idnits 2.17.1 

draft-perrault-behave-natv2-mib-02.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 1 instance of lines with non-RFC2606-compliant FQDNs in the
     document.

  == There are 7 instances of lines with non-RFC6890-compliant IPv4 addresses
     in the document.  If these are example addresses, they should be changed.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 2694 has weird spacing: '...     of  natv2...'

  -- The document date (February 17, 2015) is 3356 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'RFC 4008' is mentioned on line 3607, but not defined

  ** Obsolete undefined reference: RFC 4008 (Obsoleted by RFC 7658)

  == Missing Reference: 'RFC 6333' is mentioned on line 3200, but not defined

  -- No information found for draft-perrault-behave-deprecate-nat-mib-v1 - is
     the name correct?

  -- Obsolete informational reference (is this intentional?): RFC 2460
     (Obsoleted by RFC 8200)

  -- Obsolete informational reference (is this intentional?): RFC 3489
     (Obsoleted by RFC 5389)

  -- Obsolete informational reference (is this intentional?): RFC 4008
     (Obsoleted by RFC 7658)


     Summary: 1 error (**), 0 flaws (~~), 6 warnings (==), 5 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Network Working Group                                       S. Perreault
3	Internet-Draft                                       Jive Communications
4	Intended status: Standards Track                                 T. Tsou
5	Expires: August 21, 2015                             Huawei Technologies
6	                                                            S. Sivakumar
7	                                                           Cisco Systems
8	                                                               T. Taylor
9	                                                    PT Taylor Consulting
10	                                                       February 17, 2015

12	  Definitions of Managed Objects for Network Address Translators (NAT)
13	                   draft-perrault-behave-natv2-mib-02

15	Abstract

17	   This memo defines a portion of the Management Information Base (MIB)
18	   for devices implementing the Network Address Translator (NAT)
19	   function.  The new MIB module defined in this document, NATV2-MIB, is
20	   intended to replace module NAT-MIB (RFC 4008).  NATV2-MIB is not
21	   backwards compatible with NAT-MIB, for reasons given in the text of
22	   this document.  A companion document deprecates all objects in NAT-
23	   MIB.  NATV2-MIB can be used for monitoring of NAT instances on a
24	   device capable of NAT function.  Compliance levels are defined for
25	   three application scenarios: basic NAT, pooled NAT, and carrier-grade
26	   NAT (CGN).

28	Status of This Memo

30	   This Internet-Draft is submitted in full conformance with the
31	   provisions of BCP 78 and BCP 79.

33	   Internet-Drafts are working documents of the Internet Engineering
34	   Task Force (IETF).  Note that other groups may also distribute
35	   working documents as Internet-Drafts.  The list of current Internet-
36	   Drafts is at http://datatracker.ietf.org/drafts/current/.

38	   Internet-Drafts are draft documents valid for a maximum of six months
39	   and may be updated, replaced, or obsoleted by other documents at any
40	   time.  It is inappropriate to use Internet-Drafts as reference
41	   material or to cite them other than as "work in progress."

43	   This Internet-Draft will expire on August 21, 2015.

45	Copyright Notice

47	   Copyright (c) 2015 IETF Trust and the persons identified as the
48	   document authors.  All rights reserved.

50	   This document is subject to BCP 78 and the IETF Trust's Legal
51	   Provisions Relating to IETF Documents
52	   (http://trustee.ietf.org/license-info) in effect on the date of
53	   publication of this document.  Please review these documents
54	   carefully, as they describe your rights and restrictions with respect
55	   to this document.  Code Components extracted from this document must
56	   include Simplified BSD License text as described in Section 4.e of
57	   the Trust Legal Provisions and are provided without warranty as
58	   described in the Simplified BSD License.

60	Table of Contents

62	   1.  The SNMP Management Framework . . . . . . . . . . . . . . . .   3
63	   2.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
64	   3.  Overview  . . . . . . . . . . . . . . . . . . . . . . . . . .   5
65	     3.1.  Content Provided by the NATV2-MIB Module  . . . . . . . .   5
66	       3.1.1.  Configuration Data  . . . . . . . . . . . . . . . . .   5
67	       3.1.2.  Notifications . . . . . . . . . . . . . . . . . . . .   6
68	       3.1.3.  State Information . . . . . . . . . . . . . . . . . .   9
69	       3.1.4.  Statistics  . . . . . . . . . . . . . . . . . . . . .   9
70	     3.2.  Outline of MIB Module Organization  . . . . . . . . . . .  11
71	     3.3.  Detailed MIB Module Walk-Through  . . . . . . . . . . . .  13
72	       3.3.1.  Textual Conventions . . . . . . . . . . . . . . . . .  13
73	       3.3.2.  Notifications . . . . . . . . . . . . . . . . . . . .  13
74	       3.3.3.  The Subscriber Table: natv2SubscriberTable  . . . . .  13
75	       3.3.4.  The Instance Table: natv2InstanceTable  . . . . . . .  14
76	       3.3.5.  The Protocol Table: natv2ProtocolTable  . . . . . . .  15
77	       3.3.6.  The Address Pool Table: natv2PoolTable  . . . . . . .  15
78	       3.3.7.  The Address Pool Address Range Table:
79	               natv2PoolRangeTable . . . . . . . . . . . . . . . . .  16
80	       3.3.8.  The Address Map Table: natv2AddressMapTable . . . . .  16
81	       3.3.9.  The Port Map Table: natv2PortMapTable . . . . . . . .  17
82	     3.4.  Conformance: Three Application Scenarios  . . . . . . . .  17
83	   4.  Definitions . . . . . . . . . . . . . . . . . . . . . . . . .  18
84	   5.  Operational and Management Considerations . . . . . . . . . .  74
85	     5.1.  Configuration Requirements  . . . . . . . . . . . . . . .  74
86	     5.2.  Transition From and Coexistence With NAT-MIB  [RFC 4008]   76
87	   6.  Security Considerations . . . . . . . . . . . . . . . . . . .  78
88	   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  80
89	   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  81
90	     8.1.  Normative References  . . . . . . . . . . . . . . . . . .  81
91	     8.2.  Informative References  . . . . . . . . . . . . . . . . .  82
92	   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  82

94	1.  The SNMP Management Framework

96	   For a detailed overview of the documents that describe the current
97	   Internet-Standard Management Framework, please refer to section 7 of
98	   RFC 3410 [RFC3410].

100	   Managed objects are accessed via a virtual information store, termed
101	   the Management Information Base or MIB.  MIB objects are generally
102	   accessed through the Simple Network Management Protocol (SNMP).
103	   Objects in the MIB are defined using the mechanisms defined in the
104	   Structure of Management Information (SMI).  This memo specifies a MIB
105	   module that is compliant to the SMIv2, which is described in STD 58,
106	   [RFC2578], [RFC2579] and [RFC2580].

108	2.  Introduction

110	   Note to RFC Ed.: please replace RFC yyyy with actual RFC number
111	   throughout this document and remove this note.

113	   This memo defines a portion of the Management Information Base (MIB)
114	   for devices implementing NAT functions.  This MIB module, NATV2-MIB,
115	   may be used for monitoring of such devices.  NATV2-MIB supersedes
116	   NAT-MIB [RFC4008], which did not fit well with existing NAT
117	   implementations, and hence was not itself much implemented.
118	   [I-D.perrault-behave-deprecate-nat-mib-v1] provides a detailed
119	   analysis of the deficiencies of NAT-MIB.

121	   Relative to [RFC4008] and based on the analysis just mentioned, the
122	   present document introduces the following changes:

124	   o  removed all writable configuration except that related to control
125	      of the generation of notifications and the setting of quotas on
126	      the use of NAT resources;

128	   o  minimized the read-only exposure of configuration to what is
129	      needed to provide context for the state and statistical
130	      information presented by the MIB module;

132	   o  removed the association between mapping and interfaces, retaining
133	      only the mapping aspect;

135	   o  replaced references to NAT types with references to NAT behaviors
136	      as specified in [RFC4787];

138	   o  replaced a module-specific enumeration of protocols with the
139	      standard protocol numbers provided by the IANA Assigned Internet
140	      Protocol Numbers registry.

142	   This MIB module adds the following features not present in [RFC4008]:

144	   o  additional writable protective limits on NAT state data;

146	   o  additional objects to report state, statistics, and notifications;

148	   o  support for the carrier grade NAT (CGN) application, including
149	      subscriber-awareness, support for an arbitrary number of address
150	      realms, and support for multiple NAT instances running on a single
151	      device;

153	   o  expanded support for address pools;

155	   o  revised indexing of port map entries to simplify traceback from
156	      externally observable packet parameters to the corresponding
157	      internal endpoint.

159	   These features are described in more detail below.

161	   The remainder of this document is organized as follows:

163	   o  Section 3 provides a verbal description of the content and
164	      organization of the MIB module.

166	   o  Section 4 provides the MIB module definition.

168	   o  Section 5 discusses operational and management issues relating to
169	      the deployment of NATV2-MIB.  One of these issues is NAT
170	      management when both NAT-MIB [RFC4008] and NATV2-MIB are deployed.

172	   o  Section 6 and Section 7 provide a security discussion and a
173	      request to IANA for allocation of an object identifier for the
174	      module in the mib-2 tree, respectively.

176	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
177	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
178	   "OPTIONAL" in this document are to be interpreted as described in
179	   [RFC2119].

181	   This document uses the following terminology:

183	   Upper layer protocol:  The protocol following the outer IP header of
184	      a packet.  This follows the terminology of [RFC2460], but as that
185	      document points out, "upper" is not necessarily a correct
186	      description of the protocol relationships (e.g., where IP is
187	      encapsulated in IP).  The abbreviated term "protocol" will often
188	      be used where it is unambiguous.

190	   Trigger:  With respect to notifications, the logical recognition of
191	      the event that the notification is intended to report.

193	   Report:  The actual production of a notification message.  Reporting
194	      can happen later than triggering, or may never happen for a given
195	      notification instance, because of the operation of notification
196	      rate controls.

198	   Address realm:  A network domain in which the network addresses are
199	      uniquely assigned to entities such that datagrams can be routed to
200	      them.  (Definition taken from [RFC2663] Section 2.1.)  The
201	      abbreviated term "realm" will often be used.

203	3.  Overview

205	   This section provides a prose description of the contents and
206	   organization of the NATV2-MIB module.

208	3.1.  Content Provided by the NATV2-MIB Module

210	   The content provided by the NATV2-MIB module can be classed under
211	   four headings: configuration data, notifications, state information,
212	   and statistics.

214	3.1.1.  Configuration Data

216	   As mentioned above, the intent in designing the NATV2-MIB module was
217	   to minimize the amount of configuration data presented to that needed
218	   to give a context for interpreting the other types of information
219	   provided.  Detailed descriptions of the configuration data are
220	   included with the descriptions of the individual tables.  In general,
221	   that data is limited to what is needed for indexing and cross-
222	   referencing between tables.  The two exceptions are the objects
223	   describing NAT instance behavior in the NAT instance table, and the
224	   detailed enumeration of resources allocated to each address pool in
225	   the pool table and its extension.

227	   The NATV2-MIB module provides three sets of read-write objects,
228	   specifically related to other aspects of the module content.  The
229	   first set controls the rate at which specific notifications are
230	   generated.  The second set provides thresholds used to trigger the
231	   notifications.  These objects are listed in Section 3.1.2.

233	   A third set of read-write objects sets limits on resource consumption
234	   per NAT instance and per subscriber.  When these limits are reached,
235	   packets requiring further consumption of the given resource are
236	   dropped rather than translated.  Statistics described in
237	   Section 3.1.4 record the numbers of packets so dropped.  Limits are
238	   provided for:

240	   o  total number of address map entries over the NAT instance.  Limit
241	      is set by object natv2InstanceLimitAddressMapEntries in table
242	      natv2InstanceTable.  Dropped packets are counted in
243	      natv2InstanceAddressMapEntryLimitDrops in that table.

245	   o  total number of port map entries over the NAT instance.  Limit is
246	      set by object natv2InstanceLimitPortMapEntries in table
247	      natv2InstanceTable.  Dropped packets are counted in
248	      natv2InstancePortMapEntryLimitDrops in that table.

250	   o  total number of held fragments (applicable only when the NAT
251	      instance can receive fragments out of order; see [RFC4787]
252	      Section 11).  Limit is set by object
253	      natv2InstanceLimitPendingFragments in table natv2InstanceTable.
254	      Dropped packets are counted by natv2InstanceFragmentDrops in the
255	      same table.

257	   o  total number of active subscribers (i.e., subscribers having at
258	      least one mapping table entry) over the NAT instance.  Limit is
259	      set by object natv2InstanceLimitSubscriberActives in table
260	      natv2InstanceTable.  Dropped packets are counted by
261	      natv2InstanceSubscriberActiveLimitDrops in the same table.

263	   o  number of port map entries for an individual subscriber.  Limit is
264	      set by object natv2SubscriberLimitPortMapEntries in table
265	      natv2SubscriberTable.  Dropped packets are counted by
266	      natv2SubscriberPortMapFailureDrops in the same table.  Note that,
267	      unlike in the instance table, the per-subscriber count is lumped
268	      in with the count of packets dropped because of failures to
269	      allocate a port map entry for other reasons to save on storage.

271	3.1.2.  Notifications

273	   NATV2-MIB provides five notifications, intended to provide warning of
274	   the need to provision or reallocate NAT resources.  As indicated in
275	   the previous section, each notification is associated with two read-
276	   write objects: a control on the rate at which that notification is
277	   generated, and a threshold value used to trigger the notification in
278	   the first place.  The default setting within the MIB module
279	   specification is that all notifications are disabled.  The setting of
280	   threshold values is discussed in Section 5.

282	   The five notifications are as follows:

284	   o  Two notifications relate to the management of address pools.  One
285	      indicates that usage equals or exceeds an upper threshold, and is
286	      therefore a warning that the pool may be over-utilized unless more
287	      addresses are assigned to it.  The other notification indicates
288	      that usage equals or has fallen below a lower threshold,
289	      suggesting that some addresses allocated to that pool could be
290	      reallocated to other pools.  Address pool usage is calculated as
291	      the percentage of the total number of ports allocated to the
292	      address pool that are already in use, for the most-mapped protocol
293	      at the time the notification is generated.  The notifications
294	      identify that protocol and report the number of port map entries
295	      for that protocol in the given address pool at the moment the
296	      notification was triggered.

298	   o  Two notifications relate to the number of address and port map
299	      entries respectively, in total over the whole NAT instance.  In
300	      both cases the threshold that triggers the notification is an
301	      upper threshold.  The notifications return the number of mapping
302	      entries of the given type, plus a cumulative counter of the number
303	      of entries created in that mapping table at the moment the
304	      notification was triggered.  The intent is that the notifications
305	      provide a warning that the total number of address or port map
306	      entries is approaching the configured limit.

308	   o  The final notification is generated on a per-subscriber basis when
309	      the number of port map entries for that subscriber crosses the
310	      associated threshold.  The objects returned by this notification
311	      are similar to those returned for the instance-level mapping
312	      notifications.  This notification is a warning that the number of
313	      port map entries for the subscriber is approaching the configured
314	      limit for that subscriber.

316	   Here is a detailed specification of the notifications.  A given
317	   notification can be disabled by setting the threshold to 0 (default),
318	   with the exception noted below.

320	   Notification: natv2NotificationPoolUsageLow.  Indicates that address
321	   pool usage for the most-mapped protocol equals or is less than the
322	   threshold value.

324	   Compared value:  natv2PoolNotifiedPortMapEntries as a percentage of
325	      total available ports in the pool.

327	   Threshold:  natv2PoolThresholdUsageLow in natv2PoolTable.  To allow
328	      for a threshold of zero usage, disabling of the
329	      natv2NotificationPoolUsageLow is done by setting
330	      natv2PoolThresholdUsageLow to -1 rather than 0, in contrast to all
331	      of the other notifications.

333	   Objects returned:  natv2PoolNotifiedPortMapEntries and
334	      natv2PoolNotifiedPortMapProtocol in natv2PoolTable;

336	   Rate control:  natv2PoolNotificationInterval in
337	      natv2PoolTable (default 20 seconds between notifications for a
338	      given address pool).

340	   Notification: natv2NotificationPoolUsageHigh.  Indicates that address
341	   pool usage for the most-mapped protocol has risen to the threshold
342	   value or more.

344	   Compared value:  natv2PoolNotifiedPortMapEntries as a percentage of
345	      total available ports in the pool.

347	   Threshold:  natv2PoolThresholdUsageHigh in natv2PoolTable;

349	   Objects returned:  natv2PoolNotifiedPortMapEntries,
350	      natv2PoolNotifiedPortMapProtocol in natv2PoolTable;

352	   Rate control:  natv2PoolNotificationInterval in
353	      natv2PoolTable (default 20 seconds between notifications for a
354	      given address pool).

356	   Notification: natv2NotificationInstanceAddressMapEntriesHigh.
357	   Indicates that the total number of entries in the address map table
358	   over the whole NAT instance equals or exceeds the threshold value.

360	   Compared value:  natv2InstanceAddressMapEntries in
361	      natv2InstanceTable;

363	   Threshold:  natv2InstanceThresholdAddressMapEntriesHigh in
364	      natv2InstanceTable;

366	   Objects returned:  natv2InstanceAddressMapEntries,
367	      natv2InstanceAddressMapCreations in natv2InstanceTable;

369	   Rate control:  natv2InstanceNotificationInterval in
370	      natv2InstanceTable (default 10 seconds between notifications for a
371	      given NAT instance).

373	   Notification: natv2NotificationInstancePortMapEntriesHigh.  Indicates
374	   that the total number of entries in the port map table over the whole
375	   NAT instance equals or exceeds the threshold value.

377	   Compared value:  natv2InstancePortMapEntries in natv2InstanceTable;

379	   Threshold:  natv2InstanceThresholdPortMapEntriesHigh in
380	      natv2InstanceTable;

382	   Objects returned:  natv2InstancePortMapEntries,
383	      natv2InstancePortMapCreations in natv2InstanceTable;

385	   Rate control:  natv2InstanceNotificationInterval in
386	      natv2InstanceTable (default 10 seconds between notifications for a
387	      given NAT instance).

389	   Notification: natv2NotificationSubscriberPortMapEntriesHigh.
390	   Indicates that the total number of entries in the port map table for
391	   the given subscriber equals or exceeds the threshold value configured
392	   for that subscriber.

394	   Compared value:  natv2SubscriberPortMapEntries in
395	      natv2SubscriberTable;

397	   Threshold:  natv2SubscriberThresholdPortMapEntriesHigh in
398	      natv2SubscriberTable;

400	   Objects returned:  natv2SubscriberPortMapEntries,
401	      natv2SubscriberPortMapCreations in natv2SubscriberTable;

403	   Rate control:  natv2SubscriberNotificationInterval in
404	      natv2SubscriberTable (default 60 seconds between notifications for
405	      a given subscriber).

407	3.1.3.  State Information

409	   State information provides a snapshot of the content and extent of
410	   the NAT mapping tables at a given moment of time.  The address and
411	   port mapping tables are described in detail below.  In addition to
412	   these tables, two state variables are provided: current number of
413	   entries in the address mapping table, and current number of entries
414	   in the port mapping table.  With one exception, these are provided at
415	   four levels of granularity: per NAT instance, per protocol, per
416	   address pool, and per subscriber.  Address map entries are not
417	   tracked per protocol, since address mapping is protocol-independent.

419	3.1.4.  Statistics

421	   NATV2-MIB provides a number of counters, intended to help both with
422	   provisioning of the NAT and debugging of problems.  As with the state
423	   data, these counters are provided at the four levels of NAT instance,
424	   protocol, address pool, and subscriber when they make sense.  Each
425	   counter is cumulative beginning from a "last discontuity time"
426	   recorded by an object that is usually in the table containing the
427	   counter.

429	   The basic set of counters, as reflected in the NAT instance table, is
430	   as follows:

432	   Translations:  number of packets processed and translated (in this
433	      case, in total for the NAT instance);

435	   Address map entry creations:  cumulative number of address map
436	      entries created, including static mappings;

438	   Port map entry creations:  cumulative number of port map entries
439	      created, including static mappings;

441	   Address map limit drops:  cumulative number of packets dropped rather
442	      than translated because the packet would have triggered the
443	      creation of a new address mapping, but the configured limit on
444	      number of address map entries has already been reached.

446	   Port map limit drops:  cumulative number of packets dropped rather
447	      than translated because the packet would have triggered the
448	      creation of a new port mapping, but the configured limit on number
449	      of port map entries has already been reached.

451	   Active subscriber limit drops:  cumulative number of packets dropped
452	      rather than translated because the packet would have triggered the
453	      creation of a new address and/or port mapping for a subscriber
454	      with no existing entries in either table, but the configured limit
455	      on number of active subscribers has already been reached.

457	   Address mapping failure drops:  cumulative number of packets dropped
458	      because the packet would have triggered the creation of a new
459	      address mapping, but no address could be allocated in the external
460	      realm concerned because all addresses from the selected address
461	      pool (or the whole realm, if no address pool has been configured
462	      for that realm) have already been fully allocated.

464	   Port mapping failure drops:  cumulative number of packets dropped
465	      because the packet would have triggered the creation of a new port
466	      mapping, but no port could be allocated for the protocol
467	      concerned.  The precise conditions under which these packet drops
468	      occur depend on the pooling behavior [RFC4787] configured or
469	      implemented in the NAT instance.  See the DESCRIPTION clause for
470	      the natv2InstancePortMapFailureDrops object for a detailed
471	      description of the different cases.  These cases were defined with
472	      care to ensure that address mapping failure could be distinguished
473	      from port mapping failure.

