-- *****************************************************************
-- CISCO-IP-ENCRYPTION-MIB.my: Cisco IP encryption MIB file.
--
-- April 1996, Subodh Nijsure
--
-- Copyright (c) 1996 by cisco Systems, Inc.
-- All rights reserved.
-- *****************************************************************
--
-- NOTE(review): the header says April 1996 but LAST-UPDATED below is
-- "9508150000Z" (August 1995). One of the two dates is stale.
--
-- Reviewer notes (security), summarised; details sit next to the
-- objects they concern:
--
--  * Everything in this module is read-only EXCEPT the row objects of
--    cieTestConnTable, which are read-create. A principal with SNMP
--    write access to that subtree can start a crypto session towards
--    arbitrary addresses, and the module states that a started test
--    cannot be stopped. Write access to this MIB should be limited by
--    view to the management stations that actually need it.
--  * The only ciphers this module can describe are 40-bit and 56-bit
--    DES (cieConfiguredAlgorithms, cieAlgorithmType). Neither key
--    length is adequate against brute force today; treat a tunnel
--    reporting one of them as weakly protected at best.
--  * The only NOTIFICATION-TYPE defined is cieTestCompletion. There is
--    no trap for changes of cieEsaTampered or cieEsaAuthenticated, so
--    those indicators have to be polled.
--  * Addresses are IpAddress (IPv4 only); the module has no way to
--    express IPv6 endpoints.
--  * SMIv2 MIBs are transport-agnostic. Every caveat about an attacker
--    reading or forging values assumes the deployment exposes this MIB
--    over community-string SNMP (v1/v2c), which provides neither
--    authentication nor integrity. Verify which SNMP version is in use.

CISCO-IP-ENCRYPTION-MIB DEFINITIONS ::= BEGIN

-- MIB definitions for Cisco Crypto management.
--
--
IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, Counter32, Integer32, IpAddress,
    Gauge32, NOTIFICATION-TYPE
        FROM SNMPv2-SMI
    DisplayString, TruthValue, TimeStamp, RowStatus
        FROM SNMPv2-TC
    MODULE-COMPLIANCE, OBJECT-GROUP
        FROM SNMPv2-CONF
    OwnerString
        FROM IF-MIB
    ciscoMgmt
        FROM CISCO-SMI;

-- ***************************************************************
-- Define IP encryption MIB object
-- ***************************************************************

ciscoIpEncryptionMIB MODULE-IDENTITY
    LAST-UPDATED "9508150000Z"
    ORGANIZATION "Cisco Systems, Inc."
    CONTACT-INFO
        "       Cisco Systems
                Customer Service

        Postal: 170 West Tasman Drive
                San Jose, CA 95134
                USA

           Tel: +1 800 553-NETS

        E-mail: cs-snmp@cisco.com"
    DESCRIPTION
        "Used to manage the encryption feature."
    ::= { ciscoMgmt 52 }

ciscoIpEncryptionMIBObjects OBJECT IDENTIFIER ::= { ciscoIpEncryptionMIB 1 }

--
-- Define cisco encryption mib objects
--
-- Four sub-trees: static configuration, per-engine status, the live
-- connection table, and the manager-driven test-connection table.
-- Only the last one contains writable (read-create) objects.
--

cieConfig         OBJECT IDENTIFIER ::= { ciscoIpEncryptionMIBObjects 1 }
cieEngineStatus   OBJECT IDENTIFIER ::= { ciscoIpEncryptionMIBObjects 2 }
cieConnections    OBJECT IDENTIFIER ::= { ciscoIpEncryptionMIBObjects 3 }
cieTestConnection OBJECT IDENTIFIER ::= { ciscoIpEncryptionMIBObjects 4 }


-- NOTE(review): the bit-to-algorithm mapping of this 16-octet bit
-- string is not defined anywhere in this module, so a poller cannot
-- decode it without vendor documentation. The only algorithms the
-- module names elsewhere (cieAlgorithmType) are DES variants with
-- 40-bit or 56-bit keys.
cieConfiguredAlgorithms OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (16))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Type of encryption configured on a particular router,
        encoded as a bit-string.
        A router can support multiple encryption algorithms
        i.e. 56 bit des with 8 bit cipher feedback AND 40 bit des
        with 64 bit cipher feedback.
        "
    ::= { cieConfig 1 }

