Re: Export IPsec flows via snmpd(8)
On 07.02.2018 at 12:39, Martin Pieuchot wrote:
> On 07/02/18(Wed) 12:18, Reyk Floeter wrote:
>> On 07.02.2018 at 11:23, Martin Pieuchot wrote:
>>> On 07/02/18(Wed) 01:37, Reyk Floeter wrote:
>>>> On 02.01.2018 at 15:23, Martin Pieuchot wrote:
>>>>> On 19/12/17(Tue) 18:06, Marco Pfatschbacher wrote:
>>>>>> On Tue, Dec 19, 2017 at 12:43:48PM +0100, Martin Pieuchot wrote:
>>>>>>> I'd like to see some information about my tunnels in my NMS.
>>>>>>
>>>>>> Nice. I would find that very useful :)
>>>>>>
>>>>>>> The problem is that there's no standard MIB for this and most vendor
>>>>>>> MIBs are huge and are not easy to implement.
>>>>>>
>>>>>> What about https://tools.ietf.org/html/rfc4807 ?
>>>>>
>>>>> This MIB is about the "Policy Database Configuration" which, as far as I
>>>>> understand, would be useful to export the content of isakmpd.policy(5).
>>>>
>>>> The Security Policy Database has nothing to do with isakmpd.policy or
>>>> keynote.
>>>
>>> You forgot the word "Configuration". Here's what the RFC abstract says:
>>>
>>> "This document defines a Structure of Management Information Version 2
>>> (SMIv2) Management Information Base (MIB) module for configuring the
>>> security policy database of a device implementing the IPsec protocol."
>>
>> It is still not related to isakmpd.policy ;)
>
> What are filters then? To me they map to policies defined in isakmpd.policy.

Yes and no. Our flows do have some filter actions (eg. "deny") but it is
not like the standard SPD. In some ways our IPsec is special because it
predated all of this crap. And the filters seem to have some pf-like
rules. But the SPD is what we call flows, no matter the differences.
There are n other places where this matters, for example compare pfkeyv2
KAME vs. OpenBSD.

>> You could implement it as read-only:
>
> Sure I could, but why should I?

It is always better to implement standard MIBs instead of custom or
semi-official ones. snmpd shouldn't have too many special ones.

But if you carefully considered it, while understanding some basic IPsec
terms, and opted for the other MIB for good reasons then I have no
problems with it.

Reyk
Re: Export IPsec flows via snmpd(8)
On 07/02/18(Wed) 12:18, Reyk Floeter wrote:
> On 07.02.2018 at 11:23, Martin Pieuchot wrote:
>> On 07/02/18(Wed) 01:37, Reyk Floeter wrote:
>>> On 02.01.2018 at 15:23, Martin Pieuchot wrote:
>>>> On 19/12/17(Tue) 18:06, Marco Pfatschbacher wrote:
>>>>> On Tue, Dec 19, 2017 at 12:43:48PM +0100, Martin Pieuchot wrote:
>>>>>> I'd like to see some information about my tunnels in my NMS.
>>>>>
>>>>> Nice. I would find that very useful :)
>>>>>
>>>>>> The problem is that there's no standard MIB for this and most vendor
>>>>>> MIBs are huge and are not easy to implement.
>>>>>
>>>>> What about https://tools.ietf.org/html/rfc4807 ?
>>>>
>>>> This MIB is about the "Policy Database Configuration" which, as far as I
>>>> understand, would be useful to export the content of isakmpd.policy(5).
>>>
>>> The Security Policy Database has nothing to do with isakmpd.policy or
>>> keynote.
>>
>> You forgot the word "Configuration". Here's what the RFC abstract says:
>>
>> "This document defines a Structure of Management Information Version 2
>> (SMIv2) Management Information Base (MIB) module for configuring the
>> security policy database of a device implementing the IPsec protocol."
>
> It is still not related to isakmpd.policy ;)

What are filters then? To me they map to policies defined in isakmpd.policy.

> You could implement it as read-only:

Sure I could, but why should I?
Re: Export IPsec flows via snmpd(8)
On 07.02.2018 at 11:23, Martin Pieuchot wrote:
> On 07/02/18(Wed) 01:37, Reyk Floeter wrote:
>> On 02.01.2018 at 15:23, Martin Pieuchot wrote:
>>> On 19/12/17(Tue) 18:06, Marco Pfatschbacher wrote:
>>>> On Tue, Dec 19, 2017 at 12:43:48PM +0100, Martin Pieuchot wrote:
>>>>> I'd like to see some information about my tunnels in my NMS.
>>>>
>>>> Nice. I would find that very useful :)
>>>>
>>>>> The problem is that there's no standard MIB for this and most vendor
>>>>> MIBs are huge and are not easy to implement.
>>>>
>>>> What about https://tools.ietf.org/html/rfc4807 ?
>>>
>>> This MIB is about the "Policy Database Configuration" which, as far as I
>>> understand, would be useful to export the content of isakmpd.policy(5).
>>
>> The Security Policy Database has nothing to do with isakmpd.policy or
>> keynote.
>
> You forgot the word "Configuration". Here's what the RFC abstract says:
>
> "This document defines a Structure of Management Information Version 2
> (SMIv2) Management Information Base (MIB) module for configuring the
> security policy database of a device implementing the IPsec protocol."

It is still not related to isakmpd.policy ;)

You could implement it as read-only:

    -- ReadOnly Compliances
    --

    spdRuleFilterReadOnlyCompliance MODULE-COMPLIANCE
        STATUS  current
        DESCRIPTION
            "The compliance statement for SNMP entities that include
            an IPsec MIB implementation with Endpoint, Rules, and
            filters support.

            If this MIB is implemented without support for read-create
            (i.e., in read-only), it is not in full compliance, but it
            can claim read-only compliance.  Such a device can then be
            monitored, but cannot be configured with this MIB."

Reyk

>> SPD is the standard term for what we call, for historic reasons, flows. In
>> other words: an IPsec flow in OpenBSD is an IPsec policy in other operating
>> systems.
>>
>> So RFC 4807 might be the right thing after all.
>
> I doubt it is, but I might have read the RFC differently than you did.
Re: Export IPsec flows via snmpd(8)
On 2018/02/07 11:23, Martin Pieuchot wrote:
> On 07/02/18(Wed) 01:37, Reyk Floeter wrote:
>> On 02.01.2018 at 15:23, Martin Pieuchot wrote:
>>> On 19/12/17(Tue) 18:06, Marco Pfatschbacher wrote:
>>>> On Tue, Dec 19, 2017 at 12:43:48PM +0100, Martin Pieuchot wrote:
>>>>> I'd like to see some information about my tunnels in my NMS.
>>>>
>>>> Nice. I would find that very useful :)
>>>>
>>>>> The problem is that there's no standard MIB for this and most vendor
>>>>> MIBs are huge and are not easy to implement.
>>>>
>>>> What about https://tools.ietf.org/html/rfc4807 ?
>>>
>>> This MIB is about the "Policy Database Configuration" which, as far as I
>>> understand, would be useful to export the content of isakmpd.policy(5).
>>
>> The Security Policy Database has nothing to do with isakmpd.policy or
>> keynote.
>
> You forgot the word "Configuration". Here's what the RFC abstract says:
>
> "This document defines a Structure of Management Information Version 2
> (SMIv2) Management Information Base (MIB) module for configuring the
> security policy database of a device implementing the IPsec protocol."
>
>> SPD is the standard term for what we call, for historic reasons, flows. In
>> other words: an IPsec flow in OpenBSD is an IPsec policy in other operating
>> systems.
>>
>> So RFC 4807 might be the right thing after all.
>
> I doubt it is, but I might have read the RFC differently than you did.

I haven't dug into the extensions mentioned ("This MIB is structured to
allow for reuse through the future creation of extension tables that
provide additional filters and/or actions. In fact, the companion
documents to this one ([IPsec-ACTION] and [IKE-ACTION]) do just that and
define IPsec- and IKE-specific actions to be used within this SPD
configuration MIB.") but from what I've read of 4807 it really looks
more like something intended for people using SNMP to set and display
configuration (which I think the world has _mostly_ moved on from now in
favour of simpler mechanisms..), rather than using it to monitor current
activity. And the actual parts included directly in 4807 itself look
more like firewall rule setting (drop, accept) than anything which looks
like our flows or keynote.

It's not uncommon with SNMP for the committee-specified MIBs to be quite
overcomplicated and a poor match to any particular implementation (they
often seem to try to please everyone and not really manage to please
anyone), so it's not really a surprise that outside a few of the older
areas, pretty much everyone just makes up their own.

An example of this from a different area. You'd imagine it would be
pretty straightforward to report sensor temperatures. The standard
temperature/sensor MIB (ENTITY-SENSOR-MIB) depends on ENTITY-MIB, which
needs fairly deep knowledge of the hardware platform and is all very
complicated. So in the real world this is what we have:

$ grep -Rli temperature /var/www/librenms/mibs | wc -l
331

Of course it's worth investigating to see if some standard can be used.
But it's often not the case. For practical use, unless there's something
which is a pretty close fit already, the only useful options are to
emulate a popular vendor (-> more likely to be handled by NMS), or DIY
(will need work to handle, but at least you get sane data without having
to squeeze it into a different shaped box)..
Re: Export IPsec flows via snmpd(8)
On 07/02/18(Wed) 01:37, Reyk Floeter wrote:
> On 02.01.2018 at 15:23, Martin Pieuchot wrote:
>> On 19/12/17(Tue) 18:06, Marco Pfatschbacher wrote:
>>> On Tue, Dec 19, 2017 at 12:43:48PM +0100, Martin Pieuchot wrote:
>>>> I'd like to see some information about my tunnels in my NMS.
>>>
>>> Nice. I would find that very useful :)
>>>
>>>> The problem is that there's no standard MIB for this and most vendor
>>>> MIBs are huge and are not easy to implement.
>>>
>>> What about https://tools.ietf.org/html/rfc4807 ?
>>
>> This MIB is about the "Policy Database Configuration" which, as far as I
>> understand, would be useful to export the content of isakmpd.policy(5).
>
> The Security Policy Database has nothing to do with isakmpd.policy or
> keynote.

You forgot the word "Configuration". Here's what the RFC abstract says:

"This document defines a Structure of Management Information Version 2
(SMIv2) Management Information Base (MIB) module for configuring the
security policy database of a device implementing the IPsec protocol."

> SPD is the standard term for what we call, for historic reasons, flows. In
> other words: an IPsec flow in OpenBSD is an IPsec policy in other operating
> systems.
>
> So RFC 4807 might be the right thing after all.

I doubt it is, but I might have read the RFC differently than you did.
Re: Export IPsec flows via snmpd(8)
On 02.01.2018 at 15:23, Martin Pieuchot wrote:
> On 19/12/17(Tue) 18:06, Marco Pfatschbacher wrote:
>> On Tue, Dec 19, 2017 at 12:43:48PM +0100, Martin Pieuchot wrote:
>>> I'd like to see some information about my tunnels in my NMS.
>>
>> Nice. I would find that very useful :)
>>
>>> The problem is that there's no standard MIB for this and most vendor
>>> MIBs are huge and are not easy to implement.
>>
>> What about https://tools.ietf.org/html/rfc4807 ?
>
> This MIB is about the "Policy Database Configuration" which, as far as I
> understand, would be useful to export the content of isakmpd.policy(5).

The Security Policy Database has nothing to do with isakmpd.policy or
keynote.

SPD is the standard term for what we call, for historic reasons, flows. In
other words: an IPsec flow in OpenBSD is an IPsec policy in other operating
systems.

So RFC 4807 might be the right thing after all.

Reyk

> I'm more interested in something like the "IPsec Flow Monitoring"
> https://www.ietf.org/archive/id/draft-ietf-ipsec-flow-monitoring-mib-02.txt
> However this is an archived & expired draft.
>
> So I looked at both Cisco & Juniper MIBs, but implementing any of them
> is a lot of work and does not always make sense with our IPsec stack.
> That's why I'm asking for inputs :)
>
Re: Export IPsec flows via snmpd(8)
On 19/12/17(Tue) 12:43, Martin Pieuchot wrote: > I'd like to see some information about my tunnels in my NMS. The > problem is that there's not standard MIB for this and most vendor > MIBs are huge and are not easy to implement. > > So here's a diff that export the equivalent of "$ ipsecctl -s flow". > I'm basically gluing ipsecctl(8) internals into snmpd(8). > > It can be considered as a first step towards a more complete solution. > So I'd like to hear from people interested to export IPsec information > via SNMP, what would like to see and do you have a preferred format? Here's an updated diff including a MIB. I'm still looking for comments and inputs. I'm now considering implementing CISCO-IPSEC-FLOW-MONITOR mib since that would give us out of the box support for many NMS, including libreNMS. However this is a lot of work. Index: usr.sbin/snmpd/Makefile === RCS file: /cvs/src/usr.sbin/snmpd/Makefile,v retrieving revision 1.15 diff -u -p -r1.15 Makefile --- usr.sbin/snmpd/Makefile 3 Jul 2017 22:21:47 - 1.15 +++ usr.sbin/snmpd/Makefile 17 Oct 2017 12:04:16 - @@ -4,7 +4,8 @@ PROG= snmpd MAN= snmpd.8 snmpd.conf.5 SRCS= parse.y ber.c log.c control.c snmpe.c \ mps.c trap.c mib.c smi.c kroute.c snmpd.c timer.c \ - pf.c proc.c usm.c agentx.c traphandler.c util.c + pf.c proc.c usm.c agentx.c traphandler.c util.c \ + ipsec.c pfkey.c LDADD= -levent -lutil -lkvm -lcrypto DPADD= ${LIBEVENT} ${LIBUTIL} Index: usr.sbin/snmpd/ipsec.c === RCS file: usr.sbin/snmpd/ipsec.c diff -N usr.sbin/snmpd/ipsec.c --- /dev/null 1 Jan 1970 00:00:00 - +++ usr.sbin/snmpd/ipsec.c 6 Feb 2018 16:12:41 - 
@@ -0,0 +1,105 @@ +/* $OpenBSD$ */ + +/* + * Copyright (c) 2004, 2005 Hans-Joerg Hoexer + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include +#include +#include +#include + +#include +#include + +#include +#include +#include +#include + +#include "snmpd.h" +#include "ipsec.h" + +const char *direction[] = {"?", "in", "out"}; +const char *flowtype[] = {"?", "use", "acquire", "require", "deny", +"bypass", "dontacq"}; +const char *satype[] = {"?", "esp", "ah", "ipcomp", "tcpmd5", "ipip"}; +const char *auth[] = {"?", "psk", "rsa"}; + +struct ipsec_rule * +ipsec_get_rule(uint32_t idx) +{ + struct ipsecctl ipsec; + struct ipsec_rule *r, *rule = NULL; + + memset(&ipsec, 0, sizeof(ipsec)); + TAILQ_INIT(&ipsec.rule_queue); + ipsec_get_rules(&ipsec); + + while ((r = TAILQ_FIRST(&ipsec.rule_queue)) != NULL) { + TAILQ_REMOVE(&ipsec.rule_queue, r, rule_entry); + if ((r->nr + 1) == idx) + rule = r; + else + free(r); + } + + return rule; +} + +void +ipsec_get_rules(struct ipsecctl *ipsec) +{ + struct sadb_msg *msg; + struct ipsec_rule *rule; + int mib[4]; + size_t need; + char*buf, *lim, *next; + + mib[0] = CTL_NET; + mib[1] = PF_KEY; + mib[2] = PF_KEY_V2; + mib[3] = NET_KEY_SPD_DUMP; + + if (sysctl(mib, 4, NULL, &need, NULL, 0) == -1) + err(1, "%s: sysctl", __func__); + if (need == 0) + 
return; + if ((buf = malloc(need)) == NULL) + err(1, "%s: malloc", __func__); + if (sysctl(mib, 4, buf, &need, NULL, 0) == -1) + err(1, "%s: sysctl", __func__); + lim = buf + need; + + for (next = buf; next < lim; next += msg->sadb_msg_len * + PFKEYV2_CHUNK) { + msg = (struct sadb_msg *)next; + if (msg->sadb_msg_len == 0) + break; + + rule = calloc(1, sizeof(struct ipsec_rule)); + if (rule == NULL) + err(1, "%s: calloc", __func__); + rule->nr = ipsec->rule_nr++; + rule->type |= RULE_FLOW; + + if (pfkey_parse(msg, rule)) + errx(1, "%s: failed to parse PF_KEY message", __func__); + +
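Review bot: the PF_KEY walk in ipsec_get_rules() casts next to a struct sadb_msg with only `next < lim` checked, so a dump whose last chunk is shorter than a message header is read past lim, and sadb_msg_len is trusted for the loop stride before anything checks that `msg->sadb_msg_len * PFKEYV2_CHUNK` fits in `lim - next`; guard both (`if (lim - next < sizeof(*msg)) break;` before the cast, and a length check before pfkey_parse()) so a short or malformed SPD dump cannot walk the parser off the end of buf. Separately, ipsec_get_rule() re-runs the full NET_KEY_SPD_DUMP sysctl and re-parses every flow for each single OID it is asked for, then frees all rules but one; a table walk over n flows therefore costs n complete dumps, so keeping the parsed rule_queue for the duration of a request would keep the cost linear.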
Re: Export IPsec flows via snmpd(8)
On 19/12/17(Tue) 18:06, Marco Pfatschbacher wrote:
> On Tue, Dec 19, 2017 at 12:43:48PM +0100, Martin Pieuchot wrote:
>> I'd like to see some information about my tunnels in my NMS.
>
> Nice. I would find that very useful :)
>
>> The problem is that there's no standard MIB for this and most vendor
>> MIBs are huge and are not easy to implement.
>
> What about https://tools.ietf.org/html/rfc4807 ?

This MIB is about the "Policy Database Configuration" which, as far as I
understand, would be useful to export the content of isakmpd.policy(5).

I'm more interested in something like the "IPsec Flow Monitoring"
https://www.ietf.org/archive/id/draft-ietf-ipsec-flow-monitoring-mib-02.txt
However this is an archived & expired draft.

So I looked at both Cisco & Juniper MIBs, but implementing any of them
is a lot of work and does not always make sense with our IPsec stack.
That's why I'm asking for inputs :)
Re: [EXTERNAL] Export IPsec flows via snmpd(8)
Marco's reference to RFC4807 looks interesting. I started reading it
yesterday afternoon; it appears to be much more extensive, including
packet filter information.

-----Original Message-----
From: Martin Pieuchot [mailto:m...@openbsd.org]
Sent: Wednesday, December 20, 2017 4:22 AM
To: Eichert, Diana
Cc: tech@openbsd.org
Subject: Re: [EXTERNAL] Export IPsec flows via snmpd(8)

On 19/12/17(Tue) 13:40, Eichert, Diana wrote:
> tech lurker here, long time NMS/EMS admin
>
> I did not see diffs to an OpenBSD MIB file. I assume that will be included
> in a "more complete solution"?

Yes, I did not want to spend some time writing a MIB if the format is
going to change.

I know that many readers on this list already have their own way to
export IPsec data via SNMP, so I hope to get some inputs/recommendations.
Re: [EXTERNAL] Export IPsec flows via snmpd(8)
On 19/12/17(Tue) 13:40, Eichert, Diana wrote:
> tech lurker here, long time NMS/EMS admin
>
> I did not see diffs to an OpenBSD MIB file. I assume that will be included
> in a "more complete solution"?

Yes, I did not want to spend some time writing a MIB if the format is
going to change.

I know that many readers on this list already have their own way to
export IPsec data via SNMP, so I hope to get some inputs/recommendations.
Re: Export IPsec flows via snmpd(8)
On Tue, Dec 19, 2017 at 12:43:48PM +0100, Martin Pieuchot wrote:
> I'd like to see some information about my tunnels in my NMS.

Nice. I would find that very useful :)

> The problem is that there's no standard MIB for this and most vendor
> MIBs are huge and are not easy to implement.

What about https://tools.ietf.org/html/rfc4807 ?

Marco
Re: [EXTERNAL] Export IPsec flows via snmpd(8)
If I can find a free hour or so I can put something together for the MIB file. That seems about the right sort of information to me anyway - lifetimes might be useful too though. On 2017/12/19 13:40, Eichert, Diana wrote: > tech lurker here, long time NMS/EMS admin > > I did not see diffs to an OpenBSD MIB file. I assume that will be included > in a "more complete solution"? > > diana > > -Original Message- > From: owner-t...@openbsd.org [mailto:owner-t...@openbsd.org] On Behalf Of > Martin Pieuchot > Sent: Tuesday, December 19, 2017 4:44 AM > To: tech@openbsd.org > Subject: [EXTERNAL] Export IPsec flows via snmpd(8) > > I'd like to see some information about my tunnels in my NMS. The problem is > that there's not standard MIB for this and most vendor MIBs are huge and are > not easy to implement. > > So here's a diff that export the equivalent of "$ ipsecctl -s flow". > I'm basically gluing ipsecctl(8) internals into snmpd(8). > > It can be considered as a first step towards a more complete solution. > So I'd like to hear from people interested to export IPsec information via > SNMP, what would like to see and do you have a preferred format? > > Comments? Oks? > > SNIP > > === > RCS file: /cvs/src/usr.sbin/snmpd/mib.c,v retrieving revision 1.85 diff -u -p > -r1.85 mib.c > --- mib.c 18 Dec 2017 05:51:53 - 1.85 > +++ mib.c 19 Dec 2017 11:29:01 - > @@ -1422,6 +1422,7 @@ int mib_carpifnum(struct oid *, struct > struct carpif > *mib_carpifget(u_int); > int mib_memiftable(struct oid *, struct ber_oid *, struct ber_element **); > +int mib_ipsecflow(struct oid *, struct ber_oid *, struct ber_element **); > > static struct oid openbsd_mib[] = { > { MIB(pfMIBObjects),OID_MIB }, 
> @@ -1633,6 +1634,26 @@ static struct oid openbsd_mib[] = { > { MIB(carpIfAdvbase), OID_TRD, mib_carpiftable }, > { MIB(carpIfAdvskew), OID_TRD, mib_carpiftable }, > { MIB(carpIfState), OID_TRD, mib_carpiftable }, > + { MIB(ipsecMIBObjects), OID_MIB }, > + { MIB(ipsecFlowSAType), OID_TRD, mib_ipsecflow }, > + { MIB(ipsecFlowDirection), OID_TRD, mib_ipsecflow }, > + { MIB(ipsecFlowFromAddr), OID_TRD, mib_ipsecflow }, > + { MIB(ipsecFlowFromMask), OID_TRD, mib_ipsecflow }, > + { MIB(ipsecFlowSPort), OID_TRD, mib_ipsecflow }, > + { MIB(ipsecFlowToAddr), OID_TRD, mib_ipsecflow }, > + { MIB(ipsecFlowToMask), OID_TRD, mib_ipsecflow }, > + { MIB(ipsecFlowDPort), OID_TRD, mib_ipsecflow }, > +#if notyet > + /* Unprivileged user cannot see commented out information. */ > + { MIB(ipsecFlowLocal), OID_TRD, mib_ipsecflow }, > +#endif > + { MIB(ipsecFlowPeer), OID_TRD, mib_ipsecflow }, > +#if notyet > + { MIB(ipsecFlowAuthSrcID), OID_TRD, mib_ipsecflow }, > + { MIB(ipsecFlowAuthDstID), OID_TRD, mib_ipsecflow }, > + { MIB(ipsecFlowAuthType), OID_TRD, mib_ipsecflow }, > +#endif > + { MIB(ipsecFlowType), OID_TRD, mib_ipsecflow }, > { MIB(memMIBObjects), OID_MIB }, > { MIB(memMIBVersion), OID_RD, mps_getint, NULL, NULL, > OIDVER_OPENBSD_MEM }, > @@ -2831,7 +2852,6 @@ mib_carpiftable(struct oid *oid, struct > > /* Get and verify the current row index */ > idx = o->bo_id[OIDIDX_carpIfEntry]; > - > if ((cif = mib_carpifget(idx)) == NULL) > return (1); > > @@ -2877,10 +2897,12 @@ mib_memiftable(struct oid *oid, struct b > u_int32_tidx = 0; > struct kif *kif; > > + /* Get and verify the current row index */ > idx = o->bo_id[OIDIDX_memIfEntry]; > if ((kif = mib_ifget(idx)) == NULL) > return (1); > > + /* Tables need to prepend the OID on their own */ > o->bo_id[OIDIDX_memIfEntry] = kif->if_index; > ber = ber_add_oid(ber, o); 
> > @@ -2891,6 +2913,110 @@ mib_memiftable(struct oid *oid, struct b > case 2: > ber = ber_add_integer(ber, 0); > ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64); > + break; > + default: > + return (-1); > + } > + > + return (0); > +} > + > +#include "ipsec.h" > + > +int > +mib_ipsecflow(struct oid *oid, struct ber_oid *o, struct ber_element > +**elm) { > + struct ber_element *ber = *elm; > + struct ipsec_rule *
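Review bot: the mib_carpiftable and mib_memiftable hunks (the removed blank line after `idx = o->bo_id[OIDIDX_carpIfEntry];` and the two added "Get and verify the current row index" / "Tables need to prepend the OID on their own" comments) are unrelated to the IPsec export and would be easier to review and revert as a separate cleanup commit; keep this diff to the new openbsd_mib[] rows and mib_ipsecflow(). Also, the new table gets no row-count scalar in the way the CARP table has mib_carpifnum(), so an NMS has to walk the whole table to learn how many flows exist; a count object next to ipsecMIBObjects would be cheap to add.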
Re: [EXTERNAL] Export IPsec flows via snmpd(8)
tech lurker here, long time NMS/EMS admin I did not see diffs to an OpenBSD MIB file. I assume that will be included in a "more complete solution"? diana -Original Message- From: owner-t...@openbsd.org [mailto:owner-t...@openbsd.org] On Behalf Of Martin Pieuchot Sent: Tuesday, December 19, 2017 4:44 AM To: tech@openbsd.org Subject: [EXTERNAL] Export IPsec flows via snmpd(8) I'd like to see some information about my tunnels in my NMS. The problem is that there's not standard MIB for this and most vendor MIBs are huge and are not easy to implement. So here's a diff that export the equivalent of "$ ipsecctl -s flow". I'm basically gluing ipsecctl(8) internals into snmpd(8). It can be considered as a first step towards a more complete solution. So I'd like to hear from people interested to export IPsec information via SNMP, what would like to see and do you have a preferred format? Comments? Oks? SNIP === RCS file: /cvs/src/usr.sbin/snmpd/mib.c,v retrieving revision 1.85 diff -u -p -r1.85 mib.c --- mib.c 18 Dec 2017 05:51:53 - 1.85 +++ mib.c 19 Dec 2017 11:29:01 - @@ -1422,6 +1422,7 @@ intmib_carpifnum(struct oid *, struct struct carpif *mib_carpifget(u_int); int mib_memiftable(struct oid *, struct ber_oid *, struct ber_element **); +int mib_ipsecflow(struct oid *, struct ber_oid *, struct ber_element **); static struct oid openbsd_mib[] = { { MIB(pfMIBObjects),OID_MIB }, 
@@ -1633,6 +1634,26 @@ static struct oid openbsd_mib[] = { { MIB(carpIfAdvbase), OID_TRD, mib_carpiftable }, { MIB(carpIfAdvskew), OID_TRD, mib_carpiftable }, { MIB(carpIfState), OID_TRD, mib_carpiftable }, + { MIB(ipsecMIBObjects), OID_MIB }, + { MIB(ipsecFlowSAType), OID_TRD, mib_ipsecflow }, + { MIB(ipsecFlowDirection), OID_TRD, mib_ipsecflow }, + { MIB(ipsecFlowFromAddr), OID_TRD, mib_ipsecflow }, + { MIB(ipsecFlowFromMask), OID_TRD, mib_ipsecflow }, + { MIB(ipsecFlowSPort), OID_TRD, mib_ipsecflow }, + { MIB(ipsecFlowToAddr), OID_TRD, mib_ipsecflow }, + { MIB(ipsecFlowToMask), OID_TRD, mib_ipsecflow }, + { MIB(ipsecFlowDPort), OID_TRD, mib_ipsecflow }, +#if notyet + /* Unprivileged user cannot see commented out information. */ + { MIB(ipsecFlowLocal), OID_TRD, mib_ipsecflow }, +#endif + { MIB(ipsecFlowPeer), OID_TRD, mib_ipsecflow }, +#if notyet + { MIB(ipsecFlowAuthSrcID), OID_TRD, mib_ipsecflow }, + { MIB(ipsecFlowAuthDstID), OID_TRD, mib_ipsecflow }, + { MIB(ipsecFlowAuthType), OID_TRD, mib_ipsecflow }, +#endif + { MIB(ipsecFlowType), OID_TRD, mib_ipsecflow }, { MIB(memMIBObjects), OID_MIB }, { MIB(memMIBVersion), OID_RD, mps_getint, NULL, NULL, OIDVER_OPENBSD_MEM }, @@ -2831,7 +2852,6 @@ mib_carpiftable(struct oid *oid, struct /* Get and verify the current row index */ idx = o->bo_id[OIDIDX_carpIfEntry]; - if ((cif = mib_carpifget(idx)) == NULL) return (1); @@ -2877,10 +2897,12 @@ mib_memiftable(struct oid *oid, struct b u_int32_tidx = 0; struct kif *kif; + /* Get and verify the current row index */ idx = o->bo_id[OIDIDX_memIfEntry]; if ((kif = mib_ifget(idx)) == NULL) return (1); + /* Tables need to prepend the OID on their own */ o->bo_id[OIDIDX_memIfEntry] = kif->if_index; ber = ber_add_oid(ber, o); 
@@ -2891,6 +2913,110 @@ mib_memiftable(struct oid *oid, struct b case 2: ber = ber_add_integer(ber, 0); ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64); + break; + default: + return (-1); + } + + return (0); +} + +#include "ipsec.h" + +int +mib_ipsecflow(struct oid *oid, struct ber_oid *o, struct ber_element +**elm) { + struct ber_element *ber = *elm; + struct ipsec_rule *r; + u_int32_tval, idx = 0; + + /* Get and verify the current row index */ + idx = o->bo_id[OIDIDX_ipsecFlowEntry]; + if ((r = ipsec_get_rule(idx)) == NULL) + return (1); + + /* Tables need to prepend the OID on their own */ + o->bo_id[OIDIDX_ipsecFlowEntry] = r->nr; + ber = ber_add_oid(ber, o); + + switch (o->bo_id[OIDIDX_ipsecFlow]) { + case 1: /* satype */ + ber = ber_add_string(ber, satype[r->satype]); + break; + case 2: /* direction */ + ber = ber_add_string(ber, direction[r->direction]); + brea
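Review bot: mib_ipsecflow() indexes satype[] and direction[] with r->satype and r->direction straight from the parsed rule and without a range check; satype[] has six entries and direction[] three (ipsec.c), so any value pfkey_parse() does not normalise reads past the array. Clamp to index 0 (the "?" entry) when the value is out of range, e.g. `ber_add_string(ber, r->satype < nitems(satype) ? satype[r->satype] : satype[0])`, and do the same for flowtype[] and auth[] behind the ipsecFlowType and ipsecFlowAuthType rows. Note also that `o->bo_id[OIDIDX_ipsecFlowEntry] = r->nr` writes the zero-based rule number back as the row index, so the first flow becomes row 0 (`ipsecFlowSAType.0`); SNMP table indexes start at 1, so the row index should be nr + 1 here and ipsec_get_rule() should look up idx - 1 (the updated diff's `(r->nr + 1) == idx` test does the second half of this).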
Export IPsec flows via snmpd(8)
I'd like to see some information about my tunnels in my NMS. The problem is that there's not standard MIB for this and most vendor MIBs are huge and are not easy to implement. So here's a diff that export the equivalent of "$ ipsecctl -s flow". I'm basically gluing ipsecctl(8) internals into snmpd(8). It can be considered as a first step towards a more complete solution. So I'd like to hear from people interested to export IPsec information via SNMP, what would like to see and do you have a preferred format? Comments? Oks? Index: Makefile === RCS file: /cvs/src/usr.sbin/snmpd/Makefile,v retrieving revision 1.15 diff -u -p -r1.15 Makefile --- Makefile3 Jul 2017 22:21:47 - 1.15 +++ Makefile17 Oct 2017 12:04:16 - @@ -4,7 +4,8 @@ PROG= snmpd MAN= snmpd.8 snmpd.conf.5 SRCS= parse.y ber.c log.c control.c snmpe.c \ mps.c trap.c mib.c smi.c kroute.c snmpd.c timer.c \ - pf.c proc.c usm.c agentx.c traphandler.c util.c + pf.c proc.c usm.c agentx.c traphandler.c util.c \ + ipsec.c pfkey.c LDADD= -levent -lutil -lkvm -lcrypto DPADD= ${LIBEVENT} ${LIBUTIL} Index: ipsec.c === RCS file: ipsec.c diff -N ipsec.c --- /dev/null 1 Jan 1970 00:00:00 - +++ ipsec.c 19 Dec 2017 11:31:51 - 
@@ -0,0 +1,105 @@ +/* $OpenBSD$ */ + +/* + * Copyright (c) 2004, 2005 Hans-Joerg Hoexer + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include +#include +#include +#include + +#include +#include + +#include +#include +#include +#include + +#include "snmpd.h" +#include "ipsec.h" + +const char *direction[] = {"?", "in", "out"}; +const char *flowtype[] = {"?", "use", "acquire", "require", "deny", +"bypass", "dontacq"}; +const char *satype[] = {"?", "esp", "ah", "ipcomp", "tcpmd5", "ipip"}; +const char *auth[] = {"?", "psk", "rsa"}; + +struct ipsec_rule * +ipsec_get_rule(uint32_t idx) +{ + struct ipsecctl ipsec; + struct ipsec_rule *r, *rule = NULL; + + memset(&ipsec, 0, sizeof(ipsec)); + TAILQ_INIT(&ipsec.rule_queue); + ipsec_get_rules(&ipsec); + + while ((r = TAILQ_FIRST(&ipsec.rule_queue)) != NULL) { + TAILQ_REMOVE(&ipsec.rule_queue, r, rule_entry); + if (r->nr == idx) + rule = r; + else + free(r); + } + + return rule; +} + +void +ipsec_get_rules(struct ipsecctl *ipsec) +{ + struct sadb_msg *msg; + struct ipsec_rule *rule; + int mib[4]; + size_t need; + char*buf, *lim, *next; + + mib[0] = CTL_NET; + mib[1] = PF_KEY; + mib[2] = PF_KEY_V2; + mib[3] = NET_KEY_SPD_DUMP; + + if (sysctl(mib, 4, NULL, &need, NULL, 0) == -1) + err(1, "%s: sysctl", __func__); + if (need == 0) + return; 
+ if ((buf = malloc(need)) == NULL) + err(1, "%s: malloc", __func__); + if (sysctl(mib, 4, buf, &need, NULL, 0) == -1) + err(1, "%s: sysctl", __func__); + lim = buf + need; + + for (next = buf; next < lim; next += msg->sadb_msg_len * + PFKEYV2_CHUNK) { + msg = (struct sadb_msg *)next; + if (msg->sadb_msg_len == 0) + break; + + rule = calloc(1, sizeof(struct ipsec_rule)); + if (rule == NULL) + err(1, "%s: calloc", __func__); + rule->nr = ipsec->rule_nr++; + rule->type |= RULE_FLOW; + + if (pfkey_parse(msg, rule)) + errx(1, "%s: failed to parse PF_KEY message", __func__); + + TAILQ_INSERT_TAIL(&ipsec->rule_queue, rule, rule_entry); + } + + free(buf); +} Index: ipsec.h === RCS file: ipsec.h diff -N ipsec.h --- /dev/null 1 Jan 1970 00:00:00 - +++ ipsec.h 19 Dec 2017 11:33:09 - @@ -0,0 +1,116 @@ +/* $OpenBSD: ipsecctl.h,v 1.71 2017/04/19 15:59:38 bluhm Exp $ */ +/* + * Copyright (c) 2004
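Review bot: ipsec_get_rules() calls err(1, ...) on a failed sysctl or malloc and errx(1, ...) on any PF_KEY message pfkey_parse() rejects; inside snmpd that terminates the daemon, and with it all monitoring, because of one transient failure or one odd SPD entry. Return an error instead: make ipsec_get_rules() return int, log with the log_warn()/log_warnx() helpers from log.c that the rest of snmpd uses, and have ipsec_get_rule() hand back NULL so the existing `return (1)` path in the table handler covers it. Minor: ipsec.h still carries ipsecctl.h's RCS id (`$OpenBSD: ipsecctl.h,v 1.71 2017/04/19 15:59:38 bluhm Exp $`); it should be a plain `$OpenBSD$` like ipsec.c.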