475	   Fragment drops:  cumulative number of packets dropped because the
476	      packet contains a fragment and the fragment behavior [RFC4787]
477	      configured or implemented in the NAT instance indicates that the
478	      packet should be dropped.  The main case is a NAT instance that
479	      meets REQ-14 of [RFC4787], hence can receive and process out-of-
480	      order fragments.  In that case, dropping occurs only when the
481	      configured limit on pending fragments provided by NATV2-MIB has
482	      already been reached.  The other cases are detailed in the
483	      DESCRIPTION clause of the natv2InstanceFragmentBehavior object.

485	   Other resource drops:  cumulative number of packets dropped because
486	      of unavailability of some other resource.  The most likely case
487	      would be packets where the upper layer protocol is not one
488	      supported by the NAT instance.

490	   Table 1 indicates the granularities at which these statistics are
491	   reported.

493	   +-----------------------+------------+----------+------+------------+
494	   | Statistic             |    NAT     | Protocol | Pool | Subscriber |
495	   |                       |  Instance  |          |      |            |
496	   +-----------------------+------------+----------+------+------------+
497	   | Translations          |    Yes     |   Yes    |  No  |    Yes     |
498	   | Address map entry     |    Yes     |    No    | Yes  |    Yes     |
499	   | creations             |            |          |      |            |
500	   | Port map entry        |    Yes     |   Yes    | Yes  |    Yes     |
501	   | creations             |            |          |      |            |
502	   | Address map limit     |    Yes     |    No    |  No  |     No     |
503	   | drops                 |            |          |      |            |
504	   | Port map limit drops  |    Yes     |    No    |  No  |    Yes     |
505	   | Active subscriber     |    Yes     |    No    |  No  |     No     |
506	   | limit drops           |            |          |      |            |
507	   | Address mapping       |    Yes     |    No    | Yes  |    Yes     |
508	   | failure drops         |            |          |      |            |
509	   | Port mapping failure  |    Yes     |   Yes    | Yes  |    Yes     |
510	   | drops                 |            |          |      |            |
511	   | Fragment drops        |    Yes     |    No    |  No  |     No     |
512	   | Other resource drops  |    Yes     |    No    |  No  |     No     |
513	   +-----------------------+------------+----------+------+------------+

515	           Table 1: Statistics Provided By Level of Granularity

517	3.2.  Outline of MIB Module Organization

519	   Figure 1 shows how object identifiers are organized in the NATV2-MIB
520	   module.  Under the general natv2MIB object identifier in the mib-2
521	   tree, the objects are classed into four groups:

523	   natv2MIBNotifications(0)  identifies the five notifications described
524	      in Section 3.1.2;

526	   natv2MIBDeviceObjects(1)  identifies objects relating to the whole
527	      device, specifically, the subscriber table.

529	   natv2MIBInstanceObjects(2)  identifies objects relating to individual
530	      NAT instances.  These include the NAT instance table, the protocol
531	      table, the address pool table and its address range expansion, the
532	      address map table, and the port map table.

534	   natv2MIBConformance(3)  identifies the group and compliance clauses,
535	      specified for the three application scenarios described in
536	      Section 3.4.

538	                              natv2MIB
539	                                  |
540	              +-------------+-------------+-------------+
541	              |             |             |             |
542	                            |             |             |
543	              0             |             |             |
544	    natv2MIBNotifications   |             |             |
545	       |                                  |             |
546	       |                    1             |             |
547	       |          natv2MIBDeviceObjects   |             |
548	      Five            |                                 |
549	   notifications      |                   2             |
550	                      |         natv2MIBInstanceObjects |
551	                      |             |
552	                  Subscriber        |                   3
553	                  table             |         natv2MIBConformance
554	                                    |                   |
555	                                    |                   |
556	                                Six per-NAT-            |
557	                                instance tables         |
558	                                                        |
559	                          +----------------------+-------
560	                          |                      |
561	                          |                      |

563	                          1                      2
564	                 natv2MIBCompliances       natv2MIBGroups
565	                          |                      |
566	                          |                      |
567	                        Basic                  Basic
568	                        Pooled                 Pooled
569	                   Carrier grade NAT     Carrier grade NAT

571	        Figure 1: Organization of Object Identifiers For NATV2-MIB

573	3.3.  Detailed MIB Module Walk-Through

575	   This section reviews the contents of the NATV2-MIB module.  The table
576	   descriptions include references to subsections of Section 3.1 where
577	   desirable to avoid repetition of that information.

579	3.3.1.  Textual Conventions

581	   The module defines four key textual conventions: ProtocolNumber,
582	   Natv2SubscriberIndex, Natv2InstanceIndex, and Natv2PoolIndex.
583	   ProtocolNumber is based on the IANA registry of protocol numbers,
584	   hence is potentially reusable by other MIB modules.

586	   Objects of type Natv2SubscriberIndex identify individual subscribers
587	   served by the the NAT device.  The values of these identifiers are
588	   administered and, in intent, are permanently associated with their
589	   respective subscribers.  Reuse of a value after a subscriber has been
590	   deleted is discouraged.  The scope of the subscriber index was
591	   defined to be at device rather than NAT instance level to make it
592	   easier to shift subscribers between instances (e.g., for load
593	   balancing).

595	   Objects of type Natv2InstanceIndex identify specific NAT instances on
596	   the device.  Again, these are administered values intended to be
597	   permanently associated with the NAT instances to which they have been
598	   assigned.

600	   Objects of type Natv2PoolIndex identify individual address pools in a
601	   given NAT instance.  As with the subscriber and instance index
602	   objects, the pool identifiers are administered and intended to be
603	   permanently associated with their respective pools.

605	3.3.2.  Notifications

607	   Notifications were described in Section 3.1.2.

609	3.3.3.  The Subscriber Table: natv2SubscriberTable

611	   Table natv2SubscriberTable is indexed by subscriber index.  One
612	   conceptual row contains information relating to a specific
613	   subscriber: the subscriber's internal address or prefix for
614	   correlation with other management information; state and statistical
615	   information as described in Section 3.1.3 and Section 3.1.4, the per-
616	   subscriber control objects described in Section 3.1.1, and
617	   natv2SubscriberDiscontinuityTime, which provides a timestamp of the
618	   latest time following which the statistics have accumulated without
619	   discontinuity.

621	   Turning back to the address information for a moment: this
622	   information includes the identity of the address realm in which the
623	   address is routable.  That enables support of an arbitrary number of
624	   address realms on the same NAT instance.  Address realm identifiers
625	   are administered values in the form of a limited-length
626	   SnmpAdminString.  In the absence of configuration to the contrary,
627	   the default realm for all internal addresses as recorded in mapping
628	   entries is "internal".

630	      The term "address realm" is defined in [RFC2663] Section 2.1 and
631	      reused in subsequent NAT-related documents.

633	   In the special case of DS-Lite [RFC6333], for unique matching of the
634	   subscriber data to other information in the MIB module, it is
635	   necessary that the address information should relate to the outer
636	   IPv6 header of packets going to or from the host, with the address
637	   realm being the one in which that IPv6 address is routable.  The
638	   presentation of address information for other types of tunneled
639	   access to the NAT is out of scope.

641	3.3.4.  The Instance Table: natv2InstanceTable

643	   Table natv2InstanceTable is indexed by an object of type
644	   Natv2InstanceIndex.  A conceptual row of this table provides
645	   information relating to a particular NAT instance configured on the
646	   device.

648	   Configuration information provided by this table includes an instance
649	   name of type DisplayString that may have been configured for this
650	   instance, and a set of objects indicating respectively the port
651	   mapping, filtering, pooling, and fragment behaviors configured or
652	   implemented in the instance.  These behaviors are all defined in
653	   [RFC4787].  Their values affect the interpretation of some of the
654	   statistics provided in the instance table.

656	   Read-write objects listed in Section 3.1.2 set the notification rate
657	   for instance-level notifications and set the thresholds that trigger
658	   them.  Additional read-write objects described in Section 3.1.1 set
659	   limits on the number of address and port mapping entries, number of
660	   pending fragments, and number of active subscribers for the instance.

662	   The state and statistical information provided by this table consists
663	   of the per-instance items described in Section 3.1.3 and
664	   Section 3.1.4 respectively. natv2InstanceDiscontinuityTime is a
665	   timestamp giving the time beyond which all of the statistical
666	   counters in natv2InstanceTable are guaranteed to have accumulated
667	   continuously.

669	3.3.5.  The Protocol Table: natv2ProtocolTable

671	   The protocol table is indexed by the NAT instance number and an
672	   object of type ProtocolNumber as described in Section 3.3.1 (i.e., an
673	   IANA-registered protocol number).  The set of protocols supported by
674	   the NAT instance is implementation-dependent, but MUST include
675	   ICMP(1), TCP(6), UDP(17), and ICMPv6(58).  Depending on the
676	   application, it SHOULD include IPv4 encapsulation(4), IPv6
677	   encapsulation(41), IPSec AH(51), and SCTP(132).  Support of PIM(103)
678	   is highly desirable.

680	   This table includes no configuration information.  The state and
681	   statistical information provided by this table consists of the per-
682	   protocol items described in Section 3.1.3 and Section 3.1.4
683	   respectively. natv2InstanceDiscontinuityTime in natv2InstanceTable is
684	   reused as the timestamp giving the time beyond which all of the
685	   statistical counters in natv2ProtocolTable are guaranteed to have
686	   accumulated continuously.  The reasoning is that any event affecting
687	   the continuity of per-protocol statistics will affect the continuity
688	   of NAT instance statistics, and vice versa.

690	3.3.6.  The Address Pool Table: natv2PoolTable

692	   The address pool table is indexed by the NAT instance identifier for
693	   the instance on which it is provisioned, plus a pool index of type
694	   Natv2PoolIndex.  Configuration information provided includes the
695	   address realm for which the pool provides addresses, the type of
696	   address (IPv4 or IPv6) supported by the realm, plus the port range it
697	   makes available for allocation.  The same set of port numbers (or, in
698	   the ICMP case, identifier values), is made available for every
699	   protocol supported by the NAT instance.  The port range is specified
700	   in terms of minimum and maximum port number.

702	   The state and statistical information provided by this table consists
703	   of the per-pool items described in Section 3.1.3 and Section 3.1.4
704	   respectively, plus two additional state objects described below.
705	   natv2PoolTable provides the pool-specific object
706	   natv2PoolDiscontinuityTime to indicate the time since which the
707	   statistical counters have accumulated continuously.

709	   Read-write objects to set high and low thresholds for pool usage
710	   notifications and for governing notification rate were identified in
711	   Section 3.1.2.  The default interval between notifications for a
712	   given address pool is set to 20 seconds.

714	      Implementation note: the thresholds are defined in terms of
715	      percentage of available port utilization.  The number of available
716	      ports in a pool is equal to (max port - min port + 1) (from the
717	      natv2PoolTable configuration information) multiplied by the number
718	      of addresses provisioned in the pool (sum of number of addresses
719	      provided by each natv2PoolRangeTable conceptual row relating to
720	      that pool).  At configuration time, the thresholds can be
721	      recalculated in terms of total number of port map entries
722	      corresponding to the configured percentage, so that runtime
723	      comparisons to the current number of port map entries require no
724	      further arithmetic operations.

726	   natv2PoolTable also provides two state objects that are returned with
727	   the notifications.  natv2PoolNotifiedPortMapProtocol identifies the
728	   most-mapped protocol at the time the notification was triggered.
729	   natv2PoolNotifiedPortMapEntries provides the total number of port map
730	   entries for that protocol using addresses owned by this pool at that
731	   same time.

733	3.3.7.  The Address Pool Address Range Table: natv2PoolRangeTable

735	   natv2PoolRangeTable provides configuration information only.  It is
736	   an expansion of natv2PoolTable giving the address ranges with which a
737	   given address pool has been configured.  As such, it is indexed by
738	   the combination of NAT instance index, address pool index, and a
739	   conceptual row index, where each conceptual row conveys a different
740	   address range.  The address range is specified in terms of lowest
741	   address, highest address rather than the usual prefix notation to
742	   provide maximum flexibility.

744	3.3.8.  The Address Map Table: natv2AddressMapTable

746	   The address map table provides a table of mappings from internal to
747	   external address at a given moment.  It is indexed by the combination
748	   of NAT instance index, internal realm, internal address type (IPv4 or
749	   IPv6) in that realm, the internal address of the local host for which
750	   the map entry was created, and a conceptual row index to traverse all
751	   of the entries relating to the same internal address.

753	   In the special case of DS-Lite [RFC6333], the internal address and
754	   realm used in the index are those of the IPv6 outer header.  The IPv4
755	   source address for the inner header, for which [RFC6333] has reserved
756	   addresses in the 192.0.0.0/29 range, is captured in two additional
757	   objects in the corresponding conceptual row:
758	   natv2AddressMapInternalMappedAddressType, and
759	   natv2AddressMapInternalMappedAddress.  In cases other than DS-Lite
760	   access these objects have no meaning.  (Other tunneled access is out
761	   of scope.)

763	   The additional information provided by natv2AddressMapTable consists
764	   of the external realm, address type in that realm, and mapped
765	   external address.  Depending on implementation support, the table
766	   also provides the index of the address pool from which the external
767	   address was drawn and the index of the subscriber to which the map
768	   entry belongs.

770	3.3.9.  The Port Map Table: natv2PortMapTable

772	   The port map table provides a table of mappings by protocol from
773	   external port, address, and realm to internal port, address, and
774	   realm.  As such, it is indexed by the combination of NAT instance
775	   index, protocol number, external realm identifier, address type in
776	   that realm, external address, and external port.  The mapping from
777	   external realm, address, and port to internal realm, address, and
778	   port is unique, so no conceptual row index is needed.  The indexing
779	   is designed to make it easy to trace individual sessions back to the
780	   host, based on the contents of packets observed in the external
781	   realm.

783	   Beyond the indexing, the information provided by the port map table
784	   consists of the internal realm, address type, address, and port
785	   number, and, depending on implementation support, the index of the
786	   subscriber to which the map entry belongs.

788	   As with the address map table, special provision is made for the case
789	   of DS-Lite [RFC6333].  The realm and outgoing source address are
790	   those for the outer header, and the address type is IPv6.  Additional
791	   objects natv2PortMapInternalMappedAddressType and
792	   natv2PortMapInternalMappedAddress capture the outgoing source address
793	   in the inner header, which will be in the well-known 192.0.0.0/29
794	   range.

796	3.4.  Conformance: Three Application Scenarios

798	   The conformance statements in NATV2-MIB provide for three application
799	   scenarios: basic NAT, NAT supporting address pools, and carrier grade
800	   NAT (CGN).

802	   A basic NAT MAY limit the number of NAT instances it supports to one,
803	   but MUST support indexing by NAT instance.  Similarly, a basic NAT
804	   MAY limit the number of realms it supports to two.  By definition, a
805	   basic NAT is not required to support the subscriber table, the
806	   address pool table, or the address pool address range table.  Some
807	   individual objects in other tables are also not relevant to basic
808	   NAT.

810	   A NAT supporting address pools adds the address pool table and the
811	   address pool address range table to what it implements.  Some
812	   individual objects in other tables also need to be implemented.  A
813	   NAT supporting address pools MUST support more than two realms.

815	   Finally, a CGN MUST support the full contents of the MIB module.
816	   That includes the subscriber table, but also includes the special
817	   provision for DS-Lite access in the address and port map tables.

819	4.  Definitions

821	   This MIB module IMPORTs objects from [RFC2578], [RFC2579], [RFC2580],
822	   [RFC3411], and [RFC4001].

824	   NATV2-MIB DEFINITIONS ::= BEGIN

826	   IMPORTS
827	        MODULE-IDENTITY,
828	        OBJECT-TYPE,
829	        Integer32,
830	        Unsigned32,
831	        Counter64,
832	        mib-2,
833	        NOTIFICATION-TYPE
834	                FROM SNMPv2-SMI          -- RFC 2578
835	        TEXTUAL-CONVENTION,
836	        DisplayString,
837	        TimeStamp
838	                FROM SNMPv2-TC           -- RFC 2579
839	        MODULE-COMPLIANCE,
840	        NOTIFICATION-GROUP,
841	        OBJECT-GROUP
842	                FROM SNMPv2-CONF         -- RFC 2580
843	        SnmpAdminString
844	                FROM SNMP-FRAMEWORK-MIB  -- RFC 3411
845	        InetAddressType,
846	        InetAddress,
847	        InetAddressPrefixLength,
848	        InetPortNumber
849	                FROM INET-ADDRESS-MIB;    -- RFC 4001

851	   natv2MIB MODULE-IDENTITY
852	        LAST-UPDATED "201502170000Z"
853	   -- RFC Ed.: set to publication date
854	        ORGANIZATION
855	                "IETF Behavior Engineering for Hindrance Avoidance
856	                 (BEHAVE) Working Group"
857	        CONTACT-INFO
858	                "Working Group Email: behave@ietf.org
859	                 Simon Perreault
860	                 Jive Communications
861	                 Quebec, QC
862	                 Canada

864	                 Email: sperreault@jive.com

866	                 Tina Tsou
867	                 Huawei Technologies
868	                 Bantian, Longgang
869	                 Shenzhen 518129
870	                 PR China

872	                 Email: tina.tsou.zouting@huawei.com

874	                 Senthil Sivakumar
875	                 Cisco Systems
876	                 7100-8 Kit Creek Road
877	                 Research Triangle Park, North Carolina  27709
878	                 USA

880	                 Phone: +1 919 392 5158
881	                 Email: ssenthil@cisco.com

883	                 Tom Taylor
884	                 PT Taylor Consulting
885	                 Ottawa
886	                 Canada

888	                 Email: tom.taylor.stds@gmail.com"

890	        DESCRIPTION
891	                "This MIB module defines the generic managed objects
892	                 for NAT.

894	                 Copyright (C) The Internet Society (2015).  This
895	                 version of this MIB module is part of RFC yyyy; see
896	                 the RFC itself for full legal notices."
897	        REVISION     "201502170000Z"
898	   -- RFC Ed.: set to publication date
899	        DESCRIPTION
900	                "Complete rewrite, published as RFC yyyy.
901	                 Replaces former version published as RFC 4008."
902	   -- RFC Ed.: replace yyyy with actual RFC number and set date"
903	        ::= { mib-2 123 }
904	          -- temporary for compilation pending IANA assignment

906	   -- textual conventions

908	   ProtocolNumber ::= TEXTUAL-CONVENTION
909	       DISPLAY-HINT "d"
910	       STATUS current
911	       DESCRIPTION
912	           "A protocol number, from the 'protocol-numbers' IANA
913	            registry."
914	       REFERENCE
915	           "IANA Protocol Numbers,
916	            http://www.iana.org/assignments/protocol-numbers/protocol-
917	            numbers.xhtml#protocol-numbers-1"
918	       SYNTAX Unsigned32 (0..255)

920	   Natv2SubscriberIndex ::= TEXTUAL-CONVENTION
921	       DISPLAY-HINT "d"
922	       STATUS current
923	       DESCRIPTION
924	           "A unique value, greater than zero, for each subscriber
925	            in the managed system.  The value for each
926	            subscriber MUST remain constant at least from one
927	            update of the entity's natv2SubscriberDiscontinuityTime
928	            object until the next update of that object. If a
929	            subscriber is deleted, its assigned index value MUST NOT
930	            be assigned to another subscriber at least until
931	            reinitialization of the entity's management system."
932	       SYNTAX Unsigned32 (1..4294967295)

934	   Natv2SubscriberIndexOrZero ::= TEXTUAL-CONVENTION
935	       DISPLAY-HINT "d"
936	       STATUS current
937	       DESCRIPTION
938	           "This textual convention is an extension of the
939	            Natv2SubscriberIndex convention.  The latter defines a
940	            greater than zero value used to identify a subscriber in
941	            the managed system. This extension permits the additional
942	            value of zero, which serves as a placeholder when no
943	            subscriber is associated with the object."
944	       SYNTAX Unsigned32 (0|1..4294967295)

946	   Natv2InstanceIndex ::= TEXTUAL-CONVENTION
947	       DISPLAY-HINT "d"
948	       STATUS current
949	       DESCRIPTION
950	           "A unique value, greater than zero, for each NAT instance
951	            in the managed system.  It is RECOMMENDED that values are
952	            assigned contiguously starting from 1.  The value for each
953	            NAT instance MUST remain constant at least from one
954	            update of the entity's natv2InstanceDiscontinuityTime
955	            object until the next update of that object. If a NAT
956	            instance is deleted, its assigned index value MUST NOT
957	            be assigned to another NAT instance at least until
958	            reinitialization of the entity's management system."
959	       SYNTAX Unsigned32 (1..4294967295)

961	   Natv2PoolIndex ::= TEXTUAL-CONVENTION
962	       DISPLAY-HINT "d"
963	       STATUS current
964	       DESCRIPTION
965	          "A unique value over the containing NAT instance, greater than
966	           zero, for each address pool supported by that NAT instance.
967	           It is RECOMMENDED that values are assigned contiguously
968	           starting from 1.  The value for each address pool MUST remain
969	           constant at least from one update of the entity's
970	           natv2PoolDiscontinuityTime object until the next update of
971	           that object. If an address pool is deleted, its assigned
972	           index value MUST NOT be assigned to another address pool for
973	           the same NAT instance at least until reinitialization of the
974	           entity's management system."
975	       SYNTAX Unsigned32 (1..4294967295)

977	   Natv2PoolIndexOrZero ::= TEXTUAL-CONVENTION
978	       DISPLAY-HINT "d"
979	       STATUS current
980	       DESCRIPTION
981	           "This textual convention is an extension of the
982	            Natv2PoolIndex convention.  The latter defines a greater
983	            than zero value used to identify address pools in the
984	            managed system.  This extension permits the additional
985	            value of zero, which serves as a placeholder when the
986	            implementation does not support address pools or no address
987	            pool is configured in a given external realm."
988	       SYNTAX Unsigned32 (0|1..4294967295)

990	   -- notifications

992	   natv2MIBNotifications OBJECT IDENTIFIER ::= { natv2MIB 0 }

994	   natv2NotificationPoolUsageLow NOTIFICATION-TYPE
995	       OBJECTS { natv2PoolNotifiedPortMapEntries,
996	                 natv2PoolNotifiedPortMapProtocol  }
997	       STATUS current
998	       DESCRIPTION
999	           "This notification is triggered when an address pool's usage
1000	            becomes less than or equal to the value of the
1001	            natv2PoolThresholdUsageLow object for that pool, unless the
1002	            notification has been disabled by setting the value of the
1003	            threshold to -1. It is reported subject to the rate
1004	            limitation specified by natv2PortMapNotificationInterval.

