smilint output for ./IPSEC-SA-MON-MIB


Message Severities

Severity       Count
error          6
minor error    8
warning        5

Message Types

Type                                    Count
date-value (error)                      4
date-year-2digits (warning)             4
invalid-format (error)                  2
node-implicit (warning)                 1
revision-after-update (minor error)     3
revision-missing (minor error)          1
revision-not-descending (minor error)   4

Messages:

IPSEC-SA-MON-MIB

   1: -- extracted from draft-ietf-ipsec-monitor-mib-06.txt
   2: -- at Tue Apr 22 06:12:44 2003
   3: 
   4:     IPSEC-SA-MON-MIB DEFINITIONS ::= BEGIN
   5: 
   6:         IMPORTS
   7:             MODULE-IDENTITY, OBJECT-TYPE, Counter32, Gauge32,
   8:             Integer32, Unsigned32, NOTIFICATION-TYPE,
   9:             OBJECT-IDENTITY, Counter64
  10:     -- remove this and next line before release
  11:             , experimental
  12:                                        FROM SNMPv2-SMI
  13:             TEXTUAL-CONVENTION, TruthValue
  14:                                        FROM SNMPv2-TC
  15:             OBJECT-GROUP, NOTIFICATION-GROUP, MODULE-COMPLIANCE
  16:                                        FROM SNMPv2-CONF
  17:             ifIndex                    FROM IF-MIB
  18:     -- uncomment next line before release (and remove this one)
  19:     -- mib-2                           FROM RFC1213-MIB
  20:             InetAddressType, InetAddress
  21:                                        FROM INET-ADDRESS-MIB
  22:             IpsecDoiIdentType,
  23:             IpsecDoiEncapsulationMode,
  24:             IpsecDoiEspTransform,
  25:             IpsecDoiAhTransform,
  26:             IpsecDoiAuthAlgorithm,
  27:             IpsecDoiIpcompTransform,
  28:             IpsecDoiSecProtocolId
  29:                                        FROM IPSEC-ISAKMP-IKE-DOI-TC;
  30: 
  31:     ipsecSaMonModule MODULE-IDENTITY
  32:         LAST-UPDATED "0110031200Z"
  32: warning - warning: date specification `0110031200Z' contains a two-digit year representing `1901'
  32: error - date specification `0110031200Z' contains an illegal value
  33:         ORGANIZATION "IETF IPsec Working Group"
  34:         CONTACT-INFO
  35:                     "   Tim Jenkins
  36:                         Catena Networks
  37:                         307 Legget Drive
  38:                         Kanata, ON
  39:                         Canada
  40:                         K2K 3C8
  41: 
  42:                         +1 (613) 599-6430
  43:                         tjenkins@catena.com
  44: 
  45: 
  46:                         John Shriver
  47:                         Intel Corporation
  48:                         28 Crosby Drive Bedford, MA
  49:                         01730
  50: 
  51:                         +1 (781) 687-1329
  52:                         John.Shriver@intel.com
  53:                     "
  54: 
  55:         DESCRIPTION
  56:             "The MIB module to describe generic IPsec objects, and
  57:             entity level objects and events for those types."
  58:         REVISION    "9906031200Z"
  58: minor error - revision date after last update
  59:         DESCRIPTION
  60:             "Initial revision."
  61:         REVISION    "9906251200Z"
  61: minor error - revision not in reverse chronological order
  61: minor error - revision date after last update
  62:         DESCRIPTION
  63:             "Add module compliance requirements.
  64:              Added common textual conventions.
  65:              Other minor edits and clarifications."
  66:         REVISION    "9910211200Z"
  66: minor error - revision not in reverse chronological order
  66: minor error - revision date after last update
  67:         DESCRIPTION
  68:             "Group and compliance statements added.
  69:              OID value under experimental tree added.
  70:              Authentication algorithm key length values added."
  71:         REVISION    "0007101200Z"
  71: warning - warning: date specification `0007101200Z' contains a two-digit year representing `1900'
  71: error - date specification `0007101200Z' contains an illegal value
  72:         DESCRIPTION
  73:             "Added optional replay counter tables.
  74:              Added more statistics to IPcomp SAs.
  75:              Make packet and traffic counts definitions more explicit.
  76:              Use Internet address formats from INET-ADDRESS-MIB.
  77:              Added and used selector table."
  78:         REVISION    "0102071200Z"
  78: warning - warning: date specification `0102071200Z' contains a two-digit year representing `1901'
  78: error - date specification `0102071200Z' contains an illegal value
  78: minor error - revision not in reverse chronological order
  79:         DESCRIPTION
  80:             "Change MAX-ACCESS clause of all index object to
  81:              not-accessible. This lead to other changes due to
  82:             restrictions on the use of objects with MAX-ACCESS clauses
  83:             of not-accessible."
  84:         REVISION    "0110031200Z"
  84: warning - warning: date specification `0110031200Z' contains a two-digit year representing `1901'
  84: error - date specification `0110031200Z' contains an illegal value
  84: minor error - revision not in reverse chronological order
  85:         DESCRIPTION
  86:             "A number of typo errors corrected. Also:
  87:             -- selectorGroup made mandatory
  88:             -- add (SIZE (4|16|20)) to ipsecLocalAddress and
  89:                ipsecPeerAddress
  90:             -- change kilobytes to Kilobytes and make it 1024 bytes
  91:             -- used plurals in names in replay tables"
  92: 
  93: 
  94:     -- replace xxx in next line before release and uncomment it
  95:         --  ::= { mib-2 xxx }
  96:     -- delete this and next line before release
  97:             ::= { experimental 98 }
  97: minor error - revision for last update is missing
  98: 
  99:     IpsecSaCreatorIdent::= TEXTUAL-CONVENTION
  99: error - invalid format specification `d'
 100:         DISPLAY-HINT    "d"
 101:         STATUS      current
 102:         DESCRIPTION
 103:             "A value indicating how an SA was created."
 104:         SYNTAX      INTEGER {
 105:                         unknown(0),
 106:                         static(1),     -- statically created
 107:                         ike(2),        -- IKE
 108:                         other(3)
 109:                     }
 110: 
 111:     IpsecRawId  ::= TEXTUAL-CONVENTION
 111: error - invalid format specification `x'
 112:         DISPLAY-HINT    "x"
 113:         STATUS      current
 114:         DESCRIPTION
 115:             "This data type is used to model the ID values used by
 116:             entities that have negotiated and created SAs.
 117: 
 118:             The values are taken directly from any payloads exchanged,
 119:             independent of the type of ID transmitted.
 120: 
 121:             In some cases, the payload may be truncated. Note also that
 122:             some IDs have human readable forms that are not used by this
 123:             textual convention."
 124:         SYNTAX      OCTET STRING (SIZE (0..255))
 125: 
 126: 
 127:     -- the main MIB branch
 128: 
 129:     ipsecSaMonitorMIB OBJECT-IDENTITY
 130:         STATUS      current
 131:         DESCRIPTION
 132:             "This is the base object identifier for all IPsec branches."
 133:         ::= { ipsecSaMonModule 1 }
 134: 
 135:     -- significant branches
 136: 
 137:     saTables OBJECT-IDENTITY
 138:         STATUS      current
 139:         DESCRIPTION
 140:             "This is the base object identifier for all SA tables."
 141:         ::= { ipsecSaMonitorMIB 1 }
 142: 
 143:     saStatistics OBJECT-IDENTITY
 144:         STATUS      current
 145:         DESCRIPTION
 146:             "This is the base object identifier for all objects which
 147:             are global counters for IPsec security associations."
 148:         ::= { ipsecSaMonitorMIB 2 }
 149: 
 150:     saErrors OBJECT-IDENTITY
 151:         STATUS      current
 152:         DESCRIPTION
 153:             "This is the base object identifier for all objects which
 154:             are global error counters for IPsec security associations."
 155:         ::= { ipsecSaMonitorMIB 3 }
 156: 
 157:     saTraps OBJECT-IDENTITY
 158:         STATUS      current
 159:         DESCRIPTION
 160:             "This is the base object identifier for all objects which
 161:             are traps for IPsec security associations."
 162:         ::= { ipsecSaMonitorMIB 4 }
 163: 
 164:     saTrapObjects OBJECT-IDENTITY
 165:         STATUS      current
 166:         DESCRIPTION
 167:             "This is the base object identifier for objects which are
 168:             used as part of traps."
 169:         ::= { ipsecSaMonitorMIB 5 }
 170: 
 171:     saTrapControl OBJECT-IDENTITY
 172:         STATUS      current
 173:         DESCRIPTION
 174:             "This is the base object identifier for all objects which
 175:             are trap controls for IPsec security associations."
 176:         ::= { ipsecSaMonitorMIB 6 }
 177: 
 178:     saGroups       OBJECT-IDENTITY
 179:         STATUS      current
 180:         DESCRIPTION
 181:             "This is the base object identifier for all objects which
 182:             describe the groups in this MIB."
 183:         ::= { ipsecSaMonitorMIB 7 }
 184: 
 185:     saConformance  OBJECT-IDENTITY
 186:         STATUS      current
 187: 
 188: 
 189: 
 190:         DESCRIPTION
 191:             "This is the base object identifier for all objects which
 192:             describe the conformance for this MIB."
 193:         ::= { ipsecSaMonitorMIB 8 }
 194: 
 195: 
 196:     --
 197:     -- the Selector MIB-Group
 198:     --
 199:     -- a collection of objects providing information about
 200:     -- the phase 2 selectors in the entity
 201:     --
 202: 
 203:     selectorTable OBJECT-TYPE
 204:         SYNTAX      SEQUENCE OF SelectorEntry
 205:         MAX-ACCESS  not-accessible
 206:         STATUS      current
 207:         DESCRIPTION
 208:             "The (conceptual) table containing the phase 2 selectors.
 209: 
 210:             The number of rows in this table is the same as the number
 211:             of selectors in the entity. The enity may create rows for
 212:             any purpose; no corresponding phase 2 SA or SA suite is
 213:             required.
 214: 
 215:             The maximum number of rows is implementation dependent."
 216:         ::= { saTables  1 }
 217: 
 218:     selectorEntry OBJECT-TYPE
 219:         SYNTAX      SelectorEntry
 220:         MAX-ACCESS  not-accessible
 221:         STATUS      current
 222:         DESCRIPTION
 223:             "An entry (conceptual row) containing the information on a
 224:             particular phase 2 selector.
 225: 
 226:             A row in this table cannot be created or deleted by SNMP
 227:             operations on columns of the table."
 228:         INDEX   { selectorIndex }
 229:         ::= { selectorTable 1 }
 230: 
 231:     SelectorEntry   ::= SEQUENCE {
 232:         -- index
 233:         selectorIndex            Unsigned32,
 234: 
 235:         -- the values
 236:         selectorLocalId          IpsecRawId,
 237:         selectorLocalIdType      IpsecDoiIdentType,
 238:         selectorRemoteId         IpsecRawId,
 239:         selectorRemoteIdType     IpsecDoiIdentType,
 240:         selectorProtocol         Integer32,
 241:         selectorLocalPort        Integer32,
 242:         selectorRemotePort       Integer32
 243:     }
 244: 
 245:     selectorIndex OBJECT-TYPE
 246:         SYNTAX      Unsigned32 (1..16777215)
 247:         MAX-ACCESS  not-accessible
 248:         STATUS      current
 249:         DESCRIPTION
 250:             "A unique value, greater than zero, for each selector. It is
 251:             recommended that values are assigned contiguously starting
 252:             from 1."
 253:         ::= { selectorEntry 1 }
 254: 
 255:     selectorLocalId  OBJECT-TYPE
 256:         SYNTAX      IpsecRawId
 257:         MAX-ACCESS  read-only
 258:         STATUS      current
 259:         DESCRIPTION
 260:             "The local identifier of the selector.
 261: 
 262:             This corresponds to the source identifier of outbound SAs
 263:             that use this selector, and to the destination identifier of
 264:             inbound SAs that use this selector.
 265: 
 266:             This value is taken directly from the optional ID payloads
 267:             that are exchanged during phase 2 negotiations.
 268: 
 269:             If those negotiations are for transport mode SAs, then this
 270:             value should be the IP address of the local entity."
 271:         REFERENCE   "RFC 2401 section 4.4.2"
 272:         ::= { selectorEntry 2 }
 273: 
 274:     selectorLocalIdType  OBJECT-TYPE
 275:         SYNTAX      IpsecDoiIdentType
 276:         MAX-ACCESS  read-only
 277:         STATUS      current
 278:         DESCRIPTION
 279:             "The type of ID used for 'selectorLocalId'.
 280: 
 281:             This value is taken directly from the optional ID payloads
 282:             that are exchanged during phase 2 negotiations.
 283: 
 284: 
 285: 
 286:             If those negotiations are for transport mode SAs, then this
 287:             value should indicate that an IP address is used by the
 288:             local entity."
 289:         REFERENCE   "RFC 2401 section 4.4.2"
 290:         ::= { selectorEntry 3 }
 291: 
 292:     selectorRemoteId OBJECT-TYPE
 293:         SYNTAX      IpsecRawId
 294:         MAX-ACCESS  read-only
 295:         STATUS      current
 296:         DESCRIPTION
 297:             "The remote identifier of the selector.
 298: 
 299:             This corresponds to the destination identifier of outbound
 300:             SAs that use this selector, and to the source identifier of
 301:             inbound SAs that use this selector.
 302: 
 303:             This value is taken directly from the optional ID payloads
 304:             that are exchanged during phase 2 negotiations of SAs.
 305: 
 306:             If those negotiations are for transport mode SAs, then this
 307:             value should be the IP address of the remote peer."
 308:         REFERENCE   "RFC 2401 section 4.4.2"
 309:         ::= { selectorEntry 4 }
 310: 
 311:     selectorRemoteIdType OBJECT-TYPE
 312:         SYNTAX      IpsecDoiIdentType
 313:         MAX-ACCESS  read-only
 314:         STATUS      current
 315:         DESCRIPTION
 316:             "The type of ID used for 'selectorRemoteId'.
 317: 
 318:             This value is taken directly from the optional ID payloads
 319:             that are exchanged during phase 2 negotiations of SAs.
 320: 
 321:             If those negotiations are for transport mode SAs, then this
 322:             value should indicate that an IP address is used by the
 323:             remote peer."
 324:         REFERENCE   "RFC 2401 section 4.4.2"
 325:         ::= { selectorEntry 5 }
 326: 
 327:     selectorProtocol OBJECT-TYPE
 328:         SYNTAX      Integer32 (0..255)
 329:         MAX-ACCESS  read-only
 330:         STATUS      current
 331:         DESCRIPTION
 332:             "The transport-layer protocol number that to which this
 333:             selector allows, or 0 if it selects any protocol.
 334: 
 335:             This value is taken directly from the optional ID payloads
 336:             that are exchanged during phase 2 negotiations of SAs."
 337:         REFERENCE   "RFC 2401 section 4.4.2"
 338:         ::= { selectorEntry 6 }
 339: 
 340:     selectorLocalPort OBJECT-TYPE
 341:         SYNTAX      Integer32 (0..65535)
 342:         MAX-ACCESS  read-only
 343:         STATUS      current
 344:         DESCRIPTION
 345:             "The local port number of the protocol that this selector
 346:             uses, or 0 if it carries any port number.
 347: 
 348:             This corresponds to the source port number of outbound SAs
 349:             that use this selector, and to the destination port number
 350:             of inbound SAs that use this selector.
 351: 
 352:             This value is taken directly from the optional ID payloads
 353:             that are exchanged during phase 2 negotiations of SAs."
 354:         REFERENCE   "RFC 2401 section 4.4.2"
 355:         ::= { selectorEntry 7 }
 356: 
 357:     selectorRemotePort OBJECT-TYPE
 358:         SYNTAX      Integer32 (0..65535)
 359:         MAX-ACCESS  read-only
 360:         STATUS      current
 361:         DESCRIPTION
 362:             "The remote port number of the protocol that this selector
 363:             uses, or 0 if it allows any port number.
 364: 
 365:             This corresponds to the destination port number of outbound
 366:             SAs that use this selector, and to the source port number of
 367:             inbound SAs that use this selector.
 368: 
 369:             This value is taken directly from the optional ID payloads
 370:             that are exchanged during phase 2 negotiations of SA
 371:             suites."
 372:         REFERENCE   "RFC 2401 section 4.4.2"
 373:         ::= { selectorEntry 8 }
 374: 
 375: 
 376:     -- the IPsec Inbound ESP MIB-Group
 377:     --
 378:     -- a collection of objects providing information about
 379:     -- IPsec Inbound ESP SAs
 380: 
 381: 
 382:     ipsecSaEspInTable OBJECT-TYPE
 383:         SYNTAX      SEQUENCE OF IpsecSaEspInEntry
 384:         MAX-ACCESS  not-accessible
 385:         STATUS      current
 386:         DESCRIPTION
 387:             "The (conceptual) table containing information on IPsec
 388:             inbound ESP SAs.
 389: 
 390:             There should be one row for every inbound ESP security
 391:             association that exists in the entity. The maximum number of
 392:             rows is implementation dependent."
