This is a MIB module for monitoring the structures
and status of IPsec control flows based on the
Internet Key Exchange (IKE) protocol. The MIB models
standard aspects of the IKE protocol.
Synopsis
This MIB module models status, performance and
failures of the IKEv1- and IKEv2-based signaling in
IPsec, FC-SP (and similar) protocols. In practice,
security protocols such as IPsec, FC-SP and CTS
use a signaling protocol such as IKE, KINK or
a comparable one. A number of characteristics of
these signaling protocols are generic.
The generic attributes and status of signaling
activity have been modeled in
CISCO-IPSEC-SIGNALING-MIB. This MIB module augments
CISCO-IPSEC-SIGNALING-MIB with IKE-specific
MIB objects.
(Signaling protocols are also referred to in this
document as 'Control Protocols', since they perform
session control.)
History of the MIB
A precursor to this MIB was written by Tivoli and
implemented in IBM Nways routers in 1999. That
MIB instrumented both IKE (v1) and IPsec in a
single module. During late 1999, Cisco adopted
the MIB and, together with Tivoli, published the
IPsec Flow Monitor MIB in the IETF IPsec WG as
draft-ietf-ipsec-flow-monitoring-mib-00.txt.
In 2000, the MIB was Cisco-ized and this draft
was implemented as CISCO-IPSEC-FLOW-MONITOR-MIB on
IOS and VPN3000 platforms.
With the evolution of IKEv2, the MIB was modified
and presented to the IPsec WG again in May 2003
as draft-ietf-ipsec-flow-monitoring-mib-02.txt.
This version of the draft is a Cisco-ized version
that culls out the IKE-specific aspects of the
IPsec Flow Monitor MIB.
Overview of MIB
The MIB contains five major groups of objects which
are used to manage the IKE protocol activity. These
groups include the global statistics, the IKE tunnel
table, the IKE history group and a notification group.
The tunnel table and the history table have a
sparse-table relationship with the corresponding
tables in CISCO-IPSEC-SIGNALING-MIB
(details are given in the DESCRIPTION of the
respective tables).
Acronyms
The following acronyms are used in this document:
Flow, Tunnel:
An ISAKMP SA can be regarded as representing
a flow of ISAKMP/IKE traffic. Hence an ISAKMP SA
is referred to as a 'Phase 1 Tunnel' in this
document.
IPsec:
Secure IP Protocol
ISAKMP:
Internet Security Association and Key
Management Protocol
IKE:
Internet Key Exchange Protocol
MM:
Main Mode - the process of setting up
a Phase 1 SA to secure the exchanges
required to set up Phase 2 SAs
Phase 2 Tunnel:
An instance of a non-ISAKMP SA bundle in
which all the SAs share the same proxy
identifiers (IDii, IDir) and protect the same
stream of application traffic.
Such an SA bundle is termed a 'Phase 2 Tunnel'.
Note that a Phase 2 tunnel may comprise
different SA bundles, and a different number of
SA bundles, at different times (due to key
refresh).
QM:
Quick Mode - the process of setting up
Phase 2 Security Associations using a
Phase 1 SA.
SA:
Security Association (ref: RFC 2408).
VPN:
Virtual Private Network.