Internet Engineering Task Force                                    Y. Fu
Internet-Draft                                                     CNNIC
Intended status: Standards Track                                S. Jiang
Expires: March 27, 2016                     Huawei Technologies Co., Ltd
                                                                 J. Dong
                                                                 Y. Chen
                                                     Tsinghua University
                                                      September 24, 2015

                DS-Lite Management Information Base (MIB)
                     draft-ietf-softwire-dslite-mib-10

Abstract

This memo defines a portion of the Management Information Base (MIB)
for use with network management protocols in the Internet community.
In particular, it defines managed objects for Dual-Stack Lite
(DS-Lite).

Status of This Memo

This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute working
documents as Internet-Drafts. The list of current Internet-Drafts is
at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as "work in progress."

This Internet-Draft will expire on March 27, 2016.

Copyright Notice

Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents carefully,
as they describe your rights and restrictions with respect to this
document. Code Components extracted from this document must include
Simplified BSD License text as described in Section 4.e of the Trust
Legal Provisions and are provided without warranty as described in the
Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  The Internet-Standard Management Framework
   4.  Relationship to the IF-MIB
   5.  Difference from the IP Tunnel MIB and NATV2-MIB
   6.  Structure of the MIB Module
       6.1.  The Object Group
             6.1.1.  The dsliteTunnel Subtree
             6.1.2.  The dsliteNAT Subtree
             6.1.3.  The dsliteInfo Subtree
       6.2.  The Notification Group
             6.2.1.  The dsliteTrap Subtree
       6.3.  The Conformance Group
   7.  MIB modules required for IMPORTS
   8.  Definitions
   9.  Security Considerations
   10. IANA Considerations
   11. Acknowledgements
   12. References
       12.1.  Normative References
       12.2.  Informative References
   Authors' Addresses

1. Introduction

Dual-Stack Lite [RFC6333] is a solution that offers both IPv4 and IPv6
connectivity to customers across an IPv6-only infrastructure. One of
its key components is an IPv4-over-IPv6 tunnel, which is used to
provide IPv4 connectivity across a service provider's IPv6 network.
Another key component is a carrier-grade IPv4-to-IPv4 Network Address
Translation (NAT) that shares service provider IPv4 addresses among
customers.

This document defines a portion of the Management Information Base
(MIB) for use with network management protocols in the Internet
community.
This MIB module may be used for configuring and monitoring devices in
a Dual-Stack Lite scenario.

2. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119] when they
appear in ALL CAPS. When these words are not in ALL CAPS (such as
"should" or "Should"), they have their usual English meanings, and
are not to be interpreted as [RFC2119] key words.

3. The Internet-Standard Management Framework

For a detailed overview of the documents that describe the current
Internet-Standard Management Framework, please refer to section 7 of
[RFC3410].

Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. MIB objects are generally
accessed through the Simple Network Management Protocol (SNMP).
Objects in the MIB are defined using the mechanisms defined in the
Structure of Management Information (SMI). This memo specifies a MIB
module that is compliant with SMIv2, which is described in [RFC2578],
[RFC2579] and [RFC2580].

4. Relationship to the IF-MIB

The Interfaces MIB [RFC2863] defines generic managed objects for
managing interfaces. Each logical interface (physical or virtual) has
an ifEntry. Tunnels are handled by creating a logical interface
(ifEntry) for each tunnel. Each DS-Lite tunnel also acts as a virtual
interface, which has a corresponding entry in the IP Tunnel MIB and
the Interfaces MIB. Those corresponding entries are indexed by
ifIndex.

The ifOperStatus in ifTable is used to represent whether the DS-Lite
tunnel function has been brought up. The ifInUcastPkts defined in
ifTable represents the number of IPv4 packets that have been
encapsulated into IPv6 packets sent to a B4. The ifOutUcastPkts
defined in ifTable contains the number of IPv6 packets that can be
decapsulated to IPv4 in the virtual interface. Also, the IF-MIB
defines ifMtu for the MTU of this tunnel interface, so the DS-Lite MIB
does not need to define the MTU for the tunnel.

5. Difference from the IP Tunnel MIB and NATV2-MIB

The key technologies for DS-Lite are IP-in-IP (IPv4-in-IPv6) tunnels
and NAT (IPv4-to-IPv4 translation).

Note: According to section 5.2 of [RFC6333], DS-Lite defines only
IPv4-in-IPv6 tunnels at this moment, but other types of encapsulation
could be defined in the future. This DS-Lite MIB therefore supports
only IP-in-IP encapsulation; if another RFC defines other tunnel types
in the future, this DS-Lite MIB will be updated accordingly.

The NATV2-MIB [I-D.perrault-behave-natv2-mib] is designed to carry
translation from any address family to any address family, therefore
it supports IPv4-to-IPv4 translation.

The IP Tunnel MIB [RFC4087] is designed for managing tunnels of any
type over IPv4 and IPv6 networks, therefore it supports IP-in-IP
tunnels. In a DS-Lite scenario, the tunnel type is IP-in-IP, more
precisely IPv4-in-IPv6. Therefore, it is unnecessary to define a new
object to describe the tunnel type in the DS-Lite MIB.

However, the NATV2-MIB and the IP Tunnel MIB together are not
sufficient to support DS-Lite. This document describes the specific
features of the DS-Lite MIB, as follows.

In the DS-Lite scenario, the Address Family Transition Router (AFTR)
is not only the tunnel concentrator but also an IPv4-to-IPv4
translator. As defined in [RFC6333], when IPv4 packets come back from
the Internet to the AFTR, the AFTR knows how to reconstruct the IPv6
encapsulation by doing a reverse lookup in the extended IPv4 NAT
binding table. So the NAT binding table in the AFTR MUST be extended
to include the IPv6 address of the tunnel initiator.
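
As an added illustration (not part of the draft) of the extended binding
table this section requires, the Python model below is keyed the way
dsliteNATBindEntry is indexed, performs the reverse lookup the AFTR does on
an IPv4 packet returning from the Internet, and encodes a row's instance
identifier with the RFC 2578 index rules. The addresses, realm name and
ifIndex values are constructed from documentation ranges.

```python
"""Model of the AFTR's extended NAT binding table (added example, not
from the draft). Two B4s reuse the same private IPv4 address behind
their tunnels; only the B4's IPv6 address stored in the binding lets
the AFTR rebuild the encapsulation for packets returning from the
Internet."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPV4, IPV6 = 1, 2  # InetAddressType enumeration values (RFC 4001)


@dataclass(frozen=True)
class Binding:
    """One conceptual row of dsliteNATBindTable (index columns first)."""
    instance: int        # dsliteNATBindMappingInstanceIndex
    proto: int           # dsliteNATBindMappingProto (6 = TCP, 17 = UDP)
    ext_realm: str       # dsliteNATBindMappingExtRealm
    ext_addr: str        # dsliteNATBindMappingExtAddress (Internet side)
    ext_port: int        # dsliteNATBindMappingExtPort
    if_index: int        # ifIndex of the DS-Lite tunnel interface
    b4_addr: str         # dsliteTunnelStartAddress: IPv6 address of the B4
    b4_prefix_len: int   # dsliteTunnelStartAddPreLen
    int_addr: str        # dsliteNATBindMappingIntAddress (behind the B4)
    int_port: int        # dsliteNATBindMappingIntPort


def _var_len(octets: bytes) -> List[int]:
    """RFC 2578 section 7.7: a variable-length index object is encoded
    as its length followed by one sub-identifier per octet."""
    return [len(octets)] + list(octets)


def instance_oid(b: Binding) -> str:
    """Instance-identifier suffix of any dsliteNATBindEntry column, in
    the order of the INDEX clause. Fixed-size integers take one
    sub-identifier; InetAddress (SIZE (4|16)) and SnmpAdminString are
    variable length and are therefore length-prefixed."""
    sub_ids: List[int] = [b.instance, b.proto]
    sub_ids += _var_len(b.ext_realm.encode("utf-8"))
    sub_ids += [IPV4]
    sub_ids += _var_len(ipaddress.IPv4Address(b.ext_addr).packed)
    sub_ids += [b.ext_port, b.if_index]
    sub_ids += _var_len(ipaddress.IPv6Address(b.b4_addr).packed)
    sub_ids += [b.b4_prefix_len]
    return ".".join(str(s) for s in sub_ids)


class ExtendedNatTable:
    """NAT binding table extended with the tunnel initiator, as section 5
    requires; the external tuple is the key for the reverse lookup."""

    def __init__(self) -> None:
        self._by_ext: Dict[Tuple[int, str, str, int], Binding] = {}

    def add(self, b: Binding) -> None:
        key = (b.proto, b.ext_realm, b.ext_addr, b.ext_port)
        if key in self._by_ext:
            raise ValueError(f"external tuple {key} already bound")
        self._by_ext[key] = b

    def reverse_lookup(self, proto: int, ext_realm: str,
                       dst_addr: str, dst_port: int) -> Optional[dict]:
        """For an IPv4 packet arriving from the Internet, return what the
        AFTR needs to translate it back and re-encapsulate it towards
        the right B4, or None when no binding exists (the packet is
        dropped and would be counted in dsliteStatisticDiscard)."""
        b = self._by_ext.get((proto, ext_realm, dst_addr, dst_port))
        if b is None:
            return None
        return {"ifIndex": b.if_index, "b4": b.b4_addr,
                "int_addr": b.int_addr, "int_port": b.int_port}


def build_sample_table() -> ExtendedNatTable:
    """Constructed sample: two subscribers both using 192.168.1.2:4321
    behind different B4s, sharing the AFTR's external address 192.0.2.1."""
    table = ExtendedNatTable()
    table.add(Binding(1, 6, "internet", "192.0.2.1", 40000, 10,
                      "2001:db8::1", 64, "192.168.1.2", 4321))
    table.add(Binding(1, 6, "internet", "192.0.2.1", 40001, 10,
                      "2001:db8::2", 64, "192.168.1.2", 4321))
    return table
```

Without the B4 address in the row, the two bindings above would be
indistinguishable on their internal side, which is why the draft makes the
extension mandatory.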

However, the tunnel information defined in the NATV2-MIB is at the
address level, whereas the IP Tunnel MIB defines its objects from the
point of view of an interface. The DS-Lite MIB therefore needs to
define tunnel objects that extend the NAT binding entry per interface,
so that the two agree. A combined MIB is therefore necessary.

The implementation of the IP Tunnel MIB is required for DS-Lite. The
tunnelIfEncapsMethod in the tunnelIfEntry should be set to
dsLite("xx"), and a corresponding entry in the DS-Lite module will
exist for every tunnelIfEntry with this tunnelIfEncapsMethod. The
tunnelIfRemoteInetAddress must be set to "::".

6. Structure of the MIB Module

The DS-Lite MIB provides a way to monitor and manage the devices
(AFTRs) in a DS-Lite scenario through SNMP.

The DS-Lite MIB is configurable on a per-interface basis. It depends
on several parts of the IF-MIB [RFC2863], the IP Tunnel MIB [RFC4087],
and the NATV2-MIB [I-D.perrault-behave-natv2-mib].

6.1. The Object Group

This group defines the objects that are needed for the DS-Lite MIB.

6.1.1. The dsliteTunnel Subtree

The dsliteTunnel subtree describes managed objects used for managing
tunnels in the DS-Lite scenario. Because some objects defined in the
IP Tunnel MIB are neither read-write nor read-only, a few new objects
are defined in the DS-Lite MIB.

6.1.2. The dsliteNAT Subtree

The dsliteNAT subtree describes managed objects used for configuring
as well as monitoring an AFTR that provides the NAT function. Because
the NATV2-MIB supports the NAT management function in DS-Lite, it is
reused in the DS-Lite MIB. The dsliteNAT subtree also provides the
mapping relationship between the tunnel entry and the NAT entry by
extending the natv2PortMapEntry of the NATV2-MIB with the IPv6 address
of the B4.

6.1.3. The dsliteInfo Subtree

The dsliteInfo subtree provides statistical information for DS-Lite.

6.2. The Notification Group

This group defines some notification objects for DS-Lite.

6.2.1. The dsliteTrap Subtree

The dsliteTrap subtree provides trap information in the DS-Lite
scenario.

6.3. The Conformance Group

The dsliteConformance subtree provides conformance information for
the MIB objects.

7. MIB modules required for IMPORTS

This MIB module IMPORTs objects from [RFC2578], [RFC2580], [RFC2863],
[RFC3411], [RFC4001] and [I-D.perrault-behave-natv2-mib].

8. Definitions

   DSLite-MIB DEFINITIONS ::= BEGIN

   IMPORTS
      MODULE-IDENTITY, OBJECT-TYPE, transmission,
      NOTIFICATION-TYPE, Integer32, Counter64, Unsigned32
         FROM SNMPv2-SMI

      OBJECT-GROUP, MODULE-COMPLIANCE, NOTIFICATION-GROUP
         FROM SNMPv2-CONF

      DisplayString
         FROM SNMPv2-TC

      SnmpAdminString
         FROM SNMP-FRAMEWORK-MIB

      ifIndex
         FROM IF-MIB

      InetAddress, InetAddressType, InetAddressPrefixLength,
      InetPortNumber
         FROM INET-ADDRESS-MIB

      ProtocolNumber, Natv2InstanceIndex, Natv2SubscriberIndex
         FROM NATV2-MIB;

   dsliteMIB MODULE-IDENTITY
      LAST-UPDATED "201509250000Z" -- September 25, 2015
      ORGANIZATION "IETF Softwire Working Group"
      CONTACT-INFO
         "Yu Fu
          CNNIC
          No.4 South 4th Street, Zhongguancun, Hai-Dian District
          Beijing, P.R. China 100095
          EMail: fuyu@cnnic.cn

          Sheng Jiang
          Huawei Technologies Co., Ltd
          Huawei Building, 156 Beiqing Rd., Hai-Dian District
          Beijing, P.R. China 100095
          EMail: jiangsheng@huawei.com

          Jiang Dong
          Tsinghua University
          Department of Computer Science, Tsinghua University
          Beijing 100084
          P.R. China
          Email: knight.dongjiang@gmail.com

          Yuchi Chen
          Tsinghua University
          Department of Computer Science, Tsinghua University
          Beijing 100084
          P.R. China
          Email: flashfoxmx@gmail.com"
      DESCRIPTION
         "The MIB module is defined for the management of objects in
          the DS-Lite scenario.
          Copyright (C) The Internet Society (2015). This version
          of this MIB module is part of RFC yyyy; see the RFC itself
          for full legal notices."
      REVISION "201509250000Z"
      DESCRIPTION
         "Initial version. Published as RFC xxxx."
      -- RFC Ed.: please replace xxxx with the assigned RFC number
      ::= { transmission xxx }
      -- RFC Ed.: assigned by IANA, see section 10 for details

   -- Top-level components of this MIB module

   dsliteMIBObjects OBJECT IDENTIFIER ::= { dsliteMIB 1 }

   dsliteTunnel OBJECT IDENTIFIER ::= { dsliteMIBObjects 1 }

   dsliteNAT OBJECT IDENTIFIER ::= { dsliteMIBObjects 2 }

   dsliteInfo OBJECT IDENTIFIER ::= { dsliteMIBObjects 3 }

   -- Notifications section

   dsliteNotifications OBJECT IDENTIFIER ::= { dsliteMIB 0 }

   dsliteTraps OBJECT IDENTIFIER ::= { dsliteNotifications 1 }

   -- dsliteTunnel

   -- dsliteTunnelTable

   dsliteTunnelTable OBJECT-TYPE
      SYNTAX SEQUENCE OF DsliteTunnelEntry
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
         "The (conceptual) table containing information on
          configured tunnels. This table can be used to map a
          B4 address to the associated AFTR address. It can
          also be used for row creation."
      REFERENCE
         "B4, AFTR: RFC 6333."
      ::= { dsliteTunnel 1 }

   dsliteTunnelEntry OBJECT-TYPE
      SYNTAX DsliteTunnelEntry
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
         "Each entry in this table contains the information on a
          particular configured tunnel."
      INDEX { dsliteTunnelAddressType,
              dsliteTunnelStartAddress,
              dsliteTunnelEndAddress,
              ifIndex }
      ::= { dsliteTunnelTable 1 }

   DsliteTunnelEntry ::=
      SEQUENCE {
         dsliteTunnelAddressType    InetAddressType,
         dsliteTunnelStartAddress   InetAddress,
         dsliteTunnelEndAddress     InetAddress,
         dsliteTunnelStartAddPreLen InetAddressPrefixLength
      }

   dsliteTunnelAddressType OBJECT-TYPE
      SYNTAX InetAddressType
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
         "This object MUST be set to the value ipv6(2).
          It describes the address type of the IPv4-in-IPv6
          tunnel initiator and endpoint."
      ::= { dsliteTunnelEntry 1 }

   dsliteTunnelStartAddress OBJECT-TYPE
      SYNTAX InetAddress
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
         "The address of the initiator of the tunnel."
      ::= { dsliteTunnelEntry 2 }

   dsliteTunnelEndAddress OBJECT-TYPE
      SYNTAX InetAddress
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
         "The address of the endpoint of the tunnel."
      ::= { dsliteTunnelEntry 3 }

   dsliteTunnelStartAddPreLen OBJECT-TYPE
      SYNTAX InetAddressPrefixLength
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "IPv6 prefix length of the IP address of the
          start point of the tunnel."
      ::= { dsliteTunnelEntry 4 }

   -- dsliteNAT
   -- dsliteNATMapTable: the address pools defined by
   -- natv2PoolTable and natv2PoolRangeTable in
   -- draft-perrault-behave-natv2-mib are sufficient, so no
   -- separate mapping table is defined here.
   -- dsliteNATBindTable (NAPT)

   dsliteNATBindTable OBJECT-TYPE
      SYNTAX SEQUENCE OF DsliteNATBindEntry
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
         "This table contains information about currently
          active NAT bindings in the NAT of the AFTR. This table
          extends the natv2PortMapTable defined in the NATV2-MIB
          (draft-perrault-behave-natv2-mib) with the IPv6 address
          of the B4."
      ::= { dsliteNAT 1 }

   dsliteNATBindEntry OBJECT-TYPE
      SYNTAX DsliteNATBindEntry
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
         "Each entry in this table holds the relationship between
          tunnel information and NAT binding information. These
          entries are lost upon agent restart."
      INDEX { dsliteNATBindMappingInstanceIndex,
              dsliteNATBindMappingProto,
              dsliteNATBindMappingExtRealm,
              dsliteNATBindMappingExtAddressType,
              dsliteNATBindMappingExtAddress,
              dsliteNATBindMappingExtPort,
              ifIndex,
              dsliteTunnelStartAddress,
              dsliteTunnelStartAddPreLen }
      ::= { dsliteNATBindTable 1 }

   DsliteNATBindEntry ::=
      SEQUENCE {
         dsliteNATBindMappingInstanceIndex  Natv2InstanceIndex,
         dsliteNATBindMappingProto          ProtocolNumber,
         dsliteNATBindMappingExtRealm       SnmpAdminString,
         dsliteNATBindMappingExtAddressType InetAddressType,
         dsliteNATBindMappingExtAddress     InetAddress,
         dsliteNATBindMappingExtPort        InetPortNumber,
         dsliteNATBindMappingIntRealm       SnmpAdminString,
         dsliteNATBindMappingIntAddressType InetAddressType,
         dsliteNATBindMappingIntAddress     InetAddress,
         dsliteNATBindMappingIntPort        InetPortNumber,
         dsliteNATBindMappingPool           Unsigned32,
         dsliteNATBindMappingMapBehavior    INTEGER,
         dsliteNATBindMappingFilterBehavior INTEGER,
         dsliteNATBindMappingAddressPooling INTEGER
      }

   dsliteNATBindMappingInstanceIndex OBJECT-TYPE
      SYNTAX Natv2InstanceIndex
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
         "Index of the NAT instance that created this port map entry."
      ::= { dsliteNATBindEntry 1 }

   dsliteNATBindMappingProto OBJECT-TYPE
      SYNTAX ProtocolNumber
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
         "This object specifies the mapping's transport protocol
          number."
      ::= { dsliteNATBindEntry 2 }

   dsliteNATBindMappingExtRealm OBJECT-TYPE
      SYNTAX SnmpAdminString (SIZE(0..32))
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
         "The realm to which dsliteNATBindMappingExtAddress belongs."
      ::= { dsliteNATBindEntry 3 }

   dsliteNATBindMappingExtAddressType OBJECT-TYPE
      SYNTAX InetAddressType
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
         "Type of the mapping's external address."
      ::= { dsliteNATBindEntry 4 }

   dsliteNATBindMappingExtAddress OBJECT-TYPE
      SYNTAX InetAddress (SIZE (4|16))
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
         "The mapping's external address. If this is the undefined
          address, all external addresses are mapped to the internal
          address."
      ::= { dsliteNATBindEntry 5 }

   dsliteNATBindMappingExtPort OBJECT-TYPE
      SYNTAX InetPortNumber
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
         "The mapping's assigned external port number. If this is
          zero, all external ports are mapped to the internal port."
      ::= { dsliteNATBindEntry 6 }

   dsliteNATBindMappingIntRealm OBJECT-TYPE
      SYNTAX SnmpAdminString
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The realm to which dsliteNATBindMappingIntAddress belongs."
      ::= { dsliteNATBindEntry 7 }

   dsliteNATBindMappingIntAddressType OBJECT-TYPE
      SYNTAX InetAddressType
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "Type of the mapping's internal address."
      ::= { dsliteNATBindEntry 8 }

   dsliteNATBindMappingIntAddress OBJECT-TYPE
      SYNTAX InetAddress
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The mapping's internal address. If this is the undefined
          address, addresses are not translated."
      ::= { dsliteNATBindEntry 9 }

   dsliteNATBindMappingIntPort OBJECT-TYPE
      SYNTAX InetPortNumber
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The mapping's internal port number. If this is zero, ports
          are not translated."
      ::= { dsliteNATBindEntry 10 }

   dsliteNATBindMappingPool OBJECT-TYPE
      SYNTAX Unsigned32 (0|1..4294967295)
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "Index of the pool that contains this mapping's external
          address and port. If zero, no pool is associated with this
          mapping."
      ::= { dsliteNATBindEntry 11 }

   dsliteNATBindMappingMapBehavior OBJECT-TYPE
      SYNTAX INTEGER {
         endpointIndependent (0),
         addressDependent (1),
         addressAndPortDependent (2)
      }
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "Mapping behavior as described in [RFC4787] section 4.1."
      REFERENCE
         "RFC 4787 section 4.1"
      ::= { dsliteNATBindEntry 12 }

   dsliteNATBindMappingFilterBehavior OBJECT-TYPE
      SYNTAX INTEGER {
         endpointIndependent (0),
         addressDependent (1),
         addressAndPortDependent (2)
      }
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "Filtering behavior as described in [RFC4787] section 5."
      REFERENCE
         "RFC 4787 section 5"
      ::= { dsliteNATBindEntry 13 }

   dsliteNATBindMappingAddressPooling OBJECT-TYPE
      SYNTAX INTEGER {
         arbitrary (0),
         paired (1)
      }
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "Type of address pooling behavior that was used to create
          this mapping."
      REFERENCE
         "RFC 4787 section 4.1"
      ::= { dsliteNATBindEntry 14 }

   -- dsliteInfo

   dsliteAFTRAlarmScalar OBJECT IDENTIFIER ::= { dsliteInfo 1 }

   dsliteAFTRAlarmB4Addr OBJECT-TYPE
      SYNTAX InetAddress
      MAX-ACCESS accessible-for-notify
      STATUS current
      DESCRIPTION
         "This object indicates the IP address of the
          B4 that sent the alarm."
      ::= { dsliteAFTRAlarmScalar 1 }

   dsliteAFTRAlarmProtocolType OBJECT-TYPE
      SYNTAX DisplayString
      MAX-ACCESS accessible-for-notify
      STATUS current
      DESCRIPTION
         "This object indicates the protocol type of the alarm:
          0: tcp, 1: udp, 2: icmp, 3: total."
      ::= { dsliteAFTRAlarmScalar 2 }

   dsliteAFTRAlarmSpecificIP OBJECT-TYPE
      SYNTAX InetAddress
      MAX-ACCESS accessible-for-notify
      STATUS current
      DESCRIPTION
         "This object indicates the IP address whose port usage
          has reached the threshold."
      ::= { dsliteAFTRAlarmScalar 3 }

   dsliteAFTRAlarmConnectNumber OBJECT-TYPE
      SYNTAX Integer32 (60..90)
      MAX-ACCESS read-write
      STATUS current
      DESCRIPTION
         "This object indicates the threshold of the DS-Lite
          connections alarm."
      ::= { dsliteAFTRAlarmScalar 4 }

   dsliteStatisticTable OBJECT-TYPE
      SYNTAX SEQUENCE OF DsliteStatisticEntry
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
         "This table provides statistical information
          on DS-Lite."
      ::= { dsliteInfo 2 }

   dsliteStatisticEntry OBJECT-TYPE
      SYNTAX DsliteStatisticEntry
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
         "Each entry in this table provides the statistical
          information on DS-Lite for one subscriber."
      INDEX { dsliteStatisticSubscriberIdex }
      ::= { dsliteStatisticTable 1 }

   DsliteStatisticEntry ::=
      SEQUENCE {
         dsliteStatisticSubscriberIdex Natv2SubscriberIndex,
         dsliteStatisticDiscard        Counter64,
         dsliteStatisticTransmitted    Counter64,
         dsliteStatisticIpv4Session    Counter64,
         dsliteStatisticIpv6Session    Counter64
      }

   dsliteStatisticSubscriberIdex OBJECT-TYPE
      SYNTAX Natv2SubscriberIndex
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
         "Index of the subscriber or host. A unique value,
          greater than zero, for each subscriber in the
          managed system."
      ::= { dsliteStatisticEntry 1 }

   dsliteStatisticDiscard OBJECT-TYPE
      SYNTAX Counter64
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "This object indicates the number of packets
          discarded from this subscriber."
      ::= { dsliteStatisticEntry 2 }

   dsliteStatisticTransmitted OBJECT-TYPE
      SYNTAX Counter64
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "This object indicates the number of packets received
          from or sent to this subscriber."
      ::= { dsliteStatisticEntry 3 }

   dsliteStatisticIpv4Session OBJECT-TYPE
      SYNTAX Counter64
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "This object indicates the number of current
          IPv4 sessions."
      ::= { dsliteStatisticEntry 4 }

   dsliteStatisticIpv6Session OBJECT-TYPE
      SYNTAX Counter64
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "This object indicates the number of current
          IPv6 sessions."
      ::= { dsliteStatisticEntry 5 }

   -- dslite traps

   dsliteTunnelNumAlarm NOTIFICATION-TYPE
      OBJECTS { dsliteAFTRAlarmProtocolType,
                dsliteAFTRAlarmB4Addr }
      STATUS current
      DESCRIPTION
         "This trap is triggered when the number of
          currently connected DS-Lite tunnels exceeds the value of
          dsliteAFTRAlarmConnectNumber."
      ::= { dsliteTraps 1 }

   dsliteAFTRUserSessionNumAlarm NOTIFICATION-TYPE
      OBJECTS { dsliteAFTRAlarmProtocolType,
                dsliteAFTRAlarmB4Addr }
      STATUS current
      DESCRIPTION
         "This trap is triggered when the sessions of a
          user reach the threshold."
      ::= { dsliteTraps 2 }

   dsliteAFTRPortUsageOfSpecificIpAlarm NOTIFICATION-TYPE
      OBJECTS { dsliteAFTRAlarmSpecificIP }
      STATUS current
      DESCRIPTION
         "This trap is triggered when the used NAT
          ports of a mapped address reach the threshold."
      ::= { dsliteTraps 3 }

   -- Module conformance statement

   dsliteConformance OBJECT IDENTIFIER ::= { dsliteMIB 2 }

   dsliteCompliances OBJECT IDENTIFIER ::= { dsliteConformance 1 }

   dsliteGroups OBJECT IDENTIFIER ::= { dsliteConformance 2 }

   -- compliance statements

   dsliteCompliance MODULE-COMPLIANCE
      STATUS current
      DESCRIPTION
         "Describes the minimal requirements for conformance
          to the DS-Lite MIB."
      MODULE -- this module
      MANDATORY-GROUPS { dsliteNATBindGroup,
                         dsliteTunnelGroup,
                         dsliteStatisticGroup,
                         dsliteTrapsGroup,
                         dsliteAFTRAlarmScalarGroup }
      ::= { dsliteCompliances 1 }

   dsliteNATBindGroup OBJECT-GROUP
      OBJECTS {
         dsliteNATBindMappingIntRealm,
         dsliteNATBindMappingIntAddressType,
         dsliteNATBindMappingIntAddress,
         dsliteNATBindMappingIntPort,
         dsliteNATBindMappingPool,
         dsliteNATBindMappingMapBehavior,
         dsliteNATBindMappingFilterBehavior,
         dsliteNATBindMappingAddressPooling }
      STATUS current
      DESCRIPTION
         "The collection of objects used to give information
          about NAT bindings."
      ::= { dsliteGroups 1 }

   dsliteTunnelGroup OBJECT-GROUP
      OBJECTS { dsliteTunnelStartAddPreLen }
      STATUS current
      DESCRIPTION
         "The collection of objects used to give information
          about tunnels in DS-Lite."
      ::= { dsliteGroups 2 }

   dsliteStatisticGroup OBJECT-GROUP
      OBJECTS { dsliteStatisticDiscard,
                dsliteStatisticTransmitted,
                dsliteStatisticIpv4Session,
                dsliteStatisticIpv6Session }
      STATUS current
      DESCRIPTION
         "The collection of objects used to give statistical
          information about DS-Lite."
      ::= { dsliteGroups 3 }

   dsliteTrapsGroup NOTIFICATION-GROUP
      NOTIFICATIONS { dsliteTunnelNumAlarm,
                      dsliteAFTRUserSessionNumAlarm,
                      dsliteAFTRPortUsageOfSpecificIpAlarm }
      STATUS current
      DESCRIPTION
         "The collection of notifications used to give trap
          information about DS-Lite."
      ::= { dsliteGroups 4 }

   dsliteAFTRAlarmScalarGroup OBJECT-GROUP
      OBJECTS { dsliteAFTRAlarmB4Addr,
                dsliteAFTRAlarmProtocolType,
                dsliteAFTRAlarmSpecificIP,
                dsliteAFTRAlarmConnectNumber }
      STATUS current
      DESCRIPTION
         "The collection of objects used to give information
          about the AFTR alarm scalars."
      ::= { dsliteGroups 5 }

   END

9. Security Considerations

There are a number of management objects defined in this MIB module
with a MAX-ACCESS clause of read-write and/or read-create. Such
objects may be considered sensitive or vulnerable in some network
environments. The support for SET operations in a non-secure
environment without proper protection can have a negative effect on
network operations. These are the tables and objects and their
sensitivity/vulnerability:

Notification thresholds: An attacker setting an arbitrarily low
threshold can cause many useless notifications to be generated.
Setting an arbitrarily high threshold can effectively disable
notifications, which could be used to hide another attack.

   dsliteAFTRAlarmConnectNumber

Some of the readable objects in this MIB module (i.e., objects with a
MAX-ACCESS other than not-accessible) may be considered sensitive or
vulnerable in some network environments. It is thus important to
control even GET and/or NOTIFY access to these objects and possibly
to even encrypt the values of these objects when sending them over
the network via SNMP. These are the tables and objects and their
sensitivity/vulnerability:

   dsliteTunnelStartAddPreLen
   dsliteNATBindMappingIntRealm
   dsliteNATBindMappingIntAddressType
   dsliteNATBindMappingIntAddress
   dsliteNATBindMappingIntPort
   dsliteNATBindMappingPool
   dsliteNATBindMappingMapBehavior
   dsliteNATBindMappingFilterBehavior
   dsliteNATBindMappingAddressPooling
   dsliteStatisticDiscard
   dsliteStatisticTransmitted
   dsliteStatisticIpv4Session
   dsliteStatisticIpv6Session

SNMP versions prior to SNMPv3 did not include adequate security.
Even if the network itself is secure (for example by using IPsec),
there is still no control as to who on the secure network is allowed
to access and GET/SET (read/change/create/delete) the objects in this
MIB module.

Implementations SHOULD provide the security features described by the
SNMPv3 framework (see [RFC3410]), and implementations claiming
compliance to the SNMPv3 standard MUST include full support for
authentication and privacy via the User-based Security Model (USM)
[RFC3414] with the AES cipher algorithm [RFC3826]. Implementations
MAY also provide support for the Transport Security Model (TSM)
[RFC5591] in combination with a secure transport such as SSH
[RFC5592] or TLS/DTLS [RFC6353].

Further, deployment of SNMP versions prior to SNMPv3 is NOT
RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
enable cryptographic security.
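
As an added example (not from the draft) of how an agent can contain the
threshold exposure described above, the Python model below implements the
SET handling for dsliteAFTRAlarmConnectNumber and the evaluation of
dsliteTunnelNumAlarm. The authPriv requirement on SETs, the audit record
and the one-trap-per-crossing re-arm behaviour are assumptions made for
this example, not requirements of the draft.

```python
"""Agent-side handling of dsliteAFTRAlarmConnectNumber (read-write)
and the dsliteTunnelNumAlarm notification (added example, not from the
draft). Assumed behaviours beyond the draft: SETs are refused unless
they arrived with SNMPv3 authPriv, threshold changes are recorded for
audit, and the alarm re-arms only after the tunnel count drops back to
the threshold, so a low threshold cannot by itself produce a flood."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# SNMPv3 security levels, RFC 3411 terminology.
NO_AUTH_NO_PRIV, AUTH_NO_PRIV, AUTH_PRIV = "noAuthNoPriv", "authNoPriv", "authPriv"

# SYNTAX Integer32 (60..90) from the object definition: the SMI range
# already bounds how low or how high the threshold can be pushed.
CONNECT_NUMBER_MIN, CONNECT_NUMBER_MAX = 60, 90

# dsliteAFTRAlarmProtocolType value for "total" per its DESCRIPTION.
PROTOCOL_TYPE_TOTAL = "3"


class SnmpError(Exception):
    """Raised with the SNMPv2 error-status name the agent would return."""


@dataclass
class AftrAlarmScalars:
    connect_number: int = 80   # dsliteAFTRAlarmConnectNumber, constructed default
    armed: bool = True         # assumption: one trap per threshold crossing
    audit: List[Tuple[str, int, int]] = field(default_factory=list)

    def set_connect_number(self, value: object, principal: str,
                           security_level: str) -> int:
        """SET request for dsliteAFTRAlarmConnectNumber."""
        # A SET that is neither authenticated nor encrypted is exactly the
        # exposure section 9 describes; refuse it rather than trust the value.
        if security_level != AUTH_PRIV:
            raise SnmpError("noAccess")
        if not isinstance(value, int) or isinstance(value, bool):
            raise SnmpError("wrongType")
        if not CONNECT_NUMBER_MIN <= value <= CONNECT_NUMBER_MAX:
            raise SnmpError("wrongValue")
        # Record who moved the threshold and from what, so a threshold set
        # high enough to silence the alarm leaves a trace.
        self.audit.append((principal, self.connect_number, value))
        self.connect_number = value
        return value

    def tunnel_num_alarm(self, current_tunnels: int,
                         b4_addr: str) -> Optional[dict]:
        """Evaluate dsliteTunnelNumAlarm. Returns the varbinds listed in the
        notification's OBJECTS clause when the number of connected tunnels
        exceeds the threshold, or None otherwise."""
        if current_tunnels <= self.connect_number:
            self.armed = True          # back at or below threshold: re-arm
            return None
        if not self.armed:
            return None                # still above threshold, already reported
        self.armed = False
        return {"dsliteAFTRAlarmProtocolType": PROTOCOL_TYPE_TOTAL,
                "dsliteAFTRAlarmB4Addr": b4_addr}
```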
It is then a customer/operator 882 responsibility to ensure that the SNMP entity giving access to an 883 instance of this MIB module is properly configured to give access to 884 the objects only to those principals (users) that have legitimate 885 rights to indeed GET or SET (change/create/delete) them. 887 10. IANA Considerations 889 The MIB module in this document uses the following IANA-assigned 890 OBJECT IDENTIFIER values recorded in the SMI Numbers registry, and 891 the following IANA-assigned tunnelType values recorded in the 892 IANAtunnelType-MIB registry: 894 Descriptor OBJECT IDENTIFIER value 895 ---------- ----------------------- 896 DSLite-MIB { transmission XXX } 898 IANAtunnelType ::= TEXTUAL-CONVENTION 900 SYNTAX INTEGER { 902 dsLite ("XX") -- dslite tunnel 904 } 906 Notes: As Appendix A of the IP Tunnel MIB[RFC4087] described that it 907 has already assigned the value direct(2) to indicate the tunnel type 908 is IP in IP tunnel, but it is still difficult to distinguish DS-Lite 909 tunnel packets from normal IP in IP tunnel packets in the scenario of 910 the AFTR connecting to both a DS-lite tunnel and an IP in IP tunnel. 912 11. Acknowledgements 914 The authors would like to thanks the valuable comments made by Suresh 915 Krishnan, Ian Farrer, Yiu Lee, Qi Sun, Yong Cui, David Harrington, 916 Dave Thaler, Tassos Chatzithomaoglou, Tom Taylor and other members of 917 SOFTWIRE WG. 919 This document was produced using the xml2rfc tool [RFC2629]. 921 12. References 923 12.1. Normative References 925 [I-D.perrault-behave-natv2-mib] 926 Perreault, S., Tsou, T., Sivakumar, S., and T. Taylor, 927 "Definitions of Managed Objects for Network Address 928 Translators (NAT)", draft-perrault-behave-natv2-mib-05 929 (work in progress), June 2015. 931 [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. 932 Schoenwaelder, Ed., "Structure of Management Information 933 Version 2 (SMIv2)", STD 58, RFC 2578, 934 DOI 10.17487/RFC2578, April 1999, 935 . 
   [RFC2580]  McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Conformance Statements for SMIv2", STD 58, RFC 2580, DOI 10.17487/RFC2580, April 1999.

   [RFC2863]  McCloghrie, K. and F. Kastenholz, "The Interfaces Group MIB", RFC 2863, DOI 10.17487/RFC2863, June 2000.

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, DOI 10.17487/RFC3411, December 2002.

   [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J. Schoenwaelder, "Textual Conventions for Internet Network Addresses", RFC 4001, DOI 10.17487/RFC4001, February 2005.

   [RFC4087]  Thaler, D., "IP Tunnel MIB", RFC 4087, DOI 10.17487/RFC4087, June 2005.

   [RFC4787]  Audet, F., Ed. and C. Jennings, "Network Address Translation (NAT) Behavioral Requirements for Unicast UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January 2007.

   [RFC6333]  Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-Stack Lite Broadband Deployments Following IPv4 Exhaustion", RFC 6333, DOI 10.17487/RFC6333, August 2011.

12.2.  Informative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.

   [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Textual Conventions for SMIv2", STD 58, RFC 2579, DOI 10.17487/RFC2579, April 1999.

   [RFC2629]  Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629, DOI 10.17487/RFC2629, June 1999.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart, "Introduction and Applicability Statements for Internet-Standard Management Framework", RFC 3410, DOI 10.17487/RFC3410, December 2002.

   [RFC3414]  Blumenthal, U. and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", STD 62, RFC 3414, DOI 10.17487/RFC3414, December 2002.

   [RFC3826]  Blumenthal, U., Maino, F., and K. McCloghrie, "The Advanced Encryption Standard (AES) Cipher Algorithm in the SNMP User-based Security Model", RFC 3826, DOI 10.17487/RFC3826, June 2004.

   [RFC5591]  Harrington, D. and W. Hardaker, "Transport Security Model for the Simple Network Management Protocol (SNMP)", STD 78, RFC 5591, DOI 10.17487/RFC5591, June 2009.

   [RFC5592]  Harrington, D., Salowey, J., and W. Hardaker, "Secure Shell Transport Model for the Simple Network Management Protocol (SNMP)", RFC 5592, DOI 10.17487/RFC5592, June 2009.

   [RFC6353]  Hardaker, W., "Transport Layer Security (TLS) Transport Model for the Simple Network Management Protocol (SNMP)", STD 78, RFC 6353, DOI 10.17487/RFC6353, July 2011.

Authors' Addresses

   Yu Fu
   CNNIC
   No.4 South 4th Street, Zhongguancun
   Hai-Dian District, Beijing, 100190
   P.R. China

   Email: fuyu@cnnic.cn

   Sheng Jiang
   Huawei Technologies Co., Ltd
   Q14, Huawei Campus, No.156 Beiqing Road
   Hai-Dian District, Beijing, 100095
   P.R. China

   Email: jiangsheng@huawei.com

   Jiang Dong
   Tsinghua University
   Department of Computer Science, Tsinghua University
   Beijing 100084
   P.R. China

   Email: knight.dongjiang@gmail.com

   Yuchi Chen
   Tsinghua University
   Department of Computer Science, Tsinghua University
   Beijing 100084
   P.R. China

   Email: flashfoxmx@gmail.com
