idnits 2.17.1 

draft-perrault-behave-natv2-mib-05.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 1 instance of lines with non-RFC2606-compliant FQDNs in the
     document.

  == There are 7 instances of lines with non-RFC6890-compliant IPv4 addresses
     in the document.  If these are example addresses, they should be changed.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 2683 has weird spacing: '...     of  natv2...'

  -- The document date (June 16, 2015) is 3230 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'RFC 4008' is mentioned on line 3600, but not defined

  ** Obsolete undefined reference: RFC 4008 (Obsoleted by RFC 7658)

  == Missing Reference: 'RFC 6333' is mentioned on line 3196, but not defined

  -- No information found for draft-perrault-behave-deprecate-nat-mib-v1 - is
     the name correct?

  -- Obsolete informational reference (is this intentional?): RFC 2460
     (Obsoleted by RFC 8200)

  -- Obsolete informational reference (is this intentional?): RFC 3489
     (Obsoleted by RFC 5389)

  -- Obsolete informational reference (is this intentional?): RFC 4008
     (Obsoleted by RFC 7658)


     Summary: 1 error (**), 0 flaws (~~), 6 warnings (==), 5 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Network Working Group                                       S. Perreault
3	Internet-Draft                                       Jive Communications
4	Intended status: Standards Track                                 T. Tsou
5	Expires: December 18, 2015                           Huawei Technologies
6	                                                            S. Sivakumar
7	                                                           Cisco Systems
8	                                                               T. Taylor
9	                                                    PT Taylor Consulting
10	                                                           June 16, 2015

12	  Definitions of Managed Objects for Network Address Translators (NAT)
13	                   draft-perrault-behave-natv2-mib-05

15	Abstract

17	   This memo defines a portion of the Management Information Base (MIB)
18	   for devices implementing the Network Address Translator (NAT)
19	   function.  The new MIB module defined in this document, NATV2-MIB, is
20	   intended to replace module NAT-MIB (RFC 4008).  NATV2-MIB is not
21	   backwards compatible with NAT-MIB, for reasons given in the text of
22	   this document.  A companion document deprecates all objects in NAT-
23	   MIB.  NATV2-MIB can be used for monitoring of NAT instances on a
24	   device capable of NAT function.  Compliance levels are defined for
25	   three application scenarios: basic NAT, pooled NAT, and carrier-grade
26	   NAT (CGN).

28	Status of This Memo

30	   This Internet-Draft is submitted in full conformance with the
31	   provisions of BCP 78 and BCP 79.

33	   Internet-Drafts are working documents of the Internet Engineering
34	   Task Force (IETF).  Note that other groups may also distribute
35	   working documents as Internet-Drafts.  The list of current Internet-
36	   Drafts is at http://datatracker.ietf.org/drafts/current/.

38	   Internet-Drafts are draft documents valid for a maximum of six months
39	   and may be updated, replaced, or obsoleted by other documents at any
40	   time.  It is inappropriate to use Internet-Drafts as reference
41	   material or to cite them other than as "work in progress."

43	   This Internet-Draft will expire on December 18, 2015.

45	Copyright Notice

47	   Copyright (c) 2015 IETF Trust and the persons identified as the
48	   document authors.  All rights reserved.

50	   This document is subject to BCP 78 and the IETF Trust's Legal
51	   Provisions Relating to IETF Documents
52	   (http://trustee.ietf.org/license-info) in effect on the date of
53	   publication of this document.  Please review these documents
54	   carefully, as they describe your rights and restrictions with respect
55	   to this document.  Code Components extracted from this document must
56	   include Simplified BSD License text as described in Section 4.e of
57	   the Trust Legal Provisions and are provided without warranty as
58	   described in the Simplified BSD License.

60	Table of Contents

62	   1.  The SNMP Management Framework . . . . . . . . . . . . . . . .   3
63	   2.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
64	   3.  Overview  . . . . . . . . . . . . . . . . . . . . . . . . . .   5
65	     3.1.  Content Provided by the NATV2-MIB Module  . . . . . . . .   5
66	       3.1.1.  Configuration Data  . . . . . . . . . . . . . . . . .   5
67	       3.1.2.  Notifications . . . . . . . . . . . . . . . . . . . .   6
68	       3.1.3.  State Information . . . . . . . . . . . . . . . . . .   9
69	       3.1.4.  Statistics  . . . . . . . . . . . . . . . . . . . . .   9
70	     3.2.  Outline of MIB Module Organization  . . . . . . . . . . .  11
71	     3.3.  Detailed MIB Module Walk-Through  . . . . . . . . . . . .  13
72	       3.3.1.  Textual Conventions . . . . . . . . . . . . . . . . .  13
73	       3.3.2.  Notifications . . . . . . . . . . . . . . . . . . . .  13
74	       3.3.3.  The Subscriber Table: natv2SubscriberTable  . . . . .  13
75	       3.3.4.  The Instance Table: natv2InstanceTable  . . . . . . .  14
76	       3.3.5.  The Protocol Table: natv2ProtocolTable  . . . . . . .  15
77	       3.3.6.  The Address Pool Table: natv2PoolTable  . . . . . . .  15
78	       3.3.7.  The Address Pool Address Range Table:
79	               natv2PoolRangeTable . . . . . . . . . . . . . . . . .  16
80	       3.3.8.  The Address Map Table: natv2AddressMapTable . . . . .  16
81	       3.3.9.  The Port Map Table: natv2PortMapTable . . . . . . . .  17
82	     3.4.  Conformance: Three Application Scenarios  . . . . . . . .  17
83	   4.  Definitions . . . . . . . . . . . . . . . . . . . . . . . . .  18
84	   5.  Operational and Management Considerations . . . . . . . . . .  74
85	     5.1.  Configuration Requirements  . . . . . . . . . . . . . . .  74
86	     5.2.  Transition From and Coexistence With NAT-MIB  [RFC 4008]   76
87	   6.  Security Considerations . . . . . . . . . . . . . . . . . . .  78
88	   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  81
89	   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  81
90	     8.1.  Normative References  . . . . . . . . . . . . . . . . . .  81
91	     8.2.  Informative References  . . . . . . . . . . . . . . . . .  82
92	   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  83

94	1.  The SNMP Management Framework

96	   For a detailed overview of the documents that describe the current
97	   Internet-Standard Management Framework, please refer to section 7 of
98	   RFC 3410 [RFC3410].

100	   Managed objects are accessed via a virtual information store, termed
101	   the Management Information Base or MIB.  MIB objects are generally
102	   accessed through the Simple Network Management Protocol (SNMP).
103	   Objects in the MIB are defined using the mechanisms defined in the
104	   Structure of Management Information (SMI).  This memo specifies a MIB
105	   module that is compliant to the SMIv2, which is described in STD 58,
106	   [RFC2578], [RFC2579] and [RFC2580].

108	2.  Introduction

110	   Note to RFC Ed.: please replace RFC yyyy with actual RFC number
111	   throughout this document and remove this note.

113	   This memo defines a portion of the Management Information Base (MIB)
114	   for devices implementing NAT functions.  This MIB module, NATV2-MIB,
115	   may be used for monitoring of such devices.  NATV2-MIB supersedes
116	   NAT-MIB [RFC4008], which did not fit well with existing NAT
117	   implementations, and hence was not itself much implemented.
118	   [I-D.perrault-behave-deprecate-nat-mib-v1] provides a detailed
119	   analysis of the deficiencies of NAT-MIB.

121	   Relative to [RFC4008] and based on the analysis just mentioned, the
122	   present document introduces the following changes:

124	   o  removed all writable configuration except that related to control
125	      of the generation of notifications and the setting of quotas on
126	      the use of NAT resources;

128	   o  minimized the read-only exposure of configuration to what is
129	      needed to provide context for the state and statistical
130	      information presented by the MIB module;

132	   o  removed the association between mapping and interfaces, retaining
133	      only the mapping aspect;

135	   o  replaced references to NAT types with references to NAT behaviors
136	      as specified in [RFC4787];

138	   o  replaced a module-specific enumeration of protocols with the
139	      standard protocol numbers provided by the IANA Assigned Internet
140	      Protocol Numbers registry.

142	   This MIB module adds the following features not present in [RFC4008]:

144	   o  additional writable protective limits on NAT state data;

146	   o  additional objects to report state, statistics, and notifications;

148	   o  support for the carrier grade NAT (CGN) application, including
149	      subscriber-awareness, support for an arbitrary number of address
150	      realms, and support for multiple NAT instances running on a single
151	      device;

153	   o  expanded support for address pools;

155	   o  revised indexing of port map entries to simplify traceback from
156	      externally observable packet parameters to the corresponding
157	      internal endpoint.

159	   These features are described in more detail below.

161	   The remainder of this document is organized as follows:

163	   o  Section 3 provides a verbal description of the content and
164	      organization of the MIB module.

166	   o  Section 4 provides the MIB module definition.

168	   o  Section 5 discusses operational and management issues relating to
169	      the deployment of NATV2-MIB.  One of these issues is NAT
170	      management when both NAT-MIB [RFC4008] and NATV2-MIB are deployed.

172	   o  Section 6 and Section 7 provide a security discussion and a
173	      request to IANA for allocation of an object identifier for the
174	      module in the mib-2 tree, respectively.

176	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
177	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
178	   "OPTIONAL" in this document are to be interpreted as described in
179	   [RFC2119].

181	   This document uses the following terminology:

183	   Upper layer protocol:  The protocol following the outer IP header of
184	      a packet.  This follows the terminology of [RFC2460], but as that
185	      document points out, "upper" is not necessarily a correct
186	      description of the protocol relationships (e.g., where IP is
187	      encapsulated in IP).  The abbreviated term "protocol" will often
188	      be used where it is unambiguous.

190	   Trigger:  With respect to notifications, the logical recognition of
191	      the event that the notification is intended to report.

193	   Report:  The actual production of a notification message.  Reporting
194	      can happen later than triggering, or may never happen for a given
195	      notification instance, because of the operation of notification
196	      rate controls.

198	   Address realm:  A network domain in which the network addresses are
199	      uniquely assigned to entities such that datagrams can be routed to
200	      them.  (Definition taken from [RFC2663] Section 2.1.)  The
201	      abbreviated term "realm" will often be used.

203	3.  Overview

205	   This section provides a prose description of the contents and
206	   organization of the NATV2-MIB module.

208	3.1.  Content Provided by the NATV2-MIB Module

210	   The content provided by the NATV2-MIB module can be classed under
211	   four headings: configuration data, notifications, state information,
212	   and statistics.

214	3.1.1.  Configuration Data

216	   As mentioned above, the intent in designing the NATV2-MIB module was
217	   to minimize the amount of configuration data presented to that needed
218	   to give a context for interpreting the other types of information
219	   provided.  Detailed descriptions of the configuration data are
220	   included with the descriptions of the individual tables.  In general,
221	   that data is limited to what is needed for indexing and cross-
222	   referencing between tables.  The two exceptions are the objects
223	   describing NAT instance behavior in the NAT instance table, and the
224	   detailed enumeration of resources allocated to each address pool in
225	   the pool table and its extension.

227	   The NATV2-MIB module provides three sets of read-write objects,
228	   specifically related to other aspects of the module content.  The
229	   first set controls the rate at which specific notifications are
230	   generated.  The second set provides thresholds used to trigger the
231	   notifications.  These objects are listed in Section 3.1.2.

233	   A third set of read-write objects sets limits on resource consumption
234	   per NAT instance and per subscriber.  When these limits are reached,
235	   packets requiring further consumption of the given resource are
236	   dropped rather than translated.  Statistics described in
237	   Section 3.1.4 record the numbers of packets so dropped.  Limits are
238	   provided for:

240	   o  total number of address map entries over the NAT instance.  Limit
241	      is set by object natv2InstanceLimitAddressMapEntries in table
242	      natv2InstanceTable.  Dropped packets are counted in
243	      natv2InstanceAddressMapEntryLimitDrops in that table.

245	   o  total number of port map entries over the NAT instance.  Limit is
246	      set by object natv2InstanceLimitPortMapEntries in table
247	      natv2InstanceTable.  Dropped packets are counted in
248	      natv2InstancePortMapEntryLimitDrops in that table.

250	   o  total number of held fragments (applicable only when the NAT
251	      instance can receive fragments out of order; see [RFC4787]
252	      Section 11).  Limit is set by object
253	      natv2InstanceLimitPendingFragments in table natv2InstanceTable.
254	      Dropped packets are counted by natv2InstanceFragmentDrops in the
255	      same table.

257	   o  total number of active subscribers (i.e., subscribers having at
258	      least one mapping table entry) over the NAT instance.  Limit is
259	      set by object natv2InstanceLimitSubscriberActives in table
260	      natv2InstanceTable.  Dropped packets are counted by
261	      natv2InstanceSubscriberActiveLimitDrops in the same table.

263	   o  number of port map entries for an individual subscriber.  Limit is
264	      set by object natv2SubscriberLimitPortMapEntries in table
265	      natv2SubscriberTable.  Dropped packets are counted by
266	      natv2SubscriberPortMapFailureDrops in the same table.  Note that,
267	      unlike in the instance table, the per-subscriber count is lumped
268	      in with the count of packets dropped because of failures to
269	      allocate a port map entry for other reasons to save on storage.

271	3.1.2.  Notifications

273	   NATV2-MIB provides five notifications, intended to provide warning of
274	   the need to provision or reallocate NAT resources.  As indicated in
275	   the previous section, each notification is associated with two read-
276	   write objects: a control on the rate at which that notification is
277	   generated, and a threshold value used to trigger the notification in
278	   the first place.  The default setting within the MIB module
279	   specification is that all notifications are disabled.  The setting of
280	   threshold values is discussed in Section 5.

282	   The five notifications are as follows:

284	   o  Two notifications relate to the management of address pools.  One
285	      indicates that usage equals or exceeds an upper threshold, and is
286	      therefore a warning that the pool may be over-utilized unless more
287	      addresses are assigned to it.  The other notification indicates
288	      that usage equals or has fallen below a lower threshold,
289	      suggesting that some addresses allocated to that pool could be
290	      reallocated to other pools.  Address pool usage is calculated as
291	      the percentage of the total number of ports allocated to the
292	      address pool that are already in use, for the most-mapped protocol
293	      at the time the notification is generated.  The notifications
294	      identify that protocol and report the number of port map entries
295	      for that protocol in the given address pool at the moment the
296	      notification was triggered.

298	   o  Two notifications relate to the number of address and port map
299	      entries respectively, in total over the whole NAT instance.  In
300	      both cases the threshold that triggers the notification is an
301	      upper threshold.  The notifications return the number of mapping
302	      entries of the given type, plus a cumulative counter of the number
303	      of entries created in that mapping table at the moment the
304	      notification was triggered.  The intent is that the notifications
305	      provide a warning that the total number of address or port map
306	      entries is approaching the configured limit.

308	   o  The final notification is generated on a per-subscriber basis when
309	      the number of port map entries for that subscriber crosses the
310	      associated threshold.  The objects returned by this notification
311	      are similar to those returned for the instance-level mapping
312	      notifications.  This notification is a warning that the number of
313	      port map entries for the subscriber is approaching the configured
314	      limit for that subscriber.

316	   Here is a detailed specification of the notifications.  A given
317	   notification can be disabled by setting the threshold to 0 (default),
318	   with the exception noted below.

320	   Notification: natv2NotificationPoolUsageLow.  Indicates that address
321	   pool usage for the most-mapped protocol equals or is less than the
322	   threshold value.

324	   Compared value:  natv2PoolNotifiedPortMapEntries as a percentage of
325	      total available ports in the pool.

327	   Threshold:  natv2PoolThresholdUsageLow in natv2PoolTable.  To allow
328	      for a threshold of zero usage, disabling of the
329	      natv2NotificationPoolUsageLow is done by setting
330	      natv2PoolThresholdUsageLow to -1 rather than 0, in contrast to all
331	      of the other notifications.

333	   Objects returned:  natv2PoolNotifiedPortMapEntries and
334	      natv2PoolNotifiedPortMapProtocol in natv2PoolTable;

336	   Rate control:  natv2PoolNotificationInterval in natv2PoolTable.

338	   Notification: natv2NotificationPoolUsageHigh.  Indicates that address
339	   pool usage for the most-mapped protocol has risen to the threshold
340	   value or more.

342	   Compared value:  natv2PoolNotifiedPortMapEntries as a percentage of
343	      total available ports in the pool.

345	   Threshold:  natv2PoolThresholdUsageHigh in natv2PoolTable;

347	   Objects returned:  natv2PoolNotifiedPortMapEntries,
348	      natv2PoolNotifiedPortMapProtocol in natv2PoolTable;

350	   Rate control:  natv2PoolNotificationInterval in natv2PoolTable.

352	   Notification: natv2NotificationInstanceAddressMapEntriesHigh.
353	   Indicates that the total number of entries in the address map table
354	   over the whole NAT instance equals or exceeds the threshold value.

356	   Compared value:  natv2InstanceAddressMapEntries in
357	      natv2InstanceTable;

359	   Threshold:  natv2InstanceThresholdAddressMapEntriesHigh in
360	      natv2InstanceTable;

362	   Objects returned:  natv2InstanceAddressMapEntries,
363	      natv2InstanceAddressMapCreations in natv2InstanceTable;

365	   Rate control:  natv2InstanceNotificationInterval in
366	      natv2InstanceTable.

368	   Notification: natv2NotificationInstancePortMapEntriesHigh.  Indicates
369	   that the total number of entries in the port map table over the whole
370	   NAT instance equals or exceeds the threshold value.

372	   Compared value:  natv2InstancePortMapEntries in natv2InstanceTable;

374	   Threshold:  natv2InstanceThresholdPortMapEntriesHigh in
375	      natv2InstanceTable;

377	   Objects returned:  natv2InstancePortMapEntries,
378	      natv2InstancePortMapCreations in natv2InstanceTable;

380	   Rate control:  natv2InstanceNotificationInterval in
381	      natv2InstanceTable.

383	   Notification: natv2NotificationSubscriberPortMapEntriesHigh.
384	   Indicates that the total number of entries in the port map table for
385	   the given subscriber equals or exceeds the threshold value configured
386	   for that subscriber.

388	   Compared value:  natv2SubscriberPortMapEntries in
389	      natv2SubscriberTable;

391	   Threshold:  natv2SubscriberThresholdPortMapEntriesHigh in
392	      natv2SubscriberTable;

394	   Objects returned:  natv2SubscriberPortMapEntries,
395	      natv2SubscriberPortMapCreations in natv2SubscriberTable;

397	   Rate control:  natv2SubscriberNotificationInterval in
398	      natv2SubscriberTable.

400	3.1.3.  State Information

402	   State information provides a snapshot of the content and extent of
403	   the NAT mapping tables at a given moment of time.  The address and
404	   port mapping tables are described in detail below.  In addition to
405	   these tables, two state variables are provided: current number of
406	   entries in the address mapping table, and current number of entries
407	   in the port mapping table.  With one exception, these are provided at
408	   four levels of granularity: per NAT instance, per protocol, per
409	   address pool, and per subscriber.  Address map entries are not
410	   tracked per protocol, since address mapping is protocol-independent.

412	3.1.4.  Statistics

414	   NATV2-MIB provides a number of counters, intended to help both with
415	   provisioning of the NAT and debugging of problems.  As with the state
416	   data, these counters are provided at the four levels of NAT instance,
417	   protocol, address pool, and subscriber when they make sense.  Each
418	   counter is cumulative beginning from a "last discontuity time"
419	   recorded by an object that is usually in the table containing the
420	   counter.

422	   The basic set of counters, as reflected in the NAT instance table, is
423	   as follows:

425	   Translations:  number of packets processed and translated (in this
426	      case, in total for the NAT instance);

428	   Address map entry creations:  cumulative number of address map
429	      entries created, including static mappings;

431	   Port map entry creations:  cumulative number of port map entries
432	      created, including static mappings;

434	   Address map limit drops:  cumulative number of packets dropped rather
435	      than translated because the packet would have triggered the
436	      creation of a new address mapping, but the configured limit on
437	      number of address map entries has already been reached.

439	   Port map limit drops:  cumulative number of packets dropped rather
440	      than translated because the packet would have triggered the
441	      creation of a new port mapping, but the configured limit on number
442	      of port map entries has already been reached.

444	   Active subscriber limit drops:  cumulative number of packets dropped
445	      rather than translated because the packet would have triggered the
446	      creation of a new address and/or port mapping for a subscriber
447	      with no existing entries in either table, but the configured limit
448	      on number of active subscribers has already been reached.

450	   Address mapping failure drops:  cumulative number of packets dropped
451	      because the packet would have triggered the creation of a new
452	      address mapping, but no address could be allocated in the external
453	      realm concerned because all addresses from the selected address
454	      pool (or the whole realm, if no address pool has been configured
455	      for that realm) have already been fully allocated.

457	   Port mapping failure drops:  cumulative number of packets dropped
458	      because the packet would have triggered the creation of a new port
459	      mapping, but no port could be allocated for the protocol
460	      concerned.  The precise conditions under which these packet drops
461	      occur depend on the pooling behavior [RFC4787] configured or
462	      implemented in the NAT instance.  See the DESCRIPTION clause for
463	      the natv2InstancePortMapFailureDrops object for a detailed
464	      description of the different cases.  These cases were defined with
465	      care to ensure that address mapping failure could be distinguished
466	      from port mapping failure.

468	   Fragment drops:  cumulative number of packets dropped because the
469	      packet contains a fragment and the fragment behavior [RFC4787]
470	      configured or implemented in the NAT instance indicates that the
471	      packet should be dropped.  The main case is a NAT instance that
472	      meets REQ-14 of [RFC4787], hence can receive and process out-of-
473	      order fragments.  In that case, dropping occurs only when the
474	      configured limit on pending fragments provided by NATV2-MIB has
475	      already been reached.  The other cases are detailed in the
476	      DESCRIPTION clause of the natv2InstanceFragmentBehavior object.

