifetimes and SPIs, and per-tunnel authentication-failure, decryption-failure and replay-drop counts all help an attacker map a VPN and pick out its weakest tunnel. Applications that retrieve this data SHOULD take reasonable steps to protect it from disclosure.

This document also contains a MIB definition module. The information contained in this MIB describes a VPN service whose variables may be read and, in some cases, set; the ipSecTrapCntlGroup objects, for example, control whether notifications are sent at all, so a writer with access to them can silence the failure reporting an operator relies on. It is important that access to the MIB be limited to the appropriate users, and that information exchanges between users, management stations, agents and any other devices take place over a secure mechanism. SNMPv1 and community-based SNMPv2 [RFC1901] provide neither authentication nor confidentiality; SNMPv3 with the User-based Security Model [RFC2274] provides both and SHOULD be used with authentication and privacy enabled, or SNMP traffic SHOULD otherwise be carried over an encrypted session.

9. References

[RFC2407] Piper, D., "The Internet IP Security Domain of Interpretation for ISAKMP", RFC 2407, November 1998.

[RFC2401] Kent, S., and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998.

[RFC2409] Harkins, D., and D. Carrel, "The Internet Key Exchange (IKE)", RFC 2409, November 1998.

[RFC2408] Maughan, D., Schertler, M., Schneider, M., and J. Turner, "Internet Security Association and Key Management Protocol (ISAKMP)", RFC 2408, November 1998.
[IGMIB] McCloghrie, K., and F. Kastenholz, "The Interfaces Group MIB using SMIv2", RFC 2233, November 1997.

[RFC1902] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Structure of Management Information for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1902, January 1996.

[RFC2271] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for Describing SNMP Management Frameworks", RFC 2271, January 1998.

[RFC1155] Rose, M., and K. McCloghrie, "Structure and Identification of Management Information for TCP/IP-based Internets", STD 16, RFC 1155, May 1990.

[RFC1212] Rose, M., and K. McCloghrie, "Concise MIB Definitions", STD 16, RFC 1212, March 1991.

[RFC1215] Rose, M., "A Convention for Defining Traps for use with the SNMP", RFC 1215, March 1991.

[RFC1903] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Textual Conventions for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1903, January 1996.

[RFC1904] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Conformance Statements for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1904, January 1996.

[RFC1157] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple Network Management Protocol", RFC 1157, May 1990.

[RFC1901] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Introduction to Community-based SNMPv2", RFC 1901, January 1996.

[RFC1906] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Transport Mappings for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1906, January 1996.

[RFC2272] Case, J., Harrington, D., Presuhn, R., and B. Wijnen, "Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)", RFC 2272, January 1998.

[RFC2274] Blumenthal, U., and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", RFC 2274, January 1998.

[RFC1905] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1905, January 1996.

10. Editors' Addresses

Cheryl Madson
Cisco Systems
170 W Tasman Drive
San Jose, CA 95134
USA
Phone: +1 (408) 527 2817
EMail: cmadson@cisco.com

Leo Temoshenko
Cisco Systems
170 W Tasman Drive
San Jose, CA 95134
USA
Phone: +1 (919) 392 8381
EMail: leot@cisco.com

Chinna Narasimha Reddy Pellacuru
Cisco Systems
170 W Tasman Drive
San Jose, CA 95134
USA
Phone: +1 (408) 527 3109
EMail: pcn@cisco.com

Bret Harrison
Tivoli Systems Inc.
3901 S. Miami Blvd
Durham, NC 27703
USA
Phone: +1 (919) 224-1000
EMail: bret_harrison@tivoli.com

S Ramakrishnan
Cisco Systems
170 W Tasman Drive
San Jose, CA 95134
USA
Phone: +1 (408) 527 7309
EMail: rks@cisco.com

11. Expiration

This draft expires Aug 16, 2003.

12. Full Copyright Statement

Copyright (C) The Internet Society (2001). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
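Added worked example (editor's illustration, not part of this draft and not code from any of the editors' organizations). It shows how a management station that has polled the ipSecHistoryGroup and ipSecFailuresGroup objects listed above can turn them into the failure detection the Security Considerations section assumes operators rely on: it reconstructs 64-bit octet counts from the 32-bit counter and its Wraps object, flags expired Phase-2 tunnels whose ipSecTunHistInAuthFails, ipSecTunHistInReplayDropPkts or ipSecTunHistInDecryptFails counters look like tampering or replay, and reports bursts of Phase-2 failure-table rows per packet source address. Rows are plain dictionaries keyed by the MIB object names; the counter values, addresses, thresholds and the treatment of ipSecFailTime as an opaque monotonic agent timestamp are all constructed assumptions, and the reason codes (ipSecFailReason, ipSecTunHistTermReason) are deliberately not interpreted because their enumerations are not given in this section.

```python
"""Failure detection over IPsec Flow Monitoring MIB rows (added example).

Not code from the draft. Rows are dicts keyed by the object names in
ipSecHistoryGroup and ipSecFailuresGroup; values, peer addresses and
thresholds are constructed for illustration.
"""
from collections import defaultdict

# Thresholds are assumptions chosen for the example, not values from the draft.
AUTH_FAIL_RATIO = 0.01      # ICV failures per authenticated inbound packet
MIN_AUTH_SAMPLE = 1000      # ignore tunnels with too few packets to judge
REPLAY_DROP_LIMIT = 50      # replay-window drops tolerated per expired tunnel
FAIL_BURST_LIMIT = 5        # failure rows from one source inside FAIL_WINDOW
FAIL_WINDOW = 60 * 100      # in ipSecFailTime units (assumed hundredths of a second)


def total_in_octets(row):
    """Inbound octets for a history row.

    Prefer the 64-bit ipSecTunHistHcInOctets when the agent reports it;
    otherwise combine ipSecTunHistInOctets with ipSecTunHistInOctWraps,
    assuming the usual MIB convention that Wraps counts 32-bit rollovers.
    """
    hc = row.get("ipSecTunHistHcInOctets")
    if hc is not None:
        return hc
    return row.get("ipSecTunHistInOctWraps", 0) * 2**32 + row["ipSecTunHistInOctets"]


def history_alerts(rows):
    """Flag expired Phase-2 tunnels whose counters suggest forged or replayed traffic."""
    alerts = []
    for row in rows:
        idx, peer = row["ipSecTunHistIndex"], row["ipSecTunHistRemoteAddr"]
        auths = row.get("ipSecTunHistInAuths", 0)
        fails = row.get("ipSecTunHistInAuthFails", 0)
        if auths >= MIN_AUTH_SAMPLE and fails / auths > AUTH_FAIL_RATIO:
            alerts.append((idx, peer, "auth-fail-ratio", fails / auths))
        replay = row.get("ipSecTunHistInReplayDropPkts", 0)
        if replay > REPLAY_DROP_LIMIT:
            alerts.append((idx, peer, "replay-drops", replay))
        decrypt_fails = row.get("ipSecTunHistInDecryptFails", 0)
        if decrypt_fails > 0:
            alerts.append((idx, peer, "decrypt-fails", decrypt_fails))
    return alerts


def failure_bursts(rows):
    """Map each ipSecFailPktSrcAddr to the largest number of failure-table
    rows it produced inside any FAIL_WINDOW, keeping only sources that
    reach FAIL_BURST_LIMIT (sliding window over sorted ipSecFailTime)."""
    by_src = defaultdict(list)
    for row in rows:
        by_src[row["ipSecFailPktSrcAddr"]].append(row["ipSecFailTime"])
    bursts = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > FAIL_WINDOW:
                start += 1
            count = end - start + 1
            if count >= FAIL_BURST_LIMIT:
                bursts[src] = max(bursts.get(src, 0), count)
    return bursts


# Constructed sample rows; addresses are documentation ranges, not real peers.
SAMPLE_HISTORY = [
    {"ipSecTunHistIndex": 1, "ipSecTunHistRemoteAddr": "198.51.100.7",
     "ipSecTunHistInOctets": 123456, "ipSecTunHistInOctWraps": 2,
     "ipSecTunHistInAuths": 50000, "ipSecTunHistInAuthFails": 3,
     "ipSecTunHistInDecryptFails": 0, "ipSecTunHistInReplayDropPkts": 1},
    {"ipSecTunHistIndex": 2, "ipSecTunHistRemoteAddr": "203.0.113.20",
     "ipSecTunHistHcInOctets": 9_000_000_000,
     "ipSecTunHistInAuths": 20000, "ipSecTunHistInAuthFails": 800,
     "ipSecTunHistInDecryptFails": 0, "ipSecTunHistInReplayDropPkts": 120},
    {"ipSecTunHistIndex": 3, "ipSecTunHistRemoteAddr": "203.0.113.21",
     "ipSecTunHistInOctets": 10, "ipSecTunHistInOctWraps": 0,
     "ipSecTunHistInAuths": 12, "ipSecTunHistInAuthFails": 6,  # too few to judge
     "ipSecTunHistInDecryptFails": 0, "ipSecTunHistInReplayDropPkts": 0},
]

SAMPLE_FAILURES = [
    {"ipSecFailIndex": i, "ipSecFailTime": t, "ipSecFailSaSpi": 0x1A2B3C4D,
     "ipSecFailPktSrcAddr": src, "ipSecFailPktDstAddr": "192.0.2.1"}
    for i, (t, src) in enumerate([
        (100, "203.0.113.20"), (150, "203.0.113.20"), (200, "203.0.113.20"),
        (250, "203.0.113.20"), (300, "203.0.113.20"),   # five rows in 200 units
        (100, "198.51.100.7"), (9000, "198.51.100.7"),  # two isolated failures
    ], start=1)
]

if __name__ == "__main__":
    for row in SAMPLE_HISTORY:
        print(row["ipSecTunHistIndex"], "in-octets", total_in_octets(row))
    for alert in history_alerts(SAMPLE_HISTORY):
        print("ALERT", *alert)
    for src, n in failure_bursts(SAMPLE_FAILURES).items():
        print("BURST", src, n, "failures within", FAIL_WINDOW)
```

Tunnel 3 is deliberately left unflagged: six bad ICVs out of twelve packets is a high ratio but too small a sample to distinguish an attacker from a key mismatch at SA setup, which is why the check requires MIN_AUTH_SAMPLE first. The burst detector keys on ipSecFailPktSrcAddr rather than the tunnel index because a source that fails against several tunnels is exactly the pattern the per-tunnel counters hide.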