Network Working Group                                       S. Perreault
Internet-Draft                                                  Viagenie
Intended status: Standards Track                                 T. Tsou
Expires: December 20, 2012                     Huawei Technologies (USA)
                                                            S. Sivakumar
                                                           Cisco Systems
                                                           June 18, 2012

     Additional Managed Objects for Network Address Translators (NAT)
                      draft-ietf-behave-nat-mib-01

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for devices implementing the Network Address Translator (NAT)
   function.  This MIB module may be used for monitoring a device
   capable of the NAT function.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 20, 2012.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Overview
   3.  Definitions
   4.  Security Considerations
   5.  IANA Considerations
   6.  References
     6.1.  Normative References
     6.2.  Informative References
   Appendix A.  Change Log (to be removed by RFC Editor prior to
                publication)
     A.1.  Changed in -01
   Authors' Addresses

1.  Introduction

   [RFC4008] defines some objects for managing network address
   translators (NATs).  Current operational practice often requires
   additional objects, in particular for enterprise and Internet service
   provider (ISP) deployments.  This document defines those additional
   objects.

   This module is designed to be completely independent from [RFC4008].
   A NAT implementation could be managed using this module, the one from
   [RFC4008], or both.

2.  Overview

   New features in this module are as follows:

   Counters:  Many new counters are introduced.  Most of them are
      available in two variants: global and per-transport-protocol.

   Limits:  A few limits on the quantity of state data stored by the NAT
      device.  Some of them can trigger notifications.

   Address+Port Pools:  Pools of external addresses and ports are often
      used in enterprise and ISP settings.  Pools are listed in a table,
      each with its range of addresses and ports.  It is possible to
      inspect each pool's usage, to set limits, and to receive
      notifications when thresholds are crossed.

   Address Mappings:  NATs that have an "IP address pooling" behavior of
      "Paired" [RFC4787] maintain a mapping from internal address to
      external address.  This module allows inspection of this mapping
      table.

   Mapping table indexed by external 3-tuple:  It is often necessary to
      determine the internal address that is mapped to a given external
      address and port.  This MIB provides this table with an index to
      accomplish this efficiently, without having to iterate over all
      mappings.

   Per-subscriber counters, limits, and notifications:  Carrier-Grade
      NATs operate with a notion of "subscriber", to which are
      associated a set of counters, limits, and notifications.  The
      subscriber identifier is not necessarily an internal address: in
      the case of DS-Lite, the identifier is the IPv6 address of the
      tunnel endpoint, and the internal addresses are the same for each
      subscriber.

3.  Definitions

   This MIB module IMPORTs objects from [RFC2578], [RFC2579], and
   [RFC4001].

   NEW-NAT-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Counter64,
       Gauge32, Integer32, Unsigned32, mib-2
           FROM SNMPv2-SMI

       OBJECT-GROUP, NOTIFICATION-GROUP, MODULE-COMPLIANCE
           FROM SNMPv2-CONF

       TEXTUAL-CONVENTION
           FROM SNMPv2-TC

       InetAddressType, InetAddress, InetAddressPrefixLength,
       InetPortNumber
           FROM INET-ADDRESS-MIB;

   newNatMIB MODULE-IDENTITY
       LAST-UPDATED "200001010000Z"
       ORGANIZATION "TBD"
       CONTACT-INFO "TBD"
       DESCRIPTION
           "This MIB module defines generic managed objects for NAT."

       REVISION "200001010000Z"
       DESCRIPTION
           "Dummy version.  RFC Editor must replace this."
       ::= { mib-2 9999 }

   -- table of contents

   newNatNotifications OBJECT IDENTIFIER ::= { newNatMIB 0 }
   newNatObjects       OBJECT IDENTIFIER ::= { newNatMIB 1 }
   newNatCounters      OBJECT IDENTIFIER ::= { newNatObjects 1 }
   newNatLimits        OBJECT IDENTIFIER ::= { newNatObjects 2 }
   newNatPoolObjects   OBJECT IDENTIFIER ::= { newNatObjects 3 }
   newNatMapObjects    OBJECT IDENTIFIER ::= { newNatObjects 4 }
   newNatSubscribers   OBJECT IDENTIFIER ::= { newNatObjects 5 }
   newNatConformance   OBJECT IDENTIFIER ::= { newNatMIB 2 }
   newNatGroups        OBJECT IDENTIFIER ::= { newNatConformance 1 }
   newNatCompliance    OBJECT IDENTIFIER ::= { newNatConformance 2 }

   -- textual conventions

   ProtocolNumber ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "d"
       STATUS current
       DESCRIPTION
           "A transport protocol number, from the 'protocol-numbers' IANA
           registry."
       SYNTAX Unsigned32 (0..255)

   NatPoolIndex ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "d"
       STATUS current
       DESCRIPTION
           "A unique ID that is assigned to each pool."
       SYNTAX Unsigned32 (1..4294967295)

   -- notifications

   newNatNotifPoolWatermarkLow NOTIFICATION-TYPE
       OBJECTS { newNatPoolIndex }
       STATUS current
       DESCRIPTION
           "This notification is generated when the specified pool's number
           of free addresses becomes lower than or equal to the specified
           threshold.  The threshold is specified by the
           newNatPoolWatermarkLow object."
       ::= { newNatNotifications 1 }

   newNatNotifPoolWatermarkHigh NOTIFICATION-TYPE
       OBJECTS { newNatPoolIndex }
       STATUS current
       DESCRIPTION
           "This notification is generated when the specified pool's number
           of free addresses becomes greater than or equal to the
           specified threshold.  The threshold is specified by the
           newNatPoolWatermarkHigh object."
       ::= { newNatNotifications 2 }

   newNatNotifMappings NOTIFICATION-TYPE
       OBJECTS { newNatCntMappings }
       STATUS current
       DESCRIPTION
           "This notification is generated when newNatCntMappings exceeds
           the value of newNatMappingsNotifyThreshold."
       ::= { newNatNotifications 3 }

   newNatNotifAddrMappings NOTIFICATION-TYPE
       OBJECTS { newNatCntAddressMappings }
       STATUS current
       DESCRIPTION
           "This notification is generated when newNatCntAddressMappings
           exceeds the value of newNatAddrMapNotifyThreshold."
       ::= { newNatNotifications 4 }

   newNatNotifSubscriberMappings NOTIFICATION-TYPE
       OBJECTS { newNatSubscriberCntMappings }
       STATUS current
       DESCRIPTION
           "This notification is generated when newNatSubscriberCntMappings
           exceeds the value of newNatSubscriberMapNotifyThresh, unless
           newNatSubscriberMapNotifyThresh is zero."
       ::= { newNatNotifications 5 }

   -- counters

   newNatCntTranslates OBJECT-TYPE
       SYNTAX Counter64
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The number of packets to which NAT has been applied."
       ::= { newNatCounters 1 }

   newNatCntOOP OBJECT-TYPE
       SYNTAX Counter64
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The number of packets to which NAT could not be applied because
           no external port was available, excluding quota limitations."
       ::= { newNatCounters 2 }

   newNatCntResource OBJECT-TYPE
       SYNTAX Counter64
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The number of packets to which NAT could not be applied because
           of resource constraints (excluding out-of-ports condition)."
       ::= { newNatCounters 3 }

   newNatCntStateMismatch OBJECT-TYPE
       SYNTAX Counter64
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The number of packets to which NAT could not be applied because
           of mapping state mismatch.  For example, a TCP packet that
           matches an existing mapping but is dropped because its flags
           are incompatible with the current state of the mapping would
           cause this counter to be incremented."
       ::= { newNatCounters 4 }

   newNatCntQuota OBJECT-TYPE
       SYNTAX Counter64
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The number of packets to which NAT could not be applied because
           of quota limitations.  Quotas include absolute limits as well as
           limits on rate of allocation."
       ::= { newNatCounters 5 }

   newNatCntMappings OBJECT-TYPE
       SYNTAX Gauge32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "Number of currently active mappings.

           Equal to newNatCntMapCreations - newNatCntMapRemovals."
       ::= { newNatCounters 6 }

   newNatCntMapCreations OBJECT-TYPE
       SYNTAX Counter64
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "Number of mapping creations.  This includes static mappings."
       ::= { newNatCounters 7 }

   newNatCntMapRemovals OBJECT-TYPE
       SYNTAX Counter64
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "Number of mapping removals.  This includes static mappings."
       ::= { newNatCounters 8 }

   newNatCntAddressMappings OBJECT-TYPE
       SYNTAX Gauge32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "Number of active address mappings.

           Equal to newNatCntAddrMapCreations - newNatCntAddrMapRemovals."
       ::= { newNatCounters 9 }

   newNatCntAddrMapCreations OBJECT-TYPE
       SYNTAX Counter64
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "Number of address mapping creations.  This includes static
           mappings."
       ::= { newNatCounters 10 }

   newNatCntAddrMapRemovals OBJECT-TYPE
       SYNTAX Counter64
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "Number of address mapping removals.  This includes static
           mappings."
       ::= { newNatCounters 11 }

   newNatCntProtocolTable OBJECT-TYPE
       SYNTAX SEQUENCE OF NewNatCntProtocolEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "Table of protocols with per-protocol counters."
       ::= { newNatCounters 128 }

   newNatCntProtocolEntry OBJECT-TYPE
       SYNTAX NewNatCntProtocolEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "Per-protocol counters."
       INDEX { newNatCntProtocolNumber }
       ::= { newNatCntProtocolTable 1 }

   NewNatCntProtocolEntry ::=
       SEQUENCE {
           newNatCntProtocolNumber         ProtocolNumber,
           newNatCntProtocolTranslates     Counter64,
           newNatCntProtocolOOP            Counter64,
           newNatCntProtocolResource       Counter64,
           newNatCntProtocolStateMismatch  Counter64,
           newNatCntProtocolQuota          Counter64,
           newNatCntProtocolMappings       Gauge32,
           newNatCntProtocolMapCreations   Counter64,
           newNatCntProtocolMapRemovals    Counter64
       }

   newNatCntProtocolNumber OBJECT-TYPE
       SYNTAX ProtocolNumber
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "Counters in this conceptual row apply to packets using the
           transport protocol identified by this object's value."
       ::= { newNatCntProtocolEntry 1 }

   newNatCntProtocolTranslates OBJECT-TYPE
       SYNTAX Counter64
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The number of packets to which NAT has been applied."
       ::= { newNatCntProtocolEntry 2 }

   newNatCntProtocolOOP OBJECT-TYPE
       SYNTAX Counter64
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The number of packets to which NAT could not be applied because
           no external port was available."
       ::= { newNatCntProtocolEntry 3 }

   newNatCntProtocolResource OBJECT-TYPE
       SYNTAX Counter64
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The number of packets to which NAT could not be applied because
           of resource constraints (excluding out-of-ports condition)."
       ::= { newNatCntProtocolEntry 4 }

   newNatCntProtocolStateMismatch OBJECT-TYPE
       SYNTAX Counter64
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The number of packets to which NAT could not be applied because
           of state table mismatch.  For example, a TCP packet that matches
           an existing mapping but is dropped because its flags are
           incompatible with the current state of the mapping would cause
           this counter to be incremented."
       ::= { newNatCntProtocolEntry 5 }

   newNatCntProtocolQuota OBJECT-TYPE
       SYNTAX Counter64
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The number of packets to which NAT could not be applied because
           of exceeded quotas.  Quotas include absolute limits as well as
           limits on rate of allocation."
       ::= { newNatCntProtocolEntry 6 }

   newNatCntProtocolMappings OBJECT-TYPE
       SYNTAX Gauge32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "Number of active mappings.

           Equal to newNatCntProtocolMapCreations -
           newNatCntProtocolMapRemovals."
       ::= { newNatCntProtocolEntry 7 }

   newNatCntProtocolMapCreations OBJECT-TYPE
       SYNTAX Counter64
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "Number of mapping creations.  This includes static mappings."
       ::= { newNatCntProtocolEntry 8 }

   newNatCntProtocolMapRemovals OBJECT-TYPE
       SYNTAX Counter64
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "Number of mapping removals.  This includes static mappings."
       ::= { newNatCntProtocolEntry 9 }

   -- limits

   newNatLimitMappings OBJECT-TYPE
       SYNTAX Unsigned32
       MAX-ACCESS read-write
       STATUS current
       DESCRIPTION
           "Global limit on the total number of mappings.  Zero means
           unlimited."
       ::= { newNatLimits 1 }
   -- TODO: How does that work with bulk port allocation?

   newNatMappingsNotifyThreshold OBJECT-TYPE
       SYNTAX Unsigned32
       MAX-ACCESS read-write
       STATUS current
       DESCRIPTION
           "See newNatNotifMappings."
       ::= { newNatLimits 2 }

   newNatLimitAddressMappings OBJECT-TYPE
       SYNTAX Unsigned32
       MAX-ACCESS read-write
       STATUS current
       DESCRIPTION
           "Global limit on the total number of internal-to-external
           address mappings.  Zero means unlimited.

           This limit is only applicable to NATs that have an 'IP address
           pooling' behavior of 'Paired' [RFC4787]."
       ::= { newNatLimits 3 }

   newNatAddrMapNotifyThreshold OBJECT-TYPE
       SYNTAX Unsigned32
       MAX-ACCESS read-write
       STATUS current
       DESCRIPTION
           "See newNatNotifAddrMappings."
       ::= { newNatLimits 4 }

   newNatLimitFragments OBJECT-TYPE
       SYNTAX Unsigned32
       MAX-ACCESS read-write
       STATUS current
       DESCRIPTION
           "Global limit on the total number of fragments pending
           reassembly.  Zero means unlimited.

           This limit is only applicable to NATs having 'Receive
           Fragments Out of Order' behavior [RFC4787]."
       ::= { newNatLimits 5 }

   newNatLimitSubscribers OBJECT-TYPE
       SYNTAX Unsigned32
       MAX-ACCESS read-write
       STATUS current
       DESCRIPTION
           "Global limit on the number of subscribers with active mappings.
           Zero means unlimited."
       ::= { newNatLimits 6 }

   -- pools

   newNatPoolTable OBJECT-TYPE
       SYNTAX SEQUENCE OF NewNatPoolEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "Table of pools."
       ::= { newNatPoolObjects 1 }

   newNatPoolEntry OBJECT-TYPE
       SYNTAX NewNatPoolEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "Entry in the table of pools."
       INDEX { newNatPoolIndex }
       ::= { newNatPoolTable 1 }

   NewNatPoolEntry ::=
       SEQUENCE {
           newNatPoolIndex          NatPoolIndex,
           newNatPoolUsage          Integer32,
           newNatPoolWatermarkLow   Integer32,
           newNatPoolWatermarkHigh  Integer32,
           newNatPoolPortMin        InetPortNumber,
           newNatPoolPortMax        InetPortNumber
           -- TODO: virtual router ID, status, ref count, etc.
       }

   newNatPoolIndex OBJECT-TYPE
       SYNTAX NatPoolIndex
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "Index of an address pool."
       ::= { newNatPoolEntry 1 }

   newNatPoolUsage OBJECT-TYPE
       SYNTAX Integer32 (0..100)
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "Percentage of the pool's total number of external ports
           currently mapped."
       ::= { newNatPoolEntry 2 }

   newNatPoolWatermarkLow OBJECT-TYPE
       SYNTAX Integer32 (-1|0..100)
       MAX-ACCESS read-create
       STATUS current
       DESCRIPTION
           "Low watermark on a pool's usage, in percentage of the total
           number of ports available.  If set to -1, the watermark is
           disabled.  Otherwise, when newNatPoolUsage becomes lower than or
           equal to newNatPoolWatermarkLow, a notification is sent.  The
           NAT may also start behaving in low usage mode (this is
           implementation-defined)."
       ::= { newNatPoolEntry 3 }

   newNatPoolWatermarkHigh OBJECT-TYPE
       SYNTAX Integer32 (-1|0..100)
       MAX-ACCESS read-create
       STATUS current
       DESCRIPTION
           "High watermark on a pool's usage, in percentage of the total
           number of ports available.  If set to -1, the watermark is
           disabled.  Otherwise, when newNatPoolUsage becomes higher than
           or equal to newNatPoolWatermarkHigh, a notification is sent.
           The NAT may also start behaving in high usage mode (this is
           implementation-defined)."
       ::= { newNatPoolEntry 4 }

   newNatPoolPortMin OBJECT-TYPE
       SYNTAX InetPortNumber
       MAX-ACCESS read-create
       STATUS current
       DESCRIPTION
           "Minimal port number to be allocated in this pool."
       ::= { newNatPoolEntry 5 }

   newNatPoolPortMax OBJECT-TYPE
       SYNTAX InetPortNumber
       MAX-ACCESS read-create
       STATUS current
       DESCRIPTION
           "Maximal port number to be allocated in this pool."
       ::= { newNatPoolEntry 6 }

   newNatPoolRangeTable OBJECT-TYPE
       SYNTAX SEQUENCE OF NewNatPoolRangeEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "This table contains address ranges used by pool entries."
       ::= { newNatPoolObjects 2 }

   newNatPoolRangeEntry OBJECT-TYPE
       SYNTAX NewNatPoolRangeEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "NAT pool address range."
       INDEX { newNatPoolRangeType,
               newNatPoolRangeBegin }
       ::= { newNatPoolRangeTable 1 }

   NewNatPoolRangeEntry ::=
       SEQUENCE {
           newNatPoolRangePoolIndex       NatPoolIndex,
           newNatPoolRangeType            InetAddressType,
           newNatPoolRangeBegin           InetAddress,
           newNatPoolRangeEnd             InetAddress,
           newNatPoolRangeAllocatedPorts  Gauge32
           -- TODO: the usual bookkeeping things
       }

   newNatPoolRangePoolIndex OBJECT-TYPE
       SYNTAX NatPoolIndex
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "Index of the address pool to which this address range belongs.
           See newNatPoolIndex."
       ::= { newNatPoolRangeEntry 1 }

   newNatPoolRangeType OBJECT-TYPE
       SYNTAX InetAddressType
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "The address type of newNatPoolRangeBegin and
           newNatPoolRangeEnd."
       ::= { newNatPoolRangeEntry 2 }

   newNatPoolRangeBegin OBJECT-TYPE
       SYNTAX InetAddress (SIZE (4|16))
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "Lowest address included in this range."
       ::= { newNatPoolRangeEntry 3 }

   newNatPoolRangeEnd OBJECT-TYPE
       SYNTAX InetAddress (SIZE (4|16))
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "Highest address included in this range."
       ::= { newNatPoolRangeEntry 4 }

   newNatPoolRangeAllocatedPorts OBJECT-TYPE
       SYNTAX Gauge32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "Number of ports currently allocated on the addresses in this
           range."
663 ::= { newNatPoolRangeEntry 5 } 665 -- indexed mapping tables 667 newNatMapIntAddrTable OBJECT-TYPE 668 SYNTAX SEQUENCE OF NewNatMapIntAddrEntry 669 MAX-ACCESS not-accessible 670 STATUS current 671 DESCRIPTION 672 "Table of mappings from internal to external address. 674 This table is only applicable to NATs that have an 'IP address 675 pooling' behavior of 'Paired' [RFC4787]." 676 ::= { newNatMapObjects 1 } 678 newNatMapIntAddrEntry OBJECT-TYPE 679 SYNTAX NewNatMapIntAddrEntry 680 MAX-ACCESS not-accessible 681 STATUS current 682 DESCRIPTION 683 "Mapping from internal to external address." 684 INDEX { newNatMapIntAddrType, 685 newNatMapIntAddrInt } 686 ::= { newNatMapIntAddrTable 1 } 688 NewNatMapIntAddrEntry ::= 689 SEQUENCE { 690 newNatMapIntAddrType InetAddressType, 691 newNatMapIntAddrInt InetAddress, 692 newNatMapIntAddrExt InetAddress 693 } 695 newNatMapIntAddrType OBJECT-TYPE 696 SYNTAX InetAddressType 697 MAX-ACCESS not-accessible 698 STATUS current 699 DESCRIPTION 700 "Address type for newNatMapIntAddrInt and newNatMapIntAddrExt." 701 ::= { newNatMapIntAddrEntry 1 } 703 newNatMapIntAddrInt OBJECT-TYPE 704 SYNTAX InetAddress (SIZE (4|16)) 705 MAX-ACCESS not-accessible 706 STATUS current 707 DESCRIPTION 708 "Internal address." 709 ::= { newNatMapIntAddrEntry 2 } 711 newNatMapIntAddrExt OBJECT-TYPE 712 SYNTAX InetAddress 713 MAX-ACCESS read-only 714 STATUS current 715 DESCRIPTION 716 "External address." 717 ::= { newNatMapIntAddrEntry 3 } 719 newNatMappingTable OBJECT-TYPE 720 SYNTAX SEQUENCE OF NewNatMappingTableEntry 721 MAX-ACCESS not-accessible 722 STATUS current 723 DESCRIPTION 724 "Table of mappings indexed by external 3-tuple." 725 ::= { newNatMapObjects 2 } 727 newNatMappingTableEntry OBJECT-TYPE 728 SYNTAX NewNatMappingTableEntry 729 MAX-ACCESS not-accessible 730 STATUS current 731 DESCRIPTION 732 "A single NAT mapping." 
734 INDEX { newNatMappingProto, 735 newNatMappingExtAddressType, 736 newNatMappingExtAddress, 737 newNatMappingExtPort } 738 ::= { newNatMappingTable 1 } 740 NewNatMappingTableEntry ::= 741 SEQUENCE { 742 newNatMappingProto ProtocolNumber, 743 newNatMappingExtAddressType InetAddressType, 744 newNatMappingExtAddress InetAddress, 745 newNatMappingExtPort InetPortNumber, 746 newNatMappingIntAddressType InetAddressType, 747 newNatMappingIntAddress InetAddress, 748 newNatMappingIntPort InetPortNumber, 749 newNatMappingPool NatPoolIndex 750 } 752 newNatMappingProto OBJECT-TYPE 753 SYNTAX ProtocolNumber 754 MAX-ACCESS not-accessible 755 STATUS current 756 DESCRIPTION 757 "The mapping's transport protocol number." 758 ::= { newNatMappingTableEntry 1 } 760 newNatMappingExtAddressType OBJECT-TYPE 761 SYNTAX InetAddressType 762 MAX-ACCESS not-accessible 763 STATUS current 764 DESCRIPTION 765 "Type of the mapping's external address." 766 ::= { newNatMappingTableEntry 2 } 768 newNatMappingExtAddress OBJECT-TYPE 769 SYNTAX InetAddress (SIZE (4|16)) 770 MAX-ACCESS not-accessible 771 STATUS current 772 DESCRIPTION 773 "The mapping's external address. If this is the undefined 774 address, all external addresses are mapped to the internal 775 address." 776 ::= { newNatMappingTableEntry 3 } 778 newNatMappingExtPort OBJECT-TYPE 779 SYNTAX InetPortNumber 780 MAX-ACCESS not-accessible 781 STATUS current 782 DESCRIPTION 783 "The mapping's external port number. If this is zero, all 784 external ports are mapped to the internal port." 785 ::= { newNatMappingTableEntry 4 } 787 newNatMappingIntAddressType OBJECT-TYPE 788 SYNTAX InetAddressType 789 MAX-ACCESS read-only 790 STATUS current 791 DESCRIPTION 792 "Type of the mapping's internal address." 793 ::= { newNatMappingTableEntry 5 } 795 newNatMappingIntAddress OBJECT-TYPE 796 SYNTAX InetAddress 797 MAX-ACCESS read-only 798 STATUS current 799 DESCRIPTION 800 "The mapping's internal address. 
If this is the undefined 801 address, addresses are not translated." 802 ::= { newNatMappingTableEntry 6 } 804 newNatMappingIntPort OBJECT-TYPE 805 SYNTAX InetPortNumber 806 MAX-ACCESS read-only 807 STATUS current 808 DESCRIPTION 809 "The mapping's internal port number. If this is zero, ports are 810 not translated." 811 ::= { newNatMappingTableEntry 7 } 813 newNatMappingPool OBJECT-TYPE 814 SYNTAX NatPoolIndex (0|1..4294967295) 815 MAX-ACCESS read-only 816 STATUS current 817 DESCRIPTION 818 "Index of the pool that contains this mapping's external address 819 and port. If zero, no pool is associated with this mapping." 820 ::= { newNatMappingTableEntry 8 } 822 -- subscribers 824 newNatSubscribersTable OBJECT-TYPE 825 SYNTAX SEQUENCE OF NewNatSubscribersTableEntry 826 MAX-ACCESS not-accessible 827 STATUS current 828 DESCRIPTION 829 "Table of CGN subscribers." 830 ::= { newNatSubscribers 1 } 832 newNatSubscribersTableEntry OBJECT-TYPE 833 SYNTAX NewNatSubscribersTableEntry 834 MAX-ACCESS not-accessible 835 STATUS current 836 DESCRIPTION 837 "Each entry describes a single CGN subscriber." 
838 INDEX { newNatSubscriberIdentifierType, 839 newNatSubscriberIdentifier } 840 ::= { newNatSubscribersTable 1 } 842 NewNatSubscribersTableEntry ::= 843 SEQUENCE { 844 newNatSubscriberIdentifierType InetAddressType, 845 newNatSubscriberIdentifier InetAddress, 846 newNatSubscriberIntPrefixType InetAddressType, 847 newNatSubscriberIntPrefix InetAddress, 848 newNatSubscriberIntPrefixLength InetAddressPrefixLength, 849 newNatSubscriberPool NatPoolIndex, 850 newNatSubscriberCntTranslates Counter64, 851 newNatSubscriberCntOOP Counter64, 852 newNatSubscriberCntResource Counter64, 853 newNatSubscriberCntStateMismatch Counter64, 854 newNatSubscriberCntQuota Counter64, 855 newNatSubscriberCntMappings Gauge32, 856 newNatSubscriberCntMapCreations Counter64, 857 newNatSubscriberCntMapRemovals Counter64, 858 newNatSubscriberLimitMappings Unsigned32, 859 newNatSubscriberMapNotifyThresh Unsigned32 860 } 862 newNatSubscriberIdentifierType OBJECT-TYPE 863 SYNTAX InetAddressType 864 MAX-ACCESS not-accessible 865 STATUS current 866 DESCRIPTION 867 "Address type of the subscriber identifier." 868 ::= { newNatSubscribersTableEntry 1 } 870 newNatSubscriberIdentifier OBJECT-TYPE 871 SYNTAX InetAddress (SIZE (4|16)) 872 MAX-ACCESS not-accessible 873 STATUS current 874 DESCRIPTION 875 "Address used for uniquely identifying the subscriber. 877 In traditional NAT, this is the internal address assigned to 878 the CPE. In case an address range is assigned to a subscriber, 879 the first address in the range is used as identifier. For 880 tunnelled connectivity (e.g., DS-Lite [RFC6333]), the outer 881 address is used as identifier (i.e., the IPv6 address in the 882 case of DS-Lite)." 883 ::= { newNatSubscribersTableEntry 2 } 885 newNatSubscriberIntPrefixType OBJECT-TYPE 886 SYNTAX InetAddressType 887 MAX-ACCESS read-only 888 STATUS current 889 DESCRIPTION 890 "Subscriber's internal prefix type." 
891 ::= { newNatSubscribersTableEntry 3 } 893 newNatSubscriberIntPrefix OBJECT-TYPE 894 SYNTAX InetAddress 895 MAX-ACCESS read-only 896 STATUS current 897 DESCRIPTION 898 "Prefix assigned to a subscriber's CPE." 899 ::= { newNatSubscribersTableEntry 4 } 901 newNatSubscriberIntPrefixLength OBJECT-TYPE 902 SYNTAX InetAddressPrefixLength 903 MAX-ACCESS read-only 904 STATUS current 905 DESCRIPTION 906 "Length of the prefix assigned to a subscriber's CPE, in bits. 907 In case a single address is assigned, this will be 32 for IPv4 908 and 128 for IPv6." 909 ::= { newNatSubscribersTableEntry 5 } 911 newNatSubscriberPool OBJECT-TYPE 912 SYNTAX NatPoolIndex 913 MAX-ACCESS read-only 914 STATUS current 915 DESCRIPTION 916 "External address pool to which this subscriber belongs." 917 ::= { newNatSubscribersTableEntry 6 } 919 newNatSubscriberCntTranslates OBJECT-TYPE 920 SYNTAX Counter64 921 MAX-ACCESS read-only 922 STATUS current 923 DESCRIPTION 924 "The number of packets received from or sent to this subscriber 925 and to which NAT has been applied." 926 ::= { newNatSubscribersTableEntry 7 } 928 newNatSubscriberCntOOP OBJECT-TYPE 929 SYNTAX Counter64 930 MAX-ACCESS read-only 931 STATUS current 932 DESCRIPTION 933 "The number of packets received from this subscriber to which 934 NAT could not be applied because no external port was 935 available, excluding quota limitations." 936 ::= { newNatSubscribersTableEntry 8 } 938 newNatSubscriberCntResource OBJECT-TYPE 939 SYNTAX Counter64 940 MAX-ACCESS read-only 941 STATUS current 942 DESCRIPTION 943 "The number of packets received from this subscriber to which 944 NAT could not be applied because of resource constraints 945 (excluding out-of-ports condition)." 
946 ::= { newNatSubscribersTableEntry 9 } 948 newNatSubscriberCntStateMismatch OBJECT-TYPE 949 SYNTAX Counter64 950 MAX-ACCESS read-only 951 STATUS current 952 DESCRIPTION 953 "The number of packets received from or destined to this 954 subscriber to which NAT could not be applied because of mapping 955 state mismatch. For example, a TCP packet that matches an 956 existing mapping but is dropped because its flags are 957 incompatible with the current state of the mapping would cause 958 this counter to be incremented." 959 ::= { newNatSubscribersTableEntry 10 } 961 newNatSubscriberCntQuota OBJECT-TYPE 962 SYNTAX Counter64 963 MAX-ACCESS read-only 964 STATUS current 965 DESCRIPTION 966 "The number of packets received from or destined to this 967 subscriber to which NAT could not be applied because of quota 968 limitations. Quotas include absolute limits as well as limits 969 on the rate of allocation." 970 ::= { newNatSubscribersTableEntry 11 } 972 newNatSubscriberCntMappings OBJECT-TYPE 973 SYNTAX Gauge32 974 MAX-ACCESS read-only 975 STATUS current 976 DESCRIPTION 977 "Number of currently active mappings created by or for this 978 subscriber. 980 Equal to newNatSubscriberCntMapRemovals - 981 newNatSubscriberCntMapCreations." 982 ::= { newNatSubscribersTableEntry 12 } 984 newNatSubscriberCntMapCreations OBJECT-TYPE 985 SYNTAX Counter64 986 MAX-ACCESS read-only 987 STATUS current 988 DESCRIPTION 989 "Number of mappings created by or for this subscriber." 990 ::= { newNatSubscribersTableEntry 13 } 992 newNatSubscriberCntMapRemovals OBJECT-TYPE 993 SYNTAX Counter64 994 MAX-ACCESS read-only 995 STATUS current 996 DESCRIPTION 997 "Number of mappings removed by or for this subscriber." 998 ::= { newNatSubscribersTableEntry 14 } 1000 newNatSubscriberLimitMappings OBJECT-TYPE 1001 SYNTAX Unsigned32 1002 MAX-ACCESS read-write 1003 STATUS current 1004 DESCRIPTION 1005 "Limit on the number of active mappings created by or for this 1006 subscriber. Zero means unlimited." 
    ::= { newNatSubscribersTableEntry 15 }

newNatSubscriberMapNotifyThresh OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "See newNatNotifSubscriberMappings."
    ::= { newNatSubscribersTableEntry 16 }

-- conformance groups

newNatGroupBasicObjects OBJECT-GROUP
    OBJECTS { newNatCntTranslates,
              newNatCntOOP,
              newNatCntResource,
              newNatCntStateMismatch,
              newNatCntQuota,
              newNatCntMappings,
              newNatCntMapCreations,
              newNatCntMapRemovals,
              newNatCntProtocolTranslates,
              newNatCntProtocolOOP,
              newNatCntProtocolResource,
              newNatCntProtocolStateMismatch,
              newNatCntProtocolQuota,
              newNatCntProtocolMappings,
              newNatCntProtocolMapCreations,
              newNatCntProtocolMapRemovals,
              newNatLimitMappings,
              newNatMappingsNotifyThreshold,
              newNatPoolIndex,
              newNatPoolUsage,
              newNatPoolWatermarkLow,
              newNatPoolWatermarkHigh,
              newNatPoolPortMin,
              newNatPoolPortMax,
              newNatPoolRangePoolIndex,
              newNatPoolRangeEnd,
              newNatPoolRangeAllocatedPorts,
              newNatMappingIntAddressType,
              newNatMappingIntAddress,
              newNatMappingIntPort,
              newNatMappingPool }
    STATUS current
    DESCRIPTION
        "Basic counters, limits, and thresholds."
    ::= { newNatGroups 1 }

newNatGroupAddrMapObjects OBJECT-GROUP
    OBJECTS { newNatCntAddressMappings,
              newNatCntAddrMapCreations,
              newNatCntAddrMapRemovals,
              newNatLimitAddressMappings,
              newNatAddrMapNotifyThreshold,
              newNatMapIntAddrExt }
    STATUS current
    DESCRIPTION
        "Objects that require 'Paired IP address pooling' behavior
        [RFC4787]."
    ::= { newNatGroups 2 }

newNatGroupFragmentObjects OBJECT-GROUP
    OBJECTS { newNatLimitFragments }
    STATUS current
    DESCRIPTION
        "Objects that require 'Receive Fragments Out of Order' behavior
        [RFC4787]."
    ::= { newNatGroups 3 }

newNatGroupSubscriberObjects OBJECT-GROUP
    OBJECTS { newNatSubscriberIntPrefixType,
              newNatSubscriberIntPrefix,
              newNatSubscriberIntPrefixLength,
              newNatSubscriberPool,
              newNatSubscriberCntTranslates,
              newNatSubscriberCntOOP,
              newNatSubscriberCntResource,
              newNatSubscriberCntStateMismatch,
              newNatSubscriberCntQuota,
              newNatSubscriberCntMappings,
              newNatSubscriberCntMapCreations,
              newNatSubscriberCntMapRemovals,
              newNatSubscriberLimitMappings,
              newNatSubscriberMapNotifyThresh,
              newNatLimitSubscribers }
    STATUS current
    DESCRIPTION
        "Per-subscriber counters, limits, and thresholds."
    ::= { newNatGroups 4 }

newNatGroupBasicNotifications NOTIFICATION-GROUP
    NOTIFICATIONS { newNatNotifPoolWatermarkLow,
                    newNatNotifPoolWatermarkHigh,
                    newNatNotifMappings }
    STATUS current
    DESCRIPTION
        "Basic notifications."
    ::= { newNatGroups 5 }

newNatGroupAddrMapNotifications NOTIFICATION-GROUP
    NOTIFICATIONS { newNatNotifAddrMappings }
    STATUS current
    DESCRIPTION
        "Notifications about address mappings."
    ::= { newNatGroups 6 }

newNatGroupSubscriberNotifs NOTIFICATION-GROUP
    NOTIFICATIONS { newNatNotifSubscriberMappings }
    STATUS current
    DESCRIPTION
        "Notifications about subscribers."
    ::= { newNatGroups 7 }

-- compliance statements

newNatBasicCompliance MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
        "Basic compliance with this MIB is attained when the objects
        contained in the mandatory groups are implemented."
    MODULE -- this module
        MANDATORY-GROUPS { newNatGroupBasicObjects,
                           newNatGroupBasicNotifications }
    ::= { newNatCompliance 1 }

newNatAddrMapCompliance MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
        "NATs that have 'Paired IP address pooling' behavior [RFC4787]
        and implement the objects in this group can claim this level of
        compliance."
    MODULE -- this module
        MANDATORY-GROUPS { newNatGroupBasicObjects,
                           newNatGroupBasicNotifications,
                           newNatGroupAddrMapObjects,
                           newNatGroupAddrMapNotifications }
    ::= { newNatCompliance 2 }

newNatFragmentsCompliance MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
        "NATs that have 'Receive Fragments Out of Order' behavior
        [RFC4787] and implement the objects in this group can claim
        this level of compliance."
    MODULE -- this module
        MANDATORY-GROUPS { newNatGroupBasicObjects,
                           newNatGroupBasicNotifications,
                           newNatGroupFragmentObjects }
    ::= { newNatCompliance 3 }

newNatCGNCompliance MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
        "NATs that have 'Paired IP address pooling' and 'Receive
        Fragments Out of Order' behavior [RFC4787] and implement the
        objects in this group can claim this level of compliance.

        This level of compliance is to be expected of a CGN compliant
        with [I-D.ietf-behave-lsn-requiremnents]."
    MODULE -- this module
        MANDATORY-GROUPS { newNatGroupBasicObjects,
                           newNatGroupBasicNotifications,
                           newNatGroupAddrMapObjects,
                           newNatGroupAddrMapNotifications,
                           newNatGroupFragmentObjects,
                           newNatGroupSubscriberObjects,
                           newNatGroupSubscriberNotifs }
    ::= { newNatCompliance 4 }

END

4. Security Considerations

   TBD

5. IANA Considerations

   TBD

6. References

6.1. Normative References

   [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Structure of Management Information
              Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

   [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Textual Conventions for SMIv2",
              STD 58, RFC 2579, April 1999.

   [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
              Schoenwaelder, "Textual Conventions for Internet Network
              Addresses", RFC 4001, February 2005.

   [RFC4787]  Audet, F. and C. Jennings, "Network Address Translation
              (NAT) Behavioral Requirements for Unicast UDP", BCP 127,
              RFC 4787, January 2007.

6.2. Informative References

   [RFC4008]  Rohit, R., Srisuresh, P., Raghunarayan, R., Pai, N., and
              C. Wang, "Definitions of Managed Objects for Network
              Address Translators (NAT)", RFC 4008, March 2005.

Appendix A. Change Log (to be removed by RFC Editor prior to
            publication)

A.1. Changed in -01

   o  Added CGN stuff (per-subscriber quotas, counters, notifications).

   o  Added conformance groups and compliance statements.

   o  Added mapping table indexed by external 3-tuple.

Authors' Addresses

   Simon Perreault
   Viagenie
   246 Aberdeen
   Quebec, QC  G1R 2E1
   Canada

   Phone: +1 418 656 9254
   Email: simon.perreault@viagenie.ca
   URI:   http://viagenie.ca

   Tina Tsou
   Huawei Technologies (USA)
   2330 Central Expressway
   Santa Clara, CA  95050
   USA

   Phone: +1 408 330 4424
   Email: tina.tsou.zouting@huawei.com

   Senthil Sivakumar
   Cisco Systems
   7100-8 Kit Creek Road
   Research Triangle Park, North Carolina  27709
   USA

   Phone: +1 919 392 5158
   Email: ssenthil@cisco.com
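The per-subscriber objects above (newNatSubscriberCntTranslates through newNatSubscriberMapNotifyThresh) are the data an operator would poll to spot a subscriber that is exhausting its mapping quota or being refused ports. The following is an added example, not part of this draft or of any vendor's implementation, of how a monitoring script would consume those objects: it parses constructed snmpwalk-style lines for the subscriber table, recomputes the mapping gauge from the creation and removal counters as the newNatSubscriberCntMappings description says, and flags subscribers at their limit, over their notification threshold, or accumulating drops. The module name NEW-NAT-MIB, the integer subscriber indices, the text form of the varbinds and the convention that a threshold of zero is disabled are all assumptions made for the example; only the object names come from the draft.

```python
"""Evaluate per-subscriber NAT state from newNatSubscribersTable objects.

Constructed example: the input below imitates snmpwalk output for the
per-subscriber columns of this draft. The module name NEW-NAT-MIB, the
subscriber indices and the value formatting are assumptions.
"""
import re

# Constructed sample varbinds, not output from a real device.
SAMPLE_WALK = """\
NEW-NAT-MIB::newNatSubscriberCntTranslates.1 = Counter64: 540210
NEW-NAT-MIB::newNatSubscriberCntOOP.1 = Counter64: 0
NEW-NAT-MIB::newNatSubscriberCntResource.1 = Counter64: 0
NEW-NAT-MIB::newNatSubscriberCntStateMismatch.1 = Counter64: 12
NEW-NAT-MIB::newNatSubscriberCntQuota.1 = Counter64: 0
NEW-NAT-MIB::newNatSubscriberCntMappings.1 = Gauge32: 150
NEW-NAT-MIB::newNatSubscriberCntMapCreations.1 = Counter64: 2150
NEW-NAT-MIB::newNatSubscriberCntMapRemovals.1 = Counter64: 2000
NEW-NAT-MIB::newNatSubscriberLimitMappings.1 = Unsigned32: 1000
NEW-NAT-MIB::newNatSubscriberMapNotifyThresh.1 = Unsigned32: 800
NEW-NAT-MIB::newNatSubscriberCntTranslates.2 = Counter64: 9981234
NEW-NAT-MIB::newNatSubscriberCntOOP.2 = Counter64: 3
NEW-NAT-MIB::newNatSubscriberCntResource.2 = Counter64: 0
NEW-NAT-MIB::newNatSubscriberCntStateMismatch.2 = Counter64: 4
NEW-NAT-MIB::newNatSubscriberCntQuota.2 = Counter64: 4312
NEW-NAT-MIB::newNatSubscriberCntMappings.2 = Gauge32: 1000
NEW-NAT-MIB::newNatSubscriberCntMapCreations.2 = Counter64: 80000
NEW-NAT-MIB::newNatSubscriberCntMapRemovals.2 = Counter64: 79000
NEW-NAT-MIB::newNatSubscriberLimitMappings.2 = Unsigned32: 1000
NEW-NAT-MIB::newNatSubscriberMapNotifyThresh.2 = Unsigned32: 800
NEW-NAT-MIB::newNatSubscriberCntTranslates.3 = Counter64: 1200
NEW-NAT-MIB::newNatSubscriberCntOOP.3 = Counter64: 0
NEW-NAT-MIB::newNatSubscriberCntResource.3 = Counter64: 0
NEW-NAT-MIB::newNatSubscriberCntStateMismatch.3 = Counter64: 0
NEW-NAT-MIB::newNatSubscriberCntQuota.3 = Counter64: 0
NEW-NAT-MIB::newNatSubscriberCntMappings.3 = Gauge32: 20
NEW-NAT-MIB::newNatSubscriberCntMapCreations.3 = Counter64: 70
NEW-NAT-MIB::newNatSubscriberCntMapRemovals.3 = Counter64: 40
NEW-NAT-MIB::newNatSubscriberLimitMappings.3 = Unsigned32: 0
NEW-NAT-MIB::newNatSubscriberMapNotifyThresh.3 = Unsigned32: 0
"""

# One line per varbind: <module>::<object>.<index> = <type>: <value>
VARBIND_RE = re.compile(r"^\S+::(newNatSubscriber\w+)\.(\d+) = \w+: (\d+)$")

# Drop counters worth surfacing, in the order they are reported.
DROP_COUNTERS = (
    ("newNatSubscriberCntOOP", "oop_drops"),
    ("newNatSubscriberCntResource", "resource_drops"),
    ("newNatSubscriberCntQuota", "quota_drops"),
)


def parse_walk(text: str) -> dict[int, dict[str, int]]:
    """Group varbinds by subscriber index: {index: {object_name: value}}."""
    rows: dict[int, dict[str, int]] = {}
    for line in text.splitlines():
        m = VARBIND_RE.match(line.strip())
        if m:  # lines that are not subscriber-table varbinds are ignored
            name, idx, val = m.group(1), int(m.group(2)), int(m.group(3))
            rows.setdefault(idx, {})[name] = val
    return rows


def active_mappings(row: dict[str, int]) -> int:
    """Mappings currently active, as the draft defines the gauge."""
    return row["newNatSubscriberCntMapCreations"] - row["newNatSubscriberCntMapRemovals"]


def counter_delta(prev: int, cur: int, bits: int = 64) -> int:
    """Difference between two Counter64 samples, tolerating one wrap."""
    return (cur - prev) % (1 << bits)


def evaluate_subscriber(row: dict[str, int]) -> list[str]:
    """Return the findings for one subscriber row (empty list if healthy)."""
    findings: list[str] = []
    gauge = row["newNatSubscriberCntMappings"]
    limit = row["newNatSubscriberLimitMappings"]      # zero means unlimited
    thresh = row["newNatSubscriberMapNotifyThresh"]   # zero treated as disabled (assumption)
    if gauge != active_mappings(row):
        findings.append("gauge_mismatch")  # agent's gauge disagrees with its own counters
    if thresh and gauge >= thresh:
        findings.append("threshold")
    if limit and gauge >= limit:
        findings.append("limit")  # new mappings for this subscriber will be refused
    for col, tag in DROP_COUNTERS:
        if row[col] > 0:
            findings.append(tag)
    return findings


def evaluate_walk(text: str) -> dict[int, list[str]]:
    """Parse a walk and evaluate every subscriber, keyed by index."""
    return {idx: evaluate_subscriber(row) for idx, row in sorted(parse_walk(text).items())}


if __name__ == "__main__":
    for idx, findings in evaluate_walk(SAMPLE_WALK).items():
        print(f"subscriber {idx}: {', '.join(findings) or 'ok'}")
```

In a real poller the drop counters would be compared between two polls with counter_delta rather than tested against zero, since a Counter64 only ever grows; the absolute test here is what makes the constructed sample self-contained.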