1006	            Address pool usage is calculated as the percentage of the
1007	            total number of ports allocated to the address pool that are
1008	            already in use, for the most-mapped protocol at the time
1009	            the notification is triggered. The two returned objects are
1010	            members of natv2PoolTable indexed by the NAT instance and
1011	            pool indices for which the event is being reported. They
1012	            give the number of port map entries using external addresses
1013	            configured on the pool for the most-mapped protocol and
1014	            identify that protocol at the time the notification was
1015	            triggered."
1016	       REFERENCE
1017	           "RFC yyyy Section 3.1.2 and Section 3.3.6."
1018	       ::= { natv2MIBNotifications 1 }

1020	   natv2NotificationPoolUsageHigh NOTIFICATION-TYPE
1021	       OBJECTS { natv2PoolNotifiedPortMapEntries,
1022	                 natv2PoolNotifiedPortMapProtocol  }
1023	       STATUS current
1024	       DESCRIPTION
1025	           "This notification is triggered when an address pool's usage
1026	            becomes greater than or equal to the value of the
1027	            natv2PoolThresholdUsageHigh object for that pool, unless
1028	            the notification has been disabled by setting the value of
1029	            the threshold to 0. It is reported subject to the rate
1030	            limitation specified by natv2PortMapNotificationInterval.

1032	            Address pool usage is calculated as the percentage of the
1033	            total number of ports allocated to the address pool that are
1034	            already in use, for the most-mapped protocol at the time the
1035	            notification is triggered. The two returned objects are
1036	            members of natv2PoolTable indexed by the NAT instance and
1037	            pool indices for which the event is being reported. They
1038	            give the number of port map entries using external addresses
1039	            configured on the pool for the most-mapped protocol and
1040	            identify that protocol at the time the notification was
1041	            triggered."
1042	       REFERENCE
1043	           "RFC yyyy Section 3.1.2 and Section 3.3.6."
1044	       ::= { natv2MIBNotifications 2 }

1046	   natv2NotificationInstanceAddressMapEntriesHigh NOTIFICATION-TYPE
1047	       OBJECTS { natv2InstanceAddressMapEntries,
1048	                 natv2InstanceAddressMapCreations }

1050	       STATUS current
1051	       DESCRIPTION
1052	           "This notification is triggered when the value of
1053	            natv2InstanceAddressMapEntries equals or exceeds the value
1054	            of the natv2InstanceThresholdAddressMapEntriesHigh object
1055	            for the NAT instance, unless disabled by setting that
1056	            threshold to 0. Reporting is subject to the rate limitation
1057	            given by natv2InstanceNotificationInterval.

1059	            natv2InstanceAddressMapEntries and
1060	            natv2InstanceAddressMapCreations are members of table
1061	            natv2InstanceTable indexed by the identifier of the NAT
1062	            instance for which the event is being reported. The values
1063	            reported are those observed at the moment the notification
1064	            was triggered."
1065	       REFERENCE
1066	           "RFC yyyy Section 3.1.2."
1067	       ::= { natv2MIBNotifications 3 }

1069	   natv2NotificationInstancePortMapEntriesHigh NOTIFICATION-TYPE
1070	       OBJECTS { natv2InstancePortMapEntries,
1071	                 natv2InstancePortMapCreations }
1072	       STATUS current
1073	       DESCRIPTION
1074	           "This notification is triggered when the value of
1075	            natv2InstancePortMapEntries becomes greater than or equal to
1076	            the value of natv2InstanceThresholdPortMapEntriesHigh,
1077	            unless disabled by setting that threshold to 0. Reporting is
1078	            subject to the rate limitation given by
1079	            natv2InstanceNotificationInterval.

1081	            natv2InstancePortMapEntries and
1082	            natv2InstancePortMapCreations are members of table
1083	            natv2InstanceTable indexed by the identifier of the NAT
1084	            instance for which the event is being reported.  The values
1085	            reported are those observed at the moment the notification
1086	            was triggered."
1087	       ::= { natv2MIBNotifications 4 }

1089	   natv2NotificationSubscriberPortMappingEntriesHigh
1090	   NOTIFICATION-TYPE
1091	       OBJECTS { natv2SubscriberPortMapEntries,
1092	                 natv2SubscriberPortMapCreations }
1093	       STATUS current
1094	       DESCRIPTION
1095	           "This notification is triggered when the value of
1096	            natv2SubscriberPortMapEntries for an individual subscriber
1097	            becomes greater than or equal to the value of the
1098	            natv2SubscriberThresholdPortMapEntriesHigh object for that
1099	            subscriber, unless disabled by setting that threshold to 0.
1100	            Reporting is subject to the rate limitation given by
1101	            natv2SubscriberNotificationInterval.

1103	            natv2SubscriberPortMapEntries and
1104	            natv2SubscriberPortMapCreations are members of table
1105	            natv2SubscriberTable indexed by the subscriber for
1106	            which the event is being reported.  The values
1107	            reported are those observed at the moment the notification
1108	            was triggered."
1109	       ::= { natv2MIBNotifications 5 }

1111	   -- Device-level objects

1113	   natv2MIBDeviceObjects OBJECT IDENTIFIER ::= { natv2MIB 1 }

1115	   -- subscriber table

1117	   natv2SubscriberTable OBJECT-TYPE
1118	       SYNTAX SEQUENCE OF Natv2SubscriberEntry
1119	       MAX-ACCESS not-accessible
1120	       STATUS current
1121	       DESCRIPTION
1122	           "Table of subscribers. As well as the subscriber index, it
1123	            provides per-subscriber state and counter objects, a last
1124	            discontinuity time object for the counters, and writable
1125	            threshold value and limit on port consumption."
1126	       REFERENCE
1127	           "RFC yyyy Section 3.3.3."
1128	       ::= { natv2MIBDeviceObjects 1 }

1130	   natv2SubscriberEntry OBJECT-TYPE
1131	       SYNTAX Natv2SubscriberEntry
1132	       MAX-ACCESS not-accessible
1133	       STATUS current
1134	       DESCRIPTION
1135	           "Each entry describes a single subscriber."
1136	       INDEX { natv2SubscriberIndex }
1137	       ::= { natv2SubscriberTable 1 }

1139	   Natv2SubscriberEntry ::=
1140	       SEQUENCE {
1141	           natv2SubscriberIndex                  Natv2SubscriberIndex,
1142	           natv2SubscriberInternalRealm               SnmpAdminString,
1143	           natv2SubscriberInternalPrefixType          InetAddressType,
1144	           natv2SubscriberInternalPrefix              InetAddress,
1145	           natv2SubscriberInternalPrefixLength InetAddressPrefixLength,
1146	   -- State
1147	           natv2SubscriberAddressMapEntries           Unsigned32,
1148	           natv2SubscriberPortMapEntries              Unsigned32,
1149	   -- Counters and last discontinuity time
1150	           natv2SubscriberTranslations                Counter64,
1151	           natv2SubscriberAddressMapCreations         Counter64,
1152	           natv2SubscriberPortMapCreations            Counter64,
1153	           natv2SubscriberAddressMapFailureDrops      Counter64,
1154	           natv2SubscriberPortMapFailureDrops         Counter64,
1155	           natv2SubscriberDiscontinuityTime           TimeStamp,
1156	   -- Read-write controls
1157	           natv2SubscriberLimitPortMapEntries         Unsigned32,
1158	   -- Disable limit by setting to 0 (default)
1159	           natv2SubscriberThresholdPortMapEntriesHigh Unsigned32,
1160	   -- Disable notifications by setting threshold to 0 (default)
1161	           natv2SubscriberNotificationInterval        Unsigned32
1162	   -- Default is 60 seconds
1163	       }

1165	   natv2SubscriberIndex OBJECT-TYPE
1166	       SYNTAX Natv2SubscriberIndex
1167	       MAX-ACCESS not-accessible
1168	       STATUS current
1169	       DESCRIPTION
1170	           "A unique value, greater than zero, for each subscriber
1171	            in the managed system.  The value for each
1172	            subscriber MUST remain constant at least from one
1173	            update of the entity's natv2SubscriberDiscontinuityTime
1174	            object until the next update of that object. If a
1175	            subscriber is deleted, its assigned index value MUST NOT
1176	            be assigned to another subscriber at least until
1177	            reinitialization of the entity's management system."
1178	       ::= { natv2SubscriberEntry 1 }

1180	   -- Configuration for this subscriber: realm, internal address(es)

1182	   natv2SubscriberInternalRealm OBJECT-TYPE
1183	       SYNTAX SnmpAdminString (SIZE(0..32))
1184	       MAX-ACCESS read-only
1185	       STATUS current
1186	       DESCRIPTION
1187	           "The address realm to which this subscriber belongs. A realm
1188	            defines an address space. All NATs support at least two
1189	            realms.

1191	            The default realm for subscribers is 'internal'.
1192	            Administrators can set other values for individual
1193	            subscribers when they are configured. The administrator MAY
1194	            configure a new value of natv2SubscriberRealm at any time
1195	            subsequent to initial configuration of the subscriber. If
1196	            this happens, it MUST be treated as a point of discontinuity
1197	            requiring an update of natv2SubscriberDiscontinuityTime.

1199	            When the subscriber sends a packet to the NAT through a
1200	            DS-Lite [RFC 6333] tunnel, this is the realm of the outer
1201	            packet header source address. Other tunneled access is out
1202	            of scope."
1203	       REFERENCE
1204	            "Address realm: RFC 2663. DS-Lite: RFC 6333."
1205	       DEFVAL
1206	           { "internal" }
1207	       ::= { natv2SubscriberEntry 2 }

1209	   natv2SubscriberInternalPrefixType OBJECT-TYPE
1210	       SYNTAX InetAddressType
1211	       MAX-ACCESS read-only
1212	       STATUS current
1213	       DESCRIPTION
1214	           "Subscriber's internal prefix type. Any value other than
1215	            ipv4(1) or ipv6(2) would be unexpected. In the case of
1216	            DS-Lite access, this is the prefix type (IPv6(2)) used in
1217	            the outer packet header."
1218	       REFERENCE
1219	           "DS-Lite: RFC 6333."
1220	       ::= { natv2SubscriberEntry 3 }

1222	   natv2SubscriberInternalPrefix OBJECT-TYPE
1223	       SYNTAX InetAddress
1224	       MAX-ACCESS read-only
1225	       STATUS current
1226	       DESCRIPTION
1227	           "Prefix assigned to a subscriber's CPE. Source addresses of
1228	            packets outgoing from the subscriber will be contained
1229	            within this prefix.  In the case of DS-Lite access,
1230	            the source address taken from the prefix will be
1231	            that of the outer header."
1232	       REFERENCE
1233	           "DS-Lite: RFC 6333."
1234	       ::= { natv2SubscriberEntry 4 }

1236	   natv2SubscriberInternalPrefixLength OBJECT-TYPE
1237	       SYNTAX InetAddressPrefixLength
1238	       MAX-ACCESS read-only
1239	       STATUS current
1240	       DESCRIPTION
1241	           "Length of the prefix assigned to a subscriber's CPE, in
1242	            bits.  If a single address is assigned, this will be 32
1243	            for IPv4 and 128 for IPv6."
1244	       ::= { natv2SubscriberEntry 5 }

1246	   -- State objects

1248	   natv2SubscriberAddressMapEntries OBJECT-TYPE
1249	       SYNTAX Unsigned32
1250	       MAX-ACCESS read-only
1251	       STATUS current
1252	       DESCRIPTION
1253	           "The current number of address map entries for the
1254	            subscriber, including static mappings. An address map entry
1255	            maps from a given internal address and realm to an external
1256	            address in a particular external realm. This definition
1257	            includes 'hairpin' mappings, where the external realm is the
1258	            same as the internal one. Address map entries are also
1259	            tracked per instance and per address pool within the
1260	            instance."
1261	       REFERENCE
1262	           "RFC yyyy Section 3.3.8."
1263	       ::= { natv2SubscriberEntry 6 }

1265	   natv2SubscriberPortMapEntries OBJECT-TYPE
1266	       SYNTAX Unsigned32
1267	       MAX-ACCESS read-only
1268	       STATUS current
1269	       DESCRIPTION
1270	           "The current number of port map entries in the port map table
1271	            for the subscriber, including static mappings. A port map
1272	            entry maps from a given external realm, address, and port
1273	            for a given protocol to an internal realm, address, and
1274	            port. This definition includes 'hairpin' mappings, where the
1275	            external realm is the same as the internal one. Port map
1276	            entries are also tracked per instance and per protocol and
1277	            address pool within the instance."
1278	       REFERENCE
1279	           "RFC yyyy Section 3.3.9."
1280	       ::= { natv2SubscriberEntry 7 }

1282	   -- Counters and last discontinuity time

1284	   natv2SubscriberTranslations OBJECT-TYPE
1285	       SYNTAX Counter64
1286	       MAX-ACCESS read-only
1287	       STATUS current
1288	       DESCRIPTION
1289	           "The cumulative number of translated packets received from or
1290	            sent to this subscriber. This value MUST be monotone
1291	            increasing in the periods between updates of the entity's
1292	            natv2SubscriberDiscontinuityTime. If a manager detects a
1293	            change in the latter since the last time it sampled this
1294	            counter, it SHOULD NOT make use of the difference between
1295	            the latest value of the counter and any value retrieved
1296	            before the new value of natv2SubscriberDiscontinuityTime."
1297	       ::= { natv2SubscriberEntry 8 }

1299	   natv2SubscriberAddressMapCreations OBJECT-TYPE
1300	       SYNTAX Counter64
1301	       MAX-ACCESS read-only
1302	       STATUS current
1303	       DESCRIPTION
1304	           "The cumulative number of address map entries created for
1305	            this subscriber, including static mappings. Address map
1306	            entries are also tracked per instance and per protocol and
1307	            address pool within the instance.

1309	            This value MUST be monotone increasing in
1310	            the periods between updates of the entity's
1311	            natv2SubscriberDiscontinuityTime. If a manager detects a
1312	            change in the latter since the last time it sampled this
1313	            counter, it SHOULD NOT make use of the difference between
1314	            the latest value of the counter and any value retrieved
1315	            before the new value of natv2SubscriberDiscontinuityTime."
1316	       ::= { natv2SubscriberEntry 9 }

1318	   natv2SubscriberPortMapCreations OBJECT-TYPE
1319	       SYNTAX Counter64
1320	       MAX-ACCESS read-only
1321	       STATUS current
1322	       DESCRIPTION
1323	           "The cumulative number of port map entries created for this
1324	            subscriber, including static mappings. Port map entries are
1325	            also tracked per instance and per protocol and address pool
1326	            within the instance.

1328	            This value MUST be monotone increasing in the periods
1329	            between updates of the entity's
1330	            natv2SubscriberDiscontinuityTime. If a manager detects a
1331	            change in the latter since the last time it sampled this
1332	            counter, it SHOULD NOT make use of the difference between
1333	            the latest value of the counter and any value retrieved
1334	            before the new value of natv2SubscriberDiscontinuityTime."
1335	       ::= { natv2SubscriberEntry 10 }

1337	   natv2SubscriberAddressMapFailureDrops OBJECT-TYPE
1338	       SYNTAX Counter64
1339	       MAX-ACCESS read-only
1340	       STATUS current
1341	       DESCRIPTION
1342	           "The cumulative number of packets originated by this
1343	            subscriber that were dropped because the packet would have
1344	            triggered the creation of a new address map entry, but no
1345	            address could be allocated in the selected external realm
1346	            because all addresses from the selected address pool (or the
1347	            whole realm, if no address pool has been configured for that
1348	            realm) have already been fully allocated.

1350	            This value MUST be monotone increasing in the periods
1351	            between updates of the entity's
1352	            natv2SubscriberDiscontinuityTime. If a manager detects a
1353	            change in the latter since the last time it sampled this
1354	            counter, it SHOULD NOT make use of the difference between
1355	            the latest value of the counter and any value retrieved
1356	            before the new value of natv2SubscriberDiscontinuityTime."
1357	       ::= { natv2SubscriberEntry 11 }

1359	   natv2SubscriberPortMapFailureDrops OBJECT-TYPE
1360	       SYNTAX Counter64
1361	       MAX-ACCESS read-only
1362	       STATUS current
1363	       DESCRIPTION
1364	           "The cumulative number of packets dropped because the
1365	            packet would have triggered the creation of a new
1366	            port mapping, but no port could be allocated for the
1367	            protocol concerned. The usual case for this will be
1368	            for a NAT instance that supports address pooling and
1369	            the 'paired' pooling behavior recommended by RFC 4787,
1370	            where the internal endpoint has used up all of the
1371	            ports allocated to it for the address it was mapped to
1372	            in the selected address pool in the external realm
1373	            concerned and cannot be given more ports because
1374	            - policy or implementation prevents it from having a
1375	              second address in the same pool, and
1376	            - policy or unavailability prevents it from acquiring
1377	              more ports at its originally assigned address.

1379	            If the NAT instance supports address pooling but its
1380	            pooling behavior is 'arbitrary' (meaning that
1381	            the NAT instance can allocate a new port mapping for
1382	            the given internal endpoint on any address in the
1383	            selected address pool and is not bound to what it has
1384	            already mapped for that endpoint), then this counter
1385	            is incremented when all ports for the protocol concerned
1386	            over the whole of the selected address pool are already
1387	            in use.

1389	            As a third case, if no address pools have been configured
1390	            for the external realm concerned, then this counter is
1391	            incremented because all ports for the protocol involved over
1392	            the whole set of addresses available for that external realm
1393	            are already in use.

1395	            Finally, this counter is incremented if the packet would
1396	            have triggered the creation of a new port mapping, but the
1397	            current value of natv2SubscriberPortMapEntries equals or
1398	            exceeds the value of natv2SubscriberLimitPortMapEntries
1399	            for this subscriber (unless that limit is disabled).

1401	            This value MUST be monotone increasing in the periods
1402	            between updates of the entity's
1403	            natv2SubscriberDiscontinuityTime. If a manager detects a
1404	            change in the latter since the last time it sampled this
1405	            counter, it SHOULD NOT make use of the difference between
1406	            the latest value of the counter and any value retrieved
1407	            before the new value of natv2SubscriberDiscontinuityTime."
1408	       REFERENCE
1409	           "Pooling behavior: RFC 4787, end of section 4.1."
1410	       ::= { natv2SubscriberEntry 12 }

1412	   natv2SubscriberDiscontinuityTime OBJECT-TYPE
1413	       SYNTAX TimeStamp
1414	       MAX-ACCESS read-only
1415	       STATUS current
1416	       DESCRIPTION
1417	           "Snapshot of the value of the sysUpTime object at the
1418	            beginning of the latest period of continuity of the
1419	            statistical counters associated with this subscriber."
1420	       ::= { natv2SubscriberEntry 14 }

1422	   -- Per-subscriber limit and threshold on port mappings
1423	   -- Disabled if set to zero
1424	   natv2SubscriberLimitPortMapEntries OBJECT-TYPE
1425	       SYNTAX Unsigned32
1426	       MAX-ACCESS read-write
1427	       STATUS current
1428	       DESCRIPTION
1429	           "Limit on total number of port mappings active for this
1430	            subscriber (natv2SubscriberPortMapEntries). Once this limit
1431	            is reached, packets that might have triggered new port
1432	            mappings are dropped. The number of such packets dropped is
1433	            counted in natv2InstancePortMapFailureDrops.

1435	            Limit is disabled if set to zero (default)."
1436	       DEFVAL
1437	            { 0 }
1438	       ::= { natv2SubscriberEntry 15 }

1440	   natv2SubscriberThresholdPortMapEntriesHigh OBJECT-TYPE
1441	       SYNTAX Unsigned32
1442	       MAX-ACCESS read-write
1443	       STATUS current
1444	       DESCRIPTION
1445	           "Notification threshold for total number of port mappings
1446	            active for this subscriber. Whenever
1447	            natv2SubscriberPortMapEntries is updated, if it equals or
1448	            exceeds natv2SubscriberThresholdPortMapEntriesHigh, the
1449	            notification
1450	            natv2NotificationSubscriberPortMappingEntriesHigh is
1451	            triggered, unless the notification is disabled by setting
1452	            the threshold to 0. Reporting is subject to the minimum
1453	            inter-notification interval given by
1454	            natv2SubscriberNotificationInterval. If multiple
1455	            notifications are triggered during one interval, the agent
1456	            MUST report only the one containing the highest value of
1457	            natv2SubscriberPortMapEntries and discard the others."
1458	       DEFVAL
1459	            { 0 }
1460	       ::= { natv2SubscriberEntry 16 }

1462	   natv2SubscriberNotificationInterval OBJECT-TYPE
1463	       SYNTAX Unsigned32 (1..3600)
1464	       UNITS
1465	           "Seconds"
1466	       MAX-ACCESS read-write
1467	       STATUS current
1468	       DESCRIPTION
1469	           "Minimum number of seconds (default 60) between successive
1470	            reporting of notifications for this subscriber. Controls the
1471	            reporting of
1472	            natv2NotificationSubscriberPortMappingEntriesHigh."
1473	       DEFVAL
1474	            { 60 }
1475	       ::= { natv2SubscriberEntry 17 }

1477	   -- Per-NAT-instance objects

1479	   natv2MIBInstanceObjects OBJECT IDENTIFIER ::= { natv2MIB 2 }
1480	   -- Instance table

1482	   natv2InstanceTable OBJECT-TYPE
1483	       SYNTAX SEQUENCE OF Natv2InstanceEntry
1484	       MAX-ACCESS not-accessible
1485	       STATUS current
1486	       DESCRIPTION
1487	           "Table of NAT instances. As well as state and counter
1488	            objects, it provides the instance index, instance name, and
1489	            the last discontinuity time object which is applicable to
1490	            the counters. It also contains writable thresholds for
1491	            reporting of notifications and limits on usage of resources
1492	            at the level of the NAT instance.

