Internet Engineering Task Force                                    Y. Fu
Internet-Draft                                                  S. Jiang
Intended status: Standards Track             Huawei Technologies Co., Ltd
Expires: September 26, 2015                                      J. Dong
                                                                 Y. Chen
                                                     Tsinghua University
                                                          March 25, 2015

              DS-Lite Management Information Base (MIB)
                   draft-ietf-softwire-dslite-mib-09

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it defines managed objects for Dual-Stack Lite
   (DS-Lite).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 26, 2015.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  The Internet-Standard Management Framework
   4.  Relationship to the IF-MIB
   5.  Difference from the IP Tunnel MIB and NATV2-MIB
   6.  Structure of the MIB Module
     6.1.  The Object Group
       6.1.1.  The dsliteTunnel Subtree
       6.1.2.  The dsliteNAT Subtree
       6.1.3.  The dsliteInfo Subtree
     6.2.  The Notification Group
       6.2.1.  The dsliteTrap Subtree
     6.3.  The Conformance Group
   7.  MIB modules required for IMPORTS
   8.  Definitions
   9.  Security Considerations
   10. IANA Considerations
   11. Acknowledgements
   12. References
     12.1.  Normative References
     12.2.  Informative References
   Authors' Addresses

1.  Introduction

   Dual-Stack Lite [RFC6333] is a solution that offers both IPv4 and
   IPv6 connectivity to customers across an IPv6-only infrastructure.
   One of its key components is an IPv4-over-IPv6 tunnel, which is used
   to provide IPv4 connectivity across a service provider's IPv6
   network.  Another key component is a carrier-grade IPv4-to-IPv4
   Network Address Translation (NAT) that shares service provider IPv4
   addresses among customers.

   This document defines a portion of the Management Information Base
   (MIB) for use with network management protocols in the Internet
   community.  This MIB module may be used for configuring and
   monitoring devices in a Dual-Stack Lite scenario.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   [RFC2119] when they appear in ALL CAPS.  When these words are not in
   ALL CAPS (such as "should" or "Should"), they have their usual
   English meanings, and are not to be interpreted as [RFC2119] key
   words.

3.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in
   [RFC2578], [RFC2579] and [RFC2580].

4.  Relationship to the IF-MIB

   The Interfaces MIB [RFC2863] defines generic managed objects for
   managing interfaces.  Each logical interface (physical or virtual)
   has an ifEntry.  Tunnels are handled by creating a logical interface
   (ifEntry) for each tunnel.  Each DS-Lite tunnel also acts as a
   virtual interface, which has a corresponding entry in the IP Tunnel
   MIB and in the Interfaces MIB.  Those corresponding entries are
   indexed by ifIndex.

   The ifOperStatus in ifTable is used to represent whether the DS-Lite
   tunnel has been established.  The ifInUcastPkts defined in ifTable
   represents the number of IPv4 packets that have been encapsulated
   into IPv6 packets sent to a B4.  The ifOutUcastPkts defined in
   ifTable contains the number of IPv6 packets that can be decapsulated
   to IPv4 on the virtual interface.  Also, the IF-MIB defines ifMtu for
   the MTU of this tunnel interface, so the DS-Lite MIB does not need
   to define the MTU for the tunnel.

5.  Difference from the IP tunnel MIB and NATV2-MIB

   The key technologies for DS-Lite are IP-in-IP (IPv4-in-IPv6) tunnels
   and NAT (IPv4-to-IPv4 translation).

   Note: According to section 5.2 of [RFC6333], DS-Lite currently
   defines only IPv4-in-IPv6 tunnels, but other types of encapsulation
   could be defined in the future.  This DS-Lite MIB therefore supports
   only IP-in-IP encapsulation; if a future RFC defines other tunnel
   types, this DS-Lite MIB will be updated accordingly.

   The NATV2-MIB [I-D.perrault-behave-natv2-mib] is designed to carry
   translation from any address family to any address family; therefore
   it supports IPv4-to-IPv4 translation.