 393:         ::= { saTables 2 }
 394: 
 395:     ipsecSaEspInEntry OBJECT-TYPE
 396:         SYNTAX      IpsecSaEspInEntry
 397:         MAX-ACCESS  not-accessible
 398:         STATUS      current
 399:         DESCRIPTION
 400:             "An entry (conceptual row) containing the information on a
 401:             particular IPsec inbound ESP SA.
 402: 
 403:             A row in this table cannot be created or deleted by SNMP
 404:             operations on columns of the table."
 405:         INDEX   {
 406:                 ipsecSaEspInAddressType,
 407:                 ipsecSaEspInAddress,
 408:                 ipsecSaEspInSpi
 409:                 }
 410:         ::= { ipsecSaEspInTable 1 }
 411: 
 412:     IpsecSaEspInEntry::= SEQUENCE {
 413: 
 414:     -- identification
 415:     ipsecSaEspInAddressType         InetAddressType,
 416:     ipsecSaEspInAddress             InetAddress,
 417:     ipsecSaEspInSpi                 Unsigned32,
 418: 
 419:     -- selector
 420:     ipsecSaEspInSelector            Unsigned32,
 421: 
 422:     -- how created
 423:     ipsecSaEspInCreator             IpsecSaCreatorIdent,
 424: 
 425:     -- security services description
 426:     ipsecSaEspInEncapsulation       IpsecDoiEncapsulationMode,
 427:     ipsecSaEspInEncAlg              IpsecDoiEspTransform,
 428:     ipsecSaEspInEncKeyLength        Unsigned32,
 429:     ipsecSaEspInAuthAlg             IpsecDoiAuthAlgorithm,
 430:     ipsecSaEspInAuthKeyLength       Unsigned32,
 431:     ipsecSaEspInRepWinSize          Unsigned32,
 432: 
 433:     -- expiration limits
 434:     ipsecSaEspInLimitSeconds        Unsigned32, -- sec., 0 if none
 435:     ipsecSaEspInLimitKbytes         Unsigned32, -- 0 if none
 436: 
 437:     -- current operating statistics
 438:     ipsecSaEspInAccSeconds          Counter32,
 439:     ipsecSaEspInAccKbytes           Counter32,
 440:     ipsecSaEspInUserOctets          Counter64,
 441:     ipsecSaEspInPackets             Counter64,
 442: 
 443:     -- error statistics
 444:     ipsecSaEspInDecryptErrors       Counter32,
 445:     ipsecSaEspInAuthErrors          Counter32,
 446:     ipsecSaEspInReplayErrors        Counter32,
 447:     ipsecSaEspInPolicyErrors        Counter32,
 448:     ipsecSaEspInPadErrors           Counter32,
 449:     ipsecSaEspInOtherReceiveErrors  Counter32
 450: 
 451:     }
 452: 
 453:     ipsecSaEspInAddressType OBJECT-TYPE
 454:         SYNTAX      InetAddressType
 455:         MAX-ACCESS  not-accessible
 456:         STATUS  current
 457:         DESCRIPTION
 458:             "The type of address used for the destination address of the
 459:             SA."
 460:         ::= { ipsecSaEspInEntry 1 }
 461: 
 462:     ipsecSaEspInAddress OBJECT-TYPE
 463:         SYNTAX      InetAddress (SIZE(4|16|20))
 464:         MAX-ACCESS  not-accessible
 465:         STATUS  current
 466:         DESCRIPTION
 467:             "The destination address of the SA."
 468:         ::= { ipsecSaEspInEntry 2 }
 469: 
 470:     ipsecSaEspInSpi OBJECT-TYPE
 471:         SYNTAX      Unsigned32
 472:         MAX-ACCESS  not-accessible
 473:         STATUS      current
 474:         DESCRIPTION
 475:             "The security parameters index of the SA."
 476:         REFERENCE   "RFC 2406 Section 2.1"
 477:         ::= { ipsecSaEspInEntry 3 }
 478: 
 479: 
 480:     ipsecSaEspInSelector OBJECT-TYPE
 481:         SYNTAX      Unsigned32
 482:         MAX-ACCESS  read-only
 483:         STATUS      current
 484:         DESCRIPTION
 485:             "The index of the selector table row for this SA. In other
 486:             words, the value of 'selectorIndex' for the appropriate row
 487:             ('SelectorEntry') from the 'selectorTable'"
 488:         ::= { ipsecSaEspInEntry 4 }
 489: 
 490:     ipsecSaEspInCreator OBJECT-TYPE
 491:         SYNTAX      IpsecSaCreatorIdent
 492:         MAX-ACCESS  read-only
 493:         STATUS      current
 494:         DESCRIPTION
 495:             "The creator of this SA.
 496: 
 497:             This MIB makes no assumptions about how the SAs are created.
 498:             They may be created statically, or by a key exchange
 499:             protocol such as IKE, or by some other method."
 500:         ::= { ipsecSaEspInEntry 5 }
 501: 
 502:     ipsecSaEspInEncapsulation OBJECT-TYPE
 503:         SYNTAX      IpsecDoiEncapsulationMode
 504:         MAX-ACCESS  read-only
 505:         STATUS      current
 506:         DESCRIPTION
 507:             "The type of encapsulation used by this SA."
 508:         ::= { ipsecSaEspInEntry 6 }
 509: 
 510:     ipsecSaEspInEncAlg OBJECT-TYPE
 511:         SYNTAX      IpsecDoiEspTransform
 512:         MAX-ACCESS  read-only
 513:         STATUS      current
 514:         DESCRIPTION
 515:             "A unique value representing the encryption algorithm
 516:             applied to traffic."
 517:         ::= { ipsecSaEspInEntry 7 }
 518: 
 519:     ipsecSaEspInEncKeyLength OBJECT-TYPE
 520:         SYNTAX      Unsigned32 (0..65531)
 521:         UNITS       "bits"
 522:         MAX-ACCESS  read-only
 523:         STATUS      current
 524: 
 525: 
 526:         DESCRIPTION
 527:             "The length of the encryption key in bits used for the
 528:             algorithm specified in the ipsecSaEspInEncAlg object. It may
 529:             be 0 if the key length is implicit in the specified
 530:             algorithm or there is no encryption specified."
 531:         ::= { ipsecSaEspInEntry 8 }
 532: 
 533:     ipsecSaEspInAuthAlg OBJECT-TYPE
 534:         SYNTAX      IpsecDoiAuthAlgorithm
 535:         MAX-ACCESS  read-only
 536:         STATUS      current
 537:         DESCRIPTION
 538:             "A unique value representing the hash algorithm applied to
 539:             traffic."
 540:         ::= { ipsecSaEspInEntry 9 }
 541: 
 542:     ipsecSaEspInAuthKeyLength  OBJECT-TYPE
 543:         SYNTAX      Unsigned32 (0..65531)
 544:         UNITS       "bits"
 545:         MAX-ACCESS  read-only
 546:         STATUS      current
 547:         DESCRIPTION
 548:             "The length of the authentication key in bits used for the
 549:             algorithm specified in the ipsecSaEspInAuthAlg. It may be 0
 550:             if the key length is implicit in the specified algorithm or
 551:             there is no authentication specified."
 552:         ::= { ipsecSaEspInEntry 10 }
 553: 
 554:     ipsecSaEspInRepWinSize  OBJECT-TYPE
 555:         SYNTAX      Unsigned32
 556:         MAX-ACCESS  read-only
 557:         STATUS      current
 558:         DESCRIPTION
 559:             "The size of the anti-replay window used by this SA, or 0 if
 560:             anti-replay checking is not being done."
 561:         REFERENCE   "Section 3.4.3 of RFC 2406"
 562:         ::= { ipsecSaEspInEntry 11 }
 563: 
 564:     ipsecSaEspInLimitSeconds OBJECT-TYPE
 565:         SYNTAX      Unsigned32
 566:         UNITS       "seconds"
 567:         MAX-ACCESS  read-only
 568:         STATUS      current
 569:         DESCRIPTION
 570:             "The maximum lifetime in seconds of the SA, or 0 if there is
 571:             no time constraint on its expiration, or 4294967295 if the
 572:             maximum lifetime is 4294967295 seconds or more but not
 573:             infinite."
 574:         ::= { ipsecSaEspInEntry 12 }
 575: 
 576:     ipsecSaEspInLimitKbytes OBJECT-TYPE
 577:         SYNTAX      Unsigned32
 578:         UNITS       "Kilobytes"
 579:         MAX-ACCESS  read-only
 580:         STATUS      current
 581:         DESCRIPTION
 582:             "The maximum lifetime in Kilobytes (1024 bytes) of the SA,
 583:             or 0 if there is no traffic constraint on its expiration, or
 584:             4294967295 if the maximum lifetime is 4294967295 Kilobytes
 585:             or more but not infinite."
 586:         ::= { ipsecSaEspInEntry 13 }
 587: 
 588:     ipsecSaEspInAccSeconds OBJECT-TYPE
 589:         SYNTAX      Counter32
 590:         UNITS       "seconds"
 591:         MAX-ACCESS  read-only
 592:         STATUS      current
 593:         DESCRIPTION
 594:             "The number of seconds accumulated against the SA's
 595:             expiration by time.
 596: 
 597:             This is also the number of seconds that the SA has existed."
 598:         ::= { ipsecSaEspInEntry 14 }
 599: 
 600:     ipsecSaEspInAccKbytes OBJECT-TYPE
 601:         SYNTAX      Counter32
 602:         UNITS       "Kilobytes"
 603:         MAX-ACCESS  read-only
 604:         STATUS      current
 605:         DESCRIPTION
 606:             "The amount of traffic handled by the SA that could
 607:             accumulate against a traffic expiration limit, measured in
 608:             Kilobytes (1024 bytes).
 609: 
 610:             If the SA expires based on traffic, this value counts
 611:             against the SA's expiration by traffic limitation. If the SA
 612:             does not expire based on traffic, this value may be 0 to
 613:             indicate that the counter is not being used."
 614:         ::= { ipsecSaEspInEntry 15 }
 615: 
 616: 
 617:     ipsecSaEspInUserOctets OBJECT-TYPE
 618:         SYNTAX      Counter64
 619:         UNITS       "bytes"
 620:         MAX-ACCESS  read-only
 621:         STATUS      current
 622:         DESCRIPTION
 623:             "The amount of user level traffic measured in bytes
 624:             successfully handled by the SA. This is the number of bytes
 625:             of the decrypted IP packet, including the original IP header
 626:             of that decrypted packet.
 627: 
 628:             This is not necessarily the same as the amount of traffic
 629:             applied against the traffic expiration limit due to padding
 630:             or other protocol specific overhead."
 631:         ::= { ipsecSaEspInEntry 16 }
 632: 
 633:     ipsecSaEspInPackets OBJECT-TYPE
 634:         SYNTAX      Counter64
 635:         UNITS       "packets"
 636:         MAX-ACCESS  read-only
 637:         STATUS      current
 638:         DESCRIPTION
 639:             "The number of packets received and succcessfully processed
 640:             by the SA. This does not include received packets that were
 641:             discarded during processing by the SA."
 642:         ::= { ipsecSaEspInEntry 17 }
 643: 
 644:     ipsecSaEspInDecryptErrors OBJECT-TYPE
 645:         SYNTAX      Counter32
 646:         UNITS       "packets"
 647:         MAX-ACCESS  read-only
 648:         STATUS      current
 649:         DESCRIPTION
 650:             "The number of packets discarded by the SA due to detectable
 651:             decryption errors. Not all decryption errors are detectable
 652:             within SA processing, so this count should not be considered
 653:             definitive."
 654:         ::= { ipsecSaEspInEntry 18 }
 655: 
 656:     ipsecSaEspInAuthErrors OBJECT-TYPE
 657:         SYNTAX      Counter32
 658:         UNITS       "packets"
 659:         MAX-ACCESS  read-only
 660:         STATUS      current
 661:         DESCRIPTION
 662:             "The number of packets discarded by the SA due to
 663:             authentication errors."
 664:         ::= { ipsecSaEspInEntry 19 }
 665: 
 666:     ipsecSaEspInReplayErrors OBJECT-TYPE
 667:         SYNTAX      Counter32
 668:         UNITS       "packets"
 669:         MAX-ACCESS  read-only
 670:         STATUS      current
 671:         DESCRIPTION
 672:             "The number of packets discarded by the SA due to replay
 673:             errors."
 674:         ::= { ipsecSaEspInEntry 20 }
 675: 
 676:     ipsecSaEspInPolicyErrors OBJECT-TYPE
 677:         SYNTAX      Counter32
 678:         UNITS       "packets"
 679:         MAX-ACCESS  read-only
 680:         STATUS      current
 681:         DESCRIPTION
 682:             "The number of packets discarded by the SA due to policy
 683:             errors. This includes packets where the next protocol is
 684:             invalid."
 685:         ::= { ipsecSaEspInEntry 21 }
 686: 
 687:     ipsecSaEspInPadErrors OBJECT-TYPE
 688:         SYNTAX      Counter32
 689:         UNITS       "packets"
 690:         MAX-ACCESS  read-only
 691:         STATUS      current
 692:         DESCRIPTION
 693:             "The number of packets discarded by the SA due to pad value
 694:             errors.
 695: 
 696:             Implementations that do not check this must not support this
 697:             object."
 698:         REFERENCE   "RFC 2406 section 2.4"
 699:         ::= { ipsecSaEspInEntry 22 }
 700: 
 701:     ipsecSaEspInOtherReceiveErrors OBJECT-TYPE
 702:         SYNTAX      Counter32
 703:         UNITS       "packets"
 704:         MAX-ACCESS  read-only
 705:         STATUS      current
 706:         DESCRIPTION
 707:             "The number of packets discarded by the SA due to errors
 708:             other than decryption, authentication, replay errors or,
 709:             when supported, invalid padding errors. This may include
 710: 
 711: 
 712: 
 713:             packets dropped due to a lack of receive buffers, and may
 714:             include packets dropped due to congestion at the decryption
 715:             element."
 716:         ::= { ipsecSaEspInEntry 23 }
 717: 
 718: 
 719:     -- the IPsec Inbound AH MIB-Group
 720:     --
 721:     -- a collection of objects providing information about
 722:     -- IPsec Inbound AH SAs
 723: 
 724:     ipsecSaAhInTable OBJECT-TYPE
 725:         SYNTAX      SEQUENCE OF IpsecSaAhInEntry
 726:         MAX-ACCESS  not-accessible
 727:         STATUS      current
 728:         DESCRIPTION
 729:             "The (conceptual) table containing information on IPsec
 730:             inbound AH SAs.
 731: 
 732:             There should be one row for every inbound AH security
 733:             association that exists in the entity. The maximum number of
 734:             rows is implementation dependent."
 735:         ::= { saTables 3 }
 736: 
 737:     ipsecSaAhInEntry OBJECT-TYPE
 738:         SYNTAX      IpsecSaAhInEntry
 739:         MAX-ACCESS  not-accessible
 740:         STATUS      current
 741:         DESCRIPTION
 742:             "An entry (conceptual row) containing the information on a
 743:             particular IPsec inbound AH SA.
 744: 
 745:             A row in this table cannot be created or deleted by SNMP
 746:             operations on columns of the table."
 747:         INDEX   {
 748:                 ipsecSaAhInAddressType,
 749:                 ipsecSaAhInAddress,
 750:                 ipsecSaAhInSpi
 751:                 }
 752:         ::= { ipsecSaAhInTable 1 }
 753: 
 754:     IpsecSaAhInEntry::= SEQUENCE {
 755: 
 756:     -- identification
 757:     ipsecSaAhInAddressType    InetAddressType,
 758:     ipsecSaAhInAddress        InetAddress,
 759:     ipsecSaAhInSpi            Unsigned32,
 760: 
 761:     -- SA selector
 762:     ipsecSaAhInSelector       Unsigned32,
 763: 
 764:     -- how created
 765:     ipsecSaAhInCreator        IpsecSaCreatorIdent,
 766: 
 767:     -- security services description
 768:     ipsecSaAhInEncapsulation  IpsecDoiEncapsulationMode,
 769:     ipsecSaAhInAuthAlg        IpsecDoiAhTransform,
 770:     ipsecSaAhInAuthKeyLength  Unsigned32,
 771:     ipsecSaAhInRepWinSize     Unsigned32,
 772: 
 773:     -- expiration limits
 774:     ipsecSaAhInLimitSeconds   Unsigned32, -- sec., 0 if none
 775:     ipsecSaAhInLimitKbytes    Unsigned32, -- 0 if none
 776: 
 777:    -- current operating statistics
 778:     ipsecSaAhInAccSeconds     Counter32,
 779:     ipsecSaAhInAccKbytes      Counter32,
 780:     ipsecSaAhInUserOctets     Counter64,
 781:     ipsecSaAhInPackets        Counter64,
 782: 
 783:     -- error statistics
 784:     ipsecSaAhInAuthErrors     Counter32,
 785:     ipsecSaAhInReplayErrors   Counter32,
 786:     ipsecSaAhInPolicyErrors   Counter32,
 787:     ipsecSaAhInOtherReceiveErrors   Counter32
 788:     }
 789: 
 790:     ipsecSaAhInAddressType OBJECT-TYPE
 791:         SYNTAX      InetAddressType
 792:         MAX-ACCESS  not-accessible
 793:         STATUS      current
 794:         DESCRIPTION
 795:             "The type of address that is the destination address of the
 796:             SA."