478	   Other resource drops:  cumulative number of packets dropped because
479	      of unavailability of some other resource.  The most likely case
480	      would be packets where the upper layer protocol is not one
481	      supported by the NAT instance.

483	   Table 1 indicates the granularities at which these statistics are
484	   reported.

486	   +-----------------------+------------+----------+------+------------+
487	   | Statistic             |    NAT     | Protocol | Pool | Subscriber |
488	   |                       |  Instance  |          |      |            |
489	   +-----------------------+------------+----------+------+------------+
490	   | Translations          |    Yes     |   Yes    |  No  |    Yes     |
491	   | Address map entry     |    Yes     |    No    | Yes  |    Yes     |
492	   | creations             |            |          |      |            |
493	   | Port map entry        |    Yes     |   Yes    | Yes  |    Yes     |
494	   | creations             |            |          |      |            |
495	   | Address map limit     |    Yes     |    No    |  No  |     No     |
496	   | drops                 |            |          |      |            |
497	   | Port map limit drops  |    Yes     |    No    |  No  |    Yes     |
498	   | Active subscriber     |    Yes     |    No    |  No  |     No     |
499	   | limit drops           |            |          |      |            |
500	   | Address mapping       |    Yes     |    No    | Yes  |    Yes     |
501	   | failure drops         |            |          |      |            |
502	   | Port mapping failure  |    Yes     |   Yes    | Yes  |    Yes     |
503	   | drops                 |            |          |      |            |
504	   | Fragment drops        |    Yes     |    No    |  No  |     No     |
505	   | Other resource drops  |    Yes     |    No    |  No  |     No     |
506	   +-----------------------+------------+----------+------+------------+

508	           Table 1: Statistics Provided By Level of Granularity

510	3.2.  Outline of MIB Module Organization

512	   Figure 1 shows how object identifiers are organized in the NATV2-MIB
513	   module.  Under the general natv2MIB object identifier in the mib-2
514	   tree, the objects are classed into four groups:

516	   natv2MIBNotifications(0)  identifies the five notifications described
517	      in Section 3.1.2;

519	   natv2MIBDeviceObjects(1)  identifies objects relating to the whole
520	      device, specifically, the subscriber table.

522	   natv2MIBInstanceObjects(2)  identifies objects relating to individual
523	      NAT instances.  These include the NAT instance table, the protocol
524	      table, the address pool table and its address range expansion, the
525	      address map table, and the port map table.

527	   natv2MIBConformance(3)  identifies the group and compliance clauses,
528	      specified for the three application scenarios described in
529	      Section 3.4.

531	                              natv2MIB
532	                                  |
533	              +-------------+-------------+-------------+
534	              |             |             |             |
535	                            |             |             |
536	              0             |             |             |
537	    natv2MIBNotifications   |             |             |
538	       |                                  |             |
539	       |                    1             |             |
540	       |          natv2MIBDeviceObjects   |             |
541	      Five            |                                 |
542	   notifications      |                   2             |
543	                      |         natv2MIBInstanceObjects |
544	                      |             |
545	                  Subscriber        |                   3
546	                  table             |         natv2MIBConformance
547	                                    |                   |
548	                                    |                   |
549	                                Six per-NAT-            |
550	                                instance tables         |
551	                                                        |
552	                          +----------------------+-------
553	                          |                      |
554	                          |                      |

556	                          1                      2
557	                 natv2MIBCompliances       natv2MIBGroups
558	                          |                      |
559	                          |                      |
560	                        Basic                  Basic
561	                        Pooled                 Pooled
562	                   Carrier grade NAT     Carrier grade NAT

564	        Figure 1: Organization of Object Identifiers For NATV2-MIB

566	3.3.  Detailed MIB Module Walk-Through

568	   This section reviews the contents of the NATV2-MIB module.  The table
569	   descriptions include references to subsections of Section 3.1 where
570	   desirable to avoid repetition of that information.

572	3.3.1.  Textual Conventions

574	   The module defines four key textual conventions: ProtocolNumber,
575	   Natv2SubscriberIndex, Natv2InstanceIndex, and Natv2PoolIndex.
576	   ProtocolNumber is based on the IANA registry of protocol numbers,
577	   hence is potentially reusable by other MIB modules.

579	   Objects of type Natv2SubscriberIndex identify individual subscribers
580	   served by the the NAT device.  The values of these identifiers are
581	   administered and, in intent, are permanently associated with their
582	   respective subscribers.  Reuse of a value after a subscriber has been
583	   deleted is discouraged.  The scope of the subscriber index was
584	   defined to be at device rather than NAT instance level to make it
585	   easier to shift subscribers between instances (e.g., for load
586	   balancing).

588	   Objects of type Natv2InstanceIndex identify specific NAT instances on
589	   the device.  Again, these are administered values intended to be
590	   permanently associated with the NAT instances to which they have been
591	   assigned.

593	   Objects of type Natv2PoolIndex identify individual address pools in a
594	   given NAT instance.  As with the subscriber and instance index
595	   objects, the pool identifiers are administered and intended to be
596	   permanently associated with their respective pools.

598	3.3.2.  Notifications

600	   Notifications were described in Section 3.1.2.

602	3.3.3.  The Subscriber Table: natv2SubscriberTable

604	   Table natv2SubscriberTable is indexed by subscriber index.  One
605	   conceptual row contains information relating to a specific
606	   subscriber: the subscriber's internal address or prefix for
607	   correlation with other management information; state and statistical
608	   information as described in Section 3.1.3 and Section 3.1.4, the per-
609	   subscriber control objects described in Section 3.1.1, and
610	   natv2SubscriberDiscontinuityTime, which provides a timestamp of the
611	   latest time following which the statistics have accumulated without
612	   discontinuity.

614	   Turning back to the address information for a moment: this
615	   information includes the identity of the address realm in which the
616	   address is routable.  That enables support of an arbitrary number of
617	   address realms on the same NAT instance.  Address realm identifiers
618	   are administered values in the form of a limited-length
619	   SnmpAdminString.  In the absence of configuration to the contrary,
620	   the default realm for all internal addresses as recorded in mapping
621	   entries is "internal".

623	      The term "address realm" is defined in [RFC2663] Section 2.1 and
624	      reused in subsequent NAT-related documents.

626	   In the special case of DS-Lite [RFC6333], for unique matching of the
627	   subscriber data to other information in the MIB module, it is
628	   necessary that the address information should relate to the outer
629	   IPv6 header of packets going to or from the host, with the address
630	   realm being the one in which that IPv6 address is routable.  The
631	   presentation of address information for other types of tunneled
632	   access to the NAT is out of scope.

634	3.3.4.  The Instance Table: natv2InstanceTable

636	   Table natv2InstanceTable is indexed by an object of type
637	   Natv2InstanceIndex.  A conceptual row of this table provides
638	   information relating to a particular NAT instance configured on the
639	   device.

641	   Configuration information provided by this table includes an instance
642	   name of type DisplayString that may have been configured for this
643	   instance, and a set of objects indicating respectively the port
644	   mapping, filtering, pooling, and fragment behaviors configured or
645	   implemented in the instance.  These behaviors are all defined in
646	   [RFC4787].  Their values affect the interpretation of some of the
647	   statistics provided in the instance table.

649	   Read-write objects listed in Section 3.1.2 set the notification rate
650	   for instance-level notifications and set the thresholds that trigger
651	   them.  Additional read-write objects described in Section 3.1.1 set
652	   limits on the number of address and port mapping entries, number of
653	   pending fragments, and number of active subscribers for the instance.

655	   The state and statistical information provided by this table consists
656	   of the per-instance items described in Section 3.1.3 and
657	   Section 3.1.4 respectively. natv2InstanceDiscontinuityTime is a
658	   timestamp giving the time beyond which all of the statistical
659	   counters in natv2InstanceTable are guaranteed to have accumulated
660	   continuously.

662	3.3.5.  The Protocol Table: natv2ProtocolTable

664	   The protocol table is indexed by the NAT instance number and an
665	   object of type ProtocolNumber as described in Section 3.3.1 (i.e., an
666	   IANA-registered protocol number).  The set of protocols supported by
667	   the NAT instance is implementation-dependent, but MUST include
668	   ICMP(1), TCP(6), UDP(17), and ICMPv6(58).  Depending on the
669	   application, it SHOULD include IPv4 encapsulation(4), IPv6
670	   encapsulation(41), IPSec AH(51), and SCTP(132).  Support of PIM(103)
671	   is highly desirable.

673	   This table includes no configuration information.  The state and
674	   statistical information provided by this table consists of the per-
675	   protocol items described in Section 3.1.3 and Section 3.1.4
676	   respectively. natv2InstanceDiscontinuityTime in natv2InstanceTable is
677	   reused as the timestamp giving the time beyond which all of the
678	   statistical counters in natv2ProtocolTable are guaranteed to have
679	   accumulated continuously.  The reasoning is that any event affecting
680	   the continuity of per-protocol statistics will affect the continuity
681	   of NAT instance statistics, and vice versa.

683	3.3.6.  The Address Pool Table: natv2PoolTable

685	   The address pool table is indexed by the NAT instance identifier for
686	   the instance on which it is provisioned, plus a pool index of type
687	   Natv2PoolIndex.  Configuration information provided includes the
688	   address realm for which the pool provides addresses, the type of
689	   address (IPv4 or IPv6) supported by the realm, plus the port range it
690	   makes available for allocation.  The same set of port numbers (or, in
691	   the ICMP case, identifier values), is made available for every
692	   protocol supported by the NAT instance.  The port range is specified
693	   in terms of minimum and maximum port number.

695	   The state and statistical information provided by this table consists
696	   of the per-pool items described in Section 3.1.3 and Section 3.1.4
697	   respectively, plus two additional state objects described below.
698	   natv2PoolTable provides the pool-specific object
699	   natv2PoolDiscontinuityTime to indicate the time since which the
700	   statistical counters have accumulated continuously.

702	   Read-write objects to set high and low thresholds for pool usage
703	   notifications and for governing notification rate were identified in
704	   Section 3.1.2.

706	      Implementation note: the thresholds are defined in terms of
707	      percentage of available port utilization.  The number of available
708	      ports in a pool is equal to (max port - min port + 1) (from the
709	      natv2PoolTable configuration information) multiplied by the number
710	      of addresses provisioned in the pool (sum of number of addresses
711	      provided by each natv2PoolRangeTable conceptual row relating to
712	      that pool).  At configuration time, the thresholds can be
713	      recalculated in terms of total number of port map entries
714	      corresponding to the configured percentage, so that runtime
715	      comparisons to the current number of port map entries require no
716	      further arithmetic operations.

718	   natv2PoolTable also provides two state objects that are returned with
719	   the notifications.  natv2PoolNotifiedPortMapProtocol identifies the
720	   most-mapped protocol at the time the notification was triggered.
721	   natv2PoolNotifiedPortMapEntries provides the total number of port map
722	   entries for that protocol using addresses owned by this pool at that
723	   same time.

725	3.3.7.  The Address Pool Address Range Table: natv2PoolRangeTable

727	   natv2PoolRangeTable provides configuration information only.  It is
728	   an expansion of natv2PoolTable giving the address ranges with which a
729	   given address pool has been configured.  As such, it is indexed by
730	   the combination of NAT instance index, address pool index, and a
731	   conceptual row index, where each conceptual row conveys a different
732	   address range.  The address range is specified in terms of lowest
733	   address, highest address rather than the usual prefix notation to
734	   provide maximum flexibility.

736	3.3.8.  The Address Map Table: natv2AddressMapTable

738	   The address map table provides a table of mappings from internal to
739	   external address at a given moment.  It is indexed by the combination
740	   of NAT instance index, internal realm, internal address type (IPv4 or
741	   IPv6) in that realm, the internal address of the local host for which
742	   the map entry was created, and a conceptual row index to traverse all
743	   of the entries relating to the same internal address.

745	   In the special case of DS-Lite [RFC6333], the internal address and
746	   realm used in the index are those of the IPv6 outer header.  The IPv4
747	   source address for the inner header, for which [RFC6333] has reserved
748	   addresses in the 192.0.0.0/29 range, is captured in two additional
749	   objects in the corresponding conceptual row:
750	   natv2AddressMapInternalMappedAddressType, and
751	   natv2AddressMapInternalMappedAddress.  In cases other than DS-Lite
752	   access these objects have no meaning.  (Other tunneled access is out
753	   of scope.)

755	   The additional information provided by natv2AddressMapTable consists
756	   of the external realm, address type in that realm, and mapped
757	   external address.  Depending on implementation support, the table
758	   also provides the index of the address pool from which the external
759	   address was drawn and the index of the subscriber to which the map
760	   entry belongs.

762	3.3.9.  The Port Map Table: natv2PortMapTable

764	   The port map table provides a table of mappings by protocol from
765	   external port, address, and realm to internal port, address, and
766	   realm.  As such, it is indexed by the combination of NAT instance
767	   index, protocol number, external realm identifier, address type in
768	   that realm, external address, and external port.  The mapping from
769	   external realm, address, and port to internal realm, address, and
770	   port is unique, so no conceptual row index is needed.  The indexing
771	   is designed to make it easy to trace individual sessions back to the
772	   host, based on the contents of packets observed in the external
773	   realm.

775	   Beyond the indexing, the information provided by the port map table
776	   consists of the internal realm, address type, address, and port
777	   number, and, depending on implementation support, the index of the
778	   subscriber to which the map entry belongs.

780	   As with the address map table, special provision is made for the case
781	   of DS-Lite [RFC6333].  The realm and outgoing source address are
782	   those for the outer header, and the address type is IPv6.  Additional
783	   objects natv2PortMapInternalMappedAddressType and
784	   natv2PortMapInternalMappedAddress capture the outgoing source address
785	   in the inner header, which will be in the well-known 192.0.0.0/29
786	   range.

788	3.4.  Conformance: Three Application Scenarios

790	   The conformance statements in NATV2-MIB provide for three application
791	   scenarios: basic NAT, NAT supporting address pools, and carrier grade
792	   NAT (CGN).

794	   A basic NAT MAY limit the number of NAT instances it supports to one,
795	   but MUST support indexing by NAT instance.  Similarly, a basic NAT
796	   MAY limit the number of realms it supports to two.  By definition, a
797	   basic NAT is not required to support the subscriber table, the
798	   address pool table, or the address pool address range table.  Some
799	   individual objects in other tables are also not relevant to basic
800	   NAT.

802	   A NAT supporting address pools adds the address pool table and the
803	   address pool address range table to what it implements.  Some
804	   individual objects in other tables also need to be implemented.  A
805	   NAT supporting address pools MUST support more than two realms.

807	   Finally, a CGN MUST support the full contents of the MIB module.
808	   That includes the subscriber table, but also includes the special
809	   provision for DS-Lite access in the address and port map tables.

811	4.  Definitions

813	   This MIB module IMPORTs objects from [RFC2578], [RFC2579], [RFC2580],
814	   [RFC3411], and [RFC4001].

816	   NATV2-MIB DEFINITIONS ::= BEGIN

818	   IMPORTS
819	        MODULE-IDENTITY,
820	        OBJECT-TYPE,
821	        Integer32,
822	        Unsigned32,
823	        Counter64,
824	        mib-2,
825	        NOTIFICATION-TYPE
826	                FROM SNMPv2-SMI          -- RFC 2578
827	        TEXTUAL-CONVENTION,
828	        DisplayString,
829	        TimeStamp
830	                FROM SNMPv2-TC           -- RFC 2579
831	        MODULE-COMPLIANCE,
832	        NOTIFICATION-GROUP,
833	        OBJECT-GROUP
834	                FROM SNMPv2-CONF         -- RFC 2580
835	        SnmpAdminString
836	                FROM SNMP-FRAMEWORK-MIB  -- RFC 3411
837	        InetAddressType,
838	        InetAddress,
839	        InetAddressPrefixLength,
840	        InetPortNumber
841	                FROM INET-ADDRESS-MIB;    -- RFC 4001

843	   natv2MIB MODULE-IDENTITY
844	        LAST-UPDATED "201502170000Z"
845	   -- RFC Ed.: set to publication date
846	        ORGANIZATION
847	                "IETF Behavior Engineering for Hindrance
848	                  Avoidance (BEHAVE) Working Group"
849	        CONTACT-INFO
850	                "Working Group Email: behave@ietf.org

852	                 Simon Perreault
853	                 Jive Communications
854	                 Quebec, QC
855	                 Canada

857	                 Email: sperreault@jive.com

859	                 Tina Tsou
860	                 Huawei Technologies
861	                 Bantian, Longgang
862	                 Shenzhen 518129
863	                 PR China

865	                 Email: tina.tsou.zouting@huawei.com

867	                 Senthil Sivakumar
868	                 Cisco Systems
869	                 7100-8 Kit Creek Road
870	                 Research Triangle Park, North Carolina  27709
871	                 USA

873	                 Phone: +1 919 392 5158
874	                 Email: ssenthil@cisco.com

876	                 Tom Taylor
877	                 PT Taylor Consulting
878	                 Ottawa
879	                 Canada

881	                 Email: tom.taylor.stds@gmail.com"

883	        DESCRIPTION
884	                "This MIB module defines the generic managed objects
885	                 for NAT.

887	                 Copyright (C) The Internet Society (2015).  This
888	                 version of this MIB module is part of RFC yyyy; see
889	                 the RFC itself for full legal notices."
890	        REVISION     "201502170000Z"
891	   -- RFC Ed.: set to publication date
892	        DESCRIPTION
893	                "Complete rewrite, published as RFC yyyy.
894	                 Replaces former version published as RFC 4008."
895	   -- RFC Ed.: replace yyyy with actual RFC number and set date"
896	        ::= { mib-2 123 }
897	          -- temporary for compilation pending IANA assignment

899	   -- textual conventions
900	   ProtocolNumber ::= TEXTUAL-CONVENTION
901	       DISPLAY-HINT "d"
902	       STATUS current
903	       DESCRIPTION
904	           "A protocol number, from the 'protocol-numbers' IANA
905	            registry."
906	       REFERENCE
907	           "IANA Protocol Numbers,
908	            http://www.iana.org/assignments/protocol-numbers
909	            /protocol-numbers.xhtml#protocol-numbers-1"
910	       SYNTAX Unsigned32 (0..255)

912	   Natv2SubscriberIndex ::= TEXTUAL-CONVENTION
913	       DISPLAY-HINT "d"
914	       STATUS current
915	       DESCRIPTION
916	           "A unique value, greater than zero, for each subscriber
917	            in the managed system.  The value for each
918	            subscriber MUST remain constant at least from one
919	            update of the entity's natv2SubscriberDiscontinuityTime
920	            object until the next update of that object. If a
921	            subscriber is deleted, its assigned index value MUST NOT
922	            be assigned to another subscriber at least until
923	            reinitialization of the entity's management system."
924	       SYNTAX Unsigned32 (1..4294967295)

926	   Natv2SubscriberIndexOrZero ::= TEXTUAL-CONVENTION
927	       DISPLAY-HINT "d"
928	       STATUS current
929	       DESCRIPTION
930	           "This textual convention is an extension of the
931	            Natv2SubscriberIndex convention.  The latter defines a
932	            greater than zero value used to identify a subscriber in
933	            the managed system. This extension permits the additional
934	            value of zero, which serves as a placeholder when no
935	            subscriber is associated with the object."
936	       SYNTAX Unsigned32 (0|1..4294967295)

938	   Natv2InstanceIndex ::= TEXTUAL-CONVENTION
939	       DISPLAY-HINT "d"
940	       STATUS current
941	       DESCRIPTION
942	           "A unique value, greater than zero, for each NAT instance
943	            in the managed system.  It is RECOMMENDED that values are
944	            assigned contiguously starting from 1.  The value for each
945	            NAT instance MUST remain constant at least from one
946	            update of the entity's natv2InstanceDiscontinuityTime
947	            object until the next update of that object. If a NAT
948	            instance is deleted, its assigned index value MUST NOT
949	            be assigned to another NAT instance at least until
950	            reinitialization of the entity's management system."
951	       SYNTAX Unsigned32 (1..4294967295)

953	   Natv2PoolIndex ::= TEXTUAL-CONVENTION
954	       DISPLAY-HINT "d"
955	       STATUS current
956	       DESCRIPTION
957	          "A unique value over the containing NAT instance, greater than
958	           zero, for each address pool supported by that NAT instance.
959	           It is RECOMMENDED that values are assigned contiguously
960	           starting from 1.  The value for each address pool MUST remain
961	           constant at least from one update of the entity's
962	           natv2PoolDiscontinuityTime object until the next update of
963	           that object. If an address pool is deleted, its assigned
964	           index value MUST NOT be assigned to another address pool for
965	           the same NAT instance at least until reinitialization of the
966	           entity's management system."
967	       SYNTAX Unsigned32 (1..4294967295)

969	   Natv2PoolIndexOrZero ::= TEXTUAL-CONVENTION
970	       DISPLAY-HINT "d"
971	       STATUS current
972	       DESCRIPTION
973	           "This textual convention is an extension of the
974	            Natv2PoolIndex convention.  The latter defines a greater
975	            than zero value used to identify address pools in the
976	            managed system.  This extension permits the additional
977	            value of zero, which serves as a placeholder when the
978	            implementation does not support address pools or no address
979	            pool is configured in a given external realm."
980	       SYNTAX Unsigned32 (0|1..4294967295)

982	   -- notifications

984	   natv2MIBNotifications OBJECT IDENTIFIER ::= { natv2MIB 0 }

986	   natv2NotificationPoolUsageLow NOTIFICATION-TYPE
987	       OBJECTS { natv2PoolNotifiedPortMapEntries,
988	                 natv2PoolNotifiedPortMapProtocol  }
989	       STATUS current
990	       DESCRIPTION
991	           "This notification is triggered when an address pool's usage
992	            becomes less than or equal to the value of the
993	            natv2PoolThresholdUsageLow object for that pool, unless the
994	            notification has been disabled by setting the value of the
995	            threshold to -1. It is reported subject to the rate
996	            limitation specified by natv2PortMapNotificationInterval.