   The IP Tunnel MIB [RFC4087] is designed for managing tunnels of any
   type over IPv4 and IPv6 networks; therefore it supports IP-in-IP
   tunnels.  In a DS-Lite scenario, the tunnel type is IP in IP, more
   precisely IPv4 in IPv6.  Therefore, it is unnecessary to define a
   new object to describe the tunnel type in the DS-Lite MIB.

   However, the NATV2-MIB and the IP Tunnel MIB together are not
   sufficient to support DS-Lite.  This document describes the features
   specific to the DS-Lite MIB, as follows.

   In the DS-Lite scenario, the Address Family Transition Router (AFTR)
   is not only the tunnel concentrator but also a 4-4 translator.  As
   defined in [RFC6333], when IPv4 packets come back from the Internet
   to the AFTR, the AFTR knows how to reconstruct the IPv6 encapsulation
   by doing a reverse lookup in the extended IPv4 NAT binding table.
   The NAT binding table in the AFTR MUST therefore be extended to
   include the IPv6 address of the tunnel initiator.  However, the
   tunnel information defined in the NATV2-MIB is at the address level,
   whereas the TUNNEL-MIB defines its objects from the point of view of
   the interface.  The DS-Lite MIB therefore needs to define tunnel
   objects that extend the NAT binding entry by interface, for
   consistency.  A combined MIB is thus necessary.

   The implementation of the IP Tunnel MIB is required for DS-Lite.  The
   tunnelIfEncapsMethod in the tunnelIfEntry should be set to
   dsLite("xx"), and a corresponding entry in the DS-Lite module will
   exist for every tunnelIfEntry with this tunnelIfEncapsMethod.  The
   tunnelIfRemoteInetAddress must be set to "::".

6.  Structure of the MIB Module

   The DS-Lite MIB provides a way to monitor and manage the devices
   (AFTRs) in a DS-Lite scenario through SNMP.

   The DS-Lite MIB is configurable on a per-interface basis.  It depends
   on several parts of the IF-MIB [RFC2863], the IP Tunnel MIB
   [RFC4087], and the NATV2-MIB [I-D.perrault-behave-natv2-mib].

6.1.  The Object Group

   This group defines the objects that are needed for the DS-Lite MIB.

6.1.1.  The dsliteTunnel Subtree

   The dsliteTunnel subtree describes managed objects used for managing
   tunnels in the DS-Lite scenario.  Because some objects defined in the
   IP Tunnel MIB are not read-write (they are read-only), a few new
   objects are defined in the DS-Lite MIB.

6.1.2.  The dsliteNAT Subtree

   The dsliteNAT subtree describes managed objects used for the
   configuration as well as the monitoring of an AFTR that is capable
   of a NAT function.  Because the NATV2-MIB supports the NAT management
   function in DS-Lite, it is reused in the DS-Lite MIB.  The dsliteNAT
   subtree also records the mapping relationship between a tunnel entry
   and a NAT entry by extending the natv2PortMapEntry of the NATV2-MIB
   with the IPv6 address of the B4.

6.1.3.  The dsliteInfo Subtree

   The dsliteInfo subtree provides statistical information for DS-Lite.

6.2.  The Notification Group

   This group defines the notification objects for DS-Lite.

6.2.1.  The dsliteTrap Subtree

   The dsliteTrap subtree provides trap information in the DS-Lite
   scenario.

6.3.  The Conformance Group

   The dsliteConformance subtree provides conformance information for
   the MIB objects.

7.  MIB modules required for IMPORTS

   This MIB module IMPORTs objects from [RFC2578], [RFC2580], [RFC2863],
   [RFC3411], [RFC4001] and [I-D.perrault-behave-natv2-mib].

