NAT Working Group                                        R. Raghunarayan
INTERNET-DRAFT                                                    N. Pai
Expires May 2004                                     Cisco Systems, Inc.
                                                                R. Rohit
                                                   Mascon Global Limited
                                                                 C. Wang
                                                           Bank One Corp
                                                            P. Srisuresh
                                                    Caymas Systems, Inc.
                                                           November 2003

    Definitions of Managed Objects for Network Address Translators (NAT)

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other
   documents at any time.
   It is inappropriate to use Internet-Drafts as reference material or
   to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Copyright Notice

   Copyright (C), 2003, The Internet Society.  All Rights Reserved.

Abstract

   This memo defines an SMIv2 Management Information Base (MIB) for a
   device implementing the Network Address Translator (NAT) function.
   This MIB may be used for configuration as well as monitoring of a
   device capable of NAT function.

Table of Contents

   1    Introduction
   2    The Internet-Standard Management Framework
   3    Terminology
   4    Overview
   4.1  natInterfaceTable
   4.2  natAddrMapTable
   4.3  Default timeouts, Protocol table and other scalars
   4.4  natAddrBindTable and natAddrPortBindTable
   4.5  natSessionTable
   4.6  Notifications
   4.7  Relation among tables
   4.8  Configuration via the MIB
   4.9  Relationship to Interface MIB
   5    Definitions
   6    Intellectual Property
   7    Change History
   8    Acknowledgements
   9    Security Considerations
   10   References
   11   Author's Addresses
   12   Full Copyright Statement

1. Introduction

   This memo defines an SMIv2 Management Information Base (MIB) for a
   device implementing the NAT function.  This may be used for
   configuration as well as monitoring of a device capable of NAT
   function.  Section 2 provides references to the SNMP management
   framework which was used as the basis for the MIB definition.
   Section 3 describes the terms used throughout the document.  Section
   4 provides an overview of the key objects, their inter-relationship
   and how the MIB may be used to configure and monitor a NAT device.
   Lastly, section 5 has the complete NAT MIB definition.

2. The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).

   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

3. Terminology

   Definitions for the majority of the terms used throughout the
   document may be found in RFC 2663 [RFC2663].  Listed below are
   additional terms used in the document.
   Symmetric NAT - Symmetric NAT is a variation of Network Address Port
   Translator (NAPT) in that it does not retain a consistent port bind
   between (private IP address, private port) and (public IP address,
   public port) across all sessions originating from the same host
   using the same endpoint tuple of (private IP address, private Port).
   Instead, it assigns a new public port to each new session,
   irrespective of whether the session uses the same end-point as
   before or not.  A detailed definition for the term "Symmetric NAT"
   may be found in RFC 3489 [RFC3489].

   Bind - Several variations of the term 'bind' are used throughout
   the document.  Address-bind is a tuple of (Private IP address,
   Public IP Address) used for translating an IP address end-point in
   IP packets.  Address-port-bind (or simply, Port-bind) is a tuple of
   (transport protocol, Private IP address, Private port, Public IP
   Address, Public port) used for translating a port end-point tuple
   of (transport protocol, IP address, port).  Bind is used to refer to
   one of address-bind or port-bind.  Bind-Mode identifies whether a
   bind is an address-bind or a port-bind.

   NAT Session - A NAT session is an association between a session
   as seen in the private realm and a session as seen in the public
   realm, by virtue of NAT translation.  If a session in the private
   realm were to be represented as (PrivateSrcAddr, PrivateDstAddr,
   TransportProtocol, PrivateSrcPort, PrivateDstPort) and the
   same session in the public realm were to be represented as
   (PublicSrcAddr, PublicDstAddr, TransportProtocol, PublicSrcPort,
   PublicDstPort), the NAT session will provide the translation
   glue between the two session representations.

   The terms public and private are used throughout the document in
   the context of networks, while the terms local and global are used
   when referring to addresses and ports.

4. Overview

   NAT MIB is configurable on a per-interface basis and depends in
   several parts on the IF-MIB [RFC2863].

   NAT MIB requires that an interface for which NAT is configured be
   connected to either the private or the public realm.  The realm
   association of the interface plays an important role in the
   definition of address maps for the interface.  An address map entry
   identifies the orientation of the session (inbound or outbound to
   the interface) for which the entry may be used for NAT translation.
   The address map entry also identifies the end-point of the session
   which must be subject to translation.  An SNMP Textual-Convention
   'NatTranslationEntity' is defined to capture this important
   characteristic that combines session orientation and applicable
   session endpoint for translation.

   An address map may consist of static or dynamic entries.  A static
   address map entry has a direct one-to-one relationship with binds.
   NAT will dynamically create binds from a dynamic address map entry.
   A Bind may be used for translation by multiple NAT-sessions using
   the same end-point.  The following subsections define the key objects
   used in NAT MIB, their inter-relationship and how to configure a NAT
   device using the MIB.  An interface is connected to the private or
   the public realm, and will generally have different address maps
   for each realm.

4.1. natInterfaceTable

   The first step in configuring a NAT device is determining the
   interface for which NAT is to be configured.  NAT translated packets
   traverse the NAT device by ingressing on a private interface and
   egressing on a public interface or vice versa.  NAT may be configured
   on either of these two interfaces.  The next step is identifying the
   type(s) of NAT service (traditional NAT, twice NAT or bidirectional
   NAT) desired for the interface.  Zero or more of these services may
   be provided on the same interface.
   natInterfaceTable is defined in the MIB to configure the
   interface-specific realm type and the NAT services enabled for the
   interface.  natInterfaceTable is indexed by ifIndex and also
   includes interface-specific NAT statistics.

4.2. natAddrMapTable

   Address maps are key to NAT configuration.  Each interface may have
   zero or more address map entries defined.  NAT looks up address map
   entries in the order in which they are defined to determine the
   translation parameters for the first packet of each new session
   traversing the interface.  An address map may consist of static or
   dynamic entries.  A static address map entry has a direct one-to-one
   relationship with binds.  NAT will dynamically create binds from a
   dynamic address map entry.  Address map entries and their session
   translation attributes must be selected carefully based on the
   interface, its realm-type and the type of NAT service desired.
   Address map entries may be defined in this MIB using natAddrMapTable.
   natAddrMapTable is indexed by the tuple of
   (ifIndex, natAddrMapIndex).  Statistics for the address maps are also
   maintained in the same table.

4.3 Default timeouts, Protocol table and other scalars

   Protocol-specific idle NAT session timeouts are defined under the
   natDefTimeouts object in the NAT MIB.  These are global to the
   system and are not interface specific.  Protocol-specific statistics
   are maintained in natProtocolTable.  natProtocolTable is indexed by
   the protocol type.

   The scalars, natAddrBindNumberOfEntries and
   natAddrPortBindNumberOfEntries, hold the number of entries that
   currently exist in the Address bind and the Address-Port bind
   tables respectively.

4.4 natAddrBindTable and natAddrPortBindTable

   Two Bind tables, natAddrBindTable and natAddrPortBindTable, are
   defined to hold the bind entries.  natAddrBindTable contains
   address-binds and natAddrPortBindTable contains address-port-binds.
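   The relationships this overview describes (address map entries
   looked up in natAddrMapIndex order for a session's first packet,
   static maps yielding one-to-one address binds, dynamic NAPT maps
   creating address-port binds that later sessions from the same
   endpoint reuse, symmetric NAT recording bind id zero, and binds that
   must not be deleted while sessions still reference them) can be
   exercised with the following Python model.  It is an added example,
   not part of this draft or of any NAT implementation; the NatMib
   class, its method names and every ifIndex, address and port used
   with it are assumptions chosen for illustration.

```python
# Added example, not from the draft: a toy model of how the NAT-MIB tables
# relate.  Every ifIndex, address and port used with it is constructed.
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import IPv4Address
from itertools import count

STATIC, DYNAMIC = 1, 2                   # NatAssociationType
ADDRESS_BIND, ADDRESS_PORT_BIND = 1, 2   # NatBindMode


@dataclass
class AddrMapEntry:            # one natAddrMapTable row (the columns this model needs)
    if_index: int
    map_index: int             # natAddrMapIndex; entries are applied in this order
    entry_type: int            # natAddrMapEntryType: STATIC or DYNAMIC
    local_from: str            # natAddrMapLocalAddrFrom / natAddrMapLocalAddrTo
    local_to: str
    global_from: str           # natAddrMapGlobalAddrFrom / natAddrMapGlobalAddrTo
    global_to: str
    protocols: frozenset       # natAddrMapProtocol as a set of protocol names

    def __post_init__(self):
        for col in ("local_from", "local_to", "global_from", "global_to"):
            setattr(self, col, IPv4Address(getattr(self, col)))
        # a static map translates one-to-one, so both ranges must be the same size
        if self.entry_type == STATIC and (int(self.local_to) - int(self.local_from)
                                          != int(self.global_to) - int(self.global_from)):
            raise ValueError("static map: local and global ranges differ in size")

    def covers(self, proto: str, addr: IPv4Address) -> bool:
        return proto in self.protocols and self.local_from <= addr <= self.local_to


# A bind row: proto/local_port/global_port are only set for address-port binds.
Bind = namedtuple("Bind", "bind_id if_index mode local_addr global_addr "
                          "proto local_port global_port", defaults=("", 0, 0))
# A natSessionTable row; bind_id is NatBindIdOrZero, i.e. 0 under symmetric NAT.
Session = namedtuple("Session", "session_id if_index bind_id public_src")


class NatMib:
    def __init__(self, symmetric: bool = False):
        self.symmetric = symmetric
        self.addr_maps = {}    # (ifIndex, natAddrMapIndex) -> AddrMapEntry
        self.addr_binds = {}   # (ifIndex, localAddr) -> Bind
        self.port_binds = {}   # (ifIndex, localAddr, localPort, proto) -> Bind
        self.sessions = {}     # (ifIndex, natSessionIndex) -> Session
        self._bind_ids, self._session_ids = count(1), count(1)
        self._ports = count(1024)   # constructed public-port allocator

    def add_addr_map(self, entry: AddrMapEntry) -> list:
        """Install a map row; a static row yields one address bind per address."""
        self.addr_maps[(entry.if_index, entry.map_index)] = entry
        binds = []
        if entry.entry_type == STATIC:
            for off in range(int(entry.local_to) - int(entry.local_from) + 1):
                b = Bind(next(self._bind_ids), entry.if_index, ADDRESS_BIND,
                         entry.local_from + off, entry.global_from + off)
                self.addr_binds[(b.if_index, b.local_addr)] = b
                binds.append(b)
        return binds

    def new_session(self, if_index, proto, src, sport):
        """First packet of an outbound session from the private endpoint (src, sport)."""
        src = IPv4Address(src)
        entry = next((self.addr_maps[k] for k in sorted(self.addr_maps)   # map order
                      if k[0] == if_index and self.addr_maps[k].covers(proto, src)), None)
        if entry is None:
            return None        # no matching address map: the packet is discarded
        if entry.entry_type == STATIC:
            bind = self.addr_binds[(if_index, src)]
            public = (str(bind.global_addr), sport)
        elif self.symmetric:
            bind = None        # no consistent bind: a fresh public port per session
            public = (str(entry.global_from), next(self._ports))
        else:
            key = (if_index, src, sport, proto)
            bind = self.port_binds.get(key)    # reuse the bind of a known endpoint
            if bind is None:
                bind = Bind(next(self._bind_ids), if_index, ADDRESS_PORT_BIND, src,
                            entry.global_from, proto, sport, next(self._ports))
                self.port_binds[key] = bind
            public = (str(bind.global_addr), bind.global_port)
        sess = Session(next(self._session_ids), if_index,
                       bind.bind_id if bind else 0, public)
        self.sessions[(if_index, sess.session_id)] = sess
        return sess

    def delete_bind(self, bind_id: int) -> bool:
        """A bind may only go once every session that references it is gone."""
        if any(s.bind_id == bind_id for s in self.sessions.values()):
            raise RuntimeError("sessions still reference bind %d" % bind_id)
        for table in (self.addr_binds, self.port_binds):
            for key, b in list(table.items()):
                if b.bind_id == bind_id:
                    del table[key]
                    return True
        return False
```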
   natAddrBindTable is indexed by the tuple of (ifIndex, LocalAddrType,
   LocalAddr).  natAddrPortBindTable is indexed by the tuple of
   (ifIndex, LocalAddrType, LocalAddr, LocalPort, Protocol).
   These tables also maintain bind-specific statistics.

4.5 natSessionTable

   A NAT session provides the necessary translation glue between the
   two representations of the same end-to-end session, i.e., the
   session as seen in the private realm and the same session as seen
   in the public realm.  Session orientation (inbound or outbound) is
   determined from the orientation of the first packet traversing the
   NAT interface.  Address map entries and bind entries on the
   interface determine whether or not a session is subject to NAT
   translation.  One or both endpoints of a session may be subject to
   translation.  With the exception of symmetric NAT, all other NAT
   functions use an end-point specific bind to perform individual
   end-point translations.  Multiple NAT sessions would use the same
   bind so long as they share the same endpoint.  Symmetric NAT does
   not retain a consistent port bind across multiple sessions using
   the same endpoint.  For this reason, the bind identifier for a NAT
   session in symmetric NAT is set to zero.  natSessionTable is indexed
   by the tuple of (ifIndex, natSessionIndex).  Statistics for NAT
   sessions are also maintained in the same table.

4.6 Notifications

   natPacketDiscard notifies the end user/manager of packets being
   discarded due to lack of address mappings.

4.7 Relation among tables

   The association between the various NAT tables can be represented
   as follows.
                          Address map
                               |
                               |
                               |
           ----------------------------------------------
           |                                            |
           |                                            |
           |                                            |
     Address Bind                                Address Port Bind
           |                                            |
           |                                            |
           |                                            |
           ----------------------------------------------
                               |
                               |
                               |
                          NAT Session

   All NAT functions, with the exception of symmetric NAT,
   use bind(s) to provide the glue necessary for a NAT session.
   natSessionPrivateSrcEPBindId and natSessionPrivateDstEPBindId
   objects represent the endpoint binds used by NAT sessions.

4.8 Configuration via the MIB

   Entries in the Address Bind and Address-Port Bind Tables are
   derived from the address map table.  Therefore, an Address
   Bind or an Address-Port Bind entry must not exist without
   an associated entry in the Address Map table.

   Likewise, NAT session entries are derived from NAT Binds and
   a NAT session entry must not exist in the Session table
   (except in the case of Symmetric NAT) without a corresponding bind.
   Before deleting a bind entry, all the session entries corresponding
   to the bind entry must be deleted.

   A Management station may use the following steps to configure
   entries in the NAT-MIB:

   - Create an entry in the natInterfaceTable specifying the
     value of ifIndex as the interface index of the interface
     on which NAT is being configured.
     Specify appropriate values, as applicable, for the other
     objects in the table, e.g. natInterfaceRealm and
     natInterfaceServiceType.

   - Create one or more address map entries sequentially, in
     decreasing order of priority, in the natAddrMapTable, specifying
     the same value of ifIndex for all entries.  The ifIndex specified
     would be the same as specified for the entry in the
     natInterfaceTable.

   - To configure NAT for the TCP, UDP and ICMP protocols, the
     management station can set the protocol-specific scalars.

   - The Address Bind and Address-Port Bind Tables will have the
     entries created due to this NAT configuration.  A Management
     Station may also, if deemed necessary, create an Address Bind
     or an Address-Port Bind entry and link those entries to the
     appropriate address map configured.

4.9 Relationship to Interface MIB

   The natInterfaceTable specifies the NAT configuration attributes
   on each interface.  The concept of "interface" is as defined by
   InterfaceIndex/ifIndex of the IETF Interfaces MIB [IF-MIB].

5. Definitions

NAT-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY,
    OBJECT-TYPE,
    Unsigned32,
    Gauge32,
    Counter64,
    TimeTicks,
    mib-2,
    NOTIFICATION-TYPE
        FROM SNMPv2-SMI
    TimeInterval,
    TEXTUAL-CONVENTION
        FROM SNMPv2-TC
    MODULE-COMPLIANCE,
    NOTIFICATION-GROUP,
    OBJECT-GROUP
        FROM SNMPv2-CONF
    StorageType,
    RowStatus
        FROM SNMPv2-TC
    ifIndex
        FROM IF-MIB
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB
    InetAddressType,
    InetAddress,
    InetPortNumber
        FROM INET-ADDRESS-MIB;

natMIB MODULE-IDENTITY
    LAST-UPDATED "200311060000Z"
    ORGANIZATION "IETF MIDCOM Working Group"
    CONTACT-INFO
        "WG charter:
           http://www.ietf.org/html.charters/midcom-charter.html

         Mailing Lists:
           General Discussion: midcom@ietf.org
           To Subscribe: midcom-request@ietf.org

         Rohit
         Mascon Global Limited
         #59/2 100 ft Ring Road
         Banashankari II Stage
         Bangalore 560 070
         India
         Phone: +91 80 679 6227
         Email: rrohit74@hotmail.com

         Nalinaksh Pai
         Cisco Systems, Inc.
         Prestige Waterford
         No. 9, Brunton Road
         Bangalore - 560 025
         India
         Phone: +91 80 532 1300
         Email: npai@cisco.com

         Rajiv Raghunarayan
         Cisco Systems Inc.
         170 West Tasman Drive
         San Jose, CA 95134
         Phone: +1 408 853 9612
         Email: raraghun@cisco.com

         Cliff Wang
         Information Security
         Bank One Corp
         1111 Polaris Pkwy
         Columbus, OH 43240
         Phone: +1 614 213 6117
         Email: cliffwang2000@yahoo.com

         P. Srisuresh
         Caymas Systems, Inc.
         1179-A North McDowell Blvd.
         Petaluma, CA 94954
         Tel: (707) 283-5063
         Email: srisuresh@yahoo.com
        "
    DESCRIPTION
        "This MIB module defines the generic managed objects
         for NAT.

         Copyright (C) The Internet Society (2003).  This version
         of this MIB module is part of RFC yyyy; see the RFC
         itself for full legal notices."
    -- RFC Ed.: replace yyyy with actual RFC number & remove this note
    REVISION "200311060000Z"  -- 06th Nov. 2003
    DESCRIPTION
        "Initial version, published as RFC yyyy."
    -- RFC Ed.: replace yyyy with actual RFC number & remove this note

    ::= { mib-2 XXX }  -- RFC Ed.: replace XXX with IANA-assigned
                       -- number & remove this note

natMIBObjects OBJECT IDENTIFIER ::= { natMIB 1 }

NatProtocolType ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "A list of protocols that support the network
         address translation.  Inclusion of the values is
         not intended to imply that those protocols
         need to be supported.  Any change in this
         TEXTUAL-CONVENTION should also be reflected in
         the definition of NatProtocolMap which is a
         BITS representation of this."
    SYNTAX      INTEGER {
                    none (1),   -- not specified
                    other (2),  -- none of the following
                    icmp (3),
                    udp (4),
                    tcp (5)
                }

NatProtocolMap ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "A bitmap of protocol identifiers that support
         the network address translation.  Any change
         in this TEXTUAL-CONVENTION should also be
         reflected in the definition of NatProtocolType."
    SYNTAX      BITS {
                    other (0),
                    icmp (1),
                    udp (2),
                    tcp (3)
                }

NatAddrMapId ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "d"
    STATUS      current
    DESCRIPTION
        "A unique id that is assigned to each address map
         by a NAT enabled device."
    SYNTAX      Unsigned32 (1..4294967295)

NatBindIdOrZero ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "d"
    STATUS      current
    DESCRIPTION
        "A unique id that is assigned to each bind by
         a NAT enabled device.  The bind id will be zero
         in case of a Symmetric NAT."
    SYNTAX      Unsigned32 (0..4294967295)

NatBindId ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "d"
    STATUS      current
    DESCRIPTION
        "A unique id that is assigned to each bind by
         a NAT enabled device."
    SYNTAX      Unsigned32 (1..4294967295)

NatSessionId ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "d"
    STATUS      current
    DESCRIPTION
        "A unique id that is assigned to each session by
         a NAT enabled device."
    SYNTAX      Unsigned32 (1..4294967295)

NatBindMode ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "An indication whether the bind is
         an address bind or an address-port bind."
    SYNTAX      INTEGER {
                    addressBind (1),
                    addressPortBind (2)
                }

NatAssociationType ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "An indication whether the association is
         static or dynamic."
    SYNTAX      INTEGER {
                    static (1),
                    dynamic (2)
                }

NatTranslationEntity ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "An indication for the direction of a session for
         which a) an address map entry, address bind or port
         bind is applicable, and b) the entity (source or
         destination) within the session that is subject to
         translation."
    SYNTAX      BITS {
                    inboundSrcEndPoint (0),
                    outboundDstEndPoint (1),
                    inboundDstEndPoint (2),
                    outboundSrcEndPoint (3)
                }

--
-- Default Values for the NAT Protocol Timers
--

natDefTimeouts OBJECT IDENTIFIER ::= { natMIBObjects 1 }

--
-- UDP related NAT configuration
--

natUdpDefIdleTimeout OBJECT-TYPE
    SYNTAX      Unsigned32 (1..4294967295)
    UNITS       "seconds"
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The default UDP idle timeout parameter."
    DEFVAL { 300 }
    ::= { natDefTimeouts 1 }

--
-- ICMP related NAT configuration
--

natIcmpDefIdleTimeout OBJECT-TYPE
    SYNTAX      Unsigned32 (1..4294967295)
    UNITS       "seconds"
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The default ICMP idle timeout parameter."
    DEFVAL { 300 }
    ::= { natDefTimeouts 2 }

--
-- Other protocol parameters
--

natOtherDefIdleTimeout OBJECT-TYPE
    SYNTAX      Unsigned32 (1..4294967295)
    UNITS       "seconds"
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The default idle timeout parameter for protocols
         represented by the value other (2) in
         NatProtocolType."
    DEFVAL { 60 }
    ::= { natDefTimeouts 3 }

--
-- TCP related NAT Timers
--

natTcpDefIdleTimeout OBJECT-TYPE
    SYNTAX      Unsigned32 (1..4294967295)
    UNITS       "seconds"
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The default time interval, a NAT session for an
         established TCP connection is allowed to remain
         valid without any activity on the TCP connection."
    DEFVAL { 86400 }
    ::= { natDefTimeouts 4 }

natTcpDefNegTimeout OBJECT-TYPE
    SYNTAX      Unsigned32 (1..4294967295)
    UNITS       "seconds"
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The default time interval, a NAT session for a TCP
         connection which is not in the established state
         is allowed to remain valid without any activity on
         the TCP connection."
    DEFVAL { 60 }
    ::= { natDefTimeouts 5 }

--
-- The NAT Interface Table
--

natInterfaceTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF NatInterfaceEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table specifies the attributes for interfaces on a
         device supporting NAT function."
    ::= { natMIBObjects 2 }

natInterfaceEntry OBJECT-TYPE
    SYNTAX      NatInterfaceEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry in the natInterfaceTable holds a set of
         parameters for an interface, instantiated by
         ifIndex.  Therefore, the interface index must have been
         assigned, according to the procedures applicable to that,
         before it can be meaningfully used.
         Generally, this means that the interface must exist.

         When natInterfaceStorageType is of type nonVolatile, however,
         this may reflect the configuration for an interface whose
         ifIndex has been assigned but for which the supporting
         implementation is not currently present."
    INDEX { ifIndex }
    ::= { natInterfaceTable 1 }

NatInterfaceEntry ::= SEQUENCE {
    natInterfaceRealm           INTEGER,
    natInterfaceServiceType     BITS,
    natInterfaceInTranslates    Counter64,
    natInterfaceOutTranslates   Counter64,
    natInterfaceDiscards        Counter64,
    natInterfaceStorageType     StorageType,
    natInterfaceRowStatus       RowStatus
}

natInterfaceRealm OBJECT-TYPE
    SYNTAX      INTEGER {
                    private (1),
                    public (2)
                }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object identifies whether this interface is
         connected to the private or the public realm."
    DEFVAL { public }
    ::= { natInterfaceEntry 1 }

natInterfaceServiceType OBJECT-TYPE
    SYNTAX      BITS {
                    basicNat (0),
                    napt (1),
                    bidirectionalNat (2),
                    twiceNat (3)
                }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "An indication of the direction in which new sessions
         are permitted and the extent of translation done within
         the IP and transport headers."
    ::= { natInterfaceEntry 2 }

natInterfaceInTranslates OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Number of packets received on this interface that
         were translated."
    ::= { natInterfaceEntry 3 }

natInterfaceOutTranslates OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Number of translated packets that were sent out this
         interface."
    ::= { natInterfaceEntry 4 }

natInterfaceDiscards OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Number of packets that had to be rejected/dropped due to
         lack of resources for this interface."
    ::= { natInterfaceEntry 5 }

natInterfaceStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this conceptual row.
         Conceptual rows having the value 'permanent'
         need not allow write-access to any columnar objects
         in the row."
    REFERENCE
        "Textual Conventions for SMIv2, Section 2."
    DEFVAL { nonVolatile }
    ::= { natInterfaceEntry 6 }

natInterfaceRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The status of this conceptual row.

         Until instances of all corresponding columns are
         appropriately configured, the value of the
         corresponding instance of the natInterfaceRowStatus
         column is 'notReady'.
         In particular, a newly created row cannot be made
         active until the corresponding instance of
         natInterfaceServiceType has been set.

         None of the objects in this row may be modified
         while the value of this object is active(1)."
    REFERENCE
        "Textual Conventions for SMIv2, Section 2."
    ::= { natInterfaceEntry 7 }

--
-- The Address Map Table
--

natAddrMapTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF NatAddrMapEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table lists address map parameters for NAT."
    ::= { natMIBObjects 3 }

natAddrMapEntry OBJECT-TYPE
    SYNTAX      NatAddrMapEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This entry represents an address map to be used for
         NAT, and contributes to the dynamic and/or static
         address mapping tables of the NAT device."
    INDEX { ifIndex, natAddrMapIndex }
    ::= { natAddrMapTable 1 }

NatAddrMapEntry ::= SEQUENCE {
    natAddrMapIndex              NatAddrMapId,
    natAddrMapName               SnmpAdminString,
    natAddrMapEntryType          NatAssociationType,
    natAddrMapTranslationEntity  NatTranslationEntity,
    natAddrMapLocalAddrType      InetAddressType,
    natAddrMapLocalAddrFrom      InetAddress,
    natAddrMapLocalAddrTo        InetAddress,
    natAddrMapLocalPortFrom      InetPortNumber,
    natAddrMapLocalPortTo        InetPortNumber,
    natAddrMapGlobalAddrType     InetAddressType,
    natAddrMapGlobalAddrFrom     InetAddress,
    natAddrMapGlobalAddrTo       InetAddress,
    natAddrMapGlobalPortFrom     InetPortNumber,
    natAddrMapGlobalPortTo       InetPortNumber,
    natAddrMapProtocol           NatProtocolMap,
    natAddrMapInTranslates       Counter64,
    natAddrMapOutTranslates      Counter64,
    natAddrMapDiscards           Counter64,
    natAddrMapAddrUsed           Gauge32,
    natAddrMapStorageType        StorageType,
    natAddrMapRowStatus          RowStatus
}

natAddrMapIndex OBJECT-TYPE
    SYNTAX      NatAddrMapId
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Along with ifIndex, this
         object uniquely
         identifies an entry in the natAddrMapTable.
         Address map entries are applied in the order
         specified by natAddrMapIndex."
    ::= { natAddrMapEntry 1 }

natAddrMapName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Name identifying all map entries in the table associated
         with the same interface.  All map entries with the same
         ifIndex will carry the same map name."
    ::= { natAddrMapEntry 2 }

natAddrMapEntryType OBJECT-TYPE
    SYNTAX      NatAssociationType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This parameter can be used to set up static
         or dynamic address maps."
    ::= { natAddrMapEntry 3 }

natAddrMapTranslationEntity OBJECT-TYPE
    SYNTAX      NatTranslationEntity
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The end-point entity (source or destination) in
         inbound or outbound sessions (i.e., first packets) that
         may be translated by an address map entry.

         Session direction (inbound or outbound) is
         derived from the direction of the first packet
         of a session traversing a NAT interface.
         NAT address (and Transport-ID) maps may be defined
         to effect inbound or outbound sessions.

         Traditionally, address map for Basic NAT and NAPT are
         configured on a public interface for outbound sessions,
         effecting translation of source end-point.  The value of
         this object must be set to outboundSrcEndPoint for
         those interfaces.

         Alternately, if address map for Basic NAT and NAPT were
         to be configured on a private interface, the desired
         value for this object for the map entries
         would be inboundSrcEndPoint.  I.e., effecting translation
         of source end-point for inbound sessions.
         If TwiceNAT were to be configured on a private interface,
         the desired value for this object for the map entries
         would be a bitmask of inboundSrcEndPoint and
         inboundDstEndPoint."
    ::= { natAddrMapEntry 4 }

natAddrMapLocalAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies the address type used for
         natAddrMapLocalAddrFrom and natAddrMapLocalAddrTo."
    ::= { natAddrMapEntry 5 }

natAddrMapLocalAddrFrom OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies the first IP address of the range
         of IP addresses mapped by this translation entry."
    ::= { natAddrMapEntry 6 }

natAddrMapLocalAddrTo OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies the last IP address of the range of
         IP addresses mapped by this translation entry.  If only
         a single address is being mapped, the value of this object
         is equal to the value of natAddrMapLocalAddrFrom.  For a
         static NAT, the number of addresses in the range defined
         by natAddrMapLocalAddrFrom and natAddrMapLocalAddrTo must
         be equal to the number of addresses in the range defined by
         natAddrMapGlobalAddrFrom and natAddrMapGlobalAddrTo."
    ::= { natAddrMapEntry 7 }

natAddrMapLocalPortFrom OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "If this conceptual row describes a Basic NAT address
         mapping, then the value of this object must be 0.  If
         this conceptual row describes NAPT, then the value of
         this object specifies the first port number in the range
         of ports being mapped.

         If the translation specifies a single port, then
         the value of this object is equal to the value of
         natAddrMapLocalPortTo."
    ::= { natAddrMapEntry 8 }

natAddrMapLocalPortTo OBJECT-TYPE
    SYNTAX     InetPortNumber
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "If this conceptual row describes a Basic NAT address
        mapping, then the value of this object must be 0.  If
        this conceptual row describes NAPT, then the value of
        this object specifies the last port number in the range
        of ports being mapped.

        If the translation specifies a single port, then the
        value of this object is equal to the value of
        natAddrMapLocalPortFrom."
    ::= { natAddrMapEntry 9 }

natAddrMapGlobalAddrType OBJECT-TYPE
    SYNTAX     InetAddressType
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "This object specifies the address type used for
        natAddrMapGlobalAddrFrom and natAddrMapGlobalAddrTo."
    ::= { natAddrMapEntry 10 }

natAddrMapGlobalAddrFrom OBJECT-TYPE
    SYNTAX     InetAddress
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "This object specifies the first IP address of the range of
        IP addresses being mapped to."
    ::= { natAddrMapEntry 11 }

natAddrMapGlobalAddrTo OBJECT-TYPE
    SYNTAX     InetAddress
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "This object specifies the last IP address of the range of
        IP addresses being mapped to.  If only a single address is
        being mapped to, the value of this object is equal to the
        value of natAddrMapGlobalAddrFrom.  For a static NAT, the
        number of addresses in the range defined by
        natAddrMapGlobalAddrFrom and natAddrMapGlobalAddrTo must be
        equal to the number of addresses in the range defined by
        natAddrMapLocalAddrFrom and natAddrMapLocalAddrTo."
    ::= { natAddrMapEntry 12 }

natAddrMapGlobalPortFrom OBJECT-TYPE
    SYNTAX     InetPortNumber
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "If this conceptual row describes a Basic NAT address
        mapping, then the value of this object must be 0.  If
        this conceptual row describes NAPT, then the value of
        this object specifies the first port number in the range
        of ports being mapped to.  If the translation specifies a
        single port, then the value of this object is equal to
        the value of natAddrMapGlobalPortTo."
    ::= { natAddrMapEntry 13 }

natAddrMapGlobalPortTo OBJECT-TYPE
    SYNTAX     InetPortNumber
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "If this conceptual row describes a Basic NAT address
        mapping, then the value of this object must be 0.  If
        this conceptual row describes NAPT, then the value of this
        object specifies the last port number in the range of
        ports being mapped to.  If the translation specifies a
        single port, then the value of this object is equal to
        the value of natAddrMapGlobalPortFrom."
    ::= { natAddrMapEntry 14 }

natAddrMapProtocol OBJECT-TYPE
    SYNTAX     NatProtocolMap
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "This object specifies a bitmap of protocol identifiers."
    ::= { natAddrMapEntry 15 }

natAddrMapInTranslates OBJECT-TYPE
    SYNTAX     Counter64
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The number of inbound packets, pertaining to this address
        map entry, that were translated."
    ::= { natAddrMapEntry 16 }

natAddrMapOutTranslates OBJECT-TYPE
    SYNTAX     Counter64
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The number of outbound packets, pertaining to this
        address map entry, that were translated."
    ::= { natAddrMapEntry 17 }

natAddrMapDiscards OBJECT-TYPE
    SYNTAX     Counter64
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The number of packets, pertaining to this address map
        entry, that were dropped due to lack of addresses in the
        address pool identified by this address map.  The value of
        this object must always be zero in the case of a static
        address map."
    ::= { natAddrMapEntry 18 }

natAddrMapAddrUsed OBJECT-TYPE
    SYNTAX     Gauge32
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The number of addresses, pertaining to this address map,
        that are currently being used from the NAT pool.
        The value of this object must always be zero in the case
        of a static address map."
    ::= { natAddrMapEntry 19 }

natAddrMapStorageType OBJECT-TYPE
    SYNTAX     StorageType
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "The storage type for this conceptual row.
        Conceptual rows having the value 'permanent'
        need not allow write-access to any columnar objects
        in the row."
    REFERENCE
        "Textual Conventions for SMIv2, Section 2."
    DEFVAL { nonVolatile }
    ::= { natAddrMapEntry 20 }

natAddrMapRowStatus OBJECT-TYPE
    SYNTAX     RowStatus
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "The status of this conceptual row.

        Until instances of all corresponding columns are
        appropriately configured, the value of the
        corresponding instance of the natAddrMapRowStatus
        column is 'notReady'.

        None of the objects in this row may be modified
        while the value of this object is active(1)."
    REFERENCE
        "Textual Conventions for SMIv2, Section 2."
    ::= { natAddrMapEntry 21 }

--
-- Address Bind section
--

natAddrBindNumberOfEntries OBJECT-TYPE
    SYNTAX     Gauge32
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "This object maintains a count of the number of entries
        that currently exist in the natAddrBindTable."
    ::= { natMIBObjects 4 }

--
-- The NAT Address BIND Table
--

natAddrBindTable OBJECT-TYPE
    SYNTAX     SEQUENCE OF NatAddrBindEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "This table holds information about the currently
        active NAT BINDs."
    ::= { natMIBObjects 5 }

natAddrBindEntry OBJECT-TYPE
    SYNTAX     NatAddrBindEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "Each entry in this table holds information about
        an active address BIND.  These entries are lost
        upon agent restart."
    INDEX { ifIndex, natAddrBindLocalAddrType, natAddrBindLocalAddr }
    ::= { natAddrBindTable 1 }

NatAddrBindEntry ::= SEQUENCE {
    natAddrBindLocalAddrType      InetAddressType,
    natAddrBindLocalAddr          InetAddress,
    natAddrBindGlobalAddrType     InetAddressType,
    natAddrBindGlobalAddr         InetAddress,
    natAddrBindId                 NatBindId,
    natAddrBindTranslationEntity  NatTranslationEntity,
    natAddrBindType               NatAssociationType,
    natAddrBindMapIndex           NatAddrMapId,
    natAddrBindSessions           Gauge32,
    natAddrBindMaxIdleTime        TimeInterval,
    natAddrBindCurrentIdleTime    TimeTicks,
    natAddrBindInTranslates       Counter64,
    natAddrBindOutTranslates      Counter64,
    natAddrBindRowStatus          RowStatus
}

natAddrBindLocalAddrType OBJECT-TYPE
    SYNTAX     InetAddressType
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "This object specifies the address type used for
        natAddrBindLocalAddr."
    ::= { natAddrBindEntry 1 }

natAddrBindLocalAddr OBJECT-TYPE
    SYNTAX     InetAddress
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "This object represents the private-realm specific network
        layer address, which maps to the public-realm address
        represented by natAddrBindGlobalAddr."
    ::= { natAddrBindEntry 2 }

natAddrBindGlobalAddrType OBJECT-TYPE
    SYNTAX     InetAddressType
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "This object specifies the address type used for
        natAddrBindGlobalAddr."
    ::= { natAddrBindEntry 3 }

natAddrBindGlobalAddr OBJECT-TYPE
    SYNTAX     InetAddress
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "This object represents the public-realm network layer
        address that maps to the private-realm network layer
        address represented by natAddrBindLocalAddr."
    ::= { natAddrBindEntry 4 }

natAddrBindId OBJECT-TYPE
    SYNTAX     NatBindId
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "This object represents a bind id that is dynamically
        assigned to each bind by a NAT enabled device.  Each
        bind is represented by a bind id that is
        unique across both the natAddrBindTable and the
        natAddrPortBindTable."
    ::= { natAddrBindEntry 5 }

natAddrBindTranslationEntity OBJECT-TYPE
    SYNTAX     NatTranslationEntity
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "This object represents the direction of sessions
        for which this bind is applicable and the endpoint entity
        (source or destination) within the sessions that is
        subject to translation using the BIND.

        Orientation of the bind can be a superset of the
        translationEntity of the address map entry which
        forms the basis for this bind.

        For example, if the translationEntity of an
        address map entry is outboundSrcEndPoint, the
        translationEntity of a bind derived from this
        map entry may either be outboundSrcEndPoint or
        it may be bidirectional (a bitmask of
        outboundSrcEndPoint and inboundDstEndPoint)."
    ::= { natAddrBindEntry 6 }

natAddrBindType OBJECT-TYPE
    SYNTAX     NatAssociationType
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "This object indicates whether the bind is static or
        dynamic."
    ::= { natAddrBindEntry 7 }

natAddrBindMapIndex OBJECT-TYPE
    SYNTAX     NatAddrMapId
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "This object is a pointer to the natAddrMapTable entry
        (and the parameters of that entry) which was used in
        creating this BIND.  This object, in conjunction with the
        ifIndex (which identifies a unique addrMapName), points to
        a unique entry in the natAddrMapTable.  If the bind
        is being created by the Management Station, then it
        should set the value for this object to point to an
        existing address map entry.  An attempt to set this object
        to a nonexistent address map entry will result in an
        inconsistentValue error."
    ::= { natAddrBindEntry 8 }

natAddrBindSessions OBJECT-TYPE
    SYNTAX     Gauge32
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "Number of sessions currently using this BIND."
    ::= { natAddrBindEntry 9 }

natAddrBindMaxIdleTime OBJECT-TYPE
    SYNTAX     TimeInterval
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "This object indicates the maximum time for
        which this bind can be idle with no sessions
        attached to it.

        The value of this object is of relevance only for
        dynamic NAT."
    ::= { natAddrBindEntry 10 }

natAddrBindCurrentIdleTime OBJECT-TYPE
    SYNTAX     TimeTicks
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "At any given instance of time, this object indicates the
        time that this bind has been idle with no sessions
        attached to it.

        The value of this object is of relevance only for
        dynamic NAT."
    ::= { natAddrBindEntry 11 }

natAddrBindInTranslates OBJECT-TYPE
    SYNTAX     Counter64
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The number of inbound packets that were successfully
        translated using this bind entry."
    ::= { natAddrBindEntry 12 }

natAddrBindOutTranslates OBJECT-TYPE
    SYNTAX     Counter64
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The number of outbound packets that were successfully
        translated using this bind entry."
    ::= { natAddrBindEntry 13 }

natAddrBindRowStatus OBJECT-TYPE
    SYNTAX     RowStatus
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "The status of this conceptual row.

        Until instances of all corresponding columns are
        appropriately configured, the value of the
        corresponding instance of the natAddrBindRowStatus
        column is 'notReady'.

        None of the writable objects except
        natAddrBindMaxIdleTime in this row may be modified
        while the value of this object is active(1)."
    REFERENCE
        "Textual Conventions for SMIv2, Section 2."
    ::= { natAddrBindEntry 14 }

--
-- Address-Port Bind section
--

natAddrPortBindNumberOfEntries OBJECT-TYPE
    SYNTAX     Gauge32
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "This object maintains a count of the number of entries
        that currently exist in the natAddrPortBindTable."
    ::= { natMIBObjects 6 }

--
-- The NAT Address-Port Bind Table
--

natAddrPortBindTable OBJECT-TYPE
    SYNTAX     SEQUENCE OF NatAddrPortBindEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "This table holds information about the currently
        active NAPT BINDs."
    ::= { natMIBObjects 7 }

natAddrPortBindEntry OBJECT-TYPE
    SYNTAX     NatAddrPortBindEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "Each entry in this table holds information
        about a NAPT bind that is currently active.
        These entries are lost upon agent restart."
    INDEX { ifIndex, natAddrPortBindLocalAddrType,
            natAddrPortBindLocalAddr, natAddrPortBindLocalPort,
            natAddrPortBindProtocol }
    ::= { natAddrPortBindTable 1 }

NatAddrPortBindEntry ::= SEQUENCE {
    natAddrPortBindLocalAddrType      InetAddressType,
    natAddrPortBindLocalAddr          InetAddress,
    natAddrPortBindLocalPort          InetPortNumber,
    natAddrPortBindProtocol           NatProtocolType,
    natAddrPortBindGlobalAddrType     InetAddressType,
    natAddrPortBindGlobalAddr         InetAddress,
    natAddrPortBindGlobalPort         InetPortNumber,
    natAddrPortBindId                 NatBindId,
    natAddrPortBindTranslationEntity  NatTranslationEntity,
    natAddrPortBindType               NatAssociationType,
    natAddrPortBindMapIndex           NatAddrMapId,
    natAddrPortBindSessions           Gauge32,
    natAddrPortBindMaxIdleTime        TimeInterval,
    natAddrPortBindCurrentIdleTime    TimeTicks,
    natAddrPortBindInTranslates       Counter64,
    natAddrPortBindOutTranslates      Counter64,
    natAddrPortBindRowStatus          RowStatus
}

natAddrPortBindLocalAddrType OBJECT-TYPE
    SYNTAX     InetAddressType
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "This object specifies the address type used for
        natAddrPortBindLocalAddr."
    ::= { natAddrPortBindEntry 1 }

natAddrPortBindLocalAddr OBJECT-TYPE
    SYNTAX     InetAddress
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "This object represents the private-realm specific network
        layer address which, in conjunction with
        natAddrPortBindLocalPort, maps to the public-realm
        network layer address and transport id represented by
        natAddrPortBindGlobalAddr and natAddrPortBindGlobalPort
        respectively."
    ::= { natAddrPortBindEntry 2 }

natAddrPortBindLocalPort OBJECT-TYPE
    SYNTAX     InetPortNumber
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "When the protocol is set to TCP or UDP, this object
        represents the private-realm specific port number.
        When the protocol is set to ICMP, a bind is created
        only for query/response type of ICMP messages such as
        ICMP echo, Timestamp and Information request messages,
        and the object represents the private-realm specific
        identifier in the ICMP message, as defined in
        RFC 792 [RFC792] for ICMPv4 and RFC 2463 [RFC2463] for
        ICMPv6.  This object together with natAddrPortBindProtocol,
        natAddrPortBindLocalAddrType and natAddrPortBindLocalAddr
        constitutes a session endpoint in the private realm.  A
        bind entry binds a private realm specific endpoint to a
        public realm specific endpoint, as represented by the
        tuple of (natAddrPortBindGlobalPort,
        natAddrPortBindProtocol, natAddrPortBindGlobalAddrType
        and natAddrPortBindGlobalAddr)."
    ::= { natAddrPortBindEntry 3 }

natAddrPortBindProtocol OBJECT-TYPE
    SYNTAX     NatProtocolType
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "This object specifies a protocol identifier.  If the
        value of this object is none(1), then this bind entry
        applies to all IP traffic.  Any other value of this object
        specifies the class of IP traffic to which this BIND
        applies."
    ::= { natAddrPortBindEntry 4 }

natAddrPortBindGlobalAddrType OBJECT-TYPE
    SYNTAX     InetAddressType
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "This object specifies the address type used for
        natAddrPortBindGlobalAddr."
    ::= { natAddrPortBindEntry 5 }

natAddrPortBindGlobalAddr OBJECT-TYPE
    SYNTAX     InetAddress
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "This object represents the public-realm specific network
        layer address that, in conjunction with
        natAddrPortBindGlobalPort, maps to the private-realm
        network layer address and transport id represented by
        natAddrPortBindLocalAddr and natAddrPortBindLocalPort
        respectively."
    ::= { natAddrPortBindEntry 6 }

natAddrPortBindGlobalPort OBJECT-TYPE
    SYNTAX     InetPortNumber
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "When the protocol is set to TCP or UDP, this object
        represents the public-realm specific port number.

        When the protocol is set to ICMP, a bind is created only
        for query/response type of ICMP messages such as ICMP
        echo, Timestamp and Information request messages, and
        the object represents the public-realm specific identifier
        in the ICMP message, as defined in RFC 792 [RFC792]
        for ICMPv4 and RFC 2463 [RFC2463] for ICMPv6.  This object
        together with natAddrPortBindProtocol,
        natAddrPortBindGlobalAddrType and natAddrPortBindGlobalAddr
        constitutes a session endpoint in the public realm.  A bind
        entry binds a public realm specific endpoint to a private
        realm specific endpoint, as represented by the tuple of
        (natAddrPortBindLocalPort, natAddrPortBindProtocol,
        natAddrPortBindLocalAddrType and
        natAddrPortBindLocalAddr)."
    ::= { natAddrPortBindEntry 7 }

natAddrPortBindId OBJECT-TYPE
    SYNTAX     NatBindId
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "This object represents a bind id that is dynamically
        assigned to each bind by a NAT enabled device.  Each
        bind is represented by a unique bind id across both
        the natAddrBindTable and the natAddrPortBindTable."
    ::= { natAddrPortBindEntry 8 }

natAddrPortBindTranslationEntity OBJECT-TYPE
    SYNTAX     NatTranslationEntity
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "This object represents the direction of sessions
        for which this bind is applicable and the entity
        (source or destination) within the sessions that is
        subject to translation using the BIND.

        Orientation of the bind can be a superset of the
        translationEntity of the address map entry which
        forms the basis for this bind.

        For example, if the translationEntity of an
        address map entry is outboundSrcEndPoint, the
        translationEntity of a bind derived from this
        map entry may either be outboundSrcEndPoint or
        it may be bidirectional (a bitmask of
        outboundSrcEndPoint and inboundDstEndPoint)."
    ::= { natAddrPortBindEntry 9 }

natAddrPortBindType OBJECT-TYPE
    SYNTAX     NatAssociationType
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "This object indicates whether the bind is static or
        dynamic."
    ::= { natAddrPortBindEntry 10 }

natAddrPortBindMapIndex OBJECT-TYPE
    SYNTAX     NatAddrMapId
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "This object is a pointer to the natAddrMapTable entry
        (and the parameters of that entry) which was used in
        creating this BIND.  This object, in conjunction with the
        ifIndex (which identifies a unique addrMapName), points to
        a unique entry in the natAddrMapTable.  If the bind
        is being created by the Management Station, then it
        should set the value for this object to point to an
        existing address map entry.  An attempt to set this object
        to a nonexistent address map entry will result in an
        inconsistentValue error."
    ::= { natAddrPortBindEntry 11 }

natAddrPortBindSessions OBJECT-TYPE
    SYNTAX     Gauge32
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "Number of sessions currently using this BIND."
    ::= { natAddrPortBindEntry 12 }

natAddrPortBindMaxIdleTime OBJECT-TYPE
    SYNTAX     TimeInterval
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "This object indicates the maximum time for
        which this bind can be idle with no sessions
        attached to it.

        The value of this object is of relevance
        only for dynamic NAT."
    ::= { natAddrPortBindEntry 13 }

natAddrPortBindCurrentIdleTime OBJECT-TYPE
    SYNTAX     TimeTicks
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "At any given instance of time, this object indicates the
        time that this bind has been idle with no sessions
        attached to it.

        The value of this object is of relevance
        only for dynamic NAT."
    ::= { natAddrPortBindEntry 14 }

natAddrPortBindInTranslates OBJECT-TYPE
    SYNTAX     Counter64
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The number of inbound packets that were translated as per
        this bind entry."
    ::= { natAddrPortBindEntry 15 }

natAddrPortBindOutTranslates OBJECT-TYPE
    SYNTAX     Counter64
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The number of outbound packets that were translated as per
        this bind entry."
    ::= { natAddrPortBindEntry 16 }

natAddrPortBindRowStatus OBJECT-TYPE
    SYNTAX     RowStatus
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "The status of this conceptual row.

        Until instances of all corresponding columns are
        appropriately configured, the value of the
        corresponding instance of the natAddrPortBindRowStatus
        column is 'notReady'.

        None of the writable objects except
        natAddrPortBindMaxIdleTime in this row may be
        modified while the value of this object is active(1)."
    REFERENCE
        "Textual Conventions for SMIv2, Section 2."
    ::= { natAddrPortBindEntry 17 }

--
-- The Session Table
--

natSessionTable OBJECT-TYPE
    SYNTAX     SEQUENCE OF NatSessionEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "The (conceptual) table containing one entry for each
        NAT session currently active on this NAT device."
    ::= { natMIBObjects 8 }

natSessionEntry OBJECT-TYPE
    SYNTAX     NatSessionEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "An entry (conceptual row) containing information
        about an active NAT session on this NAT device.
        These entries are lost upon agent restart."
    INDEX { ifIndex, natSessionIndex }
    ::= { natSessionTable 1 }

NatSessionEntry ::= SEQUENCE {
    natSessionIndex                 NatSessionId,
    natSessionPrivateSrcEPBindId    NatBindIdOrZero,
    natSessionPrivateSrcEPBindMode  NatBindMode,
    natSessionPrivateDstEPBindId    NatBindId,
    natSessionPrivateDstEPBindMode  NatBindMode,
    natSessionDirection             INTEGER,
    natSessionUpTime                TimeTicks,
    natSessionAddrMapIndex          NatAddrMapId,
    natSessionProtocolType          NatProtocolType,
    natSessionPrivateAddrType       InetAddressType,
    natSessionPrivateSrcAddr        InetAddress,
    natSessionPrivateSrcPort        InetPortNumber,
    natSessionPrivateDstAddr        InetAddress,
    natSessionPrivateDstPort        InetPortNumber,
    natSessionPublicAddrType        InetAddressType,
    natSessionPublicSrcAddr         InetAddress,
    natSessionPublicSrcPort         InetPortNumber,
    natSessionPublicDstAddr         InetAddress,
    natSessionPublicDstPort         InetPortNumber,
    natSessionMaxIdleTime           TimeInterval,
    natSessionCurrentIdleTime       TimeTicks,
    natSessionInTranslates          Counter64,
    natSessionOutTranslates         Counter64,
    natSessionRowStatus             RowStatus
}

natSessionIndex OBJECT-TYPE
    SYNTAX     NatSessionId
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "The session ID for this NAT session."
    ::= { natSessionEntry 1 }

natSessionPrivateSrcEPBindId OBJECT-TYPE
    SYNTAX     NatBindIdOrZero
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "The bind id associated between private and public
        source end points.  In the case of Symmetric-NAT,
        this would be set to zero."
    ::= { natSessionEntry 2 }

natSessionPrivateSrcEPBindMode OBJECT-TYPE
    SYNTAX     NatBindMode
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "This object indicates whether the bind indicated
        by the object natSessionPrivateSrcEPBindId
        is an address bind or an address-port bind."
    ::= { natSessionEntry 3 }

natSessionPrivateDstEPBindId OBJECT-TYPE
    SYNTAX     NatBindId
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "The bind id associated between private and public
        destination end points."
    ::= { natSessionEntry 4 }

natSessionPrivateDstEPBindMode OBJECT-TYPE
    SYNTAX     NatBindMode
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "This object indicates whether the bind indicated
        by the object natSessionPrivateDstEPBindId
        is an address bind or an address-port bind."
    ::= { natSessionEntry 5 }

natSessionDirection OBJECT-TYPE
    SYNTAX     INTEGER {
                   inbound (1),
                   outbound (2)
               }
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "The direction of this session with respect to the
        local network.  'inbound' indicates that this session
        was initiated from the public network into the private
        network.  'outbound' indicates that this session was
        initiated from the private network into the public
        network."
    ::= { natSessionEntry 6 }

natSessionUpTime OBJECT-TYPE
    SYNTAX     TimeTicks
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The up time of this session in one-hundredths of a
        second."
    ::= { natSessionEntry 7 }

natSessionAddrMapIndex OBJECT-TYPE
    SYNTAX     NatAddrMapId
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "This object is a pointer to the natAddrMapTable entry
        (and the parameters of that entry) which was used in
        creating this session.  This object, in conjunction with
        the ifIndex (which identifies a unique addrMapName), points
        to a unique entry in the natAddrMapTable.  If the session
        is being created by the Management Station, then it
        should set the value for this object to point to an
        existing address map entry.  An attempt to set this object
        to a nonexistent address map entry will result in an
        inconsistentValue error."
    ::= { natSessionEntry 8 }

natSessionProtocolType OBJECT-TYPE
    SYNTAX     NatProtocolType
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "The protocol type of this session."
    ::= { natSessionEntry 9 }

natSessionPrivateAddrType OBJECT-TYPE
    SYNTAX     InetAddressType
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "This object specifies the address type used for
        natSessionPrivateSrcAddr and natSessionPrivateDstAddr."
    ::= { natSessionEntry 10 }

natSessionPrivateSrcAddr OBJECT-TYPE
    SYNTAX     InetAddress
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "The source IP address of the session endpoint that
        lies in the private network."
    ::= { natSessionEntry 11 }

natSessionPrivateSrcPort OBJECT-TYPE
    SYNTAX     InetPortNumber
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "When the protocol is set to TCP or UDP, this object
        represents the source port in the first packet of the
        session while in the private realm.  When the protocol is
        set to ICMP, a NAT session is created only for
        query/response type of ICMP messages such as ICMP echo,
        Timestamp and Information request messages, and this
        object represents the private-realm specific identifier
        in the ICMP message, as defined in RFC 792 [RFC792] for
        ICMPv4 and RFC 2463 [RFC2463] for ICMPv6.

        The value of this object must be 0 when ports are not
        involved in the translation."
    ::= { natSessionEntry 12 }

natSessionPrivateDstAddr OBJECT-TYPE
    SYNTAX     InetAddress
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "The destination IP address of the session endpoint that
        lies in the private network."
    ::= { natSessionEntry 13 }

natSessionPrivateDstPort OBJECT-TYPE
    SYNTAX     InetPortNumber
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "When the protocol is set to TCP or UDP, this object
        represents the destination port in the first packet
        of the session while in the private realm.  When the
        protocol is set to ICMP, this object is not relevant and
        should be set to zero."
    ::= { natSessionEntry 14 }

natSessionPublicAddrType OBJECT-TYPE
    SYNTAX     InetAddressType
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "This object specifies the address type used for
        natSessionPublicSrcAddr and natSessionPublicDstAddr."
    ::= { natSessionEntry 15 }

natSessionPublicSrcAddr OBJECT-TYPE
    SYNTAX     InetAddress
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "The source IP address of the session endpoint that
        lies in the public network."
    ::= { natSessionEntry 16 }

natSessionPublicSrcPort OBJECT-TYPE
    SYNTAX     InetPortNumber
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "When the protocol is set to TCP or UDP, this object
        represents the source port in the first packet of the
        session while in the public realm.  When the protocol is
        set to ICMP, a NAT session is created only for
        query/response type of ICMP messages such as ICMP echo,
        Timestamp and Information request messages, and this
        object represents the public-realm specific identifier in
        the ICMP message, as defined in RFC 792 [RFC792] for
        ICMPv4 and RFC 2463 [RFC2463] for ICMPv6.  The value of
        this object must be 0 when ports are not involved in the
        translation."
    ::= { natSessionEntry 17 }

natSessionPublicDstAddr OBJECT-TYPE
    SYNTAX     InetAddress
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "The destination IP address of the session endpoint that
        lies in the public network."
    ::= { natSessionEntry 18 }

natSessionPublicDstPort OBJECT-TYPE
    SYNTAX     InetPortNumber
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "When the protocol is set to TCP or UDP, this object
        represents the destination port in the first packet of
        the session while in the public realm.  When the protocol
        is set to ICMP, this object is not relevant for translation
        and should be set to 0."
    ::= { natSessionEntry 19 }

natSessionMaxIdleTime OBJECT-TYPE
    SYNTAX     TimeInterval
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "The maximum time for which this session can be idle
        without detecting a packet."
    ::= { natSessionEntry 20 }

natSessionCurrentIdleTime OBJECT-TYPE
    SYNTAX     TimeTicks
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The time since a packet belonging to this session was
        last detected."
    ::= { natSessionEntry 21 }

natSessionInTranslates OBJECT-TYPE
    SYNTAX     Counter64
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The number of inbound packets that were translated for
        this session."
    ::= { natSessionEntry 22 }

natSessionOutTranslates OBJECT-TYPE
    SYNTAX     Counter64
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The number of outbound packets that were translated for
        this session."
    ::= { natSessionEntry 23 }

natSessionRowStatus OBJECT-TYPE
    SYNTAX     RowStatus
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "The status of this conceptual row.
1868 Until instances of all corresponding columns are 1869 appropriately configured, the value of the 1870 corresponding instance of the natAddrMapRowStatus 1871 column is 'notReady'. 1873 None of the writable objects except 1874 natSessionMaxIdleTime in this row may be modified 1875 while the value of this object is active(1)." 1876 REFERENCE 1877 "Textual Conventions for SMIv2, Section 2." 1878 ::= { natSessionEntry 24 } 1880 -- 1881 -- The Protocol table 1882 -- 1884 natProtocolTable OBJECT-TYPE 1885 SYNTAX SEQUENCE OF NatProtocolEntry 1886 MAX-ACCESS not-accessible 1887 STATUS current 1888 DESCRIPTION 1889 "The (conceptual) table containing per protocol NAT 1890 parameters." 1891 ::= { natMIBObjects 9 } 1893 natProtocolEntry OBJECT-TYPE 1894 SYNTAX NatProtocolEntry 1895 MAX-ACCESS not-accessible 1896 STATUS current 1897 DESCRIPTION 1898 "An entry (conceptual row) containing NAT parameters 1899 pertaining to a particular protocol." 1900 INDEX { natProtocol } 1901 ::= { natProtocolTable 1 } 1903 NatProtocolEntry ::= SEQUENCE { 1904 natProtocol NatProtocolType, 1905 natProtocolInTranslates Counter64, 1906 natProtocolOutTranslates Counter64, 1907 natProtocolDiscards Counter64 1908 } 1910 natProtocol OBJECT-TYPE 1911 SYNTAX NatProtocolType 1912 MAX-ACCESS not-accessible 1913 STATUS current 1914 DESCRIPTION 1915 "This object represents the protocol pertaining to which 1916 parameters are reported." 1917 ::= { natProtocolEntry 1 } 1919 natProtocolInTranslates OBJECT-TYPE 1920 SYNTAX Counter64 1921 MAX-ACCESS read-only 1922 STATUS current 1923 DESCRIPTION 1924 "The number of inbound packets, pertaining to the protocol 1925 identified by natProtocol, that underwent NAT." 1926 ::= { natProtocolEntry 2 } 1928 natProtocolOutTranslates OBJECT-TYPE 1929 SYNTAX Counter64 1930 MAX-ACCESS read-only 1931 STATUS current 1932 DESCRIPTION 1933 "The number of outbound packets, pertaining to the protocol 1934 identified by natProtocol, that underwent NAT." 
1935 ::= { natProtocolEntry 3 } 1937 natProtocolDiscards OBJECT-TYPE 1938 SYNTAX Counter64 1939 MAX-ACCESS read-only 1940 STATUS current 1941 DESCRIPTION 1942 "The number of packets, pertaining to the protocol 1943 identified by natProtocol, that had to be 1944 rejected/dropped due to lack of resources. These 1945 rejections could be due to session timeout, resource 1946 unavailability, lack of address space etc." 1947 ::= { natProtocolEntry 4 } 1949 -- 1950 -- Notifications section 1951 -- 1953 natMIBNotifications OBJECT IDENTIFIER ::= { natMIB 0 } 1955 -- 1956 -- Notifications 1957 -- 1959 natPacketDiscard NOTIFICATION-TYPE 1960 OBJECTS { ifIndex } 1961 STATUS current 1962 DESCRIPTION 1963 "This notification is generated whenever packets are 1964 discarded e.g. due to lack of mapping space when we run 1965 out of address/ports in case of Basic NAT/NAPT 1966 respectively. 1968 An agent should not generate more than one 1969 natPacketDiscard 'notification-events' in a given time 1970 interval (five seconds is the suggested default). A 1971 'notification-event' is the transmission of a single 1972 trap or inform PDU to a list of notification 1973 destinations. 1975 If additional NAT packets are discarded within the 1976 throttling period, then notification-events for these 1977 changes should be suppressed by the agent until the 1978 current throttling period expires. At the end of a 1979 throttling period, one notification-event should be 1980 generated if any NAT packet was discarded since the 1981 start of the throttling period. In such a case, another 1982 throttling period is started right away." 1983 ::= { natMIBNotifications 1 } 1985 -- 1986 -- Conformance information. 
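The throttling rule in the natPacketDiscard DESCRIPTION above, carried out in code, as an added example that is not part of the draft or of any vendor's agent. The DiscardNotifier class, the simulate() driver, the injectable clock and the choice of naming the last suppressed discard's ifIndex in the period-end summary event are this example's own assumptions; the five-second period is the draft's suggested default.

```python
"""natPacketDiscard notification throttle, as described in the draft.

Rule being implemented: at most one notification-event per throttling
period (five seconds suggested); discards inside the period are
suppressed; at the period's end one event is sent if anything was
suppressed and a new period starts immediately, otherwise the agent
returns to idle.  Clock values are passed in explicitly so the logic
can be driven from a test without real time.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DEFAULT_THROTTLE_PERIOD = 5.0  # seconds; the draft's suggested default


@dataclass
class DiscardNotifier:
    period: float = DEFAULT_THROTTLE_PERIOD
    # (timestamp, ifIndex) of every notification-event actually transmitted.
    # ifIndex is the one object the notification carries.
    sent: List[Tuple[float, int]] = field(default_factory=list)
    # End of the current throttling period; None when not throttling.
    _period_end: Optional[float] = None
    # Whether a discard was suppressed during the current period, and on
    # which interface (reporting the last suppressed one is this example's
    # choice; the draft does not say which ifIndex the summary event names).
    _pending: bool = False
    _pending_if_index: int = 0

    def tick(self, now: float) -> bool:
        """Advance the clock to `now`.

        Closes every throttling period that has expired.  Returns True if
        the end of a period caused a summary notification-event to be sent.
        """
        emitted = False
        while self._period_end is not None and now >= self._period_end:
            if self._pending:
                # Something was discarded during the period: one summary
                # event, timestamped at the period boundary, and another
                # throttling period starts right away.
                self.sent.append((self._period_end, self._pending_if_index))
                self._pending = False
                self._period_end += self.period
                emitted = True
            else:
                # Quiet period: stop throttling; the next discard is
                # reported immediately.
                self._period_end = None
        return emitted

    def packet_discarded(self, now: float, if_index: int) -> bool:
        """Record a NAT discard on interface `if_index` at time `now`.

        Returns True if a notification-event was transmitted immediately,
        False if it was suppressed by the throttle.
        """
        self.tick(now)
        if self._period_end is None:
            # Not throttling: report at once and open a throttling period.
            self.sent.append((now, if_index))
            self._period_end = now + self.period
            return True
        # Inside a throttling period: suppress, but remember it happened so
        # the period-end summary event goes out.
        self._pending = True
        self._pending_if_index = if_index
        return False


def simulate(discards: List[Tuple[float, int]],
             period: float = DEFAULT_THROTTLE_PERIOD,
             end_time: Optional[float] = None) -> List[float]:
    """Feed a constructed, time-ordered list of (time, ifIndex) discards
    through a notifier and return the times at which notification-events
    were transmitted.  `end_time` lets the clock run on after the last
    discard so the final summary event (if any) is flushed."""
    notifier = DiscardNotifier(period=period)
    for when, if_index in discards:
        notifier.packet_discarded(when, if_index)
    if end_time is not None:
        notifier.tick(end_time)
    return [when for when, _ in notifier.sent]


def rate_respected(times: List[float], period: float) -> bool:
    """True if no two consecutive notification-events are closer together
    than one throttling period, i.e. the draft's one-per-interval limit."""
    return all(b - a >= period for a, b in zip(times, times[1:]))


if __name__ == "__main__":
    # Constructed scenario: a burst of 100 discards within the first second
    # collapses to two events, one immediate and one summary at t=5.
    burst = [(i * 0.01, 1) for i in range(100)]
    print(simulate(burst, end_time=60.0))
```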
    --

    natMIBConformance OBJECT IDENTIFIER ::= { natMIB 2 }
    natMIBGroups      OBJECT IDENTIFIER ::= { natMIBConformance 1 }
    natMIBCompliances OBJECT IDENTIFIER ::= { natMIBConformance 2 }

    --
    -- Units of conformance
    --

    natConfigGroup OBJECT-GROUP
        OBJECTS { natInterfaceRealm,
                  natInterfaceServiceType,
                  natInterfaceStorageType,
                  natInterfaceRowStatus,
                  natAddrMapName,
                  natAddrMapEntryType,
                  natAddrMapTranslationEntity,
                  natAddrMapLocalAddrType,
                  natAddrMapLocalAddrFrom,
                  natAddrMapLocalAddrTo,
                  natAddrMapLocalPortFrom,
                  natAddrMapLocalPortTo,
                  natAddrMapGlobalAddrType,
                  natAddrMapGlobalAddrFrom,
                  natAddrMapGlobalAddrTo,
                  natAddrMapGlobalPortFrom,
                  natAddrMapGlobalPortTo,
                  natAddrMapProtocol,
                  natAddrMapStorageType,
                  natAddrMapRowStatus,
                  natUdpDefIdleTimeout,
                  natIcmpDefIdleTimeout,
                  natOtherDefIdleTimeout,
                  natTcpDefIdleTimeout,
                  natTcpDefNegTimeout }
        STATUS  current
        DESCRIPTION
            "A collection of configuration-related information
             required to support management of devices supporting
             NAT."
        ::= { natMIBGroups 1 }

    natTranslationGroup OBJECT-GROUP
        OBJECTS { natAddrBindNumberOfEntries,
                  natAddrBindGlobalAddrType,
                  natAddrBindGlobalAddr,
                  natAddrBindId,
                  natAddrBindTranslationEntity,
                  natAddrBindType,
                  natAddrBindMapIndex,
                  natAddrBindSessions,
                  natAddrBindMaxIdleTime,
                  natAddrBindCurrentIdleTime,
                  natAddrBindInTranslates,
                  natAddrBindOutTranslates,
                  natAddrBindRowStatus,
                  natAddrPortBindNumberOfEntries,
                  natAddrPortBindGlobalAddrType,
                  natAddrPortBindGlobalAddr,
                  natAddrPortBindGlobalPort,
                  natAddrPortBindId,
                  natAddrPortBindTranslationEntity,
                  natAddrPortBindType,
                  natAddrPortBindMapIndex,
                  natAddrPortBindSessions,
                  natAddrPortBindMaxIdleTime,
                  natAddrPortBindCurrentIdleTime,
                  natAddrPortBindInTranslates,
                  natAddrPortBindOutTranslates,
                  natAddrPortBindRowStatus,
                  natSessionPrivateSrcEPBindId,
                  natSessionPrivateSrcEPBindMode,
                  natSessionPrivateDstEPBindId,
                  natSessionPrivateDstEPBindMode,
                  natSessionDirection,
                  natSessionUpTime,
                  natSessionAddrMapIndex,
                  natSessionProtocolType,
                  natSessionPrivateAddrType,
                  natSessionPrivateSrcAddr,
                  natSessionPrivateSrcPort,
                  natSessionPrivateDstAddr,
                  natSessionPrivateDstPort,
                  natSessionPublicAddrType,
                  natSessionPublicSrcAddr,
                  natSessionPublicSrcPort,
                  natSessionPublicDstAddr,
                  natSessionPublicDstPort,
                  natSessionMaxIdleTime,
                  natSessionCurrentIdleTime,
                  natSessionInTranslates,
                  natSessionOutTranslates,
                  natSessionRowStatus }
        STATUS  current
        DESCRIPTION
            "A collection of BIND-related objects required to support
             management of devices supporting NAT."
        ::= { natMIBGroups 2 }

    natStatsInterfaceGroup OBJECT-GROUP
        OBJECTS { natInterfaceInTranslates,
                  natInterfaceOutTranslates,
                  natInterfaceDiscards }
        STATUS  current
        DESCRIPTION
            "A collection of NAT statistics associated with the
             interface on which NAT is configured, to aid
             troubleshooting/monitoring of the NAT operation."
        ::= { natMIBGroups 3 }

    natStatsProtocolGroup OBJECT-GROUP
        OBJECTS { natProtocolInTranslates,
                  natProtocolOutTranslates,
                  natProtocolDiscards }
        STATUS  current
        DESCRIPTION
            "A collection of protocol-specific NAT statistics,
             to aid troubleshooting/monitoring of NAT operation."
        ::= { natMIBGroups 4 }

    natStatsAddrMapGroup OBJECT-GROUP
        OBJECTS { natAddrMapInTranslates,
                  natAddrMapOutTranslates,
                  natAddrMapDiscards,
                  natAddrMapAddrUsed }
        STATUS  current
        DESCRIPTION
            "A collection of address-map-specific NAT statistics,
             to aid troubleshooting/monitoring of NAT operation."
        ::= { natMIBGroups 5 }

    natMIBNotificationGroup NOTIFICATION-GROUP
        NOTIFICATIONS { natPacketDiscard }
        STATUS  current
        DESCRIPTION
            "A collection of notifications which are generated by
             devices supporting this MIB."
        ::= { natMIBGroups 6 }

    --
    -- Compliance statements
    --

    natMIBFullCompliance MODULE-COMPLIANCE
        STATUS  current
        DESCRIPTION
            "When this MIB is implemented with support for
             read-create, then such an implementation can claim
             full compliance.  Such devices can then be both
             monitored and configured with this MIB."
        MODULE  -- this module
        MANDATORY-GROUPS { natConfigGroup, natTranslationGroup,
                           natStatsInterfaceGroup }

        GROUP natStatsProtocolGroup
        DESCRIPTION
            "This group is optional."
        GROUP natStatsAddrMapGroup
        DESCRIPTION
            "This group is optional."
        GROUP natMIBNotificationGroup
        DESCRIPTION
            "This group is optional."
        GROUP natTranslationGroup
        DESCRIPTION
            "Write access to this group is not required."

        OBJECT natInterfaceRealm
        MIN-ACCESS  read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT natInterfaceRowStatus
        SYNTAX  RowStatus { active(1) }
        WRITE-SYNTAX RowStatus { createAndGo(4), destroy(6) }
        DESCRIPTION
            "Support for createAndWait and notInService is
             not required."

        OBJECT natInterfaceStorageType
        MIN-ACCESS  read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT natAddrMapLocalAddrType
        SYNTAX  InetAddressType { ipv4(1), ipv6(2) }
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses depending upon its support
             for IPv4 and IPv6."

        OBJECT natAddrMapLocalAddrFrom
        SYNTAX  InetAddress (SIZE(4|16))
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses depending upon its support
             for IPv4 and IPv6."

        OBJECT natAddrMapLocalAddrTo
        SYNTAX  InetAddress (SIZE(4|16))
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses depending upon its support
             for IPv4 and IPv6."

        OBJECT natAddrMapGlobalAddrType
        SYNTAX  InetAddressType { ipv4(1), ipv6(2) }
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses depending upon its support
             for IPv4 and IPv6."

        OBJECT natAddrMapGlobalAddrFrom
        SYNTAX  InetAddress (SIZE(4|16))
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses depending upon its support
             for IPv4 and IPv6."

        OBJECT natAddrMapGlobalAddrTo
        SYNTAX  InetAddress (SIZE(4|16))
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses depending upon its support
             for IPv4 and IPv6."

        OBJECT natAddrMapRowStatus
        SYNTAX  RowStatus { active(1) }
        WRITE-SYNTAX RowStatus { createAndGo(4), destroy(6) }
        DESCRIPTION
            "Support for createAndWait and notInService is
             not required."

        OBJECT natAddrMapStorageType
        MIN-ACCESS  read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT natAddrBindGlobalAddrType
        SYNTAX  InetAddressType { ipv4(1), ipv6(2) }
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses depending upon its support
             for IPv4 and IPv6."

        OBJECT natAddrBindGlobalAddr
        SYNTAX  InetAddress (SIZE(4|16))
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses depending upon its support
             for IPv4 and IPv6."

        OBJECT natAddrBindRowStatus
        SYNTAX  RowStatus { active(1) }
        WRITE-SYNTAX RowStatus { createAndGo(4), destroy(6) }
        DESCRIPTION
            "Support for createAndWait and notInService is
             not required."

        OBJECT natAddrPortBindGlobalAddrType
        SYNTAX  InetAddressType { ipv4(1), ipv6(2) }
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses depending upon its support
             for IPv4 and IPv6."

        OBJECT natAddrPortBindGlobalAddr
        SYNTAX  InetAddress (SIZE(4|16))
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses depending upon its support
             for IPv4 and IPv6."

        OBJECT natAddrPortBindRowStatus
        SYNTAX  RowStatus { active(1) }
        WRITE-SYNTAX RowStatus { createAndGo(4), destroy(6) }
        DESCRIPTION
            "Support for createAndWait and notInService is
             not required."

        OBJECT natSessionPrivateAddrType
        SYNTAX  InetAddressType { ipv4(1), ipv6(2) }
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses depending upon its support
             for IPv4 and IPv6."

        OBJECT natSessionPrivateSrcAddr
        SYNTAX  InetAddress (SIZE(4|16))
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses depending upon its support
             for IPv4 and IPv6."

        OBJECT natSessionPrivateDstAddr
        SYNTAX  InetAddress (SIZE(4|16))
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses depending upon its support
             for IPv4 and IPv6."

        OBJECT natSessionPublicAddrType
        SYNTAX  InetAddressType { ipv4(1), ipv6(2) }
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses depending upon its support
             for IPv4 and IPv6."

        OBJECT natSessionPublicSrcAddr
        SYNTAX  InetAddress (SIZE(4|16))
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses depending upon its support
             for IPv4 and IPv6."

        OBJECT natSessionPublicDstAddr
        SYNTAX  InetAddress (SIZE(4|16))
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses depending upon its support
             for IPv4 and IPv6."

        OBJECT natSessionRowStatus
        SYNTAX  RowStatus { active(1) }
        WRITE-SYNTAX RowStatus { createAndGo(4), destroy(6) }
        DESCRIPTION
            "Support for createAndWait and notInService is
             not required."

        ::= { natMIBCompliances 1 }

    natMIBReadOnlyCompliance MODULE-COMPLIANCE
        STATUS  current
        DESCRIPTION
            "When this MIB is implemented without support for
             read-create (i.e. in read-only mode), then such an
             implementation can claim read-only compliance.
             Such a device can then be monitored but cannot be
             configured with this MIB."

        MODULE  -- this module
        MANDATORY-GROUPS { natConfigGroup, natTranslationGroup,
                           natStatsInterfaceGroup }
        GROUP natStatsProtocolGroup
        DESCRIPTION
            "This group is optional."
        GROUP natStatsAddrMapGroup
        DESCRIPTION
            "This group is optional."
        GROUP natMIBNotificationGroup
        DESCRIPTION
            "This group is optional."

        OBJECT natInterfaceRowStatus
        SYNTAX  RowStatus { active(1) }
        MIN-ACCESS  read-only
        DESCRIPTION
            "Write access is not required, and active is the only
             status that needs to be supported."

        OBJECT natAddrMapLocalAddrType
        SYNTAX  InetAddressType { ipv4(1), ipv6(2) }
        DESCRIPTION
            "Write access is not required.  An implementation is
             required to support global IPv4 and/or IPv6 addresses
             depending upon its support for IPv4 and IPv6."

        OBJECT natAddrMapLocalAddrFrom
        SYNTAX  InetAddress (SIZE(4|16))
        DESCRIPTION
            "Write access is not required.  An implementation is
             required to support global IPv4 and/or IPv6 addresses
             depending upon its support for IPv4 and IPv6."

        OBJECT natAddrMapLocalAddrTo
        SYNTAX  InetAddress (SIZE(4|16))
        DESCRIPTION
            "Write access is not required.  An implementation is
             required to support global IPv4 and/or IPv6 addresses
             depending upon its support for IPv4 and IPv6."

        OBJECT natAddrMapGlobalAddrType
        SYNTAX  InetAddressType { ipv4(1), ipv6(2) }
        DESCRIPTION
            "Write access is not required.  An implementation is
             required to support global IPv4 and/or IPv6 addresses
             depending upon its support for IPv4 and IPv6."

        OBJECT natAddrMapGlobalAddrFrom
        SYNTAX  InetAddress (SIZE(4|16))
        DESCRIPTION
            "Write access is not required.  An implementation is
             required to support global IPv4 and/or IPv6 addresses
             depending upon its support for IPv4 and IPv6."

        OBJECT natAddrMapGlobalAddrTo
        SYNTAX  InetAddress (SIZE(4|16))
        DESCRIPTION
            "Write access is not required.  An implementation is
             required to support global IPv4 and/or IPv6 addresses
             depending upon its support for IPv4 and IPv6."

        OBJECT natAddrMapRowStatus
        SYNTAX  RowStatus { active(1) }
        MIN-ACCESS  read-only
        DESCRIPTION
            "Write access is not required, and active is the only
             status that needs to be supported."

        OBJECT natAddrBindGlobalAddrType
        SYNTAX  InetAddressType { ipv4(1), ipv6(2) }
        DESCRIPTION
            "Write access is not required.  An implementation is
             required to support global IPv4 and/or IPv6 addresses
             depending upon its support for IPv4 and IPv6."

        OBJECT natAddrBindGlobalAddr
        SYNTAX  InetAddress (SIZE(4|16))
        DESCRIPTION
            "Write access is not required.  An implementation is
             required to support global IPv4 and/or IPv6 addresses
             depending upon its support for IPv4 and IPv6."

        OBJECT natAddrBindRowStatus
        SYNTAX  RowStatus { active(1) }
        WRITE-SYNTAX RowStatus { createAndGo(4), destroy(6) }
        DESCRIPTION
            "Support for createAndWait and notInService is
             not required."

        OBJECT natAddrPortBindGlobalAddrType
        SYNTAX  InetAddressType { ipv4(1), ipv6(2) }
        DESCRIPTION
            "Write access is not required.  An implementation is
             required to support global IPv4 and/or IPv6 addresses
             depending upon its support for IPv4 and IPv6."

        OBJECT natAddrPortBindGlobalAddr
        SYNTAX  InetAddress (SIZE(4|16))
        DESCRIPTION
            "Write access is not required.  An implementation is
             required to support global IPv4 and/or IPv6 addresses
             depending upon its support for IPv4 and IPv6."

        OBJECT natAddrPortBindRowStatus
        SYNTAX  RowStatus { active(1) }
        WRITE-SYNTAX RowStatus { createAndGo(4), destroy(6) }
        DESCRIPTION
            "Support for createAndWait and notInService is
             not required."

        OBJECT natSessionPrivateAddrType
        SYNTAX  InetAddressType { ipv4(1), ipv6(2) }
        DESCRIPTION
            "Write access is not required.  An implementation is
             required to support global IPv4 and/or IPv6 addresses
             depending upon its support for IPv4 and IPv6."
        OBJECT natSessionPrivateSrcAddr
        SYNTAX  InetAddress (SIZE(4|16))
        DESCRIPTION
            "Write access is not required.  An implementation is
             required to support global IPv4 and/or IPv6 addresses
             depending upon its support for IPv4 and IPv6."

        OBJECT natSessionPrivateDstAddr
        SYNTAX  InetAddress (SIZE(4|16))
        DESCRIPTION
            "Write access is not required.  An implementation is
             required to support global IPv4 and/or IPv6 addresses
             depending upon its support for IPv4 and IPv6."

        OBJECT natSessionPublicAddrType
        SYNTAX  InetAddressType { ipv4(1), ipv6(2) }
        DESCRIPTION
            "Write access is not required.  An implementation is
             required to support global IPv4 and/or IPv6 addresses
             depending upon its support for IPv4 and IPv6."

        OBJECT natSessionPublicSrcAddr
        SYNTAX  InetAddress (SIZE(4|16))
        DESCRIPTION
            "Write access is not required.  An implementation is
             required to support global IPv4 and/or IPv6 addresses
             depending upon its support for IPv4 and IPv6."

        OBJECT natSessionPublicDstAddr
        SYNTAX  InetAddress (SIZE(4|16))
        DESCRIPTION
            "Write access is not required.  An implementation is
             required to support global IPv4 and/or IPv6 addresses
             depending upon its support for IPv4 and IPv6."

        OBJECT natSessionRowStatus
        SYNTAX  RowStatus { active(1) }
        MIN-ACCESS  read-only
        DESCRIPTION
            "Write access is not required, and active is the only
             status that needs to be supported."

        ::= { natMIBCompliances 2 }

    END

6. Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights.  Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11.

   Copies of claims of rights made available for publication and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to practice
   this standard.  Please address the information to the IETF Executive
   Director.

7. Change History

   A record of changes which will be removed before publication.

   10 September 2001

   o  Added the following objects to support notifications:
      natAddrRiseThreshold, natAddrFallingThreshold, natAddrMapName
      and natPktDiscardReason.

   o  The following notifications were added (there are still some
      unclear parameters, though): natAddressUseRising and
      natPacketDiscard.

   10 November 2001

   o  Dynamic and Static Address Map tables are merged.

   o  Protocol extensibility added.

   o  Rearrangement of OIDs done to get things in proper sequence.

   07 February 2002

   o  Config and Interface Specific tables are merged.

   o  MAX-ACCESS for the bind and session entry objects is changed to
      be read-create.

   o  natAddrMapType renamed to natAddrMapDirection.

   14 June 2002

   o  Changed the syntax of natConfServiceType to BITS and renumbered
      the enumeration to start with 0.

   o  Addressed the warning raised by smilint: all InetAddress values
      are now restricted to the size range (0..20), i.e. the valid
      InetAddress types are now ipv4, ipv6, ipv4z and ipv6z.

   o  MIN-ACCESS for natConfInterfaceRealm restricted to read-only.

   o  Changed the natConfIcmpDefIdleTimeout default value to be 300.

   o  natConfProtConfigName made a part of the optional
      natConfProtGroup.

   o  RFC 3291 is now referred to instead of RFC 2578.

   2 Nov 2002

   o  Added the Bind Origin objects.

   o  Updated the description of natSessionSecondBindId.

   o  Interface-specific statistics made mandatory.

   o  New sections 4.1, 4.2 and 4.3 added, indicating the relationship
      between tables and configuration guidelines.

   02 Sep 2003

   o  Removed the protocol extensibility.

   o  Incorporated other comments.

   21 Oct 2003

   o  Rearranged notifications.

   o  Added new TEXTUAL-CONVENTIONs.

   o  Incorporated other comments.

   27 Oct 2003

   o  Updated MODULE-IDENTITY according to the MIB guidelines.

8. Acknowledgements

   The authors of the document would like to thank Randy Turner,
   Ashwini S.T., Kevin Luehrs, Sam Sankoorikal, and Juergen Quittek
   for their valuable feedback.  The authors would like to especially
   thank Juergen Schoenwaelder for his patient and fine-combed review
   and detailed comments as a MIB doctor.  The NAT MIB is much clearer
   and flatter as a result of Juergen's suggestions.

9. Security Considerations

   This MIB can be potentially useful for configuration.  Unauthorized
   access to the writable objects could cause a denial of service
   and/or widespread network disturbance.  Hence, support for SET
   operations in a non-secure environment without proper protection
   can have a negative effect on network operations.

   At this writing, no security holes have been identified beyond those
   that SNMP Security is itself intended to address.  These relate
   primarily to controlled access to sensitive information and the
   ability to configure a device, or to what might result from operator
   error, which is beyond the scope of any security architecture.

   There are a number of managed objects in this MIB that may contain
   information that is sensitive from a business perspective, in that
   they represent NAT bind and session information.  The NAT bind and
   session objects reveal the identity of private hosts that are
   engaged in a session with external end nodes.  A curious outsider
   could monitor these objects to assess the number of private hosts
   being supported by the NAT device.  Further, a disgruntled former
   employee of an enterprise could use the NAT bind and session
   information to break into specific private hosts by intercepting
   the existing sessions or originating new sessions into the host.
   There are no objects which are sensitive in their own right, such
   as passwords or monetary amounts.  It may therefore be important to
   control even GET access to these objects, and possibly to encrypt
   the values of these objects when sending them over the network via
   SNMP.  Not all versions of SNMP provide features for such a secure
   environment.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPsec),
   there is still no control as to who on the secure network is
   allowed to access and GET/SET (read/change/create/delete) the
   objects in this MIB.

   It is recommended that implementers consider the security features
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

10. References

10.1. Normative References

   [RFC2578]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M. and S. Waldbusser, "Structure of Management
              Information Version 2 (SMIv2)", STD 58, RFC 2578, April
              1999.

   [RFC2579]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M. and S. Waldbusser, "Textual Conventions for
              SMIv2", STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M. and S. Waldbusser, "Conformance Statements for
              SMIv2", STD 58, RFC 2580, April 1999.

   [RFC3022]  Srisuresh, P. and K. Egevang, "Traditional IP Network
              Address Translator (Traditional NAT)", RFC 3022, January
              2001.

   [RFC2663]  Srisuresh, P. and M. Holdrege, "NAT Terminology and
              Considerations", RFC 2663, August 1999.

   [RFC3291]  Daniele, M., Haberman, B., Routhier, S. and J.
              Schoenwaelder, "Textual Conventions for Internet Network
              Addresses", RFC 3291, May 2002.

   [RFC792]   Postel, J., "Internet Control Message Protocol - DARPA
              Internet Program Protocol Specification", RFC 792,
              September 1981.

   [RFC3489]  Rosenberg, J., Weinberger, J., Huitema, C. and R. Mahy,
              "STUN - Simple Traversal of User Datagram Protocol (UDP)
              Through Network Address Translators (NATs)", RFC 3489,
              March 2003.

   [IF-MIB]   McCloghrie, K. and F. Kastenholz, "The Interfaces Group
              MIB using SMIv2", RFC 2863, June 2000.

   [RFC2463]  Conta, A. and S. Deering, "Internet Control Message
              Protocol (ICMPv6) for the Internet Protocol Version 6
              (IPv6) Specification", RFC 2463, December 1998.

10.2. Informative References

   [RFC3410]  Case, J., Mundy, R., Partain, D. and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410, December 2002.

11. Authors' Addresses

   R. Rohit
   Mascon Global Limited
   #59/2 100 ft Ring Road
   Banashankari II Stage
   Bangalore 560 070
   India
   Phone: +91 80 679 6227
   Email: rrohit74@hotmail.com

   Nalinaksh Pai
   Cisco Systems, Inc.
   Prestige Waterford
   No. 9, Brunton Road
   Bangalore - 560 025
   India
   Phone: +91 80 532 1300 extn. 6354
   Email: npai@cisco.com

   Rajiv Raghunarayan
   Cisco Systems Inc.
   170 West Tasman Drive
   San Jose, CA 95134
   Phone: +1 408 853 9612
   Email: raraghun@cisco.com

   Cliff Wang
   Information Security
   Bank One Corp
   1111 Polaris Pkwy
   Columbus, OH 43240
   Phone: +1 614 213 6117
   Email: cliffwang2000@yahoo.com

   P. Srisuresh
   Caymas Systems, Inc.
   1179-A North McDowell Blvd.
   Petaluma, CA 94954
   Tel: (707) 283-5063
   Email: srisuresh@yahoo.com

12. Full Copyright Statement

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph
   are included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.