 797:         ::= { ipsecSaAhInEntry 1 }
 798: 
 799:     ipsecSaAhInAddress OBJECT-TYPE
 800:         SYNTAX      InetAddress (SIZE(4|16|20))
 801:         MAX-ACCESS  not-accessible
 802:         STATUS      current
 803:         DESCRIPTION
 804:             "The destination address of the SA."
 805:         ::= { ipsecSaAhInEntry 2 }
 806: 
 807:     ipsecSaAhInSpi OBJECT-TYPE
 808:         SYNTAX      Unsigned32
 809:         MAX-ACCESS  not-accessible
 810:         STATUS      current
 811:         DESCRIPTION
 812:             "The security parameters index of the SA."
 813:         REFERENCE   "RFC 2402 Section 2.4"
 814:         ::= { ipsecSaAhInEntry 3 }
 815: 
 816:     ipsecSaAhInSelector OBJECT-TYPE
 817:         SYNTAX      Unsigned32
 818:         MAX-ACCESS  read-only
 819:         STATUS      current
 820:         DESCRIPTION
 821:             "The index of the selector table row for this SA. In other
 822:             words, the value of 'selectorIndex' for the appropriate row
 823:             ('SelectorEntry') from the 'selectorTable'"
 824:         ::= { ipsecSaAhInEntry 4 }
 825: 
 826:     ipsecSaAhInCreator OBJECT-TYPE
 827:         SYNTAX      IpsecSaCreatorIdent
 828:         MAX-ACCESS  read-only
 829:         STATUS      current
 830:         DESCRIPTION
 831:             "The creator of this SA.
 832: 
 833:             This MIB makes no assumptions about how the SAs are created.
 834:             They may be created statically, or by a key exchange
 835:             protocol such as IKE, or by some other method."
 836:         ::= { ipsecSaAhInEntry 5 }
 837: 
 838:     ipsecSaAhInEncapsulation OBJECT-TYPE
 839:         SYNTAX      IpsecDoiEncapsulationMode
 840:         MAX-ACCESS  read-only
 841:         STATUS      current
 842:         DESCRIPTION
 843:             "The type of encapsulation used by this SA."
 844:         ::= { ipsecSaAhInEntry 6 }
 845: 
 846:     ipsecSaAhInAuthAlg OBJECT-TYPE
 847:         SYNTAX      IpsecDoiAhTransform
 848:         MAX-ACCESS  read-only
 849:         STATUS      current
 850:         DESCRIPTION
 851:             "A unique value representing the hash algorithm applied to
 852:             traffic carried by this SA."
 853:         ::= { ipsecSaAhInEntry 7 }
 854: 
 855:     ipsecSaAhInAuthKeyLength OBJECT-TYPE
 856:         SYNTAX      Unsigned32 (0..65531)
 857:         UNITS       "bits"
 858:         MAX-ACCESS  read-only
 859:         STATUS      current
 860:         DESCRIPTION
 861:             "The length of the authentication key in bits used for the
 862:             algorithm specified in the ipsecSaAhInAuthAlg object. It may
 863:             be 0 if the key length is implicit in the specified
 864:             algorithm."
 865:         ::= { ipsecSaAhInEntry 8 }
 866: 
 867:     ipsecSaAhInRepWinSize   OBJECT-TYPE
 868:         SYNTAX      Unsigned32
 869:         MAX-ACCESS  read-only
 870:         STATUS      current
 871:         DESCRIPTION
 872:             "The size of the anti-replay window used by this SA, or 0 if
 873:             anti-replay checking is not being done."
 874:         REFERENCE   "Section 3.4.3 of RFC 2402"
 875:         ::= { ipsecSaAhInEntry 9 }
 876: 
 877:     ipsecSaAhInLimitSeconds OBJECT-TYPE
 878:         SYNTAX      Unsigned32
 879:         UNITS       "seconds"
 880:         MAX-ACCESS  read-only
 881:         STATUS      current
 882:         DESCRIPTION
 883:             "The maximum lifetime in seconds of the SA, or 0 if there is
 884:             no time constraint on its expiration, or 4294967295 if the
 885:             maximum lifetime is 4294967295 seconds or more but not
 886:             infinite."
 887:         ::= { ipsecSaAhInEntry 10 }
 888: 
 889:     ipsecSaAhInLimitKbytes OBJECT-TYPE
 890:         SYNTAX      Unsigned32
 891:         UNITS       "Kilobytes"
 892:         MAX-ACCESS  read-only
 893:         STATUS      current
 894:         DESCRIPTION
 895:             "The maximum lifetime in Kilobytes (1024 bytes) of the SA,
 896:             or 0 if there is no traffic constraint on its expiration, or
 897:             4294967295 if the maximum lifetime is 4294967295 Kilobytes
 898:             or more but not infinite."
 899:         ::= { ipsecSaAhInEntry 11 }
 900: 
 901:     ipsecSaAhInAccSeconds OBJECT-TYPE
 902:         SYNTAX      Counter32
 903:         UNITS       "seconds"
 904:         MAX-ACCESS  read-only
 905:         STATUS      current
 906:         DESCRIPTION
 907:             "The number of seconds accumulated against the SA's
 908:             expiration by time.
 909: 
 910:             This is also the number of seconds that the SA has existed."
 911:         ::= { ipsecSaAhInEntry 12 }
 912: 
 913:     ipsecSaAhInAccKbytes OBJECT-TYPE
 914:         SYNTAX      Counter32
 915:         UNITS       "Kilobytes"
 916:         MAX-ACCESS  read-only
 917:         STATUS      current
 918:         DESCRIPTION
 919:             "The amount of traffic handled by the SA that could
 920:             accumulate against a traffic expiration limit, measured in
 921:             Kilobytes (1024 bytes).
 922: 
 923:             If the SA expires based on traffic, this value counts
 924:             against the SA's expiration by traffic limitation. If the SA
 925:             does not expire based on traffic, this value may be 0 to
 926:             indicate that the counter is not being used."
 927:         ::= { ipsecSaAhInEntry 13 }
 928: 
 929:     ipsecSaAhInUserOctets OBJECT-TYPE
 930:         SYNTAX      Counter64
 931:         UNITS       "bytes"
 932:         MAX-ACCESS  read-only
 933:         STATUS      current
 934:         DESCRIPTION
 935:             "The amount of user level traffic measured in bytes handled
 936:             successfully by the SA. This is the number of bytes of the
 937:             de-processed IP packet, including the original IP header of
 938:             that de-processed packet.
 939: 
 940:             This is not necessarily the same as the amount of traffic
 941:             applied against the traffic expiration limit due to padding
 942:             or other protocol specific overhead."
 943:         ::= { ipsecSaAhInEntry 14 }
 944: 
 945:     ipsecSaAhInPackets OBJECT-TYPE
 946:         SYNTAX      Counter64
 947:         UNITS       "packets"
 948:         MAX-ACCESS  read-only
 949:         STATUS      current
 950: 
 951: 
 952: 
 953:         DESCRIPTION
 954:             "The number of packets received and successfully processed
 955:             by the SA. This does not include packets that were discarded
 956:             during processing by the SA."
 957:         ::= { ipsecSaAhInEntry 15 }
 958: 
 959:     ipsecSaAhInAuthErrors OBJECT-TYPE
 960:         SYNTAX      Counter32
 961:         UNITS       "packets"
 962:         MAX-ACCESS  read-only
 963:         STATUS      current
 964:         DESCRIPTION
 965:             "The number of packets discarded by the SA due to
 966:             authentication errors."
 967:         ::= { ipsecSaAhInEntry 16 }
 968: 
 969:     ipsecSaAhInReplayErrors OBJECT-TYPE
 970:         SYNTAX      Counter32
 971:         UNITS       "packets"
 972:         MAX-ACCESS  read-only
 973:         STATUS      current
 974:         DESCRIPTION
 975:             "The number of packets discarded by the SA due to replay
 976:             errors."
 977:         ::= { ipsecSaAhInEntry 17 }
 978: 
 979:     ipsecSaAhInPolicyErrors OBJECT-TYPE
 980:         SYNTAX      Counter32
 981:         UNITS       "packets"
 982:         MAX-ACCESS  read-only
 983:         STATUS      current
 984:         DESCRIPTION
 985:             "The number of packets discarded by the SA due to policy
 986:             errors. This includes packets where the next protocol is
 987:             invalid."
 988:         ::= { ipsecSaAhInEntry 18 }
 989: 
 990:     ipsecSaAhInOtherReceiveErrors OBJECT-TYPE
 991:         SYNTAX      Counter32
 992:         UNITS       "packets"
 993:         MAX-ACCESS  read-only
 994:         STATUS      current
 995:         DESCRIPTION
 996:             "The number of packets discarded by the SA due to errors
 997:             other than decryption, authentication or replay errors. This
 998:             may include packets dropped due to a lack of receive
 999: 
1000: 
1001:             buffers, and may include packets dropped due to congestion
1002:             at the authentication element."
1003:         ::= { ipsecSaAhInEntry 19 }
1004: 
1005: 
1006:     -- the IPsec Inbound IPcomp MIB-Group
1007:     --
1008:     -- a collection of objects providing information about
1009:     -- IPsec Inbound IPcomp SAs
1010: 
1011:     ipsecSaIpcompInTable OBJECT-TYPE
1012:         SYNTAX      SEQUENCE OF IpsecSaIpcompInEntry
1013:         MAX-ACCESS  not-accessible
1014:         STATUS      current
1015:         DESCRIPTION
1016:             "The (conceptual) table containing information on IPsec
1017:             inbound IPcomp SAs.
1018: 
1019:             There should be one row for every inbound IPcomp (security)
1020:             association that exists in the entity. The maximum number of
1021:             rows is implementation dependent."
1022:         ::= { saTables 4 }
1023: 
1024:     ipsecSaIpcompInEntry OBJECT-TYPE
1025:         SYNTAX      IpsecSaIpcompInEntry
1026:         MAX-ACCESS  not-accessible
1027:         STATUS      current
1028:         DESCRIPTION
1029:             "An entry (conceptual row) containing the information on a
1030:             particular IPsec inbound IPcomp SA.
1031: 
1032:             A row in this table cannot be created or deleted by SNMP
1033:             operations on columns of the table."
1034:         INDEX   {
1035:                 ipsecSaIpcompInAddressType,
1036:                 ipsecSaIpcompInAddress,
1037:                 ipsecSaIpcompInCpi
1038:                 }
1039:         ::= { ipsecSaIpcompInTable 1 }
1040: 
1041:     IpsecSaIpcompInEntry::= SEQUENCE {
1042: 
1043:     -- identification
1044:     ipsecSaIpcompInAddressType         InetAddressType,
1045:     ipsecSaIpcompInAddress             InetAddress,
1046:     ipsecSaIpcompInCpi                 IpsecDoiIpcompTransform,
1047: 
1048: 
1049:     -- SA selector (if needed)
1050:     ipsecSaIpcompInSelector            Unsigned32,
1051: 
1052:     -- how created
1053:     ipsecSaIpcompInCreator             IpsecSaCreatorIdent,
1054: 
1055:     -- security services description
1056:     ipsecSaIpcompInEncapsulation       IpsecDoiEncapsulationMode,
1057:     ipsecSaIpcompInDecompAlg           IpsecDoiIpcompTransform,
1058: 
1059:     -- current operating statistics
1060:     ipsecSaIpcompInSeconds             Counter32,
1061:     ipsecSaIpcompInUserOctets          Counter64,
1062:     ipsecSaIpcompInUserPackets         Counter64,
1063:     ipsecSaIpcompInCompressedOctets    Counter64,
1064:     ipsecSaIpcompInCompressedPackets   Counter64,
1065:     ipsecSaIpcompInInputOctets         Counter64,
1066: 
1067:     -- error statistics
1068:     ipsecSaIpcompInDecompErrors        Counter32,
1069:     ipsecSaIpcompInOtherReceiveErrors  Counter32
1070:     }
1071: 
1072:     ipsecSaIpcompInAddressType OBJECT-TYPE
1073:         SYNTAX      InetAddressType
1074:         MAX-ACCESS  not-accessible
1075:         STATUS      current
1076:         DESCRIPTION
1077:             "The type of address used for the destination address of the
1078:             SA.
1079: 
1080:             If the IPcomp SA is shared across multiple SAs in security
1081:             association suites, this value may be 0."
1082:         ::= { ipsecSaIpcompInEntry 1 }
1083: 
1084:     ipsecSaIpcompInAddress OBJECT-TYPE
1085:         SYNTAX      InetAddress (SIZE(0|4|16|20))
1086:         MAX-ACCESS  not-accessible
1087:         STATUS      current
1088:         DESCRIPTION
1089:             "The destination address of the SA.
1090: 
1091:             If the IPcomp SA is shared across multiple SAs in security
1092:             association suites, this value may be zero-length."
1093:         ::= { ipsecSaIpcompInEntry 2 }
1094: 
1095:     ipsecSaIpcompInCpi OBJECT-TYPE
1096:         SYNTAX      IpsecDoiIpcompTransform
1097:         MAX-ACCESS  not-accessible
1098:         STATUS      current
1099:         DESCRIPTION
1100:             "The CPI of the SA. Since the lower values of CPIs are
1101:             reserved to be the same as the algorithm, the syntax for
1102:             this object is the same as the transform."
1103:         REFERENCE   "RFC 2393 Section 3.3"
1104:         ::= { ipsecSaIpcompInEntry 3 }
1105: 
1106:     ipsecSaIpcompInSelector OBJECT-TYPE
1107:         SYNTAX      Unsigned32
1108:         MAX-ACCESS  read-only
1109:         STATUS      current
1110:         DESCRIPTION
1111:             "The index of the selector table row for this SA. In other
1112:             words, the value of 'selectorIndex' for the appropriate row
1113:             ('SelectorEntry') from the 'selectorTable'
1114: 
1115:             This value may be 0 if this SA is used with multiple SAs in
1116:             security association suites."
1117:         ::= { ipsecSaIpcompInEntry 4 }
1118: 
1119:     ipsecSaIpcompInCreator OBJECT-TYPE
1120:         SYNTAX      IpsecSaCreatorIdent
1121:         MAX-ACCESS  read-only
1122:         STATUS      current
1123:         DESCRIPTION
1124:             "The creator of this SA.
1125: 
1126:             This MIB makes no assumptions about how the SAs are created.
1127:             They may be created statically, or by a key exchange
1128:             protocol such as IKE, or by some other method."
1129:         ::= { ipsecSaIpcompInEntry 5 }
1130: 
1131:     ipsecSaIpcompInEncapsulation OBJECT-TYPE
1132:         SYNTAX      IpsecDoiEncapsulationMode
1133:         MAX-ACCESS  read-only
1134:         STATUS      current
1135:         DESCRIPTION
1136:             "The type of encapsulation used by this SA."
1137:         ::= { ipsecSaIpcompInEntry 6 }
1138: 
1139:     ipsecSaIpcompInDecompAlg OBJECT-TYPE
1140:         SYNTAX      IpsecDoiIpcompTransform
1141:         MAX-ACCESS  read-only
1142:         STATUS      current
1143: 
1144: 
1145:         DESCRIPTION
1146:             "A unique value representing the decompression algorithm
1147:             applied to traffic."
1148:         ::= { ipsecSaIpcompInEntry 7 }
1149: 
1150:     ipsecSaIpcompInSeconds OBJECT-TYPE
1151:         SYNTAX      Counter32
1152:         UNITS       "seconds"
1153:         MAX-ACCESS  read-only
1154:         STATUS      current
1155:         DESCRIPTION
1156:             "The number of seconds that the SA has existed."
1157:         ::= { ipsecSaIpcompInEntry 8 }
1158: 
1159:     ipsecSaIpcompInUserOctets OBJECT-TYPE
1160:         SYNTAX      Counter64
1161:         UNITS       "bytes"
1162:         MAX-ACCESS  read-only
1163:         STATUS      current
1164:         DESCRIPTION
1165:             "The amount of user level traffic measured in bytes handled
1166:             by the SA. This includes traffic on packets that were both
1167:             compressed and uncompressed. Packets that were not
1168:             compressed that count in this total may include packets that
1169:             were received in a security association suite that included
1170:             IPcomp."
1171:         ::= { ipsecSaIpcompInEntry 9 }
1172: 
1173:     ipsecSaIpcompInUserPackets OBJECT-TYPE
1174:         SYNTAX      Counter64
1175:         UNITS       "packets"
1176:         MAX-ACCESS  read-only
1177:         STATUS      current
1178:         DESCRIPTION
1179:             "The number of packets sent from the SA after inbound
1180:             processing, whether they were compressed or not.
1181: 
1182:             When used in a security association suite, this value is the
1183:             total number of packets sent by the suite. If this SA is
1184:             shared across multiple SA suites, this value is the sum of
1185:             the number of packets sent from those suites."