1494	            It is assumed that NAT instances can be created and deleted
1495	            dynamically, but this MIB module does not provide the means
1496	            to do so. For restrictions on assignment and maintenance of
1497	            the NAT index instance see the description of
1498	            natv2InstanceIndex in the table below. For the requirements
1499	            on maintenance of the values of the counters in this table
1500	            see the description of natv2InstanceDiscontinuityTime in
1501	            this table.

1503	            Each NAT instance has its own resources and behavior. The
1504	            resources include memory as reflected in space for map
1505	            entries, processing power as reflected in the rate of map
1506	            creation and deletion, and mappable addresses in each realm
1507	            that can play the role of an external realm for at least
1508	            some mappings for that instance. The NAT instance table
1509	            includes limits and notification thresholds that relate to
1510	            memory usage for mapping at the level of the whole instance.
1511	            The limit on number of subscribers with active mappings is a
1512	            limit to some extent on processor usage.

1514	            The mappable 'external' addresses may or may not be
1515	            organized into address pools. For a definition of address
1516	            pools see the description of natv2PoolTable. If the instance
1517	            does support address pools, it also has a pooling behavior.
1518	            Mapping, filtering, and pooling behavior are defined in the
1519	            descriptions of the natv2InstancePortMappingBehavior,
1520	            natv2InstanceFilteringBehavior, and
1521	            natv2InstancePoolingBehavior objects in this table. The
1522	            instance also has a fragmentation behavior, defined in the
1523	            description of the natv2InstanceFragmentBehavior object."
1524	       REFERENCE
1525	           "RFC yyyy Section 3.3.4. NAT behaviors: RFC 4787
1526	            (primary, UDP); RFC 5382 (TCP), RFC 5508 (ICMP), RFC5597
1527	            (DCCP)."

1529	       ::= { natv2MIBInstanceObjects 1 }

1531	   natv2InstanceEntry OBJECT-TYPE
1532	       SYNTAX Natv2InstanceEntry
1533	       MAX-ACCESS not-accessible
1534	       STATUS current
1535	       DESCRIPTION
1536	           "Objects related to a single NAT instance."
1537	       INDEX { natv2InstanceIndex }
1538	       ::= { natv2InstanceTable 1 }

1540	   Natv2InstanceEntry ::=
1541	       SEQUENCE {
1542	            natv2InstanceIndex                    Natv2InstanceIndex,
1543	            natv2InstanceAlias                         DisplayString,
1544	   -- Configured behaviors
1545	            natv2InstancePortMappingBehavior           INTEGER,
1546	            natv2InstanceFilteringBehavior             INTEGER,
1547	            natv2InstancePoolingBehavior               INTEGER,
1548	            natv2InstanceFragmentBehavior              INTEGER,
1549	   -- State
1550	            natv2InstanceAddressMapEntries              Unsigned32,
1551	            natv2InstancePortMapEntries                 Unsigned32,
1552	   -- Statistics and discontinuity time
1553	            natv2InstanceTranslations                   Counter64,
1554	            natv2InstanceAddressMapCreations            Counter64,
1555	            natv2InstancePortMapCreations               Counter64,
1556	            natv2InstanceAddressMapEntryLimitDrops      Counter64,
1557	            natv2InstancePortMapEntryLimitDrops         Counter64,
1558	            natv2InstanceSubscriberActiveLimitDrops     Counter64,
1559	            natv2InstanceAddressMapFailureDrops         Counter64,
1560	            natv2InstancePortMapFailureDrops            Counter64,
1561	            natv2InstanceFragmentDrops                  Counter64,
1562	            natv2InstanceOtherResourceFailureDrops      Counter64,
1563	            natv2InstanceDiscontinuityTime              TimeStamp,
1564	   -- Notification thresholds, disabled if set to 0
1565	            natv2InstanceThresholdAddressMapEntriesHigh Unsigned32,
1566	            natv2InstanceThresholdPortMapEntriesHigh    Unsigned32,
1567	            natv2InstanceNotificationInterval           Unsigned32,
1568	   -- Limits, disabled if set to 0
1569	            natv2InstanceLimitAddressMapEntries         Unsigned32,
1570	            natv2InstanceLimitPortMapEntries            Unsigned32,
1571	            natv2InstanceLimitPendingFragments          Unsigned32,
1572	            natv2InstanceLimitSubscriberActives         Unsigned32
1573	       }

1575	   natv2InstanceIndex OBJECT-TYPE
1576	       SYNTAX Natv2InstanceIndex
1577	       MAX-ACCESS not-accessible
1578	       STATUS current
1579	       DESCRIPTION
1580	           "NAT instance index. It is up to the implementation to
1581	            determine which values correspond to in-service NAT
1582	            instances. This object is used as an index for all tables
1583	            defined below."
1584	       ::= { natv2InstanceEntry 1 }

1586	   natv2InstanceAlias OBJECT-TYPE
1587	       SYNTAX DisplayString (SIZE (0..64))
1588	       MAX-ACCESS read-only
1589	       STATUS current
1590	       DESCRIPTION
1591	           "This object is an 'alias' name for the NAT instance as
1592	            specified by a network manager, and provides a non-volatile
1593	            'handle' for the instance.

1595	            An example of the value which a network manager might store
1596	            in this object for a NAT instance is the name/identifier of
1597	            the interface that brings in internal traffic for this NAT
1598	            instance or the name of the VRF for internal traffic."
1599	       ::= { natv2InstanceEntry 2 }

1601	   -- Configured behaviors

1603	   natv2InstancePortMappingBehavior OBJECT-TYPE
1604	       SYNTAX INTEGER {
1605	              endpointIndependent (0),
1606	              addressDependent (1),
1607	              addressAndPortDependent (2)
1608	           }
1609	       MAX-ACCESS read-only
1610	       STATUS current
1611	       DESCRIPTION
1612	           "Port mapping behavior is the policy governing selection of
1613	            external address and port in a given realm for a given
1614	            five-tuple of source address and port, destination address
1615	            and port, and protocol.

1617	            endpointIndependent(0), the behavior REQUIRED by RFC 4787
1618	            REQ-1, maps the source address and port to the same
1619	            external address and port for all destination address and
1620	            port combinations reached through the same external realm
1621	            and using the given protocol.

1623	            addressDependent(1) maps to the same external address and
1624	            port for all destination ports at the same destination
1625	            address reached through the same external realm and using
1626	            the given protocol.

1628	            addressAndPortDependent(2) maps to a separate external
1629	            address and port combination for each different
1630	            destination address and port combination reached through
1631	            the same external realm."
1632	       REFERENCE
1633	            "RFC 4787 section 4.1."
1634	       ::= { natv2InstanceEntry 3 }

1636	   natv2InstanceFilteringBehavior OBJECT-TYPE
1637	       SYNTAX INTEGER {
1638	              endpointIndependent (0),
1639	              addressDependent (1),
1640	              addressAndPortDependent (2)
1641	           }
1642	       MAX-ACCESS read-only
1643	       STATUS current
1644	       DESCRIPTION
1645	           "Filtering behavior is the policy governing acceptance or
1646	            dropping of packets incoming from remote sources via a
1647	            given external realm and destined to a specific three-tuple
1648	            of external address, port, and protocol at the NAT instance
1649	            that has been assigned in a port mapping.

1651	            endpointIndependent(0) accepts for translation packets from
1652	            all combinations of remote address and port destined to the
1653	            mapped external address and port via the given external
1654	            realm and using the given protocol.

1656	            addressDependent(1) accepts for translation packets from all
1657	            remote ports from the same remote source address destined to
1658	            the mapped external address and port via the given external
1659	            realm and using the given protocol.

1661	            addressAndPortDependent(2) accepts for translation only
1662	            those packets with the same remote source address, port, and
1663	            protocol incoming from the same external realm as identified
1664	            when the applicable port map entry was created.

1666	            RFC 4787 REQ-8 recommends either endpointIndependent(0) or
1667	            addressDependent(1) filtering behavior depending on whether
1668	            application-friendliness or security takes priority."
1669	       REFERENCE
1670	           "RFC 4787 section 5."
1671	       ::= { natv2InstanceEntry 4 }

1673	   natv2InstancePoolingBehavior OBJECT-TYPE
1674	       SYNTAX INTEGER {
1675	              arbitrary (0),
1676	              paired (1)
1677	           }
1678	       MAX-ACCESS read-only
1679	       STATUS current
1680	       DESCRIPTION
1681	           "Pooling behavior is the policy used to select the address
1682	            for a new port mapping within a given address pool to which
1683	            the internal address has already been mapped.

1685	            arbitrary(0) pooling behavior means that the NAT instance
1686	            may create the new port mapping using any address in the
1687	            pool that has a free port for the protocol concerned.

1689	            paired(1) pooling behavior, the behavior RECOMMENDED by RFC
1690	            4787 REQ-2, means that once a given internal address has
1691	            been mapped to a particular address in a particular pool,
1692	            further mappings of the same internal address to that pool
1693	            will reuse the previously assigned pool member address."
1694	       REFERENCE
1695	           "RFC 4787 near the end of section 4.1"
1696	       ::= { natv2InstanceEntry 5 }

1698	   natv2InstanceFragmentBehavior OBJECT-TYPE
1699	       SYNTAX INTEGER {
1700	              fragmentNone (0),
1701	              fragmentInOrder (1),
1702	              fragmentOutOfOrder (2)
1703	           }
1704	       MAX-ACCESS read-only
1705	       STATUS current
1706	       DESCRIPTION
1707	           "Fragment behavior is the NAT instance's capability to
1708	            receive and translate fragments incoming from remote
1709	            sources.

1711	            fragmentNone(0) implies no capability to translate incoming
1712	            fragments, so all received fragments are dropped. Each
1713	            dropped fragment is counted in natv2InstanceFragmentDrops.

1715	            fragmentInOrder(1) implies the ability to translate
1716	            fragments only if they are received in order, so that in
1717	            particular the header is in the first packet. If a fragment
1718	            is received out of order, it is dropped and counted in
1719	            natv2InstanceFragmentDrops.

1721	            fragmentOutOfOrder(2), the capability REQUIRED by RFC 4787
1722	            REQ-14, implies the capability to translate fragments even
1723	            when they arrive out of order, subject to a protective
1724	            limit natv2InstanceLimitPendingFragments on total number of
1725	            fragments awaiting the first fragment of the chain. If the
1726	            implementation supports this capability,
1727	            natv2InstanceFragmentDrops is incremented only when a new
1728	            fragment arrives but is dropped because the limit on pending
1729	            fragments has already been reached."
1730	       REFERENCE
1731	           "RFC 4787 section 11."
1732	       ::= { natv2InstanceEntry 6 }

1734	   -- State

1736	   natv2InstanceAddressMapEntries OBJECT-TYPE
1737	       SYNTAX Unsigned32
1738	       MAX-ACCESS read-only
1739	       STATUS current
1740	       DESCRIPTION
1741	           "The current number of address map entries in total over the
1742	            whole NAT instance, including static mappings. An address
1743	            map entry maps from a given internal address and realm to an
1744	            external address in a particular external realm. This
1745	            definition includes 'hairpin' mappings, where the external
1746	            realm is the same as the internal one. Address map entries
1747	            are also tracked per subscriber and per address pool within
1748	            the instance."
1749	       REFERENCE
1750	           "RFC yyyy Section 3.3.8. RFC 4787 section 6."
1751	       ::= { natv2InstanceEntry 7 }

1753	   natv2InstancePortMapEntries OBJECT-TYPE
1754	       SYNTAX Unsigned32
1755	       MAX-ACCESS read-only
1756	       STATUS current
1757	       DESCRIPTION
1758	           "The current number of entries in the port map table in total
1759	            over the whole NAT instance, including static mappings. A
1760	            port map entry maps from a given external realm, address,
1761	            and port for a given protocol to an internal realm, address,
1762	            and port. This definition includes 'hairpin' mappings, where
1763	            the external realm is the same as the internal one. Port map
1764	            entries are also tracked per subscriber and per protocol and
1765	            address pool within the instance."
1766	       REFERENCE
1767	           "RFC yyyy Section 3.3.9.
1768	            Hairpinning: RFC 4787 Section 6."

1770	       ::= { natv2InstanceEntry 8 }

1772	   -- Statistics

1774	   natv2InstanceTranslations OBJECT-TYPE
1775	       SYNTAX Counter64
1776	       MAX-ACCESS read-only
1777	       STATUS current
1778	       DESCRIPTION
1779	           "The cumulative number of translated packets passing through
1780	            this NAT instance. This value MUST be monotone increasing in
1781	            the periods between updates of
1782	            natv2InstanceDiscontinuityTime. If a manager detects a
1783	            change in the latter since the last time it sampled this
1784	            counter, it SHOULD NOT make use of the difference between
1785	            the latest value of the counter and any value retrieved
1786	            before the new value of natv2InstanceDiscontinuityTime."
1787	       ::= { natv2InstanceEntry 9 }

1789	   natv2InstanceAddressMapCreations OBJECT-TYPE
1790	       SYNTAX Counter64
1791	       MAX-ACCESS read-only
1792	       STATUS current
1793	       DESCRIPTION
1794	           "The cumulative number of address map entries created by the
1795	            NAT instance, including static mappings. Address map
1796	            creations are also tracked per address pool within the
1797	            instance and per subscriber.

1799	            This value MUST be monotone increasing in
1800	            the periods between updates of
1801	            natv2InstanceDiscontinuityTime. If a manager detects a
1802	            change in the latter since the last time it sampled this
1803	            counter, it SHOULD NOT make use of the difference between
1804	            the latest value of the counter and any value retrieved
1805	            before the new value of natv2InstanceDiscontinuityTime."
1806	       ::= { natv2InstanceEntry 10 }

1808	   natv2InstancePortMapCreations  OBJECT-TYPE
1809	       SYNTAX Counter64
1810	       MAX-ACCESS read-only
1811	       STATUS current
1812	       DESCRIPTION
1813	           "The cumulative number of port map entries created by the
1814	            NAT instance, including static mappings. Port map
1815	            creations are also tracked per protocol and address pool
1816	            within the instance and per subscriber.

1818	            This value MUST be monotone increasing in
1819	            the periods between updates of
1820	            natv2InstanceDiscontinuityTime. If a manager detects a
1821	            change in the latter since the last time it sampled this
1822	            counter, it SHOULD NOT make use of the difference between
1823	            the latest value of the counter and any value retrieved
1824	            before the new value of natv2InstanceDiscontinuityTime."
1825	       ::= { natv2InstanceEntry 11 }

1827	   natv2InstanceAddressMapEntryLimitDrops OBJECT-TYPE
1828	       SYNTAX Counter64
1829	       MAX-ACCESS read-only
1830	       STATUS current
1831	       DESCRIPTION
1832	           "The cumulative number of packets dropped rather than
1833	            translated because the packet would have triggered
1834	            the creation of a new address map entry but the limit
1835	            on number of address map entries for the NAT instance
1836	            given by natv2InstanceLimitAddressMapEntries has
1837	            already been reached.

1839	            This value MUST be monotone increasing in the periods
1840	            between updates of the entity's
1841	            natv2InstanceDiscontinuityTime. If a manager detects a
1842	            change in the latter since the last time it sampled this
1843	            counter, it SHOULD NOT make use of the difference between
1844	            the latest value of the counter and any value retrieved
1845	            before the new value of natv2InstanceDiscontinuityTime."
1846	       ::= { natv2InstanceEntry 12 }

1848	   natv2InstancePortMapEntryLimitDrops OBJECT-TYPE
1849	       SYNTAX Counter64
1850	       MAX-ACCESS read-only
1851	       STATUS current
1852	       DESCRIPTION
1853	           "The cumulative number of packets dropped rather than
1854	            translated because the packet would have triggered
1855	            the creation of a new port map entry but the limit
1856	            on number of port map entries for the NAT instance
1857	            given by natv2InstanceLimitPortMapEntries has
1858	            already been reached.

1860	            This value MUST be monotone increasing in the periods
1861	            between updates of the entity's
1862	            natv2InstanceDiscontinuityTime. If a manager detects a
1863	            change in the latter since the last time it sampled this
1864	            counter, it SHOULD NOT make use of the difference between
1865	            the latest value of the counter and any value retrieved
1866	            before the new value of natv2InstanceDiscontinuityTime."
1867	       ::= { natv2InstanceEntry 13 }

1869	   natv2InstanceSubscriberActiveLimitDrops OBJECT-TYPE
1870	       SYNTAX Counter64
1871	       MAX-ACCESS read-only
1872	       STATUS current
1873	       DESCRIPTION
1874	           "The cumulative number of packets dropped rather than
1875	            translated because the packet would have triggered the
1876	            creation of a new mapping for a subscriber with no other
1877	            active mappings, but the limit on number of active
1878	            subscribers for the NAT instance given by
1879	            natv2InstanceLimitSubscriberActives has already been
1880	            reached.

1882	            This value MUST be monotone increasing in the periods
1883	            between updates of the entity's
1884	            natv2InstanceDiscontinuityTime. If a manager detects a
1885	            change in the latter since the last time it sampled this
1886	            counter, it SHOULD NOT make use of the difference between
1887	            the latest value of the counter and any value retrieved
1888	            before the new value of natv2InstanceDiscontinuityTime."
1889	       ::= { natv2InstanceEntry 14 }

1891	   natv2InstanceAddressMapFailureDrops OBJECT-TYPE
1892	       SYNTAX Counter64
1893	       MAX-ACCESS read-only
1894	       STATUS current
1895	       DESCRIPTION
1896	           "The cumulative number of packets dropped because the packet
1897	            would have triggered the creation of a new address map
1898	            entry, but no address could be allocated in the selected
1899	            external realm because all addresses from the selected
1900	            address pool (or the whole realm, if no address pool has
1901	            been configured for that realm) have already been fully
1902	            allocated.

1904	            This value MUST be monotone increasing in the periods
1905	            between updates of the entity's
1906	            natv2InstanceDiscontinuityTime. If a manager detects a
1907	            change in the latter since the last time it sampled this
1908	            counter, it SHOULD NOT make use of the difference between
1909	            the latest value of the counter and any value retrieved
1910	            before the new value of natv2InstanceDiscontinuityTime."
1911	       ::= { natv2InstanceEntry 15 }

1913	   natv2InstancePortMapFailureDrops OBJECT-TYPE
1914	       SYNTAX Counter64
1915	       MAX-ACCESS read-only
1916	       STATUS current
1917	       DESCRIPTION
1918	           "The cumulative number of packets dropped because the
1919	            packet would have triggered the creation of a new
1920	            port map entry, but no port could be allocated for the
1921	            protocol concerned. The usual case for this will be
1922	            for a NAT instance that supports address pooling and
1923	            the 'paired' pooling behavior recommended by RFC 4787,
1924	            where the internal endpoint has used up all of the
1925	            ports allocated to it for the address it was mapped to
1926	            in the selected address pool in the external realm
1927	            concerned and cannot be given more ports because
1928	            - policy or implementation prevents it from having a
1929	              second address in the same pool, and
1930	            - policy or unavailability prevents it from acquiring
1931	              more ports at its originally assigned address.

1933	            If the NAT instance supports address pooling but its
1934	            pooling behavior is 'arbitrary' (meaning that
1935	            the NAT instance can allocate a new port mapping for
1936	            the given internal endpoint on any address in the
1937	            selected address pool and is not bound to what it has
1938	            already mapped for that endpoint), then this counter
1939	            is incremented when all ports for the protocol concerned
1940	            over the whole of the selected address pool are already
1941	            in use.

1943	            Finally, if no address pools have been configured for the
1944	            external realm concerned, then this counter is incremented
1945	            because all ports for the protocol involved over the whole
1946	            set of addresses available for that external realm are
1947	            already in use.

1949	            This value MUST be monotone increasing in the periods
1950	            between updates of the entity's
1951	            natv2InstanceDiscontinuityTime. If a manager detects a
1952	            change in the latter since the last time it sampled this
1953	            counter, it SHOULD NOT make use of the difference between
1954	            the latest value of the counter and any value retrieved
1955	            before the new value of natv2InstanceDiscontinuityTime."
1956	       REFERENCE
1957	           "Pooling behavior: RFC 4787, end of section 4.1."
1958	       ::= { natv2InstanceEntry 16 }

1960	   natv2InstanceFragmentDrops OBJECT-TYPE
1961	       SYNTAX Counter64
1962	       MAX-ACCESS read-only
1963	       STATUS current
1964	       DESCRIPTION
1965	           "The cumulative number of fragments received by the NAT
1966	            instance but dropped rather than translated. When the NAT
1967	            instance supports the 'Receive Fragment Out of Order'
1968	            capability as required by RFC 4787, this occurs because the
1969	            fragment was received out of order and would be added to the
1970	            queue of fragments awaiting the initial fragment of the
1971	            chain, but the queue has already reached the limit set by
1972	            natv2InstanceLimitsPendingFragments. Counting in other cases
1973	            is specified in the description of
1974	            natv2InstanceFragmentBehavior.