998	            Address pool usage is calculated as the percentage of the
999	            total number of ports allocated to the address pool that are
1000	            already in use, for the most-mapped protocol at the time
1001	            the notification is triggered. The two returned objects are
1002	            members of natv2PoolTable indexed by the NAT instance and
1003	            pool indices for which the event is being reported. They
1004	            give the number of port map entries using external addresses
1005	            configured on the pool for the most-mapped protocol and
1006	            identify that protocol at the time the notification was
1007	            triggered."
1008	       REFERENCE
1009	           "RFC yyyy Section 3.1.2 and Section 3.3.6."
1010	       ::= { natv2MIBNotifications 1 }

1012	   natv2NotificationPoolUsageHigh NOTIFICATION-TYPE
1013	       OBJECTS { natv2PoolNotifiedPortMapEntries,
1014	                 natv2PoolNotifiedPortMapProtocol  }
1015	       STATUS current
1016	       DESCRIPTION
1017	           "This notification is triggered when an address pool's usage
1018	            becomes greater than or equal to the value of the
1019	            natv2PoolThresholdUsageHigh object for that pool, unless
1020	            the notification has been disabled by setting the value of
1021	            the threshold to -1. It is reported subject to the rate
1022	            limitation specified by natv2PortMapNotificationInterval.

1024	            Address pool usage is calculated as the percentage of the
1025	            total number of ports allocated to the address pool that are
1026	            already in use, for the most-mapped protocol at the time the
1027	            notification is triggered. The two returned objects are
1028	            members of natv2PoolTable indexed by the NAT instance and
1029	            pool indices for which the event is being reported. They
1030	            give the number of port map entries using external addresses
1031	            configured on the pool for the most-mapped protocol and
1032	            identify that protocol at the time the notification was
1033	            triggered."
1034	       REFERENCE
1035	           "RFC yyyy Section 3.1.2 and Section 3.3.6."
1036	       ::= { natv2MIBNotifications 2 }

1038	   natv2NotificationInstanceAddressMapEntriesHigh NOTIFICATION-TYPE
1039	       OBJECTS { natv2InstanceAddressMapEntries,
1040	                 natv2InstanceAddressMapCreations }
1041	       STATUS current
1042	       DESCRIPTION
1043	           "This notification is triggered when the value of
1044	            natv2InstanceAddressMapEntries equals or exceeds the value
1045	            of the natv2InstanceThresholdAddressMapEntriesHigh object
1046	            for the NAT instance, unless disabled by setting that
1047	            threshold to -1. Reporting is subject to the rate limitation
1048	            given by natv2InstanceNotificationInterval.

1050	            natv2InstanceAddressMapEntries and
1051	            natv2InstanceAddressMapCreations are members of table
1052	            natv2InstanceTable indexed by the identifier of the NAT
1053	            instance for which the event is being reported. The values
1054	            reported are those observed at the moment the notification
1055	            was triggered."
1056	       REFERENCE
1057	           "RFC yyyy Section 3.1.2."
1058	       ::= { natv2MIBNotifications 3 }

1060	   natv2NotificationInstancePortMapEntriesHigh NOTIFICATION-TYPE
1061	       OBJECTS { natv2InstancePortMapEntries,
1062	                 natv2InstancePortMapCreations }
1063	       STATUS current
1064	       DESCRIPTION
1065	           "This notification is triggered when the value of
1066	            natv2InstancePortMapEntries becomes greater than or equal
1067	            to the value of natv2InstanceThresholdPortMapEntriesHigh,
1068	            unless disabled by setting that threshold to -1. Reporting
1069	            is subject to the rate limitation given by
1070	            natv2InstanceNotificationInterval.

1072	            natv2InstancePortMapEntries and
1073	            natv2InstancePortMapCreations are members of table
1074	            natv2InstanceTable indexed by the identifier of the NAT
1075	            instance for which the event is being reported.  The values
1076	            reported are those observed at the moment the notification
1077	            was triggered."
1078	       ::= { natv2MIBNotifications 4 }

1080	   natv2NotificationSubscriberPortMappingEntriesHigh
1081	   NOTIFICATION-TYPE
1082	       OBJECTS { natv2SubscriberPortMapEntries,
1083	                 natv2SubscriberPortMapCreations }
1084	       STATUS current
1085	       DESCRIPTION
1086	           "This notification is triggered when the value of
1087	            natv2SubscriberPortMapEntries for an individual subscriber
1088	            becomes greater than or equal to the value of the
1089	            natv2SubscriberThresholdPortMapEntriesHigh object for that
1090	            subscriber, unless disabled by setting that threshold to -1.

1092	            Reporting is subject to the rate limitation given by
1093	            natv2SubscriberNotificationInterval.

1095	            natv2SubscriberPortMapEntries and
1096	            natv2SubscriberPortMapCreations are members of table
1097	            natv2SubscriberTable indexed by the subscriber for
1098	            which the event is being reported.  The values
1099	            reported are those observed at the moment the notification
1100	            was triggered."
1101	       ::= { natv2MIBNotifications 5 }

1103	   -- Device-level objects

1105	   natv2MIBDeviceObjects OBJECT IDENTIFIER ::= { natv2MIB 1 }

1107	   -- subscriber table

1109	   natv2SubscriberTable OBJECT-TYPE
1110	       SYNTAX SEQUENCE OF Natv2SubscriberEntry
1111	       MAX-ACCESS not-accessible
1112	       STATUS current
1113	       DESCRIPTION
1114	           "Table of subscribers. As well as the subscriber index, it
1115	            provides per-subscriber state and counter objects, a last
1116	            discontinuity time object for the counters, and writable
1117	            threshold value and limit on port consumption."
1118	       REFERENCE
1119	           "RFC yyyy Section 3.3.3."
1120	       ::= { natv2MIBDeviceObjects 1 }

1122	   natv2SubscriberEntry OBJECT-TYPE
1123	       SYNTAX Natv2SubscriberEntry
1124	       MAX-ACCESS not-accessible
1125	       STATUS current
1126	       DESCRIPTION
1127	           "Each entry describes a single subscriber."
1128	       INDEX { natv2SubscriberIndex }
1129	       ::= { natv2SubscriberTable 1 }

1131	   Natv2SubscriberEntry ::=
1132	       SEQUENCE {
1133	           natv2SubscriberIndex                  Natv2SubscriberIndex,
1134	           natv2SubscriberInternalRealm               SnmpAdminString,
1135	           natv2SubscriberInternalPrefixType          InetAddressType,
1136	           natv2SubscriberInternalPrefix              InetAddress,
1137	           natv2SubscriberInternalPrefixLength InetAddressPrefixLength,
1138	   -- State
1139	           natv2SubscriberAddressMapEntries           Unsigned32,
1140	           natv2SubscriberPortMapEntries              Unsigned32,
1141	   -- Counters and last discontinuity time
1142	           natv2SubscriberTranslations                Counter64,
1143	           natv2SubscriberAddressMapCreations         Counter64,
1144	           natv2SubscriberPortMapCreations            Counter64,
1145	           natv2SubscriberAddressMapFailureDrops      Counter64,
1146	           natv2SubscriberPortMapFailureDrops         Counter64,
1147	           natv2SubscriberDiscontinuityTime           TimeStamp,
1148	   -- Read-write controls
1149	           natv2SubscriberLimitPortMapEntries         Unsigned32,
1150	   -- Disable notifications by setting threshold to -1
1151	           natv2SubscriberThresholdPortMapEntriesHigh Integer32,
1152	   -- Disable limit by setting to 0
1153	           natv2SubscriberNotificationInterval        Unsigned32
1154	       }

1156	   natv2SubscriberIndex OBJECT-TYPE
1157	       SYNTAX Natv2SubscriberIndex
1158	       MAX-ACCESS not-accessible
1159	       STATUS current
1160	       DESCRIPTION
1161	           "A unique value, greater than zero, for each subscriber
1162	            in the managed system.  The value for each
1163	            subscriber MUST remain constant at least from one
1164	            update of the entity's natv2SubscriberDiscontinuityTime
1165	            object until the next update of that object. If a
1166	            subscriber is deleted, its assigned index value MUST NOT
1167	            be assigned to another subscriber at least until
1168	            reinitialization of the entity's management system."
1169	       ::= { natv2SubscriberEntry 1 }

1171	   -- Configuration for this subscriber: realm, internal address(es)

1173	   natv2SubscriberInternalRealm OBJECT-TYPE
1174	       SYNTAX SnmpAdminString (SIZE(0..32))
1175	       MAX-ACCESS read-only
1176	       STATUS current
1177	       DESCRIPTION
1178	           "The address realm to which this subscriber belongs. A realm
1179	            defines an address space. All NATs support at least two
1180	            realms.

1182	            The default realm for subscribers is 'internal'.
1183	            Administrators can set other values for individual
1184	            subscribers when they are configured. The administrator MAY
1185	            configure a new value of natv2SubscriberRealm at any time
1186	            subsequent to initial configuration of the subscriber. If
1187	            this happens, it MUST be treated as a point of discontinuity
1188	            requiring an update of natv2SubscriberDiscontinuityTime.

1190	            When the subscriber sends a packet to the NAT through a
1191	            DS-Lite [RFC 6333] tunnel, this is the realm of the outer
1192	            packet header source address. Other tunneled access is out
1193	            of scope."
1194	       REFERENCE
1195	            "Address realm: RFC 2663. DS-Lite: RFC 6333."
1196	       DEFVAL
1197	           { "internal" }
1198	       ::= { natv2SubscriberEntry 2 }

1200	   natv2SubscriberInternalPrefixType OBJECT-TYPE
1201	       SYNTAX InetAddressType
1202	       MAX-ACCESS read-only
1203	       STATUS current
1204	       DESCRIPTION
1205	           "Subscriber's internal prefix type. Any value other than
1206	            ipv4(1) or ipv6(2) would be unexpected. In the case of
1207	            DS-Lite access, this is the prefix type (IPv6(2)) used in
1208	            the outer packet header."
1209	       REFERENCE
1210	           "DS-Lite: RFC 6333."
1211	       ::= { natv2SubscriberEntry 3 }

1213	   natv2SubscriberInternalPrefix OBJECT-TYPE
1214	       SYNTAX InetAddress
1215	       MAX-ACCESS read-only
1216	       STATUS current
1217	       DESCRIPTION
1218	           "Prefix assigned to a subscriber's CPE. The type of this
1219	            prefix is given by natv2SubscriberInternalPrefixType. Source
1220	            addresses of packets outgoing from the subscriber will be
1221	            contained within this prefix.  In the case of DS-Lite
1222	            access, the source address taken from the prefix will be
1223	            that of the outer header."
1224	       REFERENCE
1225	           "DS-Lite: RFC 6333."
1226	       ::= { natv2SubscriberEntry 4 }

1228	   natv2SubscriberInternalPrefixLength OBJECT-TYPE
1229	       SYNTAX InetAddressPrefixLength
1230	       MAX-ACCESS read-only
1231	       STATUS current
1232	       DESCRIPTION
1233	           "Length of the prefix assigned to a subscriber's CPE, in
1234	            bits.  If a single address is assigned, this will be 32
1235	            for IPv4 and 128 for IPv6."
1236	       ::= { natv2SubscriberEntry 5 }

1238	   -- State objects

1240	   natv2SubscriberAddressMapEntries OBJECT-TYPE
1241	       SYNTAX Unsigned32
1242	       MAX-ACCESS read-only
1243	       STATUS current
1244	       DESCRIPTION
1245	           "The current number of address map entries for the
1246	            subscriber, including static mappings. An address map entry
1247	            maps from a given internal address and realm to an external
1248	            address in a particular external realm. This definition
1249	            includes 'hairpin' mappings, where the external realm is the
1250	            same as the internal one. Address map entries are also
1251	            tracked per instance and per address pool within the
1252	            instance."
1253	       REFERENCE
1254	           "RFC yyyy Section 3.3.8."
1255	       ::= { natv2SubscriberEntry 6 }

1257	   natv2SubscriberPortMapEntries OBJECT-TYPE
1258	       SYNTAX Unsigned32
1259	       MAX-ACCESS read-only
1260	       STATUS current
1261	       DESCRIPTION
1262	           "The current number of port map entries in the port map table
1263	            for the subscriber, including static mappings. A port map
1264	            entry maps from a given external realm, address, and port
1265	            for a given protocol to an internal realm, address, and
1266	            port. This definition includes 'hairpin' mappings, where the
1267	            external realm is the same as the internal one. Port map
1268	            entries are also tracked per instance and per protocol and
1269	            address pool within the instance."
1270	       REFERENCE
1271	           "RFC yyyy Section 3.3.9."
1272	       ::= { natv2SubscriberEntry 7 }

1274	   -- Counters and last discontinuity time

1276	   natv2SubscriberTranslations OBJECT-TYPE
1277	       SYNTAX Counter64
1278	       MAX-ACCESS read-only
1279	       STATUS current
1280	       DESCRIPTION
1281	           "The cumulative number of translated packets received from or
1282	            sent to this subscriber. This value MUST be monotone
1283	            increasing in the periods between updates of the entity's
1284	            natv2SubscriberDiscontinuityTime. If a manager detects a
1285	            change in the latter since the last time it sampled this
1286	            counter, it SHOULD NOT make use of the difference between
1287	            the latest value of the counter and any value retrieved
1288	            before the new value of natv2SubscriberDiscontinuityTime."
1289	       ::= { natv2SubscriberEntry 8 }

1291	   natv2SubscriberAddressMapCreations OBJECT-TYPE
1292	       SYNTAX Counter64
1293	       MAX-ACCESS read-only
1294	       STATUS current
1295	       DESCRIPTION
1296	           "The cumulative number of address map entries created for
1297	            this subscriber, including static mappings. Address map
1298	            entries are also tracked per instance and per protocol and
1299	            address pool within the instance.

1301	            This value MUST be monotone increasing in
1302	            the periods between updates of the entity's
1303	            natv2SubscriberDiscontinuityTime. If a manager detects a
1304	            change in the latter since the last time it sampled this
1305	            counter, it SHOULD NOT make use of the difference between
1306	            the latest value of the counter and any value retrieved
1307	            before the new value of natv2SubscriberDiscontinuityTime."
1308	       ::= { natv2SubscriberEntry 9 }

1310	   natv2SubscriberPortMapCreations OBJECT-TYPE
1311	       SYNTAX Counter64
1312	       MAX-ACCESS read-only
1313	       STATUS current
1314	       DESCRIPTION
1315	           "The cumulative number of port map entries created for this
1316	            subscriber, including static mappings. Port map entries are
1317	            also tracked per instance and per protocol and address pool
1318	            within the instance.

1320	            This value MUST be monotone increasing in the periods
1321	            between updates of the entity's
1322	            natv2SubscriberDiscontinuityTime. If a manager detects a
1323	            change in the latter since the last time it sampled this
1324	            counter, it SHOULD NOT make use of the difference between
1325	            the latest value of the counter and any value retrieved
1326	            before the new value of natv2SubscriberDiscontinuityTime."
1327	       ::= { natv2SubscriberEntry 10 }

1329	   natv2SubscriberAddressMapFailureDrops OBJECT-TYPE
1330	       SYNTAX Counter64
1331	       MAX-ACCESS read-only
1332	       STATUS current
1333	       DESCRIPTION
1334	           "The cumulative number of packets originated by this
1335	            subscriber that were dropped because the packet would have
1336	            triggered the creation of a new address map entry, but no
1337	            address could be allocated in the selected external realm
1338	            because all addresses from the selected address pool (or the
1339	            whole realm, if no address pool has been configured for that
1340	            realm) have already been fully allocated.

1342	            This value MUST be monotone increasing in the periods
1343	            between updates of the entity's
1344	            natv2SubscriberDiscontinuityTime. If a manager detects a
1345	            change in the latter since the last time it sampled this
1346	            counter, it SHOULD NOT make use of the difference between
1347	            the latest value of the counter and any value retrieved
1348	            before the new value of natv2SubscriberDiscontinuityTime."
1349	       ::= { natv2SubscriberEntry 11 }

1351	   natv2SubscriberPortMapFailureDrops OBJECT-TYPE
1352	       SYNTAX Counter64
1353	       MAX-ACCESS read-only
1354	       STATUS current
1355	       DESCRIPTION
1356	           "The cumulative number of packets dropped because the
1357	            packet would have triggered the creation of a new
1358	            port mapping, but no port could be allocated for the
1359	            protocol concerned. The usual case for this will be
1360	            for a NAT instance that supports address pooling and
1361	            the 'paired' pooling behavior recommended by RFC 4787,
1362	            where the internal endpoint has used up all of the
1363	            ports allocated to it for the address it was mapped to
1364	            in the selected address pool in the external realm
1365	            concerned and cannot be given more ports because
1366	            - policy or implementation prevents it from having a
1367	              second address in the same pool, and
1368	            - policy or unavailability prevents it from acquiring
1369	              more ports at its originally assigned address.

1371	            If the NAT instance supports address pooling but its
1372	            pooling behavior is 'arbitrary' (meaning that
1373	            the NAT instance can allocate a new port mapping for
1374	            the given internal endpoint on any address in the
1375	            selected address pool and is not bound to what it has
1376	            already mapped for that endpoint), then this counter
1377	            is incremented when all ports for the protocol concerned
1378	            over the whole of the selected address pool are already
1379	            in use.

1381	            As a third case, if no address pools have been configured
1382	            for the external realm concerned, then this counter is
1383	            incremented because all ports for the protocol involved over
1384	            the whole set of addresses available for that external realm
1385	            are already in use.

1387	            Finally, this counter is incremented if the packet would
1388	            have triggered the creation of a new port mapping, but the
1389	            current value of natv2SubscriberPortMapEntries equals or
1390	            exceeds the value of natv2SubscriberLimitPortMapEntries
1391	            for this subscriber (unless that limit is disabled).

1393	            This value MUST be monotone increasing in the periods
1394	            between updates of the entity's
1395	            natv2SubscriberDiscontinuityTime. If a manager detects a
1396	            change in the latter since the last time it sampled this
1397	            counter, it SHOULD NOT make use of the difference between
1398	            the latest value of the counter and any value retrieved
1399	            before the new value of natv2SubscriberDiscontinuityTime."
1400	       REFERENCE
1401	           "Pooling behavior: RFC 4787, end of section 4.1."
1402	       ::= { natv2SubscriberEntry 12 }

1404	   natv2SubscriberDiscontinuityTime OBJECT-TYPE
1405	       SYNTAX TimeStamp
1406	       MAX-ACCESS read-only
1407	       STATUS current
1408	       DESCRIPTION
1409	           "Snapshot of the value of the sysUpTime object at the
1410	            beginning of the latest period of continuity of the
1411	            statistical counters associated with this subscriber."
1412	       ::= { natv2SubscriberEntry 14 }

1414	   -- Per-subscriber limit and threshold on port mappings
1415	   -- Disabled if set to zero
1416	   natv2SubscriberLimitPortMapEntries OBJECT-TYPE
1417	       SYNTAX Unsigned32
1418	       MAX-ACCESS read-write
1419	       STATUS current
1420	       DESCRIPTION
1421	           "Limit on total number of port mappings active for this
1422	            subscriber (natv2SubscriberPortMapEntries). Once this limit
1423	            is reached, packets that might have triggered new port
1424	            mappings are dropped. The number of such packets dropped is
1425	            counted in natv2InstancePortMapFailureDrops.

1427	            Limit is disabled if set to zero."
1428	       DEFVAL
1429	            { 0 }
1430	       ::= { natv2SubscriberEntry 15 }

1432	   natv2SubscriberThresholdPortMapEntriesHigh OBJECT-TYPE
1433	       SYNTAX Integer32
1434	       MAX-ACCESS read-write
1435	       STATUS current
1436	       DESCRIPTION
1437	           "Notification threshold for total number of port mappings
1438	            active for this subscriber. Whenever
1439	            natv2SubscriberPortMapEntries is updated, if it equals or
1440	            exceeds natv2SubscriberThresholdPortMapEntriesHigh, the
1441	            notification
1442	            natv2NotificationSubscriberPortMappingEntriesHigh is
1443	            triggered, unless the notification is disabled by setting
1444	            the threshold to -1. Reporting is subject to the minimum
1445	            inter-notification interval given by
1446	            natv2SubscriberNotificationInterval. If multiple
1447	            notifications are triggered during one interval, the agent
1448	            MUST report only the one containing the highest value of
1449	            natv2SubscriberPortMapEntries and discard the others."
1450	       DEFVAL
1451	            { -1 }
1452	       ::= { natv2SubscriberEntry 16 }

1454	   natv2SubscriberNotificationInterval OBJECT-TYPE
1455	       SYNTAX Unsigned32 (1..3600)
1456	       UNITS
1457	           "Seconds"
1458	       MAX-ACCESS read-write
1459	       STATUS current
1460	       DESCRIPTION
1461	           "Minimum number of seconds between successive
1462	            reporting of notifications for this subscriber. Controls the
1463	            reporting of
1464	            natv2NotificationSubscriberPortMappingEntriesHigh."
1465	       DEFVAL
1466	            { 60 }
1467	       ::= { natv2SubscriberEntry 17 }

1469	   -- Per-NAT-instance objects

1471	   natv2MIBInstanceObjects OBJECT IDENTIFIER ::= { natv2MIB 2 }

1473	   -- Instance table
1474	   natv2InstanceTable OBJECT-TYPE
1475	       SYNTAX SEQUENCE OF Natv2InstanceEntry
1476	       MAX-ACCESS not-accessible
1477	       STATUS current
1478	       DESCRIPTION
1479	           "Table of NAT instances. As well as state and counter
1480	            objects, it provides the instance index, instance name, and
1481	            the last discontinuity time object which is applicable to
1482	            the counters. It also contains writable thresholds for
1483	            reporting of notifications and limits on usage of resources
1484	            at the level of the NAT instance.

