Internet Engineering Task Force                                    Y. Fu
Internet-Draft                                                     CNNIC
Intended status: Standards Track                                S. Jiang
Expires: April 2, 2016                       Huawei Technologies Co., Ltd
                                                                 J. Dong
                                                                 Y. Chen
                                                     Tsinghua University
                                                      September 30, 2015

               DS-Lite Management Information Base (MIB)
                    draft-ietf-softwire-dslite-mib-11

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet
   community.
   In particular, it defines managed objects for Dual-Stack
   Lite (DS-Lite).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 2, 2016.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  The Internet-Standard Management Framework
   4.  Relationship to the IF-MIB
   5.  Difference from the IP Tunnel MIB and NATV2-MIB
   6.  Structure of the MIB Module
     6.1.  The Object Group
       6.1.1.  The dsliteTunnel Subtree
       6.1.2.  The dsliteNAT Subtree
       6.1.3.  The dsliteInfo Subtree
     6.2.  The Notification Group
       6.2.1.  The dsliteTrap Subtree
     6.3.  The Conformance Group
   7.  MIB Modules Required for IMPORTS
   8.  Definitions
   9.  Security Considerations
   10. IANA Considerations
   11. Acknowledgements
   12. References
     12.1.  Normative References
     12.2.  Informative References
   Authors' Addresses

1.  Introduction

   Dual-Stack Lite [RFC6333] is a solution that offers both IPv4 and
   IPv6 connectivity to customers across an IPv6-only infrastructure.
   One of its key components is an IPv4-over-IPv6 tunnel, which is used
   to provide IPv4 connectivity across a service provider's IPv6
   network.  The other key component is a carrier-grade IPv4-to-IPv4
   Network Address Translation (NAT) that shares service provider IPv4
   addresses among customers.

   This document defines a portion of the Management Information Base
   (MIB) for use with network management protocols in the Internet
   community.  This MIB module may be used for configuring and
   monitoring devices in a Dual-Stack Lite scenario.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   [RFC2119] when they appear in ALL CAPS.  When these words are not in
   ALL CAPS (such as "should" or "Should"), they have their usual
   English meanings and are not to be interpreted as [RFC2119] key
   words.

3.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to Section 7 of
   [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in
   [RFC2578], [RFC2579] and [RFC2580].

4.  Relationship to the IF-MIB

   The Interfaces MIB [RFC2863] defines generic managed objects for
   managing interfaces.  Each logical interface (physical or virtual)
   has an ifEntry.  Tunnels are handled by creating a logical interface
   (ifEntry) for each tunnel.  Each DS-Lite tunnel also acts as a
   virtual interface, which has a corresponding entry in the IP Tunnel
   MIB and in the Interfaces MIB.  Those corresponding entries are
   indexed by ifIndex.

   The ifOperStatus in ifTable indicates whether the DS-Lite tunnel
   function has been brought up.  Seen from the AFTR, whose tunnel
   interface this MIB manages, ifInUcastPkts in ifTable counts the IPv6
   packets received from B4s and decapsulated to IPv4 on the virtual
   interface, and ifOutUcastPkts counts the IPv4 packets that have been
   encapsulated into IPv6 packets and sent to a B4.
   Also, the IF-MIB defines ifMtu for the MTU of this tunnel interface,
   so the DS-Lite MIB does not need to define the MTU of the tunnel.

5.  Difference from the IP Tunnel MIB and NATV2-MIB

   The key technologies for DS-Lite are IP-in-IP (IPv4-in-IPv6) tunnels
   and NAT (IPv4-to-IPv4 translation).

   Note: according to Section 5.2 of [RFC6333], DS-Lite only defines
   IPv4-in-IPv6 tunnels at this time, but other types of encapsulation
   could be defined in the future.  This DS-Lite MIB therefore only
   supports IP-in-IP encapsulation; if another RFC defines other tunnel
   types in the future, this MIB will be updated accordingly.

   The NATV2-MIB [I-D.perrault-behave-natv2-mib] is designed to carry
   translations from any address family to any address family, so it
   supports IPv4-to-IPv4 translation.

   The IP Tunnel MIB [RFC4087] is designed for managing tunnels of any
   type over IPv4 and IPv6 networks, so it supports IP-in-IP tunnels.
   In a DS-Lite scenario the tunnel type is IP in IP, more precisely
   IPv4 in IPv6.  It is therefore unnecessary to define a new object to
   describe the tunnel type in the DS-Lite MIB.

   However, the NATV2-MIB and the IP Tunnel MIB together are not
   sufficient to support DS-Lite.  This document describes the features
   specific to the DS-Lite MIB, as follows.

   In the DS-Lite scenario, the Address Family Transition Router (AFTR)
   is not only the tunnel concentrator but also a 4-4 (IPv4-to-IPv4)
   translator.  As defined in [RFC6333], when IPv4 packets come back
   from the Internet to the AFTR, the AFTR reconstructs the IPv6
   encapsulation by doing a reverse lookup in the extended IPv4 NAT
   binding table.  The NAT binding table in the AFTR MUST therefore be
   extended to include the IPv6 address of the tunnel initiator (the
   B4).  The tunnel information defined in the NATV2-MIB, however, is
   kept at the address level only.
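   The following is an added example, not code from this draft or from
   any AFTR implementation.  It models the extended NAT binding table
   the paragraph above describes: two subscribers behind different B4s
   both use the private 5-tuple 192.168.1.2:40000/TCP, and only the
   B4's IPv6 address, kept as part of the binding, lets the reverse
   lookup on an inbound IPv4 packet rebuild the right IPv6
   encapsulation.  A single external address with sequential port
   allocation is an assumption made to keep the output deterministic;
   the addresses and ports are constructed sample data.

```python
"""Added example (not from the draft): an AFTR binding table extended with
the IPv6 address of the tunnel initiator (B4), as RFC 6333 requires."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv6Address
from typing import Dict, Optional, Tuple

# Keys for the two directions of lookup.
ExtKey = Tuple[int, IPv4Address, int]                 # proto, ext addr, ext port
IntKey = Tuple[int, IPv6Address, IPv4Address, int]    # proto, B4 addr, int addr, int port


@dataclass(frozen=True)
class Binding:
    proto: int
    b4_addr: IPv6Address      # tunnel initiator; the extension RFC 6333 requires
    int_addr: IPv4Address     # private IPv4 address behind the B4
    int_port: int
    ext_addr: IPv4Address     # shared public IPv4 address from the AFTR pool
    ext_port: int


class ExtendedBindingTable:
    """One external IPv4 address with a contiguous external port range
    (assumption: real AFTRs draw from natv2PoolTable-style pools)."""

    def __init__(self, ext_addr: IPv4Address, first_port: int = 1024, last_port: int = 65535):
        self.ext_addr = ext_addr
        self._next_port = first_port
        self._last_port = last_port
        self._by_ext: Dict[ExtKey, Binding] = {}
        self._by_int: Dict[IntKey, Binding] = {}

    def outbound(self, proto: int, b4: IPv6Address, src: IPv4Address, sport: int) -> Binding:
        """IPv4 packet just decapsulated from tunnel `b4`: reuse or create its mapping.
        The B4 address is part of the internal key, so identical private
        5-tuples from different B4s receive different external ports."""
        key = (proto, b4, src, sport)
        binding = self._by_int.get(key)
        if binding is None:
            if self._next_port > self._last_port:
                raise RuntimeError("external port pool exhausted")
            binding = Binding(proto, b4, src, sport, self.ext_addr, self._next_port)
            self._next_port += 1
            self._by_int[key] = binding
            self._by_ext[(proto, self.ext_addr, binding.ext_port)] = binding
        return binding

    def inbound(self, proto: int, dst: IPv4Address, dport: int) -> Optional[Binding]:
        """IPv4 packet from the Internet: reverse lookup.  None means no
        binding exists and the packet is dropped rather than guessed at."""
        return self._by_ext.get((proto, dst, dport))

    def __len__(self) -> int:
        return len(self._by_ext)


def demo() -> dict:
    """Two B4s with the same private source, both reverse lookups, and a miss."""
    tcp = 6
    table = ExtendedBindingTable(IPv4Address("192.0.2.1"))   # TEST-NET-1, documentation only
    b4_a, b4_b = IPv6Address("2001:db8::a"), IPv6Address("2001:db8::b")
    private = IPv4Address("192.168.1.2")

    out_a = table.outbound(tcp, b4_a, private, 40000)
    out_b = table.outbound(tcp, b4_b, private, 40000)
    again = table.outbound(tcp, b4_a, private, 40000)   # existing flow: same mapping

    return {
        "ext_ports": (out_a.ext_port, out_b.ext_port),
        "stable": again is out_a,
        "back_a": table.inbound(tcp, table.ext_addr, out_a.ext_port),
        "back_b": table.inbound(tcp, table.ext_addr, out_b.ext_port),
        "miss": table.inbound(tcp, table.ext_addr, 5000),   # unsolicited inbound
        "bindings": len(table),
    }
```

   Running demo() shows both bindings resolving to the same private
   address and port but to different B4 addresses, which is exactly the
   information a plain IPv4 binding table cannot provide.  Sequential
   external port allocation is used here only for deterministic output;
   a real AFTR should randomize external port selection (RFC 6056) so
   that an off-path attacker cannot predict the next mapping.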
   Because the TUNNEL-MIB defines its objects per interface, the DS-Lite
   MIB needs to define tunnel objects that extend the NAT binding entry
   per interface, for consistency with the TUNNEL-MIB.  A combined MIB
   is therefore necessary.

   Implementation of the IP Tunnel MIB is required for DS-Lite.  The
   tunnelIfEncapsMethod in the tunnelIfEntry should be set to
   dsLite("xx"), and a corresponding entry in the DS-Lite module will
   exist for every tunnelIfEntry with this tunnelIfEncapsMethod.  The
   tunnelIfRemoteInetAddress must be set to "::".

6.  Structure of the MIB Module

   The DS-Lite MIB provides a way to monitor and manage the devices
   (AFTRs) in a DS-Lite scenario through SNMP.

   The DS-Lite MIB is configurable on a per-interface basis.  It depends
   on several parts of the IF-MIB [RFC2863], the IP Tunnel MIB
   [RFC4087], and the NATV2-MIB [I-D.perrault-behave-natv2-mib].

6.1.  The Object Group

   This group defines the objects needed by the DS-Lite MIB.

6.1.1.  The dsliteTunnel Subtree

   The dsliteTunnel subtree describes managed objects used for managing
   tunnels in the DS-Lite scenario.  Because the IP Tunnel MIB does not
   provide all the objects needed here with read-write or read-only
   access, a few new objects are defined in the DS-Lite MIB.

6.1.2.  The dsliteNAT Subtree

   The dsliteNAT subtree describes managed objects used for the
   configuration as well as the monitoring of an AFTR that is capable of
   a NAT function.  Because the NATV2-MIB already supports the NAT
   management function needed in DS-Lite, it is reused in the DS-Lite
   MIB.  The dsliteNAT subtree also provides the mapping between a
   tunnel entry and a NAT entry by extending the natv2PortMapEntry of
   the NATV2-MIB with the IPv6 address of the B4.

6.1.3.  The dsliteInfo Subtree

   The dsliteInfo subtree provides statistical information for DS-Lite.

6.2.  The Notification Group

   This group defines the notification objects for DS-Lite.

6.2.1.  The dsliteTrap Subtree

   The dsliteTrap subtree provides trap information in the DS-Lite
   scenario.

6.3.  The Conformance Group

   The dsliteConformance subtree provides conformance information for
   the MIB objects.

7.  MIB Modules Required for IMPORTS

   This MIB module IMPORTs objects from [RFC2578], [RFC2579], [RFC2580],
   [RFC2863], [RFC3411], [RFC4001] and [I-D.perrault-behave-natv2-mib].

8.  Definitions

   DSLite-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, transmission,
       NOTIFICATION-TYPE, Integer32, Counter64, Unsigned32
           FROM SNMPv2-SMI

       OBJECT-GROUP, MODULE-COMPLIANCE,
       NOTIFICATION-GROUP
           FROM SNMPv2-CONF

       DisplayString
           FROM SNMPv2-TC

       SnmpAdminString
           FROM SNMP-FRAMEWORK-MIB

       ifIndex
           FROM IF-MIB

       InetAddress, InetAddressType, InetAddressPrefixLength,
       InetPortNumber
           FROM INET-ADDRESS-MIB

       ProtocolNumber, Natv2InstanceIndex, Natv2SubscriberIndex
           FROM NATV2-MIB;

   dsliteMIB MODULE-IDENTITY
       LAST-UPDATED "201509300000Z"  -- September 30, 2015
       ORGANIZATION "IETF Softwire Working Group"
       CONTACT-INFO
           "Yu Fu
            CNNIC
            No.4 South 4th Street, Zhongguancun, Hai-Dian District
            Beijing, P.R. China 100095
            EMail: fuyu@cnnic.cn

            Sheng Jiang
            Huawei Technologies Co., Ltd
            Huawei Building, 156 Beiqing Rd., Hai-Dian District
            Beijing, P.R. China 100095
            EMail: jiangsheng@huawei.com

            Jiang Dong
            Tsinghua University
            Department of Computer Science, Tsinghua University
            Beijing 100084
            P.R. China
            Email: knight.dongjiang@gmail.com

            Yuchi Chen
            Tsinghua University
            Department of Computer Science, Tsinghua University
            Beijing 100084
            P.R. China
            Email: flashfoxmx@gmail.com"
       DESCRIPTION
           "This MIB module is defined for the management of objects in
            the DS-Lite scenario.
            Copyright (C) The Internet Society (2015).
            This version of this MIB module is part of RFC yyyy; see the
            RFC itself for full legal notices."
       REVISION     "201509300000Z"
       DESCRIPTION
           "Initial version.  Published as RFC xxxx."
       -- RFC Ed.: RFC Editor, please fill in xxxx
       ::= { transmission xxx }
       -- RFC Ed.: assigned by IANA, see Section 10 for details

   -- Top-level components of this MIB module

   dsliteMIBObjects OBJECT IDENTIFIER
       ::= { dsliteMIB 1 }

   dsliteTunnel OBJECT IDENTIFIER
       ::= { dsliteMIBObjects 1 }

   dsliteNAT OBJECT IDENTIFIER
       ::= { dsliteMIBObjects 2 }

   dsliteInfo OBJECT IDENTIFIER
       ::= { dsliteMIBObjects 3 }

   -- Notifications section

   dsliteNotifications OBJECT IDENTIFIER
       ::= { dsliteMIB 0 }

   dsliteTraps OBJECT IDENTIFIER
       ::= { dsliteNotifications 1 }

   -- dsliteTunnel

   -- dsliteTunnelTable

   dsliteTunnelTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF DsliteTunnelEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The (conceptual) table containing information on
            configured tunnels.  This table can be used to map a
            B4 address to the associated AFTR address.  It can
            also be used for row creation."
       REFERENCE
           "B4, AFTR: RFC 6333."
       ::= { dsliteTunnel 1 }

   dsliteTunnelEntry OBJECT-TYPE
       SYNTAX      DsliteTunnelEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "Each entry in this table contains the information on a
            particular configured tunnel."
       INDEX { dsliteTunnelAddressType,
               dsliteTunnelStartAddress,
               dsliteTunnelEndAddress,
               ifIndex }
       ::= { dsliteTunnelTable 1 }

   DsliteTunnelEntry ::=
       SEQUENCE {
           dsliteTunnelAddressType     InetAddressType,
           dsliteTunnelStartAddress    InetAddress,
           dsliteTunnelEndAddress      InetAddress,
           dsliteTunnelStartAddPreLen  InetAddressPrefixLength
       }

   dsliteTunnelAddressType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This object MUST be set to the value ipv6(2).
            It describes the address type of the IPv4-in-IPv6
            tunnel initiator and endpoint."
       ::= { dsliteTunnelEntry 1 }

   dsliteTunnelStartAddress OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The address of the initiator (B4) of the tunnel."
       ::= { dsliteTunnelEntry 2 }

   dsliteTunnelEndAddress OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The address of the endpoint (AFTR) of the tunnel."
       ::= { dsliteTunnelEntry 3 }

   dsliteTunnelStartAddPreLen OBJECT-TYPE
       SYNTAX      InetAddressPrefixLength
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "IPv6 prefix length of the IP address of the
            start point of the tunnel."
       ::= { dsliteTunnelEntry 4 }

   -- dsliteNAT
   -- dsliteNATMapTable: the address pool defined by
   -- natv2PoolTable and natv2PoolRangeTable
   -- in draft-perrault-behave-natv2-mib is sufficient.
   -- dsliteNATBindTable (NAPT)

   dsliteNATBindTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF DsliteNATBindEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table contains information about currently
            active NAT bindings in the NAT of the AFTR.  This table
            extends the natv2PortMapTable defined in NATV2-MIB
            (draft-perrault-behave-natv2-mib) with the IPv6 address
            of the B4."
       ::= { dsliteNAT 1 }

   dsliteNATBindEntry OBJECT-TYPE
       SYNTAX      DsliteNATBindEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "Each entry in this table holds the relationship between
            tunnel information and NAT binding information.  These
            entries are lost upon agent restart."
       INDEX { dsliteNATBindMappingInstanceIndex,
               dsliteNATBindMappingProto,
               dsliteNATBindMappingExtRealm,
               dsliteNATBindMappingExtAddressType,
               dsliteNATBindMappingExtAddress,
               dsliteNATBindMappingExtPort,
               ifIndex,
               dsliteTunnelStartAddress,
               dsliteTunnelStartAddPreLen }
       ::= { dsliteNATBindTable 1 }

   DsliteNATBindEntry ::=
       SEQUENCE {
           dsliteNATBindMappingInstanceIndex    Natv2InstanceIndex,
           dsliteNATBindMappingProto            ProtocolNumber,
           dsliteNATBindMappingExtRealm         SnmpAdminString,
           dsliteNATBindMappingExtAddressType   InetAddressType,
           dsliteNATBindMappingExtAddress       InetAddress,
           dsliteNATBindMappingExtPort          InetPortNumber,
           dsliteNATBindMappingIntRealm         SnmpAdminString,
           dsliteNATBindMappingIntAddressType   InetAddressType,
           dsliteNATBindMappingIntAddress       InetAddress,
           dsliteNATBindMappingIntPort          InetPortNumber,
           dsliteNATBindMappingPool             Unsigned32,
           dsliteNATBindMappingMapBehavior      INTEGER,
           dsliteNATBindMappingFilterBehavior   INTEGER,
           dsliteNATBindMappingAddressPooling   INTEGER
       }

   dsliteNATBindMappingInstanceIndex OBJECT-TYPE
       SYNTAX      Natv2InstanceIndex
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "Index of the NAT instance that created this port map entry."
       ::= { dsliteNATBindEntry 1 }

   dsliteNATBindMappingProto OBJECT-TYPE
       SYNTAX      ProtocolNumber
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This object specifies the mapping's transport protocol
            number."
       ::= { dsliteNATBindEntry 2 }

   dsliteNATBindMappingExtRealm OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(0..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The realm to which dsliteNATBindMappingExtAddress belongs."
       ::= { dsliteNATBindEntry 3 }

   dsliteNATBindMappingExtAddressType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "Type of the mapping's external address."
       ::= { dsliteNATBindEntry 4 }

   dsliteNATBindMappingExtAddress OBJECT-TYPE
       SYNTAX      InetAddress (SIZE (4|16))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The mapping's external address.  If this is the undefined
            address, all external addresses are mapped to the internal
            address."
       ::= { dsliteNATBindEntry 5 }

   dsliteNATBindMappingExtPort OBJECT-TYPE
       SYNTAX      InetPortNumber
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The mapping's assigned external port number.  If this is
            zero, all external ports are mapped to the internal port."
       ::= { dsliteNATBindEntry 6 }

   dsliteNATBindMappingIntRealm OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The realm to which dsliteNATBindMappingIntAddress belongs."
       ::= { dsliteNATBindEntry 7 }

   dsliteNATBindMappingIntAddressType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Type of the mapping's internal address."
       ::= { dsliteNATBindEntry 8 }

   dsliteNATBindMappingIntAddress OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The mapping's internal address.  If this is the undefined
            address, addresses are not translated."
       ::= { dsliteNATBindEntry 9 }

   dsliteNATBindMappingIntPort OBJECT-TYPE
       SYNTAX      InetPortNumber
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The mapping's internal port number.
            If this is zero, ports are not translated."
       ::= { dsliteNATBindEntry 10 }

   dsliteNATBindMappingPool OBJECT-TYPE
       SYNTAX      Unsigned32 (0|1..4294967295)
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Index of the pool that contains this mapping's external
            address and port.  If zero, no pool is associated with this
            mapping."
       ::= { dsliteNATBindEntry 11 }

   dsliteNATBindMappingMapBehavior OBJECT-TYPE
       SYNTAX      INTEGER {
                       endpointIndependent(0),
                       addressDependent(1),
                       addressAndPortDependent(2)
                   }
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Mapping behavior as described in [RFC4787], Section 4.1."
       REFERENCE
           "RFC 4787, Section 4.1"
       ::= { dsliteNATBindEntry 12 }

   dsliteNATBindMappingFilterBehavior OBJECT-TYPE
       SYNTAX      INTEGER {
                       endpointIndependent(0),
                       addressDependent(1),
                       addressAndPortDependent(2)
                   }
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Filtering behavior as described in [RFC4787], Section 5."
       REFERENCE
           "RFC 4787, Section 5"
       ::= { dsliteNATBindEntry 13 }

   dsliteNATBindMappingAddressPooling OBJECT-TYPE
       SYNTAX      INTEGER {
                       arbitrary(0),
                       paired(1)
                   }
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Type of address pooling behavior that was used to create
            this mapping."
       REFERENCE
           "RFC 4787, Section 4.1"
       ::= { dsliteNATBindEntry 14 }

   -- dsliteInfo

   dsliteAFTRAlarmScalar OBJECT IDENTIFIER ::= { dsliteInfo 1 }

   dsliteAFTRAlarmB4Addr OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  accessible-for-notify
       STATUS      current
       DESCRIPTION
           "This object indicates the IP address of the
            B4 that caused the alarm."
       ::= { dsliteAFTRAlarmScalar 1 }

   dsliteAFTRAlarmProtocolType OBJECT-TYPE
       SYNTAX      DisplayString
       MAX-ACCESS  accessible-for-notify
       STATUS      current
       DESCRIPTION
           "This object indicates the protocol type of the alarm:
            0:tcp, 1:udp, 2:icmp, 3:total."
       ::= { dsliteAFTRAlarmScalar 2 }

   dsliteAFTRAlarmSpecificIP OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  accessible-for-notify
       STATUS      current
       DESCRIPTION
           "This object indicates the IP address whose port usage
            has reached the threshold."
       ::= { dsliteAFTRAlarmScalar 3 }

   dsliteAFTRAlarmConnectNumber OBJECT-TYPE
       SYNTAX      Integer32 (60..90)
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "This object indicates the threshold of the DS-Lite
            connections alarm."
       ::= { dsliteAFTRAlarmScalar 4 }

   dsliteStatisticTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF DsliteStatisticEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table provides statistical information
            on DS-Lite."
       ::= { dsliteInfo 2 }

   dsliteStatisticEntry OBJECT-TYPE
       SYNTAX      DsliteStatisticEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "Each entry provides the statistical information
            on DS-Lite for one subscriber."
       INDEX { dsliteStatisticSubscriberIdex }
       ::= { dsliteStatisticTable 1 }

   DsliteStatisticEntry ::=
       SEQUENCE {
           dsliteStatisticSubscriberIdex   Natv2SubscriberIndex,
           dsliteStatisticDiscard          Counter64,
           dsliteStatisticTransmitted      Counter64,
           dsliteStatisticIpv4Session      Counter64,
           dsliteStatisticIpv6Session      Counter64
       }

   dsliteStatisticSubscriberIdex OBJECT-TYPE
       SYNTAX      Natv2SubscriberIndex
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "Index of the subscriber or host.  A unique value,
            greater than zero, for each subscriber in the
            managed system."
       ::= { dsliteStatisticEntry 1 }

   dsliteStatisticDiscard OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This object indicates the number of packets
            discarded from this subscriber."
       ::= { dsliteStatisticEntry 2 }

   dsliteStatisticTransmitted OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This object indicates the number of packets received
            from or sent to this subscriber."
       ::= { dsliteStatisticEntry 3 }

   dsliteStatisticIpv4Session OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This object indicates the number of
            current IPv4 sessions."
       ::= { dsliteStatisticEntry 4 }

   dsliteStatisticIpv6Session OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This object indicates the number of
            current IPv6 sessions."
       ::= { dsliteStatisticEntry 5 }

   -- DS-Lite traps

   dsliteTunnelNumAlarm NOTIFICATION-TYPE
       OBJECTS { dsliteAFTRAlarmProtocolType,
                 dsliteAFTRAlarmB4Addr }
       STATUS      current
       DESCRIPTION
           "This trap is triggered when the number of
            currently connected DS-Lite tunnels exceeds the value of
            dsliteAFTRAlarmConnectNumber."
       ::= { dsliteTraps 1 }

   dsliteAFTRUserSessionNumAlarm NOTIFICATION-TYPE
       OBJECTS { dsliteAFTRAlarmProtocolType,
                 dsliteAFTRAlarmB4Addr }
       STATUS      current
       DESCRIPTION
           "This trap is triggered when the sessions of a
            user reach the threshold."
       ::= { dsliteTraps 2 }

   dsliteAFTRPortUsageOfSpecificIpAlarm NOTIFICATION-TYPE
       OBJECTS { dsliteAFTRAlarmSpecificIP }
       STATUS      current
       DESCRIPTION
           "This trap is triggered when the NAT ports in use on
            a mapped address reach the threshold."
       ::= { dsliteTraps 3 }

   -- Module conformance statement

   dsliteConformance OBJECT IDENTIFIER
       ::= { dsliteMIB 2 }

   dsliteCompliances OBJECT IDENTIFIER ::= { dsliteConformance 1 }

   dsliteGroups OBJECT IDENTIFIER ::= { dsliteConformance 2 }

   -- compliance statements

   dsliteCompliance MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
           "Describes the minimal requirements for conformance
            to the DS-Lite MIB."
       MODULE  -- this module
           MANDATORY-GROUPS { dsliteNATBindGroup,
                              dsliteTunnelGroup,
                              dsliteStatisticGroup,
                              dsliteTrapsGroup,
                              dsliteAFTRAlarmScalarGroup }
       ::= { dsliteCompliances 1 }

   dsliteNATBindGroup OBJECT-GROUP
       OBJECTS {
           dsliteNATBindMappingIntRealm,
           dsliteNATBindMappingIntAddressType,
           dsliteNATBindMappingIntAddress,
           dsliteNATBindMappingIntPort,
           dsliteNATBindMappingPool,
           dsliteNATBindMappingMapBehavior,
           dsliteNATBindMappingFilterBehavior,
           dsliteNATBindMappingAddressPooling }
       STATUS      current
       DESCRIPTION
           "The collection of objects that provide the
            information about NAT bindings."
       ::= { dsliteGroups 1 }

   dsliteTunnelGroup OBJECT-GROUP
       OBJECTS { dsliteTunnelStartAddPreLen }
       STATUS      current
       DESCRIPTION
           "The collection of objects that provide the
            information about tunnels in DS-Lite."
       ::= { dsliteGroups 2 }

   dsliteStatisticGroup OBJECT-GROUP
       OBJECTS { dsliteStatisticDiscard,
                 dsliteStatisticTransmitted,
                 dsliteStatisticIpv4Session,
                 dsliteStatisticIpv6Session }
       STATUS      current
       DESCRIPTION
           "The collection of objects that provide the
            statistical information of DS-Lite."
       ::= { dsliteGroups 3 }

   dsliteTrapsGroup NOTIFICATION-GROUP
       NOTIFICATIONS { dsliteTunnelNumAlarm,
                       dsliteAFTRUserSessionNumAlarm,
                       dsliteAFTRPortUsageOfSpecificIpAlarm }
       STATUS      current
       DESCRIPTION
           "The collection of notifications that provide the
            trap information of DS-Lite."
       ::= { dsliteGroups 4 }

   dsliteAFTRAlarmScalarGroup OBJECT-GROUP
       OBJECTS { dsliteAFTRAlarmB4Addr, dsliteAFTRAlarmProtocolType,
                 dsliteAFTRAlarmSpecificIP,
                 dsliteAFTRAlarmConnectNumber }
       STATUS      current
       DESCRIPTION
           "The collection of objects that provide the
            information about the AFTR alarm scalars."
       ::= { dsliteGroups 5 }

   END

9.  Security Considerations

   There are a number of management objects defined in this MIB module
   with a MAX-ACCESS clause of read-write and/or read-create.  Such
   objects may be considered sensitive or vulnerable in some network
   environments.  The support for SET operations in a non-secure
   environment without proper protection can have a negative effect on
   network operations.  These are the tables and objects and their
   sensitivity/vulnerability:

   Notification thresholds: An attacker setting an arbitrarily low
   threshold can cause many useless notifications to be generated.
   Setting an arbitrarily high threshold can effectively disable
   notifications, which could be used to hide another attack.

      dsliteAFTRAlarmConnectNumber

   Some of the readable objects in this MIB module (i.e., objects with a
   MAX-ACCESS other than not-accessible) may be considered sensitive or
   vulnerable in some network environments.
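   Sensitivity is not limited to the objects a GET returns: the index
   objects of dsliteNATBindEntry are not-accessible, yet their values
   form the instance identifier under which every column of the row is
   retrieved.  The following added example, not code from this draft,
   encodes and decodes that instance identifier by the SMIv2 INDEX rules
   of RFC 2578, Section 7.7, applied to the INDEX clause exactly as
   written here: an integer-valued index object is one sub-identifier;
   an OCTET STRING-valued object without a single fixed size (InetAddress
   with SIZE (4|16) or with no SIZE clause, SnmpAdminString) is its
   length followed by one sub-identifier per octet, since no IMPLIED
   keyword is used.  It also checks the 128-sub-identifier limit.  The
   row values are constructed sample data.

```python
"""Added example (not from the draft): SMIv2 instance-identifier encoding of a
dsliteNATBindEntry row, and what an observer can read back out of it."""
from ipaddress import ip_address
from typing import Dict, List, Sequence, Tuple

# (name, kind) for each INDEX object of dsliteNATBindEntry, in INDEX order.
INDEX_SPEC: Sequence[Tuple[str, str]] = (
    ("dsliteNATBindMappingInstanceIndex", "int"),     # Natv2InstanceIndex
    ("dsliteNATBindMappingProto", "int"),             # ProtocolNumber
    ("dsliteNATBindMappingExtRealm", "octets"),       # SnmpAdminString (SIZE(0..32))
    ("dsliteNATBindMappingExtAddressType", "int"),    # InetAddressType
    ("dsliteNATBindMappingExtAddress", "octets"),     # InetAddress (SIZE (4|16))
    ("dsliteNATBindMappingExtPort", "int"),           # InetPortNumber
    ("ifIndex", "int"),                               # from IF-MIB
    ("dsliteTunnelStartAddress", "octets"),           # InetAddress, the B4's IPv6 address
    ("dsliteTunnelStartAddPreLen", "int"),            # InetAddressPrefixLength
)

# A column OID is 1.3.6.1.2.1.10.<xxx>.1.2.1.<col>: transmission (7), the
# IANA-assigned dsliteMIB arc (1, whatever its value), dsliteMIBObjects(1),
# dsliteNAT(2), dsliteNATBindTable(1), dsliteNATBindEntry(1), column: 13.
COLUMN_OID_LEN = 13
MAX_OID_SUBIDS = 128          # RFC 2578, Section 3.5


def row_values(instance, proto, ext_realm, ext_addr, ext_port,
               if_index, b4_addr, b4_prefix_len) -> Dict[str, object]:
    """Turn human-readable row values into SMI values (ints and octet strings)."""
    ext, b4 = ip_address(ext_addr), ip_address(b4_addr)
    if b4.version != 6:
        raise ValueError("dsliteTunnelAddressType MUST be ipv6(2)")
    realm = ext_realm.encode("utf-8")
    if len(realm) > 32:
        raise ValueError("ExtRealm is SnmpAdminString (SIZE(0..32))")
    return {
        "dsliteNATBindMappingInstanceIndex": instance,
        "dsliteNATBindMappingProto": proto,
        "dsliteNATBindMappingExtRealm": realm,
        "dsliteNATBindMappingExtAddressType": 1 if ext.version == 4 else 2,
        "dsliteNATBindMappingExtAddress": ext.packed,
        "dsliteNATBindMappingExtPort": ext_port,
        "ifIndex": if_index,
        "dsliteTunnelStartAddress": b4.packed,
        "dsliteTunnelStartAddPreLen": b4_prefix_len,
    }


def encode_index(values: Dict[str, object]) -> List[int]:
    """RFC 2578, 7.7: integers are one sub-id; variable-length strings are
    a length sub-id followed by one sub-id per octet (no IMPLIED here)."""
    subids: List[int] = []
    for name, kind in INDEX_SPEC:
        v = values[name]
        if kind == "int":
            if not 0 <= v <= 0xFFFFFFFF:
                raise ValueError(f"{name} outside Unsigned32")
            subids.append(v)
        else:
            subids.append(len(v))
            subids.extend(v)
    return subids


def decode_index(subids: Sequence[int]) -> Dict[str, object]:
    """What anyone who sees the OID of a walked column learns about the row."""
    out: Dict[str, object] = {}
    i = 0
    for name, kind in INDEX_SPEC:
        if kind == "int":
            out[name] = subids[i]
            i += 1
        else:
            n = subids[i]
            out[name] = bytes(subids[i + 1:i + 1 + n])
            i += 1 + n
    if i != len(subids):
        raise ValueError("trailing sub-identifiers")
    out["dsliteNATBindMappingExtRealm"] = out["dsliteNATBindMappingExtRealm"].decode("utf-8")
    out["dsliteNATBindMappingExtAddress"] = str(ip_address(out["dsliteNATBindMappingExtAddress"]))
    out["dsliteTunnelStartAddress"] = str(ip_address(out["dsliteTunnelStartAddress"]))
    return out


def instance_oid_len(index_subids: Sequence[int]) -> int:
    """Length of one column's instance OID; it must not exceed MAX_OID_SUBIDS."""
    return COLUMN_OID_LEN + len(index_subids)


def demo() -> dict:
    suffix = encode_index(row_values(1, 6, "ext", "192.0.2.1", 1024, 5, "2001:db8::a", 64))
    # Worst case the SYNTAX allows: 32-octet realm and a 16-octet external address.
    worst = encode_index(row_values(1, 6, "x" * 32, "2001:db8:ffff::1", 65535, 5, "2001:db8::a", 128))
    return {"suffix": suffix, "decoded": decode_index(suffix),
            "oid_len": instance_oid_len(suffix), "worst_oid_len": instance_oid_len(worst),
            "fits": instance_oid_len(worst) <= MAX_OID_SUBIDS}
```

   decode_index() recovers the external address and port, the ifIndex
   and the B4's IPv6 address from the OID alone, so access control must
   cover the whole dsliteNATBindTable subtree, not only the read-only
   columns listed below.  Had the two InetAddress index objects carried a
   SIZE (16) clause, as their ipv6(2) address type implies, each would
   encode as 16 sub-identifiers without the length prefix; RFC 4001 asks
   that an InetAddress used in an INDEX either carry such a SIZE clause
   or have its constraint stated in the row DESCRIPTION.  Either way the
   128-sub-identifier limit is not at risk here, as the worst case shows.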
   It is thus important to control even GET and/or NOTIFY access to
   these objects and possibly to even encrypt the values of these
   objects when sending them over the network via SNMP.  These are the
   tables and objects and their sensitivity/vulnerability:

      dsliteTunnelStartAddPreLen

      dsliteNATBindMappingIntRealm

      dsliteNATBindMappingIntAddressType

      dsliteNATBindMappingIntAddress

      dsliteNATBindMappingIntPort

      dsliteNATBindMappingPool

      dsliteNATBindMappingMapBehavior

      dsliteNATBindMappingFilterBehavior

      dsliteNATBindMappingAddressPooling

      dsliteStatisticDiscard

      dsliteStatisticTransmitted

      dsliteStatisticIpv4Session

      dsliteStatisticIpv6Session

      dsliteAFTRAlarmB4Addr (accessible-for-notify)

      dsliteAFTRAlarmSpecificIP (accessible-for-notify)

   The dsliteNATBindTable columns, read together with the index values
   carried in their instance identifiers (the mapping's external
   address and port, the ifIndex, and the B4's IPv6 address), let an
   observer map a shared public IPv4 address and port back to an
   individual subscriber and to the private address and port behind its
   B4.  The dsliteStatisticTable reveals per-subscriber traffic volumes
   and session counts, and the alarm objects carry B4 and public
   addresses in notifications.  Disclosure of this information enables
   subscriber tracking and traffic correlation.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPsec),
   there is still no control as to who on the secure network is allowed
   to access and GET/SET (read/change/create/delete) the objects in
   this MIB module.

   Implementations SHOULD provide the security features described by the
   SNMPv3 framework (see [RFC3410]), and implementations claiming
   compliance to the SNMPv3 standard MUST include full support for
   authentication and privacy via the User-based Security Model (USM)
   [RFC3414] with the AES cipher algorithm [RFC3826].  Implementations
   MAY also provide support for the Transport Security Model (TSM)
   [RFC5591] in combination with a secure transport such as SSH
   [RFC5592] or TLS/DTLS [RFC6353].

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.
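   The following is an added example, not part of this draft or of any
   vendor's AFTR: a Net-SNMP snmpd.conf fragment for an agent serving
   this MIB, showing the weak community-string setting beside the
   SNMPv3 authPriv configuration with view-based access control that the
   recommendations above call for.  The user names, passphrases, view
   names and NMS host are assumptions; XXX stands for the dsliteMIB arc
   under transmission that IANA assigns (Section 10) and must be replaced
   with the assigned value.

```conf
# Added example (not from the draft): snmpd.conf for an AFTR exposing DSLite-MIB.

# Weak: SNMPv1/v2c community strings travel in cleartext.  Anyone who can
# read or guess them can walk the whole NAT binding table and reset the
# alarm threshold.  Do not configure this.
#rocommunity public
#rwcommunity private

# Recommended: SNMPv3 USM users with SHA authentication and AES privacy.
createUser aftr-monitor SHA "monitor-auth-passphrase" AES "monitor-priv-passphrase"
createUser aftr-admin   SHA "admin-auth-passphrase"   AES "admin-priv-passphrase"

# Views.  dsliteRead covers the module's objects.  dsliteWrite covers only
# the single read-write object, dsliteAFTRAlarmConnectNumber
# ({ dsliteInfo 1 4 } = dsliteMIB.1.3.1.4), so the threshold can be tuned
# without exposing anything else to SET.
view dsliteRead  included .1.3.6.1.2.1.10.XXX
view dsliteWrite included .1.3.6.1.2.1.10.XXX.1.3.1.4

# Groups and access.  The 'priv' level refuses any request that is not
# both authenticated and encrypted; the monitor gets GET and notify only,
# the admin additionally gets SET on the threshold.
group  dsliteMonitors usm aftr-monitor
group  dsliteAdmins   usm aftr-admin
access dsliteMonitors "" usm priv exact dsliteRead none        dsliteRead
access dsliteAdmins   "" usm priv exact dsliteRead dsliteWrite none

# The dsliteTraps notifications leave under SNMPv3 authPriv as well,
# never as v2c traps carrying B4 and public addresses in the clear.
trapsess -v 3 -u aftr-monitor -l authPriv -a SHA -A "monitor-auth-passphrase" \
         -x AES -X "monitor-priv-passphrase" nms.example.net
```

   With this split the operator's monitoring tooling can read the
   binding and statistics tables but cannot change the alarm threshold,
   and a compromised monitoring credential cannot be used to silence the
   notifications.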
   It is then the customer's/operator's responsibility to ensure that
   the SNMP entity giving access to an instance of this MIB module is
   properly configured to give access to the objects only to those
   principals (users) that have legitimate rights to indeed GET or SET
   (change/create/delete) them.

10.  IANA Considerations

   The MIB module in this document uses the following IANA-assigned
   OBJECT IDENTIFIER values recorded in the SMI Numbers registry, and
   the following IANA-assigned tunnelType values recorded in the
   IANAtunnelType-MIB registry:

      Descriptor        OBJECT IDENTIFIER value
      ----------        -----------------------
      DSLite-MIB        { transmission XXX }

      IANAtunnelType ::= TEXTUAL-CONVENTION
          SYNTAX INTEGER {
              dsLite ("XX")   -- DS-Lite tunnel
          }

   Note: Appendix A of the IP Tunnel MIB [RFC4087] already assigns the
   value direct(2) to indicate an IP-in-IP tunnel, but with that value
   alone it is difficult to distinguish DS-Lite tunnel packets from
   ordinary IP-in-IP tunnel packets when an AFTR terminates both a
   DS-Lite tunnel and a plain IP-in-IP tunnel.  A dedicated dsLite
   tunnel type is therefore requested.

11.  Acknowledgements

   The authors would like to thank Suresh Krishnan, Ian Farrer, Yiu
   Lee, Qi Sun, Yong Cui, David Harrington, Dave Thaler, Tassos
   Chatzithomaoglou, Tom Taylor and other members of the SOFTWIRE WG for
   their valuable comments.

   This document was produced using the xml2rfc tool [RFC2629].

12.  References

12.1.  Normative References

   [I-D.perrault-behave-natv2-mib]
              Perreault, S., Tsou, T., Sivakumar, S., and T. Taylor,
              "Definitions of Managed Objects for Network Address
              Translators (NAT)", draft-perrault-behave-natv2-mib-05
              (work in progress), June 2015.

   [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Structure of Management Information
              Version 2 (SMIv2)", STD 58, RFC 2578,
              DOI 10.17487/RFC2578, April 1999.
938 [RFC2580] McCloghrie, K., Ed., Perkins, D., Ed., and J. 939 Schoenwaelder, Ed., "Conformance Statements for SMIv2", 940 STD 58, RFC 2580, DOI 10.17487/RFC2580, April 1999, 941 . 943 [RFC2863] McCloghrie, K. and F. Kastenholz, "The Interfaces Group 944 MIB", RFC 2863, DOI 10.17487/RFC2863, June 2000, 945 . 947 [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An 948 Architecture for Describing Simple Network Management 949 Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, 950 DOI 10.17487/RFC3411, December 2002, 951 . 953 [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. 954 Schoenwaelder, "Textual Conventions for Internet Network 955 Addresses", RFC 4001, DOI 10.17487/RFC4001, February 2005, 956 . 958 [RFC4087] Thaler, D., "IP Tunnel MIB", RFC 4087, 959 DOI 10.17487/RFC4087, June 2005, 960 . 962 [RFC4787] Audet, F., Ed. and C. Jennings, "Network Address 963 Translation (NAT) Behavioral Requirements for Unicast 964 UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January 965 2007, . 967 [RFC6333] Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual- 968 Stack Lite Broadband Deployments Following IPv4 969 Exhaustion", RFC 6333, DOI 10.17487/RFC6333, August 2011, 970 . 972 12.2. Informative References 974 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 975 Requirement Levels", BCP 14, RFC 2119, 976 DOI 10.17487/RFC2119, March 1997, 977 . 979 [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. 980 Schoenwaelder, Ed., "Textual Conventions for SMIv2", 981 STD 58, RFC 2579, DOI 10.17487/RFC2579, April 1999, 982 . 984 [RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629, 985 DOI 10.17487/RFC2629, June 1999, 986 . 988 [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, 989 "Introduction and Applicability Statements for Internet- 990 Standard Management Framework", RFC 3410, 991 DOI 10.17487/RFC3410, December 2002, 992 . 994 [RFC3414] Blumenthal, U. and B. 
Wijnen, "User-based Security Model 995 (USM) for version 3 of the Simple Network Management 996 Protocol (SNMPv3)", STD 62, RFC 3414, 997 DOI 10.17487/RFC3414, December 2002, 998 . 1000 [RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie, "The 1001 Advanced Encryption Standard (AES) Cipher Algorithm in the 1002 SNMP User-based Security Model", RFC 3826, 1003 DOI 10.17487/RFC3826, June 2004, 1004 . 1006 [RFC5591] Harrington, D. and W. Hardaker, "Transport Security Model 1007 for the Simple Network Management Protocol (SNMP)", 1008 STD 78, RFC 5591, DOI 10.17487/RFC5591, June 2009, 1009 . 1011 [RFC5592] Harrington, D., Salowey, J., and W. Hardaker, "Secure 1012 Shell Transport Model for the Simple Network Management 1013 Protocol (SNMP)", RFC 5592, DOI 10.17487/RFC5592, June 1014 2009, . 1016 [RFC6353] Hardaker, W., "Transport Layer Security (TLS) Transport 1017 Model for the Simple Network Management Protocol (SNMP)", 1018 STD 78, RFC 6353, DOI 10.17487/RFC6353, July 2011, 1019 . 1021 Authors' Addresses 1023 Yu Fu 1024 CNNIC 1025 No.4 South 4th Street, Zhongguancun 1026 Hai-Dian District, Beijing, 100190 1027 P.R. China 1029 Email: fuyu@cnnic.cn 1030 Sheng Jiang 1031 Huawei Technologies Co., Ltd 1032 Q14, Huawei Campus, No.156 Beiqing Road 1033 Hai-Dian District, Beijing, 100095 1034 P.R. China 1036 Email: jiangsheng@huawei.com 1038 Jiang Dong 1039 Tsinghua University 1040 Department of Computer Science, Tsinghua University 1041 Beijing 100084 1042 P.R. China 1044 Email: knight.dongjiang@gmail.com 1046 Yuchi Chen 1047 Tsinghua University 1048 Department of Computer Science, Tsinghua University 1049 Beijing 100084 1050 P.R. China 1052 Email: flashfoxmx@gmail.com