8.  Definitions

   DSLite-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, transmission,
       NOTIFICATION-TYPE, Integer32, Counter64, Unsigned32
           FROM SNMPv2-SMI

       OBJECT-GROUP, MODULE-COMPLIANCE,
       NOTIFICATION-GROUP
           FROM SNMPv2-CONF

       DisplayString
           FROM SNMPv2-TC

       SnmpAdminString
           FROM SNMP-FRAMEWORK-MIB

       ifIndex
           FROM IF-MIB

       InetAddress, InetAddressType, InetAddressPrefixLength,
       InetPortNumber
           FROM INET-ADDRESS-MIB

       ProtocolNumber, Natv2InstanceIndex, Natv2SubscriberIndex
           FROM NATV2-MIB;

   dsliteMIB MODULE-IDENTITY
       LAST-UPDATED "201503250000Z"  -- March 25, 2015
       ORGANIZATION "IETF Softwire Working Group"
       CONTACT-INFO
           "Yu Fu
            Huawei Technologies Co., Ltd
            Huawei Building, 156 Beiqing Rd., Hai-Dian District
            Beijing, P.R. China 100095
            EMail: eleven.fuyu@huawei.com

            Sheng Jiang
            Huawei Technologies Co., Ltd
            Huawei Building, 156 Beiqing Rd., Hai-Dian District
            Beijing, P.R. China 100095
            EMail: jiangsheng@huawei.com

            Jiang Dong
            Tsinghua University
            Department of Computer Science, Tsinghua University
            Beijing 100084
            P.R. China
            Email: knight.dongjiang@gmail.com

            Yuchi Chen
            Tsinghua University
            Department of Computer Science, Tsinghua University
            Beijing 100084
            P.R. China
            Email: flashfoxmx@gmail.com"
       DESCRIPTION
           "This MIB module is defined for the management of objects in
            the DS-Lite scenario.

            Copyright (C) The Internet Society (2015).  This version
            of this MIB module is part of RFC yyyy; see the RFC itself
            for full legal notices."
       REVISION "201503250000Z"
       DESCRIPTION
           "Initial version.  Published as RFC xxxx."
       -- RFC Ed.: RFC Editor, please fill in xxxx
       ::= { transmission xxx }
       -- RFC Ed.: assigned by IANA, see section 10 for details

   -- Top level components of this MIB module

   dsliteMIBObjects OBJECT IDENTIFIER
       ::= { dsliteMIB 1 }

   dsliteTunnel OBJECT IDENTIFIER
       ::= { dsliteMIBObjects 1 }

   dsliteNAT OBJECT IDENTIFIER
       ::= { dsliteMIBObjects 2 }

   dsliteInfo OBJECT IDENTIFIER
       ::= { dsliteMIBObjects 3 }

   -- Notifications section

   dsliteNotifications OBJECT IDENTIFIER
       ::= { dsliteMIB 0 }

   dsliteTraps OBJECT IDENTIFIER
       ::= { dsliteNotifications 1 }

   -- dsliteTunnel

   -- dsliteTunnelTable

   dsliteTunnelTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF DsliteTunnelEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The (conceptual) table containing information on configured
            tunnels.  This table can be used to map a B4 address to the
            associated AFTR address.  It can also be used for row
            creation."
       REFERENCE
           "B4, AFTR: RFC 6333."
       ::= { dsliteTunnel 1 }

   dsliteTunnelEntry OBJECT-TYPE
       SYNTAX      DsliteTunnelEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "Each entry in this table contains the information on a
            particular configured tunnel."
       INDEX { dsliteTunnelAddressType,
               dsliteTunnelStartAddress,
               dsliteTunnelEndAddress,
               ifIndex }
       ::= { dsliteTunnelTable 1 }

   DsliteTunnelEntry ::=
       SEQUENCE {
           dsliteTunnelAddressType      InetAddressType,
           dsliteTunnelStartAddress     InetAddress,
           dsliteTunnelEndAddress       InetAddress,
           dsliteTunnelStartAddPreLen   InetAddressPrefixLength
       }

   dsliteTunnelAddressType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This object MUST be set to the value ipv6(2).
            It describes the address type of the IPv4-in-IPv6
            tunnel initiator and endpoint."
       ::= { dsliteTunnelEntry 1 }

   dsliteTunnelStartAddress OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The address of the initiator of the tunnel."
       ::= { dsliteTunnelEntry 2 }

   dsliteTunnelEndAddress OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The address of the endpoint of the tunnel."
       ::= { dsliteTunnelEntry 3 }

   dsliteTunnelStartAddPreLen OBJECT-TYPE
       SYNTAX      InetAddressPrefixLength
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "IPv6 prefix length of the IP address of the
            start point of the tunnel."
       ::= { dsliteTunnelEntry 4 }