1486	            It is assumed that NAT instances can be created and deleted
1487	            dynamically, but this MIB module does not provide the means
1488	            to do so. For restrictions on assignment and maintenance of
1489	            the NAT index instance see the description of
1490	            natv2InstanceIndex in the table below. For the requirements
1491	            on maintenance of the values of the counters in this table
1492	            see the description of natv2InstanceDiscontinuityTime in
1493	            this table.

1495	            Each NAT instance has its own resources and behavior. The
1496	            resources include memory as reflected in space for map
1497	            entries, processing power as reflected in the rate of map
1498	            creation and deletion, and mappable addresses in each realm
1499	            that can play the role of an external realm for at least
1500	            some mappings for that instance. The NAT instance table
1501	            includes limits and notification thresholds that relate to
1502	            memory usage for mapping at the level of the whole instance.
1503	            The limit on number of subscribers with active mappings is a
1504	            limit to some extent on processor usage.

1506	            The mappable 'external' addresses may or may not be
1507	            organized into address pools. For a definition of address
1508	            pools see the description of natv2PoolTable. If the instance
1509	            does support address pools, it also has a pooling behavior.
1510	            Mapping, filtering, and pooling behavior are defined in the
1511	            descriptions of the natv2InstancePortMappingBehavior,
1512	            natv2InstanceFilteringBehavior, and
1513	            natv2InstancePoolingBehavior objects in this table. The
1514	            instance also has a fragmentation behavior, defined in the
1515	            description of the natv2InstanceFragmentBehavior object."
1516	       REFERENCE
1517	           "RFC yyyy Section 3.3.4. NAT behaviors: RFC 4787
1518	            (primary, UDP); RFC 5382 (TCP), RFC 5508 (ICMP), RFC5597
1519	            (DCCP)."
1520	       ::= { natv2MIBInstanceObjects 1 }

1522	   natv2InstanceEntry OBJECT-TYPE
1523	       SYNTAX Natv2InstanceEntry
1524	       MAX-ACCESS not-accessible
1525	       STATUS current
1526	       DESCRIPTION
1527	           "Objects related to a single NAT instance."
1528	       INDEX { natv2InstanceIndex }
1529	       ::= { natv2InstanceTable 1 }

1531	   Natv2InstanceEntry ::=
1532	       SEQUENCE {
1533	            natv2InstanceIndex                    Natv2InstanceIndex,
1534	            natv2InstanceAlias                         DisplayString,
1535	   -- Configured behaviors
1536	            natv2InstancePortMappingBehavior           INTEGER,
1537	            natv2InstanceFilteringBehavior             INTEGER,
1538	            natv2InstancePoolingBehavior               INTEGER,
1539	            natv2InstanceFragmentBehavior              INTEGER,
1540	   -- State
1541	            natv2InstanceAddressMapEntries              Unsigned32,
1542	            natv2InstancePortMapEntries                 Unsigned32,
1543	   -- Statistics and discontinuity time
1544	            natv2InstanceTranslations                   Counter64,
1545	            natv2InstanceAddressMapCreations            Counter64,
1546	            natv2InstancePortMapCreations               Counter64,
1547	            natv2InstanceAddressMapEntryLimitDrops      Counter64,
1548	            natv2InstancePortMapEntryLimitDrops         Counter64,
1549	            natv2InstanceSubscriberActiveLimitDrops     Counter64,
1550	            natv2InstanceAddressMapFailureDrops         Counter64,
1551	            natv2InstancePortMapFailureDrops            Counter64,
1552	            natv2InstanceFragmentDrops                  Counter64,
1553	            natv2InstanceOtherResourceFailureDrops      Counter64,
1554	            natv2InstanceDiscontinuityTime              TimeStamp,
1555	   -- Notification thresholds, disabled if set to -1
1556	            natv2InstanceThresholdAddressMapEntriesHigh Integer32,
1557	            natv2InstanceThresholdPortMapEntriesHigh    Integer32,
1558	            natv2InstanceNotificationInterval           Unsigned32,
1559	   -- Limits, disabled if set to 0
1560	            natv2InstanceLimitAddressMapEntries         Unsigned32,
1561	            natv2InstanceLimitPortMapEntries            Unsigned32,
1562	            natv2InstanceLimitPendingFragments          Unsigned32,
1563	            natv2InstanceLimitSubscriberActives         Unsigned32
1564	       }

1566	   natv2InstanceIndex OBJECT-TYPE
1567	       SYNTAX Natv2InstanceIndex
1568	       MAX-ACCESS not-accessible
1569	       STATUS current
1570	       DESCRIPTION
1571	           "NAT instance index. It is up to the implementation to
1572	            determine which values correspond to in-service NAT
1573	            instances. This object is used as an index for all tables
1574	            defined below."
1575	       ::= { natv2InstanceEntry 1 }

1577	   natv2InstanceAlias OBJECT-TYPE
1578	       SYNTAX DisplayString (SIZE (0..64))
1579	       MAX-ACCESS read-only
1580	       STATUS current
1581	       DESCRIPTION
1582	           "This object is an 'alias' name for the NAT instance as
1583	            specified by a network manager, and provides a non-volatile
1584	            'handle' for the instance.

1586	            An example of the value which a network manager might store
1587	            in this object for a NAT instance is the name/identifier of
1588	            the interface that brings in internal traffic for this NAT
1589	            instance or the name of the VRF for internal traffic."
1590	       ::= { natv2InstanceEntry 2 }

1592	   -- Configured behaviors

1594	   natv2InstancePortMappingBehavior OBJECT-TYPE
1595	       SYNTAX INTEGER {
1596	              endpointIndependent (0),
1597	              addressDependent (1),
1598	              addressAndPortDependent (2)
1599	           }
1600	       MAX-ACCESS read-only
1601	       STATUS current
1602	       DESCRIPTION
1603	           "Port mapping behavior is the policy governing selection of
1604	            external address and port in a given realm for a given
1605	            five-tuple of source address and port, destination address
1606	            and port, and protocol.

1608	            endpointIndependent(0), the behavior REQUIRED by RFC 4787
1609	            REQ-1, maps the source address and port to the same
1610	            external address and port for all destination address and
1611	            port combinations reached through the same external realm
1612	            and using the given protocol.

1614	            addressDependent(1) maps to the same external address and
1615	            port for all destination ports at the same destination
1616	            address reached through the same external realm and using
1617	            the given protocol.

1619	            addressAndPortDependent(2) maps to a separate external
1620	            address and port combination for each different
1621	            destination address and port combination reached through
1622	            the same external realm."
1623	       REFERENCE
1624	            "RFC 4787 section 4.1."
1625	       ::= { natv2InstanceEntry 3 }

1627	   natv2InstanceFilteringBehavior OBJECT-TYPE
1628	       SYNTAX INTEGER {
1629	              endpointIndependent (0),
1630	              addressDependent (1),
1631	              addressAndPortDependent (2)
1632	           }
1633	       MAX-ACCESS read-only
1634	       STATUS current
1635	       DESCRIPTION
1636	           "Filtering behavior is the policy governing acceptance or
1637	            dropping of packets incoming from remote sources via a
1638	            given external realm and destined to a specific three-tuple
1639	            of external address, port, and protocol at the NAT instance
1640	            that has been assigned in a port mapping.

1642	            endpointIndependent(0) accepts for translation packets from
1643	            all combinations of remote address and port destined to the
1644	            mapped external address and port via the given external
1645	            realm and using the given protocol.

1647	            addressDependent(1) accepts for translation packets from all
1648	            remote ports from the same remote source address destined to
1649	            the mapped external address and port via the given external
1650	            realm and using the given protocol.

1652	            addressAndPortDependent(2) accepts for translation only
1653	            those packets with the same remote source address, port, and
1654	            protocol incoming from the same external realm as identified
1655	            when the applicable port map entry was created.

1657	            RFC 4787 REQ-8 recommends either endpointIndependent(0) or
1658	            addressDependent(1) filtering behavior depending on whether
1659	            application-friendliness or security takes priority."
1660	       REFERENCE
1661	           "RFC 4787 section 5."
1662	       ::= { natv2InstanceEntry 4 }

1664	   natv2InstancePoolingBehavior OBJECT-TYPE
1665	       SYNTAX INTEGER {
1666	              arbitrary (0),
1667	              paired (1)
1668	           }
1669	       MAX-ACCESS read-only
1670	       STATUS current
1671	       DESCRIPTION
1672	           "Pooling behavior is the policy used to select the address
1673	            for a new port mapping within a given address pool to which
1674	            the internal address has already been mapped.

1676	            arbitrary(0) pooling behavior means that the NAT instance
1677	            may create the new port mapping using any address in the
1678	            pool that has a free port for the protocol concerned.

1680	            paired(1) pooling behavior, the behavior RECOMMENDED by RFC
1681	            4787 REQ-2, means that once a given internal address has
1682	            been mapped to a particular address in a particular pool,
1683	            further mappings of the same internal address to that pool
1684	            will reuse the previously assigned pool member address."
1685	       REFERENCE
1686	           "RFC 4787 near the end of section 4.1"
1687	       ::= { natv2InstanceEntry 5 }

1689	   natv2InstanceFragmentBehavior OBJECT-TYPE
1690	       SYNTAX INTEGER {
1691	              fragmentNone (0),
1692	              fragmentInOrder (1),
1693	              fragmentOutOfOrder (2)
1694	           }
1695	       MAX-ACCESS read-only
1696	       STATUS current
1697	       DESCRIPTION
1698	           "Fragment behavior is the NAT instance's capability to
1699	            receive and translate fragments incoming from remote
1700	            sources.

1702	            fragmentNone(0) implies no capability to translate incoming
1703	            fragments, so all received fragments are dropped. Each
1704	            dropped fragment is counted in natv2InstanceFragmentDrops.

1706	            fragmentInOrder(1) implies the ability to translate
1707	            fragments only if they are received in order, so that in
1708	            particular the header is in the first packet. If a fragment
1709	            is received out of order, it is dropped and counted in
1710	            natv2InstanceFragmentDrops.

1712	            fragmentOutOfOrder(2), the capability REQUIRED by RFC 4787
1713	            REQ-14, implies the capability to translate fragments even
1714	            when they arrive out of order, subject to a protective
1715	            limit natv2InstanceLimitPendingFragments on total number of
1716	            fragments awaiting the first fragment of the chain. If the
1717	            implementation supports this capability,
1718	            natv2InstanceFragmentDrops is incremented only when a new
1719	            fragment arrives but is dropped because the limit on pending
1720	            fragments has already been reached."
1721	       REFERENCE
1722	           "RFC 4787 section 11."
1723	       ::= { natv2InstanceEntry 6 }

1725	   -- State

1727	   natv2InstanceAddressMapEntries OBJECT-TYPE
1728	       SYNTAX Unsigned32
1729	       MAX-ACCESS read-only
1730	       STATUS current
1731	       DESCRIPTION
1732	           "The current number of address map entries in total over the
1733	            whole NAT instance, including static mappings. An address
1734	            map entry maps from a given internal address and realm to an
1735	            external address in a particular external realm. This
1736	            definition includes 'hairpin' mappings, where the external
1737	            realm is the same as the internal one. Address map entries
1738	            are also tracked per subscriber and per address pool within
1739	            the instance."
1740	       REFERENCE
1741	           "RFC yyyy Section 3.3.8. RFC 4787 section 6."
1742	       ::= { natv2InstanceEntry 7 }

1744	   natv2InstancePortMapEntries OBJECT-TYPE
1745	       SYNTAX Unsigned32
1746	       MAX-ACCESS read-only
1747	       STATUS current
1748	       DESCRIPTION
1749	           "The current number of entries in the port map table in total
1750	            over the whole NAT instance, including static mappings. A
1751	            port map entry maps from a given external realm, address,
1752	            and port for a given protocol to an internal realm, address,
1753	            and port. This definition includes 'hairpin' mappings, where
1754	            the external realm is the same as the internal one. Port map
1755	            entries are also tracked per subscriber and per protocol and
1756	            address pool within the instance."
1757	       REFERENCE
1758	           "RFC yyyy Section 3.3.9.
1759	            Hairpinning: RFC 4787 Section 6."
1760	       ::= { natv2InstanceEntry 8 }

1762	   -- Statistics
1763	   natv2InstanceTranslations OBJECT-TYPE
1764	       SYNTAX Counter64
1765	       MAX-ACCESS read-only
1766	       STATUS current
1767	       DESCRIPTION
1768	           "The cumulative number of translated packets passing through
1769	            this NAT instance. This value MUST be monotone increasing in
1770	            the periods between updates of
1771	            natv2InstanceDiscontinuityTime. If a manager detects a
1772	            change in the latter since the last time it sampled this
1773	            counter, it SHOULD NOT make use of the difference between
1774	            the latest value of the counter and any value retrieved
1775	            before the new value of natv2InstanceDiscontinuityTime."
1776	       ::= { natv2InstanceEntry 9 }

1778	   natv2InstanceAddressMapCreations OBJECT-TYPE
1779	       SYNTAX Counter64
1780	       MAX-ACCESS read-only
1781	       STATUS current
1782	       DESCRIPTION
1783	           "The cumulative number of address map entries created by the
1784	            NAT instance, including static mappings. Address map
1785	            creations are also tracked per address pool within the
1786	            instance and per subscriber.

1788	            This value MUST be monotone increasing in
1789	            the periods between updates of
1790	            natv2InstanceDiscontinuityTime. If a manager detects a
1791	            change in the latter since the last time it sampled this
1792	            counter, it SHOULD NOT make use of the difference between
1793	            the latest value of the counter and any value retrieved
1794	            before the new value of natv2InstanceDiscontinuityTime."
1795	       ::= { natv2InstanceEntry 10 }

1797	   natv2InstancePortMapCreations  OBJECT-TYPE
1798	       SYNTAX Counter64
1799	       MAX-ACCESS read-only
1800	       STATUS current
1801	       DESCRIPTION
1802	           "The cumulative number of port map entries created by the
1803	            NAT instance, including static mappings. Port map
1804	            creations are also tracked per protocol and address pool
1805	            within the instance and per subscriber.

1807	            This value MUST be monotone increasing in
1808	            the periods between updates of
1809	            natv2InstanceDiscontinuityTime. If a manager detects a
1810	            change in the latter since the last time it sampled this
1811	            counter, it SHOULD NOT make use of the difference between
1812	            the latest value of the counter and any value retrieved
1813	            before the new value of natv2InstanceDiscontinuityTime."
1814	       ::= { natv2InstanceEntry 11 }

1816	   natv2InstanceAddressMapEntryLimitDrops OBJECT-TYPE
1817	       SYNTAX Counter64
1818	       MAX-ACCESS read-only
1819	       STATUS current
1820	       DESCRIPTION
1821	           "The cumulative number of packets dropped rather than
1822	            translated because the packet would have triggered
1823	            the creation of a new address map entry but the limit
1824	            on number of address map entries for the NAT instance
1825	            given by natv2InstanceLimitAddressMapEntries has
1826	            already been reached.

1828	            This value MUST be monotone increasing in the periods
1829	            between updates of the entity's
1830	            natv2InstanceDiscontinuityTime. If a manager detects a
1831	            change in the latter since the last time it sampled this
1832	            counter, it SHOULD NOT make use of the difference between
1833	            the latest value of the counter and any value retrieved
1834	            before the new value of natv2InstanceDiscontinuityTime."
1835	       ::= { natv2InstanceEntry 12 }

1837	   natv2InstancePortMapEntryLimitDrops OBJECT-TYPE
1838	       SYNTAX Counter64
1839	       MAX-ACCESS read-only
1840	       STATUS current
1841	       DESCRIPTION
1842	           "The cumulative number of packets dropped rather than
1843	            translated because the packet would have triggered
1844	            the creation of a new port map entry but the limit
1845	            on number of port map entries for the NAT instance
1846	            given by natv2InstanceLimitPortMapEntries has
1847	            already been reached.

1849	            This value MUST be monotone increasing in the periods
1850	            between updates of the entity's
1851	            natv2InstanceDiscontinuityTime. If a manager detects a
1852	            change in the latter since the last time it sampled this
1853	            counter, it SHOULD NOT make use of the difference between
1854	            the latest value of the counter and any value retrieved
1855	            before the new value of natv2InstanceDiscontinuityTime."
1856	       ::= { natv2InstanceEntry 13 }

1858	   natv2InstanceSubscriberActiveLimitDrops OBJECT-TYPE
1859	       SYNTAX Counter64
1860	       MAX-ACCESS read-only
1861	       STATUS current
1862	       DESCRIPTION
1863	           "The cumulative number of packets dropped rather than
1864	            translated because the packet would have triggered the
1865	            creation of a new mapping for a subscriber with no other
1866	            active mappings, but the limit on number of active
1867	            subscribers for the NAT instance given by
1868	            natv2InstanceLimitSubscriberActives has already been
1869	            reached.

1871	            This value MUST be monotone increasing in the periods
1872	            between updates of the entity's
1873	            natv2InstanceDiscontinuityTime. If a manager detects a
1874	            change in the latter since the last time it sampled this
1875	            counter, it SHOULD NOT make use of the difference between
1876	            the latest value of the counter and any value retrieved
1877	            before the new value of natv2InstanceDiscontinuityTime."
1878	       ::= { natv2InstanceEntry 14 }

1880	   natv2InstanceAddressMapFailureDrops OBJECT-TYPE
1881	       SYNTAX Counter64
1882	       MAX-ACCESS read-only
1883	       STATUS current
1884	       DESCRIPTION
1885	           "The cumulative number of packets dropped because the packet
1886	            would have triggered the creation of a new address map
1887	            entry, but no address could be allocated in the selected
1888	            external realm because all addresses from the selected
1889	            address pool (or the whole realm, if no address pool has
1890	            been configured for that realm) have already been fully
1891	            allocated.

1893	            This value MUST be monotone increasing in the periods
1894	            between updates of the entity's
1895	            natv2InstanceDiscontinuityTime. If a manager detects a
1896	            change in the latter since the last time it sampled this
1897	            counter, it SHOULD NOT make use of the difference between
1898	            the latest value of the counter and any value retrieved
1899	            before the new value of natv2InstanceDiscontinuityTime."
1900	       ::= { natv2InstanceEntry 15 }

1902	   natv2InstancePortMapFailureDrops OBJECT-TYPE
1903	       SYNTAX Counter64
1904	       MAX-ACCESS read-only
1905	       STATUS current
1906	       DESCRIPTION
1907	           "The cumulative number of packets dropped because the
1908	            packet would have triggered the creation of a new
1909	            port map entry, but no port could be allocated for the
1910	            protocol concerned. The usual case for this will be
1911	            for a NAT instance that supports address pooling and
1912	            the 'paired' pooling behavior recommended by RFC 4787,
1913	            where the internal endpoint has used up all of the
1914	            ports allocated to it for the address it was mapped to
1915	            in the selected address pool in the external realm
1916	            concerned and cannot be given more ports because
1917	            - policy or implementation prevents it from having a
1918	              second address in the same pool, and
1919	            - policy or unavailability prevents it from acquiring
1920	              more ports at its originally assigned address.

1922	            If the NAT instance supports address pooling but its
1923	            pooling behavior is 'arbitrary' (meaning that
1924	            the NAT instance can allocate a new port mapping for
1925	            the given internal endpoint on any address in the
1926	            selected address pool and is not bound to what it has
1927	            already mapped for that endpoint), then this counter
1928	            is incremented when all ports for the protocol concerned
1929	            over the whole of the selected address pool are already
1930	            in use.

1932	            Finally, if no address pools have been configured for the
1933	            external realm concerned, then this counter is incremented
1934	            because all ports for the protocol involved over the whole
1935	            set of addresses available for that external realm are
1936	            already in use.

1938	            This value MUST be monotone increasing in the periods
1939	            between updates of the entity's
1940	            natv2InstanceDiscontinuityTime. If a manager detects a
1941	            change in the latter since the last time it sampled this
1942	            counter, it SHOULD NOT make use of the difference between
1943	            the latest value of the counter and any value retrieved
1944	            before the new value of natv2InstanceDiscontinuityTime."
1945	       REFERENCE
1946	           "Pooling behavior: RFC 4787, end of section 4.1."
1947	       ::= { natv2InstanceEntry 16 }

1949	   natv2InstanceFragmentDrops OBJECT-TYPE
1950	       SYNTAX Counter64
1951	       MAX-ACCESS read-only
1952	       STATUS current
1953	       DESCRIPTION
1954	           "The cumulative number of fragments received by the NAT
1955	            instance but dropped rather than translated. When the NAT
1956	            instance supports the 'Receive Fragment Out of Order'
1957	            capability as required by RFC 4787, this occurs because the
1958	            fragment was received out of order and would be added to the
1959	            queue of fragments awaiting the initial fragment of the
1960	            chain, but the queue has already reached the limit set by
1961	            natv2InstanceLimitsPendingFragments. Counting in other cases
1962	            is specified in the description of
1963	            natv2InstanceFragmentBehavior.

