idnits 2.17.1
draft-perrault-behave-natv2-mib-02.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
== There are 1 instance of lines with non-RFC2606-compliant FQDNs in the
document.
== There are 7 instances of lines with non-RFC6890-compliant IPv4 addresses
in the document. If these are example addresses, they should be changed.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
== Line 2694 has weird spacing: '... of natv2...'
-- The document date (February 17, 2015) is 3356 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Missing Reference: 'RFC 4008' is mentioned on line 3607, but not defined
** Obsolete undefined reference: RFC 4008 (Obsoleted by RFC 7658)
== Missing Reference: 'RFC 6333' is mentioned on line 3200, but not defined
-- No information found for draft-perrault-behave-deprecate-nat-mib-v1 - is
the name correct?
-- Obsolete informational reference (is this intentional?): RFC 2460
(Obsoleted by RFC 8200)
-- Obsolete informational reference (is this intentional?): RFC 3489
(Obsoleted by RFC 5389)
-- Obsolete informational reference (is this intentional?): RFC 4008
(Obsoleted by RFC 7658)
Summary: 1 error (**), 0 flaws (~~), 6 warnings (==), 5 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 Network Working Group S. Perreault
3 Internet-Draft Jive Communications
4 Intended status: Standards Track T. Tsou
5 Expires: August 21, 2015 Huawei Technologies
6 S. Sivakumar
7 Cisco Systems
8 T. Taylor
9 PT Taylor Consulting
10 February 17, 2015
12 Definitions of Managed Objects for Network Address Translators (NAT)
13 draft-perrault-behave-natv2-mib-02
15 Abstract
17 This memo defines a portion of the Management Information Base (MIB)
18 for devices implementing the Network Address Translator (NAT)
19 function. The new MIB module defined in this document, NATV2-MIB, is
20 intended to replace module NAT-MIB (RFC 4008). NATV2-MIB is not
21 backwards compatible with NAT-MIB, for reasons given in the text of
22 this document. A companion document deprecates all objects in NAT-
23 MIB. NATV2-MIB can be used for monitoring of NAT instances on a
24 device capable of NAT function. Compliance levels are defined for
25 three application scenarios: basic NAT, pooled NAT, and carrier-grade
26 NAT (CGN).
28 Status of This Memo
30 This Internet-Draft is submitted in full conformance with the
31 provisions of BCP 78 and BCP 79.
33 Internet-Drafts are working documents of the Internet Engineering
34 Task Force (IETF). Note that other groups may also distribute
35 working documents as Internet-Drafts. The list of current Internet-
36 Drafts is at http://datatracker.ietf.org/drafts/current/.
38 Internet-Drafts are draft documents valid for a maximum of six months
39 and may be updated, replaced, or obsoleted by other documents at any
40 time. It is inappropriate to use Internet-Drafts as reference
41 material or to cite them other than as "work in progress."
43 This Internet-Draft will expire on August 21, 2015.
45 Copyright Notice
47 Copyright (c) 2015 IETF Trust and the persons identified as the
48 document authors. All rights reserved.
50 This document is subject to BCP 78 and the IETF Trust's Legal
51 Provisions Relating to IETF Documents
52 (http://trustee.ietf.org/license-info) in effect on the date of
53 publication of this document. Please review these documents
54 carefully, as they describe your rights and restrictions with respect
55 to this document. Code Components extracted from this document must
56 include Simplified BSD License text as described in Section 4.e of
57 the Trust Legal Provisions and are provided without warranty as
58 described in the Simplified BSD License.
60 Table of Contents
62 1. The SNMP Management Framework
63 2. Introduction
64 3. Overview
65 3.1. Content Provided by the NATV2-MIB Module
66 3.1.1. Configuration Data
67 3.1.2. Notifications
68 3.1.3. State Information
69 3.1.4. Statistics
70 3.2. Outline of MIB Module Organization
71 3.3. Detailed MIB Module Walk-Through
72 3.3.1. Textual Conventions
73 3.3.2. Notifications
74 3.3.3. The Subscriber Table: natv2SubscriberTable
75 3.3.4. The Instance Table: natv2InstanceTable
76 3.3.5. The Protocol Table: natv2ProtocolTable
77 3.3.6. The Address Pool Table: natv2PoolTable
78 3.3.7. The Address Pool Address Range Table:
79 natv2PoolRangeTable
80 3.3.8. The Address Map Table: natv2AddressMapTable
81 3.3.9. The Port Map Table: natv2PortMapTable
82 3.4. Conformance: Three Application Scenarios
83 4. Definitions
84 5. Operational and Management Considerations
85 5.1. Configuration Requirements
86 5.2. Transition From and Coexistence With NAT-MIB [RFC 4008]
87 6. Security Considerations
88 7. IANA Considerations
89 8. References
90 8.1. Normative References
91 8.2. Informative References
92 Authors' Addresses
94 1. The SNMP Management Framework
96 For a detailed overview of the documents that describe the current
97 Internet-Standard Management Framework, please refer to section 7 of
98 RFC 3410 [RFC3410].
100 Managed objects are accessed via a virtual information store, termed
101 the Management Information Base or MIB. MIB objects are generally
102 accessed through the Simple Network Management Protocol (SNMP).
103 Objects in the MIB are defined using the mechanisms defined in the
104 Structure of Management Information (SMI). This memo specifies a MIB
105 module that is compliant to the SMIv2, which is described in STD 58,
106 [RFC2578], [RFC2579] and [RFC2580].
108 2. Introduction
110 Note to RFC Ed.: please replace RFC yyyy with actual RFC number
111 throughout this document and remove this note.
113 This memo defines a portion of the Management Information Base (MIB)
114 for devices implementing NAT functions. This MIB module, NATV2-MIB,
115 may be used for monitoring of such devices. NATV2-MIB supersedes
116 NAT-MIB [RFC4008], which did not fit well with existing NAT
117 implementations, and hence was not itself much implemented.
118 [I-D.perrault-behave-deprecate-nat-mib-v1] provides a detailed
119 analysis of the deficiencies of NAT-MIB.
121 Relative to [RFC4008] and based on the analysis just mentioned, the
122 present document introduces the following changes:
124 o removed all writable configuration except that related to control
125 of the generation of notifications and the setting of quotas on
126 the use of NAT resources;
128 o minimized the read-only exposure of configuration to what is
129 needed to provide context for the state and statistical
130 information presented by the MIB module;
132 o removed the association between mapping and interfaces, retaining
133 only the mapping aspect;
135 o replaced references to NAT types with references to NAT behaviors
136 as specified in [RFC4787];
138 o replaced a module-specific enumeration of protocols with the
139 standard protocol numbers provided by the IANA Assigned Internet
140 Protocol Numbers registry.
142 This MIB module adds the following features not present in [RFC4008]:
144 o additional writable protective limits on NAT state data;
146 o additional objects to report state, statistics, and notifications;
148 o support for the carrier grade NAT (CGN) application, including
149 subscriber-awareness, support for an arbitrary number of address
150 realms, and support for multiple NAT instances running on a single
151 device;
153 o expanded support for address pools;
155 o revised indexing of port map entries to simplify traceback from
156 externally observable packet parameters to the corresponding
157 internal endpoint.
159 These features are described in more detail below.
161 The remainder of this document is organized as follows:
163 o Section 3 provides a verbal description of the content and
164 organization of the MIB module.
166 o Section 4 provides the MIB module definition.
168 o Section 5 discusses operational and management issues relating to
169 the deployment of NATV2-MIB. One of these issues is NAT
170 management when both NAT-MIB [RFC4008] and NATV2-MIB are deployed.
172 o Section 6 and Section 7 provide a security discussion and a
173 request to IANA for allocation of an object identifier for the
174 module in the mib-2 tree, respectively.
176 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
177 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
178 "OPTIONAL" in this document are to be interpreted as described in
179 [RFC2119].
181 This document uses the following terminology:
183 Upper layer protocol: The protocol following the outer IP header of
184 a packet. This follows the terminology of [RFC2460], but as that
185 document points out, "upper" is not necessarily a correct
186 description of the protocol relationships (e.g., where IP is
187 encapsulated in IP). The abbreviated term "protocol" will often
188 be used where it is unambiguous.
190 Trigger: With respect to notifications, the logical recognition of
191 the event that the notification is intended to report.
193 Report: The actual production of a notification message. Reporting
194 can happen later than triggering, or may never happen for a given
195 notification instance, because of the operation of notification
196 rate controls.
198 Address realm: A network domain in which the network addresses are
199 uniquely assigned to entities such that datagrams can be routed to
200 them. (Definition taken from [RFC2663] Section 2.1.) The
201 abbreviated term "realm" will often be used.
203 3. Overview
205 This section provides a prose description of the contents and
206 organization of the NATV2-MIB module.
208 3.1. Content Provided by the NATV2-MIB Module
210 The content provided by the NATV2-MIB module can be classed under
211 four headings: configuration data, notifications, state information,
212 and statistics.
214 3.1.1. Configuration Data
216 As mentioned above, the intent in designing the NATV2-MIB module was
217 to limit the configuration data presented to what is needed
218 to give a context for interpreting the other types of information
219 provided. Detailed descriptions of the configuration data are
220 included with the descriptions of the individual tables. In general,
221 that data is limited to what is needed for indexing and cross-
222 referencing between tables. The two exceptions are the objects
223 describing NAT instance behavior in the NAT instance table, and the
224 detailed enumeration of resources allocated to each address pool in
225 the pool table and its extension.
227 The NATV2-MIB module provides three sets of read-write objects,
228 specifically related to other aspects of the module content. The
229 first set controls the rate at which specific notifications are
230 generated. The second set provides thresholds used to trigger the
231 notifications. These objects are listed in Section 3.1.2.
233 A third set of read-write objects sets limits on resource consumption
234 per NAT instance and per subscriber. When these limits are reached,
235 packets requiring further consumption of the given resource are
236 dropped rather than translated. Statistics described in
237 Section 3.1.4 record the numbers of packets so dropped. Limits are
238 provided for:
240 o total number of address map entries over the NAT instance. Limit
241 is set by object natv2InstanceLimitAddressMapEntries in table
242 natv2InstanceTable. Dropped packets are counted in
243 natv2InstanceAddressMapEntryLimitDrops in that table.
245 o total number of port map entries over the NAT instance. Limit is
246 set by object natv2InstanceLimitPortMapEntries in table
247 natv2InstanceTable. Dropped packets are counted in
248 natv2InstancePortMapEntryLimitDrops in that table.
250 o total number of held fragments (applicable only when the NAT
251 instance can receive fragments out of order; see [RFC4787]
252 Section 11). Limit is set by object
253 natv2InstanceLimitPendingFragments in table natv2InstanceTable.
254 Dropped packets are counted by natv2InstanceFragmentDrops in the
255 same table.
257 o total number of active subscribers (i.e., subscribers having at
258 least one mapping table entry) over the NAT instance. Limit is
259 set by object natv2InstanceLimitSubscriberActives in table
260 natv2InstanceTable. Dropped packets are counted by
261 natv2InstanceSubscriberActiveLimitDrops in the same table.
263 o number of port map entries for an individual subscriber. Limit is
264 set by object natv2SubscriberLimitPortMapEntries in table
265 natv2SubscriberTable. Dropped packets are counted by
266 natv2SubscriberPortMapFailureDrops in the same table. Note that,
267 unlike in the instance table, the per-subscriber limit drops are
268 lumped in, to save on storage, with the packets dropped because a
269 port map entry could not be allocated for any other reason.
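As an added illustration, not code from the draft, the following Python model shows how the per-instance and per-subscriber limits above turn into the drop counters the draft names. Object names are the draft's; the order in which the limits are checked, the use of 0 to mean "no limit", and the three-subscriber scenario in demo() are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class Subscriber:
    """The natv2SubscriberTable objects this model needs."""
    limit_port_map_entries: int       # natv2SubscriberLimitPortMapEntries
    address_map_entries: int = 0
    port_map_entries: int = 0         # natv2SubscriberPortMapEntries
    port_map_failure_drops: int = 0   # natv2SubscriberPortMapFailureDrops


@dataclass
class NatInstance:
    """One row of natv2InstanceTable: limits, state and drop counters.
    A limit of 0 means 'no limit' here (an assumption of this example)."""
    limit_address_map_entries: int    # natv2InstanceLimitAddressMapEntries
    limit_port_map_entries: int       # natv2InstanceLimitPortMapEntries
    limit_subscriber_actives: int     # natv2InstanceLimitSubscriberActives
    address_map_entries: int = 0      # natv2InstanceAddressMapEntries
    port_map_entries: int = 0         # natv2InstancePortMapEntries
    subscribers: Dict[str, Subscriber] = field(default_factory=dict)
    translations: int = 0
    address_map_creations: int = 0    # natv2InstanceAddressMapCreations
    port_map_creations: int = 0       # natv2InstancePortMapCreations
    address_map_entry_limit_drops: int = 0  # natv2InstanceAddressMapEntryLimitDrops
    port_map_entry_limit_drops: int = 0     # natv2InstancePortMapEntryLimitDrops
    subscriber_active_limit_drops: int = 0  # natv2InstanceSubscriberActiveLimitDrops

    def active_subscribers(self) -> int:
        # "Active" per the draft: at least one mapping table entry.
        return sum(1 for s in self.subscribers.values()
                   if s.address_map_entries or s.port_map_entries)

    def new_mapping(self, sub_id: str, needs_address_map: bool = False) -> str:
        """A packet that would create a new port map entry for sub_id (and a
        new address map entry if needs_address_map). Returns the counter hit
        or "translated". The order of the checks is this example's choice."""
        sub = self.subscribers[sub_id]
        is_new_subscriber = not (sub.address_map_entries or sub.port_map_entries)
        if (is_new_subscriber and self.limit_subscriber_actives
                and self.active_subscribers() >= self.limit_subscriber_actives):
            self.subscriber_active_limit_drops += 1
            return "natv2InstanceSubscriberActiveLimitDrops"
        if (needs_address_map and self.limit_address_map_entries
                and self.address_map_entries >= self.limit_address_map_entries):
            self.address_map_entry_limit_drops += 1
            return "natv2InstanceAddressMapEntryLimitDrops"
        if (self.limit_port_map_entries
                and self.port_map_entries >= self.limit_port_map_entries):
            self.port_map_entry_limit_drops += 1
            return "natv2InstancePortMapEntryLimitDrops"
        if (sub.limit_port_map_entries
                and sub.port_map_entries >= sub.limit_port_map_entries):
            # Shares its counter with other per-subscriber allocation failures.
            sub.port_map_failure_drops += 1
            return "natv2SubscriberPortMapFailureDrops"
        # Every limit respected: create the mapping(s) and translate.
        if needs_address_map:
            self.address_map_entries += 1
            self.address_map_creations += 1
            sub.address_map_entries += 1
        self.port_map_entries += 1
        self.port_map_creations += 1
        sub.port_map_entries += 1
        self.translations += 1
        return "translated"


def demo() -> dict:
    """Constructed scenario: three subscribers on one tightly limited instance."""
    nat = NatInstance(limit_address_map_entries=1, limit_port_map_entries=4,
                      limit_subscriber_actives=2)
    for sid in ("A", "B", "C"):
        nat.subscribers[sid] = Subscriber(limit_port_map_entries=2)
    outcomes = [
        nat.new_mapping("A", needs_address_map=True),  # translated
        nat.new_mapping("B", needs_address_map=True),  # address map limit
        nat.new_mapping("B"),                          # translated
        nat.new_mapping("C"),                          # active subscriber limit
        nat.new_mapping("A"),                          # translated
        nat.new_mapping("A"),                          # subscriber port map limit
        nat.new_mapping("B"),                          # translated
        nat.new_mapping("B"),                          # instance port map limit
    ]
    return {
        "outcomes": outcomes,
        "address_map_entries": nat.address_map_entries,
        "port_map_entries": nat.port_map_entries,
        "translations": nat.translations,
        "address_map_entry_limit_drops": nat.address_map_entry_limit_drops,
        "port_map_entry_limit_drops": nat.port_map_entry_limit_drops,
        "subscriber_active_limit_drops": nat.subscriber_active_limit_drops,
        "subscriber_A_failure_drops": nat.subscribers["A"].port_map_failure_drops,
    }
```

Note that subscriber B's second packet is dropped at the instance address map limit even though B has no mapping yet, so B only becomes "active" on its next, address-map-free packet.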
271 3.1.2. Notifications
273 NATV2-MIB provides five notifications, intended to provide warning of
274 the need to provision or reallocate NAT resources. As indicated in
275 the previous section, each notification is associated with two read-
276 write objects: a control on the rate at which that notification is
277 generated, and a threshold value used to trigger the notification in
278 the first place. The default setting within the MIB module
279 specification is that all notifications are disabled. The setting of
280 threshold values is discussed in Section 5.
282 The five notifications are as follows:
284 o Two notifications relate to the management of address pools. One
285 indicates that usage equals or exceeds an upper threshold, and is
286 therefore a warning that the pool may be over-utilized unless more
287 addresses are assigned to it. The other notification indicates
288 that usage equals or has fallen below a lower threshold,
289 suggesting that some addresses allocated to that pool could be
290 reallocated to other pools. Address pool usage is calculated as
291 the percentage of the total number of ports allocated to the
292 address pool that are already in use, for the most-mapped protocol
293 at the time the notification is generated. The notifications
294 identify that protocol and report the number of port map entries
295 for that protocol in the given address pool at the moment the
296 notification was triggered.
298 o Two notifications relate to the number of address and port map
299 entries respectively, in total over the whole NAT instance. In
300 both cases the threshold that triggers the notification is an
301 upper threshold. The notifications return the number of mapping
302 entries of the given type, plus a cumulative counter of the number
303 of entries created in that mapping table at the moment the
304 notification was triggered. The intent is that the notifications
305 provide a warning that the total number of address or port map
306 entries is approaching the configured limit.
308 o The final notification is generated on a per-subscriber basis when
309 the number of port map entries for that subscriber crosses the
310 associated threshold. The objects returned by this notification
311 are similar to those returned for the instance-level mapping
312 notifications. This notification is a warning that the number of
313 port map entries for the subscriber is approaching the configured
314 limit for that subscriber.
316 Here is a detailed specification of the notifications. A given
317 notification can be disabled by setting the threshold to 0 (default),
318 with the exception noted below.
320 Notification: natv2NotificationPoolUsageLow. Indicates that address
321 pool usage for the most-mapped protocol equals or is less than the
322 threshold value.
324 Compared value: natv2PoolNotifiedPortMapEntries as a percentage of
325 total available ports in the pool.
327 Threshold: natv2PoolThresholdUsageLow in natv2PoolTable. To allow
328 for a threshold of zero usage, the natv2NotificationPoolUsageLow
329 notification is disabled by setting
330 natv2PoolThresholdUsageLow to -1 rather than 0, in contrast to all
331 of the other notifications.
333 Objects returned: natv2PoolNotifiedPortMapEntries and
334 natv2PoolNotifiedPortMapProtocol in natv2PoolTable;
336 Rate control: natv2PoolNotificationInterval in
337 natv2PoolTable (default 20 seconds between notifications for a
338 given address pool).
340 Notification: natv2NotificationPoolUsageHigh. Indicates that address
341 pool usage for the most-mapped protocol has risen to the threshold
342 value or more.
344 Compared value: natv2PoolNotifiedPortMapEntries as a percentage of
345 total available ports in the pool.
347 Threshold: natv2PoolThresholdUsageHigh in natv2PoolTable;
349 Objects returned: natv2PoolNotifiedPortMapEntries,
350 natv2PoolNotifiedPortMapProtocol in natv2PoolTable;
352 Rate control: natv2PoolNotificationInterval in
353 natv2PoolTable (default 20 seconds between notifications for a
354 given address pool).
356 Notification: natv2NotificationInstanceAddressMapEntriesHigh.
357 Indicates that the total number of entries in the address map table
358 over the whole NAT instance equals or exceeds the threshold value.
360 Compared value: natv2InstanceAddressMapEntries in
361 natv2InstanceTable;
363 Threshold: natv2InstanceThresholdAddressMapEntriesHigh in
364 natv2InstanceTable;
366 Objects returned: natv2InstanceAddressMapEntries,
367 natv2InstanceAddressMapCreations in natv2InstanceTable;
369 Rate control: natv2InstanceNotificationInterval in
370 natv2InstanceTable (default 10 seconds between notifications for a
371 given NAT instance).
373 Notification: natv2NotificationInstancePortMapEntriesHigh. Indicates
374 that the total number of entries in the port map table over the whole
375 NAT instance equals or exceeds the threshold value.
377 Compared value: natv2InstancePortMapEntries in natv2InstanceTable;
379 Threshold: natv2InstanceThresholdPortMapEntriesHigh in
380 natv2InstanceTable;
382 Objects returned: natv2InstancePortMapEntries,
383 natv2InstancePortMapCreations in natv2InstanceTable;
385 Rate control: natv2InstanceNotificationInterval in
386 natv2InstanceTable (default 10 seconds between notifications for a
387 given NAT instance).
389 Notification: natv2NotificationSubscriberPortMapEntriesHigh.
390 Indicates that the total number of entries in the port map table for
391 the given subscriber equals or exceeds the threshold value configured
392 for that subscriber.
394 Compared value: natv2SubscriberPortMapEntries in
395 natv2SubscriberTable;
397 Threshold: natv2SubscriberThresholdPortMapEntriesHigh in
398 natv2SubscriberTable;
400 Objects returned: natv2SubscriberPortMapEntries,
401 natv2SubscriberPortMapCreations in natv2SubscriberTable;
403 Rate control: natv2SubscriberNotificationInterval in
404 natv2SubscriberTable (default 60 seconds between notifications for
405 a given subscriber).
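The threshold, disable-value and rate-control rules above, as an added Python model that is not code from the draft. It generalizes slightly: one evaluator serves all five notifications, keeping the draft's distinction between a trigger and a report, and pool usage is computed as the draft defines it (most-mapped protocol's entries as a percentage of the pool's ports). The sample pool of 2 addresses with 1000 ports each and the per-protocol counts are constructed values, and taking the pool's total as addresses times ports per address is an assumption of this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class ThresholdNotification:
    """A NATV2-MIB notification with its threshold and rate control.
    disabled_value is the threshold value that disables it: 0 for all
    notifications except natv2NotificationPoolUsageLow, which uses -1."""
    name: str
    interval: int                     # rate control object, seconds
    disabled_value: int = 0
    low: bool = False                 # True: fire when value <= threshold
    last_report: Optional[float] = None
    triggered: int = 0                # event recognised (draft: "trigger")
    reported: int = 0                 # message actually sent (draft: "report")

    def evaluate(self, compared, threshold, now: float) -> bool:
        """Return True if a notification message is produced at time now."""
        if threshold == self.disabled_value:
            return False
        crossed = compared <= threshold if self.low else compared >= threshold
        if not crossed:
            return False
        self.triggered += 1
        if self.last_report is not None and now - self.last_report < self.interval:
            return False              # suppressed by the rate control
        self.last_report = now
        self.reported += 1
        return True


def pool_usage(port_map_entries: Dict[int, int],
               total_ports: int) -> Tuple[Optional[int], int, float]:
    """Address pool usage as the draft defines it: port map entries of the
    most-mapped protocol as a percentage of the ports the pool offers.
    Returns (protocol, entries, percent); the first two are the values
    natv2PoolNotifiedPortMapProtocol / natv2PoolNotifiedPortMapEntries carry."""
    if not port_map_entries:
        return None, 0, 0.0
    protocol, entries = max(port_map_entries.items(), key=lambda kv: kv[1])
    return protocol, entries, 100.0 * entries / total_ports


def demo() -> dict:
    """Constructed scenario exercising the three rules. Sample pool:
    2 addresses with 1000 ports each (assumption: total = 2 * 1000)."""
    total_ports = 2 * 1000
    entries_by_protocol = {6: 1700, 17: 200, 1: 5}   # TCP, UDP, ICMP
    protocol, entries, pct = pool_usage(entries_by_protocol, total_ports)

    high = ThresholdNotification("natv2NotificationPoolUsageHigh", interval=20)
    low = ThresholdNotification("natv2NotificationPoolUsageLow", interval=20,
                                disabled_value=-1, low=True)
    inst = ThresholdNotification("natv2NotificationInstancePortMapEntriesHigh",
                                 interval=10)
    return {
        "notified_protocol": protocol,          # natv2PoolNotifiedPortMapProtocol
        "notified_entries": entries,            # natv2PoolNotifiedPortMapEntries
        "usage_percent": pct,
        # natv2PoolThresholdUsageHigh = 80: reported at t=0, suppressed at
        # t=5 by natv2PoolNotificationInterval (20 s), reported again at t=25
        "high_reports": [high.evaluate(pct, 80, now=t) for t in (0, 5, 25)],
        "high_triggered": high.triggered,
        "high_reported": high.reported,
        # natv2PoolThresholdUsageLow: -1 disables, 0 is a real threshold
        "low_disabled": low.evaluate(0.0, -1, now=0),
        "low_zero_threshold": low.evaluate(0.0, 0, now=0),
        # natv2InstanceThresholdPortMapEntriesHigh: 0 disables
        "instance_threshold_zero": inst.evaluate(1200, 0, now=0),
        "instance_threshold_1000": inst.evaluate(1200, 1000, now=0),
    }
```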
407 3.1.3. State Information
409 State information provides a snapshot of the content and extent of
410 the NAT mapping tables at a given moment of time. The address and
411 port mapping tables are described in detail below. In addition to
412 these tables, two state variables are provided: current number of
413 entries in the address mapping table, and current number of entries
414 in the port mapping table. With one exception, these are provided at
415 four levels of granularity: per NAT instance, per protocol, per
416 address pool, and per subscriber. Address map entries are not
417 tracked per protocol, since address mapping is protocol-independent.
419 3.1.4. Statistics
421 NATV2-MIB provides a number of counters, intended to help both with
422 provisioning of the NAT and debugging of problems. As with the state
423 data, these counters are provided at the four levels of NAT instance,
424 protocol, address pool, and subscriber when they make sense. Each
425 counter is cumulative beginning from a "last discontinuity time"
426 recorded by an object that is usually in the table containing the
427 counter.
429 The basic set of counters, as reflected in the NAT instance table, is
430 as follows:
432 Translations: number of packets processed and translated (in this
433 case, in total for the NAT instance);
435 Address map entry creations: cumulative number of address map
436 entries created, including static mappings;
438 Port map entry creations: cumulative number of port map entries
439 created, including static mappings;
441 Address map limit drops: cumulative number of packets dropped rather
442 than translated because the packet would have triggered the
443 creation of a new address mapping, but the configured limit on
444 number of address map entries has already been reached.
446 Port map limit drops: cumulative number of packets dropped rather
447 than translated because the packet would have triggered the
448 creation of a new port mapping, but the configured limit on number
449 of port map entries has already been reached.
451 Active subscriber limit drops: cumulative number of packets dropped
452 rather than translated because the packet would have triggered the
453 creation of a new address and/or port mapping for a subscriber
454 with no existing entries in either table, but the configured limit
455 on number of active subscribers has already been reached.
457 Address mapping failure drops: cumulative number of packets dropped
458 because the packet would have triggered the creation of a new
459 address mapping, but no address could be allocated in the external
460 realm concerned because all addresses from the selected address
461 pool (or the whole realm, if no address pool has been configured
462 for that realm) have already been fully allocated.
464 Port mapping failure drops: cumulative number of packets dropped
465 because the packet would have triggered the creation of a new port
466 mapping, but no port could be allocated for the protocol
467 concerned. The precise conditions under which these packet drops
468 occur depend on the pooling behavior [RFC4787] configured or
469 implemented in the NAT instance. See the DESCRIPTION clause for
470 the natv2InstancePortMapFailureDrops object for a detailed
471 description of the different cases. These cases were defined with
472 care to ensure that address mapping failure could be distinguished
473 from port mapping failure.
475 Fragment drops: cumulative number of packets dropped because the
476 packet contains a fragment and the fragment behavior [RFC4787]
477 configured or implemented in the NAT instance indicates that the
478 packet should be dropped. The main case is a NAT instance that
479 meets REQ-14 of [RFC4787], hence can receive and process out-of-
480 order fragments. In that case, dropping occurs only when the
481 configured limit on pending fragments provided by NATV2-MIB has
482 already been reached. The other cases are detailed in the
483 DESCRIPTION clause of the natv2InstanceFragmentBehavior object.
485 Other resource drops: cumulative number of packets dropped because
486 of unavailability of some other resource. The most likely case
487 would be packets where the upper layer protocol is not one
488 supported by the NAT instance.
490 Table 1 indicates the granularities at which these statistics are
491 reported.
493 +-----------------------+------------+----------+------+------------+
494 | Statistic | NAT | Protocol | Pool | Subscriber |
495 | | Instance | | | |
496 +-----------------------+------------+----------+------+------------+
497 | Translations | Yes | Yes | No | Yes |
498 | Address map entry | Yes | No | Yes | Yes |
499 | creations | | | | |
500 | Port map entry | Yes | Yes | Yes | Yes |
501 | creations | | | | |
502 | Address map limit | Yes | No | No | No |
503 | drops | | | | |
504 | Port map limit drops | Yes | No | No | Yes |
505 | Active subscriber | Yes | No | No | No |
506 | limit drops | | | | |
507 | Address mapping | Yes | No | Yes | Yes |
508 | failure drops | | | | |
509 | Port mapping failure | Yes | Yes | Yes | Yes |
510 | drops | | | | |
511 | Fragment drops | Yes | No | No | No |
512 | Other resource drops | Yes | No | No | No |
513 +-----------------------+------------+----------+------+------------+
515 Table 1: Statistics Provided By Level of Granularity
517 3.2. Outline of MIB Module Organization
519 Figure 1 shows how object identifiers are organized in the NATV2-MIB
520 module. Under the general natv2MIB object identifier in the mib-2
521 tree, the objects are classed into four groups:
523 natv2MIBNotifications(0) identifies the five notifications described
524 in Section 3.1.2;
526 natv2MIBDeviceObjects(1) identifies objects relating to the whole
527 device, specifically, the subscriber table.
529 natv2MIBInstanceObjects(2) identifies objects relating to individual
530 NAT instances. These include the NAT instance table, the protocol
531 table, the address pool table and its address range expansion, the
532 address map table, and the port map table.
534 natv2MIBConformance(3) identifies the group and compliance clauses,
535 specified for the three application scenarios described in
536 Section 3.4.
natv2MIB
|
+-- 0 natv2MIBNotifications
|       Five notifications
|
+-- 1 natv2MIBDeviceObjects
|       Subscriber table
|
+-- 2 natv2MIBInstanceObjects
|       Six per-NAT-instance tables
|
+-- 3 natv2MIBConformance
        |
        +-- 1 natv2MIBCompliances
        |       Basic
        |       Pooled
        |       Carrier grade NAT
        |
        +-- 2 natv2MIBGroups
                Basic
                Pooled
                Carrier grade NAT

Figure 1: Organization of Object Identifiers For NATV2-MIB
573 3.3. Detailed MIB Module Walk-Through
575 This section reviews the contents of the NATV2-MIB module. The table
576 descriptions include references to subsections of Section 3.1 where
577 desirable to avoid repetition of that information.
579 3.3.1. Textual Conventions
581 The module defines four key textual conventions: ProtocolNumber,
582 Natv2SubscriberIndex, Natv2InstanceIndex, and Natv2PoolIndex.
583 ProtocolNumber is based on the IANA registry of protocol numbers,
584 hence is potentially reusable by other MIB modules.
586 Objects of type Natv2SubscriberIndex identify individual subscribers
587 served by the NAT device. The values of these identifiers are
588 administered and, in intent, are permanently associated with their
589 respective subscribers. Reuse of a value after a subscriber has been
590 deleted is discouraged. The scope of the subscriber index was
591 defined to be at device rather than NAT instance level to make it
592 easier to shift subscribers between instances (e.g., for load
593 balancing).
595 Objects of type Natv2InstanceIndex identify specific NAT instances on
596 the device. Again, these are administered values intended to be
597 permanently associated with the NAT instances to which they have been
598 assigned.
600 Objects of type Natv2PoolIndex identify individual address pools in a
601 given NAT instance. As with the subscriber and instance index
602 objects, the pool identifiers are administered and intended to be
603 permanently associated with their respective pools.
605 3.3.2. Notifications
607 Notifications were described in Section 3.1.2.
609 3.3.3. The Subscriber Table: natv2SubscriberTable
611 Table natv2SubscriberTable is indexed by subscriber index. One
612 conceptual row contains information relating to a specific
613 subscriber: the subscriber's internal address or prefix for
614 correlation with other management information; state and statistical
615 information as described in Section 3.1.3 and Section 3.1.4; the per-
616 subscriber control objects described in Section 3.1.1; and
617 natv2SubscriberDiscontinuityTime, which provides a timestamp of the
618 latest time following which the statistics have accumulated without
619 discontinuity.
621 Turning back to the address information for a moment: this
622 information includes the identity of the address realm in which the
623 address is routable. That enables support of an arbitrary number of
624 address realms on the same NAT instance. Address realm identifiers
625 are administered values in the form of a limited-length
626 SnmpAdminString. In the absence of configuration to the contrary,
627 the default realm for all internal addresses as recorded in mapping
628 entries is "internal".
630 The term "address realm" is defined in [RFC2663] Section 2.1 and
631 reused in subsequent NAT-related documents.
633 In the special case of DS-Lite [RFC6333], for unique matching of the
634 subscriber data to other information in the MIB module, it is
635 necessary that the address information should relate to the outer
636 IPv6 header of packets going to or from the host, with the address
637 realm being the one in which that IPv6 address is routable. The
638 presentation of address information for other types of tunneled
639 access to the NAT is out of scope.
641 3.3.4. The Instance Table: natv2InstanceTable
643 Table natv2InstanceTable is indexed by an object of type
644 Natv2InstanceIndex. A conceptual row of this table provides
645 information relating to a particular NAT instance configured on the
646 device.
648 Configuration information provided by this table includes an instance
649 name of type DisplayString that may have been configured for this
650 instance, and a set of objects indicating respectively the port
651 mapping, filtering, pooling, and fragment behaviors configured or
652 implemented in the instance. These behaviors are all defined in
653 [RFC4787]. Their values affect the interpretation of some of the
654 statistics provided in the instance table.
656 Read-write objects listed in Section 3.1.2 set the notification rate
657 for instance-level notifications and set the thresholds that trigger
658 them. Additional read-write objects described in Section 3.1.1 set
659 limits on the number of address and port mapping entries, number of
660 pending fragments, and number of active subscribers for the instance.
662 The state and statistical information provided by this table consists
663 of the per-instance items described in Section 3.1.3 and
664 Section 3.1.4 respectively. natv2InstanceDiscontinuityTime is a
665 timestamp giving the time beyond which all of the statistical
666 counters in natv2InstanceTable are guaranteed to have accumulated
667 continuously.
669 3.3.5. The Protocol Table: natv2ProtocolTable
671 The protocol table is indexed by the NAT instance number and an
672 object of type ProtocolNumber as described in Section 3.3.1 (i.e., an
673 IANA-registered protocol number). The set of protocols supported by
674 the NAT instance is implementation-dependent, but MUST include
675 ICMP(1), TCP(6), UDP(17), and ICMPv6(58). Depending on the
676 application, it SHOULD include IPv4 encapsulation(4), IPv6
677 encapsulation(41), IPSec AH(51), and SCTP(132). Support of PIM(103)
678 is highly desirable.
680 This table includes no configuration information. The state and
681 statistical information provided by this table consists of the per-
682 protocol items described in Section 3.1.3 and Section 3.1.4
683 respectively. natv2InstanceDiscontinuityTime in natv2InstanceTable is
684 reused as the timestamp giving the time beyond which all of the
685 statistical counters in natv2ProtocolTable are guaranteed to have
686 accumulated continuously. The reasoning is that any event affecting
687 the continuity of per-protocol statistics will affect the continuity
688 of NAT instance statistics, and vice versa.
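The continuity rule of Sections 3.3.4 and 3.3.5 as a manager would apply it: an added example (not part of the draft) that differences natv2InstancePortMapCreations across polls, handles Counter64 and sysUpTime wrap, and discards any interval in which natv2InstanceDiscontinuityTime changed. The poll values are constructed.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple

COUNTER64_MODULUS = 1 << 64   # Counter64 wraps modulo 2^64 (RFC 2578)
TIMETICKS_MODULUS = 1 << 32   # sysUpTime / TimeStamp wrap modulo 2^32


class InstancePoll(NamedTuple):
    """One poll of a natv2InstanceTable row. Field values are constructed here."""
    sys_uptime: int            # sysUpTime.0 at poll time, hundredths of a second
    discontinuity_time: int    # natv2InstanceDiscontinuityTime (TimeStamp)
    port_map_creations: int    # natv2InstancePortMapCreations (Counter64)


class CreationRateTracker:
    """Derives port-map creations per second from successive polls of each NAT
    instance, discarding any interval that spans a counter discontinuity."""

    def __init__(self) -> None:
        self._last: Dict[int, InstancePoll] = {}   # keyed by natv2InstanceIndex

    def update(self, instance: int, poll: InstancePoll) -> Optional[float]:
        prev = self._last.get(instance)
        self._last[instance] = poll
        if prev is None:
            return None   # first sample of this instance: nothing to difference
        if poll.discontinuity_time != prev.discontinuity_time:
            # The discontinuity timestamp moved, so the counter may have been
            # reset: the draft's guidance is not to use the difference.
            return None
        elapsed = (poll.sys_uptime - prev.sys_uptime) % TIMETICKS_MODULUS
        if elapsed == 0:
            return None
        delta = (poll.port_map_creations - prev.port_map_creations) % COUNTER64_MODULUS
        return delta / (elapsed / 100.0)


def creation_rates(polls: List[Tuple[int, InstancePoll]]) -> List[Optional[float]]:
    """Feed a poll sequence through one tracker; None marks unusable intervals."""
    tracker = CreationRateTracker()
    return [tracker.update(instance, poll) for instance, poll in polls]


# Constructed poll sequence for NAT instance 1: 60 s between polls, with a
# counter reset (new natv2InstanceDiscontinuityTime) before the third poll.
CONSTRUCTED_POLLS = [
    (1, InstancePoll(sys_uptime=100_000, discontinuity_time=5_000, port_map_creations=1_000)),
    (1, InstancePoll(sys_uptime=106_000, discontinuity_time=5_000, port_map_creations=1_300)),
    (1, InstancePoll(sys_uptime=112_000, discontinuity_time=110_500, port_map_creations=40)),
    (1, InstancePoll(sys_uptime=118_000, discontinuity_time=110_500, port_map_creations=640)),
]

if __name__ == "__main__":
    for (instance, poll), rate in zip(CONSTRUCTED_POLLS, creation_rates(CONSTRUCTED_POLLS)):
        print(instance, poll.sys_uptime,
              "unusable" if rate is None else f"{rate:.1f} creations/s")
```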
690 3.3.6. The Address Pool Table: natv2PoolTable
692 The address pool table is indexed by the NAT instance identifier for
693 the instance on which it is provisioned, plus a pool index of type
694 Natv2PoolIndex. Configuration information provided includes the
695 address realm for which the pool provides addresses, the type of
696 address (IPv4 or IPv6) supported by the realm, plus the port range it
697 makes available for allocation. The same set of port numbers (or, in
698 the ICMP case, identifier values), is made available for every
699 protocol supported by the NAT instance. The port range is specified
700 in terms of minimum and maximum port number.
702 The state and statistical information provided by this table consists
703 of the per-pool items described in Section 3.1.3 and Section 3.1.4
704 respectively, plus two additional state objects described below.
705 natv2PoolTable provides the pool-specific object
706 natv2PoolDiscontinuityTime to indicate the time since which the
707 statistical counters have accumulated continuously.
709 Read-write objects to set high and low thresholds for pool usage
710 notifications and for governing notification rate were identified in
711 Section 3.1.2. The default interval between notifications for a
712 given address pool is set to 20 seconds.
714 Implementation note: the thresholds are defined in terms of
715 percentage of available port utilization. The number of available
716 ports in a pool is equal to (max port - min port + 1) (from the
717 natv2PoolTable configuration information) multiplied by the number
718 of addresses provisioned in the pool (sum of number of addresses
719 provided by each natv2PoolRangeTable conceptual row relating to
720 that pool). At configuration time, the thresholds can be
721 recalculated in terms of total number of port map entries
722 corresponding to the configured percentage, so that runtime
723 comparisons to the current number of port map entries require no
724 further arithmetic operations.
726 natv2PoolTable also provides two state objects that are returned with
727 the notifications. natv2PoolNotifiedPortMapProtocol identifies the
728 most-mapped protocol at the time the notification was triggered.
729 natv2PoolNotifiedPortMapEntries provides the total number of port map
730 entries for that protocol using addresses owned by this pool at that
731 same time.
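The implementation note above, worked through in code: an added example (not the draft's or any vendor's code) that computes a pool's port capacity from its natv2PoolTable port range and natv2PoolRangeTable address ranges, converts the percentage thresholds to entry counts once, picks the most-mapped protocol, and applies the low/high tests under the pool's notification interval. The Python classes, the threshold disable values (-1 for low, 0 for high) and the 20-second default follow the draft; all input values are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PoolConfig:
    """One natv2PoolTable row plus its natv2PoolRangeTable rows (example structure)."""
    min_port: int                            # pool minimum port number
    max_port: int                            # pool maximum port number
    address_ranges: List[Tuple[str, str]]    # (lowest, highest) per natv2PoolRangeTable row
    threshold_low_pct: int                   # natv2PoolThresholdUsageLow; -1 disables
    threshold_high_pct: int                  # natv2PoolThresholdUsageHigh; 0 disables
    notification_interval: int = 20          # seconds between pool notifications


def pool_capacity(cfg: PoolConfig) -> int:
    """Available ports per protocol: (max port - min port + 1) * number of addresses."""
    ports = cfg.max_port - cfg.min_port + 1
    addresses = sum(int(ipaddress.ip_address(hi)) - int(ipaddress.ip_address(lo)) + 1
                    for lo, hi in cfg.address_ranges)
    return ports * addresses


def absolute_thresholds(cfg: PoolConfig) -> Tuple[Optional[int], Optional[int]]:
    """Recalculate the percentage thresholds as port-map-entry counts at
    configuration time, so the runtime check is a single integer comparison:
      usage <= low%   <=>  entries <= floor(capacity * low / 100)
      usage >= high%  <=>  entries >= ceil(capacity * high / 100)"""
    cap = pool_capacity(cfg)
    low = None if cfg.threshold_low_pct < 0 else (cap * cfg.threshold_low_pct) // 100
    high = None if cfg.threshold_high_pct <= 0 else -((-cap * cfg.threshold_high_pct) // 100)
    return low, high


class PoolUsageMonitor:
    """Evaluates one pool's usage against its precomputed thresholds."""

    def __init__(self, cfg: PoolConfig) -> None:
        self.cfg = cfg
        self.low, self.high = absolute_thresholds(cfg)
        self._last_notified: Optional[int] = None   # seconds, last reported notification

    def evaluate(self, now: int, entries_by_protocol: Dict[int, int]):
        """entries_by_protocol: current port map entries on this pool's addresses,
        keyed by protocol number. Returns (natv2PoolNotifiedPortMapProtocol,
        natv2PoolNotifiedPortMapEntries, names of notifications to report)."""
        if entries_by_protocol:
            # most-mapped protocol; the first one wins on a tie
            proto, entries = max(entries_by_protocol.items(), key=lambda kv: kv[1])
        else:
            proto, entries = None, 0
        fired = []
        if self.low is not None and entries <= self.low:
            fired.append("natv2NotificationPoolUsageLow")
        if self.high is not None and entries >= self.high:
            fired.append("natv2NotificationPoolUsageHigh")
        if fired:
            if (self._last_notified is not None
                    and now - self._last_notified < self.cfg.notification_interval):
                fired = []   # suppressed by the per-pool rate limit
            else:
                self._last_notified = now
        return proto, entries, fired


# Constructed pool: ports 1024..65535 on two ranges of 8 IPv4 addresses each.
EXAMPLE_POOL = PoolConfig(
    min_port=1024, max_port=65535,
    address_ranges=[("198.51.100.1", "198.51.100.8"), ("198.51.100.17", "198.51.100.24")],
    threshold_low_pct=20, threshold_high_pct=90)

if __name__ == "__main__":
    print("capacity", pool_capacity(EXAMPLE_POOL), "thresholds", absolute_thresholds(EXAMPLE_POOL))
    monitor = PoolUsageMonitor(EXAMPLE_POOL)
    print(monitor.evaluate(0, {6: 930_000, 17: 120_000, 1: 4_000}))
```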
733 3.3.7. The Address Pool Address Range Table: natv2PoolRangeTable
735 natv2PoolRangeTable provides configuration information only. It is
736 an expansion of natv2PoolTable giving the address ranges with which a
737 given address pool has been configured. As such, it is indexed by
738 the combination of NAT instance index, address pool index, and a
739 conceptual row index, where each conceptual row conveys a different
740 address range. The address range is specified in terms of lowest
741 and highest address, rather than the usual prefix notation, to
742 provide maximum flexibility.
744 3.3.8. The Address Map Table: natv2AddressMapTable
746 The address map table provides a table of mappings from internal to
747 external address at a given moment. It is indexed by the combination
748 of NAT instance index, internal realm, internal address type (IPv4 or
749 IPv6) in that realm, the internal address of the local host for which
750 the map entry was created, and a conceptual row index to traverse all
751 of the entries relating to the same internal address.
753 In the special case of DS-Lite [RFC6333], the internal address and
754 realm used in the index are those of the IPv6 outer header. The IPv4
755 source address for the inner header, for which [RFC6333] has reserved
756 addresses in the 192.0.0.0/29 range, is captured in two additional
757 objects in the corresponding conceptual row:
758 natv2AddressMapInternalMappedAddressType, and
759 natv2AddressMapInternalMappedAddress. In cases other than DS-Lite
760 access these objects have no meaning. (Other tunneled access is out
761 of scope.)
763 The additional information provided by natv2AddressMapTable consists
764 of the external realm, address type in that realm, and mapped
765 external address. Depending on implementation support, the table
766 also provides the index of the address pool from which the external
767 address was drawn and the index of the subscriber to which the map
768 entry belongs.
770 3.3.9. The Port Map Table: natv2PortMapTable
772 The port map table provides a table of mappings by protocol from
773 external port, address, and realm to internal port, address, and
774 realm. As such, it is indexed by the combination of NAT instance
775 index, protocol number, external realm identifier, address type in
776 that realm, external address, and external port. The mapping from
777 external realm, address, and port to internal realm, address, and
778 port is unique, so no conceptual row index is needed. The indexing
779 is designed to make it easy to trace individual sessions back to the
780 host, based on the contents of packets observed in the external
781 realm.
783 Beyond the indexing, the information provided by the port map table
784 consists of the internal realm, address type, address, and port
785 number, and, depending on implementation support, the index of the
786 subscriber to which the map entry belongs.
788 As with the address map table, special provision is made for the case
789 of DS-Lite [RFC6333]. The realm and outgoing source address are
790 those for the outer header, and the address type is IPv6. Additional
791 objects natv2PortMapInternalMappedAddressType and
792 natv2PortMapInternalMappedAddress capture the outgoing source address
793 in the inner header, which will be in the well-known 192.0.0.0/29
794 range.
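The trace-back the index design is meant to support, as an added example (not code from the draft): a constructed natv2PortMapTable keyed exactly as the text describes, a lookup from a packet observed in the external realm to the internal realm, address, port and subscriber, and the DS-Lite case where the inner IPv4 source address is read from natv2PortMapInternalMappedAddress and checked against 192.0.0.0/29. InetAddress octets are decoded per the InetAddressType values ipv4(1) and ipv6(2); the Python types are this example's own.

```python
import ipaddress
from typing import Dict, NamedTuple, Optional

IPV4, IPV6 = 1, 2                                     # InetAddressType values (RFC 4001)
DSLITE_INNER_RANGE = ipaddress.ip_network("192.0.0.0/29")   # inner source range per RFC 6333


class PortMapKey(NamedTuple):
    """natv2PortMapTable index. The external side is unique per instance and
    protocol, so no conceptual row index is needed."""
    instance: int
    protocol: int
    external_realm: str
    external_address_type: int
    external_address: bytes      # InetAddress octets: 4 for ipv4(1), 16 for ipv6(2)
    external_port: int


class PortMapRow(NamedTuple):
    internal_realm: str
    internal_address_type: int
    internal_address: bytes
    internal_port: int
    subscriber_index: int        # Natv2SubscriberIndexOrZero; 0 when not supported
    mapped_address_type: int = 0       # natv2PortMapInternalMappedAddressType (DS-Lite)
    mapped_address: bytes = b""        # natv2PortMapInternalMappedAddress (DS-Lite)


def decode_inet_address(addr_type: int, octets: bytes):
    """Turn an InetAddressType/InetAddress pair into an ipaddress object."""
    if addr_type == IPV4 and len(octets) == 4:
        return ipaddress.IPv4Address(octets)
    if addr_type == IPV6 and len(octets) == 16:
        return ipaddress.IPv6Address(octets)
    raise ValueError(f"unsupported InetAddressType {addr_type} with {len(octets)} octets")


def trace_back(table: Dict[PortMapKey, PortMapRow], instance: int, protocol: int,
               realm: str, ext_addr: str, ext_port: int) -> Optional[dict]:
    """Attribute a packet seen in the external realm to the internal host."""
    ext = ipaddress.ip_address(ext_addr)
    key = PortMapKey(instance, protocol, realm,
                     IPV4 if ext.version == 4 else IPV6, ext.packed, ext_port)
    row = table.get(key)
    if row is None:
        return None
    result = {
        "internal_realm": row.internal_realm,
        "internal_address": str(decode_inet_address(row.internal_address_type,
                                                    row.internal_address)),
        "internal_port": row.internal_port,
        "subscriber_index": row.subscriber_index,
    }
    if row.mapped_address:
        # DS-Lite: the internal address above is the IPv6 outer source; the
        # inner IPv4 source is carried separately and should fall in 192.0.0.0/29.
        inner = decode_inet_address(row.mapped_address_type, row.mapped_address)
        result["dslite_inner_address"] = str(inner)
        result["dslite_inner_in_expected_range"] = inner in DSLITE_INNER_RANGE
    return result


# Constructed table: one plain IPv4 TCP mapping and one DS-Lite UDP mapping.
CONSTRUCTED_PORT_MAP = {
    PortMapKey(1, 6, "external", IPV4, ipaddress.IPv4Address("198.51.100.7").packed, 40001):
        PortMapRow("internal", IPV4, ipaddress.IPv4Address("10.1.2.3").packed, 51515, 42),
    PortMapKey(1, 17, "external", IPV4, ipaddress.IPv4Address("198.51.100.7").packed, 40002):
        PortMapRow("internal", IPV6, ipaddress.IPv6Address("2001:db8:1::10").packed, 5060, 77,
                   IPV4, ipaddress.IPv4Address("192.0.0.2").packed),
}

if __name__ == "__main__":
    print(trace_back(CONSTRUCTED_PORT_MAP, 1, 6, "external", "198.51.100.7", 40001))
    print(trace_back(CONSTRUCTED_PORT_MAP, 1, 17, "external", "198.51.100.7", 40002))
```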
796 3.4. Conformance: Three Application Scenarios
798 The conformance statements in NATV2-MIB provide for three application
799 scenarios: basic NAT, NAT supporting address pools, and carrier grade
800 NAT (CGN).
802 A basic NAT MAY limit the number of NAT instances it supports to one,
803 but MUST support indexing by NAT instance. Similarly, a basic NAT
804 MAY limit the number of realms it supports to two. By definition, a
805 basic NAT is not required to support the subscriber table, the
806 address pool table, or the address pool address range table. Some
807 individual objects in other tables are also not relevant to basic
808 NAT.
810 A NAT supporting address pools adds the address pool table and the
811 address pool address range table to what it implements. Some
812 individual objects in other tables also need to be implemented. A
813 NAT supporting address pools MUST support more than two realms.
815 Finally, a CGN MUST support the full contents of the MIB module.
816 That includes the subscriber table, but also includes the special
817 provision for DS-Lite access in the address and port map tables.
819 4. Definitions
821 This MIB module IMPORTs objects from [RFC2578], [RFC2579], [RFC2580],
822 [RFC3411], and [RFC4001].
824 NATV2-MIB DEFINITIONS ::= BEGIN
826 IMPORTS
827 MODULE-IDENTITY,
828 OBJECT-TYPE,
829 Integer32,
830 Unsigned32,
831 Counter64,
832 mib-2,
833 NOTIFICATION-TYPE
834 FROM SNMPv2-SMI -- RFC 2578
835 TEXTUAL-CONVENTION,
836 DisplayString,
837 TimeStamp
838 FROM SNMPv2-TC -- RFC 2579
839 MODULE-COMPLIANCE,
840 NOTIFICATION-GROUP,
841 OBJECT-GROUP
842 FROM SNMPv2-CONF -- RFC 2580
843 SnmpAdminString
844 FROM SNMP-FRAMEWORK-MIB -- RFC 3411
845 InetAddressType,
846 InetAddress,
847 InetAddressPrefixLength,
848 InetPortNumber
849 FROM INET-ADDRESS-MIB; -- RFC 4001
851 natv2MIB MODULE-IDENTITY
852 LAST-UPDATED "201502170000Z"
853 -- RFC Ed.: set to publication date
854 ORGANIZATION
855 "IETF Behavior Engineering for Hindrance Avoidance
856 (BEHAVE) Working Group"
857 CONTACT-INFO
858 "Working Group Email: behave@ietf.org
859 Simon Perreault
860 Jive Communications
861 Quebec, QC
862 Canada
864 Email: sperreault@jive.com
866 Tina Tsou
867 Huawei Technologies
868 Bantian, Longgang
869 Shenzhen 518129
870 PR China
872 Email: tina.tsou.zouting@huawei.com
874 Senthil Sivakumar
875 Cisco Systems
876 7100-8 Kit Creek Road
877 Research Triangle Park, North Carolina 27709
878 USA
880 Phone: +1 919 392 5158
881 Email: ssenthil@cisco.com
883 Tom Taylor
884 PT Taylor Consulting
885 Ottawa
886 Canada
888 Email: tom.taylor.stds@gmail.com"
890 DESCRIPTION
891 "This MIB module defines the generic managed objects
892 for NAT.
894 Copyright (C) The Internet Society (2015). This
895 version of this MIB module is part of RFC yyyy; see
896 the RFC itself for full legal notices."
897 REVISION "201502170000Z"
898 -- RFC Ed.: set to publication date
899 DESCRIPTION
900 "Complete rewrite, published as RFC yyyy.
901 Replaces former version published as RFC 4008."
902 -- RFC Ed.: replace yyyy with actual RFC number and set date
903 ::= { mib-2 123 }
904 -- temporary for compilation pending IANA assignment
906 -- textual conventions
908 ProtocolNumber ::= TEXTUAL-CONVENTION
909 DISPLAY-HINT "d"
910 STATUS current
911 DESCRIPTION
912 "A protocol number, from the 'protocol-numbers' IANA
913 registry."
914 REFERENCE
915 "IANA Protocol Numbers,
916 http://www.iana.org/assignments/protocol-numbers/protocol-
917 numbers.xhtml#protocol-numbers-1"
918 SYNTAX Unsigned32 (0..255)
920 Natv2SubscriberIndex ::= TEXTUAL-CONVENTION
921 DISPLAY-HINT "d"
922 STATUS current
923 DESCRIPTION
924 "A unique value, greater than zero, for each subscriber
925 in the managed system. The value for each
926 subscriber MUST remain constant at least from one
927 update of the entity's natv2SubscriberDiscontinuityTime
928 object until the next update of that object. If a
929 subscriber is deleted, its assigned index value MUST NOT
930 be assigned to another subscriber at least until
931 reinitialization of the entity's management system."
932 SYNTAX Unsigned32 (1..4294967295)
934 Natv2SubscriberIndexOrZero ::= TEXTUAL-CONVENTION
935 DISPLAY-HINT "d"
936 STATUS current
937 DESCRIPTION
938 "This textual convention is an extension of the
939 Natv2SubscriberIndex convention. The latter defines a
940 greater than zero value used to identify a subscriber in
941 the managed system. This extension permits the additional
942 value of zero, which serves as a placeholder when no
943 subscriber is associated with the object."
944 SYNTAX Unsigned32 (0|1..4294967295)
946 Natv2InstanceIndex ::= TEXTUAL-CONVENTION
947 DISPLAY-HINT "d"
948 STATUS current
949 DESCRIPTION
950 "A unique value, greater than zero, for each NAT instance
951 in the managed system. It is RECOMMENDED that values are
952 assigned contiguously starting from 1. The value for each
953 NAT instance MUST remain constant at least from one
954 update of the entity's natv2InstanceDiscontinuityTime
955 object until the next update of that object. If a NAT
956 instance is deleted, its assigned index value MUST NOT
957 be assigned to another NAT instance at least until
958 reinitialization of the entity's management system."
959 SYNTAX Unsigned32 (1..4294967295)
961 Natv2PoolIndex ::= TEXTUAL-CONVENTION
962 DISPLAY-HINT "d"
963 STATUS current
964 DESCRIPTION
965 "A unique value over the containing NAT instance, greater than
966 zero, for each address pool supported by that NAT instance.
967 It is RECOMMENDED that values are assigned contiguously
968 starting from 1. The value for each address pool MUST remain
969 constant at least from one update of the entity's
970 natv2PoolDiscontinuityTime object until the next update of
971 that object. If an address pool is deleted, its assigned
972 index value MUST NOT be assigned to another address pool for
973 the same NAT instance at least until reinitialization of the
974 entity's management system."
975 SYNTAX Unsigned32 (1..4294967295)
977 Natv2PoolIndexOrZero ::= TEXTUAL-CONVENTION
978 DISPLAY-HINT "d"
979 STATUS current
980 DESCRIPTION
981 "This textual convention is an extension of the
982 Natv2PoolIndex convention. The latter defines a greater
983 than zero value used to identify address pools in the
984 managed system. This extension permits the additional
985 value of zero, which serves as a placeholder when the
986 implementation does not support address pools or no address
987 pool is configured in a given external realm."
988 SYNTAX Unsigned32 (0|1..4294967295)
990 -- notifications
992 natv2MIBNotifications OBJECT IDENTIFIER ::= { natv2MIB 0 }
994 natv2NotificationPoolUsageLow NOTIFICATION-TYPE
995 OBJECTS { natv2PoolNotifiedPortMapEntries,
996 natv2PoolNotifiedPortMapProtocol }
997 STATUS current
998 DESCRIPTION
999 "This notification is triggered when an address pool's usage
1000 becomes less than or equal to the value of the
1001 natv2PoolThresholdUsageLow object for that pool, unless the
1002 notification has been disabled by setting the value of the
1003 threshold to -1. It is reported subject to the rate
1004 limitation specified by natv2PortMapNotificationInterval.
1006 Address pool usage is calculated as the percentage of the
1007 total number of ports allocated to the address pool that are
1008 already in use, for the most-mapped protocol at the time
1009 the notification is triggered. The two returned objects are
1010 members of natv2PoolTable indexed by the NAT instance and
1011 pool indices for which the event is being reported. They
1012 give the number of port map entries using external addresses
1013 configured on the pool for the most-mapped protocol and
1014 identify that protocol at the time the notification was
1015 triggered."
1016 REFERENCE
1017 "RFC yyyy Section 3.1.2 and Section 3.3.6."
1018 ::= { natv2MIBNotifications 1 }
1020 natv2NotificationPoolUsageHigh NOTIFICATION-TYPE
1021 OBJECTS { natv2PoolNotifiedPortMapEntries,
1022 natv2PoolNotifiedPortMapProtocol }
1023 STATUS current
1024 DESCRIPTION
1025 "This notification is triggered when an address pool's usage
1026 becomes greater than or equal to the value of the
1027 natv2PoolThresholdUsageHigh object for that pool, unless
1028 the notification has been disabled by setting the value of
1029 the threshold to 0. It is reported subject to the rate
1030 limitation specified by natv2PortMapNotificationInterval.
1032 Address pool usage is calculated as the percentage of the
1033 total number of ports allocated to the address pool that are
1034 already in use, for the most-mapped protocol at the time the
1035 notification is triggered. The two returned objects are
1036 members of natv2PoolTable indexed by the NAT instance and
1037 pool indices for which the event is being reported. They
1038 give the number of port map entries using external addresses
1039 configured on the pool for the most-mapped protocol and
1040 identify that protocol at the time the notification was
1041 triggered."
1042 REFERENCE
1043 "RFC yyyy Section 3.1.2 and Section 3.3.6."
1044 ::= { natv2MIBNotifications 2 }
1046 natv2NotificationInstanceAddressMapEntriesHigh NOTIFICATION-TYPE
1047 OBJECTS { natv2InstanceAddressMapEntries,
1048 natv2InstanceAddressMapCreations }
1050 STATUS current
1051 DESCRIPTION
1052 "This notification is triggered when the value of
1053 natv2InstanceAddressMapEntries equals or exceeds the value
1054 of the natv2InstanceThresholdAddressMapEntriesHigh object
1055 for the NAT instance, unless disabled by setting that
1056 threshold to 0. Reporting is subject to the rate limitation
1057 given by natv2InstanceNotificationInterval.
1059 natv2InstanceAddressMapEntries and
1060 natv2InstanceAddressMapCreations are members of table
1061 natv2InstanceTable indexed by the identifier of the NAT
1062 instance for which the event is being reported. The values
1063 reported are those observed at the moment the notification
1064 was triggered."
1065 REFERENCE
1066 "RFC yyyy Section 3.1.2."
1067 ::= { natv2MIBNotifications 3 }
1069 natv2NotificationInstancePortMapEntriesHigh NOTIFICATION-TYPE
1070 OBJECTS { natv2InstancePortMapEntries,
1071 natv2InstancePortMapCreations }
1072 STATUS current
1073 DESCRIPTION
1074 "This notification is triggered when the value of
1075 natv2InstancePortMapEntries becomes greater than or equal to
1076 the value of natv2InstanceThresholdPortMapEntriesHigh,
1077 unless disabled by setting that threshold to 0. Reporting is
1078 subject to the rate limitation given by
1079 natv2InstanceNotificationInterval.
1081 natv2InstancePortMapEntries and
1082 natv2InstancePortMapCreations are members of table
1083 natv2InstanceTable indexed by the identifier of the NAT
1084 instance for which the event is being reported. The values
1085 reported are those observed at the moment the notification
1086 was triggered."
1087 ::= { natv2MIBNotifications 4 }
1089 natv2NotificationSubscriberPortMappingEntriesHigh
1090 NOTIFICATION-TYPE
1091 OBJECTS { natv2SubscriberPortMapEntries,
1092 natv2SubscriberPortMapCreations }
1093 STATUS current
1094 DESCRIPTION
1095 "This notification is triggered when the value of
1096 natv2SubscriberPortMapEntries for an individual subscriber
1097 becomes greater than or equal to the value of the
1098 natv2SubscriberThresholdPortMapEntriesHigh object for that
1099 subscriber, unless disabled by setting that threshold to 0.
1100 Reporting is subject to the rate limitation given by
1101 natv2SubscriberNotificationInterval.
1103 natv2SubscriberPortMapEntries and
1104 natv2SubscriberPortMapCreations are members of table
1105 natv2SubscriberTable indexed by the subscriber for
1106 which the event is being reported. The values
1107 reported are those observed at the moment the notification
1108 was triggered."
1109 ::= { natv2MIBNotifications 5 }
1111 -- Device-level objects
1113 natv2MIBDeviceObjects OBJECT IDENTIFIER ::= { natv2MIB 1 }
1115 -- subscriber table
1117 natv2SubscriberTable OBJECT-TYPE
1118 SYNTAX SEQUENCE OF Natv2SubscriberEntry
1119 MAX-ACCESS not-accessible
1120 STATUS current
1121 DESCRIPTION
1122 "Table of subscribers. As well as the subscriber index, it
1123 provides per-subscriber state and counter objects, a last
1124 discontinuity time object for the counters, and writable
1125 threshold value and limit on port consumption."
1126 REFERENCE
1127 "RFC yyyy Section 3.3.3."
1128 ::= { natv2MIBDeviceObjects 1 }
1130 natv2SubscriberEntry OBJECT-TYPE
1131 SYNTAX Natv2SubscriberEntry
1132 MAX-ACCESS not-accessible
1133 STATUS current
1134 DESCRIPTION
1135 "Each entry describes a single subscriber."
1136 INDEX { natv2SubscriberIndex }
1137 ::= { natv2SubscriberTable 1 }
1139 Natv2SubscriberEntry ::=
1140 SEQUENCE {
1141 natv2SubscriberIndex Natv2SubscriberIndex,
1142 natv2SubscriberInternalRealm SnmpAdminString,
1143 natv2SubscriberInternalPrefixType InetAddressType,
1144 natv2SubscriberInternalPrefix InetAddress,
1145 natv2SubscriberInternalPrefixLength InetAddressPrefixLength,
1146 -- State
1147 natv2SubscriberAddressMapEntries Unsigned32,
1148 natv2SubscriberPortMapEntries Unsigned32,
1149 -- Counters and last discontinuity time
1150 natv2SubscriberTranslations Counter64,
1151 natv2SubscriberAddressMapCreations Counter64,
1152 natv2SubscriberPortMapCreations Counter64,
1153 natv2SubscriberAddressMapFailureDrops Counter64,
1154 natv2SubscriberPortMapFailureDrops Counter64,
1155 natv2SubscriberDiscontinuityTime TimeStamp,
1156 -- Read-write controls
1157 natv2SubscriberLimitPortMapEntries Unsigned32,
1158 -- Disable limit by setting to 0 (default)
1159 natv2SubscriberThresholdPortMapEntriesHigh Unsigned32,
1160 -- Disable notifications by setting threshold to 0 (default)
1161 natv2SubscriberNotificationInterval Unsigned32
1162 -- Default is 60 seconds
1163 }
1165 natv2SubscriberIndex OBJECT-TYPE
1166 SYNTAX Natv2SubscriberIndex
1167 MAX-ACCESS not-accessible
1168 STATUS current
1169 DESCRIPTION
1170 "A unique value, greater than zero, for each subscriber
1171 in the managed system. The value for each
1172 subscriber MUST remain constant at least from one
1173 update of the entity's natv2SubscriberDiscontinuityTime
1174 object until the next update of that object. If a
1175 subscriber is deleted, its assigned index value MUST NOT
1176 be assigned to another subscriber at least until
1177 reinitialization of the entity's management system."
1178 ::= { natv2SubscriberEntry 1 }
1180 -- Configuration for this subscriber: realm, internal address(es)
1182 natv2SubscriberInternalRealm OBJECT-TYPE
1183 SYNTAX SnmpAdminString (SIZE(0..32))
1184 MAX-ACCESS read-only
1185 STATUS current
1186 DESCRIPTION
1187 "The address realm to which this subscriber belongs. A realm
1188 defines an address space. All NATs support at least two
1189 realms.
1191 The default realm for subscribers is 'internal'.
1192 Administrators can set other values for individual
1193 subscribers when they are configured. The administrator MAY
1194 configure a new value of natv2SubscriberInternalRealm at any time
1195 subsequent to initial configuration of the subscriber. If
1196 this happens, it MUST be treated as a point of discontinuity
1197 requiring an update of natv2SubscriberDiscontinuityTime.
1199 When the subscriber sends a packet to the NAT through a
1200 DS-Lite [RFC 6333] tunnel, this is the realm of the outer
1201 packet header source address. Other tunneled access is out
1202 of scope."
1203 REFERENCE
1204 "Address realm: RFC 2663. DS-Lite: RFC 6333."
1205 DEFVAL
1206 { "internal" }
1207 ::= { natv2SubscriberEntry 2 }
1209 natv2SubscriberInternalPrefixType OBJECT-TYPE
1210 SYNTAX InetAddressType
1211 MAX-ACCESS read-only
1212 STATUS current
1213 DESCRIPTION
1214 "Subscriber's internal prefix type. Any value other than
1215 ipv4(1) or ipv6(2) would be unexpected. In the case of
1216 DS-Lite access, this is the prefix type (ipv6(2)) used in
1217 the outer packet header."
1218 REFERENCE
1219 "DS-Lite: RFC 6333."
1220 ::= { natv2SubscriberEntry 3 }
1222 natv2SubscriberInternalPrefix OBJECT-TYPE
1223 SYNTAX InetAddress
1224 MAX-ACCESS read-only
1225 STATUS current
1226 DESCRIPTION
1227 "Prefix assigned to a subscriber's CPE. Source addresses of
1228 packets outgoing from the subscriber will be contained
1229 within this prefix. In the case of DS-Lite access,
1230 the source address taken from the prefix will be
1231 that of the outer header."
1232 REFERENCE
1233 "DS-Lite: RFC 6333."
1234 ::= { natv2SubscriberEntry 4 }
1236 natv2SubscriberInternalPrefixLength OBJECT-TYPE
1237 SYNTAX InetAddressPrefixLength
1238 MAX-ACCESS read-only
1239 STATUS current
1240 DESCRIPTION
1241 "Length of the prefix assigned to a subscriber's CPE, in
1242 bits. If a single address is assigned, this will be 32
1243 for IPv4 and 128 for IPv6."
1244 ::= { natv2SubscriberEntry 5 }
1246 -- State objects
1248 natv2SubscriberAddressMapEntries OBJECT-TYPE
1249 SYNTAX Unsigned32
1250 MAX-ACCESS read-only
1251 STATUS current
1252 DESCRIPTION
1253 "The current number of address map entries for the
1254 subscriber, including static mappings. An address map entry
1255 maps from a given internal address and realm to an external
1256 address in a particular external realm. This definition
1257 includes 'hairpin' mappings, where the external realm is the
1258 same as the internal one. Address map entries are also
1259 tracked per instance and per address pool within the
1260 instance."
1261 REFERENCE
1262 "RFC yyyy Section 3.3.8."
1263 ::= { natv2SubscriberEntry 6 }
1265 natv2SubscriberPortMapEntries OBJECT-TYPE
1266 SYNTAX Unsigned32
1267 MAX-ACCESS read-only
1268 STATUS current
1269 DESCRIPTION
1270 "The current number of port map entries in the port map table
1271 for the subscriber, including static mappings. A port map
1272 entry maps from a given external realm, address, and port
1273 for a given protocol to an internal realm, address, and
1274 port. This definition includes 'hairpin' mappings, where the
1275 external realm is the same as the internal one. Port map
1276 entries are also tracked per instance and per protocol and
1277 address pool within the instance."
1278 REFERENCE
1279 "RFC yyyy Section 3.3.9."
1280 ::= { natv2SubscriberEntry 7 }
1282 -- Counters and last discontinuity time
1284 natv2SubscriberTranslations OBJECT-TYPE
1285 SYNTAX Counter64
1286 MAX-ACCESS read-only
1287 STATUS current
1288 DESCRIPTION
1289 "The cumulative number of translated packets received from or
1290 sent to this subscriber. This value MUST be monotone
1291 increasing in the periods between updates of the entity's
1292 natv2SubscriberDiscontinuityTime. If a manager detects a
1293 change in the latter since the last time it sampled this
1294 counter, it SHOULD NOT make use of the difference between
1295 the latest value of the counter and any value retrieved
1296 before the new value of natv2SubscriberDiscontinuityTime."
1297 ::= { natv2SubscriberEntry 8 }
1299 natv2SubscriberAddressMapCreations OBJECT-TYPE
1300 SYNTAX Counter64
1301 MAX-ACCESS read-only
1302 STATUS current
1303 DESCRIPTION
1304 "The cumulative number of address map entries created for
1305 this subscriber, including static mappings. Address map
1306 entries are also tracked per instance and per protocol and
1307 address pool within the instance.
1309 This value MUST be monotone increasing in
1310 the periods between updates of the entity's
1311 natv2SubscriberDiscontinuityTime. If a manager detects a
1312 change in the latter since the last time it sampled this
1313 counter, it SHOULD NOT make use of the difference between
1314 the latest value of the counter and any value retrieved
1315 before the new value of natv2SubscriberDiscontinuityTime."
1316 ::= { natv2SubscriberEntry 9 }
1318 natv2SubscriberPortMapCreations OBJECT-TYPE
1319 SYNTAX Counter64
1320 MAX-ACCESS read-only
1321 STATUS current
1322 DESCRIPTION
1323 "The cumulative number of port map entries created for this
1324 subscriber, including static mappings. Port map entries are
1325 also tracked per instance and per protocol and address pool
1326 within the instance.
1328 This value MUST be monotone increasing in the periods
1329 between updates of the entity's
1330 natv2SubscriberDiscontinuityTime. If a manager detects a
1331 change in the latter since the last time it sampled this
1332 counter, it SHOULD NOT make use of the difference between
1333 the latest value of the counter and any value retrieved
1334 before the new value of natv2SubscriberDiscontinuityTime."
1335 ::= { natv2SubscriberEntry 10 }
1337 natv2SubscriberAddressMapFailureDrops OBJECT-TYPE
1338 SYNTAX Counter64
1339 MAX-ACCESS read-only
1340 STATUS current
1341 DESCRIPTION
1342 "The cumulative number of packets originated by this
1343 subscriber that were dropped because the packet would have
1344 triggered the creation of a new address map entry, but no
1345 address could be allocated in the selected external realm
1346 because all addresses from the selected address pool (or the
1347 whole realm, if no address pool has been configured for that
1348 realm) have already been fully allocated.
1350 This value MUST be monotone increasing in the periods
1351 between updates of the entity's
1352 natv2SubscriberDiscontinuityTime. If a manager detects a
1353 change in the latter since the last time it sampled this
1354 counter, it SHOULD NOT make use of the difference between
1355 the latest value of the counter and any value retrieved
1356 before the new value of natv2SubscriberDiscontinuityTime."
1357 ::= { natv2SubscriberEntry 11 }
1359 natv2SubscriberPortMapFailureDrops OBJECT-TYPE
1360 SYNTAX Counter64
1361 MAX-ACCESS read-only
1362 STATUS current
1363 DESCRIPTION
1364 "The cumulative number of packets dropped because the
1365 packet would have triggered the creation of a new
1366 port mapping, but no port could be allocated for the
1367 protocol concerned. The usual case for this will be
1368 for a NAT instance that supports address pooling and
1369 the 'paired' pooling behavior recommended by RFC 4787,
1370 where the internal endpoint has used up all of the
1371 ports allocated to it for the address it was mapped to
1372 in the selected address pool in the external realm
1373 concerned and cannot be given more ports because
1374 - policy or implementation prevents it from having a
1375 second address in the same pool, and
1376 - policy or unavailability prevents it from acquiring
1377 more ports at its originally assigned address.
1379 If the NAT instance supports address pooling but its
1380 pooling behavior is 'arbitrary' (meaning that
1381 the NAT instance can allocate a new port mapping for
1382 the given internal endpoint on any address in the
1383 selected address pool and is not bound to what it has
1384 already mapped for that endpoint), then this counter
1385 is incremented when all ports for the protocol concerned
1386 over the whole of the selected address pool are already
1387 in use.
1389 As a third case, if no address pools have been configured
1390 for the external realm concerned, then this counter is
1391 incremented because all ports for the protocol involved over
1392 the whole set of addresses available for that external realm
1393 are already in use.
1395 Finally, this counter is incremented if the packet would
1396 have triggered the creation of a new port mapping, but the
1397 current value of natv2SubscriberPortMapEntries equals or
1398 exceeds the value of natv2SubscriberLimitPortMapEntries
1399 for this subscriber (unless that limit is disabled).
1401 This value MUST be monotone increasing in the periods
1402 between updates of the entity's
1403 natv2SubscriberDiscontinuityTime. If a manager detects a
1404 change in the latter since the last time it sampled this
1405 counter, it SHOULD NOT make use of the difference between
1406 the latest value of the counter and any value retrieved
1407 before the new value of natv2SubscriberDiscontinuityTime."
1408 REFERENCE
1409 "Pooling behavior: RFC 4787, end of section 4.1."
1410 ::= { natv2SubscriberEntry 12 }
1412 natv2SubscriberDiscontinuityTime OBJECT-TYPE
1413 SYNTAX TimeStamp
1414 MAX-ACCESS read-only
1415 STATUS current
1416 DESCRIPTION
1417 "Snapshot of the value of the sysUpTime object at the
1418 beginning of the latest period of continuity of the
1419 statistical counters associated with this subscriber."
1420 ::= { natv2SubscriberEntry 14 }
1422 -- Per-subscriber limit and threshold on port mappings
1423 -- Disabled if set to zero
1424 natv2SubscriberLimitPortMapEntries OBJECT-TYPE
1425 SYNTAX Unsigned32
1426 MAX-ACCESS read-write
1427 STATUS current
1428 DESCRIPTION
1429 "Limit on total number of port mappings active for this
1430 subscriber (natv2SubscriberPortMapEntries). Once this limit
1431 is reached, packets that might have triggered new port
1432 mappings are dropped. The number of such packets dropped is
1433 counted in natv2InstancePortMapFailureDrops.
1435 Limit is disabled if set to zero (default)."
1436 DEFVAL
1437 { 0 }
1438 ::= { natv2SubscriberEntry 15 }
1440 natv2SubscriberThresholdPortMapEntriesHigh OBJECT-TYPE
1441 SYNTAX Unsigned32
1442 MAX-ACCESS read-write
1443 STATUS current
1444 DESCRIPTION
1445 "Notification threshold for total number of port mappings
1446 active for this subscriber. Whenever
1447 natv2SubscriberPortMapEntries is updated, if it equals or
1448 exceeds natv2SubscriberThresholdPortMapEntriesHigh, the
1449 notification
1450 natv2NotificationSubscriberPortMappingEntriesHigh is
1451 triggered, unless the notification is disabled by setting
1452 the threshold to 0. Reporting is subject to the minimum
1453 inter-notification interval given by
1454 natv2SubscriberNotificationInterval. If multiple
1455 notifications are triggered during one interval, the agent
1456 MUST report only the one containing the highest value of
1457 natv2SubscriberPortMapEntries and discard the others."
1458 DEFVAL
1459 { 0 }
1460 ::= { natv2SubscriberEntry 16 }
1462 natv2SubscriberNotificationInterval OBJECT-TYPE
1463 SYNTAX Unsigned32 (1..3600)
1464 UNITS
1465 "Seconds"
1466 MAX-ACCESS read-write
1467 STATUS current
1468 DESCRIPTION
1469 "Minimum number of seconds (default 60) between successive
1470 reporting of notifications for this subscriber. Controls the
1471 reporting of
1472 natv2NotificationSubscriberPortMappingEntriesHigh."
1473 DEFVAL
1474 { 60 }
1475 ::= { natv2SubscriberEntry 17 }
1477 -- Per-NAT-instance objects
1479 natv2MIBInstanceObjects OBJECT IDENTIFIER ::= { natv2MIB 2 }
1480 -- Instance table
1482 natv2InstanceTable OBJECT-TYPE
1483 SYNTAX SEQUENCE OF Natv2InstanceEntry
1484 MAX-ACCESS not-accessible
1485 STATUS current
1486 DESCRIPTION
1487 "Table of NAT instances. As well as state and counter
1488 objects, it provides the instance index, instance name, and
1489 the last discontinuity time object which is applicable to
1490 the counters. It also contains writable thresholds for
1491 reporting of notifications and limits on usage of resources
1492 at the level of the NAT instance.
1494 It is assumed that NAT instances can be created and deleted
1495 dynamically, but this MIB module does not provide the means
1496 to do so. For restrictions on assignment and maintenance of
1497 the NAT instance index see the description of
1498 natv2InstanceIndex in the table below. For the requirements
1499 on maintenance of the values of the counters in this table
1500 see the description of natv2InstanceDiscontinuityTime in
1501 this table.
1503 Each NAT instance has its own resources and behavior. The
1504 resources include memory as reflected in space for map
1505 entries, processing power as reflected in the rate of map
1506 creation and deletion, and mappable addresses in each realm
1507 that can play the role of an external realm for at least
1508 some mappings for that instance. The NAT instance table
1509 includes limits and notification thresholds that relate to
1510 memory usage for mapping at the level of the whole instance.
1511 The limit on the number of subscribers with active mappings
1512 is, to some extent, a limit on processor usage.
1514 The mappable 'external' addresses may or may not be
1515 organized into address pools. For a definition of address
1516 pools see the description of natv2PoolTable. If the instance
1517 does support address pools, it also has a pooling behavior.
1518 Mapping, filtering, and pooling behavior are defined in the
1519 descriptions of the natv2InstancePortMappingBehavior,
1520 natv2InstanceFilteringBehavior, and
1521 natv2InstancePoolingBehavior objects in this table. The
1522 instance also has a fragmentation behavior, defined in the
1523 description of the natv2InstanceFragmentBehavior object."
1524 REFERENCE
1525 "RFC yyyy Section 3.3.4. NAT behaviors: RFC 4787
1526 (primary, UDP); RFC 5382 (TCP), RFC 5508 (ICMP), RFC 5597
1527 (DCCP)."
1529 ::= { natv2MIBInstanceObjects 1 }
1531 natv2InstanceEntry OBJECT-TYPE
1532 SYNTAX Natv2InstanceEntry
1533 MAX-ACCESS not-accessible
1534 STATUS current
1535 DESCRIPTION
1536 "Objects related to a single NAT instance."
1537 INDEX { natv2InstanceIndex }
1538 ::= { natv2InstanceTable 1 }
1540 Natv2InstanceEntry ::=
1541 SEQUENCE {
1542 natv2InstanceIndex Natv2InstanceIndex,
1543 natv2InstanceAlias DisplayString,
1544 -- Configured behaviors
1545 natv2InstancePortMappingBehavior INTEGER,
1546 natv2InstanceFilteringBehavior INTEGER,
1547 natv2InstancePoolingBehavior INTEGER,
1548 natv2InstanceFragmentBehavior INTEGER,
1549 -- State
1550 natv2InstanceAddressMapEntries Unsigned32,
1551 natv2InstancePortMapEntries Unsigned32,
1552 -- Statistics and discontinuity time
1553 natv2InstanceTranslations Counter64,
1554 natv2InstanceAddressMapCreations Counter64,
1555 natv2InstancePortMapCreations Counter64,
1556 natv2InstanceAddressMapEntryLimitDrops Counter64,
1557 natv2InstancePortMapEntryLimitDrops Counter64,
1558 natv2InstanceSubscriberActiveLimitDrops Counter64,
1559 natv2InstanceAddressMapFailureDrops Counter64,
1560 natv2InstancePortMapFailureDrops Counter64,
1561 natv2InstanceFragmentDrops Counter64,
1562 natv2InstanceOtherResourceFailureDrops Counter64,
1563 natv2InstanceDiscontinuityTime TimeStamp,
1564 -- Notification thresholds, disabled if set to 0
1565 natv2InstanceThresholdAddressMapEntriesHigh Unsigned32,
1566 natv2InstanceThresholdPortMapEntriesHigh Unsigned32,
1567 natv2InstanceNotificationInterval Unsigned32,
1568 -- Limits, disabled if set to 0
1569 natv2InstanceLimitAddressMapEntries Unsigned32,
1570 natv2InstanceLimitPortMapEntries Unsigned32,
1571 natv2InstanceLimitPendingFragments Unsigned32,
1572 natv2InstanceLimitSubscriberActives Unsigned32
1573 }
1575 natv2InstanceIndex OBJECT-TYPE
1576 SYNTAX Natv2InstanceIndex
1577 MAX-ACCESS not-accessible
1578 STATUS current
1579 DESCRIPTION
1580 "NAT instance index. It is up to the implementation to
1581 determine which values correspond to in-service NAT
1582 instances. This object is used as an index for all tables
1583 defined below."
1584 ::= { natv2InstanceEntry 1 }
1586 natv2InstanceAlias OBJECT-TYPE
1587 SYNTAX DisplayString (SIZE (0..64))
1588 MAX-ACCESS read-only
1589 STATUS current
1590 DESCRIPTION
1591 "This object is an 'alias' name for the NAT instance as
1592 specified by a network manager, and provides a non-volatile
1593 'handle' for the instance.
1595 An example of the value which a network manager might store
1596 in this object for a NAT instance is the name/identifier of
1597 the interface that brings in internal traffic for this NAT
1598 instance or the name of the VRF for internal traffic."
1599 ::= { natv2InstanceEntry 2 }
1601 -- Configured behaviors
1603 natv2InstancePortMappingBehavior OBJECT-TYPE
1604 SYNTAX INTEGER {
1605 endpointIndependent (0),
1606 addressDependent (1),
1607 addressAndPortDependent (2)
1608 }
1609 MAX-ACCESS read-only
1610 STATUS current
1611 DESCRIPTION
1612 "Port mapping behavior is the policy governing selection of
1613 external address and port in a given realm for a given
1614 five-tuple of source address and port, destination address
1615 and port, and protocol.
1617 endpointIndependent(0), the behavior REQUIRED by RFC 4787
1618 REQ-1, maps the source address and port to the same
1619 external address and port for all destination address and
1620 port combinations reached through the same external realm
1621 and using the given protocol.
1623 addressDependent(1) maps to the same external address and
1624 port for all destination ports at the same destination
1625 address reached through the same external realm and using
1626 the given protocol.
1628 addressAndPortDependent(2) maps to a separate external
1629 address and port combination for each different
1630 destination address and port combination reached through
1631 the same external realm."
1632 REFERENCE
1633 "RFC 4787 section 4.1."
1634 ::= { natv2InstanceEntry 3 }
1636 natv2InstanceFilteringBehavior OBJECT-TYPE
1637 SYNTAX INTEGER {
1638 endpointIndependent (0),
1639 addressDependent (1),
1640 addressAndPortDependent (2)
1641 }
1642 MAX-ACCESS read-only
1643 STATUS current
1644 DESCRIPTION
1645 "Filtering behavior is the policy governing acceptance or
1646 dropping of packets incoming from remote sources via a
1647 given external realm and destined to a specific three-tuple
1648 of external address, port, and protocol at the NAT instance
1649 that has been assigned in a port mapping.
1651 endpointIndependent(0) accepts for translation packets from
1652 all combinations of remote address and port destined to the
1653 mapped external address and port via the given external
1654 realm and using the given protocol.
1656 addressDependent(1) accepts for translation packets from all
1657 remote ports from the same remote source address destined to
1658 the mapped external address and port via the given external
1659 realm and using the given protocol.
1661 addressAndPortDependent(2) accepts for translation only
1662 those packets with the same remote source address, port, and
1663 protocol incoming from the same external realm as identified
1664 when the applicable port map entry was created.
1666 RFC 4787 REQ-8 recommends either endpointIndependent(0) or
1667 addressDependent(1) filtering behavior depending on whether
1668 application-friendliness or security takes priority."
1669 REFERENCE
1670 "RFC 4787 section 5."
1671 ::= { natv2InstanceEntry 4 }
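The following Python model is added here as an illustration of the two behaviors above; it is not part of the draft or of any NAT implementation. The sequential port allocation, the single external address and the RFC 5737 documentation addresses are constructed for the example.

```python
# Added example (not from the draft): a small model of how a NAT instance's
# port mapping behavior and filtering behavior decide which external port
# an outbound flow receives and which inbound packets are accepted.
from dataclasses import dataclass, field
from enum import IntEnum


class Behavior(IntEnum):
    """Values of natv2InstancePortMappingBehavior / natv2InstanceFilteringBehavior."""
    endpointIndependent = 0
    addressDependent = 1
    addressAndPortDependent = 2


@dataclass(frozen=True)
class Endpoint:
    addr: str
    port: int


@dataclass
class PortMapping:
    external: Endpoint     # external address/port assigned by the NAT
    internal: Endpoint     # internal address/port of the subscriber host
    protocol: int          # IANA protocol number (17 = UDP)
    # Remote endpoints the internal host has sent to through this mapping;
    # the filtering behavior consults this set on inbound packets.
    remotes: set = field(default_factory=set)


class NatInstance:
    def __init__(self, mapping, filtering, external_addr, first_port=1024):
        self.mapping = Behavior(mapping)
        self.filtering = Behavior(filtering)
        self.external_addr = external_addr
        self.next_port = first_port       # constructed: sequential port allocation
        self.by_key = {}                  # mapping key -> PortMapping
        self.by_external = {}             # (protocol, external Endpoint) -> PortMapping
        self.translations = 0             # natv2InstanceTranslations
        self.port_map_creations = 0       # natv2InstancePortMapCreations

    def _mapping_key(self, internal, remote, protocol):
        """Decides when an existing external address/port is reused."""
        if self.mapping == Behavior.endpointIndependent:   # RFC 4787 REQ-1
            return (protocol, internal)
        if self.mapping == Behavior.addressDependent:
            return (protocol, internal, remote.addr)
        return (protocol, internal, remote)

    def outbound(self, internal, remote, protocol):
        """Translate an outbound packet; returns the external endpoint used."""
        key = self._mapping_key(internal, remote, protocol)
        m = self.by_key.get(key)
        if m is None:
            m = PortMapping(Endpoint(self.external_addr, self.next_port),
                            internal, protocol)
            self.next_port += 1
            self.by_key[key] = m
            self.by_external[(protocol, m.external)] = m
            self.port_map_creations += 1
        m.remotes.add(remote)
        self.translations += 1
        return m.external

    def inbound(self, remote, external, protocol):
        """Apply the filtering behavior to an inbound packet addressed to
        (external, protocol); returns the internal endpoint, or None if dropped."""
        m = self.by_external.get((protocol, external))
        if m is None:
            return None                   # no port map entry at all
        if self.filtering == Behavior.endpointIndependent:
            accepted = True
        elif self.filtering == Behavior.addressDependent:
            accepted = any(r.addr == remote.addr for r in m.remotes)
        else:                             # addressAndPortDependent
            accepted = remote in m.remotes
        if not accepted:
            return None
        self.translations += 1
        return m.internal


UDP = 17


def demo():
    """Constructed traffic: one internal host talking to two DNS servers,
    behind a NAT with endpoint-independent mapping and address-dependent
    filtering (the combination RFC 4787 REQ-8 allows when security matters)."""
    host = Endpoint("192.0.2.10", 4000)
    r1, r2 = Endpoint("198.51.100.1", 53), Endpoint("198.51.100.2", 53)
    nat = NatInstance(Behavior.endpointIndependent, Behavior.addressDependent,
                      "203.0.113.1")
    e1, e2 = nat.outbound(host, r1, UDP), nat.outbound(host, r2, UDP)
    return {
        "same_external_port": e1 == e2,                 # True: REQ-1
        "port_map_creations": nat.port_map_creations,   # 1
        # another port at a known remote address passes addressDependent filtering
        "known_addr_new_port": nat.inbound(Endpoint("198.51.100.1", 9999), e1, UDP),
        # a remote address the host never contacted is dropped
        "unknown_addr": nat.inbound(Endpoint("203.0.113.9", 53), e1, UDP),
    }
```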
1673 natv2InstancePoolingBehavior OBJECT-TYPE
1674 SYNTAX INTEGER {
1675 arbitrary (0),
1676 paired (1)
1677 }
1678 MAX-ACCESS read-only
1679 STATUS current
1680 DESCRIPTION
1681 "Pooling behavior is the policy used to select the address
1682 for a new port mapping within a given address pool to which
1683 the internal address has already been mapped.
1685 arbitrary(0) pooling behavior means that the NAT instance
1686 may create the new port mapping using any address in the
1687 pool that has a free port for the protocol concerned.
1689 paired(1) pooling behavior, the behavior RECOMMENDED by RFC
1690 4787 REQ-2, means that once a given internal address has
1691 been mapped to a particular address in a particular pool,
1692 further mappings of the same internal address to that pool
1693 will reuse the previously assigned pool member address."
1694 REFERENCE
1695 "RFC 4787 near the end of section 4.1"
1696 ::= { natv2InstanceEntry 5 }
1698 natv2InstanceFragmentBehavior OBJECT-TYPE
1699 SYNTAX INTEGER {
1700 fragmentNone (0),
1701 fragmentInOrder (1),
1702 fragmentOutOfOrder (2)
1703 }
1704 MAX-ACCESS read-only
1705 STATUS current
1706 DESCRIPTION
1707 "Fragment behavior is the NAT instance's capability to
1708 receive and translate fragments incoming from remote
1709 sources.
1711 fragmentNone(0) implies no capability to translate incoming
1712 fragments, so all received fragments are dropped. Each
1713 dropped fragment is counted in natv2InstanceFragmentDrops.
1715 fragmentInOrder(1) implies the ability to translate
1716 fragments only if they are received in order, so that in
1717 particular the header is in the first packet. If a fragment
1718 is received out of order, it is dropped and counted in
1719 natv2InstanceFragmentDrops.
1721 fragmentOutOfOrder(2), the capability REQUIRED by RFC 4787
1722 REQ-14, implies the capability to translate fragments even
1723 when they arrive out of order, subject to a protective
1724 limit natv2InstanceLimitPendingFragments on total number of
1725 fragments awaiting the first fragment of the chain. If the
1726 implementation supports this capability,
1727 natv2InstanceFragmentDrops is incremented only when a new
1728 fragment arrives but is dropped because the limit on pending
1729 fragments has already been reached."
1730 REFERENCE
1731 "RFC 4787 section 11."
1732 ::= { natv2InstanceEntry 6 }
1734 -- State
1736 natv2InstanceAddressMapEntries OBJECT-TYPE
1737 SYNTAX Unsigned32
1738 MAX-ACCESS read-only
1739 STATUS current
1740 DESCRIPTION
1741 "The current number of address map entries in total over the
1742 whole NAT instance, including static mappings. An address
1743 map entry maps from a given internal address and realm to an
1744 external address in a particular external realm. This
1745 definition includes 'hairpin' mappings, where the external
1746 realm is the same as the internal one. Address map entries
1747 are also tracked per subscriber and per address pool within
1748 the instance."
1749 REFERENCE
1750 "RFC yyyy Section 3.3.8. RFC 4787 section 6."
1751 ::= { natv2InstanceEntry 7 }
1753 natv2InstancePortMapEntries OBJECT-TYPE
1754 SYNTAX Unsigned32
1755 MAX-ACCESS read-only
1756 STATUS current
1757 DESCRIPTION
1758 "The current number of entries in the port map table in total
1759 over the whole NAT instance, including static mappings. A
1760 port map entry maps from a given external realm, address,
1761 and port for a given protocol to an internal realm, address,
1762 and port. This definition includes 'hairpin' mappings, where
1763 the external realm is the same as the internal one. Port map
1764 entries are also tracked per subscriber and per protocol and
1765 address pool within the instance."
1766 REFERENCE
1767 "RFC yyyy Section 3.3.9.
1768 Hairpinning: RFC 4787 Section 6."
1770 ::= { natv2InstanceEntry 8 }
1772 -- Statistics
1774 natv2InstanceTranslations OBJECT-TYPE
1775 SYNTAX Counter64
1776 MAX-ACCESS read-only
1777 STATUS current
1778 DESCRIPTION
1779 "The cumulative number of translated packets passing through
1780 this NAT instance. This value MUST be monotone increasing in
1781 the periods between updates of
1782 natv2InstanceDiscontinuityTime. If a manager detects a
1783 change in the latter since the last time it sampled this
1784 counter, it SHOULD NOT make use of the difference between
1785 the latest value of the counter and any value retrieved
1786 before the new value of natv2InstanceDiscontinuityTime."
1787 ::= { natv2InstanceEntry 9 }
1789 natv2InstanceAddressMapCreations OBJECT-TYPE
1790 SYNTAX Counter64
1791 MAX-ACCESS read-only
1792 STATUS current
1793 DESCRIPTION
1794 "The cumulative number of address map entries created by the
1795 NAT instance, including static mappings. Address map
1796 creations are also tracked per address pool within the
1797 instance and per subscriber.
1799 This value MUST be monotone increasing in
1800 the periods between updates of
1801 natv2InstanceDiscontinuityTime. If a manager detects a
1802 change in the latter since the last time it sampled this
1803 counter, it SHOULD NOT make use of the difference between
1804 the latest value of the counter and any value retrieved
1805 before the new value of natv2InstanceDiscontinuityTime."
1806 ::= { natv2InstanceEntry 10 }
1808 natv2InstancePortMapCreations OBJECT-TYPE
1809 SYNTAX Counter64
1810 MAX-ACCESS read-only
1811 STATUS current
1812 DESCRIPTION
1813 "The cumulative number of port map entries created by the
1814 NAT instance, including static mappings. Port map
1815 creations are also tracked per protocol and address pool
1816 within the instance and per subscriber.
1818 This value MUST be monotone increasing in
1819 the periods between updates of
1820 natv2InstanceDiscontinuityTime. If a manager detects a
1821 change in the latter since the last time it sampled this
1822 counter, it SHOULD NOT make use of the difference between
1823 the latest value of the counter and any value retrieved
1824 before the new value of natv2InstanceDiscontinuityTime."
1825 ::= { natv2InstanceEntry 11 }
1827 natv2InstanceAddressMapEntryLimitDrops OBJECT-TYPE
1828 SYNTAX Counter64
1829 MAX-ACCESS read-only
1830 STATUS current
1831 DESCRIPTION
1832 "The cumulative number of packets dropped rather than
1833 translated because the packet would have triggered
1834 the creation of a new address map entry but the limit
1835 on number of address map entries for the NAT instance
1836 given by natv2InstanceLimitAddressMapEntries has
1837 already been reached.
1839 This value MUST be monotone increasing in the periods
1840 between updates of the entity's
1841 natv2InstanceDiscontinuityTime. If a manager detects a
1842 change in the latter since the last time it sampled this
1843 counter, it SHOULD NOT make use of the difference between
1844 the latest value of the counter and any value retrieved
1845 before the new value of natv2InstanceDiscontinuityTime."
1846 ::= { natv2InstanceEntry 12 }
1848 natv2InstancePortMapEntryLimitDrops OBJECT-TYPE
1849 SYNTAX Counter64
1850 MAX-ACCESS read-only
1851 STATUS current
1852 DESCRIPTION
1853 "The cumulative number of packets dropped rather than
1854 translated because the packet would have triggered
1855 the creation of a new port map entry but the limit
1856 on number of port map entries for the NAT instance
1857 given by natv2InstanceLimitPortMapEntries has
1858 already been reached.
1860 This value MUST be monotone increasing in the periods
1861 between updates of the entity's
1862 natv2InstanceDiscontinuityTime. If a manager detects a
1863 change in the latter since the last time it sampled this
1864 counter, it SHOULD NOT make use of the difference between
1865 the latest value of the counter and any value retrieved
1866 before the new value of natv2InstanceDiscontinuityTime."
1867 ::= { natv2InstanceEntry 13 }
1869 natv2InstanceSubscriberActiveLimitDrops OBJECT-TYPE
1870 SYNTAX Counter64
1871 MAX-ACCESS read-only
1872 STATUS current
1873 DESCRIPTION
1874 "The cumulative number of packets dropped rather than
1875 translated because the packet would have triggered the
1876 creation of a new mapping for a subscriber with no other
1877 active mappings, but the limit on number of active
1878 subscribers for the NAT instance given by
1879 natv2InstanceLimitSubscriberActives has already been
1880 reached.
1882 This value MUST be monotone increasing in the periods
1883 between updates of the entity's
1884 natv2InstanceDiscontinuityTime. If a manager detects a
1885 change in the latter since the last time it sampled this
1886 counter, it SHOULD NOT make use of the difference between
1887 the latest value of the counter and any value retrieved
1888 before the new value of natv2InstanceDiscontinuityTime."
1889 ::= { natv2InstanceEntry 14 }
1891 natv2InstanceAddressMapFailureDrops OBJECT-TYPE
1892 SYNTAX Counter64
1893 MAX-ACCESS read-only
1894 STATUS current
1895 DESCRIPTION
1896 "The cumulative number of packets dropped because the packet
1897 would have triggered the creation of a new address map
1898 entry, but no address could be allocated in the selected
1899 external realm because all addresses from the selected
1900 address pool (or the whole realm, if no address pool has
1901 been configured for that realm) have already been fully
1902 allocated.
1904 This value MUST be monotone increasing in the periods
1905 between updates of the entity's
1906 natv2InstanceDiscontinuityTime. If a manager detects a
1907 change in the latter since the last time it sampled this
1908 counter, it SHOULD NOT make use of the difference between
1909 the latest value of the counter and any value retrieved
1910 before the new value of natv2InstanceDiscontinuityTime."
1911 ::= { natv2InstanceEntry 15 }
1913 natv2InstancePortMapFailureDrops OBJECT-TYPE
1914 SYNTAX Counter64
1915 MAX-ACCESS read-only
1916 STATUS current
1917 DESCRIPTION
1918 "The cumulative number of packets dropped because the
1919 packet would have triggered the creation of a new
1920 port map entry, but no port could be allocated for the
1921 protocol concerned. The usual case for this will be
1922 for a NAT instance that supports address pooling and
1923 the 'paired' pooling behavior recommended by RFC 4787,
1924 where the internal endpoint has used up all of the
1925 ports allocated to it for the address it was mapped to
1926 in the selected address pool in the external realm
1927 concerned and cannot be given more ports because
1928 - policy or implementation prevents it from having a
1929 second address in the same pool, and
1930 - policy or unavailability prevents it from acquiring
1931 more ports at its originally assigned address.
1933 If the NAT instance supports address pooling but its
1934 pooling behavior is 'arbitrary' (meaning that
1935 the NAT instance can allocate a new port mapping for
1936 the given internal endpoint on any address in the
1937 selected address pool and is not bound to what it has
1938 already mapped for that endpoint), then this counter
1939 is incremented when all ports for the protocol concerned
1940 over the whole of the selected address pool are already
1941 in use.
1943 Finally, if no address pools have been configured for the
1944 external realm concerned, then this counter is incremented
1945 because all ports for the protocol involved over the whole
1946 set of addresses available for that external realm are
1947 already in use.
1949 This value MUST be monotone increasing in the periods
1950 between updates of the entity's
1951 natv2InstanceDiscontinuityTime. If a manager detects a
1952 change in the latter since the last time it sampled this
1953 counter, it SHOULD NOT make use of the difference between
1954 the latest value of the counter and any value retrieved
1955 before the new value of natv2InstanceDiscontinuityTime."
1956 REFERENCE
1957 "Pooling behavior: RFC 4787, end of section 4.1."
1958 ::= { natv2InstanceEntry 16 }
1960 natv2InstanceFragmentDrops OBJECT-TYPE
1961 SYNTAX Counter64
1962 MAX-ACCESS read-only
1963 STATUS current
1964 DESCRIPTION
1965 "The cumulative number of fragments received by the NAT
1966 instance but dropped rather than translated. When the NAT
1967 instance supports the 'Receive Fragment Out of Order'
1968 capability as required by RFC 4787, this occurs because the
1969 fragment was received out of order and would be added to the
1970 queue of fragments awaiting the initial fragment of the
1971 chain, but the queue has already reached the limit set by
1972 natv2InstanceLimitPendingFragments. Counting in other cases
1973 is specified in the description of
1974 natv2InstanceFragmentBehavior.
1976 This value MUST be monotone increasing in the periods
1977 between updates of the entity's
1978 natv2InstanceDiscontinuityTime. If a manager detects a
1979 change in the latter since the last time it sampled this
1980 counter, it SHOULD NOT make use of the difference between
1981 the latest value of the counter and any value retrieved
1982 before the new value of natv2InstanceDiscontinuityTime."
1983 REFERENCE
1984 "RFC 4787, section 11."
1985 ::= { natv2InstanceEntry 17 }
1987 natv2InstanceOtherResourceFailureDrops OBJECT-TYPE
1988 SYNTAX Counter64
1989 MAX-ACCESS read-only
1990 STATUS current
1991 DESCRIPTION
1992 "The cumulative number of packets dropped because of
1993 unavailability of a resource other than an address or port
1994 that would have been required to process it. The most likely
1995 case is where the upper layer protocol in the packet is not
1996 supported by the NAT instance.
1998 This value MUST be monotone increasing in the periods
1999 between updates of the entity's
2000 natv2InstanceDiscontinuityTime. If a manager detects a
2001 change in the latter since the last time it sampled this
2002 counter, it SHOULD NOT make use of the difference between
2003 the latest value of the counter and any value retrieved
2004 before the new value of natv2InstanceDiscontinuityTime."
2005 ::= { natv2InstanceEntry 18 }
2007 natv2InstanceDiscontinuityTime OBJECT-TYPE
2008 SYNTAX TimeStamp
2009 MAX-ACCESS read-only
2010 STATUS current
2011 DESCRIPTION
2012 "Snapshot of the value of the sysUpTime object at the
2013 beginning of the latest period of continuity of the
2014 statistical counters associated with this NAT instance."
2015 ::= { natv2InstanceEntry 19 }
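The counter descriptions above all carry the same manager-side rule: a difference between two samples is only meaningful if natv2InstanceDiscontinuityTime did not change in between. The following Python poller is added here to show that rule applied to natv2InstanceTranslations; it is not part of the draft, and the poll values are constructed.

```python
# Added example (not from the draft): manager-side rate computation for a
# Counter64 such as natv2InstanceTranslations that honours the rule that a
# difference SHOULD NOT be used across a change of natv2InstanceDiscontinuityTime.
from dataclasses import dataclass
from typing import List, Optional

TICKS_PER_SECOND = 100       # sysUpTime and TimeStamp are in hundredths of a second
TIMETICKS_MODULUS = 2 ** 32  # TimeTicks wrap after about 497 days
COUNTER64_MODULUS = 2 ** 64


@dataclass(frozen=True)
class Sample:
    sys_uptime: int           # sysUpTime read in the same poll
    discontinuity: int        # natv2InstanceDiscontinuityTime
    counter: int              # natv2InstanceTranslations


class CounterRate:
    """Keeps the previous poll and turns the next one into packets/second."""

    def __init__(self):
        self.previous: Optional[Sample] = None

    def update(self, s: Sample) -> Optional[float]:
        """Return the rate since the previous sample, or None when no usable
        delta exists (first sample, or a discontinuity in between)."""
        prev, self.previous = self.previous, s
        if prev is None:
            return None
        if s.discontinuity != prev.discontinuity:
            # The counters were reinitialised between the two polls: the MIB
            # says the difference SHOULD NOT be used. The new sample simply
            # becomes the baseline for the next delta.
            return None
        elapsed = (s.sys_uptime - prev.sys_uptime) % TIMETICKS_MODULUS
        if elapsed == 0:
            return None
        delta = (s.counter - prev.counter) % COUNTER64_MODULUS
        return delta * TICKS_PER_SECOND / elapsed


def rates(samples: List[Sample]) -> List[Optional[float]]:
    """Feed a poll sequence through one CounterRate; one result per poll."""
    cr = CounterRate()
    return [cr.update(s) for s in samples]


# Constructed poll sequence: the discontinuity time changes between the
# second and third poll (e.g. the instance was reset), so that delta is
# discarded and the third poll becomes the new baseline.
POLLS = [
    Sample(sys_uptime=1000, discontinuity=0, counter=5000),
    Sample(sys_uptime=2000, discontinuity=0, counter=15000),
    Sample(sys_uptime=3000, discontinuity=2500, counter=300),
    Sample(sys_uptime=4000, discontinuity=2500, counter=1300),
]
# rates(POLLS) -> [None, 1000.0, None, 100.0]
```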
2017 -- Notification thresholds, disabled by setting to zero
2019 natv2InstanceThresholdAddressMapEntriesHigh OBJECT-TYPE
2020 SYNTAX Unsigned32
2021 MAX-ACCESS read-write
2022 STATUS current
2023 DESCRIPTION
2024 "Notification threshold for total number of address map
2025 entries held by this NAT instance. Whenever
2026 natv2InstanceAddressMapEntries is updated, if it equals or
2027 exceeds natv2InstanceThresholdAddressMapEntriesHigh, then
2028 natv2NotificationInstanceAddressMapEntriesHigh may be
2029 triggered, unless the notification is disabled by setting
2030 the threshold to 0. Reporting is subject to the minimum
2031 inter-notification interval given by
2032 natv2InstanceNotificationInterval. If multiple notifications
2033 are triggered during one interval, the agent MUST report
2034 only the one containing the highest value of
2035 natv2InstanceAddressMapEntries and discard the others."
2036 DEFVAL
2037 { 0 }
2038 ::= { natv2InstanceEntry 20 }
2040 natv2InstanceThresholdPortMapEntriesHigh OBJECT-TYPE
2041 SYNTAX Unsigned32
2042 MAX-ACCESS read-write
2043 STATUS current
2044 DESCRIPTION
2045 "Notification threshold for total number of port map
2046 entries held by this NAT instance. Whenever
2047 natv2InstancePortMapEntries is updated, if it equals or
2048 exceeds natv2InstanceThresholdPortMapEntriesHigh, then
2049 natv2NotificationInstancePortMapEntriesHigh may be
2050 triggered, unless the notification is disabled by setting
2051 the threshold to 0. Reporting is subject to the minimum
2052 inter-notification interval given by
2053 natv2InstanceNotificationInterval. If multiple notifications
2054 are triggered during one interval, the agent MUST report
2055 only the one containing the highest value of
2056 natv2InstancePortMapEntries and discard the others."
2057 DEFVAL
2058 { 0 }
2059 ::= { natv2InstanceEntry 21 }
2061 natv2InstanceNotificationInterval OBJECT-TYPE
2062 SYNTAX Unsigned32 (1..3600)
2063 UNITS
2064 "Seconds"
2065 MAX-ACCESS read-write
2066 STATUS current
2067 DESCRIPTION
2068 "Minimum number of seconds (default 10) between successive
2069 notifications for this NAT instance. Controls the reporting
2070 of natv2NotificationInstanceAddressMapEntriesHigh and
2071 natv2NotificationInstancePortMapEntriesHigh."
2072 DEFVAL
2073 { 10 }
2074 ::= { natv2InstanceEntry 22 }
2076 -- Limits, disabled if set to 0
2078 natv2InstanceLimitAddressMapEntries OBJECT-TYPE
2079 SYNTAX Unsigned32
2080 MAX-ACCESS read-write
2081 STATUS current
2082 DESCRIPTION
2083 "Limit on total number of address map entries supported by
2084 the NAT instance. When natv2InstanceAddressMapEntries has
2085 reached this limit, subsequent packets that would normally
2086 trigger creation of a new address map entry will be dropped
2087 and counted in natv2InstanceAddressMapEntryLimitDrops.
2088 Warning of an approach to this limit can be achieved by
2089 setting natv2InstanceThresholdAddressMapEntriesHigh to a
2090 non-zero value, for example, 80% of the limit. The limit is
2091 disabled by setting its value to zero (default value).
2093 For further information please see the descriptions of
2094 natv2NotificationInstanceAddressMapEntriesHigh and
2095 natv2InstanceAddressMapEntries."
2096 DEFVAL
2097 { 0 }
2098 ::= { natv2InstanceEntry 23 }
2100 natv2InstanceLimitPortMapEntries OBJECT-TYPE
2101 SYNTAX Unsigned32
2102 MAX-ACCESS read-write
2103 STATUS current
2104 DESCRIPTION
2105 "Limit on total number of port map entries supported by the
2106 NAT instance. When natv2InstancePortMapEntries has reached
2107 this limit, subsequent packets that would normally trigger
2108 creation of a new port map entry will be dropped and counted
2109 in natv2InstancePortMapEntryLimitDrops. Warning of an
2110 approach to this limit can be achieved by setting
2111 natv2InstanceThresholdPortMapEntriesHigh to a non-zero
2112 value, for example, 80% of the limit. The limit is disabled
2113 by setting its value to zero (default value).
2115 For further information please see the descriptions of
2116 natv2NotificationInstancePortMapEntriesHigh and
2117 natv2InstancePortMapEntries."
2118 DEFVAL
2119 { 0 }
2120 ::= { natv2InstanceEntry 24 }
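The following Python model is added here to show the threshold, notification interval and limit objects above working together for port map entries on one NAT instance; it is not part of the draft or of any agent. The draft does not say when a notification held back by the interval is finally sent; this model sends it at the first update or flush after the interval has elapsed, and the load pattern is constructed.

```python
# Added example (not from the draft): agent-side accounting for one NAT
# instance combining natv2InstanceLimitPortMapEntries,
# natv2InstanceThresholdPortMapEntriesHigh and
# natv2InstanceNotificationInterval. Times are in TimeTicks (1/100 s).
from typing import List, Optional, Tuple

TICKS_PER_SECOND = 100


class PortMapAccounting:
    NOTIFICATION = "natv2NotificationInstancePortMapEntriesHigh"

    def __init__(self, limit=0, threshold_high=0, notification_interval=10):
        self.limit = limit                    # natv2InstanceLimitPortMapEntries (0 = disabled)
        self.threshold_high = threshold_high  # natv2InstanceThresholdPortMapEntriesHigh (0 = disabled)
        self.interval = notification_interval * TICKS_PER_SECOND  # natv2InstanceNotificationInterval
        self.port_map_entries = 0             # natv2InstancePortMapEntries
        self.port_map_creations = 0           # natv2InstancePortMapCreations
        self.limit_drops = 0                  # natv2InstancePortMapEntryLimitDrops
        self.sent: List[Tuple[int, int]] = []  # (time, value) notifications reported
        self._last_sent: Optional[int] = None
        self._held: Optional[int] = None      # highest value triggered but not yet reported

    def try_create_mapping(self, now):
        """A packet that would create a new port map entry arrives at `now`.
        Returns True if created, False if dropped because the limit is reached."""
        if self.limit and self.port_map_entries >= self.limit:
            self.limit_drops += 1
            return False
        self.port_map_entries += 1
        self.port_map_creations += 1
        self._entries_updated(now)
        return True

    def remove_mapping(self, now):
        self.port_map_entries -= 1
        self._entries_updated(now)

    def _entries_updated(self, now):
        # Threshold check on every update of natv2InstancePortMapEntries; of
        # the triggers inside one interval only the highest value survives,
        # the others are discarded (a MUST in the threshold description).
        if self.threshold_high == 0 or self.port_map_entries < self.threshold_high:
            return
        if self._held is None or self.port_map_entries > self._held:
            self._held = self.port_map_entries
        self.flush(now)

    def flush(self, now):
        """Report the held notification if the minimum interval has elapsed.
        Assumption: a deferred report goes out at the first update or flush
        after the interval (the draft leaves the exact timing open)."""
        if self._held is None:
            return None
        if self._last_sent is not None and now - self._last_sent < self.interval:
            return None
        report = (now, self._held)
        self.sent.append(report)
        self._last_sent = now
        self._held = None
        return report


def simulate():
    """Constructed load: limit 1000, threshold at 80% of the limit (as the
    limit description suggests), one mapping attempt every 10 ms, then a
    flush, one removal and another flush."""
    acct = PortMapAccounting(limit=1000, threshold_high=800, notification_interval=10)
    for tick in range(1005):
        acct.try_create_mapping(tick)
    acct.flush(2000)             # 20 s: interval elapsed, deferred report goes out
    acct.remove_mapping(2500)    # still above the threshold, but inside the interval
    acct.flush(3100)
    return {
        "port_map_entries": acct.port_map_entries,        # 999
        "port_map_creations": acct.port_map_creations,    # 1000
        "limit_drops": acct.limit_drops,                  # 5
        "sent": acct.sent,   # [(799, 800), (2000, 1000), (3100, 999)]
    }
```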
2122 natv2InstanceLimitPendingFragments OBJECT-TYPE
2123 SYNTAX Unsigned32
2124 MAX-ACCESS read-write
2125 STATUS current
2126 DESCRIPTION
2127 "Limit on number of out-of-order fragments received by the
2128 NAT instance from remote sources and held until head of
2129 chain appears. While the number of held fragments is at this
2130 limit, subsequent packets that contain fragments not
2131 relating to those already held will be dropped and counted
2132 in natv2InstanceFragmentDrops. The limit is
2133 disabled by setting the value to zero (default value).
2135 Applicable only when the NAT instance supports 'Receive
2136 Fragments Out of Order' behavior; leave at the default
2137 otherwise. See the description of
2138 natv2InstanceFragmentBehavior."
2139 REFERENCE
2140 "RFC 4787 Section 11"
2141 DEFVAL { 0 }
2142 ::= { natv2InstanceEntry 25 }
2144 natv2InstanceLimitSubscriberActives OBJECT-TYPE
2145 SYNTAX Unsigned32
2146 MAX-ACCESS read-write
2147 STATUS current
2148 DESCRIPTION
2149 "Limit on the total number of active subscribers
2150 supported by the NAT instance. An active subscriber is
2151 defined as any subscriber with at least one map entry,
2152 including static mappings. While the number of active
2153 subscribers is at this limit, subsequent packets that would
2154 otherwise trigger first mappings for newly active
2155 subscribers will be dropped and counted in
2156 natv2InstanceSubscriberActiveLimitDrops. The limit is
2157 disabled by setting the value to zero (default value)."
2158 DEFVAL { 0 }
2159 ::= { natv2InstanceEntry 26 }
2161 -- Table of counters per upper layer protocol identified by the
2162 -- packet header and supported by the NAT instance
2164 natv2ProtocolTable OBJECT-TYPE
2165 SYNTAX SEQUENCE OF Natv2ProtocolEntry
2166 MAX-ACCESS not-accessible
2167 STATUS current
2168 DESCRIPTION
2169 "Table of protocols with per-protocol counters. Conceptual
2170 rows of the table are indexed by the combination of the NAT
2171 instance number and the IANA-assigned upper layer protocol
2172 number as given by the ProtocolNumber TC and contained in
2173 the packet IP header. It is up to the agent implementation
2174 to determine and operate upon only those upper layer
2175 protocol numbers supported by the NAT instance."
2176 REFERENCE
2177 "RFC yyyy Section 3.3.5."
2178 ::= { natv2MIBInstanceObjects 2 }
2180 natv2ProtocolEntry OBJECT-TYPE
2181 SYNTAX Natv2ProtocolEntry
2182 MAX-ACCESS not-accessible
2183 STATUS current
2184 DESCRIPTION
2185 "Per-protocol counters."
2186 INDEX { natv2ProtocolInstanceIndex,
2187 natv2ProtocolNumber }
2188 ::= { natv2ProtocolTable 1 }
2190 Natv2ProtocolEntry ::=
2191 SEQUENCE {
2192 natv2ProtocolInstanceIndex Natv2InstanceIndex,
2193 natv2ProtocolNumber ProtocolNumber,
2194 -- State
2195 natv2ProtocolPortMapEntries Unsigned32,
2196 -- Statistics. Discontinuity object from instance table reused here.
2197 natv2ProtocolTranslations Counter64,
2198 natv2ProtocolPortMapCreations Counter64,
2199 natv2ProtocolPortMapFailureDrops Counter64
2200 }
2202 natv2ProtocolInstanceIndex OBJECT-TYPE
2203 SYNTAX Natv2InstanceIndex
2204 MAX-ACCESS not-accessible
2205 STATUS current
2206 DESCRIPTION
2207 "NAT instance index. It is up to the implementation to
2208 determine and operate upon only those values that
2209 correspond to in-service NAT instances."
2210 ::= { natv2ProtocolEntry 1 }
2212 natv2ProtocolNumber OBJECT-TYPE
2213 SYNTAX ProtocolNumber
2214 MAX-ACCESS not-accessible
2215 STATUS current
2216 DESCRIPTION
2217 "Counters in this conceptual row apply to packets indicating
2218 the upper layer protocol identified by the value of
2219 this object. It is up to the implementation to determine and
2220 operate upon only those values that correspond to protocols
2221 supported by the NAT instance."
2222 REFERENCE
2223 "RFC yyyy Section 3.3.5.
2224 IANA Protocol Numbers, http://www.iana.org/assignments/
2225 protocol-numbers/protocol-numbers.xhtml#protocol-numbers-1"
2226 ::= { natv2ProtocolEntry 2 }
2228 -- State
2229 natv2ProtocolPortMapEntries OBJECT-TYPE
2230 SYNTAX Unsigned32
2231 MAX-ACCESS read-only
2232 STATUS current
2233 DESCRIPTION
2234 "The current number of entries in the port map table in total
2235 over the whole NAT instance for a given protocol, including
2236 static mappings. A port map entry maps from a given external
2237 realm, address, and port for a given protocol to an internal
2238 realm, address, and port. This definition includes 'hairpin'
2239 mappings, where the external realm is the same as the
2240 internal one. Port map entries are also tracked per
2241 subscriber, per instance, and per address pool within the
2242 instance."
2243 REFERENCE
2244 "RFC yyyy Section 3.3.5 and Section 3.3.9. Hairpinning:
2245 RFC 4787 Section 6."
2246 ::= { natv2ProtocolEntry 3 }
2248 -- Statistics
2249 natv2ProtocolTranslations OBJECT-TYPE
2250 SYNTAX Counter64
2251 MAX-ACCESS read-only
2252 STATUS current
2253 DESCRIPTION
2254 "The cumulative number of packets translated by the NAT
2255 instance in either direction for the given protocol.
2257 This value MUST be monotone increasing in the periods
2258 between updates of the NAT instance
2259 natv2InstanceDiscontinuityTime. If a manager detects a
2260 change in the latter since the last time it sampled this
2261 counter, it SHOULD NOT make use of the difference between
2262 the latest value of the counter and any value retrieved
2263 before the new value of natv2InstanceDiscontinuityTime."
2264 ::= { natv2ProtocolEntry 4 }
2266 natv2ProtocolPortMapCreations OBJECT-TYPE
2267 SYNTAX Counter64
2268 MAX-ACCESS read-only
2269 STATUS current
2270 DESCRIPTION
2271 "The cumulative number of port map entries created by the NAT
2272 instance for the given protocol.
2274 This value MUST be monotone increasing in the periods
2275 between updates of the NAT instance
2276 natv2InstanceDiscontinuityTime. If a manager detects a
2277 change in the latter since the last time it sampled this
2278 counter, it SHOULD NOT make use of the difference between
2279 the latest value of the counter and any value retrieved
2280 before the new value of natv2InstanceDiscontinuityTime."
2281 ::= { natv2ProtocolEntry 5 }
2283 natv2ProtocolPortMapFailureDrops OBJECT-TYPE
2284 SYNTAX Counter64
2285 MAX-ACCESS read-only
2286 STATUS current
2287 DESCRIPTION
2288 "The cumulative number of packets dropped because the packet
2289 would have triggered the creation of a new port map entry,
2290 but no port could be allocated for the protocol concerned.
2291 The usual case for this will be for a NAT instance that
2292 supports address pooling and the 'paired' pooling behavior
2293 recommended by RFC 4787, where the internal endpoint has
2294 used up all of the ports allocated to it for the address it
2295 was mapped to in the selected address pool in the external
2296 realm concerned and cannot be given more ports because
2297 - policy or implementation prevents it from having a
2298 second address in the same pool, and
2299 - policy or unavailability prevents it from acquiring
2300 more ports at its originally assigned address.
2302 If the NAT instance supports address pooling but its
2303 pooling behavior is 'arbitrary' (meaning that
2304 the NAT instance can allocate a new port mapping for
2305 the given internal endpoint on any address in the
2306 selected address pool and is not bound to what it has
2307 already mapped for that endpoint), then this counter
2308 is incremented when all ports for the protocol concerned
2309 over the whole of the selected address pool are already
2310 in use.
2312 Finally, if the NAT instance has no configured address
2313 pooling, then this counter is incremented because all
2314 ports for the protocol concerned over the whole of the
2315 NAT instance for the external realm concerned are already
2316 in use.
2318 This value MUST be monotone increasing in the periods
2319 between updates of the NAT instance
2320 natv2InstanceDiscontinuityTime. If a manager detects a
2321 change in the latter since the last time it sampled this
2322 counter, it SHOULD NOT make use of the difference between
2323 the latest value of the counter and any value retrieved
2324 before the new value of natv2InstanceDiscontinuityTime."
2325 REFERENCE
2326 "RFC 4787, end of section 4.1."
2327 ::= { natv2ProtocolEntry 6 }
2329 -- pools
2331 natv2PoolTable OBJECT-TYPE
2332 SYNTAX SEQUENCE OF Natv2PoolEntry
2333 MAX-ACCESS not-accessible
2334 STATUS current
2335 DESCRIPTION
2336 "Table of address pools, applicable only if these are
2337 supported by the NAT instance. An address pool is a set of
2338 addresses and ports in a particular realm, available for
2339 assignment to the 'external' portion of a mapping. Where more
2340 than one pool has been configured for the realm, policy
2341 determines which subscribers and/or services are mapped to
2342 which pool. natv2PoolTable provides basic information, state,
2343 statistics, and two notification thresholds for each pool.
2344 natv2PoolRangeTable is an expansion table for natv2PoolTable
2345 that identifies particular address ranges allocated to the
2346 pool."
2347 REFERENCE
2348 "RFC yyyy Section 3.3.6."
2349 ::= { natv2MIBInstanceObjects 3 }
2351 natv2PoolEntry OBJECT-TYPE
2352 SYNTAX Natv2PoolEntry
2353 MAX-ACCESS not-accessible
2354 STATUS current
2355 DESCRIPTION
2356 "Entry in the table of address pools."
2357 INDEX { natv2PoolInstanceIndex, natv2PoolIndex }
2358 ::= { natv2PoolTable 1 }
2360 Natv2PoolEntry ::=
2361 SEQUENCE {
2362 -- Index
2363 natv2PoolInstanceIndex Natv2InstanceIndex,
2364 natv2PoolIndex Natv2PoolIndex,
2365 -- Configuration
2366 natv2PoolRealm SnmpAdminString,
2367 natv2PoolAddressType InetAddressType,
2368 natv2PoolMinimumPort InetPortNumber,
2369 natv2PoolMaximumPort InetPortNumber,
2370 -- State
2371 natv2PoolAddressMapEntries Unsigned32,
2372 natv2PoolPortMapEntries Unsigned32,
2373 -- Statistics and discontinuity time
2374 natv2PoolAddressMapCreations Counter64,
2375 natv2PoolPortMapCreations Counter64,
2376 natv2PoolAddressMapFailureDrops Counter64,
2377 natv2PoolPortMapFailureDrops Counter64,
2378 natv2PoolDiscontinuityTime TimeStamp,
2379 -- Notification thresholds and objects returned by notifications
2380 natv2PoolThresholdUsageLow Integer32,
2381 natv2PoolThresholdUsageHigh Unsigned32,
2382 natv2PoolNotifiedPortMapEntries Unsigned32,
2383 natv2PoolNotifiedPortMapProtocol ProtocolNumber,
2384 natv2PoolNotificationInterval Unsigned32
2385 }
2387 natv2PoolInstanceIndex OBJECT-TYPE
2388 SYNTAX Natv2InstanceIndex
2389 MAX-ACCESS not-accessible
2390 STATUS current
2391 DESCRIPTION
2392 "NAT instance index. It is up to the agent implementation
2393 to determine and operate upon only those values that
2394 correspond to in-service NAT instances."
2395 ::= { natv2PoolEntry 1 }
2397 natv2PoolIndex OBJECT-TYPE
2398 SYNTAX Natv2PoolIndex
2399 MAX-ACCESS not-accessible
2400 STATUS current
2401 DESCRIPTION
2402 "Index of an address pool, unique for a given NAT instance.
2403 It is up to the agent implementation to determine and
2404 operate upon only those values that correspond to
2405 provisioned pools."
2406 ::= { natv2PoolEntry 2 }
2408 -- configuration
2409 natv2PoolRealm OBJECT-TYPE
2410 SYNTAX SnmpAdminString (SIZE (0..32))
2411 MAX-ACCESS read-only
2412 STATUS current
2413 DESCRIPTION
2414 "Address realm to which this pool's addresses belong."
2415 REFERENCE
2416 "Address realms are discussed in Section 3.3.3 of
2417 RFC yyyy. Primary reference is RFC 2663 Section 2.1."
2418 ::= { natv2PoolEntry 3 }
2420 natv2PoolAddressType OBJECT-TYPE
2421 SYNTAX InetAddressType
2422 MAX-ACCESS read-create
2423 STATUS current
2424 DESCRIPTION
2425 "Address type supplied by this address pool. This will be the
2426 same for all pools in a given realm (by definition of an
2427 address realm). Values other than ipv4(1) or ipv6(2) would
2428 be unexpected."
2429 REFERENCE
2430 "InetAddressType in RFC 4001."
2431 ::= { natv2PoolEntry 4 }
2433 natv2PoolMinimumPort OBJECT-TYPE
2434 SYNTAX InetPortNumber
2435 MAX-ACCESS read-create
2436 STATUS current
2437 DESCRIPTION
2438 "Minimum port number of the range that can be allocated in
2439 this pool. Applies to all protocols supported by the NAT
2440 instance."
2442 REFERENCE
2443 "InetPortNumber in RFC 4001."
2444 ::= { natv2PoolEntry 5 }
2446 natv2PoolMaximumPort OBJECT-TYPE
2447 SYNTAX InetPortNumber
2448 MAX-ACCESS read-create
2449 STATUS current
2450 DESCRIPTION
2451 "Maximum port number of the range that can be allocated in
2452 this pool. Applies to all protocols supported by the NAT
2453 instance."
2454 REFERENCE
2455 "InetPortNumber in RFC 4001."
2456 ::= { natv2PoolEntry 6 }
2458 -- State
2459 natv2PoolAddressMapEntries OBJECT-TYPE
2460 SYNTAX Unsigned32
2461 MAX-ACCESS read-only
2462 STATUS current
2463 DESCRIPTION
2464 "The current number of address map entries using external
2465 addresses drawn from this pool, including static mappings.
2466 This definition includes 'hairpin' mappings, where the
2467 external realm is the same as the internal one. Address map
2468 entries are also tracked per subscriber and per instance."
2469 REFERENCE
2470 "RFC yyyy Section 3.3.8. Hairpinning: RFC 4787 Section 6."
2471 ::= { natv2PoolEntry 7 }
2473 natv2PoolPortMapEntries OBJECT-TYPE
2474 SYNTAX Unsigned32
2475 MAX-ACCESS read-only
2476 STATUS current
2477 DESCRIPTION
2478 "The current number of entries in the port map table using
2479 external addresses and ports drawn from this pool, including
2480 static mappings. This definition includes 'hairpin'
2481 mappings, where the external realm is the same as the
2482 internal one. Port map entries are also tracked per
2483 subscriber, per instance, and per protocol within the
2484 instance."
2485 REFERENCE
2486 "RFC yyyy Section 3.3.9. Hairpinning: RFC 4787 Section 6."
2487 ::= { natv2PoolEntry 8 }
2489 -- Statistics and discontinuity time
2490 natv2PoolAddressMapCreations OBJECT-TYPE
2491 SYNTAX Counter64
2492 MAX-ACCESS read-only
2493 STATUS current
2494 DESCRIPTION
2495 "The cumulative number of address map entries created in this
2496 pool, including static mappings. Address map entries are
2497 also tracked per instance and per subscriber.
2499 This value MUST be monotone increasing in
2500 the periods between updates of the entity's
2501 natv2PoolDiscontinuityTime. If a manager detects a
2502 change in the latter since the last time it sampled this
2503 counter, it SHOULD NOT make use of the difference between
2504 the latest value of the counter and any value retrieved
2505 before the new value of natv2PoolDiscontinuityTime."
2506 ::= { natv2PoolEntry 9 }
2508 natv2PoolPortMapCreations OBJECT-TYPE
2509 SYNTAX Counter64
2510 MAX-ACCESS read-only
2511 STATUS current
2512 DESCRIPTION
2513 "The cumulative number of port map entries created in this
2514 pool, including static mappings. Port map entries are also
2515 tracked per instance, per protocol, and per subscriber.
2517 This value MUST be monotone increasing in the periods
2518 between updates of the entity's
2519 natv2PoolDiscontinuityTime. If a manager detects a
2520 change in the latter since the last time it sampled this
2521 counter, it SHOULD NOT make use of the difference between
2522 the latest value of the counter and any value retrieved
2523 before the new value of natv2PoolDiscontinuityTime."
2524 ::= { natv2PoolEntry 10 }
2526 natv2PoolAddressMapFailureDrops OBJECT-TYPE
2527 SYNTAX Counter64
2528 MAX-ACCESS read-only
2529 STATUS current
2530 DESCRIPTION
2531 "The cumulative number of packets originated by the
2532 subscriber that were dropped because the packet would have
2533 triggered the creation of a new address map entry, but no
2534 address could be allocated from this address pool because
2535 all addresses in the pool have already been fully allocated.
2536 Counters of this event are also provided per instance, per
2537 protocol and per subscriber.
2539 This value MUST be monotone increasing in the periods
2540 between updates of the entity's
2541 natv2PoolDiscontinuityTime. If a manager detects a
2542 change in the latter since the last time it sampled this
2543 counter, it SHOULD NOT make use of the difference between
2544 the latest value of the counter and any value retrieved
2545 before the new value of natv2PoolDiscontinuityTime."
2546 ::= { natv2PoolEntry 11 }
2548 natv2PoolPortMapFailureDrops OBJECT-TYPE
2549 SYNTAX Counter64
2550 MAX-ACCESS read-only
2551 STATUS current
2552 DESCRIPTION
2553 "The cumulative number of packets dropped because the packet
2554 would have triggered the creation of a new port map entry,
2555 but no port could be allocated for the protocol concerned.
2556 The usual case for this will be for a NAT instance that
2557 supports the 'paired' pooling behavior recommended by RFC
2558 4787, where the internal endpoint has used up all of the
2559 ports allocated to it for the address it was mapped to in
2560 this pool and cannot be given more ports because
2561 - policy or implementation prevents it from having a
2562 second address in the same pool, and
2563 - policy or unavailability prevents it from acquiring
2564 more ports at its originally assigned address.
2566 If the NAT instance pooling behavior is 'arbitrary' (meaning
2567 that the NAT instance can allocate a new port mapping for
2568 the given internal endpoint on any address in the selected
2569 address pool and is not bound to what it has already mapped
2570 for that endpoint), then this counter is incremented when
2571 all ports for the protocol concerned over the whole of this
2572 address pool are already in use.
2574 This value MUST be monotone increasing in the periods
2575 between updates of the entity's
2576 natv2PoolDiscontinuityTime. If a manager detects a
2577 change in the latter since the last time it sampled this
2578 counter, it SHOULD NOT make use of the difference between
2579 the latest value of the counter and any value retrieved
2580 before the new value of natv2PoolDiscontinuityTime."
2581 REFERENCE
2582 "Pooling behavior: RFC 4787, end of section 4.1."
2583 ::= { natv2PoolEntry 12 }
2585 natv2PoolDiscontinuityTime OBJECT-TYPE
2586 SYNTAX TimeStamp
2587 MAX-ACCESS read-only
2588 STATUS current
2589 DESCRIPTION
2590 "Snapshot of the value of the sysUpTime object at the
2591 beginning of the latest period of continuity of the
2592 statistical counters associated with this address
2593 pool. This MUST be initialized when the address pool
2594 is configured and MUST be updated whenever the port
2595 or address ranges allocated to the pool change."
2596 ::= { natv2PoolEntry 14 }
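The discontinuity rule repeated in every Counter64 DESCRIPTION above (for the natv2ProtocolTable counters governed by natv2InstanceDiscontinuityTime, and for the natv2PoolTable counters governed by natv2PoolDiscontinuityTime) is a requirement on the manager, not the agent. The following Python is an added example of manager-side polling logic that honours it; it is not part of the draft and not code from any NAT implementation. It assumes the manager reads sysUpTime, the relevant discontinuity object and the counter in the same poll, and that TimeTicks are hundredths of a second as in SNMPv2-TC.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Counter64 wraps modulo 2^64 (in practice never within one polling
# interval, but the modular arithmetic costs nothing).
COUNTER64_MODULUS = 1 << 64


@dataclass(frozen=True)
class CounterSample:
    """One poll of a Counter64 object such as natv2ProtocolTranslations.

    sysuptime and discontinuity are TimeTicks (hundredths of a second)
    read in the same poll: sysUpTime, and the discontinuity object that
    governs the counter (natv2InstanceDiscontinuityTime for per-protocol
    counters, natv2PoolDiscontinuityTime for per-pool counters).
    """
    sysuptime: int
    discontinuity: int
    value: int


def counter_delta(prev: CounterSample, cur: CounterSample) -> Optional[int]:
    """Difference cur - prev, or None when the MIB says not to use it."""
    # The discontinuity timestamp changed between the polls: the counter
    # history was reset, so the difference is meaningless (MIB: SHOULD NOT).
    if cur.discontinuity != prev.discontinuity:
        return None
    # sysUpTime going backwards means the agent restarted; treat the same way.
    if cur.sysuptime < prev.sysuptime:
        return None
    return (cur.value - prev.value) % COUNTER64_MODULUS


def rate_per_second(prev: CounterSample, cur: CounterSample) -> Optional[float]:
    """Events per second between two polls, or None if the interval is unusable."""
    delta = counter_delta(prev, cur)
    if delta is None:
        return None
    ticks = cur.sysuptime - prev.sysuptime
    if ticks <= 0:
        return None  # duplicated poll: no elapsed time to divide by
    return delta * 100.0 / ticks


def total_over_series(samples: List[CounterSample]) -> Tuple[int, int]:
    """Sum the usable deltas of a poll series.

    Returns (total_events, skipped_intervals). Skipped intervals straddle
    a discontinuity and must not contribute; reporting their number lets
    an operator see that the total is a lower bound.
    """
    total = 0
    skipped = 0
    for prev, cur in zip(samples, samples[1:]):
        d = counter_delta(prev, cur)
        if d is None:
            skipped += 1
        else:
            total += d
    return total, skipped


# Constructed poll series (not real agent data). The NAT instance is
# reconfigured between the third and fourth poll, which moves the
# discontinuity time forward and resets the counter.
SAMPLE_POLLS = [
    CounterSample(sysuptime=100_000, discontinuity=5_000, value=1_000),
    CounterSample(sysuptime=106_000, discontinuity=5_000, value=1_600),
    CounterSample(sysuptime=112_000, discontinuity=5_000, value=2_500),
    CounterSample(sysuptime=118_000, discontinuity=115_000, value=40),
    CounterSample(sysuptime=124_000, discontinuity=115_000, value=340),
]

if __name__ == "__main__":
    for prev, cur in zip(SAMPLE_POLLS, SAMPLE_POLLS[1:]):
        print(cur.sysuptime, rate_per_second(prev, cur))
    print(total_over_series(SAMPLE_POLLS))
```

The interval that straddles the reconfiguration yields None rather than a large negative (or, with unsigned arithmetic, a huge positive) delta; a drop-rate alarm on natv2ProtocolPortMapFailureDrops built this way does not fire spuriously after every pool reconfiguration.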
2598 -- Notification thresholds and objects returned by notifications
2599 natv2PoolThresholdUsageLow OBJECT-TYPE
2600 SYNTAX Integer32 (-1|0..100)
2601 UNITS "Percent"
2602 MAX-ACCESS read-write
2603 STATUS current
2604 DESCRIPTION
2605 "Threshold for reporting low utilization of the address pool.
2606 Utilization at a given instant is calculated as the
2607 percentage of ports allocated in port map entries for the
2608 most-used protocol at that instant. If utilization is less
2609 than or equal to natv2PoolThresholdUsageLow, an instance of
2610 natv2NotificationPoolUsageLow may be triggered, unless
2611 disabled by setting it to -1. Note the difference from the
2612 disabling setting for other notifications. Reporting is
2613 subject to the per-pool notification interval given by
2614 natv2PoolNotificationInterval. If multiple notifications are
2615 triggered during one interval, the agent MUST report only
2616 the one with the lowest value of
2617 natv2PoolNotifiedPortMapEntries and discard the others.
2619 Implementation note: the percentage specified by this object
2620 can be converted to a number of port map entries at
2621 configuration time (after port and address ranges have been
2622 configured or reconfigured) and compared to the current
2623 value of natv2PoolNotifiedPortMapEntries."
2624 REFERENCE
2625 "RFC yyyy Section 3.1.2 and Section 3.3.6."
2626 DEFVAL { -1 }
2627 ::= { natv2PoolEntry 15 }
2629 natv2PoolThresholdUsageHigh OBJECT-TYPE
2630 SYNTAX Unsigned32 (0..100)
2631 UNITS "Percent"
2632 MAX-ACCESS read-write
2633 STATUS current
2634 DESCRIPTION
2635 "Threshold for reporting high utilization of the address
2636 pool. Utilization at a given instant is calculated as the
2637 percentage of ports allocated in port map entries for the
2638 most-used protocol at that instant. If utilization is
2639 greater than or equal to natv2PoolThresholdUsageHigh, an
2640 instance of natv2NotificationPoolUsageHigh may be triggered,
2641 unless disabled by setting it to 0.
2643 Reporting is subject to the per-pool notification interval
2644 given by natv2PoolNotificationInterval. If multiple
2645 notifications are triggered during one interval, the agent
2646 MUST report only the one with the highest value of
2647 natv2PoolNotifiedPortMapEntries and discard the others. In
2648 the rare case where both upper and lower thresholds
2649 are crossed in the same interval, the agent MUST report only
2650 the upper threshold notification.
2652 Implementation note: the percentage specified by this object
2653 can be converted to a number of port map entries at
2654 configuration time (after port and address ranges have been
2655 configured or reconfigured) and compared to the current
2656 value of natv2PoolNotifiedPortMapEntries."
2657 DEFVAL { 0 }
2658 ::= { natv2PoolEntry 16 }
2660 natv2PoolNotifiedPortMapEntries OBJECT-TYPE
2661 SYNTAX Unsigned32
2662 MAX-ACCESS accessible-for-notify
2663 STATUS current
2664 DESCRIPTION
2665 "Number of port map entries using addresses and ports from
2666 this address pool for the most-used protocol at a given
2667 instant. One of the objects returned by
2668 natv2NotificationPoolUsageLow and
2669 natv2NotificationPoolUsageHigh."
2670 ::= { natv2PoolEntry 17 }
2672 natv2PoolNotifiedPortMapProtocol OBJECT-TYPE
2673 SYNTAX ProtocolNumber
2674 MAX-ACCESS accessible-for-notify
2675 STATUS current
2676 DESCRIPTION
2677 "The most-used protocol (i.e., with the largest number of
2678 port map entries) mapped into this address pool at a given
2679 instant. One of the objects returned by
2680 natv2NotificationPoolUsageLow and
2681 natv2NotificationPoolUsageHigh."
2683 ::= { natv2PoolEntry 18 }
2685 natv2PoolNotificationInterval OBJECT-TYPE
2686 SYNTAX Unsigned32 (1..3600)
2687 UNITS
2688 "Seconds"
2689 MAX-ACCESS read-write
2690 STATUS current
2691 DESCRIPTION
2692 "Minimum number of seconds (default 20) between successive
2693 notifications for this address pool. Controls the generation
2694 of natv2NotificationPoolUsageLow and
2695 natv2NotificationPoolUsageHigh."
2696 DEFVAL
2697 { 20 }
2698 ::= { natv2PoolEntry 19 }
2700 natv2PoolRangeTable OBJECT-TYPE
2701 SYNTAX SEQUENCE OF Natv2PoolRangeEntry
2702 MAX-ACCESS not-accessible
2703 STATUS current
2704 DESCRIPTION
2705 "This table contains address ranges used by pool entries.
2706 It is an expansion of natv2PoolTable."
2707 REFERENCE
2708 "RFC yyyy ."
2709 ::= { natv2MIBInstanceObjects 4 }
2711 natv2PoolRangeEntry OBJECT-TYPE
2712 SYNTAX Natv2PoolRangeEntry
2713 MAX-ACCESS not-accessible
2714 STATUS current
2715 DESCRIPTION
2716 "NAT pool address range."
2717 INDEX {
2718 natv2PoolRangeInstanceIndex,
2719 natv2PoolRangePoolIndex,
2720 natv2PoolRangeRowIndex
2721 }
2722 ::= { natv2PoolRangeTable 1 }
2724 Natv2PoolRangeEntry ::=
2725 SEQUENCE {
2726 natv2PoolRangeInstanceIndex Natv2InstanceIndex,
2727 natv2PoolRangePoolIndex Natv2PoolIndex,
2728 natv2PoolRangeRowIndex Unsigned32,
2729 natv2PoolRangeBegin InetAddress,
2730 natv2PoolRangeEnd InetAddress
2731 }
2733 natv2PoolRangeInstanceIndex OBJECT-TYPE
2734 SYNTAX Natv2InstanceIndex
2735 MAX-ACCESS not-accessible
2736 STATUS current
2737 DESCRIPTION
2738 "Index of the NAT instance on which the address pool and this
2739 address range are configured. See Natv2InstanceIndex."
2740 ::= { natv2PoolRangeEntry 1 }
2742 natv2PoolRangePoolIndex OBJECT-TYPE
2743 SYNTAX Natv2PoolIndex
2744 MAX-ACCESS not-accessible
2745 STATUS current
2746 DESCRIPTION
2747 "Index of the address pool to which this address range
2748 belongs. See Natv2PoolIndex."
2749 ::= { natv2PoolRangeEntry 2 }
2751 natv2PoolRangeRowIndex OBJECT-TYPE
2752 SYNTAX Unsigned32
2753 MAX-ACCESS not-accessible
2754 STATUS current
2755 DESCRIPTION
2756 "Row index for successive range entries for the same
2757 address pool."
2758 ::= { natv2PoolRangeEntry 3 }
2760 natv2PoolRangeBegin OBJECT-TYPE
2761 SYNTAX InetAddress
2762 MAX-ACCESS read-only
2763 STATUS current
2764 DESCRIPTION
2765 "Lowest address included in this range. The type of address
2766 (IPv4 or IPv6) is given by natv2PoolAddressType
2767 in natv2PoolTable."
2768 ::= { natv2PoolRangeEntry 4 }
2770 natv2PoolRangeEnd OBJECT-TYPE
2771 SYNTAX InetAddress
2772 MAX-ACCESS read-only
2773 STATUS current
2774 DESCRIPTION
2775 "Highest address included in this range. The type of address
2776 (IPv4 or IPv6) is given by natv2PoolAddressType
2777 in natv2PoolTable."
2779 ::= { natv2PoolRangeEntry 5 }
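The threshold objects natv2PoolThresholdUsageLow and natv2PoolThresholdUsageHigh, their implementation notes (convert the percentage to an entry count when the pool's port and address ranges are configured), the per-interval reporting rules, and the natv2PoolRangeTable rows that determine how many addresses a pool holds together describe one procedure. The Python below is an added example of that procedure on the agent side; it is not part of the draft and not any vendor's implementation. It assumes natv2PoolRangeBegin and natv2PoolRangeEnd are available in textual form (the MIB carries them as InetAddress octets), that utilization is the most-used protocol's port map entries divided by the pool's per-protocol port capacity, and it uses RFC 5737/3849 documentation addresses as constructed input.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PoolRange:
    """One natv2PoolRangeTable row: an inclusive address range."""
    begin: str   # natv2PoolRangeBegin (textual form assumed here)
    end: str     # natv2PoolRangeEnd

    def address_count(self) -> int:
        b = int(ipaddress.ip_address(self.begin))
        e = int(ipaddress.ip_address(self.end))
        if e < b:
            raise ValueError(f"range end {self.end} precedes begin {self.begin}")
        return e - b + 1


@dataclass
class PoolConfig:
    """The natv2PoolTable configuration objects that drive the thresholds."""
    minimum_port: int                 # natv2PoolMinimumPort
    maximum_port: int                 # natv2PoolMaximumPort
    ranges: List[PoolRange]           # natv2PoolRangeTable rows for this pool
    threshold_low: int = -1           # natv2PoolThresholdUsageLow; -1 disables
    threshold_high: int = 0           # natv2PoolThresholdUsageHigh; 0 disables

    def port_capacity(self) -> int:
        """Ports the pool can allocate per protocol: addresses x ports each."""
        if not 0 <= self.minimum_port <= self.maximum_port <= 65535:
            raise ValueError("invalid port range")
        ports_per_address = self.maximum_port - self.minimum_port + 1
        return ports_per_address * sum(r.address_count() for r in self.ranges)

    # The MIB's implementation notes: turn the percentages into entry counts
    # once, at (re)configuration time, and compare integer counts afterwards.
    def low_entry_limit(self) -> Optional[int]:
        """Largest entry count that still counts as low (floor), or None if disabled."""
        if self.threshold_low == -1:
            return None
        return self.threshold_low * self.port_capacity() // 100

    def high_entry_limit(self) -> Optional[int]:
        """Smallest entry count that counts as high (ceiling), or None if disabled."""
        if self.threshold_high == 0:
            return None
        return (self.threshold_high * self.port_capacity() + 99) // 100


@dataclass(frozen=True)
class Notification:
    kind: str       # "natv2NotificationPoolUsageLow" or "natv2NotificationPoolUsageHigh"
    protocol: int   # natv2PoolNotifiedPortMapProtocol
    entries: int    # natv2PoolNotifiedPortMapEntries


def evaluate_sample(cfg: PoolConfig,
                    entries_by_protocol: Dict[int, int]) -> Optional[Notification]:
    """Check one snapshot of per-protocol port map counts against the thresholds.

    Utilization is judged on the most-used protocol only, as the MIB specifies.
    """
    if not entries_by_protocol:
        return None
    protocol, entries = max(entries_by_protocol.items(), key=lambda kv: kv[1])
    high = cfg.high_entry_limit()
    if high is not None and entries >= high:
        return Notification("natv2NotificationPoolUsageHigh", protocol, entries)
    low = cfg.low_entry_limit()
    if low is not None and entries <= low:
        return Notification("natv2NotificationPoolUsageLow", protocol, entries)
    return None


def coalesce_interval(candidates: List[Notification]) -> Optional[Notification]:
    """One notification per natv2PoolNotificationInterval, per the MIB rules:

    the upper-threshold notification wins if both were triggered; among highs
    report the largest entry count, among lows the smallest.
    """
    highs = [n for n in candidates if n.kind.endswith("High")]
    if highs:
        return max(highs, key=lambda n: n.entries)
    lows = [n for n in candidates if n.kind.endswith("Low")]
    if lows:
        return min(lows, key=lambda n: n.entries)
    return None


# Constructed configuration: 4 documentation addresses x 10000 ports each.
SAMPLE_POOL = PoolConfig(
    minimum_port=10000, maximum_port=19999,
    ranges=[PoolRange("203.0.113.0", "203.0.113.3")],
    threshold_low=10, threshold_high=90,
)

if __name__ == "__main__":
    print(SAMPLE_POOL.port_capacity(), SAMPLE_POOL.low_entry_limit(),
          SAMPLE_POOL.high_entry_limit())
    print(evaluate_sample(SAMPLE_POOL, {6: 37000, 17: 12000}))
```

Precomputing the limits also makes the check cheap enough to run on every port map creation and deletion rather than on a timer, which is where a high-usage notification (the operational signal of pool exhaustion, whether from growth or from a port-consuming abuse pattern) is most useful.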
2781 -- indexed mapping tables
2783 -- Address Map Table. Mapped from internal to external address.
2785 natv2AddressMapTable OBJECT-TYPE
2786 SYNTAX SEQUENCE OF Natv2AddressMapEntry
2787 MAX-ACCESS not-accessible
2788 STATUS current
2789 DESCRIPTION
2790 "Table of mappings from internal to external address. By
2791 definition, this is a snapshot of NAT instance state at a
2792 given moment. Indexed by NAT instance, internal realm, and
2793 internal address in that realm. Provides the mapped external
2794 address and, depending on implementation support, identifies
2795 the address pool from which the external address and port
2796 were taken and the index of the subscriber to which the
2797 mapping has been allocated.
2799 In the case of DS-Lite [RFC 6333], the indexing realm and
2800 address are those of the IPv6 encapsulation rather than the
2801 IPv4 inner packet."
2802 REFERENCE
2803 "RFC yyyy Section 3.3.8. DS-Lite: RFC 6333"
2804 ::= { natv2MIBInstanceObjects 5 }
2806 natv2AddressMapEntry OBJECT-TYPE
2807 SYNTAX Natv2AddressMapEntry
2808 MAX-ACCESS not-accessible
2809 STATUS current
2810 DESCRIPTION
2811 "Mapping from internal to external address."
2812 INDEX { natv2AddressMapInstanceIndex,
2813 natv2AddressMapInternalRealm,
2814 natv2AddressMapInternalAddressType,
2815 natv2AddressMapInternalAddress,
2816 natv2AddressMapRowIndex }
2817 ::= { natv2AddressMapTable 1 }
2819 Natv2AddressMapEntry ::=
2820 SEQUENCE {
2821 natv2AddressMapInstanceIndex Natv2InstanceIndex,
2822 natv2AddressMapInternalRealm SnmpAdminString,
2823 natv2AddressMapInternalAddressType InetAddressType,
2824 natv2AddressMapInternalAddress InetAddress,
2825 natv2AddressMapRowIndex Unsigned32,
2826 natv2AddressMapInternalMappedAddressType InetAddressType,
2827 natv2AddressMapInternalMappedAddress InetAddress,
2828 natv2AddressMapExternalRealm SnmpAdminString,
2829 natv2AddressMapExternalAddressType InetAddressType,
2830 natv2AddressMapExternalAddress InetAddress,
2831 natv2AddressMapExternalPoolIndex Natv2PoolIndexOrZero,
2832 natv2AddressMapSubscriberIndex Natv2SubscriberIndexOrZero
2833 }
2835 natv2AddressMapInstanceIndex OBJECT-TYPE
2836 SYNTAX Natv2InstanceIndex
2837 MAX-ACCESS not-accessible
2838 STATUS current
2839 DESCRIPTION
2840 "Index of the NAT instance that generated this address map."
2841 ::= { natv2AddressMapEntry 1 }
2843 natv2AddressMapInternalRealm OBJECT-TYPE
2844 SYNTAX SnmpAdminString (SIZE(0..32))
2845 MAX-ACCESS not-accessible
2846 STATUS current
2847 DESCRIPTION
2848 "Realm to which the internal address belongs. In most cases
2849 this is the realm defining the address space of the packet
2850 being translated. However, in the case of DS-Lite [RFC
2851 6333], this realm defines the IPv6 outer header address
2852 space. It is the combination of that outer header and
2853 the inner IPv4 packet header that is remapped to the
2854 external address and realm. The corresponding IPv4 realm is
2855 restricted in scope to the tunnel, so there is no point in
2856 identifying it. The mapped IPv4 address will normally be the
2857 well-known value 192.0.0.2, or at least lie in the reserved
2858 192.0.0.0/29 range.
2860 If natv2AddressMapSubscriberIndex in this table is a valid
2861 subscriber index (i.e., greater than zero), then the value
2862 of natv2AddressMapInternalRealm MUST be identical to the
2863 value of natv2SubscriberRealm associated with that index."
2864 REFERENCE
2865 "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
2866 Section 6.6 on the need to have the IPv6 tunnel address in
2867 the NAT mapping tables."
2868 ::= { natv2AddressMapEntry 2 }
2870 natv2AddressMapInternalAddressType OBJECT-TYPE
2871 SYNTAX InetAddressType
2872 MAX-ACCESS not-accessible
2873 STATUS current
2874 DESCRIPTION
2875 "Address type in the header of packets on the
2876 interior side of this mapping. Any value other than ipv4(1)
2877 or ipv6(2) would be unexpected.
2879 In the DS-Lite case, the address type is ipv6(2)."
2880 REFERENCE
2881 "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
2882 Section 6.6 on the need to have the IPv6 tunnel source
2883 address in the NAT mapping tables."
2884 ::= { natv2AddressMapEntry 3 }
2886 natv2AddressMapInternalAddress OBJECT-TYPE
2887 SYNTAX InetAddress
2888 MAX-ACCESS not-accessible
2889 STATUS current
2890 DESCRIPTION
2891 "Source address of packets originating from the interior
2892 of the association provided by this mapping.
2894 In the case of DS-Lite [RFC 6333], this is the IPv6 tunnel
2895 source address. The mapping in this case is considered to
2896 be from the combination of the IPv6 tunnel source address
2897 natv2AddressMapInternalAddress and the well-known IPv4
2898 inner source address natv2AddressMapInternalMappedAddress to
2899 the external address."
2900 REFERENCE
2901 "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
2902 Section 6.6 on the need to have the IPv6 tunnel address in
2903 the NAT mapping tables."
2904 ::= { natv2AddressMapEntry 4 }
2906 natv2AddressMapRowIndex OBJECT-TYPE
2907 SYNTAX Unsigned32
2908 MAX-ACCESS not-accessible
2909 STATUS current
2910 DESCRIPTION
2911 "Index of a conceptual row corresponding to a mapping of the
2912 given internal realm and address to a single external realm
2913 and address. Multiple rows will be present because of a
2914 promiscuous external address selection policy, policies
2915 associating the same internal address with different address
2916 pools, or because the same internal realm-address
2917 combination is communicating with multiple external address
2918 realms."
2919 ::= { natv2AddressMapEntry 5 }
2921 natv2AddressMapInternalMappedAddressType OBJECT-TYPE
2922 SYNTAX InetAddressType
2923 MAX-ACCESS read-only
2924 STATUS current
2925 DESCRIPTION
2926 "Internal address type actually translated by this mapping.
2927 Any value other than ipv4(1) or ipv6(2) would be unexpected.
2928 In the general case, this is the same as given by
2929 natv2AddressMapInternalAddressType. In the
2930 tunneled case it is the address type used in the
2931 encapsulated packet header. In particular, in the DS-Lite
2932 case, the mapped address type is ipv4(1)."
2933 REFERENCE
2934 "DS-Lite: RFC 6333."
2935 ::= { natv2AddressMapEntry 6 }
2937 natv2AddressMapInternalMappedAddress OBJECT-TYPE
2938 SYNTAX InetAddress
2939 MAX-ACCESS read-only
2940 STATUS current
2941 DESCRIPTION
2942 "Internal address actually translated by this mapping. In the
2943 general case, this is the same as
2944 natv2AddressMapInternalAddress. In the case of DS-Lite
2945 [RFC 6333], this is the source address of the encapsulated
2946 IPv4 packet, normally lying in the well-known range
2947 192.0.0.0/29. The mapping in this case is considered to be
2948 from the combination of the IPv6 tunnel source address
2949 natv2AddressMapInternalAddress and the well-known IPv4
2950 inner source address natv2AddressMapInternalMappedAddress to
2951 the external address."
2952 REFERENCE
2953 "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
2954 Section 6.6 on the need to have the IPv6 tunnel address in
2955 the NAT mapping tables."
2956 ::= { natv2AddressMapEntry 7 }
2958 natv2AddressMapExternalRealm OBJECT-TYPE
2959 SYNTAX SnmpAdminString (SIZE(0..32))
2960 MAX-ACCESS read-only
2961 STATUS current
2962 DESCRIPTION
2963 "External address realm to which this mapping maps the
2964 internal address. This can be the same as the internal realm
2965 in the case of a 'hairpin' connection, but otherwise will be
2966 different."
2967 ::= { natv2AddressMapEntry 8 }
2969 natv2AddressMapExternalAddressType OBJECT-TYPE
2970 SYNTAX InetAddressType
2971 MAX-ACCESS read-only
2972 STATUS current
2973 DESCRIPTION
2974 "Address type for the external realm. Any value other than
2975 ipv4(1) or ipv6(2) would be unexpected."
2976 ::= { natv2AddressMapEntry 9 }
2978 natv2AddressMapExternalAddress OBJECT-TYPE
2979 SYNTAX InetAddress
2980 MAX-ACCESS read-only
2981 STATUS current
2982 DESCRIPTION
2983 "External address to which the internal address is mapped.
2985 In the DS-Lite case, the mapping is from the combination of
2986 the internal IPv6 tunnel source address as presented in this
2987 table and the well-known IPv4 source address of the
2988 encapsulated IPv4 packet."
2989 REFERENCE
2990 "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
2991 Section 6.6 on the need to have the IPv6 tunnel address in
2992 the NAT mapping tables."
2993 ::= { natv2AddressMapEntry 10 }
2995 natv2AddressMapExternalPoolIndex OBJECT-TYPE
2996 SYNTAX Natv2PoolIndexOrZero
2997 MAX-ACCESS read-only
2998 STATUS current
2999 DESCRIPTION
3000 "Index of the address pool in the external realm from which
3001 the mapped external address given in
3002 natv2AddressMapExternalAddress was taken. Zero if the
3003 implementation does not support address pools but has chosen
3004 to support this object, or if no pool was configured for the
3005 given external realm."
3006 ::= { natv2AddressMapEntry 11 }
3008 natv2AddressMapSubscriberIndex OBJECT-TYPE
3009 SYNTAX Natv2SubscriberIndexOrZero
3010 MAX-ACCESS read-only
3011 STATUS current
3012 DESCRIPTION
3013 "Index of the subscriber to which this address mapping
3014 applies, or zero if no subscribers are configured on
3015 this NAT instance."
3016 ::= { natv2AddressMapEntry 12 }
3018 -- natv2PortMapTable
3020 natv2PortMapTable OBJECT-TYPE
3021 SYNTAX SEQUENCE OF Natv2PortMapEntry
3022 MAX-ACCESS not-accessible
3023 STATUS current
3024 DESCRIPTION
3025 "Table of port map entries indexed by NAT instance, protocol,
3026 and external realm and address. A port map entry associates
3027 an internal upper layer protocol endpoint with an endpoint
3028 for the same protocol in the given external realm. By
3029 definition, this is a snapshot of NAT instance state at a
3030 given moment. The table provides the basic mapping
3031 information.
3033 In the case of DS-Lite [RFC 6333], the table provides the
3034 internal IPv6 tunnel source address in
3035 natv2PortMapInternalAddress and the IPv4 source address
3036 of the encapsulated packet that is actually translated in
3037 natv2PortMapInternalMappedAddress. In the general (non-DS-
3038 Lite) case, those two objects will have the same value."
3039 REFERENCE
3040 "RFC yyyy Section 3.3.9. DS-Lite: RFC 6333, Section 5.7 for
3041 well-known addresses and Section 6.6 on the need to have the
3042 IPv6 tunnel address in the NAT mapping tables."
3043 ::= { natv2MIBInstanceObjects 6 }
3045 natv2PortMapEntry OBJECT-TYPE
3046 SYNTAX Natv2PortMapEntry
3047 MAX-ACCESS not-accessible
3048 STATUS current
3049 DESCRIPTION
3050 "A single NAT mapping."
3051 INDEX { natv2PortMapInstanceIndex,
3052 natv2PortMapProtocol,
3053 natv2PortMapExternalRealm,
3054 natv2PortMapExternalAddressType,
3055 natv2PortMapExternalAddress,
3056 natv2PortMapExternalPort }
3057 ::= { natv2PortMapTable 1 }
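The INDEX clause above is what a manager must encode to retrieve one port mapping directly (for instance, to find which subscriber held a given external address and port when handling an abuse report). The Python below is an added example, not part of the draft, of building and parsing that instance identifier under the SMIv2 index rules: fixed-size integer index objects contribute one sub-identifier each, while SnmpAdminString and InetAddress, neither of which is declared IMPLIED here, are encoded as a length sub-identifier followed by one sub-identifier per octet. It assumes textual addresses as input and leaves the column OID as a placeholder, since the natv2MIB prefix is defined elsewhere in the module.

```python
import ipaddress
from typing import Tuple

# InetAddressType values (RFC 4001) that the MIB expects for this table.
INET_ADDRESS_TYPE = {4: 1, 6: 2}   # ipv4(1), ipv6(2)
OCTETS_FOR_TYPE = {1: 4, 2: 16}


def encode_portmap_index(instance: int, protocol: int, realm: str,
                         address: str, port: int) -> Tuple[int, ...]:
    """Sub-identifiers of the natv2PortMapEntry INDEX, in INDEX order:

    natv2PortMapInstanceIndex, natv2PortMapProtocol,
    natv2PortMapExternalRealm, natv2PortMapExternalAddressType,
    natv2PortMapExternalAddress, natv2PortMapExternalPort.
    """
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    if not 0 <= protocol <= 255:
        raise ValueError("protocol number out of range")
    realm_octets = realm.encode("utf-8")          # SnmpAdminString is UTF-8
    if len(realm_octets) > 32:                    # SIZE(0..32) in the MIB
        raise ValueError("realm longer than 32 octets")
    ip = ipaddress.ip_address(address)
    addr_octets = ip.packed                        # 4 or 16 octets
    return (instance, protocol,
            len(realm_octets), *realm_octets,      # length-prefixed string
            INET_ADDRESS_TYPE[ip.version],
            len(addr_octets), *addr_octets,        # length-prefixed string
            port)


def decode_portmap_index(subids: Tuple[int, ...]):
    """Inverse of encode_portmap_index: parse a row's instance identifier.

    Returns (instance, protocol, realm, address, port). Rejects an address
    whose octet count disagrees with its InetAddressType, which is the
    consistency check a walker should apply before trusting a row.
    """
    it = iter(subids)
    instance = next(it)
    protocol = next(it)
    realm_len = next(it)
    realm = bytes(next(it) for _ in range(realm_len)).decode("utf-8")
    addr_type = next(it)
    addr_len = next(it)
    addr_octets = bytes(next(it) for _ in range(addr_len))
    if OCTETS_FOR_TYPE.get(addr_type) != addr_len:
        raise ValueError(
            f"InetAddressType {addr_type} inconsistent with {addr_len}-octet address")
    address = str(ipaddress.ip_address(addr_octets))
    port = next(it)
    if any(True for _ in it):
        raise ValueError("trailing sub-identifiers after natv2PortMapExternalPort")
    return instance, protocol, realm, address, port


def column_instance_oid(column_oid: str, subids: Tuple[int, ...]) -> str:
    """Dotted OID of one column's value in the row: column OID + index."""
    return column_oid + "." + ".".join(str(s) for s in subids)


# Constructed example: instance 1, TCP (6), realm "internet", external
# endpoint 198.51.100.7:40000 (RFC 5737 documentation address).
if __name__ == "__main__":
    idx = encode_portmap_index(1, 6, "internet", "198.51.100.7", 40000)
    # Placeholder column OID: take the real one from the compiled MIB.
    print(column_instance_oid("<natv2PortMapSubscriberIndex-OID>", idx))
    print(decode_portmap_index(idx))
```

A GET on natv2PortMapSubscriberIndex or natv2PortMapInternalAddress with this instance identifier answers the attribution question in one request instead of a full-table walk; the decoder is the piece a walk-based collector needs to turn each returned OID back into a row key.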
3059 Natv2PortMapEntry ::=
3060 SEQUENCE {
3061 natv2PortMapInstanceIndex Natv2InstanceIndex,
3062 natv2PortMapProtocol ProtocolNumber,
3063 natv2PortMapExternalRealm SnmpAdminString,
3064 natv2PortMapExternalAddressType InetAddressType,
3065 natv2PortMapExternalAddress InetAddress,
3066 natv2PortMapExternalPort InetPortNumber,
3067 natv2PortMapInternalRealm SnmpAdminString,
3068 natv2PortMapInternalAddressType InetAddressType,
3069 natv2PortMapInternalAddress InetAddress,
3070 natv2PortMapInternalMappedAddressType InetAddressType,
3071 natv2PortMapInternalMappedAddress InetAddress,
3072 natv2PortMapInternalPort InetPortNumber,
3073 natv2PortMapExternalPoolIndex Natv2PoolIndexOrZero,
3074 natv2PortMapSubscriberIndex Natv2SubscriberIndexOrZero
3075 }
3077 natv2PortMapInstanceIndex OBJECT-TYPE
3078 SYNTAX Natv2InstanceIndex
3079 MAX-ACCESS not-accessible
3080 STATUS current
3081 DESCRIPTION
3082 "Index of the NAT instance that created this port map entry."
3083 ::= { natv2PortMapEntry 1 }
3085 natv2PortMapProtocol OBJECT-TYPE
3086 SYNTAX ProtocolNumber
3087 MAX-ACCESS not-accessible
3088 STATUS current
3089 DESCRIPTION
3090 "The map entry's upper layer protocol number."
3091 ::= { natv2PortMapEntry 2 }
3093 natv2PortMapExternalRealm OBJECT-TYPE
3094 SYNTAX SnmpAdminString (SIZE(0..32))
3095 MAX-ACCESS not-accessible
3096 STATUS current
3097 DESCRIPTION
3098 "The realm to which natv2PortMapExternalAddress belongs."
3099 ::= { natv2PortMapEntry 3 }
3101 natv2PortMapExternalAddressType OBJECT-TYPE
3102 SYNTAX InetAddressType
3103 MAX-ACCESS not-accessible
3104 STATUS current
3105 DESCRIPTION
3106 "Address type for the external realm. A value other
3107 than ipv4(1) or ipv6(2) would be unexpected."
3108 ::= { natv2PortMapEntry 4 }
3110 natv2PortMapExternalAddress OBJECT-TYPE
3111 SYNTAX InetAddress
3112 MAX-ACCESS not-accessible
3113 STATUS current
3114 DESCRIPTION
3115 "The mapping's assigned external address. (This address is
3116 taken from the address pool identified by
3117 natv2PortMapExternalPoolIndex, if the implementation
3118 supports address pools and pools are configured for the
3119 given external realm.) This is the source address for
3120 translated outgoing packets."
3122 ::= { natv2PortMapEntry 5 }
3124 natv2PortMapExternalPort OBJECT-TYPE
3125 SYNTAX InetPortNumber
3126 MAX-ACCESS not-accessible
3127 STATUS current
3128 DESCRIPTION
3129 "The mapping's assigned external port number. This is the
3130 source port for translated outgoing packets. If the internal
3131 port number given by natv2PortMapInternalPort is zero this
3132 value MUST also be zero. Otherwise this MUST be a non-zero
3133 value."
3134 ::= { natv2PortMapEntry 6 }
3136 natv2PortMapInternalRealm OBJECT-TYPE
3137 SYNTAX SnmpAdminString (SIZE(0..32))
3138 MAX-ACCESS read-only
3139 STATUS current
3140 DESCRIPTION
3141 "The realm to which natv2PortMapInternalAddress belongs.
3142 In the general case, this realm contains the address that is
3143 being translated. In the DS-Lite (RFC 6333) case, this realm
3144 defines the IPv6 address space from which the tunnel source
3145 address is taken. The realm of the encapsulated IPv4 address
3146 is restricted in scope to the tunnel, so there is no point
3147 in identifying it separately."
3148 REFERENCE
3149 "RFC 6333 DS-Lite."
3150 ::= { natv2PortMapEntry 7 }
3152 natv2PortMapInternalAddressType OBJECT-TYPE
3153 SYNTAX InetAddressType
3154 MAX-ACCESS read-only
3155 STATUS current
3156 DESCRIPTION
3157 "Address type for addresses in the realm identified by
3158 natv2PortMapInternalRealm."
3159 ::= { natv2PortMapEntry 8 }
3161 natv2PortMapInternalAddress OBJECT-TYPE
3162 SYNTAX InetAddress
3163 MAX-ACCESS read-only
3164 STATUS current
3165 DESCRIPTION
3166 "Source address for packets received under this mapping on
3167 the internal side of the NAT instance. In the general case
3168 this address is the same as the address given in
3169 natv2PortMapInternalMappedAddress. In the DS-Lite case,
3170 natv2PortMapInternalAddress is the IPv6 tunnel source
3171 address."
3172 REFERENCE
3173 "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
3174 Section 6.6 on the need to have the IPv6 tunnel address in
3175 the NAT mapping tables."
3176 ::= { natv2PortMapEntry 9 }
3178 natv2PortMapInternalMappedAddressType OBJECT-TYPE
3179 SYNTAX InetAddressType
3180 MAX-ACCESS read-only
3181 STATUS current
3182 DESCRIPTION
3183 "Internal address type actually translated by this mapping.
3184 Any value other than ipv4(1) or ipv6(2) would be unexpected.
3185 In the general case, this is the same as given by
3186 natv2PortMapInternalAddressType. In the DS-Lite
3187 case, the address type is ipv4(1)."
3188 REFERENCE
3189 "DS-Lite: RFC 6333."
3190 ::= { natv2PortMapEntry 10 }
3192 natv2PortMapInternalMappedAddress OBJECT-TYPE
3193 SYNTAX InetAddress
3194 MAX-ACCESS read-only
3195 STATUS current
3196 DESCRIPTION
3197 "Internal address actually translated by this mapping. In the
3198 general case, this is the same as
3199 natv2PortMapInternalAddress. In the case of DS-Lite
3200 (RFC 6333), this is the source address of the encapsulated
3201 IPv4 packet, normally selected from the well-known range
3202 192.0.0.0/29. The mapping in this case is considered to be
3203 from the external address to the combination of the IPv6
3204 tunnel source address natv2PortMapInternalAddress and
3205 the well-known IPv4 inner source address
3206 natv2PortMapInternalMappedAddress."
3207 REFERENCE
3208 "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
3209 Section 6.6 on the need to have the IPv6 tunnel address in
3210 the NAT mapping tables."
3211 ::= { natv2PortMapEntry 11 }
3213 natv2PortMapInternalPort OBJECT-TYPE
3214 SYNTAX InetPortNumber
3215 MAX-ACCESS read-only
3216 STATUS current
3217 DESCRIPTION
3218 "The mapping's internal port number. If this is zero, ports
3219 are not translated (i.e., the NAT instance is a pure NAT
3220 rather than a NAPT)."
3221 ::= { natv2PortMapEntry 12 }
3223 natv2PortMapExternalPoolIndex OBJECT-TYPE
3224 SYNTAX Natv2PoolIndexOrZero
3225 MAX-ACCESS read-only
3226 STATUS current
3227 DESCRIPTION
3228 "Identifies the address pool from which the external address
3229 in this port map entry was taken. Zero if the implementation
3230 does not support address pools but has chosen to support
3231 this object, or if no pools are configured for the given
3232 external realm."
3233 ::= { natv2PortMapEntry 13 }
3235 natv2PortMapSubscriberIndex OBJECT-TYPE
3236 SYNTAX Natv2SubscriberIndexOrZero
3237 MAX-ACCESS read-only
3238 STATUS current
3239 DESCRIPTION
3240 "Subscriber using this map entry. Zero if the implementation
3241 does not support subscribers but has chosen to support
3242 this object."
3243 ::= { natv2PortMapEntry 14 }
3245 -- Conformance section. Specifies three cumulatively more extensive
3246 -- applications: basic NAT, pooled NAT, and carrier grade NAT
3248 natv2MIBConformance OBJECT IDENTIFIER ::= { natv2MIB 3 }
3250 natv2MIBCompliances OBJECT IDENTIFIER ::= { natv2MIBConformance 1 }
3251 natv2MIBGroups OBJECT IDENTIFIER ::= { natv2MIBConformance 2 }
3253 natv2MIBBasicCompliance MODULE-COMPLIANCE
3254 STATUS current
3255 DESCRIPTION
3256 "Describes the requirements for conformance to the basic NAT
3257 application of NATv2 MIB."
3258 MODULE -- this module
3259 MANDATORY-GROUPS { natv2BasicNotificationGroup,
3260 natv2BasicInstanceLevelGroup
3261 }
3262 GROUP natv2BasicNotificationGroup
3263 DESCRIPTION
3264 "The natv2BasicNotificationGroup is mandatory for all
3265 NAT applications."
3266 GROUP natv2BasicInstanceLevelGroup
3267 DESCRIPTION
3268 "The natv2BasicInstanceLevelGroup is mandatory for all
3269 NAT applications."
3270 ::= { natv2MIBCompliances 1 }
3272 natv2MIBPooledNATCompliance MODULE-COMPLIANCE
3273 STATUS current
3274 DESCRIPTION
3275 "Describes the requirements for conformance to the pooled NAT
3276 application of NATv2-MIB."
3277 MODULE -- this module
3278 MANDATORY-GROUPS { natv2BasicNotificationGroup,
3279 natv2BasicInstanceLevelGroup,
3280 natv2PooledNotificationGroup,
3281 natv2PooledInstanceLevelGroup
3282 }
3283 GROUP natv2BasicNotificationGroup
3284 DESCRIPTION
3285 "The natv2BasicNotificationGroup is mandatory for all
3286 NAT applications."
3287 GROUP natv2BasicInstanceLevelGroup
3288 DESCRIPTION
3289 "The natv2BasicInstanceLevelGroup is mandatory for all
3290 NAT applications."
3291 GROUP natv2PooledNotificationGroup
3292 DESCRIPTION
3293 "The natv2PooledNotificationGroup is mandatory for
3294 the pooled and CGN applications."
3295 GROUP natv2PooledInstanceLevelGroup
3296 DESCRIPTION
3297 "The natv2PooledInstanceLevelGroup is mandatory for
3298 the pooled and CGN applications."
3299 ::= { natv2MIBCompliances 2 }
3301 natv2MIBCGNCompliance MODULE-COMPLIANCE
3302 STATUS current
3303 DESCRIPTION
3304 "Describes the requirements for conformance to the
3305 carrier grade NAT application of NATv2-MIB."
3306 MODULE -- this module
3307 MANDATORY-GROUPS { natv2BasicNotificationGroup,
3308 natv2BasicInstanceLevelGroup,
3309 natv2PooledNotificationGroup,
3310 natv2PooledInstanceLevelGroup,
3311 natv2CGNNotificationGroup,
3312 natv2CGNDeviceLevelGroup,
3313 natv2CGNInstanceLevelGroup
3314 }
3315 GROUP natv2BasicNotificationGroup
3316 DESCRIPTION
3317 "The natv2BasicNotificationGroup is mandatory for all
3318 NAT applications."
3319 GROUP natv2BasicInstanceLevelGroup
3320 DESCRIPTION
3321 "The natv2BasicInstanceLevelGroup is mandatory for all
3322 NAT applications."
3323 GROUP natv2PooledNotificationGroup
3324 DESCRIPTION
3325 "The natv2PooledNotificationGroup is mandatory for
3326 the pooled and CGN applications."
3327 GROUP natv2PooledInstanceLevelGroup
3328 DESCRIPTION
3329 "The natv2PooledInstanceLevelGroup is mandatory for
3330 the pooled and CGN applications."
3331 GROUP natv2CGNNotificationGroup
3332 DESCRIPTION
3333 "The natv2CGNNotificationGroup is mandatory
3334 for the carrier grade NAT application."
3335 GROUP natv2CGNDeviceLevelGroup
3336 DESCRIPTION
3337 "The natv2CGNDeviceLevelGroup is mandatory
3338 for the carrier grade NAT application."
3339 GROUP natv2CGNInstanceLevelGroup
3340 DESCRIPTION
3341 "The natv2CGNInstanceLevelGroup is mandatory
3342 for the carrier grade NAT application."
3343 ::= { natv2MIBCompliances 3 }
3345 -- Groups
3347 natv2BasicNotificationGroup NOTIFICATION-GROUP
3348 NOTIFICATIONS {
3349 natv2NotificationInstanceAddressMapEntriesHigh,
3350 natv2NotificationInstancePortMapEntriesHigh
3352 }
3353 STATUS current
3354 DESCRIPTION
3355 "Notifications that MUST be supported by all NAT
3356 applications."
3357 ::= { natv2MIBGroups 1 }
3359 natv2BasicInstanceLevelGroup OBJECT-GROUP
3360 OBJECTS {
3361 -- from natv2InstanceTable
3362 natv2InstanceAlias,
3363 natv2InstancePortMappingBehavior,
3364 natv2InstanceFilteringBehavior,
3365 natv2InstanceFragmentBehavior,
3366 natv2InstanceAddressMapEntries,
3367 natv2InstancePortMapEntries,
3368 natv2InstanceTranslations,
3369 natv2InstanceAddressMapCreations,
3370 natv2InstanceAddressMapEntryLimitDrops,
3371 natv2InstanceAddressMapFailureDrops,
3372 natv2InstancePortMapCreations,
3373 natv2InstancePortMapEntryLimitDrops,
3374 natv2InstancePortMapFailureDrops,
3375 natv2InstanceFragmentDrops,
3376 natv2InstanceOtherResourceFailureDrops,
3377 natv2InstanceDiscontinuityTime,
3378 natv2InstanceThresholdAddressMapEntriesHigh,
3379 natv2InstanceThresholdPortMapEntriesHigh,
3380 natv2InstanceNotificationInterval,
3381 natv2InstanceLimitAddressMapEntries,
3382 natv2InstanceLimitPortMapEntries,
3383 natv2InstanceLimitPendingFragments,
3384 -- from natv2ProtocolTable
3385 natv2ProtocolPortMapEntries,
3386 natv2ProtocolTranslations,
3387 natv2ProtocolPortMapCreations,
3388 natv2ProtocolPortMapFailureDrops,
3389 -- from natv2AddressMapTable
3390 natv2AddressMapExternalRealm,
3391 natv2AddressMapExternalAddressType,
3392 natv2AddressMapExternalAddress,
3393 -- from natv2PortMapTable
3394 natv2PortMapInternalRealm,
3395 natv2PortMapInternalAddressType,
3396 natv2PortMapInternalAddress,
3397 natv2PortMapInternalPort
3398 }
3399 STATUS current
3400 DESCRIPTION
3401 "Per-instance objects that MUST be supported by
3402 implementations of all NAT applications."
3403 ::= { natv2MIBGroups 2 }
3405 natv2PooledNotificationGroup NOTIFICATION-GROUP
3406 NOTIFICATIONS {
3407 natv2NotificationPoolUsageLow,
3408 natv2NotificationPoolUsageHigh
3409 }
3410 STATUS current
3411 DESCRIPTION
3412 "Notifications that MUST be supported by pooled and
3413 carrier-grade NAT applications."
3414 ::= { natv2MIBGroups 3 }
3416 natv2PooledInstanceLevelGroup OBJECT-GROUP
3417 OBJECTS {
3418 -- from natv2InstanceTable
3419 natv2InstancePoolingBehavior,
3420 -- from natv2PoolTable
3421 natv2PoolRealm,
3422 natv2PoolAddressType,
3423 natv2PoolMinimumPort,
3424 natv2PoolMaximumPort,
3425 natv2PoolAddressMapEntries,
3426 natv2PoolPortMapEntries,
3427 natv2PoolAddressMapCreations,
3428 natv2PoolPortMapCreations,
3429 natv2PoolAddressMapFailureDrops,
3430 natv2PoolPortMapFailureDrops,
3431 natv2PoolDiscontinuityTime,
3432 natv2PoolThresholdUsageLow,
3433 natv2PoolThresholdUsageHigh,
3434 natv2PoolNotifiedPortMapEntries,
3435 natv2PoolNotifiedPortMapProtocol,
3436 natv2PoolNotificationInterval,
3437 -- from natv2PoolRangeTable
3438 natv2PoolRangeBegin,
3439 natv2PoolRangeEnd,
3440 -- from natv2AddressMapTable
3441 natv2AddressMapExternalPoolIndex,
3442 -- from natv2PortMapTable
3443 natv2PortMapExternalPoolIndex
3444 }
3445 STATUS current
3446 DESCRIPTION
3447 "Per-instance objects that MUST be supported by
3448 implementations of the pooled and carrier grade
3449 NAT applications."
3450 ::= { natv2MIBGroups 4 }
3452 natv2CGNNotificationGroup NOTIFICATION-GROUP
3453 NOTIFICATIONS {
3454 natv2NotificationSubscriberPortMappingEntriesHigh
3455 }
3456 STATUS current
3457 DESCRIPTION
3458 "Notification that MUST be supported by implementations
3459 of the carrier grade NAT application."
3460 ::= { natv2MIBGroups 5 }
3462 natv2CGNDeviceLevelGroup OBJECT-GROUP
3463 OBJECTS {
3464 -- from table natv2SubscriberTable
3465 natv2SubscriberInternalRealm,
3466 natv2SubscriberInternalPrefixType,
3467 natv2SubscriberInternalPrefix,
3468 natv2SubscriberInternalPrefixLength,
3469 natv2SubscriberAddressMapEntries,
3470 natv2SubscriberPortMapEntries,
3471 natv2SubscriberTranslations,
3472 natv2SubscriberAddressMapCreations,
3473 natv2SubscriberPortMapCreations,
3474 natv2SubscriberAddressMapFailureDrops,
3475 natv2SubscriberPortMapFailureDrops,
3476 natv2SubscriberDiscontinuityTime,
3477 natv2SubscriberLimitPortMapEntries,
3478 natv2SubscriberThresholdPortMapEntriesHigh,
3479 natv2SubscriberNotificationInterval
3480 }
3481 STATUS current
3482 DESCRIPTION
3483 "Device-level objects that MUST be supported by the
3484 carrier-grade NAT application."
3485 ::= { natv2MIBGroups 6 }
3487 natv2CGNInstanceLevelGroup OBJECT-GROUP
3488 OBJECTS {
3489 -- from natv2InstanceTable
3490 natv2InstanceSubscriberActiveLimitDrops,
3491 natv2InstanceLimitSubscriberActives,
3492 -- from natv2AddressMapTable
3493 natv2AddressMapInternalMappedAddressType,
3494 natv2AddressMapInternalMappedAddress,
3495 natv2AddressMapSubscriberIndex,
3497 -- from natv2PortMapTable
3498 natv2PortMapInternalMappedAddressType,
3499 natv2PortMapInternalMappedAddress,
3500 natv2PortMapSubscriberIndex
3501 }
3502 STATUS current
3503 DESCRIPTION
3504 "Per-instance objects that MUST be supported by the
3505 carrier grade NAT application."
3506 ::= { natv2MIBGroups 7 }
3508 END
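To make the row structure of natv2PortMapTable concrete, here is an added Python model (not code from the draft): it builds the OID index sub-identifiers in the order of the table's INDEX clause, following the RFC 2578 rules for fixed-length integers and variable-length strings, decodes them back, and checks the consistency rules the DESCRIPTION clauses state for the general and DS-Lite cases. The realm names, addresses, ports and index values are constructed sample data.

```python
"""Added example modelling one natv2PortMapTable row (not code from the
draft). Index encoding follows RFC 2578, Section 7.7: fixed-length
integers become one sub-identifier each; variable-length strings
(SnmpAdminString, InetAddress) become a length sub-identifier followed
by one sub-identifier per octet. All sample values are constructed."""
from dataclasses import dataclass
import ipaddress
from typing import Dict, List

IPV4, IPV6 = 1, 2                                    # InetAddressType ipv4(1), ipv6(2)
DSLITE_INNER = ipaddress.ip_network("192.0.0.0/29")  # RFC 6333 well-known inner range
REALM_MAX_OCTETS = 32                                # SnmpAdminString (SIZE(0..32))


@dataclass
class PortMapEntry:
    """Columns of Natv2PortMapEntry; the first five plus external_port form the INDEX."""
    instance_index: int           # natv2PortMapInstanceIndex
    protocol: int                 # natv2PortMapProtocol (6 = TCP, 17 = UDP)
    external_realm: str           # natv2PortMapExternalRealm
    external_address: str         # natv2PortMapExternalAddress
    external_port: int            # natv2PortMapExternalPort
    internal_realm: str           # natv2PortMapInternalRealm
    internal_address: str         # natv2PortMapInternalAddress (IPv6 tunnel source in DS-Lite)
    internal_mapped_address: str  # natv2PortMapInternalMappedAddress (inner IPv4 in DS-Lite)
    internal_port: int            # natv2PortMapInternalPort (0 = pure NAT, ports untouched)
    external_pool_index: int = 0  # natv2PortMapExternalPoolIndex (0 = no pools)
    subscriber_index: int = 0     # natv2PortMapSubscriberIndex (0 = no subscribers)


def addr_type(addr: str) -> int:
    """InetAddressType value for a textual address."""
    return IPV4 if ipaddress.ip_address(addr).version == 4 else IPV6


def _octets(raw: bytes) -> List[int]:
    """Variable-length OCTET STRING index component: length, then each octet."""
    return [len(raw), *raw]


def index_oid(e: PortMapEntry) -> List[int]:
    """Sub-identifiers appended to a column OID to name this row (INDEX order)."""
    ext = ipaddress.ip_address(e.external_address)
    return [
        e.instance_index,                            # Natv2InstanceIndex
        e.protocol,                                  # ProtocolNumber
        *_octets(e.external_realm.encode("utf-8")),  # SnmpAdminString
        addr_type(e.external_address),               # InetAddressType
        *_octets(ext.packed),                        # InetAddress
        e.external_port,                             # InetPortNumber
    ]


def parse_index(subids: List[int]) -> Dict[str, object]:
    """Inverse of index_oid: decode the index portion of a walked OID."""
    inst, proto = subids[0], subids[1]
    pos = 2
    n = subids[pos]
    realm = bytes(subids[pos + 1:pos + 1 + n]).decode("utf-8")
    pos += 1 + n
    atype = subids[pos]
    pos += 1
    n = subids[pos]
    raw = bytes(subids[pos + 1:pos + 1 + n])
    pos += 1 + n
    port = subids[pos]
    pos += 1
    if pos != len(subids):
        raise ValueError("trailing sub-identifiers after the index")
    if atype not in (IPV4, IPV6) or len(raw) != (4 if atype == IPV4 else 16):
        raise ValueError(f"unexpected InetAddressType {atype} for {len(raw)}-octet address")
    return {
        "instance_index": inst, "protocol": proto, "external_realm": realm,
        "external_address_type": atype,
        "external_address": str(ipaddress.ip_address(raw)),
        "external_port": port,
    }


def is_dslite(e: PortMapEntry) -> bool:
    """DS-Lite rows carry an IPv6 tunnel address and an IPv4 inner address."""
    return addr_type(e.internal_address) == IPV6 and addr_type(e.internal_mapped_address) == IPV4


def check_entry(e: PortMapEntry) -> List[str]:
    """Consistency rules from the object DESCRIPTIONs; an empty list means the row is consistent."""
    problems: List[str] = []
    for name, realm in (("external", e.external_realm), ("internal", e.internal_realm)):
        if len(realm.encode("utf-8")) > REALM_MAX_OCTETS:
            problems.append(f"{name} realm longer than SIZE(0..{REALM_MAX_OCTETS})")
    if (e.internal_port == 0) != (e.external_port == 0):
        problems.append("external port MUST be zero exactly when the internal port is zero")
    if is_dslite(e):
        if ipaddress.ip_address(e.internal_mapped_address) not in DSLITE_INNER:
            problems.append("DS-Lite inner IPv4 address not from the well-known range 192.0.0.0/29")
    elif e.internal_address != e.internal_mapped_address:
        problems.append("non-DS-Lite row: InternalAddress and InternalMappedAddress must agree")
    return problems


# Constructed sample rows using documentation and private address space.
DSLITE_ROW = PortMapEntry(1, 17, "internet", "198.51.100.7", 40001,
                          "ds-lite", "2001:db8::1", "192.0.0.2", 5060,
                          external_pool_index=1, subscriber_index=42)
PLAIN_ROW = PortMapEntry(1, 6, "internet", "198.51.100.7", 40002,
                         "private", "10.0.0.5", "10.0.0.5", 443)
BAD_ROW = PortMapEntry(1, 6, "internet", "198.51.100.7", 1024,
                       "private", "10.0.0.5", "10.0.0.5", 0)  # pure NAT but non-zero external port

if __name__ == "__main__":
    for row in (DSLITE_ROW, PLAIN_ROW, BAD_ROW):
        print(index_oid(row), check_entry(row) or "consistent")
```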
3510 5. Operational and Management Considerations
3512 This section covers two particular areas of operations and
3513 management: configuration requirements, and transition from or
3514 coexistence with the [RFC4008] MIB module.
3516 5.1. Configuration Requirements
3518 This MIB module assumes that the following information is configured
3519 on the NAT device by means outside the scope of the present document
3520 or is imposed by the implementation:
3522 o the set of address realms to which the device connects;
3524 o for the CGN application, per-subscriber information including
3525 subscriber index, address realm, assigned prefix or address, and
3526 (possibly) policies regarding address pool selection in the
3527 various possible address realms to which the subscriber may
3528 connect. In the particular case of DS-Lite [RFC6333] access, as
3529 well as the assigned outer layer (IPv6) prefix or address, the
3530 subscriber information will include an inner (IPv4) source
3531 address, usually 192.0.0.2.
3533 o the set of NAT instances running on the device, identified by NAT
3534 instance index and name;
3536 o the port mapping, filtering, pooling, and fragment behavior for
3537 each NAT instance;
3539 o the set of protocols supported by each NAT instance;
3541 o for the pooled NAT and CGN applications, address pool information
3542 for each NAT instance, including for each pool the pool index,
3543 address realm, address type, minimum and maximum port number, the
3544 address ranges assigned to that pool, and policies for access to
3545 that pool's resources;
3547 o static address and port map entries.
3549 As described in previous sections, this MIB module does provide read-
3550 write objects for control of notifications (see especially
3551 Section 3.1.2) and limiting of resource consumption (Section 3.1.1).
3552 This document is written in advance of any practical experience with
3553 the setting of these values, and can thus provide only general
3554 principles for how to set them.
3556 By default, the MIB module definition disables notifications until
3557 they are explicitly enabled by the operator, using the associated
3558 threshold value to do so. To make use of the notifications, the
3559 operator may wish to take the following considerations into account.
3561 Except for the low address pool utilization notification, the
3562 notifications imply that some sort of administrative action is
3563 required to mitigate an impending shortage of a particular resource.
3564 The choice of value for the triggering threshold needs to take two
3565 factors into account: the volatility of usage of the given resource,
3566 and the amount of time the operator needs to mitigate the potential
3567 overload situation. That time could vary from almost immediate to
3568 several weeks required to order and install new hardware or software.
3570 To give a numeric example, if average utilization is going up 1% per
3571 week but can vary 10% around that average in any given hour, and it
3572 takes two weeks to carry through mitigating measures, the threshold
3573 should be set to 88% of the corresponding limit (two weeks' growth
3574 plus 10% volatility margin). If mitigating measures can be carried
3575 out immediately, this can rise to 90%. For this particular example
3576 that change is insignificant, but in other cases the difference may
3577 be large enough to matter in terms of reduced load on the management
3578 plane.
3580 The notification rate limit settings really depend on the operator's
3581 processes, but are a tradeoff between reliably reporting the notified
3582 condition and not having it overload the management plane.
3583 Reliability rises in importance with the importance of the resource
3584 involved. Thus the default notification intervals defined in this
3585 MIB module range from 10 seconds (high reliability) for the address
3586 and port map entry thresholds up to 60 seconds (lower reliability)
3587 for the per-subscriber port entry thresholds. Experience may suggest
3588 better values.
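As an added illustration (not from the draft), the sizing rule of the numeric example above and the rate limit that a notification interval places on repeated "high" notifications, in Python. It assumes that a high notification fires when the sampled count reaches or exceeds the threshold and that an unset threshold leaves the notification disabled; the sample series is constructed.

```python
"""Added example (not from the draft): threshold sizing per the numeric
example in Section 5.1 and the rate limit a notification interval places
on repeated "high" notifications. Assumptions: a notification fires when
the sampled count reaches or exceeds the threshold, and an unset
threshold (None) means the notification is disabled."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def threshold_percent(growth_per_week: float, volatility: float,
                      weeks_to_mitigate: float) -> float:
    """Threshold as a percentage of the limit: 100% minus the growth expected
    while mitigation is carried out, minus the volatility margin."""
    return 100.0 - growth_per_week * weeks_to_mitigate - volatility


def threshold_value(limit: int, growth_per_week: float, volatility: float,
                    weeks_to_mitigate: float) -> int:
    """Absolute threshold to set against a limit object such as
    natv2InstanceLimitPortMapEntries."""
    pct = threshold_percent(growth_per_week, volatility, weeks_to_mitigate)
    return int(limit * pct / 100.0)


@dataclass
class HighNotifier:
    """One threshold/interval pair, e.g. natv2InstanceThresholdPortMapEntriesHigh
    together with natv2InstanceNotificationInterval."""
    threshold: Optional[int] = None   # None: disabled, the module's default state
    interval_seconds: int = 10        # draft default for address/port map thresholds
    last_sent: Optional[float] = None

    def observe(self, now: float, count: int) -> bool:
        """Feed one sample; return True if a notification is emitted."""
        if self.threshold is None or count < self.threshold:
            return False
        if self.last_sent is not None and now - self.last_sent < self.interval_seconds:
            return False          # condition persists, but the interval suppresses a repeat
        self.last_sent = now
        return True


def notification_times(samples: List[Tuple[float, int]],
                       threshold: Optional[int], interval_seconds: int) -> List[float]:
    """Times at which notifications are emitted for a series of (time, count) samples."""
    n = HighNotifier(threshold, interval_seconds)
    return [t for t, count in samples if n.observe(t, count)]


# Constructed series: one sample per second for 30 s; the port map count crosses
# the threshold at t = 5 and stays there.
LIMIT = 100_000
THRESHOLD = threshold_value(LIMIT, growth_per_week=1, volatility=10, weeks_to_mitigate=2)
SAMPLES = [(float(t), 90_000 if t >= 5 else 50_000) for t in range(30)]

if __name__ == "__main__":
    print("threshold:", THRESHOLD)
    print("interval 10 s:", notification_times(SAMPLES, THRESHOLD, 10))
    # A low interval combined with a low threshold is the flood case Section 6 warns about.
    print("interval 1 s: ", len(notification_times(SAMPLES, THRESHOLD, 1)), "notifications")
    print("disabled:     ", notification_times(SAMPLES, None, 10))
```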
3590 The limits on number of instance-level address map and port map
3591 entries and held fragments relate directly to memory allocations for
3592 these tables. The relationship between number of map entries or
3593 number of held fragments and memory required will be implementation-
3594 specific. Hence it is up to the implementor to provide specific
3595 advice on the setting of these limits.
3597 The limit on simultaneous number of active subscribers is indirectly
3598 related to memory consumption for map entries, but also to processor
3599 usage by the NAT instance. The best strategy for setting this limit
3600 would seem to be to leave it disabled during an initial period while
3601 observing device processor utilization, then to implement a trial
3602 setting while observing the number of blocked packets affected by the
3603 new limit. The setting may vary by NAT instance if a suitable
3604 estimator of likely load (e.g., total number of hosts served by that
3605 instance) is available.
3607 5.2. Transition From and Coexistence With NAT-MIB [RFC4008]
3609 A manager may have to deal with a mixture of devices supporting the
3610 NAT-MIB module [RFC4008] and the NATV2-MIB module defined in the
3611 present document. It is even possible that both modules are
3612 supported on the same device. The following discussion brings out
3613 the limits of comparability between the two MIB modules. A first
3614 point to note is that NAT-MIB is primarily focussed on configuration,
3615 while NATV2-MIB is primarily focussed on measurements.
3617 To summarize the model used by [RFC4008]:
3619 o The basic unit of NAT configuration is the interface.
3621 o An interface connects to a single realm, either "private", or
3622 "public". In principle that means there could be multiple
3623 instances of one type of realm or the other, but the number is
3624 physically limited by the number of interfaces on the NAT device.
3626 o Before the NAT can operate on a given interface, an "address map"
3627 has to be configured on it. The [RFC4008] address map is
3628 equivalent to the pool tables in the present document. Since just
3629 one "address map" is configured per interface, this is the
3630 equivalent of a single address pool per interface.
3632 o The address binding and port binding tables are roughly equivalent
3633 to the address map and port map tables in the present document in
3634 their content, but can be either unidirectional or
3635 bidirectional. The [RFC4008] model shows the address binding and
3636 port binding as alternative precursors to session establishment,
3637 depending on whether the device does address translation only or
3638 address and port translation. In contrast, NATV2-MIB assumes a
3639 model where bidirectional port mappings are based on bidirectional
3640 address mappings that have conceptually been established
3641 beforehand.
3643 o The equivalent to an [RFC4008] session in NATV2-MIB would be a
3644 pair of port map entries. The added complexity in [RFC4008] is
3645 due to the modelling of NAT service types as defined in [RFC3489]
3646 (the symmetric NAT in particular) instead of the more granular set
3647 of behaviors described in [RFC4787].
3649 With regard to that last point, the mapping between [RFC3489] service
3650 types and [RFC4787] NAT behaviours is as follows:
3652 o A full cone NAT exhibits endpoint-independent port mapping
3653 behavior and endpoint-independent filtering behavior.
3655 o A restricted cone NAT exhibits endpoint-independent port mapping
3656 behavior, but address-dependent filtering behavior.
3658 o A port restricted cone NAT exhibits endpoint-independent port
3659 mapping behavior, but address-and-port-dependent filtering
3660 behavior.
3662 o A symmetric NAT exhibits address-and-port-dependent port mapping
3663 and filtering behaviors.
3665 Note that these NAT types are a subset of the types that could be
3666 configured according to the [RFC4787] behavioral classification used
3667 in NATV2-MIB, but they include the two possibilities (full and
3668 restricted cone NAT) that satisfy requirements REQ-1 and REQ-8 of
3669 [RFC4787]. Note further that other behaviors defined in [RFC4787]
3670 are not considered in [RFC4008].
3672 Having established a context for discussion, we are now in a position
3673 to compare the outputs provided to management from the [RFC4008] and
3674 NATV2-MIB modules. This comparison relates to the ability to compare
3675 results if testing with both MIBs implemented on the same device
3676 during a transition period.
3678 [RFC4008] provides three counters: incoming translations, outgoing
3679 translations, and discarded packets, at the granularities of
3680 interface, address map, and protocol, and incoming and outgoing
3681 translations at the levels of individual address bind, address port
3682 bind, and session entries. Implementation at the protocol and
3683 address map levels is optional. NATV2-MIB provides a single total
3684 (both directions) translations counter at the instance, protocol
3685 within instance, and subscriber levels. Given the differences in
3686 granularity, it appears that the only comparable measurement of
3687 translations between the two MIB modules would be through aggregation
3688 of the [RFC4008] interface counters to give a total number of
3689 translations for the NAT instance.
3691 NATV2-MIB has broken out the single discard counter into a number of
3692 different counters reflecting the cause of the discard in more
3693 detail, to help in troubleshooting. Again, with the differing
3694 levels of granularity, the only comparable statistic would be through
3695 aggregation to a single value of total discards per NAT instance.
3697 Moving on to state variables, [RFC4008] offers counts of number of
3698 "address map" (i.e., address pool) entries used (excluding static
3699 entries) at the address map level, and number of entries in the
3700 address bind and address and port bind tables respectively. Finally,
3701 [RFC4008] provides a count of the number of sessions currently using
3702 each entry in the address and port bind table. None of these counts
3703 are directly comparable with the state values offered by NATV2-MIB,
3704 because of the exclusion of static entries at the address map level,
3705 and because of the differing models of the translation tables between
3706 [RFC4008] and NATV2-MIB.
3708 6. Security Considerations
3710 A number of management objects defined in this MIB module have a MAX-
3711 ACCESS clause of read-write. Such objects may be considered
3712 sensitive or vulnerable in some network environments. The support
3713 for SET operations in a non-secure environment without proper
3714 protection can have a negative effect on network operations. These
3715 are the tables and objects and their sensitivity/vulnerability:
3717 Limits: An attacker setting a very low or very high limit can easily
3718 cause a denial-of-service situation.
3720 * natv2InstanceLimitAddressMapEntries;
3722 * natv2InstanceLimitPortMapEntries;
3724 * natv2InstanceLimitPendingFragments;
3726 * natv2InstanceLimitSubscriberActives;
3728 * natv2SubscriberLimitPortMapEntries.
3730 Notification thresholds: An attacker setting an arbitrarily low
3731 threshold can cause many useless notifications to be generated
3732 (subject to the notification interval). Setting an arbitrarily
3733 high threshold can effectively disable notifications, which could
3734 be used to hide another attack.
3736 * natv2InstanceThresholdAddressMapEntriesHigh;
3738 * natv2InstanceThresholdPortMapEntriesHigh;
3740 * natv2PoolThresholdUsageLow;
3742 * natv2PoolThresholdUsageHigh;
3744 * natv2SubscriberThresholdPortMapEntriesHigh.
3746 Notification intervals: An attacker setting a low notification
3747 interval in combination with a low threshold value can cause many
3748 useless notifications to be generated.
3750 * natv2InstanceNotificationInterval;
3752 * natv2PoolNotificationInterval;
3754 * natv2SubscriberNotificationInterval.
3756 Some of the readable objects in this MIB module (i.e., objects with a
3757 MAX-ACCESS other than not-accessible) may be considered sensitive or
3758 vulnerable in some network environments. It is thus important to
3759 control even GET and/or NOTIFY access to these objects and possibly
3760 to even encrypt the values of these objects when sending them over
3761 the network via SNMP. These are the tables and objects and their
3762 sensitivity/vulnerability:
3764 Objects that reveal host identities: Various objects can reveal the
3765 identity of private hosts that are engaged in a session with
3766 external end nodes. A curious outsider could monitor these to
3767 assess the number of private hosts being supported by the NAT
3768 device. Further, a disgruntled former employee of an enterprise
3769 could use the information to break into specific private hosts by
3770 intercepting the existing sessions or originating new sessions
3771 into the host.
3773 * entries in the natv2AddressMapTable;
3775 * entries in the natv2PortMapTable.
3777 Other objects that reveal NAT state: Other managed objects in this
3778 MIB may contain information that may be sensitive from a business
3779 perspective, in that they may represent NAT capabilities, business
3780 policies, and state information.
3782 * natv2SubscriberLimitPortMapEntries;
3783 * natv2InstancePortMappingBehavior;
3785 * natv2InstanceFilteringBehavior;
3787 * natv2InstancePoolingBehavior;
3789 * natv2InstanceFragmentBehavior;
3791 * natv2InstanceAddressMapEntries;
3793 * natv2InstancePortMapEntries.
3795 There are no objects that are sensitive in their own right, such as
3796 passwords or monetary amounts.
3798 SNMP versions prior to SNMPv3 did not include adequate security.
3799 Even if the network itself is secure (for example by using IPsec),
3800 there is no control as to who on the secure network is allowed to
3801 access and GET/SET (read/change/create/delete) the objects in this
3802 MIB module.
3804 Implementations SHOULD provide the security features described by the
3805 SNMPv3 framework (see [RFC3410]), and implementations claiming
3806 compliance to the SNMPv3 standard MUST include full support for
3807 authentication and privacy via the User-based Security Model (USM)
3808 [RFC3414] with the AES cipher algorithm [RFC3826]. Implementations
3809 MAY also provide support for the Transport Security Model (TSM)
3810 [RFC5591] in combination with a secure transport such as SSH
3811 [RFC5592] or TLS/DTLS [RFC6353].
3813 Further, deployment of SNMP versions prior to SNMPv3 is NOT
3814 RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
3815 enable cryptographic security. It is then a customer/operator
3816 responsibility to ensure that the SNMP entity giving access to an
3817 instance of this MIB module is properly configured to give access to
3818 the objects only to those principals (users) that have legitimate
3819 rights to indeed GET or SET (change/create/delete) them.
3821 7. IANA Considerations
3823 IANA is requested to assign an object identifier to the natv2MIB
3824 module, with prefix iso.org.dod.internet.mgmt.mib-2 in the Network
3825 Management Parameters registry [SMI-NUMBERS].
3827 8. References
3829 8.1. Normative References
3831 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
3832 Requirement Levels", BCP 14, RFC 2119, March 1997.
3834 [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J.
3835 Schoenwaelder, Ed., "Structure of Management Information
3836 Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.
3838 [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J.
3839 Schoenwaelder, Ed., "Textual Conventions for SMIv2", STD
3840 58, RFC 2579, April 1999.
3842 [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
3843 "Conformance Statements for SMIv2", STD 58, RFC 2580,
3844 April 1999.
3846 [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
3847 Architecture for Describing Simple Network Management
3848 Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
3849 December 2002.
3851 [RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model
3852 (USM) for version 3 of the Simple Network Management
3853 Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.
3855 [RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie, "The
3856 Advanced Encryption Standard (AES) Cipher Algorithm in the
3857 SNMP User-based Security Model", RFC 3826, June 2004.
3859 [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
3860 Schoenwaelder, "Textual Conventions for Internet Network
3861 Addresses", RFC 4001, February 2005.
3863 [RFC4787] Audet, F. and C. Jennings, "Network Address Translation
3864 (NAT) Behavioral Requirements for Unicast UDP", BCP 127,
3865 RFC 4787, January 2007.
3867 [RFC5591] Harrington, D. and W. Hardaker, "Transport Security Model
3868 for the Simple Network Management Protocol (SNMP)", STD
3869 78, RFC 5591, June 2009.
3871 [RFC5592] Harrington, D., Salowey, J., and W. Hardaker, "Secure
3872 Shell Transport Model for the Simple Network Management
3873 Protocol (SNMP)", RFC 5592, June 2009.
3875 [RFC6353] Hardaker, W., "Transport Layer Security (TLS) Transport
3876 Model for the Simple Network Management Protocol (SNMP)",
3877 STD 78, RFC 6353, July 2011.
3879 8.2. Informative References
3881 [I-D.perrault-behave-deprecate-nat-mib-v1]
3882 Perreault, S., Tsou, T., Sivakumar, S., and T. Taylor,
3883 "Deprecation of MIB Module NAT-MIB (Managed Objects for
3884 Network Address Translators (NAT)) (Work in Progress)",
3885 October 2014.
3887 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
3888 (IPv6) Specification", RFC 2460, December 1998.
3890 [RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address
3891 Translator (NAT) Terminology and Considerations", RFC
3892 2663, August 1999.
3894 [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
3895 "Introduction and Applicability Statements for Internet-
3896 Standard Management Framework", RFC 3410, December 2002.
3898 [RFC3489] Rosenberg, J., Weinberger, J., Huitema, C., and R. Mahy,
3899 "STUN - Simple Traversal of User Datagram Protocol (UDP)
3900 Through Network Address Translators (NATs)", RFC 3489,
3901 March 2003.
3903 [RFC4008] Rohit, R., Srisuresh, P., Raghunarayan, R., Pai, N., and
3904 C. Wang, "Definitions of Managed Objects for Network
3905 Address Translators (NAT)", RFC 4008, March 2005.
3907 [RFC6333] Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-
3908 Stack Lite Broadband Deployments Following IPv4
3909 Exhaustion", RFC 6333, August 2011.
3911 [SMI-NUMBERS]
3912 "Network Management Parameters registry at IANA",
3913 .
3915 Authors' Addresses
3917 Simon Perreault
3918 Jive Communications
3919 Quebec, QC
3920 Canada
3922 Email: sperreault@jive.com
3923 Tina Tsou
3924 Huawei Technologies
3925 Bantian, Longgang District
3926 Shenzhen 518129
3927 PR China
3929 Email: tina.tsou.zouting@huawei.com
3931 Senthil Sivakumar
3932 Cisco Systems
3933 7100-8 Kit Creek Road
3934 Research Triangle Park, North Carolina 27709
3935 USA
3937 Phone: +1 919 392 5158
3938 Email: ssenthil@cisco.com
3940 Tom Taylor
3941 PT Taylor Consulting
3942 Ottawa
3943 Canada
3945 Email: tom.taylor.stds@gmail.com