   -- dsliteNAT
   -- dsliteNATMapTable (the address pool defined by
   -- natv2PoolTable and natv2PoolRangeTable
   -- in draft-perrault-behave-natv2-mib is sufficient)
   -- dsliteNATBindTable (NAPT)

   dsliteNATBindTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF DsliteNATBindEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table contains information about the currently
            active NAT binds in the NAT of the AFTR.  This table
            extends the natv2PortMapTable defined in the NATV2-MIB
            (draft-perrault-behave-natv2-mib) with the IPv6 address
            of the B4."
       ::= { dsliteNAT 1 }

   dsliteNATBindEntry OBJECT-TYPE
       SYNTAX      DsliteNATBindEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "Each entry in this table holds the relationship between
            tunnel information and NAT bind information.  These
            entries are lost upon agent restart."
       INDEX { dsliteNATBindMappingInstanceIndex,
               dsliteNATBindMappingProto,
               dsliteNATBindMappingExtRealm,
               dsliteNATBindMappingExtAddressType,
               dsliteNATBindMappingExtAddress,
               dsliteNATBindMappingExtPort,
               ifIndex,
               dsliteTunnelStartAddress,
               dsliteTunnelStartAddPreLen }
       ::= { dsliteNATBindTable 1 }

   DsliteNATBindEntry ::=
       SEQUENCE {
           dsliteNATBindMappingInstanceIndex    Natv2InstanceIndex,
           dsliteNATBindMappingProto            ProtocolNumber,
           dsliteNATBindMappingExtRealm         SnmpAdminString,
           dsliteNATBindMappingExtAddressType   InetAddressType,
           dsliteNATBindMappingExtAddress       InetAddress,
           dsliteNATBindMappingExtPort          InetPortNumber,
           dsliteNATBindMappingIntRealm         SnmpAdminString,
           dsliteNATBindMappingIntAddressType   InetAddressType,
           dsliteNATBindMappingIntAddress       InetAddress,
           dsliteNATBindMappingIntPort          InetPortNumber,
           dsliteNATBindMappingPool             Unsigned32,
           dsliteNATBindMappingMapBehavior      INTEGER,
           dsliteNATBindMappingFilterBehavior   INTEGER,
           -- INTEGER matches the object's SYNTAX below; no
           -- NatPoolingType textual convention is imported.
           dsliteNATBindMappingAddressPooling   INTEGER
       }

   dsliteNATBindMappingInstanceIndex OBJECT-TYPE
       SYNTAX      Natv2InstanceIndex
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "Index of the NAT instance that created this port map
            entry."
       ::= { dsliteNATBindEntry 1 }

   dsliteNATBindMappingProto OBJECT-TYPE
       SYNTAX      ProtocolNumber
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This object specifies the mapping's transport protocol
            number."
       ::= { dsliteNATBindEntry 2 }

   dsliteNATBindMappingExtRealm OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(0..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The realm to which dsliteNATBindMappingExtAddress belongs."
       ::= { dsliteNATBindEntry 3 }

   dsliteNATBindMappingExtAddressType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "Type of the mapping's external address."
       ::= { dsliteNATBindEntry 4 }

   dsliteNATBindMappingExtAddress OBJECT-TYPE
       SYNTAX      InetAddress (SIZE (4|16))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The mapping's external address.  If this is the undefined
            address, all external addresses are mapped to the internal
            address."
       ::= { dsliteNATBindEntry 5 }

   dsliteNATBindMappingExtPort OBJECT-TYPE
       SYNTAX      InetPortNumber
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The mapping's assigned external port number.  If this is
            zero, all external ports are mapped to the internal port."
       ::= { dsliteNATBindEntry 6 }