1965	            This value MUST be monotone increasing in the periods
1966	            between updates of the entity's
1967	            natv2InstanceDiscontinuityTime. If a manager detects a
1968	            change in the latter since the last time it sampled this
1969	            counter, it SHOULD NOT make use of the difference between
1970	            the latest value of the counter and any value retrieved
1971	            before the new value of natv2InstanceDiscontinuityTime."
1972	       REFERENCE
1973	           "RFC 4787, section 11."
1974	       ::= { natv2InstanceEntry 17 }

1976	   natv2InstanceOtherResourceFailureDrops OBJECT-TYPE
1977	       SYNTAX Counter64
1978	       MAX-ACCESS read-only
1979	       STATUS current
1980	       DESCRIPTION
1981	           "The cumulative number of packets dropped because of
1982	            unavailability of a resource other than an address or port
1983	            that would have been required to process it. The most likely
1984	            case is where the upper layer protocol in the packet is not
1985	            supported by the NAT instance.

1987	            This value MUST be monotone increasing in the periods
1988	            between updates of the entity's
1989	            natv2InstanceDiscontinuityTime. If a manager detects a
1990	            change in the latter since the last time it sampled this
1991	            counter, it SHOULD NOT make use of the difference between
1992	            the latest value of the counter and any value retrieved
1993	            before the new value of natv2InstanceDiscontinuityTime."
1994	       ::= { natv2InstanceEntry 18 }

1996	   natv2InstanceDiscontinuityTime OBJECT-TYPE
1997	       SYNTAX TimeStamp
1998	       MAX-ACCESS read-only
1999	       STATUS current
2000	       DESCRIPTION
2001	           "Snapshot of the value of the sysUpTime object at the
2002	            beginning of the latest period of continuity of the
2003	            statistical counters associated with this NAT instance."
2004	       ::= { natv2InstanceEntry 19 }

2006	   -- Notification thresholds, disabled by setting to zero

2008	   natv2InstanceThresholdAddressMapEntriesHigh OBJECT-TYPE
2009	       SYNTAX Integer32
2010	       MAX-ACCESS read-write
2011	       STATUS current
2012	       DESCRIPTION
2013	           "Notification threshold for total number of address map
2014	            entries held by this NAT instance. Whenever
2015	            natv2InstanceAddressMapEntries is updated, if it equals or
2016	            exceeds natv2InstanceThresholdAddressMapEntriesHigh, then
2017	            natv2NotificationInstanceAddressMapEntriesHigh may be
2018	            triggered, unless the notification is disabled by setting
2019	            the threshold to -1. Reporting is subject to the minimum
2020	            inter-notification interval given by
2021	            natv2InstanceNotificationInterval. If multiple notifications
2022	            are triggered during one interval, the agent MUST report
2023	            only the one containing the highest value of
2024	            natv2InstanceAddressMapEntries and discard the others."
2025	       DEFVAL
2026	            { -1 }
2027	       ::= { natv2InstanceEntry 20 }

2029	   natv2InstanceThresholdPortMapEntriesHigh OBJECT-TYPE
2030	       SYNTAX Integer32
2031	       MAX-ACCESS read-write
2032	       STATUS current
2033	       DESCRIPTION
2034	           "Notification threshold for total number of port map
2035	            entries held by this NAT instance. Whenever
2036	            natv2InstancePortMapEntries is updated, if it equals or
2037	            exceeds natv2InstanceThresholdPortMapEntriesHigh, then
2038	            natv2NotificationInstancePortMapEntriesHigh may be
2039	            triggered, unless the notification is disabled by setting
2040	            the threshold to -1. Reporting is subject to the minimum
2041	            inter-notification interval given by
2042	            natv2InstanceNotificationInterval. If multiple notifications
2043	            are triggered during one interval, the agent MUST report
2044	            only the one containing the highest value of
2045	            natv2InstancePortMapEntries and discard the others."
2046	       DEFVAL
2047	           { -1 }
2048	       ::= { natv2InstanceEntry 21 }

2050	   natv2InstanceNotificationInterval OBJECT-TYPE
2051	       SYNTAX Unsigned32 (1..3600)
2052	       UNITS
2053	           "Seconds"
2054	       MAX-ACCESS read-write
2055	       STATUS current
2056	       DESCRIPTION
2057	           "Minimum number of seconds between successive
2058	            notifications for this NAT instance. Controls the reporting
2059	            of natv2NotificationInstanceAddressMapEntriesHigh and
2060	            natv2NotificationInstancePortMapEntriesHigh."
2061	       DEFVAL
2062	           { 10 }
2063	       ::= { natv2InstanceEntry 22 }

2065	     -- Limits, disabled if set to 0

2067	   natv2InstanceLimitAddressMapEntries OBJECT-TYPE
2068	       SYNTAX Unsigned32
2069	       MAX-ACCESS read-write
2070	       STATUS current
2071	       DESCRIPTION
2072	           "Limit on total number of address map entries supported by
2073	            the NAT instance. When natv2InstanceAddressMapEntries has
2074	            reached this limit, subsequent packets that would normally
2075	            trigger creation of a new address map entry will be dropped
2076	            and counted in natv2InstanceAddressMapEntryLimitDrops.
2077	            Warning of an approach to this limit can be achieved by
2078	            setting natv2InstanceThresholdAddressMapEntriesHigh to a
2079	            non-zero value, for example, 80% of the limit. The limit is
2080	            disabled by setting its value to zero.

2082	            For further information please see the descriptions of
2083	            natv2NotificationInstanceAddressMapEntriesHigh and
2084	            natv2InstanceAddressMapEntries."
2085	       DEFVAL
2086	           { 0 }
2087	       ::= { natv2InstanceEntry 23 }

2089	   natv2InstanceLimitPortMapEntries OBJECT-TYPE
2090	       SYNTAX Unsigned32
2091	       MAX-ACCESS read-write
2092	       STATUS current
2093	       DESCRIPTION
2094	           "Limit on total number of port map entries supported by the
2095	            NAT instance. When natv2InstancePortMapEntries has reached
2096	            this limit, subsequent packets that would normally trigger
2097	            creation of a new port map entry will be dropped and counted
2098	            in natv2InstancePortMapEntryLimitDrops. Warning of an
2099	            approach to this limit can be achieved by setting
2100	            natv2InstanceThresholdPortMapEntriesHigh to a non-zero
2101	            value, for example, 80% of the limit. The limit is disabled
2102	            by setting its value to zero.

2104	            For further information please see the descriptions of
2105	            natv2NotificationInstancePortMapEntriesHigh and
2106	            natv2InstancePortMapEntries."
2107	       DEFVAL
2108	           { 0 }
2109	       ::= { natv2InstanceEntry 24 }

2111	   natv2InstanceLimitPendingFragments OBJECT-TYPE
2112	       SYNTAX Unsigned32
2113	       MAX-ACCESS read-write
2114	       STATUS current
2115	       DESCRIPTION
2116	           "Limit on number of out-of-order fragments received by the
2117	            NAT instance from remote sources and held until head of
2118	            chain appears. While the number of held fragments is at this
2119	            limit, subsequent packets that contain fragments not
2120	            relating to those already held will be dropped and counted
2121	            in natv2InstancePendingFragmentLimitDrops. The limit is
2122	            disabled by setting the value to zero.

2124	            Applicable only when the NAT instance supports 'Receive
2125	            Fragments Out of Order' behavior, leave at default
2126	            otherwise. See the description of
2127	            natv2InstanceFragmentBehavior."
2128	       REFERENCE
2129	            "RFC 4787 Section 11"
2130	       DEFVAL { 0 }
2131	       ::= { natv2InstanceEntry 25 }

2133	   natv2InstanceLimitSubscriberActives OBJECT-TYPE
2134	       SYNTAX Unsigned32
2135	       MAX-ACCESS read-write
2136	       STATUS current
2137	       DESCRIPTION
2138	           "Limit on number of total number of active subscribers
2139	            supported by the NAT instance. An active subscriber is
2140	            defined as any subscriber with at least one map entry,
2141	            including static mappings. While the number of active
2142	            subscribers is at this limit, subsequent packets that would
2143	            otherwise trigger first mappings for newly active
2144	            subscribers will be dropped and counted in
2145	            natv2InstanceSubscriberActiveLimitDrops. The limit is
2146	            disabled by setting the value to zero."

2148	       DEFVAL { 0 }
2149	       ::= { natv2InstanceEntry 26 }

2151	   -- Table of counters per upper layer protocol identified by the
2152	   -- packet header and supported by the NAT instance

2154	   natv2ProtocolTable  OBJECT-TYPE
2155	       SYNTAX SEQUENCE OF Natv2ProtocolEntry
2156	       MAX-ACCESS not-accessible
2157	       STATUS current
2158	       DESCRIPTION
2159	           "Table of protocols with per-protocol counters. Conceptual
2160	            rows of the table are indexed by the combination of the NAT
2161	            instance number and the IANA-assigned upper layer protocol
2162	            number as given by the ProtocolNumber TC and contained in
2163	            the packet IP header. It is up to the agent implementation
2164	            to determine and operate upon only those upper layer
2165	            protocol numbers supported by the NAT instance."
2166	       REFERENCE
2167	           "RFC yyyy Section 3.3.5."
2168	       ::= { natv2MIBInstanceObjects 2 }

2170	   natv2ProtocolEntry OBJECT-TYPE
2171	       SYNTAX Natv2ProtocolEntry
2172	       MAX-ACCESS not-accessible
2173	       STATUS current
2174	       DESCRIPTION
2175	           "Per-protocol counters."
2176	       INDEX { natv2ProtocolInstanceIndex,
2177	               natv2ProtocolNumber }
2178	       ::= { natv2ProtocolTable 1 }

2180	   Natv2ProtocolEntry ::=
2181	       SEQUENCE {
2182	           natv2ProtocolInstanceIndex          Natv2InstanceIndex,
2183	           natv2ProtocolNumber                     ProtocolNumber,
2184	   -- State
2185	           natv2ProtocolPortMapEntries             Unsigned32,
2186	   -- Statistics. Discontinuity object from instance table reused here.
2187	           natv2ProtocolTranslations               Counter64,
2188	           natv2ProtocolPortMapCreations           Counter64,
2189	           natv2ProtocolPortMapFailureDrops        Counter64
2190	       }

2192	   natv2ProtocolInstanceIndex OBJECT-TYPE
2193	       SYNTAX Natv2InstanceIndex
2194	       MAX-ACCESS not-accessible
2195	       STATUS current
2196	       DESCRIPTION
2197	           "NAT instance index. It is up to the implementation to
2198	            determine and operate upon only those values that
2199	            correspond to in-service NAT instances."
2200	       ::= { natv2ProtocolEntry 1 }

2202	   natv2ProtocolNumber OBJECT-TYPE
2203	       SYNTAX ProtocolNumber
2204	       MAX-ACCESS not-accessible
2205	       STATUS current
2206	       DESCRIPTION
2207	           "Counters in this conceptual row apply to packets indicating
2208	            the upper layer protocol identified by the value of
2209	            this object. It is up to the implementation to determine and
2210	            operate upon only those values that correspond to protocols
2211	            supported by the NAT instance."
2212	       REFERENCE
2213	           "RFC yyyy Section 3.3.5.
2214	            IANA Protocol Numbers, http://www.iana.org/assignments/
2215	            protocol-numbers/protocol-numbers.xhtml#protocol-numbers-1"
2216	       ::= { natv2ProtocolEntry 2 }

2218	    -- State
2219	   natv2ProtocolPortMapEntries OBJECT-TYPE
2220	       SYNTAX Unsigned32
2221	       MAX-ACCESS read-only
2222	       STATUS current
2223	       DESCRIPTION
2224	           "The current number of entries in the port map table in total
2225	            over the whole NAT instance for a given protocol, including
2226	            static mappings. A port map entry maps from a given external
2227	            realm, address, and port for a given protocol to an internal
2228	            realm, address, and port. This definition includes 'hairpin'
2229	            mappings, where the external realm is the same as the
2230	            internal one. Port map entries are also tracked per
2231	            subscriber, per instance, and per address pool within the
2232	            instance."
2233	       REFERENCE
2234	           "RFC yyyy Section 3.3.5 and Section 3.3.9. Hairpinning:
2235	            RFC 4787 Section 6."
2236	       ::= { natv2ProtocolEntry 3 }

2238	   -- Statistics
2239	   natv2ProtocolTranslations OBJECT-TYPE
2240	       SYNTAX Counter64
2241	       MAX-ACCESS read-only
2242	       STATUS current
2243	       DESCRIPTION
2244	           "The cumulative number of packets translated by the NAT
2245	            instance in either direction for the given protocol.

2247	            This value MUST be monotone increasing in the periods
2248	            between updates of the NAT instance
2249	            natv2InstanceDiscontinuityTime. If a manager detects a
2250	            change in the latter since the last time it sampled this
2251	            counter, it SHOULD NOT make use of the difference between
2252	            the latest value of the counter and any value retrieved
2253	            before the new value of natv2InstanceDiscontinuityTime."
2254	       ::= { natv2ProtocolEntry 4 }

2256	   natv2ProtocolPortMapCreations  OBJECT-TYPE
2257	       SYNTAX Counter64
2258	       MAX-ACCESS read-only
2259	       STATUS current
2260	       DESCRIPTION
2261	           "The cumulative number of port map entries created by the NAT
2262	            instance for the given protocol.

2264	            This value MUST be monotone increasing in the periods
2265	            between updates of the NAT instance
2266	            natv2InstanceDiscontinuityTime. If a manager detects a
2267	            change in the latter since the last time it sampled this
2268	            counter, it SHOULD NOT make use of the difference between
2269	            the latest value of the counter and any value retrieved
2270	            before the new value of natv2InstanceDiscontinuityTime."
2271	       ::= { natv2ProtocolEntry 5 }

2273	   natv2ProtocolPortMapFailureDrops OBJECT-TYPE
2274	       SYNTAX Counter64
2275	       MAX-ACCESS read-only
2276	       STATUS current
2277	       DESCRIPTION
2278	           "The cumulative number of packets dropped because the packet
2279	            would have triggered the creation of a new port map entry,
2280	            but no port could be allocated for the protocol concerned.
2281	            The usual case for this will be for a NAT instance that
2282	            supports address pooling and the 'paired' pooling behavior
2283	            recommended by RFC 4787, where the internal endpoint has
2284	            used up all of the ports allocated to it for the address it
2285	            was mapped to in the selected address pool in the external
2286	            realm concerned and cannot be given more ports because
2287	            - policy or implementation prevents it from having a
2288	              second address in the same pool, and
2289	            - policy or unavailability prevents it from acquiring
2290	              more ports at its originally assigned address.

2292	            If the NAT instance supports address pooling but its
2293	            pooling behavior is 'arbitrary' (meaning that
2294	            the NAT instance can allocate a new port mapping for
2295	            the given internal endpoint on any address in the
2296	            selected address pool and is not bound to what it has
2297	            already mapped for that endpoint), then this counter
2298	            is incremented when all ports for the protocol concerned
2299	            over the whole of the selected address pool are already
2300	            in use.

2302	            Finally, if the NAT instance has no configured address
2303	            pooling, then this counter is incremented because all
2304	            ports for the protocol concerned over the whole of the
2305	            NAT instance for the external realm concerned are already
2306	            in use.

2308	            This value MUST be monotone increasing in the periods
2309	            between updates of the NAT instance
2310	            natv2InstanceDiscontinuityTime. If a manager detects a
2311	            change in the latter since the last time it sampled this
2312	            counter, it SHOULD NOT make use of the difference between
2313	            the latest value of the counter and any value retrieved
2314	            before the new value of natv2InstanceDiscontinuityTime."
2315	       REFERENCE
2316	           "RFC 4787, end of section 4.1."
2317	       ::= { natv2ProtocolEntry 6 }

2319	   -- pools

2321	   natv2PoolTable OBJECT-TYPE
2322	       SYNTAX SEQUENCE OF Natv2PoolEntry
2323	       MAX-ACCESS not-accessible
2324	       STATUS current
2325	       DESCRIPTION
2326	          "Table of address pools, applicable only if these are
2327	           supported by the NAT instance. An address pool is a set of
2328	           addresses and ports in a particular realm, available for
2329	           assignment to the 'external' portion of a mapping. Where more
2330	           than one pool has been configured for the realm, policy
2331	           determines which subscribers and/or services are mapped to
2332	           which pool. natv2PoolTable provides basic information, state,
2333	           statistics, and two notification thresholds for each pool.
2334	           natv2PoolRangeTable is an expansion table for natv2PoolTable
2335	           that identifies particular address ranges allocated to the
2336	           pool."
2337	       REFERENCE
2338	           "RFC yyyy Section 3.3.6."

2340	       ::= { natv2MIBInstanceObjects 3 }

2342	   natv2PoolEntry OBJECT-TYPE
2343	       SYNTAX Natv2PoolEntry
2344	       MAX-ACCESS not-accessible
2345	       STATUS current
2346	       DESCRIPTION
2347	           "Entry in the table of address pools."
2348	       INDEX { natv2PoolInstanceIndex, natv2PoolIndex }
2349	       ::= { natv2PoolTable 1 }

2351	   Natv2PoolEntry ::=
2352	       SEQUENCE {
2353	   -- Index
2354	            natv2PoolInstanceIndex                 Natv2InstanceIndex,
2355	            natv2PoolIndex                         Natv2PoolIndex,
2356	   -- Configuration
2357	            natv2PoolRealm                         SnmpAdminString,
2358	            natv2PoolAddressType                   InetAddressType,
2359	            natv2PoolMinimumPort                   InetPortNumber,
2360	            natv2PoolMaximumPort                   InetPortNumber,
2361	   -- State
2362	            natv2PoolAddressMapEntries             Unsigned32,
2363	            natv2PoolPortMapEntries                Unsigned32,
2364	   -- Statistics and discontinuity time
2365	            natv2PoolAddressMapCreations           Counter64,
2366	            natv2PoolPortMapCreations              Counter64,
2367	            natv2PoolAddressMapFailureDrops        Counter64,
2368	            natv2PoolPortMapFailureDrops           Counter64,
2369	            natv2PoolDiscontinuityTime             TimeStamp,
2370	   -- Notification thresholds and objects returned by notifications
2371	            natv2PoolThresholdUsageLow             Integer32,
2372	            natv2PoolThresholdUsageHigh            Integer32,
2373	            natv2PoolNotifiedPortMapEntries        Unsigned32,
2374	            natv2PoolNotifiedPortMapProtocol       ProtocolNumber,
2375	            natv2PoolNotificationInterval          Unsigned32
2376	       }

2378	   natv2PoolInstanceIndex OBJECT-TYPE
2379	       SYNTAX Natv2InstanceIndex
2380	       MAX-ACCESS not-accessible
2381	       STATUS current
2382	       DESCRIPTION
2383	           "NAT instance index. It is up to the agent implementation
2384	            to determine and operate upon only those values that
2385	            correspond to in-service NAT instances."
2386	       ::= { natv2PoolEntry 1 }

2388	   natv2PoolIndex OBJECT-TYPE
2389	       SYNTAX Natv2PoolIndex
2390	       MAX-ACCESS not-accessible
2391	       STATUS current
2392	       DESCRIPTION
2393	           "Index of an address pool, unique for a given NAT instance.
2394	            It is up to the agent implementation to determine and
2395	            operate upon only those values that correspond to
2396	            provisioned pools."
2397	       ::= { natv2PoolEntry 2 }

2399	   -- configuration
2400	   natv2PoolRealm OBJECT-TYPE
2401	       SYNTAX SnmpAdminString (SIZE (0..32))
2402	       MAX-ACCESS read-only
2403	       STATUS current
2404	       DESCRIPTION
2405	           "Address realm to which this pool's addresses belong."
2406	       REFERENCE
2407	           "Address realms are discussed in Section 3.3.3 of
2408	            RFC yyyy. Primary reference is RFC 2663 Section 2.1."
2409	       ::= { natv2PoolEntry 3 }

2411	   natv2PoolAddressType OBJECT-TYPE
2412	       SYNTAX InetAddressType
2413	       MAX-ACCESS read-create
2414	       STATUS current
2415	       DESCRIPTION
2416	           "Address type supplied by this address pool. This will be the
2417	            same for all pools in a given realm (by definition of an
2418	            address realm). Values other than ipv4(1) or ipv6(2) would
2419	            be unexpected."
2420	       REFERENCE
2421	           "InetAddressType in RFC 4001."
2422	       ::= { natv2PoolEntry 4 }

2424	   natv2PoolMinimumPort OBJECT-TYPE
2425	       SYNTAX InetPortNumber
2426	       MAX-ACCESS read-create
2427	       STATUS current
2428	       DESCRIPTION
2429	           "Minimum port number of the range that can be allocated in
2430	            this pool. Applies to all protocols supported by the NAT
2431	            instance."
2432	       REFERENCE
2433	           "InetPortNumber in RFC 4001."
2434	       ::= { natv2PoolEntry 5 }

2436	   natv2PoolMaximumPort OBJECT-TYPE
2437	       SYNTAX InetPortNumber
2438	       MAX-ACCESS read-create
2439	       STATUS current
2440	       DESCRIPTION
2441	           "Maximum port number of the range that can be allocated in
2442	            this pool. Applies to all protocols supported by the NAT
2443	            instance."
2444	       REFERENCE
2445	           "InetPortNumber in RFC 4001."
2446	       ::= { natv2PoolEntry 6 }

2448	   -- State
2449	   natv2PoolAddressMapEntries OBJECT-TYPE
2450	       SYNTAX Unsigned32
2451	       MAX-ACCESS read-only
2452	       STATUS current
2453	       DESCRIPTION
2454	           "The current number of address map entries using external
2455	            addresses drawn from this pool, including static mappings.
2456	            This definition includes 'hairpin' mappings, where the
2457	            external realm is the same as the internal one. Address map
2458	            entries are also tracked per subscriber and per instance."
2459	       REFERENCE
2460	           "RFC yyyy Section 3.3.8. Hairpinning: RFC 4787 section 6."
2461	       ::= { natv2PoolEntry 7 }

2463	   natv2PoolPortMapEntries OBJECT-TYPE
2464	       SYNTAX Unsigned32
2465	       MAX-ACCESS read-only
2466	       STATUS current
2467	       DESCRIPTION
2468	           "The current number of entries in the port map table using
2469	            external addresses and ports drawn from this pool, including
2470	            static mappings. This definition includes 'hairpin'
2471	            mappings, where the external realm is the same as the
2472	            internal one. Port map entries are also tracked per
2473	            subscriber, per instance, and per protocol within the
2474	            instance."
2475	       REFERENCE
2476	           "RFC yyyy Section 3.3.9. Hairpinning: RFC 4787 Section 6."
2477	       ::= { natv2PoolEntry 8 }

2479	   -- Statistics and discontinuity time
2480	   natv2PoolAddressMapCreations OBJECT-TYPE
2481	       SYNTAX Counter64
2482	       MAX-ACCESS read-only
2483	       STATUS current
2484	       DESCRIPTION
2485	           "The cumulative number of address map entries created in this
2486	            pool, including static mappings. Address map entries are
2487	            also tracked per instance and per subscriber.