-- Session key lifetime. NOTE(review): SYNTAX carries no range, so the
-- meaning of 0 or a negative value is not defined by this module; a
-- poller should not assume either means 'never'. This value is also
-- the inactivity limit after which open connections may be removed
-- (see cieConnStatus).
cieEncryptionKeyTimeout OBJECT-TYPE
    SYNTAX      Integer32
    UNITS       "minutes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Interval at which keys expire for a session and are
        re-negotiated."
    ::= { cieConfig 2 }

-- Number of rows expected in cieEngineStatusTable.
cieNumberOfCryptoEngines OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Total number of encryption engines."
    ::= { cieConfig 3 }

cieEngineStatusTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CieEngineStatusEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table describing status of all encryption engines present
        within the router."
    ::= { cieEngineStatus 1 }

-- One row per crypto engine, software (RP) or hardware (ESA).
-- The three cieEsa* columns are documented as absent for software
-- engines, i.e. the row is sparse in that case.
cieEngineStatusEntry OBJECT-TYPE
    SYNTAX      CieEngineStatusEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry in this table describes public key associated with
        each engine, with its unique ID. In case of hardware assisted
        encryption each entry also describes status of encryption port
        adaptor."
    INDEX { cieEngineID }
    ::= { cieEngineStatusTable 1 }

CieEngineStatusEntry ::=
    SEQUENCE {
        cieEngineID
            Integer32,
        cieEngineCardIndex
            Integer32,
        cieEnginePublicKey
            OCTET STRING,
        cieEsaTampered
            TruthValue,
        cieEsaAuthenticated
            TruthValue,
        cieEsaMode
            INTEGER
    }

-- Index of cieEngineStatusTable and first index of cieConnTable.
-- NOTE(review): an index column with MAX-ACCESS read-only (rather than
-- not-accessible) is permitted by SMIv2 but is the older convention.
cieEngineID OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Unique value identifying the crypto engine, in case
        of RP and other software only platforms, this is the
        processor ID. In case of ESA, this will be a unique ID
        retrieved from ESA."
    ::= { cieEngineStatusEntry 1 }

-- 0 distinguishes a software engine from a hardware card.
cieEngineCardIndex OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Corresponds to cardIndex in the chassis mib, if value is 0
        then this is a software encryption engine."
    ::= { cieEngineStatusEntry 2 }


-- NOTE(review): the encoding of the key material (raw value, DER, a
-- fingerprint, ...) is not specified here; only the size bound is.
-- A public key is not a secret, but if a management station uses this
-- value to pre-verify a peer's key, the read must come over a channel
-- that authenticates the agent's response -- community-string SNMP
-- does not, so a forged or substituted key could not be detected.
cieEnginePublicKey OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (0..1024))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Public key for a particular crypto engine."
    ::= { cieEngineStatusEntry 3 }

-- Hardware tamper indicator for the ESA. Operational guidance: a
-- transition to true on any engine should be alerted on. This module
-- defines no notification for it (cieTestCompletion is the only
-- NOTIFICATION-TYPE), so the object must be polled.
cieEsaTampered OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Indicates whether encryption port adaptor has been tampered
        with.
        NOTE: This object is not present for software encryption
        engines."
    ::= { cieEngineStatusEntry 4 }

-- Whether the ESA has been authenticated to this router. As with
-- cieEsaTampered, a value of false on an installed card is worth an
-- alert and is only detectable by polling.
cieEsaAuthenticated OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Indicates whether encryption port adaptor has been properly
        authenticated for this router.
        NOTE: This object is not present for software encryption
        engines."
    ::= { cieEngineStatusEntry 5 }

-- Mirrors the ESA front-panel LED; error(3) is the only failure state.
cieEsaMode OBJECT-TYPE
    SYNTAX      INTEGER {
                    enableActive(1),
                    boot(2),
                    error(3)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Indicates current operating mode of the ESA card.
        This variable directly corresponds to LED status shown on ESA.
        NOTE: This object is not present for software encryption
        engines."
    ::= { cieEngineStatusEntry 6 }

-- Row count of cieConnTable; includes pending and dead connections,
-- not only open ones.
cieNumberOfConnections OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Total number of active, pending and dead crypto connections."
    ::= { cieConnections 1 }

