idnits 2.17.1

draft-an-savi-mib-16.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** There are 8 instances of too long lines in the document, the longest one
     being 35 characters in excess of 72.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 445 has weird spacing: '...n entry conta...'

  == Line 690 has weird spacing: '... of the bindi...'

  == Line 830 has weird spacing: '... of the filte...'

  == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but
     does not include the phrase in its RFC 2119 key words list.

  -- The document date (January 18, 2019) is 1923 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: 'RFC2131' is defined on line 1080, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC3315' is defined on line 1100, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC2223' is defined on line 1133, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC2629' is defined on line 1137, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC4181' is defined on line 1151, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 3315 (Obsoleted by RFC 8415)

  ** Downref: Normative reference to an Informational RFC: RFC 7039

  -- Obsolete informational reference (is this intentional?): RFC 2223
     (Obsoleted by RFC 7322)

  -- Obsolete informational reference (is this intentional?): RFC 2629
     (Obsoleted by RFC 7749)

     Summary: 3 errors (**), 0 flaws (~~), 10 warnings (==), 3 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2    SAVI                                                               C. An
3    Internet-Draft                                                   J. Yang
4    Intended status: Standards Track                                   J. Wu
5    Expires: July 22, 2019                                             J. Bi
6                                                         Tsinghua University
7                                                            January 18, 2019

9                Definition of Managed Objects for SAVI Protocol
10                             draft-an-savi-mib-16

12   Abstract

14      This memo defines a portion of the Management Information Base (MIB)
15      for use with network management protocols in the Internet community.
16      In particular, it defines objects for managing SAVI (Source Address
17      Validation Improvements) protocol instance.

19   Status of This Memo

21      This Internet-Draft is submitted in full conformance with the
22      provisions of BCP 78 and BCP 79.

24      Internet-Drafts are working documents of the Internet Engineering
25      Task Force (IETF).  Note that other groups may also distribute
26      working documents as Internet-Drafts.  The list of current Internet-
27      Drafts is at https://datatracker.ietf.org/drafts/current/.

29      Internet-Drafts are draft documents valid for a maximum of six months
30      and may be updated, replaced, or obsoleted by other documents at any
31      time.  It is inappropriate to use Internet-Drafts as reference
32      material or to cite them other than as "work in progress."

34      This Internet-Draft will expire on July 22, 2019.

36   Copyright Notice

38      Copyright (c) 2019 IETF Trust and the persons identified as the
39      document authors.  All rights reserved.

41      This document is subject to BCP 78 and the IETF Trust's Legal
42      Provisions Relating to IETF Documents
43      (https://trustee.ietf.org/license-info) in effect on the date of
44      publication of this document.  Please review these documents
45      carefully, as they describe your rights and restrictions with respect
46      to this document.  Code Components extracted from this document must
47      include Simplified BSD License text as described in Section 4.e of
48      the Trust Legal Provisions and are provided without warranty as
49      described in the Simplified BSD License.

51   Table of Contents

53      1.  Introduction
54      2.  The Internet-Standard Management Framework
55      3.  Conventions
56      4.  Overview
57      5.  Structure of the MIB Module
58        5.1.  The SAVI System Table
59        5.2.  The SAVI Port Table
60        5.3.  The SAVI Binding Table
61        5.4.  The SAVI Filtering Table
62        5.5.  The SAVI Counting Table
63      6.  Textual Conventions
64      7.  Relationship to Other MIB Modules
65        7.1.  Relationship to the INET-ADDRESS-MIB
66        7.2.  Relationship to the IF-MIB
67        7.3.  MIB modules required for IMPORTS
68      8.  Definitions
69      9.  Security Considerations
70      10. IANA Considerations
71      11. Contributors
72      12. References
73        12.1.  Normative References
74        12.2.  Informative References
75        12.3.  URL References
76      Appendix A.  Change Log
77      Appendix B.  Open Issues
78      Authors' Addresses

80   1.  Introduction

82      The Source Address Validation Improvement protocol was developed to
83      complement ingress filtering with finer-grained, standardized IP
84      source address validation (refer to [RFC7039]).  A SAVI protocol
85      instance is located on the path of hosts' packets, enforcing the
86      hosts' use of legitimate IP source addresses.

88      SAVI protocol determines whether the IP address obtaining process is
89      legitimate according to IP address assignment method.  For links with
90      Stateless Address Auto Configuration (SLAAC), Dynamic Host
91      Configuration Protocol (DHCP), and Secure Neighbor Discovery (SEND),
92      the process is defined in separate documents of SAVI Working Group
93      (refer to [RFC6620], [RFC7513], [RFC7219]).
94      This document defines a MIB module that can be used to manage the
95      SAVI protocol instance.  It covers both configuration and status
96      monitoring aspects of SAVI implementations.

98      This document uses terminology from the SAVI Protocol specification.

100  2.  The Internet-Standard Management Framework

102     For a detailed overview of the documents that describe the current
103     Internet-Standard Management Framework, please refer to section 7 of
104     RFC 3410 [RFC3410].

106     Managed objects are accessed via a virtual information store, termed
107     the Management Information Base or MIB.  MIB objects are generally
108     accessed through the Simple Network Management Protocol (SNMP).
109     Objects in the MIB are defined using the mechanisms defined in the
110     Structure of Management Information (SMI).  This memo specifies a MIB
111     module that is compliant to the SMIv2, which is described in STD 58,
112     RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
113     [RFC2580].

115  3.  Conventions

117     The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
118     "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
119     document are to be interpreted as described in RFC 2119 [RFC2119].

121  4.  Overview

123     The SAVI Protocol MIB module (SAVI-MIB) is conformant to SAVI
124     protocol, and is designed to:

126     o  Support centralized management and monitoring of SAVI protocol
127        instance by standard SNMP protocol.

129     o  Support configuration and querying of SAVI protocol parameters.

131     o  Support configuration and querying of binding entries.  Operators
132        may insert and delete manual binding entries.

134     o  Support querying of filtering entries.

136     o  Support querying of the count of packets dropped because of
137        validation failure for each interface.

139     Based on SAVI protocol, attributes and objects of a SAVI protocol
140     instance can be classified into five categories:

142     o  System attributes.  These attributes correspond to a SAVI
143        protocol instance, such as IP Address Assignment Methods and some
144        constants.

146     o  Anchor attributes.  These attributes correspond to a SAVI
147        anchor.  Anchor is defined in [RFC7039].

149     o  Binding Status Table.  This table contains the state of binding
150        between source address and binding anchor (refer to [RFC6620],
151        [RFC7513], [RFC7219]).

153     o  Filtering Table.  This table contains the bindings between binding
154        anchor and address, which is used to filter packets (refer to
155        [RFC6620], [RFC7513], [RFC7219]).

157     o  Counting Table.  This table contains the count of fail packets for
158        each interface.

160     A table is designed for each category of objects.

162  5.  Structure of the MIB Module

164     This section presents the structure of the SAVI-MIB module.  The MIB
165     objects are derived from the SAVI protocol specification.

167     This MIB is composed of a series of tables meant to form the base for
168     managing SAVI entities.  The following subsections describe all
169     tables in the SAVI MIB module.

171  5.1.  The SAVI System Table

173     The SAVI System Table (saviObjectsSystemTable) contains the objects
174     which correspond to SAVI system-wide parameters.  It supports
175     the configuration and collection of SAVI system-wide parameters.

177     There is an entry for each IP stack, IPv4 and IPv6.  The table is
178     indexed by:

180     o  saviObjectsSystemIPVersion - The IP Version.  A textual convention
181        InetVersion defined in RFC4001 is used to represent the different
182        version of IP protocol.

184     o  saviObjectsSystemMethod - IP address assignment method.

186     It contains the following objects:

188     o  saviObjectsSystemMethodName - Name of IP address assignment
189        method.

191     o  saviObjectsSystemMethodEnable - If the method is enabled.

193     o  saviObjectsSystemMethodPreference - Preference of the method.

195     The MAX-ACCESS of these objects is READ-WRITE.  Network Operators may
196     configure by setting these objects.

198  5.2.  The SAVI Port Table

200     The SAVI Port Table (saviObjectsPortTable) contains the objects which
201     correspond to SAVI running parameters of each anchor.  It
202     supports the configuration and collection of SAVI parameters of each
203     anchor.

205     There is an entry for each IP stack, IPv4 and IPv6.  The table is
206     indexed by:

208     o  saviObjectsPortIPVersion - The IP Version.

210     o  saviObjectsPortIfIndex - The index value that uniquely identifies
211        the interface to which this entry is applicable.

213     It contains the following objects:

215     o  saviObjectsPortValidatingAttr - An attribute defined in SAVI
216        protocol (refer to [RFC7513]).

218     o  saviObjectsPortDhcpTrustAttr - An attribute defined in SAVI
219        protocol (refer to [RFC7513]).

221     o  saviObjectsPortTrustAttr - An attribute defined in SAVI protocol
222        (refer to [RFC7513]).

224     o  saviObjectsPortDhcpSnoopingAttr - An attribute defined in SAVI
225        protocol (refer to [RFC7513]).

227     o  saviObjectsPortDataSnoopingAttr - An attribute defined in SAVI
228        protocol (refer to [RFC7513]).

230     o  saviObjectsPortFilteringNum - The max filtering number of the
231        Port.

233     The MAX-ACCESS of these objects is READ-WRITE.  Network Operators may
234     configure by setting these objects.

236  5.3.  The SAVI Binding Table

238     The SAVI Binding Table (saviObjectsBindingTable) contains the objects
239     which correspond to the Binding State Table (BST) defined in SAVI
240     protocol.  It contains the binding parameters and state of each
241     binding entry.  It supports the collection of binding entries.  An
242     entry can be inserted or deleted if it is a manual binding entry.

244     The table is indexed by:

246     o  saviObjectsBindingIpAddressType - IP address type.  A textual
247        convention InetAddressType defined in RFC4001 is used to represent
248        the different kind of IP address.

250     o  saviObjectsBindingMethod - which IP address assignment method is
251        used to create the binding entry - manual(1), slaac(2), dhcp(3),
252        send(4).

254     o  saviObjectsBindingIfIndex - The index value that uniquely
255        identifies the interface to which this entry is applicable.

257     o  saviObjectsBindingIpAddress - The binding source IP address.  A
258        textual convention InetAddress defined in RFC4001 is used to
259        define this object.

261     The SAVI Binding Table contains the following objects:

263     o  saviObjectsBindingMacAddr - The binding source MAC address.

265     o  saviObjectsBindingLifetime - The remaining lifetime of the entry.

267     o  saviObjectsBindingCreationtime - The value of the local clock when
268        the entry was first created.

270     o  saviObjectsBindingRowStatus - The status of this row, by which new
271        entries may be created, or old entries be deleted from this table.
272        As defined in RFC2579, the RowStatus textual convention is used to
273        manage the creation and deletion of conceptual rows.  For SAVI
274        Binding Table, an entry can be created or deleted only when
275        saviObjectsBindingMethod=manual.

277     The MAX-ACCESS of these objects is READ-CREATE.  Network Operators
278     may create or delete an entry by setting these objects.

280  5.4.  The SAVI Filtering Table

282     The SAVI Filtering Table (saviObjectsFilteringTable) contains the
283     objects which correspond to the Filtering Table (FT) defined in
284     SAVI protocol.  It supports the collection of filtering entries.

286     The table is indexed by:

288     o  saviObjectsFilteringIpAddressType - IP address type.

290     o  saviObjectsFilteringIfIndex - The index value that uniquely
291        identifies the interface to which this entry is applicable.

293     o  saviObjectsFilteringIpAddress - The source IP address.

295     It contains the following objects:

297     o  saviObjectsFilteringMacAddr - The source MAC address.

299     The MAX-ACCESS of the object is READ-ONLY.

301  5.5.  The SAVI Counting Table

303     The SAVI Counting Table (saviObjectsCountTable) contains the objects
304     counting packets dropped because of validation failure for each
305     interface.

307     The table is indexed by:

309     o  saviObjectsCountIPVersion - IP Version.

311     o  saviObjectsCountIfIndex - The index value that uniquely identifies
312        the interface to which this entry is applicable.

314     It contains the following objects:

316     o  saviObjectsCountFilterPkts - The count of packets dropped because
317        of validation failure.

319     o  saviObjectsCountFilterOctets - The count of octets dropped because
320        of validation failure.

322     The MAX-ACCESS of the object is READ-ONLY.

324  6.  Textual Conventions

326     The textual conventions used in the SAVI-MIB are as follows.

328     The MODULE-COMPLIANCE, OBJECT-GROUP textual convention is imported
329     from SNMPv2-CONF [RFC2580].  The MODULE-IDENTITY, OBJECT-IDENTITY,
330     OBJECT-TYPE, Unsigned32 textual convention is imported from
331     SNMPv2-SMI [RFC2578].

333     The MacAddress, TimeInterval, RowStatus textual convention is imported
334     from SNMPv2-TC [RFC2579].

336     The InetVersion, InetAddressType, InetAddress textual convention is
337     imported from INET-ADDRESS-MIB [RFC4001].

339     The InterfaceIndex textual convention is imported from IF-MIB
340     [RFC2863].

342     The ip textual convention is imported from IP-MIB [RFC4293].

344  7.  Relationship to Other MIB Modules

346  7.1.  Relationship to the INET-ADDRESS-MIB

348     To support extensibility, IETF defined new textual conventions to
349     represent different IP protocol and different IP address in a unified
350     format in RFC4001.  To support different IP version, a textual
351     convention InetVersion is defined to represent the different version
352     of IP protocol.  To support different IP address, a generic Internet
353     address is defined.  It consists of two objects: The first one has
354     the syntax InetAddressType, and the second object has the syntax
355     InetAddress.  The value of the first object determines how the value
356     of the second is encoded.

358     Since the SAVI running mode and parameters are independent for IPv4
359     and IPv6, different OID instances should be defined for each protocol.
360     In SAVI-MIB definition, when IP address is used as a part of binding
361     table, it is defined using textual conventions described in INET-
362     ADDRESS-MIB.

364  7.2.  Relationship to the IF-MIB

366     The Interfaces MIB [RFC2863] defines generic managed objects for
367     managing interfaces.  This document contains the interface-specific
368     extensions for managing SAVI anchors that are modeled as interfaces.

370     The IF-MIB module is required to be supported on the SAVI device.
371     The interface MUST be modeled as an ifEntry, and ifEntry objects such
372     as ifIndex are to be used as per [RFC2863].

374     An ifIndex [RFC2863] is used as a common index for interfaces in the
375     SAVI-MIB modules.

377  7.3.  MIB modules required for IMPORTS

379     The SAVI MIB module IMPORTS objects from SNMPv2-SMI [RFC2578],
380     SNMPv2-TC [RFC2579], SNMPv2-CONF [RFC2580], IF-MIB [RFC2863] and INET-
381     ADDRESS-MIB [RFC4001].

383  8.  Definitions

385     SAVI-MIB DEFINITIONS ::=BEGIN

387     IMPORTS
388         MODULE-COMPLIANCE,OBJECT-GROUP
389             FROM SNMPv2-CONF --RFC2580
390         MODULE-IDENTITY, OBJECT-IDENTITY, OBJECT-TYPE, Unsigned32
391             FROM SNMPv2-SMI --RFC2578
392         TEXTUAL-CONVENTION,MacAddress,TimeInterval,RowStatus
393             FROM SNMPv2-TC --RFC2579
394         InterfaceIndex
395             FROM IF-MIB --RFC2863
396         InetVersion,InetAddressType,InetAddress
397             FROM INET-ADDRESS-MIB --RFC4001
398         ip
399             FROM IP-MIB --RFC4293
400         ;

402     saviMIB MODULE-IDENTITY
403         LAST-UPDATED "201901180000Z"
404         ORGANIZATION
405             "IETF SAVI Working Group"
406         CONTACT-INFO
407             "WG charter:
408              http://datatracker.ietf.org/wg/savi/charter/

410              Editor:
411              Changqing An
412              CERNET
413              Postal: Institute for Network Sciences and Cyberspace, Tsinghua University
414                      Beijing 100084
415                      China
416              Email: acq@tsinghua.edu.cn
417             "

419         DESCRIPTION
420             "This MIB Module is designed to support configuration
421              and monitoring of SAVI protocol.
422             "
423         REVISION "201901180000Z"
424         DESCRIPTION
425             "Initial version"
426         ::= {ip XXX}

428     saviObjects OBJECT IDENTIFIER ::= { saviMIB 1 }

430     -- System parameters for SAVI protocol

432     saviObjectsSystemTable OBJECT-TYPE
433         SYNTAX      SEQUENCE OF SaviObjectsSystemEntry
434         MAX-ACCESS  not-accessible
435         STATUS      current
436         DESCRIPTION
437             "The table containing savi system-wide parameters."
438         ::= { saviObjects 1 }

440     saviObjectsSystemEntry OBJECT-TYPE
441         SYNTAX      SaviObjectsSystemEntry
442         MAX-ACCESS  not-accessible
443         STATUS      current
444         DESCRIPTION
445             "An entry containing savi system-wide parameters for a
446              particular IP version.
447             "
448         INDEX { saviObjectsSystemIPVersion,saviObjectsSystemMethod }
449         ::= { saviObjectsSystemTable 1 }

451     SaviObjectsSystemEntry ::=
452         SEQUENCE {
453             saviObjectsSystemIPVersion         InetVersion,
454             saviObjectsSystemMethod            INTEGER,
455             saviObjectsSystemMethodName        DisplayString (SIZE (0..255)),
456             saviObjectsSystemMethodEnable      INTEGER,
457             saviObjectsSystemMethodPreference  INTEGER
458         }

460     saviObjectsSystemIPVersion OBJECT-TYPE
461         SYNTAX      InetVersion
462         MAX-ACCESS  not-accessible
463         STATUS      current
464         DESCRIPTION
465             "The IP version"
466         ::= { saviObjectsSystemEntry 1 }

468     saviObjectsSystemMethod OBJECT-TYPE
469         SYNTAX      INTEGER {
470                         manual(1),
471                         slaac(2),
472                         dhcp(3),
473                         send(4)
474                     }
475         MAX-ACCESS  not-accessible
476         STATUS      current
477         DESCRIPTION
478             "IP address assignment methods."
479         ::= { saviObjectsSystemEntry 2 }

481     saviObjectsSystemMethodName OBJECT-TYPE
482         SYNTAX      DisplayString (SIZE (0..255))
483         MAX-ACCESS  read-only
484         STATUS      current
485         DESCRIPTION
486             "Name of IP address assignment methods."
487         ::= { saviObjectsSystemEntry 3 }

489     saviObjectsSystemMethodEnable OBJECT-TYPE
490         SYNTAX      INTEGER {
491                         enable(1),
492                         disable(2)
493                     }
494         MAX-ACCESS  read-write
495         STATUS      current
496         DESCRIPTION
497             "If the method is enabled."
498         ::= { saviObjectsSystemEntry 4 }

500     saviObjectsSystemMethodPreference OBJECT-TYPE
501         SYNTAX      INTEGER {
502                         enable(1),
503                         disable(2)
504                     }
505         MAX-ACCESS  read-write
506         STATUS      current
507         DESCRIPTION
508             "Preference of the method."
509         ::= { saviObjectsSystemEntry 5 }

511     -- Port parameters for SAVI protocol
512     saviObjectsPortTable OBJECT-TYPE
513         SYNTAX      SEQUENCE OF SaviObjectsPortEntry
514         MAX-ACCESS  not-accessible
515         STATUS      current
516         DESCRIPTION
517             "The table containing SAVI parameters of each anchor."
518         ::= { saviObjects 2 }

520     saviObjectsPortEntry OBJECT-TYPE
521         SYNTAX      SaviObjectsPortEntry
522         MAX-ACCESS  not-accessible
523         STATUS      current
524         DESCRIPTION
525             "An entry containing SAVI running parameters of an anchor."
526         INDEX {
527             saviObjectsPortIPVersion,
528             saviObjectsPortIfIndex
529         }
530         ::= { saviObjectsPortTable 1 }

532     SaviObjectsPortEntry ::=
533         SEQUENCE {
534             saviObjectsPortIPVersion         InetVersion,
535             saviObjectsPortIfIndex           InterfaceIndex,
536             saviObjectsPortValidatingAttr    INTEGER,
537             saviObjectsPortDhcpTrustAttr     INTEGER,
538             saviObjectsPortTrustAttr         INTEGER,
539             saviObjectsPortDhcpSnoopingAttr  INTEGER,
540             saviObjectsPortDataSnoopingAttr  INTEGER,
541             saviObjectsPortFilteringNum      Unsigned32
542         }

544     saviObjectsPortIPVersion OBJECT-TYPE
545         SYNTAX      InetVersion
546         MAX-ACCESS  not-accessible
547         STATUS      current
548         DESCRIPTION
549             "The IP version"
550         ::= { saviObjectsPortEntry 1 }

552     saviObjectsPortIfIndex OBJECT-TYPE
553         SYNTAX      InterfaceIndex
554         MAX-ACCESS  not-accessible
555         STATUS      current
556         DESCRIPTION
557             "The index value that uniquely identifies the interface to
558              which this entry is applicable.  The interface identified by
559              a particular value of this index is the same interface as
560              identified by the same value of the IF-MIB's ifIndex.
561             "
562         ::= { saviObjectsPortEntry 2 }

564     saviObjectsPortValidatingAttr OBJECT-TYPE
565         SYNTAX      INTEGER {
566                         enable(1),
567                         disable(2)
568                     }
569         MAX-ACCESS  read-write
570         STATUS      current
571         DESCRIPTION
572             "An attribute defined in SAVI protocol.
573              enable(1), the attribute is set.
574              disable(2), the attribute is not set.
575             "
576         ::= { saviObjectsPortEntry 3 }

578     saviObjectsPortDhcpTrustAttr OBJECT-TYPE
579         SYNTAX      INTEGER {
580                         enable(1),
581                         disable(2)
582                     }
583         MAX-ACCESS  read-write
584         STATUS      current
585         DESCRIPTION
586             "An attribute defined in SAVI protocol.
587              enable(1), the attribute is set.
588              disable(2), the attribute is not set.
589             "
590         ::= { saviObjectsPortEntry 4 }

592     saviObjectsPortTrustAttr OBJECT-TYPE
593         SYNTAX      INTEGER {
594                         enable(1),
595                         disable(2)
596                     }
597         MAX-ACCESS  read-write
598         STATUS      current
599         DESCRIPTION
600             "An attribute defined in SAVI protocol.
601              enable(1), the attribute is set.
602              disable(2), the attribute is not set.
603             "
604         ::= { saviObjectsPortEntry 5 }

606     saviObjectsPortDhcpSnoopingAttr OBJECT-TYPE
607         SYNTAX      INTEGER {
608                         enable(1),
609                         disable(2)
610                     }
611         MAX-ACCESS  read-write
612         STATUS      current
613         DESCRIPTION
614             "An attribute defined in SAVI protocol.
615              enable(1), the attribute is set.
616              disable(2), the attribute is not set.
617             "
618         ::= { saviObjectsPortEntry 6 }

620     saviObjectsPortDataSnoopingAttr OBJECT-TYPE
621         SYNTAX      INTEGER {
622                         enable(1),
623                         disable(2)
624                     }
625         MAX-ACCESS  read-write
626         STATUS      current
627         DESCRIPTION
628             "An attribute defined in SAVI protocol.
629              enable(1), the attribute is set.
630              disable(2), the attribute is not set.
631             "
632         ::= { saviObjectsPortEntry 7 }

634     saviObjectsPortFilteringNum OBJECT-TYPE
635         SYNTAX      Unsigned32
636         MAX-ACCESS  read-write
637         STATUS      current
638         DESCRIPTION
639             "The max filtering number of the Port."
640         ::= { saviObjectsPortEntry 8 }

642     -- Binding Status Table for SAVI protocol

644     saviObjectsBindingTable OBJECT-TYPE
645         SYNTAX      SEQUENCE OF SaviObjectsBindingEntry
646         MAX-ACCESS  not-accessible
647         STATUS      current
648         DESCRIPTION
649             "The table containing the state of binding
650              between source address and anchor.
651             "
652         ::= { saviObjects 3 }

654     saviObjectsBindingEntry OBJECT-TYPE
655         SYNTAX      SaviObjectsBindingEntry
656         MAX-ACCESS  not-accessible
657         STATUS      current
658         DESCRIPTION
659             "An entry containing the state of binding between source
660              address and anchor.
661              Entries are keyed on the source IP address type,
662              binding type, anchor, and source IP address.
663             "
664         INDEX {
665             saviObjectsBindingIpAddressType,
666             saviObjectsBindingMethod,
667             saviObjectsBindingIfIndex,
668             saviObjectsBindingIpAddress
669         }
670         ::= { saviObjectsBindingTable 1 }

672     SaviObjectsBindingEntry ::=
673         SEQUENCE {
674             saviObjectsBindingIpAddressType  InetAddressType,
675             saviObjectsBindingMethod         INTEGER,
676             saviObjectsBindingIfIndex        InterfaceIndex,
677             saviObjectsBindingIpAddress      InetAddress,
678             saviObjectsBindingMacAddr        MacAddress,
679             saviObjectsBindingState          INTEGER,
680             saviObjectsBindingLifetime       TimeInterval,
681             saviObjectsBindingCreationtime   DateAndTime,
682             saviObjectsBindingRowStatus      RowStatus
683         }

685     saviObjectsBindingIpAddressType OBJECT-TYPE
686         SYNTAX      InetAddressType
687         MAX-ACCESS  not-accessible
688         STATUS      current
689         DESCRIPTION
690             "IP address type of the binding source IP."
691         ::= { saviObjectsBindingEntry 1 }

693     saviObjectsBindingMethod OBJECT-TYPE
694         SYNTAX      INTEGER {
695                         manual(1),
696                         slaac(2),
697                         dhcp(3),
698                         send(4)
699                     }
700         MAX-ACCESS  not-accessible
701         STATUS      current
702         DESCRIPTION
703             "IP address assignment methods."
704         ::= { saviObjectsBindingEntry 2 }

706     saviObjectsBindingIfIndex OBJECT-TYPE
707         SYNTAX      InterfaceIndex
708         MAX-ACCESS  not-accessible
709         STATUS      current
710         DESCRIPTION
711             "The index value that uniquely identifies the interface to
712              which this entry is applicable.  The interface identified by
713              a particular value of this index is the same interface as
714              identified by the same value of the IF-MIB's ifIndex.
715             "
716         ::= { saviObjectsBindingEntry 3 }

718     saviObjectsBindingIpAddress OBJECT-TYPE
719         SYNTAX      InetAddress
720         MAX-ACCESS  not-accessible
721         STATUS      current
722         DESCRIPTION
723             "The binding source IP address"
724         ::= { saviObjectsBindingEntry 4 }

726     saviObjectsBindingMacAddr OBJECT-TYPE
727         SYNTAX      MacAddress
728         MAX-ACCESS  read-create
729         STATUS      current
730         DESCRIPTION
731             "The binding source mac address."
732         ::= { saviObjectsBindingEntry 5 }

734     saviObjectsBindingState OBJECT-TYPE
735         SYNTAX      INTEGER {
736                         NO_BIND(1),
737                         INIT_BIND(2),
738                         BOUND(3),
739                         DETECTION(4),
740                         RECOVERY(5),
741                         VERIFY(6),
742                         TENTATIVE(7),
743                         VALID(8),
744                         TESTING_TP-LT(9),
745                         TESTING_VP(10),
746                         TESTING_VP-1(11),
747                         TENTATIVE_NUD(12),
748                         TENTATIVE_DAD(13)
749                     }

751         MAX-ACCESS  read-create
752         STATUS      current
753         DESCRIPTION
754             "The state of the binding entry."
755         ::= { saviObjectsBindingEntry 6 }

757     saviObjectsBindingLifetime OBJECT-TYPE
758         SYNTAX      TimeInterval
759         MAX-ACCESS  read-create
760         STATUS      current
761         DESCRIPTION
762             "The remaining lifetime of the entry.
763              TimeInterval is defined in RFC 2579, it's a period of time,
764              measured in units of 0.01 seconds,
765              and the value is (0..2147483647).
766              If saviObjectsBindingMethod=manual, a value of 2147483647
767              represents infinity.
768             "
769         ::= { saviObjectsBindingEntry 7 }

771     saviObjectsBindingCreationtime OBJECT-TYPE
772         SYNTAX      DateAndTime
773         MAX-ACCESS  read-create
774         STATUS      current
775         DESCRIPTION
776             "The value of the local clock when the entry was first created.
777             "
778         ::= { saviObjectsBindingEntry 8 }

780     saviObjectsBindingRowStatus OBJECT-TYPE
781         SYNTAX      RowStatus
782         MAX-ACCESS  read-create
783         STATUS      current
784         DESCRIPTION
785             "The status of this row, by which new entries may be
786              created, or old entries deleted from this table.
787              An Entry can be created or deleted only when
788              saviObjectsBindingMethod=manual.
789             "
790         ::= { saviObjectsBindingEntry 9 }

792     -- Filtering Table for SAVI protocol

794     saviObjectsFilteringTable OBJECT-TYPE
795         SYNTAX      SEQUENCE OF SaviObjectsFilteringEntry
796         MAX-ACCESS  not-accessible
797         STATUS      current
798         DESCRIPTION
799             "The table containing the filtering entries."
800         ::= { saviObjects 4 }

802     saviObjectsFilteringEntry OBJECT-TYPE
803         SYNTAX      SaviObjectsFilteringEntry
804         MAX-ACCESS  not-accessible
805         STATUS      current
806         DESCRIPTION
807             "An entry containing the filtering parameters.
808              Entries are keyed on the source IP address type,
809              anchor, and source IP address.
810             "
811         INDEX { saviObjectsFilteringIpAddressType,
812                 saviObjectsFilteringIfIndex,
813                 saviObjectsFilteringIpAddress
814         }
815         ::= { saviObjectsFilteringTable 1 }

817     SaviObjectsFilteringEntry ::=
818         SEQUENCE {
819             saviObjectsFilteringIpAddressType  InetAddressType,
820             saviObjectsFilteringIfIndex        InterfaceIndex,
821             saviObjectsFilteringIpAddress      InetAddress,
822             saviObjectsFilteringMacAddr        MacAddress
823         }

825     saviObjectsFilteringIpAddressType OBJECT-TYPE
826         SYNTAX      InetAddressType
827         MAX-ACCESS  not-accessible
828         STATUS      current
829         DESCRIPTION
830             "IP address type of the filtering source IP"
831         ::= { saviObjectsFilteringEntry 1 }

833     saviObjectsFilteringIfIndex OBJECT-TYPE
834         SYNTAX      InterfaceIndex
835         MAX-ACCESS  not-accessible
836         STATUS      current
837         DESCRIPTION
838             "The index value that uniquely identifies the interface to
839              which this entry is applicable.  The interface identified by
840              a particular value of this index is the same interface as
841              identified by the same value of the IF-MIB's ifIndex.
842             "
843         ::= { saviObjectsFilteringEntry 2 }

845     saviObjectsFilteringIpAddress OBJECT-TYPE
846         SYNTAX      InetAddress
847         MAX-ACCESS  not-accessible
848         STATUS      current
849         DESCRIPTION
850             "The filtering source IP address."
851         ::= { saviObjectsFilteringEntry 3 }

853     saviObjectsFilteringMacAddr OBJECT-TYPE
854         SYNTAX      MacAddress
855         MAX-ACCESS  read-only
856         STATUS      current
857         DESCRIPTION
858             "The filtering source mac address."
859         ::= { saviObjectsFilteringEntry 4 }

861     --Count of packets dropped because of validation failure for each interface.

863     saviObjectsCountTable OBJECT-TYPE
864         SYNTAX      SEQUENCE OF SaviObjectsCountEntry
865         MAX-ACCESS  not-accessible
866         STATUS      current
867         DESCRIPTION
868             "The table containing count of packets dropped because of validation failure."
869         ::= { saviObjects 5 }

871     saviObjectsCountEntry OBJECT-TYPE
872         SYNTAX      SaviObjectsCountEntry
873         MAX-ACCESS  not-accessible
874         STATUS      current
875         DESCRIPTION
876             "An entry containing count of packets dropped because of validation failure for each interface."
877         INDEX { saviObjectsCountIPVersion,
878                 saviObjectsCountIfIndex
879         }
880         ::= { saviObjectsCountTable 1 }

882     SaviObjectsCountEntry ::=
883         SEQUENCE {
884             saviObjectsCountIPVersion     InetVersion,
885             saviObjectsCountIfIndex       InterfaceIndex,
886             saviObjectsCountFilterPkts    Counter64,
887             saviObjectsCountFilterOctets  Counter64
888         }

890     saviObjectsCountIPVersion OBJECT-TYPE
891         SYNTAX      InetVersion
892         MAX-ACCESS  not-accessible
893         STATUS      current
894         DESCRIPTION
895             "The IP version"
896         ::= { saviObjectsCountEntry 1 }

898     saviObjectsCountIfIndex OBJECT-TYPE
899         SYNTAX      InterfaceIndex
900         MAX-ACCESS  not-accessible
901         STATUS      current
902         DESCRIPTION
903             "The Interface."
904         ::= { saviObjectsCountEntry 2 }

906     saviObjectsCountFilterPkts OBJECT-TYPE
907         SYNTAX      Counter64
908         MAX-ACCESS  read-only
909         STATUS      current
910         DESCRIPTION
911             "The count of Pkts dropped."
912         ::= { saviObjectsCountEntry 3 }

914     saviObjectsCountFilterOctets OBJECT-TYPE
915         SYNTAX      Counter64
916         MAX-ACCESS  read-only
917         STATUS      current
918         DESCRIPTION
919             "The count of Octets dropped."
920         ::= { saviObjectsCountEntry 4 }

922     -- Conformance information
923     saviConformance OBJECT IDENTIFIER ::= { saviMIB 2 }
924     saviCompliances OBJECT IDENTIFIER ::= { saviConformance 1 }

926     -- Compliance statements
927     saviCompliance MODULE-COMPLIANCE
928         STATUS      current
929         DESCRIPTION
930             "The compliance statement for entities which implement SAVI
931              protocol.
932              "
933          MODULE
934              MANDATORY-GROUPS {
935                  systemGroup,
936                  portGroup,
937                  bindingGroup,
938                  filteringGroup
939              }
940          ::= { saviCompliances 1 }

942      saviGroups OBJECT IDENTIFIER ::= { saviConformance 2 }

944      -- Units of conformance

946      systemGroup OBJECT-GROUP
947          OBJECTS {
948              saviObjectsSystemMethod,
949              saviObjectsSystemMethodName,
950              saviObjectsSystemMethodEnable,
951              saviObjectsSystemMethodPreference
952          }
953          STATUS      current
954          DESCRIPTION
955              "The system group contains objects corresponding to SAVI system
956              parameters.
957              "
958          ::= { saviGroups 1 }

960      portGroup OBJECT-GROUP
961          OBJECTS {
962              saviObjectsPortValidatingAttr,
963              saviObjectsPortDhcpTrustAttr,
964              saviObjectsPortTrustAttr,
965              saviObjectsPortDhcpSnoopingAttr,
966              saviObjectsPortDataSnoopingAttr,
967              saviObjectsPortFilteringNum
968          }
969          STATUS      current
970          DESCRIPTION
971              "The port group contains objects corresponding to the SAVI running
972              parameters of each anchor.
973              "
974          ::= { saviGroups 2 }

976      bindingGroup OBJECT-GROUP
977          OBJECTS {
978              saviObjectsBindingMacAddr,
979              saviObjectsBindingLifetime,
980              saviObjectsBindingCreationtime,
981              saviObjectsBindingRowStatus
982          }
983          STATUS      current
984          DESCRIPTION
985              "The binding group contains the binding
986              information of anchor and source IP address.
987              "
988          ::= { saviGroups 3 }

990      filteringGroup OBJECT-GROUP
991          OBJECTS {
992              saviObjectsFilteringMacAddr
993          }
994          STATUS      current
995          DESCRIPTION
996              "The filtering group contains the filtering
997              information of anchor and source IP address.
998              "
999          ::= { saviGroups 4 }

1001     END

1003  9.  Security Considerations

1005     There are a number of management objects defined in this MIB module
1006     with a MAX-ACCESS clause of read-write and/or read-create.  Such
1007     objects may be considered sensitive or vulnerable in some network
1008     environments.  The support for SET operations in a non-secure
1009     environment without proper protection can have a negative effect on
1010     network operations.
         These are the tables and objects and their
1011     sensitivity/vulnerability:

1013     o  saviObjectsSystemTable - Unauthorized changes to the writable
1014        objects under saviObjectsSystemTable MAY disrupt allocation of
1015        resources in the network.  For example, if a device's SAVI system
1016        mode is changed by a SET operation to SAVI-DISABLE, IP source
1017        address spoofing becomes possible.

1019     o  saviObjectsPortTable - Unauthorized changes to the writable
1020        objects under saviObjectsPortTable MAY disrupt allocation of
1021        resources in the network.  For example, if an anchor's
1022        ValidatingAttr is changed by a SET operation to DISABLE, IP source
1023        address spoofing becomes possible.

1025     o  saviObjectsBindingTable - Unauthorized changes to the writable
1026        objects under this table MAY disrupt allocation of resources in
1027        the network.  For example, if a manual binding entry is inserted
1028        into the BST, IP source address spoofing becomes possible.

1030     Some of the readable objects in this MIB module (i.e., objects with a
1031     MAX-ACCESS other than not-accessible) may be considered sensitive or
1032     vulnerable in some network environments.  It is thus important to
1033     control even GET and/or NOTIFY access to these objects and possibly
1034     to even encrypt the values of these objects when sending them over
1035     the network via SNMP.  These are the tables and objects and their
1036     sensitivity/vulnerability:

1038     o  saviObjectsBindingTable, saviObjectsFilteringTable - The IP
1039        address and binding anchor information would be helpful in some
1040        attacks.

1042     SNMP versions prior to SNMPv3 did not include adequate security.
1043     Even if the network itself is secure (for example by using IPsec),
1044     there is no control as to who on the secure network is allowed to
1045     access and GET/SET (read/change/create/delete) the objects in this
1046     MIB module.
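
An added example, not part of the draft: a Python check that applies the two sensitivity classes above to MIB text, listing objects whose MAX-ACCESS permits SET, objects exposed to GET/NOTIFY, and accessible objects that no OBJECT-GROUP lists. The excerpt is constructed from definitions in this module plus a hypothetical read-create column (exampleRowStatus); access_review and its result keys are names chosen here.

```python
import re

# Constructed excerpt: definitions taken from the MIB module above (layout
# condensed), plus one hypothetical read-create column, exampleRowStatus,
# standing in for a writable object whose definition is not shown here.
SAMPLE_MIB = """
saviObjectsFilteringIfIndex OBJECT-TYPE
    SYNTAX InterfaceIndex  MAX-ACCESS not-accessible  STATUS current
    DESCRIPTION "Index -- same as ifIndex."  ::= { saviObjectsFilteringEntry 2 }
saviObjectsFilteringMacAddr OBJECT-TYPE
    SYNTAX MacAddress  MAX-ACCESS read-only  STATUS current
    DESCRIPTION "The filtering source MAC address."  ::= { saviObjectsFilteringEntry 4 }
--Count of packets dropped because of validation failure.
saviObjectsCountFilterPkts OBJECT-TYPE
    SYNTAX Counter64  MAX-ACCESS read-only  STATUS current
    DESCRIPTION "The count of packets dropped."  ::= { saviObjectsCountEntry 3 }
exampleRowStatus OBJECT-TYPE
    SYNTAX RowStatus  MAX-ACCESS read-create  STATUS current
    DESCRIPTION "Hypothetical writable column."  ::= { exampleEntry 9 }
filteringGroup OBJECT-GROUP
    OBJECTS { saviObjectsFilteringMacAddr }
    STATUS current  DESCRIPTION "The filtering group."  ::= { saviGroups 4 }
"""

WRITABLE = {"read-write", "read-create"}

def access_review(mib_text):
    """Classify objects the way the Security Considerations section does."""
    # Blank out quoted DESCRIPTION text first, then "--" comments, so that
    # neither can be mistaken for a clause of a definition.
    text = re.sub(r'"[^"]*"', '""', mib_text)
    text = re.sub(r"--.*", "", text)
    access = dict(re.findall(
        r"(\w+)\s+OBJECT-TYPE\b.*?\bMAX-ACCESS\s+([\w-]+)", text, re.S))
    grouped = set()
    for members in re.findall(r"OBJECT-GROUP\s+OBJECTS\s*\{([^}]*)\}", text):
        grouped.update(re.findall(r"\w+", members))
    readable = {n for n, a in access.items() if a != "not-accessible"}
    return {
        "set_sensitive": sorted(n for n in readable if access[n] in WRITABLE),
        "get_sensitive": sorted(readable),
        "ungrouped": sorted(readable - grouped),
    }

if __name__ == "__main__":
    for kind, names in access_review(SAMPLE_MIB).items():
        print(kind, names)
```

Objects reported as ungrouped are easy to miss when access views are derived from the conformance groups rather than from the object definitions.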

1048     It is RECOMMENDED that implementers consider the security features as
1049     provided by the SNMPv3 framework (see [RFC3410], section 8),
1050     including full support for the SNMPv3 cryptographic mechanisms (for
1051     authentication and privacy).

1053     Further, deployment of SNMP versions prior to SNMPv3 is NOT
1054     RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
1055     enable cryptographic security.  It is then a customer/operator
1056     responsibility to ensure that the SNMP entity giving access to an
1057     instance of this MIB module is properly configured to give access to
1058     the objects only to those principals (users) that have legitimate
1059     rights to indeed GET or SET (change/create/delete) them.

1061  10.  IANA Considerations

1063     The MIB module in this document uses the following IANA-assigned
1064     OBJECT IDENTIFIER values recorded in the SMI Numbers registry:

1066     Descriptor        OBJECT IDENTIFIER value
1067     ----------        -----------------------
1068     SAVI-MIB          { ip XXX }

1070  11.  Contributors

1072  12.  References
1073  12.1.  Normative References

1075     [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
1076                Requirement Levels", BCP 14, RFC 2119,
1077                DOI 10.17487/RFC2119, March 1997.

1080     [RFC2131]  Droms, R., "Dynamic Host Configuration Protocol",
1081                RFC 2131, DOI 10.17487/RFC2131, March 1997.

1084     [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
1085                Schoenwaelder, Ed., "Structure of Management Information
1086                Version 2 (SMIv2)", STD 58, RFC 2578,
1087                DOI 10.17487/RFC2578, April 1999.

1090     [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
1091                Schoenwaelder, Ed., "Textual Conventions for SMIv2",
1092                STD 58, RFC 2579, DOI 10.17487/RFC2579, April 1999.

1095     [RFC2580]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
1096                Schoenwaelder, Ed., "Conformance Statements for SMIv2",
1097                STD 58, RFC 2580, DOI 10.17487/RFC2580, April 1999.

1100     [RFC3315]  Droms, R., Ed., Bound, J., Volz, B., Lemon, T., Perkins,
1101                C., and M. Carney, "Dynamic Host Configuration Protocol
1102                for IPv6 (DHCPv6)", RFC 3315, DOI 10.17487/RFC3315, July
1103                2003.

1105     [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
1106                Schoenwaelder, "Textual Conventions for Internet Network
1107                Addresses", RFC 4001, DOI 10.17487/RFC4001, February 2005.

1110     [RFC6620]  Nordmark, E., Bagnulo, M., and E. Levy-Abegnoli, "FCFS
1111                SAVI: First-Come, First-Served Source Address Validation
1112                Improvement for Locally Assigned IPv6 Addresses",
1113                RFC 6620, DOI 10.17487/RFC6620, May 2012.

1116     [RFC7039]  Wu, J., Bi, J., Bagnulo, M., Baker, F., and C. Vogt, Ed.,
1117                "Source Address Validation Improvement (SAVI) Framework",
1118                RFC 7039, DOI 10.17487/RFC7039, October 2013.

1121     [RFC7219]  Bagnulo, M. and A. Garcia-Martinez, "SEcure Neighbor
1122                Discovery (SEND) Source Address Validation Improvement
1123                (SAVI)", RFC 7219, DOI 10.17487/RFC7219, May 2014.

1126     [RFC7513]  Bi, J., Wu, J., Yao, G., and F. Baker, "Source Address
1127                Validation Improvement (SAVI) Solution for DHCP",
1128                RFC 7513, DOI 10.17487/RFC7513, May 2015.

1131  12.2.  Informative References

1133     [RFC2223]  Postel, J. and J. Reynolds, "Instructions to RFC Authors",
1134                RFC 2223, DOI 10.17487/RFC2223, October 1997.

1137     [RFC2629]  Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
1138                DOI 10.17487/RFC2629, June 1999.

1141     [RFC2863]  McCloghrie, K. and F. Kastenholz, "The Interfaces Group
1142                MIB", RFC 2863, DOI 10.17487/RFC2863, June 2000.

1145     [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
1146                "Introduction and Applicability Statements for Internet-
1147                Standard Management Framework", RFC 3410,
1148                DOI 10.17487/RFC3410, December 2002.

1151     [RFC4181]  Heard, C., Ed., "Guidelines for Authors and Reviewers of
1152                MIB Documents", BCP 111, RFC 4181, DOI 10.17487/RFC4181,
1153                September 2005.

1155     [RFC4293]  Routhier, S., Ed., "Management Information Base for the
1156                Internet Protocol (IP)", RFC 4293, DOI 10.17487/RFC4293,
1157                April 2006.

1159  12.3.  URL References

1161     [idguidelines]
1162                IETF Internet Drafts editor,
1163                "http://www.ietf.org/ietf/1id-guidelines.txt".

1165     [idnits]   IETF Internet Drafts editor,
1166                "http://www.ietf.org/ID-Checklist.html".

1168     [ietf]     IETF Tools Team, "http://tools.ietf.org".

1170     [ops]      the IETF OPS Area, "http://www.ops.ietf.org".

1172     [xml2rfc]  XML2RFC tools and documentation,
1173                "http://xml.resource.org".

1175  Appendix A.  Change Log

1177     From draft 00 to draft 01

1179     o  Change the value range of object saviObjectsSystemMode and add a
1180        new value savi-send(6).

1182     From draft 01 to draft 02

1184     o  Change saviObjectsTrustStatus into two booleans, one is
1185        saviObjectsDhcpTrustStatus, another is saviObjectsRaTrustStatus.

1187     o  Change the character string saviObjectsIf to saviObjectsPort
1188        globally.

1190     o  Change saviObjectsBindingState according to the latest version of
1191        solution drafts.

1193     From draft 02 to draft 03

1195     o  Add a new object saviObjectsPortBindRecoveryAttr, and change the
1196        object saviObjectsPortRaTrustStatus to saviObjectsPortTrustAttr
1197        according to the latest version of solution drafts and RFC.

1199     o  Change the value range and meaning of saviObjectsBindingState
1200        according to the latest version of solution drafts and RFC.

1202     o  Change the value range of object saviObjectsBindingType, add a new
1203        value send(4), and change the value static(1) to manual(1).

1205     From draft 03 to draft 04

1207     o  Add three new objects according to the latest version of solution
1208        drafts and RFC, i.e. saviObjectsSystemTentLT,
1209        saviObjectsSystemDefaultLT, saviObjectsSystemTWAIT.

1211     From draft 04 to draft 05

1213     o  Add two new objects according to the latest version of solution
1214        drafts and RFC, i.e. saviObjectsBindingCreationtime,
1215        saviObjectsBindingTID.

1217     From draft 05 to draft 06

1219     o  Add three new objects, saviObjectsSystemDadTimeout,
1220        saviObjectsPortDhcpSnoopingAttr and
1221        saviObjectsPortDataSnoopingAttr.

1223     o  Replace object saviObjectsSystemBindRecoveryInterval with
1224        saviObjectsSystemDataSnoopingInterval.

1226     o  Replace object saviObjectsPortSAVISAVIAttr with
1227        saviObjectsPortTrustAttr.

1229     o  Delete object saviObjectsPortBindRecoveryAttr.

1231     From draft 06 to draft 07

1233     o  Replace object saviObjectsSystemDadTimeout with
1234        saviObjectsSystemDetectionTimeout.

1236     From draft 07 to draft 08

1238     o  Add a new table to count the fail packets of each interface.

1240     From draft 08 to draft 09

1242     o  Change the value range and meaning of saviObjectsBindingState
1243        according to the latest version of solution RFC.

1245     From draft 09 to draft 10

1247     o  Replace object saviObjectsSystemMode with
1248        saviObjectsSystemSlaacEnable, saviObjectsSystemDhcpEnable,
1249        saviObjectsSystemSendEnable, saviObjectsManualEnable.

1251     From draft 10 to draft 11

1253     o  Add a new table SaviObjectsPreferenceTable to reflect the
1254        preference of each savi method.

1256     From draft 11 to draft 12

1258     o  Replace object saviObjectsBindingType with
1259        saviObjectsBindingMethod.

1261     From draft 12 to draft 13

1263     o  Add a new object saviObjectsCountFilterOctets to count the octets
1264        dropped by SAVI protocol.

1266  Appendix B.  Open Issues

1268     Note to RFC Editor: please remove this appendix before publication as
1269     an RFC.

1271  Authors' Addresses

1273     Changqing An
1274     Tsinghua University
1275     Institute for Network Sciences and Cyberspace, Tsinghua University
1276     Beijing  100084
1277     China

1279     Phone: +86 10 62603113
1280     EMail: acq@cernet.edu.cn

1282     Jiahai Yang
1283     Tsinghua University
1284     Institute for Network Sciences and Cyberspace, Tsinghua University
1285     Beijing  100084
1286     China

1288     Phone: +86 10 62783492
1289     EMail: yang@cernet.edu.cn

1291     Jianping Wu
1292     Tsinghua University
1293     Institute for Network Sciences and Cyberspace, Tsinghua University
1294     Beijing  100084
1295     China

1297     EMail: jianping@cernet.edu.cn

1299     Jun Bi
1300     Tsinghua University
1301     Institute for Network Sciences and Cyberspace, Tsinghua University
1302     Beijing  100084
1303     China

1305     EMail: junbi@cernet.edu.cn