1976	            This value MUST be monotone increasing in the periods
1977	            between updates of the entity's
1978	            natv2InstanceDiscontinuityTime. If a manager detects a
1979	            change in the latter since the last time it sampled this
1980	            counter, it SHOULD NOT make use of the difference between
1981	            the latest value of the counter and any value retrieved
1982	            before the new value of natv2InstanceDiscontinuityTime."
1983	       REFERENCE
1984	           "RFC 4787, section 11."
1985	       ::= { natv2InstanceEntry 17 }

1987	   natv2InstanceOtherResourceFailureDrops OBJECT-TYPE
1988	       SYNTAX Counter64
1989	       MAX-ACCESS read-only
1990	       STATUS current
1991	       DESCRIPTION
1992	           "The cumulative number of packets dropped because of
1993	            unavailability of a resource other than an address or port
1994	            that would have been required to process it. The most likely
1995	            case is where the upper layer protocol in the packet is not
1996	            supported by the NAT instance.

1998	            This value MUST be monotone increasing in the periods
1999	            between updates of the entity's
2000	            natv2InstanceDiscontinuityTime. If a manager detects a
2001	            change in the latter since the last time it sampled this
2002	            counter, it SHOULD NOT make use of the difference between
2003	            the latest value of the counter and any value retrieved
2004	            before the new value of natv2InstanceDiscontinuityTime."
2005	       ::= { natv2InstanceEntry 18 }

2007	   natv2InstanceDiscontinuityTime OBJECT-TYPE
2008	       SYNTAX TimeStamp
2009	       MAX-ACCESS read-only
2010	       STATUS current
2011	       DESCRIPTION
2012	           "Snapshot of the value of the sysUpTime object at the
2013	            beginning of the latest period of continuity of the
2014	            statistical counters associated with this NAT instance."
2015	       ::= { natv2InstanceEntry 19 }

2017	   -- Notification thresholds, disabled by setting to zero

2019	   natv2InstanceThresholdAddressMapEntriesHigh OBJECT-TYPE
2020	       SYNTAX Unsigned32
2021	       MAX-ACCESS read-write
2022	       STATUS current
2023	       DESCRIPTION
2024	           "Notification threshold for total number of address map
2025	            entries held by this NAT instance. Whenever
2026	            natv2InstanceAddressMapEntries is updated, if it equals or
2027	            exceeds natv2InstanceThresholdAddressMapEntriesHigh, then
2028	            natv2NotificationInstanceAddressMapEntriesHigh may be
2029	            triggered, unless the notification is disabled by setting
2030	            the threshold to 0. Reporting is subject to the minimum
2031	            inter-notification interval given by
2032	            natv2InstanceNotificationInterval. If multiple notifications
2033	            are triggered during one interval, the agent MUST report
2034	            only the one containing the highest value of
2035	            natv2InstanceAddressMapEntries and discard the others."
2036	       DEFVAL
2037	            { 0 }
2038	       ::= { natv2InstanceEntry 20 }

2040	   natv2InstanceThresholdPortMapEntriesHigh OBJECT-TYPE
2041	       SYNTAX Unsigned32
2042	       MAX-ACCESS read-write
2043	       STATUS current
2044	       DESCRIPTION
2045	           "Notification threshold for total number of port map
2046	            entries held by this NAT instance. Whenever
2047	            natv2InstancePortMapEntries is updated, if it equals or
2048	            exceeds natv2InstanceThresholdPortMapEntriesHigh, then
2049	            natv2NotificationInstancePortMapEntriesHigh may be
2050	            triggered, unless the notification is disabled by setting
2051	            the threshold to 0. Reporting is subject to the minimum
2052	            inter-notification interval given by
2053	            natv2InstanceNotificationInterval. If multiple notifications
2054	            are triggered during one interval, the agent MUST report
2055	            only the one containing the highest value of
2056	            natv2InstancePortMapEntries and discard the others."
2057	       DEFVAL
2058	           { 0 }
2059	       ::= { natv2InstanceEntry 21 }

2061	   natv2InstanceNotificationInterval OBJECT-TYPE
2062	       SYNTAX Unsigned32 (1..3600)
2063	       UNITS
2064	           "Seconds"
2065	       MAX-ACCESS read-write
2066	       STATUS current
2067	       DESCRIPTION
2068	           "Minimum number of seconds (default 10) between successive
2069	            notifications for this NAT instance. Controls the reporting
2070	            of natv2NotificationInstanceAddressMapEntriesHigh and
2071	            natv2NotificationInstancePortMapEntriesHigh."
2072	       DEFVAL
2073	           { 10 }
2074	       ::= { natv2InstanceEntry 22 }

2076	     -- Limits, disabled if set to 0

2078	   natv2InstanceLimitAddressMapEntries OBJECT-TYPE
2079	       SYNTAX Unsigned32
2080	       MAX-ACCESS read-write
2081	       STATUS current
2082	       DESCRIPTION
2083	           "Limit on total number of address map entries supported by
2084	            the NAT instance. When natv2InstanceAddressMapEntries has
2085	            reached this limit, subsequent packets that would normally
2086	            trigger creation of a new address map entry will be dropped
2087	            and counted in natv2InstanceAddressMapEntryLimitDrops.
2088	            Warning of an approach to this limit can be achieved by
2089	            setting natv2InstanceThresholdAddressMapEntriesHigh to a
2090	            non-zero value, for example, 80% of the limit. The limit is
2091	            disabled by setting its value to zero (default value).

2093	            For further information please see the descriptions of
2094	            natv2NotificationInstanceAddressMapEntriesHigh and
2095	            natv2InstanceAddressMapEntries."
2096	       DEFVAL
2097	           { 0 }
2098	       ::= { natv2InstanceEntry 23 }

2100	   natv2InstanceLimitPortMapEntries OBJECT-TYPE
2101	       SYNTAX Unsigned32
2102	       MAX-ACCESS read-write
2103	       STATUS current
2104	       DESCRIPTION
2105	           "Limit on total number of port map entries supported by the
2106	            NAT instance. When natv2InstancePortMapEntries has reached
2107	            this limit, subsequent packets that would normally trigger
2108	            creation of a new port map entry will be dropped and counted
2109	            in natv2InstancePortMapEntryLimitDrops. Warning of an
2110	            approach to this limit can be achieved by setting
2111	            natv2InstanceThresholdPortMapEntriesHigh to a non-zero
2112	            value, for example, 80% of the limit. The limit is disabled
2113	            by setting its value to zero (default value).

2115	            For further information please see the descriptions of
2116	            natv2NotificationInstancePortMapEntriesHigh and
2117	            natv2InstancePortMapEntries."
2118	       DEFVAL
2119	           { 0 }
2120	       ::= { natv2InstanceEntry 24 }

2122	   natv2InstanceLimitPendingFragments OBJECT-TYPE
2123	       SYNTAX Unsigned32
2124	       MAX-ACCESS read-write
2125	       STATUS current
2126	       DESCRIPTION
2127	           "Limit on number of out-of-order fragments received by the
2128	            NAT instance from remote sources and held until head of
2129	            chain appears. While the number of held fragments is at this
2130	            limit, subsequent packets that contain fragments not
2131	            relating to those already held will be dropped and counted
2132	            in natv2InstancePendingFragmentLimitDrops. The limit is
2133	            disabled by setting the value to zero (default value).

2135	            Applicable only when the NAT instance supports 'Receive
2136	            Fragments Out of Order' behavior, leave at default
2137	            otherwise. See the description of
2138	            natv2InstanceFragmentBehavior."
2139	       REFERENCE
2140	            "RFC 4787 Section 11"
2141	       DEFVAL { 0 }
2142	       ::= { natv2InstanceEntry 25 }

2144	   natv2InstanceLimitSubscriberActives OBJECT-TYPE
2145	       SYNTAX Unsigned32
2146	       MAX-ACCESS read-write
2147	       STATUS current
2148	       DESCRIPTION
2149	           "Limit on number of total number of active subscribers
2150	            supported by the NAT instance. An active subscriber is
2151	            defined as any subscriber with at least one map entry,
2152	            including static mappings. While the number of active
2153	            subscribers is at this limit, subsequent packets that would
2154	            otherwise trigger first mappings for newly active
2155	            subscribers will be dropped and counted in
2156	            natv2InstanceSubscriberActiveLimitDrops. The limit is
2157	            disabled by setting the value to zero (default value)."
2158	       DEFVAL { 0 }
2159	       ::= { natv2InstanceEntry 26 }

2161	   -- Table of counters per upper layer protocol identified by the
2162	   -- packet header and supported by the NAT instance

2164	   natv2ProtocolTable  OBJECT-TYPE
2165	       SYNTAX SEQUENCE OF Natv2ProtocolEntry
2166	       MAX-ACCESS not-accessible
2167	       STATUS current
2168	       DESCRIPTION
2169	           "Table of protocols with per-protocol counters. Conceptual
2170	            rows of the table are indexed by the combination of the NAT
2171	            instance number and the IANA-assigned upper layer protocol
2172	            number as given by the ProtocolNumber TC and contained in
2173	            the packet IP header. It is up to the agent implementation
2174	            to determine and operate upon only those upper layer
2175	            protocol numbers supported by the NAT instance."
2176	       REFERENCE
2177	           "RFC yyyy Section 3.3.5."
2178	       ::= { natv2MIBInstanceObjects 2 }

2180	   natv2ProtocolEntry OBJECT-TYPE
2181	       SYNTAX Natv2ProtocolEntry
2182	       MAX-ACCESS not-accessible
2183	       STATUS current
2184	       DESCRIPTION
2185	           "Per-protocol counters."
2186	       INDEX { natv2ProtocolInstanceIndex,
2187	               natv2ProtocolNumber }
2188	       ::= { natv2ProtocolTable 1 }

2190	   Natv2ProtocolEntry ::=
2191	       SEQUENCE {
2192	           natv2ProtocolInstanceIndex          Natv2InstanceIndex,
2193	           natv2ProtocolNumber                     ProtocolNumber,
2194	   -- State
2195	           natv2ProtocolPortMapEntries             Unsigned32,
2196	   -- Statistics. Discontinuity object from instance table reused here.
2197	           natv2ProtocolTranslations               Counter64,
2198	           natv2ProtocolPortMapCreations           Counter64,
2199	           natv2ProtocolPortMapFailureDrops        Counter64
2200	       }

2202	   natv2ProtocolInstanceIndex OBJECT-TYPE
2203	       SYNTAX Natv2InstanceIndex
2204	       MAX-ACCESS not-accessible
2205	       STATUS current
2206	       DESCRIPTION
2207	           "NAT instance index. It is up to the implementation to
2208	            determine and operate upon only those values that
2209	            correspond to in-service NAT instances."
2210	       ::= { natv2ProtocolEntry 1 }

2212	   natv2ProtocolNumber OBJECT-TYPE
2213	       SYNTAX ProtocolNumber
2214	       MAX-ACCESS not-accessible
2215	       STATUS current
2216	       DESCRIPTION
2217	           "Counters in this conceptual row apply to packets indicating
2218	            the upper layer protocol identified by the value of
2219	            this object. It is up to the implementation to determine and
2220	            operate upon only those values that correspond to protocols
2221	            supported by the NAT instance."
2222	       REFERENCE
2223	           "RFC yyyy Section 3.3.5.
2224	            IANA Protocol Numbers, http://www.iana.org/assignments/
2225	            protocol-numbers/protocol-numbers.xhtml#protocol-numbers-1"
2226	       ::= { natv2ProtocolEntry 2 }

2228	    -- State
2229	   natv2ProtocolPortMapEntries OBJECT-TYPE
2230	       SYNTAX Unsigned32
2231	       MAX-ACCESS read-only
2232	       STATUS current
2233	       DESCRIPTION
2234	           "The current number of entries in the port map table in total
2235	            over the whole NAT instance for a given protocol, including
2236	            static mappings. A port map entry maps from a given external
2237	            realm, address, and port for a given protocol to an internal
2238	            realm, address, and port. This definition includes 'hairpin'
2239	            mappings, where the external realm is the same as the
2240	            internal one. Port map entries are also tracked per
2241	            subscriber, per instance, and per address pool within the
2242	            instance."
2243	       REFERENCE
2244	           "RFC yyyy Section 3.3.5 and Section 3.3.9. Hairpinning:
2245	            RFC 4787 Section 6."
2246	       ::= { natv2ProtocolEntry 3 }

2248	   -- Statistics
2249	   natv2ProtocolTranslations OBJECT-TYPE
2250	       SYNTAX Counter64
2251	       MAX-ACCESS read-only
2252	       STATUS current
2253	       DESCRIPTION
2254	           "The cumulative number of packets translated by the NAT
2255	            instance in either direction for the given protocol.

2257	            This value MUST be monotone increasing in the periods
2258	            between updates of the NAT instance
2259	            natv2InstanceDiscontinuityTime. If a manager detects a
2260	            change in the latter since the last time it sampled this
2261	            counter, it SHOULD NOT make use of the difference between
2262	            the latest value of the counter and any value retrieved
2263	            before the new value of natv2InstanceDiscontinuityTime."
2264	       ::= { natv2ProtocolEntry 4 }

2266	   natv2ProtocolPortMapCreations  OBJECT-TYPE
2267	       SYNTAX Counter64
2268	       MAX-ACCESS read-only
2269	       STATUS current
2270	       DESCRIPTION
2271	           "The cumulative number of port map entries created by the NAT
2272	            instance for the given protocol.

2274	            This value MUST be monotone increasing in the periods
2275	            between updates of the NAT instance
2276	            natv2InstanceDiscontinuityTime. If a manager detects a
2277	            change in the latter since the last time it sampled this
2278	            counter, it SHOULD NOT make use of the difference between
2279	            the latest value of the counter and any value retrieved
2280	            before the new value of natv2InstanceDiscontinuityTime."
2281	       ::= { natv2ProtocolEntry 5 }

2283	   natv2ProtocolPortMapFailureDrops OBJECT-TYPE
2284	       SYNTAX Counter64
2285	       MAX-ACCESS read-only
2286	       STATUS current
2287	       DESCRIPTION
2288	           "The cumulative number of packets dropped because the packet
2289	            would have triggered the creation of a new port map entry,
2290	            but no port could be allocated for the protocol concerned.
2291	            The usual case for this will be for a NAT instance that
2292	            supports address pooling and the 'paired' pooling behavior
2293	            recommended by RFC 4787, where the internal endpoint has
2294	            used up all of the ports allocated to it for the address it
2295	            was mapped to in the selected address pool in the external
2296	            realm concerned and cannot be given more ports because
2297	            - policy or implementation prevents it from having a
2298	              second address in the same pool, and
2299	            - policy or unavailability prevents it from acquiring
2300	              more ports at its originally assigned address.

2302	            If the NAT instance supports address pooling but its
2303	            pooling behavior is 'arbitrary' (meaning that
2304	            the NAT instance can allocate a new port mapping for
2305	            the given internal endpoint on any address in the
2306	            selected address pool and is not bound to what it has
2307	            already mapped for that endpoint), then this counter
2308	            is incremented when all ports for the protocol concerned
2309	            over the whole of the selected address pool are already
2310	            in use.

2312	            Finally, if the NAT instance has no configured address
2313	            pooling, then this counter is incremented because all
2314	            ports for the protocol concerned over the whole of the
2315	            NAT instance for the external realm concerned are already
2316	            in use.

2318	            This value MUST be monotone increasing in the periods
2319	            between updates of the NAT instance
2320	            natv2InstanceDiscontinuityTime. If a manager detects a
2321	            change in the latter since the last time it sampled this
2322	            counter, it SHOULD NOT make use of the difference between
2323	            the latest value of the counter and any value retrieved
2324	            before the new value of natv2InstanceDiscontinuityTime."
2325	       REFERENCE
2326	           "RFC 4787, end of section 4.1."
2327	       ::= { natv2ProtocolEntry 6 }

2329	   -- pools

2331	   natv2PoolTable OBJECT-TYPE
2332	       SYNTAX SEQUENCE OF Natv2PoolEntry
2333	       MAX-ACCESS not-accessible
2334	       STATUS current
2335	       DESCRIPTION
2336	          "Table of address pools, applicable only if these are
2337	           supported by the NAT instance. An address pool is a set of
2338	           addresses and ports in a particular realm, available for
2339	           assignment to the 'external' portion of a mapping. Where more
2340	           than one pool has been configured for the realm, policy
2341	           determines which subscribers and/or services are mapped to
2342	           which pool. natv2PoolTable provides basic information, state,
2343	           statistics, and two notification thresholds for each pool.
2344	           natv2PoolRangeTable is an expansion table for natv2PoolTable
2345	           that identifies particular address ranges allocated to the
2346	           pool."
2347	       REFERENCE
2348	           "RFC yyyy Section 3.3.6."
2349	       ::= { natv2MIBInstanceObjects 3 }

2351	   natv2PoolEntry OBJECT-TYPE
2352	       SYNTAX Natv2PoolEntry
2353	       MAX-ACCESS not-accessible
2354	       STATUS current
2355	       DESCRIPTION
2356	           "Entry in the table of address pools."
2357	       INDEX { natv2PoolInstanceIndex, natv2PoolIndex }
2358	       ::= { natv2PoolTable 1 }

2360	   Natv2PoolEntry ::=
2361	       SEQUENCE {
2362	   -- Index
2363	            natv2PoolInstanceIndex                 Natv2InstanceIndex,
2364	            natv2PoolIndex                         Natv2PoolIndex,
2365	   -- Configuration
2366	            natv2PoolRealm                         SnmpAdminString,
2367	            natv2PoolAddressType                   InetAddressType,
2368	            natv2PoolMinimumPort                   InetPortNumber,
2369	            natv2PoolMaximumPort                   InetPortNumber,
2370	   -- State
2371	            natv2PoolAddressMapEntries             Unsigned32,
2372	            natv2PoolPortMapEntries                Unsigned32,
2373	   -- Statistics and discontinuity time
2374	            natv2PoolAddressMapCreations           Counter64,
2375	            natv2PoolPortMapCreations              Counter64,
2376	            natv2PoolAddressMapFailureDrops        Counter64,
2377	            natv2PoolPortMapFailureDrops           Counter64,
2378	            natv2PoolDiscontinuityTime             TimeStamp,
2379	   -- Notification thresholds and objects returned by notifications
2380	            natv2PoolThresholdUsageLow             Integer32,
2381	            natv2PoolThresholdUsageHigh            Unsigned32,
2382	            natv2PoolNotifiedPortMapEntries        Unsigned32,
2383	            natv2PoolNotifiedPortMapProtocol       ProtocolNumber,
2384	            natv2PoolNotificationInterval          Unsigned32
2385	       }

2387	   natv2PoolInstanceIndex OBJECT-TYPE
2388	       SYNTAX Natv2InstanceIndex
2389	       MAX-ACCESS not-accessible
2390	       STATUS current
2391	       DESCRIPTION
2392	           "NAT instance index. It is up to the agent implementation
2393	            to determine and operate upon only those values that
2394	            correspond to in-service NAT instances."
2395	       ::= { natv2PoolEntry 1 }

2397	   natv2PoolIndex OBJECT-TYPE
2398	       SYNTAX Natv2PoolIndex
2399	       MAX-ACCESS not-accessible
2400	       STATUS current
2401	       DESCRIPTION
2402	           "Index of an address pool, unique for a given NAT instance.
2403	            It is up to the agent implementation to determine and
2404	            operate upon only those values that correspond to
2405	            provisioned pools."
2406	       ::= { natv2PoolEntry 2 }

2408	   -- configuration
2409	   natv2PoolRealm OBJECT-TYPE
2410	       SYNTAX SnmpAdminString (SIZE (0..32))
2411	       MAX-ACCESS read-only
2412	       STATUS current
2413	       DESCRIPTION
2414	           "Address realm to which this pool's addresses belong."
2415	       REFERENCE
2416	           "Address realms are discussed in Section 3.3.3 of
2417	            RFC yyyy. Primary reference is RFC 2663 Section 2.1."
2418	       ::= { natv2PoolEntry 3 }

2420	   natv2PoolAddressType OBJECT-TYPE
2421	       SYNTAX InetAddressType
2422	       MAX-ACCESS read-create
2423	       STATUS current
2424	       DESCRIPTION
2425	           "Address type supplied by this address pool. This will be the
2426	            same for all pools in a given realm (by definition of an
2427	            address realm). Values other than ipv4(1) or ipv6(2) would
2428	            be unexpected."
2429	       REFERENCE
2430	           "InetAddressType in RFC 4001."
2431	       ::= { natv2PoolEntry 4 }

2433	   natv2PoolMinimumPort OBJECT-TYPE
2434	       SYNTAX InetPortNumber
2435	       MAX-ACCESS read-create
2436	       STATUS current
2437	       DESCRIPTION
2438	           "Minimum port number of the range that can be allocated in
2439	            this pool. Applies to all protocols supported by the NAT
2440	            instance."

