-- *****************************************************************
-- CISCO-IP-ENCRYPTION-MIB.my: Cisco IP encryption MIB file.
--
-- April 1996, Subodh Nijsure
--
-- Copyright (c) 1996 by cisco Systems, Inc.
-- All rights reserved.
-- *****************************************************************
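CISCO-IP-ENCRYPTION-MIB DEFINITIONS ::= BEGIN

-- MIB definitions for Cisco Crypto management.
--
-- Module header and IMPORTS. In the collapsed copy of this file a stray
-- leading "--" turned "DEFINITIONS ::= BEGIN" and "IMPORTS" into comments,
-- so no MIB compiler could load the module; they are restored here with
-- exactly the original symbols and source modules.

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, Counter32, Integer32,
    IpAddress, Gauge32, NOTIFICATION-TYPE
        FROM SNMPv2-SMI
    DisplayString, TruthValue, TimeStamp, RowStatus
        FROM SNMPv2-TC
    MODULE-COMPLIANCE, OBJECT-GROUP
        FROM SNMPv2-CONF
    OwnerString
        FROM IF-MIB
    ciscoMgmt
        FROM CISCO-SMI;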
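-- ***************************************************************
-- Define IP encryption MIB object
-- ***************************************************************

-- Module identity: registered under ciscoMgmt 52.
-- NOTE(review): LAST-UPDATED (August 1995) predates the April 1996 date
-- in the file header; the module carries no REVISION clauses, so the
-- header date is the only record of the later edit.
ciscoIpEncryptionMIB MODULE-IDENTITY
    LAST-UPDATED "9508150000Z"
    ORGANIZATION "Cisco Systems, Inc."
    CONTACT-INFO
        "       Cisco Systems
                Customer Service

        Postal: 170 West Tasman Drive
                San Jose, CA 95134
                USA

           Tel: +1 800 553-NETS

        E-mail: cs-snmp@cisco.com"
    DESCRIPTION
        "Used to manage the encryption feature."
    ::= { ciscoMgmt 52 }

-- Root of all managed objects in this module; the trap prefix and the
-- conformance subtree hang off ciscoIpEncryptionMIB 2 and 3 respectively.
ciscoIpEncryptionMIBObjects OBJECT IDENTIFIER ::= { ciscoIpEncryptionMIB 1 }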
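--
-- Define cisco encryption mib objects
--

-- Four sub-trees: static configuration, per-engine status, the live
-- connection table, and the writable test-connection table.
cieConfig             OBJECT IDENTIFIER ::= { ciscoIpEncryptionMIBObjects 1 }
cieEngineStatus       OBJECT IDENTIFIER ::= { ciscoIpEncryptionMIBObjects 2 }
cieConnections        OBJECT IDENTIFIER ::= { ciscoIpEncryptionMIBObjects 3 }
cieTestConnection     OBJECT IDENTIFIER ::= { ciscoIpEncryptionMIBObjects 4 }

-- NOTE(review): this is declared as a 16-octet OCTET STRING "encoded as
-- a bit-string", but the module defines no bit positions for it (the SMIv2
-- BITS construct was not used). A manager cannot decode it from this MIB
-- alone; cieAlgorithmType in cieConnTable carries the explicit enumeration.
cieConfiguredAlgorithms OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(16))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Type of encryption configured on a particular router,
        encoded as a bit-string.
        A router can support multiple encryption algorithms
        i.e. 56 bit des with 8 bit cipher feedback AND 40 bit des
        with 64 bit cipher feedback.
        "
    ::= { cieConfig 1 }

-- Session key lifetime in minutes. Read-only: the rekey interval is set
-- on the router, not adjustable through SNMP. cieConnStatus also uses
-- this value as the idle timeout for open connections.
cieEncryptionKeyTimeout OBJECT-TYPE
    SYNTAX      Integer32
    UNITS       "minutes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Interval at which keys expire for a session and they are
        re-negotiated."
    ::= { cieConfig 2 }

-- Number of rows expected in cieEngineStatusTable.
cieNumberOfCryptoEngines OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Total number of encryption engines."
    ::= { cieConfig 3 }

-- One row per crypto engine (software or ESA hardware), indexed by
-- cieEngineID.
cieEngineStatusTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CieEngineStatusEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table describing status of all encryption engines present
        within the router."
    ::= { cieEngineStatus 1 }

cieEngineStatusEntry OBJECT-TYPE
    SYNTAX      CieEngineStatusEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry in this table describes public key associated with
        each engine, with its unique ID. In case of hardware assisted
        encryption each entry also describes status of encryption port
        adaptor."
    INDEX { cieEngineID }
    ::= { cieEngineStatusTable 1 }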
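-- Row layout of cieEngineStatusTable. The three cieEsa* columns exist
-- only for hardware (ESA) engines; software engines omit them.
CieEngineStatusEntry ::= SEQUENCE {
    cieEngineID          Integer32,
    cieEngineCardIndex   Integer32,
    cieEnginePublicKey   OCTET STRING,
    cieEsaTampered       TruthValue,
    cieEsaAuthenticated  TruthValue,
    cieEsaMode           INTEGER
}

-- Index of this table; also reused as the first index of cieConnTable,
-- which is why it is read-only rather than not-accessible.
cieEngineID OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Unique value identifying the crypto engine, in case
        of RP and other software only platforms, this is the
        processor ID. In case of ESA, this will be a unique ID
        retrieved from ESA."
    ::= { cieEngineStatusEntry 1 }

-- 0 means software engine; otherwise a cardIndex in the chassis MIB.
cieEngineCardIndex OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Corresponds to cardIndex in the chassis mib, if value is 0
        then this is a software encryption engine."
    ::= { cieEngineStatusEntry 2 }

-- Public half of the engine key pair only; no object in this module
-- exposes private key material. The encoding of the octets is not
-- specified here, so compare values out of band rather than parsing them.
cieEnginePublicKey OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..1024))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Public key for a particular crypto engine."
    ::= { cieEngineStatusEntry 3 }

-- NOTE(review): no NOTIFICATION-TYPE in this module reports a change in
-- cieEsaTampered or cieEsaAuthenticated (cieTestCompletion is the only
-- trap defined), so a tamper event or an unauthenticated adaptor is only
-- visible to a manager that polls these two objects.
cieEsaTampered OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Indicates whether encryption port adaptor has been tampered
        with.
        NOTE: This object is not present for software encryption
        engines."
    ::= { cieEngineStatusEntry 4 }

cieEsaAuthenticated OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Indicates whether encryption port adaptor has been properly
        authenticated for this router.
        NOTE: This object is not present for software encryption
        engines."
    ::= { cieEngineStatusEntry 5 }

-- Mirrors the ESA front-panel LED state.
cieEsaMode OBJECT-TYPE
    SYNTAX      INTEGER {
                    enableActive(1),
                    boot(2),
                    error(3)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Indicates current operating mode of the ESA card.
        This variable directly corresponds to LED status shown on ESA.
        NOTE: This object is not present for software encryption
        engines."
    ::= { cieEngineStatusEntry 6 }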
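-- Counts every row of cieConnTable regardless of cieConnStatus
-- (pending and bad connections are included, not just open ones).
cieNumberOfConnections OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Total number of active, pending and dead crypto connections."
    ::= { cieConnections 1 }

-- Live crypto connections, one row per protected/unprotected address
-- pair, indexed by the engine that services it plus a per-agent index.
cieConnTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CieConnEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table that describes all encrypted IP traffic
        created by the router, between the protected entity
        (cieProtectedAddr) and the unprotected entity
        (cieUnprotectedAddr). Each entry in this table
        describes a virtual encrypted IP tunnel."
    ::= { cieConnections 2 }

-- cieEngineID is borrowed from cieEngineStatusTable as the first index
-- component; cieConnIndex is defined in this table.
cieConnEntry OBJECT-TYPE
    SYNTAX      CieConnEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This entry describes a connection viz. the protected and
        unprotected node, status of the connection and number of
        packets encrypted, decrypted per connection and algorithm
        used for encrypting data.
        Each entry also contains a pointer to crypto engine that is
        performing the encryption."
    INDEX { cieEngineID, cieConnIndex }
    ::= { cieConnTable 1 }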
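-- Row layout of cieConnTable. All columns are read-only; connections
-- cannot be created or torn down through this table.
CieConnEntry ::= SEQUENCE {
    cieConnIndex              Integer32,
    cieProtectedAddr          IpAddress,
    cieUnprotectedAddr        IpAddress,
    cieConnStatus             INTEGER,
    ciePktsEncrypted          Counter32,
    ciePktsDecrypted          Counter32,
    ciePktsDropped            Counter32,
    cieLocalTimeEstablished   TimeStamp,
    cieAlgorithmType          INTEGER
}

-- Agent-assigned index; wraps to 1 at 2^31-1 and the agent may flush the
-- table when it does, so a manager must not treat the index as stable
-- across a wrap.
cieConnIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A monotonically increasing integer for the sole purpose of
        indexing the cieConnTable. When it reaches the
        maximum value, the agent wraps the value back to 1 and
        may flush existing entries."
    ::= { cieConnEntry 1 }

cieProtectedAddr OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The IP address for protected (secure) node."
    ::= { cieConnEntry 2 }

cieUnprotectedAddr OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The IP address of the unprotected (insecure) node in
        the network."
    ::= { cieConnEntry 3 }

-- Lifecycle state. Pending/bad rows are garbage-collected after 4 idle
-- minutes; open rows after cieEncryptionKeyTimeout idle minutes.
cieConnStatus OBJECT-TYPE
    SYNTAX      INTEGER {
                    pendingConnection(1),
                    openConnection(2),
                    exchangeKeys(3),
                    badConnection(4)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Integer describing status/type of connection. The pending
        and bad connections may be removed after 4 minutes of
        non-activity. Open (active) connections may be removed if
        they have not transmitted/received traffic in the last
        cieEncryptionKeyTimeout minutes."
    ::= { cieConnEntry 4 }

ciePktsEncrypted OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Total number of packets encrypted for this connection."
    ::= { cieConnEntry 5 }

ciePktsDecrypted OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Total number of packets decrypted for this connection."
    ::= { cieConnEntry 6 }

-- Counts only drops caused by missing keys for this address pair, so a
-- rising value is the signal to look for on a key/peer mismatch; it does
-- not count packets dropped for any other reason.
ciePktsDropped OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Total number of packets dropped for this connection. The
        packets are dropped only in cases where encryption keys are
        not established between the protected entity and the
        unprotected entity. An increase in this value indicates the
        possibility of mis-configured keys."
    ::= { cieConnEntry 7 }

-- sysUpTime reference; resets on every re-key/re-establishment.
cieLocalTimeEstablished OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Value of sysUpTime at which the connection was established or
        re-established."
    ::= { cieConnEntry 8 }

-- NOTE(review): every algorithm this module can report is single DES
-- (56-bit, or 40-bit export-grade) in CFB mode; none is considered
-- adequate today, so any value here should be treated as a finding, not
-- a configuration choice. The label des40bitdesCfb8(4) is inconsistent
-- with its siblings but is kept unchanged because enumeration labels are
-- part of the published interface.
cieAlgorithmType OBJECT-TYPE
    SYNTAX      INTEGER {
                    des56bitCfb64(1),
                    des56bitCfb8(2),
                    des40bitCfb64(3),
                    des40bitdesCfb8(4)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Type of encryption algorithm used for this connection."
    ::= { cieConnEntry 9 }

-- Writable table: a manager creates a row to make the router attempt a
-- crypto session with the given peer under a named crypto map.
cieTestConnTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CieTestConnEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table of test crypto session entries."
    ::= { cieTestConnection 1 }

-- NOTE(review): anyone with SNMP write access to this subtree can make
-- the router initiate session establishment towards an arbitrary
-- unprotected address, and the description below states the sequence
-- cannot be stopped once activated (rows are only aged out after 30
-- minutes). Restrict write access to cieTestConnection to the management
-- principals that need it; read access to cieConfig/cieEngineStatus/
-- cieConnections does not require it.
cieTestConnEntry OBJECT-TYPE
    SYNTAX      CieTestConnEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An encryption test entry.
        A management station wishing to create an entry should
        first generate a pseudo-random serial number to be used
        as the index to this sparse table. The station should
        then create the associated instance of the row status
        and row owner objects. It must also, either in the same
        or in successive PDUs, create the associated instance of
        the address objects.
        Once the appropriate instance of all the configuration
        objects have been created, either by an explicit SNMP
        set request or by default, the row status should be set
        to active to initiate the request. Note that this entire
        procedure may be initiated via a single set request which
        specifies a row status of createAndGo.
        Once the connection sequence has been activated, it cannot be
        stopped -- it will run until a crypto connection has been
        established between source and destination.
        Once the sequence completes, the management station should
        retrieve the values of the status objects of interest, and
        should then delete the entry. In order to prevent old
        entries from clogging the table, entries will be aged out
        30 minutes after they are created."
    INDEX { cieTestConnSerialNumber }
    ::= { cieTestConnTable 1 }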
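-- Row layout of cieTestConnTable: one index column, five read-create
-- configuration columns, one read-only result column, and the owner and
-- RowStatus columns that drive row creation.
CieTestConnEntry ::= SEQUENCE {
    -- index
    cieTestConnSerialNumber          Integer32,
    -- configuration items
    cieTestConnProtectedAddr         IpAddress,
    cieTestConnUnprotectedAddr       IpAddress,
    cieTestConnTrapOnCompletion      TruthValue,
    cieTestConnCryptoMapName         DisplayString,
    cieTestConnCryptoMapTagNumber    Integer32,
    -- status items
    cieTestConnSessionStatus         INTEGER,
    cieTestConnEntryOwner            OwnerString,
    cieTestConnEntryStatus           RowStatus
}

-- Manager-chosen pseudo-random index. Two managers picking the same value
-- are serialised only by RowStatus create semantics, not by this object.
cieTestConnSerialNumber OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Object which specifies a unique entry in the
        cieTestConnTable. A management station wishing
        to initiate a crypto session test operation should use a
        pseudo-random value for this object when creating
        an instance of a cieTestConnEntry.
        The RowStatus semantics of the cieTestConnEntryStatus
        object will prevent access conflicts."
    ::= { cieTestConnEntry 1 }

-- Address pair the router is asked to bring a session up for. Nothing in
-- this module constrains these values, so the agent's own policy is the
-- only check on the peer a writer may target.
cieTestConnProtectedAddr OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The IP address of the protected (secure) node, for
        the test connection."
    ::= { cieTestConnEntry 2 }

cieTestConnUnprotectedAddr OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The IP address of the unprotected (insecure) node for
        the test connection."
    ::= { cieTestConnEntry 3 }

-- Opt-in trap on completion; off by default.
cieTestConnTrapOnCompletion OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Specifies whether or not a cieTestCompletion
        trap should be issued on completion of test crypto session.
        If such a trap is desired, it is the responsibility of the
        management entity to ensure that the SNMP administrative
        model is configured in such a way as to allow the trap to
        be delivered."
    DEFVAL { false }
    ::= { cieTestConnEntry 4 }

-- The crypto map (name + tag) selects the policy the router applies:
-- algorithm, peer, and access list. Only maps already configured on the
-- router can be referenced; an unknown name yields badCryptoMapName.
cieTestConnCryptoMapName OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Specifies name of the crypto map already configured on the
        router. A crypto map along with its tag number fully
        specifies the encryption policy, such as type of algorithm to
        be used, the name of the peer router and access list."
    ::= { cieTestConnEntry 5 }

cieTestConnCryptoMapTagNumber OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Specifies tag number of the crypto map already configured on
        the router. A crypto map along with its tag number fully
        specifies the encryption policy, such as type of algorithm to
        be used, the name of the peer router and access list."
    ::= { cieTestConnEntry 6 }

-- Result of the test; the row is locked against modification while this
-- is inProgress (see cieTestConnEntryStatus).
cieTestConnSessionStatus OBJECT-TYPE
    SYNTAX      INTEGER {
                    inProgress(1),
                    fail(2),
                    success(3),
                    badCryptoMapName(4)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Set to a value that indicates whether a crypto session was
        successfully established, failed or the connection
        establishment process is in progress. If the specified crypto
        map is not configured, value is set to badCryptoMapName."
    ::= { cieTestConnEntry 7 }

-- NOTE(review): informational only. Nothing in this module ties write
-- access to the owner string; it records who created the row, it does
-- not restrict who may modify or delete it.
cieTestConnEntryOwner OBJECT-TYPE
    SYNTAX      OwnerString
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The entity that configured this entry."
    ::= { cieTestConnEntry 8 }

cieTestConnEntryStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The status of this table entry. Once the entry status is
        set to active, the associate entry cannot be modified until
        the sequence completes (cieTestConnSessionStatus has
        value other than inProgress )."
    DEFVAL { createAndGo }
    ::= { cieTestConnEntry 9 }

-- Notification prefix; traps are registered under cieMIBTrapPrefix 0 as
-- required for SNMPv1 trap-number compatibility.
cieMIBTrapPrefix OBJECT IDENTIFIER ::= { ciscoIpEncryptionMIB 2 }
cieMIBTraps      OBJECT IDENTIFIER ::= { cieMIBTrapPrefix 0 }

-- The only notification in this module. Its varbinds carry the
-- protected/unprotected address pair of the test, so the trap destination
-- learns internal addressing; see the delivery caveat on
-- cieTestConnTrapOnCompletion.
cieTestCompletion NOTIFICATION-TYPE
    OBJECTS {
        cieTestConnSessionStatus,
        cieTestConnProtectedAddr,
        cieTestConnUnprotectedAddr
    }
    STATUS      current
    DESCRIPTION
        "A cieTestCompletion trap is sent at the completion
        of a crypto session establishment if such a trap was requested
        when the sequence was initiated. "
    ::= { cieMIBTraps 1 }

-- conformance information
cieMIBConformance OBJECT IDENTIFIER ::= { ciscoIpEncryptionMIB 3 }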
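cieMIBCompliances OBJECT IDENTIFIER ::= { cieMIBConformance 1 }
cieMIBGroups      OBJECT IDENTIFIER ::= { cieMIBConformance 2 }

-- compliance statements

-- NOTE(review): the single mandatory group includes the read-create
-- cieTestConn* objects, so a compliant agent always exposes the writable
-- test-connection subtree. Operators should therefore restrict write
-- access to cieTestConnection in the SNMP access model rather than assume
-- it can be left unimplemented.
cieMIBCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        "The compliance statement for entities which implement
        the Cisco Encryption MIB"
    MODULE -- this module
        MANDATORY-GROUPS { cieMIBGroup }
    ::= { cieMIBCompliances 1 }

-- units of conformance

-- All accessible objects of the module; the not-accessible index columns
-- (cieConnIndex, cieTestConnSerialNumber) are correctly omitted.
cieMIBGroup OBJECT-GROUP
    OBJECTS {
        cieConfiguredAlgorithms,
        cieEncryptionKeyTimeout,
        cieNumberOfCryptoEngines,
        cieEngineID,
        cieEngineCardIndex,
        cieEnginePublicKey,
        cieEsaTampered,
        cieEsaAuthenticated,
        cieEsaMode,
        cieNumberOfConnections,
        cieProtectedAddr,
        cieUnprotectedAddr,
        cieConnStatus,
        ciePktsEncrypted,
        ciePktsDecrypted,
        ciePktsDropped,
        cieLocalTimeEstablished,
        cieAlgorithmType,
        cieTestConnProtectedAddr,
        cieTestConnUnprotectedAddr,
        cieTestConnTrapOnCompletion,
        cieTestConnCryptoMapName,
        cieTestConnCryptoMapTagNumber,
        cieTestConnSessionStatus,
        cieTestConnEntryOwner,
        cieTestConnEntryStatus
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects providing information about
        IP crypto subsystem."
    ::= { cieMIBGroups 1 }

END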