-- Live tunnel table (read-only). Each row is one encrypted tunnel
-- between a protected and an unprotected endpoint, bound to the engine
-- that serves it via the cieEngineID index.
cieConnTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CieConnEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table that describes all encrypted IP traffic
        created by the router, between the protected entity
        (cieProtectedAddr) and the unprotected entity
        (cieUnprotectedAddr). Each entry in this table
        describes a virtual encrypted IP tunnel."
    ::= { cieConnections 2 }

cieConnEntry OBJECT-TYPE
    SYNTAX      CieConnEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This entry describes a connection viz. the protected and
        unprotected node, status of the connection and number of
        packets encrypted, decrypted per connection and algorithm
        used for encrypting data.
        Each entry also contains a pointer to crypto engine that is
        performing the encryption."
    INDEX { cieEngineID, cieConnIndex }
    ::= { cieConnTable 1 }

CieConnEntry ::=
    SEQUENCE {
        cieConnIndex
            Integer32,
        cieProtectedAddr
            IpAddress,
        cieUnprotectedAddr
            IpAddress,
        cieConnStatus
            INTEGER,
        ciePktsEncrypted
            Counter32,
        ciePktsDecrypted
            Counter32,
        ciePktsDropped
            Counter32,
        cieLocalTimeEstablished
            TimeStamp,
        cieAlgorithmType
            INTEGER
    }

-- Second index of cieConnTable. Values are reused after wrap, so an
-- index alone does not identify a tunnel across a wrap; pair it with
-- cieLocalTimeEstablished when correlating.
cieConnIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A monotonically increasing integer for the sole purpose of
        indexing the cieConnTable. When it reaches the
        maximum value, the agent wraps the value back to 1 and
        may flush existing entries."
    ::= { cieConnEntry 1 }

-- 'Protected' / 'unprotected' name the two tunnel endpoints as the
-- cieConnTable DESCRIPTION defines them; 'insecure' here refers to the
-- side of the tunnel, not to the state of the host. IPv4 only.
cieProtectedAddr OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The IP address for protected (secure) node."
    ::= { cieConnEntry 2 }

cieUnprotectedAddr OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The IP address of the unprotected (insecure) node in
        the network."
    ::= { cieConnEntry 3 }

-- Rows are aged out by the agent: pending/bad after 4 minutes idle,
-- open after cieEncryptionKeyTimeout minutes idle. A poller must not
-- treat a vanished row as an error by itself.
cieConnStatus OBJECT-TYPE
    SYNTAX      INTEGER {
                    pendingConnection(1),
                    openConnection(2),
                    exchangeKeys(3),
                    badConnection(4)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Integer describing status/type of connection. The pending
        and bad connections may be removed after 4 minutes of
        non-activity. Open (active) connections may be removed if
        they have not transmitted/received traffic in the last
        cieEncryptionKeyTimeout minutes."
    ::= { cieConnEntry 4 }

ciePktsEncrypted OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Total number of packets encrypted for this connection."
    ::= { cieConnEntry 5 }

ciePktsDecrypted OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Total number of packets decrypted for this connection."
    ::= { cieConnEntry 6 }

-- Detection signal: as described, packets for a tunnel whose keys are
-- not established are discarded rather than forwarded, so a rising
-- rate here means traffic is being lost, not leaked. Alert on
-- sustained increases; the DESCRIPTION attributes them to key
-- mis-configuration.
ciePktsDropped OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Total number of packets dropped for this connection. The
        packets are dropped only in cases where encryption keys are
        not established between the protected entity and the
        unprotected entity. An increase in this value indicates the
        possibility of mis-configured keys."
    ::= { cieConnEntry 7 }

-- sysUpTime stamp; resets with the agent, so compare within one
-- sysUpTime epoch only.
cieLocalTimeEstablished OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Value of sysUpTime at which the connection was established or
        re-established."
    ::= { cieConnEntry 8 }

-- NOTE(review): every value of this enumeration is single DES, with a
-- 56-bit or an export-grade 40-bit key, in CFB-64 or CFB-8 mode. Both
-- key sizes have been publicly brute-forced for decades; a tunnel
-- reporting any of these provides confidentiality only against a
-- casual observer. There is no value for 'none' or 'unknown'.
-- The identifier des40bitdesCfb8(4) contains a duplicated 'des'; it is
-- kept as-is because enumeration labels are part of the interface.
cieAlgorithmType OBJECT-TYPE
    SYNTAX      INTEGER {
                    des56bitCfb64(1),
                    des56bitCfb8(2),
                    des40bitCfb64(3),
                    des40bitdesCfb8(4)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Type of encryption algorithm used for this connection."
    ::= { cieConnEntry 9 }