1186:         ::= { ipsecSaIpcompInEntry 10 }
1187: 
1188:     ipsecSaIpcompInCompressedOctets OBJECT-TYPE
1189:         SYNTAX      Counter64
1190:         UNITS       "bytes"
1191:         MAX-ACCESS  read-only
1192:         STATUS      current
1193:         DESCRIPTION
1194:             "The amount of traffic measured in bytes that is received by
1195:             the SA that was compressed. This includes the IPcomp and IP
1196:             headers that are not compressed.
1197: 
1198:             The amount of traffic that is not compressed (for any
1199:             reason) is the value of ipsecSaIpcompInInputOctets minus
1200:             ipsecSaIpcompInCompressedOctets."
1201:         ::= { ipsecSaIpcompInEntry 11 }
1202: 
1203:     ipsecSaIpcompInCompressedPackets  OBJECT-TYPE
1204:         SYNTAX      Counter64
1205:         UNITS       "packets"
1206:         MAX-ACCESS  read-only
1207:         STATUS      current
1208:         DESCRIPTION
1209:             "The number of packets received by the SA that were
1210:             compressed.
1211: 
1212:             The number of packets that were not compressed (for any
1213:             reason) is the value of ipsecSaIpcompInUserPackets minus
1214:             ipsecSaIpcompInCompressedPackets.
1215: 
1216:             When used in a security association suite, this value is the
1217:             total number of compressed packets received by the suite. If
1218:             this SA is shared across multiple SA suites, this value is
1219:             the sum of the number of compressed packets received by
1220:             those suites."
1221:         ::= { ipsecSaIpcompInEntry 12 }
1222: 
1223:     ipsecSaIpcompInInputOctets   OBJECT-TYPE
1224:         SYNTAX      Counter64
1225:         UNITS       "bytes"
1226:         MAX-ACCESS  read-only
1227:         STATUS      current
1228:         DESCRIPTION
1229:             "The total amount of traffic measured in bytes that is
1230:             received by the SA, compressed or not. This includes the
1231:             IPcomp header if present and the IP header of each packet.
1232: 
1233:             When the IPcomp SA is shared across multiple security
1234:             association suites, this value is the sum of the output of
1235:             all SAs before this SA in those SA suites.
1236: 
1237:             When used in a security association suite, this value is the
1238:             same as the traffic sent from the previous SA in the suite.
1239:             If this SA is shared across multiple SA suites, this value
1240: 
1241:             is the sum of all traffic sent from the previous SAs in
1242:             those suites."
1243:         ::= { ipsecSaIpcompInEntry 13 }
1244: 
1245:     ipsecSaIpcompInDecompErrors OBJECT-TYPE
1246:         SYNTAX      Counter32
1247:         UNITS       "packets"
1248:         MAX-ACCESS  read-only
1249:         STATUS      current
1250:         DESCRIPTION
1251:             "The number of packets discarded by the SA due to
1252:             decompression errors."
1253:         ::= { ipsecSaIpcompInEntry 14 }
1254: 
1255:     ipsecSaIpcompInOtherReceiveErrors OBJECT-TYPE
1256:         SYNTAX      Counter32
1257:         UNITS       "packets"
1258:         MAX-ACCESS  read-only
1259:         STATUS      current
1260:         DESCRIPTION
1261:             "The number of packets discarded by the SA due to errors
1262:             other than decompression errors. This may include packets
1263:             dropped due to a lack of receive buffers, and packets
1264:             dropped due to congestion at the decompression element."
1265:         ::= { ipsecSaIpcompInEntry 15 }
1266: 
1267: 
1268:     -- the IPsec Outbound ESP MIB-Group
1269:     --
1270:     -- a collection of objects providing information about
1271:     -- IPsec Outbound ESP SAs
1272: 
1273:     ipsecSaEspOutTable OBJECT-TYPE
1274:         SYNTAX      SEQUENCE OF IpsecSaEspOutEntry
1275:         MAX-ACCESS  not-accessible
1276:         STATUS      current
1277:         DESCRIPTION
1278:             "The (conceptual) table containing information on IPsec
1279:             Outbound ESP SAs.
1280: 
1281:             There should be one row for every outbound ESP security
1282:             association that exists in the entity. The maximum number of
1283:             rows is implementation dependent."
1284:         ::= { saTables 5 }
1285: 
1286:     ipsecSaEspOutEntry OBJECT-TYPE
1287:         SYNTAX      IpsecSaEspOutEntry
1288:         MAX-ACCESS  not-accessible
1289:         STATUS      current
1290:         DESCRIPTION
1291:             "An entry (conceptual row) containing the information on a
1292:             particular IPsec Outbound ESP SA.
1293: 
1294:             A row in this table cannot be created or deleted by SNMP
1295:             operations on columns of the table."
1296:         INDEX   {
1297:                 ipsecSaEspOutAddressType,
1298:                 ipsecSaEspOutAddress,
1299:                 ipsecSaEspOutSpi
1300:                 }
1301:         ::= { ipsecSaEspOutTable 1 }
1302: 
1303:     IpsecSaEspOutEntry::= SEQUENCE {
1304: 
1305:     -- identification
1306:     ipsecSaEspOutAddressType     InetAddressType,
1307:     ipsecSaEspOutAddress         InetAddress,
1308:     ipsecSaEspOutSpi             Unsigned32,
1309: 
1310:     -- SA selector
1311:     ipsecSaEspOutSelector        Unsigned32,
1312: 
1313:     -- how created
1314:     ipsecSaEspOutCreator         IpsecSaCreatorIdent,
1315: 
1316:     -- security services description
1317:     ipsecSaEspOutEncapsulation   IpsecDoiEncapsulationMode,
1318:     ipsecSaEspOutEncAlg          IpsecDoiEspTransform,
1319:     ipsecSaEspOutEncKeyLength    Unsigned32,
1320:     ipsecSaEspOutAuthAlg         IpsecDoiAuthAlgorithm,
1321:     ipsecSaEspOutAuthKeyLength   Unsigned32,
1322: 
1323:     -- expiration limits
1324:     ipsecSaEspOutLimitSeconds    Unsigned32, -- sec., 0 if none
1325:     ipsecSaEspOutLimitKbytes     Unsigned32, -- 0 if none
1326: 
1327:     -- current operating statistics
1328:     ipsecSaEspOutAccSeconds      Counter32,
1329:     ipsecSaEspOutAccKbytes       Counter32,
1330:     ipsecSaEspOutUserOctets      Counter64,
1331:     ipsecSaEspOutPackets         Counter64,
1332: 
1333:     -- error statistics
1334:     ipsecSaEspOutSendErrors      Counter32
1335: 
1336:     }
1337: 
1338: 
1339:     ipsecSaEspOutAddressType OBJECT-TYPE
1340:         SYNTAX      InetAddressType
1341:         MAX-ACCESS  not-accessible
1342:         STATUS      current
1343:         DESCRIPTION
1344:             "The type of address used by the destination address of the
1345:             SA."
1346:         ::= { ipsecSaEspOutEntry 1 }
1347: 
1348:     ipsecSaEspOutAddress OBJECT-TYPE
1349:         SYNTAX      InetAddress (SIZE(4|16|20))
1350:         MAX-ACCESS  not-accessible
1351:         STATUS      current
1352:         DESCRIPTION
1353:             "The destination address of the SA."
1354:         ::= { ipsecSaEspOutEntry 2 }
1355: 
1356:     ipsecSaEspOutSpi OBJECT-TYPE
1357:         SYNTAX      Unsigned32
1358:         MAX-ACCESS  not-accessible
1359:         STATUS      current
1360:         DESCRIPTION
1361:             "The security parameters index of the SA."
1362:         REFERENCE   "RFC 2406 Section 2.1"
1363:         ::= { ipsecSaEspOutEntry 3 }
1364: 
1365:     ipsecSaEspOutSelector OBJECT-TYPE
1366:         SYNTAX      Unsigned32
1367:         MAX-ACCESS  read-only
1368:         STATUS      current
1369:         DESCRIPTION
1370:             "The index of the selector table row for this suite. In
1371:             other words, the value of 'selectorIndex' for the
1372:             appropriate row ('SelectorEntry') from the 'selectorTable'"
1373:         ::= { ipsecSaEspOutEntry 4 }
1374: 
1375:     ipsecSaEspOutCreator OBJECT-TYPE
1376:         SYNTAX      IpsecSaCreatorIdent
1377:         MAX-ACCESS  read-only
1378:         STATUS      current
1379:         DESCRIPTION
1380:             "The creator of this SA.
1381: 
1382: 
1383: 
1384: 
1385:             This MIB makes no assumptions about how the SAs are created.
1386:             They may be created statically, or by a key exchange
1387:             protocol such as IKE, or by some other method."
1388:         ::= { ipsecSaEspOutEntry 5 }
1389: 
1390:     ipsecSaEspOutEncapsulation OBJECT-TYPE
1391:         SYNTAX      IpsecDoiEncapsulationMode
1392:         MAX-ACCESS  read-only
1393:         STATUS      current
1394:         DESCRIPTION
1395:             "The type of encapsulation used by this SA."
1396:         ::= { ipsecSaEspOutEntry 6 }
1397: 
1398:     ipsecSaEspOutEncAlg OBJECT-TYPE
1399:         SYNTAX      IpsecDoiEspTransform
1400:         MAX-ACCESS  read-only
1401:         STATUS      current
1402:         DESCRIPTION
1403:             "A unique value representing the encryption algorithm
1404:             applied to traffic."
1405:         ::= { ipsecSaEspOutEntry 7 }
1406: 
1407:     ipsecSaEspOutEncKeyLength OBJECT-TYPE
1408:         SYNTAX      Unsigned32 (0..65531)
1409:         UNITS       "bits"
1410:         MAX-ACCESS  read-only
1411:         STATUS      current
1412:         DESCRIPTION
1413:             "The length of the encryption key in bits used for the
1414:             algorithm specified in the ipsecSaEspOutEncAlg object. It
1415:             may be 0 if the key length is implicit in the specified
1416:             algorithm or there is no encryption specified."
1417:         ::= { ipsecSaEspOutEntry 8 }
1418: 
1419:     ipsecSaEspOutAuthAlg OBJECT-TYPE
1420:         SYNTAX      IpsecDoiAuthAlgorithm
1421:         MAX-ACCESS  read-only
1422:         STATUS      current
1423:         DESCRIPTION
1424:             "A unique value representing the hash algorithm applied to
1425:             traffic."
1426:         ::= { ipsecSaEspOutEntry 9 }
1427: 
1428:     ipsecSaEspOutAuthKeyLength OBJECT-TYPE
1429:         SYNTAX      Unsigned32 (0..65531)
1430:         UNITS       "bits"
1431:         MAX-ACCESS  read-only
1432:         STATUS      current
1433:         DESCRIPTION
1434:             "The length of the authentication key in bits used for the
1435:             algorithm specified in the ipsecSaEspOutAuthAlg object. It
1436:             may be 0 if the key length is implicit in the specified
1437:             algorithm or there is no authentication specified."
1438:         ::= { ipsecSaEspOutEntry 10 }
1439: 
1440:     ipsecSaEspOutLimitSeconds OBJECT-TYPE
1441:         SYNTAX      Unsigned32
1442:         UNITS       "seconds"
1443:         MAX-ACCESS  read-only
1444:         STATUS      current
1445:         DESCRIPTION
1446:             "The maximum lifetime in seconds of the SA, or 0 if there is
1447:             no time constraint on its expiration.
1448: 
1449:             The display value is limited to 4294967295 seconds (more
1450:             than 136 years); values greater than that value will be
1451:             truncated."
1452:         ::= { ipsecSaEspOutEntry 11 }
1453: 
1454:     ipsecSaEspOutLimitKbytes OBJECT-TYPE
1455:         SYNTAX      Unsigned32
1456:         UNITS       "Kilobytes"
1457:         MAX-ACCESS  read-only
1458:         STATUS      current
1459:         DESCRIPTION
1460:             "The maximum traffic in Kilobytes (1024 bytes) that the SA
1461:             is allowed to process, or 0 if there is no traffic
1462:             constraint on its expiration.
1463: 
1464:             The display value is limited to 4294967295 Kilobytes; values
1465:             greater than that value will be truncated."
1466:         ::= { ipsecSaEspOutEntry 12 }
1467: 
1468:     ipsecSaEspOutAccSeconds OBJECT-TYPE
1469:         SYNTAX      Counter32
1470:         UNITS       "seconds"
1471:         MAX-ACCESS  read-only
1472:         STATUS      current
1473:         DESCRIPTION
1474:             "The number of seconds accumulated against the SA's
1475:             expiration by time.
1476: 
1477:             This is also the number of seconds that the SA has existed."
1478:         ::= { ipsecSaEspOutEntry 13 }
1479: 
1480: 
1481:     ipsecSaEspOutAccKbytes OBJECT-TYPE
1482:         SYNTAX      Counter32
1483:         UNITS       "Kilobytes"
1484:         MAX-ACCESS  read-only
1485:         STATUS      current
1486:         DESCRIPTION
1487:             "The amount of traffic handled by the SA that could
1488:             accumulate against a traffic expiration limit, measured in
1489:             Kilobytes (1024 bytes).
1490: 
1491:             If the SA expires based on traffic, this value counts
1492:             against the SA's expiration by traffic limitation. If the SA
1493:             does not expire based on traffic, this value may be 0 to
1494:             indicate that the counter is not being used."
1495:         ::= { ipsecSaEspOutEntry 14 }
1496: 
1497:     ipsecSaEspOutUserOctets OBJECT-TYPE
1498:         SYNTAX      Counter64
1499:         UNITS       "bytes"
1500:         MAX-ACCESS  read-only
1501:         STATUS      current
1502:         DESCRIPTION
1503:             "The amount of user level traffic measured in bytes handled
1504:             by the SA. This is the number of bytes of the unencrypted IP
1505:             packet, including the original IP header of that unencrypted
1506:             packet.
1507: 
1508:             Traffic from packets dropped due to errors is not included
1509:             in this total.
1510: 
1511:             This is not necessarily the same as the amount of traffic
1512:             applied against the traffic expiration limit due to padding
1513:             or other protocol specific overhead."
1514:         ::= { ipsecSaEspOutEntry 15 }
1515: 
1516:     ipsecSaEspOutPackets OBJECT-TYPE
1517:         SYNTAX      Counter64
1518:         UNITS       "packets"
1519:         MAX-ACCESS  read-only
1520:         STATUS      current
1521:         DESCRIPTION
1522:             "The number of packets successfully handled by the SA.
1523:             Packets dropped due to errors are not included in this
1524:             count."
1525:         ::= { ipsecSaEspOutEntry 16 }
1526: 
1527:     ipsecSaEspOutSendErrors OBJECT-TYPE
1528:         SYNTAX      Counter32
1529:         UNITS       "packets"
1530:         MAX-ACCESS  read-only
1531:         STATUS      current
1532:         DESCRIPTION
1533:             "The number of packets discarded by the SA due to any error.
1534:             This may include errors due to a lack of transmit buffers."
1535:         ::= { ipsecSaEspOutEntry 17 }
1536: 
1537: 
1538:     -- the IPsec Outbound AH MIB-Group
1539:     --
1540:     -- a collection of objects providing information about
1541:     -- IPsec Outbound AH SAs
1542: 
1543:     ipsecSaAhOutTable OBJECT-TYPE
1544:         SYNTAX      SEQUENCE OF IpsecSaAhOutEntry
1545:         MAX-ACCESS  not-accessible
1546:         STATUS      current
1547:         DESCRIPTION
1548:             "The (conceptual) table containing information on IPsec
1549:             Outbound AH SAs.
1550: 
1551:             There should be one row for every outbound AH security
1552:             association that exists in the entity. The maximum number of
1553:             rows is implementation dependent."
1554:         ::= { saTables 6 }
1555: 
1556:     ipsecSaAhOutEntry OBJECT-TYPE
1557:         SYNTAX      IpsecSaAhOutEntry
1558:         MAX-ACCESS  not-accessible
1559:         STATUS      current
1560:         DESCRIPTION
1561:             "An entry (conceptual row) containing the information on a
1562:             particular IPsec Outbound AH SA.
1563: 
1564:             A row in this table cannot be created or deleted by SNMP
1565:             operations on columns of the table."
