1-- *****************************************************************
2-- CISCO-IP-ENCRYPTION-MIB.my:  Cisco IP encryption MIB file.
3--
4-- April 1996, Subodh Nijsure
5--
6-- Copyright (c) 1996 by cisco Systems, Inc.
7-- All rights reserved.
8-- *****************************************************************
9--
10
11CISCO-IP-ENCRYPTION-MIB DEFINITIONS ::= BEGIN
12
13-- MIB definitions for Cisco Crypto management.
14--
15--
16IMPORTS
17	MODULE-IDENTITY, OBJECT-TYPE, Counter32, Integer32, IpAddress,
18	Gauge32, NOTIFICATION-TYPE
19		FROM SNMPv2-SMI
20	DisplayString, TruthValue,TimeStamp, RowStatus
21		FROM SNMPv2-TC
22	MODULE-COMPLIANCE, OBJECT-GROUP
23		FROM SNMPv2-CONF
24	OwnerString
25		FROM IF-MIB
26	ciscoMgmt
27		FROM CISCO-SMI;
28
29-- ***************************************************************
30-- Define IP encryption MIB object
31-- ***************************************************************
32
-- Module identity for the Cisco IP encryption MIB, rooted at { ciscoMgmt 52 }.
-- NOTE(review): LAST-UPDATED uses the two-digit-year form 9508150000Z
-- (15 August 1995), which predates the "April 1996" date in the file header;
-- one of the two dates is presumably stale.
-- Everything in this module is read-only status except cieTestConnTable,
-- whose read-create rows make the router initiate a crypto connection.
ciscoIpEncryptionMIB MODULE-IDENTITY
	LAST-UPDATED	"9508150000Z"
	ORGANIZATION	"Cisco Systems, Inc."
	CONTACT-INFO
		"	Cisco Systems
		Customer Service

		Postal: 170 West Tasman Drive
		San Jose, CA  95134
		USA

		Tel: +1 800 553-NETS

		E-mail: cs-snmp@cisco.com"
	DESCRIPTION
		"Used to manage the encryption feature."
	::= { ciscoMgmt 52 }
50
-- Subtree roots. Managed objects live under { ciscoIpEncryptionMIB 1 };
-- notifications and conformance use arcs 2 and 3 (defined further down).
ciscoIpEncryptionMIBObjects OBJECT IDENTIFIER ::= { ciscoIpEncryptionMIB 1 }

--
-- Define cisco encryption mib objects
--

-- Four functional groups: global configuration (cieConfig), per-engine
-- status (cieEngineStatus), per-connection status (cieConnections) and
-- the manager-driven test table (cieTestConnection).
cieConfig		OBJECT IDENTIFIER ::= { ciscoIpEncryptionMIBObjects 1 }
cieEngineStatus		OBJECT IDENTIFIER ::= { ciscoIpEncryptionMIBObjects 2 }
cieConnections		OBJECT IDENTIFIER ::= { ciscoIpEncryptionMIBObjects 3 }
cieTestConnection	OBJECT IDENTIFIER ::= { ciscoIpEncryptionMIBObjects 4 }
61
62
-- cieConfiguredAlgorithms: 16-octet bit string of the algorithms enabled on
-- this router.
-- NOTE(review): the bit-position-to-algorithm mapping is not defined anywhere
-- in this module; the only algorithm names it carries are the four DES
-- variants enumerated in cieAlgorithmType. Consult the agent documentation
-- before decoding this value rather than guessing at bit order.
cieConfiguredAlgorithms OBJECT-TYPE
        SYNTAX  OCTET STRING  (SIZE  (16))

	MAX-ACCESS  read-only
	STATUS  current
	DESCRIPTION
		"Type of encryption configured on a particular router,
		encoded as a bit-string.
		A router can support multiple encryption algorithms
		i.e. 56 bit des with 8 bit cipher feedback AND 40 bit des
		with 64 bit cipher feedback.
		"
	::= { cieConfig 1 }
76
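-- cieEncryptionKeyTimeout: session-key lifetime in minutes. The same value
-- is also the idle-removal timer for open connections (see cieConnStatus).
-- NOTE(review): this bounds how long a single DES session key stays in use;
-- a larger value widens the window in which a recovered key remains useful.
cieEncryptionKeyTimeout OBJECT-TYPE
	SYNTAX  Integer32
	UNITS   "minutes"
	MAX-ACCESS  read-only
	STATUS  current
	DESCRIPTION
		"Interval, in minutes, after which the session keys of a
		connection expire and are re-negotiated."
	::= { cieConfig 2 }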
86
-- cieNumberOfCryptoEngines: number of crypto engines (software engines and
-- ESA cards together); presumably equals the row count of
-- cieEngineStatusTable, but the module does not state that explicitly.
cieNumberOfCryptoEngines OBJECT-TYPE
	SYNTAX	Gauge32
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"Total number of encryption engines."
	::= { cieConfig 3 }
94
-- cieEngineStatusTable: one row per crypto engine, indexed by cieEngineID.
-- The cieEsa* columns exist only for hardware (ESA) engines; software
-- engines (cieEngineCardIndex = 0) omit them, so walkers must tolerate
-- absent instances in this table.
cieEngineStatusTable OBJECT-TYPE
	SYNTAX     SEQUENCE OF CieEngineStatusEntry
	MAX-ACCESS not-accessible
	STATUS     current
	DESCRIPTION
		"A table describing status of all encryption engines present
		within the router."
	::= { cieEngineStatus 1 }
103
-- cieEngineStatusEntry: row for one engine. Single index cieEngineID, which
-- is also reused as the first index of cieConnTable to tie connections to
-- the engine serving them.
cieEngineStatusEntry OBJECT-TYPE
	SYNTAX CieEngineStatusEntry
	MAX-ACCESS not-accessible
	STATUS     current
	DESCRIPTION
		"Each entry in this table describes public key associated with
		each engine, with its unique ID. In case of hardware assisted
		encryption each entry also describes status of encryption port
		adaptor."
	INDEX { cieEngineID }
	::= { cieEngineStatusTable 1 }
115
-- Column layout of cieEngineStatusTable. The three cieEsa* columns are
-- present only on hardware (ESA) engines.
CieEngineStatusEntry ::=
	SEQUENCE {
		cieEngineID
			Integer32,	-- index: engine identifier
		cieEngineCardIndex
			Integer32,	-- chassis card index, 0 = software engine
		cieEnginePublicKey
			OCTET STRING,	-- engine public key, encoding unspecified
		cieEsaTampered
			TruthValue,	-- ESA only: tamper indicator
		cieEsaAuthenticated
			TruthValue,	-- ESA only: authenticated to this router
		cieEsaMode
			INTEGER		-- ESA only: operating mode (LED state)
	}
131
-- cieEngineID: row index of cieEngineStatusTable and first index of
-- cieConnTable. Processor ID for software engines, ESA-supplied ID for
-- hardware engines. Unlike cieConnIndex it is read-only rather than
-- not-accessible, so it is returned on a walk.
cieEngineID OBJECT-TYPE
	SYNTAX  Integer32 (1..2147483647)
	MAX-ACCESS read-only
	STATUS	current
	DESCRIPTION
		"Unique value identifying the crypto engine, in case
		of RP and other software only platforms, this is the
		processor ID. In case of ESA, this will be a unique ID
		retrieved from ESA."
	::= {  cieEngineStatusEntry 1 }
142
-- cieEngineCardIndex: 0 marks a software engine; any other value is the
-- cardIndex of the ESA in the chassis MIB (that MIB is not imported here,
-- so the correlation is by value only).
cieEngineCardIndex  OBJECT-TYPE
	SYNTAX	Integer32
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"Corresponds to cardIndex in the chassis mib, if value is 0
		then this is a software encryption engine."
	::= { cieEngineStatusEntry 2 }
151
152
-- cieEnginePublicKey: up to 1024 octets; the encoding (raw modulus, DER,
-- and so on) is not specified in this module.
-- NOTE(review): a value read over SNMPv1/v2c is protected only by the
-- community string and carries no message authentication, so it must not be
-- the sole basis for verifying a peer engine's key fingerprint; confirm it
-- out of band (console) or fetch it over an authenticated SNMPv3 session.
cieEnginePublicKey OBJECT-TYPE
	SYNTAX	OCTET STRING (SIZE (0..1024))
	MAX-ACCESS read-only
	STATUS	current
	DESCRIPTION
		"Public key for a particular crypto engine."
	::= { cieEngineStatusEntry 3 }
160
-- cieEsaTampered: true means the ESA reports that it has been tampered with.
-- NOTE(review): this module defines no notification for tamper (its only
-- NOTIFICATION-TYPE is cieTestCompletion), so detecting it requires
-- polling; a true value should be handled as a security incident for that
-- engine. Instance absent for software engines.
cieEsaTampered OBJECT-TYPE
	SYNTAX  TruthValue
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"Indicates whether encryption port adaptor has been tampered
		with.
		NOTE: This object is not present for software encryption
		engines."
	::= { cieEngineStatusEntry 4 }
171
-- cieEsaAuthenticated: whether the ESA has been authenticated to this
-- router. A false value on an engine that is serving rows of cieConnTable
-- is worth alerting on. Instance absent for software engines.
cieEsaAuthenticated OBJECT-TYPE
	SYNTAX TruthValue
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"Indicates whether encryption port adaptor has been properly
		authenticated for this router.
		NOTE: This object is not present for software encryption
		engines."
	::= { cieEngineStatusEntry 5 }
182
-- cieEsaMode: mirrors the ESA front-panel LED. enableActive(1) is
-- presumably the normal operating state, boot(2) initialisation and
-- error(3) a fault; the module does not define the states further.
-- Instance absent for software engines.
cieEsaMode OBJECT-TYPE
	SYNTAX	INTEGER {
		enableActive(1),
		boot(2),
		error(3)
	}
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"Indicates current operating mode of the ESA card.
		This variable directly corresponds to LED status shown on ESA.
		NOTE: This object is not present for software encryption
		engines."

	::= { cieEngineStatusEntry 6 }
198
-- cieNumberOfConnections: counts pending and dead connections as well as
-- active ones, so it is not the number of working tunnels; filter
-- cieConnTable on cieConnStatus for that.
cieNumberOfConnections OBJECT-TYPE
	SYNTAX	Gauge32
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"Total number of active, pending and dead crypto connections."
	::= { cieConnections 1 }
206
-- cieConnTable: one row per encrypted IP tunnel, indexed by the engine
-- serving it and a per-engine connection index.
-- NOTE(review): the address pairs in this table show which protected hosts
-- talk to which remote peers, so read access to this subtree discloses the
-- VPN topology; limit it with a community ACL or an SNMPv3 view.
cieConnTable OBJECT-TYPE
	SYNTAX     SEQUENCE OF CieConnEntry
	MAX-ACCESS not-accessible
	STATUS     current
	DESCRIPTION
		"A table that describes all encrypted IP traffic
		created by the router, between the protected entity
		(cieProtectedAddr) and the unprotected entity
		(cieUnprotectedAddr). Each entry in this table
		describes a virtual encrypted IP tunnel."
	::= { cieConnections 2 }
218
-- cieConnEntry: one connection. The index is the pair (cieEngineID,
-- cieConnIndex); cieEngineID is borrowed from cieEngineStatusTable, which
-- is how a row points back at the engine performing the encryption.
cieConnEntry OBJECT-TYPE
	SYNTAX  CieConnEntry
	MAX-ACCESS  not-accessible
	STATUS  current
	DESCRIPTION
		"This entry describes a connection viz. the protected and
		unprotected node, status of the connection and number of
		packets encrypted, decrypted per connection and algorithm
		used for encrypting data.
		Each entry also contains a pointer to crypto engine that is
		performing the encryption."
	INDEX   { cieEngineID, cieConnIndex }
	::= { cieConnTable 1 }
232
-- Column layout of cieConnTable. cieEngineID is the first index but is
-- not a column here because it belongs to cieEngineStatusTable.
CieConnEntry ::=
	SEQUENCE {
		cieConnIndex
			Integer32,	-- second index, not-accessible
		cieProtectedAddr
			IpAddress,	-- inside (secure) endpoint
		cieUnprotectedAddr
			IpAddress,	-- outside (insecure) endpoint
		cieConnStatus
			INTEGER,	-- pending / open / keying / bad
		ciePktsEncrypted
			Counter32,
		ciePktsDecrypted
			Counter32,
		ciePktsDropped
			Counter32,	-- dropped because no keys established
		cieLocalTimeEstablished
			TimeStamp,	-- sysUpTime when (re)established
		cieAlgorithmType INTEGER	-- DES variant in use
	}
253
-- cieConnIndex: per-engine connection counter used only as an index.
-- Because the agent may flush entries when the value wraps back to 1, a
-- (cieEngineID, cieConnIndex) pair is not a stable long-term identifier;
-- correlate on the address pair and cieLocalTimeEstablished instead.
cieConnIndex OBJECT-TYPE
	SYNTAX  Integer32 (1..2147483647)
	MAX-ACCESS not-accessible
	STATUS current
	DESCRIPTION
		"A monotonically increasing integer for the sole purpose of
		indexing the cieConnTable. When it reaches the
		maximum value, the agent wraps the value back to 1 and
		may flush existing entries."
	::= { cieConnEntry 1 }
264
-- cieProtectedAddr: IPv4 address of the node on the secure side of the
-- tunnel (IpAddress is IPv4 only).
cieProtectedAddr OBJECT-TYPE
	SYNTAX  IpAddress
	MAX-ACCESS  read-only
	STATUS  current
	DESCRIPTION
		"The IP address for protected (secure) node."
	::= { cieConnEntry 2 }
272
-- cieUnprotectedAddr: IPv4 address of the node on the insecure side of the
-- tunnel (IpAddress is IPv4 only).
cieUnprotectedAddr OBJECT-TYPE
	SYNTAX  IpAddress
	MAX-ACCESS  read-only
	STATUS  current
	DESCRIPTION
		"The IP address of  the unprotected (insecure) node in
		the network."
	::= { cieConnEntry 3 }
281
-- cieConnStatus: lifecycle state of a connection. Rows are not permanent:
-- pending and bad rows may vanish after 4 idle minutes and open rows after
-- cieEncryptionKeyTimeout idle minutes, so absence of a row does not by
-- itself mean the connection never existed.
cieConnStatus OBJECT-TYPE
	SYNTAX  INTEGER {
		pendingConnection(1),
		openConnection(2),
		exchangeKeys(3),
		badConnection(4)
	}
	MAX-ACCESS  read-only
	STATUS  current
	DESCRIPTION
		"Integer describing status/type of connection. The pending
		and bad connections may be removed after 4 minutes of
		non-activity. Open (active) connections may be removed if
		they have not transmitted/received traffic in the last
		cieEncryptionKeyTimeout minutes."
	::= { cieConnEntry 4 }
298
-- ciePktsEncrypted: Counter32, so it wraps at 2^32; use deltas between
-- polls, not absolute values.
ciePktsEncrypted OBJECT-TYPE
	SYNTAX  Counter32
	MAX-ACCESS  read-only
	STATUS  current
	DESCRIPTION
		"Total number of packets encrypted for this connection."
	::= { cieConnEntry 5 }
306
-- ciePktsDecrypted: Counter32, so it wraps at 2^32; use deltas between
-- polls, not absolute values.
ciePktsDecrypted OBJECT-TYPE
	SYNTAX  Counter32
	MAX-ACCESS  read-only
	STATUS  current
	DESCRIPTION
		"Total number of packets decrypted for this connection."
	::= { cieConnEntry 6 }
314
-- ciePktsDropped: packets discarded because no session keys exist for this
-- connection. Per the DESCRIPTION it counts nothing else, so any growth
-- means traffic for this tunnel is being dropped rather than encrypted;
-- besides key misconfiguration, that is worth alerting on in its own right.
-- Counter32: use deltas between polls.
ciePktsDropped OBJECT-TYPE
	SYNTAX  Counter32
	MAX-ACCESS  read-only
	STATUS  current
	DESCRIPTION
                "Total number of packets dropped for this connection.  The
		packets are dropped only in cases where encryption keys are
		not established between the protected entity and the
		unprotected entity. An increase in this value indicates the
		possibility of mis-configured keys."
	::= { cieConnEntry 7 }
326
-- cieLocalTimeEstablished: TimeStamp, i.e. relative to sysUpTime. Sample
-- sysUpTime in the same poll to turn it into wall-clock time, and expect
-- it to be meaningless across an agent restart.
cieLocalTimeEstablished OBJECT-TYPE
	SYNTAX  TimeStamp
	MAX-ACCESS  read-only
	STATUS  current
	DESCRIPTION
		"Value of sysUpTime at which the connection was established or
		re-established."
	::= { cieConnEntry 8 }
335
-- cieAlgorithmType: cipher in use on this connection. All four values are
-- single DES in CFB mode, with a 56-bit or 40-bit key and a 64-bit or
-- 8-bit feedback width.
-- NOTE(review): 56-bit DES is brute-forceable with commodity hardware and
-- 40-bit DES is export-grade; neither is adequate for protecting traffic
-- today. Any row reporting one of these values is a finding in an
-- assessment of a deployment that still runs this feature.
-- The label des40bitdesCfb8(4) is inconsistent with des40bitCfb64(3) but is
-- left as is: enumeration labels are part of the MIB's interface.
cieAlgorithmType OBJECT-TYPE
	SYNTAX  INTEGER {
		des56bitCfb64(1),
		des56bitCfb8(2),
		des40bitCfb64(3),
		des40bitdesCfb8(4)
	}
	MAX-ACCESS read-only
	STATUS  current
	DESCRIPTION
		"Type of encryption algorithm used for this connection."
	::= { cieConnEntry 9 }
348
-- cieTestConnTable: manager-created rows that make the router attempt to
-- establish a crypto connection.
-- NOTE(review): this is the only writable part of the module, and a write
-- here triggers an action rather than storing a setting. Anyone with SNMP
-- write access can start connection attempts that, per cieTestConnEntry,
-- cannot be cancelled and linger for 30 minutes. Restrict write access to
-- this subtree (SNMPv3 authPriv with a view, or at least a write-community
-- ACL) and audit row creation via cieTestConnEntryOwner.
cieTestConnTable OBJECT-TYPE
	SYNTAX     SEQUENCE OF CieTestConnEntry
	MAX-ACCESS not-accessible
	STATUS     current
	DESCRIPTION
		"A table of test crypto session entries."
	::= { cieTestConnection 1 }
356
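-- cieTestConnEntry: one manager-initiated test of crypto connection setup.
-- The manager picks the index (cieTestConnSerialNumber), fills the address
-- columns, optionally the crypto map name and tag (configuration items the
-- procedure text below does not mention), then activates the row.
-- NOTE(review): once active, the attempt cannot be stopped and the row is
-- only aged out after 30 minutes, so write access to this table is a cheap
-- way to make the router start key exchanges; keep it tightly controlled.
cieTestConnEntry OBJECT-TYPE
	SYNTAX CieTestConnEntry
	MAX-ACCESS not-accessible
	STATUS     current
	DESCRIPTION
		"An encryption test entry.
		A management station wishing to create an entry should
		first generate a pseudo-random serial number to be used
		as the index to this sparse table.  The station should
		then create the associated instance of the row status
		and row owner objects.  It must also, either in the same
		or in successive PDUs, create the associated instance of
		the address objects.

		Once the appropriate instances of all the configuration
		objects have been created by explicit SNMP set requests,
		the row status should be set to active to initiate the
		request.  Note that this entire procedure may be initiated
		via a single set request which specifies a row status of
		createAndGo.

		Once the connection sequence has been activated, it cannot be
		stopped; it will run until a crypto connection has been
		established between source and destination.

		Once the sequence completes, the management station should
		retrieve the values of the status objects of interest, and
		should then delete the entry.  In order to prevent old
		entries from clogging the table, entries will be aged out
		30 minutes after they are created."
	INDEX { cieTestConnSerialNumber }
	::= { cieTestConnTable 1 }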
389
-- Column layout of cieTestConnTable: a manager-chosen index, five
-- read-create configuration columns, one read-only result column, and the
-- owner and RowStatus columns that control the row.
CieTestConnEntry ::=
	SEQUENCE {
-- 		index
		cieTestConnSerialNumber
			Integer32,	-- chosen by the manager, not-accessible
-- configuration items
		cieTestConnProtectedAddr
			IpAddress,
		cieTestConnUnprotectedAddr
			IpAddress,
		cieTestConnTrapOnCompletion
			TruthValue,	-- default false
                cieTestConnCryptoMapName
			DisplayString,	-- must name a map already on the router
                cieTestConnCryptoMapTagNumber
			Integer32,
-- status items
		cieTestConnSessionStatus
			INTEGER,	-- read-only result of the attempt
		cieTestConnEntryOwner
			OwnerString,	-- informational, set by the creator
		cieTestConnEntryStatus
			RowStatus	-- activating the row starts the attempt
}
414
-- cieTestConnSerialNumber: manager-chosen row index. The "pseudo-random"
-- advice exists so that two managers are unlikely to pick the same value;
-- if they do, RowStatus creation of an already-existing row fails, which is
-- the access-conflict protection the DESCRIPTION refers to. The value has
-- no security role and need not be unpredictable.
cieTestConnSerialNumber OBJECT-TYPE
	SYNTAX     Integer32 (1..2147483647)
	MAX-ACCESS not-accessible
	STATUS     current
	DESCRIPTION
		"Object which specifies a unique entry in the
		cieTestConnTable.  A management station wishing
		to initiate a crypto session test operation should use a
		pseudo-random value for this object when creating
		an instance of a cieTestConnEntry.
		The RowStatus semantics of the cieTestConnEntryStatus
		object will prevent access conflicts."
	::= { cieTestConnEntry 1 }
428
-- cieTestConnProtectedAddr: secure-side IPv4 endpoint for the test; must be
-- set before the row is activated. Echoed in the cieTestCompletion trap.
cieTestConnProtectedAddr OBJECT-TYPE
	SYNTAX     IpAddress
	MAX-ACCESS read-create
	STATUS     current
	DESCRIPTION
		"The IP address of the protected (secure) node, for
		the test connection."
	::= { cieTestConnEntry 2 }
437
-- cieTestConnUnprotectedAddr: insecure-side IPv4 endpoint for the test;
-- must be set before the row is activated. Echoed in the cieTestCompletion
-- trap.
cieTestConnUnprotectedAddr OBJECT-TYPE
	SYNTAX     IpAddress
	MAX-ACCESS read-create
	STATUS     current
	DESCRIPTION
		"The IP address of the unprotected (insecure) node for
		the test connection."

	::= { cieTestConnEntry 3 }
447
-- cieTestConnTrapOnCompletion: opt-in for the cieTestCompletion trap.
-- The trap carries both test addresses; with SNMPv1/v2c it travels
-- unauthenticated and unencrypted, so enable it only where trap delivery
-- is already secured, as the DESCRIPTION leaves that to the manager.
cieTestConnTrapOnCompletion OBJECT-TYPE
	SYNTAX     TruthValue
	MAX-ACCESS read-create
	STATUS     current
	DESCRIPTION
		"Specifies whether or not a cieTestCompletion
		trap should be issued on completion of test crypto session.
		If such a trap is desired, it is the responsibility of the
		management entity to ensure that the SNMP administrative
		model is configured in such a way as to allow the trap to
		be delivered."
	DEFVAL { false }
	::= { cieTestConnEntry 4 }
461
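-- cieTestConnCryptoMapName: name of an existing crypto map on the router.
-- The map (with cieTestConnCryptoMapTagNumber) selects the policy used for
-- the test; a name that is not configured makes the attempt end with
-- cieTestConnSessionStatus = badCryptoMapName(4). The value is a free-form
-- DisplayString and is only looked up, not executed, per this module.
cieTestConnCryptoMapName OBJECT-TYPE
	SYNTAX     DisplayString
	MAX-ACCESS read-create
	STATUS     current
	DESCRIPTION
		"Specifies name of the crypto map already configured on the
		router. A crypto map along with its tag number fully
		specifies the encryption policy, such as type of algorithm to
		be used, the name of the peer router and access list."
	::= { cieTestConnEntry 5 }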
472
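-- cieTestConnCryptoMapTagNumber: sequence/tag number that, together with
-- cieTestConnCryptoMapName, identifies one entry of an existing crypto map.
cieTestConnCryptoMapTagNumber OBJECT-TYPE
	SYNTAX     Integer32 (1..2147483647)
	MAX-ACCESS read-create
	STATUS     current
	DESCRIPTION
		"Specifies tag number of the crypto map already configured on
		the router. A crypto map along with its tag number fully
		specifies the encryption policy, such as type of algorithm to
		be used, the name of the peer router and access list."
	::= { cieTestConnEntry 6 }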
483
-- cieTestConnSessionStatus: read-only outcome of the test. inProgress(1)
-- while the attempt runs; fail(2), success(3) or badCryptoMapName(4) once
-- it has finished. Per cieTestConnEntryStatus the row cannot be modified
-- while this object is inProgress.
cieTestConnSessionStatus OBJECT-TYPE
	SYNTAX  INTEGER {
		inProgress(1),
		fail(2),
		success(3),
		badCryptoMapName(4)
	}
	MAX-ACCESS read-only
	STATUS     current
	DESCRIPTION
		"Set to a value that indicates whether a crypto session was
		successfully established, failed or the connection
		establishment process is in progress.  If the specified crypto
		map is not configured, value is set to badCryptoMapName."
	::= { cieTestConnEntry 7 }
499
-- cieTestConnEntryOwner: free-form string written by whoever creates the
-- row (read-create). It is self-declared and not authenticated by the
-- agent, so it is useful for bookkeeping and audit correlation but must
-- never be used as an authorization decision.
cieTestConnEntryOwner OBJECT-TYPE
	SYNTAX     OwnerString
	MAX-ACCESS read-create
	STATUS     current
	DESCRIPTION
		"The entity that configured this entry."
	::= { cieTestConnEntry 8 }
507
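-- cieTestConnEntryStatus: RowStatus that controls the test row. Setting it
-- to active (or creating with createAndGo) starts the connection attempt;
-- the row is locked against modification until cieTestConnSessionStatus
-- leaves inProgress(1). Deleting the row (destroy) is how the manager
-- cleans up; otherwise the agent ages it out after 30 minutes.
-- NOTE(review): a DEFVAL on a RowStatus object is unusual, since
-- createAndGo is an action value rather than a stored state; some MIB
-- compilers may warn about it. Left unchanged to preserve the interface.
cieTestConnEntryStatus OBJECT-TYPE
	SYNTAX     RowStatus
	MAX-ACCESS read-create
	STATUS     current
	DESCRIPTION
		"The status of this table entry.  Once the entry status is
		set to active, the associated entry cannot be modified until
		the sequence completes (cieTestConnSessionStatus has a
		value other than inProgress)."
	DEFVAL { createAndGo }
	::= { cieTestConnEntry 9 }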
519
520
-- Notification subtree. The extra zero arc under cieMIBTrapPrefix is the
-- usual SMIv2 convention that keeps notification OIDs mappable to SNMPv1
-- enterprise-specific traps.
cieMIBTrapPrefix OBJECT IDENTIFIER ::= { ciscoIpEncryptionMIB 2 }
cieMIBTraps OBJECT IDENTIFIER ::= { cieMIBTrapPrefix 0 }
523
-- cieTestCompletion: the module's only notification. Sent only when the
-- row that started the test had cieTestConnTrapOnCompletion = true, and it
-- carries the outcome plus both test addresses. It is not listed in any
-- NOTIFICATION-GROUP (the module imports only OBJECT-GROUP), so conformance
-- says nothing about whether an agent emits it.
cieTestCompletion NOTIFICATION-TYPE
	OBJECTS    {
		cieTestConnSessionStatus,
		cieTestConnProtectedAddr,
		cieTestConnUnprotectedAddr
	}
	STATUS     current
	DESCRIPTION
		"A cieTestCompletion trap is sent at the completion
		of a crypto session establishment if such a trap was requested
		when the sequence was initiated.  "
	::= { cieMIBTraps 1 }
536
537-- conformance information
538
-- Conformance subtree: compliance statements under arc 1, object groups
-- under arc 2.
cieMIBConformance OBJECT IDENTIFIER ::= { ciscoIpEncryptionMIB 3 }

cieMIBCompliances OBJECT IDENTIFIER ::= { cieMIBConformance 1 }

cieMIBGroups      OBJECT IDENTIFIER ::= { cieMIBConformance 2 }
544
545
546-- compliance statements
547
-- cieMIBCompliance: a single mandatory group and no OBJECT refinements, so
-- a compliant agent must implement every object in cieMIBGroup, including
-- the read-create test table; there is no read-only-only compliance level.
cieMIBCompliance MODULE-COMPLIANCE
	STATUS  current
	DESCRIPTION
		"The compliance statement for entities which implement
		the Cisco Encryption MIB"
	MODULE  -- this module
	MANDATORY-GROUPS { cieMIBGroup }
	::= { cieMIBCompliances 1 }
556
557-- units of conformance
558
-- cieMIBGroup: every accessible object in the module in one group. The
-- not-accessible index columns (cieConnIndex, cieTestConnSerialNumber) are
-- correctly omitted. Note that the cieEsa* objects are mandatory here even
-- though their DESCRIPTIONs say they are absent on software-only engines;
-- SMIv2 would more conventionally express that with a separate, conditional
-- group. cieTestCompletion is not covered by any group.
cieMIBGroup OBJECT-GROUP
	OBJECTS {
		cieConfiguredAlgorithms,
		cieEncryptionKeyTimeout,
		cieNumberOfCryptoEngines,
                cieEngineID,
		cieEngineCardIndex,
		cieEnginePublicKey,
		cieEsaTampered,
		cieEsaAuthenticated,
		cieEsaMode,
		cieNumberOfConnections,
		cieProtectedAddr,
		cieUnprotectedAddr,
		cieConnStatus,
		ciePktsEncrypted,
		ciePktsDecrypted,
		ciePktsDropped,
		cieLocalTimeEstablished,
		cieAlgorithmType,
		cieTestConnProtectedAddr,
		cieTestConnUnprotectedAddr,
		cieTestConnTrapOnCompletion,
                cieTestConnCryptoMapName,
                cieTestConnCryptoMapTagNumber,
		cieTestConnSessionStatus,
		cieTestConnEntryOwner,
		cieTestConnEntryStatus
	}
	STATUS  current
	DESCRIPTION
		"A collection of objects providing information about
		IP crypto subsystem."
	::= { cieMIBGroups 1 }
593
594END
595