2489	            This value MUST be monotone increasing in
2490	            the periods between updates of the entity's
2491	            natv2PoolDiscontinuityTime. If a manager detects a
2492	            change in the latter since the last time it sampled this
2493	            counter, it SHOULD NOT make use of the difference between
2494	            the latest value of the counter and any value retrieved
2495	            before the new value of natv2PoolDiscontinuityTime."
2496	       ::= { natv2PoolEntry 9 }

2498	   natv2PoolPortMapCreations OBJECT-TYPE
2499	       SYNTAX Counter64
2500	       MAX-ACCESS read-only
2501	       STATUS current
2502	       DESCRIPTION
2503	           "The cumulative number of port map entries created in this
2504	            pool, including static mappings. Port map entries are also
2505	            tracked per instance, per protocol, and per subscriber.

2507	            This value MUST be monotone increasing in the periods
2508	            between updates of the entity's
2509	            natv2PoolDiscontinuityTime. If a manager detects a
2510	            change in the latter since the last time it sampled this
2511	            counter, it SHOULD NOT make use of the difference between
2512	            the latest value of the counter and any value retrieved
2513	            before the new value of natv2PoolDiscontinuityTime."
2514	       ::= { natv2PoolEntry 10 }

2516	   natv2PoolAddressMapFailureDrops OBJECT-TYPE
2517	       SYNTAX Counter64
2518	       MAX-ACCESS read-only
2519	       STATUS current
2520	       DESCRIPTION
2521	           "The cumulative number of packets originated by the
2522	            subscriber that were dropped because the packet would have
2523	            triggered the creation of a new address map entry, but no
2524	            address could be allocated from this address pool because
2525	            all addresses in the pool have already been fully allocated.
2526	            Counters of this event are also provided per instance, per
2527	            protocol and per subscriber.

2529	            This value MUST be monotone increasing in the periods
2530	            between updates of the entity's
2531	            natv2PoolDiscontinuityTime. If a manager detects a
2532	            change in the latter since the last time it sampled this
2533	            counter, it SHOULD NOT make use of the difference between
2534	            the latest value of the counter and any value retrieved
2535	            before the new value of natv2PoolDiscontinuityTime."
2536	       ::= { natv2PoolEntry 11 }

2538	   natv2PoolPortMapFailureDrops OBJECT-TYPE
2539	       SYNTAX Counter64
2540	       MAX-ACCESS read-only
2541	       STATUS current
2542	       DESCRIPTION
2543	           "The cumulative number of packets dropped because the packet
2544	            would have triggered the creation of a new port map entry,
2545	            but no port could be allocated for the protocol concerned.
2546	            The usual case for this will be for a NAT instance that
2547	            supports the 'paired' pooling behavior recommended by RFC
2548	            4787, where the internal endpoint has used up all of the
2549	            ports allocated to it for the address it was mapped to in
2550	            this pool and cannot be given more ports because
2551	            - policy or implementation prevents it from having a
2552	              second address in the same pool, and
2553	            - policy or unavailability prevents it from acquiring
2554	              more ports at its originally assigned address.

2556	            If the NAT instance pooling behavior is 'arbitrary' (meaning
2557	            that the NAT instance can allocate a new port mapping for
2558	            the given internal endpoint on any address in the selected
2559	            address pool and is not bound to what it has already mapped
2560	            for that endpoint), then this counter is incremented when
2561	            all ports for the protocol concerned over the whole of this
2562	            address pool are already in use.

2564	            This value MUST be monotone increasing in the periods
2565	            between updates of the entity's
2566	            natv2PoolDiscontinuityTime. If a manager detects a
2567	            change in the latter since the last time it sampled this
2568	            counter, it SHOULD NOT make use of the difference between
2569	            the latest value of the counter and any value retrieved
2570	            before the new value of natv2PoolDiscontinuityTime."
2571	       REFERENCE
2572	           "Pooling behavior: RFC 4787, end of section 4.1."
2573	       ::= { natv2PoolEntry 12 }

2575	   natv2PoolDiscontinuityTime OBJECT-TYPE
2576	       SYNTAX TimeStamp
2577	       MAX-ACCESS read-only
2578	       STATUS current
2579	       DESCRIPTION
2580	           "Snapshot of the value of the sysUpTime object at the
2581	            beginning of the latest period of continuity of the
2582	            statistical counters associated with this address
2583	            pool. This MUST be initialized when the address pool
2584	            is configured and MUST be updated whenever the port
2585	            or address ranges allocated to the pool change."
2586	       ::= { natv2PoolEntry 13 }

2588	   -- Notification thresholds and objects returned by notifications
2589	   natv2PoolThresholdUsageLow OBJECT-TYPE
2590	       SYNTAX Integer32 (-1|0..100)
2591	       UNITS "Percent"
2592	       MAX-ACCESS read-write
2593	       STATUS current
2594	       DESCRIPTION
2595	           "Threshold for reporting low utilization of the address pool.
2596	            Utilization at a given instant is calculated as the
2597	            percentage of ports allocated in port map entries for the
2598	            most-used protocol at that instant. If utilization is less
2599	            than or equal to natv2PoolThresholdUsageLow, an instance of
2600	            natv2NotificationPoolUsageLow may be triggered, unless
2601	            disabled by setting it to -1.  Note the difference from the
2602	            disabling setting for other notifications. Reporting is
2603	            subject to the per-pool notification interval given by
2604	            natv2PoolNotificationInterval. If multiple notifications are
2605	            triggered during one interval, the agent MUST report only
2606	            the one with the lowest value of
2607	            natv2PoolNotifiedPortMapEntries and discard the others.

2609	            Implementation note: the percentage specified by this object
2610	            can be converted to a number of port map entries at
2611	            configuration time (after port and address ranges have been
2612	            configured or reconfigured) and compared to the current
2613	            value of natv2PoolNotifiedPortMapEntries."
2614	       REFERENCE
2615	           "RFC yyyy Section 3.1.2 and Section 3.3.6."
2616	       DEFVAL { -1 }
2617	       ::= { natv2PoolEntry 14 }

2619	   natv2PoolThresholdUsageHigh OBJECT-TYPE
2620	       SYNTAX Integer32 (-1|0..100)
2621	       UNITS "Percent"
2622	       MAX-ACCESS read-write
2623	       STATUS current
2624	       DESCRIPTION
2625	           "Threshold for reporting high utilization of the address
2626	            pool. Utilization at a given instant is calculated as the
2627	            percentage of ports allocated in port map entries for the
2628	            most-used protocol at that instant.  If utilization is
2629	            greater than or equal to natv2PoolThresholdUsageHigh, an
2630	            instance of natv2NotificationPoolUsageHigh may be triggered,
2631	            unless disabled by setting it to -1.

2633	            Reporting is subject to the per-pool notification interval
2634	            given by natv2PoolNotificationInterval. If multiple
2635	            notifications are triggered during one interval, the agent
2636	            MUST report only the one with the highest value of
2637	            natv2PoolNotifiedPortMapEntries and discard the others. In
2638	            the rare case where both upper and lower thresholds
2639	            are crossed in the same interval, the agent MUST report only
2640	            the upper threshold notification.

2642	            Implementation note: the percentage specified by this object
2643	            can be converted to a number of port map entries at
2644	            configuration time (after port and address ranges have been
2645	            configured or reconfigured) and compared to the current
2646	            value of natv2PoolNotifiedPortMapEntries."
2647	       DEFVAL { -1 }
2648	       ::= { natv2PoolEntry 15 }

2650	   natv2PoolNotifiedPortMapEntries OBJECT-TYPE
2651	       SYNTAX Unsigned32
2652	       MAX-ACCESS accessible-for-notify
2653	       STATUS current
2654	       DESCRIPTION
2655	           "Number of port map entries using addresses and ports from
2656	            this address pool for the most-used protocol at a given
2657	            instant. One of the objects returned by
2658	            natv2NotificationPoolUsageLow and
2659	            natv2NotificationPoolUsageHigh."
2660	       ::= { natv2PoolEntry 16 }

2662	   natv2PoolNotifiedPortMapProtocol OBJECT-TYPE
2663	       SYNTAX ProtocolNumber
2664	       MAX-ACCESS accessible-for-notify
2665	       STATUS current
2666	       DESCRIPTION
2667	           "The most-used protocol (i.e., with the largest number of
2668	            port map entries) mapped into this address pool at a given
2669	            instant. One of the objects returned by
2670	            natv2NotificationPoolUsageLow and
2671	            natv2NotificationPoolUsageHigh."
2672	       ::= { natv2PoolEntry 17 }

2674	   natv2PoolNotificationInterval OBJECT-TYPE
2675	       SYNTAX Unsigned32 (1..3600)
2676	       UNITS
2677	           "Seconds"
2678	       MAX-ACCESS read-write
2679	       STATUS current
2680	       DESCRIPTION
2681	           "Minimum number of seconds between successive
2682	            notifications for this address pool. Controls the generation
2683	            of  natv2NotificationPoolUsageLow and
2684	            natv2NotificationPoolUsageHigh."
2685	       DEFVAL
2686	           { 20 }
2687	       ::= { natv2PoolEntry 18 }

2689	   natv2PoolRangeTable OBJECT-TYPE
2690	       SYNTAX SEQUENCE OF Natv2PoolRangeEntry
2691	       MAX-ACCESS not-accessible
2692	       STATUS current
2693	       DESCRIPTION
2694	           "This table contains address ranges used by pool entries.
2695	            It is an expansion of natv2PoolTable."
2696	       REFERENCE
2697	           "RFC yyyy <xref target='poolRangeTable'/>."
2698	       ::= { natv2MIBInstanceObjects 4 }

2700	   natv2PoolRangeEntry OBJECT-TYPE
2701	       SYNTAX Natv2PoolRangeEntry
2702	       MAX-ACCESS not-accessible
2703	       STATUS current
2704	       DESCRIPTION
2705	           "NAT pool address range."
2706	       INDEX {
2707	            natv2PoolRangeInstanceIndex,
2708	            natv2PoolRangePoolIndex,
2709	            natv2PoolRangeRowIndex
2710	       }
2711	       ::= { natv2PoolRangeTable 1 }

2713	   Natv2PoolRangeEntry ::=
2714	       SEQUENCE {
2715	           natv2PoolRangeInstanceIndex    Natv2InstanceIndex,
2716	           natv2PoolRangePoolIndex        Natv2PoolIndex,
2717	           natv2PoolRangeRowIndex         Unsigned32,
2718	           natv2PoolRangeBegin            InetAddress,
2719	           natv2PoolRangeEnd              InetAddress
2720	       }

2722	   natv2PoolRangeInstanceIndex OBJECT-TYPE
2723	       SYNTAX Natv2InstanceIndex
2724	       MAX-ACCESS not-accessible
2725	       STATUS current
2726	       DESCRIPTION
2727	           "Index of the NAT instance on which the address pool and this
2728	            address range are configured. See Natv2InstanceIndex."
2729	       ::= { natv2PoolRangeEntry 1 }

2731	   natv2PoolRangePoolIndex OBJECT-TYPE
2732	       SYNTAX Natv2PoolIndex
2733	       MAX-ACCESS not-accessible
2734	       STATUS current
2735	       DESCRIPTION
2736	           "Index of the address pool to which this address range
2737	            belongs. See Natv2PoolIndex."
2738	       ::= { natv2PoolRangeEntry 2 }

2740	   natv2PoolRangeRowIndex OBJECT-TYPE
2741	       SYNTAX Unsigned32
2742	       MAX-ACCESS not-accessible
2743	       STATUS current
2744	       DESCRIPTION
2745	           "Row index for successive range entries for the same
2746	            address pool."
2747	       ::= { natv2PoolRangeEntry 3 }

2749	   natv2PoolRangeBegin OBJECT-TYPE
2750	       SYNTAX InetAddress
2751	       MAX-ACCESS read-only
2752	       STATUS current
2753	       DESCRIPTION
2754	           "Lowest address included in this range. The type of address
2755	            (IPv4 or IPv6) is given by natv2PoolAddressType
2756	            in natv2PoolTable."
2757	       ::= { natv2PoolRangeEntry 4 }

2759	   natv2PoolRangeEnd OBJECT-TYPE
2760	       SYNTAX InetAddress
2761	       MAX-ACCESS read-only
2762	       STATUS current
2763	       DESCRIPTION
2764	           "Highest address included in this range. The type of address
2765	            (IPv4 or IPv6) is given by natv2PoolAddressType
2766	            in natv2PoolTable."
2767	       ::= { natv2PoolRangeEntry 5 }

2769	   -- indexed mapping tables

2771	   -- Address Map Table. Mapped from internal to external address.

2773	   natv2AddressMapTable OBJECT-TYPE
2774	       SYNTAX SEQUENCE OF Natv2AddressMapEntry
2775	       MAX-ACCESS not-accessible
2776	       STATUS current
2777	       DESCRIPTION
2778	           "Table of mappings from internal to external address. By
2779	            definition, this is a snapshot of NAT instance state at a
2780	            given moment. Indexed by NAT instance, internal realm, and
2781	            internal address in that realm. Provides the mapped external
2782	            address and, depending on implementation support, identifies
2783	            the address pool from which the external address and port
2784	            were taken and the index of the subscriber to which the
2785	            mapping has been allocated.

2787	            In the case of DS-Lite [RFC 6333], the indexing realm and
2788	            address are those of the IPv6 encapsulation rather than the
2789	            IPv4 inner packet."
2790	       REFERENCE
2791	           "RFC yyyy Section 3.3.8. DS-Lite: RFC 6333"
2792	       ::= { natv2MIBInstanceObjects 5 }

2794	   natv2AddressMapEntry OBJECT-TYPE
2795	       SYNTAX Natv2AddressMapEntry
2796	       MAX-ACCESS not-accessible
2797	       STATUS current
2798	       DESCRIPTION
2799	           "Mapping from internal to external address."
2800	       INDEX { natv2AddressMapInstanceIndex,
2801	               natv2AddressMapInternalRealm,
2802	               natv2AddressMapInternalAddressType,
2803	               natv2AddressMapInternalAddress,
2804	               natv2AddressMapRowIndex }
2805	       ::= { natv2AddressMapTable 1 }

2807	   Natv2AddressMapEntry ::=
2808	       SEQUENCE {
2809	           natv2AddressMapInstanceIndex       Natv2InstanceIndex,
2810	           natv2AddressMapInternalRealm       SnmpAdminString,
2811	           natv2AddressMapInternalAddressType  InetAddressType,
2812	           natv2AddressMapInternalAddress      InetAddress,
2813	           natv2AddressMapRowIndex            Unsigned32,
2814	           natv2AddressMapInternalMappedAddressType InetAddressType,
2815	           natv2AddressMapInternalMappedAddress     InetAddress,
2816	           natv2AddressMapExternalRealm       SnmpAdminString,
2817	           natv2AddressMapExternalAddressType InetAddressType,
2818	           natv2AddressMapExternalAddress     InetAddress,
2819	           natv2AddressMapExternalPoolIndex   Natv2PoolIndexOrZero,
2820	           natv2AddressMapSubscriberIndex     Natv2SubscriberIndexOrZero
2821	       }

2823	   natv2AddressMapInstanceIndex OBJECT-TYPE
2824	       SYNTAX Natv2InstanceIndex
2825	       MAX-ACCESS not-accessible
2826	       STATUS current
2827	       DESCRIPTION
2828	           "Index of the NAT instance that generated this address map."
2829	       ::= { natv2AddressMapEntry 1 }

2831	   natv2AddressMapInternalRealm OBJECT-TYPE
2832	       SYNTAX SnmpAdminString (SIZE(0..32))
2833	       MAX-ACCESS not-accessible
2834	       STATUS current
2835	       DESCRIPTION
2836	           "Realm to which the internal address belongs. In most cases
2837	            this is the realm defining the address space of the packet
2838	            being translated. However, in the case of DS-Lite [RFC
2839	            6333], this realm defines the IPv6 outer header address
2840	            space. It is the combination of that outer header and
2841	            the inner IPv4 packet header that is remapped to the
2842	            external address and realm. The corresponding IPv4 realm is
2843	            restricted in scope to the tunnel, so there is no point in
2844	            identifying it. The mapped IPv4 address will normally be the
2845	            well-known value 192.0.0.2, or at least lie in the reserved
2846	            192.0.0.0/29 range.

2848	            If natv2AddressMapSubscriberIndex in this table is a valid
2849	            subscriber index (i.e., greater than zero), then the value
2850	            of natv2AddressMapInternalRealm MUST be identical to the
2851	            value of natv2SubscriberRealm associated with that index."
2852	       REFERENCE
2853	           "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
2854	            Section 6.6 on the need to have the IPv6 tunnel address in
2855	            the NAT mapping tables."
2856	       ::= { natv2AddressMapEntry 2 }

2858	   natv2AddressMapInternalAddressType OBJECT-TYPE
2859	       SYNTAX InetAddressType
2860	       MAX-ACCESS not-accessible
2861	       STATUS current
2862	       DESCRIPTION
2863	           "Address type in the header of packets on the
2864	            interior side of this mapping. Any value other than ipv4(1)
2865	            or ipv6(2) would be unexpected.

2867	            In the DS-Lite case, the address type is ipv6(2)."
2868	       REFERENCE
2869	           "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
2870	            Section 6.6 on the need to have the IPv6 tunnel source
2871	            address in the NAT mapping tables."
2872	       ::= { natv2AddressMapEntry 3 }

2874	   natv2AddressMapInternalAddress OBJECT-TYPE
2875	       SYNTAX InetAddress (SIZE (0..16))
2876	       MAX-ACCESS not-accessible
2877	       STATUS current
2878	       DESCRIPTION
2879	           "Source address of packets originating from the interior
2880	            of the association provided by this mapping. The address
2881	            type is given by natv2AddressMapInternalAddressType.

2883	            In the case of DS-Lite [RFC 6333], this is the IPv6 tunnel
2884	            source address.  The mapping in this case is considered to
2885	            be from the combination of the IPv6 tunnel source address
2886	            natv2AddressMapInternalRealmAddress and the well-known IPv4
2887	            inner source address natv2AddressMapInternalMappedAddress to
2888	            the external address."
2889	       REFERENCE
2890	           "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
2891	            Section 6.6 on the need to have the IPv6 tunnel address in
2892	            the NAT mapping tables."
2893	       ::= { natv2AddressMapEntry 4 }

2895	   natv2AddressMapRowIndex OBJECT-TYPE
2896	       SYNTAX Unsigned32
2897	       MAX-ACCESS not-accessible
2898	       STATUS current
2899	       DESCRIPTION
2900	           "Index of a conceptual row corresponding to a mapping of the
2901	            given internal realm and address to a single external realm
2902	            and address. Multiple rows will be present because of a
2903	            promiscuous external address selection policy, policies
2904	            associating the same internal address with different address
2905	            pools, or because the same internal realm-address
2906	            combination is communicating with multiple external address
2907	            realms."
2908	       ::= { natv2AddressMapEntry 5 }

2910	   natv2AddressMapInternalMappedAddressType OBJECT-TYPE
2911	       SYNTAX InetAddressType
2912	       MAX-ACCESS read-only
2913	       STATUS current
2914	       DESCRIPTION
2915	           "Internal address type actually translated by this mapping.
2916	            Any value other than ipv4(1) or ipv6(2) would be unexpected.
2917	            In the general case, this is the same as given by
2918	            natv2AddressMapInternalRealmAddressType. In the
2919	            tunneled case it is the address type used in the
2920	            encapsulated packet header. In particular, in the DS-Lite
2921	            case, the mapped address type is ipv4(1)."
2922	       REFERENCE
2923	           "DS-Lite: RFC 6333."
2924	       ::= { natv2AddressMapEntry 6 }

2926	   natv2AddressMapInternalMappedAddress OBJECT-TYPE
2927	       SYNTAX InetAddress
2928	       MAX-ACCESS read-only
2929	       STATUS current
2930	       DESCRIPTION
2931	           "Internal address actually translated by this mapping. In the
2932	            general case, this is the same as
2933	            natv2AddressMapInternalRealmAddress. The address type is
2934	            given by natv2AddressMapInternalMappedAddressType. In the
2935	            case of DS-Lite [RFC 6333], this is the source address of
2936	            the encapsulated IPv4 packet, normally lying the well-known
2937	            range 192.0.0.0/29. The mapping in this case is considered
2938	            to be from the combination of the IPv6 tunnel source address
2939	            natv2AddressMapInternalRealmAddress and the well-known IPv4
2940	            inner source address natv2AddressMapInternalMappedAddress to
2941	            the external address."
2942	       REFERENCE
2943	           "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
2944	            Section 6.6 on the need to have the IPv6 tunnel address in
2945	            the NAT mapping tables."
2946	       ::= { natv2AddressMapEntry 7 }

2948	   natv2AddressMapExternalRealm OBJECT-TYPE
2949	       SYNTAX SnmpAdminString (SIZE(0..32))
2950	       MAX-ACCESS read-only
2951	       STATUS current
2952	       DESCRIPTION
2953	           "External address realm to which this mapping maps the
2954	            internal address. This can be the same as the internal realm
2955	            in the case of a 'hairpin' connection, but otherwise will be
2956	            different."
2957	       ::= { natv2AddressMapEntry 8 }

2959	   natv2AddressMapExternalAddressType OBJECT-TYPE
2960	       SYNTAX InetAddressType
2961	       MAX-ACCESS read-only
2962	       STATUS current
2963	       DESCRIPTION
2964	           "Address type for the external realm. Any value other than
2965	            ipv4(1) or ipv6(2) would be unexpected."
2966	       ::= { natv2AddressMapEntry 9 }

2968	   natv2AddressMapExternalAddress OBJECT-TYPE
2969	       SYNTAX InetAddress
2970	       MAX-ACCESS read-only
2971	       STATUS current
2972	       DESCRIPTION
2973	           "External address to which the internal address is mapped.
2974	            The address type is given by
2975	            natv2AddressMapExternalAddressType.

