Midcom Working Group                                        P. Srisuresh
INTERNET-DRAFT                                      Caymas Systems, Inc.
Category: Standards Track                                   October 2003
Expires: April 20, 2003

          SNMP managed objects for Middlebox Communications (MIDCOM)

Status of this Memo

This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

Copyright Notice

Copyright (C) The Internet Society (2003). All Rights Reserved.

Abstract

Middlebox communication (midcom) was conceived to move application level gateway (ALG) intelligence out of middleboxes into application-specific midcom agents. Midcom agents are assumed to use midcom to control middlebox resources so as to permit applications to traverse a middlebox. The scope of the middleboxes is limited to NAT and firewall devices. This document defines SNMP managed midcom objects to control middlebox resources and justifies adapting SNMPv3 as the midcom protocol.

Srisuresh                                                       [Page 1]

Internet-Draft                 Midcom MIB                   October 2003

Table of Contents

   1. Overview.......................................................2
   2. Terminology....................................................3
   2.1. "Midcom agent" or "agent"....................................3
   2.2. SNMP agent...................................................3
   2.3. NAT session..................................................3
   3. SNMP Management Framework......................................4
   4. MIDCOM Overview and SNMP Applicability.........................4
   5. SNMP and the MIDCOM data model.................................5
   5.1 Secure Communications........................................7
   5.2 Device Configuration.........................................8
   5.3 Service Configuration........................................8
   5.4 Midcom compatibility requirements on NAT and Firewall........9
   6. Midcom MIB....................................................10
   7. Security Considerations.......................................45
   8. Acknowledgements..............................................45
   9. References....................................................45
   Normative References.............................................45
   Informative References...........................................47
   Author's address.................................................48
   Full Copyright Statement.........................................48

1. Overview

The principal objective of this document is to describe how SNMPv3 may be adapted as the MIDCOM protocol. The MIDCOM MIB is defined to facilitate transactions between a midcom agent and a middlebox. The scope of the middleboxes considered in the document is limited to NAT and firewall devices. This document refers to external documents for the NAT and firewall MIBs and states the compliance criteria those external MIBs must meet to be MIDCOM compliant.

Section 1 provides an overview of the SNMP Management Framework. Section 2 provides further background on SNMP and its applicability to the MIDCOM Protocol Framework, Requirements and semantics. Section 3 provides a high level overview of the SNMPv3 protocol, the MIB data model and their applicability together as a MIDCOM protocol. Section 6 describes the midcom MIB in detail.

2. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

The Midcom terms used throughout this document are mostly as per RFC 3303. The NAT terms used in the document are mostly as per RFC 2663. The definition of the term "Symmetric NAT" may be found in RFC 3489. Symmetric NAT is a variation of NAPT in that a port bind is not retained across multiple sessions from the same private source port. The following terms, used extensively in the document, are reiterated here for clarity.

2.1. "Midcom agent" or "agent"

A midcom agent, hereafter referred to simply as an agent, is an entity performing ALG functions, logically external to a middlebox. MIDCOM agents possess a combination of application awareness and knowledge of the middlebox function. A midcom agent may be located anywhere in the end-to-end path of an application, including on the middlebox itself. The exact interface through which a midcom agent engages in a midcom session with the middlebox is irrelevant to the enforcement of midcom.

2.2. SNMP agent

An SNMP agent is an entity on a middlebox servicing SNMP requests from SNMP applications, including midcom agents.

2.3. NAT session

A NAT session is an association between a session as seen in the private realm and a session as seen in the public realm, by virtue of NAT translation. If a session in the private realm were to be represented as (PrivateSrcAddr, PrivateDstAddr, TransportProtocol, PrivateSrcPort, PrivateDstPort) and the same session in the public realm were to be represented as (PublicSrcAddr, PublicDstAddr, TransportProtocol, PublicSrcPort, PublicDstPort), the NAT session provides the translation glue between the two session representations.

3. SNMP Management Framework

For a detailed overview of the documents that describe the current Internet-Standard (SNMP) Management Framework, please refer to section 7 of RFC 3410 [RFC3410].

Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. MIB objects are generally accessed through the Simple Network Management Protocol (SNMP). Objects in the MIB are defined using the mechanisms defined in the Structure of Management Information (SMI). This memo specifies a MIB module that is compliant to the SMIv2, which is described in STD 58, RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 [RFC2580].

4. MIDCOM Overview and SNMP Applicability

The MIDCOM architecture and framework [RFC3303] defines a model in which trusted third parties can be delegated to assist middleboxes in performing their operations, without requiring application intelligence to be embedded in the middleboxes. This trusted third party is referred to as the MIDCOM Agent. The MIDCOM protocol is defined between the MIDCOM agent and the middlebox.

The SNMP management framework provides functions equivalent to those defined by the MIDCOM framework, although there are a few architectural differences. For SNMP, application intelligence is captured in MIB modules, rather than in the messaging protocol. MIB modules define a data model of the information that can be collected and configured for managed functionality. The SNMP messaging protocol transports the data in a standardized format without needing to understand the semantics of the data being transferred. The endpoints of the communication understand the semantics of the data.

Traditionally, the SNMP endpoints have been called Manager and Agent. An SNMP manager is an entity capable of generating requests and receiving notifications, and an SNMP agent is an entity capable of responding to requests and generating notifications.
As applied to the MIDCOM framework, the SNMP Manager corresponds to the MIDCOM agent and the SNMP Agent corresponds to the Middlebox.

The MIDCOM protocol is divided into three phases, per section 4 of [RFC3303]:

   . Session Setup
   . Run-time (involving real-time configuration of the middlebox)
   . Session Termination

A MIDCOM session is defined to be a lasting association between a MIDCOM agent and a middlebox. The MIDCOM agent should initiate the session prior to the start of the application. Although the SNMP management framework does not have the concept of a session, session-like associations can be established through the use of managed objects.

Requests from the MIDCOM agent to the Middlebox are performed using read/write access to managed objects defined in MIB modules. The middlebox (SNMP agent) responds to requests by sending an SNMP response message indicating the success or failure of the request. The MIDCOM agent (SNMP manager) MAY verify this information by reading or polling the corresponding managed objects.

The MIDCOM Protocol semantics [MDCSEM] defines two basic transaction types: request transactions and notify transactions. SNMPv3 uses the architecture detailed in [RFC3411], where all SNMP entities are capable of performing certain functions, such as the generation of requests, response to requests, the generation of asynchronous notifications and the receipt of notifications. SNMP is used to read and manipulate a virtual database (the MIB), which is composed of objects representing commands, controls, status, and statistics, defined in managed-application-specific MIB modules.

5. SNMPv3 for use as MIDCOM protocol

The following diagram (Figure 1) shows the operational model assumed by the MIDCOM protocol. Requirements on the Midcom protocol are identified by the MIDCOM protocol framework, requirements and semantics documents.
Specification of policies via the MIDCOM PDP is outside the scope of the MIDCOM protocol and is omitted from the discussion in the remainder of this document.

[Figure 1: operational model assumed by the MIDCOM protocol. The Application hosts the MIDCOM agent. Application requests flow from the MIDCOM agent down to the Middlebox and asynchronous notifications flow back up, both over the Middlebox Communication Protocol (MIDCOM). Inside the Middlebox, the Middlebox Communication Protocol (MIDCOM) Interface (managed objects a. and b.) drives the Dynamic Device/Service Configuration (managed objects c.). A MIDCOM PDP holding Policy attaches to the middlebox through the MIDCOM PDP Interface.]

Legend:
   .... Middlebox Communication Protocol (MIDCOM)
   //// MIDCOM PDP Interface (outside scope of this document)
   **** Managed objects relevant to the MIDCOM Interface (with the associated letters referencing the MIB modules potentially applicable, summarized below)

5.1 SNMP MIB data model on a middlebox

The following diagram (Figure 2) restates the Midcom operational model when SNMPv3 is adapted as the Midcom protocol. The SNMP based model below includes the midcom MIB and middlebox function MIB objects. These MIBs are described in detail in the remainder of this document.

[Figure 2: SNMPv3 operating as the Midcom protocol. The Application hosts the MIDCOM agent; application requests (via SNMPv3) flow down to the Middlebox and asynchronous notifications (via SNMPv3) flow back up. On the Middlebox, the SNMP-v3 Agent is backed by the SNMP object Database and dispatches (a.) to the MIDCOM MIB & MIB methods, whose MIB methods in turn access the MIDCOM-compliant Nat MIB & MIB methods and the MIDCOM-compliant Firewall MIB & MIB methods.]

Legend:
   .... SNMP used as the MIDCOM protocol
   ---- Interface between the SNMP agent and the MIB modules.
   **** The MIB methods of the Midcom MIB accessing middlebox function specific objects.

5.2 Secure Communications

MIDCOM requirements include mutual authentication, message integrity checking, timeliness checking to prevent replay, message encryption, and authorization controls to ensure only certain agents can modify certain subsets of middlebox configurations. MIDCOM requires secure request-response capabilities and secure notifications. SNMPv3 is designed to provide secure communications between two end-points. SNMPv3 defines MIB modules to allow the monitoring and configuration of all these security features. They are defined in RFC3411-RFC3418, and RFC3410 provides an overview of these capabilities.

5.3 Midcom functions

The Midcom MIB does not assume a middlebox to have implemented MIBs (standard or vendor proprietary) for NAT and firewall functions. Middlebox functions may be configured and managed independently of the midcom MIB. However, the midcom MIB will carry rule-change parameters and a pointer to the FW/NAT MIB objects (even if vendor proprietary). The FW and NAT MIBs actually contain the detailed objects.
For instance, multiple agents might end up using the same NAT BIND, yet each agent might define its own Lifetime parameter and directionality for the bind. As a result, the agent-specific Bind identifier is set uniquely, independent of the NAT native bind, while the agent-specific bind retains a pointer to the NAT bind.

The Midcom MIB below is designed to meet the midcom requirements (RFC 3304). A set of MIB objects, one per middlebox resource type, is defined to run midcom transactions. The resulting resources, along with rule-changing parameters and a pointer to the FW/NAT MIB objects, are maintained as MIB tables, one for each resource type. Also defined are group-based transaction objects and group tables, as required by RFC 3304.

5.3.1 Agent registration for notification

midcomAgentTable is designed to include all the agents that engage in a midcom session with the middlebox. Each active row of the table corresponds to a midcom agent. The agent includes the notify parameters within this row to allow the middlebox to send asynchronous notifications back to the agent. Also included is an agent-unique Middlebox Identifier that the middlebox should use to identify itself during notifications.

5.3.2 Middlebox Configuration for midcom

Not every middlebox is required to enable midcom on all its interfaces. midcomConfig is designed to configure midcom on a per-interface basis on a middlebox.

5.3.3 Midcom transactions and relevant tables

Midcom transactions may be divided into group transactions and resource transactions. A transaction is atomic, and the results of a transaction are saved into the relevant tables at the end of the transaction. The results of a transaction conducted by an agent may be reviewed at any time prior to that agent executing another transaction of the same kind.
midcomTransGroupTable is defined to allow multiple agents to simultaneously add or delete group identifiers and set group-wide parameters such as LifeTime and MaxIdletime. Results of the transaction are transferred into midcomGroupTable for later reference and further parameter modification by the agent.

midcomTransBindTable, midcomTransNatSessionTable, and midcomTransFilterTable are defined to allow multiple agents to simultaneously request middlebox resources and set parameters such as LifeTime and MaxIdletime. Results of the transactions are transferred respectively into the relevant resource table, namely midcomBindTable, midcomNatSessionTable and midcomFilterTable, for later reference and further parameter modification by the agent.

5.4 Midcom compatibility requirements on NAT and Firewall

Middlebox function resources (bind, NatSession and firewall filter) are now required to carry an additional LifeTime parameter. Given that several agents may refer to the same resource (e.g. a bind) and each agent may choose to control the lifetime, MaxIdleTime and bind orientation as appropriate for that agent, the middlebox function is now required to use a superset of the settings. Further, a new AgentCount will be required to track the number of agents referring to a certain resource. For notification, middlebox functions might retain a pointer to the first active agent, and the active agents referring to the same resource might link between themselves. Doing this ensures that Midcom is able to send notifications to all affected agents when required to do so by the middlebox function.

Agent precedence and inter-agent overlap on the use of resources can be particularly tricky in the case of firewall rules. For example, essentially the same filter can be configured by multiple agents with different priorities (assume that highest or lowest is all that a midcom transaction will specify).
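The multi-agent handling described in this section, as an added Python model that is not part of the draft or of any middlebox implementation: several agents register (each receiving a midcomAgentIndexNext value that is never handed out twice), each creates its own bind row that points at one shared NAT-native bind, a per-agent lifetime or MaxIdleTime of 0 falls back to the agent's group default (the rule the MIB below gives for midcomBindLifetime and midcomBindMaxIdleTime), and the NAT function runs the shared bind with the superset of all referencing agents' settings, tracks the AgentCount, and notifies every referencing agent when the bind goes away. Class and method names, the "inbound"/"outbound" strings standing in for NatTranslationEntity, and all time values (TimeInterval units, hundredths of a second) are my own constructed assumptions.

```python
"""Toy model of the per-agent midcom resource tables and the section 5.4
superset rule. Added example: names and sample values are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class GroupRow:
    """One midcomGroupTable row: group-wide defaults (TimeInterval units)."""
    lifetime: int
    max_idle: int


@dataclass
class AgentBindRow:
    """One midcomBindTable row: a single agent's view of a NAT bind."""
    group_id: int       # 0 = the bind belongs to no group
    lifetime: int       # 0 = inherit the group default
    max_idle: int       # 0 = inherit the group default
    direction: str      # stands in for midcomBindTranslationEntity (assumed)
    nat_bind_id: int    # pointer to the NAT-native bind (midcomBindMBId)


@dataclass
class NatBind:
    """NAT-native bind shared by every agent that refers to it."""
    bind_id: int
    refs: List[Tuple[int, int]] = field(default_factory=list)  # (agent, midcom bind id)


class Middlebox:
    DIRECTIONS = {"inbound", "outbound"}

    def __init__(self) -> None:
        self._next_agent = 1
        self._next_bind = 1
        self.agents: Dict[int, int] = {}                      # agent index -> midcomAgentMBId
        self.groups: Dict[Tuple[int, int], GroupRow] = {}     # (agent, group id)
        self.binds: Dict[Tuple[int, int], AgentBindRow] = {}  # (agent, midcom bind id)
        self.nat_binds: Dict[int, NatBind] = {}
        self.notifications: List[Tuple[int, int, int, str]] = []  # (agent, MBId, bind, event)

    def agent_index_next(self) -> int:
        """midcomAgentIndexNext semantics: an index is never re-issued."""
        idx = self._next_agent
        self._next_agent += 1
        return idx

    def register_agent(self, mb_id: int) -> int:
        """Create a midcomAgentTable row; mb_id is the agent-chosen identifier."""
        idx = self.agent_index_next()
        self.agents[idx] = mb_id
        return idx

    def trans_group(self, agent: int, group_id: int, lifetime: int, max_idle: int) -> None:
        """Group transaction: the result lands in midcomGroupTable."""
        if agent not in self.agents:
            raise KeyError(f"unknown agent {agent}")
        self.groups[(agent, group_id)] = GroupRow(lifetime, max_idle)

    def trans_bind(self, agent: int, nat_bind_id: int, direction: str,
                   group_id: int = 0, lifetime: int = 0, max_idle: int = 0) -> int:
        """Bind transaction: an agent-specific row pointing at the NAT-native bind."""
        if agent not in self.agents:
            raise KeyError(f"unknown agent {agent}")
        if direction not in self.DIRECTIONS:
            raise ValueError(f"bad direction {direction!r}")
        if group_id and (agent, group_id) not in self.groups:
            raise KeyError(f"agent {agent} has no group {group_id}")
        bind_id = self._next_bind
        self._next_bind += 1
        self.binds[(agent, bind_id)] = AgentBindRow(group_id, lifetime, max_idle, direction, nat_bind_id)
        self.nat_binds.setdefault(nat_bind_id, NatBind(nat_bind_id)).refs.append((agent, bind_id))
        return bind_id

    def effective(self, agent: int, bind_id: int) -> Tuple[int, int]:
        """Resolve one agent's (lifetime, max_idle); 0 falls back to the group default."""
        row = self.binds[(agent, bind_id)]
        grp = self.groups.get((agent, row.group_id))
        lifetime = row.lifetime or (grp.lifetime if grp else 0)
        max_idle = row.max_idle or (grp.max_idle if grp else 0)
        return lifetime, max_idle

    def nat_bind_settings(self, nat_bind_id: int) -> dict:
        """Section 5.4 rule: the NAT bind runs with the superset of all agents' settings."""
        nb = self.nat_binds[nat_bind_id]
        lifetimes, idles, dirs = [], [], set()
        for agent, bind_id in nb.refs:
            lt, mi = self.effective(agent, bind_id)
            lifetimes.append(lt)
            idles.append(mi)
            dirs.add(self.binds[(agent, bind_id)].direction)
        return {"agent_count": len(nb.refs), "lifetime": max(lifetimes),
                "max_idle": max(idles), "directions": sorted(dirs)}

    def nat_bind_expired(self, nat_bind_id: int) -> int:
        """The NAT function dropped the bind: notify every referencing agent."""
        nb = self.nat_binds.pop(nat_bind_id)
        for agent, bind_id in nb.refs:
            self.notifications.append((agent, self.agents[agent], bind_id, "bindExpired"))
            del self.binds[(agent, bind_id)]
        return len(nb.refs)


def demo() -> dict:
    """Two agents share NAT bind 42 (constructed values: 6000 = 60 s)."""
    mb = Middlebox()
    a1, a2 = mb.register_agent(1001), mb.register_agent(2002)
    mb.trans_group(a1, 7, lifetime=6000, max_idle=3000)   # group defaults
    mb.trans_bind(a1, 42, "outbound", group_id=7)         # inherits 6000 / 3000
    mb.trans_bind(a2, 42, "inbound", lifetime=12000, max_idle=1500)
    return mb.nat_bind_settings(42)


if __name__ == "__main__":
    print(demo())
```

Running the file prints the settings the NAT function must apply to bind 42: the longest lifetime and idle time of any referencing agent and the union of directions, so the shared bind outlives what either agent asked for on its own. That cross-agent coupling is why section 5.4 requires the AgentCount and the agent linkage for notifications.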
When overlapping filters are installed this way, the last rule takes precedence, potentially overruling the previous agent transactions. Further, when some of the filters are specific and some are more general, there can be undesired ordering of the filters. Agents are advised to include specific rules, so as not to overrule or be overridden by other filter rules.

6. Midcom MIB

The Midcom MIB provides a means for midcom agents to control middlebox resources and for the middlebox to asynchronously notify the midcom agents of relevant state changes. Midcom agents learn of the functions present on the middlebox using this MIB.

midcom-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Integer32,
    Unsigned32, Gauge32, Counter64, TimeTicks, mib-2
        FROM SNMPv2-SMI                              -- RFC 2578
    TEXTUAL-CONVENTION, StorageType, RowStatus, TimeInterval
        FROM SNMPv2-TC                               -- RFC 2579
    MODULE-COMPLIANCE, NOTIFICATION-GROUP, OBJECT-GROUP
        FROM SNMPv2-CONF                             -- RFC 2580
    ifIndex, InterfaceIndex
        FROM IF-MIB                                  -- RFC 2863
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB                      -- RFC 3411
    InetAddressType, InetAddress, InetPortNumber
        FROM INET-ADDRESS-MIB                        -- RFC 3291
    NatTranslationEntity, NatBindId, NatBindIdOrZero, NatSessionId
        FROM NAT-MIB;

midcomMIB MODULE-IDENTITY
    LAST-UPDATED "200310200000Z"
    ORGANIZATION "IETF Midcom Working Group"
    CONTACT-INFO
        "WG charter:
            http://www.ietf.org/html.charters/midcom-charter.html
         Mailing Lists:
            General Discussion: midcom@ietf.org
            To Subscribe:       midcom-request@ietf.org
            In Body:            subscribe your_email_address
         Author:
            Pyda Srisuresh
            1179-A North McDowell Blvd.
            Petaluma, CA 94954
            Tel:   (707) 283-5063
            Email: srisuresh@yahoo.com
        "
    DESCRIPTION
        "This MIB module defines the managed objects for midcom."
    REVISION "200310200000Z"   -- 20th Sept. 2003
    DESCRIPTION
        "Initial version of this MIB module."
    ::= { mib-2 XXX }   -- RFC Ed.: replace XXX with IANA-assigned
                        -- number & remove this note

midcomMIBObjects OBJECT IDENTIFIER ::= { midcomMIB 1 }

--
-- Four Groups
--
--  o midcomConfig       - Configuration of a middlebox for midcom access.
--  o midcomAgentInfo    - Active agent info, including the info necessary
--                         for asynchronous notification.
--  o midcomTables       - Results of agent initiated transactions are
--                         saved into relevant tables for later reference
--                         and parameter modification by the agents.
--  o midcomTransactions - Midcom agent initiated transactions.
--
midcomConfig        OBJECT IDENTIFIER ::= { midcomMIBObjects 1 }
midcomAgentInfo     OBJECT IDENTIFIER ::= { midcomMIBObjects 2 }
midcomTables        OBJECT IDENTIFIER ::= { midcomMIBObjects 3 }
midcomTransactions  OBJECT IDENTIFIER ::= { midcomMIBObjects 4 }

--
-- Textual conventions used
--
MidcomMBFunctionEnum ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "An enumeration of Middlebox functions that are supported by the
         midcom protocol. Inclusion of values is not intended to imply
         that those functions need to be supported. Any change in this
         TEXTUAL-CONVENTION should also be reflected in the definition of
         MidcomMBFunctionBITS (the type of the midcomConfMBFunctionType
         object), which is a BITS representation of this
         TEXTUAL-CONVENTION."
    SYNTAX      INTEGER {
                    none     (1),   -- not specified
                    nat      (2),
                    firewall (3)
                }

MidcomMBFunctionBITS ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "A BITS representation of Middlebox functions for which MIDCOM is
         enabled on a middlebox. Any change in this TEXTUAL-CONVENTION
         should also be reflected in the definition of
         MidcomMBFunctionEnum, which is an enumeration of the middlebox
         functions supported."
    SYNTAX      BITS {
                    nat      (0),
                    firewall (1)
                }

MidcomMBResource ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "An enumeration of Middlebox function specific resource types that
         are supported by the midcom protocol. Inclusion of values is not
         intended to imply that those functions need to be supported."
    SYNTAX      INTEGER {
                    none           (1),   -- not specified
                    natBind        (2),
                    natSession     (3),
                    firewallFilter (4)
                }

MidcomAgentIndex ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "A unique id that is assigned to each midcom session by the
         middlebox."
    SYNTAX      Unsigned32 (1..4294967295)

MidcomBindMode ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "An indication of whether a bind is an address bind or a port
         bind."
    SYNTAX      INTEGER {
                    addressBind (1),
                    portBind    (2)
                }

--
-- midcomConfig - The Configuration Group
-- The per-interface Midcom Configuration Table
--
midcomConfInterfaceTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF MidcomConfInterfaceEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table specifies the midcom configuration attributes per
         interface on a device supporting midcom access."
    ::= { midcomConfig 1 }

midcomConfInterfaceEntry OBJECT-TYPE
    SYNTAX      MidcomConfInterfaceEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry in the midcomConfInterfaceTable holds a set of Midcom
         configuration parameters pertaining to an interface."
    INDEX { ifIndex }
    ::= { midcomConfInterfaceTable 1 }

MidcomConfInterfaceEntry ::= SEQUENCE {
    midcomConfMBFunctionType  MidcomMBFunctionBITS,
    midcomConfStorageType     StorageType,
    midcomConfRowStatus       RowStatus
}

midcomConfMBFunctionType OBJECT-TYPE
    SYNTAX      MidcomMBFunctionBITS
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Middlebox functions for which Midcom processing is enabled."
    ::= { midcomConfInterfaceEntry 1 }

midcomConfStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this conceptual row."
    REFERENCE
        "Textual Conventions for SMIv2, Section 2."
    DEFVAL { nonVolatile }
    ::= { midcomConfInterfaceEntry 2 }

midcomConfRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The status of this conceptual row. None of the objects in this
         row may be modified while the value of this object is
         active(1)."
    REFERENCE
        "Textual Conventions for SMIv2, Section 2."
    ::= { midcomConfInterfaceEntry 3 }

--
-- midcomAgentInfo - Agent specific tables managed by the midcom MIB.
--
midcomAgentIndexNext OBJECT-TYPE
    SYNTAX      MidcomAgentIndex
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "When retrieved, this object returns an unused index into the
         Agent table for the USM user that issued the read-request. The
         returned value can be used for creating a new entry in the
         midcomAgentTable. The same return value also serves to create
         new entries in the midcomTransGroup, midcomTransBind,
         midcomTransSession and midcomTransFilter tables. In all these
         tables, the first index is set to the AgentIndex returned here
         and is read-only.

         A value returned when reading this object is not returned again
         on subsequent read-requests as long as possible. This ensures
         that the same USM user can engage in multiple independent midcom
         sessions with the middlebox. Each midcom agent might be
         responsible for a different application."
    ::= { midcomAgentInfo 1 }

--
-- midcomAgentTable - Agent Registration with the Middlebox, with all
-- the requisite information for notification.
--
midcomAgentTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF MidcomAgentEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Lists the active Midcom agents."
    ::= { midcomAgentInfo 2 }

midcomAgentEntry OBJECT-TYPE
    SYNTAX      MidcomAgentEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry in the midcomAgentTable pertains to a midcom agent.
         Parameters associated with the midcom agent are stored in this
         table. Each entry contains objects describing where
         notifications are to be sent to the MIDCOM agent."
    INDEX { midcomAgentIndex }
    ::= { midcomAgentTable 1 }

MidcomAgentEntry ::= SEQUENCE {
    midcomAgentIndex     MidcomAgentIndex,
    midcomAgentName      SnmpAdminString,
    midcomAgentMBId      Unsigned32,
    midcomAgentAddrType  InetAddressType,
    midcomAgentAddress   InetAddress,
    midcomAgentPort      InetPortNumber,
    midcomAgentStatus    RowStatus
}

midcomAgentIndex OBJECT-TYPE
    SYNTAX      MidcomAgentIndex
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A middlebox-unique index or Identifier for each midcom agent in
         the Table. This object allows the same USM user to engage in
         multiple midcom sessions, perhaps one for each application.
         Each midcom agent will have a unique agentIndex."
    ::= { midcomAgentEntry 1 }

midcomAgentName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE (1..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The name of the SNMP manager that represents the midcom agent
         in this midcomAgentTable."
    ::= { midcomAgentEntry 2 }

midcomAgentMBId OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "An agent-unique Identifier issued by the agent to the
         middlebox. This identifier is to be used by the middlebox
         during asynchronous notifications to the agent."
    ::= { midcomAgentEntry 3 }

midcomAgentAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies the address type used for
         midcomAgentAddress."
    ::= { midcomAgentEntry 4 }

midcomAgentAddress OBJECT-TYPE
    SYNTAX      InetAddress (SIZE (0..20))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object represents the network layer address of the Midcom
         agent. This address, in conjunction with midcomAgentAddrType
         and the UDP port midcomAgentPort, may be used by the middlebox
         functions for asynchronous notification to the agent.
" ::= { midcomAgentEntry 5 } midcomAgentPort OBJECT-TYPE SYNTAX InetPortNumber, MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object represents the UDP port of the Midcom agent. The combinations of (AddressType, Address, Port) are to be used by the middlebox functions for asynchronous notification to the agent. " ::= { midcomAgentEntry 6 } midcomAgentStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "The status of this conceptual row. Objects in this row may be modified while the value of this object is active(1)." REFERENCE "Textual Conventions for SMIv2, Section 2 ::= { midcomAgentEntry 7 } -- -- midcomTables - Results of agent initiated transactions -- are saved into relevant tables for later -- reference and parameter modification by -- the agents. -- -- -- midcomGroupTable Srisuresh [Page 18] Internet-Draft Midcom MIB October 2003 -- group Ids per each agent. -- midcomGroupTable OBJECT-TYPE SYNTAX SEQUENCE OF MidcomGroupEntry MAX-ACCESS read-only STATUS current DESCRIPTION "Lists the groups registered by each agent." ::= { midcomTables 1 } midcomGroupEntry OBJECT-TYPE SYNTAX MidcomGroupEntry MAX-ACCESS read-only STATUS current DESCRIPTION "Each entry in the GroupTable holds a unique tuple of parameters associated with a group Identifier. Group identifiers are registered by an agent with midcom." 
    INDEX { midcomGroupAgentIndex, midcomGroupMBResource,
            midcomGroupGroupId }
    ::= { midcomGroupTable 1 }

MidcomGroupEntry ::= SEQUENCE {
    midcomGroupAgentIndex    MidcomAgentIndex,
    midcomGroupMBResource    MidcomMBResource,
    midcomGroupGroupId       Unsigned32,
    midcomGroupLifetime      TimeInterval,
    midcomGroupMaxIdletime   TimeInterval,
    midcomGroupStatus        RowStatus
}

midcomGroupAgentIndex OBJECT-TYPE
    SYNTAX      MidcomAgentIndex
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Unique identifier for an agent in the table."
    ::= { midcomGroupEntry 1 }

midcomGroupMBResource OBJECT-TYPE
    SYNTAX      MidcomMBResource
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Middlebox resource type for which the GroupId is
        registered by the agent."
    ::= { midcomGroupEntry 2 }

midcomGroupGroupId OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique group identifier registered by the agent for
        the resource the agent owns."
    ::= { midcomGroupEntry 3 }

midcomGroupLifetime OBJECT-TYPE
    SYNTAX      TimeInterval
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Default lifetime of the resources that are assigned
        this group Id."
    ::= { midcomGroupEntry 4 }

midcomGroupMaxIdletime OBJECT-TYPE
    SYNTAX      TimeInterval
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Default MaxIdletime of the resources that are assigned
        this group Id."
    ::= { midcomGroupEntry 5 }

midcomGroupStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The status of this conceptual row.  Objects in this row
        may be modified while the value of this object is
        active(1)."
    REFERENCE
        "Textual Conventions for SMIv2, Section 2"
    ::= { midcomGroupEntry 6 }

--
-- midcomBindTable
-- Bind Ids managed by each agent.
--

midcomBindTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF MidcomBindEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Lists NAT binds owned by each agent."
    ::= { midcomTables 2 }

midcomBindEntry OBJECT-TYPE
    SYNTAX      MidcomBindEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry in the BindTable holds a unique tuple of
        parameters associated with a bind."
    INDEX { midcomBindAgentIndex, midcomBindGroupId, midcomBindId }
    ::= { midcomBindTable 1 }

MidcomBindEntry ::= SEQUENCE {
    midcomBindAgentIndex          MidcomAgentIndex,
    midcomBindGroupId             Unsigned32,
    midcomBindId                  NatBindId,
    midcomBindLifetime            TimeInterval,
    midcomBindMaxIdletime         TimeInterval,
    midcomBindIfIndex             InterfaceIndex,
    midcomBindTranslationEntity   NatTranslationEntity,
    midcomBindMBId                NatBindId,
    midcomBindMode                MidcomBindMode,
    midcomBindStatus              RowStatus
}

midcomBindAgentIndex OBJECT-TYPE
    SYNTAX      MidcomAgentIndex
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Unique identifier for an agent in the table."
    ::= { midcomBindEntry 1 }

midcomBindGroupId OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Group identifier assigned to this bind resource.  A value
        of 0 implies that the bind does not belong to a group."
    ::= { midcomBindEntry 2 }

midcomBindId OBJECT-TYPE
    SYNTAX      NatBindId
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Unique bind identifier assigned to this midcom bind
        resource.  This identifier is independent of the bind
        identifier midcomBindMBId that is managed by the NAT
        middlebox."
    ::= { midcomBindEntry 3 }

midcomBindLifetime OBJECT-TYPE
    SYNTAX      TimeInterval
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Lifetime of the bind resource.  When this is set to 0 and
        GroupId is set to non-zero, the lifetime of the GroupId is
        used to determine the lifetime of this resource."
    ::= { midcomBindEntry 4 }

midcomBindMaxIdletime OBJECT-TYPE
    SYNTAX      TimeInterval
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "MaxIdletime of the bind resource.  When this is set to 0
        and GroupId is set to non-zero, the MaxIdletime of the
        GroupId is used to determine the MaxIdletime of this
        resource."
    ::= { midcomBindEntry 5 }

midcomBindIfIndex OBJECT-TYPE
    SYNTAX      InterfaceIndex
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Interface index for which the bind is defined.  This
        value may be set to 0 to mean any IP interface on the
        middlebox.  This value may also be set to 0 when the
        middlebox has just one interface on which midcom is
        configured."
    ::= { midcomBindEntry 6 }

midcomBindTranslationEntity OBJECT-TYPE
    SYNTAX      NatTranslationEntity
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object represents the direction of the session for
        which this bind is applicable and the entity within the
        first packet that is subject to translation."
    ::= { midcomBindEntry 7 }

midcomBindMBId OBJECT-TYPE
    SYNTAX      NatBindId
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Unique bind identifier managed by the NAT middlebox
        function.  This identifier is independent of the bind
        identifier midcomBindId that is used in conjunction with
        midcom.  Multiple midcomBindIds may be associated with the
        same midcomBindMBId."
    ::= { midcomBindEntry 8 }

midcomBindMode OBJECT-TYPE
    SYNTAX      MidcomBindMode
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Indicates whether the bind is an address bind or a port
        bind."
    ::= { midcomBindEntry 9 }

midcomBindStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The status of this conceptual row.  Objects in this row
        may be modified while the value of this object is
        active(1)."
    REFERENCE
        "Textual Conventions for SMIv2, Section 2"
    ::= { midcomBindEntry 10 }
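The group and bind tables above, and the NAT session table that follows, share one timer rule: a row's own Lifetime or MaxIdletime applies when it is non-zero, otherwise the default registered for the row's GroupId applies. The following Python model is an added example, not code from the draft or from any midcom implementation; the class and function names are this example's own. TimeInterval values are hundredths of a second, as in RFC 2579. Two behaviours the draft leaves unstated are assumptions made here: a resource that names a group its agent never registered is rejected, and a resource that ends up with neither a lifetime nor an idle bound is rejected rather than installed with no expiry at all.

```python
"""Added example, not part of the draft: an in-memory model of the
timer rules shared by midcomGroupTable, midcomBindTable and
midcomNatSessionTable.  All names here are this example's own."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GroupKey = Tuple[int, str, int]     # midcomGroupTable INDEX: agent, MB resource, group id
ResourceKey = Tuple[int, int, int]  # midcomBindTable INDEX: agent, group id, bind/session id


@dataclass
class Group:
    lifetime: int      # midcomGroupLifetime, hundredths of a second
    max_idle: int      # midcomGroupMaxIdletime


@dataclass
class Resource:
    agent: int
    mb_resource: str   # the midcomGroupMBResource the group was registered for
    group_id: int      # 0: no group membership
    lifetime: int      # 0: inherit the group's lifetime
    max_idle: int      # 0: inherit the group's max idle time
    created: int       # time stamps, also in hundredths of a second
    last_activity: int


class MidcomModule:
    """The middlebox side: groups registered by agents and the binds or
    NAT sessions those agents own."""

    def __init__(self) -> None:
        self.groups: Dict[GroupKey, Group] = {}
        self.resources: Dict[ResourceKey, Resource] = {}

    def group_add(self, agent: int, mb_resource: str, group_id: int,
                  lifetime: int, max_idle: int) -> bool:
        # Assumption: a group is only useful with non-zero defaults, and
        # group id 0 is reserved to mean "no group" in the resource tables.
        if group_id == 0 or lifetime <= 0 or max_idle <= 0:
            return False
        self.groups[(agent, mb_resource, group_id)] = Group(lifetime, max_idle)
        return True

    def group_delete(self, agent: int, mb_resource: str, group_id: int) -> bool:
        return self.groups.pop((agent, mb_resource, group_id), None) is not None

    def effective_timers(self, r: Resource) -> Optional[Tuple[int, int]]:
        """Timers the middlebox enforces for a row: the row's own value
        when non-zero, otherwise the default of its group."""
        grp = None
        if r.group_id:
            grp = self.groups.get((r.agent, r.mb_resource, r.group_id))
            if grp is None:
                return None      # unknown group for this agent (assumption: reject)
        lifetime = r.lifetime or (grp.lifetime if grp else 0)
        max_idle = r.max_idle or (grp.max_idle if grp else 0)
        if lifetime == 0 or max_idle == 0:
            return None          # nothing would ever expire it (assumption: reject)
        return lifetime, max_idle

    def add_resource(self, resource_id: int, r: Resource) -> bool:
        if self.effective_timers(r) is None:
            return False
        self.resources[(r.agent, r.group_id, resource_id)] = r
        return True

    def sweep(self, now: int) -> List[ResourceKey]:
        """Drop every row whose lifetime or idle timer has run out, or
        whose group was deleted underneath it; returns the removed keys."""
        gone: List[ResourceKey] = []
        for key, r in self.resources.items():
            timers = self.effective_timers(r)
            if timers is None:
                gone.append(key)
                continue
            lifetime, max_idle = timers
            if now - r.created >= lifetime or now - r.last_activity >= max_idle:
                gone.append(key)
        for key in gone:
            del self.resources[key]
        return gone


if __name__ == "__main__":
    mb = MidcomModule()
    mb.group_add(agent=1, mb_resource="nat", group_id=7, lifetime=6000, max_idle=3000)
    mb.add_resource(100, Resource(1, "nat", 7, 0, 0, created=0, last_activity=0))
    print(mb.sweep(now=2999), mb.sweep(now=3000))  # [] then [(1, 7, 100)]: 30 s idle elapsed
```

The sweep is the part worth keeping in mind when reviewing a middlebox implementation: a bind or session that an agent installs with Lifetime 0 and GroupId 0 has no timer of its own and no group default to fall back on, so it must be refused rather than left open indefinitely.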
--
-- midcomNatSessionTable
-- NAT session Ids per each agent.
--

midcomNatSessionTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF MidcomNatSessionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Lists NAT sessions owned by each agent."
    ::= { midcomTables 3 }

midcomNatSessionEntry OBJECT-TYPE
    SYNTAX      MidcomNatSessionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry in the NatSessionTable holds a unique tuple of
        parameters associated with a NAT session."
    INDEX { midcomNatSessionAgentIndex, midcomNatSessionGroupId,
            midcomNatSessionId }
    ::= { midcomNatSessionTable 1 }

MidcomNatSessionEntry ::= SEQUENCE {
    midcomNatSessionAgentIndex    MidcomAgentIndex,
    midcomNatSessionGroupId       Unsigned32,
    midcomNatSessionId            NatSessionId,
    midcomNatSessionLifetime      TimeInterval,
    midcomNatSessionMaxIdletime   TimeInterval,
    midcomNatSessionIfIndex       InterfaceIndex,
    midcomNatSessionStatus        RowStatus
}

midcomNatSessionAgentIndex OBJECT-TYPE
    SYNTAX      MidcomAgentIndex
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Unique identifier for an agent in the table."
    ::= { midcomNatSessionEntry 1 }

midcomNatSessionGroupId OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Group identifier assigned to this resource.  A value of 0
        implies that the session does not belong to a group."
    ::= { midcomNatSessionEntry 2 }

midcomNatSessionId OBJECT-TYPE
    SYNTAX      NatSessionId
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Unique session identifier assigned to this midcom NAT
        session resource.  This identifier is the same as the
        session identifier that is managed by the NAT middlebox."
    ::= { midcomNatSessionEntry 3 }

midcomNatSessionLifetime OBJECT-TYPE
    SYNTAX      TimeInterval
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Lifetime of the session.  When this is set to 0 and
        GroupId is set to non-zero, the lifetime of the GroupId is
        used to determine the lifetime of this resource."
    ::= { midcomNatSessionEntry 4 }

midcomNatSessionMaxIdletime OBJECT-TYPE
    SYNTAX      TimeInterval
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "MaxIdletime of the session.  When this is set to 0 and
        GroupId is set to non-zero, the MaxIdletime of the GroupId
        is used to determine the MaxIdletime of this resource."
    ::= { midcomNatSessionEntry 5 }

midcomNatSessionIfIndex OBJECT-TYPE
    SYNTAX      InterfaceIndex
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Interface index on which the session is defined.  This
        value may be set to 0 to mean any IP interface on the
        middlebox.  This value may also be set to 0 when the
        middlebox has just one interface on which midcom is
        configured."
    ::= { midcomNatSessionEntry 6 }

midcomNatSessionStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The status of this conceptual row.  Objects in this row
        may be modified while the value of this object is
        active(1)."
    REFERENCE
        "Textual Conventions for SMIv2, Section 2"
    ::= { midcomNatSessionEntry 7 }

--
-- midcomTransactions
-- The transaction group
-- Transactions issued by the midcom agents
-- to the midcom MIB module.
--

--
-- Textual conventions used
--

MidcomInvocationStatus ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "Allows invocation and status queries."
    SYNTAX      INTEGER {
                    neverInvoked(1),
                    performOperation(2),
                    inProgress(3),
                    success(4),
                    failure(5)
                }

MidcomGroupCommand ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "The choice of operations on groups.

        add command:
            The midcom agent uses this command to specify the
            group identifiers and associated parameters it wishes
            to use during the midcom session.  In case of success,
            the GroupId is tracked by the midcom module in
            midcomGroupTable.  There is no ill effect in case of
            failure.

        delete command:
            The midcom agent uses this command to remove a group
            identifier from its list of valid group Ids.  In case
            of success, the GroupId is deleted from
            midcomGroupTable."
    SYNTAX      INTEGER {
                    add(1),
                    delete(2)
                }

MidcomBindCommand ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "The choice of operations on NAT binds.

        reserveBindInboundSrc, reserveBindInboundDst,
        reserveBindOutboundSrc, reserveBindOutboundDst:
            Reserve an address or port bind, given the interface
            and a source or destination endpoint in either the
            private or the public address realm.

        reserveBindInboundSrcOrOutboundDst,
        reserveBindInboundDstOrOutboundSrc:
            Reserve an address or port bind, given the interface
            and a source or destination endpoint in either the
            private or the public address realm.  The bind is set
            to be bi-directional.

        reserveBind2InboundSrc, reserveBind2InboundDst,
        reserveBind2OutboundSrc, reserveBind2OutboundDst:
            Reserve two port binds, given the interface index and
            a source or destination endpoint in either the private
            or the public address realm.  The two ports assigned
            for the two port binds are to be contiguous and of the
            oddity specified by the oddity parameter.  If the bind
            assigned turns out to be an address bind, one address
            bind suffices, independent of the port oddity
            requirement.

        reserveBind2InboundSrcInboundDst,
        reserveBind2OutboundSrcOutboundDst:
            Reserve two binds, as in a twice NAT, given the
            interface index and the session tuple in the private
            or the public realm."
    SYNTAX      INTEGER {
                    reserveBindInboundSrc(1),
                    reserveBindInboundDst(2),
                    reserveBindOutboundSrc(3),
                    reserveBindOutboundDst(4),
                    reserveBindInboundSrcOrOutboundDst(5),
                    reserveBindInboundDstOrOutboundSrc(6),
                    reserveBind2InboundSrc(7),
                    reserveBind2InboundDst(8),
                    reserveBind2OutboundSrc(9),
                    reserveBind2OutboundDst(10),
                    reserveBind2InboundSrcInboundDst(11),
                    reserveBind2OutboundSrcOutboundDst(12)
                }

MidcomNatSessionCommand ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "The choice of commands on NAT sessions."
    SYNTAX      INTEGER {
                    createNatSession(1)
                }

MidcomTransInOutFlags ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "A BITS representation used to specify the relevant
        parameters supplied as input in a command request, or
        returned in a command response."
    SYNTAX      BITS {
                    privateAddrType(0),
                    privateSrcAddr(1),
                    privateSrcPort(2),
                    privateDstAddr(3),
                    privateDstPort(4),
                    globalAddrType(5),
                    globalSrcAddr(6),
                    globalSrcPort(7),
                    globalDstAddr(8),
                    globalDstPort(9),
                    groupId(10),
                    lifetime(11),
                    maxIdletime(12),
                    privateSrcBind(13),
                    privateDstBind(14)
                }

MidcomSessionDirection ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "Describes the direction of a session relative to an
        interface."
    SYNTAX      INTEGER {
                    inbound(1),
                    outbound(2)
                }

midcomTransGroupTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF MidcomTransGroupEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This lists group based transactions, one per agent."
    ::= { midcomTransactions 1 }

midcomTransGroupEntry OBJECT-TYPE
    SYNTAX      MidcomTransGroupEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry pertains to a midcom agent carrying out a
        group based transaction.  The midcom module responds with
        success or failure, with an error code.  In the case of
        success, the tuple specified in the transaction is entered
        into midcomGroupTable for later reference and parameter
        modification by the agent."
    INDEX { midcomTransGroupAgentIndex }
    ::= { midcomTransGroupTable 1 }

MidcomTransGroupEntry ::= SEQUENCE {
    midcomTransGroupAgentIndex    MidcomAgentIndex,
    midcomTransGroupMBResource    MidcomMBResource,
    midcomTransGroupGroupId       Unsigned32,
    midcomTransGroupLifetime      TimeInterval,
    midcomTransGroupMaxIdletime   TimeInterval,
    midcomTransGroupCommand       MidcomGroupCommand,
    midcomTransGroupStatus        MidcomInvocationStatus
}

midcomTransGroupAgentIndex OBJECT-TYPE
    SYNTAX      MidcomAgentIndex
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique identifier for an agent in the table.  This
        object is set when an agent reads the object
        midcomAgentIndexNext."
    ::= { midcomTransGroupEntry 1 }

midcomTransGroupMBResource OBJECT-TYPE
    SYNTAX      MidcomMBResource
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Middlebox function specific resource type for which the
        GroupId is applicable."
    ::= { midcomTransGroupEntry 2 }

midcomTransGroupGroupId OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Group identifier for which the group operation is to be
        performed."
    ::= { midcomTransGroupEntry 3 }

midcomTransGroupLifetime OBJECT-TYPE
    SYNTAX      TimeInterval
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Default lifetime of the resources that are assigned this
        group Id.  This field is required only during the add
        operation and is ignored during the delete operation."
    ::= { midcomTransGroupEntry 4 }

midcomTransGroupMaxIdletime OBJECT-TYPE
    SYNTAX      TimeInterval
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Default MaxIdletime of the resources that are assigned
        this group Id.  This field is required to be filled only
        during the add operation and is ignored during the delete
        operation."
    ::= { midcomTransGroupEntry 5 }

midcomTransGroupCommand OBJECT-TYPE
    SYNTAX      MidcomGroupCommand
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This specifies the group command to be executed."
    ::= { midcomTransGroupEntry 6 }

midcomTransGroupStatus OBJECT-TYPE
    SYNTAX      MidcomInvocationStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Invocation status."
    ::= { midcomTransGroupEntry 7 }

midcomTransBindTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF MidcomTransBindEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This lists bind based transactions, one per agent."
    ::= { midcomTransactions 2 }

midcomTransBindEntry OBJECT-TYPE
    SYNTAX      MidcomTransBindEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry pertains to a midcom agent carrying out a
        bind based transaction.  The midcom module responds with
        success or failure, with an error code.  In the case of
        success, a maximum of two address or port binds is
        returned.  These binds are also entered into
        midcomBindTable for later use by the midcom agent.
        "
    INDEX { midcomTransBindAgentIndex }
    ::= { midcomTransBindTable 1 }

MidcomTransBindEntry ::= SEQUENCE {
    midcomTransBindAgentIndex          MidcomAgentIndex,
    midcomTransBindCommand             MidcomBindCommand,
    midcomTransBindOddity              INTEGER,
    midcomTransBindProtocol            NATProtocolType,
    midcomTransBindSessionDirection    MidcomSessionDirection,
    midcomTransBindIfIndex             InterfaceIndex,
    midcomTransBindInParms             MidcomTransInOutFlags,
    midcomTransBindOutParms            MidcomTransInOutFlags,
    midcomTransBindGroupId             Unsigned32,
    midcomTransBindLifetime            TimeInterval,
    midcomTransBindMaxIdletime         TimeInterval,
    midcomTransBindPrivateAddrType     InetAddressType,
    midcomTransBindPrivateSrcAddr      InetAddress,
    midcomTransBindPrivateSrcPort      InetPortNumber,
    midcomTransBindPrivateDstAddr      InetAddress,
    midcomTransBindPrivateDstPort      InetPortNumber,
    midcomTransBindGlobalAddrType      InetAddressType,
    midcomTransBindGlobalSrcAddr       InetAddress,
    midcomTransBindGlobalSrcPort       InetPortNumber,
    midcomTransBindGlobalDstAddr       InetAddress,
    midcomTransBindGlobalDstPort       InetPortNumber,
    midcomTransBindPrivateSrcBindId    MidcomBindIdOrZero,
    midcomTransBindPrivateSrcBindMode  MidcomBindMode,
    midcomTransBindPrivateDstBindId    MidcomBindIdOrZero,
    midcomTransBindPrivateDstBindMode  MidcomBindMode,
    midcomTransBindStatus              MidcomInvocationStatus
}

midcomTransBindAgentIndex OBJECT-TYPE
    SYNTAX      MidcomAgentIndex
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique identifier for an agent in the table.  This
        object is set when an agent reads the object
        midcomAgentIndexNext."
    ::= { midcomTransBindEntry 1 }

midcomTransBindCommand OBJECT-TYPE
    SYNTAX      MidcomBindCommand
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This specifies the bind command to be executed."
    ::= { midcomTransBindEntry 2 }

midcomTransBindOddity OBJECT-TYPE
    SYNTAX      INTEGER {
                    oddityEnforce(1),      -- enforce oddity
                    oddityNotRequired(2)   -- oddity not required
                }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This specifies whether or not the bind should enforce
        oddity to match that of the specified end point or end
        points."
    ::= { midcomTransBindEntry 3 }

midcomTransBindProtocol OBJECT-TYPE
    SYNTAX      NATProtocolType
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This specifies the protocol (TCP/UDP) of the session that
        requires the bind reservation."
    ::= { midcomTransBindEntry 4 }

midcomTransBindSessionDirection OBJECT-TYPE
    SYNTAX      MidcomSessionDirection
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This specifies the orientation of the session that
        requires the bind reservation."
    ::= { midcomTransBindEntry 5 }

midcomTransBindIfIndex OBJECT-TYPE
    SYNTAX      InterfaceIndex
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Interface index for which the bind is being requested.
        This value may be set to 0 to mean any IP interface on the
        middlebox.  This value may also be set to 0 when the
        middlebox has just one interface on which midcom is
        configured."
    ::= { midcomTransBindEntry 6 }

midcomTransBindInParms OBJECT-TYPE
    SYNTAX      MidcomTransInOutFlags
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Lists the fields within the row that are filled by the
        requestor.  While the transaction allows for any or all of
        the end points to be specified, typically no more than one
        end point should be defined.  For twice NAT alone, two end
        points must be specified."
    ::= { midcomTransBindEntry 7 }

midcomTransBindOutParms OBJECT-TYPE
    SYNTAX      MidcomTransInOutFlags
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Lists the fields within the row that are filled by the
        middlebox in response to the bind request from the agent.
        While the transaction allows for any or all of the end
        points to be filled, typically no more than one end point
        should be filled.  For twice NAT alone, two end points
        must be specified.  For oddity based port binds, the second
        bind is used to specify the second port bind."
    ::= { midcomTransBindEntry 8 }

midcomTransBindGroupId OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Group identifier assigned to this bind resource.  A value
        of 0 implies that the bind is not assigned a group
        membership."
    ::= { midcomTransBindEntry 9 }

midcomTransBindLifetime OBJECT-TYPE
    SYNTAX      TimeInterval
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Individual lifetime of the bind resource.  When this is
        set to 0 and GroupId is set to non-zero, the lifetime of
        the GroupId is used to determine the lifetime of this
        resource."
    ::= { midcomTransBindEntry 10 }

midcomTransBindMaxIdletime OBJECT-TYPE
    SYNTAX      TimeInterval
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "MaxIdletime of the bind resource.  When this is set to 0
        and GroupId is set to non-zero, the MaxIdletime of the
        GroupId is used to determine the MaxIdletime of this
        resource."
    ::= { midcomTransBindEntry 11 }

midcomTransBindPrivateAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "IP address type in the private realm."
    ::= { midcomTransBindEntry 12 }

midcomTransBindPrivateSrcAddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "IP source address in the private realm.  This is relevant
        if the agent refers to a private realm address and the
        bind command is to find a bind for the private realm
        source end point."
    ::= { midcomTransBindEntry 13 }

midcomTransBindPrivateSrcPort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "IP source port in the private realm.  This is relevant if
        the agent refers to a private realm address and the bind
        command is to find a bind for the private realm source end
        point."
    ::= { midcomTransBindEntry 14 }

midcomTransBindPrivateDstAddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "IP destination address in the private realm.  This is
        relevant if the agent refers to a private realm address
        and the bind command is to find a bind for the private
        realm destination end point."
    ::= { midcomTransBindEntry 15 }

midcomTransBindPrivateDstPort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "IP destination port in the private realm.  This is
        relevant if the agent refers to a private realm address
        and the bind command is to find a bind for the private
        realm destination end point."
    ::= { midcomTransBindEntry 16 }

midcomTransBindGlobalAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "IP address type in the global address realm."
    ::= { midcomTransBindEntry 17 }

midcomTransBindGlobalSrcAddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "IP source address in the global realm.  This is relevant
        if the agent refers to a global realm address and the bind
        command is to find a bind for the global realm source end
        point."
    ::= { midcomTransBindEntry 18 }

midcomTransBindGlobalSrcPort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "IP source port in the global realm.  This is relevant if
        the agent refers to a global realm address and the bind
        command is to find a bind for the global realm source end
        point."
    ::= { midcomTransBindEntry 19 }

midcomTransBindGlobalDstAddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "IP destination address in the global realm.  This is
        relevant if the agent refers to a global realm address and
        the bind command is to find a bind for the global realm
        destination end point."
    ::= { midcomTransBindEntry 20 }

midcomTransBindGlobalDstPort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "IP destination port in the global realm.  This is
        relevant if the agent refers to a global realm address and
        the bind command is to find a bind for the global realm
        destination end point."
    ::= { midcomTransBindEntry 21 }

midcomTransBindPrivateSrcBindId OBJECT-TYPE
    SYNTAX      MidcomBindIdOrZero
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This is the first bind that will be generated in the
        majority of cases.  This will be set to 0 in the case of
        symmetric NAT."
    ::= { midcomTransBindEntry 22 }

midcomTransBindPrivateSrcBindMode OBJECT-TYPE
    SYNTAX      MidcomBindMode
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This indicates whether PrivateSrcBind is an address bind
        or a port bind."
    ::= { midcomTransBindEntry 23 }

midcomTransBindPrivateDstBindId OBJECT-TYPE
    SYNTAX      MidcomBindIdOrZero
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This is the second bind that will be generated in the
        case of twice NAT or an oddity based two-bind request.
        This will be set to 0 in the case of symmetric NAT."
    ::= { midcomTransBindEntry 24 }

midcomTransBindPrivateDstBindMode OBJECT-TYPE
    SYNTAX      MidcomBindMode
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This indicates whether PrivateDstBind is an address bind
        or a port bind."
    ::= { midcomTransBindEntry 25 }

midcomTransBindStatus OBJECT-TYPE
    SYNTAX      MidcomInvocationStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Invocation status."
    ::= { midcomTransBindEntry 26 }

midcomTransNatSessionTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF MidcomTransNatSessionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This lists NAT session based transactions, one per agent."
    ::= { midcomTransactions 3 }

midcomTransNatSessionEntry OBJECT-TYPE
    SYNTAX      MidcomTransNatSessionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry pertains to a midcom agent carrying out a NAT
        session based transaction.  The midcom module responds
        with success or failure, with an error code.  In the case
        of success, a maximum of two address or port binds is
        returned.  These binds are entered into midcomBindTable
        for later use by the midcom agent.  Further, the NAT
        session entry is included in midcomNatSessionTable."
    INDEX { midcomTransNatSessionAgentIndex }
    ::= { midcomTransNatSessionTable 1 }

MidcomTransNatSessionEntry ::= SEQUENCE {
    midcomTransNatSessionAgentIndex         MidcomAgentIndex,
    midcomTransNatSessionCommand            MidcomNatSessionCommand,
    midcomTransNatSessionProtocol           NATProtocolType,
    midcomTransNatSessionSessionDirection   MidcomSessionDirection,
    midcomTransNatSessionIfIndex            InterfaceIndex,
    midcomTransNatSessionInParms            MidcomTransInOutFlags,
    midcomTransNatSessionOutParms           MidcomTransInOutFlags,
    midcomTransNatSessionGroupId            Unsigned32,
    midcomTransNatSessionLifetime           TimeInterval,
    midcomTransNatSessionMaxIdletime        TimeInterval,
    midcomTransNatSessionPrivateAddrType    InetAddressType,
    midcomTransNatSessionPrivateSrcAddr     InetAddress,
    midcomTransNatSessionPrivateSrcPort     InetPortNumber,
    midcomTransNatSessionPrivateDstAddr     InetAddress,
    midcomTransNatSessionPrivateDstPort     InetPortNumber,
    midcomTransNatSessionGlobalAddrType     InetAddressType,
    midcomTransNatSessionGlobalSrcAddr      InetAddress,
    midcomTransNatSessionGlobalSrcPort      InetPortNumber,
    midcomTransNatSessionGlobalDstAddr      InetAddress,
    midcomTransNatSessionGlobalDstPort      InetPortNumber,
    midcomTransNatSessionPrivateSrcBindId   MidcomBindIdOrZero,
    midcomTransNatSessionPrivateDstBindId   MidcomBindIdOrZero,
    midcomTransNatSessionStatus             MidcomInvocationStatus
}

midcomTransNatSessionAgentIndex OBJECT-TYPE
    SYNTAX      MidcomAgentIndex
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique identifier for an agent in the table.  This
        object is set when an agent reads the object
        midcomAgentIndexNext."
    ::= { midcomTransNatSessionEntry 1 }

midcomTransNatSessionCommand OBJECT-TYPE
    SYNTAX      MidcomNatSessionCommand
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This specifies the NAT session command to be executed."
    ::= { midcomTransNatSessionEntry 2 }

midcomTransNatSessionProtocol OBJECT-TYPE
    SYNTAX      NATProtocolType
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This specifies the protocol (TCP/UDP) of the session."
    ::= { midcomTransNatSessionEntry 3 }

midcomTransNatSessionSessionDirection OBJECT-TYPE
    SYNTAX      MidcomSessionDirection
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This specifies the orientation of the session with
        reference to the interface index specified."
    ::= { midcomTransNatSessionEntry 4 }

midcomTransNatSessionIfIndex OBJECT-TYPE
    SYNTAX      InterfaceIndex
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Interface index for which the NAT session is being
        requested.  This value may be set to 0 to mean any IP
        interface on the middlebox.  This value may also be set to
        0 when the middlebox has just one interface on which
        midcom is configured."
    ::= { midcomTransNatSessionEntry 5 }

midcomTransNatSessionInParms OBJECT-TYPE
    SYNTAX      MidcomTransInOutFlags
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Lists the fields within the row that are filled by the
        requestor.  While the transaction allows for any or all of
        the session parameters to be specified, typically the
        session parameters are filled in the private realm alone
        or in the public realm alone."
    ::= { midcomTransNatSessionEntry 6 }

midcomTransNatSessionOutParms OBJECT-TYPE
    SYNTAX      MidcomTransInOutFlags
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Lists the fields within the row that are filled by the
        middlebox in response to the session request from the
        agent.  While the transaction allows for any or all
        session parameters to be filled, typically the session
        parameters are filled in the private realm alone or in the
        public realm alone."
    ::= { midcomTransNatSessionEntry 7 }

midcomTransNatSessionGroupId OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Group identifier assigned to this resource.  A value of 0
        implies that the session is not assigned a group
        membership."
    ::= { midcomTransNatSessionEntry 8 }

midcomTransNatSessionLifetime OBJECT-TYPE
    SYNTAX      TimeInterval
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Individual lifetime of the session.  When this is set to
        0 and GroupId is set to non-zero, the lifetime of the
        GroupId is used to determine the lifetime of this
        resource."
    ::= { midcomTransNatSessionEntry 9 }

midcomTransNatSessionMaxIdletime OBJECT-TYPE
    SYNTAX      TimeInterval
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "MaxIdletime of the session.  When this is set to 0 and
        GroupId is set to non-zero, the MaxIdletime of the GroupId
        is used to determine the MaxIdletime of this resource."
    ::= { midcomTransNatSessionEntry 10 }

midcomTransNatSessionPrivateAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "IP address type in the private realm."
    ::= { midcomTransNatSessionEntry 11 }

midcomTransNatSessionPrivateSrcAddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "IP source address in the private realm.  This is relevant
        if the agent refers to a private realm session."
    ::= { midcomTransNatSessionEntry 12 }

midcomTransNatSessionPrivateSrcPort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "IP source port in the private realm.  This is relevant if
        the agent refers to a private realm based session."
    ::= { midcomTransNatSessionEntry 13 }

midcomTransNatSessionPrivateDstAddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "IP destination address in the private realm.  This is
        relevant if the agent refers to a private realm based
        session."
    ::= { midcomTransNatSessionEntry 14 }

midcomTransNatSessionPrivateDstPort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "IP destination port in the private realm.  This is
        relevant if the agent refers to a private realm based
        session."
    ::= { midcomTransNatSessionEntry 15 }

midcomTransNatSessionGlobalAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "IP address type in the global address realm."
    ::= { midcomTransNatSessionEntry 16 }

midcomTransNatSessionGlobalSrcAddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "IP source address in the global realm.  This is relevant
        if the agent refers to a global realm based session."
    ::= { midcomTransNatSessionEntry 17 }

midcomTransNatSessionGlobalSrcPort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "IP source port in the global realm.  This is relevant if
        the agent refers to a global realm based session."
    ::= { midcomTransNatSessionEntry 18 }

midcomTransNatSessionGlobalDstAddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "IP destination address in the global realm.  This is
        relevant if the agent refers to a global realm based
        session."
    ::= { midcomTransNatSessionEntry 19 }

midcomTransNatSessionGlobalDstPort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "IP destination port in the global realm.  This is
        relevant if the agent refers to a global realm based
        session."
    ::= { midcomTransNatSessionEntry 20 }

midcomTransNatSessionPrivateSrcBindId OBJECT-TYPE
    SYNTAX      MidcomBindIdOrZero
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This is the first bind that may be supplied by the agent.
        This BindId is the unique bind Id for the midcom agent and
        is independent of what the NAT middlebox might have.  This
        may be set to 0 when the requestor does not have a bind
        pre-assigned."
    ::= { midcomTransNatSessionEntry 21 }

midcomTransNatSessionPrivateDstBindId OBJECT-TYPE
    SYNTAX      MidcomBindIdOrZero
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This is the second bind that may be supplied by the
        agent.  This BindId is the unique bind Id for the midcom
        agent and is independent of what the NAT middlebox might
        have.  This may be set to 0 when the requestor does not
        have a bind pre-assigned."
    ::= { midcomTransNatSessionEntry 22 }

midcomTransNatSessionStatus OBJECT-TYPE
    SYNTAX      MidcomInvocationStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Invocation status."
    ::= { midcomTransNatSessionEntry 23 }

END

7. Security Considerations

The MIDCOM requirements [RFC3304] define the general security requirements for the MIDCOM protocol. The SNMPv3 User-based Security Model (USM, [RFC3414]) satisfies those requirements. USM defines three standardized methods for providing authentication, confidentiality, and integrity; which of them is used is a matter of configuration. The methods operate securely across untrusted domains. Additionally, USM has specific built-in mechanisms for preventing replay attacks, including unique protocol engine IDs, timers and counters per engine, and time windows for the validity of messages.

8. Acknowledgements

The author wishes to thank Wes Hardaker for kindly playing the role of MIB doctor on the raw initial versions of this document.
The author also wishes to thank Dave Harrington for providing clarity on how and where to draw the line in defining the MIBs, given the interrelation between the Midcom MIB and the middlebox function MIBs.

Lastly, the author wishes to thank Martin Stiemerling, Juergen Quittek, Tom Taylor and Mary Barnes for the numerous valuable e-mail discussions, phone conversations and feedback on the subject.

9. References

Normative References

[RFC3304] Swale, R., Mart, P., Sijben, P., Brim, S., and M. Shore, "Middlebox Communications (MIDCOM) Protocol Requirements", RFC 3304, August 2002.

[RFC3303] Srisuresh, P., Kuthan, J., Rosenberg, J., Molitor, A., and A. Rayhan, "Middlebox Communications Architecture and Framework", RFC 3303, August 2002.

[MDCSEM] Stiemerling, M., Quittek, J., and T. Taylor, "MIDCOM Protocol Semantics", draft-ietf-midcom-semantics-02.txt, May 2003.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, March 1997.

[RFC2578] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M., and S. Waldbusser, "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

[RFC2579] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M., and S. Waldbusser, "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999.

[RFC2580] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M., and S. Waldbusser, "Conformance Statements for SMIv2", STD 58, RFC 2580, April 1999.

[RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for Describing SNMP Management Frameworks", STD 62, RFC 3411, November 2002.

[RFC3412] Case, J., Harrington, D., Presuhn, R., and B. Wijnen, "Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3412, November 2002.

[RFC3413] Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications", STD 62, RFC 3413, November 2002.

[RFC3414] Blumenthal, U., and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", STD 62, RFC 3414, November 2002.

[RFC3415] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3415, November 2002.

[NATMIB] Raghunarayan, R., Pai, N., Rohit, R., Wang, C., and P. Srisuresh, "Definitions of Managed Objects for Network Address Translators (NAT)", draft-ietf-nat-natmib-06.txt, September 2003.

[PBMMIB] Waldbusser, S., Saperia, J., and T. Hongal, "Policy Based Management MIB", draft-ietf-snmpconf-pm-13.txt, March 2003.

[IPCMIB] Baer, M., Charlet, R., Hardaker, W., Story, R., and C. Wang, "IPsec Policy Configuration MIB module", draft-ietf-ipsp-ipsec-conf-MIB-06.txt, March 2003.

Informative References

[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, "Introduction to Version 3 of the Internet-standard Network Management Framework", RFC 3410, November 2002.

[MDCPEV] Barnes, M., "Middlebox Communications (MIDCOM) Protocol Evaluation", draft-ietf-midcom-protocol-eval-06.txt, November 2002.

[RFC2287] Krupczak, C. and J. Saperia, "Definitions of System-Level Managed Objects for Applications", RFC 2287, February 1998.

[RFC2475] Blake, S., et al., "An Architecture for Differentiated Service", RFC 2475, December 1998.

[RFC2564] Kalbfleisch, C., Krupczak, C., Presuhn, R., and J. Saperia, "Application Management MIB", RFC 2564, May 1999.

[RFC2594] Hazewinkel, H., Kalbfleisch, C., and J. Schoenwaelder, "Definitions of Managed Objects for WWW Services", RFC 2594, May 1999.

[RFC2788] Freed, N. and S. Kille, "Network Services Monitoring MIB", RFC 2788, March 2000.

[RFC2790] Waldbusser, S. and P. Grillo, "Host Resources MIB", RFC 2790, March 2000.

[RFC2863] McCloghrie, K. and F. Kastenholz, "The Interfaces Group MIB using SMIv2", RFC 2863, June 2000.

[RFC3289] Baker, F., Chan, K., and A. Smith, "Management Information Base for the Differentiated Services Architecture", RFC 3289, May 2002.

[RFC3290] Bernet, Y., et al., "An Informal Management Model for Differentiated Services Routers", RFC 3290, May 2002.

Author's Address

P. Srisuresh
Caymas Systems, Inc.
1179-A North McDowell Blvd.
Petaluma, CA 94954
Tel: (707) 283-5063
Email: srisuresh@yahoo.com

Full Copyright Statement

Copyright (C) The Internet Society (2003). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