1566:         INDEX   {
1567:                 ipsecSaAhOutAddressType,
1568:                 ipsecSaAhOutAddress,
1569:                 ipsecSaAhOutSpi
1570:                 }
1571:         ::= { ipsecSaAhOutTable 1 }
1572: 
1573:     IpsecSaAhOutEntry::= SEQUENCE {
1574: 
1575:     -- identification
1576:     ipsecSaAhOutAddressType      InetAddressType,
1577:     ipsecSaAhOutAddress          InetAddress,
1578:     ipsecSaAhOutSpi              Unsigned32,
1579: 
1580:     -- SA selector
1581:     ipsecSaAhOutSelector         Unsigned32,
1582: 
1583:     -- how created
1584:     ipsecSaAhOutCreator          IpsecSaCreatorIdent,
1585: 
1586:     -- security services description
1587:     ipsecSaAhOutEncapsulation    IpsecDoiEncapsulationMode,
1588:     ipsecSaAhOutAuthAlg          IpsecDoiAhTransform,
1589:     ipsecSaAhOutAuthKeyLength    Unsigned32,
1590: 
1591:     -- expiration limits
1592:     ipsecSaAhOutLimitSeconds     Unsigned32, -- sec., 0 if none
1593:     ipsecSaAhOutLimitKbytes      Unsigned32, -- 0 if none
1594: 
1595:     -- current operating statistics
1596:     ipsecSaAhOutAccSeconds       Counter32,
1597:     ipsecSaAhOutAccKbytes        Counter32,
1598:     ipsecSaAhOutUserOctets       Counter64,
1599:     ipsecSaAhOutPackets          Counter64,
1600: 
1601:     -- error statistics
1602:     ipsecSaAhOutSendErrors       Counter32
1603: 
1604:     }
1605: 
1606: 
1607:     ipsecSaAhOutAddressType OBJECT-TYPE
1608:         SYNTAX      InetAddressType
1609:         MAX-ACCESS  not-accessible
1610:         STATUS      current
1611:         DESCRIPTION
1612:             "The type of address used by the destination address of the
1613:             SA."
1614:         ::= { ipsecSaAhOutEntry 1 }
1615: 
1616:     ipsecSaAhOutAddress OBJECT-TYPE
1617:         SYNTAX      InetAddress (SIZE(4|16|20))
1618:         MAX-ACCESS  not-accessible
1619:         STATUS      current
1620:         DESCRIPTION
1621:             "The destination address of the SA."
1622:         ::= { ipsecSaAhOutEntry 2 }
1623: 
1624: 
1625:     ipsecSaAhOutSpi OBJECT-TYPE
1626:         SYNTAX      Unsigned32
1627:         MAX-ACCESS  not-accessible
1628:         STATUS      current
1629:         DESCRIPTION
1630:             "The security parameters index of the SA."
1631:         REFERENCE   "RFC 2402 Section 2.4"
1632:         ::= { ipsecSaAhOutEntry 3 }
1633: 
1634:     ipsecSaAhOutSelector OBJECT-TYPE
1635:         SYNTAX      Unsigned32
1636:         MAX-ACCESS  read-only
1637:         STATUS      current
1638:         DESCRIPTION
1639:             "The index of the selector table row for this suite. In
1640:             other words, the value of 'selectorIndex' for the
1641:             appropriate row ('SelectorEntry') from the 'selectorTable'."
1642:         ::= { ipsecSaAhOutEntry 4 }
1643: 
1644:     ipsecSaAhOutCreator OBJECT-TYPE
1645:         SYNTAX      IpsecSaCreatorIdent
1646:         MAX-ACCESS  read-only
1647:         STATUS      current
1648:         DESCRIPTION
1649:             "The creator of this SA.
1650: 
1651:             This MIB makes no assumptions about how the SAs are created.
1652:             They may be created statically, or by a key exchange
1653:             protocol such as IKE, or by some other method."
1654:         ::= { ipsecSaAhOutEntry 5 }
1655: 
1656:     ipsecSaAhOutEncapsulation OBJECT-TYPE
1657:         SYNTAX      IpsecDoiEncapsulationMode
1658:         MAX-ACCESS  read-only
1659:         STATUS      current
1660:         DESCRIPTION
1661:             "The type of encapsulation used by this SA."
1662:         ::= { ipsecSaAhOutEntry 6 }
1663: 
1664:     ipsecSaAhOutAuthAlg OBJECT-TYPE
1665:         SYNTAX      IpsecDoiAhTransform
1666:         MAX-ACCESS  read-only
1667:         STATUS      current
1668:         DESCRIPTION
1669:             "A unique value representing the hash algorithm applied to
1670:             traffic carried by this SA."
1671:         ::= { ipsecSaAhOutEntry 7 }
1672: 
1673:     ipsecSaAhOutAuthKeyLength OBJECT-TYPE
1674:         SYNTAX      Unsigned32 (0..65531)
1675:         UNITS       "bits"
1676:         MAX-ACCESS  read-only
1677:         STATUS      current
1678:         DESCRIPTION
1679:             "The length of the authentication key in bits used for the
1680:             algorithm specified in the ipsecSaAhOutAuthAlg object. It
1681:             may be 0 if the key length is implicit in the specified
1682:             algorithm."
1683:         ::= { ipsecSaAhOutEntry 8 }
1684: 
1685:     ipsecSaAhOutLimitSeconds OBJECT-TYPE
1686:         SYNTAX      Unsigned32
1687:         UNITS       "seconds"
1688:         MAX-ACCESS  read-only
1689:         STATUS      current
1690:         DESCRIPTION
1691:             "The maximum lifetime in seconds of the SA, or 0 if there is
1692:             no time constraint on its expiration.
1693: 
1694:             The display value is limited to 4294967295 seconds (more
1695:             than 136 years); values greater than that value will be
1696:             truncated."
1697:         ::= { ipsecSaAhOutEntry 9 }
1698: 
1699:     ipsecSaAhOutLimitKbytes OBJECT-TYPE
1700:         SYNTAX      Unsigned32
1701:         UNITS       "Kilobytes"
1702:         MAX-ACCESS  read-only
1703:         STATUS      current
1704:         DESCRIPTION
1705:             "The maximum traffic in Kilobytes (1024 bytes) that the SA
1706:             is allowed to process, or 0 if there is no traffic
1707:             constraint on its expiration.
1708: 
1709:             The display value is limited to 4294967295 Kilobytes; values
1710:             greater than that value will be truncated."
1711:         ::= { ipsecSaAhOutEntry 10 }
1712: 
1713:     ipsecSaAhOutAccSeconds OBJECT-TYPE
1714:         SYNTAX      Counter32
1715:         UNITS       "seconds"
1716:         MAX-ACCESS  read-only
1717:         STATUS      current
1718:         DESCRIPTION
1719:             "The number of seconds accumulated against the SA's
1720:             expiration by time.
1721: 
1722:             This is also the number of seconds that the SA has existed."
1723:         ::= { ipsecSaAhOutEntry 11 }
1724: 
1725:     ipsecSaAhOutAccKbytes OBJECT-TYPE
1726:         SYNTAX      Counter32
1727:         UNITS       "Kilobytes"
1728:         MAX-ACCESS  read-only
1729:         STATUS      current
1730:         DESCRIPTION
1731:             "The amount of traffic handled by the SA that could
1732:             accumulate against a traffic expiration limit, measured in
1733:             Kilobytes (1024 bytes).
1734: 
1735:             If the SA expires based on traffic, this value counts
1736:             against the SA's expiration by traffic limitation. If the SA
1737:             does not expire based on traffic, this value may be 0 to
1738:             indicate that the counter is not being used."
1739:         ::= { ipsecSaAhOutEntry 12 }
1740: 
1741:     ipsecSaAhOutUserOctets OBJECT-TYPE
1742:         SYNTAX      Counter64
1743:         UNITS       "bytes"
1744:         MAX-ACCESS  read-only
1745:         STATUS      current
1746:         DESCRIPTION
1747:             "The amount of user level traffic measured in bytes handled
1748:             by the SA. This is the number of bytes of the unprocessed IP
1749:             packet, including the original IP header of that unprocessed
1750:             packet.
1751: 
1752:             Traffic from packets dropped due to errors is not included
1753:             in this total.
1754: 
1755:             This is not necessarily the same as the amount of traffic
1756:             applied against the traffic expiration limit due to padding
1757:             or other protocol specific overhead."
1758:         ::= { ipsecSaAhOutEntry 13 }
1759: 
1760:     ipsecSaAhOutPackets OBJECT-TYPE
1761:         SYNTAX      Counter64
1762:         UNITS       "packets"
1763:         MAX-ACCESS  read-only
1764:         STATUS      current
1765: 
1766: 
1767: 
1768: 
1769:         DESCRIPTION
1770:             "The number of packets successfully handled by the SA.
1771:             Packets dropped due to errors are not included in this
1772:             count."
1773:         ::= { ipsecSaAhOutEntry 14 }
1774: 
1775:     ipsecSaAhOutSendErrors OBJECT-TYPE
1776:         SYNTAX      Counter32
1777:         UNITS       "packets"
1778:         MAX-ACCESS  read-only
1779:         STATUS      current
1780:         DESCRIPTION
1781:             "The number of packets discarded by the SA due to any error.
1782:             This may include errors due to a lack of transmit buffers."
1783:         ::= { ipsecSaAhOutEntry 15 }
1784: 
1785: 
1786:     -- the IPsec Outbound IPcomp MIB-Group
1787:     --
1788:     -- a collection of objects providing information about
1789:     -- IPsec Outbound IPcomp SAs
1790: 
1791:     ipsecSaIpcompOutTable OBJECT-TYPE
1792:         SYNTAX      SEQUENCE OF IpsecSaIpcompOutEntry
1793:         MAX-ACCESS  not-accessible
1794:         STATUS      current
1795:         DESCRIPTION
1796:             "The (conceptual) table containing information on IPsec
1797:             Outbound IPcomp SAs.
1798: 
1799:             There should be one row for every outbound IPcomp (security)
1800:             association that exists in the entity. The maximum number of
1801:             rows is implementation dependent."
1802:         ::= { saTables 7 }
1803: 
1804:     ipsecSaIpcompOutEntry OBJECT-TYPE
1805:         SYNTAX      IpsecSaIpcompOutEntry
1806:         MAX-ACCESS  not-accessible
1807:         STATUS      current
1808:         DESCRIPTION
1809:             "An entry (conceptual row) containing the information on a
1810:             particular IPsec Outbound IPcomp SA.
1811: 
1812:             A row in this table cannot be created or deleted by SNMP
1813:             operations on columns of the table."
1814:         INDEX   {
1815:                 ipsecSaIpcompOutAddressType,
1816:                 ipsecSaIpcompOutAddress,
1817:                 ipsecSaIpcompOutCpi
1818:                 }
1819:         ::= { ipsecSaIpcompOutTable 1 }
1820: 
1821:     IpsecSaIpcompOutEntry::= SEQUENCE {
1822: 
1823:     -- identification
1824:     ipsecSaIpcompOutAddressType     InetAddressType,
1825:     ipsecSaIpcompOutAddress         InetAddress,
1826:     ipsecSaIpcompOutCpi             IpsecDoiIpcompTransform,
1827: 
1828:     -- SA selector
1829:     ipsecSaIpcompOutSelector        Unsigned32,
1830: 
1831:     -- how created
1832:     ipsecSaIpcompOutCreator         IpsecSaCreatorIdent,
1833: 
1834:     -- security services description
1835:     ipsecSaIpcompOutEncapsulation   IpsecDoiEncapsulationMode,
1836:     ipsecSaIpcompOutCompAlg         IpsecDoiIpcompTransform,
1837: 
1838:     -- current operating statistics
1839:     ipsecSaIpcompOutSeconds         Counter32,
1840:     ipsecSaIpcompOutUserOctets      Counter64,
1841:     ipsecSaIpcompOutUserPackets     Counter64,
1842:     ipsecSaIpcompOutOutputOctets    Counter64,
1843:     ipsecSaIpcompOutCompressedPackets  Counter64,
1844:     ipsecSaIpcompOutCompressedOctets   Counter64
1845: 
1846:     }
1847: 
1848: 
1849:     ipsecSaIpcompOutAddressType OBJECT-TYPE
1850:         SYNTAX      InetAddressType
1851:         MAX-ACCESS  not-accessible
1852:         STATUS      current
1853:         DESCRIPTION
1854:             "The type of address used by the destination address of the
1855:             SA.
1856: 
1857:             If the IPcomp SA is shared across multiple SAs in security
1858:             association suites, this value may be 0 to indicate that the
1859:             addresses to which this SA applies cannot be expressed with a
1860:             single InetAddressType/InetAddress pair."
1861:         ::= { ipsecSaIpcompOutEntry 1 }
1862: 
1863:     ipsecSaIpcompOutAddress OBJECT-TYPE
1864:         SYNTAX      InetAddress (SIZE(0|4|16|20))
1865:         MAX-ACCESS  not-accessible
1866:         STATUS      current
1867:         DESCRIPTION
1868:             "The destination address of the SA.
1869: 
1870:             If the IPcomp SA is shared across multiple SAs in security
1871:             association suites, this value may be zero-length to
1872:             indicate that the addresses to which this SA applies cannot be
1873:             expressed with a single InetAddressType/InetAddress pair."
1874:         ::= { ipsecSaIpcompOutEntry 2 }
1875: 
1876:     ipsecSaIpcompOutCpi OBJECT-TYPE
1877:         SYNTAX      IpsecDoiIpcompTransform
1878:         MAX-ACCESS  not-accessible
1879:         STATUS      current
1880:         DESCRIPTION
1881:             "The CPI of the SA. Since the lower values of CPIs are
1882:             reserved to be the same as the algorithm, the syntax for
1883:             this object is the same as the transform."
1884:         REFERENCE   "RFC 2393 Section 3.3"
1885:         ::= { ipsecSaIpcompOutEntry 3 }
1886: 
1887:     ipsecSaIpcompOutSelector OBJECT-TYPE
1888:         SYNTAX      Unsigned32
1889:         MAX-ACCESS  read-only
1890:         STATUS      current
1891:         DESCRIPTION
1892:             "The index of the selector table row for this suite. In
1893:             other words, the value of 'selectorIndex' for the
1894:             appropriate row ('SelectorEntry') from the 'selectorTable'.
1895: 
1896:             This value may be 0 if this SA is used with multiple SAs in
1897:             security association suites to indicate that this SA is
1898:             applied to multiple rows from the 'selectorTable'."
1899:         ::= { ipsecSaIpcompOutEntry 4 }
1900: 
1901:     ipsecSaIpcompOutCreator OBJECT-TYPE
1902:         SYNTAX      IpsecSaCreatorIdent
1903:         MAX-ACCESS  read-only
1904:         STATUS      current
1905:         DESCRIPTION
1906:             "The creator of this SA.
1907: 
1908:             This MIB makes no assumptions about how the SAs are created.
1909:             They may be created statically, or by a key exchange
1910:             protocol such as IKE, or by some other method."
1911:         ::= { ipsecSaIpcompOutEntry 11 }
1912: 
1913:     ipsecSaIpcompOutEncapsulation OBJECT-TYPE
1914:         SYNTAX      IpsecDoiEncapsulationMode
1915:         MAX-ACCESS  read-only
1916:         STATUS      current
1917:         DESCRIPTION
1918:             "The type of encapsulation used by this SA."
1919:         ::= { ipsecSaIpcompOutEntry 12 }
1920: 
1921:     ipsecSaIpcompOutCompAlg OBJECT-TYPE
1922:         SYNTAX      IpsecDoiIpcompTransform
1923:         MAX-ACCESS  read-only
1924:         STATUS      current
1925:         DESCRIPTION
1926:             "A unique value representing the compression algorithm
1927:             applied to traffic."
1928:         ::= { ipsecSaIpcompOutEntry 13 }
1929: 
1930:     ipsecSaIpcompOutSeconds OBJECT-TYPE
1931:         SYNTAX      Counter32
1932:         UNITS       "seconds"
1933:         MAX-ACCESS  read-only
1934:         STATUS      current
1935:         DESCRIPTION
1936:             "The number of seconds that the SA has existed."
1937:         ::= { ipsecSaIpcompOutEntry 14 }
1938: 
1939:     ipsecSaIpcompOutUserOctets OBJECT-TYPE
1940:         SYNTAX      Counter64
1941:         UNITS       "bytes"
1942:         MAX-ACCESS  read-only
1943:         STATUS      current
1944:         DESCRIPTION
1945:             "The amount of user level traffic measured in bytes received
1946:             by the SA. This is the number of bytes of the uncompressed
1947:             IP packet, including the original IP header of that
1948:             uncompressed packet."
1949:         ::= { ipsecSaIpcompOutEntry 15 }
1950: 
1951:     ipsecSaIpcompOutUserPackets OBJECT-TYPE
1952:         SYNTAX      Counter64
1953:         UNITS       "packets"
1954:         MAX-ACCESS  read-only
1955:         STATUS      current
1956:         DESCRIPTION
1957:             "The number of packets received for handling by the SA. This
1958:             includes packets that were both compressed and not
1959:             compressed."
1960:         ::= { ipsecSaIpcompOutEntry 16 }
1961: 
1962:     ipsecSaIpcompOutOutputOctets OBJECT-TYPE
1963:         SYNTAX      Counter64
1964:         UNITS       "bytes"
1965:         MAX-ACCESS  read-only
1966:         STATUS      current
1967:         DESCRIPTION
1968:             "The amount of traffic measured in bytes output by the SA.
1969:             This includes byte counts from packets compressed by the SA
1970:             and also packets not modified by the SA.
1971: 
1972:             This object can be divided into the
1973:             ipsecSaIpcompOutUserOctets object to get a compression
1974:             performance metric for the SA."
1975:         ::= { ipsecSaIpcompOutEntry 17 }
1976: 
1977:     ipsecSaIpcompOutCompressedPackets  OBJECT-TYPE
1978:         SYNTAX      Counter64
1979:         UNITS       "packets"
1980:         MAX-ACCESS  read-only
1981:         STATUS      current
1982:         DESCRIPTION
1983:             "The number of packets sent from the SA that were
1984:             compressed.