2977	            In the DS-Lite case, the mapping is from the combination of
2978	            the internal IPv6 tunnel source address as presented in this
2979	            table and the well-known IPv4 source address of the
2980	            encapsulated IPv4 packet."
2981	       REFERENCE
2982	           "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
2983	            Section 6.6 on the need to have the IPv6 tunnel address in
2984	            the NAT mapping tables."
2985	       ::= { natv2AddressMapEntry 10 }

2987	   natv2AddressMapExternalPoolIndex OBJECT-TYPE
2988	       SYNTAX Natv2PoolIndexOrZero
2989	       MAX-ACCESS read-only
2990	       STATUS current
2991	       DESCRIPTION
2992	           "Index of the address pool in the external realm from which
2993	            the mapped external address given in
2994	            natv2AddressMapExternalAddress was taken. Zero if the
2995	            implementation does not support address pools but has chosen
2996	            to support this object, or if no pool was configured for the
2997	            given external realm."
2998	       ::= { natv2AddressMapEntry 11 }

3000	   natv2AddressMapSubscriberIndex OBJECT-TYPE
3001	       SYNTAX Natv2SubscriberIndexOrZero
3002	       MAX-ACCESS read-only
3003	       STATUS current
3004	       DESCRIPTION
3005	           "Index of the subscriber to which this address mapping
3006	            applies, or zero if no subscribers are configured on
3007	            this NAT instance."
3008	       ::= { natv2AddressMapEntry 12 }

3010	   -- natv2PortMapTable

3012	   natv2PortMapTable OBJECT-TYPE
3013	       SYNTAX SEQUENCE OF Natv2PortMapEntry
3014	       MAX-ACCESS not-accessible
3015	       STATUS current
3016	       DESCRIPTION
3017	           "Table of port map entries indexed by NAT instance, protocol,
3018	            and external realm and address. A port map entry associates
3019	            an internal upper layer protocol endpoint with an endpoint
3020	            for the same protocol in the given external realm. By
3021	            definition, this is a snapshot of NAT instance state at a
3022	            given moment. The table provides the basic mapping
3023	            information.

3025	            In the case of DS-Lite [RFC 6333], the table provides the
3026	            internal IPv6 tunnel source address in
3027	            natv2PortMapInternalRealmAddress and the IPv4 source address
3028	            of the encapsulated packet that is actually translated in
3029	            natv2PortMapInternalMappedAddress. In the general (non-DS-
3030	            Lite) case, those two objects will have the same value."
3031	       REFERENCE
3032	           "RFC yyyy Section 3.3.9. DS-Lite: RFC 6333, Section 5.7 for
3033	            well-known addresses and Section 6.6 on the need to have the
3034	            IPv6 tunnel address in the NAT mapping tables."
3035	       ::= { natv2MIBInstanceObjects 6 }

3037	   natv2PortMapEntry OBJECT-TYPE
3038	       SYNTAX Natv2PortMapEntry
3039	       MAX-ACCESS not-accessible
3040	       STATUS current
3041	       DESCRIPTION
3042	           "A single NAT mapping."
3043	       INDEX { natv2PortMapInstanceIndex,
3044	               natv2PortMapProtocol,
3045	               natv2PortMapExternalRealm,
3046	               natv2PortMapExternalAddressType,
3047	               natv2PortMapExternalAddress,
3048	               natv2PortMapExternalPort }
3049	       ::= { natv2PortMapTable 1 }

3051	   Natv2PortMapEntry ::=
3052	       SEQUENCE {
3053	           natv2PortMapInstanceIndex        Natv2InstanceIndex,
3054	           natv2PortMapProtocol             ProtocolNumber,
3055	           natv2PortMapExternalRealm        SnmpAdminString,
3056	           natv2PortMapExternalAddressType  InetAddressType,
3057	           natv2PortMapExternalAddress      InetAddress,
3058	           natv2PortMapExternalPort         InetPortNumber,
3059	           natv2PortMapInternalRealm        SnmpAdminString,
3060	           natv2PortMapInternalAddressType  InetAddressType,
3061	           natv2PortMapInternalAddress      InetAddress,
3062	           natv2PortMapInternalMappedAddressType InetAddressType,
3063	           natv2PortMapInternalMappedAddress     InetAddress,
3064	           natv2PortMapInternalPort         InetPortNumber,
3065	           natv2PortMapExternalPoolIndex    Natv2PoolIndexOrZero,
3066	           natv2PortMapSubscriberIndex      Natv2SubscriberIndexOrZero
3067	       }

3069	   natv2PortMapInstanceIndex OBJECT-TYPE
3070	       SYNTAX Natv2InstanceIndex
3071	       MAX-ACCESS not-accessible
3072	       STATUS current
3073	       DESCRIPTION
3074	           "Index of the NAT instance that created this port map entry."
3075	       ::= { natv2PortMapEntry 1 }

3077	   natv2PortMapProtocol OBJECT-TYPE
3078	       SYNTAX ProtocolNumber
3079	       MAX-ACCESS not-accessible
3080	       STATUS current
3081	       DESCRIPTION
3082	           "The map entry's upper layer protocol number."
3083	       ::= { natv2PortMapEntry 2 }

3085	   natv2PortMapExternalRealm OBJECT-TYPE
3086	       SYNTAX SnmpAdminString (SIZE(0..32))
3087	       MAX-ACCESS not-accessible
3088	       STATUS current
3089	       DESCRIPTION
3090	           "The realm to which natv2PortMapExternalAddress belongs."
3091	       ::= { natv2PortMapEntry 3 }

3093	   natv2PortMapExternalAddressType OBJECT-TYPE
3094	       SYNTAX InetAddressType
3095	       MAX-ACCESS not-accessible
3096	       STATUS current
3097	       DESCRIPTION
3098	           "Address type for the external realm. A value other
3099	            than ipv4(1) or ipv6(2) would be unexpected."
3100	       ::= { natv2PortMapEntry 4 }

3102	   natv2PortMapExternalAddress OBJECT-TYPE
3103	       SYNTAX InetAddress (SIZE (0..16))
3104	       MAX-ACCESS not-accessible
3105	       STATUS current
3106	       DESCRIPTION
3107	           "The mapping's assigned external address. (This address is
3108	            taken from the address pool identified by
3109	            natv2PortMapExternalPoolIndex, if the implementation
3110	            supports address pools and pools are configured for the
3111	            given external realm.) This is the source address for
3112	            translated outgoing packets. The address type is given
3113	            by natv2PortMapExternalAddressType."

3115	       ::= { natv2PortMapEntry 5 }

3117	   natv2PortMapExternalPort OBJECT-TYPE
3118	       SYNTAX InetPortNumber
3119	       MAX-ACCESS not-accessible
3120	       STATUS current
3121	       DESCRIPTION
3122	           "The mapping's assigned external port number. This is the
3123	            source port for translated outgoing packets. If the internal
3124	            port number given by natv2PortMapInternalPort is zero this
3125	            value MUST also be zero. Otherwise this MUST be a non-zero
3126	            value."
3127	       ::= { natv2PortMapEntry 6 }

3129	   natv2PortMapInternalRealm OBJECT-TYPE
3130	       SYNTAX SnmpAdminString (SIZE(0..32))
3131	       MAX-ACCESS read-only
3132	       STATUS current
3133	       DESCRIPTION
3134	           "The realm to which natv2PortMapInternalRealmAddress belongs.
3135	            In the general case, this realm contains the address that is
3136	            being translated. In the DS-Lite [RFC 6333] case, this realm
3137	            defines the IPv6 address space from which the tunnel source
3138	            address is taken. The realm of the encapsulated IPv4 address
3139	            is restricted in scope to the tunnel, so there is no point
3140	            in identifying it separately."
3141	       REFERENCE
3142	           "RFC 6333 DS-Lite."
3143	       ::= { natv2PortMapEntry 7 }

3145	   natv2PortMapInternalAddressType OBJECT-TYPE
3146	       SYNTAX InetAddressType
3147	       MAX-ACCESS read-only
3148	       STATUS current
3149	       DESCRIPTION
3150	           "Address type for addresses in the realm identified by
3151	            natv2PortMapInternalRealm."
3152	       ::= { natv2PortMapEntry 8 }

3154	   natv2PortMapInternalAddress OBJECT-TYPE
3155	       SYNTAX InetAddress
3156	       MAX-ACCESS read-only
3157	       STATUS current
3158	       DESCRIPTION
3159	           "Source address for packets received under this mapping on
3160	            the internal side of the NAT instance. In the general case
3161	            this address is the same as the address given in
3162	            natv2PortMapInternalMappedAddress. In the DS-Lite case,
3163	            natv2PortMapInternalAddress is the IPv6 tunnel source
3164	            address. The address type is given
3165	            by natv2PortMapInternalAddressType."
3166	       REFERENCE
3167	           "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
3168	            Section 6.6 on the need to have the IPv6 tunnel address in
3169	            the NAT mapping tables."
3170	       ::= { natv2PortMapEntry 9 }

3172	   natv2PortMapInternalMappedAddressType OBJECT-TYPE
3173	       SYNTAX InetAddressType
3174	       MAX-ACCESS read-only
3175	       STATUS current
3176	       DESCRIPTION
3177	           "Internal address type actually translated by this mapping.
3178	            Any value other than ipv4(1) or ipv6(2) would be unexpected.
3179	            In the general case, this is the same as given by
3180	            natv2AddressMapInternalAddressType. In the DS-Lite
3181	            case, the address type is ipv4(1)."
3182	       REFERENCE
3183	           "DS-Lite: RFC 6333."
3184	      ::= { natv2PortMapEntry 10 }

3186	   natv2PortMapInternalMappedAddress OBJECT-TYPE
3187	       SYNTAX InetAddress
3188	       MAX-ACCESS read-only
3189	       STATUS current
3190	       DESCRIPTION
3191	           "Internal address actually translated by this mapping. In the
3192	            general case, this is the same as
3193	            natv2PortMapInternalRealmAddress.  The address type is given
3194	            by natv2PortMapInternalMappedAddressType.

3196	            In the case of DS-Lite [RFC 6333], this is the source
3197	            address of the encapsulated IPv4 packet, normally selected
3198	            from the well-known range 192.0.0.0/29. The mapping in this
3199	            case is considered to be from the external address to the
3200	            combination of the IPv6 tunnel source address
3201	            natv2PortMapInternalRealmAddress and the well-known IPv4
3202	            inner source address natv2PortMapInternalMappedAddress."
3203	       REFERENCE
3204	           "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
3205	            Section 6.6 on the need to have the IPv6 tunnel address in
3206	            the NAT mapping tables."
3207	       ::= { natv2PortMapEntry 11 }

3209	   natv2PortMapInternalPort OBJECT-TYPE
3210	       SYNTAX InetPortNumber
3211	       MAX-ACCESS read-only
3212	       STATUS current
3213	       DESCRIPTION
3214	           "The mapping's internal port number. If this is zero, ports
3215	            are not translated (i.e., the NAT instance is a pure NAT
3216	            rather than a NAPT)."
3217	       ::= { natv2PortMapEntry 12 }

3219	   natv2PortMapExternalPoolIndex OBJECT-TYPE
3220	       SYNTAX Natv2PoolIndexOrZero
3221	       MAX-ACCESS read-only
3222	       STATUS current
3223	       DESCRIPTION
3224	           "Identifies the address pool from which the external address
3225	            in this port map entry was taken. Zero if the implementation
3226	            does not support address pools but has chosen to support
3227	            this object, or if no pools are configured for the given
3228	            external realm."
3229	       ::= { natv2PortMapEntry 13 }

3231	   natv2PortMapSubscriberIndex OBJECT-TYPE
3232	       SYNTAX Natv2SubscriberIndexOrZero
3233	       MAX-ACCESS read-only
3234	       STATUS current
3235	       DESCRIPTION
3236	           "Subscriber using this map entry. Zero if the implementation
3237	            does not support subscribers but has chosen to support
3238	            this object."
3239	       ::= { natv2PortMapEntry 14 }

3241	   -- Conformance section. Specifies three cumulatively more extensive
3242	   -- applications: basic NAT, pooled NAT, and carrier grade NAT

3244	   natv2MIBConformance OBJECT IDENTIFIER ::= { natv2MIB 3 }

3246	   natv2MIBCompliances OBJECT IDENTIFIER ::= { natv2MIBConformance 1 }
3247	   natv2MIBGroups      OBJECT IDENTIFIER ::= { natv2MIBConformance 2 }
3248	   natv2MIBBasicCompliance MODULE-COMPLIANCE
3249	       STATUS current
3250	       DESCRIPTION
3251	           "Describes the requirements for conformance to the basic NAT
3252	            application of NATv2 MIB."
3253	       MODULE  -- this module
3254	           MANDATORY-GROUPS { natv2BasicNotificationGroup,
3255	                              natv2BasicInstanceLevelGroup
3256	                            }
3257	           GROUP  natv2BasicNotificationGroup
3258	           DESCRIPTION
3259	               "The natv2BasicNotificationGroup is mandatory for all
3260	                NAT applications."
3261	           GROUP  natv2BasicInstanceLevelGroup
3262	           DESCRIPTION
3263	               "The natv2BasicInstanceLevelGroup is mandatory for all
3264	                NAT applications."
3265	       ::= { natv2MIBCompliances 1 }

3267	   natv2MIBPooledNATCompliance MODULE-COMPLIANCE
3268	       STATUS current
3269	       DESCRIPTION
3270	           "Describes the requirements for conformance to the pooled NAT
3271	            application of NATv2-MIB."
3272	       MODULE  -- this module
3273	           MANDATORY-GROUPS { natv2BasicNotificationGroup,
3274	                              natv2BasicInstanceLevelGroup,
3275	                              natv2PooledNotificationGroup,
3276	                              natv2PooledInstanceLevelGroup
3277	                            }
3278	           GROUP  natv2BasicNotificationGroup
3279	           DESCRIPTION
3280	               "The natv2BasicNotificationGroup is mandatory for all
3281	                NAT applications."
3282	           GROUP  natv2BasicInstanceLevelGroup
3283	           DESCRIPTION
3284	               "The natv2BasicInstanceLevelGroup is mandatory for all
3285	                NAT applications."
3286	           GROUP  natv2PooledNotificationGroup
3287	           DESCRIPTION
3288	               "The natv2PooledNotificationGroup is mandatory for
3289	                the pooled and CGN applications."
3290	           GROUP  natv2PooledInstanceLevelGroup
3291	           DESCRIPTION
3292	               "The natv2PooledInstanceLevelGroup is mandatory for
3293	                the pooled and CGN applications."
3294	       ::= { natv2MIBCompliances 2 }

3296	   natv2MIBCGNCompliance MODULE-COMPLIANCE
3297	       STATUS current
3298	       DESCRIPTION
3299	           "Describes the requirements for conformance to the
3300	            carrier grade NAT application of NATv2-MIB."
3301	       MODULE  -- this module
3302	           MANDATORY-GROUPS { natv2BasicNotificationGroup,
3303	                              natv2BasicInstanceLevelGroup,
3304	                              natv2PooledNotificationGroup,
3305	                              natv2PooledInstanceLevelGroup,
3306	                              natv2CGNNotificationGroup,
3307	                              natv2CGNDeviceLevelGroup,
3308	                              natv2CGNInstanceLevelGroup
3309	                            }
3310	           GROUP  natv2BasicNotificationGroup
3311	           DESCRIPTION
3312	               "The natv2BasicNotificationGroup is mandatory for all
3313	                NAT applications."
3314	           GROUP  natv2BasicInstanceLevelGroup
3315	           DESCRIPTION
3316	               "The natv2BasicInstanceLevelGroup is mandatory for all
3317	                NAT applications."
3318	           GROUP  natv2PooledNotificationGroup
3319	           DESCRIPTION
3320	               "The natv2PooledNotificationGroup is mandatory for
3321	                the pooled and CGN applications."
3322	           GROUP  natv2PooledInstanceLevelGroup
3323	           DESCRIPTION
3324	               "The natv2PooledInstanceLevelGroup is mandatory for
3325	                the pooled and CGN applications."
3326	           GROUP  natv2CGNNotificationGroup
3327	           DESCRIPTION
3328	               "The natv2CGNNotificationGroup is mandatory
3329	                for the carrier grade NAT application."
3330	           GROUP  natv2CGNDeviceLevelGroup
3331	           DESCRIPTION
3332	               "The natv2CGNDeviceLevelGroup is mandatory
3333	                for the carrier grade NAT application."
3334	           GROUP  natv2CGNInstanceLevelGroup
3335	           DESCRIPTION
3336	               "The natv2CGNInstanceLevelGroup is mandatory
3337	                for the carrier grade NAT application."
3338	       ::= { natv2MIBCompliances 3 }

3340	   -- Groups

3342	   natv2BasicNotificationGroup NOTIFICATION-GROUP
3343	       NOTIFICATIONS {
3344	            natv2NotificationInstanceAddressMapEntriesHigh,
3345	            natv2NotificationInstancePortMapEntriesHigh
3346	       }
3347	       STATUS  current
3348	       DESCRIPTION
3349	           "Notifications that MUST be supported by all NAT
3350	            applications."
3351	       ::= { natv2MIBGroups 1 }

3353	   natv2BasicInstanceLevelGroup OBJECT-GROUP
3354	       OBJECTS {
3355	   -- from natv2InstanceTable
3356	                 natv2InstanceAlias,
3357	                 natv2InstancePortMappingBehavior,
3358	                 natv2InstanceFilteringBehavior,
3359	                 natv2InstanceFragmentBehavior,
3360	                 natv2InstanceAddressMapEntries,
3361	                 natv2InstancePortMapEntries,
3362	                 natv2InstanceTranslations,
3363	                 natv2InstanceAddressMapCreations,
3364	                 natv2InstanceAddressMapEntryLimitDrops,
3365	                 natv2InstanceAddressMapFailureDrops,
3366	                 natv2InstancePortMapCreations,
3367	                 natv2InstancePortMapEntryLimitDrops,
3368	                 natv2InstancePortMapFailureDrops,
3369	                 natv2InstanceFragmentDrops,
3370	                 natv2InstanceOtherResourceFailureDrops,
3371	                 natv2InstanceDiscontinuityTime,
3372	                 natv2InstanceThresholdAddressMapEntriesHigh,
3373	                 natv2InstanceThresholdPortMapEntriesHigh,
3374	                 natv2InstanceNotificationInterval,
3375	                 natv2InstanceLimitAddressMapEntries,
3376	                 natv2InstanceLimitPortMapEntries,
3377	                 natv2InstanceLimitPendingFragments,
3378	   -- from natv2ProtocolTable
3379	                 natv2ProtocolPortMapEntries,
3380	                 natv2ProtocolTranslations,
3381	                 natv2ProtocolPortMapCreations,
3382	                 natv2ProtocolPortMapFailureDrops,
3383	   -- from natv2AddressMapTable
3384	                 natv2AddressMapExternalRealm,
3385	                 natv2AddressMapExternalAddressType,
3386	                 natv2AddressMapExternalAddress,
3387	   -- from natv2PortMapTable
3388	                 natv2PortMapInternalRealm,
3389	                 natv2PortMapInternalAddressType,
3390	                 natv2PortMapInternalAddress,
3391	                 natv2PortMapInternalPort
3392	               }
3393	       STATUS current
3394	       DESCRIPTION
3395	           "Per-instance objects that MUST be supported by
3396	            implementations of all NAT applications."
3397	       ::= { natv2MIBGroups 2 }

3399	   natv2PooledNotificationGroup NOTIFICATION-GROUP
3400	       NOTIFICATIONS {
3401	            natv2NotificationPoolUsageLow,
3402	            natv2NotificationPoolUsageHigh
3403	                     }
3404	       STATUS  current
3405	       DESCRIPTION
3406	           "Notifications that MUST be supported by pooled and
3407	            carrier-grade NAT applications."
3408	       ::= { natv2MIBGroups 3 }

3410	   natv2PooledInstanceLevelGroup OBJECT-GROUP
3411	       OBJECTS {
3412	   -- from natv2InstanceTable
3413	                       natv2InstancePoolingBehavior,
3414	   -- from natv2PoolTable
3415	                       natv2PoolRealm,
3416	                       natv2PoolAddressType,
3417	                       natv2PoolMinimumPort,
3418	                       natv2PoolMaximumPort,
3419	                       natv2PoolAddressMapEntries,
3420	                       natv2PoolPortMapEntries,
3421	                       natv2PoolAddressMapCreations,
3422	                       natv2PoolPortMapCreations,
3423	                       natv2PoolAddressMapFailureDrops,
3424	                       natv2PoolPortMapFailureDrops,
3425	                       natv2PoolDiscontinuityTime,
3426	                       natv2PoolThresholdUsageLow,
3427	                       natv2PoolThresholdUsageHigh,
3428	                       natv2PoolNotifiedPortMapEntries,
3429	                       natv2PoolNotifiedPortMapProtocol,
3430	                       natv2PoolNotificationInterval,
3431	   -- from natv2PoolRangeTable
3432	                       natv2PoolRangeBegin,
3433	                       natv2PoolRangeEnd,
3434	   -- from natv2AddressMapTable
3435	                       natv2AddressMapExternalPoolIndex,
3436	   -- from natv2PortMapTable
3437	                       natv2PortMapExternalPoolIndex
3438	               }