2442	       REFERENCE
2443	           "InetPortNumber in RFC 4001."
2444	       ::= { natv2PoolEntry 5 }

2446	   natv2PoolMaximumPort OBJECT-TYPE
2447	       SYNTAX InetPortNumber
2448	       MAX-ACCESS read-create
2449	       STATUS current
2450	       DESCRIPTION
2451	           "Maximum port number of the range that can be allocated in
2452	            this pool. Applies to all protocols supported by the NAT
2453	            instance."
2454	       REFERENCE
2455	           "InetPortNumber in RFC 4001."
2456	       ::= { natv2PoolEntry 6 }

2458	   -- State
2459	   natv2PoolAddressMapEntries OBJECT-TYPE
2460	       SYNTAX Unsigned32
2461	       MAX-ACCESS read-only
2462	       STATUS current
2463	       DESCRIPTION
2464	           "The current number of address map entries using external
2465	            addresses drawn from this pool, including static mappings.
2466	            This definition includes 'hairpin' mappings, where the
2467	            external realm is the same as the internal one. Address map
2468	            entries are also tracked per subscriber and per instance."
2469	       REFERENCE
2470	           "RFC yyyy Section 3.3.8. Hairpinning: RFC 4787 section 6."
2471	       ::= { natv2PoolEntry 7 }

2473	   natv2PoolPortMapEntries OBJECT-TYPE
2474	       SYNTAX Unsigned32
2475	       MAX-ACCESS read-only
2476	       STATUS current
2477	       DESCRIPTION
2478	           "The current number of entries in the port map table using
2479	            external addresses and ports drawn from this pool, including
2480	            static mappings. This definition includes 'hairpin'
2481	            mappings, where the external realm is the same as the
2482	            internal one. Port map entries are also tracked per
2483	            subscriber, per instance, and per protocol within the
2484	            instance."
2485	       REFERENCE
2486	           "RFC yyyy Section 3.3.9. Hairpinning: RFC 4787 Section 6."
2487	       ::= { natv2PoolEntry 8 }

2489	   -- Statistics and discontinuity time
2490	   natv2PoolAddressMapCreations OBJECT-TYPE
2491	       SYNTAX Counter64
2492	       MAX-ACCESS read-only
2493	       STATUS current
2494	       DESCRIPTION
2495	           "The cumulative number of address map entries created in this
2496	            pool, including static mappings. Address map entries are
2497	            also tracked per instance and per subscriber.

2499	            This value MUST be monotone increasing in
2500	            the periods between updates of the entity's
2501	            natv2PoolDiscontinuityTime. If a manager detects a
2502	            change in the latter since the last time it sampled this
2503	            counter, it SHOULD NOT make use of the difference between
2504	            the latest value of the counter and any value retrieved
2505	            before the new value of natv2PoolDiscontinuityTime."
2506	       ::= { natv2PoolEntry 9 }

2508	   natv2PoolPortMapCreations OBJECT-TYPE
2509	       SYNTAX Counter64
2510	       MAX-ACCESS read-only
2511	       STATUS current
2512	       DESCRIPTION
2513	           "The cumulative number of port map entries created in this
2514	            pool, including static mappings. Port map entries are also
2515	            tracked per instance, per protocol, and per subscriber.

2517	            This value MUST be monotone increasing in the periods
2518	            between updates of the entity's
2519	            natv2PoolDiscontinuityTime. If a manager detects a
2520	            change in the latter since the last time it sampled this
2521	            counter, it SHOULD NOT make use of the difference between
2522	            the latest value of the counter and any value retrieved
2523	            before the new value of natv2PoolDiscontinuityTime."
2524	       ::= { natv2PoolEntry 10 }

2526	   natv2PoolAddressMapFailureDrops OBJECT-TYPE
2527	       SYNTAX Counter64
2528	       MAX-ACCESS read-only
2529	       STATUS current
2530	       DESCRIPTION
2531	           "The cumulative number of packets originated by the
2532	            subscriber that were dropped because the packet would have
2533	            triggered the creation of a new address map entry, but no
2534	            address could be allocated from this address pool because
2535	            all addresses in the pool have already been fully allocated.
2536	            Counters of this event are also provided per instance, per
2537	            protocol and per subscriber.

2539	            This value MUST be monotone increasing in the periods
2540	            between updates of the entity's
2541	            natv2PoolDiscontinuityTime. If a manager detects a
2542	            change in the latter since the last time it sampled this
2543	            counter, it SHOULD NOT make use of the difference between
2544	            the latest value of the counter and any value retrieved
2545	            before the new value of natv2PoolDiscontinuityTime."
2546	       ::= { natv2PoolEntry 11 }

2548	   natv2PoolPortMapFailureDrops OBJECT-TYPE
2549	       SYNTAX Counter64
2550	       MAX-ACCESS read-only
2551	       STATUS current
2552	       DESCRIPTION
2553	           "The cumulative number of packets dropped because the packet
2554	            would have triggered the creation of a new port map entry,
2555	            but no port could be allocated for the protocol concerned.
2556	            The usual case for this will be for a NAT instance that
2557	            supports the 'paired' pooling behavior recommended by RFC
2558	            4787, where the internal endpoint has used up all of the
2559	            ports allocated to it for the address it was mapped to in
2560	            this pool and cannot be given more ports because
2561	            - policy or implementation prevents it from having a
2562	              second address in the same pool, and
2563	            - policy or unavailability prevents it from acquiring
2564	              more ports at its originally assigned address.

2566	            If the NAT instance pooling behavior is 'arbitrary' (meaning
2567	            that the NAT instance can allocate a new port mapping for
2568	            the given internal endpoint on any address in the selected
2569	            address pool and is not bound to what it has already mapped
2570	            for that endpoint), then this counter is incremented when
2571	            all ports for the protocol concerned over the whole of this
2572	            address pool are already in use.

2574	            This value MUST be monotone increasing in the periods
2575	            between updates of the entity's
2576	            natv2PoolDiscontinuityTime. If a manager detects a
2577	            change in the latter since the last time it sampled this
2578	            counter, it SHOULD NOT make use of the difference between
2579	            the latest value of the counter and any value retrieved
2580	            before the new value of natv2PoolDiscontinuityTime."
2581	       REFERENCE
2582	           "Pooling behavior: RFC 4787, end of section 4.1."
2583	       ::= { natv2PoolEntry 12 }

2585	   natv2PoolDiscontinuityTime OBJECT-TYPE
2586	       SYNTAX TimeStamp
2587	       MAX-ACCESS read-only
2588	       STATUS current
2589	       DESCRIPTION
2590	           "Snapshot of the value of the sysUpTime object at the
2591	            beginning of the latest period of continuity of the
2592	            statistical counters associated with this address
2593	            pool. This MUST be initialized when the address pool
2594	            is configured and MUST be updated whenever the port
2595	            or address ranges allocated to the pool change."
2596	       ::= { natv2PoolEntry 14 }

2598	   -- Notification thresholds and objects returned by notifications
2599	   natv2PoolThresholdUsageLow OBJECT-TYPE
2600	       SYNTAX Integer32 (-1|0..100)
2601	       UNITS "Percent"
2602	       MAX-ACCESS read-write
2603	       STATUS current
2604	       DESCRIPTION
2605	           "Threshold for reporting low utilization of the address pool.
2606	            Utilization at a given instant is calculated as the
2607	            percentage of ports allocated in port map entries for the
2608	            most-used protocol at that instant. If utilization is less
2609	            than or equal to natv2PoolThresholdUsageLow, an instance of
2610	            natv2NotificationPoolUsageLow may be triggered, unless
2611	            disabled by setting it to -1.  Note the difference from the
2612	            disabling setting for other notifications. Reporting is
2613	            subject to the per-pool notification interval given by
2614	            natv2PoolNotificationInterval. If multiple notifications are
2615	            triggered during one interval, the agent MUST report only
2616	            the one with the lowest value of
2617	            natv2PoolNotifiedPortMapEntries and discard the others.

2619	            Implementation note: the percentage specified by this object
2620	            can be converted to a number of port map entries at
2621	            configuration time (after port and address ranges have been
2622	            configured or reconfigured) and compared to the current
2623	            value of natv2PoolNotifiedPortMapEntries."
2624	       REFERENCE
2625	           "RFC yyyy Section 3.1.2 and Section 3.3.6."
2626	       DEFVAL { -1 }
2627	       ::= { natv2PoolEntry 15 }

2629	   natv2PoolThresholdUsageHigh OBJECT-TYPE
2630	       SYNTAX Unsigned32 (0..100)
2631	       UNITS "Percent"
2632	       MAX-ACCESS read-write
2633	       STATUS current
2634	       DESCRIPTION
2635	           "Threshold for reporting high utilization of the address
2636	            pool. Utilization at a given instant is calculated as the
2637	            percentage of ports allocated in port map entries for the
2638	            most-used protocol at that instant.  If utilization is
2639	            greater than or equal to natv2PoolThresholdUsageHigh, an
2640	            instance of natv2NotificationPoolUsageHigh may be triggered,
2641	            unless disabled by setting it to 0.

2643	            Reporting is subject to the per-pool notification interval
2644	            given by natv2PoolNotificationInterval. If multiple
2645	            notifications are triggered during one interval, the agent
2646	            MUST report only the one with the highest value of
2647	            natv2PoolNotifiedPortMapEntries and discard the others. In
2648	            the rare case where both upper and lower thresholds
2649	            are crossed in the same interval, the agent MUST report only
2650	            the upper threshold notification.

2652	            Implementation note: the percentage specified by this object
2653	            can be converted to a number of port map entries at
2654	            configuration time (after port and address ranges have been
2655	            configured or reconfigured) and compared to the current
2656	            value of natv2PoolNotifiedPortMapEntries."
2657	       DEFVAL { 0 }
2658	       ::= { natv2PoolEntry 16 }

2660	   natv2PoolNotifiedPortMapEntries OBJECT-TYPE
2661	       SYNTAX Unsigned32
2662	       MAX-ACCESS accessible-for-notify
2663	       STATUS current
2664	       DESCRIPTION
2665	           "Number of port map entries using addresses and ports from
2666	            this address pool for the most-used protocol at a given
2667	            instant. One of the objects returned by
2668	            natv2NotificationPoolUsageLow and
2669	            natv2NotificationPoolUsageHigh."
2670	       ::= { natv2PoolEntry 17 }

2672	   natv2PoolNotifiedPortMapProtocol OBJECT-TYPE
2673	       SYNTAX ProtocolNumber
2674	       MAX-ACCESS accessible-for-notify
2675	       STATUS current
2676	       DESCRIPTION
2677	           "The most-used protocol (i.e., with the largest number of
2678	            port map entries) mapped into this address pool at a given
2679	            instant. One of the objects returned by
2680	            natv2NotificationPoolUsageLow and
2681	            natv2NotificationPoolUsageHigh."

2683	       ::= { natv2PoolEntry 18 }

2685	   natv2PoolNotificationInterval OBJECT-TYPE
2686	       SYNTAX Unsigned32 (1..3600)
2687	       UNITS
2688	           "Seconds"
2689	       MAX-ACCESS read-write
2690	       STATUS current
2691	       DESCRIPTION
2692	           "Minimum number of seconds (default 20) between successive
2693	            notifications for this address pool. Controls the generation
2694	            of  natv2NotificationPoolUsageLow and
2695	            natv2NotificationPoolUsageHigh."
2696	       DEFVAL
2697	           { 20 }
2698	       ::= { natv2PoolEntry 19 }

2700	   natv2PoolRangeTable OBJECT-TYPE
2701	       SYNTAX SEQUENCE OF Natv2PoolRangeEntry
2702	       MAX-ACCESS not-accessible
2703	       STATUS current
2704	       DESCRIPTION
2705	           "This table contains address ranges used by pool entries.
2706	            It is an expansion of natv2PoolTable."
2707	       REFERENCE
2708	           "RFC yyyy <xref target='poolRangeTable'/>."
2709	       ::= { natv2MIBInstanceObjects 4 }

2711	   natv2PoolRangeEntry OBJECT-TYPE
2712	       SYNTAX Natv2PoolRangeEntry
2713	       MAX-ACCESS not-accessible
2714	       STATUS current
2715	       DESCRIPTION
2716	           "NAT pool address range."
2717	       INDEX {
2718	            natv2PoolRangeInstanceIndex,
2719	            natv2PoolRangePoolIndex,
2720	            natv2PoolRangeRowIndex
2721	       }
2722	       ::= { natv2PoolRangeTable 1 }

2724	   Natv2PoolRangeEntry ::=
2725	       SEQUENCE {
2726	           natv2PoolRangeInstanceIndex    Natv2InstanceIndex,
2727	           natv2PoolRangePoolIndex        Natv2PoolIndex,
2728	           natv2PoolRangeRowIndex         Unsigned32,
2729	           natv2PoolRangeBegin            InetAddress,
2730	           natv2PoolRangeEnd              InetAddress
2731	       }

2733	   natv2PoolRangeInstanceIndex OBJECT-TYPE
2734	       SYNTAX Natv2InstanceIndex
2735	       MAX-ACCESS not-accessible
2736	       STATUS current
2737	       DESCRIPTION
2738	           "Index of the NAT instance on which the address pool and this
2739	            address range are configured. See Natv2InstanceIndex."
2740	       ::= { natv2PoolRangeEntry 1 }

2742	   natv2PoolRangePoolIndex OBJECT-TYPE
2743	       SYNTAX Natv2PoolIndex
2744	       MAX-ACCESS not-accessible
2745	       STATUS current
2746	       DESCRIPTION
2747	           "Index of the address pool to which this address range
2748	            belongs. See Natv2PoolIndex."
2749	       ::= { natv2PoolRangeEntry 2 }

2751	   natv2PoolRangeRowIndex OBJECT-TYPE
2752	       SYNTAX Unsigned32
2753	       MAX-ACCESS not-accessible
2754	       STATUS current
2755	       DESCRIPTION
2756	           "Row index for successive range entries for the same
2757	            address pool."
2758	       ::= { natv2PoolRangeEntry 3 }

2760	   natv2PoolRangeBegin OBJECT-TYPE
2761	       SYNTAX InetAddress
2762	       MAX-ACCESS read-only
2763	       STATUS current
2764	       DESCRIPTION
2765	           "Lowest address included in this range. The type of address
2766	            (IPv4 or IPv6) is given by natv2PoolAddressType
2767	            in natv2PoolTable."
2768	       ::= { natv2PoolRangeEntry 4 }

2770	   natv2PoolRangeEnd OBJECT-TYPE
2771	       SYNTAX InetAddress
2772	       MAX-ACCESS read-only
2773	       STATUS current
2774	       DESCRIPTION
2775	           "Highest address included in this range. The type of address
2776	            (IPv4 or IPv6) is given by natv2PoolAddressType
2777	            in natv2PoolTable."

2779	       ::= { natv2PoolRangeEntry 5 }

2781	   -- indexed mapping tables

2783	   -- Address Map Table. Mapped from internal to external address.

2785	   natv2AddressMapTable OBJECT-TYPE
2786	       SYNTAX SEQUENCE OF Natv2AddressMapEntry
2787	       MAX-ACCESS not-accessible
2788	       STATUS current
2789	       DESCRIPTION
2790	           "Table of mappings from internal to external address. By
2791	            definition, this is a snapshot of NAT instance state at a
2792	            given moment. Indexed by NAT instance, internal realm, and
2793	            internal address in that realm. Provides the mapped external
2794	            address and, depending on implementation support, identifies
2795	            the address pool from which the external address and port
2796	            were taken and the index of the subscriber to which the
2797	            mapping has been allocated.

2799	            In the case of DS-Lite [RFC 6333], the indexing realm and
2800	            address are those of the IPv6 encapsulation rather than the
2801	            IPv4 inner packet."
2802	       REFERENCE
2803	           "RFC yyyy Section 3.3.8. DS-Lite: RFC 6333"
2804	       ::= { natv2MIBInstanceObjects 5 }

2806	   natv2AddressMapEntry OBJECT-TYPE
2807	       SYNTAX Natv2AddressMapEntry
2808	       MAX-ACCESS not-accessible
2809	       STATUS current
2810	       DESCRIPTION
2811	           "Mapping from internal to external address."
2812	       INDEX { natv2AddressMapInstanceIndex,
2813	               natv2AddressMapInternalRealm,
2814	               natv2AddressMapInternalAddressType,
2815	               natv2AddressMapInternalAddress,
2816	               natv2AddressMapRowIndex }
2817	       ::= { natv2AddressMapTable 1 }

2819	   Natv2AddressMapEntry ::=
2820	       SEQUENCE {
2821	           natv2AddressMapInstanceIndex       Natv2InstanceIndex,
2822	           natv2AddressMapInternalRealm       SnmpAdminString,
2823	           natv2AddressMapInternalAddressType  InetAddressType,
2824	           natv2AddressMapInternalAddress      InetAddress,
2825	           natv2AddressMapRowIndex            Unsigned32,
2826	           natv2AddressMapInternalMappedAddressType InetAddressType,
2827	           natv2AddressMapInternalMappedAddress     InetAddress,
2828	           natv2AddressMapExternalRealm       SnmpAdminString,
2829	           natv2AddressMapExternalAddressType InetAddressType,
2830	           natv2AddressMapExternalAddress     InetAddress,
2831	           natv2AddressMapExternalPoolIndex   Natv2PoolIndexOrZero,
2832	           natv2AddressMapSubscriberIndex     Natv2SubscriberIndexOrZero
2833	       }

2835	   natv2AddressMapInstanceIndex OBJECT-TYPE
2836	       SYNTAX Natv2InstanceIndex
2837	       MAX-ACCESS not-accessible
2838	       STATUS current
2839	       DESCRIPTION
2840	           "Index of the NAT instance that generated this address map."
2841	       ::= { natv2AddressMapEntry 1 }

2843	   natv2AddressMapInternalRealm OBJECT-TYPE
2844	       SYNTAX SnmpAdminString (SIZE(0..32))
2845	       MAX-ACCESS not-accessible
2846	       STATUS current
2847	       DESCRIPTION
2848	           "Realm to which the internal address belongs. In most cases
2849	            this is the realm defining the address space of the packet
2850	            being translated. However, in the case of DS-Lite [RFC
2851	            6333], this realm defines the IPv6 outer header address
2852	            space. It is the combination of that outer header and
2853	            the inner IPv4 packet header that is remapped to the
2854	            external address and realm. The corresponding IPv4 realm is
2855	            restricted in scope to the tunnel, so there is no point in
2856	            identifying it. The mapped IPv4 address will normally be the
2857	            well-known value 192.0.0.2, or at least lie in the reserved
2858	            192.0.0.0/29 range.

2860	            If natv2AddressMapSubscriberIndex in this table is a valid
2861	            subscriber index (i.e., greater than zero), then the value
2862	            of natv2AddressMapInternalRealm MUST be identical to the
2863	            value of natv2SubscriberRealm associated with that index."
2864	       REFERENCE
2865	           "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
2866	            Section 6.6 on the need to have the IPv6 tunnel address in
2867	            the NAT mapping tables."
2868	       ::= { natv2AddressMapEntry 2 }

2870	   natv2AddressMapInternalAddressType OBJECT-TYPE
2871	       SYNTAX InetAddressType
2872	       MAX-ACCESS not-accessible
2873	       STATUS current
2874	       DESCRIPTION
2875	           "Address type in the header of packets on the
2876	            interior side of this mapping. Any value other than ipv4(1)
2877	            or ipv6(2) would be unexpected.

2879	            In the DS-Lite case, the address type is ipv6(2)."
2880	       REFERENCE
2881	           "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
2882	            Section 6.6 on the need to have the IPv6 tunnel source
2883	            address in the NAT mapping tables."
2884	       ::= { natv2AddressMapEntry 3 }

2886	   natv2AddressMapInternalAddress OBJECT-TYPE
2887	       SYNTAX InetAddress
2888	       MAX-ACCESS not-accessible
2889	       STATUS current
2890	       DESCRIPTION
2891	           "Source address of packets originating from the interior
2892	            of the association provided by this mapping.

2894	            In the case of DS-Lite [RFC 6333], this is the IPv6 tunnel
2895	            source address.  The mapping in this case is considered to
2896	            be from the combination of the IPv6 tunnel source address
2897	            natv2AddressMapInternalRealmAddress and the well-known IPv4
2898	            inner source address natv2AddressMapInternalMappedAddress to
2899	            the external address."
2900	       REFERENCE
2901	           "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
2902	            Section 6.6 on the need to have the IPv6 tunnel address in
2903	            the NAT mapping tables."
2904	       ::= { natv2AddressMapEntry 4 }

2906	   natv2AddressMapRowIndex OBJECT-TYPE
2907	       SYNTAX Unsigned32
2908	       MAX-ACCESS not-accessible
2909	       STATUS current
2910	       DESCRIPTION
2911	           "Index of a conceptual row corresponding to a mapping of the
2912	            given internal realm and address to a single external realm
2913	            and address. Multiple rows will be present because of a
2914	            promiscuous external address selection policy, policies
2915	            associating the same internal address with different address
2916	            pools, or because the same internal realm-address
2917	            combination is communicating with multiple external address
2918	            realms."
2919	       ::= { natv2AddressMapEntry 5 }

2921	   natv2AddressMapInternalMappedAddressType OBJECT-TYPE
2922	       SYNTAX InetAddressType
2923	       MAX-ACCESS read-only
2924	       STATUS current
2925	       DESCRIPTION
2926	           "Internal address type actually translated by this mapping.
2927	            Any value other than ipv4(1) or ipv6(2) would be unexpected.
2928	            In the general case, this is the same as given by
2929	            natv2AddressMapInternalRealmAddressType. In the
2930	            tunneled case it is the address type used in the
2931	            encapsulated packet header. In particular, in the DS-Lite
2932	            case, the mapped address type is ipv4(1)."
2933	       REFERENCE
2934	           "DS-Lite: RFC 6333."
2935	       ::= { natv2AddressMapEntry 6 }

2937	   natv2AddressMapInternalMappedAddress OBJECT-TYPE
2938	       SYNTAX InetAddress
2939	       MAX-ACCESS read-only
2940	       STATUS current
2941	       DESCRIPTION
2942	           "Internal address actually translated by this mapping. In the
2943	            general case, this is the same as
2944	            natv2AddressMapInternalRealmAddress. In the case of DS-Lite
2945	            [RFC 6333], this is the source address of the encapsulated
2946	            IPv4 packet, normally lying the well-known range
2947	            192.0.0.0/29. The mapping in this case is considered to be
2948	            from the combination of the IPv6 tunnel source address
2949	            natv2AddressMapInternalRealmAddress and the well-known IPv4
2950	            inner source address natv2AddressMapInternalMappedAddress to
2951	            the external address."
2952	       REFERENCE
2953	           "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
2954	            Section 6.6 on the need to have the IPv6 tunnel address in
2955	            the NAT mapping tables."
2956	       ::= { natv2AddressMapEntry 7 }

2958	   natv2AddressMapExternalRealm OBJECT-TYPE
2959	       SYNTAX SnmpAdminString (SIZE(0..32))
2960	       MAX-ACCESS read-only
2961	       STATUS current
2962	       DESCRIPTION
2963	           "External address realm to which this mapping maps the
2964	            internal address. This can be the same as the internal realm
2965	            in the case of a 'hairpin' connection, but otherwise will be
2966	            different."
2967	       ::= { natv2AddressMapEntry 8 }

2969	   natv2AddressMapExternalAddressType OBJECT-TYPE
2970	       SYNTAX InetAddressType
2971	       MAX-ACCESS read-only
2972	       STATUS current
2973	       DESCRIPTION
2974	           "Address type for the external realm. Any value other than
2975	            ipv4(1) or ipv6(2) would be unexpected."
2976	       ::= { natv2AddressMapEntry 9 }

2978	   natv2AddressMapExternalAddress OBJECT-TYPE
2979	       SYNTAX InetAddress
2980	       MAX-ACCESS read-only
2981	       STATUS current
2982	       DESCRIPTION
2983	           "External address to which the internal address is mapped.