1985: 
1986:             The number of packets sent from the SA that were not
1987:             compressed can be calculated by subtracting the value of
1988:             this object from the value of ipsecSaIpcompOutUserPackets."
1989:         ::= { ipsecSaIpcompOutEntry 18 }
1990: 
1991:     ipsecSaIpcompOutCompressedOctets   OBJECT-TYPE
1992:         SYNTAX      Counter64
1993:         UNITS       "bytes"
1994:         MAX-ACCESS  read-only
1995:         STATUS      current
1996:         DESCRIPTION
1997:             "The amount of traffic measured in bytes output by the SA
1998:             that is in packets that were compressed.
1999: 
2000:             The amount of uncompressed traffic can be calculated by
2001:             subtracting the value of this object from the value of
2002:             ipsecSaIpcompOutOutputOctets."
2003:         ::= { ipsecSaIpcompOutEntry 19 }
2004: 
2005: 
2006:     --
2007:     -- optional tables for monitoring network performance via statistics
2008:     -- on the anti-replay counter mechanisms in incoming ESP and AH SAs.
2009:     --
2010: 
2011:     --
2012:     -- ESP table
2013:     --
2014: 
2015:     ipsecSaEspReplayTable OBJECT-TYPE
2016:         SYNTAX      SEQUENCE OF IpsecSaEspReplayEntry
2017:         MAX-ACCESS  not-accessible
2018:         STATUS      current
2019:         DESCRIPTION
2020:             "The (conceptual) table containing information on the replay
2021:             counter events on IPsec inbound ESP SAs.
2022: 
2023:             There should be one row in this table for every inbound ESP
2024:             security association where ipsecSaEspInRepWinSize is non-
2025:             zero in ipsecSaEspInTable. The maximum number of rows is
2026:             implementation dependent.
2027: 
2028:             If any variable in this table is non-zero, it indicates that
2029:             the underlying IP network is reordering, losing, or
2030:             duplicating packets.  While these are perfectly legal things
2031:             for it to do, they can and will affect the performance of
2032:             this security association."
2033:         ::= { saTables 8 }
2034: 
2035:     ipsecSaEspReplayEntry OBJECT-TYPE
2036:         SYNTAX      IpsecSaEspReplayEntry
2037:         MAX-ACCESS  not-accessible
2038:         STATUS      current
2039:         DESCRIPTION
2040:             "An entry (conceptual row) containing the information on the
2041:             replay counter events in a particular IPsec inbound ESP SA.
2042: 
2043:             A row in this table cannot be created or deleted by SNMP
2044:             operations on columns of the table."
2045:         INDEX   {
2046:                 ipsecSaEspInAddressType,
2047:                 ipsecSaEspInAddress,
2048:                 ipsecSaEspInSpi
2049:                 }
2050:         ::= { ipsecSaEspReplayTable 1 }
2051: 
2052:     IpsecSaEspReplayEntry::= SEQUENCE {
2053: 
2054:     -- event counters
2055:     ipsecSaEspReplaysBeyondWindow   Counter32,
2056:     ipsecSaEspReplaysOutOfOrder     Counter32,
2057: 
2058:     -- error counters
2059:     ipsecSaEspReplaysBeforeWindow   Counter32,
2060:     ipsecSaEspReplaysDuplicate      Counter32,
2061:     ipsecSaEspReplaysZero           Counter32
2062:     }
2063: 
2064:     ipsecSaEspReplaysBeyondWindow OBJECT-TYPE
2065:         SYNTAX      Counter32
2066:         UNITS       "packets"
2067:         MAX-ACCESS  read-only
2068:         STATUS      current
2069:         DESCRIPTION
2070:             "The number of packets received on this SA where the anti-
2071:             replay value in the packet was greater than the previous
2072:             highest received anti-replay value by the replay window size
2073:             or greater.
2074: 
2075:             This may be caused by either significant packet losses by
2076:             the IP network, or by major reordering of packets."
2077:         REFERENCE   "RFC 2401 Appendix C: /* This packet has a 'way
2078:             larger' */ "
2079:         ::= { ipsecSaEspReplayEntry 1 }
2080: 
2081:     ipsecSaEspReplaysOutOfOrder OBJECT-TYPE
2082:         SYNTAX      Counter32
2083:         UNITS       "packets"
2084:         MAX-ACCESS  read-only
2085:         STATUS      current
2086:         DESCRIPTION
2087:             "The number of packets received on this SA where the anti-
2088:             replay value in the packet was less than the highest
2089:             received value, but was within the replay window.
2090: 
2091:             This may be caused by packet reordering by the IP network."
2092:         REFERENCE   "RFC 2401 Appendix C: /* out of order but good */ "
2093:         ::= { ipsecSaEspReplayEntry 2 }
2094: 
2095:     ipsecSaEspReplaysBeforeWindow OBJECT-TYPE
2096:         SYNTAX      Counter32
2097:         UNITS       "packets"
2098:         MAX-ACCESS  read-only
2099:         STATUS      current
2100:         DESCRIPTION
2101:             "The number of packets received on this SA where the anti-
2102:             replay value in the packet was less than the previous
2103:             highest received anti-replay value by at least the replay
2104:             window size.
2105: 
2106:             This may be caused by significant packet reordering by the
2107:             IP network, very delayed packet duplication, or by a replay
2108:             attack.
2109: 
2110:             The object ipsecSaEspInReplayErrors (of same INDEX) will be
2111:             incremented by one each time this object is incremented."
2112:         REFERENCE   "RFC 2401 Appendix C: /* too old or wrapped */ "
2113:         ::= { ipsecSaEspReplayEntry 3 }
2114: 
2115:     ipsecSaEspReplaysDuplicate OBJECT-TYPE
2116:         SYNTAX      Counter32
2117:         UNITS       "packets"
2118:         MAX-ACCESS  read-only
2119:         STATUS      current
2120:         DESCRIPTION
2121:             "The number of packets received on this SA where the anti-
2122:             replay value in the packet was within the replay window
2123:             size, and the same anti-replay value had already been seen.
2124: 
2125:             This may be caused by packet duplication by the IP network,
2126:             or by a replay attack.
2127: 
2128:             The object ipsecSaEspInReplayErrors (of same INDEX) will be
2129:             incremented by one each time this object is incremented."
2130:         REFERENCE   "RFC 2401 Appendix C: /* already seen */ "
2131:         ::= { ipsecSaEspReplayEntry 4 }
2132: 
2133:     ipsecSaEspReplaysZero OBJECT-TYPE
2134:         SYNTAX      Counter32
2135:         UNITS       "packets"
2136:         MAX-ACCESS  read-only
2137:         STATUS      current
2138:         DESCRIPTION
2139:             "The number of packets received on this SA where the anti-
2140:             replay value in the packet is zero.
2141: 
2142:             This may be caused by a programming error at the remote node
2143:             causing it to send an initial anti-replay value of 0, or
2144:             continuing to transmit after the anti-replay counter wraps.
2145: 
2146: 
2147: 
2148:             The object ipsecSaEspInReplayErrors (of same INDEX) will be
2149:             incremented by one each time this object is incremented."
2150:         REFERENCE   "RFC 2401 Appendix C: /* first == 0 or wrapped */ "
2151:         ::= { ipsecSaEspReplayEntry 5 }
2152: 
2153:     --
2154:     -- AH table
2155:     --
2156: 
2157:     ipsecSaAhReplayTable OBJECT-TYPE
2158:         SYNTAX      SEQUENCE OF IpsecSaAhReplayEntry
2159:         MAX-ACCESS  not-accessible
2160:         STATUS      current
2161:         DESCRIPTION
2162:             "The (conceptual) table containing information on the replay
2163:             counter events on IPsec inbound AH SAs.
2164: 
2165:             There should be one row in this table for every inbound AH
2166:             security association where ipsecSaAhInRepWinSize is non-zero
2167:             in ipsecSaAhInTable. The maximum number of rows is
2168:             implementation dependent.
2169: 
2170:             If any variable in this table is non-zero, it indicates that
2171:             the underlying IP network is reordering, losing, or
2172:             duplicating packets.  While these are perfectly legal things
2173:             for it to do, they can and will affect the performance of
2174:             this security association."
2175:         ::= { saTables 9 }
2176: 
2177:     ipsecSaAhReplayEntry OBJECT-TYPE
2178:         SYNTAX      IpsecSaAhReplayEntry
2179:         MAX-ACCESS  not-accessible
2180:         STATUS      current
2181:         DESCRIPTION
2182:             "An entry (conceptual row) containing the information on the
2183:             replay counter events in a particular IPsec inbound AH SA.
2184: 
2185:             A row in this table cannot be created or deleted by SNMP
2186:             operations on columns of the table."
2187:         INDEX   {
2188:                 ipsecSaAhInAddressType,
2189:                 ipsecSaAhInAddress,
2190:                 ipsecSaAhInSpi
2191:                 }
2192:         ::= { ipsecSaAhReplayTable 1 }
2193: 
2194: 
2195: 
2196:     IpsecSaAhReplayEntry::= SEQUENCE {
2197: 
2198:     -- event counters
2199:     ipsecSaAhReplaysBeyondWindow    Counter32,
2200:     ipsecSaAhReplaysOutOfOrder      Counter32,
2201: 
2202:     -- error counters
2203:     ipsecSaAhReplaysBeforeWindow    Counter32,
2204:     ipsecSaAhReplaysDuplicate       Counter32,
2205:     ipsecSaAhReplaysZero            Counter32
2206:     }
2207: 
2208:     ipsecSaAhReplaysBeyondWindow OBJECT-TYPE
2209:         SYNTAX      Counter32
2210:         UNITS       "packets"
2211:         MAX-ACCESS  read-only
2212:         STATUS      current
2213:         DESCRIPTION
2214:             "The number of packets received on this SA where the anti-
2215:             replay value in the packet was greater than the previous
2216:             highest received anti-replay value by the replay window size
2217:             or greater.
2218: 
2219:             This may be caused by either significant packet losses by
2220:             the IP network, or by major reordering of packets."
2221:         REFERENCE   "RFC 2401 Appendix C: /* This packet has a way
2222:             larger */ "
2223:         ::= { ipsecSaAhReplayEntry 1 }
2224: 
2225:     ipsecSaAhReplaysOutOfOrder OBJECT-TYPE
2226:         SYNTAX      Counter32
2227:         UNITS       "packets"
2228:         MAX-ACCESS  read-only
2229:         STATUS      current
2230:         DESCRIPTION
2231:             "The number of packets received on this SA where the anti-
2232:             replay value in the packet was less than the highest
2233:             received value, but was within the replay window.
2234: 
2235:             This may be caused by packet reordering by the IP network."
2236:         REFERENCE   "RFC 2401 Appendix C: /* out of order but good */ "
2237:         ::= { ipsecSaAhReplayEntry 2 }
2238: 
2239:     ipsecSaAhReplaysBeforeWindow OBJECT-TYPE
2240:         SYNTAX      Counter32
2241:         UNITS       "packets"
2242:         MAX-ACCESS  read-only
2243:         STATUS      current
2244:         DESCRIPTION
2245:             "The number of packets received on this SA where the anti-
2246:             replay value in the packet was less than the previous
2247:             highest received anti-replay value by at least the replay
2248:             window size.
2249: 
2250:             This may be caused by significant packet reordering by the
2251:             IP network, very delayed packet duplication, or by a replay
2252:             attack.
2253: 
2254:             The object ipsecSaAhInReplayErrors (of same INDEX) will be
2255:             incremented by one each time this object is incremented."
2256:         REFERENCE   "RFC 2401 Appendix C: /* too old or wrapped */ "
2257:         ::= { ipsecSaAhReplayEntry 3 }
2258: 
2259:     ipsecSaAhReplaysDuplicate OBJECT-TYPE
2260:         SYNTAX      Counter32
2261:         UNITS       "packets"
2262:         MAX-ACCESS  read-only
2263:         STATUS      current
2264:         DESCRIPTION
2265:             "The number of packets received on this SA where the anti-
2266:             replay value in the packet was within the replay window
2267:             size, and the same anti-replay value had already been seen.
2268: 
2269:             This may be caused by packet duplication by the IP network,
2270:             or by a replay attack.
2271: 
2272:             The object ipsecSaAhInReplayErrors (of same INDEX) will be
2273:             incremented by one each time this object is incremented."
2274:         REFERENCE   "RFC 2401 Appendix C: /* already seen */ "
2275:         ::= { ipsecSaAhReplayEntry 4 }
2276: 
2277: 
2278:     ipsecSaAhReplaysZero OBJECT-TYPE
2279:         SYNTAX      Counter32
2280:         UNITS       "packets"
2281:         MAX-ACCESS  read-only
2282:         STATUS      current
2283:         DESCRIPTION
2284:             "The number of packets received on this SA where the anti-
2285:             replay value in the packet is zero.
2286: 
2287:             This may be caused by a programming error at the remote node
2288:             causing it to send an initial anti-replay value of 0, or
2289:             continuing to transmit after the anti-replay counter wraps.
2290: 
2291: 
2292:             The object ipsecSaAhInReplayErrors (of same INDEX) will be
2293:             incremented by one each time this object is incremented."
2294:         REFERENCE   "RFC 2401 Appendix C: /* first == 0 or wrapped */ "
2295:         ::= { ipsecSaAhReplayEntry 5 }
2296: 
2297:     --
2298:     -- entity IPsec statistics
2299:     --
2300: 
2301:     ipsecEspCurrentInboundSAs OBJECT-TYPE
2302:         SYNTAX      Gauge32
2303:         MAX-ACCESS  read-only
2304:         STATUS      current
2305:         DESCRIPTION
2306:             "The current number of inbound ESP SAs in the entity."
2307:         ::= { saStatistics 1 }
2308: 
2309:     ipsecEspTotalInboundSAs OBJECT-TYPE
2310:         SYNTAX      Counter32
2311:         MAX-ACCESS  read-only
2312:         STATUS      current
2313:         DESCRIPTION
2314:             "The total number of inbound ESP SAs created in the entity
2315:             since boot time."
2316:         ::= { saStatistics 2 }
2317: 
2318:     ipsecEspCurrentOutboundSAs OBJECT-TYPE
2319:         SYNTAX      Gauge32
2320:         MAX-ACCESS  read-only
2321:         STATUS      current
2322:         DESCRIPTION
2323:             "The current number of outbound ESP SAs in the entity."
2324:         ::= { saStatistics 3 }
2325: 
2326:     ipsecEspTotalOutboundSAs OBJECT-TYPE
2327:         SYNTAX      Counter32
2328:         MAX-ACCESS  read-only
2329:         STATUS      current
2330:         DESCRIPTION
2331:             "The total number of outbound ESP SAs created in the entity
2332:             since boot time."
2333:         ::= { saStatistics 4 }
2334: 
2335:     ipsecAhCurrentInboundSAs OBJECT-TYPE
2336:         SYNTAX      Gauge32
2337:         MAX-ACCESS  read-only
2338:         STATUS      current
2339: 
2340:         DESCRIPTION
2341:             "The current number of inbound AH SAs in the entity."
2342:         ::= { saStatistics 5 }
2343: 
2344:     ipsecAhTotalInboundSAs OBJECT-TYPE
2345:         SYNTAX      Counter32
2346:         MAX-ACCESS  read-only
2347:         STATUS      current
2348:         DESCRIPTION
2349:             "The total number of inbound AH SAs created in the entity
2350:             since boot time."
2351:         ::= { saStatistics 6 }
2352: 
2353:     ipsecAhCurrentOutboundSAs OBJECT-TYPE
2354:         SYNTAX      Gauge32
2355:         MAX-ACCESS  read-only
2356:         STATUS      current
2357:         DESCRIPTION
2358:             "The current number of outbound AH SAs in the entity."
2359:         ::= { saStatistics 7 }
2360: 
2361:     ipsecAhTotalOutboundSAs OBJECT-TYPE
2362:         SYNTAX      Counter32
2363:         MAX-ACCESS  read-only
2364:         STATUS      current
2365:         DESCRIPTION
2366:             "The total number of outbound AH SAs created in the entity
2367:             since boot time."
2368:         ::= { saStatistics 8 }
2369: 
2370:     ipsecIpcompCurrentInboundSAs OBJECT-TYPE
2371:         SYNTAX      Gauge32
2372:         MAX-ACCESS  read-only
2373:         STATUS      current
2374:         DESCRIPTION
2375:             "The current number of inbound IPcomp SAs in the entity."
2376:         ::= { saStatistics 9 }
2377: 
2378:     ipsecIpcompTotalInboundSAs OBJECT-TYPE
2379:         SYNTAX      Counter32
2380:         MAX-ACCESS  read-only
2381:         STATUS      current
2382:         DESCRIPTION
2383:             "The total number of inbound IPcomp SAs created in the
2384:             entity since boot time."
2385:         ::= { saStatistics 10 }
2386: 
2387: 
2388:     ipsecIpcompCurrentOutboundSAs OBJECT-TYPE
2389:         SYNTAX      Gauge32
2390:         MAX-ACCESS  read-only
2391:         STATUS      current
2392:         DESCRIPTION
2393:             "The current number of outbound IPcomp SAs in the entity."