   dsliteNATBindMappingIntRealm OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The realm to which dsliteNATBindMappingIntAddress belongs."
       ::= { dsliteNATBindEntry 7 }

   dsliteNATBindMappingIntAddressType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Type of the mapping's internal address."
       ::= { dsliteNATBindEntry 8 }

   dsliteNATBindMappingIntAddress OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The mapping's internal address.  If this is the undefined
            address, addresses are not translated."
       ::= { dsliteNATBindEntry 9 }

   dsliteNATBindMappingIntPort OBJECT-TYPE
       SYNTAX      InetPortNumber
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The mapping's internal port number.  If this is zero,
            ports are not translated."
       ::= { dsliteNATBindEntry 10 }

   dsliteNATBindMappingPool OBJECT-TYPE
       SYNTAX      Unsigned32 (0|1..4294967295)
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Index of the pool that contains this mapping's external
            address and port.  If zero, no pool is associated with
            this mapping."
       ::= { dsliteNATBindEntry 11 }

   -- SMIv2 requires the SYNTAX clause before MAX-ACCESS; the three
   -- enumerated objects below are ordered accordingly.

   dsliteNATBindMappingMapBehavior OBJECT-TYPE
       SYNTAX      INTEGER {
                       endpointIndependent (0),
                       addressDependent (1),
                       addressAndPortDependent (2)
                   }
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Mapping behavior as described in [RFC4787] section 4.1."
       REFERENCE
           "RFC 4787 section 4.1"
       ::= { dsliteNATBindEntry 12 }

   dsliteNATBindMappingFilterBehavior OBJECT-TYPE
       SYNTAX      INTEGER {
                       endpointIndependent (0),
                       addressDependent (1),
                       addressAndPortDependent (2)
                   }
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Filtering behavior as described in [RFC4787] section 5."
       REFERENCE
           "RFC 4787 section 5"
       ::= { dsliteNATBindEntry 13 }

   dsliteNATBindMappingAddressPooling OBJECT-TYPE
       SYNTAX      INTEGER {
                       arbitrary (0),
                       paired (1)
                   }
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Type of address pooling behavior that was used to create
            this mapping."
       REFERENCE
           "RFC 4787 section 4.1"
       ::= { dsliteNATBindEntry 14 }

   -- dsliteInfo

   dsliteAFTRAlarmScalar OBJECT IDENTIFIER ::= { dsliteInfo 1 }

   dsliteAFTRAlarmB4Addr OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  accessible-for-notify
       STATUS      current
       DESCRIPTION
           "This object indicates the IP address of the
            B4 that sent the alarm."
       ::= { dsliteAFTRAlarmScalar 1 }

   dsliteAFTRAlarmProtocolType OBJECT-TYPE
       SYNTAX      DisplayString
       MAX-ACCESS  accessible-for-notify
       STATUS      current
       DESCRIPTION
           "This object indicates the protocol type of the alarm:
            0:tcp, 1:udp, 2:icmp, 3:total"
       ::= { dsliteAFTRAlarmScalar 2 }

   dsliteAFTRAlarmSpecificIP OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  accessible-for-notify
       STATUS      current
       DESCRIPTION
           "This object indicates the IP address whose port usage
            has reached the threshold."
       ::= { dsliteAFTRAlarmScalar 3 }

   dsliteAFTRAlarmConnectNumber OBJECT-TYPE
       SYNTAX      Integer32 (60..90)
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "This object indicates the threshold of the DS-Lite
            connections alarm."
       ::= { dsliteAFTRAlarmScalar 4 }

   dsliteStatisticTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF DsliteStatisticEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table provides statistical information
            for DS-Lite."
       ::= { dsliteInfo 2 }

   dsliteStatisticEntry OBJECT-TYPE
       SYNTAX      DsliteStatisticEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "Each entry in this table provides the DS-Lite
            statistics of one subscriber."
       INDEX { dsliteStatisticSubscriberIdex }
       ::= { dsliteStatisticTable 1 }

