Network Working Group                                           D. Fedyk
Internet-Draft                                                 E. Kinzie
Intended status: Standards Track                 LabN Consulting, L.L.C.
Expires: 22 May 2022                                    18 November 2021

      Definitions of Managed Objects for IP Traffic Flow Security
                    draft-ietf-ipsecme-mib-iptfs-03

Abstract

   This document describes managed objects for the management of IP
   Traffic Flow Security additions to IKEv2 and IPsec.  This document
   provides a read-only version of the objects defined in the YANG
   module for the same purpose.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 22 May 2022.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology & Concepts
   3.  Overview
   4.  Management Objects
     4.1.  MIB Tree
     4.2.  SNMP
   5.  IANA Considerations
   6.  Security Considerations
   7.  Acknowledgements
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Authors' Addresses

1.  Introduction

   This document defines a Management Information Base (MIB) module for
   use with network management protocols in the Internet community.  In
   particular, it defines objects for managing the IP Traffic Flow
   Security (IP-TFS) extensions defined in [I-D.ietf-ipsecme-iptfs].
   IP-TFS provides enhancements to an IPsec tunnel Security Association
   to provide improved traffic confidentiality.

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant with SMIv2, which is described in STD 58
   ([RFC2578], [RFC2579] and [RFC2580]).

   The objects defined here are the same as those in
   [I-D.ietf-ipsecme-yang-iptfs], with the exception that only
   operational data is supported.  This module uses the YANG model as a
   reference point for managed objects.  Note that an IETF MIB model for
   IPsec was never standardized; however, the structures here could be
   adapted to existing MIB implementations.

2.  Terminology & Concepts

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   [RFC2119] [RFC8174] when, and only when, they appear in all capitals,
   as shown here.

3.  Overview

   This document defines configuration and operational parameters of IP
   traffic flow security (IP-TFS).  IP-TFS, defined in
   [I-D.ietf-ipsecme-iptfs], configures a security association for
   tunnel mode IPsec with characteristics that improve traffic
   confidentiality and reduce bandwidth efficiency loss.

   This document is based on the concepts and management model defined
   in [I-D.ietf-ipsecme-yang-iptfs].  This document assumes familiarity
   with IP security concepts described in [RFC4301], IP-TFS as described
   in [I-D.ietf-ipsecme-iptfs] and the IP-TFS management model described
   in [I-D.ietf-ipsecme-yang-iptfs].

   This document specifies an extensible operational model for IP-TFS.
   It reuses the management model defined in
   [I-D.ietf-ipsecme-yang-iptfs].  It allows SNMP systems to read
   configured and operational objects of IP-TFS.

4.  Management Objects

4.1.  MIB Tree

   The following is the MIB registration tree diagram for the IP-TFS
   extensions.
   # IETF-IPTFS-MIB registration tree (generated by smidump 0.4.8)

   --iptfsMIB(1.3.6.1.3.500)
     +--iptfsMIBObjects(1)
     |  +--iptfsGroup(1)
     |  |  +--iptfsConfigTable(1)
     |  |     +--iptfsConfigTableEntry(1) [iptfsConfigSaIndex]
     |  |        +-- --- Integer32     iptfsConfigSaIndex(1)
     |  |        +-- r-n TruthValue    congestionControl(2)
     |  |        +-- r-n TruthValue    usePathMtu(3)
     |  |        +-- r-n UnsignedShort outerPacketSize(4)
     |  |        +-- r-n Counter64     l2FixedRate(5)
     |  |        +-- r-n Counter64     l3FixedRate(6)
     |  |        +-- r-n TruthValue    dontFragment(7)
     |  |        +-- r-n NanoSeconds   maxAggregationTime(8)
     |  |        +-- r-n Unsigned32    windowSize(9)
     |  |        +-- r-n TruthValue    sendImmediately(10)
     |  |        +-- r-n NanoSeconds   lostPktTimerInt(11)
     |  +--ipsecStatsGroup(2)
     |  |  +--ipsecStatsTable(1)
     |  |     +--ipsecStatsTableEntry(1) [ipsecSaIndex]
     |  |        +-- --- Integer32     ipsecSaIndex(1)
     |  |        +-- r-n Counter64     txPackets(2)
     |  |        +-- r-n Counter64     txOctets(3)
     |  |        +-- r-n Counter64     txDropPackets(4)
     |  |        +-- r-n Counter64     rxPackets(5)
     |  |        +-- r-n Counter64     rxOctets(6)
     |  |        +-- r-n Counter64     rxDropPackets(7)
     |  +--iptfsInnerStatsGroup(3)
     |  |  +--iptfsInnerStatsTable(1)
     |  |     +--iptfsInnerStatsTableEntry(1) [iptfsInnerSaIndex]
     |  |        +-- --- Integer32     iptfsInnerSaIndex(1)
     |  |        +-- r-n Counter64     txInnerPackets(2)
     |  |        +-- r-n Counter64     txInnerOctets(3)
     |  |        +-- r-n Counter64     rxInnerPackets(4)
     |  |        +-- r-n Counter64     rxInnerOctets(5)
     |  |        +-- r-n Counter64     rxIncompleteInnerPackets(6)
     |  +--iptfsOuterStatsGroup(4)
     |     +--iptfsOuterStatsTable(1)
     |        +--iptfsOuterStatsTableEntry(1) [iptfsSaIndex]
     |           +-- --- Integer32     iptfsSaIndex(1)
     |           +-- r-n Counter64     txExtraPadPackets(2)
     |           +-- r-n Counter64     txExtraPadOctets(3)
     |           +-- r-n Counter64     txAllPadPackets(4)
     |           +-- r-n Counter64     txAllPadOctets(5)
     |           +-- r-n Counter64     rxExtraPadPackets(6)
     |           +-- r-n Counter64     rxExtraPadOctets(7)
     |           +-- r-n Counter64     rxAllPadPackets(8)
     |           +-- r-n Counter64     rxAllPadOctets(9)
     |           +-- r-n Counter64     rxErroredPackets(10)
     |           +-- r-n Counter64     rxMissedPackets(11)
     +--iptfsMIBConformance(2)
        +--iptfsMIBConformances(1)
        |  +--iptfsMIBCompliance(1)
        +--iptfsMIBGroups(2)
           +--iptfsMIBConfGroup(1)
           +--ipsecStatsConfGroup(2)
           +--iptfsInnerStatsConfGroup(3)
           +--iptfsOuterStatsConfGroup(4)

4.2.  SNMP

   The following is the MIB for IP-TFS.  The congestion control
   algorithm in [RFC5348] is referenced in the MIB text.

   -- *----------------------------------------------------------------
   -- *
   -- *----------------------------------------------------------------

   IETF-IPTFS-MIB DEFINITIONS ::= BEGIN
   IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE,
       Integer32, Unsigned32, Counter64, experimental
           FROM SNMPv2-SMI
       MODULE-COMPLIANCE, OBJECT-GROUP
           FROM SNMPv2-CONF
       TEXTUAL-CONVENTION,
       TruthValue
           FROM SNMPv2-TC;

   iptfsMIB MODULE-IDENTITY
       LAST-UPDATED "202111180000Z"
       ORGANIZATION "IETF IPsecme Working Group"
       CONTACT-INFO
           "
           Author: Don Fedyk

           Author: Eric Kinzie
           "
       DESCRIPTION
           "This module defines the configuration and operational
            state for managing the IP Traffic Flow Security
            functionality [RFC XXXX].  Copyright (c) 2021 IETF
            Trust and the persons identified as authors of the
            code.  All rights reserved.

            Redistribution and use in source and binary forms,
            with or without modification, is permitted pursuant
            to, and subject to the license terms contained in,
            the Simplified BSD License set forth in Section 4.c
            of the IETF Trust's Legal Provisions Relating to IETF
            Documents (https://trustee.ietf.org/license-info).

            This version of this SNMP MIB module is part of RFC XXXX
            (https://tools.ietf.org/html/rfcXXXX); see the RFC
            itself for full legal notices."

       REVISION "202111180000Z"
       DESCRIPTION
           "Initial revision.  Derived from the IPTFS YANG Model."
       ::= { experimental 500 }

   --
   -- Textual Conventions
   --

   UnsignedShort ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "d"
       STATUS       current
       DESCRIPTION  "xs:unsignedShort"
       SYNTAX       Unsigned32 (0 .. 65535)

   NanoSeconds ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "d"
       STATUS       current
       DESCRIPTION
           "Represents time unit value in nanoseconds."
       SYNTAX       Counter64

   -- Objects, Notifications & Conformances

   iptfsMIBObjects OBJECT IDENTIFIER
       ::= { iptfsMIB 1 }
   iptfsMIBConformance OBJECT IDENTIFIER
       ::= { iptfsMIB 2 }

   --
   -- IPTFS MIB Object Groups
   --
   iptfsGroup OBJECT IDENTIFIER
       ::= { iptfsMIBObjects 1 }

   ipsecStatsGroup OBJECT IDENTIFIER
       ::= { iptfsMIBObjects 2 }

   iptfsInnerStatsGroup OBJECT IDENTIFIER
       ::= { iptfsMIBObjects 3 }

   iptfsOuterStatsGroup OBJECT IDENTIFIER
       ::= { iptfsMIBObjects 4 }

   iptfsConfigTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IptfsConfigTableEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The table containing configuration information for
            IPTFS."
       ::= { iptfsGroup 1 }

   iptfsConfigTableEntry OBJECT-TYPE
       SYNTAX      IptfsConfigTableEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry (conceptual row) containing the information on
            a particular IPTFS SA."
       INDEX { iptfsConfigSaIndex }
       ::= { iptfsConfigTable 1 }

   IptfsConfigTableEntry ::= SEQUENCE {
       iptfsConfigSaIndex   Integer32,

       -- identifier information
       congestionControl    TruthValue,
       usePathMtu           TruthValue,
       outerPacketSize      UnsignedShort,
       l2FixedRate          Counter64,
       l3FixedRate          Counter64,
       dontFragment         TruthValue,
       maxAggregationTime   NanoSeconds,
       windowSize           Unsigned32,
       sendImmediately      TruthValue,
       lostPktTimerInt      NanoSeconds
   }

   iptfsConfigSaIndex OBJECT-TYPE
       SYNTAX      Integer32 (1..16777215)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A unique value, greater than zero, for each SA.
            It is recommended that values are assigned contiguously
            starting from 1.

            The value for each entry must remain constant at least
            from one re-initialization of the entity's network
            management system to the next re-initialization."
       ::= { iptfsConfigTableEntry 1 }

   congestionControl OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "When set to true, the default, this enables the
            congestion control on-the-wire exchange of data that is
            required by congestion control algorithms as defined by
            RFC 5348.  When set to false, IP-TFS sends fixed-sized
            packets over an IP-TFS tunnel at a constant rate."
       DEFVAL { true }
       ::= { iptfsConfigTableEntry 2 }

   usePathMtu OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Packet size is either auto-discovered or manually
            configured.  If usePathMtu is true the system utilizes
            path-mtu to determine maximum IPTFS packet size.  If
            the packet size is explicitly configured then it will
            only be adjusted downward if use-path-mtu is set."
       ::= { iptfsConfigTableEntry 3 }

   outerPacketSize OBJECT-TYPE
       SYNTAX      UnsignedShort
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "On transmission, the size of the outer encapsulating
            tunnel packet (i.e., the IP packet containing the ESP
            payload)."
       ::= { iptfsConfigTableEntry 4 }

   l2FixedRate OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "TFS bit rate may be specified at layer 2 wire rate.  On
            transmission, target bandwidth/bit rate in bps for iptfs
            tunnel.  This rate is the nominal timing for the fixed
            size packet.  If congestion control is enabled the rate
            may be adjusted down (or up if unset)."
       ::= { iptfsConfigTableEntry 5 }

   l3FixedRate OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "TFS bit rate may be specified at layer 3 packet rate.
            On transmission, target bandwidth/bit rate in bps for
            iptfs tunnel.  This rate is the nominal timing for the
            fixed size packet.  If congestion control is enabled the
            rate may be adjusted down (or up if unset)."
       ::= { iptfsConfigTableEntry 6 }

   dontFragment OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "On transmission, disable packet fragmentation across
            consecutive iptfs tunnel packets; inner packets larger
            than what can be transmitted in outer packets will be
            dropped."
       ::= { iptfsConfigTableEntry 7 }

   maxAggregationTime OBJECT-TYPE
       SYNTAX      NanoSeconds
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "On transmission, maximum aggregation time is the
            maximum length of time a received inner packet can be
            held prior to transmission in the iptfs tunnel.  Inner
            packets that would be held longer than this time, based
            on the current tunnel configuration, will be dropped
            rather than be queued for transmission."
       ::= { iptfsConfigTableEntry 8 }

   windowSize OBJECT-TYPE
       SYNTAX      Unsigned32 (0..65535)
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "On reception, the maximum number of out-of-order
            packets that will be reordered by an iptfs receiver
            while performing the reordering operation.  The value 0
            disables any reordering."
       ::= { iptfsConfigTableEntry 9 }

   sendImmediately OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "On reception, send inner packets as soon as possible; do
            not wait for lost or misordered outer packets.
            Selecting this option reduces the inner (user) packet
            delay but can amplify out-of-order delivery of the inner
            packet stream in the presence of packet aggregation and
            any reordering."
       ::= { iptfsConfigTableEntry 10 }

   lostPktTimerInt OBJECT-TYPE
       SYNTAX      NanoSeconds
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "On reception, this interval defines the length of time
            an iptfs receiver will wait for a missing packet before
            considering it lost.  If not using send-immediately,
            then each lost packet will delay inner (user) packets
            until this timer expires.  Setting this value too low can
            impact reordering and reassembly."
       ::= { iptfsConfigTableEntry 11 }

   ipsecStatsTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IpsecStatsTableEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The table containing basic statistics on IPsec."
       ::= { ipsecStatsGroup 1 }

   ipsecStatsTableEntry OBJECT-TYPE
       SYNTAX      IpsecStatsTableEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry (conceptual row) containing the information on
            a particular IKE SA."
       INDEX { ipsecSaIndex }
       ::= { ipsecStatsTable 1 }

   IpsecStatsTableEntry ::= SEQUENCE {
       ipsecSaIndex    Integer32,
       -- packet statistics information
       txPackets       Counter64,
       txOctets        Counter64,
       txDropPackets   Counter64,
       rxPackets       Counter64,
       rxOctets        Counter64,
       rxDropPackets   Counter64
   }

   ipsecSaIndex OBJECT-TYPE
       SYNTAX      Integer32 (1..16777215)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A unique value, greater than zero, for each SA.
            It is recommended that values are assigned contiguously
            starting from 1.

            The value for each entry must remain constant at least
            from one re-initialization of the entity's network
            management system to the next re-initialization."
       ::= { ipsecStatsTableEntry 1 }

   txPackets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Outbound packet count."
       ::= { ipsecStatsTableEntry 2 }

   txOctets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Outbound packet bytes."
       ::= { ipsecStatsTableEntry 3 }

   txDropPackets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Outbound dropped packets count."
       ::= { ipsecStatsTableEntry 4 }

   rxPackets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Inbound packet count."
       ::= { ipsecStatsTableEntry 5 }

   rxOctets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Inbound packet bytes."
       ::= { ipsecStatsTableEntry 6 }

   rxDropPackets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Inbound dropped packets count."
       ::= { ipsecStatsTableEntry 7 }

   iptfsInnerStatsTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IptfsInnerSaEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The table containing information on IPTFS
            inner packets."
       ::= { iptfsInnerStatsGroup 1 }

   iptfsInnerStatsTableEntry OBJECT-TYPE
       SYNTAX      IptfsInnerSaEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry containing the information on
            a particular IP-TFS SA."
       INDEX { iptfsInnerSaIndex }
       ::= { iptfsInnerStatsTable 1 }

   IptfsInnerSaEntry ::= SEQUENCE {
       iptfsInnerSaIndex          Integer32,

       txInnerPackets             Counter64,
       txInnerOctets              Counter64,
       rxInnerPackets             Counter64,
       rxInnerOctets              Counter64,
       rxIncompleteInnerPackets   Counter64
   }

   iptfsInnerSaIndex OBJECT-TYPE
       SYNTAX      Integer32 (1..16777215)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A unique value, greater than zero, for each SA.
            It is recommended that values are assigned contiguously
            starting from 1.

            The value for each entry must remain constant at least
            from one re-initialization of the entity's network
            management system to the next re-initialization."
       ::= { iptfsInnerStatsTableEntry 1 }

   txInnerPackets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Total number of IP-TFS inner packets sent.  This count
            is whole packets only.  A fragmented packet counts as
            one packet."
       ::= { iptfsInnerStatsTableEntry 2 }

   txInnerOctets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Total number of IP-TFS inner octets sent.  This is
            inner packet octets only.  Does not count padding."
       ::= { iptfsInnerStatsTableEntry 3 }

   rxInnerPackets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Total number of IP-TFS inner packets received."
       ::= { iptfsInnerStatsTableEntry 4 }

   rxInnerOctets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Total number of IP-TFS inner octets received.  Does
            not include padding or overhead."
       ::= { iptfsInnerStatsTableEntry 5 }

   rxIncompleteInnerPackets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Total number of IP-TFS inner packets that were
            incomplete.  Usually this is due to fragments not
            received.  Also, this may be due to misordering or
            errors in received outer packets."
       ::= { iptfsInnerStatsTableEntry 6 }

   iptfsOuterStatsTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IptfsOuterSaEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The table containing information on IPTFS
            outer packets."
       ::= { iptfsOuterStatsGroup 1 }

   iptfsOuterStatsTableEntry OBJECT-TYPE
       SYNTAX      IptfsOuterSaEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry containing the information on
            a particular IP-TFS SA."
       INDEX { iptfsSaIndex }
       ::= { iptfsOuterStatsTable 1 }

   IptfsOuterSaEntry ::= SEQUENCE {
       iptfsSaIndex        Integer32,

       -- iptfs packet statistics information
       txExtraPadPackets   Counter64,
       txExtraPadOctets    Counter64,
       txAllPadPackets     Counter64,
       txAllPadOctets      Counter64,
       rxExtraPadPackets   Counter64,
       rxExtraPadOctets    Counter64,
       rxAllPadPackets     Counter64,
       rxAllPadOctets      Counter64,
       rxErroredPackets    Counter64,
       rxMissedPackets     Counter64
   }

   iptfsSaIndex OBJECT-TYPE
       SYNTAX      Integer32 (1..16777215)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A unique value, greater than zero, for each SA.
            It is recommended that values are assigned contiguously
            starting from 1.

            The value for each entry must remain constant at least
            from one re-initialization of the entity's network
            management system to the next re-initialization."
       ::= { iptfsOuterStatsTableEntry 1 }

   txExtraPadPackets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Total number of transmitted outer IP-TFS packets that
            included some padding."
       ::= { iptfsOuterStatsTableEntry 2 }

   txExtraPadOctets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Total number of transmitted octets of padding added to
            outer IP-TFS packets with data."
       ::= { iptfsOuterStatsTableEntry 3 }

   txAllPadPackets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Total number of transmitted IP-TFS packets that were
            all padding with no inner packet data."
       ::= { iptfsOuterStatsTableEntry 4 }

   txAllPadOctets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Total number of transmitted octets of padding added to
            IP-TFS packets with no inner packet data."
       ::= { iptfsOuterStatsTableEntry 5 }

   rxExtraPadPackets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Total number of received outer IP-TFS packets that
            included some padding."
       ::= { iptfsOuterStatsTableEntry 6 }

   rxExtraPadOctets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Total number of received octets of padding added to
            outer IP-TFS packets with data."
       ::= { iptfsOuterStatsTableEntry 7 }

   rxAllPadPackets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Total number of received IP-TFS packets that were all
            padding with no inner packet data."
       ::= { iptfsOuterStatsTableEntry 8 }

   rxAllPadOctets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Total number of received octets of padding added to
            IP-TFS packets with no inner packet data."
       ::= { iptfsOuterStatsTableEntry 9 }

   rxErroredPackets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Total number of IP-TFS outer packets dropped due to
            errors."
       ::= { iptfsOuterStatsTableEntry 10 }

   rxMissedPackets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Total number of IP-TFS outer packets missing, as
            indicated by missing sequence numbers."
       ::= { iptfsOuterStatsTableEntry 11 }

   --
   -- Iptfs Module Compliance
   --

   iptfsMIBConformances OBJECT IDENTIFIER
       ::= { iptfsMIBConformance 1 }

   iptfsMIBGroups OBJECT IDENTIFIER
       ::= { iptfsMIBConformance 2 }

   iptfsMIBCompliance MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
           "The compliance statement for entities which
            implement the IPTFS MIB."
       MODULE -- this module
       MANDATORY-GROUPS {
           iptfsMIBConfGroup,
           ipsecStatsConfGroup,
           iptfsInnerStatsConfGroup,
           iptfsOuterStatsConfGroup
       }
       ::= { iptfsMIBConformances 1 }

   --
   -- MIB Groups (Units of Conformance)
   --

   iptfsMIBConfGroup OBJECT-GROUP
       OBJECTS {
           congestionControl,
           usePathMtu,
           outerPacketSize,
           l2FixedRate,
           l3FixedRate,
           dontFragment,
           maxAggregationTime,
           windowSize,
           sendImmediately,
           lostPktTimerInt
       }
       STATUS      current
       DESCRIPTION
           "A collection of objects providing per SA IPTFS
            configuration."
       ::= { iptfsMIBGroups 1 }

   ipsecStatsConfGroup OBJECT-GROUP
       OBJECTS {
           txPackets,
           txOctets,
           txDropPackets,
           rxPackets,
           rxOctets,
           rxDropPackets
       }
       STATUS      current
       DESCRIPTION
           "A collection of objects providing per SA basic
            stats."
       ::= { iptfsMIBGroups 2 }

   iptfsInnerStatsConfGroup OBJECT-GROUP
       OBJECTS {
           txInnerPackets,
           txInnerOctets,
           rxInnerPackets,
           rxInnerOctets,
           rxIncompleteInnerPackets
       }
       STATUS      current
       DESCRIPTION
           "A collection of objects providing per SA IPTFS
            inner packet statistics."
       ::= { iptfsMIBGroups 3 }

   iptfsOuterStatsConfGroup OBJECT-GROUP
       OBJECTS {
           txExtraPadPackets,
           txExtraPadOctets,
           txAllPadPackets,
           txAllPadOctets,
           rxExtraPadPackets,
           rxExtraPadOctets,
           rxAllPadPackets,
           rxAllPadOctets,
           rxErroredPackets,
           rxMissedPackets
       }
       STATUS      current
       DESCRIPTION
           "A collection of objects providing per SA IPTFS
            outer packet statistics."
       ::= { iptfsMIBGroups 4 }

   END

5.  IANA Considerations

   The MIB module in this document uses the following IANA-assigned
   OBJECT IDENTIFIER values, recorded in the SMI Numbers registry:

                +------------+-------------------------+
                | Descriptor | OBJECT IDENTIFIER value |
                +------------+-------------------------+
                | iptfs      | TBA IANA                |
                +------------+-------------------------+
                | ipsec      | TBA IANA                |
                +------------+-------------------------+

6.  Security Considerations

   The MIB module specified in this document exposes, read-only, the
   operational and configured behavior of IP traffic flow security; for
   the implications of writing that configuration, consult
   [I-D.ietf-ipsecme-iptfs], which defines the functionality.

   There are no management objects defined in this MIB module that have
   a MAX-ACCESS clause of read-write and/or read-create.
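   As an added illustration (not part of the draft), the following
   Python builds the numeric OID registry from a constructed excerpt of
   the Section 4.1 smidump tree, confirms that no object carries a
   writable access flag (the property the preceding sentence states),
   and maps per-SA instance OIDs in both directions.  The regular
   expression, the Node type and the function names are the example's
   own; the object names and arcs are the draft's.

```python
"""Added example (not part of the draft): build the IETF-IPTFS-MIB OID
registry from the smidump tree in Section 4.1, audit the access flags, and
map per-SA instance OIDs in both directions."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of the Section 4.1 tree: the draft's own names and arcs,
# a subset of the rows.  The full tree parses the same way.
MIB_TREE = """\
--iptfsMIB(1.3.6.1.3.500)
  +--iptfsMIBObjects(1)
  |  +--iptfsGroup(1)
  |  |  +--iptfsConfigTable(1)
  |  |     +--iptfsConfigTableEntry(1) [iptfsConfigSaIndex]
  |  |        +-- --- Integer32  iptfsConfigSaIndex(1)
  |  |        +-- r-n TruthValue congestionControl(2)
  |  |        +-- r-n Unsigned32 windowSize(9)
  |  +--iptfsOuterStatsGroup(4)
  |     +--iptfsOuterStatsTable(1)
  |        +--iptfsOuterStatsTableEntry(1) [iptfsSaIndex]
  |           +-- --- Integer32  iptfsSaIndex(1)
  |           +-- r-n Counter64  rxAllPadPackets(8)
  |           +-- r-n Counter64  rxMissedPackets(11)
  +--iptfsMIBConformance(2)
"""

# One smidump row: tree prefix, optional "<access> <syntax>" on leaves,
# "name(arc)", and an optional "[indexObject]" on table entries.
NODE_RE = re.compile(
    r"^(?P<indent>[ |]*)\+?--\s*"
    r"(?:(?P<access>[-rwn]{3})\s+(?P<syntax>\w+)\s+)?"
    r"(?P<name>\w+)\((?P<arc>[\d.]+)\)"
    r"(?:\s*\[(?P<index>\w+)\])?"
)


@dataclass
class Node:
    name: str
    oid: str
    access: Optional[str]   # smidump flag: '---' not-accessible, 'r-n' read-only, 'rw?' writable
    syntax: Optional[str]
    index: Optional[str]    # index object of a table entry row


def parse_tree(text):
    """Return {name: Node}; full OIDs are derived from the row indentation."""
    nodes, stack = {}, []   # stack holds (indent width, oid) of the open ancestors
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if not m:
            continue
        depth = len(m["indent"])
        while stack and stack[-1][0] >= depth:
            stack.pop()
        oid = m["arc"] if not stack else f"{stack[-1][1]}.{m['arc']}"
        nodes[m["name"]] = Node(m["name"], oid, m["access"], m["syntax"], m["index"])
        stack.append((depth, oid))
    return nodes


def writable_objects(nodes):
    """Objects whose access flag permits SET; Section 6 requires this to be empty."""
    return sorted(n.name for n in nodes.values() if n.access and "w" in n.access)


def readable_objects(nodes):
    return sorted(n.name for n in nodes.values() if n.access == "r-n")


def instance_oid(nodes, name, sa_index):
    """OID of one SA's instance of a read-only columnar object (rxAllPadPackets.7)."""
    node = nodes[name]
    if node.access != "r-n":
        raise ValueError(f"{name} is not a readable columnar object")
    return f"{node.oid}.{sa_index}"


def resolve(nodes, oid):
    """Map a numeric OID back to (object name, SA index or None) by longest prefix."""
    best = None
    for n in nodes.values():
        if (oid == n.oid or oid.startswith(n.oid + ".")) and \
                (best is None or n.oid.count(".") > best.oid.count(".")):
            best = n
    if best is None:
        raise KeyError(oid)
    suffix = oid[len(best.oid):].lstrip(".")
    return best.name, (int(suffix) if suffix else None)


if __name__ == "__main__":
    tree = parse_tree(MIB_TREE)
    print("writable objects:", writable_objects(tree) or "none")
    print("rxAllPadPackets for SA 7:", instance_oid(tree, "rxAllPadPackets", 7))
    print(resolve(tree, "1.3.6.1.3.500.1.1.1.1.2.3"))
```

   The OID that parse_tree returns for iptfsOuterStatsTable
   (1.3.6.1.3.500.1.4.1) is the subtree an operator would exclude from
   the SNMP view of any principal that should not learn the padding and
   loss statistics that Section 6 lists as sensitive.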
   So, if this MIB module is implemented correctly, then there is no
   risk that an intruder can alter or create any management objects of
   this MIB module via direct SNMP SET operations.

   Some of the objects in this MIB module may be considered sensitive or
   vulnerable in some network environments.  This includes INDEX objects
   with a MAX-ACCESS of not-accessible, and any indices from other
   modules exposed via AUGMENTS.  It is thus important to control even
   GET and/or NOTIFY access to these objects and possibly to even
   encrypt the values of these objects when sending them over the
   network via SNMP.  These are the tables and objects and their
   sensitivity/vulnerability:

   *  iptfsOuterStatsTable - IP-TFS hides the traffic flows through the
      network; wherever read access to these SNMP statistics is enabled,
      it needs to be protected from third-party observation.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPsec),
   there is no control as to who on the secure network is allowed to
   access and GET/SET (read/change/create/delete) the objects in this
   MIB module.

   Implementations SHOULD provide the security features described by the
   SNMPv3 framework (see [RFC3410]), and implementations claiming
   compliance to the SNMPv3 standard MUST include full support for
   authentication and privacy via the User-based Security Model (USM)
   [RFC3414] with the AES cipher algorithm [RFC3826].  Implementations
   MAY also provide support for the Transport Security Model (TSM)
   [RFC5591] in combination with a secure transport such as SSH
   [RFC5592] or TLS/DTLS [RFC6353].

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.
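   As an added example, not part of the draft and not a net-snmp tool,
   the following Python audits a net-snmp-style snmpd.conf against the
   requirements just stated: no SNMPv1/v2c community access, USM users
   with AES privacy, and read-only, view-restricted access to the IP-TFS
   subtree.  Both configuration samples are constructed; the directive
   syntax (rocommunity, createUser, rouser, view) is net-snmp's, while
   the finding codes and the audit function are the example's own.

```python
"""Added example (not from the draft): audit a net-snmp style snmpd.conf
against Section 6: SNMPv3 only, USM users with AES privacy, and read-only,
view-restricted access to the IP-TFS subtree."""
import shlex

IPTFS_SUBTREE = ".1.3.6.1.3.500"   # experimental 500, from the MIB module

# Constructed sample: the kind of legacy configuration Section 6 advises against.
WEAK_CONF = """\
rocommunity public
rwcommunity private
createUser admin MD5 "constructed-auth-pass" DES "constructed-priv-pass"
rwuser admin auth
"""

# Constructed sample: SNMPv3 USM, AES privacy, read-only, limited to the IP-TFS view.
HARDENED_CONF = """\
createUser iptfsmon SHA "constructed-auth-pass" AES "constructed-priv-pass"
view iptfs included .1.3.6.1.3.500
rouser iptfsmon priv -V iptfs
"""

COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6",
                        "rwcommunity6", "com2sec", "com2sec6"}
LEVELS = {"noauth", "auth", "priv"}


def audit(conf_text):
    """Return (line number, code, message) findings; an empty list means the
    configuration meets the Section 6 points this check covers."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = shlex.split(line)
        directive = tok[0]
        if directive in COMMUNITY_DIRECTIVES:
            findings.append((lineno, "COMMUNITY",
                             "SNMPv1/v2c community access; deploy SNMPv3 only"))
        elif directive in ("rouser", "rwuser"):
            if directive == "rwuser":
                findings.append((lineno, "WRITE",
                                 "write access granted; this MIB has no writable objects"))
            has_level = len(tok) > 2 and tok[2] in LEVELS
            level = tok[2] if has_level else "auth"   # net-snmp's default level is auth
            if level != "priv":
                findings.append((lineno, "NO_PRIV",
                                 f"security level '{level}' sends MIB values unencrypted"))
            rest = tok[3:] if has_level else tok[2:]   # optional OID or "-V VIEW"
            if not rest:
                findings.append((lineno, "NO_VIEW",
                                 "no OID or -V view restriction; whole MIB tree readable"))
        elif directive == "createUser":
            args = tok[3:] if len(tok) > 1 and tok[1] == "-e" else tok[1:]
            # args: NAME AUTHPROTO AUTHPASS [PRIVPROTO [PRIVPASS]]
            name = args[0] if args else "?"
            if len(args) < 4:
                findings.append((lineno, "NO_PRIV", f"user {name} has no privacy protocol"))
            elif args[3].upper() != "AES":
                findings.append((lineno, "WEAK_PRIV",
                                 f"user {name} uses {args[3]}; RFC 3826 AES expected"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {len(audit(conf))} finding(s)")
        for lineno, code, msg in audit(conf):
            print(f"  line {lineno} {code}: {msg}")
```

   The check is deliberately narrow: it does not parse VACM group and
   access statements, so a configuration that grants the view through
   those directives still needs a manual review of which principals can
   reach the iptfsOuterStatsTable subtree.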
   It is then a customer/operator responsibility to ensure that the SNMP
   entity giving access to an instance of this MIB module is properly
   configured to give access to the objects only to those principals
   (users) that have legitimate rights to indeed GET or SET
   (change/create/delete) them.

7.  Acknowledgements

   The authors would like to thank Chris Hopps, Lou Berger and Tero
   Kivinen for their help and feedback on the MIB model.

8.  References

8.1.  Normative References

   [I-D.ietf-ipsecme-iptfs]
              Hopps, C., "IP-TFS: Aggregation and Fragmentation Mode for
              ESP and its Use for IP Traffic Flow Security", Work in
              Progress, Internet-Draft, draft-ietf-ipsecme-iptfs-12,
              8 November 2021.

   [I-D.ietf-ipsecme-yang-iptfs]
              Fedyk, D. and C. Hopps, "A YANG Data Model for IP Traffic
              Flow Security", Work in Progress, Internet-Draft,
              draft-ietf-ipsecme-yang-iptfs-03, 11 November 2021.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Structure of Management Information
              Version 2 (SMIv2)", STD 58, RFC 2578,
              DOI 10.17487/RFC2578, April 1999.

   [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Textual Conventions for SMIv2",
              STD 58, RFC 2579, DOI 10.17487/RFC2579, April 1999.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410,
              DOI 10.17487/RFC3410, December 2002.

   [RFC3414]  Blumenthal, U. and B. Wijnen, "User-based Security Model
              (USM) for version 3 of the Simple Network Management
              Protocol (SNMPv3)", STD 62, RFC 3414,
              DOI 10.17487/RFC3414, December 2002.

   [RFC3826]  Blumenthal, U., Maino, F., and K. McCloghrie, "The
              Advanced Encryption Standard (AES) Cipher Algorithm in the
              SNMP User-based Security Model", RFC 3826,
              DOI 10.17487/RFC3826, June 2004.

   [RFC5591]  Harrington, D. and W. Hardaker, "Transport Security Model
              for the Simple Network Management Protocol (SNMP)",
              STD 78, RFC 5591, DOI 10.17487/RFC5591, June 2009.

   [RFC5592]  Harrington, D., Salowey, J., and W. Hardaker, "Secure
              Shell Transport Model for the Simple Network Management
              Protocol (SNMP)", RFC 5592, DOI 10.17487/RFC5592, June
              2009.

   [RFC6353]  Hardaker, W., "Transport Layer Security (TLS) Transport
              Model for the Simple Network Management Protocol (SNMP)",
              STD 78, RFC 6353, DOI 10.17487/RFC6353, July 2011.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

8.2.  Informative References

   [RFC2580]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Conformance Statements for SMIv2",
              STD 58, RFC 2580, DOI 10.17487/RFC2580, April 1999.

   [RFC4301]  Kent, S. and K. Seo, "Security Architecture for the
              Internet Protocol", RFC 4301, DOI 10.17487/RFC4301,
              December 2005.

   [RFC5348]  Floyd, S., Handley, M., Padhye, J., and J. Widmer, "TCP
              Friendly Rate Control (TFRC): Protocol Specification",
              RFC 5348, DOI 10.17487/RFC5348, September 2008.

Authors' Addresses

   Don Fedyk
   LabN Consulting, L.L.C.

   Email: dfedyk@labn.net

   Eric Kinzie
   LabN Consulting, L.L.C.

   Email: ekinzie@labn.net