Cisco Systems                                                    F. Baker
Internet-Draft                                              Cisco Systems
Expires: September 30, 2003                                    April 2003

                  Cisco Lawful Intercept Control MIB
                        draft-baker-slem-mib-00

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026 except that the right to
   produce derivative works is not granted.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on September 30, 2003.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   This document describes an SNMP V3 MIB for controlling the Lawful
   Intercept architecture described in the associated document.

   Any comments on this document should be sent to:
   li-comment@external.cisco.com

Table of Contents

   1.   Introduction
   2.   Theory of Operations
   2.1  Mediation Device Sessions
   2.2  Intercepted Data Streams
   3.   The Management Information Base
   4.   Security Considerations
   5.   Acknowledgements
        Normative References
        Informative References
        Author's Address
        Intellectual Property and Copyright Statements

1. Introduction

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [5].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [1], STD 58, RFC 2579 [2], and STD 58, RFC 2580 [3].

2. Theory of Operations

   The essential information described in the Lawful Intercept MIB is
   the relationship between the Mediation Device and the Intercept
   Access Point, and the data which is diverted into that connection.

2.1 Mediation Device Sessions

   The Mediation Device, or MD, is, simply, the device which serves as a
   formal interface between the parties imposing the intercept and the
   network in which the intercept occurs.
   It is operated by a trusted administration, by definition, and has
   the responsibilities of

   o  Configuring Intercept Access Points (IAP, usually routers and
      switches) to intercept data to it,

   o  Accepting that data,

   o  Selecting a subset of the data to report to the appropriate
      authority, and

   o  Delivering the data to the authority.

   Each such session represents a separate and identifiable data stream,
   such as the traffic to and from a particular subscriber.  If there are
   multiple intercepts in place for multiple agencies but requesting the
   same data, it is preferable that the Mediation Device program the
   Intercept Access Point to intercept the data once, and have the
   Mediation Device deliver separate copies to the various agencies.
   However, it is imaginable that the data streams would be sufficiently
   different that it is simpler to understand them as separate intercept
   orders.

   A note on transports is in order.  There are a number of ways to
   convey information from an intercepting device to the Mediation
   Device.  One could simply dump Ethernet traffic onto a dedicated
   Ethernet port, encapsulate in UDP, encapsulate in UDP per the
   PacketCable specification, encapsulate in TCP or some other "normal"
   transport, or something else.  One that Cisco has looked at closely is
   the use of the Nack-Oriented Retransmission feature of RTP, being
   discussed in the IETF.  When standardized, this has the relatively
   nice attributes of being able to reliably deliver an intercepted data
   stream to a Mediation Device without many of the overheads or
   start-up issues of a TCP session.

   The key attributes of a session between a Mediation Device and an
   Intercept Access Point are:

   Content ID:  An identifier for the MD<->IAP Session.

   Destination Address Type:  The type of address for the MD (IPv4 or
      IPv6).

   Destination Address:  The address of the MD.
   Destination Port:  The UDP port number to which data is sent.

   Source Interface:  The interface (hardware and address) the IAP will
      use to transmit the data.

   RTCP Port:  If RTP NOR is used (future), the port number used for
      RTCP messages.

   DSCP:  The DSCP that intercept data will carry.

   Data Stream Type:  If RTP NOR is used (future), the data type for
      data.

   Retransmission Stream Type:  If RTP NOR is used (future), the data
      type for retransmissions.

   Time-out:  The interval after which a session is dropped if
      communication to the MD is lost.

   Transport:  The transport protocol used for intercepted data.

   Notification Enable:  Whether notifications are in use for this
      session.

   Status:  Controls to activate and de-activate sessions with the
      Mediation Device.

2.2 Intercepted Data Streams

   The data stream intercepted to the MD on a particular IAP must be
   specified.  Depending on the relevant law and warrant, it may be
   necessary to intercept all data on a specified interface, all IP or
   Ethernet data to or from a specified address, or something as
   specific as a single voice out of a teleconference.  The tables which
   describe this data are referred to as "stream tables".  In this MIB,
   we show a stream table for IP traffic and a stream table for Ethernet
   traffic; other stream tables are possible as well.  The key elements
   of every stream table are:

   Content ID:  The Content ID of the Session with the MD that this data
      stream is associated with.

   Index:  An enumeration of the data stream itself (there might be
      several).

   N-Tuple:  Parameters that permit selection of the data stream
      according to the relevant architecture.

   Intercept Enable:  It may be appropriate to enable and disable
      interception of a given data stream.

   Intercepted packet counter:  Counts packets intercepted in this data
      stream.
   Intercepted Packet Drops:  Counts packets that matched the criterion
      but could not be intercepted.

   Status:  Controls to activate and de-activate streams.

3. The Management Information Base

   -- *****************************************************************
   -- CISCO-TAP-MIB.my:  Cisco intercept ("tap") MIB
   --
   -- December 2001, Fred Baker
   -- July 2002, Edward Pham
   --
   -- Copyright (c) 2001-2002 by Cisco Systems, Inc.
   -- All rights reserved.
   --
   -- *****************************************************************
   -- $Log:
   --
   -- *****************************************************************
   -- $Endlog$
   --

   CISCO-TAP-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY,
       OBJECT-TYPE,
       NOTIFICATION-TYPE,
       Integer32,
       Unsigned32,
       Counter32          -- used by the stream table packet counters
           FROM SNMPv2-SMI
       MODULE-COMPLIANCE,
       OBJECT-GROUP,
       NOTIFICATION-GROUP
           FROM SNMPv2-CONF
       InetAddressType,
       InetAddress,
       InetAddressPrefixLength,
       InetPortNumber
           FROM INET-ADDRESS-MIB
       RowStatus,
       TruthValue,
       DateAndTime,
       MacAddress
           FROM SNMPv2-TC
       SnmpAdminString
           FROM SNMP-FRAMEWORK-MIB
       InterfaceIndexOrZero
           FROM IF-MIB
       Dscp
           FROM CISCO-QOS-PIB-MIB
       ciscoMgmt
           FROM CISCO-SMI;

   cTapMIB MODULE-IDENTITY
       LAST-UPDATED "200207250000Z"
       ORGANIZATION "Cisco Systems, Inc."
       CONTACT-INFO
           "       Cisco Systems
                   Customer Service

           Postal: 170 W. Tasman Drive
                   San Jose, CA  95134
                   USA

              Tel: +1 800 553-NETS

           E-mail: li-comment@cisco.com"
       DESCRIPTION
           "This module manages Cisco's intercept feature."
       REVISION "200207250000Z"
       DESCRIPTION
           "Initial version of this MIB module."
       ::= { ciscoMgmt 252 }

   cTapMIBNotifications  OBJECT IDENTIFIER ::= { cTapMIB 0 }
   cTapMIBObjects        OBJECT IDENTIFIER ::= { cTapMIB 1 }
   cTapMIBConformance    OBJECT IDENTIFIER ::= { cTapMIB 2 }

   cTapMediationGroup    OBJECT IDENTIFIER ::= { cTapMIBObjects 1 }
   cTapStreamGroup       OBJECT IDENTIFIER ::= { cTapMIBObjects 2 }
   cTapDebugGroup        OBJECT IDENTIFIER ::= { cTapMIBObjects 3 }

   -- cTapMediationNewIndex is defined to allow a network manager
   -- to create a new Mediation Table entry and its corresponding
   -- Stream Table entries without necessarily knowing what other
   -- entries might exist.

   cTapMediationNewIndex OBJECT-TYPE
       SYNTAX      Integer32 (1..2147483647)
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This object contains a value which may be used as an index
           value for a new cTapMediationEntry.  Whenever read, the agent
           will change the value to a new non-conflicting value.  This is
           to reduce the probability of errors during creation of new
           cTapMediationTable entries."
       ::= { cTapMediationGroup 1 }

   -- The Tap Mediation Table lists the applications, by address and
   -- port number, to which traffic may be intercepted.  These may be
   -- on the same or different Mediation Devices.

   cTapMediationTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF CTapMediationEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table lists the Mediation Devices with which the
           intercepting device communicates.  These may be on the same or
           different Mediation Devices.

           This table is written by the Mediation Device, and is always
           volatile.  This is because intercepts may disappear during a
           restart of the intercepting equipment."
       ::= { cTapMediationGroup 2 }

   cTapMediationEntry OBJECT-TYPE
       SYNTAX      CTapMediationEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The entry describes a single session maintained with an
           application on a Mediation Device."
       INDEX { cTapMediationContentId }
       ::= { cTapMediationTable 1 }

   CTapMediationEntry ::= SEQUENCE {
       cTapMediationContentId           Integer32,
       cTapMediationDestAddressType     InetAddressType,
       cTapMediationDestAddress         InetAddress,
       cTapMediationDestPort            InetPortNumber,
       cTapMediationSrcInterface        InterfaceIndexOrZero,
       cTapMediationRtcpPort            InetPortNumber,
       cTapMediationDscp                Dscp,
       cTapMediationDataType            Integer32,
       cTapMediationRetransmitType      Integer32,
       cTapMediationTimeout             DateAndTime,
       cTapMediationTransport           INTEGER,
       cTapMediationNotificationEnable  TruthValue,
       cTapMediationStatus              RowStatus
   }

   cTapMediationContentId OBJECT-TYPE
       SYNTAX      Integer32 (1..2147483647)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "cTapMediationContentId is a session identifier, from the
           intercept application's perspective, and a content identifier
           from the Mediation Device's perspective.  The Mediation Device
           is responsible for making sure these are unique, although the
           SNMP RowStatus row creation process will help by not allowing
           it to create conflicting entries.  Before creating a new entry,
           a value for this variable may be obtained by reading
           cTapMediationNewIndex to reduce the probability of a value
           collision."
       ::= { cTapMediationEntry 1 }

   cTapMediationDestAddressType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The type of cTapMediationDestAddress."
       ::= { cTapMediationEntry 2 }

   cTapMediationDestAddress OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The IP Address of the Mediation Device's network interface
           to which to direct intercepted traffic."
       ::= { cTapMediationEntry 3 }

   cTapMediationDestPort OBJECT-TYPE
       SYNTAX      InetPortNumber
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The port number on the Mediation Device's network interface
           to which to direct intercepted traffic."
       ::= { cTapMediationEntry 4 }

   cTapMediationSrcInterface OBJECT-TYPE
       SYNTAX      InterfaceIndexOrZero
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The interface on the intercepting device from which to
           transmit intercepted data.  If zero, any interface may be used
           according to normal IP practice."
       ::= { cTapMediationEntry 5 }

   cTapMediationRtcpPort OBJECT-TYPE
       SYNTAX      InetPortNumber
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The port number on the intercepting device to which the
           Mediation Device directs RTCP Receiver Reports and Nacks.
           This object is only relevant when the value of
           cTapMediationTransport is 'rtpNack'.

           This port is assigned by the intercepting device, rather than
           by the Mediation Device or manager application.  The value of
           this MIB object has no effect before activating the
           cTapMediationEntry."
       ::= { cTapMediationEntry 6 }

   cTapMediationDscp OBJECT-TYPE
       SYNTAX      Dscp
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The Differentiated Services Code Point the intercepting
           device applies to the IP packets encapsulating the
           intercepted traffic."
       DEFVAL { 34 }   -- by default, AF41, code 100010
       ::= { cTapMediationEntry 7 }

   cTapMediationDataType OBJECT-TYPE
       SYNTAX      Integer32 (0..127)
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "If RTP with Ack/Nack resilience is selected as a transport,
           the mediation process requires an RTP payload type for data
           transmissions, and a second RTP payload type for
           retransmissions.  This is the RTP payload type for
           transmissions.

           This object is only effective when the value of
           cTapMediationTransport is 'rtpNack'."
       DEFVAL { 0 }
       ::= { cTapMediationEntry 8 }

   cTapMediationRetransmitType OBJECT-TYPE
       SYNTAX      Integer32 (0..127)
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "If RTP with Ack/Nack resilience is selected as a transport,
           the mediation process requires an RTP payload type for data
           transmissions, and a second RTP payload type for
           retransmissions.  This is the RTP payload type for
           retransmissions.

           This object is only effective when the value of
           cTapMediationTransport is 'rtpNack'."
       DEFVAL { 0 }
       ::= { cTapMediationEntry 9 }

   cTapMediationTimeout OBJECT-TYPE
       SYNTAX      DateAndTime
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The time at which this row and all related Stream Table rows
           should be automatically removed, and the intercept function
           cease.  Since the initiating network manager may be the only
           device able to manage a specific intercept or know of its
           existence, this acts as a fail-safe for the failure or removal
           of the network manager.  The object is only effective when the
           value of cTapMediationStatus is 'active'."
       ::= { cTapMediationEntry 10 }

   cTapMediationTransport OBJECT-TYPE
       SYNTAX      INTEGER {
                       udp(1),
                       rtpNack(2),
                       tcp(3),
                       sctp(4)
                   }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The protocol used in transferring intercepted data to the
           Mediation Device.  The following protocols may be supported:
               udp:      PacketCable udp format
               rtpNack:  RTP with Nack resilience
               tcp:      TCP with head of line blocking
               sctp:     SCTP with head of line blocking"
       ::= { cTapMediationEntry 11 }

   cTapMediationNotificationEnable OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This variable controls the generation of any notifications or
           informs by the MIB agent for this table entry."
       DEFVAL { true }
       ::= { cTapMediationEntry 12 }

   cTapMediationStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The status of this conceptual row.  This object is used to
           manage creation, modification and deletion of rows in this
           table.

           cTapMediationTimeout may be modified at any time (even while
           the row is active).  But when the row is active, the other
           writable objects may not be modified without setting its value
           to 'notInService'.

           The entry may not be deleted or deactivated by setting its
           value to 'destroy' or 'notInService' if there is any associated
           entry in cTapStreamIpTable, or other such tables when such are
           defined."
       ::= { cTapMediationEntry 13 }

   --
   -- cTapMediationCapabilities
   --

   cTapMediationCapabilities OBJECT-TYPE
       SYNTAX      BITS {
                       ipV4SrcInterface(0),
                       ipV6SrcInterface(1),
                       udp(2),
                       rtpNack(3),
                       tcp(4),
                       sctp(5)
                   }
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This object displays the device capabilities with respect to
           certain fields in Mediation Device table.
           This may be dependent on hardware capabilities, software
           capabilities.  The following values may be supported:

           ipV4SrcInterface:  SNMP ifIndex Value may be used to select
                              the interface (denoted by
                              cTapMediationSrcInterface) on the
                              intercepting device from which to
                              transmit intercepted data to an IPv4
                              address Mediation Device.

           ipV6SrcInterface:  SNMP ifIndex Value may be used to select
                              the interface (denoted by
                              cTapMediationSrcInterface) on the
                              intercepting device from which to
                              transmit intercepted data to an IPv6
                              address Mediation Device.

           udp:               UDP may be used as transport protocol
                              (denoted by cTapMediationTransport) in
                              transferring intercepted data to the
                              Mediation Device.

           rtpNack:           RTP with Nack resilience may be used
                              as transport protocol (denoted by
                              cTapMediationTransport) in transferring
                              intercepted data to the Mediation
                              Device.

           tcp:               TCP may be used as transport protocol
                              (denoted by cTapMediationTransport) in
                              transferring intercepted data to the
                              Mediation Device.

           sctp:              SCTP may be used as transport protocol
                              (denoted by cTapMediationTransport) in
                              transferring intercepted data to the
                              Mediation Device."
       ::= { cTapMediationGroup 3 }

   --
   -- the stream tables
   --
   -- In the initial version of the MIB, only IPv4 and IPv6 intercept is
   -- defined.  It is expected that in the future other types of
   -- intercepts may be required; these will be defined in tables like
   -- the cTapStreamIpTable with appropriate attributes.  Such tables,
   -- when defined, will be used by the Mediation Entry in exactly the
   -- same way that the cTapStreamIpTable is used.
   --
   -- Such Tables all belong in cTapStreamGroup.
   --

   cTapStreamCapabilities OBJECT-TYPE
       SYNTAX      BITS {
                       tapEnable(0),
                       interface(1),
                       ipV4(2),
                       ipV6(3),
                       l4Port(4),
                       dscp(5),
                       dstMacAddr(6),
                       srcMacAddr(7),
                       ethernetPid(8),
                       dstLlcSap(9),
                       srcLlcSap(10)
                   }
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This object displays what types of intercept streams can be
           configured on this type of device.  This may be dependent on
           hardware capabilities, software capabilities.  The following
           fields may be supported:

           interface:    SNMP ifIndex Value may be used to select
                         interception of all data crossing an
                         interface or set of interfaces.
           tapEnable:    set if table entries with
                         cTapStreamIpInterceptEnable set to 'false'
                         are used to pre-screen packets for intercept;
                         otherwise these entries are ignored.
           ipV4:         IPv4 Address or prefix may be used to select
                         traffic to be intercepted.
           ipV6:         IPv6 Address or prefix may be used to select
                         traffic to be intercepted.
           l4Port:       TCP/UDP Ports may be used to select traffic
                         to be intercepted.
           dscp:         DSCP may be used to select traffic to be
                         intercepted.
           dstMacAddr:   Destination MAC Address may be used to select
                         traffic to be intercepted.
           srcMacAddr:   Source MAC Address may be used to select
                         traffic to be intercepted.
           ethernetPid:  Ethernet Protocol Identifier may be used to
                         select traffic to be intercepted.
           dstLlcSap:    IEEE 802.2 Destination SAP may be used to
                         select traffic to be intercepted.
           srcLlcSap:    IEEE 802.2 Source SAP may be used to select
                         traffic to be intercepted."
       ::= { cTapStreamGroup 1 }

   --
   -- The 'access list' for intercepting data at the IP network
   -- layer
   --

   cTapStreamIpTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF CTapStreamIpEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The Intercept Stream IP Table lists the IPv4 and IPv6 streams
           to be intercepted.
           The same data stream may be required by multiple taps, and one
           might assume that often the intercepted stream is a small
           subset of the traffic that could be intercepted.

           This essentially provides options for packet selection, only
           some of which might be used.  For example, if all traffic to or
           from a given interface is to be intercepted, one would
           configure an entry which lists the interface, and wild-card
           everything else.  If all traffic to or from a given IP Address
           is to be intercepted, one would configure two such entries
           listing the IP Address as source and destination respectively,
           and wild-card everything else.  If a particular voice on a
           teleconference is to be intercepted, on the other hand, one
           would extract the multicast (destination) IP address, the
           source IP Address, the protocol (UDP), and the source and
           destination ports from the call control exchange and list all
           necessary information.

           The first index indicates which Mediation Device the
           intercepted traffic will be diverted to.  The second index
           permits multiple classifiers to be used together, such as
           having an IP address as source or destination."
       ::= { cTapStreamGroup 2 }

   cTapStreamIpEntry OBJECT-TYPE
       SYNTAX      CTapStreamIpEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A stream entry indicates a single data stream to be
           intercepted to a Mediation Device.  Many selected data
           streams may go to the same application interface, and many
           application interfaces are supported."
       INDEX { cTapMediationContentId, cTapStreamIpIndex }
       ::= { cTapStreamIpTable 1 }

   CTapStreamIpEntry ::= SEQUENCE {
       cTapStreamIpIndex                Integer32,
       cTapStreamIpInterface            Integer32,
       cTapStreamIpAddrType             InetAddressType,
       cTapStreamIpDestinationAddress   InetAddress,
       cTapStreamIpDestinationLength    InetAddressPrefixLength,
       cTapStreamIpSourceAddress        InetAddress,
       cTapStreamIpSourceLength         InetAddressPrefixLength,
       cTapStreamIpTosByte              Integer32,
       cTapStreamIpTosByteMask          Integer32,
       cTapStreamIpFlowId               Integer32,
       cTapStreamIpProtocol             Integer32,
       cTapStreamIpDestL4PortMin        InetPortNumber,
       cTapStreamIpDestL4PortMax        InetPortNumber,
       cTapStreamIpSourceL4PortMin      InetPortNumber,
       cTapStreamIpSourceL4PortMax      InetPortNumber,
       cTapStreamIpInterceptEnable      TruthValue,
       cTapStreamIpInterceptedPackets   Counter32,
       cTapStreamIpInterceptDrops       Counter32,
       cTapStreamIpStatus               RowStatus
   }

   cTapStreamIpIndex OBJECT-TYPE
       SYNTAX      Integer32 (1..2147483647)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The index of the stream itself."
       ::= { cTapStreamIpEntry 1 }

   cTapStreamIpInterface OBJECT-TYPE
       SYNTAX      Integer32 (-1 | 0 | 1..2147483647)
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The ifIndex value of the interface over which traffic to be
           intercepted is received or transmitted.  The interface may be
           physical or virtual.  If this is the only parameter specified,
           and it is other than -1 or 0, all traffic on the selected
           interface will be chosen.

           If the value is zero, matching traffic may be received or
           transmitted on any interface.  Additional selection parameters
           must be selected to limit the scope of traffic intercepted.
           This is most useful on non-routing platforms or on intercepts
           placed elsewhere than a subscriber interface.
           If the value is -1, one or both of
           cTapStreamIpDestinationAddress and cTapStreamIpSourceAddress
           must be specified with prefix length greater than zero.
           Matching traffic on the interface pointed to by ipRouteIfIndex
           or ipCidrRouteIfIndex values associated with those values is
           intercepted, whichever is specified to be more focused than a
           default route.  If routing changes, either by operator action
           or by routing protocol events, the interface will change with
           it.  This is primarily intended for use on subscriber
           interfaces and other places where routing is guaranteed to be
           symmetrical.

           In both of these cases, it is possible to have the same packet
           selected for interception on both its ingress and egress
           interface.  Nonetheless, only one instance of the packet is
           sent to the Mediation Device.

           This value must be set when creating a stream entry, either to
           select an interface, to select all interfaces, or to select
           the interface that routing chooses.  Some platforms may not
           implement the entire range of options."
       REFERENCE "RFC 1213, RFC 2096"
       ::= { cTapStreamIpEntry 2 }

   cTapStreamIpAddrType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The type of address, used in packet selection."
       DEFVAL { ipv4 }
       ::= { cTapStreamIpEntry 3 }

   cTapStreamIpDestinationAddress OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The Destination address or prefix used in packet selection.
           This address will be of the type specified in
           cTapStreamIpAddrType."
       DEFVAL { '00000000'H }   -- 0.0.0.0
       ::= { cTapStreamIpEntry 4 }

   cTapStreamIpDestinationLength OBJECT-TYPE
       SYNTAX      InetAddressPrefixLength
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The length of the Destination Prefix.  A value of zero causes
           all addresses to match.
           This prefix length will be consistent with the type specified
           in cTapStreamIpAddrType."
       DEFVAL { 0 }   -- by default, any destination address
       ::= { cTapStreamIpEntry 5 }

   cTapStreamIpSourceAddress OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The Source Address used in packet selection.  This address
           will be of the type specified in cTapStreamIpAddrType."
       DEFVAL { '00000000'H }   -- 0.0.0.0
       ::= { cTapStreamIpEntry 6 }

   cTapStreamIpSourceLength OBJECT-TYPE
       SYNTAX      InetAddressPrefixLength
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The length of the Source Prefix.  A value of zero causes all
           addresses to match.  This prefix length will be consistent
           with the type specified in cTapStreamIpAddrType."
       DEFVAL { 0 }   -- by default, any source address
       ::= { cTapStreamIpEntry 7 }

   cTapStreamIpTosByte OBJECT-TYPE
       SYNTAX      Integer32 (0..255)
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The value of the TOS byte, when masked with
           cTapStreamIpTosByteMask, of traffic to be intercepted.
           If cTapStreamIpTosByte & (~cTapStreamIpTosByteMask) != 0,
           configuration is rejected."
       DEFVAL { 0 }
       ::= { cTapStreamIpEntry 8 }

   cTapStreamIpTosByteMask OBJECT-TYPE
       SYNTAX      Integer32 (0..255)
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The value of the TOS byte in an IPv4 or IPv6 header is ANDed
           with cTapStreamIpTosByteMask and compared with
           cTapStreamIpTosByte.

           If the values are equal, the comparison is equal.  If the mask
           is zero and the TosByte value is zero, the result is to always
           accept."
       DEFVAL { 0 }   -- by default, any DSCP or other TOS byte value
       ::= { cTapStreamIpEntry 9 }

   cTapStreamIpFlowId OBJECT-TYPE
       SYNTAX      Integer32 (-1 | 0..1048575)
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The flow identifier in an IPv6 header.
           -1 indicates that the Flow Id is unused."
       DEFVAL { -1 }   -- by default, any flow identifier value
       ::= { cTapStreamIpEntry 10 }

   cTapStreamIpProtocol OBJECT-TYPE
       SYNTAX      Integer32 (-1 | 0..255)
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The IP protocol to match against the IPv4 protocol number or
           the IPv6 Next-Header number in the packet.  -1 means 'any IP
           protocol'."
       DEFVAL { -1 }   -- by default, any IP protocol
       ::= { cTapStreamIpEntry 11 }

   cTapStreamIpDestL4PortMin OBJECT-TYPE
       SYNTAX      InetPortNumber
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The minimum value that the layer-4 destination port number in
           the packet must have in order to match.  This value must be
           equal to or less than the value specified for this entry in
           cTapStreamIpDestL4PortMax.

           If both cTapStreamIpDestL4PortMin and cTapStreamIpDestL4PortMax
           are at their default values, the port number is effectively
           unused."
       DEFVAL { 0 }   -- by default, any transport layer port number
       ::= { cTapStreamIpEntry 12 }

   cTapStreamIpDestL4PortMax OBJECT-TYPE
       SYNTAX      InetPortNumber
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The maximum value that the layer-4 destination port number in
           the packet must have in order to match this classifier entry.
           This value must be equal to or greater than the value specified
           for this entry in cTapStreamIpDestL4PortMin.

           If both cTapStreamIpDestL4PortMin and cTapStreamIpDestL4PortMax
           are at their default values, the port number is effectively
           unused."
       DEFVAL { 65535 }   -- by default, any transport layer port number
       ::= { cTapStreamIpEntry 13 }

   cTapStreamIpSourceL4PortMin OBJECT-TYPE
       SYNTAX      InetPortNumber
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The minimum value that the layer-4 source port number in
           the packet must have in order to match.
            This value must be
            equal to or less than the value specified for this entry in
            cTapStreamIpSourceL4PortMax.

            If both cTapStreamIpSourceL4PortMin and
            cTapStreamIpSourceL4PortMax are at their default values, the
            port number is effectively unused."
        DEFVAL { 0 } -- by default, any transport layer port number
        ::= { cTapStreamIpEntry 14 }

    cTapStreamIpSourceL4PortMax OBJECT-TYPE
        SYNTAX InetPortNumber
        MAX-ACCESS read-create
        STATUS current
        DESCRIPTION
            "The maximum value that the layer-4 source port number in
            the packet must have in order to match this classifier entry.
            This value must be equal to or greater than the value specified
            for this entry in cTapStreamIpSourceL4PortMin.

            If both cTapStreamIpSourceL4PortMin and
            cTapStreamIpSourceL4PortMax are at their default values, the
            port number is effectively unused."
        DEFVAL { 65535 } -- by default, any transport layer port number
        ::= { cTapStreamIpEntry 15 }

    cTapStreamIpInterceptEnable OBJECT-TYPE
        SYNTAX TruthValue
        MAX-ACCESS read-create
        STATUS current
        DESCRIPTION
            "If 'true', the tap should intercept matching traffic.
            If 'false', this entry is used to pre-screen packets for
            intercept."
        DEFVAL { true }
        ::= { cTapStreamIpEntry 16 }

    cTapStreamIpInterceptedPackets OBJECT-TYPE
        SYNTAX Counter32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The number of packets matching this data stream specification
            that have been intercepted."
        ::= { cTapStreamIpEntry 17 }

    cTapStreamIpInterceptDrops OBJECT-TYPE
        SYNTAX Counter32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The number of packets matching this data stream specification
            that, having been intercepted, were dropped in the lawful
            intercept process."
        ::= { cTapStreamIpEntry 18 }

    cTapStreamIpStatus OBJECT-TYPE
        SYNTAX RowStatus
        MAX-ACCESS read-create
        STATUS current
        DESCRIPTION
            "The status of this conceptual row. This object manages
            creation, modification, and deletion of rows in this table.
            cTapStreamIpInterceptEnable may be modified at any time, even
            when the value of this entry's RowStatus object is 'active'.
            When other objects in the row must be changed, cTapStreamIpStatus
            must first be set to 'notInService'."
        ::= { cTapStreamIpEntry 19 }

    --
    -- The "access list" for intercepting data at the IEEE 802
    -- link layer
    --

    cTapStream802Table OBJECT-TYPE
        SYNTAX SEQUENCE OF CTapStream802Entry
        MAX-ACCESS not-accessible
        STATUS current
        DESCRIPTION
            "The Intercept Stream 802 Table lists the IEEE 802 data streams
            to be intercepted. The same data stream may be required by
            multiple taps, and one might assume that often the intercepted
            stream is a small subset of the traffic that could be
            intercepted.

            This essentially provides options for packet selection, only
            some of which might be used. For example, if all traffic to or
            from a given interface is to be intercepted, one would
            configure an entry which lists the interface, and wild-card
            everything else. If all traffic to or from a given MAC Address
            is to be intercepted, one would configure two such entries
            listing the MAC Address as source and destination respectively,
            and wild-card everything else.

            The first index indicates which Mediation Device the
            intercepted traffic will be diverted to. The second index
            permits multiple classifiers to be used together, such as
            having a MAC address as source or destination.
            "
        ::= { cTapStreamGroup 3 }

    cTapStream802Entry OBJECT-TYPE
        SYNTAX CTapStream802Entry
        MAX-ACCESS not-accessible
        STATUS current
        DESCRIPTION
            "A stream entry indicates a single data stream to be
            intercepted to a Mediation Device. Many selected data
            streams may go to the same application interface, and many
            application interfaces are supported."
        INDEX { cTapMediationContentId, cTapStream802Index }
        ::= { cTapStream802Table 1 }

    CTapStream802Entry ::= SEQUENCE {
        cTapStream802Index                Integer32,
        cTapStream802Fields               BITS,
        cTapStream802Interface            Integer32,
        cTapStream802DestinationAddress   MacAddress,
        cTapStream802SourceAddress        MacAddress,
        cTapStream802EthernetPid          Integer32,
        cTapStream802SourceLlcSap         Integer32,
        cTapStream802DestinationLlcSap    Integer32,
        cTapStream802InterceptEnable      TruthValue,
        cTapStream802InterceptedPackets   Counter32,
        cTapStream802InterceptDrops       Counter32,
        cTapStream802Status               RowStatus
    }

    cTapStream802Index OBJECT-TYPE
        SYNTAX Integer32 (1..2147483647)
        MAX-ACCESS not-accessible
        STATUS current
        DESCRIPTION
            "The index of the stream itself."
        ::= { cTapStream802Entry 1 }

    cTapStream802Fields OBJECT-TYPE
        SYNTAX BITS {
            interface(0),
            dstMacAddress(1),
            srcMacAddress(2),
            ethernetPid(3),
            dstLlcSap(4),
            srcLlcSap(5)
        }
        MAX-ACCESS read-create
        STATUS current
        DESCRIPTION
            "This object displays what attributes must be tested to
            identify traffic which requires interception. The packet
            matches if all flagged fields match.

            interface:      indicates that traffic on the stated
                            interface is to be intercepted
            dstMacAddress:  indicates that traffic destined to a
                            given address should be intercepted
            srcMacAddress:  indicates that traffic sourced from a
                            given address should be intercepted
            ethernetPid:    indicates that traffic with a stated
                            Ethernet Protocol Identifier should be
                            intercepted
            dstLlcSap:      indicates that traffic with a certain
                            802.2 LLC Destination SAP should be
                            intercepted
            srcLlcSap:      indicates that traffic with a certain
                            802.2 LLC Source SAP should be
                            intercepted

            At least one of the bits has to be set in order to activate an
            entry. If the bit is not on, the corresponding MIB object
            value has no effect, and need not be specified when creating
            the entry."
        ::= { cTapStream802Entry 2 }

    cTapStream802Interface OBJECT-TYPE
        SYNTAX Integer32 (-1 | 0 | 1..2147483647)
        MAX-ACCESS read-create
        STATUS current
        DESCRIPTION
            "The ifIndex value of the interface over which traffic to be
            intercepted is received or transmitted. The interface may be
            physical or virtual. If this is the only parameter specified,
            and it is other than -1 or 0, all traffic on the selected
            interface will be chosen.

            If the value is zero, matching traffic may be received or
            transmitted on any interface. Additional selection parameters
            must be selected to limit the scope of traffic intercepted.
            This is most useful on non-routing platforms or on intercepts
            placed elsewhere than a subscriber interface.

            If the value is -1, one or both of
            cTapStream802DestinationAddress and cTapStream802SourceAddress
            must be specified. Matching traffic on the interface pointed
            to by the dot1dTpFdbPort values associated with those values is
            intercepted, whichever is specified.
            If dot1dTpFdbPort
            changes, either by operator action or by protocol events, the
            interface will change with it. This is primarily intended for
            use on subscriber interfaces and other places where routing is
            guaranteed to be symmetrical.

            In both of these cases, it is possible to have the same packet
            selected for interception on both its ingress and egress
            interface. Nonetheless, only one instance of the packet is
            sent to the Mediation Device.

            This value must be set when creating a stream entry, either to
            select an interface, to select all interfaces, or to select the
            interface that bridging learns. Some platforms may not
            implement the entire range of options."
        REFERENCE "RFC 1493"
        ::= { cTapStream802Entry 3 }

    cTapStream802DestinationAddress OBJECT-TYPE
        SYNTAX MacAddress
        MAX-ACCESS read-create
        STATUS current
        DESCRIPTION
            "The Destination address used in packet selection."
        ::= { cTapStream802Entry 4 }

    cTapStream802SourceAddress OBJECT-TYPE
        SYNTAX MacAddress
        MAX-ACCESS read-create
        STATUS current
        DESCRIPTION
            "The Source Address used in packet selection."
        ::= { cTapStream802Entry 5 }

    cTapStream802EthernetPid OBJECT-TYPE
        SYNTAX Integer32 (0..65535)
        MAX-ACCESS read-create
        STATUS current
        DESCRIPTION
            "The value of the Ethernet Protocol Identifier, which may be
            found on Ethernet traffic or IEEE 802.2 SNAP traffic."
        ::= { cTapStream802Entry 6 }

    cTapStream802DestinationLlcSap OBJECT-TYPE
        SYNTAX Integer32 (0..65535)
        MAX-ACCESS read-create
        STATUS current
        DESCRIPTION
            "The value of the IEEE 802.2 Destination SAP."
        ::= { cTapStream802Entry 7 }

    cTapStream802SourceLlcSap OBJECT-TYPE
        SYNTAX Integer32 (0..65535)
        MAX-ACCESS read-create
        STATUS current
        DESCRIPTION
            "The value of the IEEE 802.2 Source SAP."
        ::= { cTapStream802Entry 8 }

    cTapStream802InterceptEnable OBJECT-TYPE
        SYNTAX TruthValue
        MAX-ACCESS read-create
        STATUS current
        DESCRIPTION
            "If 'true', the tap enables interception of matching traffic.
            If cTapStreamCapabilities flag tapEnable is zero, this may not
            be set to 'false'."
        DEFVAL { true }
        ::= { cTapStream802Entry 9 }

    cTapStream802InterceptedPackets OBJECT-TYPE
        SYNTAX Counter32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The number of packets matching this data stream specification
            that have been intercepted."
        ::= { cTapStream802Entry 10 }

    cTapStream802InterceptDrops OBJECT-TYPE
        SYNTAX Counter32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The number of packets matching this data stream specification
            that, having been intercepted, were dropped in the lawful
            intercept process."
        ::= { cTapStream802Entry 11 }

    cTapStream802Status OBJECT-TYPE
        SYNTAX RowStatus
        MAX-ACCESS read-create
        STATUS current
        DESCRIPTION
            "The status of this conceptual row. This object manages
            creation, modification, and deletion of rows in this table.
            cTapStream802InterceptEnable can be modified at any time, even
            when the value of this entry's RowStatus object is 'active'.
            When other objects in the row must be changed, cTapStream802Status
            must first be set to 'notInService'."
        ::= { cTapStream802Entry 12 }

    --
    -- The debug table
    --

    cTapDebugTable OBJECT-TYPE
        SYNTAX SEQUENCE OF CTapDebugEntry
        MAX-ACCESS not-accessible
        STATUS current
        DESCRIPTION
            "A table that contains Lawful Intercept debug information
            available on this device. This table is used to map an error
            code to a text message for further information."
        ::= { cTapDebugGroup 1 }

    cTapDebugEntry OBJECT-TYPE
        SYNTAX CTapDebugEntry
        MAX-ACCESS not-accessible
        STATUS current
        DESCRIPTION
            "A list of the debug messages."
        INDEX { cTapDebugIndex }
        ::= { cTapDebugTable 1 }

    CTapDebugEntry ::= SEQUENCE {
        cTapDebugIndex     Unsigned32,
        cTapDebugMessage   SnmpAdminString
    }

    cTapDebugIndex OBJECT-TYPE
        SYNTAX Unsigned32
        MAX-ACCESS not-accessible
        STATUS current
        DESCRIPTION
            "Indicates an error code."
        ::= { cTapDebugEntry 1 }

    cTapDebugMessage OBJECT-TYPE
        SYNTAX SnmpAdminString
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "A text string containing the description of an error code."
        ::= { cTapDebugEntry 2 }

    -- notifications

    cTapMIBActive NOTIFICATION-TYPE
        STATUS current
        DESCRIPTION
            "This Notification is sent when an intercepting router or
            switch is first capable of intercepting a packet corresponding
            to a configured data stream. If the configured data stream is
            an IP one, the value of the corresponding cTapStreamIpStatus
            is included in this notification. If the configured data stream
            is an IEEE 802 one, the value of the corresponding
            cTapStream802Status is included in this notification.

            This notification may be generated in conjunction with the
            intercept application, which is designed to expect the
            notification to be sent as reliably as possible, e.g., through
            the use of a finite number of retransmissions until
            acknowledged, as and when such mechanisms are available; for
            example, with SNMPv3, this would be an InformRequest. Filter
            installation can take a long period of time, during which call
            progress may be delayed."
        ::= { cTapMIBNotifications 1 }

    cTapMediationTimedOut NOTIFICATION-TYPE
        OBJECTS { cTapMediationStatus }
        STATUS current
        DESCRIPTION
            "When an intercept is autonomously removed by an intercepting
            device, such as due to the time specified in
            cTapMediationTimeout arriving, the device notifies the manager
            of the action."
        ::= { cTapMIBNotifications 2 }

    cTapMediationDebug NOTIFICATION-TYPE
        OBJECTS { cTapMediationContentId, cTapDebugIndex }
        STATUS current
        DESCRIPTION
            "When there is intervention needed due to some events related
            to entries configured in cTapMediationTable, the device
            notifies the manager of the event.

            This notification may be generated in conjunction with the
            intercept application, which is designed to expect the
            notification to be sent as reliably as possible, e.g., through
            the use of a finite number of retransmissions until
            acknowledged, as and when such mechanisms are available; for
            example, with SNMPv3, this would be an InformRequest."
        ::= { cTapMIBNotifications 3 }

    cTapStreamIpDebug NOTIFICATION-TYPE
        OBJECTS { cTapMediationContentId, cTapStreamIpIndex,
                  cTapDebugIndex }
        STATUS current
        DESCRIPTION
            "When there is intervention needed due to some events related
            to entries configured in cTapStreamIpTable, the device
            notifies the manager of the event.

            This notification may be generated in conjunction with the
            intercept application, which is designed to expect the
            notification to be sent as reliably as possible, e.g., through
            the use of a finite number of retransmissions until
            acknowledged, as and when such mechanisms are available; for
            example, with SNMPv3, this would be an InformRequest."
        ::= { cTapMIBNotifications 4 }

    -- conformance information

    cTapMIBCompliances OBJECT IDENTIFIER ::= { cTapMIBConformance 1 }
    cTapMIBGroups      OBJECT IDENTIFIER ::= { cTapMIBConformance 2 }

    -- compliance statement

    cTapMIBCompliance MODULE-COMPLIANCE
        STATUS current
        DESCRIPTION
            "The compliance statement for entities which implement the
            Cisco Intercept MIB"
        MODULE -- this module
            MANDATORY-GROUPS {
                cTapMediationComplianceGroup,
                cTapStreamComplianceGroup,
                cTapMediationCpbComplianceGroup,
                cTapNotificationGroup
            }
        ::= { cTapMIBCompliances 1 }

    -- units of conformance

    cTapMediationComplianceGroup OBJECT-GROUP
        OBJECTS {
            cTapMediationNewIndex,
            cTapMediationDestAddressType,
            cTapMediationDestAddress,
            cTapMediationDestPort,
            cTapMediationSrcInterface,
            cTapMediationRtcpPort,
            cTapMediationDscp,
            cTapMediationDataType,
            cTapMediationRetransmitType,
            cTapMediationTimeout,
            cTapMediationTransport,
            cTapMediationNotificationEnable,
            cTapMediationStatus
        }
        STATUS current
        DESCRIPTION
            "These objects are necessary for description of the data
            streams directed to a Mediation Device."
        ::= { cTapMIBGroups 1 }

    cTapStreamComplianceGroup OBJECT-GROUP
        OBJECTS {
            cTapStreamCapabilities
        }
        STATUS current
        DESCRIPTION
            "These objects are necessary for a description of the packets
            to select for interception."
        ::= { cTapMIBGroups 2 }

    cTapStreamIpComplianceGroup OBJECT-GROUP
        OBJECTS {
            cTapStreamIpInterface,
            cTapStreamIpAddrType,
            cTapStreamIpDestinationAddress,
            cTapStreamIpDestinationLength,
            cTapStreamIpSourceAddress,
            cTapStreamIpSourceLength,
            cTapStreamIpTosByte,
            cTapStreamIpTosByteMask,
            cTapStreamIpFlowId,
            cTapStreamIpProtocol,
            cTapStreamIpDestL4PortMin,
            cTapStreamIpDestL4PortMax,
            cTapStreamIpSourceL4PortMin,
            cTapStreamIpSourceL4PortMax,
            cTapStreamIpInterceptEnable,
            cTapStreamIpInterceptedPackets,
            cTapStreamIpInterceptDrops,
            cTapStreamIpStatus
        }
        STATUS current
        DESCRIPTION
            "These objects are necessary for a description of IPv4 and IPv6
            packets to select for interception."
        ::= { cTapMIBGroups 3 }

    cTapStream802ComplianceGroup OBJECT-GROUP
        OBJECTS {
            cTapStream802Fields,
            cTapStream802Interface,
            cTapStream802DestinationAddress,
            cTapStream802SourceAddress,
            cTapStream802EthernetPid,
            cTapStream802SourceLlcSap,
            cTapStream802DestinationLlcSap,
            cTapStream802InterceptEnable,
            cTapStream802InterceptedPackets,
            cTapStream802InterceptDrops,
            cTapStream802Status
        }
        STATUS current
        DESCRIPTION
            "These objects are necessary for a description of IEEE 802
            packets to select for interception."
        ::= { cTapMIBGroups 4 }

    cTapNotificationGroup NOTIFICATION-GROUP
        NOTIFICATIONS {
            cTapMIBActive,
            cTapMediationTimedOut,
            cTapMediationDebug,
            cTapStreamIpDebug
        }
        STATUS current
        DESCRIPTION
            "These notifications are used to present status from the
            intercepting device to the Mediation Device."
        ::= { cTapMIBGroups 5 }

    cTapMediationCpbComplianceGroup OBJECT-GROUP
        OBJECTS {
            cTapMediationCapabilities
        }
        STATUS current
        DESCRIPTION
            "These objects are necessary for a description of the
            mediation device to select for Lawful Intercept."
        ::= { cTapMIBGroups 6 }

    cTapDebugComplianceGroup OBJECT-GROUP
        OBJECTS {
            cTapDebugMessage
        }
        STATUS current
        DESCRIPTION
            "These objects are necessary for debug information."
        ::= { cTapMIBGroups 7 }

    END

4. Security Considerations

   Lawful Intercept can be viewed as the direct violation of the
   privacy, and therefore of the security, of the party under
   surveillance. This is a legal matter, not a technical one; the laws
   of a country and a warrant issued by a duly appointed authority in
   that country cause the feature to be deployed and to be used.

   The presence of the capability in a certain router or switch creates
   the possibility that it can be misused, either accidentally or on
   purpose. It may be misconfigured, causing unintended data to be
   intercepted, for example, or the target may come under a denial of
   service attack, resulting in an indirect denial of service attack on
   the Mediation Device. Intercepted data, if left in the clear, may
   betray information to an unintended party. As such, it is Cisco's
   position that appropriate security measures should be used by the
   agency deploying this feature. It should use appropriate
   configuration protocols, such as SNMPv3, and appropriate privacy
   management facilities, such as IPSEC ESP, on this data. It is also
   necessary to maintain close control of the visibility of the
   configuration, as this can have harmful effects both on the
   surveillance subject if leaked, and on the investigation if leaked to
   the subject.
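   The misconfiguration risk above is concrete in the cTapStreamIp* table:
   an entry whose selectors are left at their wildcard defaults, or whose
   TOS byte, port range or prefix length is inconsistent, selects traffic
   the warrant did not cover. The following Python model is an added
   example, not part of this draft or of any Cisco implementation. It
   applies the cTapStreamIp* selection rules defined in the MIB module
   above to constructed packets, and performs the consistency checks the
   object descriptions require (TOS byte within its mask, port minimum not
   above maximum, addresses and prefix lengths consistent with the address
   type) before a row would be allowed to go 'active'. The field names,
   the 'ipv4'/'ipv6' spelling of the address type, the treatment of an
   address-family mismatch as a non-match, and the sample packets are all
   assumptions of the example, not values from the draft.

```python
"""Added example, not part of draft-baker-slem-mib-00 or of any Cisco code:
a reference model of the cTapStreamIp* packet-selection semantics and of the
row-consistency rules that the object descriptions above require."""
from dataclasses import dataclass
import ipaddress

# Field names and the 'ipv4'/'ipv6' spelling of the address type are
# assumptions of this example; each field mirrors the MIB object it names.
@dataclass
class IpStreamEntry:
    addr_type: str = "ipv4"     # cTapStreamIpAddrType
    dest_addr: str = "0.0.0.0"  # cTapStreamIpDestinationAddress
    dest_len: int = 0           # cTapStreamIpDestinationLength (0 = any)
    src_addr: str = "0.0.0.0"   # cTapStreamIpSourceAddress
    src_len: int = 0            # cTapStreamIpSourceLength (0 = any)
    tos_byte: int = 0           # cTapStreamIpTosByte
    tos_mask: int = 0           # cTapStreamIpTosByteMask
    flow_id: int = -1           # cTapStreamIpFlowId (-1 = unused)
    protocol: int = -1          # cTapStreamIpProtocol (-1 = any)
    dport_min: int = 0          # cTapStreamIpDestL4PortMin
    dport_max: int = 65535      # cTapStreamIpDestL4PortMax
    sport_min: int = 0          # cTapStreamIpSourceL4PortMin
    sport_max: int = 65535      # cTapStreamIpSourceL4PortMax

@dataclass
class Packet:
    """Constructed header summary of one packet (example input only)."""
    src: str
    dst: str
    protocol: int
    tos: int
    sport: int
    dport: int
    flow_id: int = 0

_VERSION = {"ipv4": 4, "ipv6": 6}

# Constructed sample traffic using documentation addresses, not captured data.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "192.0.2.10", 6, 0x00, 51000, 443),
    Packet("198.51.100.7", "192.0.2.10", 17, 0x00, 51001, 443),
    Packet("198.51.100.7", "203.0.113.5", 6, 0xB8, 51002, 443),
    Packet("2001:db8::1", "2001:db8::2", 6, 0x00, 51003, 443),
]

def validate(e: IpStreamEntry) -> list:
    """Reasons the row must be rejected; an empty list means it may go 'active'."""
    errors = []
    if e.tos_byte & (~e.tos_mask & 0xFF):   # bits outside the mask never match
        errors.append("cTapStreamIpTosByte has bits outside cTapStreamIpTosByteMask")
    if e.dport_min > e.dport_max:
        errors.append("cTapStreamIpDestL4PortMin exceeds cTapStreamIpDestL4PortMax")
    if e.sport_min > e.sport_max:
        errors.append("cTapStreamIpSourceL4PortMin exceeds cTapStreamIpSourceL4PortMax")
    version = _VERSION.get(e.addr_type)
    if version is None:
        return errors + ["unsupported cTapStreamIpAddrType"]
    max_len = 32 if version == 4 else 128   # prefix length must fit the family
    for name, addr, length in (("Destination", e.dest_addr, e.dest_len),
                               ("Source", e.src_addr, e.src_len)):
        try:
            ok = ipaddress.ip_address(addr).version == version
        except ValueError:
            ok = False
        if not ok:
            errors.append(f"cTapStreamIp{name}Address is not an {e.addr_type} address")
        if not 0 <= length <= max_len:
            errors.append(f"cTapStreamIp{name}Length out of range for {e.addr_type}")
    return errors

def _prefix_match(addr: str, prefix: str, length: int, version: int) -> bool:
    """Length 0 matches any address of the entry's family; else addr must lie in prefix."""
    ip = ipaddress.ip_address(addr)
    if ip.version != version:   # family check is this example's reading of AddrType
        return False
    return length == 0 or ip in ipaddress.ip_network(f"{prefix}/{length}", strict=False)

def matches(e: IpStreamEntry, p: Packet) -> bool:
    """True when the packet satisfies every selector of the stream entry."""
    version = _VERSION[e.addr_type]
    if not _prefix_match(p.dst, e.dest_addr, e.dest_len, version):
        return False
    if not _prefix_match(p.src, e.src_addr, e.src_len, version):
        return False
    # TOS ANDed with the mask must equal TosByte; both zero is "always accept".
    if (p.tos & e.tos_mask) != e.tos_byte:
        return False
    if e.flow_id != -1 and p.flow_id != e.flow_id:
        return False
    if e.protocol != -1 and p.protocol != e.protocol:
        return False
    return e.dport_min <= p.dport <= e.dport_max and e.sport_min <= p.sport <= e.sport_max

def intercepted(e: IpStreamEntry, packets=SAMPLE_PACKETS) -> list:
    """Packets the entry selects; an inconsistent row is refused, not matched loosely."""
    errors = validate(e)
    if errors:
        raise ValueError("; ".join(errors))
    return [p for p in packets if matches(e, p)]
```

   Running intercepted() with a default IpStreamEntry shows the point the
   security section makes: every IPv4 packet in the sample matches, since
   all selectors are at their wildcard defaults, whereas an entry that
   names a destination prefix, protocol and port selects only the
   intended flow. The validate() step refuses rows the MIB says must be
   rejected (a TOS byte with bits outside its mask, an inverted port
   range, a prefix length too long for the address family) before they
   could select anything.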

   The considerations of RFC 2804 [4] are very important; it is for this
   reason that Cisco did not attempt to modify existing protocols, but
   created a separate feature for the interception of relevant
   information.

5. Acknowledgements

   The authors worked among a large team of contributors at Cisco, too
   many to name here. And they might not want us to...

Normative References

   [1] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
       McCloghrie, K., Rose, M. and S. Waldbusser, "Structure of
       Management Information Version 2 (SMIv2)", STD 58, RFC 2578,
       April 1999.

   [2] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
       McCloghrie, K., Rose, M. and S. Waldbusser, "Textual Conventions
       for SMIv2", STD 58, RFC 2579, April 1999.

   [3] McCloghrie, K., Perkins, D. and J. Schoenwaelder, "Conformance
       Statements for SMIv2", STD 58, RFC 2580, April 1999.

Informative References

   [4] IAB and IESG, "IETF Policy on Wiretapping", RFC 2804, May 2000.

   [5] Case, J., Mundy, R., Partain, D. and B. Stewart, "Introduction
       and Applicability Statements for Internet-Standard Management
       Framework", RFC 3410, December 2002.

Author's Address

   Fred Baker
   Cisco Systems
   1121 Via Del Rey
   Santa Barbara, CA 93117
   US

   Phone: +1-408-526-4257
   Fax:   +1-413-473-2403
   EMail: fred@cisco.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights.
   Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11. Copies of
   claims of rights made available for publication and any assurances of
   licenses to be made available, or the result of an attempt made to
   obtain a general license or permission for the use of such
   proprietary rights by implementors or users of this specification can
   be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard. Please address the information to the IETF Executive
   Director.

Full Copyright Statement

   Copyright (C) The Internet Society (2003). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assignees.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.