   DsliteStatisticEntry ::=
       SEQUENCE {
           dsliteStatisticSubscriberIdex   Natv2SubscriberIndex,
           dsliteStatisticDiscard          Counter64,
           dsliteStatisticTransmitted      Counter64,
           dsliteStatisticIpv4Session      Counter64,
           dsliteStatisticIpv6Session      Counter64
       }

   dsliteStatisticSubscriberIdex OBJECT-TYPE
       SYNTAX      Natv2SubscriberIndex
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "Index of the subscriber or host.  A unique value,
            greater than zero, for each subscriber in the
            managed system."
       ::= { dsliteStatisticEntry 1 }

   dsliteStatisticDiscard OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This object indicates the number of packets
            discarded from this subscriber."
       ::= { dsliteStatisticEntry 2 }

   dsliteStatisticTransmitted OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This object indicates the number of packets received
            from or sent to this subscriber."
       ::= { dsliteStatisticEntry 3 }

   dsliteStatisticIpv4Session OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This object indicates the number of
            current IPv4 sessions."
       ::= { dsliteStatisticEntry 4 }

   dsliteStatisticIpv6Session OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This object indicates the number of
            current IPv6 sessions."
       ::= { dsliteStatisticEntry 5 }

   -- dslite trap

   dsliteTunnelNumAlarm NOTIFICATION-TYPE
       OBJECTS { dsliteAFTRAlarmProtocolType,
                 dsliteAFTRAlarmB4Addr }
       STATUS      current
       DESCRIPTION
           "This trap is triggered when the number of
            currently connected DS-Lite tunnels exceeds the value of
            dsliteAFTRAlarmConnectNumber."
       ::= { dsliteTraps 1 }

   dsliteAFTRUserSessionNumAlarm NOTIFICATION-TYPE
       OBJECTS { dsliteAFTRAlarmProtocolType,
                 dsliteAFTRAlarmB4Addr }
       STATUS      current
       DESCRIPTION
           "This trap is triggered when the sessions of a
            user reach the threshold."
       ::= { dsliteTraps 2 }

   dsliteAFTRPortUsageOfSpecificIpAlarm NOTIFICATION-TYPE
       OBJECTS { dsliteAFTRAlarmSpecificIP }
       STATUS      current
       DESCRIPTION
           "This trap is triggered when the used NAT
            ports of a mapped address reach the threshold."
       ::= { dsliteTraps 3 }

   -- Module Conformance statement

   dsliteConformance OBJECT IDENTIFIER
       ::= { dsliteMIB 2 }

   dsliteCompliances OBJECT IDENTIFIER ::= { dsliteConformance 1 }

   dsliteGroups OBJECT IDENTIFIER ::= { dsliteConformance 2 }

   -- compliance statements

   dsliteCompliance MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
           "Describes the minimal requirements for conformance
            to the DS-Lite MIB."
       MODULE  -- this module
       MANDATORY-GROUPS { dsliteNATBindGroup,
                          dsliteTunnelGroup,
                          dsliteStatisticGroup,
                          dsliteTrapsGroup,
                          dsliteAFTRAlarmScalarGroup }
       ::= { dsliteCompliances 1 }

   dsliteNATBindGroup OBJECT-GROUP
       OBJECTS {
           dsliteNATBindMappingIntRealm,
           dsliteNATBindMappingIntAddressType,
           dsliteNATBindMappingIntAddress,
           dsliteNATBindMappingIntPort,
           dsliteNATBindMappingPool,
           dsliteNATBindMappingMapBehavior,
           dsliteNATBindMappingFilterBehavior,
           dsliteNATBindMappingAddressPooling }
       STATUS      current
       DESCRIPTION
           "This collection of objects is used to give
            information about NAT binds."
       ::= { dsliteGroups 1 }

   dsliteTunnelGroup OBJECT-GROUP
       OBJECTS { dsliteTunnelStartAddPreLen }
       STATUS      current
       DESCRIPTION
           "This collection of objects is used to give
            information about tunnels in DS-Lite."
       ::= { dsliteGroups 2 }

