Network Working Group                                       S. Perreault
Internet-Draft                                       Jive Communications
Intended status: Standards Track                                 T. Tsou
Expires: July 22, 2015                               Huawei Technologies
                                                            S. Sivakumar
                                                           Cisco Systems
                                                               T. Taylor
                                                    PT Taylor Consulting
                                                        January 18, 2015

    Definitions of Managed Objects for Network Address Translators (NAT)
                    draft-perrault-behave-natv2-mib-00

Abstract

This memo defines a portion of the Management Information Base (MIB)
for devices implementing the Network Address Translator (NAT)
function. The new MIB module defined in this document, NATV2-MIB, is
intended to replace module NAT-MIB (RFC 4008). NATV2-MIB is not
backwards compatible with NAT-MIB, for reasons given in the text of
this document. A companion document deprecates all objects in
NAT-MIB. NATV2-MIB can be used for monitoring of NAT instances on a
device capable of NAT function. Compliance levels are defined for
three application scenarios: basic NAT, pooled NAT, and carrier-grade
NAT (CGN).

Status of This Memo

This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current
Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on July 22, 2015.

Copyright Notice

Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.

Table of Contents

1. The SNMP Management Framework
2. Introduction
3. Overview
   3.1. Content Provided by the NATV2-MIB Module
      3.1.1. Configuration Data
      3.1.2. Notifications
      3.1.3. State Information
      3.1.4. Statistics
   3.2. Outline of MIB Module Organization
   3.3. Detailed MIB Module Walk-Through
      3.3.1. Textual Conventions
      3.3.2. Notifications
      3.3.3. The Subscriber Table: natv2SubscriberTable
      3.3.4. The Instance Table: natv2InstanceTable
      3.3.5. The 'Next Protocol' Table: natv2NextProtocolTable
      3.3.6. The Address Pool Table: natv2PoolTable
      3.3.7. The Address Pool Address Range Table: natv2PoolRangeTable
      3.3.8. The Address Map Table: natv2AddressMapTable
      3.3.9. The Port Map Table: natv2PortMapTable
   3.4. Conformance: Three Application Scenarios
4. Definitions
5. Operational and Management Considerations
6. Security Considerations
7. IANA Considerations
8. References
   8.1. Normative References
   8.2. Informative References
Authors' Addresses

1. The SNMP Management Framework

For a detailed overview of the documents that describe the current
Internet-Standard Management Framework, please refer to section 7 of
RFC 3410 [RFC3410].

Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. MIB objects are generally
accessed through the Simple Network Management Protocol (SNMP).
Objects in the MIB are defined using the mechanisms defined in the
Structure of Management Information (SMI). This memo specifies a MIB
module that is compliant to the SMIv2, which is described in STD 58,
[RFC2578], [RFC2579] and [RFC2580].

2. Introduction

Note to RFC Ed.: please replace RFC yyyy with actual RFC number
throughout this document and remove this note.

This memo defines a portion of the Management Information Base (MIB)
for devices implementing NAT functions. This MIB module, NATV2-MIB,
may be used for monitoring of such devices. NATV2-MIB supersedes
NAT-MIB [RFC4008], which did not fit well with existing NAT
implementations, and hence was not itself much implemented.
[I-D.perrault-behave-deprecate-nat-mib-v1] provides a detailed
analysis of the deficiencies of NAT-MIB.

Relative to [RFC4008] and based on the analysis just mentioned, the
present document introduces the following changes:

o removed all writable configuration except that related to control
  of the generation of notifications and the setting of quotas on
  the use of NAT resources;

o minimized the read-only exposure of configuration to what is
  needed to provide context for the state and statistical
  information presented by the MIB module;

o removed the association between mapping and interfaces, retaining
  only the mapping aspect;

o replaced references to NAT types with references to NAT behaviors
  as specified in [RFC4787];

o replaced a module-specific enumeration of protocols with the
  standard protocol numbers provided by the IANA Assigned Internet
  Protocol Numbers registry.

This MIB module adds the following features not present in [RFC4008]:

o additional writable protective limits on NAT state data;

o additional state, statistics, and notifications;

o support for the carrier grade NAT (CGN) application, including
  subscriber-awareness, support for an arbitrary number of address
  realms, and support for multiple NAT instances running on a single
  device;

o expanded support for address pools;

o revised indexing of port map entries to simplify traceback from a
  given external realm, address and port to the corresponding
  internal realm, address, and port for a given protocol.

These features are described in more detail below.

The remainder of this document is organized as follows:

o Section 3 provides a verbal description of the content and
  organization of the MIB module.

o Section 4 provides the MIB module definition.

o Section 5 discusses operational and management issues relating to
  the deployment of NATV2-MIB. One of these issues is NAT
  management when both NAT-MIB [RFC4008] and NATV2-MIB are deployed.

o Section 6 and Section 7 provide a security discussion and a
  request to IANA for allocation of an object identifier for the
  module in the mib-2 tree, respectively.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
[RFC2119].

3. Overview

This section provides a prose description of the contents and
organization of the NATV2-MIB module.

3.1. Content Provided by the NATV2-MIB Module

The content provided by the NATV2-MIB module can be classed under
four headings: configuration data, notifications, state information,
and statistics.

3.1.1. Configuration Data

As mentioned above, the intent in designing the NATV2-MIB module was
to minimize the amount of configuration data presented to that needed
to give a context for interpreting the other types of information
provided. Detailed descriptions of the configuration data are
included with the descriptions of the individual tables. In general,
that data is limited to what is needed for indexing and
cross-referencing between tables. The two exceptions are the objects
describing NAT instance behavior in the NAT instance table, and the
detailed enumeration of resources allocated to each address pool in
the pool table and its extension.

The NATV2-MIB module provides three sets of read-write objects,
specifically related to other aspects of the module content. The
first set controls the rate at which specific notifications are
generated. The second set provides thresholds used to trigger the
notifications. These objects are listed in Section 3.1.2.

A third set of read-write objects sets limits on resource consumption
per NAT instance and per subscriber. When these limits are reached,
packets requiring further consumption of the given resource are
dropped rather than translated. Statistics described in
Section 3.1.4 record the numbers of packets so dropped. Limits are
provided for:

o total number of address map entries over the NAT instance. Limit
  is set by object natv2InstanceLimitAddressMapEntries in table
  natv2InstanceTable. Dropped packets are counted in
  natv2InstanceAddressMapEntryLimitDrops in that table.

o total number of port map entries over the NAT instance. Limit is
  set by object natv2InstanceLimitPortMapEntries in table
  natv2InstanceTable. Dropped packets are counted in
  natv2InstancePortMapEntryLimitDrops in that table.

o total number of held fragments (applicable only when the NAT
  instance can receive fragments out of order; see [RFC4787]
  Section 11). Limit is set by object
  natv2InstanceLimitPendingFragments in table natv2InstanceTable.
  Dropped packets are counted by natv2InstanceFragmentDrops in the
  same table.

o total number of active subscribers (i.e., subscribers having at
  least one mapping table entry) over the NAT instance. Limit is
  set by object natv2InstanceLimitSubscriberActives in table
  natv2InstanceTable. Dropped packets are counted by
  natv2InstanceSubscriberActiveLimitDrops in the same table.

o number of port map entries for an individual subscriber. Limit is
  set by object natv2SubscriberLimitPortMapEntries in table
  natv2SubscriberTable. Dropped packets are counted by
  natv2SubscriberPortMapFailureDrops in the same table. Note that,
  unlike in the instance table, the per-subscriber count is lumped
  in with the count of packets dropped because of failures to
  allocate a port map entry for other reasons to save on storage.
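
As an added illustration, not code from the draft, the following Python models how the instance-level and per-subscriber limits listed above translate into drop counters when a packet would create a new mapping. Only the limit and counter names come from the MIB module; the NatInstance and Subscriber classes, request_port_mapping(), the treatment of a limit value of 0 as "no limit", and the order in which the checks are applied are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class Subscriber:
    """Per-subscriber limit, state and drop counter (natv2SubscriberTable)."""
    limit_port_map_entries: int = 0  # natv2SubscriberLimitPortMapEntries; 0 = no limit (assumption)
    port_map_entries: int = 0        # natv2SubscriberPortMapEntries (current state)
    address_map_entries: int = 0     # per-subscriber address map entry count (Section 3.1.3)
    port_map_failure_drops: int = 0  # natv2SubscriberPortMapFailureDrops (limit + other failures)

    def is_active(self) -> bool:
        """Active means at least one mapping table entry (Section 3.1.1)."""
        return self.port_map_entries > 0 or self.address_map_entries > 0


@dataclass
class NatInstance:
    """Instance-level limits, state and drop counters (natv2InstanceTable)."""
    limit_address_map_entries: int = 0      # natv2InstanceLimitAddressMapEntries; 0 = no limit
    limit_port_map_entries: int = 0         # natv2InstanceLimitPortMapEntries; 0 = no limit
    limit_subscriber_actives: int = 0       # natv2InstanceLimitSubscriberActives; 0 = no limit
    address_map_entries: int = 0            # natv2InstanceAddressMapEntries
    port_map_entries: int = 0               # natv2InstancePortMapEntries
    address_map_entry_limit_drops: int = 0  # natv2InstanceAddressMapEntryLimitDrops
    port_map_entry_limit_drops: int = 0     # natv2InstancePortMapEntryLimitDrops
    subscriber_active_limit_drops: int = 0  # natv2InstanceSubscriberActiveLimitDrops
    subscribers: Dict[int, Subscriber] = field(default_factory=dict)

    def active_subscribers(self) -> int:
        return sum(1 for s in self.subscribers.values() if s.is_active())


def _at_limit(limit: int, current: int) -> bool:
    """A limit of 0 means unlimited (an assumption of this example, not of the MIB)."""
    return limit > 0 and current >= limit


def request_port_mapping(inst: NatInstance, sub_index: int,
                         needs_new_address_map: bool) -> Tuple[bool, str]:
    """Apply the limit checks for a packet that would create a new port mapping
    (and, when needs_new_address_map is set, a new address mapping).

    Returns (translated, counter). When the packet is dropped, counter names the
    NATV2-MIB object that records the drop. The check order is an assumption
    of this example; the draft does not prescribe one.
    """
    sub = inst.subscribers.setdefault(sub_index, Subscriber())

    # A subscriber with no entry in either table would become newly active.
    if not sub.is_active() and _at_limit(inst.limit_subscriber_actives,
                                         inst.active_subscribers()):
        inst.subscriber_active_limit_drops += 1
        return False, "natv2InstanceSubscriberActiveLimitDrops"

    if needs_new_address_map and _at_limit(inst.limit_address_map_entries,
                                           inst.address_map_entries):
        inst.address_map_entry_limit_drops += 1
        return False, "natv2InstanceAddressMapEntryLimitDrops"

    if _at_limit(inst.limit_port_map_entries, inst.port_map_entries):
        inst.port_map_entry_limit_drops += 1
        return False, "natv2InstancePortMapEntryLimitDrops"

    # Per-subscriber limit: the draft lumps this drop into the same counter as
    # port map allocation failures for other reasons, to save storage.
    if _at_limit(sub.limit_port_map_entries, sub.port_map_entries):
        sub.port_map_failure_drops += 1
        return False, "natv2SubscriberPortMapFailureDrops"

    # Translated: the new entries are counted at both levels.
    if needs_new_address_map:
        inst.address_map_entries += 1
        sub.address_map_entries += 1
    inst.port_map_entries += 1
    sub.port_map_entries += 1
    return True, ""


def demo() -> NatInstance:
    """Constructed scenario: at most two active subscribers, five port map
    entries per instance and three per subscriber."""
    inst = NatInstance(limit_subscriber_actives=2, limit_port_map_entries=5)
    for sub in (1, 2, 3):
        inst.subscribers[sub] = Subscriber(limit_port_map_entries=3)
    for _ in range(4):                      # 4th request exceeds subscriber 1's limit
        request_port_mapping(inst, 1, needs_new_address_map=True)
    request_port_mapping(inst, 2, needs_new_address_map=True)
    request_port_mapping(inst, 3, needs_new_address_map=True)   # 3rd active subscriber
    request_port_mapping(inst, 2, needs_new_address_map=False)
    request_port_mapping(inst, 2, needs_new_address_map=False)  # 6th entry on the instance
    return inst
```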

3.1.2. Notifications

NATV2-MIB provides five notifications, intended to provide warning of
the need to provision or reallocate NAT resources. As indicated in
the previous section, each notification is associated with two
read-write objects: a control on the rate at which that notification
is generated, and a threshold value used to trigger the notification
in the first place. The default setting within the MIB module
specification is that all notifications are disabled. The setting of
threshold values is discussed in Section 5.

The five notifications are as follows:

o Two notifications relate to the management of address pools. One
  indicates that usage equals or exceeds an upper threshold, and is
  therefore a warning that the pool may be over-utilized unless more
  addresses are assigned to it. The other notification indicates
  that usage equals or has fallen below a lower threshold,
  suggesting that some addresses allocated to that pool could be
  reallocated to other pools. Address pool usage is calculated as
  the percentage of the total number of ports allocated to the
  address pool that are already in use, for the most-mapped protocol
  at the time the notification is generated. The notifications
  identify that protocol and report the number of port map entries
  for that protocol in the given address pool at the moment the
  notification was triggered.

o Two notifications relate to the number of address and port map
  entries respectively, in total over the whole NAT instance. In
  both cases the threshold that triggers the notification is an
  upper threshold. The notifications return the number of mapping
  entries of the given type, plus a cumulative counter of the number
  of entries created in that mapping table at the moment the
  notification was triggered. The intent is that the notifications
  provide a warning that the total number of address or port map
  entries is approaching the configured limit.

o The final notification is generated on a per-subscriber basis when
  the number of port map entries for that subscriber crosses the
  associated threshold. The objects returned by this notification
  are similar to those returned for the instance-level mapping
  notifications. This notification is a warning that the number of
  port map entries for the subscriber is approaching the configured
  limit for that subscriber.

Here is a detailed specification of the notifications. A given
notification can be disabled by setting the threshold to 0 (default),
with the exception noted below.

Notification: natv2NotificationPoolUsageLow. Indicates that address
pool usage for the most-mapped protocol equals or is less than the
threshold value.

   Compared value: natv2PoolNotifiedPortMapEntries as a percentage of
   total available ports in the pool.

   Threshold: natv2PoolThresholdUsageLow in natv2PoolTable. To allow
   for a threshold of zero usage, disabling of the
   natv2NotificationPoolUsageLow is done by setting
   natv2PoolThresholdUsageLow to -1 rather than 0, in contrast to all
   of the other notifications.

   Objects returned: natv2PoolNotifiedPortMapEntries and
   natv2PoolNotifiedPortMapProtocol in natv2PoolTable;

   Rate control: natv2PoolNotificationInterval in
   natv2PoolTable (default 20 seconds between notifications for a
   given address pool).

Notification: natv2NotificationPoolUsageHigh. Indicates that address
pool usage for the most-mapped protocol has risen to the threshold
value or more.

   Compared value: natv2PoolNotifiedPortMapEntries as a percentage of
   total available ports in the pool.

   Threshold: natv2PoolThresholdUsageHigh in natv2PoolTable;

   Objects returned: natv2PoolNotifiedPortMapEntries,
   natv2PoolNotifiedPortMapProtocol in natv2PoolTable;

   Rate control: natv2PoolNotificationInterval in
   natv2PoolTable (default 20 seconds between notifications for a
   given address pool).

Notification: natv2NotificationInstanceAddressMapEntriesHigh.
Indicates that the total number of entries in the address map table
over the whole NAT instance equals or exceeds the threshold value.

   Compared value: natv2InstanceAddressMapEntries in
   natv2InstanceTable;

   Threshold: natv2InstanceThresholdAddressMapEntriesHigh in
   natv2InstanceTable;

   Objects returned: natv2InstanceAddressMapEntries,
   natv2InstanceAddressMapCreations in natv2InstanceTable;

   Rate control: natv2InstanceNotificationInterval in
   natv2InstanceTable (default 10 seconds between notifications for a
   given NAT instance).

Notification: natv2NotificationInstancePortMapEntriesHigh. Indicates
that the total number of entries in the port map table over the whole
NAT instance equals or exceeds the threshold value.

   Compared value: natv2InstancePortMapEntries in natv2InstanceTable;

   Threshold: natv2InstanceThresholdPortMapEntriesHigh in
   natv2InstanceTable;

   Objects returned: natv2InstancePortMapEntries,
   natv2InstancePortMapCreations in natv2InstanceTable;

   Rate control: natv2InstanceNotificationInterval in
   natv2InstanceTable (default 10 seconds between notifications for a
   given NAT instance).

Notification: natv2NotificationSubscriberPortMapEntriesHigh.
Indicates that the total number of entries in the port map table for
the given subscriber equals or exceeds the threshold value configured
for that subscriber.

   Compared value: natv2SubscriberPortMapEntries in
   natv2SubscriberTable;

   Threshold: natv2SubscriberThresholdPortMapEntriesHigh in
   natv2SubscriberTable;

   Objects returned: natv2SubscriberPortMapEntries,
   natv2SubscriberPortMapCreations in natv2SubscriberTable;

   Rate control: natv2SubscriberNotificationInterval in
   natv2SubscriberTable (default 60 seconds between notifications for
   a given subscriber).

3.1.3. State Information

State information provides a snapshot of the content and extent of
the NAT mapping tables at a given moment of time. The address and
port mapping tables are described in detail below. In addition to
these tables, two state variables are provided: current number of
entries in the address mapping table, and current number of entries
in the port mapping table. With one exception, these are provided at
four levels of granularity: per NAT instance, per protocol, per
address pool, and per subscriber. Address map entries are not
tracked per protocol, since address mapping is protocol-independent.

3.1.4. Statistics

NATV2-MIB provides a number of counters, intended to help both with
provisioning of the NAT and debugging of problems. As with the state
data, these counters are provided at the four levels of NAT instance,
protocol, address pool, and subscriber when they make sense. Each
counter is cumulative beginning from a "last discontinuity time"
recorded by an object in the table containing the counter.

The basic set of counters, as reflected in the NAT instance table, is
as follows:

Translations: number of packets processed and translated (in this
   case, in total for the NAT instance);

Address map entry creations: cumulative number of address map
   entries created, including static mappings;

Port map entry creations: cumulative number of port map entries
   created, including static mappings;

Address map limit drops: cumulative number of packets dropped rather
   than translated because the packet would have triggered the
   creation of a new address mapping, but the configured limit on
   number of address map entries has already been reached.

Port map limit drops: cumulative number of packets dropped rather
   than translated because the packet would have triggered the
   creation of a new port mapping, but the configured limit on number
   of port map entries has already been reached.

Active subscriber limit drops: cumulative number of packets dropped
   rather than translated because the packet would have triggered the
   creation of a new address and/or port mapping for a subscriber
   with no existing entries in either table, but the configured limit
   on number of active subscribers has already been reached.

Address mapping failure drops: cumulative number of packets dropped
   because the packet would have triggered the creation of a new
   address mapping, but no address could be allocated in the external
   realm concerned because all addresses from the selected address
   pool (or the whole realm, if no address pool has been configured
   for that realm) have already been fully allocated.

Port mapping failure drops: cumulative number of packets dropped
   because the packet would have triggered the creation of a new port
   mapping, but no port could be allocated for the protocol
   concerned. The precise conditions under which these packet drops
   occur depend on the pooling behavior [RFC4787] configured or
   implemented in the NAT instance. See the DESCRIPTION clause for
   the natv2InstancePortMapFailureDrops object for a detailed
   description of the different cases. These cases were defined with
   care to ensure that address mapping failure could be distinguished
   from port mapping failure.

Fragment drops: cumulative number of packets dropped because the
   packet contains a fragment and the fragment behavior [RFC4787]
   configured or implemented in the NAT instance indicates that the
   packet should be dropped. The main case is a NAT instance that
   meets REQ-14 of [RFC4787], hence can receive and process
   out-of-order fragments. In that case, dropping occurs only when the
   configured limit on pending fragments provided by NATV2-MIB has
   already been reached. The other cases are detailed in the
   DESCRIPTION clause of the natv2InstanceFragmentBehavior object.

Other resource drops: cumulative number of packets dropped because
   of unavailability of some other resource.

Table 1 indicates the granularities at which these statistics are
reported.

+-----------------------+------------+----------+------+------------+
| Statistic             | NAT        | Protocol | Pool | Subscriber |
|                       | Instance   |          |      |            |
+-----------------------+------------+----------+------+------------+
| Translations          | Yes        | Yes      | No   | Yes        |
| Address map entry     | Yes        | No       | Yes  | Yes        |
| creations             |            |          |      |            |
| Port map entry        | Yes        | Yes      | Yes  | Yes        |
| creations             |            |          |      |            |
| Address map limit     | Yes        | No       | No   | No         |
| drops                 |            |          |      |            |
| Port map limit drops  | Yes        | No       | No   | Yes        |
| Active subscriber     | Yes        | No       | No   | No         |
| limit drops           |            |          |      |            |
| Address mapping       | Yes        | No       | Yes  | Yes        |
| failure drops         |            |          |      |            |
| Port mapping failure  | Yes        | Yes      | Yes  | Yes        |
| drops                 |            |          |      |            |
| Fragment drops        | Yes        | No       | No   | No         |
| Other resource drops  | Yes        | Yes      | Yes  | Yes        |
+-----------------------+------------+----------+------+------------+

        Table 1: Statistics Provided By Level of Granularity

3.2. Outline of MIB Module Organization

Figure 1 shows how object identifiers are organized in the NATV2-MIB
module. Under the general natv2MIB object identifier in the mib-2
tree, the objects are classed into four groups:

natv2MIBNotifications(0) identifies the five notifications described
   in Section 3.1.2;

natv2MIBDeviceObjects(1) identifies objects relating to the whole
   device, specifically, the subscriber table.

natv2MIBInstanceObjects(2) identifies objects relating to individual
   NAT instances. These include the NAT instance table, the protocol
   table, the address pool table and its address range expansion, the
   address map table, and the port map table.

natv2MIBConformance(3) identifies the group and compliance clauses,
   specified for the three application scenarios described in
   Section 3.4.

                          natv2MIB
                              |
         +-------------+------+------+-------------+
         |             |             |             |
         |             |             |             |
         0             |             |             |
 natv2MIBNotifications |             |             |
         |             |             |             |
         |             1             |             |
         |   natv2MIBDeviceObjects   |             |
       Five            |             |             |
   notifications       |             2             |
                       |   natv2MIBInstanceObjects |
                       |             |             |
                   Subscriber        |             3
                     table           |     natv2MIBConformance
                                     |             |
                                     |             |
                                Six per-NAT-       |
                               instance tables     |
                                                   |
                                     +-------------+-------------+
                                     |                           |
                                     |                           |
                                     1                           2
                           natv2MIBCompliances            natv2MIBGroups
                                     |                           |
                                     |                           |
                                   Basic                       Basic
                                   Pooled                      Pooled
                             Carrier grade NAT            Carrier grade NAT

       Figure 1: Organization of Object Identifiers For NATV2-MIB

3.3. Detailed MIB Module Walk-Through

This section reviews the contents of the NATV2-MIB module. The table
descriptions include references to subsections of Section 3.1 where
desirable to avoid repetition of that information.

3.3.1. Textual Conventions

The module defines four key textual conventions: ProtocolNumber,
Natv2SubscriberIndex, Natv2InstanceIndex, and Natv2PoolIndex.
ProtocolNumber is based on the IANA registry of protocol numbers,
hence is potentially reusable by other MIB modules.

Objects of type Natv2SubscriberIndex identify individual subscribers
served by the NAT device. The values of these identifiers are
561 administered and, in intent, are permanently associated with their
562 respective subscribers. Reuse of a value after a subscriber has been
563 deleted is discouraged. The scope of the subscriber index was
564 defined to be at device rather than NAT instance level to make it
565 easier to shift subscribers between instances (e.g., for load
566 balancing).
568 Objects of type Natv2InstanceIndex identify specific NAT instances on
569 the device. Again, these are administered values intended to be
570 permanently associated with the NAT instances to which they have been
571 assigned.
573 Objects of type Natv2PoolIndex identify individual address pools in a
574 given NAT instance. As with the subscriber and instance index
575 objects, the pool identifiers are administered and intended to be
576 permanently associated with their respective pools.
578 3.3.2. Notifications
580 Notifications were described in Section 3.1.2.
582 3.3.3. The Subscriber Table: natv2SubscriberTable
584 Table natv2SubscriberTable is indexed by subscriber index. One
585 conceptual row contains information relating to a specific
586 subscriber: the subscriber's internal address or prefix for
587 correlation with other management information; state and statistical
588 information as described in Section 3.1.3 and Section 3.1.4, the per-
589 subscriber control objects described in Section 3.1.1, and
590 natv2SubscriberDiscontinuityTime, which provides a timestamp of the
591 latest time following which the statistics have accumulated without
592 discontinuity.
594 Turning back to the address information for a moment: this
595 information includes the identity of the address realm in which the
596 address is routable. That enables support of an arbitrary number of
597 address realms on the same NAT instance. Address realm identifiers
598 are administered values in the form of a limited-length
599 SnmpAdminString. In the absence of configuration to the contrary,
600 the default realm for all internal addresses as recorded in mapping
601 entries is "internal".
603 The term "address realm" is defined in [RFC2663] Section 2.1 and
604 reused in subsequent NAT-related documents.
606 In the special case of DS-Lite [RFC6333], for unique matching of the
607 subscriber data to other information in the MIB module, it is
608 necessary that the address information should relate to the outer
609 IPv6 header of packets going to or from the host, with the address
610 realm being the one in which that IPv6 address is routable. The
611 presentation of address information for other types of tunneled
612 access to the NAT is out of scope.
614 3.3.4. The Instance Table: natv2InstanceTable
616 Table natv2InstanceTable is indexed by an object of type
617 Natv2InstanceIndex. A conceptual row of this table provides
618 information relating to a particular NAT instance configured on the
619 device.
621 Configuration information provided by this table includes an instance
622 name of type DisplayString that may have been configured for this
623 instance, and a set of objects indicating respectively the port
624 mapping, filtering, pooling, and fragment behaviors configured or
625 implemented in the instance. These behaviors are all defined in
626 [RFC4787]. Their values affect the interpretation of some of the
627 statistics provided in the instance table.
629 Read-write objects listed in Section 3.1.2 set the notification rate
630 for instance-level notifications and set the thresholds that trigger
631 them. Additional read-write objects described in Section 3.1.1 set
632 limits on the number of address and port mapping entries, number of
633 pending fragments, and number of active subscribers for the instance.
635 The state and statistical information provided by this table consists
636 of the per-instance items described in Section 3.1.3 and
637 Section 3.1.4 respectively. natv2InstanceDiscontinuityTime is a
638 timestamp giving the time beyond which all of the statistical
639 counters in natv2InstanceTable are guaranteed to have accumulated
640 continuously.
642 3.3.5. The 'Next Protocol' Table: natv2NextProtocolTable
644 The 'next protocol' table is indexed by the NAT instance number and
645 an object of type ProtocolNumber as described in Section 3.3.1 (i.e.,
646 an IANA-registered protocol number). The set of protocols supported
647 by the NAT instance is implementation-dependent, but MUST include
648 ICMP(1), TCP(6), UDP(17), and ICMPv6(58). Depending on the
649 application, it SHOULD include IPv4 encapsulation(4), IPv6
650 encapsulation(41), IPSec AH(51), and SCTP(132). Support of PIM(103)
651 is highly desirable.
653 This table includes no configuration information. The state and
654 statistical information provided by this table consists of the per-
655 protocol items described in Section 3.1.3 and Section 3.1.4
656 respectively. natv2InstanceDiscontinuityTime in natv2InstanceTable is
657 reused as the timestamp giving the time beyond which all of the
658 statistical counters in natv2NextProtocolTable are guaranteed to have
659 accumulated continuously. The reasoning is that any event affecting
660 the continuity of per-protocol statistics will affect the continuity
661 of NAT instance statistics, and vice versa.
663 3.3.6. The Address Pool Table: natv2PoolTable
665 The address pool table is indexed by the NAT instance identifier for
666 the instance on which it is provisioned, plus a pool index of type
667 Natv2PoolIndex. Configuration information provided includes the
668 address realm for which the pool provides addresses, the type of
669 address (IPv4 or IPv6) supported by the realm, plus the port range it
670 makes available for allocation. The same set of port numbers (or, in
671 the ICMP case, identifier values) is made available for every
672 protocol supported by the NAT instance. The port range is specified
673 in terms of minimum and maximum port number.
675 The state and statistical information provided by this table consists
676 of the per-pool items described in Section 3.1.3 and Section 3.1.4
677 respectively, plus two additional state objects described below.
678 natv2PoolTable provides the pool-specific object
679 natv2PoolDiscontinuityTime to indicate the time since which the
680 statistical counters have accumulated continuously.
682 Read-write objects to set high and low thresholds for pool usage
683 notifications and for governing notification rate were identified in
684 Section 3.1.2. The default interval between notifications for a
685 given address pool is set to 20 seconds.
687 Implementation note: the thresholds are defined in terms of
688 percentage of available port utilization. The number of available
689 ports in a pool is equal to (max port - min port + 1) (from the
690 natv2PoolTable configuration information) multiplied by the number
691 of addresses provisioned in the pool (sum of number of addresses
692 provided by each natv2PoolRangeTable conceptual row relating to
693 that pool). At configuration time, the thresholds can be
694 recalculated in terms of total number of port map entries
695 corresponding to the configured percentage, so that runtime
696 comparisons to the current number of port map entries require no
697 further arithmetic operations.
699 natv2PoolTable also provides two state objects that are returned with
700 the notifications. natv2PoolNotifiedPortMapProtocol identifies the
701 most-mapped protocol at the time the notification was triggered.
702 natv2PoolNotifiedPortMapEntries provides the total number of port map
703 entries for that protocol at that same time.
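The implementation note and the notification objects above can be worked through concretely. The following is an added example, not draft text: an agent-side model of one natv2PoolTable row that derives the port capacity from its natv2PoolRangeTable rows, recalculates the percentage thresholds as absolute port-map-entry counts at configuration time, measures usage for the most-mapped protocol, honours the -1 "disabled" value, and applies the per-pool notification interval (default 20 seconds). The class and method names are hypothetical and the address ranges and counts in the test are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DISABLED = -1  # setting a usage threshold to -1 disables its notification


@dataclass
class PoolConfig:
    """Configuration side of one natv2PoolTable row plus its
    natv2PoolRangeTable rows (hypothetical names)."""
    min_port: int
    max_port: int
    ranges: List[Tuple[str, str]]          # (lowest, highest) address per range row
    threshold_low_pct: int = DISABLED      # natv2PoolThresholdUsageLow, percent
    threshold_high_pct: int = DISABLED     # natv2PoolThresholdUsageHigh, percent
    notification_interval: int = 20        # seconds; the draft's default

    def address_count(self) -> int:
        return sum(int(ipaddress.ip_address(hi)) - int(ipaddress.ip_address(lo)) + 1
                   for lo, hi in self.ranges)

    def total_ports(self) -> int:
        """Ports available per protocol: (max port - min port + 1) times
        the number of addresses provisioned across all range rows."""
        return (self.max_port - self.min_port + 1) * self.address_count()

    def absolute_thresholds(self) -> Tuple[Optional[int], Optional[int]]:
        """Recalculate the percentages as entry counts once, at
        configuration time.  With usage% = entries * 100 / total:
        usage >= high%  <=>  entries >= ceil(high * total / 100)
        usage <= low%   <=>  entries <= floor(low * total / 100)"""
        total = self.total_ports()
        low = None if self.threshold_low_pct == DISABLED else \
            (self.threshold_low_pct * total) // 100
        high = None if self.threshold_high_pct == DISABLED else \
            (self.threshold_high_pct * total + 99) // 100
        return low, high


@dataclass(frozen=True)
class PoolNotification:
    name: str                # natv2NotificationPoolUsageLow or ...High
    notified_protocol: int   # natv2PoolNotifiedPortMapProtocol
    notified_entries: int    # natv2PoolNotifiedPortMapEntries


@dataclass
class PoolState:
    """Runtime side of the row: precomputed thresholds and the
    rate-limiting timestamp."""
    config: PoolConfig
    low_entries: Optional[int] = field(init=False, default=None)
    high_entries: Optional[int] = field(init=False, default=None)
    last_notified_at: Optional[float] = None

    def __post_init__(self) -> None:
        self.low_entries, self.high_entries = self.config.absolute_thresholds()

    def evaluate(self, entries_by_protocol: Dict[int, int],
                 now: float) -> Optional[PoolNotification]:
        """Compare the current port map entries (keyed by protocol
        number) with the thresholds; return the notification to emit,
        or None.  Runtime cost is one max() and two integer compares."""
        if not entries_by_protocol:
            return None
        # Usage is measured for the most-mapped protocol at this moment.
        proto, entries = max(entries_by_protocol.items(), key=lambda kv: kv[1])
        if self.high_entries is not None and entries >= self.high_entries:
            name = "natv2NotificationPoolUsageHigh"
        elif self.low_entries is not None and entries <= self.low_entries:
            name = "natv2NotificationPoolUsageLow"
        else:
            return None
        # Rate limitation: at most one notification per interval per pool.
        if (self.last_notified_at is not None
                and now - self.last_notified_at < self.config.notification_interval):
            return None
        self.last_notified_at = now
        return PoolNotification(name, proto, entries)
```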
705 3.3.7. The Address Pool Address Range Table: natv2PoolRangeTable
707 natv2PoolRangeTable provides configuration information only. It is
708 an expansion of natv2PoolTable giving the address ranges with which a
709 given address pool has been configured. As such, it is indexed by
710 the combination of NAT instance index, address pool index, and a
711 conceptual row index, where each conceptual row conveys a different
712 address range. The address range is specified in terms of lowest
713 and highest address, rather than the usual prefix notation, to
714 provide maximum flexibility.
716 3.3.8. The Address Map Table: natv2AddressMapTable
718 The address map table provides a table of mappings from internal to
719 external address at a given moment. It is indexed by the combination
720 of NAT instance index, internal realm, internal address type (IPv4 or
721 IPv6) in that realm, the internal address of the local host for which
722 the map entry was created, and a conceptual row index to traverse all
723 of the entries relating to the same internal address.
725 In the special case of DS-Lite [RFC6333], the internal address and
726 realm used in the index are those of the IPv6 outer header. The IPv4
727 source address for the inner header, for which [RFC6333] has reserved
728 addresses in the 192.0.0.0/29 range, is captured in two additional
729 objects in the corresponding conceptual row:
730 natv2AddressMapInternalMappedAddressType, and
731 natv2AddressMapInternalMappedAddress. In cases other than DS-Lite
732 access these objects have no meaning. (Other tunneled access is out
733 of scope.)
735 The additional information provided by natv2AddressMapTable consists
736 of the external realm, address type in that realm, and mapped
737 external address. Depending on implementation support, the table
738 also provides the index of the address pool from which the external
739 address was drawn and the index of the subscriber to which the map
740 entry belongs.
742 3.3.9. The Port Map Table: natv2PortMapTable
744 The port map table provides a table of mappings by protocol from
745 external port, address, and realm to internal port, address, and
746 realm. As such, it is indexed by the combination of NAT instance
747 index, protocol number, external realm identifier, address type in
748 that realm, external address, and external port. The mapping from
749 external realm, address, and port to internal realm, address, and
750 port is unique, so no conceptual row index is needed. The indexing
751 is designed to make it easy to trace individual sessions back to the
752 host, based on the contents of packets observed in the external
753 realm.
755 Beyond the indexing, the information provided by the port map table
756 consists of the internal realm, address type, address, and port
757 number, and, depending on implementation support, the index of the
758 subscriber to which the map entry belongs.
760 As with the address map table, special provision is made for the case
761 of DS-Lite [RFC6333]. The realm and outgoing source address are
762 those for the outer header, and the address type is IPv6. Additional
763 objects natv2PortMapInternalMappedAddressType and
764 natv2PortMapInternalMappedAddress capture the outgoing source address
765 in the inner header, which will be in the well-known 192.0.0.0/29
766 range.
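Because the port map table is keyed by the external side of a flow, a manager that has the instance number and the external realm, address and port of an observed packet can address the matching row directly. The following is an added example, not part of the draft: it applies the SMIv2 INDEX encoding rules of RFC 2578 Section 7.7 to the index order given above (NAT instance index, protocol number, external realm as an SnmpAdminString, address type, external address as an InetAddress, external port), and decodes the same suffix from a table walk. It assumes no index object is declared IMPLIED (the INDEX clause itself is outside this section) and omits the column OID prefix; the function names are hypothetical and the addresses are documentation addresses.

```python
import ipaddress
from typing import Dict, List

IPV4, IPV6 = 1, 2  # InetAddressType ipv4(1), ipv6(2)


def port_map_index(instance: int, protocol: int, realm: str,
                   address: str, port: int) -> List[int]:
    """OID sub-identifiers selecting one natv2PortMapTable row from the
    external side of a flow, in the index order the text gives.
    Fixed-size integers take one sub-identifier; variable-length
    strings take their length followed by one sub-identifier per octet."""
    if not 1 <= instance <= 4294967295:
        raise ValueError("Natv2InstanceIndex is 1..4294967295")
    if not 0 <= protocol <= 255:
        raise ValueError("ProtocolNumber is 0..255")
    if not 0 <= port <= 65535:
        raise ValueError("InetPortNumber is 0..65535")
    realm_octets = realm.encode("utf-8")
    if len(realm_octets) > 255:
        raise ValueError("SnmpAdminString is at most 255 octets")
    addr = ipaddress.ip_address(address)
    addr_type = IPV4 if addr.version == 4 else IPV6
    sub_ids = [instance, protocol]
    sub_ids.append(len(realm_octets))   # SnmpAdminString: length, then octets
    sub_ids.extend(realm_octets)
    sub_ids.append(addr_type)           # InetAddressType enumeration value
    sub_ids.append(len(addr.packed))    # InetAddress: length (4 or 16), then octets
    sub_ids.extend(addr.packed)
    sub_ids.append(port)
    return sub_ids


def decode_port_map_index(sub_ids: List[int]) -> Dict[str, object]:
    """Inverse of port_map_index, for row instances returned by a walk."""
    instance, protocol = sub_ids[0], sub_ids[1]
    pos = 2
    realm_len = sub_ids[pos]
    pos += 1
    realm = bytes(sub_ids[pos:pos + realm_len]).decode("utf-8")
    pos += realm_len
    addr_type, addr_len = sub_ids[pos], sub_ids[pos + 1]
    pos += 2
    if (addr_type, addr_len) not in ((IPV4, 4), (IPV6, 16)):
        raise ValueError("address type and address length disagree")
    address = str(ipaddress.ip_address(bytes(sub_ids[pos:pos + addr_len])))
    pos += addr_len
    port = sub_ids[pos]
    pos += 1
    if pos != len(sub_ids):
        raise ValueError("trailing sub-identifiers after the port")
    return {"instance": instance, "protocol": protocol, "realm": realm,
            "address_type": addr_type, "address": address, "port": port}
```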
768 3.4. Conformance: Three Application Scenarios
770 The conformance statements in NATV2-MIB provide for three application
771 scenarios: basic NAT, NAT supporting address pools, and carrier grade
772 NAT (CGN).
774 A basic NAT MAY limit the number of NAT instances it supports to one,
775 but MUST support indexing by NAT instance. Similarly, a basic NAT
776 MAY limit the number of realms it supports to two. By definition, a
777 basic NAT is not required to support the subscriber table, the
778 address pool table, or the address pool address range table. Some
779 individual objects in other tables are also not relevant to basic
780 NAT.
782 A NAT supporting address pools adds the address pool table and the
783 address pool address range table to what it implements. Some
784 individual objects in other tables also need to be implemented. A
785 NAT supporting address pools MUST support more than two realms.
787 Finally, a CGN MUST support the full contents of the MIB module.
788 That includes the subscriber table, but also includes the special
789 provision for DS-Lite access in the address and port map tables.
791 4. Definitions
793 This MIB module IMPORTs objects from [RFC2578], [RFC2579], [RFC2580],
794 [RFC3411], and [RFC4001].
796 NATV2-MIB DEFINITIONS ::= BEGIN
797 IMPORTS
798 MODULE-IDENTITY,
799 OBJECT-TYPE,
800 Integer32,
801 Unsigned32,
802 Counter64,
803 mib-2,
804 NOTIFICATION-TYPE
805 FROM SNMPv2-SMI -- RFC 2578
806 TEXTUAL-CONVENTION,
807 DisplayString,
808 TimeStamp
809 FROM SNMPv2-TC -- RFC 2579
810 MODULE-COMPLIANCE,
811 NOTIFICATION-GROUP,
812 OBJECT-GROUP
813 FROM SNMPv2-CONF -- RFC 2580
814 SnmpAdminString
815 FROM SNMP-FRAMEWORK-MIB -- RFC 3411
816 InetAddressType,
817 InetAddress,
818 InetAddressPrefixLength,
819 InetPortNumber
820 FROM INET-ADDRESS-MIB -- RFC 4001
822 natv2MIB MODULE-IDENTITY
823 LAST-UPDATED "201501180000Z"
824 -- RFC Ed.: set to publication date
825 ORGANIZATION
826 "IETF Behavior Engineering for Hindrance Avoidance
827 (BEHAVE) Working Group"
828 CONTACT-INFO
829 "Working Group Email: behave@ietf.org
831 Simon Perreault
832 Jive Communications
833 Quebec, QC
834 Canada
836 Email: sperreault@jive.com
838 Tina Tsou
839 Huawei Technologies
840 Bantian, Longgang
841 Shenzhen 518129
842 PR China
843 Email: tina.tsou.zouting@huawei.com
845 Senthil Sivakumar
846 Cisco Systems
847 7100-8 Kit Creek Road
848 Research Triangle Park, North Carolina 27709
849 USA
851 Phone: +1 919 392 5158
852 Email: ssenthil@cisco.com
854 Tom Taylor
855 PT Taylor Consulting
856 Ottawa
857 Canada
859 Email: tom.taylor.stds@gmail.com"
861 DESCRIPTION
862 "This MIB module defines the generic managed objects
863 for NAT.
865 Copyright (C) The Internet Society (2015). This
866 version of this MIB module is part of RFC yyyy; see
867 the RFC itself for full legal notices."
868 REVISION "201501180000Z"
869 -- RFC Ed.: set to publication date
870 DESCRIPTION
871 "Complete rewrite, published as RFC yyyy.
872 Replaces former version published as RFC 4008."
873 -- RFC Ed.: replace yyyy with actual RFC number and set date
874 ::= { mib-2 TBD }
876 -- textual conventions
878 ProtocolNumber ::= TEXTUAL-CONVENTION
879 DISPLAY-HINT "d"
880 STATUS current
881 DESCRIPTION
882 "A protocol number, from the 'protocol-numbers' IANA
883 registry."
884 REFERENCE
885 "IANA Protocol Numbers,
886 http://www.iana.org/assignments/protocol-numbers/protocol-
887 numbers.xhtml#protocol-numbers-1"
888 SYNTAX Unsigned32 (0..255)
890 Natv2SubscriberIndex ::= TEXTUAL-CONVENTION
891 DISPLAY-HINT "d"
892 STATUS current
893 DESCRIPTION
894 "A unique value, greater than zero, for each subscriber
895 in the managed system. The value for each
896 subscriber MUST remain constant at least from one
897 update of the entity's natv2SubscriberDiscontinuityTime
898 object until the next update of that object. If a
899 subscriber is deleted, its assigned index value MUST NOT
900 be assigned to another subscriber at least until
901 reinitialization of the entity's management system."
902 SYNTAX Unsigned32 (1..4294967295)
904 Natv2SubscriberIndexOrZero ::= TEXTUAL-CONVENTION
905 DISPLAY-HINT "d"
906 STATUS current
907 DESCRIPTION
908 "This textual convention is an extension of the
909 Natv2SubscriberIndex convention. The latter defines a
910 greater than zero value used to identify a subscriber in
911 the managed system. This extension permits the additional
912 value of zero, which serves as a placeholder when no
913 subscriber is associated with the object."
914 SYNTAX Unsigned32 (0|1..4294967295)
916 Natv2InstanceIndex ::= TEXTUAL-CONVENTION
917 DISPLAY-HINT "d"
918 STATUS current
919 DESCRIPTION
920 "A unique value, greater than zero, for each NAT instance
921 in the managed system. It is RECOMMENDED that values are
922 assigned contiguously starting from 1. The value for each
923 NAT instance MUST remain constant at least from one
924 update of the entity's natv2InstanceDiscontinuityTime
925 object until the next update of that object. If a NAT
926 instance is deleted, its assigned index value MUST NOT
927 be assigned to another NAT instance at least until
928 reinitialization of the entity's management system."
929 SYNTAX Unsigned32 (1..4294967295)
931 Natv2PoolIndex ::= TEXTUAL-CONVENTION
932 DISPLAY-HINT "d"
933 STATUS current
934 DESCRIPTION
935 "A unique value over the containing NAT instance, greater than
936 zero, for each address pool supported by that NAT instance.
937 It is RECOMMENDED that values are assigned contiguously
938 starting from 1. The value for each address pool MUST remain
939 constant at least from one update of the entity's
940 natv2PoolDiscontinuityTime object until the next update of
941 that object. If an address pool is deleted, its assigned
942 index value MUST NOT be assigned to another address pool for
943 the same NAT instance at least until reinitialization of the
944 entity's management system."
945 SYNTAX Unsigned32 (1..4294967295)
947 Natv2PoolIndexOrZero ::= TEXTUAL-CONVENTION
948 DISPLAY-HINT "d"
949 STATUS current
950 DESCRIPTION
951 "This textual convention is an extension of the
952 Natv2PoolIndex convention. The latter defines a greater
953 than zero value used to identify address pools in the
954 managed system. This extension permits the additional
955 value of zero, which serves as a placeholder when the
956 implementation does not support address pools or no address
957 pool is configured in a given external realm."
958 SYNTAX Unsigned32 (0|1..4294967295)
960 -- notifications
962 natv2MIBNotifications OBJECT IDENTIFIER ::= { natv2MIB 0 }
964 natv2NotificationPoolUsageLow NOTIFICATION-TYPE
965 OBJECTS { natv2PoolNotifiedPortMapEntries,
966 natv2PoolNotifiedPortMapProtocol }
967 STATUS current
968 DESCRIPTION
969 "This notification is triggered when an address pool's usage
970 becomes less than or equal to the value of the
971 natv2PoolThresholdUsageLow object for that pool, unless the
972 notification has been disabled by setting the value of the
973 threshold to -1. It is reported subject to the rate
974 limitation specified by natv2PortMapNotificationInterval.
976 Address pool usage is calculated as the percentage of the
977 total number of ports allocated to the address pool that are
978 already in use, for the most-mapped protocol at the time
979 the notification is triggered. The two returned objects are
980 members of natv2PoolTable indexed by the NAT instance and
981 pool indices for which the event is being reported. They
982 give the number of port map entries using external addresses
983 configured on the pool for the most-mapped protocol and
984 identify that protocol at the time the notification was
985 triggered."
986 REFERENCE
987 "RFC yyyy Section 3.1.2 and Section 3.3.6."
988 ::= { natv2MIBNotifications 1 }
990 natv2NotificationPoolUsageHigh NOTIFICATION-TYPE
991 OBJECTS { natv2PoolNotifiedPortMapEntries,
992 natv2PoolNotifiedPortMapProtocol }
993 STATUS current
994 DESCRIPTION
995 "This notification is triggered when an address pool's usage
996 becomes greater than or equal to the value of the
997 natv2PoolThresholdUsageHigh object for that pool, unless
998 the notification has been disabled by setting the value of
999 the threshold to -1. It is reported subject to the rate
1000 limitation specified by natv2PortMapNotificationInterval.
1002 Address pool usage is calculated as the percentage of the
1003 total number of ports allocated to the address pool that are
1004 already in use, for the most-mapped protocol at the time the
1005 notification is triggered. The two returned objects are
1006 members of natv2PoolTable indexed by the NAT instance and
1007 pool indices for which the event is being reported. They
1008 give the number of port map entries using external addresses
1009 configured on the pool for the most-mapped protocol and
1010 identify that protocol at the time the notification was
1011 triggered."
1012 REFERENCE
1013 "RFC yyyy Section 3.1.2 and Section 3.3.6."
1014 ::= { natv2MIBNotifications 2 }
1016 natv2NotificationInstanceAddressMapEntriesHigh NOTIFICATION-TYPE
1017 OBJECTS { natv2InstanceAddressMapEntries,
1018 natv2InstanceAddressMapCreations }
1019 STATUS current
1020 DESCRIPTION
1021 "This notification is triggered when the value of
1022 natv2InstanceAddressMapEntries equals or exceeds the value
1023 of the natv2InstanceThresholdAddressMapEntriesHigh object
1024 for the NAT instance, unless disabled by setting that
1025 threshold to 0. Reporting is subject to the rate limitation
1026 given by natv2InstanceNotificationInterval.
1028 natv2InstanceAddressMapEntries and
1029 natv2InstanceAddressMapCreations are members of
1030 table natv2InstanceTable indexed by the identifier
1031 of the NAT instance for which the event is being
1032 reported. They give the total number of address
1033 map entries over the whole NAT instance and the
1034 cumulative number created since the last reset of
1035 the counter, at the moment the notification was
1036 triggered."
1037 REFERENCE
1038 "RFC yyyy Section 3.1.2."
1039 ::= { natv2MIBNotifications 3 }
1041 natv2NotificationInstancePortMapEntriesHigh NOTIFICATION-TYPE
1042 OBJECTS { natv2InstancePortMapEntries,
1043 natv2InstancePortMapCreations }
1044 STATUS current
1045 DESCRIPTION
1046 "This notification is triggered when the value of
1047 natv2InstancePortMapEntries becomes greater than or equal to
1048 the value of natv2InstanceThresholdPortMapEntriesHigh,
1049 unless disabled by setting that threshold to 0. Reporting is
1050 subject to the rate limitation given by
1051 natv2InstanceNotificationInterval.
1053 natv2InstancePortMapEntries and
1054 natv2InstancePortMapCreations are members of table
1055 natv2InstanceTable indexed by the identifier of the NAT
1056 instance for which the event is being reported. They give
1057 the total number of active port mappings over the whole NAT
1058 instance and the cumulative number created since the last
1059 reset of the counter, at the moment the notification was
1060 triggered."
1061 ::= { natv2MIBNotifications 4 }
1063 natv2NotificationSubscriberPortMappingEntriesHigh
1064 NOTIFICATION-TYPE
1065 OBJECTS { natv2SubscriberPortMapEntries,
1066 natv2SubscriberPortMapCreations }
1067 STATUS current
1068 DESCRIPTION
1069 "This notification is triggered when the value of
1070 natv2SubscriberPortMapEntries for an individual subscriber
1071 becomes greater than or equal to the value of the
1072 natv2SubscriberThresholdPortMapEntriesHigh object for that
1073 subscriber, unless disabled by setting that threshold to 0.
1074 Reporting is subject to the rate limitation given by
1075 natv2SubscriberNotificationInterval.
1077 natv2SubscriberPortMapEntries and
1078 natv2SubscriberPortMapCreations are members of table
1079 natv2SubscriberTable indexed by the subscriber for
1080 which the event is being reported. They give the total
1081 number of port map entries for the subscriber and the
1082 cumulative number created since the last reset of the
1083 counter, at the moment the notification was triggered."
1084 ::= { natv2MIBNotifications 5 }
1086 -- Device-level objects
1088 natv2MIBDeviceObjects OBJECT IDENTIFIER ::= { natv2MIB 1 }
1090 -- subscriber table
1092 natv2SubscriberTable OBJECT-TYPE
1093 SYNTAX SEQUENCE OF Natv2SubscriberEntry
1094 MAX-ACCESS not-accessible
1095 STATUS current
1096 DESCRIPTION
1097 "Table of subscribers. As well as the subscriber index, it
1098 provides per-subscriber state and counter objects, a last
1099 discontinuity time object for the counters, and writable
1100 threshold value and limit on port consumption."
1101 REFERENCE
1102 "RFC yyyy Section 3.3.3."
1103 ::= { natv2MIBDeviceObjects 1 }
1105 natv2SubscriberEntry OBJECT-TYPE
1106 SYNTAX Natv2SubscriberEntry
1107 MAX-ACCESS not-accessible
1108 STATUS current
1109 DESCRIPTION
1110 "Each entry describes a single subscriber."
1111 INDEX { natv2SubscriberIndex }
1112 ::= { natv2SubscriberTable 1 }
1114 Natv2SubscriberEntry ::=
1115 SEQUENCE {
1116 natv2SubscriberIndex Natv2SubscriberIndex,
1117 natv2SubscriberInternalRealm SnmpAdminString,
1118 natv2SubscriberInternalPrefixType InetAddressType,
1119 natv2SubscriberInternalPrefix InetAddress,
1120 natv2SubscriberInternalPrefixLength InetAddressPrefixLength,
1121 -- State
1122 natv2SubscriberAddressMapEntries Unsigned32,
1123 natv2SubscriberPortMapEntries Unsigned32,
1124 -- Counters and last discontinuity time
1125 natv2SubscriberTranslations Counter64,
1126 natv2SubscriberAddressMapCreations Counter64,
1127 natv2SubscriberPortMapCreations Counter64,
1128 natv2SubscriberAddressMapFailureDrops Counter64,
1129 natv2SubscriberPortMapFailureDrops Counter64,
1130 natv2SubscriberOtherResourceFailureDrops Counter64,
1131 natv2SubscriberDiscontinuityTime TimeStamp,
1132 -- Read-write controls
1133 natv2SubscriberLimitPortMapEntries Unsigned32,
1134 -- Disable limit by setting to 0 (default)
1135 natv2SubscriberThresholdPortMapEntriesHigh Unsigned32,
1136 -- Disable notifications by setting threshold to 0 (default)
1137 natv2SubscriberNotificationInterval Unsigned32
1138 -- Default is 60 seconds
1139 }
1141 natv2SubscriberIndex OBJECT-TYPE
1142 SYNTAX Natv2SubscriberIndex
1143 MAX-ACCESS not-accessible
1144 STATUS current
1145 DESCRIPTION
1146 "A unique value, greater than zero, for each subscriber
1147 in the managed system. The value for each
1148 subscriber MUST remain constant at least from one
1149 update of the entity's natv2SubscriberDiscontinuityTime
1150 object until the next update of that object. If a
1151 subscriber is deleted, its assigned index value MUST NOT
1152 be assigned to another subscriber at least until
1153 reinitialization of the entity's management system."
1154 ::= { natv2SubscriberEntry 1 }
1156 -- Configuration for this subscriber: realm, internal address(es)
1158 natv2SubscriberInternalRealm OBJECT-TYPE
1159 SYNTAX SnmpAdminString (SIZE(0..32))
1160 MAX-ACCESS read-only
1161 STATUS current
1162 DESCRIPTION
1163 "The address realm to which this subscriber belongs. A realm
1164 defines an address space. All NATs support at least two
1165 realms.
1167 The default realm for subscribers is 'internal'.
1168 Administrators can set other values for individual
1169 subscribers when they are configured. The administrator MAY
1170 configure a new value of natv2SubscriberInternalRealm at any
1171 time subsequent to initial configuration of the subscriber. If
1172 this happens, it MUST be treated as a point of discontinuity
1173 requiring an update of natv2SubscriberDiscontinuityTime.
1175 When the subscriber sends a packet to the NAT through a
1176 DS-Lite [RFC 6333] tunnel, this is the realm of the outer
1177 packet header source address. Other tunneled access is out
1178 of scope."
1179 REFERENCE
1180 "Address realm: RFC 2663. DS-Lite: RFC 6333."
1181 DEFVAL
1182 { "internal" }
1183 ::= { natv2SubscriberEntry 2 }
1185 natv2SubscriberInternalPrefixType OBJECT-TYPE
1186 SYNTAX InetAddressType
1187 MAX-ACCESS read-only
1188 STATUS current
1189 DESCRIPTION
1190 "Subscriber's internal prefix type. Any value other than
1191 ipv4(1) or ipv6(2) would be unexpected. In the case of
1192 DS-Lite access, this is the prefix type (IPv6(2)) used in
1193 the outer packet header."
1194 REFERENCE
1195 "DS-Lite: RFC 6333."
1196 ::= { natv2SubscriberEntry 3 }
1198 natv2SubscriberInternalPrefix OBJECT-TYPE
1199 SYNTAX InetAddress
1200 MAX-ACCESS read-only
1201 STATUS current
1202 DESCRIPTION
1203 "Prefix assigned to a subscriber's CPE. Source addresses of
1204 packets outgoing from the subscriber will be contained
1205 within this prefix. In the case of DS-Lite access,
1206 the source address taken from the prefix will be
1207 that of the outer header."
1208 REFERENCE
1209 "DS-Lite: RFC 6333."
1210 ::= { natv2SubscriberEntry 4 }
1212 natv2SubscriberInternalPrefixLength OBJECT-TYPE
1213 SYNTAX InetAddressPrefixLength
1214 MAX-ACCESS read-only
1215 STATUS current
1216 DESCRIPTION
1217 "Length of the prefix assigned to a subscriber's CPE, in
1218 bits. If a single address is assigned, this will be 32
1219 for IPv4 and 128 for IPv6."
1220 ::= { natv2SubscriberEntry 5 }
1222 -- State objects
1223 natv2SubscriberAddressMapEntries OBJECT-TYPE
1224 SYNTAX Unsigned32
1225 MAX-ACCESS read-only
1226 STATUS current
1227 DESCRIPTION
1228 "The current number of address map entries for the
1229 subscriber, including static mappings. An address map entry
1230 maps from a given internal address and realm to an external
1231 address in a particular external realm. This definition
1232 includes 'hairpin' mappings, where the external realm is the
1233 same as the internal one. Address map entries are also
1234 tracked per instance and per address pool within the
1235 instance."
1236 REFERENCE
1237 "RFC yyyy Section 3.3.8."
1238 ::= { natv2SubscriberEntry 6 }
1240 natv2SubscriberPortMapEntries OBJECT-TYPE
1241 SYNTAX Unsigned32
1242 MAX-ACCESS read-only
1243 STATUS current
1244 DESCRIPTION
1245 "The current number of port map entries in the port map table
1246 for the subscriber, including static mappings. A port map
1247 entry maps from a given external realm, address, and port
1248 for a given protocol to an internal realm, address, and
1249 port. This definition includes 'hairpin' mappings, where the
1250 external realm is the same as the internal one. Port map
1251 entries are also tracked per instance and per protocol and
1252 address pool within the instance."
1253 REFERENCE
1254 "RFC yyyy Section 3.3.9."
1255 ::= { natv2SubscriberEntry 7 }
1257 -- Counters and last discontinuity time
1259 natv2SubscriberTranslations OBJECT-TYPE
1260 SYNTAX Counter64
1261 MAX-ACCESS read-only
1262 STATUS current
1263 DESCRIPTION
1264 "The cumulative number of translated packets received from or
1265 sent to this subscriber. This value MUST be monotone
1266 increasing in the periods between updates of the entity's
1267 natv2SubscriberDiscontinuityTime. If a manager detects a
1268 change in the latter since the last time it sampled this
1269 counter, it SHOULD NOT make use of the difference between
1270 the latest value of the counter and any value retrieved
1271 before the new value of natv2SubscriberDiscontinuityTime."
1272 ::= { natv2SubscriberEntry 8 }
1274 natv2SubscriberAddressMapCreations OBJECT-TYPE
1275 SYNTAX Counter64
1276 MAX-ACCESS read-only
1277 STATUS current
1278 DESCRIPTION
1279 "The cumulative number of address map entries created for
1280 this subscriber, including static mappings. Address map
1281 entries are also tracked per instance and per protocol and
1282 address pool within the instance.
1284 This value MUST be monotone increasing in
1285 the periods between updates of the entity's
1286 natv2SubscriberDiscontinuityTime. If a manager detects a
1287 change in the latter since the last time it sampled this
1288 counter, it SHOULD NOT make use of the difference between
1289 the latest value of the counter and any value retrieved
1290 before the new value of natv2SubscriberDiscontinuityTime."
1291 ::= { natv2SubscriberEntry 9 }
1293 natv2SubscriberPortMapCreations OBJECT-TYPE
1294 SYNTAX Counter64
1295 MAX-ACCESS read-only
1296 STATUS current
1297 DESCRIPTION
1298 "The cumulative number of port map entries created for this
1299 subscriber, including static mappings. Port map entries are
1300 also tracked per instance and per protocol and address pool
1301 within the instance.
1303 This value MUST be monotone increasing in the periods
1304 between updates of the entity's
1305 natv2SubscriberDiscontinuityTime. If a manager detects a
1306 change in the latter since the last time it sampled this
1307 counter, it SHOULD NOT make use of the difference between
1308 the latest value of the counter and any value retrieved
1309 before the new value of natv2SubscriberDiscontinuityTime."
1310 ::= { natv2SubscriberEntry 10 }
1312 natv2SubscriberAddressMapFailureDrops OBJECT-TYPE
1313 SYNTAX Counter64
1314 MAX-ACCESS read-only
1315 STATUS current
1316 DESCRIPTION
1317 "The cumulative number of packets originated by this
1318 subscriber that were dropped because the packet would have
1319 triggered the creation of a new address map entry, but no
1320 address could be allocated in the selected external realm
1321 because all addresses from the selected address pool (or the
1322 whole realm, if no address pool has been configured for that
1323 realm) have already been fully allocated.
1325 This value MUST be monotone increasing in the periods
1326 between updates of the entity's
1327 natv2SubscriberDiscontinuityTime. If a manager detects a
1328 change in the latter since the last time it sampled this
1329 counter, it SHOULD NOT make use of the difference between
1330 the latest value of the counter and any value retrieved
1331 before the new value of natv2SubscriberDiscontinuityTime."
1332 ::= { natv2SubscriberEntry 11 }
1334 natv2SubscriberPortMapFailureDrops OBJECT-TYPE
1335 SYNTAX Counter64
1336 MAX-ACCESS read-only
1337 STATUS current
1338 DESCRIPTION
1339 "The cumulative number of packets dropped because the
1340 packet would have triggered the creation of a new
1341 port mapping, but no port could be allocated for the
1342 protocol concerned. The usual case for this will be
1343 for a NAT instance that supports address pooling and
1344 the 'paired' pooling behavior recommended by RFC 4787,
1345 where the internal endpoint has used up all of the
1346 ports allocated to it for the address it was mapped to
1347 in the selected address pool in the external realm
1348 concerned and cannot be given more ports because
1349 - policy or implementation prevents it from having a
1350 second address in the same pool, and
1351 - policy or unavailability prevents it from acquiring
1352 more ports at its originally assigned address.
1354 If the NAT instance supports address pooling but its
1355 pooling behavior is 'arbitrary' (meaning that
1356 the NAT instance can allocate a new port mapping for
1357 the given internal endpoint on any address in the
1358 selected address pool and is not bound to what it has
1359 already mapped for that endpoint), then this counter
1360 is incremented when all ports for the protocol concerned
1361 over the whole of the selected address pool are already
1362 in use.
1364 As a third case, if no address pools have been configured
1365 for the external realm concerned, then this counter is
1366 incremented because all ports for the protocol involved over
1367 the whole set of addresses available for that external realm
1368 are already in use.
1370 Finally, this counter is incremented if the packet would
1371 have triggered the creation of a new port mapping, but the
1372 current value of natv2SubscriberPortMapEntries equals or
1373 exceeds the value of natv2SubscriberLimitPortMapEntries
1374 for this subscriber (unless that limit is disabled).
1376 This value MUST be monotone increasing in the periods
1377 between updates of the entity's
1378 natv2SubscriberDiscontinuityTime. If a manager detects a
1379 change in the latter since the last time it sampled this
1380 counter, it SHOULD NOT make use of the difference between
1381 the latest value of the counter and any value retrieved
1382 before the new value of natv2SubscriberDiscontinuityTime."
1383 REFERENCE
1384 "Pooling behavior: RFC 4787, end of section 4.1."
1385 ::= { natv2SubscriberEntry 12 }
1387 natv2SubscriberOtherResourceFailureDrops OBJECT-TYPE
1388 SYNTAX Counter64
1389 MAX-ACCESS read-only
1390 STATUS current
1391 DESCRIPTION
1392 "The cumulative number of packets dropped because of
1393 unavailability of a resource other than an address or
1394 port that would have been required to process it.
1396 This value MUST be monotone increasing in the periods
1397 between updates of the entity's
1398 natv2SubscriberDiscontinuityTime. If a manager detects a
1399 change in the latter since the last time it sampled this
1400 counter, it SHOULD NOT make use of the difference between
1401 the latest value of the counter and any value retrieved
1402 before the new value of natv2SubscriberDiscontinuityTime."
1403 ::= { natv2SubscriberEntry 13 }
1405 natv2SubscriberDiscontinuityTime OBJECT-TYPE
1406 SYNTAX TimeStamp
1407 MAX-ACCESS read-only
1408 STATUS current
1409 DESCRIPTION
1410 "Snapshot of the value of the sysUpTime object at the
1411 beginning of the latest period of continuity of the
1412 statistical counters associated with this subscriber."
1413 ::= { natv2SubscriberEntry 14 }
1415 -- Per-subscriber limit and threshold on port mappings
1416 -- Disabled if set to zero
1417 natv2SubscriberLimitPortMapEntries OBJECT-TYPE
1418 SYNTAX Unsigned32
1419 MAX-ACCESS read-write
1420 STATUS current
1421 DESCRIPTION
1422 "Limit on total number of port mappings active for this
1423 subscriber (natv2SubscriberPortMapEntries). Once this limit
1424 is reached, packets that might have triggered new port
1425 mappings are dropped. The number of such packets dropped is
1426 counted in natv2InstancePortMapFailureDrops.
1428 Limit is disabled if set to zero (default)."
1429 DEFVAL
1430 { 0 }
1431 ::= { natv2SubscriberEntry 15 }
1433 natv2SubscriberThresholdPortMapEntriesHigh OBJECT-TYPE
1434 SYNTAX Unsigned32
1435 MAX-ACCESS read-write
1436 STATUS current
1437 DESCRIPTION
1438 "Notification threshold for total number of port mappings
1439 active for this subscriber. Whenever
1440 natv2SubscriberPortMapEntries is updated, if it equals or
1441 exceeds natv2SubscriberThresholdPortMapEntriesHigh, the
1442 notification
1443 natv2NotificationSubscriberPortMappingEntriesHigh is
1444 triggered, unless the notification is disabled by setting
1445 the threshold to 0. Reporting is subject to the minimum
1446 inter-notification interval given by
1447 natv2SubscriberNotificationInterval. If multiple
1448 notifications are triggered during one interval, the agent
1449 MUST report only the one containing the highest value of
1450 natv2SubscriberPortMapEntries and discard the others."
1451 DEFVAL
1452 { 0 }
1453 ::= { natv2SubscriberEntry 16 }
1455 natv2SubscriberNotificationInterval OBJECT-TYPE
1456 SYNTAX Unsigned32 (1..3600)
1457 UNITS
1458 "Seconds"
1459 MAX-ACCESS read-write
1460 STATUS current
1461 DESCRIPTION
1462 "Minimum number of seconds (default 60) between successive
1463 reporting of notifications for this subscriber. Controls the
1464 reporting of
1465 natv2NotificationSubscriberPortMappingEntriesHigh."
1466 DEFVAL
1467 { 60 }
1468 ::= { natv2SubscriberEntry 17 }
1470 -- Per-NAT-instance objects
1472 natv2MIBInstanceObjects OBJECT IDENTIFIER ::= { natv2MIB 2 }
1474 -- Instance table
1476 natv2InstanceTable OBJECT-TYPE
1477 SYNTAX SEQUENCE OF Natv2InstanceEntry
1478 MAX-ACCESS not-accessible
1479 STATUS current
1480 DESCRIPTION
1481 "Table of NAT instances. As well as state and counter
1482 objects, it provides the instance index, instance name,
1483 number of address pools, next available address pool index
1484 value, and the last discontinuity time object which is
1485 applicable to the counters. It also contains writable
1486 thresholds for reporting of notifications and limits on
1487 usage of resources at the level of the NAT instance.
1489 It is assumed that NAT instances can be created and deleted
1490 dynamically, but this MIB module does not provide the means
1491 to do so. For restrictions on assignment and maintenance of
1492 the NAT instance index see the description of
1493 natv2InstanceIndex in the table below. For the requirements
1494 on maintenance of the values of the counters in this table
1495 see the description of natv2InstanceDiscontinuityTime in
1496 this table.
1498 Each NAT instance has its own resources and behavior. The
1499 resources include memory as reflected in space for map
1500 entries, processing power as reflected in the rate of map
1501 creation and deletion, and mappable addresses in each realm
1502 that can play the role of an external realm for at least
1503 some mappings for that instance. The NAT instance table
1504 includes limits and notification thresholds that relate to
1505 memory usage for mapping at the level of the whole instance.
1506 The limit on the number of subscribers with active mappings
1507 is, to some extent, a limit on processor usage.
1509 The mappable 'external' addresses may or may not be
1510 organized into address pools. For a definition of address
1511 pools see the description of natv2PoolTable. If the instance
1512 does support address pools, it also has a pooling behavior.
1513 Mapping, filtering, and pooling behavior are defined in the
1514 descriptions of the natv2InstancePortMappingBehavior,
1515 natv2InstanceFilteringBehavior, and
1516 natv2InstancePoolingBehavior objects in this table. The
1517 instance also has a fragmentation behavior, defined in the
1518 description of the natv2InstanceFragmentBehavior object."
1519 REFERENCE
1520 "RFC yyyy Section 3.3.4. NAT behaviors: RFC 4787
1521 (primary, UDP); RFC 5382 (TCP), RFC 5508 (ICMP), RFC 5597
1522 (DCCP)."
1523 ::= { natv2MIBInstanceObjects 1 }
1525 natv2InstanceEntry OBJECT-TYPE
1526 SYNTAX Natv2InstanceEntry
1527 MAX-ACCESS not-accessible
1528 STATUS current
1529 DESCRIPTION
1530 "Objects related to a single NAT instance."
1531 INDEX { natv2InstanceIndex }
1532 ::= { natv2InstanceTable 1 }
1534 Natv2InstanceEntry ::=
1535 SEQUENCE {
1536 natv2InstanceIndex Natv2InstanceIndex,
1537 natv2InstanceAlias DisplayString,
1538 -- Configured behaviors
1539 natv2InstancePortMappingBehavior INTEGER,
1540 natv2InstanceFilteringBehavior INTEGER,
1541 natv2InstancePoolingBehavior INTEGER,
1542 natv2InstanceFragmentBehavior INTEGER,
1543 -- State
1544 natv2InstanceAddressMapEntries Unsigned32,
1545 natv2InstancePortMapEntries Unsigned32,
1546 -- Statistics and discontinuity time
1547 natv2InstanceTranslations Counter64,
1548 natv2InstanceAddressMapCreations Counter64,
1549 natv2InstancePortMapCreations Counter64,
1550 natv2InstanceAddressMapEntryLimitDrops Counter64,
1551 natv2InstancePortMapEntryLimitDrops Counter64,
1552 natv2InstanceSubscriberActiveLimitDrops Counter64,
1553 natv2InstanceAddressMapFailureDrops Counter64,
1554 natv2InstancePortMapFailureDrops Counter64,
1555 natv2InstanceFragmentDrops Counter64,
1556 natv2InstanceOtherResourceFailureDrops Counter64,
1557 natv2InstanceDiscontinuityTime TimeStamp,
1559 -- Notification thresholds, disabled if set to 0
1560 natv2InstanceThresholdAddressMapEntriesHigh Unsigned32,
1561 natv2InstanceThresholdPortMapEntriesHigh Unsigned32,
1562 natv2InstanceNotificationInterval Unsigned32,
1563 -- Limits, disabled if set to 0
1564 natv2InstanceLimitAddressMapEntries Unsigned32,
1565 natv2InstanceLimitPortMapEntries Unsigned32,
1566 natv2InstanceLimitPendingFragments Unsigned32,
1567 natv2InstanceLimitSubscriberActives Unsigned32
1568 }
1570 natv2InstanceIndex OBJECT-TYPE
1571 SYNTAX Natv2InstanceIndex
1572 MAX-ACCESS not-accessible
1573 STATUS current
1574 DESCRIPTION
1575 "NAT instance index. It is up to the implementation to
1576 determine which values correspond to in-service NAT
1577 instances. This object is used as an index for all tables
1578 defined below."
1579 ::= { natv2InstanceEntry 1 }
1581 natv2InstanceAlias OBJECT-TYPE
1582 SYNTAX DisplayString (SIZE (0..64))
1583 MAX-ACCESS read-only
1584 STATUS current
1585 DESCRIPTION
1586 "This object is an 'alias' name for the NAT instance as
1587 specified by a network manager, and provides a non-volatile
1588 'handle' for the instance.
1590 An example of the value which a network manager might store
1591 in this object for a NAT instance is the name/identifier of
1592 the interface that brings in internal traffic for this NAT
1593 instance or the name of the VRF for internal traffic."
1594 ::= { natv2InstanceEntry 2 }
1596 -- Configured behaviors
1598 natv2InstancePortMappingBehavior OBJECT-TYPE
1624 SYNTAX INTEGER {
1625 endpointIndependent (0),
1626 addressDependent (1),
1627 addressAndPortDependent (2)
1628 }
1599 MAX-ACCESS read-only
1600 STATUS current
1601 DESCRIPTION
1602 "Port mapping behavior is the policy governing selection of
1603 external address and port in a given realm for a given
1604 five-tuple of source address and port, destination address
1605 and port, and protocol.
1607 endpointIndependent(0), the behavior REQUIRED by RFC 4787
1608 REQ-1, maps the source address and port to the same
1609 external address and port for all destination address and
1610 port combinations reached through the same external realm
1611 and using the given protocol.
1613 addressDependent(1) maps to the same external address and
1614 port for all destination ports at the same destination
1615 address reached through the same external realm and using
1616 the given protocol.
1618 addressAndPortDependent(2) maps to a separate external
1619 address and port combination for each different
1620 destination address and port combination reached through
1621 the same external realm."
1622 REFERENCE
1623 "RFC 4787 section 4.1."
1629 ::= { natv2InstanceEntry 3 }
1631 natv2InstanceFilteringBehavior OBJECT-TYPE
1661 SYNTAX INTEGER {
1662 endpointIndependent (0),
1663 addressDependent (1),
1664 addressAndPortDependent (2)
1665 }
1632 MAX-ACCESS read-only
1633 STATUS current
1634 DESCRIPTION
1635 "Filtering behavior is the policy governing acceptance or
1636 dropping of packets incoming from remote sources via a
1637 given external realm and destined to a specific three-tuple
1638 of external address, port, and protocol at the NAT instance
1639 that has been assigned in a port mapping.
1641 endpointIndependent(0) accepts for translation packets from
1642 all combinations of remote address and port destined to the
1643 mapped external address and port via the given external
1644 realm and using the given protocol.
1646 addressDependent(1) accepts for translation packets from all
1647 remote ports from the same remote source address destined to
1648 the mapped external address and port via the given external
1649 realm and using the given protocol.
1651 addressAndPortDependent(2) accepts for translation only
1652 those packets with the same remote source address, port, and
1653 protocol incoming from the same external realm as identified
1654 when the applicable port map entry was created.
1656 RFC 4787 REQ-8 recommends either endpointIndependent(0) or
1657 addressDependent(1) filtering behavior depending on whether
1658 application-friendliness or security takes priority."
1659 REFERENCE
1660 "RFC 4787 section 5."
1666 ::= { natv2InstanceEntry 4 }
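The mapping and filtering behaviors defined by the two objects above, as an added worked model in Python. It is not code from this draft nor from any NAT implementation the draft describes, and it assumes a single internal realm, a single external realm with one external address 192.0.2.1 (an RFC 5737 documentation address chosen for the example), one protocol, sequential port allocation from 1024, and no address pools, hairpinning or mapping timeouts. The mapping behavior decides how many port map entries one internal endpoint consumes; the filtering behavior decides whether an inbound packet from an endpoint the internal host never contacted is translated or dropped, which is the application-friendliness versus security trade-off named in REQ-8.

```python
"""Model of the RFC 4787 mapping and filtering behaviours enumerated by
natv2InstancePortMappingBehavior and natv2InstanceFilteringBehavior.
Constructed example: one internal realm, one external realm with the single
external address 192.0.2.1 (RFC 5737 documentation range), sequential port
allocation from 1024, a single protocol, no pools, hairpinning or timeouts."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]          # (address, port)

# Enumeration values exactly as in the two MIB objects
ENDPOINT_INDEPENDENT = 0
ADDRESS_DEPENDENT = 1
ADDRESS_AND_PORT_DEPENDENT = 2


@dataclass
class PortMap:
    internal: Endpoint
    external_port: int
    # Remote endpoints the internal endpoint has sent to through this
    # entry; address- and address-and-port-dependent filtering consult it.
    remotes: Set[Endpoint] = field(default_factory=set)


@dataclass
class NatInstance:
    mapping_behavior: int
    filtering_behavior: int
    external_addr: str = "192.0.2.1"
    next_port: int = 1024
    maps: Dict[tuple, PortMap] = field(default_factory=dict)   # key -> entry
    by_port: Dict[int, PortMap] = field(default_factory=dict)  # ext port -> entry
    translations: int = 0        # natv2InstanceTranslations, both directions
    filtered_inbound: int = 0    # not a MIB object; constructed for the demo

    def port_map_entries(self) -> int:
        """natv2InstancePortMapEntries for this model."""
        return len(self.maps)

    def _key(self, src: Endpoint, dst: Endpoint) -> tuple:
        """Mapping key: the more of the destination it includes, the more
        port map entries one internal endpoint consumes."""
        if self.mapping_behavior == ENDPOINT_INDEPENDENT:
            return (src,)
        if self.mapping_behavior == ADDRESS_DEPENDENT:
            return (src, dst[0])
        return (src, dst)

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate an internal-to-external packet, creating a port map
        entry when none matches; returns the external endpoint used."""
        key = self._key(src, dst)
        entry = self.maps.get(key)
        if entry is None:
            entry = PortMap(src, self.next_port)
            self.next_port += 1
            self.maps[key] = entry
            self.by_port[entry.external_port] = entry
        entry.remotes.add(dst)
        self.translations += 1
        return (self.external_addr, entry.external_port)

    def inbound(self, remote: Endpoint, ext_port: int) -> Optional[Endpoint]:
        """Apply the filtering behaviour to an external-to-internal packet;
        returns the internal endpoint, or None when the packet is dropped."""
        entry = self.by_port.get(ext_port)
        if entry is None:
            return None      # no mapping at all: always dropped
        if self.filtering_behavior == ENDPOINT_INDEPENDENT:
            accept = True
        elif self.filtering_behavior == ADDRESS_DEPENDENT:
            accept = any(r[0] == remote[0] for r in entry.remotes)
        else:
            accept = remote in entry.remotes
        if not accept:
            self.filtered_inbound += 1
            return None
        self.translations += 1
        return entry.internal
```

With endpointIndependent(0) mapping and addressDependent(1) filtering, an internal endpoint that has contacted 198.51.100.7 on one port receives packets from any port of that address but nothing from an address it never contacted; with addressAndPortDependent(2) on both, every distinct destination costs a separate port map entry, and only the exact remote endpoint can reach it back.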
1668 natv2InstancePoolingBehavior OBJECT-TYPE
1687 SYNTAX INTEGER {
1688 arbitrary (0),
1689 paired (1)
1690 }
1669 MAX-ACCESS read-only
1670 STATUS current
1671 DESCRIPTION
1672 "Pooling behavior is the policy used to select the address
1673 for a new port mapping within a given address pool to which
1674 the internal address has already been mapped.
1676 arbitrary(0) pooling behavior means that the NAT instance
1677 may create the new port mapping using any address in the
1678 pool that has a free port for the protocol concerned.
1680 paired(1) pooling behavior, the behavior RECOMMENDED by RFC
1681 4787 REQ-2, means that once a given internal address has
1682 been mapped to a particular address in a particular pool,
1683 further mappings of the same internal address to that pool
1684 will reuse the previously assigned pool member address."
1685 REFERENCE
1686 "RFC 4787 near the end of section 4.1"
1691 ::= { natv2InstanceEntry 5 }
1693 natv2InstanceFragmentBehavior OBJECT-TYPE
1722 SYNTAX INTEGER {
1723 fragmentNone (0),
1724 fragmentInOrder (1),
1725 fragmentOutOfOrder (2)
}
1694 MAX-ACCESS read-only
1695 STATUS current
1696 DESCRIPTION
1697 "Fragment behavior is the NAT instance's capability to
1698 receive and translate fragments incoming from remote
1699 sources.
1701 fragmentNone(0) implies no capability to translate incoming
1702 fragments, so all received fragments are dropped. Each
1703 dropped fragment is counted in natv2InstanceFragmentDrops.
1705 fragmentInOrder(1) implies the ability to translate
1706 fragments only if they are received in order, so that in
1707 particular the header is in the first packet. If a fragment
1708 is received out of order, it is dropped and counted in
1709 natv2InstanceFragmentDrops.
1711 fragmentOutOfOrder(2), the capability REQUIRED by RFC 4787
1712 REQ-14, implies the capability to translate fragments even
1713 when they arrive out of order, subject to a protective
1714 limit natv2InstanceLimitPendingFragments on total number of
1715 fragments awaiting the first fragment of the chain. If the
1716 implementation supports this capability,
1717 natv2InstanceFragmentDrops is incremented only when a new
1718 fragment arrives but is dropped because the limit on pending
1719 fragments has already been reached."
1720 REFERENCE
1721 "RFC 4787 section 11."
1726 ::= { natv2InstanceEntry 6 }
1728 -- State
1730 natv2InstanceAddressMapEntries OBJECT-TYPE
1731 SYNTAX Unsigned32
1732 MAX-ACCESS read-only
1733 STATUS current
1734 DESCRIPTION
1735 "The current number of address map entries in total over the
1736 whole NAT instance, including static mappings. An address
1737 map entry maps from a given internal address and realm to an
1738 external address in a particular external realm. This
1739 definition includes 'hairpin' mappings, where the external
1740 realm is the same as the internal one. Address map entries
1741 are also tracked per subscriber and per address pool within
1742 the instance."
1743 REFERENCE
1744 "RFC yyyy Section 3.3.8. RFC 4787 section 6."
1745 ::= { natv2InstanceEntry 7 }
1747 natv2InstancePortMapEntries OBJECT-TYPE
1748 SYNTAX Unsigned32
1749 MAX-ACCESS read-only
1750 STATUS current
1751 DESCRIPTION
1752 "The current number of entries in the port map table in total
1753 over the whole NAT instance, including static mappings. A
1754 port map entry maps from a given external realm, address,
1755 and port for a given protocol to an internal realm, address,
1756 and port. This definition includes 'hairpin' mappings, where
1757 the external realm is the same as the internal one. Port map
1758 entries are also tracked per subscriber and per protocol and
1759 address pool within the instance."
1760 REFERENCE
1761 "RFC yyyy Section 3.3.9.
1762 Hairpinning: RFC 4787 Section 6."
1763 ::= { natv2InstanceEntry 8 }
1765 -- Statistics
1767 natv2InstanceTranslations OBJECT-TYPE
1768 SYNTAX Counter64
1769 MAX-ACCESS read-only
1770 STATUS current
1771 DESCRIPTION
1772 "The cumulative number of translated packets passing through
1773 this NAT instance. This value MUST be monotone increasing in
1774 the periods between updates of
1775 natv2InstanceDiscontinuityTime. If a manager detects a
1776 change in the latter since the last time it sampled this
1777 counter, it SHOULD NOT make use of the difference between
1778 the latest value of the counter and any value retrieved
1779 before the new value of natv2InstanceDiscontinuityTime."
1780 ::= { natv2InstanceEntry 9 }
1782 natv2InstanceAddressMapCreations OBJECT-TYPE
1783 SYNTAX Counter64
1784 MAX-ACCESS read-only
1785 STATUS current
1786 DESCRIPTION
1787 "The cumulative number of address map entries created by the
1788 NAT instance, including static mappings. Address map
1789 creations are also tracked per address pool within the
1790 instance and per subscriber.
1792 This value MUST be monotone increasing in
1793 the periods between updates of
1794 natv2InstanceDiscontinuityTime. If a manager detects a
1795 change in the latter since the last time it sampled this
1796 counter, it SHOULD NOT make use of the difference between
1797 the latest value of the counter and any value retrieved
1798 before the new value of natv2InstanceDiscontinuityTime."
1799 ::= { natv2InstanceEntry 10 }
1801 natv2InstancePortMapCreations OBJECT-TYPE
1802 SYNTAX Counter64
1803 MAX-ACCESS read-only
1804 STATUS current
1805 DESCRIPTION
1806 "The cumulative number of port map entries created by the
1807 NAT instance, including static mappings. Port map
1808 creations are also tracked per protocol and address pool
1809 within the instance and per subscriber.
1811 This value MUST be monotone increasing in
1812 the periods between updates of
1813 natv2InstanceDiscontinuityTime. If a manager detects a
1814 change in the latter since the last time it sampled this
1815 counter, it SHOULD NOT make use of the difference between
1816 the latest value of the counter and any value retrieved
1817 before the new value of natv2InstanceDiscontinuityTime."
1818 ::= { natv2InstanceEntry 11 }
1820 natv2InstanceAddressMapEntryLimitDrops OBJECT-TYPE
1821 SYNTAX Counter64
1822 MAX-ACCESS read-only
1823 STATUS current
1824 DESCRIPTION
1825 "The cumulative number of packets dropped rather than
1826 translated because the packet would have triggered
1827 the creation of a new address map entry but the limit
1828 on number of address map entries for the NAT instance
1829 given by natv2InstanceLimitAddressMapEntries has
1830 already been reached.
1832 This value MUST be monotone increasing in the periods
1833 between updates of the entity's
1834 natv2InstanceDiscontinuityTime. If a manager detects a
1835 change in the latter since the last time it sampled this
1836 counter, it SHOULD NOT make use of the difference between
1837 the latest value of the counter and any value retrieved
1838 before the new value of natv2InstanceDiscontinuityTime."
1839 ::= { natv2InstanceEntry 12 }
1841 natv2InstancePortMapEntryLimitDrops OBJECT-TYPE
1842 SYNTAX Counter64
1843 MAX-ACCESS read-only
1844 STATUS current
1845 DESCRIPTION
1846 "The cumulative number of packets dropped rather than
1847 translated because the packet would have triggered
1848 the creation of a new port map entry but the limit
1849 on number of port map entries for the NAT instance
1850 given by natv2InstanceLimitPortMapEntries has
1851 already been reached.
1853 This value MUST be monotone increasing in the periods
1854 between updates of the entity's
1855 natv2InstanceDiscontinuityTime. If a manager detects a
1856 change in the latter since the last time it sampled this
1857 counter, it SHOULD NOT make use of the difference between
1858 the latest value of the counter and any value retrieved
1859 before the new value of natv2InstanceDiscontinuityTime."
1860 ::= { natv2InstanceEntry 13 }
1862 natv2InstanceSubscriberActiveLimitDrops OBJECT-TYPE
1863 SYNTAX Counter64
1864 MAX-ACCESS read-only
1865 STATUS current
1866 DESCRIPTION
1867 "The cumulative number of packets dropped rather than
1868 translated because the packet would have triggered the
1869 creation of a new mapping for a subscriber with no other
1870 active mappings, but the limit on number of active
1871 subscribers for the NAT instance given by
1872 natv2InstanceLimitSubscriberActives has already been
1873 reached.
1875 This value MUST be monotone increasing in the periods
1876 between updates of the entity's
1877 natv2InstanceDiscontinuityTime. If a manager detects a
1878 change in the latter since the last time it sampled this
1879 counter, it SHOULD NOT make use of the difference between
1880 the latest value of the counter and any value retrieved
1881 before the new value of natv2InstanceDiscontinuityTime."
1882 ::= { natv2InstanceEntry 14 }
1884 natv2InstanceAddressMapFailureDrops OBJECT-TYPE
1885 SYNTAX Counter64
1886 MAX-ACCESS read-only
1887 STATUS current
1888 DESCRIPTION
1889 "The cumulative number of packets dropped because the packet
1890 would have triggered the creation of a new address map
1891 entry, but no address could be allocated in the selected
1892 external realm because all addresses from the selected
1893 address pool (or the whole realm, if no address pool has
1894 been configured for that realm) have already been fully
1895 allocated.
1897 This value MUST be monotone increasing in the periods
1898 between updates of the entity's
1899 natv2InstanceDiscontinuityTime. If a manager detects a
1900 change in the latter since the last time it sampled this
1901 counter, it SHOULD NOT make use of the difference between
1902 the latest value of the counter and any value retrieved
1903 before the new value of natv2InstanceDiscontinuityTime."
1904 ::= { natv2InstanceEntry 15 }
1906 natv2InstancePortMapFailureDrops OBJECT-TYPE
1907 SYNTAX Counter64
1908 MAX-ACCESS read-only
1909 STATUS current
1910 DESCRIPTION
1911 "The cumulative number of packets dropped because the
1912 packet would have triggered the creation of a new
1913 port map entry, but no port could be allocated for the
1914 protocol concerned. The usual case for this will be
1915 for a NAT instance that supports address pooling and
1916 the 'paired' pooling behavior recommended by RFC 4787,
1917 where the internal endpoint has used up all of the
1918 ports allocated to it for the address it was mapped to
1919 in the selected address pool in the external realm
1920 concerned and cannot be given more ports because
1921 - policy or implementation prevents it from having a
1922 second address in the same pool, and
1923 - policy or unavailability prevents it from acquiring
1924 more ports at its originally assigned address.
1926 If the NAT instance supports address pooling but its
1927 pooling behavior is 'arbitrary' (meaning that
1928 the NAT instance can allocate a new port mapping for
1929 the given internal endpoint on any address in the
1930 selected address pool and is not bound to what it has
1931 already mapped for that endpoint), then this counter
1932 is incremented when all ports for the protocol concerned
1933 over the whole of the selected address pool are already
1934 in use.
1936 Finally, if no address pools have been configured for the
1937 external realm concerned, then this counter is incremented
1938 because all ports for the protocol involved over the whole
1939 set of addresses available for that external realm are
1940 already in use.
1942 This value MUST be monotone increasing in the periods
1943 between updates of the entity's
1944 natv2InstanceDiscontinuityTime. If a manager detects a
1945 change in the latter since the last time it sampled this
1946 counter, it SHOULD NOT make use of the difference between
1947 the latest value of the counter and any value retrieved
1948 before the new value of natv2InstanceDiscontinuityTime."
1949 REFERENCE
1950 "Pooling behavior: RFC 4787, end of section 4.1."
1951 ::= { natv2InstanceEntry 16 }
1953 natv2InstanceFragmentDrops OBJECT-TYPE
1954 SYNTAX Counter64
1955 MAX-ACCESS read-only
1956 STATUS current
1957 DESCRIPTION
1958 "The cumulative number of fragments received by the NAT
1959 instance but dropped rather than translated. When the NAT
1960 instance supports the 'Receive Fragment Out of Order'
1961 capability as required by RFC 4787, this occurs because the
1962 fragment was received out of order and would be added to the
1963 queue of fragments awaiting the initial fragment of the
1964 chain, but the queue has already reached the limit set by
1965 natv2InstanceLimitPendingFragments. Counting in other cases
1966 is specified in the description of
1967 natv2InstanceFragmentBehavior.
1969 This value MUST be monotone increasing in the periods
1970 between updates of the entity's
1971 natv2InstanceDiscontinuityTime. If a manager detects a
1972 change in the latter since the last time it sampled this
1973 counter, it SHOULD NOT make use of the difference between
1974 the latest value of the counter and any value retrieved
1975 before the new value of natv2InstanceDiscontinuityTime."
1976 REFERENCE
1977 "RFC 4787, section 11."
1978 ::= { natv2InstanceEntry 17 }
1980 natv2InstanceOtherResourceFailureDrops OBJECT-TYPE
1981 SYNTAX Counter64
1982 MAX-ACCESS read-only
1983 STATUS current
1984 DESCRIPTION
1985 "The cumulative number of packets dropped because of
1986 unavailability of a resource other than an address or
1987 port that would have been required to process it.
1989 This value MUST be monotone increasing in the periods
1990 between updates of the entity's
1991 natv2InstanceDiscontinuityTime. If a manager detects a
1992 change in the latter since the last time it sampled this
1993 counter, it SHOULD NOT make use of the difference between
1994 the latest value of the counter and any value retrieved
1995 before the new value of natv2InstanceDiscontinuityTime."
1996 ::= { natv2InstanceEntry 18 }
1998 natv2InstanceDiscontinuityTime OBJECT-TYPE
1999 SYNTAX TimeStamp
2000 MAX-ACCESS read-only
2001 STATUS current
2002 DESCRIPTION
2003 "Snapshot of the value of the sysUpTime object at the
2004 beginning of the latest period of continuity of the
2005 statistical counters associated with this NAT instance."
2006 ::= { natv2InstanceEntry 19 }
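The discontinuity rule that every counter in this table repeats (and that natv2SubscriberDiscontinuityTime states for the per-subscriber counters) is easy to get wrong on the manager side: a poller that simply subtracts successive Counter64 readings turns a counter reset into a negative or, if it treats the decrease as a wrap, an enormous spurious rate. The following is an added manager-side example in Python, not code from the draft; the poll samples are constructed, and it assumes that sysUpTime.0 is read in the same poll as the counter and its discontinuity timestamp.

```python
"""Manager-side use of natv2InstanceDiscontinuityTime (the same rule applies
to natv2SubscriberDiscontinuityTime) when deriving rates from the Counter64
objects of this table. Constructed example with made-up poll samples; not
code from the draft."""
from dataclasses import dataclass
from typing import List, Optional

TICKS_PER_SECOND = 100   # sysUpTime and TimeStamp count hundredths of a second


@dataclass(frozen=True)
class Sample:
    sys_uptime: int      # sysUpTime.0 read in the same poll, TimeTicks
    discontinuity: int   # natv2InstanceDiscontinuityTime, TimeStamp
    value: int           # e.g. natv2InstanceTranslations, Counter64


def counter_rate(prev: Sample, cur: Sample) -> Optional[float]:
    """Rate per second between two polls, or None when the difference must
    not be used: the discontinuity timestamp changed (the SHOULD NOT rule in
    the object descriptions), sysUpTime did not advance (agent restart or
    sysUpTime wrap, either of which invalidates the comparison), or the
    Counter64 value went down, which a monotone counter must not do inside
    one continuity period. A 64-bit wrap between two polls is not treated
    as plausible, so no wrap arithmetic is attempted."""
    if cur.discontinuity != prev.discontinuity:
        return None
    if cur.sys_uptime <= prev.sys_uptime:
        return None
    if cur.value < prev.value:
        return None
    elapsed = (cur.sys_uptime - prev.sys_uptime) / TICKS_PER_SECOND
    return (cur.value - prev.value) / elapsed


def rates(samples: List[Sample]) -> List[Optional[float]]:
    """Rates for each consecutive pair of samples, None where unusable."""
    return [counter_rate(a, b) for a, b in zip(samples, samples[1:])]


# Constructed poll sequence: three polls 60 s apart, then the NAT instance's
# counters restart (new discontinuity time, sysUpTime starts over), then
# polling continues. All values are invented.
SAMPLES = [
    Sample(sys_uptime=1000, discontinuity=500, value=100),
    Sample(sys_uptime=7000, discontinuity=500, value=700),
    Sample(sys_uptime=13000, discontinuity=500, value=1300),
    Sample(sys_uptime=2000, discontinuity=200, value=50),
    Sample(sys_uptime=8000, discontinuity=200, value=650),
]
```

For the constructed sequence the third interval yields None rather than a bogus value, because natv2InstanceDiscontinuityTime changed between the polls; the poller starts a fresh baseline from the next sample.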
2008 -- Notification thresholds, disabled by setting to zero
2010 natv2InstanceThresholdAddressMapEntriesHigh OBJECT-TYPE
2011 SYNTAX Unsigned32
2012 MAX-ACCESS read-write
2013 STATUS current
2014 DESCRIPTION
2015 "Notification threshold for total number of address map
2016 entries held by this NAT instance. Whenever
2017 natv2InstanceAddressMapEntries is updated, if it equals or
2018 exceeds natv2InstanceThresholdAddressMapEntriesHigh, then
2019 natv2NotificationInstanceAddressMapEntriesHigh may be
2020 triggered, unless the notification is disabled by setting
2021 the threshold to 0. Reporting is subject to the minimum
2022 inter-notification interval given by
2023 natv2InstanceNotificationInterval. If multiple notifications
2024 are triggered during one interval, the agent MUST report
2025 only the one containing the highest value of
2026 natv2InstanceAddressMapEntries and discard the others."
2027 DEFVAL
2028 { 0 }
2029 ::= { natv2InstanceEntry 20 }
2031 natv2InstanceThresholdPortMapEntriesHigh OBJECT-TYPE
2032 SYNTAX Unsigned32
2033 MAX-ACCESS read-write
2034 STATUS current
2035 DESCRIPTION
2036 "Notification threshold for total number of port map
2037 entries held by this NAT instance. Whenever
2038 natv2InstancePortMapEntries is updated, if it equals or
2039 exceeds natv2InstanceThresholdPortMapEntriesHigh, then
2040 natv2NotificationInstancePortMapEntriesHigh may be
2041 triggered, unless the notification is disabled by setting
2042 the threshold to 0. Reporting is subject to the minimum
2043 inter-notification interval given by
2044 natv2InstanceNotificationInterval. If multiple notifications
2045 are triggered during one interval, the agent MUST report
2046 only the one containing the highest value of
2047 natv2InstancePortMapEntries and discard the others."
2048 DEFVAL
2049 { 0 }
2050 ::= { natv2InstanceEntry 21 }
2052 natv2InstanceNotificationInterval OBJECT-TYPE
2053 SYNTAX Unsigned32 (1..3600)
2054 UNITS
2055 "Seconds"
2056 MAX-ACCESS read-write
2057 STATUS current
2058 DESCRIPTION
2059 "Minimum number of seconds (default 10) between successive
2060 notifications for this NAT instance. Controls the reporting
2061 of natv2NotificationInstanceAddressMapEntriesHigh and
2062 natv2NotificationInstancePortMapEntriesHigh."
2063 DEFVAL
2064 { 10 }
2065 ::= { natv2InstanceEntry 22 }
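The three objects above (and their per-subscriber counterparts natv2SubscriberThresholdPortMapEntriesHigh and natv2SubscriberNotificationInterval) specify a small rate-limiting state machine for the agent: trigger on every update that equals or exceeds a non-zero threshold, send at most one notification per interval, and when several trigger inside one interval send only the one carrying the highest value. The following is an added agent-side model in Python, not code from the draft; the clock is a plain number of seconds supplied by the caller and the Notification record stands in for the SNMP notification itself.

```python
"""Agent-side model of the high-threshold notification rules in
natv2InstanceThresholdAddressMapEntriesHigh,
natv2InstanceThresholdPortMapEntriesHigh and
natv2InstanceNotificationInterval: trigger on every update that equals or
exceeds a non-zero threshold, send at most one notification per interval,
and when several trigger within one interval send only the one carrying
the highest value. Constructed example; 'now' is seconds as a float."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Notification:
    name: str      # e.g. natv2NotificationInstancePortMapEntriesHigh
    value: int     # the monitored object's value carried in the varbinds
    sent_at: float


class ThresholdNotifier:
    def __init__(self, name: str, threshold: int, interval: int):
        self.name = name
        self.threshold = threshold          # 0 disables the notification
        self.interval = interval            # natv2InstanceNotificationInterval
        self.last_sent: Optional[float] = None
        self.pending: Optional[int] = None  # highest value triggered but held
        self.sent: List[Notification] = []

    def _interval_elapsed(self, now: float) -> bool:
        return self.last_sent is None or now - self.last_sent >= self.interval

    def _send(self, value: int, now: float) -> Notification:
        n = Notification(self.name, value, now)
        self.sent.append(n)
        self.last_sent = now
        self.pending = None
        return n

    def tick(self, now: float) -> Optional[Notification]:
        """Periodic call: release a held notification once the minimum
        interval since the last one has elapsed."""
        if self.pending is not None and self._interval_elapsed(now):
            return self._send(self.pending, now)
        return None

    def update(self, value: int, now: float) -> Optional[Notification]:
        """Call whenever the monitored object (for example
        natv2InstancePortMapEntries) is updated."""
        if self.threshold == 0 or value < self.threshold:
            return self.tick(now)           # nothing triggered by this update
        if self._interval_elapsed(now):
            # If an earlier, higher value was held back, it is the one to
            # report for the interval that just ended; lower ones are dropped.
            best = value if self.pending is None else max(self.pending, value)
            return self._send(best, now)
        if self.pending is None or value > self.pending:
            self.pending = value            # discard the lower triggers
        return None
```

A threshold of 0 keeps update() silent no matter how large the value, matching the "disabled by setting the threshold to 0" clause; the held value survives a later update that falls back below the threshold, so a burst that peaks and subsides inside one interval is still reported with its peak.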
2067 -- Limits, disabled if set to 0
2069 natv2InstanceLimitAddressMapEntries OBJECT-TYPE
2070 SYNTAX Unsigned32
2071 MAX-ACCESS read-write
2072 STATUS current
2073 DESCRIPTION
2074 "Limit on total number of address map entries supported by
2075 the NAT instance. When natv2InstanceAddressMapEntries has
2076 reached this limit, subsequent packets that would normally
2077 trigger creation of a new address map entry will be dropped
2078 and counted in natv2InstanceAddressMapEntryLimitDrops.
2079 Warning of an approach to this limit can be achieved by
2080 setting natv2InstanceThresholdAddressMapEntriesHigh to a
2081 non-zero value, for example, 80% of the limit. The limit is
2082 disabled by setting its value to zero (default value).
2084 For further information please see the descriptions of
2085 natv2NotificationInstanceAddressMapEntriesHigh and
2086 natv2InstanceAddressMapEntries."
2087 DEFVAL
2088 { 0 }
2090 ::= { natv2InstanceEntry 23 }
2092 natv2InstanceLimitPortMapEntries OBJECT-TYPE
2093 SYNTAX Unsigned32
2094 MAX-ACCESS read-write
2095 STATUS current
2096 DESCRIPTION
2097 "Limit on total number of port map entries supported by the
2098 NAT instance. When natv2InstancePortMapEntries has reached
2099 this limit, subsequent packets that would normally trigger
2100 creation of a new port map entry will be dropped and counted
2101 in natv2InstancePortMapEntryLimitDrops. Warning of an
2102 approach to this limit can be achieved by setting
2103 natv2InstanceThresholdPortMapEntriesHigh to a non-zero
2104 value, for example, 80% of the limit. The limit is disabled
2105 by setting its value to zero (default value).
2107 For further information please see the descriptions of
2108 natv2NotificationInstancePortMapEntriesHigh and
2109 natv2InstancePortMapEntries."
2110 DEFVAL
2111 { 0 }
2112 ::= { natv2InstanceEntry 24 }
2114 natv2InstanceLimitPendingFragments OBJECT-TYPE
2115 SYNTAX Unsigned32
2116 MAX-ACCESS read-write
2117 STATUS current
2118 DESCRIPTION
2119 "Limit on number of out-of-order fragments received by the
2120 NAT instance from remote sources and held until the head of
2121 the chain appears. While the number of held fragments is at
2122 this limit, subsequent packets that contain fragments not
2123 relating to those already held will be dropped and counted
2124 in natv2InstanceFragmentDrops. The limit is
2125 disabled by setting the value to zero (default value).
2127 Applicable only when the NAT instance supports 'Receive
2128 Fragments Out of Order' behavior; leave at the default
2129 otherwise. See the description of
2130 natv2InstanceFragmentBehavior."
2131 REFERENCE
2132 "RFC 4787 Section 11"
2133 DEFVAL { 0 }
2134 ::= { natv2InstanceEntry 25 }
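The pending-fragment limit above is the protective cap that makes the fragmentOutOfOrder(2) capability of natv2InstanceFragmentBehavior safe to offer: without it, a remote source can fill memory with non-first fragments whose header never arrives. The following is an added model in Python of the three fragment behaviors together with natv2InstanceLimitPendingFragments and natv2InstanceFragmentDrops; it is not code from the draft. A fragment is reduced to a chain key (standing in for source, destination and IP identification) plus an offset, the translation step itself is omitted, and the limit is applied as a cap on the total pending count as the natv2InstanceFragmentBehavior description states; expiry of chains that never complete, which a real implementation also needs, is left out.

```python
"""Model of the three natv2InstanceFragmentBehavior values together with
natv2InstanceLimitPendingFragments and natv2InstanceFragmentDrops.
Constructed example: a 'fragment' is just a chain key plus offset, the chain
key standing in for (source, destination, IP identification); the
translation step itself and expiry of chains that never complete are left
out."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Enumeration values as in the MIB object
FRAGMENT_NONE = 0
FRAGMENT_IN_ORDER = 1
FRAGMENT_OUT_OF_ORDER = 2

ChainKey = Tuple[str, str, int]   # (src addr, dst addr, identification)


@dataclass(frozen=True)
class Fragment:
    chain: ChainKey
    offset: int        # 0 marks the first fragment, which carries the header


@dataclass
class FragmentHandler:
    behavior: int
    limit_pending: int = 0       # natv2InstanceLimitPendingFragments, 0 = off
    fragment_drops: int = 0      # natv2InstanceFragmentDrops
    translated: int = 0          # fragments passed on to translation
    # Chains whose first fragment (and so the port/address) has been seen.
    seen_header: Dict[ChainKey, bool] = field(default_factory=dict)
    # Out-of-order fragments waiting for their chain's first fragment.
    pending: Dict[ChainKey, List[Fragment]] = field(default_factory=dict)

    def pending_count(self) -> int:
        return sum(len(q) for q in self.pending.values())

    def receive(self, frag: Fragment) -> bool:
        """True if the fragment is translated now or queued for translation,
        False if it is dropped and counted in fragment_drops."""
        if self.behavior == FRAGMENT_NONE:
            self.fragment_drops += 1              # no fragment support at all
            return False
        if frag.offset == 0:
            self.seen_header[frag.chain] = True
            self.translated += 1
            # Release anything queued for this chain now that the header
            # needed to look up the mapping has arrived.
            self.translated += len(self.pending.pop(frag.chain, []))
            return True
        if frag.chain in self.seen_header:
            self.translated += 1                  # in order: header already seen
            return True
        # A non-first fragment arriving before its header.
        if self.behavior == FRAGMENT_IN_ORDER:
            self.fragment_drops += 1
            return False
        if self.limit_pending and self.pending_count() >= self.limit_pending:
            self.fragment_drops += 1              # protective limit reached
            return False
        self.pending.setdefault(frag.chain, []).append(frag)
        return True
```

With the limit at its default of 0 the queue is unbounded, which is why the description says to leave it there only when the instance does not support out-of-order fragments at all; an operator enabling fragmentOutOfOrder(2) should set a limit and watch natv2InstanceFragmentDrops for its effect.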
2136 natv2InstanceLimitSubscriberActives OBJECT-TYPE
2137 SYNTAX Unsigned32
2138 MAX-ACCESS read-write
2139 STATUS current
2140 DESCRIPTION
2141 "Limit on the total number of active subscribers
2142 supported by the NAT instance. An active subscriber is
2143 defined as any subscriber with at least one map entry,
2144 including static mappings. While the number of active
2145 subscribers is at this limit, subsequent packets that would
2146 otherwise trigger first mappings for newly active
2147 subscribers will be dropped and counted in
2148 natv2InstanceSubscriberActiveLimitDrops. The limit is
2149 disabled by setting the value to zero (default value)."
2150 DEFVAL { 0 }
2151 ::= { natv2InstanceEntry 26 }
2153 -- Table of counters per 'next protocol' identified by the packet
2154 -- header and supported by the NAT instance
2156 natv2NextProtocolTable OBJECT-TYPE
2157 SYNTAX SEQUENCE OF Natv2NextProtocolEntry
2158 MAX-ACCESS not-accessible
2159 STATUS current
2160 DESCRIPTION
2161 "Table of protocols with per-protocol counters. Conceptual
2162 rows of the table are indexed by the combination of the NAT
2163 instance number and the IANA-assigned 'next protocol' number
2164 as given by the ProtocolNumber TC and contained in the
2165 packet IP header. It is up to the agent implementation to
2166 determine and operate upon only those 'next protocol'
2167 numbers supported by the NAT instance."
2168 REFERENCE
2169 "RFC yyyy Section 3.3.5."
2170 ::= { natv2MIBInstanceObjects 2 }
2172 natv2NextProtocolEntry OBJECT-TYPE
2173 SYNTAX Natv2NextProtocolEntry
2174 MAX-ACCESS not-accessible
2175 STATUS current
2176 DESCRIPTION
2177 "Per-protocol counters."
2178 INDEX { natv2NextProtocolInstanceIndex,
2179 natv2NextProtocolNumber }
2180 ::= { natv2NextProtocolTable 1 }
2182 Natv2NextProtocolEntry ::=
2183 SEQUENCE {
2184 natv2NextProtocolInstanceIndex Natv2InstanceIndex,
2185 natv2NextProtocolNumber ProtocolNumber,
2186 -- State
2187 natv2NextProtocolPortMapEntries Unsigned32,
2188 -- Statistics. Discontinuity object from instance table reused here.
2189 natv2NextProtocolTranslations Counter64,
2190 natv2NextProtocolPortMapCreations Counter64,
2191 natv2NextProtocolPortMapFailureDrops Counter64,
2192 natv2NextProtocolOtherResourceFailureDrops Counter64
2193 }
2195 natv2NextProtocolInstanceIndex OBJECT-TYPE
2196 SYNTAX Natv2InstanceIndex
2197 MAX-ACCESS not-accessible
2198 STATUS current
2199 DESCRIPTION
2200 "NAT instance index. It is up to the implementation to
2201 determine and operate upon only those values that
2202 correspond to in-service NAT instances."
2203 ::= { natv2NextProtocolEntry 1 }
2205 natv2NextProtocolNumber OBJECT-TYPE
2206 SYNTAX ProtocolNumber
2207 MAX-ACCESS not-accessible
2208 STATUS current
2209 DESCRIPTION
2210 "Counters in this conceptual row apply to packets indicating
2211 the 'next protocol' identified by this object's value. It is
2212 up to the implementation to determine and operate upon only
2213 those values that correspond to protocols supported by the
2214 NAT instance."
2216 REFERENCE
2217 "IANA Protocol Numbers, http://www.iana.org/assignments/
2218 protocol-numbers/protocol-numbers.xhtml#protocol-numbers-1"
2219 ::= { natv2NextProtocolEntry 2 }
2221 -- State
2222 natv2NextProtocolPortMapEntries OBJECT-TYPE
2223 SYNTAX Unsigned32
2224 MAX-ACCESS read-only
2225 STATUS current
2226 DESCRIPTION
2227 "The current number of entries in the port map table in total
2228 over the whole NAT instance for a given protocol, including
2229 static mappings. A port map entry maps from a given external
2230 realm, address, and port for a given protocol to an internal
2231 realm, address, and port. This definition includes 'hairpin'
2232 mappings, where the external realm is the same as the
2233 internal one. Port map entries are also tracked per
2234 subscriber, per instance, and per address pool within the
2235 instance."
2236 REFERENCE
2237 "RFC yyyy Section 3.3.5 and Section 3.3.9. Hairpinning:
2238 RFC 4787 Section 6."
2239 ::= { natv2NextProtocolEntry 3 }
2241 -- Statistics
2242 natv2NextProtocolTranslations OBJECT-TYPE
2243 SYNTAX Counter64
2244 MAX-ACCESS read-only
2245 STATUS current
2246 DESCRIPTION
2247 "The cumulative number of packets translated by the NAT
2248 instance in either direction for the given 'next
2249 protocol'.
2251 This value MUST be monotone increasing in the periods
2252 between updates of the NAT instance
2253 natv2InstanceDiscontinuityTime. If a manager detects a
2254 change in the latter since the last time it sampled this
2255 counter, it SHOULD NOT make use of the difference between
2256 the latest value of the counter and any value retrieved
2257 before the new value of natv2InstanceDiscontinuityTime."
2258 ::= { natv2NextProtocolEntry 4 }
2260 natv2NextProtocolPortMapCreations OBJECT-TYPE
2261 SYNTAX Counter64
2262 MAX-ACCESS read-only
2263 STATUS current
2264 DESCRIPTION
2265 "The cumulative number of port map entries created by the NAT
2266 instance for the given 'next protocol'.
2268 This value MUST be monotone increasing in the periods
2269 between updates of the NAT instance
2270 natv2InstanceDiscontinuityTime. If a manager detects a
2271 change in the latter since the last time it sampled this
2272 counter, it SHOULD NOT make use of the difference between
2273 the latest value of the counter and any value retrieved
2274 before the new value of natv2InstanceDiscontinuityTime."
2275 ::= { natv2NextProtocolEntry 5 }
2277 natv2NextProtocolPortMapFailureDrops OBJECT-TYPE
2278 SYNTAX Counter64
2279 MAX-ACCESS read-only
2280 STATUS current
2281 DESCRIPTION
2282 "The cumulative number of packets dropped because the packet
2283 would have triggered the creation of a new port map entry,
2284 but no port could be allocated for the protocol concerned.
2285 The usual case for this will be for a NAT instance that
2286 supports address pooling and the 'paired' pooling behavior
2287 recommended by RFC 4787, where the internal endpoint has
2288 used up all of the ports allocated to it for the address it
2289 was mapped to in the selected address pool in the external
2290 realm concerned and cannot be given more ports because
2291 - policy or implementation prevents it from having a
2292 second address in the same pool, and
2293 - policy or unavailability prevents it from acquiring
2294 more ports at its originally assigned address.
2296 If the NAT instance supports address pooling but its
2297 pooling behavior is 'arbitrary' (meaning that
2298 the NAT instance can allocate a new port mapping for
2299 the given internal endpoint on any address in the
2300 selected address pool and is not bound to what it has
2301 already mapped for that endpoint), then this counter
2302 is incremented when all ports for the protocol concerned
2303 over the whole of the selected address pool are already
2304 in use.
2306 Finally, if the NAT instance has no configured address
2307 pooling, then this counter is incremented because all
2308 ports for the protocol concerned over the whole of the
2309 NAT instance for the external realm concerned are already
2310 in use.
2312 This value MUST be monotone increasing in the periods
2313 between updates of the NAT instance
2314 natv2InstanceDiscontinuityTime. If a manager detects a
2315 change in the latter since the last time it sampled this
2316 counter, it SHOULD NOT make use of the difference between
2317 the latest value of the counter and any value retrieved
2318 before the new value of natv2InstanceDiscontinuityTime."
2319 REFERENCE
2320 "RFC 4787, end of section 4.1."
2321 ::= { natv2NextProtocolEntry 6 }
2323 natv2NextProtocolOtherResourceFailureDrops OBJECT-TYPE
2324 SYNTAX Counter64
2325 MAX-ACCESS read-only
2326 STATUS current
2327 DESCRIPTION
2328 "The cumulative number of packets with the given 'next
2329 protocol' value in the IP header that were dropped because
2330 of unavailability of a resource other than an address or
2331 port that would have been required to process them.
2333 This value MUST be monotone increasing in the periods
2334 between updates of the NAT instance
2335 natv2InstanceDiscontinuityTime. If a manager detects a
2336 change in the latter since the last time it sampled this
2337 counter, it SHOULD NOT make use of the difference between
2338 the latest value of the counter and any value retrieved
2339 before the new value of natv2InstanceDiscontinuityTime."
2340 ::= { natv2NextProtocolEntry 7 }
2342 -- pools
2344 natv2PoolTable OBJECT-TYPE
2345 SYNTAX SEQUENCE OF Natv2PoolEntry
2346 MAX-ACCESS not-accessible
2347 STATUS current
2348 DESCRIPTION
2349 "Table of address pools, applicable only if these are
2350 supported by the NAT instance. An address pool is a set of
2351 addresses and ports in a particular realm, available for
2352 assignment to the 'external' portion of a mapping. Where more
2353 than one pool has been configured for the realm, policy
2354 determines which subscribers and/or services are mapped to
2355 which pool. natv2PoolTable provides basic information, state,
2356 statistics, and two notification thresholds for each pool.
2357 natv2PoolRangeTable is an expansion table for natv2PoolTable
2358 that identifies particular address ranges allocated to the
2359 pool."
2360 REFERENCE
2361 "RFC yyyy Section 3.3.6."
2362 ::= { natv2MIBInstanceObjects 3 }
2364 natv2PoolEntry OBJECT-TYPE
2365 SYNTAX Natv2PoolEntry
2366 MAX-ACCESS not-accessible
2367 STATUS current
2368 DESCRIPTION
2369 "Entry in the table of address pools."
2370 INDEX { natv2PoolInstanceIndex, natv2PoolIndex }
2371 ::= { natv2PoolTable 1 }
2373 Natv2PoolEntry ::=
2374 SEQUENCE {
2375 -- Index
2376 natv2PoolInstanceIndex Natv2InstanceIndex,
2377 natv2PoolIndex Natv2PoolIndex,
2378 -- Configuration
2379 natv2PoolRealm SnmpAdminString,
2380 natv2PoolAddressType InetAddressType,
2381 natv2PoolPortMin InetPortNumber,
2382 natv2PoolPortMax InetPortNumber,
2383 -- State
2384 natv2PoolAddressMapEntries Unsigned32,
2385 natv2PoolPortMapEntries Unsigned32,
2386 -- Statistics and discontinuity time
2387 natv2PoolAddressMapCreations Counter64,
2388 natv2PoolPortMapCreations Counter64,
2389 natv2PoolAddressMapFailureDrops Counter64,
2390 natv2PoolPortMapFailureDrops Counter64,
2391 natv2PoolOtherResourceFailureDrops Counter64,
2392 natv2PoolDiscontinuityTime TimeStamp,
2393 -- Notification thresholds and objects returned by notifications
2394 natv2PoolThresholdUsageLow Integer32,
2395 natv2PoolThresholdUsageHigh Unsigned32,
2396 natv2PoolNotifiedPortMapEntries Unsigned32,
2397 natv2PoolNotifiedPortMapProtocol ProtocolNumber,
2398 natv2PoolNotificationInterval Unsigned32
2399 }
2401 natv2PoolInstanceIndex OBJECT-TYPE
2402 SYNTAX Natv2InstanceIndex
2403 MAX-ACCESS not-accessible
2404 STATUS current
2405 DESCRIPTION
2406 "NAT instance index. It is up to the agent implementation
2407 to determine and operate upon only those values that
2408 correspond to in-service NAT instances."
2409 ::= { natv2PoolEntry 1 }
2411 natv2PoolIndex OBJECT-TYPE
2412 SYNTAX Natv2PoolIndex
2413 MAX-ACCESS not-accessible
2414 STATUS current
2415 DESCRIPTION
2416 "Index of an address pool, unique for a given NAT instance.
2417 It is up to the agent implementation to determine and
2418 operate upon only those values that correspond to
2419 provisioned pools."
2420 ::= { natv2PoolEntry 2 }
2422 -- configuration
2423 natv2PoolRealm OBJECT-TYPE
2424 SYNTAX SnmpAdminString (SIZE (0..32))
2425 MAX-ACCESS read-only
2426 STATUS current
2427 DESCRIPTION
2428 "Address realm to which this pool's addresses belong."
2429 REFERENCE
2430 "Address realms are discussed in Section 3.3.3 of
2431 RFC yyyy. Primary reference is RFC 2663 Section 2.1."
2432 ::= { natv2PoolEntry 3 }
2434 natv2PoolAddressType OBJECT-TYPE
2435 SYNTAX InetAddressType
2436 MAX-ACCESS read-only
2437 STATUS current
2438 DESCRIPTION
2439 "Address type supplied by this address pool. This will be the
2440 same for all pools in a given realm (by definition of an
2441 address realm). Values other than ipv4(1) or ipv6(2) would
2442 be unexpected."
2443 REFERENCE
2444 "InetAddressType in RFC 4001."
2445 ::= { natv2PoolEntry 4 }
2447 natv2PoolPortMin OBJECT-TYPE
2448 SYNTAX InetPortNumber
2449 MAX-ACCESS read-only
2450 STATUS current
2451 DESCRIPTION
2452 "Minimum port number to be allocated in this pool.
2453 Applies to all protocols supported by the NAT instance."
2454 REFERENCE
2455 "InetPortNumber in RFC 4001."
2456 ::= { natv2PoolEntry 5 }
2458 natv2PoolPortMax OBJECT-TYPE
2459 SYNTAX InetPortNumber
2460 MAX-ACCESS read-only
2461 STATUS current
2462 DESCRIPTION
2463 "Maximum port number to be allocated in this pool.
2464 Applies to all protocols supported by the NAT instance."
2465 REFERENCE
2466 "InetPortNumber in RFC 4001."
2467 ::= { natv2PoolEntry 6 }
2469 -- State
2470 natv2PoolAddressMapEntries OBJECT-TYPE
2471 SYNTAX Unsigned32
2472 MAX-ACCESS read-only
2473 STATUS current
2474 DESCRIPTION "The current number of address map entries using external
2475 addresses drawn from this pool, including static mappings.
2476 This definition includes 'hairpin' mappings, where the
2477 external realm is the same as the internal one. Address map
2478 entries are also tracked per subscriber and per instance."
2479 REFERENCE
2480 "RFC yyyy Section 3.3.8. Hairpinning: RFC 4787 section 6."
2481 ::= { natv2PoolEntry 7 }
2483 natv2PoolPortMapEntries OBJECT-TYPE
2484 SYNTAX Unsigned32
2485 MAX-ACCESS read-only
2486 STATUS current
2487 DESCRIPTION
2488 "The current number of entries in the port map table using
2489 external addresses and ports drawn from this pool, including
2490 static mappings. This definition includes 'hairpin'
2491 mappings, where the external realm is the same as the
2492 internal one. Port map entries are also tracked per
2493 subscriber, per instance, and per protocol within the
2494 instance."
2495 REFERENCE
2496 "RFC yyyy Section 3.3.9. Hairpinning: RFC 4787 Section 6."
2497 ::= { natv2PoolEntry 8 }
2499 -- Statistics and discontinuity time
2500 natv2PoolAddressMapCreations OBJECT-TYPE
2501 SYNTAX Counter64
2502 MAX-ACCESS read-only
2503 STATUS current
2504 DESCRIPTION
2505 "The cumulative number of address map entries created in this
2506 pool, including static mappings. Address map entries are
2507 also tracked per instance and per subscriber.
2509 This value MUST be monotone increasing in
2510 the periods between updates of the entity's
2511 natv2PoolDiscontinuityTime. If a manager detects a
2512 change in the latter since the last time it sampled this
2513 counter, it SHOULD NOT make use of the difference between
2514 the latest value of the counter and any value retrieved
2515 before the new value of natv2PoolDiscontinuityTime."
2516 ::= { natv2PoolEntry 9 }
2518 natv2PoolPortMapCreations OBJECT-TYPE
2519 SYNTAX Counter64
2520 MAX-ACCESS read-only
2521 STATUS current
2522 DESCRIPTION
2523 "The cumulative number of port map entries created in this
2524 pool, including static mappings. Port map entries are also
2525 tracked per instance, per protocol, and per subscriber.
2527 This value MUST be monotone increasing in the periods
2528 between updates of the entity's
2529 natv2PoolDiscontinuityTime. If a manager detects a
2530 change in the latter since the last time it sampled this
2531 counter, it SHOULD NOT make use of the difference between
2532 the latest value of the counter and any value retrieved
2533 before the new value of natv2PoolDiscontinuityTime."
2534 ::= { natv2PoolEntry 10 }
2536 natv2PoolAddressMapFailureDrops OBJECT-TYPE
2537 SYNTAX Counter64
2538 MAX-ACCESS read-only
2539 STATUS current
2540 DESCRIPTION
2541 "The cumulative number of packets originated by the
2542 subscriber that were dropped because the packet would have
2543 triggered the creation of a new address map entry, but no
2544 address could be allocated from this address pool because
2545 all addresses in the pool have already been fully allocated.
2546 Counters of this event are also provided per instance, per
2547 protocol and per subscriber.
2549 This value MUST be monotone increasing in the periods
2550 between updates of the entity's
2551 natv2PoolDiscontinuityTime. If a manager detects a
2552 change in the latter since the last time it sampled this
2553 counter, it SHOULD NOT make use of the difference between
2554 the latest value of the counter and any value retrieved
2555 before the new value of natv2PoolDiscontinuityTime."
2556 ::= { natv2PoolEntry 11 }
2558 natv2PoolPortMapFailureDrops OBJECT-TYPE
2559 SYNTAX Counter64
2560 MAX-ACCESS read-only
2561 STATUS current
2562 DESCRIPTION
2563 "The cumulative number of packets dropped because the packet
2564 would have triggered the creation of a new port map entry,
2565 but no port could be allocated for the protocol concerned.
2566 The usual case for this will be for a NAT instance that
2567 supports the 'paired' pooling behavior recommended by RFC
2568 4787, where the internal endpoint has used up all of the
2569 ports allocated to it for the address it was mapped to in
2570 this pool and cannot be given more ports because
2571 - policy or implementation prevents it from having a
2572 second address in the same pool, and
2573 - policy or unavailability prevents it from acquiring
2574 more ports at its originally assigned address.
2576 If the NAT instance pooling behavior is 'arbitrary' (meaning
2577 that the NAT instance can allocate a new port mapping for
2578 the given internal endpoint on any address in the selected
2579 address pool and is not bound to what it has already mapped
2580 for that endpoint), then this counter is incremented when
2581 all ports for the protocol concerned over the whole of this
2582 address pool are already in use.
2584 This value MUST be monotone increasing in the periods
2585 between updates of the entity's
2586 natv2PoolDiscontinuityTime. If a manager detects a
2587 change in the latter since the last time it sampled this
2588 counter, it SHOULD NOT make use of the difference between
2589 the latest value of the counter and any value retrieved
2590 before the new value of natv2PoolDiscontinuityTime."
2591 REFERENCE
2592 "Pooling behavior: RFC 4787, end of section 4.1."
2593 ::= { natv2PoolEntry 12 }
2595 natv2PoolOtherResourceFailureDrops OBJECT-TYPE
2596 SYNTAX Counter64
2597 MAX-ACCESS read-only
2598 STATUS current
2599 DESCRIPTION
2600 "The cumulative number of packets dropped because of
2601 unavailability of a resource other than an address or
2602 port that would have been required to process them.
2604 This value MUST be monotone increasing in the periods
2605 between updates of the entity's
2606 natv2PoolDiscontinuityTime. If a manager detects a
2607 change in the latter since the last time it sampled this
2608 counter, it SHOULD NOT make use of the difference between
2609 the latest value of the counter and any value retrieved
2610 before the new value of natv2PoolDiscontinuityTime."
2611 ::= { natv2PoolEntry 13 }
2613 natv2PoolDiscontinuityTime OBJECT-TYPE
2614 SYNTAX TimeStamp
2615 MAX-ACCESS read-only
2616 STATUS current
2617 DESCRIPTION
2618 "Snapshot of the value of the sysUpTime object at the
2619 beginning of the latest period of continuity of the
2620 statistical counters associated with this address
2621 pool. This MUST be initialized when the address pool
2622 is configured and MUST be updated whenever the port
2623 or address ranges allocated to the pool change."
2624 ::= { natv2PoolEntry 14 }
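The discontinuity rule repeated in the counter descriptions above applies to both natv2InstanceDiscontinuityTime (per-protocol counters) and natv2PoolDiscontinuityTime (pool counters); the manager-side Python below is an added illustration, not part of the draft. CounterSample, counter_delta, rate_per_second and port_map_failure_ratio are hypothetical names, and the sample values are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

COUNTER64_MODULUS = 1 << 64
TICKS_PER_SECOND = 100  # TimeTicks are hundredths of a second


@dataclass(frozen=True)
class CounterSample:
    """One poll of a Counter64 object plus the discontinuity object that
    scopes it: natv2InstanceDiscontinuityTime for the per-protocol counters,
    natv2PoolDiscontinuityTime for the per-pool counters (hypothetical type)."""
    sys_uptime: int          # sysUpTime at poll time (TimeTicks)
    discontinuity_time: int  # discontinuity object at poll time (TimeTicks)
    value: int               # Counter64 value


def counter_delta(prev: CounterSample, cur: CounterSample) -> Optional[int]:
    """Difference cur - prev, or None when the MIB says it must not be used.

    The counter is only guaranteed monotone between updates of the
    discontinuity object, so a changed discontinuity value invalidates the
    delta. A Counter64 that wrapped is handled with modular arithmetic.
    """
    if cur.discontinuity_time != prev.discontinuity_time:
        return None
    return (cur.value - prev.value) % COUNTER64_MODULUS


def rate_per_second(prev: CounterSample, cur: CounterSample) -> Optional[float]:
    """Events per second between the two polls, or None if unusable."""
    delta = counter_delta(prev, cur)
    ticks = cur.sys_uptime - prev.sys_uptime
    if delta is None or ticks <= 0:
        return None
    return delta / (ticks / TICKS_PER_SECOND)


def port_map_failure_ratio(
    creations: Tuple[CounterSample, CounterSample],
    drops: Tuple[CounterSample, CounterSample],
) -> Optional[float]:
    """Fraction of attempted port map creations that failed for lack of a
    port over the interval: PortMapFailureDrops against
    PortMapCreations + PortMapFailureDrops. A rising ratio is the
    operational sign of port exhaustion, independent of the percentage
    thresholds; None if either delta crosses a discontinuity."""
    created = counter_delta(*creations)
    dropped = counter_delta(*drops)
    if created is None or dropped is None:
        return None
    attempts = created + dropped
    return 0.0 if attempts == 0 else dropped / attempts
```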
2626 -- Notification thresholds and objects returned by notifications
2627 natv2PoolThresholdUsageLow OBJECT-TYPE
2628 SYNTAX Integer32 (-1|0..100)
2629 UNITS "Percent"
2630 MAX-ACCESS read-write
2631 STATUS current
2632 DESCRIPTION
2633 "Threshold for reporting low utilization of the address pool.
2634 Utilization at a given instant is calculated as the
2635 percentage of ports allocated in port map entries for the
2636 most-used protocol at that instant. If utilization is less
2637 than or equal to natv2PoolThresholdUsageLow, an instance of
2638 natv2NotificationPoolUsageLow may be triggered, unless
2639 disabled by setting it to -1. Note the difference from the
2640 disabling setting for other notifications. Reporting is
2641 subject to the per-pool notification interval given by
2642 natv2PoolNotificationInterval. If multiple notifications are
2643 triggered during one interval, the agent MUST report only
2644 the one with the lowest value of
2645 natv2PoolNotifiedPortMapEntries and discard the others.
2647 Implementation note: the percentage specified by this object
2648 can be converted to a number of port map entries at
2649 configuration time (after port and address ranges have been
2650 configured or reconfigured) and compared to the current
2651 value of natv2PoolNotifiedPortMapEntries."
2652 REFERENCE
2653 "RFC yyyy Section 3.1.2 and Section 3.3.6."
2654 DEFVAL { -1 }
2655 ::= { natv2PoolEntry 15 }
2657 natv2PoolThresholdUsageHigh OBJECT-TYPE
2658 SYNTAX Unsigned32 (0..100)
2659 UNITS "Percent"
2660 MAX-ACCESS read-write
2661 STATUS current
2662 DESCRIPTION
2663 "Threshold for reporting high utilization of the address
2664 pool. Utilization at a given instant is calculated as the
2665 percentage of ports allocated in port map entries for the
2666 most-used protocol at that instant. If utilization is
2667 greater than or equal to natv2PoolThresholdUsageHigh, an
2668 instance of natv2NotificationPoolUsageHigh may be triggered,
2669 unless disabled by setting it to 0.
2671 Reporting is subject to the per-pool notification interval
2672 given by natv2PoolNotificationInterval. If multiple
2673 notifications are triggered during one interval, the agent
2674 MUST report only the one with the highest value of
2675 natv2PoolNotifiedPortMapEntries and discard the others. In
2676 the very unlikely case where both upper and lower thresholds
2677 are crossed in the same interval, the agent MUST report only
2678 the upper threshold notification.
2680 Implementation note: the percentage specified by this object
2681 can be converted to a number of port map entries at
2682 configuration time (after port and address ranges have been
2683 configured or reconfigured) and compared to the current
2684 value of natv2PoolNotifiedPortMapEntries."
2685 DEFVAL { 0 }
2686 ::= { natv2PoolEntry 16 }
2688 natv2PoolNotifiedPortMapEntries OBJECT-TYPE
2689 SYNTAX Unsigned32
2690 MAX-ACCESS read-only
2691 STATUS current
2692 DESCRIPTION
2693 "Number of port map entries using addresses and ports from
2694 this address pool for the most-used protocol at a given
2695 instant. One of the objects returned by
2696 natv2NotificationPoolUsageLow and
2697 natv2NotificationPoolUsageHigh."
2698 ::= { natv2PoolEntry 17 }
2700 natv2PoolNotifiedPortMapProtocol OBJECT-TYPE
2701 SYNTAX ProtocolNumber
2702 MAX-ACCESS read-only
2703 STATUS current
2704 DESCRIPTION
2705 "The most-used protocol (i.e., with the largest number of
2706 port map entries) mapped into this address pool at a given
2707 instant. One of the objects returned by
2708 natv2NotificationPoolUsageLow and
2709 natv2NotificationPoolUsageHigh."
2710 ::= { natv2PoolEntry 18 }
2712 natv2PoolNotificationInterval OBJECT-TYPE
2713 SYNTAX Unsigned32 (1..3600)
2714 UNITS
2715 "Seconds"
2716 MAX-ACCESS read-write
2717 STATUS current
2718 DESCRIPTION
2719 "Minimum number of seconds (default 20) between successive
2720 notifications for this address pool. Controls the generation
2721 of natv2NotificationPoolUsageLow and
2722 natv2NotificationPoolUsageHigh."
2723 DEFVAL
2724 { 20 }
2725 ::= { natv2PoolEntry 19 }
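An added example (not from the draft) of the agent-side logic that natv2PoolThresholdUsageLow, natv2PoolThresholdUsageHigh and natv2PoolNotificationInterval describe: percentages converted to entry counts at configuration time, utilization taken from the most-used protocol, and at most one notification per interval with the upper threshold winning. PoolConfig, PoolNotifier, PoolNotification and the sample figures are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PoolConfig:
    """Per-pool objects from natv2PoolTable (hypothetical container)."""
    address_count: int               # addresses summed over natv2PoolRangeTable rows
    port_min: int                    # natv2PoolPortMin
    port_max: int                    # natv2PoolPortMax
    threshold_low: int = -1          # natv2PoolThresholdUsageLow, -1 disables
    threshold_high: int = 0          # natv2PoolThresholdUsageHigh, 0 disables
    notification_interval: int = 20  # natv2PoolNotificationInterval, seconds


def pool_capacity(cfg: PoolConfig) -> int:
    """Port map entries the pool can hold for a single protocol."""
    return cfg.address_count * (cfg.port_max - cfg.port_min + 1)


def threshold_entries(cfg: PoolConfig) -> Tuple[Optional[int], Optional[int]]:
    """Convert the percentage thresholds into entry counts once, as the
    implementation note suggests, so each poll is an integer comparison:
      utilization <= low   <=>  entries <= floor(low  * capacity / 100)
      utilization >= high  <=>  entries >= ceil(high * capacity / 100)
    None means the corresponding notification is disabled."""
    cap = pool_capacity(cfg)
    low = None if cfg.threshold_low < 0 else (cfg.threshold_low * cap) // 100
    high = None if cfg.threshold_high == 0 else -((-cfg.threshold_high * cap) // 100)
    return low, high


@dataclass(frozen=True)
class PoolNotification:
    kind: str       # "usageLow" or "usageHigh"
    entries: int    # natv2PoolNotifiedPortMapEntries
    protocol: int   # natv2PoolNotifiedPortMapProtocol


@dataclass
class PoolNotifier:
    cfg: PoolConfig
    last_sent: Optional[float] = None
    pending: List[PoolNotification] = field(default_factory=list)

    def observe(self, entries_by_protocol: Dict[int, int]) -> Optional[PoolNotification]:
        """Evaluate one sample; utilization is defined by the most-used protocol."""
        if not entries_by_protocol:
            return None
        protocol, entries = max(entries_by_protocol.items(), key=lambda kv: kv[1])
        low, high = threshold_entries(self.cfg)
        event = None
        if high is not None and entries >= high:
            event = PoolNotification("usageHigh", entries, protocol)
        elif low is not None and entries <= low:
            event = PoolNotification("usageLow", entries, protocol)
        if event is not None:
            self.pending.append(event)
        return event

    def emit(self, now: float) -> Optional[PoolNotification]:
        """Release at most one notification per natv2PoolNotificationInterval:
        the highest-entries usageHigh if any was triggered (upper threshold
        wins), otherwise the lowest-entries usageLow; the rest are discarded."""
        if not self.pending:
            return None
        if self.last_sent is not None and now - self.last_sent < self.cfg.notification_interval:
            return None
        highs = [e for e in self.pending if e.kind == "usageHigh"]
        chosen = max(highs, key=lambda e: e.entries) if highs else min(self.pending, key=lambda e: e.entries)
        self.pending.clear()
        self.last_sent = now
        return chosen
```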
2727 natv2PoolRangeTable OBJECT-TYPE
2728 SYNTAX SEQUENCE OF Natv2PoolRangeEntry
2729 MAX-ACCESS not-accessible
2730 STATUS current
2731 DESCRIPTION
2732 "This table contains address ranges used by pool entries.
2733 It is an expansion of natv2PoolTable."
2734 REFERENCE
2735 "RFC yyyy."
2736 ::= { natv2MIBInstanceObjects 4 }
2738 natv2PoolRangeEntry OBJECT-TYPE
2739 SYNTAX Natv2PoolRangeEntry
2740 MAX-ACCESS not-accessible
2741 STATUS current
2742 DESCRIPTION
2743 "NAT pool address range."
2744 INDEX {
2745 natv2PoolRangeInstanceIndex,
2746 natv2PoolRangePoolIndex,
2747 natv2PoolRangeRowIndex
2748 }
2749 ::= { natv2PoolRangeTable 1 }
2751 Natv2PoolRangeEntry ::=
2752 SEQUENCE {
2753 natv2PoolRangeInstanceIndex Natv2InstanceIndex,
2754 natv2PoolRangePoolIndex Natv2PoolIndex,
2755 natv2PoolRangeRowIndex Unsigned32,
2756 natv2PoolRangeBegin InetAddress,
2757 natv2PoolRangeEnd InetAddress
2758 }
2760 natv2PoolRangeInstanceIndex OBJECT-TYPE
2761 SYNTAX Natv2InstanceIndex
2762 MAX-ACCESS not-accessible
2763 STATUS current
2764 DESCRIPTION
2765 "Index of the NAT instance on which the address pool and this
2766 address range are configured. See Natv2InstanceIndex."
2767 ::= { natv2PoolRangeEntry 1 }
2769 natv2PoolRangePoolIndex OBJECT-TYPE
2770 SYNTAX Natv2PoolIndex
2771 MAX-ACCESS not-accessible
2772 STATUS current
2773 DESCRIPTION
2774 "Index of the address pool to which this address range
2775 belongs. See Natv2PoolIndex."
2776 ::= { natv2PoolRangeEntry 2 }
2778 natv2PoolRangeRowIndex OBJECT-TYPE
2779 SYNTAX Unsigned32
2780 MAX-ACCESS not-accessible
2781 STATUS current
2782 DESCRIPTION
2783 "Row index for successive range entries for the same
2784 address pool."
2785 ::= { natv2PoolRangeEntry 3 }
2787 natv2PoolRangeBegin OBJECT-TYPE
2788 SYNTAX InetAddress
2789 MAX-ACCESS read-only
2790 STATUS current
2791 DESCRIPTION
2792 "Lowest address included in this range. The type of address
2793 (IPv4 or IPv6) is given by natv2PoolAddressType
2794 in natv2PoolTable."
2795 ::= { natv2PoolRangeEntry 4 }
2797 natv2PoolRangeEnd OBJECT-TYPE
2798 SYNTAX InetAddress
2799 MAX-ACCESS read-only
2800 STATUS current
2801 DESCRIPTION
2802 "Highest address included in this range. The type of address
2803 (IPv4 or IPv6) is given by natv2PoolAddressType
2804 in natv2PoolTable."
2805 ::= { natv2PoolRangeEntry 5 }
2807 -- indexed mapping tables
2809 -- Address Map Table. Mapped from internal to external address.
2811 natv2AddressMapTable OBJECT-TYPE
2812 SYNTAX SEQUENCE OF Natv2AddressMapEntry
2813 MAX-ACCESS not-accessible
2814 STATUS current
2815 DESCRIPTION
2816 "Table of mappings from internal to external address. By
2817 definition, this is a snapshot of NAT instance state at a
2818 given moment. Indexed by NAT instance, internal realm, and
2819 internal address in that realm. Provides the mapped external
2820 address and, depending on implementation support, identifies
2821 the address pool from which the external address and port
2822 were taken and the index of the subscriber to which the
2823 mapping has been allocated.
2825 In the case of DS-Lite [RFC 6333], the indexing realm and
2826 address are those of the IPv6 encapsulation rather than the
2827 IPv4 inner packet."
2828 REFERENCE
2829 "RFC yyyy. DS-Lite: RFC 6333."
2830 ::= { natv2MIBInstanceObjects 5 }
2832 natv2AddressMapEntry OBJECT-TYPE
2833 SYNTAX Natv2AddressMapEntry
2834 MAX-ACCESS not-accessible
2835 STATUS current
2836 DESCRIPTION
2837 "Mapping from internal to external address."
2838 INDEX { natv2AddressMapInstanceIndex,
2839 natv2AddressMapInternalRealm,
2840 natv2AddressMapInternalRealmAddressType,
2841 natv2AddressMapInternalRealmAddress,
2842 natv2AddressMapRowIndex }
2843 ::= { natv2AddressMapTable 1 }
2845 Natv2AddressMapEntry ::=
2846 SEQUENCE {
2847 natv2AddressMapInstanceIndex Natv2InstanceIndex,
2848 natv2AddressMapInternalRealm SnmpAdminString,
2849 natv2AddressMapInternalRealmAddressType InetAddressType,
2850 natv2AddressMapInternalRealmAddress InetAddress,
2851 natv2AddressMapRowIndex Unsigned32,
2852 natv2AddressMapInternalMappedAddressType InetAddressType,
2853 natv2AddressMapInternalMappedAddress InetAddress,
2854 natv2AddressMapExternalRealm SnmpAdminString,
2855 natv2AddressMapExternalAddressType InetAddressType,
2856 natv2AddressMapExternalAddress InetAddress,
2857 natv2AddressMapExternalPool Natv2PoolIndexOrZero,
2858 natv2AddressMapSubscriberIndex Natv2SubscriberIndexOrZero
2859 }
2861 natv2AddressMapInstanceIndex OBJECT-TYPE
2862 SYNTAX Natv2InstanceIndex
2863 MAX-ACCESS not-accessible
2864 STATUS current
2865 DESCRIPTION
2866 "Index of the NAT instance that generated this address map."
2867 ::= { natv2AddressMapEntry 1 }
2869 natv2AddressMapInternalRealm OBJECT-TYPE
2870 SYNTAX SnmpAdminString (SIZE(0..32))
2871 MAX-ACCESS not-accessible
2872 STATUS current
2873 DESCRIPTION
2874 "Realm to which the internal address belongs. In most cases
2875 this is the realm defining the address space of the packet
2876 being translated. However, in the case of DS-Lite [RFC
2877 6333], this realm defines the IPv6 outer header address
2878 space, while it is the combination of that outer header and
2879 the inner IPv4 packet header that is remapped to the
2880 external address and realm. The corresponding IPv4 realm is
2881 restricted in scope to the tunnel, so there is no point in
2882 identifying it. The mapped IPv4 address will normally be the
2883 well-known value 192.0.0.2, or at least lie in the reserved
2884 192.0.0.0/29 range.
2886 If natv2AddressMapSubscriberIndex in this table is a valid
2887 subscriber index (i.e., greater than zero), then the value
2888 of natv2AddressMapInternalRealm MUST be identical to the
2889 value of natv2SubscriberRealm associated with that index."
2890 REFERENCE
2891 "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
2892 Section 6.6 on the need to have the IPv6 tunnel address in
2893 the NAT mapping tables."
2894 ::= { natv2AddressMapEntry 2 }
2896 natv2AddressMapInternalRealmAddressType OBJECT-TYPE
2897 SYNTAX InetAddressType
2898 MAX-ACCESS not-accessible
2899 STATUS current
2900 DESCRIPTION
2901 "Address type in the header of packets on the
2902 interior side of this mapping. Any value other than ipv4(1)
2903 or ipv6(2) would be unexpected.
2905 In the DS-Lite case, the address type is ipv6(2)."
2906 REFERENCE
2907 "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
2908 Section 6.6 on the need to have the IPv6 tunnel source
2909 address in the NAT mapping tables."
2910 ::= { natv2AddressMapEntry 3 }
2912 natv2AddressMapInternalRealmAddress OBJECT-TYPE
2913 SYNTAX InetAddress
2914 MAX-ACCESS not-accessible
2915 STATUS current
2916 DESCRIPTION
2917 "Source address of packets originating from the interior
2918 of the association provided by this mapping.
2920 In the case of DS-Lite [RFC 6333], this is the IPv6 tunnel
2921 source address. The mapping in this case is considered to
2922 be from the combination of the IPv6 tunnel source address
2923 natv2AddressMapInternalRealmAddress and the well-known IPv4
2924 inner source address natv2AddressMapInternalMappedAddress to
2925 the external address."
2926 REFERENCE
2927 "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
2928 Section 6.6 on the need to have the IPv6 tunnel address in
2929 the NAT mapping tables."
2930 ::= { natv2AddressMapEntry 4 }
2932 natv2AddressMapRowIndex OBJECT-TYPE
2933 SYNTAX Unsigned32
2934 MAX-ACCESS not-accessible
2935 STATUS current
2936 DESCRIPTION
2937 "Index of a conceptual row corresponding to a mapping of the
2938 given internal realm and address to a single external realm
2939 and address. Multiple rows will be present because of a
2940 promiscuous external address selection policy, policies
2941 associating the same internal address with different address
2942 pools, or because the same internal realm-address
2943 combination is communicating with multiple external address
2944 realms."
2945 ::= { natv2AddressMapEntry 5 }
2947 natv2AddressMapInternalMappedAddressType OBJECT-TYPE
2948 SYNTAX InetAddressType
2949 MAX-ACCESS read-only
2950 STATUS current
2951 DESCRIPTION
2952 "Internal address type actually translated by this mapping.
2953 Any value other than ipv4(1) or ipv6(2) would be unexpected.
2954 In the general case, this is the same as given by
2955 natv2AddressMapInternalRealmAddressType. In the
2956 tunneled case it is the address type used in the
2957 encapsulated packet header. In particular, in the DS-Lite
2958 case, the mapped address type is ipv4(1). Other forms of
2959 tunneled access are out of scope."
2960 REFERENCE
2961 "DS-Lite: RFC 6333."
2962 ::= { natv2AddressMapEntry 6 }
2964 natv2AddressMapInternalMappedAddress OBJECT-TYPE
2965 SYNTAX InetAddress
2966 MAX-ACCESS read-only
2967 STATUS current
2968 DESCRIPTION
2969 "Internal address actually translated by this mapping. In the
2970 general case, this is the same as
2971 natv2AddressMapInternalRealmAddress. In the case of DS-Lite
2972 [RFC 6333], this is the source address of the encapsulated
2973 IPv4 packet, selected from the well-known range
2974 192.0.0.0/29. The mapping in this case is considered to be
2975 from the combination of the IPv6 tunnel source address
2976 natv2AddressMapInternalRealmAddress and the well-known IPv4
2977 inner source address natv2AddressMapInternalMappedAddress to
2978 the external address."
2979 REFERENCE
2980 "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
2981 Section 6.6 on the need to have the IPv6 tunnel address in
2982 the NAT mapping tables."
2983 ::= { natv2AddressMapEntry 7 }
2985 natv2AddressMapExternalRealm OBJECT-TYPE
2986 SYNTAX SnmpAdminString (SIZE(0..32))
2987 MAX-ACCESS read-only
2988 STATUS current
2989 DESCRIPTION
2990 "External address realm to which this mapping maps the
2991 internal address. This can be the same as the internal realm
2992 in the case of a 'hairpin' connection, but otherwise will be
2993 different."
2994 ::= { natv2AddressMapEntry 8 }
2996 natv2AddressMapExternalAddressType OBJECT-TYPE
2997 SYNTAX InetAddressType
2998 MAX-ACCESS read-only
2999 STATUS current
3000 DESCRIPTION
3001 "Address type for the external realm. Any value other than
3002 ipv4(1) or ipv6(2) would be unexpected."
3003 ::= { natv2AddressMapEntry 9 }
3005 natv2AddressMapExternalAddress OBJECT-TYPE
3006 SYNTAX InetAddress
3007 MAX-ACCESS read-only
3008 STATUS current
3009 DESCRIPTION
3010 "External address to which the internal address is mapped.
3012 In the DS-Lite case, the mapping is from the combination of
3013 the internal IPv6 tunnel source address as presented in this
3014 table and the well-known IPv4 source address of the
3015 encapsulated IPv4 packet."
3016 REFERENCE
3017 "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
3018 Section 6.6 on the need to have the IPv6 tunnel address in
3019 the NAT mapping tables."
3020 ::= { natv2AddressMapEntry 10 }
3022 natv2AddressMapExternalPool OBJECT-TYPE
3023 SYNTAX Natv2PoolIndexOrZero
3024 MAX-ACCESS read-only
3025 STATUS current
3026 DESCRIPTION
3027 "Index of the address pool in the external realm from which
3028 the mapped external address given in
3029 natv2AddressMapExternalAddress was taken. Zero if the
3030 implementation does not support address pools but has chosen
3031 to support this object, or if no pool was configured for the
3032 given external realm."
3033 ::= { natv2AddressMapEntry 11 }
3035 natv2AddressMapSubscriberIndex OBJECT-TYPE
3036 SYNTAX Natv2SubscriberIndexOrZero
3037 MAX-ACCESS read-only
3038 STATUS current
3039 DESCRIPTION
3040 "Index of the subscriber to which this address mapping
3041 applies, or zero if no subscribers are configured on
3042 this NAT instance."
3043 ::= { natv2AddressMapEntry 12 }
3045 -- natv2PortMapTable
3046 natv2PortMapTable OBJECT-TYPE
3047 SYNTAX SEQUENCE OF Natv2PortMapEntry
3048 MAX-ACCESS not-accessible
3049 STATUS current
3050 DESCRIPTION
3051 "Table of port map entries indexed by NAT instance, protocol,
3052 and external realm and address. A port map entry associates
3053 an internal 'next protocol' endpoint with an endpoint for
3054 the same 'next protocol' in the given external realm. By
3055 definition, this is a snapshot of NAT instance state at a
3056 given moment. The table provides the basic mapping
3057 information.
3059 In the case of DS-Lite [RFC 6333], the table provides the
3060 internal IPv6 tunnel source address in
3061 natv2PortMapInternalRealmAddress and the IPv4 source address
3062 of the encapsulated packet that is actually translated in
3063 natv2PortMapInternalMappedAddress. In the general (non-DS-
3064 Lite) case, those two objects will have the same value."
3065 REFERENCE
3066 "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
3067 Section 6.6 on the need to have the IPv6 tunnel address in
3068 the NAT mapping tables.
3069
3070 RFC yyyy, Section 3.3.9."
3071 ::= { natv2MIBInstanceObjects 6 }
3073 natv2PortMapEntry OBJECT-TYPE
3074 SYNTAX Natv2PortMapEntry
3075 MAX-ACCESS not-accessible
3076 STATUS current
3077 DESCRIPTION
3078 "A single NAT mapping."
3079 INDEX { natv2PortMapInstanceIndex,
3080 natv2PortMapProtocol,
3081 natv2PortMapExternalRealm,
3082 natv2PortMapExternalAddressType,
3083 natv2PortMapExternalAddress,
3084 natv2PortMapExternalPort }
3085 ::= { natv2PortMapTable 1 }
3087 Natv2PortMapEntry ::=
3088 SEQUENCE {
3089 natv2PortMapInstanceIndex Natv2InstanceIndex,
3090 natv2PortMapProtocol ProtocolNumber,
3091 natv2PortMapExternalRealm SnmpAdminString,
3092 natv2PortMapExternalAddressType InetAddressType,
3093 natv2PortMapExternalAddress InetAddress,
3094 natv2PortMapExternalPort InetPortNumber,
3095 natv2PortMapInternalRealm SnmpAdminString,
3096 natv2PortMapInternalRealmAddressType InetAddressType,
3097 natv2PortMapInternalRealmAddress InetAddress,
3098 natv2PortMapInternalMappedAddressType InetAddressType,
3099 natv2PortMapInternalMappedAddress InetAddress,
3100 natv2PortMapInternalPort InetPortNumber,
3101 natv2PortMapSubscriberIndex Natv2SubscriberIndexOrZero
3102 }
3104 natv2PortMapInstanceIndex OBJECT-TYPE
3105 SYNTAX Natv2InstanceIndex
3106 MAX-ACCESS not-accessible
3107 STATUS current
3108 DESCRIPTION
3109 "Index of the NAT instance that created this port map entry."
3110 ::= { natv2PortMapEntry 1 }
3112 natv2PortMapProtocol OBJECT-TYPE
3113 SYNTAX ProtocolNumber
3114 MAX-ACCESS not-accessible
3115 STATUS current
3116 DESCRIPTION
3117 "The map entry's 'next protocol' number."
3118 ::= { natv2PortMapEntry 2 }
3120 natv2PortMapExternalRealm OBJECT-TYPE
3121 SYNTAX SnmpAdminString (SIZE(0..32))
3122 MAX-ACCESS not-accessible
3123 STATUS current
3124 DESCRIPTION
3125 "The realm to which natv2PortMapExternalAddress belongs."
3126 ::= { natv2PortMapEntry 3 }
3128 natv2PortMapExternalAddressType OBJECT-TYPE
3129 SYNTAX InetAddressType
3130 MAX-ACCESS not-accessible
3131 STATUS current
3132 DESCRIPTION
3133 "Address type for the external realm. A value other
3134 than ipv4(1) or ipv6(2) would be unexpected."
3135 ::= { natv2PortMapEntry 4 }
3137 natv2PortMapExternalAddress OBJECT-TYPE
3138 SYNTAX InetAddress
3139 MAX-ACCESS not-accessible
3140 STATUS current
3141 DESCRIPTION
3142 "The mapping's assigned external address (taken from
3143 the address pool identified by natv2PortMapExternalPool,
3144 if the implementation supports address pools and pools
3145 are configured for the given external realm). This is
3146 the source address for translated outgoing packets."
3147 ::= { natv2PortMapEntry 5 }
3149 natv2PortMapExternalPort OBJECT-TYPE
3150 SYNTAX InetPortNumber
3151 MAX-ACCESS not-accessible
3152 STATUS current
3153 DESCRIPTION
3154 "The mapping's assigned external port number. This is the
3155 source port for translated outgoing packets. If the internal
3156 port number given by natv2PortMapInternalPort is zero this
3157 value MUST also be zero. Otherwise this MUST be a non-zero
3158 value."
3159 ::= { natv2PortMapEntry 6 }
3161 natv2PortMapInternalRealm OBJECT-TYPE
3162 SYNTAX SnmpAdminString (SIZE(0..32))
3163 MAX-ACCESS read-only
3164 STATUS current
3165 DESCRIPTION
3166 "The realm to which natv2PortMapInternalRealmAddress belongs.
3167 In the general case, this realm contains the address that is
3168 being translated. In the DS-Lite [RFC 6333] case, this realm
3169 defines the IPv6 address space from which the tunnel source
3170 address is taken. The realm of the encapsulated IPv4 address
3171 is restricted in scope to the tunnel, so there is no point
3172 in identifying it separately."
3173 REFERENCE
3174 "RFC 6333 DS-Lite."
3175 ::= { natv2PortMapEntry 7 }
3177 natv2PortMapInternalRealmAddressType OBJECT-TYPE
3178 SYNTAX InetAddressType
3179 MAX-ACCESS read-only
3180 STATUS current
3181 DESCRIPTION
3182 "Address type for addresses in the realm identified by
3183 natv2PortMapInternalRealm."
3184 ::= { natv2PortMapEntry 8 }
3186 natv2PortMapInternalRealmAddress OBJECT-TYPE
3187 SYNTAX InetAddress
3188 MAX-ACCESS read-only
3189 STATUS current
3190 DESCRIPTION
3191 "Source address for packets received under this mapping on
3192 the internal side of the NAT instance. In the general case
3193 this address is the same as the address given in
3194 natv2PortMapInternalMappedAddress. In the DS-Lite case,
3195 natv2PortMapInternalRealmAddress is the IPv6 tunnel source
3196 address."
3197 REFERENCE
3198 "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
3199 Section 6.6 on the need to have the IPv6 tunnel address in
3200 the NAT mapping tables."
3201 ::= { natv2PortMapEntry 9 }
3203 natv2PortMapInternalMappedAddressType OBJECT-TYPE
3204 SYNTAX InetAddressType
3205 MAX-ACCESS read-only
3206 STATUS current
3207 DESCRIPTION
3208 "Internal address type actually translated by this mapping.
3209 Any value other than ipv4(1) or ipv6(2) would be unexpected.
3210 In the general case, this is the same as given by
3211 natv2PortMapInternalRealmAddressType. In the DS-Lite
3212 case, the address type is ipv4(1)."
3213 REFERENCE
3214 "DS-Lite: RFC 6333."
3215 ::= { natv2PortMapEntry 10 }
3217 natv2PortMapInternalMappedAddress OBJECT-TYPE
3218 SYNTAX InetAddress
3219 MAX-ACCESS read-only
3220 STATUS current
3221 DESCRIPTION
3222 "Internal address actually translated by this mapping. In the
3223 general case, this is the same as
3224 natv2PortMapInternalRealmAddress. In the case of DS-Lite
3225 [RFC 6333], this is the source address of the encapsulated
3226 IPv4 packet, selected from the well-known range
3227 192.0.0.0/29. The mapping in this case is considered to be
3228 from the external address to the combination of the IPv6
3229 tunnel source address natv2PortMapInternalRealmAddress and
3230 the well-known IPv4 inner source address
3231 natv2PortMapInternalMappedAddress."
3232 REFERENCE
3233 "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
3234 Section 6.6 on the need to have the IPv6 tunnel address in
3235 the NAT mapping tables."
3236 ::= { natv2PortMapEntry 11 }
3238 natv2PortMapInternalPort OBJECT-TYPE
3239 SYNTAX InetPortNumber
3240 MAX-ACCESS read-only
3241 STATUS current
3242 DESCRIPTION
3243 "The mapping's internal port number. If this is zero, ports
3244 are not translated (i.e., the NAT instance is a pure NAT
3245 rather than a NAPT)."
3246 ::= { natv2PortMapEntry 12 }
3248 natv2PortMapSubscriberIndex OBJECT-TYPE
3249 SYNTAX Natv2SubscriberIndexOrZero
3250 MAX-ACCESS read-only
3251 STATUS current
3252 DESCRIPTION
3253 "Subscriber using this map entry. Zero if the implementation
3254 does not support subscribers but has chosen to support
3255 this object."
3256 ::= { natv2PortMapEntry 13 }
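As an added example (not part of the draft), the following Python checker validates natv2PortMapTable rows against the invariants stated in the object DESCRIPTIONs above: address types limited to ipv4(1)/ipv6(2), natv2PortMapExternalPort zero exactly when natv2PortMapInternalPort is zero, the two internal addresses equal in the general case, and the inner address drawn from 192.0.0.0/29 in the DS-Lite case. The row field names and the sample rows are constructed for illustration; the object names in the comments are the draft's.

```python
"""Consistency checks on natv2PortMapTable rows (added example, not part of
the draft). Rows are constructed records standing in for the values an SNMP
walk would return for one natv2PortMapEntry."""
import ipaddress
from dataclasses import dataclass
from typing import List

# InetAddressType enumeration values (RFC 4001) used by the table.
IPV4, IPV6 = 1, 2
# Well-known inner IPv4 range of DS-Lite B4 elements (RFC 6333, Section 5.7),
# quoted in the natv2PortMapInternalMappedAddress description.
DSLITE_WELL_KNOWN = ipaddress.ip_network("192.0.0.0/29")


@dataclass
class PortMapRow:
    protocol: int                   # natv2PortMapProtocol
    external_realm: str             # natv2PortMapExternalRealm
    external_type: int              # natv2PortMapExternalAddressType
    external_address: str           # natv2PortMapExternalAddress
    external_port: int              # natv2PortMapExternalPort
    internal_realm_type: int        # natv2PortMapInternalRealmAddressType
    internal_realm_address: str     # natv2PortMapInternalRealmAddress
    internal_mapped_type: int       # natv2PortMapInternalMappedAddressType
    internal_mapped_address: str    # natv2PortMapInternalMappedAddress
    internal_port: int              # natv2PortMapInternalPort


def is_dslite(row: PortMapRow) -> bool:
    """A DS-Lite row carries an IPv6 tunnel source address in
    natv2PortMapInternalRealmAddress and an IPv4 inner address in
    natv2PortMapInternalMappedAddress."""
    return row.internal_realm_type == IPV6 and row.internal_mapped_type == IPV4


def check_row(row: PortMapRow) -> List[str]:
    """Return the invariants from the object DESCRIPTIONs that the row
    violates; an empty list means the row is consistent."""
    problems = []
    # Any address type other than ipv4(1) or ipv6(2) "would be unexpected".
    for name, t in (("external", row.external_type),
                    ("internalRealm", row.internal_realm_type),
                    ("internalMapped", row.internal_mapped_type)):
        if t not in (IPV4, IPV6):
            problems.append(f"{name} address type {t} is unexpected")
    # natv2PortMapExternalPort MUST be zero iff natv2PortMapInternalPort is zero.
    if (row.internal_port == 0) != (row.external_port == 0):
        problems.append("external port must be zero exactly when internal port is zero")
    if is_dslite(row):
        # Inner IPv4 source address must come from the well-known range.
        if ipaddress.ip_address(row.internal_mapped_address) not in DSLITE_WELL_KNOWN:
            problems.append("DS-Lite inner address not in 192.0.0.0/29")
    else:
        # General case: both internal objects carry the same type and value.
        if row.internal_realm_type != row.internal_mapped_type:
            problems.append("internal realm/mapped address types differ")
        elif row.internal_realm_address != row.internal_mapped_address:
            problems.append("internal realm/mapped addresses differ")
    return problems


def mapping_key(row: PortMapRow) -> tuple:
    """Internal endpoint the external endpoint maps to: (address, port) in the
    general case; (tunnel address, inner address, port) for DS-Lite, as the
    table description says the mapping is to that combination."""
    if is_dslite(row):
        return (row.internal_realm_address, row.internal_mapped_address, row.internal_port)
    return (row.internal_mapped_address, row.internal_port)


# Constructed sample rows using documentation addresses (not from the draft).
GENERAL_ROW = PortMapRow(17, "ext", IPV4, "198.51.100.7", 40001,
                         IPV4, "10.0.0.5", IPV4, "10.0.0.5", 5060)
DSLITE_ROW = PortMapRow(6, "ext", IPV4, "198.51.100.8", 40002,
                        IPV6, "2001:db8::b4", IPV4, "192.0.0.2", 443)
# Violates both the port rule and the well-known range rule.
BAD_ROW = PortMapRow(6, "ext", IPV4, "198.51.100.9", 0,
                     IPV6, "2001:db8::b5", IPV4, "192.0.0.9", 8080)
```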
3258 -- Conformance section. Specifies three cumulatively more extensive
3259 -- applications: basic NAT, pooled NAT, and carrier grade NAT
3261 natv2MIBConformance OBJECT IDENTIFIER ::= { natv2MIB 3 }
3263 natv2MIBCompliances OBJECT IDENTIFIER ::= { natv2MIBConformance 1 }
3264 natv2MIBGroups OBJECT IDENTIFIER ::= { natv2MIBConformance 2 }
3266 natv2MIBBasicCompliance MODULE-COMPLIANCE
3267 STATUS current
3268 DESCRIPTION
3269 "Describes the requirements for conformance to the basic NAT
3270 application of NATv2 MIB."
3271 MODULE -- this module
3272 MANDATORY-GROUPS { natv2BasicNotificationGroup,
3273 natv2BasicInstanceLevelGroup
3274 }
3275 GROUP natv2BasicNotificationGroup
3276 DESCRIPTION
3277 "The natv2BasicNotificationGroup is mandatory for all
3278 NAT applications."
3279 GROUP natv2BasicInstanceLevelGroup
3280 DESCRIPTION
3281 "The natv2BasicInstanceLevelGroup is mandatory for all
3282 NAT applications."
3283 ::= { natv2MIBCompliances 1 }
3285 natv2MIBPooledNATCompliance MODULE-COMPLIANCE
3286 STATUS current
3287 DESCRIPTION
3288 "Describes the requirements for conformance to the pooled NAT
3289 application of NATv2-MIB."
3290 MODULE -- this module
3291 MANDATORY-GROUPS { natv2BasicNotificationGroup,
3292 natv2BasicInstanceLevelGroup,
3293 natv2PooledNotificationGroup,
3294 natv2PooledInstanceLevelGroup
3295 }
3296 GROUP natv2BasicNotificationGroup
3297 DESCRIPTION
3298 "The natv2BasicNotificationGroup is mandatory for all
3299 NAT applications."
3300 GROUP natv2BasicInstanceLevelGroup
3301 DESCRIPTION
3302 "The natv2BasicInstanceLevelGroup is mandatory for all
3303 NAT applications."
3304 GROUP natv2PooledNotificationGroup
3305 DESCRIPTION
3306 "The natv2PooledNotificationGroup is mandatory for
3307 the pooled and CGN applications."
3308 GROUP natv2PooledInstanceLevelGroup
3309 DESCRIPTION
3310 "The natv2PooledInstanceLevelGroup is mandatory for
3311 the pooled and CGN applications."
3312 ::= { natv2MIBCompliances 2 }
3314 natv2MIBCGNCompliance MODULE-COMPLIANCE
3315 STATUS current
3316 DESCRIPTION
3317 "Describes the requirements for conformance to the
3318 carrier grade NAT application of NATv2-MIB."
3319 MODULE -- this module
3320 MANDATORY-GROUPS { natv2BasicNotificationGroup,
3321 natv2BasicInstanceLevelGroup,
3322 natv2PooledNotificationGroup,
3323 natv2PooledInstanceLevelGroup,
3324 natv2CGNNotificationGroup,
3325 natv2CGNDeviceLevelGroup,
3326 natv2CGNInstanceLevelGroup
3327 }
3328 GROUP natv2BasicNotificationGroup
3329 DESCRIPTION
3330 "The natv2BasicNotificationGroup is mandatory for all
3331 NAT applications."
3332 GROUP natv2BasicInstanceLevelGroup
3333 DESCRIPTION
3334 "The natv2BasicInstanceLevelGroup is mandatory for all
3335 NAT applications."
3336 GROUP natv2PooledNotificationGroup
3337 DESCRIPTION
3338 "The natv2PooledNotificationGroup is mandatory for
3339 the pooled and CGN applications."
3340 GROUP natv2PooledInstanceLevelGroup
3341 DESCRIPTION
3342 "The natv2PooledInstanceLevelGroup is mandatory for
3343 the pooled and CGN applications."
3344 GROUP natv2CGNNotificationGroup
3345 DESCRIPTION
3346 "The natv2CGNNotificationGroup is mandatory
3347 for the carrier grade NAT application."
3348 GROUP natv2CGNDeviceLevelGroup
3349 DESCRIPTION
3350 "The natv2CGNDeviceLevelGroup is mandatory
3351 for the carrier grade NAT application."
3352 GROUP natv2CGNInstanceLevelGroup
3353 DESCRIPTION
3354 "The natv2CGNInstanceLevelGroup is mandatory
3355 for the carrier grade NAT application."
3356 ::= { natv2MIBCompliances 3 }
3358 -- Groups
3360 natv2BasicNotificationGroup NOTIFICATION-GROUP
3361 NOTIFICATIONS {
3362 natv2NotificationInstanceAddressMapEntriesHigh,
3363 natv2NotificationInstancePortMapEntriesHigh
3364 }
3365 STATUS current
3366 DESCRIPTION
3367 "Notifications that MUST be supported by all NAT
3368 applications."
3369 ::= { natv2MIBGroups 1 }
3371 natv2BasicInstanceLevelGroup OBJECT-GROUP
3372 OBJECTS {
3373 -- from natv2InstanceTable
3374 natv2InstanceIndex,
3375 natv2InstanceAlias,
3376 natv2InstancePortMappingBehavior,
3377 natv2InstanceFilteringBehavior,
3378 natv2InstanceFragmentBehavior,
3379 natv2InstanceAddressMapEntries,
3380 natv2InstancePortMapEntries,
3381 natv2InstanceTranslations,
3382 natv2InstanceAddressMapCreations,
3383 natv2InstanceAddressMapEntryLimitDrops,
3384 natv2InstanceAddressMapFailureDrops,
3385 natv2InstancePortMapCreations,
3386 natv2InstancePortMapEntryLimitDrops,
3387 natv2InstancePortMapFailureDrops,
3388 natv2InstanceFragmentDrops,
3389 natv2InstanceOtherResourceFailureDrops,
3390 natv2InstanceDiscontinuityTime,
3391 natv2InstanceThresholdAddressMapEntriesHigh,
3392 natv2InstanceThresholdPortMapEntriesHigh,
3393 natv2InstanceNotificationInterval,
3394 natv2InstanceLimitAddressMapEntries,
3395 natv2InstanceLimitPortMapEntries,
3396 natv2InstanceLimitPendingFragments,
3397 -- from natv2NextProtocolTable
3398 natv2NextProtocolInstanceIndex,
3399 natv2NextProtocolNumber,
3400 natv2NextProtocolPortMapEntries,
3401 natv2NextProtocolTranslations,
3402 natv2NextProtocolPortMapCreations,
3403 natv2NextProtocolPortMapFailureDrops,
3404 natv2NextProtocolOtherResourceFailureDrops,
3405 -- from natv2AddressMapTable
3406 natv2AddressMapInstanceIndex,
3407 natv2AddressMapInternalRealm,
3408 natv2AddressMapInternalRealmAddressType,
3409 natv2AddressMapInternalRealmAddress,
3410 natv2AddressMapRowIndex,
3411 natv2AddressMapExternalRealm,
3412 natv2AddressMapExternalAddressType,
3413 natv2AddressMapExternalAddress,
3414 -- from natv2PortMapTable
3415 natv2PortMapInstanceIndex,
3416 natv2PortMapProtocol,
3417 natv2PortMapExternalRealm,
3418 natv2PortMapExternalAddressType,
3419 natv2PortMapExternalAddress,
3420 natv2PortMapExternalPort,
3421 natv2PortMapInternalRealm,
3422 natv2PortMapInternalRealmAddressType,
3423 natv2PortMapInternalRealmAddress,
3424 natv2PortMapInternalPort
3425 }
3426 STATUS current
3427 DESCRIPTION
3428 "Per-instance objects that MUST be supported by
3429 implementations of all NAT applications."
3430 ::= { natv2MIBGroups 2 }
3432 natv2PooledNotificationGroup NOTIFICATION-GROUP
3433 NOTIFICATIONS {
3434 natv2NotificationPoolUsageLow,
3435 natv2NotificationPoolUsageHigh
3436 }
3437 STATUS current
3438 DESCRIPTION
3439 "Notifications that MUST be supported by pooled and
3440 carrier-grade NAT applications."
3441 ::= { natv2MIBGroups 3 }
3443 natv2PooledInstanceLevelGroup OBJECT-GROUP
3444 OBJECTS {
3445 -- from natv2InstanceTable
3446 natv2InstancePoolingBehavior,
3447 -- from natv2PoolTable
3448 natv2PoolInstanceIndex,
3449 natv2PoolIndex,
3450 natv2PoolRealm,
3451 natv2PoolAddressType,
3452 natv2PoolPortMin,
3453 natv2PoolPortMax,
3454 natv2PoolAddressMapEntries,
3455 natv2PoolPortMapEntries,
3456 natv2PoolAddressMapCreations,
3457 natv2PoolPortMapCreations,
3458 natv2PoolAddressMapFailureDrops,
3459 natv2PoolPortMapFailureDrops,
3460 natv2PoolOtherResourceFailureDrops,
3461 natv2PoolDiscontinuityTime,
3462 natv2PoolThresholdUsageLow,
3463 natv2PoolThresholdUsageHigh,
3464 natv2PoolNotifiedPortMapEntries,
3465 natv2PoolNotifiedPortMapProtocol,
3466 natv2PoolNotificationInterval,
3467 -- from natv2PoolRangeTable
3468 natv2PoolRangeInstanceIndex,
3469 natv2PoolRangePoolIndex,
3470 natv2PoolRangeRowIndex,
3471 natv2PoolRangeBegin,
3472 natv2PoolRangeEnd,
3473 -- from natv2AddressMapTable
3474 natv2AddressMapExternalPool
3475 }
3477 STATUS current
3478 DESCRIPTION
3479 "Per-instance objects that MUST be supported by
3480 implementations of the pooled and carrier grade
3481 NAT applications."
3482 ::= { natv2MIBGroups 4 }
3484 natv2CGNNotificationGroup NOTIFICATION-GROUP
3485 NOTIFICATIONS {
3486 natv2NotificationSubscriberPortMappingEntriesHigh
3487 }
3488 STATUS current
3489 DESCRIPTION
3490 "Notification that MUST be supported by implementations
3491 of the carrier grade NAT application."
3492 ::= { natv2MIBGroups 5 }
3494 natv2CGNDeviceLevelGroup OBJECT-GROUP
3495 OBJECTS {
3496 -- from table natv2SubscriberTable
3497 natv2SubscriberIndex,
3498 natv2SubscriberRealm,
3499 natv2SubscriberInternalPrefixType,
3500 natv2SubscriberInternalPrefix,
3501 natv2SubscriberInternalPrefixLength,
3502 natv2SubscriberAddressMapEntries,
3503 natv2SubscriberPortMapEntries,
3504 natv2SubscriberTranslations,
3505 natv2SubscriberAddressMapCreations,
3506 natv2SubscriberPortMapCreations,
3507 natv2SubscriberAddressMapFailureDrops,
3508 natv2SubscriberPortMapFailureDrops,
3509 natv2SubscriberOtherResourceFailureDrops,
3510 natv2SubscriberDiscontinuityTime,
3511 natv2SubscriberLimitPortMapEntries,
3512 natv2SubscriberThresholdPortMapEntriesHigh,
3513 natv2SubscriberNotificationInterval
3514 }
3515 STATUS current
3516 DESCRIPTION
3517 "Device-level objects that MUST be supported by the
3518 subscriber-aware NAT application."
3519 ::= { natv2MIBGroups 6 }
3521 natv2CGNInstanceLevelGroup OBJECT-GROUP
3522 OBJECTS {
3523 -- from natv2InstanceTable
3524 natv2InstanceSubscriberActiveLimitDrops,
3525 natv2InstanceLimitSubscriberActives,
3526 -- from natv2AddressMapTable
3527 natv2AddressMapSubscriberIndex,
3528 -- from natv2PortMapTable
3529 natv2PortMapSubscriberIndex
3530 }
3531 STATUS current
3532 DESCRIPTION
3533 "Per-instance objects that MUST be supported by the
3534 carrier grade NAT application."
3535 ::= { natv2MIBGroups 7 }
3537 END
3539 5. Operational and Management Considerations
3541 This section will be added in the next version.
3543 6. Security Considerations
3545 THIS SECTION WILL BE REVISED IN THE NEXT VERSION. PLEASE IGNORE FOR
3546 NOW.
3548 There are a number of management objects defined in this MIB module
3549 with a MAX-ACCESS clause of read-write and/or read-create. Such
3550 objects may be considered sensitive or vulnerable in some network
3551 environments. The support for SET operations in a non-secure
3552 environment without proper protection can have a negative effect on
3553 network operations. These are the tables and objects and their
3554 sensitivity/vulnerability:
3556 Limits: An attacker setting a very low or very high limit can easily
3557 cause a denial-of-service situation.
3559 * natv2LimitMappings
3561 * natv2LimitAddressMaps
3563 * natv2LimitFragments
3565 * natv2LimitSubscribers
3567 * natv2SubscriberLimitMappings
3569 Notification thresholds: An attacker setting an arbitrarily low
3570 threshold can cause many useless notifications to be generated.
3572 Setting an arbitrarily high threshold can effectively disable
3573 notifications, which could be used to hide another attack.
3575 * natv2MappingsNotifyThreshold
3577 * natv2AddrMapNotifyThreshold
3579 * natv2SubscriberMapNotifyThresh
3581 Some of the readable objects in this MIB module (i.e., objects with a
3582 MAX-ACCESS other than not-accessible) may be considered sensitive or
3583 vulnerable in some network environments. It is thus important to
3584 control even GET and/or NOTIFY access to these objects and possibly
3585 to even encrypt the values of these objects when sending them over
3586 the network via SNMP. These are the tables and objects and their
3587 sensitivity/vulnerability:
3589 Objects that reveal host identities: Various objects can reveal the
3590 identity of private hosts that are engaged in a session with
3591 external end nodes. A curious outsider could monitor these to
3592 assess the number of private hosts being supported by the NAT
3593 device. Further, a disgruntled former employee of an enterprise
3594 could use the information to break into specific private hosts by
3595 intercepting the existing sessions or originating new sessions
3596 into the host.
3598 * natv2AddressMapType
3600 * natv2AddressMapInt
3602 * natv2AddressMapExternal
3604 * natv2MappingIntRealm
3606 * natv2MappingIntAddressType
3608 * natv2MappingIntAddress
3610 * natv2MappingIntPort
3612 * natv2MappingMapBehavior
3614 * natv2MappingFilterBehavior
3616 * natv2MappingAddressPooling
3618 * natv2SubscriberIntPrefixType
3619 * natv2SubscriberIntPrefix
3621 * natv2SubscriberIntPrefixLength
3623 Other objects that reveal NAT state: Other managed objects in this
3624 MIB may contain information that may be sensitive from a business
3625 perspective, in that they may represent NAT state information.
3627 * natv2CntAddressMaps
3629 * natv2CntProtocolMappings
3631 * natv2PoolUsage
3633 * natv2PoolRangeAllocatedPorts
3635 * natv2SubscriberCntMappings
3637 There are no objects that are sensitive in their own right, such as
3638 passwords or monetary amounts.
3640 SNMP versions prior to SNMPv3 did not include adequate security.
3641 Even if the network itself is secure (for example by using IPsec),
3642 there is no control as to who on the secure network is allowed to
3643 access and GET/SET (read/change/create/delete) the objects in this
3644 MIB module.
3646 Implementations SHOULD provide the security features described by the
3647 SNMPv3 framework (see [RFC3410]), and implementations claiming
3648 compliance to the SNMPv3 standard MUST include full support for
3649 authentication and privacy via the User-based Security Model (USM)
3650 [RFC3414] with the AES cipher algorithm [RFC3826]. Implementations
3651 MAY also provide support for the Transport Security Model (TSM)
3652 [RFC5591] in combination with a secure transport such as SSH
3653 [RFC5592] or TLS/DTLS [RFC6353].
3655 Further, deployment of SNMP versions prior to SNMPv3 is NOT
3656 RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
3657 enable cryptographic security. It is then a customer/operator
3658 responsibility to ensure that the SNMP entity giving access to an
3659 instance of this MIB module is properly configured to give access to
3660 the objects only to those principals (users) that have legitimate
3661 rights to indeed GET or SET (change/create/delete) them.
3663 7. IANA Considerations
3665 IANA is requested to assign an object identifier to the natv2MIB
3666 module, with prefix iso.org.dod.internet.mgmt.mib-2 in the Network
3667 Management Parameters registry [SMI-NUMBERS].
3669 8. References
3671 8.1. Normative References
3673 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
3674 Requirement Levels", BCP 14, RFC 2119, March 1997.
3676 [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J.
3677 Schoenwaelder, Ed., "Structure of Management Information
3678 Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.
3680 [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J.
3681 Schoenwaelder, Ed., "Textual Conventions for SMIv2", STD
3682 58, RFC 2579, April 1999.
3684 [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
3685 "Conformance Statements for SMIv2", STD 58, RFC 2580,
3686 April 1999.
3688 [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
3689 Architecture for Describing Simple Network Management
3690 Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
3691 December 2002.
3693 [RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model
3694 (USM) for version 3 of the Simple Network Management
3695 Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.
3697 [RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie, "The
3698 Advanced Encryption Standard (AES) Cipher Algorithm in the
3699 SNMP User-based Security Model", RFC 3826, June 2004.
3701 [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
3702 Schoenwaelder, "Textual Conventions for Internet Network
3703 Addresses", RFC 4001, February 2005.
3705 [RFC4787] Audet, F. and C. Jennings, "Network Address Translation
3706 (NAT) Behavioral Requirements for Unicast UDP", BCP 127,
3707 RFC 4787, January 2007.
3709 [RFC5591] Harrington, D. and W. Hardaker, "Transport Security Model
3710 for the Simple Network Management Protocol (SNMP)", STD
3711 78, RFC 5591, June 2009.
3713 [RFC5592] Harrington, D., Salowey, J., and W. Hardaker, "Secure
3714 Shell Transport Model for the Simple Network Management
3715 Protocol (SNMP)", RFC 5592, June 2009.
3717 [RFC6353] Hardaker, W., "Transport Layer Security (TLS) Transport
3718 Model for the Simple Network Management Protocol (SNMP)",
3719 STD 78, RFC 6353, July 2011.
3721 8.2. Informative References
3723 [I-D.perrault-behave-deprecate-nat-mib-v1]
3724 Perrault, S., Tsou, T., Sivakumar, S., and T. Taylor,
3725 "Deprecation of MIB Module NAT-MIB (Managed Objects for
3726 Network Address Translators (NAT)) (Work in Progress)",
3727 October 2014.
3729 [RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address
3730 Translator (NAT) Terminology and Considerations", RFC
3731 2663, August 1999.
3733 [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
3734 "Introduction and Applicability Statements for Internet-
3735 Standard Management Framework", RFC 3410, December 2002.
3737 [RFC4008] Rohit, R., Srisuresh, P., Raghunarayan, R., Pai, N., and
3738 C. Wang, "Definitions of Managed Objects for Network
3739 Address Translators (NAT)", RFC 4008, March 2005.
3741 [RFC6333] Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-
3742 Stack Lite Broadband Deployments Following IPv4
3743 Exhaustion", RFC 6333, August 2011.
3745 [SMI-NUMBERS]
3746 "Network Management Parameters registry at IANA",
3747 .
3749 Authors' Addresses
3751 Simon Perreault
3752 Jive Communications
3753 Quebec, QC
3754 Canada
3756 Email: sperreault@jive.com
3757 Tina Tsou
3758 Huawei Technologies
3759 Bantian, Longgang District
3760 Shenzhen 518129
3761 PR China
3763 Email: tina.tsou.zouting@huawei.com
3765 Senthil Sivakumar
3766 Cisco Systems
3767 7100-8 Kit Creek Road
3768 Research Triangle Park, North Carolina 27709
3769 USA
3771 Phone: +1 919 392 5158
3772 Email: ssenthil@cisco.com
3774 Tom Taylor
3775 PT Taylor Consulting
3776 Ottawa
3777 Canada
3779 Email: tom.taylor.stds@gmail.com