CISCO-IKE-FLOW-MIB
This is a MIB module for monitoring the structures and status of IPsec control flows based on Internet Key Exchange protocol. The MIB models standard aspects of the IKE protocol. Synopsis This MIB module models status, performance and failures of the IKEv1- and IKEv2-based signaling in IPsec, FC-SP(and similar) protocols. In practice, the security protocols such as IPsec, FC-SP and CTS use a signaling protocol such as IKE, KINK, or some such. A number of characteristics of these signaling protocols are generic. The generic attributes and status of signaling activity has been modeled in CISCO-IPSEC-SIGNALING-MIB. This MIB module augments CISCO-IPSEC-SIGNALING-MIB with IKE-specific MIB objects. (Signaling protocols are also referred to this document as 'Control Protocols', since they perform session control.) History of the MIB A precursor to this MIB was written by Tivoli and implemented in IBM Nways routers in 1999. That MIB instrumented both IKE(v1) and IPsec in a single module. During late 1999, Cisco adopted the MIB and together with Tivoli published the IPsec Flow Monitor MIB in IETF IPsec WG in draft-ietf-ipsec-flow-monitoring-mib-00.txt. In 2000, the MIB was Cisco-ized and implemented this draft as CISCO-IPSEC-FLOW-MONITOR-MIB in IOS and VPN3000 platforms. With the evolution of IKEv2, the MIB was modified and presented to the IPsec WG again in May 2003 in draft-ietf-ipsec-flow-monitoring-mib-02.txt. This version of the draft is a Cisco-ized version that culls out the IKE-specific aspects of the IPsec Flow Monitor MIB. Overview of MIB The MIB contains five major groups of objects which are used to manage the IKE protocol activity. These groups include the global statistics, IKE tunnel table, IKE History Group and a notification Group. The tunnel table and the history table have a sparse-table relationship with the corresponding tables in the CISCO-IPSEC-SIGNALING-MIB (details in the DESCRIPTION of the respective tables). Acronyms The following acronyms are used in this document: Flow, Tunnel: An ISAKMP SA can be regarded as representing a flow of ISAKMP/IKE traffic. Hence an ISAKMP is referred to as a 'Phase 1 Tunnel' in this document. IPsec: Secure IP Protocol ISAKMP: Internet Security Association and Key Management Protocol IKE: Internet Key Exchange Protocol MM: Main Mode - the process of setting up a Phase 1 SA to secure the exchanges required to setup Phase 2 SAs Phase 2 Tunnel: AN instance of a non-ISAKMP SA bundle in which all the SA share the same proxy identifiers (IDii,IDir) protect the same stream of application traffic. Such an SA bundle is termed a 'Phase 2 Tunnel'. Note that a Phase 2 tunnel may comprise different SA bundles and different number of SA bundles at different times (due to key refresh). QM: Quick Mode - the process of setting up Phase 2 Security Associations using a Phase 1 SA. SA: Security Association (ref: rfc2408). VPN: Virtual Private Network.