   dsliteStatisticGroup OBJECT-GROUP
       OBJECTS { dsliteStatisticDiscard,
                 dsliteStatisticTransmitted,
                 dsliteStatisticIpv4Session,
                 dsliteStatisticIpv6Session }
       STATUS      current
       DESCRIPTION
           "This collection of objects is used to give
            statistical information about DS-Lite."
       ::= { dsliteGroups 3 }

   dsliteTrapsGroup NOTIFICATION-GROUP
       NOTIFICATIONS { dsliteTunnelNumAlarm,
                       dsliteAFTRUserSessionNumAlarm,
                       dsliteAFTRPortUsageOfSpecificIpAlarm }
       STATUS      current
       DESCRIPTION
           "This collection of notifications is used to give
            trap information about DS-Lite."
       ::= { dsliteGroups 4 }

   dsliteAFTRAlarmScalarGroup OBJECT-GROUP
       OBJECTS { dsliteAFTRAlarmB4Addr,
                 dsliteAFTRAlarmProtocolType,
                 dsliteAFTRAlarmSpecificIP,
                 dsliteAFTRAlarmConnectNumber }
       STATUS      current
       DESCRIPTION
           "This collection of objects is used to give
            information about the AFTR alarm scalars."
       ::= { dsliteGroups 5 }

   END

9.  Security Considerations

   There are a number of management objects defined in this MIB module
   with a MAX-ACCESS clause of read-write and/or read-create.  Such
   objects may be considered sensitive or vulnerable in some network
   environments.  The support for SET operations in a non-secure
   environment without proper protection can have a negative effect on
   network operations.  These are the tables and objects and their
   sensitivity/vulnerability:

   Notification thresholds: An attacker setting an arbitrarily low
   threshold can cause many useless notifications to be generated.
   Setting an arbitrarily high threshold can effectively disable
   notifications, which could be used to hide another attack.

      dsliteAFTRAlarmConnectNumber

   Some of the readable objects in this MIB module (i.e., objects with a
   MAX-ACCESS other than not-accessible) may be considered sensitive or
   vulnerable in some network environments.  It is thus important to
   control even GET and/or NOTIFY access to these objects and possibly
   to even encrypt the values of these objects when sending them over
   the network via SNMP.  These are the tables and objects and their
   sensitivity/vulnerability:

      dsliteTunnelStartAddPreLen

      dsliteNATBindMappingIntRealm

      dsliteNATBindMappingIntAddressType

      dsliteNATBindMappingIntAddress

      dsliteNATBindMappingIntPort

      dsliteNATBindMappingPool

      dsliteNATBindMappingMapBehavior

      dsliteNATBindMappingFilterBehavior

      dsliteNATBindMappingAddressPooling

      dsliteStatisticDiscard

      dsliteStatisticTransmitted

      dsliteStatisticIpv4Session

      dsliteStatisticIpv6Session

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPsec),
   there is still no control as to who on the secure network is allowed
   to access and GET/SET (read/change/create/delete) the objects in
   this MIB module.

   Implementations SHOULD provide the security features described by the
   SNMPv3 framework (see [RFC3410]), and implementations claiming
   compliance to the SNMPv3 standard MUST include full support for
   authentication and privacy via the User-based Security Model (USM)
   [RFC3414] with the AES cipher algorithm [RFC3826].  Implementations
   MAY also provide support for the Transport Security Model (TSM)
   [RFC5591] in combination with a secure transport such as SSH
   [RFC5592] or TLS/DTLS [RFC6353].