2394:         ::= { saStatistics 11 }
2395: 
2396:     ipsecIpcompTotalOutboundSAs OBJECT-TYPE
2397:         SYNTAX      Counter32
2398:         MAX-ACCESS  read-only
2399:         STATUS      current
2400:         DESCRIPTION
2401:             "The total number of outbound IPcomp SAs created in the
2402:             entity since boot time."
2403:         ::= { saStatistics 12 }
2404: 
2405: 
2406:     --
2407:     -- IPsec error counts
2408:     --
2409: 
2410:     ipsecDecryptionErrors OBJECT-TYPE
2411:         SYNTAX      Counter32
2412:         UNITS       "packets"
2413:         MAX-ACCESS  read-only
2414:         STATUS      current
2415:         DESCRIPTION
2416:             "The total number of packets received by the entity in SAs
2417:             since boot time with detectable decryption errors. Not all
2418:             decryption errors are detectable within SA processing, so
2419:             this count should not be considered definitive."
2420:         ::= { saErrors 1 }
2421: 
2422:     ipsecAuthenticationErrors OBJECT-TYPE
2423:         SYNTAX      Counter32
2424:         UNITS       "packets"
2425:         MAX-ACCESS  read-only
2426:         STATUS      current
2427:         DESCRIPTION
2428:             "The total number of packets received by the entity in SAs
2429:             since boot time with authentication errors.
2430: 
2431:             This includes all packets in which the hash value is
2432:             determined to be invalid, for both ESP and AH SAs."
2433:         ::= { saErrors 2 }
2434: 
2435: 
2436:     ipsecReplayErrors OBJECT-TYPE
2437:         SYNTAX      Counter32
2438:         UNITS       "packets"
2439:         MAX-ACCESS  read-only
2440:         STATUS      current
2441:         DESCRIPTION
2442:             "The total number of packets received by the entity in SAs
2443:             since boot time with replay errors."
2444:         ::= { saErrors 3 }
2445: 
2446:     ipsecPolicyErrors OBJECT-TYPE
2447:         SYNTAX      Counter32
2448:         UNITS       "packets"
2449:         MAX-ACCESS  read-only
2450:         STATUS      current
2451:         DESCRIPTION
2452:             "The total number of packets received by the entity in SAs
2453:             since boot time and discarded due to policy errors. This
2454:             includes packets that had selectors that were invalid for
2455:             the SA that carried them, and also includes packets that
2456:             arrived at the entity in the clear and that should have been
2457:             protected by IPsec or should have been dropped."
2458:         ::= { saErrors 4 }
2459: 
2460:     ipsecOtherReceiveErrors OBJECT-TYPE
2461:         SYNTAX      Counter32
2462:         UNITS       "packets"
2463:         MAX-ACCESS  read-only
2464:         STATUS      current
2465:         DESCRIPTION
2466:             "The total number of packets received by the entity in SAs
2467:             since boot time and discarded due to errors not due to
2468:             decryption, authentication, replay or policy."
2469:         ::= { saErrors 5 }
2470: 
2471:     ipsecSendErrors OBJECT-TYPE
2472:         SYNTAX      Counter32
2473:         UNITS       "packets"
2474:         MAX-ACCESS  read-only
2475:         STATUS      current
2476:         DESCRIPTION
2477:             "The total number of packets to be sent by the entity in SAs
2478:             since boot time and discarded due to errors."
2479:         ::= { saErrors 6 }
2480: 
2481:     ipsecUnknownSpiErrors OBJECT-TYPE
2482:         SYNTAX      Counter32
2483:         UNITS       "packets"
2484:         MAX-ACCESS  read-only
2485:         STATUS      current
2486:         DESCRIPTION
2487:             "The total number of packets received by the entity since
2488:             boot time with SPIs or CPIs that were not valid."
2489:         ::= { saErrors 7 }
2490: 
2491: 
2492:     --
2493:     -- traps
2494:     --
2495: 
2496:     --
2497:     -- some objects used in trap reporting
2498:     --
2499: 
2500:     ipsecSecurityProtocol OBJECT-TYPE
2501:         SYNTAX      IpsecDoiSecProtocolId
2502:         MAX-ACCESS  accessible-for-notify
2503:         STATUS      current
2504:         DESCRIPTION
2505:             "A security protocol associated with the trap."
2506:         ::= { saTrapObjects 1 }
2507: 
2508:     ipsecSPI OBJECT-TYPE
2509:         SYNTAX      Unsigned32
2510:         MAX-ACCESS  accessible-for-notify
2511:         STATUS      current
2512:         DESCRIPTION
2513:             "An SPI associated with a trap. Where the security protocol
2514:             associated with the trap is IPcomp, this value has a maximum
2515:             of 65535."
2516:         ::= { saTrapObjects 2 }
2517: 
2518:     ipsecLocalAddressType OBJECT-TYPE
2519:         SYNTAX      InetAddressType
2520:         MAX-ACCESS  accessible-for-notify
2521:         STATUS      current
2522:         DESCRIPTION
2523:             "The type of a local IP address associated with a trap."
2524:         ::= { saTrapObjects 3 }
2525: 
2526:     ipsecLocalAddress OBJECT-TYPE
2527:         SYNTAX      InetAddress (SIZE (4|16|20))
2528:         MAX-ACCESS  accessible-for-notify
2529:         STATUS      current
2530: 
2531: 
2532:         DESCRIPTION
2533:             "A local IP address associated with a trap."
2534:         ::= { saTrapObjects 4 }
2535: 
2536:     ipsecPeerAddressType OBJECT-TYPE
2537:         SYNTAX      InetAddressType
2538:         MAX-ACCESS  accessible-for-notify
2539:         STATUS      current
2540:         DESCRIPTION
2541:             "The type of a peer IP address associated with a trap."
2542:         ::= { saTrapObjects 5 }
2543: 
2544:     ipsecPeerAddress OBJECT-TYPE
2545:         SYNTAX      InetAddress (SIZE (4|16|20))
2546:         MAX-ACCESS  accessible-for-notify
2547:         STATUS      current
2548:         DESCRIPTION
2549:             "A peer IP address associated with a trap."
2550:         ::= { saTrapObjects 6 }
2551: 
2552:     --
2553:     -- trap control
2554:     --
2555: 
2556:     espAuthFailureTrapEnable OBJECT-TYPE
2557:         SYNTAX      TruthValue
2558:         MAX-ACCESS  read-write
2559:         STATUS      current
2560:         DESCRIPTION
2561:             "Indicates whether espAuthFailureTrap traps should be
2562:             generated."
2563:         DEFVAL { false }
2564:         ::= { saTrapControl 1 }
2565: 
2566:     ahAuthFailureTrapEnable OBJECT-TYPE
2567:         SYNTAX      TruthValue
2568:         MAX-ACCESS  read-write
2569:         STATUS      current
2570:         DESCRIPTION
2571:             "Indicates whether ahAuthFailureTrap traps should be
2572:             generated."
2573:         DEFVAL { false }
2574:         ::= { saTrapControl 2 }
2575: 
2576:     espReplayFailureTrapEnable OBJECT-TYPE
2577:         SYNTAX      TruthValue
2578:         MAX-ACCESS  read-write
2579:         STATUS      current
2580:         DESCRIPTION
2581:             "Indicates whether espReplayFailureTrap traps should be
2582:             generated."
2583:         DEFVAL { false }
2584:         ::= { saTrapControl 3 }
2585: 
2586:     ahReplayFailureTrapEnable OBJECT-TYPE
2587:         SYNTAX      TruthValue
2588:         MAX-ACCESS  read-write
2589:         STATUS      current
2590:         DESCRIPTION
2591:             "Indicates whether ahReplayFailureTrap traps should be
2592:             generated."
2593:         DEFVAL { false }
2594:         ::= { saTrapControl 4 }
2595: 
2596:     espPolicyFailureTrapEnable OBJECT-TYPE
2597:         SYNTAX      TruthValue
2598:         MAX-ACCESS  read-write
2599:         STATUS      current
2600:         DESCRIPTION
2601:             "Indicates whether espPolicyFailureTrap traps should be
2602:             generated."
2603:         DEFVAL { false }
2604:         ::= { saTrapControl 5 }
2605: 
2606:     ahPolicyFailureTrapEnable OBJECT-TYPE
2607:         SYNTAX      TruthValue
2608:         MAX-ACCESS  read-write
2609:         STATUS      current
2610:         DESCRIPTION
2611:             "Indicates whether ahPolicyFailureTrap traps should be
2612:             generated."
2613:         DEFVAL { false }
2614:         ::= { saTrapControl 6 }
2615: 
2616:     invalidSpiTrapEnable OBJECT-TYPE
2617:         SYNTAX      TruthValue
2618:         MAX-ACCESS  read-write
2619:         STATUS      current
2620:         DESCRIPTION
2621:             "Indicates whether invalidSpiTrap traps should be
2622:             generated."
2623:         DEFVAL { false }
2624:         ::= { saTrapControl 7 }
2625: 
2626:     otherPolicyFailureTrapEnable OBJECT-TYPE
2627:         SYNTAX      TruthValue
2628:         MAX-ACCESS  read-write
2629:         STATUS      current
2630:         DESCRIPTION
2631:             "Indicates whether otherPolicyFailureTrap traps should be
2632:             generated."
2633:         DEFVAL { false }
2634:         ::= { saTrapControl 8 }
2635: 
2636:     --
2637:     -- the traps themselves
2638:     --
2639: 
2640:     espAuthFailureTrap NOTIFICATION-TYPE
2641:         OBJECTS {
2642:             ipsecSaEspInAuthErrors
2643:         }
2644:         STATUS      current
2645:         DESCRIPTION
2646:             "IPsec packets with invalid hashes were found in an inbound
2647:             ESP SA. The total number of authentication errors
2648:             accumulated is sent for the specific row of the
2649:             ipsecSaEspInTable table for the SA; this provides the
2650:             identity of the SA in which the error occurred.
2651: 
2652:             Implementations SHOULD send one trap per SA (within a
2653:             reasonable time period), rather than sending one trap per
2654:             packet."
2655:         ::= { saTraps 0 1 }
2655: warning - warning: implicit node definition
2656: 
2657:     ahAuthFailureTrap NOTIFICATION-TYPE
2658:         OBJECTS {
2659:             ipsecSaAhInAuthErrors
2660:         }
2661:         STATUS      current
2662:         DESCRIPTION
2663:             "IPsec packets with invalid hashes were found in an inbound
2664:             AH SA. The total number of authentication errors accumulated
2665:             is sent for the specific row of the ipsecSaAhInTable table
2666:             for the SA; this provides the identity of the SA in which
2667:             the error occurred.
2668: 
2669:             Implementations SHOULD send one trap per SA (within a
2670:             reasonable time period), rather than sending one trap per
2671:             packet."
2672:         ::= { saTraps 0 2 }
2673: 
2674:     espReplayFailureTrap NOTIFICATION-TYPE
2675:         OBJECTS {
2676:             ipsecSaEspInReplayErrors
2677:         }
2678:         STATUS      current
2679:         DESCRIPTION
2680:             "IPsec packets with invalid sequence numbers were found in
2681:             an inbound ESP SA. The total number of replay errors
2682:             accumulated is sent for the specific row of the
2683:             ipsecSaEspInTable table for the SA; this provides the
2684:             identity of the SA in which the error occurred.
2685: 
2686:             Implementations SHOULD send one trap per SA (within a
2687:             reasonable time period), rather than sending one trap per
2688:             packet."
2689:         ::= { saTraps 0 3 }
2690: 
2691:     ahReplayFailureTrap NOTIFICATION-TYPE
2692:         OBJECTS {
2693:             ipsecSaAhInReplayErrors
2694:         }
2695:         STATUS      current
2696:         DESCRIPTION
2697:             "IPsec packets with invalid sequence numbers were found in
2698:             the specified AH SA. The total number of replay errors
2699:             accumulated is sent for the specific row of the
2700:             ipsecSaAhInTable table for the SA; this provides the
2701:             identity of the SA in which the error occurred.
2702: 
2703:             Implementations SHOULD send one trap per SA (within a
2704:             reasonable time period), rather than sending one trap per
2705:             packet."
2706:         ::= { saTraps 0 4 }
2707: 
2708:     espPolicyFailureTrap NOTIFICATION-TYPE
2709:         OBJECTS {
2710:             ipsecSaEspInPolicyErrors
2711:         }
2712:         STATUS      current
2713:         DESCRIPTION
2714:             "IPsec packets carrying packets with invalid selectors for
2715:             the specified ESP SA were found. The total number of policy
2716:             errors accumulated is sent for the specific row of the
2717:             ipsecSaEspInTable table for the SA; this provides the
2718:             identity of the SA in which the error occurred.
2719: 
2720:             Implementations SHOULD send one trap per SA (within a
2721:             reasonable time period), rather than sending one trap per
2722:             packet."
2723:         ::= { saTraps 0 5 }
2724: 
2725:     ahPolicyFailureTrap NOTIFICATION-TYPE
2726:         OBJECTS {
2727:             ipsecSaAhInPolicyErrors
2728:         }
2729:         STATUS      current
2730:         DESCRIPTION
2731:             "IPsec packets carrying packets with invalid selectors for
2732:             the specified AH SA were found. The total number of policy
2733:             errors accumulated is sent for the specific row of the
2734:             ipsecSaAhInTable table for the SA; this provides the
2735:             identity of the SA in which the error occurred.
2736: 
2737:             Implementations SHOULD send one trap per SA (within a
2738:             reasonable time period), rather than sending one trap per
2739:             packet."
2740:         ::= { saTraps 0 6 }
2741: 
2742:     espInvalidSpiTrap NOTIFICATION-TYPE
2743:         OBJECTS {
2744:             ipsecLocalAddress,
2745:             ipsecSecurityProtocol,
2746:             ipsecPeerAddress,
2747:             ipsecSPI,
2748:             ifIndex
2749:         }
2750:         STATUS      current
2751:         DESCRIPTION
2752:             "A packet with an unknown SPI was detected from the
2753:             specified peer with the specified SPI using the specified
2754:             protocol. The destination address of the received packet is
2755:             specified by ipsecLocalAddress.
2756: 
2757:             The value ifIndex may be 0 if this optional linkage is
2758:             unsupported.
2759: 
2760:             If the object ipsecSecurityProtocol has the value for
2761:             IPcomp, then the ipsecSPI object is the CPI of the packet.
2762: 
2763:             Implementations SHOULD send one trap per peer (within a
2764:             reasonable time period), rather than sending one trap per
2765:             packet."
2766:         ::= { saTraps 0 7 }
2767: 
2768:     otherPolicyFailureTrap NOTIFICATION-TYPE
2769:         OBJECTS {
2770:             ipsecPolicyErrors,
2771:             ipsecPeerAddress,
2772:             ipsecLocalAddress
2773:         }
2774:         STATUS      current
2775:         DESCRIPTION
2776:             "Clear packets were found that should not have been sent to
2777:             the entity in the clear. The total number of policy errors
2778:             accumulated by the entity is sent, along with the source and
2779:             destination addresses of the packet that triggered the trap.
2780: 
2781:             Implementations SHOULD send one trap per source address pair
2782:             (within a reasonable time period), rather than sending one
2783:             trap per packet."
2784:         ::= { saTraps 0 8 }
2785: 
2786:     --
2787:     -- Units of Conformance (Object Groups)
2788:     --
2789: 
2790:     --
2791:     -- Authors' note: Index objects are commented out, since the current
2792:     -- SMI does not allow objects with a MAX-ACCESS clause of
2793:     -- 'not-accessible' to be put in groups.
2794:     --
2795: 
2796:     selectorGroup OBJECT-GROUP
2797:      OBJECTS
2798:         {
2799:             -- selectorIndex,
2800:             selectorLocalId, selectorLocalIdType, selectorRemoteId,
2801:             selectorRemoteIdType, selectorProtocol, selectorLocalPort,
2802:             selectorRemotePort
2803:         }
2804:         STATUS  current
2805:         DESCRIPTION
2806:             "A collection of objects that describe IKE phase 2
2807:             selectors."
