idnits 2.17.1

draft-ietf-capwap-802dot11-mib-04.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** The document seems to lack a License Notice according IETF Trust
     Provisions of 28 Dec 2009, Section 6.b.i or Provisions of 12 Sep 2009
     Section 6.b -- however, there's a paragraph with a matching beginning.
     Boilerplate error?

     (You're using the IETF Trust Provisions' Section 6.b License Notice from
     12 Feb 2009 rather than one of the newer Notices. See
     https://trustee.ietf.org/license-info/.)

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but
     does not include the phrase in its RFC 2119 key words list.

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008. If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment. If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (May 30, 2009) is 5438 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Outdated reference: A later version (-09) exists of
     draft-ietf-capwap-base-mib-04

  ** Downref: Normative reference to an Informational draft:
     draft-ietf-capwap-base-mib (ref. 'I-D.ietf-capwap-base-mib')

  -- Possible downref: Non-RFC (?) normative reference: ref.
     'IEEE.802-11.2007'

  -- Obsolete informational reference (is this intentional?): RFC 4347
     (Obsoleted by RFC 6347)

     Summary: 2 errors (**), 0 flaws (~~), 3 warnings (==), 4 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Internet Engineering Task Force                              Y. Shi, Ed.
Internet-Draft                                        H3C Tech. Co., Ltd
Intended status: Standards Track                         D. Perkins, Ed.
Expires: December 1, 2009                                       SNMPinfo
                                                         C. Elliott, Ed.
                                                     Cisco Systems, Inc.
                                                           Y. Zhang, Ed.
                                                          Fortinet, Inc.
                                                            May 30, 2009

              CAPWAP Protocol Binding MIB for IEEE 802.11
                   draft-ietf-capwap-802dot11-mib-04

Status of This Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on December 1, 2009.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols. In particular, it
   describes managed objects for modeling the Control And Provisioning
   of Wireless Access Points (CAPWAP) Protocol for IEEE 802.11 wireless
   binding.

Table of Contents

   1. Introduction
   2. The Internet-Standard Management Framework
   3. Terminology
   4. Conventions
   5. Overview
     5.1. WLAN Profile
     5.2. Requirements and Constraints
     5.3. Mechanism of Reusing Wireless Binding MIB Module
   6. Structure of MIB Module
   7. Relationship to Other MIB Modules
     7.1. Relationship to SNMPv2-MIB Module
     7.2. Relationship to IF-MIB Module
     7.3. Relationship to CAPWAP-BASE-MIB Module
     7.4. Relationship to MIB Module in IEEE 802.11 Standard
     7.5. MIB Modules Required for IMPORTS
   8. Example of CAPWAP-DOT11-MIB Module Usage
   9. Definitions
   10. Security Considerations
   11. IANA Considerations
     11.1. IANA Considerations for CAPWAP-DOT11-MIB Module
     11.2. IANA Considerations for ifType
   12. Contributors
   13. Acknowledgements
   14. References
     14.1. Normative References
     14.2. Informative References
   Appendix A. Changes between -04 and -03

1. Introduction

   The CAPWAP Protocol [RFC5415] defines a standard, interoperable
   protocol, which enables an Access Controller (AC) to manage a
   collection of Wireless Termination Points (WTPs). CAPWAP supports the
   use of various wireless technologies by the WTPs, with one specified
   in the CAPWAP Protocol Binding for IEEE 802.11 [RFC5416].

   This document defines a MIB module that can be used to manage CAPWAP
   implementations for IEEE 802.11 wireless binding. This MIB module
   covers both configuration for WLAN and a way to reuse the IEEE 802.11
   MIB module [IEEE.802-11.2007].

2. The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB. MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI). This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

3. Terminology

   This document uses terminology from the CAPWAP Protocol specification
   [RFC5415], the CAPWAP Protocol Binding for IEEE 802.11 [RFC5416] and
   CAPWAP Protocol Base MIB [I-D.ietf-capwap-base-mib].

   Access Controller (AC): The network entity that provides WTP access
   to the network infrastructure in the data plane, control plane,
   management plane, or a combination therein.

   Wireless Termination Point (WTP): The physical or network entity that
   contains an RF antenna and wireless PHY to transmit and receive
   station traffic for wireless access networks.

   Control And Provisioning of Wireless Access Points (CAPWAP): It is a
   generic protocol defining AC and WTP control and data plane
   communication via a CAPWAP protocol transport mechanism. CAPWAP
   control messages, and optionally CAPWAP data messages, are secured
   using Datagram Transport Layer Security (DTLS) [RFC4347].

   CAPWAP Control Channel: A bi-directional flow defined by the AC IP
   Address, WTP IP Address, AC control port, WTP control port and the
   transport-layer protocol (UDP or UDP-Lite) over which CAPWAP control
   packets are sent and received.

   CAPWAP Data Channel: A bi-directional flow defined by the AC IP
   Address, WTP IP Address, AC data port, WTP data port, and the
   transport-layer protocol (UDP or UDP-Lite) over which CAPWAP data
   packets are sent and received.

   Station (STA): A device that contains an interface to a wireless
   medium (WM).

   Split and Local MAC: The CAPWAP protocol supports two modes of
   operation: Split and Local MAC.
   In Split MAC mode all L2 wireless
   data and management frames are encapsulated via the CAPWAP protocol
   and exchanged between the AC and the WTPs. The Local MAC mode of
   operation allows the data frames to be either locally bridged, or
   tunneled as 802.3 frames.

   Wireless Binding: The CAPWAP protocol is independent of a specific
   WTP radio technology, as well as its associated wireless link layer
   protocol. Elements of the CAPWAP protocol are designed to
   accommodate the specific needs of each wireless technology in a
   standard way. Implementation of the CAPWAP protocol for a particular
   wireless technology MUST define a binding protocol for it, e.g., the
   binding for IEEE 802.11, provided in [RFC5416].

   WLAN: A WLAN refers to a logical component instantiated on a WTP
   device. A single physical WTP MAY operate a number of WLANs. Each
   Basic Service Set Identifier (BSSID) and its constituent wireless
   terminal radios are denoted as a distinct WLAN on a physical WTP.
   Supporting a physical WTP with multiple WLANs is an important feature
   of the CAPWAP protocol's 802.11 binding, and it is equally important
   for the MIB module design.

   Wireless Binding MIB Module: Other Standards Developing Organizations
   (SDOs), such as IEEE, have already defined MIB modules for a specific
   wireless technology, e.g., the IEEE 802.11 MIB module
   [IEEE.802-11.2007]. Such MIB modules are called wireless binding MIB
   modules.

   CAPWAP Protocol Wireless Binding MIB Module: It is a MIB module
   corresponding to the CAPWAP Protocol Binding for a Wireless binding.
   Sometimes, not all the technology-specific message elements in a
   CAPWAP binding protocol have MIB objects defined by other SDOs. For
   example, the protocol of [RFC5416] defines the WLAN concept. Also,
   Local or Split MAC modes could be specified for a WLAN. The MAC mode
   for a WLAN is not in the scope of IEEE 802.11 [IEEE.802-11.2007].
   In such cases, in addition to the existing wireless binding MIB modules
   defined by other SDOs, a CAPWAP protocol wireless binding MIB module
   is required to be defined for a wireless binding.

4. Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

5. Overview

5.1. WLAN Profile

   A WLAN profile stores configuration parameters such as MAC type and
   tunnel mode for a WLAN. Each WLAN profile is identified by a profile
   identifier. The operator needs to create WLAN profiles before WTPs
   connect to the AC. To provide WLAN service, the operator SHOULD bind
   WLAN profiles to a WTP Virtual Radio Interface which corresponds to
   a PHY radio. During the binding operation, the AC MUST select an
   unused WLAN ID between one (1) and 16 [RFC5416]. For example, to bind
   one more WLAN profile to a radio that has been bound with a WLAN
   profile, the AC SHOULD allocate WLAN ID 2 to the radio. Although the
   maximum value of WLAN ID is 16, the operator could configure more
   than 16 WLAN Profiles on the AC.

5.2. Requirements and Constraints

   The IEEE 802.11 MIB module [IEEE.802-11.2007] already defines MIB
   objects for most IEEE 802.11 Message Elements in the CAPWAP
   Protocol Binding for IEEE 802.11 [RFC5416]. As a CAPWAP Protocol
   802.11 binding MIB module, the CAPWAP-DOT11-MIB module MUST be able
   to reuse such MIB objects in the IEEE 802.11 MIB module and support
   functions such as MAC mode for WLAN in [RFC5416] which are not in
   the scope of the IEEE 802.11 standard. The CAPWAP-DOT11-MIB module MUST
   support such functions.

   In summary, the CAPWAP-DOT11-MIB module needs to support:

   - Reuse of wireless binding MIB modules in the IEEE 802.11 standard;

   - Centralized management and configuration of WLAN profiles on the AC;

   - Configuration of a MAC type and tunnel mode for a specific WLAN
     profile.

5.3. Mechanism of Reusing Wireless Binding MIB Module

   In the IEEE 802.11 MIB module, the MIB tables such as
   Dot11AuthenticationAlgorithmsTable are able to support WLAN
   configuration (such as authentication algorithm), and these tables
   use the ifIndex as the index which works well in the autonomous WLAN
   architecture.

   Reuse of such wireless binding MIB modules is very important to
   centralized WLAN architectures. The key point is to abstract a WLAN
   profile as a WLAN Profile Interface on the AC, which could be
   identified by an ifIndex. The MIB objects in the IEEE 802.11 MIB
   module which are associated with this interface can be used to
   configure WLAN parameters for the WLAN, such as authentication
   algorithm. With the ifIndex of a WLAN Profile Interface, the AC is
   able to reuse the IEEE 802.11 MIB module.

   In the CAPWAP-BASE-MIB module, each PHY radio is identified by a WTP
   ID and a radio ID, and has a corresponding WTP Virtual Radio
   Interface on the AC. The IEEE 802.11 MIB module associated with this
   interface can be used to configure IEEE 802.11 wireless binding
   parameters for the radio such as RTS Threshold. A WLAN BSS
   Interface, created by binding WLAN to WTP Virtual Radio Interface, is
   used for data forwarding.

6. Structure of MIB Module

   The MIB objects are derived from the CAPWAP protocol binding for IEEE
   802.11 document [RFC5416].

   1) capwapDot11WlanTable

   The table allows the operator to display and configure WLAN profiles,
   such as specifying the MAC type and tunnel mode for a WLAN. Also, it
   helps the AC to configure a WLAN through the IEEE 802.11 MIB module.

   2) capwapDot11WlanBindTable

   The table provides a way to bind WLAN profiles to a WTP Virtual Radio
   Interface which has a PHY radio corresponding to it. A binding
   operation dynamically creates a WLAN BSS Interface, which is used for
   data forwarding.

7. Relationship to Other MIB Modules

7.1. Relationship to SNMPv2-MIB Module

   The CAPWAP-DOT11-MIB module does not duplicate the objects of the
   'system' group in the SNMPv2-MIB [RFC3418] that is defined as being
   mandatory for all systems, and the objects apply to the entity as a
   whole. The 'system' group provides identification of the management
   entity and certain other system-wide data.

7.2. Relationship to IF-MIB Module

   The Interfaces Group [RFC2863] defines generic managed objects for
   managing interfaces. This memo contains the media-specific
   extensions to the Interfaces Group for managing WLANs that are modeled
   as interfaces.

   Each WLAN profile corresponds to a WLAN Profile Interface on the AC.
   The interface MUST be modeled as an ifEntry, and ifEntry objects such
   as ifIndex, ifDescr, ifName, ifAlias are to be used as per [RFC2863].
   The WLAN Profile Interface provides a way to configure IEEE 802.11
   parameters for a specific WLAN, and reuse the IEEE 802.11 MIB module.

   Also, the AC MUST have a mechanism that preserves the value of the
   WLAN Profile Interfaces' ifIndexes in the ifTable at AC reboot.

   To provide data forwarding service, the AC dynamically creates WLAN
   BSS Interfaces. A WLAN BSS Interface MUST be modeled as an ifEntry,
   and ifEntry objects such as ifIndex, ifDescr, ifName, ifAlias are to
   be used as per [RFC2863]. The interface enables a single physical
   WTP to support multiple WLANs.

   Also, the AC MUST have a mechanism that preserves the value of the
   WLAN BSS Interfaces' ifIndexes in the ifTable at AC reboot.

7.3. Relationship to CAPWAP-BASE-MIB Module

   The CAPWAP-BASE-MIB module provides a way to manage and control WTP
   and radio objects. In particular, it provides the WTP Virtual Radio
   Interface mechanism to enable the AC to reuse the IEEE 802.11 MIB
   module. With this mechanism, an operator could configure an IEEE
   802.11 radio's parameters and view the radio's traffic statistics on
   the AC. Based on the CAPWAP-BASE-MIB module, the CAPWAP-DOT11-MIB
   module provides more WLAN information.

7.4. Relationship to MIB Module in IEEE 802.11 Standard

   With the ifIndex of WLAN Profile Interface and WLAN BSS Interface,
   the MIB module is able to reuse the IEEE 802.11 MIB module
   [IEEE.802-11.2007]. The CAPWAP-DOT11-MIB module does not duplicate
   those objects in the IEEE 802.11 MIB module.

   The CAPWAP Protocol Binding for IEEE 802.11 [RFC5416] involves some
   of the MIB objects defined in the IEEE 802.11 standard. Although the
   CAPWAP-DOT11-MIB module uses [RFC5416] as a reference, it could reuse
   all the MIB objects in the IEEE 802.11 standard, and is not limited by
   the scope of CAPWAP Protocol Binding for IEEE 802.11.

7.5. MIB Modules Required for IMPORTS

   The following MIB modules are required for IMPORTS: SNMPv2-SMI
   [RFC2578], SNMPv2-TC [RFC2579], SNMPv2-CONF [RFC2580], IF-MIB
   [RFC2863] and CAPWAP-BASE-MIB [I-D.ietf-capwap-base-mib].

8. Example of CAPWAP-DOT11-MIB Module Usage

   1) Create a WTP profile

   Suppose the WTP's serial identifier is '12345678'.
   Create a WTP profile for it through the CapwapBaseWtpProfileTable
   [I-D.ietf-capwap-base-mib] as follows:

   In CapwapBaseWtpProfileTable
   {
     capwapBaseWtpProfileId = 1,
     capwapBaseWtpProfileName = 'WTP Profile 12345678',
     capwapBaseWtpProfileWTPSerialId = '12345678',
     capwapBaseWtpProfileWTPModelNumber = 'WTP123',
     capwapBaseWtpProfileWtpName = 'WTP 12345678',
     capwapBaseWtpProfileWtpLocation = 'office',
     capwapBaseWtpProfileWtpStaticIpEnable = true(1),
     capwapBaseWtpProfileWtpStaticIpType = ipv4(1),
     capwapBaseWtpProfileWtpStaticIp = '192.168.0.100',
     capwapBaseWtpProfileWtpNetmask = '255.255.255.0',
     capwapBaseWtpProfileWtpGateway = '192.168.0.1',
     capwapBaseWtpProfileWtpFallbackEnable = true(1),
     capwapBaseWtpProfileWtpEchoInterval = 30,
     capwapBaseWtpProfileWtpIdleTimeout = 300,
     capwapBaseWtpProfileWtpMaxDiscoveryInterval = 20,
     capwapBaseWtpProfileWtpReportInterval = 120,
     capwapBaseWtpProfileWtpSilentInterval = 30,
     capwapBaseWtpProfileWtpStatisticsTimer = 120,
     capwapBaseWtpProfileWtpWaitDTLSTimer = 60,
     capwapBaseWtpProfileWtpEcnSupport = limited(0)
   }

   Suppose the WTP with model number 'WTP123' has one PHY radio and this
   PHY radio is identified by ID 1. The creation of this WTP profile
   triggers the AC to automatically create a WTP Virtual Radio Interface
   and add a new row object to the CapwapBaseWirelessBindingTable
   without manual intervention. Suppose the ifIndex of the WTP Virtual
   Radio Interface is 10. The following information is stored in the
   CapwapBaseWirelessBindingTable.

   In CapwapBaseWirelessBindingTable
   {
     capwapBaseWtpProfileId = 1,
     capwapBaseWirelessBindingRadioId = 1,
     capwapBaseWirelessBindingVirtualRadioIfIndex = 10,
     capwapBaseWirelessBindingType = dot11(2)
   }

   The WTP Virtual Radio Interfaces on the AC correspond to the PHY
   radios on the WTP.
   The WTP Virtual Radio Interface is modeled by
   ifTable [RFC2863].

   In ifTable
   {
     ifIndex = 10,
     ifDescr = 'WTP Virtual Radio Interface',
     ifType = xxx,
     RFC Editor - please replace xxx with the value
     allocated by IANA for IANAifType of WTP Virtual Radio Interface
     ifMtu = 0,
     ifSpeed = 0,
     ifPhysAddress = '000000',
     ifAdminStatus = true(1),
     ifOperStatus = false(0),
     ifLastChange = 0,
     ifInOctets = 0,
     ifInUcastPkts = 0,
     ifInDiscards = 0,
     ifInErrors = 0,
     ifInUnknownProtos = 0,
     ifOutOctets = 0,
     ifOutUcastPkts = 0,
     ifOutDiscards = 0,
     ifOutErrors = 0
   }

   2) Query the ifIndexes of WTP Virtual Radio Interfaces

   Before configuring PHY radios, the operator needs to get the
   ifIndexes of WTP Virtual Radio Interfaces corresponding to the PHY
   radios.

   As the CapwapBaseWirelessBindingTable already stores the mappings
   between PHY radios (Radio IDs) and the ifIndexes of WTP Virtual Radio
   Interfaces, the operator can get the ifIndex information by querying
   this table. Such a query operation SHOULD run from radio ID 1 to
   radio ID 31 (according to [RFC5415]), and stop when an invalid ifIndex
   value (0) is returned.

   This example uses capwapBaseWtpProfileId = 1 and
   capwapBaseWirelessBindingRadioId = 1 as inputs to query the
   CapwapBaseWirelessBindingTable, and gets
   capwapBaseWirelessBindingVirtualRadioIfIndex = 10. Then it uses
   capwapBaseWtpProfileId = 1 and capwapBaseWirelessBindingRadioId = 2,
   and gets an invalid ifIndex value (0), so the query operation
   ends. This method gets not only the ifIndexes of WTP Virtual Radio
   Interfaces, but also the number of PHY radios. Besides checking
   whether the ifIndex value is valid, the operator SHOULD check whether
   the capwapBaseWirelessBindingType is the desired binding type.

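   The radio walk of step 2, as an added example in Python (it is not
   part of this draft or of any CAPWAP implementation). The lookup hook,
   the sample rows for profiles 2 and 3, and binding type 99 are
   constructed; treating a missing row like ifIndex 0 and rejecting a
   repeated ifIndex are assumptions of the example.

```python
"""Radio discovery walk over CapwapBaseWirelessBindingTable (added example)."""
from typing import Callable, Dict, NamedTuple, Optional

MAX_RADIO_ID = 31          # the walk runs from radio ID 1 to radio ID 31
INVALID_IFINDEX = 0        # ifIndex value that ends the walk
BINDING_DOT11 = 2          # dot11(2), as in the table row shown in step 1
MAX_IFINDEX = 2**31 - 1    # upper bound of InterfaceIndex in IF-MIB


class BindingRow(NamedTuple):
    if_index: int          # capwapBaseWirelessBindingVirtualRadioIfIndex
    binding_type: int      # capwapBaseWirelessBindingType


# Hypothetical query hook: (profile_id, radio_id) -> row, or None when the
# agent reports that no such instance exists.
Lookup = Callable[[int, int], Optional[BindingRow]]


class RadioWalk(NamedTuple):
    radios: Dict[int, int]     # radio ID -> ifIndex, wanted binding type
    skipped: Dict[int, int]    # radio ID -> binding type, other bindings

    @property
    def phy_radio_count(self) -> int:
        # The walk also yields the number of PHY radios on the WTP.
        return len(self.radios) + len(self.skipped)


def walk_radios(lookup: Lookup, profile_id: int,
                wanted_type: int = BINDING_DOT11) -> RadioWalk:
    """Query radio IDs 1..31 for one WTP profile and stop at ifIndex 0."""
    radios: Dict[int, int] = {}
    skipped: Dict[int, int] = {}
    seen = set()
    for radio_id in range(1, MAX_RADIO_ID + 1):
        row = lookup(profile_id, radio_id)
        # Assumption: a missing row ends the walk just like ifIndex 0 does.
        if row is None or row.if_index == INVALID_IFINDEX:
            break
        # Reject values an agent should never return before they are used
        # as an index into the IEEE 802.11 MIB tables.
        if not 1 <= row.if_index <= MAX_IFINDEX:
            raise ValueError(f"radio {radio_id}: ifIndex {row.if_index} out of range")
        if row.if_index in seen:
            raise ValueError(f"radio {radio_id}: ifIndex {row.if_index} already used")
        seen.add(row.if_index)
        # A valid ifIndex is not enough: the binding type must match too.
        if row.binding_type != wanted_type:
            skipped[radio_id] = row.binding_type
            continue
        radios[radio_id] = row.if_index
    return RadioWalk(radios, skipped)


# Constructed sample data. Profile 1 mirrors the rows of this section;
# profiles 2 and 3 and binding type 99 are made up for the example.
SAMPLE_TABLE = {
    (1, 1): BindingRow(10, BINDING_DOT11),
    (1, 2): BindingRow(INVALID_IFINDEX, 0),
    (2, 1): BindingRow(11, BINDING_DOT11),
    (2, 2): BindingRow(12, 99),              # valid ifIndex, other binding
    (3, 1): BindingRow(13, BINDING_DOT11),
    (3, 2): BindingRow(13, BINDING_DOT11),   # same ifIndex twice: rejected
}


def sample_lookup(profile_id: int, radio_id: int) -> Optional[BindingRow]:
    return SAMPLE_TABLE.get((profile_id, radio_id))


if __name__ == "__main__":
    for pid in (1, 2):
        walk = walk_radios(sample_lookup, pid)
        print(pid, walk.radios, walk.skipped, walk.phy_radio_count)
```
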
   3) Configure IEEE 802.11 parameters for a WTP Virtual Radio Interface

   This configuration is made on the AC through the IEEE 802.11 MIB
   module.

   The following shows an example of configuring parameters for a WTP
   Virtual Radio Interface with ifIndex 10 through the
   Dot11OperationTable [IEEE.802-11.2007].

   In Dot11OperationTable
   {
     ifIndex = 10,
     dot11MACAddress = '000000',
     dot11RTSThreshold = 2347,
     dot11ShortRetryLimit = 7,
     dot11LongRetryLimit = 4,
     dot11FragmentationThreshold = 256,
     dot11MaxTransmitMSDULifetime = 512,
     dot11MaxReceiveLifetime = 512,
     dot11ManufacturerID = 'capwap',
     dot11ProductID = 'capwap'
   }

   4) Configure a WLAN Profile

   WLAN configuration is made on the AC through the CAPWAP-DOT11-MIB
   Module, and IEEE 802.11 MIB module.

   The first step is to create a WLAN Profile Interface through the
   CAPWAP-DOT11-MIB module on the AC.

   For example, when you configure a WLAN profile which is identified by
   capwapDot11WlanProfileId 1, the CapwapDot11WlanTable creates the
   following row object for it.

   In CapwapDot11WlanTable
   {
     capwapDot11WlanProfileId = 1,
     capwapDot11WlanProfileIfIndex = 20,
     capwapDot11WlanMacType = splitMAC(2),
     capwapDot11WlanTunnelMode = dot3Tunnel(2),
     capwapDot11WlanRowStatus = createAndGo(4)
   }

   The creation of a row object triggers the AC to automatically create
   a WLAN Profile Interface and it is identified by ifIndex 20 without
   manual intervention.

   A WLAN Profile Interface MUST be modeled as an ifEntry on the AC
   which provides appropriate interface information. The
   CapwapDot11WlanTable stores the mappings between
   capwapDot11WlanProfileIds and the ifIndexes of WLAN Profile
   Interfaces.

   In ifTable
   {
     ifIndex = 20,
     ifDescr = 'WLAN Profile Interface',
     ifType = xxx,
     RFC Editor - please replace xxx with the value
     allocated by IANA for IANAifType of 'WLAN Profile Interface'
     ifMtu = 0,
     ifSpeed = 0,
     ifPhysAddress = '000000',
     ifAdminStatus = true(1),
     ifOperStatus = true(1),
     ifLastChange = 0,
     ifInOctets = 0,
     ifInUcastPkts = 0,
     ifInDiscards = 0,
     ifInErrors = 0,
     ifInUnknownProtos = 0,
     ifOutOctets = 0,
     ifOutUcastPkts = 0,
     ifOutDiscards = 0,
     ifOutErrors = 0
   }

   The second step is to configure WLAN parameters for the WLAN Profile
   Interface through the IEEE 802.11 MIB module on the AC.

   The following example configures an authentication algorithm for a
   WLAN.

   In Dot11AuthenticationAlgorithmsTable
   {
     ifIndex = 20,
     dot11AuthenticationAlgorithmsIndex = 1,
     dot11AuthenticationAlgorithm = Shared Key(2),
     dot11AuthenticationAlgorithmsEnable = true(1)
   }

   Here ifIndex 20 identifies the WLAN Profile Interface and the index
   of the configured authentication algorithm is 1.

   5) Bind WLAN Profiles to a WTP radio

   On the AC, the CapwapDot11WlanBindTable in the CAPWAP-DOT11-MIB
   stores the bindings between WLAN profiles (identified by
   capwapDot11WlanProfileId) and WTP Virtual Radio Interfaces
   (identified by the ifIndex).

   For example, after the operator binds a WLAN profile with
   capwapDot11WlanProfileId 1 to WTP Virtual Radio Interface with
   ifIndex 10, the CapwapDot11WlanBindTable creates the following row
   object.

   In CapwapDot11WlanBindTable
   {
     ifIndex = 10,
     capwapDot11WlanProfileId = 1,
     capwapDot11WlanBindBssIfIndex = 30,
     capwapDot11WlanBindRowStatus = createAndGo(4)
   }

   If the capwapDot11WlanMacType of the WLAN is splitMAC(2), the
   creation of the row object in the CapwapDot11WlanBindTable triggers
   the AC to automatically create a WLAN BSS Interface identified by
   ifIndex 30 without manual intervention.

   The WLAN BSS Interface MUST be modeled as an ifEntry on the AC, which
   provides appropriate interface information. The
   CapwapDot11WlanBindTable stores the mappings among the ifIndex of a
   WTP Virtual Radio Interface, WLAN profile ID, WLAN ID and the ifIndex
   of a WLAN BSS Interface.

   6) Current configuration status report from the WTP to the AC

   Before a WTP that has joined the AC gets configuration from the AC,
   it needs to report its current configuration status by sending a
   configuration status request message to the AC, which uses the
   message to update corresponding MIB objects on the AC. For example,
   for ifIndex 10 (which identifies a WLAN Virtual Radio Interface), its
   ifOperStatus in the ifTable is updated according to the current radio
   operational status in the CAPWAP message [RFC5415].

   7) Query WTP and radio statistics data

   After WTPs start to run, the operator could query WTP and radio
   statistics data through the CAPWAP-BASE-MIB and CAPWAP-DOT11-MIB
   modules. For example, through the dot11CountersTable
   [IEEE.802-11.2007], the operator could query counter data of a radio
   which is identified by the ifIndex of the corresponding WLAN Virtual
   Radio Interface.

   8) Query other statistics data

   The operator could query the configuration of a WLAN through the
   Dot11AuthenticationAlgorithmsTable [IEEE.802-11.2007] and the
   statistics data of a WLAN BSS Interface through the ifTable [RFC2863].

9. Definitions

   CAPWAP-DOT11-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       RowStatus, TEXTUAL-CONVENTION
           FROM SNMPv2-TC
       OBJECT-GROUP, MODULE-COMPLIANCE
           FROM SNMPv2-CONF
       MODULE-IDENTITY, OBJECT-TYPE, mib-2, Unsigned32
           FROM SNMPv2-SMI
       ifIndex, InterfaceIndex
           FROM IF-MIB
       CapwapBaseMacTypeTC, CapwapBaseTunnelModeTC
           FROM CAPWAP-BASE-MIB;

   capwapDot11MIB MODULE-IDENTITY
       LAST-UPDATED "200905300000Z"        -- May 30th, 2009
       ORGANIZATION "IETF Control And Provisioning of Wireless Access
                     Points (CAPWAP) Working Group
                     http://www.ietf.org/html.charters/capwap-charter.html"
       CONTACT-INFO
           "General Discussion: capwap@frascone.com
            To Subscribe: http://lists.frascone.com/mailman/listinfo/capwap
            Yang Shi
            H3C, Digital Technology Plaza, NO.9 Shangdi 9th Street,Haidian
            District,Beijing,China(100085)
            Email: young@h3c.com

            David T. Perkins
            228 Bayview Dr
            San Carlos, CA 94070
            USA
            Phone: +1 408 394-8702
            Email: dperkins@snmpinfo.com

            Chris Elliott
            Cisco Systems, Inc.
            7025 Kit Creek Rd., P.O. Box 14987
            Research Triangle Park 27709
            USA
            Phone: +1 919-392-2146
            Email: chelliot@cisco.com

            Yong Zhang
            Fortinet, Inc.
            1090 Kifer Road
            Sunnyvale, CA 94086
            USA
            Email: yzhang@fortinet.com"

       DESCRIPTION
           "Copyright (C) 2009 The Internet Society. This version of
            the MIB module is part of RFC xxx; see the RFC itself
            for full legal notices.

            This MIB module contains managed object definitions for
            CAPWAP Protocol binding for IEEE 802.11."
       REVISION    "200905300000Z"
       DESCRIPTION
           "Initial version, published as RFC xxx"
       ::= { mib-2 xxx }

   -- Textual conventions

   CapwapDot11WlanIdTC ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "d"
       STATUS      current
       DESCRIPTION
           "Represents the unique identifier of a WLAN."
       SYNTAX      Unsigned32 (1..16)

   CapwapDot11WlanIdProfileTC ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "d"
       STATUS      current
       DESCRIPTION
           "Represents the unique identifier of a WLAN profile."
       SYNTAX      Unsigned32 (1..512)

   -- Top level components of this MIB module

   -- Tables, Scalars
   capwapDot11Objects OBJECT IDENTIFIER
       ::= { capwapDot11MIB 1 }
   -- Conformance
   capwapDot11Conformance OBJECT IDENTIFIER
       ::= { capwapDot11MIB 2 }

   -- capwapDot11WlanTable Table

   capwapDot11WlanTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF CapwapDot11WlanEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A table that allows the operator to display and configure
            WLAN profiles, such as specifying the MAC type and tunnel mode
            for a WLAN. Also, it helps the AC to configure a WLAN through
            the IEEE 802.11 MIB module.
            Values of all objects in this table are persistent at
            restart/reboot."
       ::= { capwapDot11Objects 1 }

   capwapDot11WlanEntry OBJECT-TYPE
       SYNTAX      CapwapDot11WlanEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A set of objects that store the settings of a WLAN profile."
       INDEX { capwapDot11WlanProfileId }
       ::= { capwapDot11WlanTable 1 }

   CapwapDot11WlanEntry ::=
       SEQUENCE {
           capwapDot11WlanProfileId        CapwapDot11WlanIdProfileTC,
           capwapDot11WlanProfileIfIndex   InterfaceIndex,
           capwapDot11WlanMacType          CapwapBaseMacTypeTC,
           capwapDot11WlanTunnelMode       CapwapBaseTunnelModeTC,
           capwapDot11WlanRowStatus        RowStatus
       }

   capwapDot11WlanProfileId OBJECT-TYPE
       SYNTAX      CapwapDot11WlanIdProfileTC
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "Represents the identifier of a WLAN profile which has a
            corresponding capwapDot11WlanProfileIfIndex."
       ::= { capwapDot11WlanEntry 1 }

   capwapDot11WlanProfileIfIndex OBJECT-TYPE
       SYNTAX      InterfaceIndex
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Represents the index value that uniquely identifies a
            WLAN Profile Interface. The interface identified by a
            particular value of this index is the same interface as
            identified by the same value of the ifIndex.
            The creation of a row object in the capwapDot11WlanTable
            triggers the AC to automatically create an WLAN Profile
            Interface identified by an ifIndex without manual
            intervention.
            Most MIB tables in the IEEE 802.11 MIB module
            [IEEE.802-11.2007] use an ifIndex to identify an interface
            to facilitate the configuration and maintenance, for example,
            dot11AuthenticationAlgorithmsTable.
            Using the ifIndex of a WLAN Profile Interface, the Operator
            could configure a WLAN through the IEEE 802.11 MIB module."
       ::= { capwapDot11WlanEntry 2 }

   capwapDot11WlanMacType OBJECT-TYPE
       SYNTAX      CapwapBaseMacTypeTC
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "Represents whether the WTP SHOULD support the WLAN in
            Local or Split MAC modes."
       REFERENCE
           "Section 6.1. of CAPWAP Protocol Binding for IEEE 802.11,
            RFC 5416."
       ::= { capwapDot11WlanEntry 3 }

   capwapDot11WlanTunnelMode OBJECT-TYPE
       SYNTAX      CapwapBaseTunnelModeTC
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "Represents the frame tunneling mode to be used for IEEE 802.11
            data frames from all stations associated with the WLAN.
            Bits are exclusive with each other for a specific WLAN profile,
            and only one tunnel mode could be configured.
            If the operator set more than one bit, the value of the
            Response-PDU's error-status field is set to `wrongValue',
            and the value of its error-index field is set to the index of
            the failed variable binding."
       REFERENCE
           "Section 6.1. of CAPWAP Protocol Binding for IEEE 802.11,
            RFC 5416."
       ::= { capwapDot11WlanEntry 4 }

   capwapDot11WlanRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This variable is used to create, modify, and/or delete a row
            in this table.
            When the operator deletes a WLAN profile, the AC SHOULD
            check whether the WLAN profile is bound with a radio.
            If yes, the value of the Response-PDU's error-status field
            is set to `inconsistentValue', and the value of its
            error-index field is set to the index of the failed variable
            binding. If not, the row object could be deleted."
       ::= { capwapDot11WlanEntry 5 }

   -- End of capwapDot11WlanTable Table

   -- capwapDot11WlanBindTable Table

   capwapDot11WlanBindTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF CapwapDot11WlanBindEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A table that stores bindings between WLAN profiles
            (identified by capwapDot11WlanProfileId) and
            WTP Virtual Radio Interfaces. The WTP Virtual Radio Interfaces
            on the AC correspond to PHY radios on the WTPs. It also stores
            the mappings between WLAN IDs and WLAN BSS Interfaces.
            Values of all objects in this table are persistent at
            restart/reboot."
       REFERENCE
           "Section 6.1. of CAPWAP Protocol Binding for IEEE 802.11,
            RFC 5416."
       ::= { capwapDot11Objects 2 }

   capwapDot11WlanBindEntry OBJECT-TYPE
       SYNTAX      CapwapDot11WlanBindEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A set of objects that stores the binding of a WLAN profile
            to a WTP Virtual Radio Interface. It also stores the mapping
            between WLAN ID and WLAN BSS Interface.
            The INDEX object ifIndex is the ifIndex of a WTP Virtual
            Radio Interface."
       INDEX { ifIndex, capwapDot11WlanProfileId }
       ::= { capwapDot11WlanBindTable 1 }

   CapwapDot11WlanBindEntry ::=
       SEQUENCE {
           capwapDot11WlanBindWlanId       CapwapDot11WlanIdTC,
           capwapDot11WlanBindBssIfIndex   InterfaceIndex,
           capwapDot11WlanBindRowStatus    RowStatus
       }

   capwapDot11WlanBindWlanId OBJECT-TYPE
       SYNTAX      CapwapDot11WlanIdTC
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Represents the WLAN ID of a WLAN.
            During a binding operation, the AC MUST select an unused
            WLAN ID between one (1) and 16 [RFC5416].  For example, to bind
            another WLAN profile to a radio that has been bound with
            a WLAN profile, WLAN ID 2 should be assigned."
       REFERENCE
           "Section 6.1. of CAPWAP Protocol Binding for IEEE 802.11,
            RFC 5416."
       ::= { capwapDot11WlanBindEntry 1 }

   capwapDot11WlanBindBssIfIndex OBJECT-TYPE
       SYNTAX      InterfaceIndex
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Represents the index value that uniquely identifies a
            WLAN BSS Interface.  The interface identified by a
            particular value of this index is the same interface as
            identified by the same value of the ifIndex.
            The ifIndex here is for a WLAN BSS Interface.

            The creation of a row object in the capwapDot11WlanBindTable
            triggers the AC to automatically create a WLAN BSS Interface
            identified by an ifIndex without manual intervention.
            The PHY address of the capwapDot11WlanBindBssIfIndex is the
            BSSID.  While manufacturers are free to assign BSSIDs by using
            any arbitrary mechanism, it is advised that where possible the
            BSSIDs are assigned as a contiguous block.
            When assigned as a block, implementations can still assign
            any of the available BSSIDs to any WLAN.  One possible method
            is for the WTP to assign the address using the following
            algorithm: base BSSID address + WLAN ID."
       REFERENCE
           "Section 2.4. of CAPWAP Protocol Binding for IEEE 802.11,
            RFC 5416."
       ::= { capwapDot11WlanBindEntry 2 }

   capwapDot11WlanBindRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This variable is used to create, modify, and/or delete a row
            in this table."
       ::= { capwapDot11WlanBindEntry 3 }

   -- End of capwapDot11WlanBindTable Table

   -- Module compliance

   capwapDot11Groups OBJECT IDENTIFIER
       ::= { capwapDot11Conformance 1 }

   capwapDot11Compliances OBJECT IDENTIFIER
       ::= { capwapDot11Conformance 2 }

   capwapDot11Compliance MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
           "Describes the requirements for conformance to the
            CAPWAP-DOT11-MIB module."

       MODULE -- this module
           MANDATORY-GROUPS {
               capwapDot11WlanGroup,
               capwapDot11WlanBindGroup
           }
       ::= { capwapDot11Compliances 1 }

   capwapDot11WlanGroup OBJECT-GROUP
       OBJECTS {
           capwapDot11WlanProfileIfIndex,
           capwapDot11WlanMacType,
           capwapDot11WlanTunnelMode,
           capwapDot11WlanRowStatus
       }
       STATUS      current
       DESCRIPTION
           "A collection of objects which are used to configure
            the properties of a WLAN profile."
       ::= { capwapDot11Groups 1 }

   capwapDot11WlanBindGroup OBJECT-GROUP
       OBJECTS {
           capwapDot11WlanBindWlanId,
           capwapDot11WlanBindBssIfIndex,
           capwapDot11WlanBindRowStatus
       }
       STATUS      current
       DESCRIPTION
           "A collection of objects which are used to bind the
            WLAN profiles with a radio."
       ::= { capwapDot11Groups 2 }

   END

10.  Security Considerations

   There are a number of management objects defined in this MIB module
   with a MAX-ACCESS clause of read-write and/or read-create.  Such
   objects MAY be considered sensitive or vulnerable in some network
   environments.  The support for SET operations in a non-secure
   environment without proper protection can have a negative effect on
   network operations.
   The following are the tables and objects and
   their sensitivity/vulnerability:

   o  Unauthorized changes to the capwapDot11WlanTable and
      capwapDot11WlanBindTable MAY disrupt allocation of resources in
      the network, and also change the behavior of the WLAN system, such
      as the MAC type.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPSec),
   even then, there is no control as to who on the secure network is
   allowed to access and GET/SET (read/change/create/delete) the objects
   in this MIB module.

   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

11.  IANA Considerations

11.1.  IANA Considerations for CAPWAP-DOT11-MIB Module

   The MIB module in this document uses the following IANA-assigned
   OBJECT IDENTIFIER values recorded in the SMI Numbers registry:

   Descriptor        OBJECT IDENTIFIER value
   ----------        -----------------------

   capwapDot11MIB    { mib-2 XXX }

11.2.  IANA Considerations for ifType

   Require IANA to assign an ifType for the WLAN Profile Interface.

   Require IANA to assign an ifType for the WLAN BSS Interface.

12.  Contributors

   This MIB module is based on contributions from Long Gao.

13.  Acknowledgements

   The authors wish to thank David Harrington, Fei Fang, Xuebin Zhu, Hao
   Song, Yu Liu, Sachin Dutta, Yujin Zhao, Haitao Zhang, Hao Song.

14.  References

14.1.  Normative References

   [RFC2119]                   Bradner, S., "Key words for use in RFCs
                               to Indicate Requirement Levels", BCP 14,
                               RFC 2119, March 1997.

   [RFC2578]                   McCloghrie, K., Ed., Perkins, D., Ed.,
                               and J. Schoenwaelder, Ed., "Structure of
                               Management Information Version 2
                               (SMIv2)", STD 58, RFC 2578, April 1999.

   [RFC2579]                   McCloghrie, K., Ed., Perkins, D., Ed.,
                               and J. Schoenwaelder, Ed., "Textual
                               Conventions for SMIv2", STD 58, RFC 2579,
                               April 1999.

   [RFC2580]                   McCloghrie, K., Perkins, D., and J.
                               Schoenwaelder, "Conformance Statements
                               for SMIv2", STD 58, RFC 2580, April 1999.

   [RFC2863]                   McCloghrie, K. and F. Kastenholz, "The
                               Interfaces Group MIB", RFC 2863,
                               June 2000.

   [RFC3418]                   Presuhn, R., "Management Information Base
                               (MIB) for the Simple Network Management
                               Protocol (SNMP)", STD 62, RFC 3418,
                               December 2002.

   [I-D.ietf-capwap-base-mib]  Shi, Y., Perkins, D., Elliott, C., and Y.
                               Zhang, "CAPWAP Protocol Base MIB",
                               draft-ietf-capwap-base-mib-04 (work in
                               progress), February 2009.

   [RFC5415]                   Calhoun, P., Montemurro, M., and D.
                               Stanley, "Control And Provisioning of
                               Wireless Access Points (CAPWAP) Protocol
                               Specification", RFC 5415, March 2009.

   [RFC5416]                   Calhoun, P., Montemurro, M., and D.
                               Stanley, "Control and Provisioning of
                               Wireless Access Points (CAPWAP) Protocol
                               Binding for IEEE 802.11", RFC 5416,
                               March 2009.

   [IEEE.802-11.2007]          "Information technology -
                               Telecommunications and information
                               exchange between systems - Local and
                               metropolitan area networks - Specific
                               requirements - Part 11: Wireless LAN
                               Medium Access Control (MAC) and Physical
                               Layer (PHY) specifications",
                               IEEE Standard 802.11, 2007.

14.2.  Informative References

   [RFC3410]                   Case, J., Mundy, R., Partain, D., and B.
                               Stewart, "Introduction and Applicability
                               Statements for Internet-Standard
                               Management Framework", RFC 3410,
                               December 2002.

   [RFC4347]                   Rescorla, E. and N. Modadugu, "Datagram
                               Transport Layer Security", RFC 4347,
                               April 2006.

Appendix A.  Changes between -04 and -03

   1) To close the issue 67 "Dot11 MIB should add a new Terminology WLAN
   Profile"

   --------------------------------------------------------------

   Add a new section 5.1. WLAN Profile, update the section 8, update
   the related MIB objects, replace the "WLAN Service Interface" with
   "WLAN Profile Interface".

Authors' Addresses

   Yang Shi (editor)
   H3C Tech. Co., Ltd
   Digital Technology Plaza, NO.9 Shangdi 9th Street, Haidian District,
   Beijing
   China(100085)

   Phone: +86 010 82775276
   EMail: young@h3c.com

   David Perkins (editor)
   SNMPinfo
   288 Quailbrook Ct San Carlos,
   CA 94070
   USA

   Phone: +1 408 394-8702
   EMail: dperkins@snmpinfo.com

   Chris Elliott (editor)
   Cisco Systems, Inc.
   7025 Kit Creek Rd., P.O. Box 14987 Research Triangle Park
   27709
   USA

   Phone: +1 919-392-2146
   EMail: chelliot@cisco.com

   Yong Zhang (editor)
   Fortinet, Inc.
   1090 Kifer Road
   Sunnyvale, CA 94086
   USA

   EMail: yzhang@fortinet.com
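
Added example (not part of the draft and not taken from any CAPWAP implementation): a Python model of the agent-side checks that the DESCRIPTION clauses of capwapDot11WlanTunnelMode, capwapDot11WlanRowStatus and capwapDot11WlanBindWlanId specify for SET requests, together with the "base BSSID address + WLAN ID" derivation. The class, method and sample-address names are hypothetical; rejecting an empty tunnel-mode bit set and the error codes returned by bind() are assumptions, since the draft does not define them.

```python
# Added example: AC-side SET checks from the DESCRIPTION clauses (hypothetical names).
NO_ERROR, WRONG_VALUE, INCONSISTENT_VALUE, RESOURCE_UNAVAILABLE = 0, 10, 12, 13  # RFC 3416


class WlanAgent:
    def __init__(self):
        self.profiles = {}  # capwapDot11WlanProfileId -> tunnel-mode bitmask
        self.binds = {}     # (radio ifIndex, profile id) -> WLAN ID

    def set_profile(self, profile_id, tunnel_bits):
        # CapwapDot11WlanIdProfileTC is Unsigned32 (1..512).
        if not 1 <= profile_id <= 512:
            return WRONG_VALUE
        # More than one tunnel-mode bit -> wrongValue (from the draft).
        # Rejecting an empty bit set too is an assumption of this sketch.
        if tunnel_bits <= 0 or bin(tunnel_bits).count("1") != 1:
            return WRONG_VALUE
        self.profiles[profile_id] = tunnel_bits
        return NO_ERROR

    def bind(self, radio_ifindex, profile_id):
        # Error codes in this method are assumptions; the draft names none.
        key = (radio_ifindex, profile_id)
        if profile_id not in self.profiles or key in self.binds:
            return INCONSISTENT_VALUE, None
        used = {wlan for (radio, _), wlan in self.binds.items() if radio == radio_ifindex}
        free = [wlan for wlan in range(1, 17) if wlan not in used]  # WLAN ID is 1..16
        if not free:
            return RESOURCE_UNAVAILABLE, None
        self.binds[key] = free[0]
        return NO_ERROR, free[0]

    def delete_profile(self, profile_id):
        # A profile still bound to a radio must not be deleted -> inconsistentValue.
        if any(bound == profile_id for (_, bound) in self.binds):
            return INCONSISTENT_VALUE
        self.profiles.pop(profile_id, None)
        return NO_ERROR


def bssid_for(base_bssid, wlan_id):
    """'base BSSID address + WLAN ID' as 48-bit arithmetic on a colon-separated MAC."""
    value = int(base_bssid.replace(":", ""), 16) + wlan_id
    if not 1 <= wlan_id <= 16 or value >> 48:
        raise ValueError("WLAN ID out of range or BSSID overflow")
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -8, -8))
```

Enforcing these checks in the agent complements the SNMPv3 access control recommended in Section 10: an authorized but malformed SET is still rejected before it changes WLAN state.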