SAVI                                                              C. An
Internet-Draft                                                  J. Yang
Intended status: Experimental                                     J. Wu
Expires: December 14, 2014                                        J. Bi
                                                                 CERNET
                                                          June 12, 2014

            Definition of Managed Objects for SAVI Protocol
                         draft-an-savi-mib-07

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it defines objects for managing a SAVI (Source Address
   Validation Improvements) protocol instance.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 14, 2014.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  The Internet-Standard Management Framework
   3.  Conventions
   4.  Overview
   5.  Structure of the MIB Module
     5.1.  The SAVI System Table
     5.2.  The SAVI Port Table
     5.3.  The SAVI Binding Table
     5.4.  The SAVI Filtering Table
   6.  Textual Conventions
   7.  Relationship to Other MIB Modules
     7.1.  Relationship to the INET-ADDRESS-MIB
     7.2.  Relationship to the IF-MIB
     7.3.  MIB modules required for IMPORTS
   8.  Definitions
   9.  Security Considerations
   10. IANA Considerations
   11. Contributors
   12. References
     12.1.  Normative References
     12.2.  Informative References
     12.3.  URL References
   Appendix A.  Change Log
   Appendix B.  Open Issues

1. Introduction

   The Source Address Validation Improvement protocol was developed to
   complement ingress filtering with finer-grained, standardized IP
   source address validation (refer to [RFC7039]).  A SAVI protocol
   instance is located on the path of hosts' packets, enforcing the
   hosts' use of legitimate IP source addresses.

   The SAVI protocol determines whether the IP address obtaining process
   is legitimate according to the IP address assignment method.  For
   links with Stateless Address Autoconfiguration (SLAAC), Dynamic Host
   Configuration Protocol (DHCP), and Secure Neighbor Discovery (SEND),
   the process is defined in separate documents of the SAVI Working
   Group (refer to [RFC6620], [I-D.ietf-savi-dhcp], [RFC7219]).

   This document defines a MIB module that can be used to manage a
   SAVI protocol instance.  It covers both the configuration and the
   status monitoring aspects of SAVI implementations.

   This document uses terminology from the SAVI Protocol specification.

2. The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

3. Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

4. Overview

   The SAVI Protocol MIB module (SAVI-MIB) is conformant to the SAVI
   protocol, and is designed to:

   o  Support centralized management and monitoring of a SAVI protocol
      instance by the standard SNMP protocol.

   o  Support configuration and querying of SAVI protocol parameters.

   o  Support configuration and querying of binding entries.  Operators
      may insert and delete manual binding entries.

   o  Support querying of filtering entries.

   Based on the SAVI protocol, the attributes and objects of a SAVI
   protocol instance can be classified into four categories:

   o  System attributes.  These attributes correspond to a SAVI
      protocol instance, such as IP Address Assignment Methods and some
      constants.

   o  Anchor attributes.  These attributes correspond to a SAVI
      anchor.  Anchor is defined in [RFC7039].

   o  Binding Status Table.  This table contains the state of binding
      between source address and binding anchor (refer to [RFC6620],
      [I-D.ietf-savi-dhcp], [RFC7219]).
   o  Filtering Table.  This table contains the bindings between binding
      anchor and address, which are used to filter packets (refer to
      [RFC6620], [I-D.ietf-savi-dhcp], [RFC7219]).

   A table is designed for each category of objects.

5. Structure of the MIB Module

   This section presents the structure of the SAVI-MIB module.  The MIB
   objects are derived from the SAVI protocol specification.

   This MIB is composed of a series of tables meant to form the base for
   managing SAVI entities.  The following subsections describe all
   tables in the SAVI MIB module.

5.1. The SAVI System Table

   The SAVI System Table (saviObjectsSystemTable) contains the objects
   corresponding to SAVI system-wide parameters.  It supports the
   configuration and collection of SAVI system-wide parameters.

   There is an entry for each IP stack, IPv4 and IPv6.  The table is
   indexed by:

   o  saviObjectsSystemIPVersion - The IP Version.  The textual
      convention InetVersion defined in RFC4001 is used to represent the
      different versions of the IP protocol.

   It contains the following objects:

   o  saviObjectsSystemMode - Which IP address assignment method the
      link is running in (refer to [RFC7039]).

   o  saviObjectsSystemMaxDhcpResponseTime - A constant defined in the
      SAVI protocol (refer to [I-D.ietf-savi-dhcp]).

   o  saviObjectsSystemDataSnoopingInterval - A constant defined in the
      SAVI protocol (refer to [I-D.ietf-savi-dhcp]).

   o  saviObjectsSystemMaxLeaseQueryDelay - A constant defined in the
      SAVI protocol (refer to [I-D.ietf-savi-dhcp]).

   o  saviObjectsSystemOffLinkDelay - A constant defined in the SAVI
      protocol (refer to [I-D.ietf-savi-dhcp]).

   o  saviObjectsSystemDetectionTimeout - A constant defined in the SAVI
      protocol (refer to [I-D.ietf-savi-dhcp]).

   o  saviObjectsSystemTentLT - A constant defined in the SAVI protocol
      (refer to [RFC6620]).
   o  saviObjectsSystemDefaultLT - A constant defined in the SAVI
      protocol (refer to [RFC6620]).

   o  saviObjectsSystemTWAIT - A constant defined in the SAVI protocol
      (refer to [RFC6620]).

   The MAX-ACCESS of these objects is READ-WRITE.  Network Operators may
   do configuration by setting these objects.

5.2. The SAVI Port Table

   The SAVI Port Table (saviObjectsPortTable) contains the objects
   corresponding to the SAVI running parameters of each anchor.  It
   supports the configuration and collection of the SAVI parameters of
   each anchor.

   There is an entry for each IP stack, IPv4 and IPv6.  The table is
   indexed by:

   o  saviObjectsPortIPVersion - The IP Version.

   o  saviObjectsPortIfIndex - The index value that uniquely identifies
      the interface to which this entry is applicable.

   It contains the following objects:

   o  saviObjectsPortValidatingAttr - An attribute defined in the SAVI
      protocol (refer to [I-D.ietf-savi-dhcp]).

   o  saviObjectsPortDhcpTrustAttr - An attribute defined in the SAVI
      protocol (refer to [I-D.ietf-savi-dhcp]).

   o  saviObjectsPortTrustAttr - An attribute defined in the SAVI
      protocol (refer to [I-D.ietf-savi-dhcp]).

   o  saviObjectsPortDhcpSnoopingAttr - An attribute defined in the SAVI
      protocol (refer to [I-D.ietf-savi-dhcp]).

   o  saviObjectsPortDataSnoopingAttr - An attribute defined in the SAVI
      protocol (refer to [I-D.ietf-savi-dhcp]).

   o  saviObjectsPortFilteringNum - The maximum number of filtering
      entries of the port.

   The MAX-ACCESS of these objects is READ-WRITE.  Network Operators may
   configure by setting these objects.

5.3. The SAVI Binding Table

   The SAVI Binding Table (saviObjectsBindingTable) contains the objects
   corresponding to the Binding State Table (BST) defined in the SAVI
   protocol.  It contains the binding parameters and state of each
   binding entry.  It supports the collection of binding entries.
   An entry can also be inserted or deleted if it is a manual binding
   entry.

   The table is indexed by:

   o  saviObjectsBindingIpAddressType - IP address type.  The textual
      convention InetAddressType defined in RFC4001 is used to represent
      the different kinds of IP address.

   o  saviObjectsBindingType - Which IP address assignment method was
      used to create the binding entry - manual(1), slaac(2), dhcp(3),
      send(4).

   o  saviObjectsBindingIfIndex - The index value that uniquely
      identifies the interface to which this entry is applicable.

   o  saviObjectsBindingIpAddress - The binding source IP address.  The
      textual convention InetAddress defined in RFC4001 is used to
      define this object.

   The SAVI Binding Table contains the following objects:

   o  saviObjectsBindingMacAddr - The binding source MAC address.

   o  saviObjectsBindingState - The state of the binding entry.

   o  saviObjectsBindingLifetime - The remaining lifetime of the entry.

   o  saviObjectsBindingCreationtime - The value of the local clock when
      the entry was first created.

   o  saviObjectsBindingTID - The Transaction ID (TID) (refer to RFC2131
      and RFC3315) of the corresponding DHCP transaction.

   o  saviObjectsBindingRowStatus - The status of this row, by which new
      entries may be created, or old entries deleted from this table.
      As defined in RFC2579, the RowStatus textual convention is used to
      manage the creation and deletion of conceptual rows.  For the SAVI
      Binding Table, an entry can be created or deleted only when
      saviObjectsBindingType=manual.

   The MAX-ACCESS of these objects is READ-CREATE.  Network Operators
   may create or delete an entry by setting these objects.

5.4. The SAVI Filtering Table

   The SAVI Filtering Table (saviObjectsFilteringTable) contains the
   objects corresponding to the Filtering Table (FT) defined in the
   SAVI protocol.  It supports the collection of filtering entries.
   The table is indexed by:

   o  saviObjectsFilteringIpAddressType - IP address type.

   o  saviObjectsFilteringIfIndex - The index value that uniquely
      identifies the interface to which this entry is applicable.

   o  saviObjectsFilteringIpAddress - The source IP address.

   It contains the following objects:

   o  saviObjectsFilteringMacAddr - The source MAC address.

   The MAX-ACCESS of the object is READ-ONLY.

6. Textual Conventions

   The textual conventions used in the SAVI-MIB are as follows.

   The MODULE-COMPLIANCE and OBJECT-GROUP textual conventions are
   imported from SNMPv2-CONF [RFC2580].  The MODULE-IDENTITY,
   OBJECT-IDENTITY, OBJECT-TYPE and Unsigned32 textual conventions are
   imported from SNMPv2-SMI [RFC2578].

   The MacAddress, TimeInterval, RowStatus and DateAndTime textual
   conventions are imported from SNMPv2-TC [RFC2579].

   The InetVersion, InetAddressType and InetAddress textual conventions
   are imported from INET-ADDRESS-MIB [RFC4001].

   The InterfaceIndex textual convention is imported from IF-MIB
   [RFC2863].

   The ip object identifier is imported from IP-MIB [RFC4293].

7. Relationship to Other MIB Modules

7.1. Relationship to the INET-ADDRESS-MIB

   To support extensibility, the IETF defined new textual conventions in
   RFC4001 to represent different IP protocols and different IP
   addresses in a unified form.  To support different IP versions, a
   textual convention InetVersion is defined to represent the different
   versions of the IP protocol.  To support different IP addresses, a
   generic Internet address is defined.  It consists of two objects: the
   first has the syntax InetAddressType, and the second has the syntax
   InetAddress.  The value of the first object determines how the value
   of the second is encoded.

   Since the SAVI running mode and parameters are configured
   independently for IPv4 and IPv6, different OID instances should be
   defined for each protocol.
   In the SAVI-MIB definition, when an IP address is used as a part of
   the binding table, it is defined using the textual conventions
   described in INET-ADDRESS-MIB.

7.2. Relationship to the IF-MIB

   The Interfaces MIB [RFC2863] defines generic managed objects for
   managing interfaces.  This document contains the interface-specific
   extensions for managing SAVI anchors that are modeled as interfaces.

   The IF-MIB module is required to be supported on the SAVI device.
   The interface MUST be modeled as an ifEntry, and ifEntry objects such
   as ifIndex are to be used as per [RFC2863].

   An ifIndex [RFC2863] is used as a common index for interfaces in the
   SAVI-MIB module.

7.3. MIB modules required for IMPORTS

   The SAVI MIB module IMPORTS objects from SNMPv2-SMI [RFC2578],
   SNMPv2-TC [RFC2579], SNMPv2-CONF [RFC2580], IF-MIB [RFC2863],
   INET-ADDRESS-MIB [RFC4001] and IP-MIB [RFC4293].

8. Definitions

   SAVI-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-COMPLIANCE, OBJECT-GROUP
           FROM SNMPv2-CONF                         -- RFC2580
       MODULE-IDENTITY, OBJECT-IDENTITY, OBJECT-TYPE, Unsigned32
           FROM SNMPv2-SMI                          -- RFC2578
       -- DateAndTime is needed by saviObjectsBindingCreationtime
       TEXTUAL-CONVENTION, MacAddress, TimeInterval, RowStatus,
       DateAndTime
           FROM SNMPv2-TC                           -- RFC2579
       InterfaceIndex
           FROM IF-MIB                              -- RFC2863
       InetVersion, InetAddressType, InetAddress
           FROM INET-ADDRESS-MIB                    -- RFC4001
       ip
           FROM IP-MIB                              -- RFC4293
       ;

   saviMIB MODULE-IDENTITY
       LAST-UPDATED "201406120037Z"                 -- Jun 12, 2014
       ORGANIZATION
           "IETF SAVI Working Group"
       CONTACT-INFO
           "WG charter:
            http://datatracker.ietf.org/wg/savi/charter/

            Editor:
            Changqing An
            CERNET
            Postal: Network Research Center, Tsinghua University
                    Beijing 100084
                    China
            Email: acq@cernet.edu.cn

            Jiahai Yang
            CERNET
            Postal: Network Research Center, Tsinghua University
                    Beijing 100084
                    China
            Email: yang@cernet.edu.cn
           "
       DESCRIPTION
           "This MIB Module is designed to support configuration
            and monitoring of SAVI protocol.
           "
       REVISION "201406120037Z"
       DESCRIPTION
           "Initial version"
       ::= { ip xxx }

   saviObjects OBJECT IDENTIFIER ::= { saviMIB 1 }

   -- System parameters for SAVI protocol

   saviObjectsSystemTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SaviObjectsSystemEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The table containing SAVI system-wide parameters."
       ::= { saviObjects 1 }

   saviObjectsSystemEntry OBJECT-TYPE
       SYNTAX      SaviObjectsSystemEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry containing SAVI system-wide parameters for a
            particular IP version.
           "
       INDEX { saviObjectsSystemIPVersion }
       ::= { saviObjectsSystemTable 1 }

   SaviObjectsSystemEntry ::=
       SEQUENCE {
           saviObjectsSystemIPVersion             InetVersion,
           saviObjectsSystemMode                  INTEGER,
           saviObjectsSystemMaxDhcpResponseTime   TimeInterval,
           saviObjectsSystemDataSnoopingInterval  TimeInterval,
           saviObjectsSystemMaxLeaseQueryDelay    TimeInterval,
           saviObjectsSystemOffLinkDelay          TimeInterval,
           saviObjectsSystemDetectionTimeout      TimeInterval,
           saviObjectsSystemTentLT                TimeInterval,
           saviObjectsSystemDefaultLT             TimeInterval,
           saviObjectsSystemTWAIT                 TimeInterval
       }

   saviObjectsSystemIPVersion OBJECT-TYPE
       SYNTAX      InetVersion
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The IP version."
       ::= { saviObjectsSystemEntry 1 }

   saviObjectsSystemMode OBJECT-TYPE
       SYNTAX      INTEGER {
                       savi-disable(1),
                       savi-default(2),
                       savi-dhcp-only(3),
                       savi-slaac-only(4),
                       savi-dhcp-slaac-mix(5),
                       savi-send(6)
                   }
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "IP Address Assignment Methods."
       ::= { saviObjectsSystemEntry 2 }

   saviObjectsSystemMaxDhcpResponseTime OBJECT-TYPE
       SYNTAX      TimeInterval
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "A constant.
            TimeInterval is defined in RFC 2579; it is a period of time,
            measured in units of 0.01 seconds,
            and the value is (0..2147483647).
           "
       ::= { saviObjectsSystemEntry 3 }

   saviObjectsSystemDataSnoopingInterval OBJECT-TYPE
       SYNTAX      TimeInterval
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "A constant.
            TimeInterval is defined in RFC 2579; it is a period of time,
            measured in units of 0.01 seconds,
            and the value is (0..2147483647).
           "
       ::= { saviObjectsSystemEntry 4 }

   saviObjectsSystemMaxLeaseQueryDelay OBJECT-TYPE
       SYNTAX      TimeInterval
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "A constant.
            TimeInterval is defined in RFC 2579; it is a period of time,
            measured in units of 0.01 seconds,
            and the value is (0..2147483647).
           "
       ::= { saviObjectsSystemEntry 5 }

   saviObjectsSystemOffLinkDelay OBJECT-TYPE
       SYNTAX      TimeInterval
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "A constant.
            TimeInterval is defined in RFC 2579; it is a period of time,
            measured in units of 0.01 seconds,
            and the value is (0..2147483647).
           "
       ::= { saviObjectsSystemEntry 6 }

   saviObjectsSystemDetectionTimeout OBJECT-TYPE
       SYNTAX      TimeInterval
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "A constant.
            TimeInterval is defined in RFC 2579; it is a period of time,
            measured in units of 0.01 seconds,
            and the value is (0..2147483647).
           "
       ::= { saviObjectsSystemEntry 7 }

   saviObjectsSystemTentLT OBJECT-TYPE
       SYNTAX      TimeInterval
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "A constant.
            TimeInterval is defined in RFC 2579; it is a period of time,
            measured in units of 0.01 seconds,
            and the value is (0..2147483647).
           "
       ::= { saviObjectsSystemEntry 8 }

   saviObjectsSystemDefaultLT OBJECT-TYPE
       SYNTAX      TimeInterval
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "A constant.
            TimeInterval is defined in RFC 2579; it is a period of time,
            measured in units of 0.01 seconds,
            and the value is (0..2147483647).
           "
       ::= { saviObjectsSystemEntry 9 }

   saviObjectsSystemTWAIT OBJECT-TYPE
       SYNTAX      TimeInterval
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "A constant.
            TimeInterval is defined in RFC 2579; it is a period of time,
            measured in units of 0.01 seconds,
            and the value is (0..2147483647).
           "
       ::= { saviObjectsSystemEntry 10 }

   -- Port parameters for SAVI protocol

   saviObjectsPortTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SaviObjectsPortEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The table containing SAVI parameters of each anchor."
       ::= { saviObjects 2 }

   saviObjectsPortEntry OBJECT-TYPE
       SYNTAX      SaviObjectsPortEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry containing SAVI running parameters of an anchor."
       INDEX {
           saviObjectsPortIPVersion,
           saviObjectsPortIfIndex
       }
       ::= { saviObjectsPortTable 1 }

   SaviObjectsPortEntry ::=
       SEQUENCE {
           saviObjectsPortIPVersion          InetVersion,
           saviObjectsPortIfIndex            InterfaceIndex,
           saviObjectsPortValidatingAttr     INTEGER,
           saviObjectsPortDhcpTrustAttr      INTEGER,
           saviObjectsPortTrustAttr          INTEGER,
           saviObjectsPortDhcpSnoopingAttr   INTEGER,
           saviObjectsPortDataSnoopingAttr   INTEGER,
           saviObjectsPortFilteringNum       Unsigned32
       }

   saviObjectsPortIPVersion OBJECT-TYPE
       SYNTAX      InetVersion
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The IP version."
       ::= { saviObjectsPortEntry 1 }

   saviObjectsPortIfIndex OBJECT-TYPE
       SYNTAX      InterfaceIndex
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The index value that uniquely identifies the interface to
            which this entry is applicable.  The interface identified by
            a particular value of this index is the same interface as
            identified by the same value of the IF-MIB's ifIndex.
           "
       ::= { saviObjectsPortEntry 2 }

   saviObjectsPortValidatingAttr OBJECT-TYPE
       SYNTAX      INTEGER {
                       enable(1),
                       disable(2)
                   }
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "An attribute defined in SAVI protocol.
            enable(1), the attribute is set.
            disable(2), the attribute is not set.
           "
       ::= { saviObjectsPortEntry 3 }

   saviObjectsPortDhcpTrustAttr OBJECT-TYPE
       SYNTAX      INTEGER {
                       enable(1),
                       disable(2)
                   }
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "An attribute defined in SAVI protocol.
            enable(1), the attribute is set.
            disable(2), the attribute is not set.
           "
       ::= { saviObjectsPortEntry 4 }

   saviObjectsPortTrustAttr OBJECT-TYPE
       SYNTAX      INTEGER {
                       enable(1),
                       disable(2)
                   }
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "An attribute defined in SAVI protocol.
            enable(1), the attribute is set.
            disable(2), the attribute is not set.
           "
       ::= { saviObjectsPortEntry 5 }

   saviObjectsPortDhcpSnoopingAttr OBJECT-TYPE
       SYNTAX      INTEGER {
                       enable(1),
                       disable(2)
                   }
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "An attribute defined in SAVI protocol.
            enable(1), the attribute is set.
            disable(2), the attribute is not set.
           "
       ::= { saviObjectsPortEntry 6 }

   saviObjectsPortDataSnoopingAttr OBJECT-TYPE
       SYNTAX      INTEGER {
                       enable(1),
                       disable(2)
                   }
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "An attribute defined in SAVI protocol.
            enable(1), the attribute is set.
            disable(2), the attribute is not set.
           "
       ::= { saviObjectsPortEntry 7 }

   saviObjectsPortFilteringNum OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The maximum number of filtering entries of the port."
       ::= { saviObjectsPortEntry 8 }

   -- Binding Status Table for SAVI protocol

   saviObjectsBindingTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SaviObjectsBindingEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The table containing the state of binding
            between source address and anchor.
           "
       ::= { saviObjects 3 }

   saviObjectsBindingEntry OBJECT-TYPE
       SYNTAX      SaviObjectsBindingEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry containing the state of binding between source
            address and anchor.
            Entries are keyed on the source IP address type,
            binding type, anchor, and source IP address.
           "
       INDEX {
           saviObjectsBindingIpAddressType,
           saviObjectsBindingType,
           saviObjectsBindingIfIndex,
           saviObjectsBindingIpAddress
       }
       ::= { saviObjectsBindingTable 1 }

   SaviObjectsBindingEntry ::=
       SEQUENCE {
           saviObjectsBindingIpAddressType   InetAddressType,
           saviObjectsBindingType            INTEGER,
           saviObjectsBindingIfIndex         InterfaceIndex,
           saviObjectsBindingIpAddress       InetAddress,
           saviObjectsBindingMacAddr         MacAddress,
           saviObjectsBindingState           INTEGER,
           saviObjectsBindingLifetime        TimeInterval,
           saviObjectsBindingCreationtime    DateAndTime,
           saviObjectsBindingTID             INTEGER,
           saviObjectsBindingRowStatus       RowStatus
       }

   saviObjectsBindingIpAddressType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "IP address type of the binding source IP."
       ::= { saviObjectsBindingEntry 1 }

   saviObjectsBindingType OBJECT-TYPE
       SYNTAX      INTEGER {
                       manual(1),
                       slaac(2),
                       dhcp(3),
                       send(4)
                   }
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "IP address assignment methods."
       ::= { saviObjectsBindingEntry 2 }

   saviObjectsBindingIfIndex OBJECT-TYPE
       SYNTAX      InterfaceIndex
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The index value that uniquely identifies the interface to
            which this entry is applicable.  The interface identified by
            a particular value of this index is the same interface as
            identified by the same value of the IF-MIB's ifIndex.
           "
       ::= { saviObjectsBindingEntry 3 }

   saviObjectsBindingIpAddress OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The binding source IP address."
       ::= { saviObjectsBindingEntry 4 }

   saviObjectsBindingMacAddr OBJECT-TYPE
       SYNTAX      MacAddress
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The binding source MAC address."
       ::= { saviObjectsBindingEntry 5 }

   saviObjectsBindingState OBJECT-TYPE
       SYNTAX      INTEGER {
                       noBind(1),
                       initBindOrTentative(2),
                       boundOrValid(3),
                       testingTpLt(4),
                       testingVp(5)
                   }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The state of the binding entry.  The labels are the SMIv2
            spelling (no underscores) of the states NO_BIND,
            INIT_BIND or TENTATIVE, BOUND or VALID, TESTING_TP-LT and
            TESTING_VP as written in the SAVI protocol documents.
           "
       ::= { saviObjectsBindingEntry 6 }

   saviObjectsBindingLifetime OBJECT-TYPE
       SYNTAX      TimeInterval
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The remaining lifetime of the entry.
            TimeInterval is defined in RFC 2579; it is a period of time,
            measured in units of 0.01 seconds,
            and the value is (0..2147483647).
            If saviObjectsBindingType=manual, a value of 2147483647
            represents infinity.
           "
       ::= { saviObjectsBindingEntry 7 }

   saviObjectsBindingCreationtime OBJECT-TYPE
       SYNTAX      DateAndTime
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The value of the local clock when the entry was first
            created.
           "
       ::= { saviObjectsBindingEntry 8 }

   saviObjectsBindingTID OBJECT-TYPE
       SYNTAX      INTEGER
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The Transaction ID (TID) (refer to RFC2131 and RFC3315) of
            the corresponding DHCP transaction.
           "
       ::= { saviObjectsBindingEntry 9 }

   saviObjectsBindingRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The status of this row, by which new entries may be
            created, or old entries deleted from this table.
            An entry can be created or deleted only when
            saviObjectsBindingType=manual.
           "
       ::= { saviObjectsBindingEntry 10 }

   -- Filtering Table for SAVI protocol

   saviObjectsFilteringTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SaviObjectsFilteringEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The table containing the filtering entries."
       ::= { saviObjects 4 }

   saviObjectsFilteringEntry OBJECT-TYPE
       SYNTAX      SaviObjectsFilteringEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry containing the filtering parameters.
            Entries are keyed on the source IP address type,
            anchor, and source IP address.
           "
       INDEX {
           saviObjectsFilteringIpAddressType,
           saviObjectsFilteringIfIndex,
           saviObjectsFilteringIpAddress
       }
       ::= { saviObjectsFilteringTable 1 }

   SaviObjectsFilteringEntry ::=
       SEQUENCE {
           saviObjectsFilteringIpAddressType   InetAddressType,
           saviObjectsFilteringIfIndex         InterfaceIndex,
           saviObjectsFilteringIpAddress       InetAddress,
           saviObjectsFilteringMacAddr         MacAddress
       }

   saviObjectsFilteringIpAddressType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "IP address type of the filtering source IP."
       ::= { saviObjectsFilteringEntry 1 }

   saviObjectsFilteringIfIndex OBJECT-TYPE
       SYNTAX      InterfaceIndex
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The index value that uniquely identifies the interface to
            which this entry is applicable.  The interface identified by
            a particular value of this index is the same interface as
            identified by the same value of the IF-MIB's ifIndex.
           "
       ::= { saviObjectsFilteringEntry 2 }

   saviObjectsFilteringIpAddress OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The filtering source IP address."
       ::= { saviObjectsFilteringEntry 3 }

   saviObjectsFilteringMacAddr OBJECT-TYPE
       SYNTAX      MacAddress
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The filtering source MAC address."
 936          ::= { saviObjectsFilteringEntry 4 }

 938      -- Conformance information
 939      saviConformance OBJECT IDENTIFIER ::= { saviMIB 2 }
 940      saviCompliances OBJECT IDENTIFIER ::= { saviConformance 1 }

 942      -- Compliance statements
 943      saviCompliance MODULE-COMPLIANCE
 944          STATUS current
 945          DESCRIPTION
 946              "The compliance statement for entities which implement the SAVI
 947              protocol.
 948              "
 949          MODULE
 950              MANDATORY-GROUPS {
 951                  systemGroup,
 952                  portGroup,
 953                  bindingGroup,
 954                  filteringGroup
 955              }
 956          ::= { saviCompliances 1 }

 958      saviGroups OBJECT IDENTIFIER ::= { saviConformance 2 }

 960      -- Units of conformance

 962      systemGroup OBJECT-GROUP
 963          OBJECTS {
 964              saviObjectsSystemMode,
 965              saviObjectsSystemMaxDhcpResponseTime,
 966              saviObjectsSystemDataSnoopingInterval,
 967              saviObjectsSystemMaxLeaseQueryDelay,
 968              saviObjectsSystemOffLinkDelay,
 969              saviObjectsSystemDetectionTimeout,
 970              saviObjectsSystemTentLT,
 971              saviObjectsSystemDefaultLT,
 972              saviObjectsSystemTWAIT
 973          }
 974          STATUS current
 975          DESCRIPTION
 976              "The system group contains objects corresponding to SAVI system
 977              parameters.
 978              "
 979          ::= { saviGroups 1 }

 981      portGroup OBJECT-GROUP
 982          OBJECTS {
 983              saviObjectsPortValidatingAttr,
 984              saviObjectsPortDhcpTrustAttr,
 985              saviObjectsPortTrustAttr,
 986              saviObjectsPortDhcpSnoopingAttr,
 987              saviObjectsPortDataSnoopingAttr,
 988              saviObjectsPortFilteringNum
 989          }
 990          STATUS current
 991          DESCRIPTION
 992              "The port group contains objects corresponding to the SAVI
 993              running parameters of each anchor.
 994              "
 995          ::= { saviGroups 2 }

 997      bindingGroup OBJECT-GROUP
 998          OBJECTS {
 999              saviObjectsBindingMacAddr,
1000              saviObjectsBindingState,
1001              saviObjectsBindingLifetime,
1002              saviObjectsBindingCreationtime,
1003              saviObjectsBindingTID,
1004              saviObjectsBindingRowStatus
1005          }
1006          STATUS current
1007          DESCRIPTION
1008              "The binding group contains the binding
1009              information of anchor and source IP address.
1010              "
1011          ::= { saviGroups 3 }

1013      filteringGroup OBJECT-GROUP
1014          OBJECTS {
1015              saviObjectsFilteringMacAddr
1016          }
1017          STATUS current
1018          DESCRIPTION
1019              "The filtering group contains the filtering
1020              information of anchor and source IP address.
1021              "
1022          ::= { saviGroups 4 }
1023      END

1025   9.  Security Considerations

1027      There are a number of management objects defined in this MIB module
1028      with a MAX-ACCESS clause of read-write and/or read-create.  Such
1029      objects may be considered sensitive or vulnerable in some network
1030      environments.  The support for SET operations in a non-secure
1031      environment without proper protection can have a negative effect on
1032      network operations.  These are the tables and objects and their
1033      sensitivity/vulnerability:

1035      o  saviObjectsSystemTable - Unauthorized changes to the writable
1036         objects under saviObjectsSystemTable MAY disrupt allocation of
1037         resources in the network.  For example, setting a device's SAVI
1038         system mode to SAVI-DISABLE via a SET operation would leave the
1039         device open to IP source address spoofing.

1041      o  saviObjectsPortTable - Unauthorized changes to the writable
1042         objects under saviObjectsPortTable MAY disrupt allocation of
1043         resources in the network.  For example, setting an anchor's
1044         ValidatingAttr to DISABLE via a SET operation would allow IP
1045         source address spoofing through that anchor.

1047      o  saviObjectsBindingTable - Unauthorized changes to the writable
1048         objects under this table MAY disrupt allocation of resources in
1049         the network.  For example, inserting a bogus manual binding entry
1050         into the BST would allow IP source address spoofing.

1052      Some of the readable objects in this MIB module (i.e., objects with a
1053      MAX-ACCESS other than not-accessible) may be considered sensitive or
1054      vulnerable in some network environments.
          It is thus important to
1055      control even GET and/or NOTIFY access to these objects and possibly
1056      to even encrypt the values of these objects when sending them over
1057      the network via SNMP.  These are the tables and objects and their
1058      sensitivity/vulnerability:

1060      o  saviObjectsBindingTable, saviObjectsFilteringTable - The IP
1061         address and binding anchor information in these tables reveals
1062         which source addresses are bound to which anchors and could
           assist an attacker in preparing attacks.

1064      SNMP versions prior to SNMPv3 did not include adequate security.
1065      Even if the network itself is secure (for example by using IPsec),
1066      there is no control as to who on the secure network is allowed to
1067      access and GET/SET (read/change/create/delete) the objects in this
1068      MIB module.

1070      It is RECOMMENDED that implementers consider the security features as
1071      provided by the SNMPv3 framework (see [RFC3410], section 8),
1072      including full support for the SNMPv3 cryptographic mechanisms (for
1073      authentication and privacy).

1075      Further, deployment of SNMP versions prior to SNMPv3 is NOT
1076      RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
1077      enable cryptographic security.  It is then a customer/operator
1078      responsibility to ensure that the SNMP entity giving access to an
1079      instance of this MIB module is properly configured to give access to
1080      the objects only to those principals (users) that have legitimate
1081      rights to indeed GET or SET (change/create/delete) them.

1083   10.  IANA Considerations

1085      The MIB module in this document uses the following IANA-assigned
1086      OBJECT IDENTIFIER values recorded in the SMI Numbers registry:

1088         Descriptor        OBJECT IDENTIFIER value
1089         ----------        -----------------------
1090         SAVI-MIB          { ip XXX }

1092   11.  Contributors

1093   12.  References

1095   12.1.  Normative References

1097      [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
1098                 Requirement Levels", BCP 14, RFC 2119, March 1997.

1100      [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
1101                 Schoenwaelder, Ed., "Structure of Management Information
1102                 Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

1104      [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
1105                 Schoenwaelder, Ed., "Textual Conventions for SMIv2", STD
1106                 58, RFC 2579, April 1999.

1108      [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
1109                 "Conformance Statements for SMIv2", STD 58, RFC 2580,
1110                 April 1999.

1112      [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
1113                 Schoenwaelder, "Textual Conventions for Internet Network
1114                 Addresses", RFC 4001, February 2005.

1116      [RFC6620]  Nordmark, E., Bagnulo, M., and E. Levy-Abegnoli, "FCFS
1117                 SAVI: First-Come, First-Served Source Address Validation
1118                 Improvement for Locally Assigned IPv6 Addresses", RFC
1119                 6620, May 2012.

1121      [RFC2131]  Droms, R., "Dynamic Host Configuration Protocol", RFC
1122                 2131, March 1997.

1124      [RFC3315]  Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C.,
1125                 and M. Carney, "Dynamic Host Configuration Protocol for
1126                 IPv6 (DHCPv6)", RFC 3315, July 2003.

1128      [RFC7039]  Wu, J., Bi, J., Bagnulo, M., Baker, F., and C. Vogt,
1129                 "Source Address Validation Improvement (SAVI) Framework",
1130                 RFC 7039, October 2013.

1132      [RFC7219]  Bagnulo, M. and A. Garcia-Martinez, "SEcure Neighbor
1133                 Discovery (SEND) Source Address Validation Improvement
1134                 (SAVI)", RFC 7219, May 2014.

1136      [I-D.ietf-savi-dhcp]
1137                 Bi, J., Wu, J., Yao, G., and F. Baker, "SAVI Solution for
1138                 DHCP", 2014.

1140   12.2.  Informative References

1142      [RFC2223]  Postel, J. and J. Reynolds, "Instructions to RFC Authors",
1143                 RFC 2223, October 1997.

1145      [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
1146                 "Introduction and Applicability Statements for Internet-
1147                 Standard Management Framework", RFC 3410, December 2002.

1149      [RFC2629]  Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
1150                 June 1999.
1152      [RFC4181]  Heard, C., "Guidelines for Authors and Reviewers of MIB
1153                 Documents", BCP 111, RFC 4181, September 2005.

1155      [RFC2863]  McCloghrie, K. and F. Kastenholz, "The Interfaces Group
1156                 MIB", RFC 2863, June 2000.

1158      [RFC4293]  Routhier, S., "Management Information Base for the
1159                 Internet Protocol (IP)", RFC 4293, April 2006.

1161   12.3.  URL References

1163      [idguidelines]
1164                 IETF Internet Drafts editor,
1165                 <http://www.ietf.org/ietf/1id-guidelines.txt>.

1167      [idnits]   IETF Internet Drafts editor,
1168                 <http://www.ietf.org/ID-Checklist.html>.

1170      [xml2rfc]  XML2RFC tools and documentation,
1171                 <http://xml.resource.org>.

1173      [ops]      The IETF OPS Area, <http://www.ops.ietf.org>.

1175      [ietf]     IETF Tools Team, <http://tools.ietf.org>.

1177   Appendix A.  Change Log

1179      From draft 00 to draft 01

1181      o  Change the value range of object saviObjectsSystemMode and add a
1182         new value savi-send(6).

1184      From draft 01 to draft 02

1186      o  Change saviObjectsTrustStatus into two booleans: one is
1187         saviObjectsDhcpTrustStatus, the other is saviObjectsRaTrustStatus.

1189      o  Change the character string saviObjectsIf to saviObjectsPort
1190         globally.

1192      o  Change saviObjectsBindingState according to the latest version of
1193         the solution drafts.

1195      From draft 02 to draft 03

1197      o  Add a new object saviObjectsPortBindRecoveryAttr, and change the
1198         object saviObjectsPortRaTrustStatus to saviObjectsPortTrustAttr
1199         according to the latest version of the solution drafts and RFC.

1201      o  Change the value range and meaning of saviObjectsBindingState
1202         according to the latest version of the solution drafts and RFC.

1204      o  Change the value range of object saviObjectsBindingType: add a new
1205         value send(4), and change the value static(1) to manual(1).

1207      From draft 03 to draft 04

1209      o  Add three new objects according to the latest version of the
1210         solution drafts and RFC, i.e. saviObjectsSystemTentLT,
1211         saviObjectsSystemDefaultLT, saviObjectsSystemTWAIT.
1213      From draft 04 to draft 05

1215      o  Add two new objects according to the latest version of the
1216         solution drafts and RFC, i.e. saviObjectsBindingCreationtime,
1217         saviObjectsBindingTID.

1219      From draft 05 to draft 06

1221      o  Add three new objects: saviObjectsSystemDadTimeout,
1222         saviObjectsPortDhcpSnoopingAttr and
1223         saviObjectsPortDataSnoopingAttr.

1225      o  Replace object saviObjectsSystemBindRecoveryInterval with
1226         saviObjectsSystemDataSnoopingInterval.

1228      o  Replace object saviObjectsPortSAVISAVIAttr with
1229         saviObjectsPortTrustAttr.

1231      o  Delete object saviObjectsPortBindRecoveryAttr.

1233      From draft 06 to draft 07

1235      o  Replace object saviObjectsSystemDadTimeout with
1236         saviObjectsSystemDetectionTimeout.

1238   Appendix B.  Open Issues

1240      Note to RFC Editor: please remove this appendix before publication as
1241      an RFC.

1243   Authors' Addresses

1245      Changqing An
1246      CERNET
1247      Network Research Center, Tsinghua University
1248      Beijing 100084
1249      China

1251      Phone: +86 10 62603113
1252      EMail: acq@cernet.edu.cn

1254      Jiahai Yang
1255      CERNET
1256      Network Research Center, Tsinghua University
1257      Beijing 100084
1258      China

1260      Phone: +86 10 62783492
1261      EMail: yang@cernet.edu.cn

1263      Jianping Wu
1264      CERNET
1265      Network Research Center, Tsinghua University
1266      Beijing 100084
1267      China

1269      EMail: jianping@cernet.edu.cn

1270      Jun Bi
1271      CERNET
1272      Network Research Center, Tsinghua University
1273      Beijing 100084
1274      China

1276      EMail: junbi@cernet.edu.cn
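Two conventions the SAVI-MIB module above relies on but does not spell out are how a saviObjectsFilteringEntry instance is addressed on the wire (its INDEX is an InetAddressType sub-identifier, an ifIndex sub-identifier, and then the InetAddress as a length sub-identifier followed by one sub-identifier per octet, because the address is not IMPLIED) and how saviObjectsBindingLifetime is read (a TimeInterval in 0.01 s units, where 2147483647 means infinity only when saviObjectsBindingType is manual). The decoder below is an added example written for this page, not code from the draft or its authors; the InetAddressType values follow RFC 4001 and the sample sub-identifier lists are constructed.

```python
"""Decoders for two SAVI-MIB conventions (added example, not the draft's):
the INDEX of saviObjectsFilteringEntry and the TimeInterval semantics of
saviObjectsBindingLifetime.  Sample sub-identifier lists are constructed."""
import ipaddress

# InetAddressType enumeration (RFC 4001).
INET_ADDRESS_TYPE = {0: "unknown", 1: "ipv4", 2: "ipv6",
                     3: "ipv4z", 4: "ipv6z", 16: "dns"}
# Fixed octet counts for the address types this decoder supports.
ADDRESS_OCTETS = {1: 4, 2: 16}
TIME_INTERVAL_MAX = 2147483647  # upper bound of TimeInterval (RFC 2579)


def decode_filtering_index(sub_ids):
    """Decode the instance suffix of a saviObjectsFilteringEntry column.

    sub_ids holds the sub-identifiers after the column OID, in INDEX order:
    saviObjectsFilteringIpAddressType (one sub-id), saviObjectsFilteringIfIndex
    (one sub-id) and saviObjectsFilteringIpAddress, which is not IMPLIED and
    is therefore encoded as a length sub-id followed by one sub-id per octet.
    Returns (address_type_name, if_index, address_string).
    """
    if len(sub_ids) < 3:
        raise ValueError("index suffix too short")
    addr_type, if_index, length = sub_ids[0], sub_ids[1], sub_ids[2]
    octets = sub_ids[3:]
    if addr_type not in ADDRESS_OCTETS:
        raise ValueError("unsupported InetAddressType %r" % addr_type)
    if length != ADDRESS_OCTETS[addr_type] or len(octets) != length:
        raise ValueError("InetAddress length does not match its type")
    # bytes() rejects any sub-id outside 0..255, which is also an error here.
    address = ipaddress.ip_address(bytes(octets))
    return INET_ADDRESS_TYPE[addr_type], if_index, str(address)


def binding_lifetime_seconds(time_interval, binding_type):
    """Convert saviObjectsBindingLifetime (0.01 s units) to seconds.

    For binding type manual, 2147483647 means the entry never expires and is
    returned as None; for any other type it is simply the maximum interval.
    """
    if not 0 <= time_interval <= TIME_INTERVAL_MAX:
        raise ValueError("value outside the TimeInterval range")
    if binding_type == "manual" and time_interval == TIME_INTERVAL_MAX:
        return None
    return time_interval / 100.0
```

The length checks matter for an SNMP walk over an untrusted agent: a malformed index that claims type ipv4 but carries a different octet count is rejected instead of being silently mis-parsed.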