Internet Engineering Task Force                                    Y. Fu
Internet-Draft                                                      CNNIC
Intended status: Standards Track                                S. Jiang
Expires: May 27, 2016                        Huawei Technologies Co., Ltd
                                                                  J. Dong
                                                                  Y. Chen
                                                     Tsinghua University
                                                       November 24, 2015

             DS-Lite Management Information Base (MIB)
                  draft-ietf-softwire-dslite-mib-12

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it defines managed objects for Dual-Stack Lite
   (DS-Lite).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 27, 2016.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1. Introduction
   2. Requirements Language
   3. The Internet-Standard Management Framework
   4. Relationship to the IF-MIB
   5. Difference from the IP tunnel MIB and NATV2-MIB
   6. Structure of the MIB Module
      6.1. The Object Group
           6.1.1. The dsliteTunnel Subtree
           6.1.2. The dsliteNAT Subtree
           6.1.3. The dsliteInfo Subtree
      6.2. The Notification Group
           6.2.1. The dsliteTrap Subtree
      6.3. The Conformance Group
   7. MIB modules required for IMPORTS
   8. Definitions
   9. Security Considerations
   10. IANA Considerations
   11. Acknowledgements
   12. References
      12.1. Normative References
      12.2. Informative References
   Authors' Addresses

1. Introduction

   Dual-Stack Lite [RFC6333] is a solution to offer both IPv4 and IPv6
   connectivity to customers across an IPv6-only infrastructure.  One
   of its key components is an IPv4-over-IPv6 tunnel, which is used to
   provide IPv4 connectivity across a service provider's IPv6 network.
   Another key component is a carrier-grade IPv4-to-IPv4 Network Address
   Translation (NAT) to share service provider IPv4 addresses among
   customers.

   This document defines a portion of the Management Information Base
   (MIB) for use with network management protocols in the Internet
   community.  This MIB module may be used for configuring and
   monitoring devices in a Dual-Stack Lite scenario.
2. Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   [RFC2119] when they appear in ALL CAPS.  When these words are not in
   ALL CAPS (such as "should" or "Should"), they have their usual
   English meanings, and are not to be interpreted as [RFC2119] key
   words.

3. The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in
   [RFC2578], [RFC2579] and [RFC2580].

4. Relationship to the IF-MIB

   The Interfaces MIB [RFC2863] defines generic managed objects for
   managing interfaces.  Each logical interface (physical or virtual)
   has an ifEntry.  Tunnels are handled by creating a logical interface
   (ifEntry) for each tunnel.  Each DS-Lite tunnel also acts as a
   virtual interface, which has a corresponding entry in the IP Tunnel
   MIB and the Interfaces MIB.  Those corresponding entries are indexed
   by ifIndex.

   The ifOperStatus in ifTable is used to represent whether the DS-Lite
   tunnel function has been started.  The ifInUcastPkts defined in
   ifTable represents the number of IPv4 packets that have been
   encapsulated into IPv6 packets sent to a B4.  The ifOutUcastPkts
   defined in ifTable contains the number of IPv6 packets that can be
   decapsulated to IPv4 in the virtual interface.
   Also, the IF-MIB defines ifMtu for the MTU of this tunnel interface,
   so the DS-Lite MIB does not need to define the MTU for the tunnel.

5. Difference from the IP tunnel MIB and NATV2-MIB

   The key technologies for DS-Lite are IP-in-IP (IPv4-in-IPv6) tunnels
   and NAT (IPv4-to-IPv4 translation).

   Notes: According to section 5.2 of [RFC6333], DS-Lite only defines
   IPv4-in-IPv6 tunnels at this moment, but other types of encapsulation
   could be defined in the future.  This DS-Lite MIB therefore only
   supports IP-in-IP encapsulation; if another RFC defines other tunnel
   types in the future, this DS-Lite MIB will be updated accordingly.

   The NATV2-MIB [RFC7659] is designed to carry translations from any
   address family to any address family; therefore it supports IPv4-to-IPv4
   translation.

   The IP Tunnel MIB [RFC4087] is designed for managing tunnels of any
   type over IPv4 and IPv6 networks; therefore it supports IP-in-IP
   tunnels.  In a DS-Lite scenario, the tunnel type is IP in IP, more
   precisely IPv4 in IPv6.  Therefore, it is unnecessary to define a
   new object to describe the tunnel type in the DS-Lite MIB.

   However, the NATV2-MIB and the IP Tunnel MIB together are not
   sufficient to support DS-Lite.  This document describes the specific
   features of the DS-Lite MIB, as follows.

   In the DS-Lite scenario, the Address Family Transition Router (AFTR)
   is not only the tunnel end concentrator, but also an IPv4-to-IPv4
   translator.  As defined in [RFC6333], when IPv4 packets come back
   from the Internet to the AFTR, it knows how to reconstruct the IPv6
   encapsulation by doing a reverse lookup in the extended IPv4 NAT
   binding table.  The NAT binding table in the AFTR MUST be extended to
   include the IPv6 address of the tunnel initiator.  However, the
   tunnel information defined in the NATV2-MIB is at the address level,
   whereas the IP Tunnel MIB defines its objects per interface rather
   than per address, so the DS-Lite MIB needs to define tunnel objects
   that extend the NAT binding entry by interface.  Therefore, a
   combined MIB is necessary.

   The implementation of the IP Tunnel MIB is required for DS-Lite.  As
   the tunnel is not point-to-point in DS-Lite, the tunnelIfEncapsMethod
   in the tunnelIfEntry should be set to dsLite("xx"), and a
   corresponding entry in the DS-Lite module will exist for every
   tunnelIfEntry with this tunnelIfEncapsMethod.  The
   tunnelIfRemoteInetAddress must be set to "::".

6. Structure of the MIB Module

   The DS-Lite MIB provides a way to monitor and manage the devices
   (AFTRs) in a DS-Lite scenario through SNMP.

   The DS-Lite MIB is configurable on a per-interface basis.  It depends
   on several parts of the IF-MIB [RFC2863], the IP Tunnel MIB
   [RFC4087], and the NATV2-MIB [RFC7659].

6.1. The Object Group

   This group defines the objects that are needed for the DS-Lite MIB.

6.1.1. The dsliteTunnel Subtree

   The dsliteTunnel subtree describes managed objects used for managing
   tunnels in the DS-Lite scenario.  Because some objects defined in the
   IP Tunnel MIB are not readable, a few new objects are defined in the
   DS-Lite MIB.

6.1.2. The dsliteNAT Subtree

   The dsliteNAT subtree describes managed objects used for
   configuration as well as monitoring of an AFTR that is capable of a
   NAT function.  Because the NATV2-MIB supports the NAT management
   function in DS-Lite, it is reused in the DS-Lite MIB.  The dsliteNAT
   subtree also provides the mapping relationship between the tunnel
   entry and the NAT entry by extending the natv2PortMapEntry in the
   NATV2-MIB with the IPv6 address of the B4.

6.1.3. The dsliteInfo Subtree

   The dsliteInfo subtree provides statistical information for DS-Lite.
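   The extended binding table that Section 5 describes, and the instance
   identifiers that the INDEX clauses of dsliteTunnelTable and
   dsliteNATBindTable produce, as an added Python example that is not
   part of this draft or of any implementation it describes.  It applies
   the SMIv2 index-encoding rules of RFC 2578 to the two INDEX clauses of
   Section 8; the class and function names, and all addresses, ports,
   realm names and ifIndex values, are assumptions constructed for the
   example.

```python
"""Added example, not code from draft-ietf-softwire-dslite-mib: a model of
the AFTR's extended NAT binding table (section 5) together with the SMIv2
instance identifiers of dsliteTunnelTable and dsliteNATBindTable rows
(section 8).  All addresses, ports, realm names and ifIndex values below
are constructed sample data."""
import ipaddress

# RFC 2578 section 7.7: an integer-valued index object becomes one
# sub-identifier; a variable-length string (InetAddress, SnmpAdminString)
# becomes its length followed by one sub-identifier per octet.
INT, VARLEN = "int", "varlen"
IPV4, IPV6 = 1, 2  # InetAddressType enumerations (RFC 4001)

# INDEX clauses as written in the module.
DSLITE_TUNNEL_INDEX = (
    ("dsliteTunnelAddressType", INT), ("dsliteTunnelStartAddress", VARLEN),
    ("dsliteTunnelEndAddress", VARLEN), ("ifIndex", INT))
DSLITE_NAT_BIND_INDEX = (
    ("dsliteNATBindMappingInstanceIndex", INT), ("dsliteNATBindMappingProto", INT),
    ("dsliteNATBindMappingExtRealm", VARLEN),
    ("dsliteNATBindMappingExtAddressType", INT),
    ("dsliteNATBindMappingExtAddress", VARLEN), ("dsliteNATBindMappingExtPort", INT),
    ("ifIndex", INT), ("dsliteTunnelStartAddress", VARLEN),
    ("dsliteTunnelStartAddPreLen", INT))


def encode_index(spec, values):
    """Index values -> instance sub-identifiers appended to a column OID."""
    if len(spec) != len(values):
        raise ValueError("value count does not match the INDEX clause")
    subids = []
    for (_, kind), value in zip(spec, values):
        if kind == INT:
            subids.append(int(value))
        else:
            octets = bytes(value)
            subids.append(len(octets))
            subids.extend(octets)
    return tuple(subids)


def decode_index(spec, subids):
    """Inverse of encode_index; rejects truncated or over-long suffixes."""
    out, pos = {}, 0
    for name, kind in spec:
        if pos >= len(subids):
            raise ValueError("instance identifier truncated at %s" % name)
        if kind == INT:
            out[name], pos = subids[pos], pos + 1
        else:
            n = subids[pos]
            out[name] = bytes(subids[pos + 1:pos + 1 + n])
            if len(out[name]) != n:
                raise ValueError("instance identifier truncated at %s" % name)
            pos += 1 + n
    if pos != len(subids):
        raise ValueError("trailing sub-identifiers after the index")
    return out


class AftrBindingTable:
    """One dsliteNATBindTable row per active mapping.  A natv2PortMapEntry
    alone stops at the internal IPv4 address/port; the AFTR also needs the
    B4's IPv6 address (dsliteTunnelStartAddress) to rebuild the tunnel."""

    def __init__(self):
        self._rows = {}  # (instance, proto, ext realm, ext addr, ext port) -> row

    def add_mapping(self, proto, ext_addr, ext_port, int_addr, int_port,
                    b4_addr, b4_prefix_len, if_index, instance=1,
                    ext_realm="internet"):
        key = (instance, proto, ext_realm, ipaddress.IPv4Address(ext_addr), ext_port)
        if key in self._rows:
            raise ValueError("external address/port already mapped for this protocol")
        self._rows[key] = {
            "int_addr": ipaddress.IPv4Address(int_addr), "int_port": int_port,
            "b4_addr": ipaddress.IPv6Address(b4_addr),
            "b4_prefix_len": b4_prefix_len, "if_index": if_index}
        return self.instance_oid(key)

    def instance_oid(self, key):
        """Instance sub-identifiers of a row, per DSLITE_NAT_BIND_INDEX."""
        row = self._rows[key]
        instance, proto, ext_realm, ext_addr, ext_port = key
        return encode_index(DSLITE_NAT_BIND_INDEX, (
            instance, proto, ext_realm.encode(), IPV4, ext_addr.packed, ext_port,
            row["if_index"], row["b4_addr"].packed, row["b4_prefix_len"]))

    def reverse_lookup(self, proto, ext_addr, ext_port, instance=1,
                       ext_realm="internet"):
        """Inbound IPv4 packet from the Internet: the internal address/port
        after translation and the B4 address that becomes the outer IPv6
        destination.  None means no binding exists and the AFTR drops it."""
        key = (instance, proto, ext_realm, ipaddress.IPv4Address(ext_addr), ext_port)
        row = self._rows.get(key)
        return None if row is None else (
            str(row["int_addr"]), row["int_port"], str(row["b4_addr"]))
```

   Walking dsliteTunnelStartAddPreLen on an agent yields one instance
   identifier per tunnel; decode_index recovers the B4 and AFTR addresses
   from that suffix without a further GET.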
6.2. The Notification Group

   This group defines the notification objects for DS-Lite.

6.2.1. The dsliteTrap Subtree

   The dsliteTrap subtree provides trap information in the DS-Lite
   scenario.

6.3. The Conformance Group

   The dsliteConformance subtree provides conformance information for
   the MIB objects.

7. MIB modules required for IMPORTS

   This MIB module IMPORTs objects from [RFC2578], [RFC2580], [RFC2863],
   [RFC3411], [RFC4001] and [RFC7659].

8. Definitions

   DSLite-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, transmission,
       NOTIFICATION-TYPE, Gauge32, TimeTicks,
       Integer32, Counter64, Unsigned32
           FROM SNMPv2-SMI

       OBJECT-GROUP, MODULE-COMPLIANCE,
       NOTIFICATION-GROUP
           FROM SNMPv2-CONF

       DisplayString
           FROM SNMPv2-TC

       SnmpAdminString
           FROM SNMP-FRAMEWORK-MIB

       ifIndex
           FROM IF-MIB

       InetAddress, InetAddressType, InetAddressPrefixLength,
       InetPortNumber
           FROM INET-ADDRESS-MIB

       ProtocolNumber, Natv2InstanceIndex, Natv2SubscriberIndex
           FROM NATV2-MIB;

   dsliteMIB MODULE-IDENTITY
       LAST-UPDATED "201511240000Z"  -- November 24, 2015
       ORGANIZATION "IETF Softwire Working Group"
       CONTACT-INFO
           "Yu Fu
            CNNIC
            No.4 South 4th Street, Zhongguancun, Hai-Dian District
            Beijing, P.R. China 100095
            EMail: fuyu@cnnic.cn

            Sheng Jiang
            Huawei Technologies Co., Ltd
            Huawei Building, 156 Beiqing Rd., Hai-Dian District
            Beijing, P.R. China 100095
            EMail: jiangsheng@huawei.com

            Jiang Dong
            Tsinghua University
            Department of Computer Science, Tsinghua University
            Beijing 100084
            P.R. China
            Email: knight.dongjiang@gmail.com

            Yuchi Chen
            Tsinghua University
            Department of Computer Science, Tsinghua University
            Beijing 100084
            P.R. China
            Email: flashfoxmx@gmail.com "
       DESCRIPTION
           "The MIB module is defined for management of objects in the
            DS-Lite scenario.
            Copyright (C) The Internet Society (2015).  This version
            of this MIB module is part of RFC yyyy; see the RFC itself
            for full legal notices. "
       REVISION "201511240000Z"
       DESCRIPTION
           "Initial version.  Published as RFC xxxx."
       -- RFC Ed.: RFC Editor, please fill in xxxx
       ::= { transmission xxx }
       -- RFC Ed.: assigned by IANA, see section 10 for details

   -- Top level components of this MIB module

   dsliteMIBObjects OBJECT IDENTIFIER
       ::= { dsliteMIB 1 }

   dsliteTunnel OBJECT IDENTIFIER
       ::= { dsliteMIBObjects 1 }

   dsliteNAT OBJECT IDENTIFIER
       ::= { dsliteMIBObjects 2 }

   dsliteInfo OBJECT IDENTIFIER
       ::= { dsliteMIBObjects 3 }

   -- Notifications section

   dsliteNotifications OBJECT IDENTIFIER
       ::= { dsliteMIB 0 }

   dsliteTraps OBJECT IDENTIFIER
       ::= { dsliteNotifications 1 }

   -- dsliteTunnel

   -- dsliteTunnelTable

   dsliteTunnelTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF DsliteTunnelEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The (conceptual) table containing information on
            configured tunnels.  This table can be used to map a
            B4 address to the associated AFTR address.  It can
            also be used for row creation."
       REFERENCE
           "B4, AFTR: RFC 6333."
       ::= { dsliteTunnel 1 }

   dsliteTunnelEntry OBJECT-TYPE
       SYNTAX      DsliteTunnelEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "Each entry in this table contains the information on a
            particular configured tunnel."
       INDEX { dsliteTunnelAddressType,
               dsliteTunnelStartAddress,
               dsliteTunnelEndAddress,
               ifIndex }
       ::= { dsliteTunnelTable 1 }

   DsliteTunnelEntry ::=
       SEQUENCE {
           dsliteTunnelAddressType     InetAddressType,
           dsliteTunnelStartAddress    InetAddress,
           dsliteTunnelEndAddress      InetAddress,
           dsliteTunnelStartAddPreLen  InetAddressPrefixLength
       }

   dsliteTunnelAddressType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This object MUST be set to the value ipv6(2).
            It describes the address type of the IPv4-in-IPv6
            tunnel initiator and endpoint."
       REFERENCE
           "InetAddressType in RFC 4001."
       ::= { dsliteTunnelEntry 1 }

   dsliteTunnelStartAddress OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The address of the initiator of the tunnel."
       REFERENCE
           "InetAddress in RFC 4001."
       ::= { dsliteTunnelEntry 2 }

   dsliteTunnelEndAddress OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The address of the endpoint of the tunnel."
       REFERENCE
           "InetAddress in RFC 4001."
       ::= { dsliteTunnelEntry 3 }

   dsliteTunnelStartAddPreLen OBJECT-TYPE
       SYNTAX      InetAddressPrefixLength
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "IPv6 prefix length of the IP address for the
            start point of the tunnel."
       ::= { dsliteTunnelEntry 4 }

   -- dsliteNAT
   -- dsliteNATMapTable (the address pools defined by
   -- natv2PoolTable and natv2PoolRangeTable
   -- in RFC 7659 are sufficient)
   -- dsliteNATBindTable (NAPT)

   dsliteNATBindTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF DsliteNATBindEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table contains information about currently
            active NAT binds in the NAT of the AFTR.  This table
            extends the natv2PortMapTable defined in the NATV2-MIB
            [RFC7659] with the IPv6 address of the B4."
       ::= { dsliteNAT 1 }

   dsliteNATBindEntry OBJECT-TYPE
       SYNTAX      DsliteNATBindEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "Each entry in this table holds the relationship between
            tunnel information and NAT bind information.  These
            entries are lost upon agent restart."
       INDEX { dsliteNATBindMappingInstanceIndex,
               dsliteNATBindMappingProto,
               dsliteNATBindMappingExtRealm,
               dsliteNATBindMappingExtAddressType,
               dsliteNATBindMappingExtAddress,
               dsliteNATBindMappingExtPort,
               ifIndex,
               dsliteTunnelStartAddress,
               dsliteTunnelStartAddPreLen }
       ::= { dsliteNATBindTable 1 }

   DsliteNATBindEntry ::=
       SEQUENCE {
           dsliteNATBindMappingInstanceIndex    Natv2InstanceIndex,
           dsliteNATBindMappingProto            ProtocolNumber,
           dsliteNATBindMappingExtRealm         SnmpAdminString,
           dsliteNATBindMappingExtAddressType   InetAddressType,
           dsliteNATBindMappingExtAddress       InetAddress,
           dsliteNATBindMappingExtPort          InetPortNumber,
           dsliteNATBindMappingIntRealm         SnmpAdminString,
           dsliteNATBindMappingIntAddressType   InetAddressType,
           dsliteNATBindMappingIntAddress       InetAddress,
           dsliteNATBindMappingIntPort          InetPortNumber,
           dsliteNATBindMappingPool             Unsigned32,
           dsliteNATBindMappingMapBehavior      INTEGER,
           dsliteNATBindMappingFilterBehavior   INTEGER,
           dsliteNATBindMappingAddressPooling   INTEGER
       }

   -- OBJECT-TYPE keyword was missing from this definition in the
   -- extracted text; it is required by SMIv2.
   dsliteNATBindMappingInstanceIndex OBJECT-TYPE
       SYNTAX      Natv2InstanceIndex
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "Index of the NAT instance that created this port map entry."
       ::= { dsliteNATBindEntry 1 }

   dsliteNATBindMappingProto OBJECT-TYPE
       SYNTAX      ProtocolNumber
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This object specifies the mapping's transport protocol
            number."
       ::= { dsliteNATBindEntry 2 }

   dsliteNATBindMappingExtRealm OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(0..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The realm to which dsliteNATBindMappingExtAddress
            belongs."
       ::= { dsliteNATBindEntry 3 }

   dsliteNATBindMappingExtAddressType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "Type of the mapping's external address."
       REFERENCE
           "InetAddressType in RFC 4001."
       ::= { dsliteNATBindEntry 4 }

   dsliteNATBindMappingExtAddress OBJECT-TYPE
       SYNTAX      InetAddress (SIZE (0..16))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The mapping's external address.  If this is the undefined
            address, all external addresses are mapped to the internal
            address."
       ::= { dsliteNATBindEntry 5 }

   dsliteNATBindMappingExtPort OBJECT-TYPE
       SYNTAX      InetPortNumber
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The mapping's assigned external port number.  If this is
            zero, all external ports are mapped to the internal port."
       REFERENCE
           "InetPortNumber in RFC 4001."
       ::= { dsliteNATBindEntry 6 }

   dsliteNATBindMappingIntRealm OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The realm to which dsliteNATBindMappingIntAddress belongs."
       ::= { dsliteNATBindEntry 7 }

   dsliteNATBindMappingIntAddressType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Type of the mapping's internal address."
       ::= { dsliteNATBindEntry 8 }

   dsliteNATBindMappingIntAddress OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The mapping's internal address.  If this is the undefined
            address, addresses are not translated."
       REFERENCE
           "InetAddress in RFC 4001."
       ::= { dsliteNATBindEntry 9 }

   dsliteNATBindMappingIntPort OBJECT-TYPE
       SYNTAX      InetPortNumber
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The mapping's internal port number.  If this is zero, ports
            are not translated."
       REFERENCE
           "InetPortNumber in RFC 4001."
       ::= { dsliteNATBindEntry 10 }

   dsliteNATBindMappingPool OBJECT-TYPE
       SYNTAX      Unsigned32 (0|1..4294967295)
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Index of the pool that contains this mapping's external
            address and port.  If zero, no pool is associated with this
            mapping."
       ::= { dsliteNATBindEntry 11 }

   dsliteNATBindMappingMapBehavior OBJECT-TYPE
       SYNTAX      INTEGER {
                       endpointIndependent (0),
                       addressDependent (1),
                       addressAndPortDependent (2)
                   }
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Mapping behavior as described in [RFC4787] section 4.1.

            endpointIndependent(0), the behavior REQUIRED by
            RFC 4787, REQ-1, maps the source address and port to
            the same external address and port for all destination
            address and port combinations reached through the same
            external realm and using the given protocol.

            addressDependent(1) maps to the same external address
            and port for all destination ports at the same
            destination address reached through the same external
            realm and using the given protocol.

            addressAndPortDependent(2) maps to a separate external
            address and port combination for each different
            destination address and port combination reached
            through the same external realm."
       REFERENCE
           "RFC 4787 section 4.1"
       ::= { dsliteNATBindEntry 12 }

   dsliteNATBindMappingFilterBehavior OBJECT-TYPE
       SYNTAX      INTEGER {
                       endpointIndependent (0),
                       addressDependent (1),
                       addressAndPortDependent (2)
                   }
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Filtering behavior as described in [RFC4787] section 5.

            endpointIndependent(0) accepts for translation packets
            from all combinations of remote address and port
            destined to the mapped external address and port via
            the given external realm and using the given protocol.

            addressDependent(1) accepts for translation packets from
            all remote ports from the same remote source address
            destined to the mapped external address and port via the
            given external realm and using the given protocol.

            addressAndPortDependent(2) accepts for translation only
            those packets with the same remote source address, port,
            and protocol incoming from the same external realm as
            identified when the applicable port map entry was
            created.

            RFC 4787, REQ-8 recommends either endpointIndependent(0)
            or addressDependent(1) filtering behavior depending on
            whether application friendliness or security takes
            priority."
       REFERENCE
           "RFC 4787 section 5"
       ::= { dsliteNATBindEntry 13 }

   dsliteNATBindMappingAddressPooling OBJECT-TYPE
       SYNTAX      INTEGER {
                       arbitrary (0),
                       paired (1)
                   }
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Type of address pooling behavior that was used to create
            this mapping.

            arbitrary(0) pooling behavior means that the NAT instance
            may create the new port mapping using any address in the
            pool that has a free port for the protocol concerned.

            paired(1) pooling behavior, the behavior RECOMMENDED by RFC
            4787, REQ-2, means that once a given internal address has
            been mapped to a particular address in a particular pool,
            further mappings of the same internal address to that pool
            will reuse the previously assigned pool member address."
       REFERENCE
           "RFC 4787 section 4.1"
       ::= { dsliteNATBindEntry 14 }

   -- dsliteInfo

   dsliteAFTRAlarmScalar OBJECT IDENTIFIER ::= { dsliteInfo 1 }

   dsliteAFTRAlarmB4Addr OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  accessible-for-notify
       STATUS      current
       DESCRIPTION
           "This object indicates the IP address of the B4 that
            caused the alarm."
       ::= { dsliteAFTRAlarmScalar 1 }

   dsliteAFTRAlarmProtocolType OBJECT-TYPE
       SYNTAX      DisplayString
       MAX-ACCESS  accessible-for-notify
       STATUS      current
       DESCRIPTION
           "This object indicates the protocol type of the alarm:
            0:tcp, 1:udp, 2:icmp, 3:total."
       ::= { dsliteAFTRAlarmScalar 2 }

   dsliteAFTRAlarmSpecificIP OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  accessible-for-notify
       STATUS      current
       DESCRIPTION
           "This object indicates the IP address whose port usage
            has reached the threshold."
       ::= { dsliteAFTRAlarmScalar 3 }

   dsliteAFTRAlarmConnectNumber OBJECT-TYPE
       SYNTAX      Integer32 (60..90)
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "This object indicates the threshold of the DS-Lite
            connections alarm."
       DEFVAL { 60 }
       ::= { dsliteAFTRAlarmScalar 4 }

   dsliteStatisticTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF DsliteStatisticEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table provides statistical information
            of DS-Lite."
       ::= { dsliteInfo 2 }

   dsliteStatisticEntry OBJECT-TYPE
       SYNTAX      DsliteStatisticEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "Each entry in this table provides the DS-Lite
            statistics of one subscriber."
       INDEX { dsliteStatisticSubscriberIdex }
       ::= { dsliteStatisticTable 1 }

   DsliteStatisticEntry ::=
       SEQUENCE {
           dsliteStatisticSubscriberIdex  Natv2SubscriberIndex,
           dsliteStatisticDiscard         Counter64,
           dsliteStatisticTransmitted     Counter64,
           dsliteStatisticIpv4Session     Counter64,
           dsliteStatisticIpv6Session     Counter64
       }

   dsliteStatisticSubscriberIdex OBJECT-TYPE
       SYNTAX      Natv2SubscriberIndex
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "Index of the subscriber or host.  A unique value,
            greater than zero, for each subscriber in the
            managed system."
       ::= { dsliteStatisticEntry 1 }

   dsliteStatisticDiscard OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This object indicates the number of packets
            discarded from this subscriber."
       ::= { dsliteStatisticEntry 2 }

   dsliteStatisticTransmitted OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This object indicates the number of packets received
            from or sent to this subscriber."
       ::= { dsliteStatisticEntry 3 }

   dsliteStatisticIpv4Session OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This object indicates the number of the
            current IPv4 sessions."
       ::= { dsliteStatisticEntry 4 }

   dsliteStatisticIpv6Session OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This object indicates the number of the
            current IPv6 sessions."
       ::= { dsliteStatisticEntry 5 }

   -- dslite trap

   dsliteTunnelNumAlarm NOTIFICATION-TYPE
       OBJECTS { dsliteAFTRAlarmProtocolType,
                 dsliteAFTRAlarmB4Addr }
       STATUS      current
       DESCRIPTION
           "This trap is triggered when the number of
            currently connected DS-Lite tunnels exceeds the value of
            dsliteAFTRAlarmConnectNumber."
       ::= { dsliteTraps 1 }

   dsliteAFTRUserSessionNumAlarm NOTIFICATION-TYPE
       OBJECTS { dsliteAFTRAlarmProtocolType,
                 dsliteAFTRAlarmB4Addr }
       STATUS      current
       DESCRIPTION
           "This trap is triggered when the sessions of a
            user reach the threshold."
       ::= { dsliteTraps 2 }

   dsliteAFTRPortUsageOfSpecificIpAlarm NOTIFICATION-TYPE
       OBJECTS { dsliteAFTRAlarmSpecificIP }
       STATUS      current
       DESCRIPTION
           "This trap is triggered when the used NAT
            ports of a mapped address reach the threshold."
       ::= { dsliteTraps 3 }

   -- Module Conformance statement

   dsliteConformance OBJECT IDENTIFIER
       ::= { dsliteMIB 2 }

   dsliteCompliances OBJECT IDENTIFIER ::= { dsliteConformance 1 }

   dsliteGroups OBJECT IDENTIFIER ::= { dsliteConformance 2 }

   -- compliance statements

   dsliteCompliance MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
           "Describes the minimal requirements for conformance
            to the DS-Lite MIB."
       MODULE -- this module
           MANDATORY-GROUPS { dsliteNATBindGroup,
                              dsliteTunnelGroup,
                              dsliteStatisticGroup,
                              dsliteTrapsGroup,
                              dsliteAFTRAlarmScalarGroup }
       ::= { dsliteCompliances 1 }

   dsliteNATBindGroup OBJECT-GROUP
       OBJECTS {
           dsliteNATBindMappingIntRealm,
           dsliteNATBindMappingIntAddressType,
           dsliteNATBindMappingIntAddress,
           dsliteNATBindMappingIntPort,
           dsliteNATBindMappingPool,
           dsliteNATBindMappingMapBehavior,
           dsliteNATBindMappingFilterBehavior,
           dsliteNATBindMappingAddressPooling }
       STATUS      current
       DESCRIPTION
           "This collection of objects is used to give
            information about NAT binds."
       ::= { dsliteGroups 1 }

   dsliteTunnelGroup OBJECT-GROUP
       OBJECTS { dsliteTunnelStartAddPreLen }
       STATUS      current
       DESCRIPTION
           "This collection of objects is used to give
            information about tunnels in DS-Lite."
       ::= { dsliteGroups 2 }

   dsliteStatisticGroup OBJECT-GROUP
       OBJECTS { dsliteStatisticDiscard,
                 dsliteStatisticTransmitted,
                 dsliteStatisticIpv4Session,
                 dsliteStatisticIpv6Session }
       STATUS      current
       DESCRIPTION
           "This collection of objects is used to give the
            statistical information of DS-Lite."
       ::= { dsliteGroups 3 }

   dsliteTrapsGroup NOTIFICATION-GROUP
       NOTIFICATIONS { dsliteTunnelNumAlarm,
                       dsliteAFTRUserSessionNumAlarm,
                       dsliteAFTRPortUsageOfSpecificIpAlarm }
       STATUS      current
       DESCRIPTION
           "This collection of notifications is used to give the
            trap information of DS-Lite."
       ::= { dsliteGroups 4 }

   dsliteAFTRAlarmScalarGroup OBJECT-GROUP
       OBJECTS { dsliteAFTRAlarmB4Addr, dsliteAFTRAlarmProtocolType,
                 dsliteAFTRAlarmSpecificIP,
                 dsliteAFTRAlarmConnectNumber }
       STATUS      current
       DESCRIPTION
           "This collection of objects is used to give
            information about the AFTR alarm scalars."
       ::= { dsliteGroups 5 }

   END

9. Security Considerations

   There is only one object defined in this MIB module with a MAX-ACCESS
   clause of read-write and/or read-create.  Such objects may be
   considered sensitive or vulnerable in some network environments.  The
   support for SET operations in a non-secure environment without proper
   protection can have a negative effect on network operations.  These
   are the tables and objects and their sensitivity/vulnerability:

   Notification thresholds: An attacker setting an arbitrarily low
   threshold can cause many useless notifications to be generated.
   Setting an arbitrarily high threshold can effectively disable
   notifications, which could be used to hide another attack.

      dsliteAFTRAlarmConnectNumber

   Some of the readable objects in this MIB module (i.e., objects with a
   MAX-ACCESS other than not-accessible) may be considered sensitive or
   vulnerable in some network environments.  It is thus important to
   control even GET and/or NOTIFY access to these objects and possibly
   to even encrypt the values of these objects when sending them over
   the network via SNMP.  These are the tables and objects and their
   sensitivity/vulnerability:

      dsliteTunnelStartAddPreLen
      dsliteNATBindMappingIntRealm
      dsliteNATBindMappingIntAddressType
      dsliteNATBindMappingIntAddress
      dsliteNATBindMappingIntPort
      dsliteNATBindMappingPool
      dsliteNATBindMappingMapBehavior
      dsliteNATBindMappingFilterBehavior
      dsliteNATBindMappingAddressPooling
      dsliteStatisticDiscard
      dsliteStatisticTransmitted
      dsliteStatisticIpv4Session
      dsliteStatisticIpv6Session

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPsec),
   there is no control as to who on the secure network is allowed to
   access and GET/SET (read/change/create/delete) the objects in this
   MIB module.

   Implementations SHOULD provide the security features described by the
   SNMPv3 framework (see [RFC3410]), and implementations claiming
   compliance to the SNMPv3 standard MUST include full support for
   authentication and privacy via the User-based Security Model (USM)
   [RFC3414] with the AES cipher algorithm [RFC3826].  Implementations
   MAY also provide support for the Transport Security Model (TSM)
   [RFC5591] in combination with a secure transport such as SSH
   [RFC5592] or TLS/DTLS [RFC6353].

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.
10.  IANA Considerations

The MIB module in this document uses the following IANA-assigned
OBJECT IDENTIFIER values recorded in the SMI Numbers registry, and
the following IANA-assigned tunnelType values recorded in the
IANAtunnelType-MIB registry:

   Descriptor        OBJECT IDENTIFIER value
   ----------        -----------------------
   DSLite-MIB        { transmission XXX }

   IANAtunnelType ::= TEXTUAL-CONVENTION
       SYNTAX INTEGER {
           dsLite ("XX")   -- dslite tunnel
       }

Notes: Appendix A of the IP Tunnel MIB [RFC4087] describes that the
value direct(2) has already been assigned to indicate an IP in IP
tunnel, but it is still difficult to distinguish DS-Lite tunnel
packets from normal IP in IP tunnel packets in the scenario where the
AFTR connects to both a DS-Lite tunnel and an IP in IP tunnel.

11.  Acknowledgements

The authors would like to thank Suresh Krishnan, Ian Farrer, Yiu Lee,
Qi Sun, Yong Cui, David Harrington, Dave Thaler, Tassos
Chatzithomaoglou, Tom Taylor and other members of the SOFTWIRE WG for
their valuable comments.

This document was produced using the xml2rfc tool [RFC2629].

12.  References

12.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Structure of Management Information
              Version 2 (SMIv2)", STD 58, RFC 2578,
              DOI 10.17487/RFC2578, April 1999.

   [RFC2580]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Conformance Statements for SMIv2",
              STD 58, RFC 2580, DOI 10.17487/RFC2580, April 1999.

   [RFC2863]  McCloghrie, K. and F. Kastenholz, "The Interfaces Group
              MIB", RFC 2863, DOI 10.17487/RFC2863, June 2000.

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              DOI 10.17487/RFC3411, December 2002.

   [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
              Schoenwaelder, "Textual Conventions for Internet Network
              Addresses", RFC 4001, DOI 10.17487/RFC4001, February 2005.

   [RFC4087]  Thaler, D., "IP Tunnel MIB", RFC 4087,
              DOI 10.17487/RFC4087, June 2005.

   [RFC4787]  Audet, F., Ed. and C. Jennings, "Network Address
              Translation (NAT) Behavioral Requirements for Unicast
              UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January
              2007.

   [RFC6333]  Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-
              Stack Lite Broadband Deployments Following IPv4
              Exhaustion", RFC 6333, DOI 10.17487/RFC6333, August 2011.

   [RFC7659]  Perreault, S., Tsou, T., Sivakumar, S., and T. Taylor,
              "Definitions of Managed Objects for Network Address
              Translators (NATs)", RFC 7659, DOI 10.17487/RFC7659,
              October 2015.

12.2.  Informative References

   [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Textual Conventions for SMIv2",
              STD 58, RFC 2579, DOI 10.17487/RFC2579, April 1999.

   [RFC2629]  Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
              DOI 10.17487/RFC2629, June 1999.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410,
              DOI 10.17487/RFC3410, December 2002.

   [RFC3414]  Blumenthal, U. and B. Wijnen, "User-based Security Model
              (USM) for version 3 of the Simple Network Management
              Protocol (SNMPv3)", STD 62, RFC 3414,
              DOI 10.17487/RFC3414, December 2002.

   [RFC3826]  Blumenthal, U., Maino, F., and K. McCloghrie, "The
              Advanced Encryption Standard (AES) Cipher Algorithm in the
              SNMP User-based Security Model", RFC 3826,
              DOI 10.17487/RFC3826, June 2004.

   [RFC5591]  Harrington, D. and W. Hardaker, "Transport Security Model
              for the Simple Network Management Protocol (SNMP)",
              STD 78, RFC 5591, DOI 10.17487/RFC5591, June 2009.

   [RFC5592]  Harrington, D., Salowey, J., and W. Hardaker, "Secure
              Shell Transport Model for the Simple Network Management
              Protocol (SNMP)", RFC 5592, DOI 10.17487/RFC5592, June
              2009.

   [RFC6353]  Hardaker, W., "Transport Layer Security (TLS) Transport
              Model for the Simple Network Management Protocol (SNMP)",
              STD 78, RFC 6353, DOI 10.17487/RFC6353, July 2011.

Authors' Addresses

   Yu Fu
   CNNIC
   No.4 South 4th Street, Zhongguancun
   Hai-Dian District, Beijing, 100190
   P.R. China

   Email: fuyu@cnnic.cn

   Sheng Jiang
   Huawei Technologies Co., Ltd
   Q14, Huawei Campus, No.156 Beiqing Road
   Hai-Dian District, Beijing, 100095
   P.R. China

   Email: jiangsheng@huawei.com

   Jiang Dong
   Tsinghua University
   Department of Computer Science, Tsinghua University
   Beijing 100084
   P.R. China

   Email: knight.dongjiang@gmail.com

   Yuchi Chen
   Tsinghua University
   Department of Computer Science, Tsinghua University
   Beijing 100084
   P.R. China

   Email: flashfoxmx@gmail.com