2985	            In the DS-Lite case, the mapping is from the combination of
2986	            the internal IPv6 tunnel source address as presented in this
2987	            table and the well-known IPv4 source address of the
2988	            encapsulated IPv4 packet."
2989	       REFERENCE
2990	           "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
2991	            Section 6.6 on the need to have the IPv6 tunnel address in
2992	            the NAT mapping tables."
2993	       ::= { natv2AddressMapEntry 10 }

2995	   natv2AddressMapExternalPoolIndex OBJECT-TYPE
2996	       SYNTAX Natv2PoolIndexOrZero
2997	       MAX-ACCESS read-only
2998	       STATUS current
2999	       DESCRIPTION
3000	           "Index of the address pool in the external realm from which
3001	            the mapped external address given in
3002	            natv2AddressMapExternalAddress was taken. Zero if the
3003	            implementation does not support address pools but has chosen
3004	            to support this object, or if no pool was configured for the
3005	            given external realm."
3006	       ::= { natv2AddressMapEntry 11 }

3008	   natv2AddressMapSubscriberIndex OBJECT-TYPE
3009	       SYNTAX Natv2SubscriberIndexOrZero
3010	       MAX-ACCESS read-only
3011	       STATUS current
3012	       DESCRIPTION
3013	           "Index of the subscriber to which this address mapping
3014	            applies, or zero if no subscribers are configured on
3015	            this NAT instance."
3016	       ::= { natv2AddressMapEntry 12 }

3018	   -- natv2PortMapTable

3020	   natv2PortMapTable OBJECT-TYPE
3021	       SYNTAX SEQUENCE OF Natv2PortMapEntry
3022	       MAX-ACCESS not-accessible
3023	       STATUS current
3024	       DESCRIPTION
3025	           "Table of port map entries indexed by NAT instance, protocol,
3026	            and external realm and address. A port map entry associates
3027	            an internal upper layer protocol endpoint with an endpoint
3028	            for the same protocol in the given external realm. By
3029	            definition, this is a snapshot of NAT instance state at a
3030	            given moment. The table provides the basic mapping
3031	            information.

3033	            In the case of DS-Lite [RFC 6333], the table provides the
3034	            internal IPv6 tunnel source address in
3035	            natv2PortMapInternalRealmAddress and the IPv4 source address
3036	            of the encapsulated packet that is actually translated in
3037	            natv2PortMapInternalMappedAddress. In the general (non-DS-
3038	            Lite) case, those two objects will have the same value."
3039	       REFERENCE
3040	           "RFC yyyy Section 3.3.9. DS-Lite: RFC 6333, Section 5.7 for
3041	            well-known addresses and Section 6.6 on the need to have the
3042	            IPv6 tunnel address in the NAT mapping tables."
3043	       ::= { natv2MIBInstanceObjects 6 }

3045	   natv2PortMapEntry OBJECT-TYPE
3046	       SYNTAX Natv2PortMapEntry
3047	       MAX-ACCESS not-accessible
3048	       STATUS current
3049	       DESCRIPTION
3050	           "A single NAT mapping."
3051	       INDEX { natv2PortMapInstanceIndex,
3052	               natv2PortMapProtocol,
3053	               natv2PortMapExternalRealm,
3054	               natv2PortMapExternalAddressType,
3055	               natv2PortMapExternalAddress,
3056	               natv2PortMapExternalPort }
3057	       ::= { natv2PortMapTable 1 }

3059	   Natv2PortMapEntry ::=
3060	       SEQUENCE {
3061	           natv2PortMapInstanceIndex        Natv2InstanceIndex,
3062	           natv2PortMapProtocol             ProtocolNumber,
3063	           natv2PortMapExternalRealm        SnmpAdminString,
3064	           natv2PortMapExternalAddressType  InetAddressType,
3065	           natv2PortMapExternalAddress      InetAddress,
3066	           natv2PortMapExternalPort         InetPortNumber,
3067	           natv2PortMapInternalRealm        SnmpAdminString,
3068	           natv2PortMapInternalAddressType  InetAddressType,
3069	           natv2PortMapInternalAddress      InetAddress,
3070	           natv2PortMapInternalMappedAddressType InetAddressType,
3071	           natv2PortMapInternalMappedAddress     InetAddress,
3072	           natv2PortMapInternalPort         InetPortNumber,
3073	           natv2PortMapExternalPoolIndex    Natv2PoolIndexOrZero,
3074	           natv2PortMapSubscriberIndex      Natv2SubscriberIndexOrZero
3075	       }

3077	   natv2PortMapInstanceIndex OBJECT-TYPE
3078	       SYNTAX Natv2InstanceIndex
3079	       MAX-ACCESS not-accessible
3080	       STATUS current
3081	       DESCRIPTION
3082	           "Index of the NAT instance that created this port map entry."
3083	       ::= { natv2PortMapEntry 1 }

3085	   natv2PortMapProtocol OBJECT-TYPE
3086	       SYNTAX ProtocolNumber
3087	       MAX-ACCESS not-accessible
3088	       STATUS current
3089	       DESCRIPTION
3090	           "The map entry's upper layer protocol number."
3091	       ::= { natv2PortMapEntry 2 }

3093	   natv2PortMapExternalRealm OBJECT-TYPE
3094	       SYNTAX SnmpAdminString (SIZE(0..32))
3095	       MAX-ACCESS not-accessible
3096	       STATUS current
3097	       DESCRIPTION
3098	           "The realm to which natv2PortMapExternalAddress belongs."
3099	       ::= { natv2PortMapEntry 3 }

3101	   natv2PortMapExternalAddressType OBJECT-TYPE
3102	       SYNTAX InetAddressType
3103	       MAX-ACCESS not-accessible
3104	       STATUS current
3105	       DESCRIPTION
3106	           "Address type for the external realm. A value other
3107	            than ipv4(1) or ipv6(2) would be unexpected."
3108	       ::= { natv2PortMapEntry 4 }

3110	   natv2PortMapExternalAddress OBJECT-TYPE
3111	       SYNTAX InetAddress
3112	       MAX-ACCESS not-accessible
3113	       STATUS current
3114	       DESCRIPTION
3115	           "The mapping's assigned external address. (This address is
3116	            taken from the address pool identified by
3117	            natv2PortMapExternalPoolIndex, if the implementation
3118	            supports address pools and pools are configured for the
3119	            given external realm.) This is the source address for
3120	            translated outgoing packets."

3122	       ::= { natv2PortMapEntry 5 }

3124	   natv2PortMapExternalPort OBJECT-TYPE
3125	       SYNTAX InetPortNumber
3126	       MAX-ACCESS not-accessible
3127	       STATUS current
3128	       DESCRIPTION
3129	           "The mapping's assigned external port number. This is the
3130	            source port for translated outgoing packets. If the internal
3131	            port number given by natv2PortMapInternalPort is zero this
3132	            value MUST also be zero. Otherwise this MUST be a non-zero
3133	            value."
3134	       ::= { natv2PortMapEntry 6 }

3136	   natv2PortMapInternalRealm OBJECT-TYPE
3137	       SYNTAX SnmpAdminString (SIZE(0..32))
3138	       MAX-ACCESS read-only
3139	       STATUS current
3140	       DESCRIPTION
3141	           "The realm to which natv2PortMapInternalRealmAddress belongs.
3142	            In the general case, this realm contains the address that is
3143	            being translated. In the DS-Lite [RFC 6333] case, this realm
3144	            defines the IPv6 address space from which the tunnel source
3145	            address is taken. The realm of the encapsulated IPv4 address
3146	            is restricted in scope to the tunnel, so there is no point
3147	            in identifying it separately."
3148	       REFERENCE
3149	           "RFC 6333 DS-Lite."
3150	       ::= { natv2PortMapEntry 7 }

3152	   natv2PortMapInternalAddressType OBJECT-TYPE
3153	       SYNTAX InetAddressType
3154	       MAX-ACCESS read-only
3155	       STATUS current
3156	       DESCRIPTION
3157	           "Address type for addresses in the realm identified by
3158	            natv2PortMapInternalRealm."
3159	       ::= { natv2PortMapEntry 8 }

3161	   natv2PortMapInternalAddress OBJECT-TYPE
3162	       SYNTAX InetAddress
3163	       MAX-ACCESS read-only
3164	       STATUS current
3165	       DESCRIPTION
3166	           "Source address for packets received under this mapping on
3167	            the internal side of the NAT instance. In the general case
3168	            this address is the same as the address given in
3169	            natv2PortMapInternalMappedAddress. In the DS-Lite case,
3170	            natv2PortMapInternalAddress is the IPv6 tunnel source
3171	            address."
3172	       REFERENCE
3173	           "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
3174	            Section 6.6 on the need to have the IPv6 tunnel address in
3175	            the NAT mapping tables."
3176	       ::= { natv2PortMapEntry 9 }

3178	   natv2PortMapInternalMappedAddressType OBJECT-TYPE
3179	       SYNTAX InetAddressType
3180	       MAX-ACCESS read-only
3181	       STATUS current
3182	       DESCRIPTION
3183	           "Internal address type actually translated by this mapping.
3184	            Any value other than ipv4(1) or ipv6(2) would be unexpected.
3185	            In the general case, this is the same as given by
3186	            natv2AddressMapInternalAddressType. In the DS-Lite
3187	            case, the address type is ipv4(1)."
3188	       REFERENCE
3189	           "DS-Lite: RFC 6333."
3190	      ::= { natv2PortMapEntry 10 }

3192	   natv2PortMapInternalMappedAddress OBJECT-TYPE
3193	       SYNTAX InetAddress
3194	       MAX-ACCESS read-only
3195	       STATUS current
3196	       DESCRIPTION
3197	           "Internal address actually translated by this mapping. In the
3198	            general case, this is the same as
3199	            natv2PortMapInternalRealmAddress. In the case of DS-Lite
3200	            [RFC 6333], this is the source address of the encapsulated
3201	            IPv4 packet, normally selected from the well-known range
3202	            192.0.0.0/29. The mapping in this case is considered to be
3203	            from the external address to the combination of the IPv6
3204	            tunnel source address natv2PortMapInternalRealmAddress and
3205	            the well-known IPv4 inner source address
3206	            natv2PortMapInternalMappedAddress."
3207	       REFERENCE
3208	           "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
3209	            Section 6.6 on the need to have the IPv6 tunnel address in
3210	            the NAT mapping tables."
3211	       ::= { natv2PortMapEntry 11 }

3213	   natv2PortMapInternalPort OBJECT-TYPE
3214	       SYNTAX InetPortNumber
3215	       MAX-ACCESS read-only
3216	       STATUS current
3217	       DESCRIPTION
3218	           "The mapping's internal port number. If this is zero, ports
3219	            are not translated (i.e., the NAT instance is a pure NAT
3220	            rather than a NAPT)."
3221	       ::= { natv2PortMapEntry 12 }

3223	   natv2PortMapExternalPoolIndex OBJECT-TYPE
3224	       SYNTAX Natv2PoolIndexOrZero
3225	       MAX-ACCESS read-only
3226	       STATUS current
3227	       DESCRIPTION
3228	           "Identifies the address pool from which the external address
3229	            in this port map entry was taken. Zero if the implementation
3230	            does not support address pools but has chosen to support
3231	            this object, or if no pools are configured for the given
3232	            external realm."
3233	       ::= { natv2PortMapEntry 13 }

3235	   natv2PortMapSubscriberIndex OBJECT-TYPE
3236	       SYNTAX Natv2SubscriberIndexOrZero
3237	       MAX-ACCESS read-only
3238	       STATUS current
3239	       DESCRIPTION
3240	           "Subscriber using this map entry. Zero if the implementation
3241	            does not support subscribers but has chosen to support
3242	            this object."
3243	       ::= { natv2PortMapEntry 14 }

3245	   -- Conformance section. Specifies three cumulatively more extensive
3246	   -- applications: basic NAT, pooled NAT, and carrier grade NAT

3248	   natv2MIBConformance OBJECT IDENTIFIER ::= { natv2MIB 3 }

3250	   natv2MIBCompliances OBJECT IDENTIFIER ::= { natv2MIBConformance 1 }
3251	   natv2MIBGroups      OBJECT IDENTIFIER ::= { natv2MIBConformance 2 }

3253	   natv2MIBBasicCompliance MODULE-COMPLIANCE
3254	       STATUS current
3255	       DESCRIPTION
3256	           "Describes the requirements for conformance to the basic NAT
3257	            application of NATv2 MIB."
3258	       MODULE  -- this module
3259	           MANDATORY-GROUPS { natv2BasicNotificationGroup,
3260	                              natv2BasicInstanceLevelGroup
3261	                            }
3262	           GROUP  natv2BasicNotificationGroup
3263	           DESCRIPTION
3264	               "The natv2BasicNotificationGroup is mandatory for all
3265	                NAT applications."
3266	           GROUP  natv2BasicInstanceLevelGroup
3267	           DESCRIPTION
3268	               "The natv2BasicInstanceLevelGroup is mandatory for all
3269	                NAT applications."
3270	       ::= { natv2MIBCompliances 1 }

3272	   natv2MIBPooledNATCompliance MODULE-COMPLIANCE
3273	       STATUS current
3274	       DESCRIPTION
3275	           "Describes the requirements for conformance to the pooled NAT
3276	            application of NATv2-MIB."
3277	       MODULE  -- this module
3278	           MANDATORY-GROUPS { natv2BasicNotificationGroup,
3279	                              natv2BasicInstanceLevelGroup,
3280	                              natv2PooledNotificationGroup,
3281	                              natv2PooledInstanceLevelGroup
3282	                            }
3283	           GROUP  natv2BasicNotificationGroup
3284	           DESCRIPTION
3285	               "The natv2BasicNotificationGroup is mandatory for all
3286	                NAT applications."
3287	           GROUP  natv2BasicInstanceLevelGroup
3288	           DESCRIPTION
3289	               "The natv2BasicInstanceLevelGroup is mandatory for all
3290	                NAT applications."
3291	           GROUP  natv2PooledNotificationGroup
3292	           DESCRIPTION
3293	               "The natv2PooledNotificationGroup is mandatory for
3294	                the pooled and CGN applications."
3295	           GROUP  natv2PooledInstanceLevelGroup
3296	           DESCRIPTION
3297	               "The natv2PooledInstanceLevelGroup is mandatory for
3298	                the pooled and CGN applications."
3299	       ::= { natv2MIBCompliances 2 }

3301	   natv2MIBCGNCompliance MODULE-COMPLIANCE
3302	       STATUS current
3303	       DESCRIPTION
3304	           "Describes the requirements for conformance to the
3305	            carrier grade NAT application of NATv2-MIB."
3306	       MODULE  -- this module
3307	           MANDATORY-GROUPS { natv2BasicNotificationGroup,
3308	                              natv2BasicInstanceLevelGroup,
3309	                              natv2PooledNotificationGroup,
3310	                              natv2PooledInstanceLevelGroup,
3311	                              natv2CGNNotificationGroup,
3312	                              natv2CGNDeviceLevelGroup,
3313	                              natv2CGNInstanceLevelGroup
3314	                            }
3315	           GROUP  natv2BasicNotificationGroup
3316	           DESCRIPTION
3317	               "The natv2BasicNotificationGroup is mandatory for all
3318	                NAT applications."
3319	           GROUP  natv2BasicInstanceLevelGroup
3320	           DESCRIPTION
3321	               "The natv2BasicInstanceLevelGroup is mandatory for all
3322	                NAT applications."
3323	           GROUP  natv2PooledNotificationGroup
3324	           DESCRIPTION
3325	               "The natv2PooledNotificationGroup is mandatory for
3326	                the pooled and CGN applications."
3327	           GROUP  natv2PooledInstanceLevelGroup
3328	           DESCRIPTION
3329	               "The natv2PooledInstanceLevelGroup is mandatory for
3330	                the pooled and CGN applications."
3331	           GROUP  natv2CGNNotificationGroup
3332	           DESCRIPTION
3333	               "The natv2CGNNotificationGroup is mandatory
3334	                for the carrier grade NAT application."
3335	           GROUP  natv2CGNDeviceLevelGroup
3336	           DESCRIPTION
3337	               "The natv2CGNDeviceLevelGroup is mandatory
3338	                for the carrier grade NAT application."
3339	           GROUP  natv2CGNInstanceLevelGroup
3340	           DESCRIPTION
3341	               "The natv2CGNInstanceLevelGroup is mandatory
3342	                for the carrier grade NAT application."
3343	       ::= { natv2MIBCompliances 3 }

3345	   -- Groups

3347	   natv2BasicNotificationGroup NOTIFICATION-GROUP
3348	       NOTIFICATIONS {
3349	            natv2NotificationInstanceAddressMapEntriesHigh,
3350	            natv2NotificationInstancePortMapEntriesHigh

3352	       }
3353	       STATUS  current
3354	       DESCRIPTION
3355	           "Notifications that MUST be supported by all NAT
3356	            applications."
3357	       ::= { natv2MIBGroups 1 }

3359	   natv2BasicInstanceLevelGroup OBJECT-GROUP
3360	       OBJECTS {
3361	   -- from natv2InstanceTable
3362	                 natv2InstanceAlias,
3363	                 natv2InstancePortMappingBehavior,
3364	                 natv2InstanceFilteringBehavior,
3365	                 natv2InstanceFragmentBehavior,
3366	                 natv2InstanceAddressMapEntries,
3367	                 natv2InstancePortMapEntries,
3368	                 natv2InstanceTranslations,
3369	                 natv2InstanceAddressMapCreations,
3370	                 natv2InstanceAddressMapEntryLimitDrops,
3371	                 natv2InstanceAddressMapFailureDrops,
3372	                 natv2InstancePortMapCreations,
3373	                 natv2InstancePortMapEntryLimitDrops,
3374	                 natv2InstancePortMapFailureDrops,
3375	                 natv2InstanceFragmentDrops,
3376	                 natv2InstanceOtherResourceFailureDrops,
3377	                 natv2InstanceDiscontinuityTime,
3378	                 natv2InstanceThresholdAddressMapEntriesHigh,
3379	                 natv2InstanceThresholdPortMapEntriesHigh,
3380	                 natv2InstanceNotificationInterval,
3381	                 natv2InstanceLimitAddressMapEntries,
3382	                 natv2InstanceLimitPortMapEntries,
3383	                 natv2InstanceLimitPendingFragments,
3384	   -- from natv2ProtocolTable
3385	                 natv2ProtocolPortMapEntries,
3386	                 natv2ProtocolTranslations,
3387	                 natv2ProtocolPortMapCreations,
3388	                 natv2ProtocolPortMapFailureDrops,
3389	   -- from natv2AddressMapTable
3390	                 natv2AddressMapExternalRealm,
3391	                 natv2AddressMapExternalAddressType,
3392	                 natv2AddressMapExternalAddress,
3393	   -- from natv2PortMapTable
3394	                 natv2PortMapInternalRealm,
3395	                 natv2PortMapInternalAddressType,
3396	                 natv2PortMapInternalAddress,
3397	                 natv2PortMapInternalPort
3398	               }
3399	       STATUS current
3400	       DESCRIPTION
3401	           "Per-instance objects that MUST be supported by
3402	            implementations of all NAT applications."
3403	       ::= { natv2MIBGroups 2 }

3405	   natv2PooledNotificationGroup NOTIFICATION-GROUP
3406	       NOTIFICATIONS {
3407	            natv2NotificationPoolUsageLow,
3408	            natv2NotificationPoolUsageHigh
3409	                     }
3410	       STATUS  current
3411	       DESCRIPTION
3412	           "Notifications that MUST be supported by pooled and
3413	            carrier-grade NAT applications."
3414	       ::= { natv2MIBGroups 3 }