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

10.  IANA Considerations

   The MIB module in this document uses the following IANA-assigned
   OBJECT IDENTIFIER values recorded in the SMI Numbers registry, and
   the following IANA-assigned tunnelType values recorded in the
   IANAtunnelType-MIB registry:

      Descriptor        OBJECT IDENTIFIER value
      ----------        -----------------------
      DSLite-MIB        { transmission XXX }

      IANAtunnelType ::= TEXTUAL-CONVENTION
          SYNTAX INTEGER {
              dsLite ("XX")  -- dslite tunnel
          }

   Note: Appendix A of the IP Tunnel MIB [RFC4087] already assigns the
   value direct(2) to indicate an IP-in-IP tunnel, but with that value
   alone it is difficult to distinguish DS-Lite tunnel packets from
   ordinary IP-in-IP tunnel packets when an AFTR is connected to both a
   DS-Lite tunnel and an IP-in-IP tunnel.

11.  Acknowledgements

   The authors would like to thank Suresh Krishnan, Ian Farrer, Yiu
   Lee, Qi Sun, Yong Cui, David Harrington, Dave Thaler, Tassos
   Chatzithomaoglou, Tom Taylor and other members of the SOFTWIRE WG
   for their valuable comments.

   This document was produced using the xml2rfc tool [RFC2629].

12.  References

12.1.  Normative References

   [I-D.perrault-behave-natv2-mib]
              Perreault, S., Tsou, T., Sivakumar, S., and T. Taylor,
              "Definitions of Managed Objects for Network Address
              Translators (NAT)", draft-perrault-behave-natv2-mib-02
              (work in progress), February 2015.

   [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Structure of Management Information
              Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Conformance Statements for SMIv2", STD 58, RFC 2580,
              April 1999.

   [RFC2863]  McCloghrie, K. and F. Kastenholz, "The Interfaces Group
              MIB", RFC 2863, June 2000.

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
              Schoenwaelder, "Textual Conventions for Internet Network
              Addresses", RFC 4001, February 2005.

   [RFC4087]  Thaler, D., "IP Tunnel MIB", RFC 4087, June 2005.

   [RFC4787]  Audet, F. and C. Jennings, "Network Address Translation
              (NAT) Behavioral Requirements for Unicast UDP", BCP 127,
              RFC 4787, January 2007.

   [RFC6333]  Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-
              Stack Lite Broadband Deployments Following IPv4
              Exhaustion", RFC 6333, August 2011.

12.2.  Informative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Textual Conventions for SMIv2", STD
              58, RFC 2579, April 1999.

   [RFC2629]  Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
              June 1999.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410, December 2002.

   [RFC3414]  Blumenthal, U. and B. Wijnen, "User-based Security Model
              (USM) for version 3 of the Simple Network Management
              Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.

   [RFC3826]  Blumenthal, U., Maino, F., and K. McCloghrie, "The
              Advanced Encryption Standard (AES) Cipher Algorithm in the
              SNMP User-based Security Model", RFC 3826, June 2004.

   [RFC5591]  Harrington, D. and W. Hardaker, "Transport Security Model
              for the Simple Network Management Protocol (SNMP)", STD
              78, RFC 5591, June 2009.

   [RFC5592]  Harrington, D., Salowey, J., and W. Hardaker, "Secure
              Shell Transport Model for the Simple Network Management
              Protocol (SNMP)", RFC 5592, June 2009.

   [RFC6353]  Hardaker, W., "Transport Layer Security (TLS) Transport
              Model for the Simple Network Management Protocol (SNMP)",
              STD 78, RFC 6353, July 2011.

Authors' Addresses

   Yu Fu
   Huawei Technologies Co., Ltd
   Q14, Huawei Campus, No.156 Beiqing Road
   Hai-Dian District, Beijing, 100095
   P.R. China

   Email: eleven.fuyu@huawei.com


   Sheng Jiang
   Huawei Technologies Co., Ltd
   Q14, Huawei Campus, No.156 Beiqing Road
   Hai-Dian District, Beijing, 100095
   P.R. China

   Email: jiangsheng@huawei.com


   Jiang Dong
   Tsinghua University
   Department of Computer Science, Tsinghua University
   Beijing 100084
   P.R. China

   Email: knight.dongjiang@gmail.com


   Yuchi Chen
   Tsinghua University
   Department of Computer Science, Tsinghua University
   Beijing 100084
   P.R. China

   Email: flashfoxmx@gmail.com