-- Manager-driven test-connection table. This is the ONLY writable part
-- of the module. Security properties that follow from the text below:
--  * Any SNMP writer can create a row naming arbitrary protected and
--    unprotected addresses and trigger session establishment, which
--    "cannot be stopped" once active. That is a resource-consumption
--    and peer-probing primitive; restrict write access to this subtree.
--  * The blast radius is bounded by policy: the test can only select a
--    crypto map that is already configured on the router
--    (cieTestConnCryptoMapName / cieTestConnCryptoMapTagNumber); the
--    manager cannot supply new policy through this table.
--  * Rows age out after 30 minutes regardless of outcome.
cieTestConnTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CieTestConnEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table of test crypto session entries."
    ::= { cieTestConnection 1 }

cieTestConnEntry OBJECT-TYPE
    SYNTAX      CieTestConnEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An encryption test entry.
        A management station wishing to create an entry should
        first generate a pseudo-random serial number to be used
        as the index to this sparse table. The station should
        then create the associated instance of the row status
        and row owner objects. It must also, either in the same
        or in successive PDUs, create the associated instance of
        the address objects.

        Once the appropriate instances of all the configuration
        objects have been created by explicit SNMP set requests,
        the row status should be set to active to initiate the
        request. Note that this entire procedure may be initiated
        via a single set request which specifies a row status of
        createAndGo.

        Once the connection sequence has been activated, it cannot be
        stopped -- it will run until a crypto connection has been
        established between source and destination.

        Once the sequence completes, the management station should
        retrieve the values of the status objects of interest, and
        should then delete the entry. In order to prevent old
        entries from clogging the table, entries will be aged out
        30 minutes after they are created."
    INDEX { cieTestConnSerialNumber }
    ::= { cieTestConnTable 1 }

CieTestConnEntry ::=
    SEQUENCE {
-- index
        cieTestConnSerialNumber
            Integer32,
-- configuration items
        cieTestConnProtectedAddr
            IpAddress,
        cieTestConnUnprotectedAddr
            IpAddress,
        cieTestConnTrapOnCompletion
            TruthValue,
        cieTestConnCryptoMapName
            DisplayString,
        cieTestConnCryptoMapTagNumber
            Integer32,
-- status items
        cieTestConnSessionStatus
            INTEGER,
        cieTestConnEntryOwner
            OwnerString,
        cieTestConnEntryStatus
            RowStatus
    }

-- NOTE(review): the "pseudo-random" index exists only to avoid two
-- managers colliding on the same row (the DESCRIPTION says RowStatus
-- semantics handle the conflict). It is not a capability or
-- authorisation token: anyone who can write to the table can create
-- any serial number.
cieTestConnSerialNumber OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Object which specifies a unique entry in the
        cieTestConnTable. A management station wishing
        to initiate a crypto session test operation should use a
        pseudo-random value for this object when creating
        an instance of a cieTestConnEntry.
        The RowStatus semantics of the cieTestConnEntryStatus
        object will prevent access conflicts."
    ::= { cieTestConnEntry 1 }

-- Manager-supplied endpoints (read-create). The module states no
-- validation rule for them and cieTestConnSessionStatus has no
-- distinct value for an unacceptable address -- presumably such a
-- request ends in fail(2); confirm against the agent.
cieTestConnProtectedAddr OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The IP address of the protected (secure) node, for
        the test connection."
    ::= { cieTestConnEntry 2 }

cieTestConnUnprotectedAddr OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The IP address of the unprotected (insecure) node for
        the test connection."
    ::= { cieTestConnEntry 3 }

-- When true, cieTestCompletion is emitted; that trap carries both
-- endpoint addresses (see its OBJECTS clause), i.e. tunnel topology
-- leaves the device in the notification. Default is no trap.
cieTestConnTrapOnCompletion OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Specifies whether or not a cieTestCompletion
        trap should be issued on completion of test crypto session.
        If such a trap is desired, it is the responsibility of the
        management entity to ensure that the SNMP administrative
        model is configured in such a way as to allow the trap to
        be delivered."
    DEFVAL { false }
    ::= { cieTestConnEntry 4 }

-- Selects an existing crypto map; the manager cannot define policy
-- here, only pick among what is already configured on the router.
cieTestConnCryptoMapName OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Specifies name of the crypto map already configured on the
        router. A crypto map along with its tag number fully
        specifies the encryption policy, such as type of algorithm to
        be used, the name of the peer router and access list."
    ::= { cieTestConnEntry 5 }

cieTestConnCryptoMapTagNumber OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Specifies tag number of the crypto map already configured on
        the router. A crypto map along with its tag number fully
        specifies the encryption policy, such as type of algorithm to
        be used, the name of the peer router and access list."
    ::= { cieTestConnEntry 6 }