3440	       STATUS current
3441	       DESCRIPTION
3442	           "Per-instance objects that MUST be supported by
3443	            implementations of the pooled and carrier grade
3444	            NAT applications."
3445	       ::= { natv2MIBGroups 4 }

3447	   natv2CGNNotificationGroup NOTIFICATION-GROUP
3448	       NOTIFICATIONS {
3449	            natv2NotificationSubscriberPortMappingEntriesHigh
3450	       }
3451	       STATUS  current
3452	       DESCRIPTION
3453	           "Notification that MUST be supported by implementations
3454	            of the carrier grade NAT application."
3455	       ::= { natv2MIBGroups 5 }

3457	   natv2CGNDeviceLevelGroup OBJECT-GROUP
3458	       OBJECTS {
3459	   -- from table natv2SubscriberTable
3460	                 natv2SubscriberInternalRealm,
3461	                 natv2SubscriberInternalPrefixType,
3462	                 natv2SubscriberInternalPrefix,
3463	                 natv2SubscriberInternalPrefixLength,
3464	                 natv2SubscriberAddressMapEntries,
3465	                 natv2SubscriberPortMapEntries,
3466	                 natv2SubscriberTranslations,
3467	                 natv2SubscriberAddressMapCreations,
3468	                 natv2SubscriberPortMapCreations,
3469	                 natv2SubscriberAddressMapFailureDrops,
3470	                 natv2SubscriberPortMapFailureDrops,
3471	                 natv2SubscriberDiscontinuityTime,
3472	                 natv2SubscriberLimitPortMapEntries,
3473	                 natv2SubscriberThresholdPortMapEntriesHigh,
3474	                 natv2SubscriberNotificationInterval
3475	               }
3476	       STATUS current
3477	       DESCRIPTION
3478	           "Device-level objects that MUST be supported by the
3479	            carrier-grade NAT application."
3480	       ::= { natv2MIBGroups 6 }

3482	   natv2CGNInstanceLevelGroup OBJECT-GROUP
3483	       OBJECTS {
3484	      -- from natv2InstanceTable
3485	                 natv2InstanceSubscriberActiveLimitDrops,
3486	                 natv2InstanceLimitSubscriberActives,
3487	      -- from natv2AddressMapTable
3488	                 natv2AddressMapInternalMappedAddressType,
3489	                 natv2AddressMapInternalMappedAddress,
3490	                 natv2AddressMapSubscriberIndex,
3491	      -- from natv2PortMapTable
3492	                 natv2PortMapInternalMappedAddressType,
3493	                 natv2PortMapInternalMappedAddress,
3494	                 natv2PortMapSubscriberIndex
3495	               }
3496	       STATUS current
3497	       DESCRIPTION
3498	           "Per-instance objects that MUST be supported by the
3499	            carrier grade NAT application."
3500	       ::= { natv2MIBGroups 7 }

3502	   END

3504	5.  Operational and Management Considerations

3506	   This section covers two particular areas of operations and
3507	   management: configuration requirements, and transition from or
3508	   coexistence with the [RFC4008] MIB module.

3510	5.1.  Configuration Requirements

3512	   This MIB module assumes that the following information is configured
3513	   on the NAT device by means outside the scope of the present document
3514	   or is imposed by the implementation:

3516	   o  the set of address realms to which the device connects;

3518	   o  For the CGN application, per-subscriber information including
3519	      subscriber index, address realm, assigned prefix or address, and
3520	      (possibly) policies regarding address pool selection in the
3521	      various possible address realms to which the subscriber may
3522	      connect.  In the particular case of DS-Lite [RFC6333] access, as
3523	      well as the assigned outer layer (IPv6) prefix or address, the
3524	      subscriber information will include an inner (IPv4) source
3525	      address, usually 192.0.0.2.

3527	   o  the set of NAT instances running on the device, identified by NAT
3528	      instance index and name;

3530	   o  the port mapping, filtering, pooling, and fragment behavior for
3531	      each NAT instance;

3533	   o  the set of protocols supported by each NAT instance;
3534	   o  for the pooled NAT and CGN applications, address pool information
3535	      for each NAT instance, including for each pool the pool index,
3536	      address realm, address type, minimum and maximum port number, the
3537	      address ranges assigned to that pool, and policies for access to
3538	      that pool's resources;

3540	   o  static address and port map entries.

3542	   As described in previous sections, this MIB module does provide read-
3543	   write objects for control of notifications (see especially
3544	   Section 3.1.2) and limiting of resource consumption (Section 3.1.1).
3545	   This document is written in advance of any practical experience with
3546	   the setting of these values, and can thus provide only general
3547	   principles for how to set them.

3549	   By default, the MIB module definition disables notifications until
3550	   they are explicitly enabled by the operator, using the associated
3551	   threshold value to do so.  To make use of the notifications, the
3552	   operator may wish to take the following considerations into account.

3554	   Except for the low address pool utilization notification, the
3555	   notifications imply that some sort of administrative action is
3556	   required to mitigate an impending shortage of a particular resource.
3557	   The choice of value for the triggering threshold needs to take two
3558	   factors into account: the volatility of usage of the given resource,
3559	   and the amount of time the operator needs to mitigate the potential
3560	   overload situation.  That time could vary from almost immediate to
3561	   several weeks required to order and install new hardware or software.

3563	   To give a numeric example, if average utilization is going up 1% per
3564	   week but can vary 10% around that average in any given hour, and it
3565	   takes two weeks to carry through mitigating measures, the threshold
3566	   should be set to 88% of the corresponding limit (two weeks' growth
3567	   plus 10% volatility margin).  If mitigating measures can be carried
3568	   out immediately, this can rise to 90%. For this particular example
3569	   that change is insignificant, but in other cases the difference may
3570	   be large enough to matter in terms of reduced load on the management
3571	   plane.

3573	   The notification rate limit settings really depend on the operator's
3574	   processes, but are a tradeoff between reliably reporting the notified
3575	   condition and not having it overload the management plane.
3576	   Reliability rises in importance with the importance of the resource
3577	   involved.  Thus the default notification intervals defined in this
3578	   MIB module range from 10 seconds (high reliability) for the address
3579	   and port map entry thresholds up to 60 seconds (lower reliability)
3580	   for the per-subscriber port entry thresholds.  Experience may suggest
3581	   better values.

3583	   The limits on number of instance-level address map and port map
3584	   entries and held fragments relate directly to memory allocations for
3585	   these tables.  The relationship between number of map entries or
3586	   number of held fragments and memory required will be implementation-
3587	   specific.  Hence it is up to the implementor to provide specific
3588	   advice on the setting of these limits.

3590	   The limit on simultaneous number of active subscribers is indirectly
3591	   related to memory consumption for map entries, but also to processor
3592	   usage by the NAT instance.  The best strategy for setting this limit
3593	   would seem to be to leave it disabled during an initial period while
3594	   observing device processor utilization, then to implement a trial
3595	   setting while observing the number of blocked packets affected by the
3596	   new limit.  The setting may vary by NAT instance if a suitable
3597	   estimator of likely load (e.g., total number of hosts served by that
3598	   instance) is available.

3600	5.2.  Transition From and Coexistence With NAT-MIB [RFC 4008]

3602	   A manager may have to deal with a mixture of devices supporting the
3603	   NAT-MIB module [RFC4008] and the NATV2-MIB module defined in the
3604	   present document.  It is even possible that both modules are
3605	   supported on the same device.  The following discussion brings out
3606	   the limits of comparability between the two MIB modules.  A first
3607	   point to note is that NAT-MIB is primarily focussed on configuration,
3608	   while NATV2-MIB is primarily focussed on measurements.

3610	   To summarize the model used by [RFC4008]:

3612	   o  The basic unit of NAT configuration is the interface.

3614	   o  An interface connects to a single realm, either "private", or
3615	      "public".  In principle that means there could be multiple
3616	      instances of one type of realm or the other, but the number is
3617	      physically limited by the number of interfaces on the NAT device.

3619	   o  Before the NAT can operate on a given interface, an "address map"
3620	      has to be configured on it.  The [RFC4008] address map is
3621	      equivalent to the pool tables in the present document.  Since just
3622	      one "address map" is configured per interface, this is the
3623	      equivalent of a single address pool per interface.

3625	   o  The address binding and port binding tables are roughly equivalent
3626	      to the address map and port map tables in the present document in
3627	      their content, but can be either uni- directional or
3628	      bidirectional.  The [RFC4008] model shows the address binding and
3629	      port binding as alternative precursors to session establishment,
3630	      depending on whether the device does address translation only or
3631	      address and port translation.  In contrast, NATV2-MIB assumes a
3632	      model where bidirectional port mappings are based on bidirectional
3633	      address mappings that have conceptually been established
3634	      beforehand.

3636	   o  The equivalent to an [RFC4008] session in NATV2-MIB would be a
3637	      pair of port map entries.  The added complexity in [RFC4008] is
3638	      due to the modelling of NAT service types as defined in [RFC3489]
3639	      (the symmetric NAT in particular) instead of the more granular set
3640	      of behaviors described in [RFC4787].

3642	   With regard to that last point, the mapping between [RFC3489] service
3643	   types and [RFC4787] NAT behaviours is as follows:

3645	   o  A full cone NAT exhibits endpoint-independent port mapping
3646	      behavior and endpoint-independent filtering behavior.

3648	   o  A restricted cone NAT exhibits endpoint-independent port mapping
3649	      behavior, but address-dependent filtering behavior.

3651	   o  A port restricted cone NAT exhibits endpoint-independent port
3652	      mapping behavior, but address-and-port-dependent filtering
3653	      behavior.

3655	   o  A symmetric NAT exhibits address-and-port-dependent port mapping
3656	      and filtering behaviors.

3658	   Note that these NAT types are a subset of the types that could be
3659	   configured according to the [RFC4787] behavioral classification used
3660	   in NATV2-MIB, but they include the two possibilities (full and
3661	   restricted cone NAT) that satisfy requirements REQ-1 and REQ-8 of
3662	   [RFC4787].  Note further that other behaviors defined in [RFC4787]
3663	   are not considered in [RFC4008].

3665	   Having established a context for discussion, we are now in a position
3666	   to compare the outputs provided to management from the [RFC4008] and
3667	   NATV2-MIB modules.  This comparison relates to the ability to compare
3668	   results if testing with both MIBs implemented on the same device
3669	   during a transition period.

3671	   [RFC4008] provides three counters: incoming translations, outgoing
3672	   translations, and discarded packets, at the granularities of
3673	   interface, address map, and protocol, and incoming and outgoing
3674	   translations at the levels of individual address bind, address port
3675	   bind, and session entries.  Implementation at the protocol and
3676	   address map levels is optional.  NATV2-MIB provides a single total
3677	   (both directions) translations counter at the instance, protocol
3678	   within instance, and subscriber levels.  Given the differences in
3679	   granularity, it appears that the only comparable measurement of
3680	   translations between the two MIB modules would be through aggregation
3681	   of the [RFC4008] interface counters to give a total number of
3682	   translations for the NAT instance.

3684	   NATV2-MIB has broken out the single discard counter into a number of
3685	   different counters reflecting the cause of the discard in more
3686	   detail, to help in trouble-shooting.  Again, with the differing
3687	   levels of granularity, the only comparable statistic would be through
3688	   aggregation to a single value of total discards per NAT instance.

3690	   Moving on to state variables, [RFC4008] offers counts of number of
3691	   "address map" (i.e., address pool) entries used (excluding static
3692	   entries) at the address map level, and number of entries in the
3693	   address bind and address and port bind tables respectively.  Finally,
3694	   [RFC4008] provides a count of the number of sessions currently using
3695	   each entry in the address and port bind table.  None of these counts
3696	   are directly comparable with the state values offered by NATV2-MIB,
3697	   because of the exclusion of static entries at the address map level,
3698	   and because of the differing models of the translation tables between
3699	   [RFC4008] and the NATV2=MIB.

3701	6.  Security Considerations

3703	   There are a number of management objects defined in this MIB module
3704	   with a MAX-ACCESS clause of read-write and/or read-create.  Such
3705	   objects may be considered sensitive or vulnerable in some network
3706	   environments.  The support for SET operations in a non-secure
3707	   environment without proper protection opens devices to attack.  These
3708	   are the tables and objects and their sensitivity/vulnerability:

3710	   Limits:  An attacker setting a very low or very high limit can easily
3711	      cause a denial-of-service situation.

3713	      *  natv2InstanceLimitAddressMapEntries;

3715	      *  natv2InstanceLimitPortMapEntries;

3717	      *  natv2InstanceLimitPendingFragments;

3719	      *  natv2InstanceLimitSubscriberActives;

3721	      *  natv2SubscriberLimitPortMapEntries.

3723	   Notification thresholds:  An attacker setting an arbitrarily low
3724	      threshold can cause many useless notifications to be generated
3725	      (subject to the notification interval).  Setting an arbitrarily
3726	      high threshold can effectively disable notifications, which could
3727	      be used to hide another attack.

3729	      *  natv2InstanceThresholdAddressMapEntriesHigh;

3731	      *  natv2InstanceThresholdPortMapEntriesHigh;

3733	      *  natv2PoolThresholdUsageLow;

3735	      *  natv2PoolThresholdUsageHigh;

3737	      *  natv2SubscriberThresholdPortMapEntriesHigh.

3739	   Notification intervals:  An attacker setting a low notification
3740	      interval in combination with a low threshold value can cause many
3741	      useless notifications to be generated.

3743	      *  natv2InstanceNotificationInterval;

3745	      *  natv2PoolNotificationInterval;

3747	      *  natv2SubscriberNotificationInterval.

3749	   Some of the readable objects in this MIB module (i.e., objects with a
3750	   MAX-ACCESS other than not-accessible) may be considered sensitive or
3751	   vulnerable in some network environments.  It is thus important to
3752	   control even GET and/or NOTIFY access to these objects and possibly
3753	   to even encrypt the values of these objects when sending them over
3754	   the network via SNMP.  These are the tables and objects and their
3755	   sensitivity/vulnerability:

3757	   Objects that reveal host identities:  Various objects can reveal the
3758	      identity of private hosts that are engaged in a session with
3759	      external end nodes.  A curious outsider could monitor these to
3760	      assess the number of private hosts being supported by the NAT
3761	      device.  Further, a disgruntled former employee of an enterprise
3762	      could use the information to break into specific private hosts by
3763	      intercepting the existing sessions or originating new sessions
3764	      into the host.  If nothing else, unauthorized monitoring of these
3765	      objects will violate individual subscribers' privacy.

3767	      *  entries in the natv2SubscriberTable;

3769	      *  entries in the natv2AddressMapTable;

3771	      *  entries in the natv2PortMapTable.

3773	   Other objects that reveal NAT state:  Other managed objects in this
3774	      MIB may contain information that may be sensitive from a business
3775	      perspective, in that they may represent NAT capabilities, business
3776	      policies, and state information.

3778	      *  natv2SubscriberLimitPortMapEntries;

3780	      *  natv2InstancePortMappingBehavior;

3782	      *  natv2InstanceFilteringBehavior;

3784	      *  natv2InstancePoolingBehavior;

3786	      *  natv2InstanceFragmentBehavior;

3788	      *  natv2InstanceAddressMapEntries;

3790	      *  natv2InstancePortMapEntries.

3792	   There are no objects that are sensitive in their own right, such as
3793	   passwords or monetary amounts.

3795	   SNMP versions prior to SNMPv3 did not include adequate security.
3796	   Even if the network itself is secure (for example by using IPsec),
3797	   there is no control as to who on the secure network is allowed to
3798	   access and GET/SET (read/change/create/delete) the objects in this
3799	   MIB module.

3801	   Implementations SHOULD provide the security features described by the
3802	   SNMPv3 framework (see [RFC3410]), and implementations claiming
3803	   compliance to the SNMPv3 standard MUST include full support for
3804	   authentication and privacy via the User-based Security Model (USM)
3805	   [RFC3414] with the AES cipher algorithm [RFC3826].  Implementations
3806	   MAY also provide support for the Transport Security Model (TSM)
3807	   [RFC5591] in combination with a secure transport such as SSH
3808	   [RFC5592] or TLS/DTLS [RFC6353].

3810	   Further, deployment of SNMP versions prior to SNMPv3 is NOT
3811	   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
3812	   enable cryptographic security.  It is then a customer/operator
3813	   responsibility to ensure that the SNMP entity giving access to an
3814	   instance of this MIB module is properly configured to give access to
3815	   the objects only to those principals (users) that have legitimate
3816	   rights to indeed GET or SET (change/create/delete) them.

3818	7.  IANA Considerations

3820	   IANA is requested to assign an object identifier to the natv2MIB
3821	   module, with prefix iso.org.dod.internet.mgmt.mib-2 in the Network
3822	   Management Parameters registry [SMI-NUMBERS].

3824	8.  References

3826	8.1.  Normative References

3828	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
3829	              Requirement Levels", BCP 14, RFC 2119, March 1997.

3831	   [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
3832	              Schoenwaelder, Ed., "Structure of Management Information
3833	              Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

3835	   [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
3836	              Schoenwaelder, Ed., "Textual Conventions for SMIv2", STD
3837	              58, RFC 2579, April 1999.

3839	   [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
3840	              "Conformance Statements for SMIv2", STD 58, RFC 2580,
3841	              April 1999.

3843	   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
3844	              Architecture for Describing Simple Network Management
3845	              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
3846	              December 2002.

3848	   [RFC3414]  Blumenthal, U. and B. Wijnen, "User-based Security Model
3849	              (USM) for version 3 of the Simple Network Management
3850	              Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.

3852	   [RFC3826]  Blumenthal, U., Maino, F., and K. McCloghrie, "The
3853	              Advanced Encryption Standard (AES) Cipher Algorithm in the
3854	              SNMP User-based Security Model", RFC 3826, June 2004.

3856	   [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
3857	              Schoenwaelder, "Textual Conventions for Internet Network
3858	              Addresses", RFC 4001, February 2005.

3860	   [RFC4787]  Audet, F. and C. Jennings, "Network Address Translation
3861	              (NAT) Behavioral Requirements for Unicast UDP", BCP 127,
3862	              RFC 4787, January 2007.

3864	   [RFC5591]  Harrington, D. and W. Hardaker, "Transport Security Model
3865	              for the Simple Network Management Protocol (SNMP)", STD
3866	              78, RFC 5591, June 2009.

3868	   [RFC5592]  Harrington, D., Salowey, J., and W. Hardaker, "Secure
3869	              Shell Transport Model for the Simple Network Management
3870	              Protocol (SNMP)", RFC 5592, June 2009.

3872	   [RFC6353]  Hardaker, W., "Transport Layer Security (TLS) Transport
3873	              Model for the Simple Network Management Protocol (SNMP)",
3874	              STD 78, RFC 6353, July 2011.

3876	8.2.  Informative References

3878	   [I-D.perrault-behave-deprecate-nat-mib-v1]
3879	              Perrault, S., Tsou, T., Sivakumar, S., and T. Taylor,
3880	              "Deprecation of MIB Module NAT-MIB (Managed Objects for
3881	              Network Address Translators (NAT)) (Work in Progress)",
3882	              October 2014.

3884	   [RFC2460]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
3885	              (IPv6) Specification", RFC 2460, December 1998.

3887	   [RFC2663]  Srisuresh, P. and M. Holdrege, "IP Network Address
3888	              Translator (NAT) Terminology and Considerations", RFC
3889	              2663, August 1999.

3891	   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
3892	              "Introduction and Applicability Statements for Internet-
3893	              Standard Management Framework", RFC 3410, December 2002.

3895	   [RFC3489]  Rosenberg, J., Weinberger, J., Huitema, C., and R. Mahy,
3896	              "STUN - Simple Traversal of User Datagram Protocol (UDP)
3897	              Through Network Address Translators (NATs)", RFC 3489,
3898	              March 2003.

3900	   [RFC4008]  Rohit, R., Srisuresh, P., Raghunarayan, R., Pai, N., and
3901	              C. Wang, "Definitions of Managed Objects for Network
3902	              Address Translators (NAT)", RFC 4008, March 2005.

3904	   [RFC6333]  Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-
3905	              Stack Lite Broadband Deployments Following IPv4
3906	              Exhaustion", RFC 6333, August 2011.

3908	   [SMI-NUMBERS]
3909	              "Network Management Parameters registry at IANA",
3910	              <http://www.iana.org/assignments/smi-numbers>.

3912	Authors' Addresses

3914	   Simon Perreault
3915	   Jive Communications
3916	   Quebec, QC
3917	   Canada

3919	   Email: sperreault@jive.com

3921	   Tina Tsou
3922	   Huawei Technologies
3923	   Bantian, Longgang District
3924	   Shenzhen  518129
3925	   PR China

3927	   Email: tina.tsou.zouting@huawei.com

3929	   Senthil Sivakumar
3930	   Cisco Systems
3931	   7100-8 Kit Creek Road
3932	   Research Triangle Park, North Carolina  27709
3933	   USA

3935	   Phone: +1 919 392 5158
3936	   Email: ssenthil@cisco.com

3938	   Tom Taylor
3939	   PT Taylor Consulting
3940	   Ottawa
3941	   Canada

3943	   Email: tom.taylor.stds@gmail.com