3416	   natv2PooledInstanceLevelGroup OBJECT-GROUP
3417	       OBJECTS {
3418	   -- from natv2InstanceTable
3419	                       natv2InstancePoolingBehavior,
3420	   -- from natv2PoolTable
3421	                       natv2PoolRealm,
3422	                       natv2PoolAddressType,
3423	                       natv2PoolMinimumPort,
3424	                       natv2PoolMaximumPort,
3425	                       natv2PoolAddressMapEntries,
3426	                       natv2PoolPortMapEntries,
3427	                       natv2PoolAddressMapCreations,
3428	                       natv2PoolPortMapCreations,
3429	                       natv2PoolAddressMapFailureDrops,
3430	                       natv2PoolPortMapFailureDrops,
3431	                       natv2PoolDiscontinuityTime,
3432	                       natv2PoolThresholdUsageLow,
3433	                       natv2PoolThresholdUsageHigh,
3434	                       natv2PoolNotifiedPortMapEntries,
3435	                       natv2PoolNotifiedPortMapProtocol,
3436	                       natv2PoolNotificationInterval,
3437	   -- from natv2PoolRangeTable
3438	                       natv2PoolRangeBegin,
3439	                       natv2PoolRangeEnd,
3440	   -- from natv2AddressMapTable
3441	                       natv2AddressMapExternalPoolIndex,
3442	   -- from natv2PortMapTable
3443	                       natv2PortMapExternalPoolIndex
3444	               }
3445	       STATUS current
3446	       DESCRIPTION
3447	           "Per-instance objects that MUST be supported by
3448	            implementations of the pooled and carrier grade
3449	            NAT applications."
3450	       ::= { natv2MIBGroups 4 }

3452	   natv2CGNNotificationGroup NOTIFICATION-GROUP
3453	       NOTIFICATIONS {
3454	            natv2NotificationSubscriberPortMappingEntriesHigh
3455	       }
3456	       STATUS  current
3457	       DESCRIPTION
3458	           "Notification that MUST be supported by implementations
3459	            of the carrier grade NAT application."
3460	       ::= { natv2MIBGroups 5 }

3462	   natv2CGNDeviceLevelGroup OBJECT-GROUP
3463	       OBJECTS {
3464	   -- from table natv2SubscriberTable
3465	                 natv2SubscriberInternalRealm,
3466	                 natv2SubscriberInternalPrefixType,
3467	                 natv2SubscriberInternalPrefix,
3468	                 natv2SubscriberInternalPrefixLength,
3469	                 natv2SubscriberAddressMapEntries,
3470	                 natv2SubscriberPortMapEntries,
3471	                 natv2SubscriberTranslations,
3472	                 natv2SubscriberAddressMapCreations,
3473	                 natv2SubscriberPortMapCreations,
3474	                 natv2SubscriberAddressMapFailureDrops,
3475	                 natv2SubscriberPortMapFailureDrops,
3476	                 natv2SubscriberDiscontinuityTime,
3477	                 natv2SubscriberLimitPortMapEntries,
3478	                 natv2SubscriberThresholdPortMapEntriesHigh,
3479	                 natv2SubscriberNotificationInterval
3480	               }
3481	       STATUS current
3482	       DESCRIPTION
3483	           "Device-level objects that MUST be supported by the
3484	            carrier-grade NAT application."
3485	       ::= { natv2MIBGroups 6 }

3487	   natv2CGNInstanceLevelGroup OBJECT-GROUP
3488	       OBJECTS {
3489	      -- from natv2InstanceTable
3490	                 natv2InstanceSubscriberActiveLimitDrops,
3491	                 natv2InstanceLimitSubscriberActives,
3492	      -- from natv2AddressMapTable
3493	                 natv2AddressMapInternalMappedAddressType,
3494	                 natv2AddressMapInternalMappedAddress,
3495	                 natv2AddressMapSubscriberIndex,

3497	      -- from natv2PortMapTable
3498	                 natv2PortMapInternalMappedAddressType,
3499	                 natv2PortMapInternalMappedAddress,
3500	                 natv2PortMapSubscriberIndex
3501	               }
3502	       STATUS current
3503	       DESCRIPTION
3504	           "Per-instance objects that MUST be supported by the
3505	            carrier grade NAT application."
3506	       ::= { natv2MIBGroups 7 }

3508	   END

3510	5.  Operational and Management Considerations

3512	   This section covers two particular areas of operations and
3513	   management: configuration requirements, and transition from or
3514	   coexistence with the [RFC4008] MIB module.

3516	5.1.  Configuration Requirements

3518	   This MIB module assumes that the following information is configured
3519	   on the NAT device by means outside the scope of the present document
3520	   or is imposed by the implementation:

3522	   o  the set of address realms to which the device connects;

3524	   o  For the CGN application, per-subscriber information including
3525	      subscriber index, address realm, assigned prefix or address, and
3526	      (possibly) policies regarding address pool selection in the
3527	      various possible address realms to which the subscriber may
3528	      connect.  In the particular case of DS-Lite [RFC6333] access, as
3529	      well as the assigned outer layer (IPv6) prefix or address, the
3530	      subscriber information will include an inner (IPv4) source
3531	      address, usually 192.0.0.2.

3533	   o  the set of NAT instances running on the device, identified by NAT
3534	      instance index and name;

3536	   o  the port mapping, filtering, pooling, and fragment behavior for
3537	      each NAT instance;

3539	   o  the set of protocols supported by each NAT instance;

3541	   o  for the pooled NAT and CGN applications, address pool information
3542	      for each NAT instance, including for each pool the pool index,
3543	      address realm, address type, minimum and maximum port number, the
3544	      address ranges assigned to that pool, and policies for access to
3545	      that pool's resources;

3547	   o  static address and port map entries.

3549	   As described in previous sections, this MIB module does provide read-
3550	   write objects for control of notifications (see especially
3551	   Section 3.1.2) and limiting of resource consumption (Section 3.1.1).
3552	   This document is written in advance of any practical experience with
3553	   the setting of these values, and can thus provide only general
3554	   principles for how to set them.

3556	   By default, the MIB module definition disables notifications until
3557	   they are explicitly enabled by the operator, using the associated
3558	   threshold value to do so.  To make use of the notifications, the
3559	   operator may wish to take the following considerations into account.

3561	   Except for the low address pool utilization notification, the
3562	   notifications imply that some sort of administrative action is
3563	   required to mitigate an impending shortage of a particular resource.
3564	   The choice of value for the triggering threshold needs to take two
3565	   factors into account: the volatility of usage of the given resource,
3566	   and the amount of time the operator needs to mitigate the potential
3567	   overload situation.  That time could vary from almost immediate to
3568	   several weeks required to order and install new hardware or software.

3570	   To give a numeric example, if average utilization is going up 1% per
3571	   week but can vary 10% around that average in any given hour, and it
3572	   takes two weeks to carry through mitigating measures, the threshold
3573	   should be set to 88% of the corresponding limit (two weeks' growth
3574	   plus 10% volatility margin).  If mitigating measures can be carried
3575	   out immediately, this can rise to 90%. For this particular example
3576	   that change is insignificant, but in other cases the difference may
3577	   be large enough to matter in terms of reduced load on the management
3578	   plane.

3580	   The notification rate limit settings really depend on the operator's
3581	   processes, but are a tradeoff between reliably reporting the notified
3582	   condition and not having it overload the management plane.
3583	   Reliability rises in importance with the importance of the resource
3584	   involved.  Thus the default notification intervals defined in this
3585	   MIB module range from 10 seconds (high reliability) for the address
3586	   and port map entry thresholds up to 60 seconds (lower reliability)
3587	   for the per-subscriber port entry thresholds.  Experience may suggest
3588	   better values.

3590	   The limits on number of instance-level address map and port map
3591	   entries and held fragments relate directly to memory allocations for
3592	   these tables.  The relationship between number of map entries or
3593	   number of held fragments and memory required will be implementation-
3594	   specific.  Hence it is up to the implementor to provide specific
3595	   advice on the setting of these limits.

3597	   The limit on simultaneous number of active subscribers is indirectly
3598	   related to memory consumption for map entries, but also to processor
3599	   usage by the NAT instance.  The best strategy for setting this limit
3600	   would seem to be to leave it disabled during an initial period while
3601	   observing device processor utilization, then to implement a trial
3602	   setting while observing the number of blocked packets affected by the
3603	   new limit.  The setting may vary by NAT instance if a suitable
3604	   estimator of likely load (e.g., total number of hosts served by that
3605	   instance) is available.

3607	5.2.  Transition From and Coexistence With NAT-MIB [RFC 4008]

3609	   A manager may have to deal with a mixture of devices supporting the
3610	   NAT-MIB module [RFC4008] and the NATV2-MIB module defined in the
3611	   present document.  It is even possible that both modules are
3612	   supported on the same device.  The following discussion brings out
3613	   the limits of comparability between the two MIB modules.  A first
3614	   point to note is that NAT-MIB is primarily focussed on configuration,
3615	   while NATV2-MIB is primarily focussed on measurements.

3617	   To summarize the model used by [RFC4008]:

3619	   o  The basic unit of NAT configuration is the interface.

3621	   o  An interface connects to a single realm, either "private", or
3622	      "public".  In principle that means there could be multiple
3623	      instances of one type of realm or the other, but the number is
3624	      physically limited by the number of interfaces on the NAT device.

3626	   o  Before the NAT can operate on a given interface, an "address map"
3627	      has to be configured on it.  The [RFC4008] address map is
3628	      equivalent to the pool tables in the present document.  Since just
3629	      one "address map" is configured per interface, this is the
3630	      equivalent of a single address pool per interface.

3632	   o  The address binding and port binding tables are roughly equivalent
3633	      to the address map and port map tables in the present document in
3634	      their content, but can be either uni- directional or
3635	      bidirectional.  The [RFC4008] model shows the address binding and
3636	      port binding as alternative precursors to session establishment,
3637	      depending on whether the device does address translation only or
3638	      address and port translation.  In contrast, NATV2-MIB assumes a
3639	      model where bidirectional port mappings are based on bidirectional
3640	      address mappings that have conceptually been established
3641	      beforehand.

3643	   o  The equivalent to an [RFC4008] session in NATV2-MIB would be a
3644	      pair of port map entries.  The added complexity in [RFC4008] is
3645	      due to the modelling of NAT service types as defined in [RFC3489]
3646	      (the symmetric NAT in particular) instead of the more granular set
3647	      of behaviors described in [RFC4787].

3649	   With regard to that last point, the mapping between [RFC3489] service
3650	   types and [RFC4787] NAT behaviours is as follows:

3652	   o  A full cone NAT exhibits endpoint-independent port mapping
3653	      behavior and endpoint-independent filtering behavior.

3655	   o  A restricted cone NAT exhibits endpoint-independent port mapping
3656	      behavior, but address-dependent filtering behavior.

3658	   o  A port restricted cone NAT exhibits endpoint-independent port
3659	      mapping behavior, but address-and-port-dependent filtering
3660	      behavior.

3662	   o  A symmetric NAT exhibits address-and-port-dependent port mapping
3663	      and filtering behaviors.

3665	   Note that these NAT types are a subset of the types that could be
3666	   configured according to the [RFC4787] behavioral classification used
3667	   in NATV2-MIB, but they include the two possibilities (full and
3668	   restricted cone NAT) that satisfy requirements REQ-1 and REQ-8 of
3669	   [RFC4787].  Note further that other behaviors defined in [RFC4787]
3670	   are not considered in [RFC4008].

3672	   Having established a context for discussion, we are now in a position
3673	   to compare the outputs provided to management from the [RFC4008] and
3674	   NATV2-MIB modules.  This comparison relates to the ability to compare
3675	   results if testing with both MIBs implemented on the same device
3676	   during a transition period.

3678	   [RFC4008] provides three counters: incoming translations, outgoing
3679	   translations, and discarded packets, at the granularities of
3680	   interface, address map, and protocol, and incoming and outgoing
3681	   translations at the levels of individual address bind, address port
3682	   bind, and session entries.  Implementation at the protocol and
3683	   address map levels is optional.  NATV2-MIB provides a single total
3684	   (both directions) translations counter at the instance, protocol
3685	   within instance, and subscriber levels.  Given the differences in
3686	   granularity, it appears that the only comparable measurement of
3687	   translations between the two MIB modules would be through aggregation
3688	   of the [RFC4008] interface counters to give a total number of
3689	   translations for the NAT instance.

3691	   NATV2-MIB has broken out the single discard counter into a number of
3692	   different counters reflecting the cause of the discard in more
3693	   detail, to help in trouble-shooting.  Again, with the differing
3694	   levels of granularity, the only comparable statistic would be through
3695	   aggregation to a single value of total discards per NAT instance.

3697	   Moving on to state variables, [RFC4008] offers counts of number of
3698	   "address map" (i.e., address pool) entries used (excluding static
3699	   entries) at the address map level, and number of entries in the
3700	   address bind and address and port bind tables respectively.  Finally,
3701	   [RFC4008] provides a count of the number of sessions currently using
3702	   each entry in the address and port bind table.  None of these counts
3703	   are directly comparable with the state values offered by NATV2-MIB,
3704	   because of the exclusion of static entries at the address map level,
3705	   and because of the differing models of the translation tables between
3706	   [RFC4008] and the NATV2=MIB.

3708	6.  Security Considerations

3710	   A number of management objects defined in this MIB module have a MAX-
3711	   ACCESS clause of read-write.  Such objects may be considered
3712	   sensitive or vulnerable in some network environments.  The support
3713	   for SET operations in a non-secure environment without proper
3714	   protection can have a negative effect on network operations.  These
3715	   are the tables and objects and their sensitivity/vulnerability:

3717	   Limits:  An attacker setting a very low or very high limit can easily
3718	      cause a denial-of-service situation.

3720	      *  natv2InstanceLimitAddressMapEntries;

3722	      *  natv2InstanceLimitPortMapEntries;

3724	      *  natv2InstanceLimitPendingFragments;

3726	      *  natv2InstanceLimitSubscriberActives;

3728	      *  natv2SubscriberLimitPortMapEntries.

3730	   Notification thresholds:  An attacker setting an arbitrarily low
3731	      threshold can cause many useless notifications to be generated
3732	      (subject to the notification interval).  Setting an arbitrarily
3733	      high threshold can effectively disable notifications, which could
3734	      be used to hide another attack.

3736	      *  natv2InstanceThresholdAddressMapEntriesHigh;

3738	      *  natv2InstanceThresholdPortMapEntriesHigh;

3740	      *  natv2PoolThresholdUsageLow;

3742	      *  natv2PoolThresholdUsageHigh;

3744	      *  natv2SubscriberThresholdPortMapEntriesHigh.

3746	   Notification intervals:  An attacker setting a low notification
3747	      interval in combination with a low threshold value can cause many
3748	      useless notifications to be generated.

3750	      *  natv2InstanceNotificationInterval;

3752	      *  natv2PoolNotificationInterval;

3754	      *  natv2SubscriberNotificationInterval.

3756	   Some of the readable objects in this MIB module (i.e., objects with a
3757	   MAX-ACCESS other than not-accessible) may be considered sensitive or
3758	   vulnerable in some network environments.  It is thus important to
3759	   control even GET and/or NOTIFY access to these objects and possibly
3760	   to even encrypt the values of these objects when sending them over
3761	   the network via SNMP.  These are the tables and objects and their
3762	   sensitivity/vulnerability:

3764	   Objects that reveal host identities:  Various objects can reveal the
3765	      identity of private hosts that are engaged in a session with
3766	      external end nodes.  A curious outsider could monitor these to
3767	      assess the number of private hosts being supported by the NAT
3768	      device.  Further, a disgruntled former employee of an enterprise
3769	      could use the information to break into specific private hosts by
3770	      intercepting the existing sessions or originating new sessions
3771	      into the host.

3773	      *  entries in the natv2AddressMapTable;

3775	      *  entries in the natv2PortMapTable.

3777	   Other objects that reveal NAT state:  Other managed objects in this
3778	      MIB may contain information that may be sensitive from a business
3779	      perspective, in that they may represent NAT capabilities, business
3780	      policies, and state information.

3782	      *  natv2SubscriberLimitPortMapEntries;
3783	      *  natv2InstancePortMappingBehavior;

3785	      *  natv2InstanceFilteringBehavior;

3787	      *  natv2InstancePoolingBehavior;

3789	      *  natv2InstanceFragmentBehavior;

3791	      *  natv2InstanceAddressMapEntries;

3793	      *  natv2InstancePortMapEntries.

3795	   There are no objects that are sensitive in their own right, such as
3796	   passwords or monetary amounts.

3798	   SNMP versions prior to SNMPv3 did not include adequate security.
3799	   Even if the network itself is secure (for example by using IPsec),
3800	   there is no control as to who on the secure network is allowed to
3801	   access and GET/SET (read/change/create/delete) the objects in this
3802	   MIB module.

3804	   Implementations SHOULD provide the security features described by the
3805	   SNMPv3 framework (see [RFC3410]), and implementations claiming
3806	   compliance to the SNMPv3 standard MUST include full support for
3807	   authentication and privacy via the User-based Security Model (USM)
3808	   [RFC3414] with the AES cipher algorithm [RFC3826].  Implementations
3809	   MAY also provide support for the Transport Security Model (TSM)
3810	   [RFC5591] in combination with a secure transport such as SSH
3811	   [RFC5592] or TLS/DTLS [RFC6353].

3813	   Further, deployment of SNMP versions prior to SNMPv3 is NOT
3814	   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
3815	   enable cryptographic security.  It is then a customer/operator
3816	   responsibility to ensure that the SNMP entity giving access to an
3817	   instance of this MIB module is properly configured to give access to
3818	   the objects only to those principals (users) that have legitimate
3819	   rights to indeed GET or SET (change/create/delete) them.

3821	7.  IANA Considerations

3823	   IANA is requested to assign an object identifier to the natv2MIB
3824	   module, with prefix iso.org.dod.internet.mgmt.mib-2 in the Network
3825	   Management Parameters registry [SMI-NUMBERS].

3827	8.  References

3829	8.1.  Normative References

3831	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
3832	              Requirement Levels", BCP 14, RFC 2119, March 1997.

3834	   [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
3835	              Schoenwaelder, Ed., "Structure of Management Information
3836	              Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

3838	   [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
3839	              Schoenwaelder, Ed., "Textual Conventions for SMIv2", STD
3840	              58, RFC 2579, April 1999.

3842	   [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
3843	              "Conformance Statements for SMIv2", STD 58, RFC 2580,
3844	              April 1999.

3846	   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
3847	              Architecture for Describing Simple Network Management
3848	              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
3849	              December 2002.

3851	   [RFC3414]  Blumenthal, U. and B. Wijnen, "User-based Security Model
3852	              (USM) for version 3 of the Simple Network Management
3853	              Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.

3855	   [RFC3826]  Blumenthal, U., Maino, F., and K. McCloghrie, "The
3856	              Advanced Encryption Standard (AES) Cipher Algorithm in the
3857	              SNMP User-based Security Model", RFC 3826, June 2004.

3859	   [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
3860	              Schoenwaelder, "Textual Conventions for Internet Network
3861	              Addresses", RFC 4001, February 2005.

3863	   [RFC4787]  Audet, F. and C. Jennings, "Network Address Translation
3864	              (NAT) Behavioral Requirements for Unicast UDP", BCP 127,
3865	              RFC 4787, January 2007.

3867	   [RFC5591]  Harrington, D. and W. Hardaker, "Transport Security Model
3868	              for the Simple Network Management Protocol (SNMP)", STD
3869	              78, RFC 5591, June 2009.

3871	   [RFC5592]  Harrington, D., Salowey, J., and W. Hardaker, "Secure
3872	              Shell Transport Model for the Simple Network Management
3873	              Protocol (SNMP)", RFC 5592, June 2009.

3875	   [RFC6353]  Hardaker, W., "Transport Layer Security (TLS) Transport
3876	              Model for the Simple Network Management Protocol (SNMP)",
3877	              STD 78, RFC 6353, July 2011.

3879	8.2.  Informative References

3881	   [I-D.perrault-behave-deprecate-nat-mib-v1]
3882	              Perrault, S., Tsou, T., Sivakumar, S., and T. Taylor,
3883	              "Deprecation of MIB Module NAT-MIB (Managed Objects for
3884	              Network Address Translators (NAT)) (Work in Progress)",
3885	              October 2014.

3887	   [RFC2460]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
3888	              (IPv6) Specification", RFC 2460, December 1998.

3890	   [RFC2663]  Srisuresh, P. and M. Holdrege, "IP Network Address
3891	              Translator (NAT) Terminology and Considerations", RFC
3892	              2663, August 1999.

3894	   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
3895	              "Introduction and Applicability Statements for Internet-
3896	              Standard Management Framework", RFC 3410, December 2002.

3898	   [RFC3489]  Rosenberg, J., Weinberger, J., Huitema, C., and R. Mahy,
3899	              "STUN - Simple Traversal of User Datagram Protocol (UDP)
3900	              Through Network Address Translators (NATs)", RFC 3489,
3901	              March 2003.

3903	   [RFC4008]  Rohit, R., Srisuresh, P., Raghunarayan, R., Pai, N., and
3904	              C. Wang, "Definitions of Managed Objects for Network
3905	              Address Translators (NAT)", RFC 4008, March 2005.

3907	   [RFC6333]  Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-
3908	              Stack Lite Broadband Deployments Following IPv4
3909	              Exhaustion", RFC 6333, August 2011.

3911	   [SMI-NUMBERS]
3912	              "Network Management Parameters registry at IANA",
3913	              <http://www.iana.org/assignments/smi-numbers>.

3915	Authors' Addresses

3917	   Simon Perreault
3918	   Jive Communications
3919	   Quebec, QC
3920	   Canada

3922	   Email: sperreault@jive.com
3923	   Tina Tsou
3924	   Huawei Technologies
3925	   Bantian, Longgang District
3926	   Shenzhen  518129
3927	   PR China

3929	   Email: tina.tsou.zouting@huawei.com

3931	   Senthil Sivakumar
3932	   Cisco Systems
3933	   7100-8 Kit Creek Road
3934	   Research Triangle Park, North Carolina  27709
3935	   USA

3937	   Phone: +1 919 392 5158
3938	   Email: ssenthil@cisco.com

3940	   Tom Taylor
3941	   PT Taylor Consulting
3942	   Ottawa
3943	   Canada

3945	   Email: tom.taylor.stds@gmail.com