Internet Draft                                          M. Stiemerling
Document: draft-stiemerling-midcom-server-mib-00.txt        J. Quittek
Expires: May 2003                                      NEC Europe Ltd.
                                                          P. Srisuresh
                                                  Caymas Systems, Inc.
                                                         November 2003

            Definitions of Managed Objects for MIDCOM Server

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC 2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   Distribution of this document is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it describes a set of managed objects that allow
   monitoring and configuration of middleboxes running a MIDCOM server,
   i.e. middleboxes implementing the MIDCOM MIB module (RFC YYYY).

Stiemerling, Quittek, Srisuresh                                 [Page 1]

Internet-Draft              MIDCOM SERVER MIB              November 2003

Table of Contents

   1    Introduction
   2    The Internet-Standard Management Framework
   3    Overview
   3.1  Terminology
   4    Structure of the MIB module
   4.1  midcomSrvResourceTable
   4.2  midcomSrvFwTable
   4.3  MIDCOM Server Statistics
   5    Definitions
   6    Security Considerations
   7    Open Issues
   8    Normative References
   9    Informative References
   10   Authors' Addresses
   11   Full Copyright Statement

1.  Introduction

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it describes a set of managed objects that allow
   monitoring and configuration of a MIDCOM server, i.e. an
   implementation of the MIDCOM MIB module.  Middleboxes, such as
   firewalls and Network Address Translators (NATs), that implement the
   MIDCOM MIB module (RFC YYYY) are called MIDCOM servers throughout
   this document.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   RFC 2119 [RFC2119].

2.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].
3.  Overview

   The MIDCOM working group has defined the framework, protocol
   requirements, protocol semantics, and a protocol evaluation document.
   The outcome of the protocol evaluation is the use of SNMPv3 as the
   MIDCOM protocol.  Consequently, the MIDCOM protocol will be defined
   as a MIB module, the MIDCOM MIB module.  This module implements the
   MIDCOM protocol semantics as defined in [RFCXXXX].

   For monitoring and configuring this MIDCOM protocol implementation,
   another MIB module is required.  This is the MIDCOM SERVER MIB
   module.  Whereas the MIDCOM MIB module is used for dynamic
   configuration of middleboxes, the MIDCOM SERVER MIB module is used
   for monitoring the resource usage of the MIDCOM MIB and for
   configuring some parameters related to the MIDCOM MIB module.

   As defined in [RFC3234], firewalls and NATs belong to the group of
   middleboxes.  A middlebox is a device on the datagram path between
   source and destination, which performs other functions than just IP
   routing.  Middleboxes may be an obstacle to several applications that
   make use of dynamic port allocation schemes.  The IETF MIDCOM working
   group defined a framework [RFC3303], requirements [RFC3304] and
   protocol semantics [RFCXXXX] for communication between applications
   and middleboxes acting as firewalls, NATs or a combination of both.

   The MIDCOM protocol is defined in the MIDCOM MIB module in [RFCXXXX]
   and can be used for dynamically configuring middleboxes on the
   datagram path in order to enable datagram streams to pass the
   middlebox.  This way, applications can request pinholes at firewalls
   and address bindings at NATs.  Instances serving MIDCOM on the
   middlebox are called MIDCOM servers throughout this document.  The
   MIDCOM SERVER MIB module defined in this document serves for
   configuration and monitoring of MIDCOM servers on middleboxes.

3.1.  Terminology

   The terminology used in this document is fully aligned with the
   terminology defined in [RFCXXXX].

   There is a conflict between the MIDCOM terminology and the SNMP
   terminology.  The roles of entities participating in SNMP
   communication are called 'manager' and 'agent', with the agent acting
   as server for requests from the manager.  This use of the term
   'agent' differs from its use in the MIDCOM framework: the SNMP
   manager corresponds to the MIDCOM agent, and the SNMP agent
   corresponds to the MIDCOM middlebox.  In order to avoid confusion,
   the term agent is only used in combination with a prefix: either as
   MIDCOM agent or as SNMP agent.

4.  Structure of the MIB module

   This section presents the structure of the MIB module specified in
   this document.  The MIDCOM SERVER MIB module is divided into three
   logical groups: monitoring the resource usage on a per-policy-rule
   basis, configuring firewall parameters, and general statistics.

4.1.  midcomSrvResourceTable

   Information about resource usage per policy rule is provided by the
   midcomSrvResourceTable.  Each row in the midcomSrvResourceTable
   serves exactly one policy rule.  Resources are NAT resources and
   firewall resources, depending on the type of middlebox, i.e.
   firewall, NAT, or any combination of those.  NAT resources are NAT
   binds and NAT sessions.  NAT address mappings are not considered.
   For firewalls, only firewall filter rules are considered as
   resources.

   The values provided by the following objects on NAT binds and NAT
   sessions may refer to a more detailed NAT MIB module.  This module is
   not specified in this document.  The values provided by the following
   objects on firewall rules may refer to a more detailed firewall MIB
   module.  This module is not specified in this document.
   The following objects are defined:

   o  natSrcBindMode

      This object indicates whether the source address is an address
      NAT bind or an address-port NAT bind.

   o  natSrcBindId

      This object is the link to the NAT bind for the source address in
      the NAT engine.  The natSrcBindId is the identifier of the actual
      NAT bind.

   o  natDstBindMode

      This object indicates whether the destination address is an
      address NAT bind or an address-port NAT bind.

   o  natDstBindId

      This object is the link to the NAT bind for the destination
      address in the NAT engine.  The natDstBindId is the identifier of
      the actual NAT bind.

   o  natSessionId1

      This object links to the first NAT session associated with one of
      the above NAT binds.

   o  natSessionId2

      This object links to the second NAT session associated with one
      of the above NAT binds.

   o  fwRuleId

      The firewall rule for this policy rule.

4.2.  midcomSrvFwTable

   The midcomSrvFwTable keeps a row per interface available for MIDCOM
   service at the middlebox.  Several parameters per interface are
   configurable through this table:

   o  fwGroup

      Firewall rules loaded for the MIDCOM server may be assigned to a
      specific group in the firewall rule engine.  An SNMP manager can
      set the firewall group with this object.

   o  fwPriority

      Depending on the firewall type, rules may have an associated
      firewall rule priority.  An SNMP manager can set the firewall
      rule priority with this object.

4.3.  MIDCOM Server Statistics

   Several objects are provided for collecting statistics about the
   MIDCOM server:

   o  midcomSrvSessionsRejected

      MIDCOM agents are required to establish a session prior to any
      further GET or SET message on policy rules or groups.  This
      object counts the rejected session establishment requests.

   o  midcomSrvSessionsCurrent

      This object indicates the total number of currently established
      sessions.

   o  midcomSrvSessionsTotal

      This object indicates the total number of established sessions,
      current and in the past.

   o  midcomSrvRuleEntriesRejected

      This object indicates the total number of rejected policy rule
      entries.  Typically, policy rules will be rejected with a
      specific reason (see below).  Failed row creations in
      midcomRuleTable are counted with this object, i.e. policy rule
      requests that are rejected by the SNMP agent.

   o  midcomSrvRulesIncomplete

      This object indicates the total number of policy rules that have
      not been fully loaded into a table row of midcomRuleTable.

   o  midcomSrvResRulesRejected

      This object indicates the total number of rejected reserved
      policy rules.  The SNMP agent accepts the creation of a row in
      midcomRuleTable, but any further action is rejected.

   o  midcomSrvResRulesFailed

      This object indicates the total number of failed reserved policy
      rules.  Failed reserved policy rules are typically policy rules
      that are accepted by the SNMP agent, but not accepted by the
      middlebox.

   o  midcomSrvResRulesActive

      This object indicates the number of active reserved policy rules
      in midcomRuleTable at the point of time when the object is
      retrieved by the SNMP manager.

   o  midcomSrvResRulesExpired

      This object indicates the number of expired reserved policy rules
      in midcomRuleTable at the point of time when the object is
      retrieved by the SNMP manager.

   o  midcomSrvResRulesTerminated

      This object indicates the number of terminated reserved policy
      rules in midcomRuleTable at the point of time when the object is
      retrieved by the SNMP manager.

   o  midcomSrvResRulesOnRequest

      This object indicates the number of on-request reserved policy
      rules in midcomRuleTable at the point of time when the object is
      retrieved by the SNMP manager.

   o  midcomSrvEnabledRulesRejected

      This object indicates the total number of rejected enabled policy
      rules.  The SNMP agent accepts the creation of a row in
      midcomRuleTable, but any further action is rejected.

   o  midcomSrvEnabledRulesFailed

      This object indicates the total number of failed enabled policy
      rules.  Failed enabled policy rules are typically policy rules
      that are accepted by the SNMP agent, but not accepted by the
      middlebox.

   o  midcomSrvEnabledRulesActive

      This object indicates the number of active enabled policy rules
      in midcomRuleTable at the point of time when the object is
      retrieved by the SNMP manager.

   o  midcomSrvEnabledRulesExpired

      This object indicates the number of expired enabled policy rules
      in midcomRuleTable at the point of time when the object is
      retrieved by the SNMP manager.

   o  midcomSrvEnabledRulesTerminated

      This object indicates the number of terminated enabled policy
      rules in midcomRuleTable at the point of time when the object is
      retrieved by the SNMP manager.

   o  midcomSrvEnabledRulesOnRequest

      This object indicates the number of on-request enabled policy
      rules in midcomRuleTable at the point of time when the object is
      retrieved by the SNMP manager.

   o  midcomSrvTransRejected

      This object indicates the total number of rejected transactions.
      A transaction is rejected when there is no session established
      for the requesting SNMP manager, i.e. no entry in
      midcomSessionTable.

   o  midcomSrvTransFailed

      This object indicates the total number of failed transactions.  A
      transaction is accepted (not rejected), but fails for another
      reason.  For instance, a transaction consisting of multiple SET
      operations fails when only a single one of its SETs is performed.

   o  midcomSrvTransCompleted

      This object indicates the total number of successfully completed
      transactions at the MIDCOM server.
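   The counters above are what an operations or security team polls to
   watch a MIDCOM server.  The following Python script is an added
   example and not code from the draft or from any MIDCOM
   implementation: it takes two constructed polls of the
   midcomSrvStatistics objects, as an SNMP manager would obtain them
   with GET requests 60 seconds apart, checks the consistency the object
   descriptions imply, computes the increments of the running totals,
   and raises alerts on rejected session requests, session-less
   transactions and rules refused by the middlebox.  The polling
   interval, the alert thresholds and all counter values are this
   example's own assumptions.

```python
"""Offline evaluation of two polls of the midcomSrvStatistics scalars.

Added example, not part of the draft.  PREV and CUR are constructed
values, as an SNMP manager would obtain them with two GET requests
taken 60 s apart.
"""

UNSIGNED32_MOD = 2 ** 32

# Objects the draft describes as "total number of ..." are running totals
# and must not decrease between polls other than by an Unsigned32 wrap.
# The *Active/*Expired/*Terminated/*OnRequest objects are gauges read at
# the time of the poll and may go up or down, so they are not listed.
TOTAL_COUNTERS = (
    "midcomSrvSessionsRejected", "midcomSrvSessionsTotal",
    "midcomSrvRuleEntriesRejected", "midcomSrvRulesIncomplete",
    "midcomSrvResRulesRejected", "midcomSrvResRulesFailed",
    "midcomSrvEnabledRulesRejected", "midcomSrvEnabledRulesFailed",
    "midcomSrvTransRejected", "midcomSrvTransFailed",
    "midcomSrvTransCompleted",
)

# Constructed poll 1: all twenty objects of the statistics group.
PREV = {
    "midcomSrvSessionsRejected": 3, "midcomSrvSessionsCurrent": 2,
    "midcomSrvSessionsTotal": 12, "midcomSrvRuleEntriesRejected": 0,
    "midcomSrvRulesIncomplete": 1, "midcomSrvResRulesRejected": 0,
    "midcomSrvResRulesFailed": 0, "midcomSrvResRulesActive": 4,
    "midcomSrvResRulesExpired": 1, "midcomSrvResRulesTerminated": 2,
    "midcomSrvResRulesOnRequest": 0, "midcomSrvEnabledRulesRejected": 0,
    "midcomSrvEnabledRulesFailed": 1, "midcomSrvEnabledRulesActive": 7,
    "midcomSrvEnabledRulesExpired": 3, "midcomSrvEnabledRulesTerminated": 5,
    "midcomSrvEnabledRulesOnRequest": 0,
    "midcomSrvTransRejected": 4294967290,  # close to the Unsigned32 maximum
    "midcomSrvTransFailed": 2, "midcomSrvTransCompleted": 150,
}

# Constructed poll 2, 60 s later: a burst of rejected session requests,
# and midcomSrvTransRejected has wrapped past 2^32.
CUR = {**PREV,
       "midcomSrvSessionsRejected": 48, "midcomSrvSessionsTotal": 13,
       "midcomSrvSessionsCurrent": 3, "midcomSrvTransRejected": 6,
       "midcomSrvTransCompleted": 170, "midcomSrvEnabledRulesActive": 9}


def delta(old, new):
    """Increment between two Unsigned32 samples, tolerating one wrap-around."""
    return (new - old) % UNSIGNED32_MOD


def check_poll(sample):
    """Sanity checks on a single poll; returns a list of problem strings."""
    problems = []
    # Every currently established session is also part of the running total.
    if sample["midcomSrvSessionsCurrent"] > sample["midcomSrvSessionsTotal"]:
        problems.append("SessionsCurrent exceeds SessionsTotal")
    for name, value in sample.items():
        if not 0 <= value < UNSIGNED32_MOD:
            problems.append(f"{name} outside Unsigned32 range")
    return problems


def evaluate(prev, cur, interval_s, max_session_rejects_per_min=10):
    """Compare two polls and return (per-counter increments, alert strings).

    The threshold default is this example's own choice, not a draft value.
    """
    deltas = {name: delta(prev[name], cur[name]) for name in TOTAL_COUNTERS}
    alerts = []
    per_min = deltas["midcomSrvSessionsRejected"] * 60 / interval_s
    if per_min > max_session_rejects_per_min:
        # Unauthorised or unknown MIDCOM agents show up first as rejected
        # session establishment requests.
        alerts.append(f"session rejects at {per_min:.0f}/min")
    if deltas["midcomSrvTransRejected"]:
        # Requests from a manager that never established a session, i.e.
        # one without a row in midcomSessionTable.
        alerts.append(f"{deltas['midcomSrvTransRejected']} transactions "
                      "without an established session")
    failed = (deltas["midcomSrvResRulesFailed"]
              + deltas["midcomSrvEnabledRulesFailed"])
    if failed:
        # Accepted by the SNMP agent but refused by the NAT/firewall engine:
        # a capacity or local policy problem on the middlebox itself.
        alerts.append(f"{failed} policy rules failed on the middlebox")
    return deltas, alerts


if __name__ == "__main__":
    print(check_poll(CUR))
    increments, alarms = evaluate(PREV, CUR, 60)
    print(increments["midcomSrvTransRejected"], alarms)
```

   Note that the module types every statistic as Unsigned32 rather than
   Counter32, so the SMIv2 counter semantics (monotonic increase,
   defined wrap, discontinuity indication) are not guaranteed for these
   objects.  The example therefore treats any decrease of a running
   total as a single 32-bit wrap, which is only a safe reading when the
   polling interval is short compared with the rate of the counter.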
5.  Definitions

   MIDCOM-SERVER-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, Unsigned32, mib-2
           FROM SNMPv2-SMI                          -- RFC2578
       TEXTUAL-CONVENTION
           FROM SNMPv2-TC                           -- RFC2579
       MODULE-COMPLIANCE, OBJECT-GROUP
           FROM SNMPv2-CONF                         -- RFC2580
       SnmpAdminString
           FROM SNMP-FRAMEWORK-MIB                  -- RFC3411
       InterfaceIndex
           FROM IF-MIB                              -- RFC2863
       midcomSessionOwner, midcomGroupIndex, midcomRuleIndex
           FROM MIDCOM-MIB;                         -- draft!

   midcomSrvMIB MODULE-IDENTITY
       LAST-UPDATED "200311240930Z"  -- November 24, 2003
       ORGANIZATION "IETF Middlebox Communication Working Group"
       CONTACT-INFO
           "WG charter:
              http://www.ietf.org/html.charters/midcom-charter.html

            Mailing Lists:
              General Discussion: midcom@ietf.org
              To Subscribe: midcom-request@ietf.org
              In Body: subscribe your_email_address

            Editor:
              Martin Stiemerling
              NEC Europe Ltd.
              Network Laboratories
              Kurfuersten-Anlage 36
              69221 Heidelberg
              Germany
              Tel: +49 6221 90511-13
              Email: stiemerling@netlab.nec.de"
       DESCRIPTION
           "This MIB module defines a set of basic objects
            for monitoring and configuring MIDCOM servers on
            middleboxes that support MIDCOM.  Such middleboxes
            may be firewalls and network address translators.
            This MIB module does not implement portions of the
            MIDCOM protocol, but is the MIDCOM SERVER MIB module
            for monitoring instances of the MIDCOM protocol.

            There are three groups of managed objects defined
            by this MIB module:
            - objects describing the used middlebox resources
              on a per MIDCOM policy rule base
            - objects describing the used firewall configuration
              on a per MIDCOM policy rule base
            - objects providing statistical information about
              the MIDCOM MIB module

            Copyright (C) The Internet Society (2003).  This version
            of this MIB module is part of RFC yyyy; see the RFC
            itself for full legal notices."
       -- RFC Ed.: replace yyyy with actual RFC number & remove this notice
       REVISION "200311240930Z"  -- November 24, 2003
       DESCRIPTION
           "Initial version, published as RFC yyyy."
       -- RFC Ed.: replace yyyy with actual RFC number & remove this notice
       ::= { mib-2 44445 }  -- 44445 to be assigned by IANA.

   --
   -- Some textual conventions for this module
   --

   MidcomNatBindMode ::= TEXTUAL-CONVENTION
       STATUS      current
       DESCRIPTION
           "An indication whether the NAT bind is an address bind
            or an address-port bind."
       SYNTAX      INTEGER {
                       addressBind (1),
                       addressPortBind (2)
                   }

   MidcomNatBindId ::= TEXTUAL-CONVENTION
       STATUS      current
       DESCRIPTION
           "A unique ID that is assigned to each NAT bind by
            a NAT enabled device."
       SYNTAX      Unsigned32

   MidcomNatSessionId ::= TEXTUAL-CONVENTION
       STATUS      current
       DESCRIPTION
           "A unique ID that is assigned to each NAT session by
            a NAT enabled device."
       SYNTAX      Unsigned32

   --
   -- main components of this MIB module
   --

   midcomSrvObjects     OBJECT IDENTIFIER ::= { midcomSrvMIB 1 }
   midcomSrvConformance OBJECT IDENTIFIER ::= { midcomSrvMIB 2 }

   --
   -- Resources group
   --
   -- The MIDCOM server resources group contains a set of managed
   -- objects describing the currently used resources of the MIDCOM
   -- server.
   -- Some objects in this group have MAX-ACCESS read-write.
   --

   midcomSrvResources OBJECT IDENTIFIER ::= { midcomSrvObjects 1 }

   --
   -- The NAT resource table
   --

   midcomSrvResourceTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF MidcomSrvMbEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table lists all used middlebox resources per
            MIDCOM policy rule.  The midcomSrvResourceTable is
            indexed by session owner, group index, and rule index."
       ::= { midcomSrvResources 1 }

   midcomSrvResourceEntry OBJECT-TYPE
       SYNTAX      MidcomSrvMbEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry describing a particular set of middlebox
            resources."
       INDEX { midcomSessionOwner, midcomGroupIndex, midcomRuleIndex }
       ::= { midcomSrvResourceTable 1 }

   MidcomSrvMbEntry ::= SEQUENCE {
       natSrcBindMode   MidcomNatBindMode,
       natSrcBindId     MidcomNatBindId,
       natDstBindMode   MidcomNatBindMode,
       natDstBindId     MidcomNatBindId,
       natSessionId1    MidcomNatSessionId,
       natSessionId2    MidcomNatSessionId,
       fwRuleId         Unsigned32
       -- more input required.
   }

   natSrcBindMode OBJECT-TYPE
       SYNTAX      MidcomNatBindMode
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "An indication whether this policy rule uses an
            address NAT bind or an address-port NAT bind for
            the source address."
       ::= { midcomSrvResourceEntry 4 }

   natSrcBindId OBJECT-TYPE
       SYNTAX      MidcomNatBindId
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The allocated NAT bind for the source address used
            by this policy rule."
       ::= { midcomSrvResourceEntry 5 }

   natDstBindMode OBJECT-TYPE
       SYNTAX      MidcomNatBindMode
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "An indication whether this policy rule uses an
            address NAT bind or an address-port NAT bind for
            the destination address."
       ::= { midcomSrvResourceEntry 6 }

   natDstBindId OBJECT-TYPE
       SYNTAX      MidcomNatBindId
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The allocated NAT bind for the destination address
            used by this policy rule."
       ::= { midcomSrvResourceEntry 7 }

   natSessionId1 OBJECT-TYPE
       SYNTAX      MidcomNatSessionId
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "A unique ID that is assigned to this specific NAT
            session at the NAT for this policy rule.  A maximum
            of two NAT sessions can be assigned to one policy
            rule."
       ::= { midcomSrvResourceEntry 8 }

   natSessionId2 OBJECT-TYPE
       SYNTAX      MidcomNatSessionId
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "A unique ID that is assigned to this specific NAT
            session at the NAT for this policy rule.
            A maximum of two NAT sessions can be assigned to one
            policy rule."
       ::= { midcomSrvResourceEntry 9 }

   fwRuleId OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "A unique ID that is assigned to this specific
            firewall rule at the firewall for this policy rule."
       ::= { midcomSrvResourceEntry 10 }

   --
   -- The firewall (fw) configuration table
   --

   midcomSrvFwTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF MidcomSrvFwEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table lists the firewall configuration per
            interface.  The midcomSrvFwTable is indexed by
            midcomifIndex."
       ::= { midcomSrvResources 2 }

   midcomSrvFwEntry OBJECT-TYPE
       SYNTAX      MidcomSrvFwEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry describing a particular set of firewall
            resources."
       INDEX { midcomifIndex }
       ::= { midcomSrvFwTable 1 }

   MidcomSrvFwEntry ::= SEQUENCE {
       midcomifIndex   InterfaceIndex,
       fwGroup         SnmpAdminString,
       fwPriority      Unsigned32
       -- Wes, what should be here?
   }

   midcomifIndex OBJECT-TYPE
       SYNTAX      InterfaceIndex
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The corresponding interface of the middlebox."
       ::= { midcomSrvFwEntry 1 }

   fwGroup OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The firewall rule group to which all firewall rules
            of the MIDCOM server are assigned."
       ::= { midcomSrvFwEntry 2 }

   fwPriority OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The priority assigned to all firewall rules of the
            MIDCOM server."
       ::= { midcomSrvFwEntry 3 }

   --
   -- The statistics of the MIDCOM server
   --

   midcomSrvStatistics OBJECT IDENTIFIER ::= { midcomSrvObjects 2 }

   midcomSrvSessionsRejected OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of rejected MIDCOM sessions.
            The MIDCOM MIB module can reject sessions that
            are not authorized or unknown."
       ::= { midcomSrvStatistics 1 }

   midcomSrvSessionsCurrent OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of currently established MIDCOM sessions.
            This object equals the number of rows in the
            midcomSessionTable and gives the number of MIDCOM
            agents (=SNMP managers) that are allowed to read,
            create, or modify entries in the MIDCOM MIB module."
       ::= { midcomSrvStatistics 2 }

   midcomSrvSessionsTotal OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The summarized number of all current and past
            established MIDCOM sessions."
       ::= { midcomSrvStatistics 3 }

   midcomSrvRuleEntriesRejected OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of policy rule entries rejected without
            any further detailed reason.  Policy rules may be
            rejected due to several reasons.  This object counts
            policy rules rejected without any other specific
            reason."
       ::= { midcomSrvStatistics 4 }

   midcomSrvRulesIncomplete OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of policy rules that are incomplete.
            Policy rules are loaded via row entries in
            midcomRuleTable.  This object counts policy rules
            that are loaded but not fully specified, i.e. the
            associated action (reserve or enable) is not set.
            Those rules are typically removed after some time
            and counted."
       ::= { midcomSrvStatistics 5 }

   midcomSrvResRulesRejected OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of reserved policy rules that are
            loaded, but are rejected."
       ::= { midcomSrvStatistics 6 }

   midcomSrvResRulesFailed OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of failed reserved policy rules."
       ::= { midcomSrvStatistics 7 }

   midcomSrvResRulesActive OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of currently active reserved policy rules."
       ::= { midcomSrvStatistics 8 }

   midcomSrvResRulesExpired OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of currently expired reserved policy rules."
       ::= { midcomSrvStatistics 9 }

   midcomSrvResRulesTerminated OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of currently terminated reserved policy
            rules."
       ::= { midcomSrvStatistics 10 }

   midcomSrvResRulesOnRequest OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of currently on-request reserved policy
            rules."
       ::= { midcomSrvStatistics 11 }

   midcomSrvEnabledRulesRejected OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of rejected enabled policy rules."
       ::= { midcomSrvStatistics 12 }

   midcomSrvEnabledRulesFailed OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of failed enabled policy rules."
       ::= { midcomSrvStatistics 13 }

   midcomSrvEnabledRulesActive OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of currently active enabled policy rules."
       ::= { midcomSrvStatistics 14 }

   midcomSrvEnabledRulesExpired OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of currently expired enabled policy rules."
       ::= { midcomSrvStatistics 15 }

   midcomSrvEnabledRulesTerminated OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of currently terminated enabled policy
            rules."
       ::= { midcomSrvStatistics 16 }

   midcomSrvEnabledRulesOnRequest OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of currently on-request enabled policy
            rules."
       ::= { midcomSrvStatistics 17 }

   midcomSrvTransRejected OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of rejected transactions."
       ::= { midcomSrvStatistics 18 }

   midcomSrvTransFailed OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of failed transactions."
       ::= { midcomSrvStatistics 19 }

   midcomSrvTransCompleted OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of completed transactions."
       ::= { midcomSrvStatistics 20 }

   --
   -- Compliance statements
   --

   midcomSrvCompliances OBJECT IDENTIFIER ::= { midcomSrvConformance 1 }
   midcomSrvGroups      OBJECT IDENTIFIER ::= { midcomSrvConformance 2 }

   --
   -- This is the MIDCOM server compliance definition
   --

   midcomSrvCompliance MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
           "The compliance statement for SNMP entities that
            implement the MIDCOM SERVER MIB."
       MODULE -- this module
           MANDATORY-GROUPS {
               midcomSrvResourceGroup,
               midcomSrvFwGroup,
               midcomSrvStatisticsGroup
           }
       ::= { midcomSrvCompliances 1 }

   midcomSrvResourceGroup OBJECT-GROUP
       OBJECTS {
           natSrcBindMode,
           natSrcBindId,
           natDstBindMode,
           natDstBindId,
           natSessionId1,
           natSessionId2,
           fwRuleId
       }
       STATUS      current
       DESCRIPTION
           "A collection of objects providing information about
            the used NAT resources."
       ::= { midcomSrvGroups 1 }

   midcomSrvFwGroup OBJECT-GROUP
       OBJECTS {
           fwGroup,
           fwPriority
       }
       STATUS      current
       DESCRIPTION
           "A collection of objects providing information about
            the used firewall resources."
       ::= { midcomSrvGroups 2 }

   midcomSrvStatisticsGroup OBJECT-GROUP
       OBJECTS {
           midcomSrvSessionsRejected,
           midcomSrvSessionsCurrent,
           midcomSrvSessionsTotal,
           midcomSrvRuleEntriesRejected,
           midcomSrvRulesIncomplete,
           midcomSrvResRulesRejected,
           midcomSrvResRulesFailed,
           midcomSrvResRulesActive,
           midcomSrvResRulesExpired,
           midcomSrvResRulesTerminated,
           midcomSrvResRulesOnRequest,
           midcomSrvEnabledRulesRejected,
           midcomSrvEnabledRulesFailed,
           midcomSrvEnabledRulesActive,
           midcomSrvEnabledRulesExpired,
           midcomSrvEnabledRulesTerminated,
           midcomSrvEnabledRulesOnRequest,
           midcomSrvTransRejected,
           midcomSrvTransFailed,
           midcomSrvTransCompleted
       }
       STATUS      current
       DESCRIPTION
           "A collection of objects providing statistical
            information about the MIDCOM server."
       ::= { midcomSrvGroups 3 }

   END

6.  Security Considerations

   TBD XXX

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPSec),
   there is still no control as to who on the secure network is allowed
   to access and GET/SET (read/change/create/delete) the objects in this
   MIB module.

   It is REQUIRED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).  For implementations of the MIDCOM
   SERVER MIB it is REQUIRED to deploy SNMPv3 and to enable
   cryptographic security.
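   As an added illustration of the access-control side of this
   requirement (example code, not part of the draft or of any SNMP
   agent): in SNMPv3 the View-based Access Control Model of RFC 3415
   decides per object instance whether an authenticated principal may
   read or write it.  The Python script below implements the view tree
   family matching of that model and applies it to this module: a read
   view covering all of midcomSrvObjects and a write view confined to
   one interface's row of midcomSrvFwTable, which holds the only
   read-write objects (fwGroup, fwPriority) this module defines.  The
   absolute OIDs build on the placeholder { mib-2 44445 } registration
   the module itself uses, and the interface index 3 is a constructed
   value.

```python
"""VACM-style view checks for the MIDCOM SERVER MIB objects.

Added example, not part of the draft.  It implements the view tree family
matching of the SNMPv3 View-based Access Control Model (RFC 3415) and uses
it to confine write access to the read-write objects this module defines.
"""

# The module is registered at { mib-2 44445 }; the draft marks 44445 as a
# placeholder to be assigned by IANA, so the absolute OIDs below are too.
MIDCOM_SRV_MIB = (1, 3, 6, 1, 2, 1, 44445)
MIDCOM_SRV_OBJECTS = MIDCOM_SRV_MIB + (1,)              # midcomSrvObjects
MIDCOM_SRV_FW_TABLE = MIDCOM_SRV_OBJECTS + (1, 2)       # midcomSrvResources 2
MIDCOM_SRV_FW_ENTRY = MIDCOM_SRV_FW_TABLE + (1,)        # midcomSrvFwEntry
FW_GROUP = MIDCOM_SRV_FW_ENTRY + (2,)                   # midcomSrvFwEntry 2
FW_PRIORITY = MIDCOM_SRV_FW_ENTRY + (3,)                # midcomSrvFwEntry 3
MIDCOM_SRV_STATISTICS = MIDCOM_SRV_OBJECTS + (2,)       # midcomSrvStatistics
SESSIONS_REJECTED = MIDCOM_SRV_STATISTICS + (1,)        # midcomSrvStatistics 1
SYS_DESCR = (1, 3, 6, 1, 2, 1, 1, 1)                    # outside the module


def family_matches(subtree, mask, oid):
    """View tree family test of RFC 3415.

    `mask` holds one bit per sub-identifier of `subtree`: 1 means the
    sub-identifier must match exactly, 0 makes it a wildcard.  A mask that
    is shorter than the subtree is padded with 1 bits.
    """
    if len(oid) < len(subtree):
        return False
    for pos, sub in enumerate(subtree):
        exact = mask[pos] if pos < len(mask) else 1
        if exact and oid[pos] != sub:
            return False
    return True


def oid_in_view(view, oid):
    """view: list of (subtree, mask, 'included' | 'excluded') families.

    Of all matching families the one with the longest subtree wins, ties
    broken by the lexicographically greatest mask; its type decides.
    """
    best = None
    for subtree, mask, family_type in view:
        if family_matches(subtree, mask, oid):
            rank = (len(subtree), tuple(mask))
            if best is None or rank > best[0]:
                best = (rank, family_type)
    return best is not None and best[1] == "included"


# Read view: the whole module is readable by the monitoring principal.
READ_VIEW = [(MIDCOM_SRV_OBJECTS, (), "included")]

# Write view: only the midcomSrvFwTable row of one interface (constructed
# ifIndex 3) may be set.  The wildcard bit (0) sits at the column position
# so that both fwGroup.3 and fwPriority.3 fall inside the family.
WRITE_VIEW = [(MIDCOM_SRV_FW_ENTRY + (0, 3), (1,) * 11 + (0, 1), "included")]


def access_allowed(operation, oid):
    """Decide GET-class versus SET requests against the two views above."""
    view = READ_VIEW if operation in ("get", "getnext", "getbulk") else WRITE_VIEW
    return oid_in_view(view, oid)


if __name__ == "__main__":
    for op, oid in (("set", FW_GROUP + (3,)), ("set", FW_GROUP + (4,)),
                    ("set", SESSIONS_REJECTED + (0,)),
                    ("get", SESSIONS_REJECTED + (0,)), ("get", SYS_DESCR + (0,))):
        print(op, ".".join(map(str, oid)), access_allowed(op, oid))
```

   In a real agent the same families are entered in the
   vacmViewTreeFamilyTable (or the agent's configuration file) and bound
   to the principal's group; the point of the split is that an
   authenticated operator can change fwGroup and fwPriority for the
   interface it is responsible for and nothing else, while the
   statistics and resource tables remain read-only for everyone.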
   It is then a customer/operator responsibility to ensure that the
   SNMP entity giving access to an instance of this MIB module is
   properly configured to give access to the objects only to those
   principals (users) that have legitimate rights to indeed GET or SET
   (change/create/delete) them.

7.  Open Issues

   - Firewall entries in midcomSrvResourceTable
   - Further entries in midcomSrvFwTable?

8.  Normative References

   [RFC3303]  Srisuresh, P., Kuthan, J., Rosenberg, J., Molitor, A. and
              A. Rayhan, "Middlebox communication architecture and
              framework", RFC 3303, August 2002.

   [RFC3304]  Swale, R.P., Mart, P.A., Sijben, P., Brimm, S. and M.
              Shore, "Middlebox Communications (midcom) Protocol
              Requirements", RFC 3304, August 2002.

   [RFCXXXX]  Stiemerling, M., Quittek, J. and T. Taylor, "Middlebox
              Communications (midcom) protocol semantics", RFC XXXX,
              YYYYmonth 2003.

   [RFCYYYY]  Quittek, J. and M. Stiemerling, "MIDCOM MIB XXXX", RFC
              YYYY.

   [RFC2578]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M. and S. Waldbusser, "Structure of Management
              Information Version 2 (SMIv2)", STD 58, RFC 2578, April
              1999.

   [RFC2579]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M. and S. Waldbusser, "Textual Conventions for
              SMIv2", STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M. and S. Waldbusser, "Conformance Statements for
              SMIv2", STD 58, RFC 2580, April 1999.

   [RFC3411]  Harrington, D., Presuhn, R. and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [RFC2863]  McCloghrie, K. and F. Kastenholz, "The Interfaces Group
              MIB", RFC 2863, June 2000.

   [RFC2574]  Blumenthal, U. and B. Wijnen, "User-based Security Model
              (USM) for version 3 of the Simple Network Management
              Protocol (SNMPv3)", RFC 2574, April 1999.

9.  Informative References

   [RFC3410]  Case, J., Mundy, R., Partain, D. and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410, December 2002.

   [NAT-TERM] Srisuresh, P. and M. Holdrege, "IP Network Address
              Translator (NAT) Terminology and Considerations", RFC
              2663, August 1999.

   [RFC2246]  Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
              RFC 2246, January 1999.

   [RFC2402]  Kent, S. and R. Atkinson, "IP Authentication Header", RFC
              2402, November 1998.

   [RFC2406]  Kent, S. and R. Atkinson, "IP Encapsulating Security
              Payload (ESP)", RFC 2406, November 1998.

10.  Authors' Addresses

   Martin Stiemerling
   NEC Europe Ltd.
   Network Laboratories
   Kurfuersten-Anlage 36
   69115 Heidelberg
   Germany

   Phone: +49 6221 90511-13
   EMail: stiemerling@ccrle.nec.de


   Juergen Quittek
   NEC Europe Ltd.
   Network Laboratories
   Kurfuersten-Anlage 36
   69115 Heidelberg
   Germany

   Phone: +49 6221 90511-15
   EMail: quittek@ccrle.nec.de


   P. Srisuresh
   Caymas Systems, Inc.
   1179-A North McDowell Blvd.
   Petaluma, CA 94954
   USA

   Phone: +1 707 283 5063
   EMail: srisuresh@yahoo.com

11.  Full Copyright Statement

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.
   However, this document itself may not be modified in any way, such as
   by removing the copyright notice or references to the Internet
   Society or other Internet organizations, except as needed for the
   purpose of developing Internet standards in which case the procedures
   for copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.