This MIB Module models status, performance and failures
of a protocol with the generic characteristics of signalling
protocols used with IPsec and FC-SP protocols. Examples
of such protocols include IKE, KINK, etc. This MIB views the
common attributes of such protocols. Signaling protocols are
also referred in this document as 'Control Protocols', since
they perform session control.
This MIB is an attempt to capture the generic aspects
of the signaling activity. The protocol-specific aspects
of a signaling protocol still need to be captured
in a protocol-specific MIB (e.g., CISCO-IKE-FLOW-MIB, etc.).
The following acronyms are used in this document:
IPsec: Secure IP Protocol
VPN: Virtual Private Network
ISAKMP: Internet Security Association and Key Exchange
IKE: Internet Key Exchange Protocol
SA: Security Association
Phase 1 Tunnel:
An ISAKMP SA can be regarded as representing
a flow of ISAKMP/IKE traffic. Hence an ISAKMP
is referred to as a 'Phase 1 Tunnel' in this
Another term for a Phase 1 Tunnel.
Phase 2 Tunnel:
An instance of a non-ISAKMP SA bundle in which all
the SA share the same proxy identifiers (IDii,IDir)
protect the same stream of application traffic.
Such an SA bundle is termed a 'Phase 2 Tunnel'.
Note that a Phase 2 tunnel may comprise different
SA bundles and different number of SA bundles at
different times (due to key refresh).
History of the MIB
A precursor to this MIB was the IPsec Flow Monitor MIB, which
combined the objects pertaining to IKE and IPsec (Phase-2)
into a single MIB module. Furthermore, the MIB supported only
one signaling protocol, IKEv1, in addition to manual keying.
The MIB was written by Tivoli and implemented in IBM Nways
routers in 1999. During late 1999, Cisco adopted the MIB and
together with Tivoli publised the IPsec Flow Monitor MIB in
IETF IPsec WG in draft-ietf-ipsec-flow-monitoring-mib-00.txt.
In 2000, the MIB was Cisco-ized and implemented as
CISCO-IPSEC-FLOW-MONITOR-MIB in IOS and VPN3000 platforms.
With the evolution of IKEv2, the MIB was modified and
presented to the IPsec WG again in May 2003 in
With the emergence to multiple signaling protocols, it has
further evolved to define separate set of MIB modules to
instrument IPsec signaling alone. Thus, this MIB module
is now the generic IPsec signaling MIB.
Overview of MIB
The MIB contains major groups of objects which are
used to manage the generic aspects of IPsec signaling.
These groups include a global statistics, control tunnel table,
Peer association group, control tunnel history group,
signaling failure group and notification group.
The global statistics, tunnel table and peer association
groups aid in the real-time monitoring of IPsec signaling
The History group is to aid applications that do
The Failure group is to enable an operator to
do troubleshooting and debugging.
Further, counters are supported to aid detection
of potential security violations.
The notifications are modeled as generic IPsec control
notifications and are parameterized by the identity of the
specific signaling protocol which caused the notification
to be issued.