-- Outcome of the test. badCryptoMapName(4) is the only specific
-- error; every other failure is reported as fail(2).
cieTestConnSessionStatus OBJECT-TYPE
    SYNTAX      INTEGER {
                    inProgress(1),
                    fail(2),
                    success(3),
                    badCryptoMapName(4)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Set to a value that indicates whether a crypto session was
        successfully established, failed or the connection
        establishment process is in progress. If the specified crypto
        map is not configured, value is set to badCryptoMapName."
    ::= { cieTestConnEntry 7 }

-- Self-asserted by the creator (read-create); informational only and
-- not a substitute for SNMP access control or audit logging.
cieTestConnEntryOwner OBJECT-TYPE
    SYNTAX      OwnerString
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The entity that configured this entry."
    ::= { cieTestConnEntry 8 }

-- Row control. Once active, neither this row nor the test it started
-- can be modified or aborted until cieTestConnSessionStatus leaves
-- inProgress (see also the table DESCRIPTION).
cieTestConnEntryStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The status of this table entry. Once the entry status is
        set to active, the associated entry cannot be modified until
        the sequence completes (cieTestConnSessionStatus has a
        value other than inProgress)."
    DEFVAL { createAndGo }
    ::= { cieTestConnEntry 9 }


cieMIBTrapPrefix OBJECT IDENTIFIER ::= { ciscoIpEncryptionMIB 2 }
cieMIBTraps      OBJECT IDENTIFIER ::= { cieMIBTrapPrefix 0 }

-- The only notification in this module. Its varbinds expose both
-- tunnel endpoints; if traps traverse segments the operator does not
-- trust, the transport (not this MIB) must provide confidentiality
-- and origin authentication.
cieTestCompletion NOTIFICATION-TYPE
    OBJECTS {
        cieTestConnSessionStatus,
        cieTestConnProtectedAddr,
        cieTestConnUnprotectedAddr
    }
    STATUS      current
    DESCRIPTION
        "A cieTestCompletion trap is sent at the completion
        of a crypto session establishment if such a trap was requested
        when the sequence was initiated. "
    ::= { cieMIBTraps 1 }

-- conformance information

cieMIBConformance OBJECT IDENTIFIER ::= { ciscoIpEncryptionMIB 3 }

cieMIBCompliances OBJECT IDENTIFIER ::= { cieMIBConformance 1 }

cieMIBGroups      OBJECT IDENTIFIER ::= { cieMIBConformance 2 }


-- compliance statements

-- NOTE(review): the single mandatory group includes cieEsaTampered,
-- cieEsaAuthenticated and cieEsaMode, whose DESCRIPTIONs say they are
-- "not present for software encryption engines". A software-only
-- agent therefore cannot be strictly compliant; a separate optional
-- group for the ESA columns would resolve this.
cieMIBCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        "The compliance statement for entities which implement
        the Cisco Encryption MIB"
    MODULE -- this module
        MANDATORY-GROUPS { cieMIBGroup }
    ::= { cieMIBCompliances 1 }

-- units of conformance

cieMIBGroup OBJECT-GROUP
    OBJECTS {
        cieConfiguredAlgorithms,
        cieEncryptionKeyTimeout,
        cieNumberOfCryptoEngines,
        cieEngineID,
        cieEngineCardIndex,
        cieEnginePublicKey,
        cieEsaTampered,
        cieEsaAuthenticated,
        cieEsaMode,
        cieNumberOfConnections,
        cieProtectedAddr,
        cieUnprotectedAddr,
        cieConnStatus,
        ciePktsEncrypted,
        ciePktsDecrypted,
        ciePktsDropped,
        cieLocalTimeEstablished,
        cieAlgorithmType,
        cieTestConnProtectedAddr,
        cieTestConnUnprotectedAddr,
        cieTestConnTrapOnCompletion,
        cieTestConnCryptoMapName,
        cieTestConnCryptoMapTagNumber,
        cieTestConnSessionStatus,
        cieTestConnEntryOwner,
        cieTestConnEntryStatus
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects providing information about
        IP crypto subsystem."
    ::= { cieMIBGroups 1 }

END