IPv6 MIB Revision Design Team                                  Bill Fenner
INTERNET-DRAFT                                               AT&T Research
Expires: August 2001                                        Brian Haberman
                                                           Nortel Networks
                                                          Keith McCloghrie
                                                             Cisco Systems
                                                      Juergen Schoenwalder
                                                            TU Braunschweig
                                                               Dave Thaler
                                                                  Microsoft
                                                              February 2001

                       Management Information Base
              for the Transmission Control Protocol (TCP)
                    draft-ops-rfc2012-update-00.txt

Status of this Document

   This document is an Internet-Draft and is in full conformance with all
   provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering Task
   Force (IETF), its areas, and its working groups.  Note that other groups
   may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference material
   or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This document is a product of the IPv6 MIB Revision Design Team.
   Comments should be addressed to the authors, or the mailing list at
   ipv6mib@ibr.cs.tu-bs.de.

Copyright Notice

   Copyright (C) The Internet Society (2001).  All Rights Reserved.

Abstract

   This memo defines a portion of the Management Information Base (MIB) for
   use with network management protocols in the Internet community.  In
   particular, it describes managed objects used for implementations of the
   Transmission Control Protocol (TCP) [5] in an IP version independent
   manner.

Table of Contents

   1. The SNMP Management Framework
   2. Revision History
   3. Definitions
   4. Open Issues
   5. Acknowledgements
   6. References
   7. Security Considerations
   8. Editor's Address
   9. Full Copyright Statement

1.  The SNMP Management Framework

   The SNMP Management Framework presently consists of five major
   components:

   o  An overall architecture, described in RFC 2571 [7].

   o  Mechanisms for describing and naming objects and events for the
      purpose of management.  The first version of this Structure of
      Management Information (SMI) is called SMIv1 and described in STD 16,
      RFC 1155 [8], STD 16, RFC 1212 [9] and RFC 1215 [10].  The second
      version, called SMIv2, is described in STD 58, RFC 2578 [11], STD 58,
      RFC 2579 [12] and STD 58, RFC 2580 [13].

   o  Message protocols for transferring management information.  The first
      version of the SNMP message protocol is called SNMPv1 and described in
      STD 15, RFC 1157 [14].  A second version of the SNMP message protocol,
      which is not an Internet standards track protocol, is called SNMPv2c
      and described in RFC 1901 [15] and RFC 1906 [16].  The third version of
      the message protocol is called SNMPv3 and described in RFC 1906 [16],
      RFC 2572 [17] and RFC 2574 [18].

   o  Protocol operations for accessing management information.  The first
      set of protocol operations and associated PDU formats is described in
      STD 15, RFC 1157 [14].  A second set of protocol operations and
      associated PDU formats is described in RFC 1905 [19].

   o  A set of fundamental applications described in RFC 2573 [20] and the
      view-based access control mechanism described in RFC 2575 [21].

   A more detailed introduction to the current SNMP Management Framework
   can be found in RFC 2570 [22].

   Managed objects are accessed via a virtual information store, termed the
   Management Information Base or MIB.  Objects in the MIB are defined
   using the mechanisms defined in the SMI.

   This memo specifies a MIB module that is compliant to the SMIv2.  A MIB
   conforming to the SMIv1 can be produced through the appropriate
   translations.  The resulting translated MIB must be semantically
   equivalent, except where objects or events are omitted because no
   translation is possible (use of Counter64).  Some machine readable
   information in SMIv2 will be converted into textual descriptions in
   SMIv1 during the translation process.  However, this loss of machine
   readable information is not considered to change the semantics of the
   MIB.

2.  Revision History

   Changes from first draft posted to v6mib mailing list:

   23 Feb 2001

      Made threshold for HC packet counters 1Mpps

      Added copyright statements and table of contents

   21 Feb 2001 -- Juergen's changes

      Renamed tcpInetConn* to tcpConnection*

      Updated Conformance info

      Added missing tcpConnectionState and tcpConnState objects to
      SEQUENCEs

   6 Feb 2001

      Removed v6-only objects.

      Renamed inetTcp* to tcpInet*

      Added SIZE restriction to InetAddress index objects.  (36 = 32-byte
      addresses plus 4-byte scope, but it's just a strawman)

      Used InetPortNumber TC from updated INET-ADDRESS-MIB

      Updated compliance statements.

      Added Keith to authors

      Added open issues section.

3.  Definitions

   TCP-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, Integer32, Gauge32,
       Counter32, Counter64, IpAddress, mib-2
                                          FROM SNMPv2-SMI
       MODULE-COMPLIANCE, OBJECT-GROUP    FROM SNMPv2-CONF
       InetAddress, InetAddressType,
       InetPortNumber                     FROM INET-ADDRESS-MIB;

   tcpMIB MODULE-IDENTITY
       LAST-UPDATED "200102210000Z"
       ORGANIZATION "IETF IPv6 MIB Revision Team"
       CONTACT-INFO
               "Bill Fenner (editor)

                AT&T Labs -- Research
                75 Willow Rd.
                Menlo Park, CA 94025

                Phone: +1 650 330-7893
                Email: "
       DESCRIPTION
               "The MIB module for managing TCP implementations."
       REVISION      "200102210000Z"
       DESCRIPTION
               "IP version neutral revision, published as RFC XXXX."
       REVISION      "9411010000Z"
       DESCRIPTION
               "Initial SMIv2 version, published as RFC 2012."
       REVISION      "9103310000Z"
       DESCRIPTION
               "The initial revision of this MIB module was part of MIB-II."
       ::= { mib-2 49 }

   -- the TCP base variables group

   tcp      OBJECT IDENTIFIER ::= { mib-2 6 }

   -- Scalars

   tcpRtoAlgorithm OBJECT-TYPE
       SYNTAX      INTEGER {
                       other(1),    -- none of the following
                       constant(2), -- a constant rto
                       rsre(3),     -- MIL-STD-1778, Appendix B
                       vanj(4)      -- Van Jacobson's algorithm [1]
                   }
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The algorithm used to determine the timeout value used for
               retransmitting unacknowledged octets."
       ::= { tcp 1 }

   tcpRtoMin OBJECT-TYPE
       SYNTAX      Integer32
       UNITS       "milliseconds"
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The minimum value permitted by a TCP implementation for the
               retransmission timeout, measured in milliseconds.  More
               refined semantics for objects of this type depend upon the
               algorithm used to determine the retransmission timeout.  In
               particular, when the timeout algorithm is rsre(3), an object
               of this type has the semantics of the LBOUND quantity
               described in RFC 793."
       ::= { tcp 2 }

   tcpRtoMax OBJECT-TYPE
       SYNTAX      Integer32
       UNITS       "milliseconds"
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The maximum value permitted by a TCP implementation for the
               retransmission timeout, measured in milliseconds.  More
               refined semantics for objects of this type depend upon the
               algorithm used to determine the retransmission timeout.  In
               particular, when the timeout algorithm is rsre(3), an object
               of this type has the semantics of the UBOUND quantity
               described in RFC 793."
       ::= { tcp 3 }

   tcpMaxConn OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The limit on the total number of TCP connections the entity
               can support.  In entities where the maximum number of
               connections is dynamic, this object should contain the value
               -1."
       ::= { tcp 4 }

   tcpActiveOpens OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The number of times TCP connections have made a direct
               transition to the SYN-SENT state from the CLOSED state."
       ::= { tcp 5 }

   tcpPassiveOpens OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The number of times TCP connections have made a direct
               transition to the SYN-RCVD state from the LISTEN state."
       ::= { tcp 6 }

   tcpAttemptFails OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The number of times TCP connections have made a direct
               transition to the CLOSED state from either the SYN-SENT
               state or the SYN-RCVD state, plus the number of times TCP
               connections have made a direct transition to the LISTEN
               state from the SYN-RCVD state."
       ::= { tcp 7 }

   tcpEstabResets OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The number of times TCP connections have made a direct
               transition to the CLOSED state from either the ESTABLISHED
               state or the CLOSE-WAIT state."
       ::= { tcp 8 }

   tcpCurrEstab OBJECT-TYPE
       SYNTAX      Gauge32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The number of TCP connections for which the current state is
               either ESTABLISHED or CLOSE-WAIT."
       ::= { tcp 9 }

   tcpInSegs OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The total number of segments received, including those
               received in error.  This count includes segments received on
               currently established connections."
       ::= { tcp 10 }

   tcpOutSegs OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The total number of segments sent, including those on
               current connections but excluding those containing only
               retransmitted octets."
       ::= { tcp 11 }

   tcpRetransSegs OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The total number of segments retransmitted - that is, the
               number of TCP segments transmitted containing one or more
               previously transmitted octets."
       ::= { tcp 12 }

   tcpInErrs OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The total number of segments received in error (e.g., bad
               TCP checksums)."
       ::= { tcp 14 }

   tcpOutRsts OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The number of TCP segments sent containing the RST flag."
       ::= { tcp 15 }

   tcpHCInSegs OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The total number of segments received, including those
               received in error, on systems that can receive more than 1
               million TCP packets per second.  This count includes
               segments received on currently established connections."
       ::= { tcp 17 }

   tcpHCOutSegs OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The total number of segments sent, including those on
               current connections but excluding those containing only
               retransmitted octets, on systems that can transmit more than
               1 million TCP packets per second."
       ::= { tcp 18 }

   -- The TCP Connection table

   tcpConnectionTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF TcpConnectionEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
               "A table containing information about existing TCP
               connections or listeners."
       ::= { tcp 19 }

   tcpConnectionEntry OBJECT-TYPE
       SYNTAX      TcpConnectionEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
               "A conceptual row of the tcpConnectionTable containing
               information about a particular current TCP connection.  Each
               row of this table is transient, in that it ceases to exist
               when (or soon after) the connection makes the transition to
               the CLOSED state."
       INDEX   { tcpConnectionLocalAddressType,
                 tcpConnectionLocalAddress,
                 tcpConnectionLocalPort,
                 tcpConnectionRemAddressType,
                 tcpConnectionRemAddress,
                 tcpConnectionRemPort }
       ::= { tcpConnectionTable 1 }

   TcpConnectionEntry ::= SEQUENCE {
           tcpConnectionLocalAddressType   InetAddressType,
           tcpConnectionLocalAddress       InetAddress,
           tcpConnectionLocalPort          InetPortNumber,
           tcpConnectionRemAddressType     InetAddressType,
           tcpConnectionRemAddress         InetAddress,
           tcpConnectionRemPort            InetPortNumber,
           tcpConnectionState              INTEGER
       }

   tcpConnectionLocalAddressType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
               "The address type of tcpConnectionLocalAddress.  Only IPv4
               and IPv6 addresses are expected."
       ::= { tcpConnectionEntry 1 }

   tcpConnectionLocalAddress OBJECT-TYPE
       SYNTAX      InetAddress (SIZE(0..36))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
               "The local IP address for this TCP connection.  In the case
               of a connection in the listen state which is willing to
               accept connections for any IP interface associated with the
               node, a value of all zeroes is used."
       ::= { tcpConnectionEntry 2 }

   tcpConnectionLocalPort OBJECT-TYPE
       SYNTAX      InetPortNumber
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
               "The local port number for this TCP connection."
       ::= { tcpConnectionEntry 3 }

   tcpConnectionRemAddressType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
               "The address type of tcpConnectionRemAddress.  Only IPv4 and
               IPv6 addresses are expected.  Must be the same as
               tcpConnectionLocalAddressType."
       ::= { tcpConnectionEntry 4 }

   tcpConnectionRemAddress OBJECT-TYPE
       SYNTAX      InetAddress (SIZE(0..36))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
               "The remote IP address for this TCP connection."
       ::= { tcpConnectionEntry 5 }

   tcpConnectionRemPort OBJECT-TYPE
       SYNTAX      InetPortNumber
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
               "The remote port number for this TCP connection."
       ::= { tcpConnectionEntry 6 }

   tcpConnectionState OBJECT-TYPE
       SYNTAX      INTEGER {
                       closed(1),
                       listen(2),
                       synSent(3),
                       synReceived(4),
                       established(5),
                       finWait1(6),
                       finWait2(7),
                       closeWait(8),
                       lastAck(9),
                       closing(10),
                       timeWait(11),
                       deleteTCB(12)
                   }
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
               "The state of this TCP connection.

               The only value which may be set by a management station is
               deleteTCB(12).  Accordingly, it is appropriate for an agent
               to return a `badValue' response if a management station
               attempts to set this object to any other value.

               If a management station sets this object to the value
               deleteTCB(12), then this has the effect of deleting the TCB
               (as defined in RFC 793) of the corresponding connection on
               the managed node, resulting in immediate termination of the
               connection.

               As an implementation-specific option, a RST segment may be
               sent from the managed node to the other TCP endpoint (note
               however that RST segments are not sent reliably)."
       ::= { tcpConnectionEntry 7 }

   -- The deprecated TCP Connection table

   tcpConnTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF TcpConnEntry
       MAX-ACCESS  not-accessible
       STATUS      deprecated
       DESCRIPTION
               "A table containing information about existing IPv4-specific
               TCP connections or listeners.  This table has been
               deprecated in favor of the version neutral
               tcpConnectionTable."
       ::= { tcp 13 }

   tcpConnEntry OBJECT-TYPE
       SYNTAX      TcpConnEntry
       MAX-ACCESS  not-accessible
       STATUS      deprecated
       DESCRIPTION
               "A conceptual row of the tcpConnTable containing information
               about a particular current IPv4 TCP connection.  Each row of
               this table is transient, in that it ceases to exist when (or
               soon after) the connection makes the transition to the
               CLOSED state."
       INDEX   { tcpConnLocalAddress,
                 tcpConnLocalPort,
                 tcpConnRemAddress,
                 tcpConnRemPort }
       ::= { tcpConnTable 1 }

   TcpConnEntry ::= SEQUENCE {
           tcpConnState         INTEGER,
           tcpConnLocalAddress  IpAddress,
           tcpConnLocalPort     INTEGER,
           tcpConnRemAddress    IpAddress,
           tcpConnRemPort       INTEGER
       }

   tcpConnState OBJECT-TYPE
       SYNTAX      INTEGER {
                       closed(1),
                       listen(2),
                       synSent(3),
                       synReceived(4),
                       established(5),
                       finWait1(6),
                       finWait2(7),
                       closeWait(8),
                       lastAck(9),
                       closing(10),
                       timeWait(11),
                       deleteTCB(12)
                   }
       MAX-ACCESS  read-write
       STATUS      deprecated
       DESCRIPTION
               "The state of this TCP connection.

               The only value which may be set by a management station is
               deleteTCB(12).  Accordingly, it is appropriate for an agent
               to return a `badValue' response if a management station
               attempts to set this object to any other value.

               If a management station sets this object to the value
               deleteTCB(12), then this has the effect of deleting the TCB
               (as defined in RFC 793) of the corresponding connection on
               the managed node, resulting in immediate termination of the
               connection.

               As an implementation-specific option, a RST segment may be
               sent from the managed node to the other TCP endpoint (note
               however that RST segments are not sent reliably)."
       ::= { tcpConnEntry 1 }

   tcpConnLocalAddress OBJECT-TYPE
       SYNTAX      IpAddress
       MAX-ACCESS  read-only
       STATUS      deprecated
       DESCRIPTION
               "The local IP address for this TCP connection.  In the case
               of a connection in the listen state which is willing to
               accept connections for any IP interface associated with the
               node, the value 0.0.0.0 is used."
       ::= { tcpConnEntry 2 }

   tcpConnLocalPort OBJECT-TYPE
       SYNTAX      INTEGER (0..65535)
       MAX-ACCESS  read-only
       STATUS      deprecated
       DESCRIPTION
               "The local port number for this TCP connection."
       ::= { tcpConnEntry 3 }

   tcpConnRemAddress OBJECT-TYPE
       SYNTAX      IpAddress
       MAX-ACCESS  read-only
       STATUS      deprecated
       DESCRIPTION
               "The remote IP address for this TCP connection."
       ::= { tcpConnEntry 4 }

   tcpConnRemPort OBJECT-TYPE
       SYNTAX      INTEGER (0..65535)
       MAX-ACCESS  read-only
       STATUS      deprecated
       DESCRIPTION
               "The remote port number for this TCP connection."
       ::= { tcpConnEntry 5 }

   -- conformance information

   tcpMIBConformance OBJECT IDENTIFIER ::= { tcpMIB 2 }

   tcpMIBCompliances OBJECT IDENTIFIER ::= { tcpMIBConformance 1 }
   tcpMIBGroups      OBJECT IDENTIFIER ::= { tcpMIBConformance 2 }

   -- compliance statements

   tcpMIBCompliance2 MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
               "The compliance statement for systems which implement TCP."

       MODULE  -- this module
           MANDATORY-GROUPS { tcpBaseGroup, tcpConnectionGroup }
           GROUP  tcpHCGroup
           DESCRIPTION
               "This group is mandatory for those systems which are capable
               of receiving or transmitting more than 1 million TCP
               packets per second.  1 million packets per second will
               cause a Counter32 to wrap in just over an hour."
           OBJECT  tcpConnectionState
           MIN-ACCESS  read-only
           DESCRIPTION
               "Write access is not required."
       ::= { tcpMIBCompliances 2 }

   tcpMIBCompliance MODULE-COMPLIANCE
       STATUS      deprecated
       DESCRIPTION
               "The compliance statement for IPv4-only systems which
               implement TCP.  In order to be IP version independent, this
               compliance statement is deprecated in favor of
               tcpMIBCompliance2."
       MODULE  -- this module
           MANDATORY-GROUPS { tcpGroup }
           OBJECT  tcpConnState
           MIN-ACCESS  read-only
           DESCRIPTION
               "Write access is not required."
       ::= { tcpMIBCompliances 1 }

   -- units of conformance

   tcpGroup OBJECT-GROUP
       OBJECTS   { tcpRtoAlgorithm, tcpRtoMin, tcpRtoMax,
                   tcpMaxConn, tcpActiveOpens,
                   tcpPassiveOpens, tcpAttemptFails,
                   tcpEstabResets, tcpCurrEstab, tcpInSegs,
                   tcpOutSegs, tcpRetransSegs, tcpConnState,
                   tcpConnLocalAddress, tcpConnLocalPort,
                   tcpConnRemAddress, tcpConnRemPort,
                   tcpInErrs, tcpOutRsts }
       STATUS    deprecated
       DESCRIPTION
               "The tcp group of objects providing for management of TCP
               entities."
       ::= { tcpMIBGroups 1 }

   tcpBaseGroup OBJECT-GROUP
       OBJECTS   { tcpRtoAlgorithm, tcpRtoMin, tcpRtoMax,
                   tcpMaxConn, tcpActiveOpens,
                   tcpPassiveOpens, tcpAttemptFails,
                   tcpEstabResets, tcpCurrEstab, tcpInSegs,
                   tcpOutSegs, tcpRetransSegs,
                   tcpInErrs, tcpOutRsts }
       STATUS    current
       DESCRIPTION
               "The group of counters common to TCP entities."
       ::= { tcpMIBGroups 2 }

   tcpHCGroup OBJECT-GROUP
       OBJECTS   { tcpHCInSegs, tcpHCOutSegs }
       STATUS    current
       DESCRIPTION
               "The group of objects providing for counters of high speed
               TCP implementations."
       ::= { tcpMIBGroups 3 }

   tcpConnectionGroup OBJECT-GROUP
       OBJECTS   { tcpConnectionState }
       STATUS    current
       DESCRIPTION
               "The table of TCP connections."
       ::= { tcpMIBGroups 4 }

   END

4.  Open Issues

   Per-connection byte/segment counters?  Other stats?  [in optional
   conformance group] e.g. ConnInBytes ConnOutBytes ConnInPkts ConnOutPkts
   ConnElapsed ConnSRTT

   More HC counters?

   v6 SIIT / IPV6_V6ONLY / ??? : does the tcpConnectionTable need
   something?
   (Erik said:
   But for the different types of wildcard listeners it would make sense
   to be able to capture the difference between:
       IPv4-only - bound to INADDR_ANY
       IPv6-only - bound to in6addr_any with the IPV6_V6ONLY socket
                   option set
       both      - bound to in6addr_any and the above not set

   [the last 2 could probably be differentiated by the remote address AF
   being Unknown or IPv6 -- which would require changing the DESCRIPTION]

5.  Acknowledgements

   This document contains a modified subset of RFC 1213 and updates RFC
   2012 and RFC 2452.

6.  References

   [2]  Rose, M. and K. McCloghrie, "Management Information Base for Network
        Management of TCP/IP-based internets", RFC 1213, March 1991.

   [3]  McCloghrie, K., "SNMPv2 Management Information Base for the
        Transmission Control Protocol using SMIv2", RFC 2012, November
        1996.

   [4]  Haskin, D. and S. Onishi, "IP Version 6 Management Information Base
        for the Transmission Control Protocol", RFC 2452, December 1998.

   [5]  Postel, J., "Transmission Control Protocol - DARPA Internet Program
        Protocol Specification", STD 7, RFC 793, DARPA, September 1981.

   [6]  Jacobson, V., "Congestion Avoidance and Control", SIGCOMM 1988,
        Stanford, California.

   [7]  Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for
        Describing SNMP Management Frameworks", RFC 2571, April 1999.

   [8]  Rose, M., and K. McCloghrie, "Structure and Identification of
        Management Information for TCP/IP-based Internets", STD 16, RFC
        1155, May 1990.

   [9]  Rose, M., and K. McCloghrie, "Concise MIB Definitions", STD 16, RFC
        1212, March 1991.

   [10] Rose, M., "A Convention for Defining Traps for use with the SNMP",
        RFC 1215, March 1991.

   [11] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M.,
        and S. Waldbusser, "Structure of Management Information Version 2
        (SMIv2)", STD 58, RFC 2578, April 1999.

   [12] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M.,
        and S. Waldbusser, "Textual Conventions for SMIv2", STD 58, RFC
        2579, April 1999.

   [13] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M.,
        and S. Waldbusser, "Conformance Statements for SMIv2", STD 58, RFC
        2580, April 1999.

   [14] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple Network
        Management Protocol", STD 15, RFC 1157, May 1990.

   [15] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
        "Introduction to Community-based SNMPv2", RFC 1901, January 1996.

   [16] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Transport
        Mappings for Version 2 of the Simple Network Management Protocol
        (SNMPv2)", RFC 1906, January 1996.

   [17] Case, J., Harrington, D., Presuhn, R., and B. Wijnen, "Message
        Processing and Dispatching for the Simple Network Management
        Protocol (SNMP)", RFC 2572, April 1999.

   [18] Blumenthal, U., and B. Wijnen, "User-based Security Model (USM) for
        version 3 of the Simple Network Management Protocol (SNMPv3)", RFC
        2574, April 1999.

   [19] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Protocol
        Operations for Version 2 of the Simple Network Management Protocol
        (SNMPv2)", RFC 1905, January 1996.

   [20] Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications", RFC
        2573, April 1999.

   [21] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access
        Control Model (VACM) for the Simple Network Management Protocol
        (SNMP)", RFC 2575, April 1999.

   [22] Case, J., Mundy, R., Partain, D., and B. Stewart, "Introduction to
        Version 3 of the Internet-standard Network Management Framework",
        RFC 2570, April 1999.

7.  Security Considerations

   There are a number of management objects defined in this MIB that have a
   MAX-ACCESS clause of read-write and/or read-create.
   Such objects may be
   considered sensitive or vulnerable in some network environments.  The
   support for SET operations in a non-secure environment without proper
   protection can have a negative effect on network operations.

   There are a number of managed objects in this MIB that may contain
   sensitive information.  These are:

   o  The tcpConnectionLocalPort and tcpConnLocalPort objects can be used to
      identify what ports are open on the machine, and thus what attacks
      are likely to succeed, without the attacker having to run a port
      scanner.

   o  The tcpConnectionState and tcpConnState objects have a MAX-ACCESS
      clause of read-write, which allows termination of an arbitrary
      connection.  Unauthorized access could cause a denial of service.

   It is thus important to control even GET access to these objects and
   possibly even to encrypt the values of these objects when sending them
   over the network via SNMP.  Not all versions of SNMP provide features
   for such a secure environment.

   SNMPv1 by itself is not a secure environment.  Even if the network
   itself is secure (for example by using IPSec), there is still no
   control over who on the secure network is allowed to access and GET/SET
   (read/change/create/delete) the objects in this MIB.

   It is recommended that the implementers consider the security features
   as provided by the SNMPv3 framework.  Specifically, the use of the User-
   based Security Model RFC 2574 [18] and the View-based Access Control
   Model RFC 2575 [21] is recommended.

   It is then a customer/user responsibility to ensure that the SNMP entity
   giving access to an instance of this MIB is properly configured to give
   access to the objects only to those principals (users) that have
   legitimate rights to indeed GET or SET (change/create/delete) them.

8.  Editor's Address

   Bill Fenner
   AT&T Labs -- Research
   75 Willow Rd
   Menlo Park, CA 94025
   USA

   Email: fenner@research.att.com

9.  Full Copyright Statement

   Copyright (C) The Internet Society (2001).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it or
   assist in its implementation may be prepared, copied, published and
   distributed, in whole or in part, without restriction of any kind,
   provided that the above copyright notice and this paragraph are included
   on all such copies and derivative works.  However, this document itself
   may not be modified in any way, such as by removing the copyright notice
   or references to the Internet Society or other Internet organizations,
   except as needed for the purpose of developing Internet standards in
   which case the procedures for copyrights defined in the Internet
   Standards process must be followed, or as required to translate it into
   languages other than English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an "AS
   IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK
   FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT
   LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT
   INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR
   FITNESS FOR A PARTICULAR PURPOSE.
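Added worked example (editorial illustration, not part of the draft and not code from the IPv6 MIB Revision Design Team): it shows how the six-component INDEX of tcpConnectionEntry in Section 3 turns into the instance sub-identifiers of a tcpConnectionState OID, decodes such an index back into addresses and ports, models the SET handling the tcpConnectionState DESCRIPTION prescribes (only deleteTCB(12) accepted, anything else answered with badValue) together with the read-only MIN-ACCESS and VACM advice in Section 7, and computes the Counter32 wrap interval that motivates tcpHCGroup. Assumptions: the InetAddressType values ipv4(1) and ipv6(2) are taken from INET-ADDRESS-MIB (only these two are expected by the table); the length-prefixed encoding of the variable-length InetAddress index components follows the SMIv2 INDEX rules in RFC 2578 (the INDEX clause is not IMPLIED); the noAccess error status used for a principal without write access is the SNMPv2 protocol-operations status, not something defined in this draft; the sample addresses and ports are constructed.

```python
"""TCP-MIB tcpConnectionTable helpers (added example, not the draft's code)."""

import ipaddress

# InetAddressType values assumed from INET-ADDRESS-MIB; the draft says only
# IPv4 and IPv6 are expected in tcpConnectionTable.
INET_ADDRESS_TYPE = {"ipv4": 1, "ipv6": 2}
INET_ADDRESS_TYPE_NAME = {v: k for k, v in INET_ADDRESS_TYPE.items()}

# tcpConnectionState enumeration, as defined in the draft.
TCP_CONNECTION_STATE = {
    1: "closed", 2: "listen", 3: "synSent", 4: "synReceived",
    5: "established", 6: "finWait1", 7: "finWait2", 8: "closeWait",
    9: "lastAck", 10: "closing", 11: "timeWait", 12: "deleteTCB",
}
DELETE_TCB = 12

# tcp = { mib-2 6 }, tcpConnectionTable = { tcp 19 }, entry 1, column 7.
TCP_CONNECTION_STATE_OID = (1, 3, 6, 1, 2, 1, 6, 19, 1, 7)


def _inet_address_subids(addr):
    """Encode one InetAddressType/InetAddress pair of the INDEX.
    SMIv2 encodes a variable-length string index component as its length
    followed by its octets unless the INDEX clause says IMPLIED, which
    tcpConnectionEntry does not; so the length sub-identifier is explicit."""
    ip = ipaddress.ip_address(addr)
    octets = ip.packed
    return INET_ADDRESS_TYPE["ipv%d" % ip.version], (len(octets),) + tuple(octets)


def connection_index(local_addr, local_port, rem_addr, rem_port):
    """Return the tcpConnectionEntry instance index as a tuple of
    sub-identifiers: localType, localAddr, localPort, remType, remAddr, remPort."""
    ltype, laddr = _inet_address_subids(local_addr)
    rtype, raddr = _inet_address_subids(rem_addr)
    if ltype != rtype:
        # tcpConnectionRemAddressType "Must be the same as
        # tcpConnectionLocalAddressType".
        raise ValueError("local and remote address types differ")
    for port in (local_port, rem_port):
        if not 0 <= port <= 65535:  # InetPortNumber range
            raise ValueError("port out of range: %r" % port)
    return (ltype,) + laddr + (local_port, rtype) + raddr + (rem_port,)


def instance_oid(column_oid, index):
    """Dotted OID of one cell: column OID followed by the row index."""
    return ".".join(str(s) for s in column_oid + tuple(index))


def parse_connection_index(subids):
    """Inverse of connection_index(): decode the sub-identifiers that follow a
    tcpConnectionTable column OID (e.g. from a walk of tcpConnectionState)."""
    subids = list(subids)
    pos = 0

    def take_address():
        nonlocal pos
        atype, length = subids[pos], subids[pos + 1]
        octets = bytes(subids[pos + 2:pos + 2 + length])
        pos += 2 + length
        if atype not in INET_ADDRESS_TYPE_NAME:
            raise ValueError("unexpected InetAddressType %r" % atype)
        expected = 4 if atype == INET_ADDRESS_TYPE["ipv4"] else 16
        if length != expected:
            raise ValueError("address length %d does not match type" % length)
        return atype, str(ipaddress.ip_address(octets))

    ltype, laddr = take_address()
    lport, pos = subids[pos], pos + 1
    rtype, raddr = take_address()
    rport, pos = subids[pos], pos + 1
    if pos != len(subids):
        raise ValueError("trailing sub-identifiers in index")
    return {"localAddressType": INET_ADDRESS_TYPE_NAME[ltype],
            "localAddress": laddr, "localPort": lport,
            "remAddressType": INET_ADDRESS_TYPE_NAME[rtype],
            "remAddress": raddr, "remPort": rport}


def check_connection_state_set(value, write_allowed):
    """Agent-side handling of a SET on tcpConnectionState.
    The DESCRIPTION allows only deleteTCB(12) and says other values get
    badValue. write_allowed models the read-only MIN-ACCESS of the
    compliance statement and a VACM view without write access (noAccess)."""
    if not write_allowed:
        return "noAccess"
    if value != DELETE_TCB:
        return "badValue"
    return "noError"


def counter32_wrap_seconds(packets_per_second):
    """Seconds for a Counter32 to wrap at a steady segment rate; at 1 Mpps
    this is 2**32 / 1e6, the "just over an hour" cited for tcpHCGroup."""
    return 2 ** 32 / packets_per_second


if __name__ == "__main__":
    # Constructed sample: a local SSH listener's connection from a peer.
    idx = connection_index("192.0.2.10", 22, "198.51.100.7", 40001)
    print("tcpConnectionState instance:", instance_oid(TCP_CONNECTION_STATE_OID, idx))
    print(parse_connection_index(idx))
    print(check_connection_state_set(5, True), check_connection_state_set(12, True))
    print("Counter32 wrap at 1 Mpps: %.0f s" % counter32_wrap_seconds(1_000_000))
```

The parser is the piece a monitoring collector actually needs: a walk of tcpConnectionState returns one OID per row, and everything identifying the connection lives in the index suffix rather than in the value. Note that the deprecated tcpConnTable encodes its IpAddress index components as fixed four sub-identifiers without a length, so this decoder applies only to the version-neutral table.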