Midcom working Group                                       P. Srisuresh
INTERNET-DRAFT                                            Caymas Systems
Category: Standards Track                                   October 2003
Expires: April 27, 2003


       SNMP managed objects for Middlebox Communications (MIDCOM)


Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Copyright Notice

   Copyright (C) The Internet Society (2003). All Rights Reserved.

Abstract

   Middlebox communication (midcom) was conceived to move application
   level gateway (ALG) intelligence out of middleboxes into application
   specific midcom agents. Midcom agents are assumed to use midcom to
   control middlebox resources so as to permit applications to traverse
   a middlebox. The scope of the middleboxes is limited to NAT and
   firewall devices. This document defines SNMP managed midcom objects
   to control middlebox resources and justifies adapting SNMPv3 as the
   midcom protocol.

Srisuresh                                                       [Page 1]

Internet-Draft                  Midcom MIB                  October 2003

Table of Contents

   1. Overview.......................................................2
   2. Terminology....................................................3
   2.1. "Midcom agent" or "agent"....................................3
   2.2. SNMP agent...................................................3
   2.3. NAT session..................................................3
   3. SNMP Management Framework......................................4
   4. MIDCOM Overview and SNMP Applicability.........................4
   5. SNMP and the MIDCOM data model.................................5
   5.1 Secure Communications......................................7
   5.2 Device Configuration.......................................8
   5.3 Service Configuration......................................8
   5.4 Midcom compatibility requirements on NAT and Firewall......9
   6. Midcom MIB....................................................10
   7. Security Considerations.......................................49
   8. Acknowledgements..............................................49
   9. References....................................................49
   Normative References.............................................49
   Informative References...........................................51
   Author's address.................................................51
   Full Copyright Statement.........................................52

1. Overview

   The principal objective of this document is to describe how SNMPv3
   may be adapted as the MIDCOM protocol. The MIDCOM MIB is defined to
   facilitate transactions between a midcom agent and a middlebox. The
   scope of the middleboxes considered in the document is limited to
   NAT and firewall devices. This document refers to external documents
   for the NAT and firewall MIBs and states the compliance criteria for
   those external MIBs to be MIDCOM compliant.

   Section 3 provides an overview of the SNMP Management Framework.
   Section 4 provides further background on SNMP and its applicability
   to the MIDCOM protocol framework, requirements and semantics.
   Section 5 provides a high level overview of the SNMPv3 protocol, the
   MIB data model and their applicability together as a MIDCOM
   protocol. Section 6 describes the midcom MIB in detail.

2. Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

   The Midcom terms used throughout this document are mostly as per
   RFC 3303. The NAT terms used in the document are mostly as per
   RFC 2663. The definition of the term "Symmetric NAT" may be found in
   RFC 3489. A symmetric NAT is a variation of NAPT in that a port bind
   is not retained across multiple sessions from the same private
   source port.

   The following terms used extensively in the document are reiterated
   here for clarity.

2.1. "Midcom agent" or "agent"

   A midcom agent, hereafter referred to simply as agent, is an entity
   performing ALG functions, logically external to a middlebox. MIDCOM
   agents possess a combination of application awareness and knowledge
   of the middlebox function. A midcom agent may be located anywhere in
   the end-to-end path of an application, including the middlebox
   itself. The exact interface through which a midcom agent engages in
   a midcom session with the middlebox is irrelevant to the enforcement
   of midcom.

2.2. SNMP agent

   An SNMP agent is an entity on the middlebox that services SNMP
   requests from SNMP applications, including midcom agents.

2.3. NAT session

   A NAT session is an association between a session as seen in the
   private realm and a session as seen in the public realm, by virtue
   of NAT translation. If a session in the private realm were to be
   represented as (PrivateSrcAddr, PrivateDstAddr, TransportProtocol,
   PrivateSrcPort, PrivateDstPort) and the same session in the public
   realm were to be represented as (PublicSrcAddr, PublicDstAddr,
   TransportProtocol, PublicSrcPort, PublicDstPort), the NAT session
   provides the translation glue between the two session
   representations.

3. SNMP Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard (SNMP) Management Framework, please refer to
   section 7 of RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB. MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI). This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

4. MIDCOM Overview and SNMP Applicability

   The MIDCOM architecture and framework [RFC3303] defines a model in
   which trusted third parties can be delegated to assist middleboxes
   in performing their operations, without requiring application
   intelligence to be embedded in the middleboxes. This trusted third
   party is referred to as the MIDCOM agent. The MIDCOM protocol is
   defined between the MIDCOM agent and the middlebox.

   The SNMP management framework provides functions equivalent to those
   defined by the MIDCOM framework, although there are a few
   architectural differences. For SNMP, application intelligence is
   captured in MIB modules, rather than in the messaging protocol. MIB
   modules define a data model of the information that can be collected
   and configured for managed functionality. The SNMP messaging
   protocol transports the data in a standardized format without
   needing to understand the semantics of the data being transferred.
   The endpoints of the communication understand the semantics of the
   data. Traditionally, the SNMP endpoints have been called Manager and
   Agent. An SNMP manager is an entity capable of generating requests
   and receiving notifications, and an SNMP agent is an entity capable
   of responding to requests and generating notifications.
   As applied to the MIDCOM framework, the SNMP Manager corresponds to
   the MIDCOM agent and the SNMP Agent corresponds to the Middlebox.

   The MIDCOM protocol is divided into three phases, per section 4 of
   [RFC3303]:

   . Session Setup
   . Run-time (involving real-time configuration of the middlebox)
   . Session Termination

   A MIDCOM session is defined to be a lasting association between a
   MIDCOM agent and a middlebox. The MIDCOM agent should initiate the
   session prior to the start of the application. Although the SNMP
   management framework does not have the concept of a session,
   session-like associations can be established through the use of
   managed objects.

   Requests from the MIDCOM agent to the Middlebox are performed using
   read/write access to managed objects defined in MIB modules. The
   middlebox (SNMP agent) responds to requests by sending an SNMP
   response message indicating the success or failure of the request.
   The MIDCOM agent (SNMP manager) MAY verify this information by
   reading or polling the corresponding managed objects.

   The MIDCOM Protocol semantics [MDCSEM] defines two basic transaction
   types: request transactions and notify transactions. SNMPv3 uses the
   architecture detailed in [RFC3411], where all SNMP entities are
   capable of performing certain functions, such as the generation of
   requests, response to requests, the generation of asynchronous
   notifications and the receipt of notifications. SNMP is used to read
   and manipulate a virtual database (the MIB) which is composed of
   objects representing commands, controls, status, and statistics,
   which are defined in managed-application-specific MIB modules.

5. SNMPv3 for use as MIDCOM protocol

   The following diagram (Figure 1) is the operational model assumed by
   the MIDCOM protocol. Requirements on the Midcom protocol are
   identified by the MIDCOM protocol framework, requirements and
   semantics documents.
   Specification of policies via the MIDCOM PDP is outside the scope of
   the MIDCOM protocol and is omitted in the discussion in the remainder
   of this document.

   +----------------------+
   |    Application       |
   |                      |
   |  +---------------+   |
   |  | MIDCOM agent  |   |
   |  |               |   |
   |  +---------------+   |          +------------+
   +------------^---------+          |            |
                .                    |  Policy    |
                .                    |            |
                .                    | +--------+ |
   Application  .  Asynchronous      | | MIDCOM | |
   Requests     .  Notifications    /+-|  PDP   | |
                .                  / | +--------+ |
                .                 /  +------------+
                .                /
                .               /
                .              /
                v             v
   +-------------------------------------------+
   | Middlebox  *             *                |
   |            * a.          * b.             |
   |            v             v                |
   |    +-------------------------------+      |
   |    |    Middlebox Communication    |      |
   |    |  Protocol (MIDCOM) Interface  |      |
   |    +-------------------------------+      |
   |                   *                       |
   |                   * c.                    |
   |                   v                       |
   |    +-------------------------------+      |
   |    |     Dynamic Device/Service    |      |
   |    |         Configuration         |      |
   |    +-------------------------------+      |
   |                                           |
   +-------------------------------------------+

   Legend:
     ....  Middlebox Communication Protocol (MIDCOM)
     ////  MIDCOM PDP Interface (outside scope of this document)
     ****  Managed objects relevant to the MIDCOM Interface (with the
           associated letters referencing the MIB modules potentially
           applicable, summarized below)

   Figure 1: operational model assumed by the MIDCOM protocol

5.1 SNMP MIB data model on a middlebox

   The following diagram (Figure 2) restates the Midcom operational
   model when SNMPv3 is adapted as the Midcom protocol. The SNMP based
   model below includes the midcom MIB and the middlebox function MIB
   objects. These MIBs are described in detail in the remainder of this
   document.

   +----------------------+
   |    Application       |
   |                      |
   |  +---------------+   |
   |  | MIDCOM agent  |   |
   |  |               |   |
   |  +---------------+   |
   +------------^---------+
                .
   Application  .  Asynchronous
   Requests     .  Notifications
   (via SNMPv3) .  (via SNMPv3)
                .
                v
   +-----------------------------------------------+
   | Middlebox  .                                  |
   |            v  a.                              |
   |     +------------+      +-------------+       |
   |     |  SNMP-v3   |------| SNMP object |       |
   |     |   Agent    |      |  Database   |       |
   |     +------------+      +-------------+       |
   |           |                    |              |
   |           +---------+----------+              |
   |                     |                         |
   |       +-------------+-------------+           |
   |       |             |             |           |
   |       |             v             |           |
   |       |    +-----------------+    |           |
   |       |    |   MIDCOM MIB    |    |           |
   |       |    |  & MIB methods  |    |           |
   |       |    +-----------------+    |           |
   |       |       *           *       |           |
   |       |       *           *       |           |
   |       v       v           v       v           |
   |   +------------------+   +------------------+ |
   |   | MIDCOM-compliant |   | MIDCOM-compliant | |
   |   |    Nat MIB &     |   |  Firewall MIB &  | |
   |   |   MIB methods    |   |   MIB methods    | |
   |   +------------------+   +------------------+ |
   +-----------------------------------------------+

   Legend:
     ....  SNMP used as the MIDCOM protocol
     ----  Interface between the SNMP agent and the MIB modules.
     ****  The MIB methods of the Midcom MIB accessing middlebox
           function specific objects.

   Figure 2: SNMPv3 operating as the Midcom protocol

5.2 Secure Communications

   MIDCOM requirements include mutual authentication, message integrity
   checking, timeliness checking to prevent replay, message encryption,
   and authorization controls to ensure only certain agents can modify
   certain subsets of middlebox configurations. MIDCOM requires secure
   request-response capabilities and secure notifications. SNMPv3 is
   designed to provide secure communications between two end-points.
   SNMPv3 defines MIB modules to allow the monitoring and configuration
   of all these security features. They are defined in RFC3411-RFC3418,
   and RFC3410 provides an overview of these capabilities.

5.3. Midcom functions

   The midcom MIB does not assume that a middlebox has implemented MIBs
   (standard or vendor proprietary) for its NAT and firewall functions.
   Middlebox functions may be configured and managed independently of
   the midcom MIB. However, the midcom MIB will have rule-change
   parameters and a pointer to the FW/NAT MIB objects (even if vendor
   proprietary). The FW and NAT MIBs actually contain the detailed
   objects.
   For instance, multiple agents might end up using the same NAT bind,
   yet each agent might define its own Lifetime parameter and
   directionality for the bind. As a result, the agent specific bind
   identifier is set uniquely, independent of the NAT native bind. Yet,
   the agent specific bind has a pointer to the NAT bind.

   The Midcom MIB below is designed to meet the midcom requirements
   (RFC 3304). A set of MIB objects, one per each middlebox resource
   type, is defined to run midcom transactions. The resulting
   resources, along with rule-changing parameters and a pointer to the
   FW/NAT MIB objects, are maintained as MIB tables, one for each
   resource type. Also defined are group based transaction objects and
   group tables, as required by RFC 3304.

5.3.1. Agent registration for notification

   midcomAgentTable is designed to include all the agents that engage in
   a midcom session with the middlebox. Each active row of the table
   corresponds to a midcom agent. The agent includes the notify
   parameters within this row to allow the middlebox to send
   asynchronous notifications back to the agent. Also included is an
   agent-unique Middlebox Identifier that the middlebox should use to
   identify itself during the notifications.

5.3.2. Middlebox Configuration for midcom

   Not every middlebox is required to enable midcom on all its
   interfaces. midcomConfig is designed to configure midcom on a
   per-interface basis on a middlebox.

5.3.3. Midcom transactions and relevant tables

   Midcom transactions may be divided into group transactions and
   resource transactions. A transaction is atomic and the results of a
   transaction are saved into the relevant tables at the end of the
   transaction. Results of a transaction conducted by an agent may be
   reviewed anytime prior to executing another transaction of the same
   kind by the same agent.
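   The table semantics of sections 5.3 and 5.4, modelled as an added
   example that is not part of this draft: midcomAgentIndexNext hands
   out agent indexes that are never reused, a bind row whose Lifetime
   or MaxIdleTime is 0 takes the value of its group row, several agents'
   bind rows may point at one NAT-native bind (midcomBindMBId), and the
   NAT function keeps an AgentCount plus the superset (maximum) of the
   agents' settings and the list of agents to notify. The NatBind record,
   the bind key and all sample values are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

BindKey = Tuple[str, int, str]   # (private address, private port, protocol); assumed
# All sample values are constructed; times are TimeInterval hundredths of a second.

@dataclass
class GroupEntry:      # midcomGroupEntry, keyed (agentIndex, resource, groupId)
    lifetime: int      # midcomGroupLifetime
    max_idle: int      # midcomGroupMaxIdletime

@dataclass
class BindEntry:       # midcomBindEntry, keyed (agentIndex, bindId)
    group_id: int      # midcomBindGroupId; 0 = not in a group
    lifetime: int      # midcomBindLifetime; 0 = take the group's value
    max_idle: int      # midcomBindMaxIdleTime; 0 = take the group's value
    mb_bind_id: int    # midcomBindMBId, the NAT function's own bind

@dataclass
class NatBind:         # the NAT function's native bind (hypothetical record)
    key: BindKey
    agent_count: int = 0   # AgentCount required by section 5.4
    lifetime: int = 0      # superset (maximum) of all agents' settings
    max_idle: int = 0

class Middlebox:
    def __init__(self) -> None:
        self._next_agent = self._next_bind = self._next_mb_bind = 1
        self.agents: Dict[int, dict] = {}                          # midcomAgentTable
        self.groups: Dict[Tuple[int, str, int], GroupEntry] = {}  # midcomGroupTable
        self.binds: Dict[Tuple[int, int], BindEntry] = {}         # midcomBindTable
        self.nat_binds: Dict[int, NatBind] = {}
        self._nat_by_key: Dict[BindKey, int] = {}

    def agent_index_next(self) -> int:
        """midcomAgentIndexNext: a value once read is not returned again, so
        one USM user can run several independent midcom sessions."""
        self._next_agent += 1
        return self._next_agent - 1

    def register_agent(self, idx: int, name: str, mb_id: int, addr: str, port: int) -> None:
        """Create the midcomAgentTable row that holds the notification target."""
        if idx in self.agents or not 0 < idx < self._next_agent:
            raise ValueError("index must be unused and come from agent_index_next")
        self.agents[idx] = {"name": name, "mb_id": mb_id, "addr": addr, "port": port}

    def add_group(self, idx: int, group_id: int, lifetime: int, max_idle: int) -> None:
        """Group transaction result for the natBind resource type."""
        self.groups[(idx, "natBind", group_id)] = GroupEntry(lifetime, max_idle)

    def effective(self, idx: int, bind_id: int) -> Tuple[int, int]:
        """(lifetime, max_idle) of a bind; 0 defers to the group entry."""
        b = self.binds[(idx, bind_id)]
        lifetime, max_idle = b.lifetime, b.max_idle
        if b.group_id:
            g = self.groups[(idx, "natBind", b.group_id)]
            lifetime, max_idle = lifetime or g.lifetime, max_idle or g.max_idle
        return lifetime, max_idle

    def _recompute(self, mb_bind_id: int) -> None:
        """The NAT function keeps the superset of every referencing agent's settings."""
        nb = self.nat_binds[mb_bind_id]
        eff = [self.effective(a, bid) for (a, bid), b in self.binds.items()
               if b.mb_bind_id == mb_bind_id]
        nb.agent_count = len(eff)
        nb.lifetime = max((lt for lt, _ in eff), default=0)
        nb.max_idle = max((mi for _, mi in eff), default=0)

    def request_bind(self, idx: int, group_id: int, key: BindKey,
                     lifetime: int = 0, max_idle: int = 0) -> int:
        """Bind transaction: returns an agent-specific midcomBindId whose row
        points at the NAT bind, which is shared if another agent already holds it."""
        if idx not in self.agents:
            raise KeyError("agent is not registered")
        if group_id and (idx, "natBind", group_id) not in self.groups:
            raise KeyError("unknown group for this agent")
        mb = self._nat_by_key.get(key)
        if mb is None:
            mb = self._nat_by_key[key] = self._next_mb_bind
            self._next_mb_bind += 1
            self.nat_binds[mb] = NatBind(key)
        bind_id, self._next_bind = self._next_bind, self._next_bind + 1
        self.binds[(idx, bind_id)] = BindEntry(group_id, lifetime, max_idle, mb)
        self._recompute(mb)
        return bind_id

    def release_bind(self, idx: int, bind_id: int) -> None:
        """Drop one agent's reference; the NAT bind goes away with the last one."""
        b = self.binds.pop((idx, bind_id))
        self._recompute(b.mb_bind_id)
        if self.nat_binds[b.mb_bind_id].agent_count == 0:
            del self._nat_by_key[self.nat_binds.pop(b.mb_bind_id).key]

    def notify_targets(self, mb_bind_id: int) -> List[Tuple[int, str, int]]:
        """(midcomAgentMBId, address, port) of every agent referencing the NAT
        bind: the set the middlebox must notify when that bind changes state."""
        return [(self.agents[a]["mb_id"], self.agents[a]["addr"], self.agents[a]["port"])
                for (a, _), b in self.binds.items() if b.mb_bind_id == mb_bind_id]
```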
   midcomTransGroupTable is defined to allow multiple agents to
   simultaneously add or delete Group identifiers and set group-wide
   parameters such as LifeTime and MaxIdletime. Results of the
   transaction are transferred into midcomGroupTable for later
   reference and further parameter modification by the agent.

   midcomTransBindTable, midcomTransNatSessionTable, and
   midcomTransFilterTable are defined to allow multiple agents to
   simultaneously request middlebox resources and set parameters such
   as LifeTime and MaxIdletime. Results of the transactions are
   transferred respectively into the relevant resource table, namely
   midcomBindTable, midcomNatSessionTable and midcomFilterTable for
   later reference and further parameter modification by the agent.

5.4. Midcom compatibility requirements on NAT and Firewall

   Middlebox function resources (bind, NatSession and firewall filter)
   are now required to carry an additional LifeTime parameter. Given
   that there may be several agents referring to the same resource
   (e.g. a bind) and each agent may choose to control lifetime,
   MaxIdleTime and bind orientation as appropriate for the agent, the
   middlebox function is now required to use a superset of the
   settings. Further, a new AgentCount will be required to track the
   number of agents referring to a certain resource. As for
   notification, middlebox functions might retain a pointer to the
   first active agent, and the active agents referring to the same
   resource might link between themselves. Doing this will ensure that
   Midcom is able to send notifications to all affected agents when
   required to do so by the middlebox function.

   Agent precedence and inter-agent overlap on the use of resources
   could be particularly tricky in the case of firewall rules. For
   example, essentially the same filter can be configured by multiple
   agents with different priorities (assume that highest or lowest is
   all that a midcom transaction will specify).
   The last rule will take precedence, potentially overruling the
   previous agent transactions. Further, when some of the filters are
   specific and some are more general, there can be undesired ordering
   of the filters. Agents are advised to include specific rules, so as
   not to overrule or be overridden by other filter rules.

6. Midcom MIB

   The Midcom MIB provides a means for midcom agents to control
   middlebox resources and for the middlebox to asynchronously notify
   the midcom agents of relevant state changes. Midcom agents learn of
   the functions present on the middlebox using this MIB.

MIDCOM-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE,
    Integer32, Unsigned32, Gauge32, Counter64,
    TimeTicks, mib-2
        FROM SNMPv2-SMI                          -- RFC 2578
    TEXTUAL-CONVENTION, StorageType, RowStatus,
    TimeInterval
        FROM SNMPv2-TC                           -- RFC 2579
    MODULE-COMPLIANCE, NOTIFICATION-GROUP, OBJECT-GROUP
        FROM SNMPv2-CONF                         -- RFC 2580
    ifIndex, InterfaceIndex
        FROM IF-MIB                              -- RFC 2863
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB                  -- RFC 3411
    InetAddressType, InetAddress, InetPortNumber
        FROM INET-ADDRESS-MIB;                   -- RFC

midcomMIB MODULE-IDENTITY
    LAST-UPDATED "200310200000Z"
    ORGANIZATION "IETF Midcom Working Group"
    CONTACT-INFO
        "WG charter:
           http://www.ietf.org/html.charters/midcom-charter.html

         Mailing Lists:
           General Discussion: midcom@ietf.org
           To Subscribe: midcom-request@ietf.org
           In Body: subscribe your_email_address

         Author:
           Pyda Srisuresh
           1179-A North McDowell Blvd.
           Petaluma, CA 94954
           Tel: (707) 283-5063
           Email: srisuresh@yahoo.com
        "
    DESCRIPTION
        "This MIB module defines the managed objects for midcom. "
    REVISION "200310200000Z"  -- 20th Sept. 2003
    DESCRIPTION
        "Initial version of this MIB module."
    ::= { mib-2 4444 }  -- RFC Ed.: replace 4444 with IANA-assigned
                        -- number & remove this note

midcomMIBObjects OBJECT IDENTIFIER ::= { midcomMIB 1 }

--
-- Four Groups
--
-- o midcomConfig       - Configuration of a middlebox for
--                        midcom access.
-- o midcomAgentInfo    - Active agent info, including the info
--                        necessary for asynchronous notification.
-- o midcomTables       - Results of agent initiated transactions
--                        are saved into relevant tables for later
--                        reference and parameter modification by
--                        the agents.
-- o midcomTransactions - Midcom agent initiated transactions.
--

midcomConfig        OBJECT IDENTIFIER ::= { midcomMIBObjects 1 }
midcomAgentInfo     OBJECT IDENTIFIER ::= { midcomMIBObjects 2 }
midcomTables        OBJECT IDENTIFIER ::= { midcomMIBObjects 3 }
midcomTransactions  OBJECT IDENTIFIER ::= { midcomMIBObjects 4 }

--
-- Textual conventions used
--

--
-- The following TC are copied as is from NAT-MIB.
-- In the future, these will be IMPORTS from NAT-MIB.
--

NATProtocolType ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "A list of protocols that support the network address
         translation. Inclusion of values is not intended to
         imply that those protocols need to be supported. Any
         change in this TEXTUAL-CONVENTION should also be
         reflected in the definition of NATProtocolMap which
         is a BITS representation of this "
    SYNTAX      INTEGER {
                    none (1),   -- not specified
                    other (2),  -- none of the following
                    icmp (3),
                    udp (4),
                    tcp (5)
                }

NatBindIdOrZero ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "A unique id that is assigned to each bind by a NAT
         enabled device. The bind id will be zero in case of
         a symmetric NAT."
    SYNTAX      Unsigned32 (0..4294967295)

NatBindId ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "A unique id that is assigned to each bind by a NAT
         enabled device."
    SYNTAX      Unsigned32 (1..4294967295)

NatSessionId ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "A unique id that is assigned to each session by a NAT
         enabled device."
    SYNTAX      Unsigned32 (1..4294967295)

NatBindMode ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "An indication whether the bind is an address bind or
         an address-port bind."
    SYNTAX      INTEGER {
                    addressBind (1),
                    addressPortBind (2)
                }

NatBindType ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "An indication whether the bind is static or dynamic."
    SYNTAX      INTEGER {
                    static (1),
                    dynamic (2)
                }

NatTranslationEntity ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "An indication for the direction of a session for which
         a) an address map entry, address bind or port bind is
            applicable, and
         b) the entity (source or destination) within the
            session that is subject to translation."
    SYNTAX      BITS {
                    inboundSrcEndPoint (1),
                    outboundDstEndPoint (2),
                    inboundDstEndPoint (3),
                    outboundSrcEndPoint (4)
                }

MidcomMBFunctionEnum ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "An enumeration of Middlebox functions that are supported
         by the midcom protocol. Inclusion of values is not
         intended to imply that those functions need to be
         supported. Any change in this TEXTUAL-CONVENTION should
         also be reflected in the definition of the
         midcomConfMBFunctionType object which is a BITS
         representation of this TEXTUAL-CONVENTION."
    SYNTAX      INTEGER {
                    none (1),   -- not specified
                    nat (2),
                    firewall (3)
                }

MidcomMBFunctionBITS ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "A BITS representation of Middlebox functions for which
         MIDCOM is enabled on a middlebox.
         Any change in this TEXTUAL-CONVENTION should also be
         reflected in the definition of MidcomMBFunctionEnum,
         which is an enumeration of the middlebox functions
         supported."
    SYNTAX      BITS {
                    nat (0),
                    firewall (1)
                }

MidcomMBResource ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "An enumeration of Middlebox function specific resource
         types that are supported by the midcom protocol.
         Inclusion of values is not intended to imply that those
         functions need to be supported. "
    SYNTAX      INTEGER {
                    none (1),   -- not specified
                    natBind (2),
                    natSession (3),
                    firewallFilter (4)
                }

MidcomAgentIndex ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "A unique id that is assigned to each midcom session by
         the middlebox."
    SYNTAX      Unsigned32 (1..4294967295)

MidcomBindMode ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "An indication of whether a bind is address bind or
         port bind. "
    SYNTAX      INTEGER {
                    addressBind (1),
                    portBind (2)
                }

--
-- midcomConfig
-- The Configuration Group
-- The per-interface Midcom Configuration Table
--

midcomConfInterfaceTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF MidcomConfInterfaceEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table specifies the midcom configuration attributes
         per interface on a device supporting midcom access."
    ::= { midcomConfig 1 }

midcomConfInterfaceEntry OBJECT-TYPE
    SYNTAX      MidcomConfInterfaceEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry in the midcomConfInterfaceTable holds a set
         of Midcom configuration parameters pertaining to an
         interface"
    INDEX { ifIndex }
    ::= { midcomConfInterfaceTable 1 }

MidcomConfInterfaceEntry ::= SEQUENCE {
    midcomConfMBFunctionType    MidcomMBFunctionBITS,
    midcomConfStorageType       StorageType,
    midcomConfRowStatus         RowStatus
}

midcomConfMBFunctionType OBJECT-TYPE
    SYNTAX      MidcomMBFunctionBITS
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Middlebox functions for which Midcom processing is
         enabled."
    ::= { midcomConfInterfaceEntry 1 }

midcomConfStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this conceptual row."
    REFERENCE
        "Textual Conventions for SMIv2, Section 2."
    DEFVAL { nonVolatile }
    ::= { midcomConfInterfaceEntry 2 }

midcomConfRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The status of this conceptual row. None of the objects
         in this row may be modified while the value of this
         object is active(1)."
    REFERENCE
        "Textual Conventions for SMIv2, Section 2."
    ::= { midcomConfInterfaceEntry 3 }

--
--
-- midcomAgentInfo
-- Agent specific tables managed by the midcom MIB.
--
--

midcomAgentIndexNext OBJECT-TYPE
    SYNTAX      MidcomAgentIndex
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "When retrieved, this object returns an unused index into
         the Agent table for the USM user that issued the
         read-request. The returned value can be used for
         creating a new entry in the midcomAgentTable. The same
         return value also serves to create new entries in the
         midcomTransGroup, midcomTransBind, midcomTransSession &
         midcomTransFilter tables. In all these tables, the first
         index would be set to the AgentIndex returned here and
         is set to read-only.

         A value returned when reading this object is not
         returned again on subsequent read-requests as long as
         possible. This ensures that the same USM user can engage
         in multiple independent midcom sessions with the
         middlebox. Each midcom agent might be responsible for a
         different application."
    ::= { midcomAgentInfo 1 }

--
-- midcomAgentTable
-- Agent Registration with Middlebox with
-- all the requisite information for notification.
--

midcomAgentTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF MidcomAgentEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Lists the active Midcom agents."
    ::= { midcomAgentInfo 2 }

midcomAgentEntry OBJECT-TYPE
    SYNTAX      MidcomAgentEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry in the midcomAgentTable pertains to a midcom
         agent. Parameters associated with the midcom agent are
         stored in this table. Each entry contains objects
         describing where notifications are to be sent to the
         MIDCOM agent. "
    INDEX { midcomAgentIndex }
    ::= { midcomAgentTable 1 }

MidcomAgentEntry ::= SEQUENCE {
    midcomAgentIndex        MidcomAgentIndex,
    midcomAgentName         SnmpAdminString,
    midcomAgentMBId         Unsigned32,
    midcomAgentAddrType     InetAddressType,
    midcomAgentAddress      InetAddress,
    midcomAgentPort         InetPortNumber,
    midcomAgentStatus       RowStatus
}

midcomAgentIndex OBJECT-TYPE
    SYNTAX      MidcomAgentIndex
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A middlebox-unique index or Identifier for each midcom
         agent in the Table. This object allows the same USM user
         to engage in multiple midcom sessions, perhaps one for
         each application. Each midcom agent will have a unique
         agentIndex. "
    ::= { midcomAgentEntry 1 }

midcomAgentName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE (1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The name of the SNMP manager that represents the midcom
         agent in this midcomAgentTable. "
    ::= { midcomAgentEntry 2 }

midcomAgentMBId OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This is an agent-unique Identifier issued by the agent
         to the middlebox. This identifier is to be used by the
         middlebox during asynchronous notifications to the
         agent.
        "
    ::= { midcomAgentEntry 3 }

midcomAgentAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This object specifies the address type used for
         midcomAgentAddress"
    ::= { midcomAgentEntry 4 }

midcomAgentAddress OBJECT-TYPE
    SYNTAX      InetAddress (SIZE (0..20))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This object represents the network layer address of the
         Midcom agent. This address, in conjunction with AddrType
         and the UDP port midcomAgentPort may be used by the
         middlebox functions for asynchronous notification to
         the agent. "
    ::= { midcomAgentEntry 5 }

midcomAgentPort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This object represents the UDP port of the Midcom agent.
         The combinations of (AddressType, Address, Port) are to
         be used by the middlebox functions for asynchronous
         notification to the agent. "
    ::= { midcomAgentEntry 6 }

midcomAgentStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The status of this conceptual row. Objects in this row
         may be modified while the value of this object is
         active(1)."
    REFERENCE
        "Textual Conventions for SMIv2, Section 2"
    ::= { midcomAgentEntry 7 }

--
-- midcomTables - Results of agent initiated transactions
--                are saved into relevant tables for later
--                reference and parameter modification by
--                the agents.
--

--
-- midcomGroupTable
-- group Ids per each agent.
--

midcomGroupTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF MidcomGroupEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Lists the groups registered by each agent."
    ::= { midcomTables 1 }

midcomGroupEntry OBJECT-TYPE
    SYNTAX      MidcomGroupEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry in the GroupTable holds a unique tuple of
         parameters associated with a group Identifier.
         Group identifiers are registered by an agent with
         midcom."
    INDEX { midcomGroupAgentIndex, midcomGroupMBResource,
            midcomGroupId }
    ::= { midcomGroupTable 1 }

MidcomGroupEntry ::= SEQUENCE {
    midcomGroupAgentIndex   MidcomAgentIndex,
    midcomGroupMBResource   MidcomMBResource,
    midcomGroupId           Unsigned32,
    midcomGroupLifetime     TimeInterval,
    midcomGroupMaxIdletime  TimeInterval,
    midcomGroupStatus       RowStatus
}

midcomGroupAgentIndex OBJECT-TYPE
    SYNTAX      MidcomAgentIndex
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Unique Identifier for an agent in the table"
    ::= { midcomGroupEntry 1 }

midcomGroupMBResource OBJECT-TYPE
    SYNTAX      MidcomMBResource
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Middlebox resource type for which the GroupId is
         registered by the agent. "
    ::= { midcomGroupEntry 2 }

midcomGroupId OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique Group Identifier registered by the agent for
         the resource the agent owns. "
    ::= { midcomGroupEntry 3 }

midcomGroupLifetime OBJECT-TYPE
    SYNTAX      TimeInterval
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Default Lifetime of the resources that are assigned
         this group Id."
    ::= { midcomGroupEntry 4 }

midcomGroupMaxIdletime OBJECT-TYPE
    SYNTAX      TimeInterval
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Default MaxIdletime of the resources that are assigned
         this group Id."
    ::= { midcomGroupEntry 5 }

midcomGroupStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The status of this conceptual row. Objects in this row
         may be modified while the value of this object is
         active(1)."
    REFERENCE
        "Textual Conventions for SMIv2, Section 2"
    ::= { midcomGroupEntry 6 }

--
-- midcomBindTable
-- Bind Ids managed by each agent.
--

midcomBindTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF MidcomBindEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Lists NAT binds owned by each agent."
    ::= { midcomTables 2 }

midcomBindEntry OBJECT-TYPE
    SYNTAX      MidcomBindEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry in the BindTable holds a unique tuple of
         parameters associated with a Bind.
        "
    INDEX { midcomBindAgentIndex, midcomBindGroupId,
            midcomBindId }
    ::= { midcomBindTable 1 }

MidcomBindEntry ::= SEQUENCE {
    midcomBindAgentIndex         MidcomAgentIndex,
    midcomBindGroupId            Unsigned32,
    midcomBindId                 NatBindId,
    midcomBindLifetime           TimeInterval,
    midcomBindMaxIdleTime        TimeInterval,
    midcomBindIfIndex            InterfaceIndex,
    midcomBindTranslationEntity  NatTranslationEntity,
    midcomBindMBId               NatBindId,
    midcomBindMode               MidcomBindMode,
    midcomBindStatus             RowStatus
}

midcomBindAgentIndex OBJECT-TYPE
    SYNTAX      MidcomAgentIndex
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Unique Identifier for an agent in the table"
    ::= { midcomBindEntry 1 }

midcomBindGroupId OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Group Identifier assigned to this bind resource.
         A value of 0 implies that the bind does not belong
         to a group membership.
        "
    ::= { midcomBindEntry 2 }

midcomBindId OBJECT-TYPE
    SYNTAX      NatBindId
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Unique Bind Identifier assigned to this midcom bind
         resource. This identifier is independent of the bind
         identifier midcomBindMBId that is managed by the NAT
         middlebox.
        "
    ::= { midcomBindEntry 3 }

midcomBindLifetime OBJECT-TYPE
    SYNTAX      TimeInterval
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Lifetime of the bind resource. When this is set to 0
         and GroupId is set to non-zero, the Lifetime of the
         GroupId is used to determine the lifetime of this
         resource.
        "
    ::= { midcomBindEntry 4 }

midcomBindMaxIdleTime OBJECT-TYPE
    SYNTAX      TimeInterval
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "MaxIdletime of the Bind resource.
         When this is set to 0 and GroupId is set to non-zero,
         the MaxIdletime of the GroupId is used to determine
         the MaxIdletime of this resource.
        "
    ::= { midcomBindEntry 5 }

midcomBindIfIndex OBJECT-TYPE
    SYNTAX      InterfaceIndex
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Interface Index for which the bind is defined. This
         value may be set to 0 to mean any IP interface on the
         middlebox. This value may also be set to 0 when the
         middlebox has just one interface on which midcom is
         configured.
        "
    ::= { midcomBindEntry 6 }

midcomBindTranslationEntity OBJECT-TYPE
    SYNTAX      NatTranslationEntity
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object represents the direction of the session
         for which this BIND is applicable and the entity within
         the first packet that is subject to translation.
        "
    ::= { midcomBindEntry 7 }

midcomBindMBId OBJECT-TYPE
    SYNTAX      NatBindId
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Unique Bind Identifier managed by the NAT middlebox
         function. This identifier is independent of the bind
         identifier midcomBindId that is used in conjunction
         with midcom. Multiple midcomBindIds may be associated
         with the same midcomBindMBId.
        "
    ::= { midcomBindEntry 8 }

midcomBindMode OBJECT-TYPE
    SYNTAX      MidcomBindMode
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Indicates whether the bind is an address bind or a
         port bind.
        "
    ::= { midcomBindEntry 9 }

midcomBindStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The status of this conceptual row. Objects in this row
         may be modified while the value of this object is
         active(1)."
    REFERENCE
        "Textual Conventions for SMIv2, Section 2"
    ::= { midcomBindEntry 10 }

--
-- midcomNatSessionTable
--      NAT Session Ids per each agent.
--
midcomNatSessionTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF MidcomNatSessionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Lists NAT sessions owned by each agent."
    ::= { midcomTables 3 }

midcomNatSessionEntry OBJECT-TYPE
    SYNTAX      MidcomNatSessionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry in the NatSessionTable holds a unique tuple
         of parameters associated with a NAT session.
        "
    INDEX { midcomNatSessionAgentIndex, midcomNatSessionGroupId,
            midcomNatSessionId }
    ::= { midcomNatSessionTable 1 }

MidcomNatSessionEntry ::= SEQUENCE {
    midcomNatSessionAgentIndex   MidcomAgentIndex,
    midcomNatSessionGroupId      Unsigned32,
    midcomNatSessionId           NatSessionId,
    midcomNatSessionLifetime     TimeInterval,
    midcomNatSessionMaxIdleTime  TimeInterval,
    midcomNatSessionIfIndex      InterfaceIndex,
    midcomNatSessionStatus       RowStatus
}

midcomNatSessionAgentIndex OBJECT-TYPE
    SYNTAX      MidcomAgentIndex
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Unique Identifier for an agent in the table"
    ::= { midcomNatSessionEntry 1 }

midcomNatSessionGroupId OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Group Identifier assigned to this resource. A value
         of 0 implies that the session does not belong to a
         group membership.
        "
    ::= { midcomNatSessionEntry 2 }

midcomNatSessionId OBJECT-TYPE
    SYNTAX      NatSessionId
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Unique session Identifier assigned to this midcom
         resource. This identifier is the same as the session
         identifier that is managed by the NAT middlebox.
        "
    ::= { midcomNatSessionEntry 3 }

midcomNatSessionLifetime OBJECT-TYPE
    SYNTAX      TimeInterval
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Lifetime of the session. When this is set to 0 and
         GroupId is set to non-zero, the Lifetime of the
         GroupId is used to determine the lifetime of this
         resource.
        "
    ::= { midcomNatSessionEntry 4 }

midcomNatSessionMaxIdleTime OBJECT-TYPE
    SYNTAX      TimeInterval
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "MaxIdletime of the session.
         When this is set to 0 and GroupId is set to non-zero,
         the MaxIdletime of the GroupId is used to determine
         the MaxIdletime of this resource.
        "
    ::= { midcomNatSessionEntry 5 }

midcomNatSessionIfIndex OBJECT-TYPE
    SYNTAX      InterfaceIndex
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Interface Index on which the session is defined. This
         value may be set to 0 to mean any IP interface on the
         middlebox. This value may also be set to 0 when the
         middlebox has just one interface on which midcom is
         configured.
        "
    ::= { midcomNatSessionEntry 6 }

midcomNatSessionStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The status of this conceptual row. Objects in this row
         may be modified while the value of this object is
         active(1)."
    REFERENCE
        "Textual Conventions for SMIv2, Section 2"
    ::= { midcomNatSessionEntry 7 }

--
-- midcomTransactions - The transaction Group
--      Transactions issued by the midcom agents
--      to the midcom MIB module.
--

--
-- Textual conventions used
--
MidcomInvocationStatus ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "Allows invocation and status queries."
    SYNTAX      INTEGER {
                    neverInvoked(1),
                    performOperation(2),
                    inProgress(3),
                    success(4),
                    failure(5)
                }

MidcomGroupCommand ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "The choice of operations on groups.

         add command:
             Midcom agent uses the command to specify the
             group-identifiers and associated parameters it
             wishes to use during the Midcom session. In case
             of success, the GroupId is tracked by the midcom
             Module midcomGroupTable. No ill effect in case of
             failure.

         delete command:
             Midcom agent uses the command to remove a
             group-identifier from its list of valid group-ids.
             In case of success, the GroupId is deleted from
             the midcomGroupTable.
" SYNTAX INTEGER { add(1), delete(2) } MidcomBindCommand ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "The choice of operations on Nat Binds. reserveBindInboundSrc, reserveBindInboundDst, reserveBindOutboundSrc, reserveBindOutboundDst Reserve an address or port bind, given the interface and a src or dst endpoint in one of private address realm or public address realm. reserveBindInboundSrcOrOutboundDst, reserveBindInboundDstOrOutboundSrc Reserve an address or portBind, given the interface and a src or dst endpoint in one of private address realm or public address realm. Set the Bind to be bi-directional. reserveBind2InboundSrc, reserveBind2InboundDst, reserveBind2OutboundSrc, reserveBind2OutboundDst Reserve two port binds, given the interface index and a src or dst endpoint in one of private address realm or public address realm. The two ports assigned for the two port-binds are to be contiguous and assume oddity as specified in an oddity parameter. If the bind assigned turns out to be an address bind, one address bind suffices independent of the port oddity requirement. reserveBind2InboundSrcInboundDst, reseverBind2OutboundSrcOutboundDst, Reserve two binds as in a twice NAT, given the interface index and the session tuple in private realm or public realm. " Srisuresh [Page 29] Internet-Draft Midcom MIB October 2003 SYNTAX INTEGER { reserveBindInboundSrc (1), reserveBindInboundDst (2), reserveBindOutboundSrc(3), reserveBindOutboundDst(4), reserveBindInboundSrcOrOutboundDst(5), reserveBindInboundDstOrOutboundSrc(6), reserveBind2InboundSrc(7), reserveBind2InboundDst(8), reserveBind2OutboundSrc(9), reserveBind2OutboundDst(10), reserveBind2InboundSrcInboundDst(11), reseverBind2OutboundSrcOutboundDst(12) } MidcomNatSessionCommand ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "The choice of commands on NAT sessions. 
         createNatSession
             Create a NAT-session, given the parameters of a
             session as seen by NAT as the first packet in the
             ingress or egress direction specific to an
             interface. The associated Binds may or may not be
             pre-specified. When the command is successfully
             executed, a single NAT SessionId is created.

         create2NatSessions
             Create 2 NAT sessions, given the oddity
             requirement. When the command is successfully
             executed, two NAT session Ids are created.
        "
    SYNTAX      INTEGER {
                    createNatSession(1),
                    create2NatSessions(2)
                }

MidcomTransInOutFlags ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "A BITS representation used to specify the relevant
         parameters for input during a command request (or)
         during a command response.
        "
    SYNTAX      BITS {
                    privateAddrType(0),
                    privateSrcAddr(1),
                    privateSrcPort(2),
                    privateDstAddr(3),
                    privateDstPort(4),
                    globalAddrType(5),
                    globalSrcAddr(6),
                    globalSrcPort(7),
                    globalDstAddr(8),
                    globalDstPort(9),
                    groupId(10),
                    lifetime(11),
                    maxIdletime(12),
                    privateSrcBind(13),
                    privateDstBind(14)
                }

MidcomSessionDirection ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "Describes the direction of a session specific to an
         interface.
        "
    SYNTAX      INTEGER { inbound(1), outbound(2) }

midcomTransGroupTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF MidcomTransGroupEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This lists Group based transactions, one per each
         agent."
    ::= { midcomTransactions 1 }

midcomTransGroupEntry OBJECT-TYPE
    SYNTAX      MidcomTransGroupEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry pertains to a midcom agent carrying out a
         group based transaction. Midcom module will respond
         with Success or Failure, with an error code. In the
         case of success, the tuples specified in the
         transaction are entered into midcomGroupTable for
         later reference and parameter modification by the
         agent.
" INDEX { midcomTransGroupAgentIndex } ::= { midcomTransGroupTable 1 } MidcomTransGroupEntry ::= SEQUENCE { midcomTransGroupAgentIndex MidcomAgentIndex, midcomTransGroupMBResource MidcomMBResource, midcomTransGroupGroupId Unsigned32, midcomTransGroupLifetime TimeInterval, midcomTransGroupMaxIdletime TimeInterval, midcomTransGroupCommand MidcomGroupCommand, midcomTransGroupStatus MidcomInvocationStatus } midcomTransGroupAgentIndex OBJECT-TYPE SYNTAX MidcomAgentIndex MAX-ACCESS read-only STATUS current DESCRIPTION "A unique Identifier for an Agent in the Table. This object is set when an agent reads the object midcomAgentIndexNext. " ::= { midcomTransGroupEntry 1 } midcomTransGroupMBResource OBJECT-TYPE SYNTAX MidcomMBResource MAX-ACCESS read-create STATUS current DESCRIPTION "Middlebox function specific resource type for which the GroupId is applicable." ::= { midcomTransGroupEntry 2 } midcomTransGroupGroupId OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "Group Identifier for which the Group operation is to be performed." ::= { midcomTransGroupEntry 3 } midcomTransGroupLifetime OBJECT-TYPE SYNTAX TimeInterval MAX-ACCESS read-create STATUS current DESCRIPTION "Default Lifetime of the resources that are assigned this group Id. This field is required only during the add operation. Srisuresh [Page 32] Internet-Draft Midcom MIB October 2003 This field is ignored during the delete operation. " ::= { midcomTransGroupEntry 4 } midcomTransGroupMaxIdletime OBJECT-TYPE SYNTAX TimeInterval MAX-ACCESS read-create STATUS current DESCRIPTION "Default MaxIdletime of the resources that are assigned this group Id. This field is required to be filled only during the add operation. This field is ignored during the delete operation. " ::= { midcomTransGroupEntry 5 } midcomTransGroupCommand OBJECT-TYPE SYNTAX MidcomGroupCommand MAX-ACCESS read-write STATUS current DESCRIPTION "This specifies the group command to be executed. 
" ::= { midcomTransGroupEntry 6 } midcomTransGroupStatus OBJECT-TYPE SYNTAX MidcomInvocationStatus MAX-ACCESS read-write STATUS current DESCRIPTION "Invocation status." ::= { midcomTransGroupEntry 7 } midcomTransBindTable OBJECT-TYPE SYNTAX SEQUENCE OF MidcomTransBindEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This lists Bind based transactions, one per each agent." ::= { midcomTransactions 2 } midcomTransBindEntry OBJECT-TYPE SYNTAX MidcomTransBindEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Each entry pertains to a midcom agent carrying out a BIND based transaction. Srisuresh [Page 33] Internet-Draft Midcom MIB October 2003 Midcom module will respond with Success or Failure, with an error code. In the case of success, there can be a maximum of two address or port binds returned. These binds are also entered into midcomBindTable for later use by the midcom agents. " INDEX { midcomTransBindAgentIndex } ::= { midcomTransBindTable 1 } MidcomTransBindEntry ::= SEQUENCE { midcomTransBindAgentIndex MidcomAgentIndex, midcomTransBindCommand MidcomBindCommand, midcomTransBindOddity INTEGER, midcomTransBindProtocol NATProtocolType, midcomTransBindSessionDirection MidcomSessionDirection, midcomTransBindIfIndex InterfaceIndex, midcomTransBindInParms MidcomTransInOutFlags, midcomTransBindOutParms MidcomTransInOutFlags, midcomTransBindGroupId Unsigned32, midcomTransBindLifetime TimeInterval, midcomTransBindMaxIdletime TimeInterval, midcomTransBindPrivateAddrType InetAddressType, midcomTransBindPrivateSrcAddr InetAddress, midcomTransBindPrivateSrcPort InetPortNumber, midcomTransBindPrivateDstAddr InetAddress, midcomTransBindPrivateDstPort InetPortNumber, midcomTransBindGlobalAddrType InetAddressType, midcomTransBindGlobalSrcAddr InetAddress, midcomTransBindGlobalSrcPort InetPortNumber, midcomTransBindGlobalDstAddr InetAddress, midcomTransBindGlobalDstPort InetPortNumber, midcomTransBindPrivateSrcBindId NatBindIdOrZero, 
    midcomTransBindPrivateSrcBindMode  MidcomBindMode,
    midcomTransBindPrivateDstBindId    NatBindIdOrZero,
    midcomTransBindPrivateDstBindMode  MidcomBindMode,
    midcomTransBindStatus              MidcomInvocationStatus
}

midcomTransBindAgentIndex OBJECT-TYPE
    SYNTAX      MidcomAgentIndex
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique Identifier for an Agent in the Table. This
         object is set when an agent reads the object
         midcomAgentIndexNext.
        "
    ::= { midcomTransBindEntry 1 }

midcomTransBindCommand OBJECT-TYPE
    SYNTAX      MidcomBindCommand
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This specifies the bind command to be executed.
        "
    ::= { midcomTransBindEntry 2 }

midcomTransBindOddity OBJECT-TYPE
    SYNTAX      INTEGER {
                    oddityEnforce(1),      -- Enforce oddity
                    oddityNotRequired(2)   -- Oddity not required.
                }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This specifies whether or not the bind should enforce
         oddity to match that of the specified end point or
         end points.
        "
    ::= { midcomTransBindEntry 3 }

midcomTransBindProtocol OBJECT-TYPE
    SYNTAX      NATProtocolType
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This specifies the protocol (TCP/UDP) of the session
         that requires the bind reservation.
        "
    ::= { midcomTransBindEntry 4 }

midcomTransBindSessionDirection OBJECT-TYPE
    SYNTAX      MidcomSessionDirection
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This specifies the orientation of the session that
         requires the bind reservation.
        "
    ::= { midcomTransBindEntry 5 }

midcomTransBindIfIndex OBJECT-TYPE
    SYNTAX      InterfaceIndex
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Interface Index for which the bind is being requested.
         This value may be set to 0 to mean any IP interface on
         the middlebox. This value may also be set to 0 when
         the middlebox has just one interface on which midcom
         is configured.
" ::= { midcomTransBindEntry 6 } midcomTransBindInParms OBJECT-TYPE SYNTAX MidcomTransInOutFlags MAX-ACCESS read-write STATUS current DESCRIPTION "Lists the fields within the row that are filled by the requestor. While the transaction allows for any or all of the end-points to be specified, typically, no more than one end-point should be defined. For Twice-Nat alone, two end-points must be specified. " ::= { midcomTransBindEntry 7 } midcomTransBindOutParms OBJECT-TYPE SYNTAX MidcomTransInOutFlags MAX-ACCESS read-write STATUS current DESCRIPTION "Lists the fields within the row that are filled by the middlebox in response to the bind request from agent. While the transaction allows for any or all of the end-points to be filled, typically, no more than one end-point should be filled. For Twice-Nat alone, two end-points must be specified. For oddity based port binds, the second bind is used to specify the second port bind. " Srisuresh [Page 36] Internet-Draft Midcom MIB October 2003 ::= { midcomTransBindEntry 8 } midcomTransBindGroupId OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "Group Identifier assigend to this bind resource. A value of 0 implies that the bind is not assigned a group membership. " ::= { midcomTransBindEntry 9 } midcomTransBindLifetime OBJECT-TYPE SYNTAX TimeInterval MAX-ACCESS read-create STATUS current DESCRIPTION "Individual Lifetime of the bind resource. When this is set to 0 and GroupId is set to non-zero, the Lifetime of the GroupId is used to determine the lifetime of this resource. " ::= { midcomTransBindEntry 10 } midcomTransBindMaxIdletime OBJECT-TYPE SYNTAX TimeInterval MAX-ACCESS read-create STATUS current DESCRIPTION "MaxIdletime of the Bind resource. When this is set to 0 and GroupId is set to non-zero, the MaxIdletime of the GroupId is used to determine the Maxidletime of this resource. 
" ::= { midcomTransBindEntry 11 } midcomTransBindPrivateAddrType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-create STATUS current DESCRIPTION "IP address type in the private realm. " Srisuresh [Page 37] Internet-Draft Midcom MIB October 2003 ::= { midcomTransBindEntry 12 } midcomTransBindPrivateSrcAddr OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-create STATUS current DESCRIPTION "IP source address in the private realm. This is relevant if the agent refers a private realm address and the bind command is to find a bind for private realm source end point. " ::= { midcomTransBindEntry 13 } midcomTransBindPrivateSrcPort OBJECT-TYPE SYNTAX InetPortNumber MAX-ACCESS read-create STATUS current DESCRIPTION "IP source port in the private realm. This is relevant if the agent refers a private realm address and the bind command is to find a bind for private realm source end point. " ::= { midcomTransBindEntry 14 } midcomTransBindPrivateDstAddr OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-create STATUS current DESCRIPTION "IP destination address in the private realm. This is relevant if the agent refers a private realm address and the bind command is to find a bind for private realm destination end point. " ::= { midcomTransBindEntry 15 } midcomTransBindPrivateDstPort OBJECT-TYPE SYNTAX InetPortNumber MAX-ACCESS read-create STATUS current DESCRIPTION "IP destination port in the private realm. This is relevant if the agent refers a private realm address and the bind command is to find a bind for private realm destination end point. " Srisuresh [Page 38] Internet-Draft Midcom MIB October 2003 ::= { midcomTransBindEntry 16 } midcomTransBindGlobalAddrType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-create STATUS current DESCRIPTION "IP address type in the global address realm. " ::= { midcomTransBindEntry 17 } midcomTransBindGlobalSrcAddr OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-create STATUS current DESCRIPTION "IP source address in the global realm. 
         This is relevant if the agent refers to a global realm
         address and the bind command is to find a bind for
         the global realm source end point.
        "
    ::= { midcomTransBindEntry 18 }

midcomTransBindGlobalSrcPort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "IP source port in the global realm. This is relevant
         if the agent refers to a global realm address and the
         bind command is to find a bind for the global realm
         source end point.
        "
    ::= { midcomTransBindEntry 19 }

midcomTransBindGlobalDstAddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "IP destination address in the global realm. This is
         relevant if the agent refers to a global realm address
         and the bind command is to find a bind for the global
         realm destination end point.
        "
    ::= { midcomTransBindEntry 20 }

midcomTransBindGlobalDstPort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "IP destination port in the global realm. This is
         relevant if the agent refers to a global realm address
         and the bind command is to find a bind for the global
         realm destination end point.
        "
    ::= { midcomTransBindEntry 21 }

midcomTransBindPrivateSrcBindId OBJECT-TYPE
    SYNTAX      NatBindIdOrZero
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This is the first Bind that will be generated in the
         majority of the cases. This will be set to 0 in the
         case of symmetric NAT.
        "
    ::= { midcomTransBindEntry 22 }

midcomTransBindPrivateSrcBindMode OBJECT-TYPE
    SYNTAX      MidcomBindMode
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This indicates whether PrivateSrcBind is an address
         bind or a port bind.
        "
    ::= { midcomTransBindEntry 23 }

midcomTransBindPrivateDstBindId OBJECT-TYPE
    SYNTAX      NatBindIdOrZero
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This is the second Bind that will be generated in the
         case of twice-NAT or an oddity based 2 bind request.
         This will be set to 0 in the case of symmetric NAT.
" ::= { midcomTransBindEntry 24 } midcomTransBindPrivateDstBindMode OBJECT-TYPE SYNTAX MidcomBindMode MAX-ACCESS read-only STATUS current DESCRIPTION "This indicates whether PrivateDstBind is Srisuresh [Page 40] Internet-Draft Midcom MIB October 2003 address bind or port bind. " ::= { midcomTransBindEntry 25 } midcomTransBindStatus OBJECT-TYPE SYNTAX MidcomInvocationStatus MAX-ACCESS read-write STATUS current DESCRIPTION "Invocation status." ::= { midcomTransBindEntry 26 } midcomTransNatSessionTable OBJECT-TYPE SYNTAX SEQUENCE OF MidcomTransNatSessionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This lists NatSession based transactions, one per each agent." ::= { midcomTransactions 3 } midcomTransNatSessionEntry OBJECT-TYPE SYNTAX MidcomTransNatSessionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Each entry pertains to a midcom agent carrying out a Nat session based transaction. Midcom module will respond with Success or Failure, with an error code. In the case of success, there can be a maximum of two address or port binds returned. These binds are entered into midcomBindTable for later use by the midcom agents. Further, the NatSession entry is included within the midcomNatSession table. 
" INDEX { midcomTransNatSessionAgentIndex } ::= { midcomTransNatSessionTable 1 } MidcomTransNatSessionEntry ::= SEQUENCE { midcomTransNatSessionAgentIndex MidcomAgentIndex, midcomTransNatSessionCommand MidcomNatSessionCommand, midcomTransNatSessionOddity INTEGER, midcomTransNatSessionProtocol NATProtocolType, midcomTransNatSessionSessionDirection MidcomSessionDirection, midcomTransNatSessionIfIndex InterfaceIndex, Srisuresh [Page 41] Internet-Draft Midcom MIB October 2003 midcomTransNatSessionInParms MidcomTransInOutFlags, midcomTransNatSessionOutParms MidcomTransInOutFlags, midcomTransNatSessionGroupId Unsigned32, midcomTransNatSessionLifetime TimeInterval, midcomTransNatSessionMaxIdletime TimeInterval, midcomTransNatSessionPrivateAddrType InetAddressType, midcomTransNatSessionPrivateSrcAddr InetAddress, midcomTransNatSessionPrivateSrcPort InetPortNumber, midcomTransNatSessionPrivateDstAddr InetAddress, midcomTransNatSessionPrivateDstPort InetPortNumber, midcomTransNatSessionGlobalAddrType InetAddressType, midcomTransNatSessionGlobalSrcAddr InetAddress, midcomTransNatSessionGlobalSrcPort InetPortNumber, midcomTransNatSessionGlobalDstAddr InetAddress, midcomTransNatSessionGlobalDstPort InetPortNumber, midcomTransNatSessionPrivateSrcBindId NatBindIdOrZero, midcomTransNatSessionPrivateDstBindId NatBindIdOrZero, midcomTransNatSessionSessionId NatSessionId, midcomTransNatSessionSessionId2 NatSessionId, midcomTransNatSessionStatus MidcomInvocationStatus } midcomTransNatSessionAgentIndex OBJECT-TYPE SYNTAX MidcomAgentIndex MAX-ACCESS read-only STATUS current DESCRIPTION "A unique Identifier for an Agent in the Table. This object is set when an agent reads the object midcomAgentIndexNext. " ::= { midcomTransNatSessionEntry 1 } midcomTransNatSessionCommand OBJECT-TYPE SYNTAX MidcomNatSessionCommand MAX-ACCESS read-write STATUS current DESCRIPTION "This specifies the NatSession command to be executed. 
" ::= { midcomTransNatSessionEntry 2 } midcomTransNatSessionOddity OBJECT-TYPE SYNTAX INTEGER { oddityEnforce(1), -- Enforce oddity oddityNotRequired (2) -- Oddity not required. Srisuresh [Page 42] Internet-Draft Midcom MIB October 2003 } MAX-ACCESS read-write STATUS current DESCRIPTION "This specifies whether or not the Nat-Session should enforce oddity while assigning translation port(s) to match that of the specified session.. " ::= { midcomTransNatSessionEntry 3 } midcomTransNatSessionProtocol OBJECT-TYPE SYNTAX NATProtocolType MAX-ACCESS read-write STATUS current DESCRIPTION "This specifies the protocol (TCP/UDP) of the session. " ::= { midcomTransNatSessionEntry 4 } midcomTransNatSessionSessionDirection OBJECT-TYPE SYNTAX MidcomSessionDirection MAX-ACCESS read-write STATUS current DESCRIPTION "This specifies the orientation of the session with reference to the interface index specified. " ::= { midcomTransNatSessionEntry 5 } midcomTransNatSessionIfIndex OBJECT-TYPE SYNTAX InterfaceIndex MAX-ACCESS read-create STATUS current DESCRIPTION "Interface Index for which the NAT-Session is being requested. This value may be set to 0 to mean any IP interface on the middlebox. This value may also be set to 0, when the middlebox has just one interface on which midcom is configured. " ::= { midcomTransNatSessionEntry 6 } midcomTransNatSessionInParms OBJECT-TYPE SYNTAX MidcomTransInOutFlags MAX-ACCESS read-write STATUS current Srisuresh [Page 43] Internet-Draft Midcom MIB October 2003 DESCRIPTION "Lists the fields within the row that are filled by the requestor. While the transaction allows for any or all of the session parameters to be specified, typically, session parameters are filled in the private alone or in the public realm alone. 
" ::= { midcomTransNatSessionEntry 7 } midcomTransNatSessionOutParms OBJECT-TYPE SYNTAX MidcomTransInOutFlags MAX-ACCESS read-write STATUS current DESCRIPTION "Lists the fields within the row that are filled by the middlebox in response to the session request from agent. While the transaction allows for any or all session parameters to be filled, typically, session parameters are filled in the private alone or in the public realm alone. " ::= { midcomTransNatSessionEntry 8 } midcomTransNatSessionGroupId OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "Group Identifier assigend to this resource. A value of 0 implies that the session is not assigned a group membership. " ::= { midcomTransNatSessionEntry 9 } midcomTransNatSessionLifetime OBJECT-TYPE SYNTAX TimeInterval MAX-ACCESS read-create STATUS current DESCRIPTION "Individual Lifetime of the bind resource. When this is set to 0 and GroupId is set to non-zero, the Lifetime of the GroupId is used to determine the lifetime of this resource. Srisuresh [Page 44] Internet-Draft Midcom MIB October 2003 " ::= { midcomTransNatSessionEntry 10 } midcomTransNatSessionMaxIdletime OBJECT-TYPE SYNTAX TimeInterval MAX-ACCESS read-create STATUS current DESCRIPTION "MaxIdletime of the Bind resource. When this is set to 0 and GroupId is set to non-zero, the MaxIdletime of the GroupId is used to determine the Maxidletime of this resource. " ::= { midcomTransNatSessionEntry 11 } midcomTransNatSessionPrivateAddrType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-create STATUS current DESCRIPTION "IP address type in the private realm. " ::= { midcomTransNatSessionEntry 12 } midcomTransNatSessionPrivateSrcAddr OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-create STATUS current DESCRIPTION "IP source address in the private realm. This is relevant if the agent refers a private realm session. Wild-card IP address is allowed and may be denoted as all zeros. 
" ::= { midcomTransNatSessionEntry 13 } midcomTransNatSessionPrivateSrcPort OBJECT-TYPE SYNTAX InetPortNumber MAX-ACCESS read-create STATUS current DESCRIPTION "IP source port in the private realm. This is relevant if the agent refers a private realm based session. Wild-card port is allowed and may be denoted as zero. " ::= { midcomTransNatSessionEntry 14 } Srisuresh [Page 45] Internet-Draft Midcom MIB October 2003 midcomTransNatSessionPrivateDstAddr OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-create STATUS current DESCRIPTION "IP destination address in the private realm. This is relevant if the agent refers a private realm based session. Wild-card IP address is allowed and may be denoted as all zeros. " ::= { midcomTransNatSessionEntry 15 } midcomTransNatSessionPrivateDstPort OBJECT-TYPE SYNTAX InetPortNumber MAX-ACCESS read-create STATUS current DESCRIPTION "IP destination port in the private realm. This is relevant if the agent refers a private realm based session. Wild-card port is allowed and may be denoted as zero. " ::= { midcomTransNatSessionEntry 16 } midcomTransNatSessionGlobalAddrType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-create STATUS current DESCRIPTION "IP address type in the global address realm. " ::= { midcomTransNatSessionEntry 17 } midcomTransNatSessionGlobalSrcAddr OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-create STATUS current DESCRIPTION "IP source address in the global realm. This is relevant if the agent refers a global realm based session. Wild-card IP address is allowed and may be denoted as all zeros. " ::= { midcomTransNatSessionEntry 18 } Srisuresh [Page 46] Internet-Draft Midcom MIB October 2003 midcomTransNatSessionGlobalSrcPort OBJECT-TYPE SYNTAX InetPortNumber MAX-ACCESS read-create STATUS current DESCRIPTION "IP source port in the global realm. This is relevant if the agent refers a global realm based session. Wild-card port is allowed and may be denoted as zero. 
" ::= { midcomTransNatSessionEntry 19 } midcomTransNatSessionGlobalDstAddr OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-create STATUS current DESCRIPTION "IP destination address in the global realm. This is relevant if the agent refers a global realm based session. Wild-card IP address is allowed and may be denoted as all zeros. " ::= { midcomTransNatSessionEntry 20 } midcomTransNatSessionGlobalDstPort OBJECT-TYPE SYNTAX InetPortNumber MAX-ACCESS read-create STATUS current DESCRIPTION "IP destination port in the private realm. This is relevant if the agent refers a global realm based session. Wild-card port is allowed and may be denoted as zero. " ::= { midcomTransNatSessionEntry 21 } midcomTransNatSessionPrivateSrcBindId OBJECT-TYPE SYNTAX NatBindIdOrZero MAX-ACCESS read-create STATUS current DESCRIPTION "This is the first Bind that may be supplied by the agent. This BindId is the unique bindId for the midcom agent and is independent of what the NAT middlebox might have. Srisuresh [Page 47] Internet-Draft Midcom MIB October 2003 This may be set to 0 in the case requestor does not have a BIND pre-assigned. " ::= { midcomTransNatSessionEntry 22 } midcomTransNatSessionPrivateDstBindId OBJECT-TYPE SYNTAX NatBindIdOrZero MAX-ACCESS read-create STATUS current DESCRIPTION "This is the second Bind (as in twice-NAT) that may be supplied by the midcom agent for a session. In the case the command is to create two sessions, the second Bind refers to the sesond session. This BindId is the unique bindId for the midcom agent and is independent of what the NAT middlebox might have. This may be set to 0 in the case requestor does not have a BIND pre-assigned or the session needs no more than one BIND. " ::= { midcomTransNatSessionEntry 23 } midcomTransNatSessionSessionId OBJECT-TYPE SYNTAX NatSessionId MAX-ACCESS read-only STATUS current DESCRIPTION "Unique session Identifier returned upon successful execution of the session command. 
" ::= { midcomTransNatSessionEntry 24 } midcomTransNatSessionSessionId2 OBJECT-TYPE SYNTAX NatSessionId MAX-ACCESS read-only STATUS current DESCRIPTION "Second session Identifier assigned upon successful execution of the session command. This is set when the command is to create two sessions using the oddity basis, for two consecutive ports. " ::= { midcomTransNatSessionEntry 25 } midcomTransNatSessionStatus OBJECT-TYPE SYNTAX MidcomInvocationStatus Srisuresh [Page 48] Internet-Draft Midcom MIB October 2003 MAX-ACCESS read-write STATUS current DESCRIPTION "Invocation status." ::= { midcomTransNatSessionEntry 26 } END 7. Security Considerations The MIDCOM requirements [RFC3304] defines the general security requirements for the MIDCOM protocol. The SNMPv3 User-based Security Model (USM, [RFC2574]) satisfies those requirements. USM defines three standardized methods for providing authentication, confidentiality, and integrity. The method to use can be optionally chosen. The methods operate securely across untrusted domains. Additionally, USM has specific built-in mechanisms for preventing replay attacks including unique protocol engine IDs, timers and counters per engine and time windows for the validity of messages. 8. Acknowledgements The author wishes to thank Wes Hardekar for kindly playing the role of MIB doctor on the raw initial versions of this document. The author also wishes to thank Dave Harrington for providing clarity on how and where to draw the line in defining the MIBs, given the interrelation between Midcom MIB and middlebox function MIBs. Lastly, the author wishes to thank Martin Stiemerling, Juergen Quittek, Tom Taylor and Mary Barnes for the numerous valuable e-mail discussions, phone conversations and feedback on the subject. 9. References Normative References [RFC3304] R. Swale, P. Mart, P. Sijben, S. Brim, M. Shore, "Middlebox Communications (MIDCOM) Protocol Requirements", RFC 3304, August, 2002. [RFC3303] P. Srisuresh, J. Kuthan, J. 
Rosenberg, A. Molitor, A. Rayhan, "Middlebox Communications Architecture and Framework", RFC 3303, August, 2002. [MDCSEM] Stiemerling, M., Quittek, J., Taylor, T., "MIDCOM Protocol Semantics", draft-ietf-midcom-semantics-02.txt, May, 2003. Srisuresh [Page 49] Internet-Draft Midcom MIB October 2003 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, March 1997. [RFC2578] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M., and S. Waldbusser, "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. [RFC2579] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M., and S. Waldbusser, "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999. [RFC2580] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M., and S. Waldbusser, "Conformance Statements for SMIv2", STD 58, RFC 2580, April 1999. [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for Describing SNMP Management Frameworks", STD 62, RFC 3411, November 2002. [RFC3412] Case, J., Harrington D., Presuhn R., and B. Wijnen, "Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3412, November 2002. [RFC3413] Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications", STD 62, RFC 3413, November 2002. [RFC3414] Blumenthal, U., and B. Wijnen, "User-based Security Model(USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", STD 62, RFC 3414, November 2002. [RFC3415] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3415, November 2002. [NATMIB] Raghunarayan, R., Pai, N., Rohit, R., Wang, C., Srisuresh, P., "Definitions of Managed Objects for Network Address Translators (NAT)", draft-ietf-nat-natmib-06.txt, September, 2003. 
[PBMMIB] Waldbusser, S., Saperia, J., and T. Hongal, "Policy Based Management MIB", draft-ietf-snmpconf-pm-13.txt, March 2003.

[IPCMIB] Baer, M., Charlet, R., Hardaker, W., Story, R., and C. Wang, "IPsec Policy Configuration MIB module", draft-ietf-ipsp-ipsec-conf-MIB-06.txt, March 2003.

Informative References

[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, "Introduction to Version 3 of the Internet-standard Network Management Framework", RFC 3410, November 2002.

[MDCPEV] Barnes, M., "Middlebox Communications (MIDCOM) Protocol Evaluation", draft-ietf-midcom-protocol-eval-06.txt, November 2002.

[RFC2287] Krupczak, C. and J. Saperia, "Definitions of System-Level Managed Objects for Applications", RFC 2287, February 1998.

[RFC2475] Blake, S., et al., "An Architecture for Differentiated Services", RFC 2475, December 1998.

[RFC2564] Kalbfleisch, C., Krupczak, C., Presuhn, R., and J. Saperia, "Application Management MIB", RFC 2564, May 1999.

[RFC2594] Hazewinkel, H., Kalbfleisch, C., and J. Schoenwaelder, "Definitions of Managed Objects for WWW Services", RFC 2594, May 1999.

[RFC2788] Freed, N. and S. Kille, "Network Services Monitoring MIB", RFC 2788, March 2000.

[RFC2790] Waldbusser, S. and P. Grillo, "Host Resources MIB", RFC 2790, March 2000.

[RFC2863] McCloghrie, K. and F. Kastenholz, "The Interfaces Group MIB using SMIv2", RFC 2863, June 2000.

[RFC3289] Baker, F., Chan, K., and A. Smith, "Management Information Base for the Differentiated Services Architecture", RFC 3289, May 2002.

[RFC3290] Bernet, Y., et al., "An Informal Management Model for Differentiated Services Routers", RFC 3290, May 2002.

Author's Address

P. Srisuresh
Caymas Systems, Inc.
1179-A North McDowell Blvd.
Petaluma, CA 94954
Tel: (707) 283-5063
Email: srisuresh@yahoo.com

Full Copyright Statement

Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
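Worked example of the row semantics that the midcomTransNatSessionEntry objects in Section 6 state in their DESCRIPTION clauses: a wild-card address is all zeros and a wild-card port is zero, a Lifetime or MaxIdletime of 0 inherits the group's value when GroupId is non-zero, and a request normally describes the private realm alone or the global realm alone. This is an added illustration, not code from the draft or from any midcom implementation. The Group record (the draft's group table is not on this page), the packet 5-tuple, and all sample values are constructed for the example; object names follow the MIB but are modelled as plain Python fields rather than SNMP objects.

```python
"""Model of one midcomTransNatSessionEntry row and the semantics its
DESCRIPTION clauses state (added example; not part of the draft)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Tuple


@dataclass(frozen=True)
class Group:
    """Assumed shape of the group a session may belong to; the group
    table itself is defined elsewhere in the MIB, not on this page."""
    group_id: int
    lifetime: int       # TimeInterval, modelled here as seconds
    max_idletime: int


@dataclass
class NatSessionRow:
    """Subset of midcomTransNatSessionEntry. All-zero address and port 0
    are the wild-cards the draft allows; BindId 0 means no pre-assigned
    BIND; GroupId 0 means no group membership."""
    group_id: int = 0
    lifetime: int = 0
    max_idletime: int = 0
    private_src_addr: str = "0.0.0.0"
    private_src_port: int = 0
    private_dst_addr: str = "0.0.0.0"
    private_dst_port: int = 0
    global_src_addr: str = "0.0.0.0"
    global_src_port: int = 0
    global_dst_addr: str = "0.0.0.0"
    global_dst_port: int = 0
    private_src_bind_id: int = 0
    private_dst_bind_id: int = 0


def is_wildcard_addr(addr: str) -> bool:
    # "all zeros" covers both 0.0.0.0 and ::, since InetAddress is
    # tagged by the companion InetAddressType object.
    return int(ip_address(addr)) == 0


def effective_timers(row: NatSessionRow, groups: Dict[int, Group]) -> Tuple[int, int]:
    """Lifetime and MaxIdletime in force for the row. A value of 0
    inherits the group's value when GroupId is non-zero; otherwise the
    row's own value stands."""
    if row.group_id == 0:
        return row.lifetime, row.max_idletime
    if row.group_id not in groups:
        raise ValueError(f"unknown GroupId {row.group_id}")
    g = groups[row.group_id]
    lifetime = g.lifetime if row.lifetime == 0 else row.lifetime
    idle = g.max_idletime if row.max_idletime == 0 else row.max_idletime
    return lifetime, idle


def realm_of_request(row: NatSessionRow) -> str:
    """Which realm the agent described: 'private', 'global', 'both' or
    'none'. A realm counts as described when any of its four fields is
    not a wild-card."""
    def described(sa, sp, da, dp):
        return not (is_wildcard_addr(sa) and sp == 0
                    and is_wildcard_addr(da) and dp == 0)
    priv = described(row.private_src_addr, row.private_src_port,
                     row.private_dst_addr, row.private_dst_port)
    glob = described(row.global_src_addr, row.global_src_port,
                     row.global_dst_addr, row.global_dst_port)
    return {(True, True): "both", (True, False): "private",
            (False, True): "global"}.get((priv, glob), "none")


def matches(row: NatSessionRow, realm: str,
            src: str, sport: int, dst: str, dport: int) -> bool:
    """Does a 5-tuple seen in the given realm fall under this row? Each
    field matches when the row holds a wild-card or the same value."""
    if realm == "private":
        rsa, rsp, rda, rdp = (row.private_src_addr, row.private_src_port,
                              row.private_dst_addr, row.private_dst_port)
    elif realm == "global":
        rsa, rsp, rda, rdp = (row.global_src_addr, row.global_src_port,
                              row.global_dst_addr, row.global_dst_port)
    else:
        raise ValueError(f"unknown realm {realm!r}")
    return ((is_wildcard_addr(rsa) or ip_address(rsa) == ip_address(src))
            and (rsp == 0 or rsp == sport)
            and (is_wildcard_addr(rda) or ip_address(rda) == ip_address(dst))
            and (rdp == 0 or rdp == dport))


if __name__ == "__main__":
    groups = {7: Group(7, 600, 120)}   # constructed sample group
    # constructed request: private-realm session from 10.0.0.5, any
    # source port, to any destination on port 5060
    row = NatSessionRow(group_id=7, lifetime=0, max_idletime=30,
                        private_src_addr="10.0.0.5", private_dst_port=5060)
    print(effective_timers(row, groups))   # (600, 30)
    print(realm_of_request(row))           # private
    print(matches(row, "private", "10.0.0.5", 40000, "198.51.100.7", 5060))  # True
```

The sample row leaves the source port and destination address wild, which is exactly the kind of broad pinhole the Security Considerations section is concerned with: matches() shows that any destination reachable on port 5060 is covered, so the agent that may write such a row needs to be an authorized one.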