idnits 2.17.1

draft-ietf-softwire-dslite-mib-08.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** There are 2 instances of too long lines in the document, the longest one
     being 18 characters in excess of 72.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords -- however, there's a paragraph with
     a matching beginning. Boilerplate error?

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).

  -- The document date (February 8, 2015) is 3337 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'RFC4787' is mentioned on line 564, but not defined

  == Missing Reference: 'RFC3414' is mentioned on line 871, but not defined

  == Missing Reference: 'RFC3826' is mentioned on line 871, but not defined

  == Missing Reference: 'RFC5591' is mentioned on line 873, but not defined

  == Missing Reference: 'RFC5592' is mentioned on line 874, but not defined

  == Missing Reference: 'RFC6353' is mentioned on line 874, but not defined

  == Unused Reference: 'RFC4008' is defined on line 948, but no explicit
     reference was found in the text

  == Outdated reference: A later version (-05) exists of
     draft-perrault-behave-natv2-mib-00

  ** Obsolete normative reference: RFC 4008 (Obsoleted by RFC 7658)

  -- Obsolete informational reference (is this intentional?): RFC 2629
     (Obsoleted by RFC 7749)

     Summary: 2 errors (**), 0 flaws (~~), 10 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2  Internet Engineering Task Force                                    Y. Fu
3  Internet-Draft                                                  S. Jiang
4  Intended status: Standards Track            Huawei Technologies Co., Ltd
5  Expires: August 12, 2015                                         J. Dong
6                                                                   Y. Chen
7                                                       Tsinghua University
8                                                          February 8, 2015

10                DS-Lite Management Information Base (MIB)
11                    draft-ietf-softwire-dslite-mib-08

13  Abstract

15     This memo defines a portion of the Management Information Base (MIB)
16     for using with network management protocols in the Internet
17     community. In particular, it defines managed objects for Dual-Stack
18     Lite (DS-Lite).

20  Status of This Memo

22     This Internet-Draft is submitted in full conformance with the
23     provisions of BCP 78 and BCP 79.

25     Internet-Drafts are working documents of the Internet Engineering
26     Task Force (IETF). Note that other groups may also distribute
27     working documents as Internet-Drafts. The list of current Internet-
28     Drafts is at http://datatracker.ietf.org/drafts/current/.

30     Internet-Drafts are draft documents valid for a maximum of six months
31     and may be updated, replaced, or obsoleted by other documents at any
32     time. It is inappropriate to use Internet-Drafts as reference
33     material or to cite them other than as "work in progress."

35     This Internet-Draft will expire on August 12, 2015.

37  Copyright Notice

39     Copyright (c) 2015 IETF Trust and the persons identified as the
40     document authors. All rights reserved.

42     This document is subject to BCP 78 and the IETF Trust's Legal
43     Provisions Relating to IETF Documents
44     (http://trustee.ietf.org/license-info) in effect on the date of
45     publication of this document. Please review these documents
46     carefully, as they describe your rights and restrictions with respect
47     to this document. Code Components extracted from this document must
48     include Simplified BSD License text as described in Section 4.e of
49     the Trust Legal Provisions and are provided without warranty as
50     described in the Simplified BSD License.

52  Table of Contents

54     1. Introduction
55     2. Requirements Language
56     3. The Internet-Standard Management Framework
57     4. Relationship to the IF-MIB
58     5. Difference from the IP tunnel MIB and NAT MIB
59     6. Structure of the MIB Module
60       6.1. The Object Group
61         6.1.1. The dsliteTunnel Subtree
62         6.1.2. The dsliteNAT Subtree
63         6.1.3. The dsliteInfo Subtree
64       6.2.
The Notification Group
65         6.2.1. The dsliteTrap Subtree
66       6.3. The Conformance Group
67     7. MIB modules required for IMPORTS
68     8. Definitions
69     9. Security Considerations
70     10. IANA Considerations
71     11. Acknowledgements
72     12. References
73       12.1. Normative References
74       12.2. Informative References
75     Authors' Addresses

77  1. Introduction

79     Dual-Stack Lite [RFC6333] is a solution to offer both IPv4 and IPv6
80     connectivity to customers crossing an IPv6 only infrastructure. One
81     of its key components is an IPv4-over-IPv6 tunnel, which is used to
82     provide IPv4 connectivity across a service provider's IPv6 network.
83     Another key component is a carrier-grade IPv4-IPv4 Network Address
84     Translation (NAT) to share service provider IPv4 addresses among
85     customers.

87     This document defines a portion of the Management Information Base
88     (MIB) for using with network management protocols in the Internet
89     community. This MIB module may be used for configuration and
90     monitoring devices in a Dual-Stack Lite scenario.

92  2. Requirements Language

94     The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
95     "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
96     "OPTIONAL" in this document are to be interpreted as described in
98     [RFC2119] when they appear in ALL CAPS. When these words are not in
99     ALL CAPS (such as "should" or "Should"), they have their usual
100     English meanings, and are not to be interpreted as [RFC2119] key
101     words.

103  3.
The Internet-Standard Management Framework

105     For a detailed overview of the documents that describe the current
106     Internet-Standard Management Framework, please refer to section 7 of
107     [RFC3410].

109     Managed objects are accessed via a virtual information store, termed
110     the Management Information Base or MIB. MIB objects are generally
111     accessed through the Simple Network Management Protocol (SNMP).
112     Objects in the MIB are defined using the mechanisms defined in the
113     Structure of Management Information (SMI). This memo specifies a MIB
114     module that is compliant to the SMIv2, which is described in
115     [RFC2578], [RFC2579] and [RFC2580].

117  4. Relationship to the IF-MIB

119     The Interfaces MIB [RFC2863] defines generic managed objects for
120     managing interfaces. Each logical interface (physical or virtual) has
121     an ifEntry. Tunnels are handled by creating a logical interface
122     (ifEntry) for each tunnel. Each DS-Lite tunnel also acts as a
123     virtual interface, which has a corresponding entry in the IP Tunnel
124     MIB and Interface MIB. Those corresponding entries are indexed by
125     ifIndex.

127     The ifOperStatus in ifTable is used to represent whether the DS-Lite
128     tunnel function has been originated. The ifInUcastPkts defined in
129     ifTable will represent the number of IPv4 packets that have been
130     encapsulated into IPv6 packets sent to a B4. The ifOutUcastPkts
131     defined in ifTable contains the number of IPv6 packets that can be
132     decapsulated to IPv4 in the virtual interface. Also, the IF-MIB
133     defines ifMtu for the MTU of this tunnel interface, so DS-Lite MIB
134     does not need to define the MTU for the tunnel.

136  5. Difference from the IP tunnel MIB and NAT MIB

138     The key technologies for DS-Lite are IP in IP (IPv4-in-IPv6) tunnels
139     and NAT (IPv4 to IPv4 translation).

141     Notes: According to section 5.2 of [RFC6333], DS-Lite only defines
142     IPv4 in IPv6 tunnels at this moment, but other types of encapsulation
143     could be defined in the future. So this DS-Lite MIB only supports IP
144     in IP encapsulation; if another RFC defines other tunnel types in the
145     future, this DS-Lite MIB will be updated then.

147     The NATV2-MIB [I-D.perrault-behave-natv2-mib] is designed to carry
148     translation from any address family to any address family, therefore
149     it supports IPv4 to IPv4 translation.

151     The IP Tunnel MIB [RFC4087] is designed for managing tunnels of any
152     type over IPv4 and IPv6 networks, therefore it supports IP in IP
153     tunnels. In a DS-Lite scenario, the tunnel type is IP in IP, more
154     precisely, IPv4 in IPv6. Therefore, it is unnecessary to define a
155     new object to describe tunnel type in DS-Lite MIB.

157     However, the NATV2-MIB and IP Tunnel MIB together are not sufficient
158     to support DS-Lite. This document describes the specific features
159     for DS-Lite MIB, as below.

161     In a DS-Lite scenario, the Address Family Transition Router (AFTR) is
162     not only the tunnel end concentrator, but also a 4-4 translator. So
163     as defined in [RFC6333], when the IPv4 packets come back from the
164     Internet to AFTR, the AFTR knows how to reconstruct the IPv6
165     encapsulation by doing a reverse lookup in the extended IPv4 NAT
166     binding table. So the NAT binding table in the AFTR MUST be extended
167     to include the IPv6 address of the tunnel initiator. But the NAT
168     binding entries defined in the NATV2-MIB are not extended by the object
169     defined for the tunnel initiator. Therefore, a combined MIB is
170     necessary.

172     The implementation of the IP Tunnel MIB is required for DS-Lite. The
173     tunnelIfEncapsMethod in the tunnelIfEntry should be set to
174     dsLite("xx"), and a corresponding entry in the DS-Lite module will
175     exist for every tunnelIfEntry with this tunnelIfEncapsMethod.
The
176     tunnelIfRemoteInetAddress must be set to "::".

178  6. Structure of the MIB Module

180     The DS-Lite MIB provides a way to monitor and manage the devices
181     (AFTRs) in DS-Lite scenario through SNMP.

183     The DS-Lite MIB is configurable on a per-interface basis. It depends
184     on several parts of the IF-MIB [RFC2863], IP Tunnel MIB [RFC4087],
185     and NATV2-MIB [I-D.perrault-behave-natv2-mib].

187  6.1. The Object Group

189     This Group defines objects that are needed for DS-Lite MIB.

191  6.1.1. The dsliteTunnel Subtree

193     The dsliteTunnel subtree describes managed objects used for managing
194     tunnels in the DS-Lite scenario. Because some objects defined in the
195     IP Tunnel MIB are not read-write and read-only, a few new objects are
196     defined in DS-Lite MIB.

198  6.1.2. The dsliteNAT Subtree

200     The dsliteNAT subtree describes managed objects used for
201     configuration as well as monitoring of AFTR which is capable of a NAT
202     function. Because the NATV2-MIB supports the NAT management function
203     in DS-Lite, we may reuse it in DS-Lite MIB. The dsliteNAT subtree
204     also provides the information of mapping relationship between the
205     tunnel entry and NAT entry by extending the IPv6 address of B4 to the
206     natv2PortMapEntry in the NATV2-MIB.

208  6.1.3. The dsliteInfo Subtree

210     The dsliteInfo subtree provides statistical information for DS-Lite.

212  6.2. The Notification Group

214     This group defines some notification objects for DS-Lite.

216  6.2.1. The dsliteTrap Subtree

218     The dsliteTrap subtree provides trap information in DS-Lite scenario.

220  6.3. The Conformance Group

222     The dsliteConformance subtree provides conformance information of MIB
223     objects.

225  7. MIB modules required for IMPORTS

227     This MIB module IMPORTs objects from [RFC2578], [RFC2580], [RFC2863],
228     [RFC3411], [RFC4001] and [I-D.perrault-behave-natv2-mib].

230  8.
Definitions

232     DSLite-MIB DEFINITIONS ::= BEGIN

234     IMPORTS
235         MODULE-IDENTITY, OBJECT-TYPE, transmission,
236         NOTIFICATION-TYPE,Gauge32,TimeTicks,
237         Integer32, Counter64,Unsigned32
238             FROM SNMPv2-SMI

240         OBJECT-GROUP, MODULE-COMPLIANCE,
241         NOTIFICATION-GROUP
242             FROM SNMPv2-CONF

244         DisplayString
245             FROM SNMPv2-TC

247         SnmpAdminString
248             FROM SNMP-FRAMEWORK-MIB

250         ifIndex
251             FROM IF-MIB

253         InetAddress, InetAddressType, InetAddressPrefixLength,
254         InetPortNumber
255             FROM INET-ADDRESS-MIB

257         ProtocolNumber, Natv2InstanceIndex, Natv2SubscriberIndex
258             FROM NATV2-MIB;

260     dsliteMIB MODULE-IDENTITY
261         LAST-UPDATED "201502080000Z" -- February 08, 2015
262         ORGANIZATION "IETF Softwire Working Group"
263         CONTACT-INFO
264             "Yu Fu
265             Huawei Technologies Co., Ltd
266             Huawei Building, 156 Beiqing Rd., Hai-Dian District
267             Beijing, P.R. China 100095
268             EMail: eleven.fuyu@huawei.com

270             Sheng Jiang
271             Huawei Technologies Co., Ltd
272             Huawei Building, 156 Beiqing Rd., Hai-Dian District
273             Beijing, P.R. China 100095
274             EMail: jiangsheng@huawei.com

276             Jiang Dong
277             Tsinghua University
278             Department of Computer Science, Tsinghua University
279             Beijing 100084
280             P.R. China
281             Email: knight.dongjiang@gmail.com

283             Yuchi Chen
284             Tsinghua University
285             Department of Computer Science, Tsinghua University
286             Beijing 100084
287             P.R. China
288             Email: flashfoxmx@gmail.com "

290         DESCRIPTION
291             "The MIB module is defined for management of object in the
292             DS-Lite scenario.
293             Copyright (C) The Internet Society (2015). This version
294             of this MIB module is part of RFC yyyy; see the RFC itself
295             for full legal notices. "
296         REVISION "201502080000Z"
297         DESCRIPTION
298             "Initial version. Published as RFC xxxx."
299     --RFC Ed.: RFC-editor pls fill in xxxx
300         ::= { transmission xxx }
301     --RFC Ed.: assigned by IANA, see section 10 for details

303     --Top level components of this MIB module

305     dsliteMIBObjects OBJECT IDENTIFIER
306         ::= { dsliteMIB 1 }
307     dsliteTunnel OBJECT IDENTIFIER
308         ::= { dsliteMIBObjects 1 }

310     dsliteNAT OBJECT IDENTIFIER
311         ::= { dsliteMIBObjects 2 }

313     dsliteInfo OBJECT IDENTIFIER
314         ::= { dsliteMIBObjects 3 }

316     --Notifications section

318     dsliteNotifications OBJECT IDENTIFIER
319         ::= { dsliteMIB 0 }

321     dsliteTraps OBJECT IDENTIFIER
322         ::= { dsliteNotifications 1 }

324     --dsliteTunnel

326     --dsliteTunnelTable

328     dsliteTunnelTable OBJECT-TYPE
329         SYNTAX SEQUENCE OF DsliteTunnelEntry
330         MAX-ACCESS not-accessible
331         STATUS current
332         DESCRIPTION
333             "The (conceptual) table containing information on configured
334             tunnels. This table can be used to map B4 address to the
335             associated AFTR address. It can also be used for row
336             creation."
337         REFERENCE
338             "B4, AFTR: RFC 6333."
339         ::= { dsliteTunnel 1 }

341     dsliteTunnelEntry OBJECT-TYPE
342         SYNTAX DsliteTunnelEntry
343         MAX-ACCESS not-accessible
344         STATUS current
345         DESCRIPTION
346             "Each entry in this table contains the information on a
347             particular configured tunnel."
348         INDEX { dsliteTunnelAddressType,
349                 dsliteTunnelStartAddress,
350                 dsliteTunnelEndAddress,
351                 ifIndex }
352         ::= { dsliteTunnelTable 1 }

354     DsliteTunnelEntry ::=
355         SEQUENCE {
356             dsliteTunnelAddressType InetAddressType,
357             dsliteTunnelStartAddress InetAddress,
358             dsliteTunnelEndAddress InetAddress,
359             dsliteTunnelStartAddPreLen InetAddressPrefixLength
360         }

362     dsliteTunnelAddressType OBJECT-TYPE
363         SYNTAX InetAddressType
364         MAX-ACCESS not-accessible
365         STATUS current
366         DESCRIPTION
367             " This object MUST be set to the value of ipv6(2).
368             It describes the address type of the IPv4-in-IPv6
369             tunnel initiator and endpoint."
370         ::= { dsliteTunnelEntry 1 }

372     dsliteTunnelStartAddress OBJECT-TYPE
373         SYNTAX InetAddress
374         MAX-ACCESS not-accessible
375         STATUS current
376         DESCRIPTION
377             "The address of the initiator of the tunnel."
378         ::= { dsliteTunnelEntry 2 }

380     dsliteTunnelEndAddress OBJECT-TYPE
381         SYNTAX InetAddress
382         MAX-ACCESS not-accessible
383         STATUS current
384         DESCRIPTION
385             "The address of the endpoint of the tunnel."
386         ::= { dsliteTunnelEntry 3 }

388     dsliteTunnelStartAddPreLen OBJECT-TYPE
389         SYNTAX InetAddressPrefixLength
390         MAX-ACCESS read-only
391         STATUS current
392         DESCRIPTION
393             "IPv6 prefix length of the IP address for the
394             start point of the tunnel."
395         ::= { dsliteTunnelEntry 4 }

397     --dsliteNAT
398     --dsliteNATMapTable(The address pool defined by natv2PoolTable and natv2PoolRangeTable
399     --in draft-perrault-behave-natv2-mib are sufficient)
400     --dsliteNATBindTable(NAPT)

402     dsliteNATBindTable OBJECT-TYPE
403         SYNTAX SEQUENCE OF DsliteNATBindEntry
404         MAX-ACCESS not-accessible
405         STATUS current
406         DESCRIPTION
407             "This table contains information about currently
408             active NAT binds in the NAT of AFTR. This table extends the
409             IPv6 address of B4 to the natv2PortMapTable
410             defined in NATV2-MIB(draft-perrault-behave-natv2-mib)."
411         ::= { dsliteNAT 1 }

413     dsliteNATBindEntry OBJECT-TYPE
414         SYNTAX DsliteNATBindEntry
415         MAX-ACCESS not-accessible
416         STATUS current
417         DESCRIPTION
418             "Each entry in this table holds the relationship between
419             tunnel information and nat bind information. These entries
420             are lost upon agent restart."
421         INDEX { dsliteNATBindMappingInstanceIndex,
422                 dsliteNATBindMappingProto,
423                 dsliteNATBindMappingExtRealm,
424                 dsliteNATBindMappingExtAddressType,
425                 dsliteNATBindMappingExtAddress,
426                 dsliteNATBindMappingExtPort,
427                 ifIndex,
428                 dsliteTunnelStartAddress,
429                 dsliteTunnelStartAddPreLen }
430         ::= { dsliteNATBindTable 1 }

432     DsliteNATBindEntry ::=
433         SEQUENCE {
434             dsliteNATBindMappingInstanceIndex Natv2InstanceIndex,
435             dsliteNATBindMappingProto ProtocolNumber,
436             dsliteNATBindMappingExtRealm SnmpAdminString,
437             dsliteNATBindMappingExtAddressType InetAddressType,
438             dsliteNATBindMappingExtAddress InetAddress,
439             dsliteNATBindMappingExtPort InetPortNumber,
440             dsliteNATBindMappingIntRealm SnmpAdminString,
441             dsliteNATBindMappingIntAddressType InetAddressType,
442             dsliteNATBindMappingIntAddress InetAddress,
443             dsliteNATBindMappingIntPort InetPortNumber,
444             dsliteNATBindMappingPool Unsigned32,
445             dsliteNATBindMappingMapBehavior NatBehaviorType,
446             dsliteNATBindMappingFilterBehavior NatBehaviorType,
447             dsliteNATBindMappingAddressPooling NatPoolingType
448         }

450     dsliteNATBindMappingInstanceIndex OBJECT-TYPE
451         SYNTAX Natv2InstanceIndex
452         MAX-ACCESS not-accessible
453         STATUS current
454         DESCRIPTION
455             "Index of the NAT instance that created this port map entry."
456         ::= { dsliteNATBindEntry 1 }

458     dsliteNATBindMappingProto OBJECT-TYPE
459         SYNTAX ProtocolNumber
460         MAX-ACCESS not-accessible
461         STATUS current
462         DESCRIPTION
463             " This object specifies the mapping's transport protocol
464             number."
465         ::= { dsliteNATBindEntry 2 }

467     dsliteNATBindMappingExtRealm OBJECT-TYPE
468         SYNTAX SnmpAdminString (SIZE(0..32))
469         MAX-ACCESS not-accessible
470         STATUS current
471         DESCRIPTION
472             " The realm to which dsliteNATBindMappingExtAddress belongs."
473         ::= { dsliteNATBindEntry 3 }

475     dsliteNATBindMappingExtAddressType OBJECT-TYPE
476         SYNTAX InetAddressType
477         MAX-ACCESS not-accessible
478         STATUS current
479         DESCRIPTION
480             "Type of the mapping's external address."
481         ::= { dsliteNATBindEntry 4 }

483     dsliteNATBindMappingExtAddress OBJECT-TYPE
484         SYNTAX InetAddress (SIZE (4|16))
485         MAX-ACCESS not-accessible
486         STATUS current
487         DESCRIPTION
488             "The mapping's external address. If this is the undefined
489             address, all external addresses are mapped to the internal
490             address."
491         ::= { dsliteNATBindEntry 5 }

493     dsliteNATBindMappingExtPort OBJECT-TYPE
494         SYNTAX InetPortNumber
495         MAX-ACCESS not-accessible
496         STATUS current
497         DESCRIPTION
498             "The mapping's assigned external port number. If this is zero, all
499             external ports are mapped to the internal port."
500         ::= { dsliteNATBindEntry 6 }

502     dsliteNATBindMappingIntRealm OBJECT-TYPE
503         SYNTAX SnmpAdminString
504         MAX-ACCESS read-only
505         STATUS current
506         DESCRIPTION
507             "The realm to which natMappingIntAddress belongs."
508         ::= { dsliteNATBindEntry 7 }

510     dsliteNATBindMappingIntAddressType OBJECT-TYPE
511         SYNTAX InetAddressType
512         MAX-ACCESS read-only
513         STATUS current
514         DESCRIPTION
515             "Type of the mapping's internal address."
516         ::= { dsliteNATBindEntry 8 }

518     dsliteNATBindMappingIntAddress OBJECT-TYPE
519         SYNTAX InetAddress
520         MAX-ACCESS read-only
521         STATUS current
522         DESCRIPTION
523             "The mapping's internal address. If this is the undefined
524             address, addresses are not translated."
525         ::= { dsliteNATBindEntry 9 }

527     dsliteNATBindMappingIntPort OBJECT-TYPE
528         SYNTAX InetPortNumber
529         MAX-ACCESS read-only
530         STATUS current
531         DESCRIPTION
532             "The mapping's internal port number. If this is zero, ports
533             are not translated."
534         ::= { dsliteNATBindEntry 10 }

536     dsliteNATBindMappingPool OBJECT-TYPE
537         SYNTAX Unsigned32 (0|1..4294967295)
538         MAX-ACCESS read-only
539         STATUS current
540         DESCRIPTION
541             "Index of the pool that contains this mapping's external
542             address and port. If zero, no pool is associated with this
543             mapping."
544         ::= { dsliteNATBindEntry 11 }

546     dsliteNATBindMappingMapBehavior OBJECT-TYPE
547         MAX-ACCESS read-only
548         STATUS current
549         DESCRIPTION
550             "Mapping behavior as described in [RFC4787] section 4.1."
551         REFERENCE
552             "RFC 4787 section 4.1"
553         SYNTAX INTEGER{
554             endpointIndependent (0),
555             addressDependent(1),
556             addressAndPortDependent (2)
557         }
558         ::= { dsliteNATBindEntry 12 }

560     dsliteNATBindMappingFilterBehavior OBJECT-TYPE
561         MAX-ACCESS read-only
562         STATUS current
563         DESCRIPTION
564             "Filtering behavior as described in [RFC4787] section 5."
565         REFERENCE
566             "RFC 4787 section 5"
567         SYNTAX INTEGER{
568             endpointIndependent (0),
569             addressDependent(1),
570             addressAndPortDependent (2)
571         }
572         ::= { dsliteNATBindEntry 13 }

574     dsliteNATBindMappingAddressPooling OBJECT-TYPE
575         MAX-ACCESS read-only
576         STATUS current
577         DESCRIPTION
578             "Type of address pooling behavior that was used to create
579             this mapping."
580         REFERENCE
581             "RFC 4787 section 4.1"
582         SYNTAX INTEGER{
583             arbitrary (0),
584             paired (1)
585         }
586         ::= { dsliteNATBindEntry 14 }

588     --dsliteInfo

590     dsliteAFTRAlarmScalar OBJECT IDENTIFIER ::= { dsliteInfo 1 }

592     dsliteAFTRAlarmB4Addr OBJECT-TYPE
593         SYNTAX InetAddress
594         MAX-ACCESS accessible-for-notify
595         STATUS current
596         DESCRIPTION
597             "This object indicate the IP address of
598             B4 that send alarm "
599         ::= { dsliteAFTRAlarmScalar 1 }

601     dsliteAFTRAlarmProtocolType OBJECT-TYPE
602         SYNTAX DisplayString
603         MAX-ACCESS accessible-for-notify
604         STATUS current
605         DESCRIPTION
606             "This object indicate the protocol type of alarm,
607             0:tcp,1:udp,2:icmp,3:total "
608         ::= { dsliteAFTRAlarmScalar 2 }

610     dsliteAFTRAlarmSpecificIP OBJECT-TYPE
611         SYNTAX InetAddress
612         MAX-ACCESS accessible-for-notify
613         STATUS current
614         DESCRIPTION
615             " This object indicate the IP address whose port usage
616             reach threshold "
617         ::= { dsliteAFTRAlarmScalar 3 }

619     dsliteAFTRAlarmConnectNumber OBJECT-TYPE
620         SYNTAX Integer32 (60..90)
621         MAX-ACCESS read-write
622         STATUS current
623         DESCRIPTION
624             " This object indicate the threshold of DS-Lite
625             connections alarm."
626         ::= { dsliteAFTRAlarmScalar 4 }

628     dsliteStatisticTable OBJECT-TYPE
629         SYNTAX SEQUENCE OF DsliteStatisticEntry
630         MAX-ACCESS not-accessible
631         STATUS current
632         DESCRIPTION
633             "This table provides statistical information
634             of DS-Lite."
635         ::= { dsliteInfo 2 }

637     dsliteStatisticEntry OBJECT-TYPE
638         SYNTAX DsliteStatisticEntry
639         MAX-ACCESS not-accessible
640         STATUS current
641         DESCRIPTION
642             "This table provides statistical information
643             of DS-Lite."
644         INDEX { dsliteStatisticSubscriberIdex }
645         ::= { dsliteStatisticTable 1 }

647     DsliteStatisticEntry ::=
648         SEQUENCE {
649             dsliteStatisticSubscriberIdex Natv2SubscriberIndex,
650             dsliteStatisticDiscard Counter64,
651             dsliteStatisticTransmitted Counter64,
652             dsliteStatisticIpv4Session Counter64,
653             dsliteStatisticIpv6Session Counter64
654         }

656     dsliteStatisticSubscriberIdex OBJECT-TYPE
657         SYNTAX Natv2SubscriberIndex
658         MAX-ACCESS not-accessible
659         STATUS current
660         DESCRIPTION
661             "Index of the subscriber or host.A unique value,
662             greater than zero, for each subscriber in the
663             managed system."
664         ::= { dsliteStatisticEntry 1 }

666     dsliteStatisticDiscard OBJECT-TYPE
667         SYNTAX Counter64
668         MAX-ACCESS read-only
669         STATUS current
670         DESCRIPTION
671             " This object indicate the number of packets
672             discarded from this subscriber."
673         ::= { dsliteStatisticEntry 2 }

675     dsliteStatisticTransmitted OBJECT-TYPE
676         SYNTAX Counter64
677         MAX-ACCESS read-only
678         STATUS current
679         DESCRIPTION
680             " This object indicate the number of packets received
681             from or sent to this subscriber."
682         ::= { dsliteStatisticEntry 3 }

684     dsliteStatisticIpv4Session OBJECT-TYPE
685         SYNTAX Counter64
686         MAX-ACCESS read-only
687         STATUS current
688         DESCRIPTION
689             " This object indicate the number of the
690             current IPv4 Session."
691         ::= { dsliteStatisticEntry 4 }

693     dsliteStatisticIpv6Session OBJECT-TYPE
694         SYNTAX Counter64
695         MAX-ACCESS read-only
696         STATUS current
697         DESCRIPTION
698             " This object indicate the number of the
699             current IPv6 Session."
700         ::= { dsliteStatisticEntry 5 }

702     ---dslite trap

704     dsliteTunnelNumAlarm NOTIFICATION-TYPE
705         OBJECTS { dsliteAFTRAlarmProtocolType,
706                   dsliteAFTRAlarmB4Addr }
707         STATUS current
708         DESCRIPTION
709             "This trap is triggered when the number of
710             current connecting dslite tunnel exceeds the value of
711             dsliteAFTRAlarmConnectNumber."
712         ::= { dsliteTraps 1 }

714     dsliteAFTRUserSessionNumAlarm NOTIFICATION-TYPE
715         OBJECTS { dsliteAFTRAlarmProtocolType,
716                   dsliteAFTRAlarmB4Addr }
717         STATUS current
718         DESCRIPTION
719             " This trap is triggered when sessions of
720             user reach the threshold."
721         ::= { dsliteTraps 2 }

723     dsliteAFTRPortUsageOfSpecificIpAlarm NOTIFICATION-TYPE
724         OBJECTS { dsliteAFTRAlarmSpecificIP }
725         STATUS current
726         DESCRIPTION
727             "This trap is triggered when used NAT
728             ports of map address reach the threshold."
729         ::= { dsliteTraps 3 }

731     --Module Conformance statement

733     dsliteConformance OBJECT IDENTIFIER
734         ::= { dsliteMIB 2 }

736     dsliteCompliances OBJECT IDENTIFIER ::= { dsliteConformance 1 }

738     dsliteGroups OBJECT IDENTIFIER ::= { dsliteConformance 2 }

740     -- compliance statements

742     dsliteCompliance MODULE-COMPLIANCE
743         STATUS current
744         DESCRIPTION
745             " Description the minimal requirements for conformance
746             to the DS-Lite MIB."
747         MODULE -- this module
748         MANDATORY-GROUPS { dsliteNATBindGroup,
749                            dsliteTunnelGroup,
750                            dsliteStatisticGroup,
751                            dsliteTrapsGroup,dsliteAFTRAlarmScalarGroup }
752         ::= { dsliteCompliances 1 }

754     dsliteNATBindGroup OBJECT-GROUP
755         OBJECTS {
756             dsliteNATBindMappingIntRealm,
757             dsliteNATBindMappingIntAddressType,
758             dsliteNATBindMappingIntAddress,
759             dsliteNATBindMappingIntPort,
760             dsliteNATBindMappingPool,
761             dsliteNATBindMappingMapBehavior,
762             dsliteNATBindMappingFilterBehavior,
763             dsliteNATBindMappingAddressPooling }
764         STATUS current
765         DESCRIPTION
766             " The collection of this objects are used to give the
767             information about NAT Bind."
768         ::= { dsliteGroups 1 }

770     dsliteTunnelGroup OBJECT-GROUP
771         OBJECTS { dsliteTunnelStartAddPreLen }
772         STATUS current
773         DESCRIPTION
774             " The collection of this objects are used to give the
775             information of tunnel in ds-lite."
776         ::= { dsliteGroups 2 }

778     dsliteStatisticGroup OBJECT-GROUP
779         OBJECTS { dsliteStatisticDiscard,
780                   dsliteStatisticTransmitted,
781                   dsliteStatisticIpv4Session,
782                   dsliteStatisticIpv6Session }
783         STATUS current
784         DESCRIPTION
785             " The collection of this objects are used to give the
786             statistical information of ds-lite."
787         ::= { dsliteGroups 3 }

789     dsliteTrapsGroup NOTIFICATION-GROUP
790         NOTIFICATIONS { dsliteTunnelNumAlarm,
791                         dsliteAFTRUserSessionNumAlarm,
792                         dsliteAFTRPortUsageOfSpecificIpAlarm }
793         STATUS current
794         DESCRIPTION
795             "The collection of this objects are used to give the
796             trap information of ds-lite."
797         ::= { dsliteGroups 4 }

799     dsliteAFTRAlarmScalarGroup OBJECT-GROUP
800         OBJECTS { dsliteAFTRAlarmB4Addr, dsliteAFTRAlarmProtocolType,
801                   dsliteAFTRAlarmSpecificIP,
802                   dsliteAFTRAlarmConnectNumber }
803         STATUS current
804         DESCRIPTION
805             " The collection of this objects are used to give the
806             information about AFTR alarming Scalar."
807         ::= { dsliteGroups 5 }

809     END

811  9. Security Considerations

813     There are a number of management objects defined in this MIB module
814     with a MAX-ACCESS clause of read-write and/or read-create. Such
815     objects may be considered sensitive or vulnerable in some network
816     environments. The support for SET operations in a non-secure
817     environment without proper protection can have a negative effect on
818     network operations. These are the tables and objects and their
819     sensitivity/vulnerability:

821     Notification thresholds: An attacker setting an arbitrarily low
822        threshold can cause many useless notifications to be generated.
823        Setting an arbitrarily high threshold can effectively disable
824        notifications, which could be used to hide another attack.

826           dsliteAFTRAlarmConnectNumber

828     Some of the readable objects in this MIB module (i.e., objects with a
829     MAX-ACCESS other than not-accessible) may be considered sensitive or
830     vulnerable in some network environments.
It is thus important to
831     control even GET and/or NOTIFY access to these objects and possibly
832     to even encrypt the values of these objects when sending them over
833     the network via SNMP. These are the tables and objects and their
834     sensitivity/vulnerability:

836        dsliteTunnelStartAddPreLen

838        dsliteNATBindMappingIntRealm

840        dsliteNATBindMappingIntAddressType

842        dsliteNATBindMappingIntAddress

844        dsliteNATBindMappingIntPort

846        dsliteNATBindMappingPool

848        dsliteNATBindMappingMapBehavior

850        dsliteNATBindMappingFilterBehavior

852        dsliteNATBindMappingAddressPooling

854        dsliteStatisticDiscard

856        dsliteStatisticTransmitted

858        dsliteStatisticIpv4Session
859        dsliteStatisticIpv6Session

861     SNMP versions prior to SNMPv3 did not include adequate security.
862     Even if the network itself is secure (for example by using IPSec),
863     even then, there is no control as to who on the secure network is
864     allowed to access and GET/SET (read/change/create/delete) the objects
865     in this MIB module.

867     Implementations SHOULD provide the security features described by the
868     SNMPv3 framework (see [RFC3410]), and implementations claiming
869     compliance to the SNMPv3 standard MUST include full support for
870     authentication and privacy via the User-based Security Model (USM)
871     [RFC3414] with the AES cipher algorithm [RFC3826]. Implementations
872     MAY also provide support for the Transport Security Model (TSM)
873     [RFC5591] in combination with a secure transport such as SSH
874     [RFC5592] or TLS/DTLS [RFC6353].

876     Further, deployment of SNMP versions prior to SNMPv3 is NOT
877     RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
878     enable cryptographic security.
It is then a customer/operator 879 responsibility to ensure that the SNMP entity giving access to an 880 instance of this MIB module is properly configured to give access to 881 the objects only to those principals (users) that have legitimate 882 rights to indeed GET or SET (change/create/delete) them. 884 10. IANA Considerations 886 The MIB module in this document uses the following IANA-assigned 887 OBJECT IDENTIFIER values recorded in the SMI Numbers registry, and 888 the following IANA-assigned tunnelType values recorded in the 889 IANAtunnelType-MIB registry: 891 Descriptor OBJECT IDENTIFIER value 892 ---------- ----------------------- 893 DSLite-MIB { transmission XXX } 895 IANAtunnelType ::= TEXTUAL-CONVENTION 897 SYNTAX INTEGER { 899 dsLite ("XX") -- dslite tunnel 901 } 903 Notes: As Appendix A of the IP Tunnel MIB[RFC4087] described that it 904 has already assigned the value direct(2) to indicate the tunnel type 905 is IP in IP tunnel, but it is still difficult to distinguish DS-Lite 906 tunnel packets from normal IP in IP tunnel packets in the scenario of 907 the AFTR connecting to both a DS-lite tunnel and an IP in IP tunnel. 909 11. Acknowledgements 911 The authors would like to thanks the valuable comments made by Suresh 912 Krishnan, Ian Farrer, Yiu Lee, Qi Sun, Yong Cui, David Harrington, 913 Dave Thaler, Tassos Chatzithomaoglou, Tom Taylor and other members of 914 SOFTWIRE WG. 916 This document was produced using the xml2rfc tool [RFC2629]. 918 12. References 920 12.1. Normative References 922 [I-D.perrault-behave-natv2-mib] 923 Perreault, S., Tsou, T., Sivakumar, S., and T. Taylor, 924 "Definitions of Managed Objects for Network Address 925 Translators (NAT)", draft-perrault-behave-natv2-mib-00 926 (work in progress), January 2015. 928 [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. 929 Schoenwaelder, Ed., "Structure of Management Information 930 Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. 
932 [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, 933 "Conformance Statements for SMIv2", STD 58, RFC 2580, 934 April 1999. 936 [RFC2863] McCloghrie, K. and F. Kastenholz, "The Interfaces Group 937 MIB", RFC 2863, June 2000. 939 [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An 940 Architecture for Describing Simple Network Management 941 Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, 942 December 2002. 944 [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. 945 Schoenwaelder, "Textual Conventions for Internet Network 946 Addresses", RFC 4001, February 2005. 948 [RFC4008] Rohit, R., Srisuresh, P., Raghunarayan, R., Pai, N., and 949 C. Wang, "Definitions of Managed Objects for Network 950 Address Translators (NAT)", RFC 4008, March 2005. 952 [RFC4087] Thaler, D., "IP Tunnel MIB", RFC 4087, June 2005. 954 [RFC6333] Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual- 955 Stack Lite Broadband Deployments Following IPv4 956 Exhaustion", RFC 6333, August 2011. 958 12.2. Informative References 960 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 961 Requirement Levels", BCP 14, RFC 2119, March 1997. 963 [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. 964 Schoenwaelder, Ed., "Textual Conventions for SMIv2", STD 965 58, RFC 2579, April 1999. 967 [RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629, 968 June 1999. 970 [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, 971 "Introduction and Applicability Statements for Internet- 972 Standard Management Framework", RFC 3410, December 2002. 974 Authors' Addresses 976 Yu Fu 977 Huawei Technologies Co., Ltd 978 Q14, Huawei Campus, No.156 Beiqing Road 979 Hai-Dian District, Beijing, 100095 980 P.R. China 982 Email: eleven.fuyu@huawei.com 984 Sheng Jiang 985 Huawei Technologies Co., Ltd 986 Q14, Huawei Campus, No.156 Beiqing Road 987 Hai-Dian District, Beijing, 100095 988 P.R. 
China 990 Email: jiangsheng@huawei.com 992 Jiang Dong 993 Tsinghua University 994 Department of Computer Science, Tsinghua University 995 Beijing 100084 996 P.R. China 998 Email: knight.dongjiang@gmail.com 999 Yuchi Chen 1000 Tsinghua University 1001 Department of Computer Science, Tsinghua University 1002 Beijing 100084 1003 P.R. China 1005 Email: flashfoxmx@gmail.com
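
The notification-threshold risk named in Section 9 (Security Considerations) can be watched for by polling dsliteAFTRAlarmConnectNumber and flagging every change away from the approved value. The following Python code is an added example, not part of the draft; the approved value, the band limits and the poll history are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed operator policy (not from the draft): the approved threshold value
# and the band outside which a change is treated as hostile or mistaken.
APPROVED = 80
LOW_WATER, HIGH_WATER = 60, 90

@dataclass(frozen=True)
class Finding:
    when: str
    old: int
    new: int
    risk: str

def classify(value):
    """Map a polled threshold value to the risk Section 9 describes."""
    if value < LOW_WATER:
        return "notification-flood"   # arbitrarily low threshold
    if value > HIGH_WATER:
        return "alarm-suppression"    # arbitrarily high threshold
    return "ok" if value == APPROVED else "unapproved-change"

def audit(samples, start=APPROVED):
    """Return a Finding for each change to a value that is not approved.
    samples: (timestamp, value) pairs, oldest first, as collected by
    periodic authenticated GETs of dsliteAFTRAlarmConnectNumber."""
    findings, last = [], start
    for when, value in samples:
        if value != last:
            risk = classify(value)
            if risk != "ok":
                findings.append(Finding(when, last, value, risk))
            last = value
    return findings

# Constructed poll history, for illustration only.
SAMPLES = [
    ("2015-02-08T10:00Z", 80),
    ("2015-02-08T10:10Z", 1),        # set far too low
    ("2015-02-08T10:15Z", 1),        # unchanged, not reported twice
    ("2015-02-08T10:20Z", 80),       # restored to the approved value
    ("2015-02-08T10:25Z", 85),       # inside the band, but not approved
    ("2015-02-08T10:30Z", 1000000),  # set far too high
]

if __name__ == "__main__":
    for finding in audit(SAMPLES):
        print(finding)
```

A value restored to the approved setting produces no finding, so the output lists only the changes an operator needs to trace back to a SET request.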