2808:         ::= { saGroups 1 }
2809: 
2810:     ipsecSaEspGroup OBJECT-GROUP
2811:         OBJECTS     {
2812:             -- ipsecSaEspInAddressType, ipsecSaEspInAddress,
2813:             -- ipsecSaEspInSpi,
2814:             ipsecSaEspInSelector, ipsecSaEspInCreator,
2815:             ipsecSaEspInEncapsulation, ipsecSaEspInEncAlg,
2816:             ipsecSaEspInEncKeyLength, ipsecSaEspInAuthAlg,
2817:             ipsecSaEspInAuthKeyLength, ipsecSaEspInRepWinSize,
2818:             ipsecSaEspInLimitSeconds, ipsecSaEspInLimitKbytes,
2819:             ipsecSaEspInAccSeconds, ipsecSaEspInAccKbytes,
2820:             ipsecSaEspInUserOctets, ipsecSaEspInPackets,
2821:             ipsecSaEspInDecryptErrors, ipsecSaEspInAuthErrors,
2822:             ipsecSaEspInReplayErrors, ipsecSaEspInPolicyErrors,
2823:             ipsecSaEspInPadErrors, ipsecSaEspInOtherReceiveErrors,
2824:             -- ipsecSaEspOutAddressType, ipsecSaEspOutAddress,
2825:             -- ipsecSaEspOutSpi,
2826:             ipsecSaEspOutSelector, ipsecSaEspOutCreator,
2827:             ipsecSaEspOutEncapsulation, ipsecSaEspOutEncAlg,
2828:             ipsecSaEspOutAuthKeyLength, ipsecSaEspOutEncKeyLength,
2829:             ipsecSaEspOutAuthAlg, ipsecSaEspOutLimitSeconds,
2830:             ipsecSaEspOutLimitKbytes, ipsecSaEspOutAccSeconds,
2831:             ipsecSaEspOutAccKbytes, ipsecSaEspOutUserOctets,
2832:             ipsecSaEspOutPackets, ipsecSaEspOutSendErrors,
2833:             ipsecEspCurrentInboundSAs, ipsecEspTotalInboundSAs,
2834:             ipsecEspCurrentOutboundSAs, ipsecEspTotalOutboundSAs
2835:         }
2836:         STATUS      current
2837:         DESCRIPTION
2838:             "A collection of objects that describe the state of the
2839:             security associations of the ESP protocol."
2840:         ::= { saGroups 2 }
2841: 
2842:     ipsecSaAhGroup OBJECT-GROUP
2843:         OBJECTS     {
2844:             -- ipsecSaAhInAddressType, ipsecSaAhInAddress,
2845:             -- ipsecSaAhInSpi,
2846:             ipsecSaAhInSelector, ipsecSaAhInCreator,
2847:             ipsecSaAhInEncapsulation, ipsecSaAhInAuthAlg,
2848:             ipsecSaAhInAuthKeyLength, ipsecSaAhInRepWinSize,
2849:             ipsecSaAhInLimitSeconds, ipsecSaAhInLimitKbytes,
2850:             ipsecSaAhInAccSeconds, ipsecSaAhInAccKbytes,
2851:             ipsecSaAhInUserOctets, ipsecSaAhInPackets,
2852:             ipsecSaAhInAuthErrors, ipsecSaAhInReplayErrors,
2853:             ipsecSaAhInPolicyErrors, ipsecSaAhInOtherReceiveErrors,
2854:             -- ipsecSaAhOutAddressType, ipsecSaAhOutAddress,
2855:             -- ipsecSaAhOutSpi,
2856:             ipsecSaAhOutSelector, ipsecSaAhOutCreator,
2857:             ipsecSaAhOutEncapsulation, ipsecSaAhOutAuthAlg,
2858:             ipsecSaAhOutAuthKeyLength, ipsecSaAhOutLimitSeconds,
2859:             ipsecSaAhOutLimitKbytes, ipsecSaAhOutAccSeconds,
2860:             ipsecSaAhOutAccKbytes, ipsecSaAhOutUserOctets,
2861:             ipsecSaAhOutPackets, ipsecSaAhOutSendErrors,
2862:             ipsecAhCurrentInboundSAs, ipsecAhTotalInboundSAs,
2863:             ipsecAhCurrentOutboundSAs, ipsecAhTotalOutboundSAs
2864:         }
2865:         STATUS      current
2866: 
2867: 
2868:         DESCRIPTION
2869:             "A collection of objects that describe the state of the
2870:             security associations of the AH protocol."
2871:         ::= { saGroups 3 }
2872: 
2873:     ipsecSaIpcompGroup OBJECT-GROUP
2874:         OBJECTS     {
2875:             -- ipsecSaIpcompInAddressType, ipsecSaIpcompInAddress,
2876:             -- ipsecSaIpcompInCpi,
2877:             ipsecSaIpcompInSelector, ipsecSaIpcompInCreator,
2878:             ipsecSaIpcompInEncapsulation, ipsecSaIpcompInDecompAlg,
2879:             ipsecSaIpcompInSeconds, ipsecSaIpcompInInputOctets,
2880:             ipsecSaIpcompInUserOctets, ipsecSaIpcompInUserPackets,
2881:             ipsecSaIpcompInCompressedPackets,
2882:             ipsecSaIpcompInCompressedOctets,
2883:             ipsecSaIpcompInDecompErrors,
2884:             ipsecSaIpcompInOtherReceiveErrors,
2885:             -- ipsecSaIpcompOutAddressType, ipsecSaIpcompOutAddress,
2886:             -- ipsecSaIpcompOutCpi,
2887:             ipsecSaIpcompOutSelector, ipsecSaIpcompOutCreator,
2888:             ipsecSaIpcompOutEncapsulation, ipsecSaIpcompOutCompAlg,
2889:             ipsecSaIpcompOutSeconds, ipsecSaIpcompOutUserOctets,
2890:             ipsecSaIpcompOutOutputOctets, ipsecSaIpcompOutUserPackets,
2891:             ipsecSaIpcompOutCompressedPackets,
2892:             ipsecSaIpcompOutCompressedOctets,
2893:             ipsecIpcompCurrentInboundSAs, ipsecIpcompTotalInboundSAs,
2894:             ipsecIpcompCurrentOutboundSAs, ipsecIpcompTotalOutboundSAs
2895:         }
2896:         STATUS      current
2897:         DESCRIPTION
2898:             "A collection of objects that describe the state of the
2899:             security associations of the IPcomp protocol."
2900:         ::= { saGroups 4 }
2901: 
2902:     ipsecSaErrorsGroup OBJECT-GROUP
2903:         OBJECTS     {
2904:             ipsecDecryptionErrors, ipsecAuthenticationErrors,
2905:             ipsecReplayErrors, ipsecPolicyErrors,
2906:             ipsecOtherReceiveErrors, ipsecUnknownSpiErrors,
2907:             ipsecSendErrors
2908:         }
2909:         STATUS      current
2910:         DESCRIPTION
2911:             "A collection of objects providing global IPsec error
2912:             counters."
2913:         ::= { saGroups 5 }
2914: 
2915: 
2916:     ipsecSaFailureTrapEnableGroup OBJECT-GROUP
2917:         OBJECTS     {
2918:             espAuthFailureTrapEnable, ahAuthFailureTrapEnable,
2919:             espReplayFailureTrapEnable, ahReplayFailureTrapEnable,
2920:             espPolicyFailureTrapEnable, ahPolicyFailureTrapEnable,
2921:             invalidSpiTrapEnable, otherPolicyFailureTrapEnable
2922:         }
2923:         STATUS      current
2924:         DESCRIPTION
2925:             "A collection of objects providing control over trap
2926:             generation."
2927:         ::= { saGroups 6 }
2928: 
2929:     ipsecSaTrapArgumentGroup OBJECT-GROUP
2930:         OBJECTS     {
2931:             ipsecSecurityProtocol, ipsecSPI, ipsecLocalAddressType,
2932:             ipsecLocalAddress, ipsecPeerAddressType, ipsecPeerAddress
2933:         }
2934:         STATUS      current
2935:         DESCRIPTION
2936:             "A collection of objects used only as arguments in traps."
2937:         ::= { saGroups 7 }
2938: 
2939:     ipsecSaEspReplayGroup OBJECT-GROUP
2940:         OBJECTS     {
2941:             ipsecSaEspReplaysBeyondWindow, ipsecSaEspReplaysOutOfOrder,
2942:             ipsecSaEspReplaysBeforeWindow, ipsecSaEspReplaysDuplicate,
2943:             ipsecSaEspReplaysZero
2944:         }
2945:         STATUS      current
2946:         DESCRIPTION
2947:             "A collection of objects used to monitor anti-replay events
2948:             on inbound ESP SAs."
2949:         ::= { saGroups 8 }
2950: 
2951:     ipsecSaAhReplayGroup OBJECT-GROUP
2952:         OBJECTS     {
2953:             ipsecSaAhReplaysBeyondWindow, ipsecSaAhReplaysOutOfOrder,
2954:             ipsecSaAhReplaysBeforeWindow, ipsecSaAhReplaysDuplicate,
2955:             ipsecSaAhReplaysZero
2956:         }
2957:         STATUS      current
2958:         DESCRIPTION
2959:             "A collection of objects used to monitor anti-replay events
2960:             on inbound AH SAs."
2961:         ::= { saGroups 9 }
2962: 
2963: 
2964:     ipsecSaFailureTrapGroup NOTIFICATION-GROUP
2965:         NOTIFICATIONS {
2966:             espAuthFailureTrap, ahAuthFailureTrap, espReplayFailureTrap,
2967:             ahReplayFailureTrap, espPolicyFailureTrap,
2968:             ahPolicyFailureTrap, espInvalidSpiTrap,
2969:             otherPolicyFailureTrap
2970:         }
2971:         STATUS      current
2972:         DESCRIPTION
2973:             "A collection of traps."
2974:         ::= { saGroups 10 }
2975: 
2976: 
2977:     --
2978:     -- Compliance statements
2979:     --
2980: 
2981:     ipsecSaMonitorCompliance MODULE-COMPLIANCE
2982:         STATUS      current
2983:         DESCRIPTION
2984:             "The compliance statement for SNMPv2 entities which
2985:            implement the IPsec Monitoring MIB."
2986:         MODULE      -- this module
2987:             MANDATORY-GROUPS {
2988:                 selectorGroup, ipsecSaEspGroup, ipsecSaAhGroup,
2989:                 ipsecSaErrorsGroup, ipsecSaFailureTrapEnableGroup,
2990:                 ipsecSaTrapArgumentGroup, ipsecSaFailureTrapGroup
2991:             }
2992: 
2993: 
2994:         -- Anti-replay monitoring tables are optional
2995: 
2996:             GROUP ipsecSaEspReplayGroup
2997:             DESCRIPTION
2998:                     "This group is optional, to be implemented on those
2999:                     systems which want to provide detailed counters for
3000:                     specific unusual and error events in the anti-replay
3001:                     monitoring function for ESP SAs."
3002: 
3003:             GROUP ipsecSaAhReplayGroup
3004:             DESCRIPTION
3005:                     "This group is optional, to be implemented on those
3006:                     systems which want to provide detailed counters for
3007:                     specific unusual and error events in the anti-replay
3008:                     monitoring function for AH SAs."
3009: 
3010: 
3011: 
3012:             GROUP ipsecSaIpcompGroup
3013:                 DESCRIPTION
3014:                     "This group is mandatory only for those systems that
3015:                     implement the IPcomp protocol as a part of the IPsec
3016:                     suite."
3017: 
3018:         -- DNS names support is not required
3019: 
3020:         -- Authors' note: The following statements are commented out,
3021:         -- since the current SMI does not allow objects with a
3022:         -- MAX-ACCESS clause of not-accessible to be put in groups,
3023:         -- and objects that are not in groups cannot be in
3024:         -- compliance statements.
3025: 
3026:     --      OBJECT  ipsecSaEspInAddressType
3027:     --          SYNTAX INTEGER { ipv4(1), ipv6(2) }
3028:     --          DESCRIPTION
3029:     --              "An implementation is only required to support IPv4
3030:     --               and IPv6 addresses."
3031: 
3032:     --      OBJECT  ipsecSaAhInAddressType
3033:     --          SYNTAX INTEGER { ipv4(1), ipv6(2) }
3034:     --          DESCRIPTION
3035:     --              "An implementation is only required to support IPv4
3036:     --               and IPv6 addresses."
3037: 
3038:     --      OBJECT  ipsecSaIpcompInAddressType
3039:     --          SYNTAX INTEGER { unknown(0), ipv4(1), ipv6(2) }
3040:     --          DESCRIPTION
3041:     --             "An implementation is only required to support IPv4
3042:     --              and IPv6 addresses. Also, if it supports IPcomp SAs,
3043:     --              it must be able to support an unknown address type
3044:     --              for IPcomp SAs that may be shared across security
3045:     --              association suites."
3046: 
3047:     --      OBJECT  ipsecSaEspOutAddressType
3048:     --          SYNTAX INTEGER { ipv4(1), ipv6(2) }
3049:     --          DESCRIPTION
3050:     --              "An implementation is only required to support IPv4
3051:     --               and IPv6 addresses."
3052: 
3053:     --      OBJECT  ipsecSaAhOutAddressType
3054:     --          SYNTAX INTEGER { ipv4(1), ipv6(2) }
3055:     --          DESCRIPTION
3056:     --              "An implementation is only required to support IPv4
3057:     --               and IPv6 addresses."
3058: 
3059:     --      OBJECT  ipsecSaIpcompOutAddressType
3060:     --          SYNTAX INTEGER { unknown(0), ipv4(1), ipv6(2) }
3061:     --          DESCRIPTION
3062:     --             "An implementation is only required to support IPv4
3063:     --              and IPv6 addresses. Also, if it supports IPcomp SAs,
3064:     --              it must be able to support an unknown address type
3065:     --              for IPcomp SAs that may be shared across security
3066:     --              association suites."
3067: 
3068:     --      OBJECT  ipsecLocalAddressType
3069:     --          SYNTAX INTEGER { ipv4(1), ipv6(2) }
3070:     --          DESCRIPTION
3071:     --              "An implementation is only required to support IPv4
3072:     --               and IPv6 addresses."
3073: 
3074:     --      OBJECT  ipsecPeerAddressType
3075:     --          SYNTAX INTEGER { ipv4(1), ipv6(2) }
3076:     --          DESCRIPTION
3077:     --              "An implementation is only required to support IPv4
3078:     --               and IPv6 addresses."
3079: 
3080:         -- Allow all the trap controls to be read-only
3081: 
3082:             OBJECT espAuthFailureTrapEnable
3083:                 MIN-ACCESS  read-only
3084:                 DESCRIPTION
3085:                     "If an implementation cannot properly secure this
3086:                     variable against unauthorized write access, it
3087:                     SHOULD implement it as read-only, to prevent the
3088:                     security risk of enabling the traps.  Of course,
3089:                     there must be other means of controlling the
3090:                     generation of the associated trap."
3091: 
3092:             OBJECT ahAuthFailureTrapEnable
3093:                 MIN-ACCESS  read-only
3094:                 DESCRIPTION
3095:                     "If an implementation cannot properly secure this
3096:                     variable against unauthorized write access, it
3097:                     SHOULD implement it as read-only, to prevent the
3098:                     security risk of enabling the traps.  Of course,
3099:                     there must be other means of controlling the
3100:                     generation of the associated trap."
3101: 
3102:             OBJECT espReplayFailureTrapEnable
3103:                 MIN-ACCESS  read-only
3104:                 DESCRIPTION
3105:                     "If an implementation cannot properly secure this
3106:                     variable against unauthorized write access, it
3107:                     SHOULD implement it as read-only, to prevent the
3108:                     security risk of enabling the traps.  Of course,
3109:                     there must be other means of controlling the
3110:                     generation of the associated trap."
3111: 
3112:             OBJECT ahReplayFailureTrapEnable
3113:                 MIN-ACCESS  read-only
3114:                 DESCRIPTION
3115:                     "If an implementation cannot properly secure this
3116:                     variable against unauthorized write access, it
3117:                     SHOULD implement it as read-only, to prevent the
3118:                     security risk of enabling the traps.  Of course,
3119:                     there must be other means of controlling the
3120:                     generation of the associated trap."
3121: 
3122:             OBJECT espPolicyFailureTrapEnable
3123:                 MIN-ACCESS  read-only
3124:                 DESCRIPTION
3125:                     "If an implementation cannot properly secure this
3126:                     variable against unauthorized write access, it
3127:                     SHOULD implement it as read-only, to prevent the
3128:                     security risk of enabling the traps.  Of course,
3129:                     there must be other means of controlling the
3130:                     generation of the associated trap."
3131: 
3132:             OBJECT ahPolicyFailureTrapEnable
3133:                 MIN-ACCESS  read-only
3134:                 DESCRIPTION
3135:                     "If an implementation cannot properly secure this
3136:                     variable against unauthorized write access, it
3137:                     SHOULD implement it as read-only, to prevent the
3138:                     security risk of enabling the traps.  Of course,
3139:                     there must be other means of controlling the
3140:                     generation of the associated trap."
3141: 
3142:             OBJECT invalidSpiTrapEnable
3143:                 MIN-ACCESS  read-only
3144:                 DESCRIPTION
3145:                     "If an implementation cannot properly secure this
3146:                     variable against unauthorized write access, it
3147:                     SHOULD implement it as read-only, to prevent the
3148:                     security risk of enabling the traps.  Of course,
3149:                     there must be other means of controlling the
3150:                     generation of the associated trap."
3151: 
3152:             OBJECT otherPolicyFailureTrapEnable
3153:                 MIN-ACCESS  read-only
3154:                 DESCRIPTION
3155: 
3156:                     "If an implementation cannot properly secure this
3157:                     variable against unauthorized write access, it
3158:                     SHOULD implement it as read-only, to prevent the
3159:                     security risk of enabling the traps.  Of course,
3160:                     there must be other means of controlling the
3161:                     generation of the associated trap."
3162: 
3163:         ::= { saConformance 1 }
3164: 
3165: 
3166:     END