idnits 2.17.1

draft-an-savi-mib-15.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** There are 8 instances of too long lines in the document, the longest one
     being 35 characters in excess of 72.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 445 has weird spacing: '...n entry conta...'

  == Line 689 has weird spacing: '... of the bindi...'

  == Line 806 has weird spacing: '... of the filte...'

  == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but
     does not include the phrase in its RFC 2119 key words list.

  -- The document date (July 18, 2018) is 2101 days in the past.  Is this
     intentional?
  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: 'RFC2131' is defined on line 1056, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC3315' is defined on line 1076, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC2223' is defined on line 1109, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC2629' is defined on line 1113, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC4181' is defined on line 1127, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 3315 (Obsoleted by RFC 8415)

  ** Downref: Normative reference to an Informational RFC: RFC 7039

  -- Obsolete informational reference (is this intentional?): RFC 2223
     (Obsoleted by RFC 7322)

  -- Obsolete informational reference (is this intentional?): RFC 2629
     (Obsoleted by RFC 7749)

     Summary: 3 errors (**), 0 flaws (~~), 10 warnings (==), 3 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

SAVI                                                               C. An
Internet-Draft                                                    J. Yang
Intended status: Standards Track                                    J. Wu
Expires: January 19, 2019                                           J. Bi
                                                      Tsinghua University
                                                            July 18, 2018

             Definition of Managed Objects for SAVI Protocol
                          draft-an-savi-mib-15

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it defines objects for managing a SAVI (Source Address
   Validation Improvements) protocol instance.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 19, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  The Internet-Standard Management Framework
   3.  Conventions
   4.  Overview
   5.  Structure of the MIB Module
     5.1.  The SAVI System Table
     5.2.  The SAVI Port Table
     5.3.  The SAVI Binding Table
     5.4.  The SAVI Filtering Table
     5.5.  The SAVI Counting Table
   6.
       Textual Conventions
   7.  Relationship to Other MIB Modules
     7.1.  Relationship to the INET-ADDRESS-MIB
     7.2.  Relationship to the IF-MIB
     7.3.  MIB modules required for IMPORTS
   8.  Definitions
   9.  Security Considerations
   10. IANA Considerations
   11. Contributors
   12. References
     12.1.  Normative References
     12.2.  Informative References
     12.3.  URL References
   Appendix A.  Change Log
   Appendix B.  Open Issues
   Authors' Addresses

1.  Introduction

   The Source Address Validation Improvement (SAVI) protocol was
   developed to complement ingress filtering with finer-grained,
   standardized IP source address validation (see [RFC7039]).  A SAVI
   protocol instance is located on the path of hosts' packets,
   enforcing the hosts' use of legitimate IP source addresses.

   A SAVI instance decides whether a host legitimately obtained an IP
   address by observing the address assignment procedure in use on the
   link.  For links using Stateless Address Autoconfiguration (SLAAC),
   the Dynamic Host Configuration Protocol (DHCP), and Secure Neighbor
   Discovery (SEND), the procedures are defined in separate SAVI
   Working Group documents ([RFC6620], [RFC7513], and [RFC7219]
   respectively).

   This document defines a MIB module that can be used to manage a
   SAVI protocol instance.
   It covers both the configuration and the status monitoring aspects
   of SAVI implementations.

   This document uses terminology from the SAVI Protocol specification.

2.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

3.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

4.  Overview

   The SAVI Protocol MIB module (SAVI-MIB) conforms to the SAVI
   protocol and is designed to:

   o  Support centralized management and monitoring of a SAVI protocol
      instance through standard SNMP.

   o  Support configuration and querying of SAVI protocol parameters.

   o  Support configuration and querying of binding entries.  Operators
      may insert and delete manual binding entries.

   o  Support querying of filtering entries.

   o  Support querying, per interface, of the count of packets dropped
      because of validation failure.

   Based on the SAVI protocol, the attributes and objects of a SAVI
   protocol instance can be classified into five categories:

   o  System attributes.  These attributes correspond to a SAVI protocol
      instance as a whole, such as the IP address assignment methods in
      use and some constants.

   o  Anchor attributes.
      These attributes correspond to a SAVI binding anchor.  The
      binding anchor is defined in [RFC7039].

   o  Binding Status Table.  This table contains the state of the
      binding between a source address and a binding anchor (refer to
      [RFC6620], [RFC7513], [RFC7219]).

   o  Filtering Table.  This table contains the bindings between binding
      anchor and address that are used to filter packets (refer to
      [RFC6620], [RFC7513], [RFC7219]).

   o  Counting Table.  This table contains, for each interface, the
      count of packets that failed validation.

   A table is designed for each category of objects.

5.  Structure of the MIB Module

   This section presents the structure of the SAVI-MIB module.  The MIB
   objects are derived from the SAVI protocol specification.

   This MIB is composed of a series of tables meant to form the base for
   managing SAVI entities.  The following subsections describe all
   tables in the SAVI MIB module.

5.1.  The SAVI System Table

   The SAVI System Table (saviObjectsSystemTable) contains the objects
   corresponding to SAVI system-wide parameters.  It supports the
   configuration and collection of SAVI system-wide parameters.

   There is an entry for each combination of IP version (IPv4 or IPv6)
   and IP address assignment method.  The table is indexed by:

   o  saviObjectsSystemIPVersion - The IP version.  The textual
      convention InetVersion defined in RFC 4001 is used to represent
      the different versions of the IP protocol.

   o  saviObjectsSystemMethod - IP address assignment method:
      manual(1), slaac(2), dhcp(3), send(4).

   It contains the following objects:

   o  saviObjectsSystemMethodName - Name of the IP address assignment
      method.

   o  saviObjectsSystemMethodEnable - Whether the method is enabled.

   o  saviObjectsSystemMethodPreference - Preference of the method.

   saviObjectsSystemMethodEnable and saviObjectsSystemMethodPreference
   have a MAX-ACCESS of read-write, so network operators can configure
   them with SET operations; saviObjectsSystemMethodName is read-only.

5.2.
       The SAVI Port Table

   The SAVI Port Table (saviObjectsPortTable) contains the objects
   corresponding to the SAVI running parameters of each anchor.  It
   supports the configuration and collection of the SAVI parameters of
   each anchor.

   There is an entry for each combination of IP version (IPv4 or IPv6)
   and interface (binding anchor).  The table is indexed by:

   o  saviObjectsPortIPVersion - The IP version.

   o  saviObjectsPortIfIndex - The index value that uniquely identifies
      the interface to which this entry is applicable.

   It contains the following objects, each of which mirrors one of the
   per-port attributes defined in the SAVI protocol (refer to
   Section 4.1 of [RFC7513]):

   o  saviObjectsPortValidatingAttr - The SAVI-Validation attribute.
      When set, packets received on the anchor are validated against
      the Filtering Table.

   o  saviObjectsPortDhcpTrustAttr - The SAVI-DHCP-Trust attribute.
      When set, DHCP server messages received on the anchor are
      trusted.

   o  saviObjectsPortTrustAttr - The SAVI-Trust attribute.  When set,
      all packets received on the anchor are trusted without
      validation, for example on a link to another SAVI device.

   o  saviObjectsPortDhcpSnoopingAttr - The SAVI-DHCP-Snooping
      attribute.  When set, DHCP messages on the anchor are snooped to
      set up bindings.

   o  saviObjectsPortDataSnoopingAttr - The SAVI-Data-Snooping
      attribute.  When set, data packets with unbound source addresses
      trigger the data-snooping process.

   o  saviObjectsPortFilteringNum - The maximum number of filtering
      entries for the port.

   The MAX-ACCESS of these objects is read-write.  Network operators may
   configure them with SET operations.

5.3.  The SAVI Binding Table

   The SAVI Binding Table (saviObjectsBindingTable) contains the objects
   corresponding to the Binding State Table (BST) defined in the SAVI
   protocol.  It contains the binding parameters and state of each
   binding entry.  It supports the collection of binding entries, and
   an entry can be inserted or deleted if it is a manual binding entry.

   The table is indexed by:

   o  saviObjectsBindingIpAddressType - IP address type.  The textual
      convention InetAddressType defined in RFC 4001 is used to
      represent the different kinds of IP address.

   o  saviObjectsBindingMethod - The IP address assignment method that
      was used to create the binding entry: manual(1), slaac(2),
      dhcp(3), send(4).
   o  saviObjectsBindingIfIndex - The index value that uniquely
      identifies the interface to which this entry is applicable.

   o  saviObjectsBindingIpAddress - The binding source IP address.  The
      textual convention InetAddress defined in RFC 4001 is used to
      define this object.

   The SAVI Binding Table contains the following objects:

   o  saviObjectsBindingMacAddr - The binding source MAC address.

   o  saviObjectsBindingLifetime - The remaining lifetime of the entry.

   o  saviObjectsBindingCreationtime - The value of the local clock when
      the entry was first created.

   o  saviObjectsBindingRowStatus - The status of this row, by which new
      entries may be created or old entries deleted from this table.
      As defined in RFC 2579, the RowStatus textual convention is used
      to manage the creation and deletion of conceptual rows.  For the
      SAVI Binding Table, an entry can be created or deleted only when
      saviObjectsBindingMethod = manual(1); rows learned by SLAAC, DHCP
      or SEND snooping are maintained by the SAVI instance itself and
      cannot be created or destroyed through SNMP.

   The MAX-ACCESS of these objects is read-create.  Network operators
   may create or delete an entry by setting these objects.

5.4.  The SAVI Filtering Table

   The SAVI Filtering Table (saviObjectsFilteringTable) contains the
   objects corresponding to the Filtering Table (FT) defined in the
   SAVI protocol.  It supports the collection of filtering entries.

   The table is indexed by:

   o  saviObjectsFilteringIpAddressType - IP address type.

   o  saviObjectsFilteringIfIndex - The index value that uniquely
      identifies the interface to which this entry is applicable.

   o  saviObjectsFilteringIpAddress - The source IP address.

   It contains the following object:

   o  saviObjectsFilteringMacAddr - The source MAC address.

   The MAX-ACCESS of this object is read-only.

5.5.  The SAVI Counting Table

   The SAVI Counting Table (saviObjectsCountTable) contains the objects
   counting, per interface, the packets dropped because of validation
   failure.
   The table is indexed by:

   o  saviObjectsCountIPVersion - IP version.

   o  saviObjectsCountIfIndex - The index value that uniquely identifies
      the interface to which this entry is applicable.

   It contains the following objects:

   o  saviObjectsCountFilterPkts - The count of packets dropped because
      of validation failure.

   o  saviObjectsCountFilterOctets - The count of octets dropped because
      of validation failure.

   Both objects are Counter64 values and their MAX-ACCESS is read-only.
   As with any counter, only the difference between two successive
   readings is meaningful.

6.  Textual Conventions

   The textual conventions and macros used in the SAVI-MIB are as
   follows.

   The MODULE-COMPLIANCE and OBJECT-GROUP macros are imported from
   SNMPv2-CONF [RFC2580].  The MODULE-IDENTITY, OBJECT-IDENTITY and
   OBJECT-TYPE macros and the Unsigned32 and Counter64 types are
   imported from SNMPv2-SMI [RFC2578].

   The DisplayString, MacAddress, TimeInterval, DateAndTime and
   RowStatus textual conventions are imported from SNMPv2-TC [RFC2579].

   The InetVersion, InetAddressType and InetAddress textual conventions
   are imported from INET-ADDRESS-MIB [RFC4001].

   The InterfaceIndex textual convention is imported from IF-MIB
   [RFC2863].

   The ip object identifier (the root of the IP-MIB subtree under which
   saviMIB is registered) is imported from IP-MIB [RFC4293].

7.  Relationship to Other MIB Modules

7.1.  Relationship to the INET-ADDRESS-MIB

   To support extensibility, the IETF defined in RFC 4001 textual
   conventions that represent the different IP protocol versions and
   the different kinds of IP address in a uniform way.  To distinguish
   IP versions, the textual convention InetVersion is defined.  To
   represent addresses, a generic Internet address is defined that
   consists of two objects: the first has the syntax InetAddressType,
   and the second has the syntax InetAddress.  The value of the first
   object determines how the value of the second is encoded.
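   The InetAddressType/InetAddress pair above, together with the
   method and ifIndex, forms the instance identifier of every
   saviObjectsBindingTable row, and the manual-only rule on
   saviObjectsBindingRowStatus is what an agent has to enforce when a
   manager tries to create or destroy a row.  The following Python is
   an added illustration written for this page, not code from the draft
   or from any SAVI implementation.  Because the draft registers the
   module as "{ ip xxx }", the arc 999 under ip is a placeholder
   assumption; everything else follows RFC 2578 Section 7.7 (index
   encoding), RFC 2579 (RowStatus, TimeInterval) and the draft's own
   column numbers.

```python
"""SAVI-MIB Binding Table: instance-identifier encoding, a manual-binding
SET, and the agent-side RowStatus rule.  Added example, not from the draft."""
import ipaddress
from typing import List, Optional, Tuple

OID = Tuple[int, ...]

# InetAddressType values from INET-ADDRESS-MIB (RFC 4001).
INET_IPV4, INET_IPV6 = 1, 2
# saviObjectsBindingMethod enumeration from the draft.
METHOD_MANUAL, METHOD_SLAAC, METHOD_DHCP, METHOD_SEND = 1, 2, 3, 4
# RowStatus values from SNMPv2-TC (RFC 2579).
RS_ACTIVE, RS_CREATE_AND_GO, RS_DESTROY = 1, 4, 6
# TimeInterval value the draft reserves for "never expires" on manual rows.
LIFETIME_INFINITE = 2147483647

# The draft leaves its arc as "{ ip xxx }"; 999 under ip (1.3.6.1.2.1.4)
# is a placeholder ASSUMPTION so that the OIDs below are concrete.
SAVI_MIB: OID = (1, 3, 6, 1, 2, 1, 4, 999)
# saviObjects(1).saviObjectsBindingTable(3).saviObjectsBindingEntry(1)
BINDING_ENTRY: OID = SAVI_MIB + (1, 3, 1)
COL_MAC: OID = BINDING_ENTRY + (5,)        # saviObjectsBindingMacAddr
COL_LIFETIME: OID = BINDING_ENTRY + (6,)   # saviObjectsBindingLifetime
COL_ROWSTATUS: OID = BINDING_ENTRY + (8,)  # saviObjectsBindingRowStatus


def binding_index(addr: str, method: int, if_index: int) -> OID:
    """Instance identifier of a saviObjectsBindingEntry row.  Per the INDEX
    clause {IpAddressType, Method, IfIndex, IpAddress} and RFC 2578 s7.7,
    each INTEGER index is one sub-identifier and the variable-length
    InetAddress is its octet count followed by one sub-identifier per octet."""
    ip = ipaddress.ip_address(addr)
    atype = INET_IPV4 if ip.version == 4 else INET_IPV6
    return (atype, method, if_index, len(ip.packed)) + tuple(ip.packed)


def parse_binding_index(suffix: OID) -> Tuple[str, int, int]:
    """Inverse of binding_index.  A manager should not trust an agent's
    OIDs blindly: length and address type are checked for consistency."""
    if len(suffix) < 4:
        raise ValueError("index too short")
    atype, method, if_index, n = suffix[:4]
    octets = bytes(suffix[4:])  # raises ValueError on sub-ids > 255
    if len(octets) != n or (atype, n) not in ((INET_IPV4, 4), (INET_IPV6, 16)):
        raise ValueError("malformed InetAddress index")
    return str(ipaddress.ip_address(octets)), method, if_index


def manual_binding_set(addr: str, if_index: int, mac: str,
                       lifetime: int = LIFETIME_INFINITE) -> List[Tuple[OID, object]]:
    """Varbinds for one SET PDU that creates a manual binding row with
    RowStatus createAndGo(4).  Sending all columns in a single PDU lets the
    agent create the row whole or reject it whole (RFC 2579 RowStatus)."""
    idx = binding_index(addr, METHOD_MANUAL, if_index)
    mac_octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_octets) != 6:
        raise ValueError("MacAddress must be 6 octets")
    return [
        (COL_MAC + idx, mac_octets),
        (COL_LIFETIME + idx, lifetime),
        (COL_ROWSTATUS + idx, RS_CREATE_AND_GO),
    ]


def agent_check_rowstatus_set(suffix: OID, new_status: int) -> str:
    """Agent-side rule from the draft: rows may be created or destroyed only
    when saviObjectsBindingMethod = manual(1).  Returns the SNMP error-status
    name to answer with; inconsistentValue is one defensible choice for a
    RowStatus transition the row's index forbids (assumption, not mandated)."""
    _, method, _ = parse_binding_index(suffix)
    if new_status in (RS_CREATE_AND_GO, RS_DESTROY) and method != METHOD_MANUAL:
        return "inconsistentValue"
    return "noError"


def lifetime_seconds(ticks: int, method: int) -> Optional[float]:
    """TimeInterval is in 0.01 s units; on manual rows 2147483647 means no
    expiry, which is reported as None."""
    if method == METHOD_MANUAL and ticks == LIFETIME_INFINITE:
        return None
    return ticks / 100.0


if __name__ == "__main__":
    for oid, value in manual_binding_set("192.0.2.10", 7, "00:11:22:33:44:55"):
        print(".".join(map(str, oid)), "=", value)
```

   The varbind list is what a manager would hand to its SNMP library
   for the SET; the index functions are equally useful when walking the
   table, since the address, method and anchor live only in the OID
   suffix and never in a readable column.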
   Because the SAVI running mode and parameters are configured
   independently for IPv4 and IPv6, separate OID instances are defined
   for each IP version.  Where an IP address is part of the index of
   the binding and filtering tables, it is defined using the textual
   conventions described in INET-ADDRESS-MIB.

7.2.  Relationship to the IF-MIB

   The Interfaces MIB [RFC2863] defines generic managed objects for
   managing interfaces.  This document contains the interface-specific
   extensions for managing SAVI anchors that are modeled as interfaces.

   The IF-MIB module is required to be supported on the SAVI device.
   The interface MUST be modeled as an ifEntry, and ifEntry objects such
   as ifIndex are to be used as per [RFC2863].

   An ifIndex [RFC2863] is used as the common interface index
   throughout the SAVI-MIB module.

7.3.  MIB modules required for IMPORTS

   The SAVI MIB module IMPORTS objects from SNMPv2-SMI [RFC2578],
   SNMPv2-TC [RFC2579], SNMPv2-CONF [RFC2580], IF-MIB [RFC2863],
   INET-ADDRESS-MIB [RFC4001] and IP-MIB [RFC4293].

8.
    Definitions

   SAVI-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-COMPLIANCE, OBJECT-GROUP
           FROM SNMPv2-CONF                                -- RFC 2580
       MODULE-IDENTITY, OBJECT-IDENTITY, OBJECT-TYPE,
       Unsigned32, Counter64
           FROM SNMPv2-SMI                                 -- RFC 2578
       DisplayString, MacAddress, TimeInterval, DateAndTime, RowStatus
           FROM SNMPv2-TC                                  -- RFC 2579
       InterfaceIndex
           FROM IF-MIB                                     -- RFC 2863
       InetVersion, InetAddressType, InetAddress
           FROM INET-ADDRESS-MIB                           -- RFC 4001
       ip
           FROM IP-MIB                                     -- RFC 4293
       ;

   saviMIB MODULE-IDENTITY
       LAST-UPDATED "201807180000Z"
       ORGANIZATION
           "IETF SAVI Working Group"
       CONTACT-INFO
           "WG charter:
              http://datatracker.ietf.org/wg/savi/charter/

            Editor:
              Changqing An
              CERNET
              Postal: Institute for Network Sciences and Cyberspace,
                      Tsinghua University
                      Beijing 100084
                      China
              Email:  acq@tsinghua.edu.cn
           "
       DESCRIPTION
           "This MIB module is designed to support configuration
            and monitoring of the SAVI protocol.
           "
       REVISION "201807180000Z"
       DESCRIPTION
           "Initial version"
       ::= { ip xxx }

   saviObjects OBJECT IDENTIFIER ::= { saviMIB 1 }

   -- System parameters for SAVI protocol

   saviObjectsSystemTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SaviObjectsSystemEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The table containing SAVI system-wide parameters."
       ::= { saviObjects 1 }

   saviObjectsSystemEntry OBJECT-TYPE
       SYNTAX      SaviObjectsSystemEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry containing SAVI system-wide parameters for a
            particular IP version and address assignment method.
           "
       INDEX { saviObjectsSystemIPVersion, saviObjectsSystemMethod }
       ::= { saviObjectsSystemTable 1 }

   SaviObjectsSystemEntry ::=
       SEQUENCE {
           saviObjectsSystemIPVersion         InetVersion,
           saviObjectsSystemMethod            INTEGER,
           saviObjectsSystemMethodName        DisplayString,
           saviObjectsSystemMethodEnable      INTEGER,
           saviObjectsSystemMethodPreference  Unsigned32
       }

   saviObjectsSystemIPVersion OBJECT-TYPE
       SYNTAX      InetVersion
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The IP version."
       ::= { saviObjectsSystemEntry 1 }

   saviObjectsSystemMethod OBJECT-TYPE
       SYNTAX      INTEGER {
                       manual(1),
                       slaac(2),
                       dhcp(3),
                       send(4)
                   }
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The IP address assignment method."
       ::= { saviObjectsSystemEntry 2 }

   saviObjectsSystemMethodName OBJECT-TYPE
       SYNTAX      DisplayString (SIZE (0..255))
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Name of the IP address assignment method."
       ::= { saviObjectsSystemEntry 3 }

   saviObjectsSystemMethodEnable OBJECT-TYPE
       SYNTAX      INTEGER {
                       enable(1),
                       disable(2)
                   }
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "Whether the method is enabled."
       ::= { saviObjectsSystemEntry 4 }

   saviObjectsSystemMethodPreference OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "Preference of the method."
       ::= { saviObjectsSystemEntry 5 }

   -- Port parameters for SAVI protocol

   saviObjectsPortTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SaviObjectsPortEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The table containing the SAVI parameters of each anchor."
       ::= { saviObjects 2 }

   saviObjectsPortEntry OBJECT-TYPE
       SYNTAX      SaviObjectsPortEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry containing the SAVI running parameters of an anchor."
       INDEX {
           saviObjectsPortIPVersion,
           saviObjectsPortIfIndex
       }
       ::= { saviObjectsPortTable 1 }

   SaviObjectsPortEntry ::=
       SEQUENCE {
           saviObjectsPortIPVersion          InetVersion,
           saviObjectsPortIfIndex            InterfaceIndex,
           saviObjectsPortValidatingAttr     INTEGER,
           saviObjectsPortDhcpTrustAttr      INTEGER,
           saviObjectsPortTrustAttr          INTEGER,
           saviObjectsPortDhcpSnoopingAttr   INTEGER,
           saviObjectsPortDataSnoopingAttr   INTEGER,
           saviObjectsPortFilteringNum       Unsigned32
       }

   saviObjectsPortIPVersion OBJECT-TYPE
       SYNTAX      InetVersion
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The IP version."
       ::= { saviObjectsPortEntry 1 }

   saviObjectsPortIfIndex OBJECT-TYPE
       SYNTAX      InterfaceIndex
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The index value that uniquely identifies the interface to
            which this entry is applicable.  The interface identified by
            a particular value of this index is the same interface as
            identified by the same value of the IF-MIB's ifIndex.
           "
       ::= { saviObjectsPortEntry 2 }

   saviObjectsPortValidatingAttr OBJECT-TYPE
       SYNTAX      INTEGER {
                       enable(1),
                       disable(2)
                   }
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The SAVI-Validation attribute defined in the SAVI protocol.
            enable(1), the attribute is set.
            disable(2), the attribute is not set.
           "
       ::= { saviObjectsPortEntry 3 }

   saviObjectsPortDhcpTrustAttr OBJECT-TYPE
       SYNTAX      INTEGER {
                       enable(1),
                       disable(2)
                   }
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The SAVI-DHCP-Trust attribute defined in the SAVI protocol.
            enable(1), the attribute is set.
            disable(2), the attribute is not set.
           "
       ::= { saviObjectsPortEntry 4 }

   saviObjectsPortTrustAttr OBJECT-TYPE
       SYNTAX      INTEGER {
                       enable(1),
                       disable(2)
                   }
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The SAVI-Trust attribute defined in the SAVI protocol.
            enable(1), the attribute is set.
            disable(2), the attribute is not set.
           "
       ::= { saviObjectsPortEntry 5 }

   saviObjectsPortDhcpSnoopingAttr OBJECT-TYPE
       SYNTAX      INTEGER {
                       enable(1),
                       disable(2)
                   }
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The SAVI-DHCP-Snooping attribute defined in the SAVI protocol.
            enable(1), the attribute is set.
            disable(2), the attribute is not set.
           "
       ::= { saviObjectsPortEntry 6 }

   saviObjectsPortDataSnoopingAttr OBJECT-TYPE
       SYNTAX      INTEGER {
                       enable(1),
                       disable(2)
                   }
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The SAVI-Data-Snooping attribute defined in the SAVI protocol.
            enable(1), the attribute is set.
            disable(2), the attribute is not set.
           "
       ::= { saviObjectsPortEntry 7 }

   saviObjectsPortFilteringNum OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The maximum number of filtering entries for the port."
       ::= { saviObjectsPortEntry 8 }

   -- Binding Status Table for SAVI protocol

   saviObjectsBindingTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SaviObjectsBindingEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The table containing the state of the binding
            between source address and anchor.
           "
       ::= { saviObjects 3 }

   saviObjectsBindingEntry OBJECT-TYPE
       SYNTAX      SaviObjectsBindingEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry containing the state of the binding between a
            source address and an anchor.
            Entries are keyed on the source IP address type,
            binding method, anchor, and source IP address.
           "
       INDEX {
           saviObjectsBindingIpAddressType,
           saviObjectsBindingMethod,
           saviObjectsBindingIfIndex,
           saviObjectsBindingIpAddress
       }
       ::= { saviObjectsBindingTable 1 }

   SaviObjectsBindingEntry ::=
       SEQUENCE {
           saviObjectsBindingIpAddressType   InetAddressType,
           saviObjectsBindingMethod          INTEGER,
           saviObjectsBindingIfIndex         InterfaceIndex,
           saviObjectsBindingIpAddress       InetAddress,
           saviObjectsBindingMacAddr         MacAddress,
           saviObjectsBindingLifetime        TimeInterval,
           saviObjectsBindingCreationtime    DateAndTime,
           saviObjectsBindingRowStatus       RowStatus
       }

   saviObjectsBindingIpAddressType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "IP address type of the binding source IP address."
       ::= { saviObjectsBindingEntry 1 }

   saviObjectsBindingMethod OBJECT-TYPE
       SYNTAX      INTEGER {
                       manual(1),
                       slaac(2),
                       dhcp(3),
                       send(4)
                   }
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The IP address assignment method that created the binding."
       ::= { saviObjectsBindingEntry 2 }

   saviObjectsBindingIfIndex OBJECT-TYPE
       SYNTAX      InterfaceIndex
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The index value that uniquely identifies the interface to
            which this entry is applicable.  The interface identified by
            a particular value of this index is the same interface as
            identified by the same value of the IF-MIB's ifIndex.
           "
       ::= { saviObjectsBindingEntry 3 }

   saviObjectsBindingIpAddress OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The binding source IP address."
       ::= { saviObjectsBindingEntry 4 }

   saviObjectsBindingMacAddr OBJECT-TYPE
       SYNTAX      MacAddress
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The binding source MAC address."
       ::= { saviObjectsBindingEntry 5 }

   saviObjectsBindingLifetime OBJECT-TYPE
       SYNTAX      TimeInterval
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The remaining lifetime of the entry.
            TimeInterval is defined in RFC 2579; it is a period of time
            measured in units of 0.01 seconds, with a value in the
            range (0..2147483647).
            If saviObjectsBindingMethod = manual, a value of 2147483647
            represents infinity.
           "
       ::= { saviObjectsBindingEntry 6 }

   saviObjectsBindingCreationtime OBJECT-TYPE
       SYNTAX      DateAndTime
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The value of the local clock when the entry was first
            created.
           "
       ::= { saviObjectsBindingEntry 7 }

   saviObjectsBindingRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The status of this row, by which new entries may be
            created, or old entries deleted from this table.
            An entry can be created or deleted only when
            saviObjectsBindingMethod = manual.
           "
       ::= { saviObjectsBindingEntry 8 }

   -- Filtering Table for SAVI protocol

   saviObjectsFilteringTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SaviObjectsFilteringEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The table containing the filtering entries."
       ::= { saviObjects 4 }

   saviObjectsFilteringEntry OBJECT-TYPE
       SYNTAX      SaviObjectsFilteringEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry containing the filtering parameters.
            Entries are keyed on the source IP address type,
            anchor, and source IP address.
           "
       INDEX {
           saviObjectsFilteringIpAddressType,
           saviObjectsFilteringIfIndex,
           saviObjectsFilteringIpAddress
       }
       ::= { saviObjectsFilteringTable 1 }

   SaviObjectsFilteringEntry ::=
       SEQUENCE {
           saviObjectsFilteringIpAddressType   InetAddressType,
           saviObjectsFilteringIfIndex         InterfaceIndex,
           saviObjectsFilteringIpAddress       InetAddress,
           saviObjectsFilteringMacAddr         MacAddress
       }

   saviObjectsFilteringIpAddressType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "IP address type of the filtering source IP address."
       ::= { saviObjectsFilteringEntry 1 }

   saviObjectsFilteringIfIndex OBJECT-TYPE
       SYNTAX      InterfaceIndex
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The index value that uniquely identifies the interface to
            which this entry is applicable.  The interface identified by
            a particular value of this index is the same interface as
            identified by the same value of the IF-MIB's ifIndex.
           "
       ::= { saviObjectsFilteringEntry 2 }

   saviObjectsFilteringIpAddress OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The filtering source IP address."
       ::= { saviObjectsFilteringEntry 3 }

   saviObjectsFilteringMacAddr OBJECT-TYPE
       SYNTAX      MacAddress
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The filtering source MAC address."
       ::= { saviObjectsFilteringEntry 4 }

   -- Count of packets dropped because of validation failure, per
   -- interface.

   saviObjectsCountTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SaviObjectsCountEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The table containing the count of packets dropped because
            of validation failure."
       ::= { saviObjects 5 }

   saviObjectsCountEntry OBJECT-TYPE
       SYNTAX      SaviObjectsCountEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry containing the count of packets dropped because of
            validation failure on one interface."
       INDEX {
           saviObjectsCountIPVersion,
           saviObjectsCountIfIndex
       }
       ::= { saviObjectsCountTable 1 }

   SaviObjectsCountEntry ::=
       SEQUENCE {
           saviObjectsCountIPVersion      InetVersion,
           saviObjectsCountIfIndex        InterfaceIndex,
           saviObjectsCountFilterPkts     Counter64,
           saviObjectsCountFilterOctets   Counter64
       }

   saviObjectsCountIPVersion OBJECT-TYPE
       SYNTAX      InetVersion
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The IP version."
       ::= { saviObjectsCountEntry 1 }

   saviObjectsCountIfIndex OBJECT-TYPE
       SYNTAX      InterfaceIndex
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The index value that uniquely identifies the interface to
            which this entry is applicable.  The interface identified by
            a particular value of this index is the same interface as
            identified by the same value of the IF-MIB's ifIndex.
           "
       ::= { saviObjectsCountEntry 2 }

   saviObjectsCountFilterPkts OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The count of packets dropped because of validation failure."
       ::= { saviObjectsCountEntry 3 }

   saviObjectsCountFilterOctets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The count of octets dropped because of validation failure."
       ::= { saviObjectsCountEntry 4 }

   -- Conformance information

   saviConformance OBJECT IDENTIFIER ::= { saviMIB 2 }
   saviCompliances OBJECT IDENTIFIER ::= { saviConformance 1 }

   -- Compliance statements

   saviCompliance MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
           "The compliance statement for entities which implement the
            SAVI protocol.
908 " 909 MODULE 910 MANDATORY-GROUPS { 911 systemGroup, 912 portGroup, 913 bindingGroup, 914 filteringGroup 915 } 916 ::= { saviCompliances 1} 918 saviGroups OBJECT IDENTIFIER ::= { saviConformance 2 } 920 --Units of conformance 922 systemGroup OBJECT-GROUP 923 OBJECTS { 924 saviObjectsSystemMethod, 925 saviObjectsSystemMethodName, 926 saviObjectsSystemMethodEnable, 927 saviObjectsSystemMethodPreference 928 } 929 STATUS current 930 DESCRIPTION 931 "The system group contains objects corrsponding to savi system 932 parameters. 933 " 934 ::= {saviGroups 1} 936 portGroup OBJECT-GROUP 937 OBJECTS { 938 saviObjectsPortValidatingAttr, 939 saviObjectsPortDhcpTrustAttr, 940 saviObjectsPortTrustAttr, 941 saviObjectsPortDhcpSnoopingAttr, 942 saviObjectsPortDataSnoopingAttr, 943 saviObjectsPortFilteringNum 944 } 945 STATUS current 946 DESCRIPTION 947 "The if group contains objects corresponding to the savi running 948 parameters of each anchor. 949 " 950 ::= {saviGroups 2} 952 bindingGroup OBJECT-GROUP 953 OBJECTS { 954 saviObjectsBindingMacAddr, 955 saviObjectsBindingLifetime, 956 saviObjectsBindingCreationtime, 957 saviObjectsBindingRowStatus 958 } 959 STATUS current 960 DESCRIPTION 961 "The binding group contains the binding 962 information of anchor and soure ip address. 963 " 964 ::= {saviGroups 3} 966 filteringGroup OBJECT-GROUP 967 OBJECTS { 968 saviObjectsFilteringMacAddr 969 } 970 STATUS current 971 DESCRIPTION 972 "The filtering group contains the filtering 973 information of anchor and soure ip address. 974 " 975 ::= {saviGroups 4} 977 END 978 9. Security Considerations 980 There are a number of management objects defined in this MIB module 981 with a MAX-ACCESS clause of read-write and/or read-create. Such 982 objects may be considered sensitive or vulnerable in some network 983 environments. The support for SET operations in a non-secure 984 environment without proper protection can have a negative effect on 985 network operations. 
   These are the tables and objects and their sensitivity/vulnerability:

   o  saviObjectsSystemTable - Unauthorized changes to the writable
      objects under saviObjectsSystemTable MAY disrupt allocation of
      resources in the network.  For example, a SET operation that
      changes a device's SAVI system mode to SAVI-DISABLE opens the
      device to IP source address spoofing.

   o  saviObjectsPortTable - Unauthorized changes to the writable
      objects under saviObjectsPortTable MAY disrupt allocation of
      resources in the network.  For example, a SET operation that
      changes an anchor's ValidatingAttr to DISABLE opens that anchor to
      IP source address spoofing.

   o  saviObjectsBindingTable - Unauthorized changes to the writable
      objects under this table MAY disrupt allocation of resources in
      the network.  For example, a manual binding entry inserted into
      the BST opens the way to IP source address spoofing.

   Some of the readable objects in this MIB module (i.e., objects with a
   MAX-ACCESS other than not-accessible) may be considered sensitive or
   vulnerable in some network environments.  It is thus important to
   control even GET and/or NOTIFY access to these objects and possibly
   to even encrypt the values of these objects when sending them over
   the network via SNMP.  These are the tables and objects and their
   sensitivity/vulnerability:

   o  saviObjectsBindingTable, saviObjectsFilteringTable - The IP
      address and binding anchor information in these tables may assist
      some attacks.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPsec),
   there is no control as to who on the secure network is allowed to
   access and GET/SET (read/change/create/delete) the objects in this
   MIB module.
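   An operator who polls the saviObjectsFilteringTable and
   saviObjectsCountTable defined above receives each row only as an OID
   instance suffix, which must be decoded per the SMIv2 INDEX encoding
   rules (InetAddressType and InterfaceIndex as one sub-identifier each,
   the variable-length InetAddress as a length sub-identifier followed
   by its octets).  The following Python example is added here and is
   not part of this draft: it decodes and encodes the filtering-table
   index for IPv4 and IPv6 rows, rejects malformed indexes, and computes
   per-interface drop deltas from saviObjectsCountFilterPkts with
   Counter64 wraparound; the walk data it uses is constructed.

```python
"""Decode SAVI-MIB table rows from SNMP walk results.  Added example, not part
of draft-an-savi-mib; the walk data below is constructed for illustration."""
import ipaddress

# InetAddressType (RFC 4001): ipv4(1), ipv6(2) -> expected InetAddress length.
INET_LEN = {1: 4, 2: 16}

def decode_filtering_index(suffix):
    """Decode the saviObjectsFilteringEntry INDEX from an instance suffix.
    SMIv2 index rules: InetAddressType and InterfaceIndex are one sub-id each;
    InetAddress is variable-length, so it is a length sub-id then one sub-id
    per octet."""
    subids = [int(s) for s in suffix.split(".")]
    if len(subids) < 3:
        raise ValueError("index too short")
    addr_type, if_index, length = subids[:3]
    if INET_LEN.get(addr_type) != length:
        raise ValueError(f"bad InetAddress index: type={addr_type} len={length}")
    if len(subids) != 3 + length or any(not 0 <= o <= 255 for o in subids[3:]):
        raise ValueError("InetAddress octets do not match declared length")
    return addr_type, if_index, str(ipaddress.ip_address(bytes(subids[3:])))

def encode_filtering_index(if_index, ip):
    """Inverse: build the instance suffix for a filtering-table row."""
    addr = ipaddress.ip_address(ip)
    addr_type = 1 if addr.version == 4 else 2
    packed = addr.packed
    return ".".join(str(x) for x in (addr_type, if_index, len(packed), *packed))

def filtering_rows(walk):
    """walk maps saviObjectsFilteringMacAddr instance suffix -> MAC bytes.
    Returns (ifIndex, source IP, MAC): which sources each anchor admits."""
    rows = []
    for suffix, mac in walk.items():
        _, if_index, ip = decode_filtering_index(suffix)
        rows.append((if_index, ip, mac.hex(":")))
    return sorted(rows)

def drop_delta(prev, cur):
    """Increase in saviObjectsCountFilterPkts per (IP version, ifIndex) between
    two polls; Counter64 wraps modulo 2**64, so the subtraction does too."""
    return {key: (cur[key] - prev.get(key, 0)) % (1 << 64) for key in cur}

# Constructed walk of the saviObjectsFilteringMacAddr column (suffixes are
# relative to the column OID); addresses and MACs are illustrative only.
SAMPLE_FILTERING = {
    encode_filtering_index(3, "192.0.2.10"): bytes.fromhex("001122334455"),
    encode_filtering_index(5, "2001:db8::1"): bytes.fromhex("66778899aabb"),
}
```

   A rising drop_delta on an anchor that should carry only bound hosts is
   the signal an operator would alert on; the row list shows which
   source/anchor pairs the device currently admits.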
   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

10.  IANA Considerations

   The MIB module in this document uses the following IANA-assigned
   OBJECT IDENTIFIER values recorded in the SMI Numbers registry:

   Descriptor        OBJECT IDENTIFIER value
   ----------        -----------------------
   SAVI-MIB          { ip XXX }

11.  Contributors

12.  References

12.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC2131]  Droms, R., "Dynamic Host Configuration Protocol",
              RFC 2131, DOI 10.17487/RFC2131, March 1997.

   [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Structure of Management Information
              Version 2 (SMIv2)", STD 58, RFC 2578,
              DOI 10.17487/RFC2578, April 1999.

   [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Textual Conventions for SMIv2",
              STD 58, RFC 2579, DOI 10.17487/RFC2579, April 1999.

   [RFC2580]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Conformance Statements for SMIv2",
              STD 58, RFC 2580, DOI 10.17487/RFC2580, April 1999.
   [RFC3315]  Droms, R., Ed., Bound, J., Volz, B., Lemon, T., Perkins,
              C., and M. Carney, "Dynamic Host Configuration Protocol
              for IPv6 (DHCPv6)", RFC 3315, DOI 10.17487/RFC3315, July
              2003.

   [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
              Schoenwaelder, "Textual Conventions for Internet Network
              Addresses", RFC 4001, DOI 10.17487/RFC4001, February 2005.

   [RFC6620]  Nordmark, E., Bagnulo, M., and E. Levy-Abegnoli, "FCFS
              SAVI: First-Come, First-Served Source Address Validation
              Improvement for Locally Assigned IPv6 Addresses",
              RFC 6620, DOI 10.17487/RFC6620, May 2012.

   [RFC7039]  Wu, J., Bi, J., Bagnulo, M., Baker, F., and C. Vogt, Ed.,
              "Source Address Validation Improvement (SAVI) Framework",
              RFC 7039, DOI 10.17487/RFC7039, October 2013.

   [RFC7219]  Bagnulo, M. and A. Garcia-Martinez, "SEcure Neighbor
              Discovery (SEND) Source Address Validation Improvement
              (SAVI)", RFC 7219, DOI 10.17487/RFC7219, May 2014.

   [RFC7513]  Bi, J., Wu, J., Yao, G., and F. Baker, "Source Address
              Validation Improvement (SAVI) Solution for DHCP",
              RFC 7513, DOI 10.17487/RFC7513, May 2015.

12.2.  Informative References

   [RFC2223]  Postel, J. and J. Reynolds, "Instructions to RFC Authors",
              RFC 2223, DOI 10.17487/RFC2223, October 1997.

   [RFC2629]  Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
              DOI 10.17487/RFC2629, June 1999.

   [RFC2863]  McCloghrie, K. and F. Kastenholz, "The Interfaces Group
              MIB", RFC 2863, DOI 10.17487/RFC2863, June 2000.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410,
              DOI 10.17487/RFC3410, December 2002.

   [RFC4181]  Heard, C., Ed., "Guidelines for Authors and Reviewers of
              MIB Documents", BCP 111, RFC 4181, DOI 10.17487/RFC4181,
              September 2005.

   [RFC4293]  Routhier, S., Ed., "Management Information Base for the
              Internet Protocol (IP)", RFC 4293, DOI 10.17487/RFC4293,
              April 2006.

12.3.  URL References

   [idguidelines]
              IETF Internet Drafts editor,
              "http://www.ietf.org/ietf/1id-guidelines.txt".

   [idnits]   IETF Internet Drafts editor,
              "http://www.ietf.org/ID-Checklist.html".

   [ietf]     IETF Tools Team, "http://tools.ietf.org".

   [ops]      the IETF OPS Area, "http://www.ops.ietf.org".

   [xml2rfc]  XML2RFC tools and documentation,
              "http://xml.resource.org".

Appendix A.  Change Log

   From draft 00 to draft 01

   o  Change the value range of object saviObjectsSystemMode and add a
      new value savi-send(6).

   From draft 01 to draft 02

   o  Change saviObjectsTrustStatus into two booleans, one is
      saviObjectsDhcpTrustStatus, another is saviObjectsRaTrustStatus.

   o  Change the character string saviObjectsIf to saviObjectsPort
      globally.

   o  Change saviObjectsBindingState according to the latest version of
      solution drafts.

   From draft 02 to draft 03

   o  Add a new object saviObjectsPortBindRecoveryAttr, and change the
      object saviObjectsPortRaTrustStatus to saviObjectsPortTrustAttr
      according to the latest version of solution drafts and RFC.

   o  Change the value range and meaning of saviObjectsBindingState
      according to the latest version of solution drafts and RFC.

   o  Change the value range of object saviObjectsBindingType, add a new
      value send(4), and change the value static(1) to manual(1).

   From draft 03 to draft 04

   o  Add three new objects according to the latest version of solution
      drafts and RFC, i.e. saviObjectsSystemTentLT,
      saviObjectsSystemDefaultLT, saviObjectsSystemTWAIT.
   From draft 04 to draft 05

   o  Add two new objects according to the latest version of solution
      drafts and RFC, i.e. saviObjectsBindingCreationtime,
      saviObjectsBindingTID.

   From draft 05 to draft 06

   o  Add three new objects, saviObjectsSystemDadTimeout,
      saviObjectsPortDhcpSnoopingAttr and
      saviObjectsPortDataSnoopingAttr.

   o  Replace object saviObjectsSystemBindRecoveryInterval with
      saviObjectsSystemDataSnoopingInterval.

   o  Replace object saviObjectsPortSAVISAVIAttr with
      saviObjectsPortTrustAttr.

   o  Delete object saviObjectsPortBindRecoveryAttr.

   From draft 06 to draft 07

   o  Replace object saviObjectsSystemDadTimeout with
      saviObjectsSystemDetectionTimeout.

   From draft 07 to draft 08

   o  Add a new table to count the packets that fail validation on each
      interface.

   From draft 08 to draft 09

   o  Change the value range and meaning of saviObjectsBindingState
      according to the latest version of solution RFC.

   From draft 09 to draft 10

   o  Replace object saviObjectsSystemMode with
      saviObjectsSystemSlaacEnable, saviObjectsSystemDhcpEnable,
      saviObjectsSystemSendEnable, saviObjectsManualEnable.

   From draft 10 to draft 11

   o  Add a new table SaviObjectsPreferenceTable to reflect the
      preference of each SAVI method.

   From draft 11 to draft 12

   o  Replace object saviObjectsBindingType with
      saviObjectsBindingMethod.

   From draft 12 to draft 13

   o  Add a new object saviObjectsCountFilterOctets to count the octets
      dropped by the SAVI protocol.

Appendix B.  Open Issues

   Note to RFC Editor: please remove this appendix before publication as
   an RFC.
Authors' Addresses

   Changqing An
   Tsinghua University
   Institute for Network Sciences and Cyberspace, Tsinghua University
   Beijing  100084
   China

   Phone: +86 10 62603113
   EMail: acq@cernet.edu.cn

   Jiahai Yang
   Tsinghua University
   Institute for Network Sciences and Cyberspace, Tsinghua University
   Beijing  100084
   China

   Phone: +86 10 62783492
   EMail: yang@cernet.edu.cn

   Jianping Wu
   Tsinghua University
   Institute for Network Sciences and Cyberspace, Tsinghua University
   Beijing  100084
   China

   EMail: jianping@cernet.edu.cn

   Jun Bi
   Tsinghua University
   Institute for Network Sciences and Cyberspace, Tsinghua University
   Beijing  100084
   China

   EMail: junbi@cernet.edu.cn