| < draft-ietf-ipsecme-mib-iptfs-01.txt | draft-ietf-ipsecme-mib-iptfs-02.txt > | |||
|---|---|---|---|---|
| Network Working Group D. Fedyk | Network Working Group D. Fedyk | |||
| Internet-Draft E. Kinzie | Internet-Draft E. Kinzie | |||
| Intended status: Standards Track LabN Consulting, L.L.C. | Intended status: Standards Track LabN Consulting, L.L.C. | |||
| Expires: 15 May 2022 11 November 2021 | Expires: 20 May 2022 16 November 2021 | |||
| Definitions of Managed Objects for IP Traffic Flow Security | Definitions of Managed Objects for IP Traffic Flow Security | |||
| draft-ietf-ipsecme-mib-iptfs-01 | draft-ietf-ipsecme-mib-iptfs-02 | |||
| Abstract | Abstract | |||
| This document describes managed objects for the the management of IP | This document describes managed objects for the the management of IP | |||
| Traffic Flow Security additions to IKEv2 and IPsec. This document | Traffic Flow Security additions to IKEv2 and IPsec. This document | |||
| provides a read only version of the objects defined in the YANG | provides a read only version of the objects defined in the YANG | |||
| module for the same purpose. | module for the same purpose. | |||
| This is an unpublished work in progress. | ||||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 15 May 2022. | This Internet-Draft will expire on 20 May 2022. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| and restrictions with respect to this document. Code Components | and restrictions with respect to this document. Code Components | |||
| extracted from this document must include Simplified BSD License text | extracted from this document must include Simplified BSD License text | |||
| as described in Section 4.e of the Trust Legal Provisions and are | as described in Section 4.e of the Trust Legal Provisions and are | |||
| provided without warranty as described in the Simplified BSD License. | provided without warranty as described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Terminology & Concepts . . . . . . . . . . . . . . . . . . . 2 | 2. Terminology & Concepts . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 4. Management Objects . . . . . . . . . . . . . . . . . . . . . 3 | 4. Management Objects . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 4.1. MIB Tree . . . . . . . . . . . . . . . . . . . . . . . . 3 | 4.1. MIB Tree . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 4.2. SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 4.2. SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 19 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 19 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 19 | |||
| 7. Normative References . . . . . . . . . . . . . . . . . . . . 19 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 20 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . 20 | ||||
| 8.2. Informative References . . . . . . . . . . . . . . . . . 22 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 | ||||
| 1. Introduction | 1. Introduction | |||
| This document defines a Management Information Base (MIB) module for | This document defines a Management Information Base (MIB) module for | |||
| use with network management protocols in the Internet community. | use with network management protocols in the Internet community. | |||
| Traffic Flow Security (IP-TFS) extensions as defined in | Traffic Flow Security (IP-TFS) extensions as defined in | |||
| [I-D.ietf-ipsecme-iptfs]. IP-TFS provides enhancements to an IPsec | [I-D.ietf-ipsecme-iptfs]. IP-TFS provides enhancements to an IPsec | |||
| tunnel Security Association to provide improved traffic | tunnel Security Association to provide improved traffic | |||
| confidentiality. | confidentiality. | |||
| skipping to change at page 4, line 44 ¶ | skipping to change at page 5, line 7 ¶ | |||
| +--iptfsMIBConformances(1) | +--iptfsMIBConformances(1) | |||
| | +--iptfsMIBCompliance(1) | | +--iptfsMIBCompliance(1) | |||
| +--iptfsMIBGroups(2) | +--iptfsMIBGroups(2) | |||
| +--iptfsMIBConfGroup(1) | +--iptfsMIBConfGroup(1) | |||
| +--ipsecStatsConfGroup(2) | +--ipsecStatsConfGroup(2) | |||
| +--iptfsInnerStatsConfGroup(3) | +--iptfsInnerStatsConfGroup(3) | |||
| +--iptfsOuterStatsConfGroup(4) | +--iptfsOuterStatsConfGroup(4) | |||
| 4.2. SNMP | 4.2. SNMP | |||
| The following is the MIB for IP-TFS. | The following is the MIB for IP-TFS. The Congestion control | |||
| algorithm in [RFC5348] is refrenced in the MIB text. | ||||
| -- *------------------------------------------------------------------ | -- *---------------------------------------------------------------- | |||
| -- * | -- * | |||
| -- *------------------------------------------------------------------ | -- *---------------------------------------------------------------- | |||
| IETF-IPTFS-MIB DEFINITIONS ::= BEGIN | IETF-IPTFS-MIB DEFINITIONS ::= BEGIN | |||
| IMPORTS | IMPORTS | |||
| MODULE-IDENTITY, OBJECT-TYPE, | MODULE-IDENTITY, OBJECT-TYPE, | |||
| Integer32, Unsigned32, Counter64, experimental | Integer32, Unsigned32, Counter64, experimental | |||
| FROM SNMPv2-SMI | FROM SNMPv2-SMI | |||
| MODULE-COMPLIANCE, OBJECT-GROUP | MODULE-COMPLIANCE, OBJECT-GROUP | |||
| FROM SNMPv2-CONF | FROM SNMPv2-CONF | |||
| TEXTUAL-CONVENTION, | TEXTUAL-CONVENTION, | |||
| TruthValue | TruthValue | |||
| FROM SNMPv2-TC; | FROM SNMPv2-TC; | |||
| iptfsMIB MODULE-IDENTITY | iptfsMIB MODULE-IDENTITY | |||
| LAST-UPDATED "202111110000Z" | LAST-UPDATED "202111160000Z" | |||
| ORGANIZATION "IETF IPsecme Working Group" | ORGANIZATION "IETF IPsecme Working Group" | |||
| CONTACT-INFO | CONTACT-INFO | |||
| " | " | |||
| Author: Don Fedyk | Author: Don Fedyk | |||
| <mailto:dfedyk@labn.net> | <mailto:dfedyk@labn.net> | |||
| Author: Eric Kinzie | Author: Eric Kinzie | |||
| <mailto:ekinzie.labn.net>" | <mailto:ekinzie.labn.net>" | |||
| DESCRIPTION | DESCRIPTION | |||
| "This module defines the configuration and operational | "This module defines the configuration and operational | |||
| state for managing the IP Traffic Flow Security | state for managing the IP Traffic Flow Security | |||
| functionality [RFC XXXX]. Copyright (c) 2020 IETF | functionality [RFC XXXX]. Copyright (c) 2021 IETF | |||
| Trust and the persons identified as authors of the | Trust and the persons identified as authors of the | |||
| code. All rights reserved. | code. All rights reserved. | |||
| Redistribution and use in source and binary forms, | Redistribution and use in source and binary forms, | |||
| with or without modification, is permitted pursuant | with or without modification, is permitted pursuant | |||
| to, and subject to the license terms contained in, | to, and subject to the license terms contained in, | |||
| the Simplified BSD License set forth in Section 4.c | the Simplified BSD License set forth in Section 4.c | |||
| of the IETF Trust's Legal Provisions Relating to IETF | of the IETF Trust's Legal Provisions Relating to IETF | |||
| Documents (https://trustee.ietf.org/license-info). | Documents (https://trustee.ietf.org/license-info). | |||
| This version of this SNMP MIB module is part of RFC XXXX | This version of this SNMP MIB module is part of RFC XXXX | |||
| (https://tools.ietf.org/html/rfcXXXX); see the RFC | (https://tools.ietf.org/html/rfcXXXX); see the RFC | |||
| itself for full legal notices." | itself for full legal notices." | |||
| REVISION "202111110000Z" | REVISION "202111160000Z" | |||
| DESCRIPTION | DESCRIPTION | |||
| "Initial revision. Derived from the IPTFS Yang Model." | "Initial revision. Derived from the IPTFS Yang Model." | |||
| ::= { experimental 500 } | ::= { experimental 500 } | |||
| -- | -- | |||
| -- Textual Conventions | -- Textual Conventions | |||
| -- | -- | |||
| UnsignedShort ::= TEXTUAL-CONVENTION | ||||
| DISPLAY-HINT "d" | ||||
| STATUS current | ||||
| DESCRIPTION "xs:unsignedShort" | ||||
| SYNTAX Unsigned32 (0 .. 65535) | ||||
| NanoSeconds ::= TEXTUAL-CONVENTION | UnsignedShort ::= TEXTUAL-CONVENTION | |||
| DISPLAY-HINT "d" | DISPLAY-HINT "d" | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION "xs:unsignedShort" | |||
| "Represents time unit value in nanoseconds." | SYNTAX Unsigned32 (0 .. 65535) | |||
| SYNTAX Counter64 | ||||
| -- Objects, Notifications & Conformances | NanoSeconds ::= TEXTUAL-CONVENTION | |||
| DISPLAY-HINT "d" | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "Represents time unit value in nanoseconds." | ||||
| SYNTAX Counter64 | ||||
| iptfsMIBObjects OBJECT IDENTIFIER | -- Objects, Notifications & Conformances | |||
| ::= { iptfsMIB 1 } | ||||
| iptfsMIBConformance OBJECT IDENTIFIER | ||||
| ::= { iptfsMIB 2} | ||||
| -- | iptfsMIBObjects OBJECT IDENTIFIER | |||
| -- IPTFS MIB Object Groups | ::= { iptfsMIB 1 } | |||
| -- | iptfsMIBConformance OBJECT IDENTIFIER | |||
| iptfsGroup OBJECT IDENTIFIER | ::= { iptfsMIB 2} | |||
| ::= { iptfsMIBObjects 1 } | ||||
| ipsecStatsGroup OBJECT IDENTIFIER | -- | |||
| ::= { iptfsMIBObjects 2 } | -- IPTFS MIB Object Groups | |||
| -- | ||||
| iptfsGroup OBJECT IDENTIFIER | ||||
| ::= { iptfsMIBObjects 1 } | ||||
| iptfsInnerStatsGroup OBJECT IDENTIFIER | ipsecStatsGroup OBJECT IDENTIFIER | |||
| ::= { iptfsMIBObjects 3 } | ::= { iptfsMIBObjects 2 } | |||
| iptfsOuterStatsGroup OBJECT IDENTIFIER | iptfsInnerStatsGroup OBJECT IDENTIFIER | |||
| ::= { iptfsMIBObjects 4 } | ::= { iptfsMIBObjects 3 } | |||
| iptfsConfigTable OBJECT-TYPE | iptfsOuterStatsGroup OBJECT IDENTIFIER | |||
| SYNTAX SEQUENCE OF IptfsConfigTableEntry | ::= { iptfsMIBObjects 4 } | |||
| MAX-ACCESS not-accessible | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "The table containing configuration information for | ||||
| IPTFS." | ||||
| ::= { iptfsGroup 1 } | ||||
| iptfsConfigTableEntry OBJECT-TYPE | iptfsConfigTable OBJECT-TYPE | |||
| SYNTAX IptfsConfigTableEntry | SYNTAX SEQUENCE OF IptfsConfigTableEntry | |||
| MAX-ACCESS not-accessible | MAX-ACCESS not-accessible | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "An entry (conceptual row) containing the information on | "The table containing configuration information for | |||
| a particular IPTFS SA." | IPTFS." | |||
| INDEX { iptfsConfigSaIndex } | ::= { iptfsGroup 1 } | |||
| ::= { iptfsConfigTable 1 } | ||||
| IptfsConfigTableEntry ::= SEQUENCE { | iptfsConfigTableEntry OBJECT-TYPE | |||
| iptfsConfigSaIndex Integer32, | SYNTAX IptfsConfigTableEntry | |||
| MAX-ACCESS not-accessible | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "An entry (conceptual row) containing the information on | ||||
| a particular IPTFS SA." | ||||
| INDEX { iptfsConfigSaIndex } | ||||
| ::= { iptfsConfigTable 1 } | ||||
| -- identifier information | IptfsConfigTableEntry ::= SEQUENCE { | |||
| congestionControl TruthValue, | iptfsConfigSaIndex Integer32, | |||
| usePathMtu TruthValue, | ||||
| outerPacketSize UnsignedShort, | ||||
| l2FixedRate Counter64, | ||||
| l3FixedRate Counter64, | ||||
| dontFragment TruthValue, | ||||
| maxAggregationTime NanoSeconds, | ||||
| windowSize Unsigned32, | ||||
| sendImmediately TruthValue, | ||||
| lostPktTimerInt NanoSeconds | ||||
| } | ||||
| iptfsConfigSaIndex OBJECT-TYPE | -- identifier information | |||
| congestionControl TruthValue, | ||||
| usePathMtu TruthValue, | ||||
| outerPacketSize UnsignedShort, | ||||
| l2FixedRate Counter64, | ||||
| l3FixedRate Counter64, | ||||
| dontFragment TruthValue, | ||||
| maxAggregationTime NanoSeconds, | ||||
| windowSize Unsigned32, | ||||
| sendImmediately TruthValue, | ||||
| lostPktTimerInt NanoSeconds | ||||
| } | ||||
| iptfsConfigSaIndex OBJECT-TYPE | ||||
| SYNTAX Integer32 (1..16777215) | ||||
| MAX-ACCESS not-accessible | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "A unique value, greater than zero, for each SA. | ||||
| It is recommended that values are assigned contiguously | ||||
| starting from 1. | ||||
| The value for each entry must remain constant at least | ||||
| from one re-initialization of entity's network management | ||||
| system to the next re-initialization." | ||||
| ::= { iptfsConfigTableEntry 1 } | ||||
| congestionControl OBJECT-TYPE | ||||
| SYNTAX TruthValue | ||||
| MAX-ACCESS read-only | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "When set to true, the default, this enables the | ||||
| congestion control on-the-wire exchange of data that is | ||||
| required by congestion control algorithms as defined by | ||||
| RFC 5348. When set to false, IP-TFS sends fixed-sized | ||||
| packets over an IP-TFS tunnel at a constant rate." | ||||
| DEFVAL { false } | ||||
| ::= { iptfsConfigTableEntry 2 } | ||||
| usePathMtu OBJECT-TYPE | ||||
| SYNTAX TruthValue | ||||
| MAX-ACCESS read-only | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "Packet size is either auto-discovered or manually | ||||
| configured. If usePathMtu is true the system utilizes | ||||
| path-mtu to determine maximum IPTFS packet size. If | ||||
| the packet size is explicitly configured then it will | ||||
| only be adjusted downward if use-path-mtu is set." | ||||
| ::= { iptfsConfigTableEntry 3 } | ||||
| outerPacketSize OBJECT-TYPE | ||||
| SYNTAX UnsignedShort | ||||
| MAX-ACCESS read-only | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "On Transmission, the size of the outer encapsulating | ||||
| tunnel packet (i.e., the IP packet containing the ESP | ||||
| payload)." | ||||
| ::= { iptfsConfigTableEntry 4 } | ||||
| l2FixedRate OBJECT-TYPE | ||||
| SYNTAX Counter64 | ||||
| MAX-ACCESS read-only | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "TFS bit rate may be specified at layer 2 wire rate. On | ||||
| transmission, target bandwidth/bit rate in bps for iptfs | ||||
| tunnel. This rate is the nominal timing for the fixed | ||||
| size packet. If congestion control is enabled the rate | ||||
| may be adjusted down (or up if unset)." | ||||
| ::= { iptfsConfigTableEntry 5 } | ||||
| l3FixedRate OBJECT-TYPE | ||||
| SYNTAX Counter64 | ||||
| MAX-ACCESS read-only | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "TFS bit rate may be specified at layer 3 packet rate. | ||||
| On Transmission, target bandwidth/bit rate in bps for | ||||
| iptfs tunnel. This rate is the nominal timing for the | ||||
| fixed size packet. If congestion control is enabled the | ||||
| rate may be adjusted down (or up if unset)." | ||||
| ::= { iptfsConfigTableEntry 6 } | ||||
| dontFragment OBJECT-TYPE | ||||
| SYNTAX TruthValue | ||||
| MAX-ACCESS read-only | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "On transmission, disable packet fragmentation across | ||||
| consecutive iptfs tunnel packets; inner packets larger | ||||
| than what can be transmitted in outer packets will be | ||||
| dropped." | ||||
| ::= { iptfsConfigTableEntry 7 } | ||||
| maxAggregationTime OBJECT-TYPE | ||||
| SYNTAX NanoSeconds | ||||
| MAX-ACCESS read-only | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "On transmission, maximum aggregation time is the | ||||
| maximum length of time a received inner packet can be | ||||
| held prior to transmission in the iptfs tunnel. Inner | ||||
| packets that would be held longer than this time, based | ||||
| on the current tunnel configuration will be dropped | ||||
| rather than be queued for transmission." | ||||
| ::= { iptfsConfigTableEntry 8 } | ||||
| windowSize OBJECT-TYPE | ||||
| SYNTAX Unsigned32(0..65535) | ||||
| MAX-ACCESS read-only | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "On reception, the maximum number of out-of-order | ||||
| packets that will be reordered by an iptfs receiver | ||||
| while performing the reordering operation. The value 0 | ||||
| disables any reordering." | ||||
| ::= { iptfsConfigTableEntry 9 } | ||||
| sendImmediately OBJECT-TYPE | ||||
| SYNTAX TruthValue | ||||
| MAX-ACCESS read-only | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "On reception, end inner packets as soon as possible, do | ||||
| not wait for lost or misordered outer packets. | ||||
| Selecting this option reduces the inner (user) packet | ||||
| delay but can amplify out-of-order delivery of the inner | ||||
| packet stream in the presence of packet aggregation and | ||||
| any reordering." | ||||
| ::= { iptfsConfigTableEntry 10 } | ||||
| lostPktTimerInt OBJECT-TYPE | ||||
| SYNTAX NanoSeconds | ||||
| MAX-ACCESS read-only | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "On reception, this interval defines the length of time | ||||
| an iptfs receiver will wait for a missing packet before | ||||
| considering it lost. If not using send-immediately, | ||||
| then each lost packet will delay inner (user) packets | ||||
| until this timer expires. Setting this value too low can | ||||
| impact reordering and reassembly." | ||||
| ::= { iptfsConfigTableEntry 11 } | ||||
| ipsecStatsTable OBJECT-TYPE | ||||
| SYNTAX SEQUENCE OF IpsecStatsTableEntry | ||||
| MAX-ACCESS not-accessible | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "The table containing basic statistics on IPsec." | ||||
| ::= { ipsecStatsGroup 1 } | ||||
| ipsecStatsTableEntry OBJECT-TYPE | ||||
| SYNTAX IpsecStatsTableEntry | ||||
| MAX-ACCESS not-accessible | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "An entry (conceptual row) containing the information on | ||||
| a particular IKE SA." | ||||
| INDEX { ipsecSaIndex } | ||||
| ::= { ipsecStatsTable 1 } | ||||
| IpsecStatsTableEntry ::= SEQUENCE { | ||||
| ipsecSaIndex Integer32, | ||||
| -- packet statistics information | ||||
| txPackets Counter64, | ||||
| txOctets Counter64, | ||||
| txDropPackets Counter64, | ||||
| rxPackets Counter64, | ||||
| rxOctets Counter64, | ||||
| rxDropPackets Counter64 | ||||
| } | ||||
| ipsecSaIndex OBJECT-TYPE | ||||
| SYNTAX Integer32 (1..16777215) | SYNTAX Integer32 (1..16777215) | |||
| MAX-ACCESS not-accessible | MAX-ACCESS not-accessible | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "A unique value, greater than zero, for each SA. | "A unique value, greater than zero, for each SA. | |||
| It is recommended that values are assigned contiguously | It is recommended that values are assigned contiguously | |||
| starting from 1. | starting from 1. | |||
| The value for each entry must remain constant at least | The value for each entry must remain constant at least | |||
| from one re-initialization of entity's network management | from one re-initialization of entity's network management | |||
| system to the next re-initialization." | system to the next re-initialization." | |||
| ::= { iptfsConfigTableEntry 1 } | ::= { ipsecStatsTableEntry 1 } | |||
| congestionControl OBJECT-TYPE | txPackets OBJECT-TYPE | |||
| SYNTAX TruthValue | SYNTAX Counter64 | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "Congestion Control With the congestion controlled | "Outbound Packet count." | |||
| mode, IP-TFS adapts to network congestion by lowering | ::= { ipsecStatsTableEntry 2 } | |||
| the packet send rate to accommodate the congestion, as | ||||
| well as raising the rate when congestion subsides." | ||||
| DEFVAL { false } | ||||
| ::= { iptfsConfigTableEntry 2 } | ||||
| usePathMtu OBJECT-TYPE | txOctets OBJECT-TYPE | |||
| SYNTAX TruthValue | SYNTAX Counter64 | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "Packet size is either auto-discovered or manually | "Outbound Packet bytes." | |||
| configured. If usePathMtu is true the system utilizes | ::= { ipsecStatsTableEntry 3 } | |||
| path-mtu to determine maximum IPTFS packet size. If | ||||
| the packet size is explicitly configured then it will | ||||
| only be adjusted downward if use-path-mtu is set." | ||||
| ::= { iptfsConfigTableEntry 3 } | ||||
| outerPacketSize OBJECT-TYPE | txDropPackets OBJECT-TYPE | |||
| SYNTAX UnsignedShort | SYNTAX Counter64 | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The size of the outer encapsulating tunnel packet | "Outbound dropped packets count." | |||
| (i.e., the IP packet containing the ESP payload)." | ::= { ipsecStatsTableEntry 4 } | |||
| ::= { iptfsConfigTableEntry 4 } | ||||
| l2FixedRate OBJECT-TYPE | rxPackets OBJECT-TYPE | |||
| SYNTAX Counter64 | SYNTAX Counter64 | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "TFS bit rate may be specified at layer 2 wire rate. | "Inbound Packet count." | |||
| Target bandwidth/bit rate in bps for iptfs tunnel. | ::= { ipsecStatsTableEntry 5 } | |||
| This rate is the nominal timing for the fixed size | ||||
| packet. If congestion control is enabled the rate may | ||||
| be adjusted down (or up if unset)." | ||||
| ::= { iptfsConfigTableEntry 5 } | ||||
| l3FixedRate OBJECT-TYPE | rxOctets OBJECT-TYPE | |||
| SYNTAX Counter64 | SYNTAX Counter64 | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "TFS bit rate may be specified at layer 3 packet | "Inbound Packet bytes." | |||
| rate.Target bandwidth/bit rate in bps for iptfs | ::= { ipsecStatsTableEntry 6 } | |||
| tunnel. this rate is the nominal timing for the fixed | ||||
| size packet. If congestion control is enabled the rate | ||||
| may be adjusted down (or up if unset)." | ||||
| ::= { iptfsConfigTableEntry 6 } | ||||
| dontFragment OBJECT-TYPE | rxDropPackets OBJECT-TYPE | |||
| SYNTAX TruthValue | SYNTAX Counter64 | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "Disable packet fragmentation across consecutive iptfs | "Inbound Dropped packets" | |||
| tunnel packets when set to true." | ::= { ipsecStatsTableEntry 7 } | |||
| ::= { iptfsConfigTableEntry 7 } | ||||
| maxAggregationTime OBJECT-TYPE | iptfsInnerStatsTable OBJECT-TYPE | |||
| SYNTAX NanoSeconds | SYNTAX SEQUENCE OF IptfsInnerSaEntry | |||
| MAX-ACCESS not-accessible | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "The table containing information on IPTFS | ||||
| Inner Packets." | ||||
| ::= { iptfsInnerStatsGroup 1 } | ||||
| iptfsInnerStatsTableEntry OBJECT-TYPE | ||||
| SYNTAX IptfsInnerSaEntry | ||||
| MAX-ACCESS not-accessible | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "An entry containing the information on | ||||
| a particular tfs SA." | ||||
| INDEX { iptfsInnerSaIndex } | ||||
| ::= { iptfsInnerStatsTable 1 } | ||||
| IptfsInnerSaEntry ::= SEQUENCE { | ||||
| iptfsInnerSaIndex Integer32, | ||||
| txInnerPackets Counter64, | ||||
| txInnerOctets Counter64, | ||||
| rxInnerPackets Counter64, | ||||
| rxInnerOctets Counter64, | ||||
| rxIncompleteInnerPackets Counter64 | ||||
| } | ||||
| iptfsInnerSaIndex OBJECT-TYPE | ||||
| SYNTAX Integer32 (1..16777215) | ||||
| MAX-ACCESS not-accessible | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "A unique value, greater than zero, for each SA. | ||||
| It is recommended that values are assigned contiguously | ||||
| starting from 1. | ||||
| The value for each entry must remain constant at least | ||||
| from one re-initialization of entity's network management | ||||
| system to the next re-initialization." | ||||
| ::= { iptfsInnerStatsTableEntry 1 } | ||||
| txInnerPackets OBJECT-TYPE | ||||
| SYNTAX Counter64 | ||||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "Maximum aggregation time is the maximum length of | "Total number of IP-TFS inner packets sent. This count | |||
| time a received inner packet can be held prior to | is whole packets only. A fragmented packet counts as | |||
| transmission in the iptfs tunnel. Inner packets that | one packet." | |||
| would be held longer than this time, based on the | ::= { iptfsInnerStatsTableEntry 2 } | |||
| current tunnel configuration will be dropped rather | ||||
| than be queued for transmission." | ||||
| ::= { iptfsConfigTableEntry 8 } | ||||
| windowSize OBJECT-TYPE | txInnerOctets OBJECT-TYPE | |||
| SYNTAX Unsigned32(0..65535) | SYNTAX Counter64 | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The maximum number of out-of-order packets that will be | "Total number of IP-TFS inner octets sent. This is | |||
| reordered by an iptfs receiver while performing the | inner packet octets only. Does not count padding." | |||
| reordering operation. The value 0 disables any | ::= { iptfsInnerStatsTableEntry 3 } | |||
| reordering." | ||||
| ::= { iptfsConfigTableEntry 9 } | ||||
| sendImmediately OBJECT-TYPE | rxInnerPackets OBJECT-TYPE | |||
| SYNTAX TruthValue | SYNTAX Counter64 | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "Send inner packets as soon as possible, do not wait for | "Total number of IP-TFS inner packets received." | |||
| lost or misordered outer packets. Selecting this option | ::= { iptfsInnerStatsTableEntry 4 } | |||
| reduces the inner (user) packet delay but can amplify | ||||
| out-of-order delivery of the inner packet stream in the | ||||
| presence of packet aggregation and any reordering." | ||||
| ::= { iptfsConfigTableEntry 10 } | ||||
| lostPktTimerInt OBJECT-TYPE | rxInnerOctets OBJECT-TYPE | |||
| SYNTAX NanoSeconds | SYNTAX Counter64 | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "This interval defines the length of time an iptfs | "Total number of IP-TFS inner octets received. Does | |||
| receiver will wait for a missing packet before | not include padding or overhead." | |||
| considering it lost. Setting this value too low can | ::= { iptfsInnerStatsTableEntry 5 } | |||
| impact reordering and reassembly. The value is | ||||
| configurable in milliseconds or fractional milliseconds | ||||
| down to 1 nanosecond." | ||||
| ::= { iptfsConfigTableEntry 11 } | ||||
| ipsecStatsTable OBJECT-TYPE | rxIncompleteInnerPackets OBJECT-TYPE | |||
| SYNTAX SEQUENCE OF IpsecStatsTableEntry | SYNTAX Counter64 | |||
| MAX-ACCESS not-accessible | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The table containing basic statistics on IPsec." | "Total number of IP-TFS inner packets that were | |||
| ::= { ipsecStatsGroup 1 } | incomplete. Usually this is due to fragments not | |||
| received. Also, this may be due to misordering or | ||||
| errors in received outer packets." | ||||
| ::= { iptfsInnerStatsTableEntry 6 } | ||||
| ipsecStatsTableEntry OBJECT-TYPE | iptfsOuterStatsTable OBJECT-TYPE | |||
| SYNTAX IpsecStatsTableEntry | SYNTAX SEQUENCE OF IptfsOuterSaEntry | |||
| MAX-ACCESS not-accessible | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "The table containing information on IPTFS." | ||||
| ::= { iptfsOuterStatsGroup 1 } | ||||
| iptfsOuterStatsTableEntry OBJECT-TYPE | ||||
| SYNTAX IptfsOuterSaEntry | ||||
| MAX-ACCESS not-accessible | MAX-ACCESS not-accessible | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "An entry (conceptual row) containing the information on | "An entry containing the information on | |||
| a particular IKE SA." | a particular tfs SA." | |||
| INDEX { ipsecSaIndex } | INDEX { iptfsSaIndex } | |||
| ::= { ipsecStatsTable 1 } | ::= { iptfsOuterStatsTable 1 } | |||
| IpsecStatsTableEntry ::= SEQUENCE { | ||||
| ipsecSaIndex Integer32, | ||||
| -- packet statistics information | ||||
| txPackets Counter64, | ||||
| txOctets Counter64, | ||||
| txDropPackets Counter64, | ||||
| rxPackets Counter64, | ||||
| rxOctets Counter64, | ||||
| rxDropPackets Counter64 | ||||
| } | ||||
| ipsecSaIndex OBJECT-TYPE | ||||
| SYNTAX Integer32 (1..16777215) | ||||
| MAX-ACCESS not-accessible | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "A unique value, greater than zero, for each SA. | ||||
| It is recommended that values are assigned contiguously | ||||
| starting from 1. | ||||
| The value for each entry must remain constant at least | ||||
| from one re-initialization of entity's network management | ||||
| system to the next re-initialization." | ||||
| ::= { ipsecStatsTableEntry 1 } | ||||
| txPackets OBJECT-TYPE | ||||
| SYNTAX Counter64 | ||||
| MAX-ACCESS read-only | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "Outbound Packet count." | ||||
| ::= { ipsecStatsTableEntry 2 } | ||||
| txOctets OBJECT-TYPE | ||||
| SYNTAX Counter64 | ||||
| MAX-ACCESS read-only | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "Outbound Packet bytes." | ||||
| ::= { ipsecStatsTableEntry 3 } | ||||
| txDropPackets OBJECT-TYPE | ||||
| SYNTAX Counter64 | ||||
| MAX-ACCESS read-only | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "Outbound dropped packets count." | ||||
| ::= { ipsecStatsTableEntry 4 } | ||||
| rxPackets OBJECT-TYPE | IptfsOuterSaEntry ::= SEQUENCE { | |||
| SYNTAX Counter64 | iptfsSaIndex Integer32, | |||
| MAX-ACCESS read-only | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "Inbound Packet count." | ||||
| ::= { ipsecStatsTableEntry 5 } | ||||
| rxOctets OBJECT-TYPE | -- iptfs packet statistics information | |||
| SYNTAX Counter64 | txExtraPadPackets Counter64, | |||
| MAX-ACCESS read-only | txExtraPadOctets Counter64, | |||
| STATUS current | txAllPadPackets Counter64, | |||
| DESCRIPTION | txAllPadOctets Counter64, | |||
| "Inbound Packet bytes." | rxExtraPadPackets Counter64, | |||
| ::= { ipsecStatsTableEntry 6 } | rxExtraPadOctets Counter64, | |||
| rxAllPadPackets Counter64, | ||||
| rxAllPadOctets Counter64, | ||||
| rxErroredPackets Counter64, | ||||
| rxMissedPackets Counter64 | ||||
| } | ||||
| rxDropPackets OBJECT-TYPE | iptfsSaIndex OBJECT-TYPE | |||
| SYNTAX Counter64 | SYNTAX Integer32 (1..16777215) | |||
| MAX-ACCESS read-only | MAX-ACCESS not-accessible | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "Inbound Dropped packets" | "A unique value, greater than zero, for each SA. | |||
| ::= { ipsecStatsTableEntry 7 } | It is recommended that values are assigned contiguously | |||
| starting from 1. | ||||
| iptfsInnerStatsTable OBJECT-TYPE | ||||
| SYNTAX SEQUENCE OF IptfsInnerSaEntry | ||||
| MAX-ACCESS not-accessible | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "The table containing information on IPTFS | ||||
| Inner Packets." | ||||
| ::= { iptfsInnerStatsGroup 1 } | ||||
| iptfsInnerStatsTableEntry OBJECT-TYPE | ||||
| SYNTAX IptfsInnerSaEntry | ||||
| MAX-ACCESS not-accessible | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "An entry containing the information on | ||||
| a particular tfs SA." | ||||
| INDEX { iptfsInnerSaIndex } | ||||
| ::= { iptfsInnerStatsTable 1 } | ||||
| IptfsInnerSaEntry ::= SEQUENCE { | ||||
| iptfsInnerSaIndex Integer32, | ||||
| txInnerPackets Counter64, | ||||
| txInnerOctets Counter64, | ||||
| rxInnerPackets Counter64, | ||||
| rxInnerOctets Counter64, | ||||
| rxIncompleteInnerPackets Counter64 | ||||
| } | ||||
| iptfsInnerSaIndex OBJECT-TYPE | ||||
| SYNTAX Integer32 (1..16777215) | ||||
| MAX-ACCESS not-accessible | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "A unique value, greater than zero, for each SA. | ||||
| It is recommended that values are assigned contiguously | ||||
| starting from 1. | ||||
| The value for each entry must remain constant at least | The value for each entry must remain constant at least | |||
| from one re-initialization of entity's network management | from one re-initialization of entity's network management | |||
| system to the next re-initialization." | system to the next re-initialization." | |||
| ::= { iptfsInnerStatsTableEntry 1 } | ::= { iptfsOuterStatsTableEntry 1 } | |||
| txInnerPackets OBJECT-TYPE | txExtraPadPackets OBJECT-TYPE | |||
| SYNTAX Counter64 | SYNTAX Counter64 | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "Total number of IP-TFS inner packets sent. This count | "Total number of transmitted outer IP-TFS packets that | |||
| is whole packets only. A fragmented packet counts as | included some padding." | |||
| one packet." | ::= { iptfsOuterStatsTableEntry 2 } | |||
| ::= { iptfsInnerStatsTableEntry 2 } | ||||
| txInnerOctets OBJECT-TYPE | txExtraPadOctets OBJECT-TYPE | |||
| SYNTAX Counter64 | SYNTAX Counter64 | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "Total number of IP-TFS inner octets sent. This is | "Total number of transmitted octets of padding added to | |||
| inner packet octets only. Does not count padding." | outer IP-TFS packets with data." | |||
| ::= { iptfsInnerStatsTableEntry 3 } | ::= { iptfsOuterStatsTableEntry 3 } | |||
| rxInnerPackets OBJECT-TYPE | txAllPadPackets OBJECT-TYPE | |||
| SYNTAX Counter64 | SYNTAX Counter64 | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "Total number of IP-TFS inner packets received." | "Total number of transmitted IP-TFS packets that were | |||
| ::= { iptfsInnerStatsTableEntry 4 } | all padding with no inner packet data." | |||
| ::= { iptfsOuterStatsTableEntry 4 } | ||||
| rxInnerOctets OBJECT-TYPE | txAllPadOctets OBJECT-TYPE | |||
| SYNTAX Counter64 | SYNTAX Counter64 | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "Total number of IP-TFS inner octets received. Does | "Total number transmitted octets of padding added to | |||
| not include padding or overhead." | IP-TFS packets with no inner packet data." | |||
| ::= { iptfsInnerStatsTableEntry 5 } | ||||
| rxIncompleteInnerPackets OBJECT-TYPE | ::= { iptfsOuterStatsTableEntry 5 } | |||
| SYNTAX Counter64 | ||||
| MAX-ACCESS read-only | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "Total number of IP-TFS inner packets that were | ||||
| incomplete. Usually this is due to fragments not | ||||
| received. Also, this may be due to misordering or | ||||
| errors in received outer packets." | ||||
| ::= { iptfsInnerStatsTableEntry 6 } | ||||
| iptfsOuterStatsTable OBJECT-TYPE | rxExtraPadPackets OBJECT-TYPE | |||
| SYNTAX SEQUENCE OF IptfsOuterSaEntry | SYNTAX Counter64 | |||
| MAX-ACCESS not-accessible | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The table containing information on IPTFS." | "Total number of received outer IP-TFS packets that | |||
| ::= { iptfsOuterStatsGroup 1 } | included some padding." | |||
| ::= { iptfsOuterStatsTableEntry 6 } | ||||
| iptfsOuterStatsTableEntry OBJECT-TYPE | rxExtraPadOctets OBJECT-TYPE | |||
| SYNTAX IptfsOuterSaEntry | SYNTAX Counter64 | |||
| MAX-ACCESS not-accessible | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "An entry containing the information on | "Total number of received octets of padding added to | |||
| a particular tfs SA." | outer IP-TFS packets with data." | |||
| INDEX { iptfsSaIndex } | ::= { iptfsOuterStatsTableEntry 7 } | |||
| ::= { iptfsOuterStatsTable 1 } | ||||
| IptfsOuterSaEntry ::= SEQUENCE { | rxAllPadPackets OBJECT-TYPE | |||
| iptfsSaIndex Integer32, | SYNTAX Counter64 | |||
| MAX-ACCESS read-only | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "Total number of received IP-TFS packets that were all | ||||
| padding with no inner paccket data." | ||||
| ::= { iptfsOuterStatsTableEntry 8 } | ||||
| -- iptfs packet statistics information | rxAllPadOctets OBJECT-TYPE | |||
| txExtraPadPackets Counter64, | SYNTAX Counter64 | |||
| txExtraPadOctets Counter64, | MAX-ACCESS read-only | |||
| txAllPadPackets Counter64, | STATUS current | |||
| txAllPadOctets Counter64, | DESCRIPTION | |||
| rxExtraPadPackets Counter64, | "Total number received octets of padding added to | |||
| rxExtraPadOctets Counter64, | IP-TFS packets with no inner packet data." | |||
| rxAllPadPackets Counter64, | ::= { iptfsOuterStatsTableEntry 9 } | |||
| rxAllPadOctets Counter64, | ||||
| rxErroredPackets Counter64, | ||||
| rxMissedPackets Counter64 | ||||
| } | ||||
| iptfsSaIndex OBJECT-TYPE | rxErroredPackets OBJECT-TYPE | |||
| SYNTAX Integer32 (1..16777215) | SYNTAX Counter64 | |||
| MAX-ACCESS not-accessible | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "A unique value, greater than zero, for each SA. | "Total number of IP-TFS outer packets dropped due to | |||
| It is recommended that values are assigned contiguously | errors." | |||
| starting from 1. | ::= { iptfsOuterStatsTableEntry 10 } | |||
| The value for each entry must remain constant at least | rxMissedPackets OBJECT-TYPE | |||
| from one re-initialization of entity's network management | SYNTAX Counter64 | |||
| system to the next re-initialization." | MAX-ACCESS read-only | |||
| ::= { iptfsOuterStatsTableEntry 1 } | STATUS current | |||
| DESCRIPTION | ||||
| "Total number of IP-TFS outer packets missing indicated | ||||
| by missing sequence number." | ||||
| ::= { iptfsOuterStatsTableEntry 11 } | ||||
| txExtraPadPackets OBJECT-TYPE | -- | |||
| SYNTAX Counter64 | -- Iptfs Module Compliance | |||
| MAX-ACCESS read-only | -- | |||
| STATUS current | ||||
| DESCRIPTION | ||||
| "Total number of transmitted outer IP-TFS packets that | ||||
| included some padding." | ||||
| ::= { iptfsOuterStatsTableEntry 2 } | ||||
| txExtraPadOctets OBJECT-TYPE | iptfsMIBConformances OBJECT IDENTIFIER | |||
| SYNTAX Counter64 | ::= { iptfsMIBConformance 1 } | |||
| MAX-ACCESS read-only | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "Total number of transmitted octets of padding added to | ||||
| outer IP-TFS packets with data." | ||||
| ::= { iptfsOuterStatsTableEntry 3 } | ||||
| txAllPadPackets OBJECT-TYPE | iptfsMIBGroups OBJECT IDENTIFIER | |||
| SYNTAX Counter64 | ::= { iptfsMIBConformance 2 } | |||
| MAX-ACCESS read-only | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "Total number of transmitted IP-TFS packets that were | ||||
| all padding with no inner packet data." | ||||
| ::= { iptfsOuterStatsTableEntry 4 } | ||||
| txAllPadOctets OBJECT-TYPE | iptfsMIBCompliance MODULE-COMPLIANCE | |||
| SYNTAX Counter64 | STATUS current | |||
| MAX-ACCESS read-only | DESCRIPTION | |||
| STATUS current | "The compliance statement for entities which | |||
| DESCRIPTION | implement the IPTFS MIB" | |||
| "Total number transmitted octets of padding added to | MODULE -- this module | |||
| IP-TFS packets with no inner packet data." | MANDATORY-GROUPS { | |||
| ::= { iptfsOuterStatsTableEntry 5 } | iptfsMIBConfGroup, | |||
| ipsecStatsConfGroup, | ||||
| iptfsInnerStatsConfGroup, | ||||
| iptfsOuterStatsConfGroup | ||||
| } | ||||
| rxExtraPadPackets OBJECT-TYPE | ::= { iptfsMIBConformances 1 } | |||
| SYNTAX Counter64 | ||||
| MAX-ACCESS read-only | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "Total number of received outer IP-TFS packets that | ||||
| included some padding." | ||||
| ::= { iptfsOuterStatsTableEntry 6 } | ||||
| rxExtraPadOctets OBJECT-TYPE | -- | |||
| SYNTAX Counter64 | -- MIB Groups (Units of Conformance) | |||
| MAX-ACCESS read-only | -- | |||
| STATUS current | ||||
| DESCRIPTION | ||||
| "Total number of received octets of padding added to | ||||
| outer IP-TFS packets with data." | ||||
| ::= { iptfsOuterStatsTableEntry 7 } | ||||
| rxAllPadPackets OBJECT-TYPE | iptfsMIBConfGroup OBJECT-GROUP | |||
| SYNTAX Counter64 | OBJECTS { | |||
| MAX-ACCESS read-only | congestionControl, | |||
| STATUS current | usePathMtu, | |||
| DESCRIPTION | outerPacketSize , | |||
| "Total number of received IP-TFS packets that were all | l2FixedRate , | |||
| padding with no inner paccket data." | l3FixedRate , | |||
| ::= { iptfsOuterStatsTableEntry 8 } | dontFragment, | |||
| maxAggregationTime, | ||||
| windowSize, | ||||
| sendImmediately, | ||||
| lostPktTimerInt | ||||
| } | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "A collection of objects providing per SA IPTFS | ||||
| Configuration." | ||||
| ::= { iptfsMIBGroups 1 } | ||||
| rxAllPadOctets OBJECT-TYPE | ipsecStatsConfGroup OBJECT-GROUP | |||
| SYNTAX Counter64 | OBJECTS { | |||
| MAX-ACCESS read-only | txPackets, | |||
| STATUS current | txOctets, | |||
| DESCRIPTION | txDropPackets, | |||
| "Total number received octets of padding added to | rxPackets, | |||
| IP-TFS packets with no inner packet data." | rxOctets, | |||
| ::= { iptfsOuterStatsTableEntry 9 } | rxDropPackets | |||
| } | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "A collection of objects providing per SA Basic | ||||
| Stats." | ||||
| ::= { iptfsMIBGroups 2 } | ||||
| rxErroredPackets OBJECT-TYPE | iptfsInnerStatsConfGroup OBJECT-GROUP | |||
| SYNTAX Counter64 | OBJECTS { | |||
| MAX-ACCESS read-only | txInnerPackets, | |||
| STATUS current | txInnerOctets, | |||
| DESCRIPTION | rxInnerPackets, | |||
| "Total number of IP-TFS outer packets dropped due to | rxInnerOctets, | |||
| errors." | rxIncompleteInnerPackets | |||
| ::= { iptfsOuterStatsTableEntry 10 } | } | |||
| STATUS current | ||||
| DESCRIPTION | ||||
| "A collection of objects providing per SA IPTFS | ||||
| Inner Packet Statistics." | ||||
| ::= { iptfsMIBGroups 3 } | ||||
| rxMissedPackets OBJECT-TYPE | iptfsOuterStatsConfGroup OBJECT-GROUP | |||
| SYNTAX Counter64 | OBJECTS { | |||
| MAX-ACCESS read-only | txExtraPadPackets, | |||
| STATUS current | txExtraPadOctets, | |||
| DESCRIPTION | txAllPadPackets, | |||
| "Total number of IP-TFS outer packets missing indicated | txAllPadOctets, | |||
| by missing sequence number." | rxExtraPadPackets, | |||
| ::= { iptfsOuterStatsTableEntry 11 } | rxExtraPadOctets, | |||
| rxAllPadPackets, | ||||
| rxAllPadOctets, | ||||
| rxErroredPackets, | ||||
| rxMissedPackets | ||||
| } | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "A collection of objects providing per SA IPTFS | ||||
| Outer Packet Statistics." | ||||
| ::= { iptfsMIBGroups 4 } | ||||
| -- | END | |||
| -- Iptfs Module Compliance | ||||
| -- | ||||
| iptfsMIBConformances OBJECT IDENTIFIER | 5. IANA Considerations | |||
| ::= { iptfsMIBConformance 1 } | ||||
| iptfsMIBGroups OBJECT IDENTIFIER | The MIB module in this document uses the following IANA-assigned | |||
| ::= { iptfsMIBConformance 2 } | OBJECT IDENTIFIER value, recorded in the SMI Numbers registry: | |||
| iptfsMIBCompliance MODULE-COMPLIANCE | +------------+-------------------------+ | |||
| STATUS current | | Descriptor | OBJECT IDENTIFIER value | | |||
| DESCRIPTION | +------------+-------------------------+ | |||
| "The compliance statement for entities which implement | | iptfs | TBA IANA | | |||
| the IPTFS MIB" | +------------+-------------------------+ | |||
| MODULE -- this module | | ipsec | TBA IANA | | |||
| MANDATORY-GROUPS { | +------------+-------------------------+ | |||
| iptfsMIBConfGroup, | ||||
| ipsecStatsConfGroup, | ||||
| iptfsInnerStatsConfGroup, | ||||
| iptfsOuterStatsConfGroup | ||||
| } | ||||
| ::= { iptfsMIBConformances 1 } | 6. Security Considerations | |||
| -- | The MIB specified in this document can read the operational and | |||
| -- MIB Groups (Units of Conformance) | configured behavior of IP traffic flow security, for the implications | |||
| -- | regarding write configuration consult the [I-D.ietf-ipsecme-iptfs] | |||
| which defines the functionality. | ||||
| iptfsMIBConfGroup OBJECT-GROUP | There are no management objects defined in this MIB module that have | |||
| OBJECTS { | a MAX-ACCESS clause of read-write and/or read-create. So, if this | |||
| congestionControl, | MIB module is implemented correctly, then there is no risk that an | |||
| usePathMtu, | intruder can alter or create any management objects of this MIB | |||
| outerPacketSize , | module via direct SNMP SET operations. | |||
| l2FixedRate , | ||||
| l3FixedRate , | ||||
| dontFragment, | ||||
| maxAggregationTime, | ||||
| windowSize, | ||||
| sendImmediately, | ||||
| lostPktTimerInt | ||||
| } | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "A collection of objects providing per SA IPTFS | ||||
| Configuration." | ||||
| ::= { iptfsMIBGroups 1 } | ||||
| ipsecStatsConfGroup OBJECT-GROUP | Some of the objects in this MIB module may be considered sensitive or | |||
| OBJECTS { | vulnerable in some network environments. This includes INDEX objects | |||
| txPackets, | with a MAX-ACCESS of not-accessible, and any indices from other | |||
| txOctets, | modules exposed via AUGMENTS. It is thus important to control even | |||
| txDropPackets, | GET and/or NOTIFY access to these objects and possibly to even | |||
| rxPackets, | encrypt the values of these objects when sending them over the | |||
| rxOctets, | network via SNMP. These are the tables and objects and their | |||
| rxDropPackets | sensitivity/vulnerability: | |||
| } | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "A collection of objects providing per SA Basic | ||||
| Stats." | ||||
| ::= { iptfsMIBGroups 2 } | ||||
| iptfsInnerStatsConfGroup OBJECT-GROUP | * iptfsOuterStatsTable - IPTFS hides the traffic flows through the | |||
| OBJECTS { | network, anywhere that access to read SNMP statistics is enabled | |||
| txInnerPackets, | needs to be protected from third party observation. | |||
| txInnerOctets, | ||||
| rxInnerPackets, | ||||
| rxInnerOctets, | ||||
| rxIncompleteInnerPackets | ||||
| } | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "A collection of objects providing per SA IPTFS | ||||
| Inner Packet Statistics." | ||||
| ::= { iptfsMIBGroups 3 } | ||||
| iptfsOuterStatsConfGroup OBJECT-GROUP | SNMP versions prior to SNMPv3 did not include adequate security. | |||
| OBJECTS { | Even if the network itself is secure (for example by using IPsec), | |||
| txExtraPadPackets, | there is no control as to who on the secure network is allowed to | |||
| txExtraPadOctets, | access and GET/SET (read/change/create/delete) the objects in this | |||
| txAllPadPackets, | MIB module. | |||
| txAllPadOctets, | ||||
| rxExtraPadPackets, | ||||
| rxExtraPadOctets, | ||||
| rxAllPadPackets, | ||||
| rxAllPadOctets, | ||||
| rxErroredPackets, | ||||
| rxMissedPackets | ||||
| } | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "A collection of objects providing per SA IPTFS | ||||
| Outer Packet Statistics." | ||||
| ::= { iptfsMIBGroups 4 } | ||||
| END | Implementations SHOULD provide the security features described by the | |||
| SNMPv3 framework (see [RFC3410]), and implementations claiming | ||||
| compliance to the SNMPv3 standard MUST include full support for | ||||
| authentication and privacy via the User-based Security Model (USM) | ||||
| [RFC3414] with the AES cipher algorithm [RFC3826]. Implementations | ||||
| MAY also provide support for the Transport Security Model (TSM) | ||||
| [RFC5591] in combination with a secure transport such as SSH | ||||
| [RFC5592] or TLS/DTLS [RFC6353]. | ||||
| 5. Security Considerations | Further, deployment of SNMP versions prior to SNMPv3 is NOT | |||
| RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to | ||||
| enable cryptographic security. It is then a customer/operator | ||||
| responsibility to ensure that the SNMP entity giving access to an | ||||
| instance of this MIB module is properly configured to give access to | ||||
| the objects only to those principals (users) that have legitimate | ||||
| rights to indeed GET or SET (change/create/delete) them. | ||||
| The MIB specified in this document can read the operational and | 7. Acknowledgements | |||
| configured the behavior of IP traffic flow security, for the | ||||
| implications regarding write configuration consult the | ||||
| [I-D.ietf-ipsecme-iptfs] which defines the functionality. | ||||
| 6. Acknowledgements | The authors would like to thank Chris Hopps, Lou Berger and Tero | |||
| Kivinen for their help and feedback on the MIB model. | ||||
| The authors would like to thank Chris Hopps for his help and feedback | 8. References | |||
| on the MIB model. | ||||
| 7. Normative References | 8.1. Normative References | |||
| [I-D.ietf-ipsecme-iptfs] | [I-D.ietf-ipsecme-iptfs] | |||
| Hopps, C., "IP-TFS: Aggregation and Fragmentation Mode for | Hopps, C., "IP-TFS: Aggregation and Fragmentation Mode for | |||
| ESP and its Use for IP Traffic Flow Security", Work in | ESP and its Use for IP Traffic Flow Security", Work in | |||
| Progress, Internet-Draft, draft-ietf-ipsecme-iptfs-12, 8 | Progress, Internet-Draft, draft-ietf-ipsecme-iptfs-12, 8 | |||
| November 2021, <https://www.ietf.org/archive/id/draft- | November 2021, <https://www.ietf.org/archive/id/draft- | |||
| ietf-ipsecme-iptfs-12.txt>. | ietf-ipsecme-iptfs-12.txt>. | |||
| [I-D.ietf-ipsecme-yang-iptfs] | [I-D.ietf-ipsecme-yang-iptfs] | |||
| Fedyk, D. and C. Hopps, "A YANG Data Model for IP Traffic | Fedyk, D. and C. Hopps, "A YANG Data Model for IP Traffic | |||
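Review bot: The sensitivity list in the new Security Considerations names only iptfsOuterStatsTable, but this version keeps the inner-packet counters in iptfsInnerStatsConfGroup (txInnerPackets, txInnerOctets, rxInnerPackets, rxInnerOctets, rxIncompleteInnerPackets). The -01 descriptions define those as inner packet octets without padding, which is the real traffic volume IP-TFS is meant to hide, so the inner statistics table and the basic per-SA counters in ipsecStatsConfGroup should be listed next to iptfsOuterStatsTable. The added SNMPv3 paragraphs also speak of "GET/SET (read/change/create/delete)" although the same section states that no object has a MAX-ACCESS of read-write or read-create; narrowing that wording to read access would match the module. Minor: "inner paccket data" in rxAllPadPackets and "Total number transmitted octets" / "Total number received octets" in txAllPadOctets and rxAllPadOctets carry over from -01 unchanged and can be fixed in the same pass.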
| skipping to change at page 19, line 49 ¶ | skipping to change at page 21, line 28 ¶ | |||
| Schoenwaelder, Ed., "Structure of Management Information | Schoenwaelder, Ed., "Structure of Management Information | |||
| Version 2 (SMIv2)", STD 58, RFC 2578, | Version 2 (SMIv2)", STD 58, RFC 2578, | |||
| DOI 10.17487/RFC2578, April 1999, | DOI 10.17487/RFC2578, April 1999, | |||
| <https://www.rfc-editor.org/info/rfc2578>. | <https://www.rfc-editor.org/info/rfc2578>. | |||
| [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. | [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. | |||
| Schoenwaelder, Ed., "Textual Conventions for SMIv2", | Schoenwaelder, Ed., "Textual Conventions for SMIv2", | |||
| STD 58, RFC 2579, DOI 10.17487/RFC2579, April 1999, | STD 58, RFC 2579, DOI 10.17487/RFC2579, April 1999, | |||
| <https://www.rfc-editor.org/info/rfc2579>. | <https://www.rfc-editor.org/info/rfc2579>. | |||
| [RFC2580] McCloghrie, K., Ed., Perkins, D., Ed., and J. | ||||
| Schoenwaelder, Ed., "Conformance Statements for SMIv2", | ||||
| STD 58, RFC 2580, DOI 10.17487/RFC2580, April 1999, | ||||
| <https://www.rfc-editor.org/info/rfc2580>. | ||||
| [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, | [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, | |||
| "Introduction and Applicability Statements for Internet- | "Introduction and Applicability Statements for Internet- | |||
| Standard Management Framework", RFC 3410, | Standard Management Framework", RFC 3410, | |||
| DOI 10.17487/RFC3410, December 2002, | DOI 10.17487/RFC3410, December 2002, | |||
| <https://www.rfc-editor.org/info/rfc3410>. | <https://www.rfc-editor.org/info/rfc3410>. | |||
| [RFC4301] Kent, S. and K. Seo, "Security Architecture for the | [RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model | |||
| Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, | (USM) for version 3 of the Simple Network Management | |||
| December 2005, <https://www.rfc-editor.org/info/rfc4301>. | Protocol (SNMPv3)", STD 62, RFC 3414, | |||
| DOI 10.17487/RFC3414, December 2002, | ||||
| <https://www.rfc-editor.org/info/rfc3414>. | ||||
| [RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie, "The | ||||
| Advanced Encryption Standard (AES) Cipher Algorithm in the | ||||
| SNMP User-based Security Model", RFC 3826, | ||||
| DOI 10.17487/RFC3826, June 2004, | ||||
| <https://www.rfc-editor.org/info/rfc3826>. | ||||
| [RFC5591] Harrington, D. and W. Hardaker, "Transport Security Model | ||||
| for the Simple Network Management Protocol (SNMP)", | ||||
| STD 78, RFC 5591, DOI 10.17487/RFC5591, June 2009, | ||||
| <https://www.rfc-editor.org/info/rfc5591>. | ||||
| [RFC5592] Harrington, D., Salowey, J., and W. Hardaker, "Secure | ||||
| Shell Transport Model for the Simple Network Management | ||||
| Protocol (SNMP)", RFC 5592, DOI 10.17487/RFC5592, June | ||||
| 2009, <https://www.rfc-editor.org/info/rfc5592>. | ||||
| [RFC6353] Hardaker, W., "Transport Layer Security (TLS) Transport | ||||
| Model for the Simple Network Management Protocol (SNMP)", | ||||
| STD 78, RFC 6353, DOI 10.17487/RFC6353, July 2011, | ||||
| <https://www.rfc-editor.org/info/rfc6353>. | ||||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| 8.2. Informative References | ||||
| [RFC2580] McCloghrie, K., Ed., Perkins, D., Ed., and J. | ||||
| Schoenwaelder, Ed., "Conformance Statements for SMIv2", | ||||
| STD 58, RFC 2580, DOI 10.17487/RFC2580, April 1999, | ||||
| <https://www.rfc-editor.org/info/rfc2580>. | ||||
| [RFC4301] Kent, S. and K. Seo, "Security Architecture for the | ||||
| Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, | ||||
| December 2005, <https://www.rfc-editor.org/info/rfc4301>. | ||||
| [RFC5348] Floyd, S., Handley, M., Padhye, J., and J. Widmer, "TCP | ||||
| Friendly Rate Control (TFRC): Protocol Specification", | ||||
| RFC 5348, DOI 10.17487/RFC5348, September 2008, | ||||
| <https://www.rfc-editor.org/info/rfc5348>. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Don Fedyk | Don Fedyk | |||
| LabN Consulting, L.L.C. | LabN Consulting, L.L.C. | |||
| Email: dfedyk@labn.net | Email: dfedyk@labn.net | |||
| Eric Kinzie | Eric Kinzie | |||
| LabN Consulting, L.L.C. | LabN Consulting, L.L.C. | |||
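Review bot: [RFC2580] moves from the normative list to the new section 8.2 Informative References, yet the module in this version still uses the MODULE-COMPLIANCE and OBJECT-GROUP macros that RFC 2580 defines (iptfsMIBCompliance, iptfsMIBConfGroup, ipsecStatsConfGroup, iptfsInnerStatsConfGroup, iptfsOuterStatsConfGroup), so a reader needs it to interpret the MIB and it should stay normative. [RFC5348] is added as informative; confirm the body text cites it, since no citation appears in the sections shown here.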
| End of changes. 96 change blocks. | ||||
| 580 lines changed or deleted | 681 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||