Network Working Group                                      S. Perreault
Internet-Draft                                       Jive Communications
Intended status: Standards Track                                 T. Tsou
Expires: December 18, 2015                           Huawei Technologies
                                                            S. Sivakumar
                                                           Cisco Systems
                                                               T. Taylor
                                                    PT Taylor Consulting
                                                           June 16, 2015

    Definitions of Managed Objects for Network Address Translators (NAT)
                    draft-perrault-behave-natv2-mib-05
Abstract

This memo defines a portion of the Management Information Base (MIB)
for devices implementing the Network Address Translator (NAT)
function. The new MIB module defined in this document, NATV2-MIB, is
intended to replace module NAT-MIB (RFC 4008). NATV2-MIB is not
backwards compatible with NAT-MIB, for reasons given in the text of
this document. A companion document deprecates all objects in
NAT-MIB. NATV2-MIB can be used for monitoring of NAT instances on a
device capable of NAT function. Compliance levels are defined for
three application scenarios: basic NAT, pooled NAT, and carrier-grade
NAT (CGN).
Status of This Memo

This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current
Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on December 18, 2015.

Copyright Notice

Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents

1. The SNMP Management Framework
2. Introduction
3. Overview
   3.1. Content Provided by the NATV2-MIB Module
      3.1.1. Configuration Data
      3.1.2. Notifications
      3.1.3. State Information
      3.1.4. Statistics
   3.2. Outline of MIB Module Organization
   3.3. Detailed MIB Module Walk-Through
      3.3.1. Textual Conventions
      3.3.2. Notifications
      3.3.3. The Subscriber Table: natv2SubscriberTable
      3.3.4. The Instance Table: natv2InstanceTable
      3.3.5. The Protocol Table: natv2ProtocolTable
      3.3.6. The Address Pool Table: natv2PoolTable
      3.3.7. The Address Pool Address Range Table: natv2PoolRangeTable
      3.3.8. The Address Map Table: natv2AddressMapTable
      3.3.9. The Port Map Table: natv2PortMapTable
   3.4. Conformance: Three Application Scenarios
4. Definitions
5. Operational and Management Considerations
   5.1. Configuration Requirements
   5.2. Transition From and Coexistence With NAT-MIB [RFC 4008]
6. Security Considerations
7. IANA Considerations
8. References
   8.1. Normative References
   8.2. Informative References
Authors' Addresses
1. The SNMP Management Framework

For a detailed overview of the documents that describe the current
Internet-Standard Management Framework, please refer to section 7 of
RFC 3410 [RFC3410].

Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. MIB objects are generally
accessed through the Simple Network Management Protocol (SNMP).
Objects in the MIB are defined using the mechanisms defined in the
Structure of Management Information (SMI). This memo specifies a MIB
module that is compliant to the SMIv2, which is described in STD 58,
[RFC2578], [RFC2579] and [RFC2580].
2. Introduction

Note to RFC Ed.: please replace RFC yyyy with actual RFC number
throughout this document and remove this note.

This memo defines a portion of the Management Information Base (MIB)
for devices implementing NAT functions. This MIB module, NATV2-MIB,
may be used for monitoring of such devices. NATV2-MIB supersedes
NAT-MIB [RFC4008], which did not fit well with existing NAT
implementations, and hence was not itself much implemented.
[I-D.perrault-behave-deprecate-nat-mib-v1] provides a detailed
analysis of the deficiencies of NAT-MIB.

Relative to [RFC4008] and based on the analysis just mentioned, the
present document introduces the following changes:

o removed all writable configuration except that related to control
  of the generation of notifications and the setting of quotas on
  the use of NAT resources;

o minimized the read-only exposure of configuration to what is
  needed to provide context for the state and statistical
  information presented by the MIB module;

o removed the association between mapping and interfaces, retaining
  only the mapping aspect;

o replaced references to NAT types with references to NAT behaviors
  as specified in [RFC4787];

o replaced a module-specific enumeration of protocols with the
  standard protocol numbers provided by the IANA Assigned Internet
  Protocol Numbers registry.

This MIB module adds the following features not present in [RFC4008]:

o additional writable protective limits on NAT state data;

o additional objects to report state, statistics, and notifications;

o support for the carrier grade NAT (CGN) application, including
  subscriber-awareness, support for an arbitrary number of address
  realms, and support for multiple NAT instances running on a single
  device;

o expanded support for address pools;

o revised indexing of port map entries to simplify traceback from
  externally observable packet parameters to the corresponding
  internal endpoint.

These features are described in more detail below.

The remainder of this document is organized as follows:

o Section 3 provides a verbal description of the content and
  organization of the MIB module.

o Section 4 provides the MIB module definition.

o Section 5 discusses operational and management issues relating to
  the deployment of NATV2-MIB. One of these issues is NAT
  management when both NAT-MIB [RFC4008] and NATV2-MIB are deployed.

o Section 6 and Section 7 provide a security discussion and a
  request to IANA for allocation of an object identifier for the
  module in the mib-2 tree, respectively.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
[RFC2119].
This document uses the following terminology:

Upper layer protocol: The protocol following the outer IP header of
  a packet. This follows the terminology of [RFC2460], but as that
  document points out, "upper" is not necessarily a correct
  description of the protocol relationships (e.g., where IP is
  encapsulated in IP). The abbreviated term "protocol" will often
  be used where it is unambiguous.

Trigger: With respect to notifications, the logical recognition of
  the event that the notification is intended to report.

Report: The actual production of a notification message. Reporting
  can happen later than triggering, or may never happen for a given
  notification instance, because of the operation of notification
  rate controls.

Address realm: A network domain in which the network addresses are
  uniquely assigned to entities such that datagrams can be routed to
  them. (Definition taken from [RFC2663] Section 2.1.) The
  abbreviated term "realm" will often be used.
3. Overview

This section provides a prose description of the contents and
organization of the NATV2-MIB module.

3.1. Content Provided by the NATV2-MIB Module

The content provided by the NATV2-MIB module can be classed under
four headings: configuration data, notifications, state information,
and statistics.

3.1.1. Configuration Data

As mentioned above, the intent in designing the NATV2-MIB module was
to minimize the amount of configuration data presented to that needed
to give a context for interpreting the other types of information
provided. Detailed descriptions of the configuration data are
included with the descriptions of the individual tables. In general,
that data is limited to what is needed for indexing and
cross-referencing between tables. The two exceptions are the objects
describing NAT instance behavior in the NAT instance table, and the
detailed enumeration of resources allocated to each address pool in
the pool table and its extension.

The NATV2-MIB module provides three sets of read-write objects,
specifically related to other aspects of the module content. The
first set controls the rate at which specific notifications are
generated. The second set provides thresholds used to trigger the
notifications. These objects are listed in Section 3.1.2.

A third set of read-write objects sets limits on resource consumption
per NAT instance and per subscriber. When these limits are reached,
packets requiring further consumption of the given resource are
dropped rather than translated. Statistics described in
Section 3.1.4 record the numbers of packets so dropped. Limits are
provided for:

o total number of address map entries over the NAT instance. Limit
  is set by object natv2InstanceLimitAddressMapEntries in table
  natv2InstanceTable. Dropped packets are counted in
  natv2InstanceAddressMapEntryLimitDrops in that table.

o total number of port map entries over the NAT instance. Limit is
  set by object natv2InstanceLimitPortMapEntries in table
  natv2InstanceTable. Dropped packets are counted in
  natv2InstancePortMapEntryLimitDrops in that table.

o total number of held fragments (applicable only when the NAT
  instance can receive fragments out of order; see [RFC4787]
  Section 11). Limit is set by object
  natv2InstanceLimitPendingFragments in table natv2InstanceTable.
  Dropped packets are counted by natv2InstanceFragmentDrops in the
  same table.

o total number of active subscribers (i.e., subscribers having at
  least one mapping table entry) over the NAT instance. Limit is
  set by object natv2InstanceLimitSubscriberActives in table
  natv2InstanceTable. Dropped packets are counted by
  natv2InstanceSubscriberActiveLimitDrops in the same table.

o number of port map entries for an individual subscriber. Limit is
  set by object natv2SubscriberLimitPortMapEntries in table
  natv2SubscriberTable. Dropped packets are counted by
  natv2SubscriberPortMapFailureDrops in the same table. Note that,
  unlike in the instance table, the per-subscriber count is lumped
  in with the count of packets dropped because of failures to
  allocate a port map entry for other reasons to save on storage.
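The limit semantics above, modelled as an added Python example that is not part of the draft: only the natv2... object names come from the text; the Instance and Subscriber records, the packet tuples, the order in which the limits are checked and the treatment of a limit value of 0 as "no limit" are assumptions made for illustration.

```python
"""Model of the resource limits of NATV2-MIB Section 3.1.1: when a limit is
reached, packets that would consume more of that resource are dropped and
counted in the named drop counter.  Added example, not from the draft; the
Instance/Subscriber records, the packet tuples, the check order and the
treatment of a limit of 0 as 'no limit' are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Subscriber:
    natv2SubscriberLimitPortMapEntries: int = 0    # 0 = no limit (assumption)
    natv2SubscriberPortMapEntries: int = 0
    natv2SubscriberPortMapFailureDrops: int = 0    # limit drops are lumped in here
    mapping_entries: int = 0                       # address + port map entries (constructed)


@dataclass
class Instance:
    natv2InstanceLimitAddressMapEntries: int = 0   # 0 = no limit (assumption)
    natv2InstanceLimitPortMapEntries: int = 0
    natv2InstanceLimitSubscriberActives: int = 0
    natv2InstanceAddressMapEntries: int = 0
    natv2InstancePortMapEntries: int = 0
    natv2InstanceAddressMapEntryLimitDrops: int = 0
    natv2InstancePortMapEntryLimitDrops: int = 0
    natv2InstanceSubscriberActiveLimitDrops: int = 0
    translations: int = 0                          # local counter, not a MIB object
    subscribers: dict = field(default_factory=dict)
    address_map: dict = field(default_factory=dict)  # internal addr -> external addr
    port_map: dict = field(default_factory=dict)     # (addr, proto, port) -> ext port
    next_ext_port: int = 1024


def reached(count, limit):
    return limit > 0 and count >= limit


def active_subscribers(inst):
    """A subscriber is active when it has at least one mapping table entry."""
    return sum(1 for s in inst.subscribers.values() if s.mapping_entries > 0)


def translate(inst, sub_id, internal_addr, proto, internal_port):
    """Translate one outbound packet; returns 'translated' or the drop reason."""
    sub = inst.subscribers[sub_id]
    key = (internal_addr, proto, internal_port)
    if key in inst.port_map:
        inst.translations += 1
        return "translated"
    # The packet needs a new port map entry (and perhaps a new address map
    # entry): apply the limits, instance-wide first, then per subscriber.
    if sub.mapping_entries == 0 and reached(active_subscribers(inst),
                                            inst.natv2InstanceLimitSubscriberActives):
        inst.natv2InstanceSubscriberActiveLimitDrops += 1
        return "drop: active subscriber limit"
    new_addr_map = internal_addr not in inst.address_map
    if new_addr_map and reached(inst.natv2InstanceAddressMapEntries,
                                inst.natv2InstanceLimitAddressMapEntries):
        inst.natv2InstanceAddressMapEntryLimitDrops += 1
        return "drop: address map limit"
    if reached(inst.natv2InstancePortMapEntries, inst.natv2InstanceLimitPortMapEntries):
        inst.natv2InstancePortMapEntryLimitDrops += 1
        return "drop: port map limit"
    if reached(sub.natv2SubscriberPortMapEntries, sub.natv2SubscriberLimitPortMapEntries):
        sub.natv2SubscriberPortMapFailureDrops += 1
        return "drop: subscriber port map limit"
    if new_addr_map:
        inst.address_map[internal_addr] = "203.0.113.1"  # one external address (constructed)
        inst.natv2InstanceAddressMapEntries += 1
        sub.mapping_entries += 1
    inst.port_map[key] = inst.next_ext_port
    inst.next_ext_port += 1
    inst.natv2InstancePortMapEntries += 1
    sub.natv2SubscriberPortMapEntries += 1
    sub.mapping_entries += 1
    inst.translations += 1
    return "translated"


def demo():
    """Constructed traffic that hits each limit once; returns (instance, results)."""
    inst = Instance(natv2InstanceLimitAddressMapEntries=2,
                    natv2InstanceLimitPortMapEntries=3,
                    natv2InstanceLimitSubscriberActives=2)
    inst.subscribers = {"A": Subscriber(natv2SubscriberLimitPortMapEntries=2),
                        "B": Subscriber(), "C": Subscriber()}
    packets = [("A", "10.0.0.1", 6, 1000), ("A", "10.0.0.1", 6, 1001),
               ("A", "10.0.0.1", 6, 1002),  # subscriber A's own port map limit
               ("B", "10.0.0.2", 17, 53),
               ("C", "10.0.0.3", 17, 53),   # would be the third active subscriber
               ("B", "10.0.0.2", 17, 54),   # instance-wide port map limit
               ("B", "10.0.0.6", 6, 80),    # instance-wide address map limit
               ("A", "10.0.0.1", 6, 1000)]  # existing mapping, still translated
    results = [translate(inst, *p) for p in packets]
    return inst, results
```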
3.1.2. Notifications

NATV2-MIB provides five notifications, intended to provide warning of
the need to provision or reallocate NAT resources. As indicated in
the previous section, each notification is associated with two
read-write objects: a control on the rate at which that notification is
generated, and a threshold value used to trigger the notification in
the first place. The default setting within the MIB module
specification is that all notifications are disabled. The setting of
threshold values is discussed in Section 5.

The five notifications are as follows:

o Two notifications relate to the management of address pools. One
  indicates that usage equals or exceeds an upper threshold, and is
  therefore a warning that the pool may be over-utilized unless more
  addresses are assigned to it. The other notification indicates
  that usage equals or has fallen below a lower threshold,
  suggesting that some addresses allocated to that pool could be
  reallocated to other pools. Address pool usage is calculated as
  the percentage of the total number of ports allocated to the
  address pool that are already in use, for the most-mapped protocol
  at the time the notification is generated. The notifications
  identify that protocol and report the number of port map entries
  for that protocol in the given address pool at the moment the
  notification was triggered.

o Two notifications relate to the number of address and port map
  entries respectively, in total over the whole NAT instance. In
  both cases the threshold that triggers the notification is an
  upper threshold. The notifications return the number of mapping
  entries of the given type, plus a cumulative counter of the number
  of entries created in that mapping table at the moment the
  notification was triggered. The intent is that the notifications
  provide a warning that the total number of address or port map
  entries is approaching the configured limit.

o The final notification is generated on a per-subscriber basis when
  the number of port map entries for that subscriber crosses the
  associated threshold. The objects returned by this notification
  are similar to those returned for the instance-level mapping
  notifications. This notification is a warning that the number of
  port map entries for the subscriber is approaching the configured
  limit for that subscriber.

Here is a detailed specification of the notifications. A given
notification can be disabled by setting the threshold to 0 (default),
with the exception noted below.
Notification: natv2NotificationPoolUsageLow. Indicates that address
pool usage for the most-mapped protocol equals or is less than the
threshold value.

  Compared value: natv2PoolNotifiedPortMapEntries as a percentage of
  total available ports in the pool.

  Threshold: natv2PoolThresholdUsageLow in natv2PoolTable. To allow
  for a threshold of zero usage, natv2NotificationPoolUsageLow is
  disabled by setting natv2PoolThresholdUsageLow to -1 rather than
  0, in contrast to all of the other notifications.

  Objects returned: natv2PoolNotifiedPortMapEntries and
  natv2PoolNotifiedPortMapProtocol in natv2PoolTable;

  Rate control: natv2PoolNotificationInterval in natv2PoolTable.

Notification: natv2NotificationPoolUsageHigh. Indicates that address
pool usage for the most-mapped protocol has risen to the threshold
value or more.

  Compared value: natv2PoolNotifiedPortMapEntries as a percentage of
  total available ports in the pool.

  Threshold: natv2PoolThresholdUsageHigh in natv2PoolTable;

  Objects returned: natv2PoolNotifiedPortMapEntries,
  natv2PoolNotifiedPortMapProtocol in natv2PoolTable;

  Rate control: natv2PoolNotificationInterval in natv2PoolTable.

Notification: natv2NotificationInstanceAddressMapEntriesHigh.
Indicates that the total number of entries in the address map table
over the whole NAT instance equals or exceeds the threshold value.

  Compared value: natv2InstanceAddressMapEntries in
  natv2InstanceTable;

  Threshold: natv2InstanceThresholdAddressMapEntriesHigh in
  natv2InstanceTable;

  Objects returned: natv2InstanceAddressMapEntries,
  natv2InstanceAddressMapCreations in natv2InstanceTable;

  Rate control: natv2InstanceNotificationInterval in
  natv2InstanceTable.

Notification: natv2NotificationInstancePortMapEntriesHigh. Indicates
that the total number of entries in the port map table over the whole
NAT instance equals or exceeds the threshold value.

  Compared value: natv2InstancePortMapEntries in natv2InstanceTable;

  Threshold: natv2InstanceThresholdPortMapEntriesHigh in
  natv2InstanceTable;

  Objects returned: natv2InstancePortMapEntries,
  natv2InstancePortMapCreations in natv2InstanceTable;

  Rate control: natv2InstanceNotificationInterval in
  natv2InstanceTable.

Notification: natv2NotificationSubscriberPortMapEntriesHigh.
Indicates that the total number of entries in the port map table for
the given subscriber equals or exceeds the threshold value configured
for that subscriber.

  Compared value: natv2SubscriberPortMapEntries in
  natv2SubscriberTable;

  Threshold: natv2SubscriberThresholdPortMapEntriesHigh in
  natv2SubscriberTable;

  Objects returned: natv2SubscriberPortMapEntries,
  natv2SubscriberPortMapCreations in natv2SubscriberTable;

  Rate control: natv2SubscriberNotificationInterval in
  natv2SubscriberTable.
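The trigger, threshold and rate-control rules of the five notifications, including the -1 special case for natv2PoolThresholdUsageLow and the trigger-versus-report distinction from the terminology in Section 2, as an added Python example that is not from the draft. The Pool, Instance and Subscriber records, their non-MIB fields (addresses, min_port, max_port, port_map_entries), and reading each NotificationInterval object as a minimum number of seconds between successive reports of the same notification are assumptions.

```python
"""Trigger and report logic for the five NATV2-MIB notifications of
Section 3.1.2.  Added example, not from the draft: the Pool/Instance/Subscriber
records, their non-MIB fields and the rate-control semantics (a minimum number
of seconds between reports of the same notification) are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Pool:
    addresses: int                          # external addresses in the pool (constructed)
    min_port: int                           # port range made available per protocol
    max_port: int
    port_map_entries: dict                  # protocol number -> port map entries in use
    natv2PoolThresholdUsageLow: int = -1    # -1 disables; 0 is a legal threshold
    natv2PoolThresholdUsageHigh: int = 0    # 0 disables
    natv2PoolNotificationInterval: int = 0


@dataclass
class Instance:
    natv2InstanceAddressMapEntries: int
    natv2InstanceAddressMapCreations: int
    natv2InstancePortMapEntries: int
    natv2InstancePortMapCreations: int
    natv2InstanceThresholdAddressMapEntriesHigh: int = 0
    natv2InstanceThresholdPortMapEntriesHigh: int = 0
    natv2InstanceNotificationInterval: int = 0


@dataclass
class Subscriber:
    natv2SubscriberPortMapEntries: int
    natv2SubscriberPortMapCreations: int
    natv2SubscriberThresholdPortMapEntriesHigh: int = 0
    natv2SubscriberNotificationInterval: int = 0


@dataclass
class Notifier:
    """Counts triggers (event recognised) separately from reports (message sent)."""
    triggered: dict = field(default_factory=dict)
    last_report: dict = field(default_factory=dict)

    def emit(self, name, interval, now, objects, reports):
        self.triggered[name] = self.triggered.get(name, 0) + 1
        last = self.last_report.get(name)
        if last is not None and now - last < interval:
            return                          # triggered, but suppressed by rate control
        self.last_report[name] = now
        reports.append((name, objects))


def pool_usage(pool):
    """Most-mapped protocol, its port map entries, and usage as a percentage of
    all ports the pool can allocate (addresses x port range, Section 3.3.6)."""
    total_ports = pool.addresses * (pool.max_port - pool.min_port + 1)
    if not pool.port_map_entries:
        return None, 0, 0.0
    proto, entries = max(pool.port_map_entries.items(), key=lambda kv: kv[1])
    return proto, entries, 100.0 * entries / total_ports


def check_pool(notifier, pool, now):
    reports = []
    proto, entries, pct = pool_usage(pool)
    objects = {"natv2PoolNotifiedPortMapEntries": entries,
               "natv2PoolNotifiedPortMapProtocol": proto}
    interval = pool.natv2PoolNotificationInterval
    if pool.natv2PoolThresholdUsageLow >= 0 and pct <= pool.natv2PoolThresholdUsageLow:
        notifier.emit("natv2NotificationPoolUsageLow", interval, now, objects, reports)
    if pool.natv2PoolThresholdUsageHigh > 0 and pct >= pool.natv2PoolThresholdUsageHigh:
        notifier.emit("natv2NotificationPoolUsageHigh", interval, now, objects, reports)
    return reports


def check_instance(notifier, inst, now):
    reports = []
    interval = inst.natv2InstanceNotificationInterval
    thr = inst.natv2InstanceThresholdAddressMapEntriesHigh
    if thr > 0 and inst.natv2InstanceAddressMapEntries >= thr:
        notifier.emit("natv2NotificationInstanceAddressMapEntriesHigh", interval, now,
                      {"natv2InstanceAddressMapEntries": inst.natv2InstanceAddressMapEntries,
                       "natv2InstanceAddressMapCreations": inst.natv2InstanceAddressMapCreations},
                      reports)
    thr = inst.natv2InstanceThresholdPortMapEntriesHigh
    if thr > 0 and inst.natv2InstancePortMapEntries >= thr:
        notifier.emit("natv2NotificationInstancePortMapEntriesHigh", interval, now,
                      {"natv2InstancePortMapEntries": inst.natv2InstancePortMapEntries,
                       "natv2InstancePortMapCreations": inst.natv2InstancePortMapCreations},
                      reports)
    return reports


def check_subscriber(notifier, sub, now):
    reports = []
    thr = sub.natv2SubscriberThresholdPortMapEntriesHigh
    if thr > 0 and sub.natv2SubscriberPortMapEntries >= thr:
        notifier.emit("natv2NotificationSubscriberPortMapEntriesHigh",
                      sub.natv2SubscriberNotificationInterval, now,
                      {"natv2SubscriberPortMapEntries": sub.natv2SubscriberPortMapEntries,
                       "natv2SubscriberPortMapCreations": sub.natv2SubscriberPortMapCreations},
                      reports)
    return reports
```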
3.1.3. State Information

State information provides a snapshot of the content and extent of
the NAT mapping tables at a given moment of time. The address and
port mapping tables are described in detail below. In addition to
these tables, two state variables are provided: current number of
entries in the address mapping table, and current number of entries
in the port mapping table. With one exception, these are provided at
four levels of granularity: per NAT instance, per protocol, per
address pool, and per subscriber. Address map entries are not
tracked per protocol, since address mapping is protocol-independent.

3.1.4. Statistics

NATV2-MIB provides a number of counters, intended to help both with
provisioning of the NAT and debugging of problems. As with the state
data, these counters are provided at the four levels of NAT instance,
protocol, address pool, and subscriber when they make sense. Each
counter is cumulative beginning from a "last discontinuity time"
recorded by an object that is usually in the table containing the
counter.

The basic set of counters, as reflected in the NAT instance table, is
as follows:

Translations: number of packets processed and translated (in this
  case, in total for the NAT instance);

Address map entry creations: cumulative number of address map
  entries created, including static mappings;

Port map entry creations: cumulative number of port map entries
  created, including static mappings;

Address map limit drops: cumulative number of packets dropped rather
  than translated because the packet would have triggered the
  creation of a new address mapping, but the configured limit on
  number of address map entries has already been reached.

Port map limit drops: cumulative number of packets dropped rather
  than translated because the packet would have triggered the
  creation of a new port mapping, but the configured limit on number
  of port map entries has already been reached.

Active subscriber limit drops: cumulative number of packets dropped
  rather than translated because the packet would have triggered the
  creation of a new address and/or port mapping for a subscriber
  with no existing entries in either table, but the configured limit
  on number of active subscribers has already been reached.

Address mapping failure drops: cumulative number of packets dropped
  because the packet would have triggered the creation of a new
  address mapping, but no address could be allocated in the external
  realm concerned because all addresses from the selected address
  pool (or the whole realm, if no address pool has been configured
  for that realm) have already been fully allocated.

Port mapping failure drops: cumulative number of packets dropped
  because the packet would have triggered the creation of a new port
  mapping, but no port could be allocated for the protocol
  concerned. The precise conditions under which these packet drops
  occur depend on the pooling behavior [RFC4787] configured or
  implemented in the NAT instance. See the DESCRIPTION clause for
  the natv2InstancePortMapFailureDrops object for a detailed
  description of the different cases. These cases were defined with
  care to ensure that address mapping failure could be distinguished
  from port mapping failure.

Fragment drops: cumulative number of packets dropped because the
  packet contains a fragment and the fragment behavior [RFC4787]
  configured or implemented in the NAT instance indicates that the
  packet should be dropped. The main case is a NAT instance that
  meets REQ-14 of [RFC4787], hence can receive and process
  out-of-order fragments. In that case, dropping occurs only when the
  configured limit on pending fragments provided by NATV2-MIB has
  already been reached. The other cases are detailed in the
  DESCRIPTION clause of the natv2InstanceFragmentBehavior object.

Other resource drops: cumulative number of packets dropped because
  of unavailability of some other resource. The most likely case
  would be packets where the upper layer protocol is not one
  supported by the NAT instance.

Table 1 indicates the granularities at which these statistics are
reported.
+-------------------------------+----------+----------+------+------------+
| Statistic                     | NAT      | Protocol | Pool | Subscriber |
|                               | Instance |          |      |            |
+-------------------------------+----------+----------+------+------------+
| Translations                  | Yes      | Yes      | No   | Yes        |
| Address map entry creations   | Yes      | No       | Yes  | Yes        |
| Port map entry creations      | Yes      | Yes      | Yes  | Yes        |
| Address map limit drops       | Yes      | No       | No   | No         |
| Port map limit drops          | Yes      | No       | No   | Yes        |
| Active subscriber limit drops | Yes      | No       | No   | No         |
| Address mapping failure drops | Yes      | No       | Yes  | Yes        |
| Port mapping failure drops    | Yes      | Yes      | Yes  | Yes        |
| Fragment drops                | Yes      | No       | No   | No         |
| Other resource drops          | Yes      | No       | No   | No         |
+-------------------------------+----------+----------+------+------------+

Table 1: Statistics Provided By Level of Granularity
3.2. Outline of MIB Module Organization

Figure 1 shows how object identifiers are organized in the NATV2-MIB
module. Under the general natv2MIB object identifier in the mib-2
tree, the objects are classed into four groups:

natv2MIBNotifications(0) identifies the five notifications described
  in Section 3.1.2;

natv2MIBDeviceObjects(1) identifies objects relating to the whole
  device, specifically, the subscriber table.

natv2MIBInstanceObjects(2) identifies objects relating to individual
  NAT instances. These include the NAT instance table, the protocol
  table, the address pool table and its address range expansion, the
  address map table, and the port map table.

natv2MIBConformance(3) identifies the group and compliance clauses,
  specified for the three application scenarios described in
  Section 3.4.
natv2MIB
|
+-- 0 natv2MIBNotifications      (five notifications)
|
+-- 1 natv2MIBDeviceObjects      (subscriber table)
|
+-- 2 natv2MIBInstanceObjects    (six per-NAT-instance tables)
|
+-- 3 natv2MIBConformance
      |
      +-- 1 natv2MIBCompliances  (Basic, Pooled, Carrier grade NAT)
      |
      +-- 2 natv2MIBGroups       (Basic, Pooled, Carrier grade NAT)

Figure 1: Organization of Object Identifiers For NATV2-MIB
3.3. Detailed MIB Module Walk-Through

This section reviews the contents of the NATV2-MIB module. The table
descriptions include references to subsections of Section 3.1 where
desirable to avoid repetition of that information.

3.3.1. Textual Conventions

The module defines four key textual conventions: ProtocolNumber,
Natv2SubscriberIndex, Natv2InstanceIndex, and Natv2PoolIndex.
ProtocolNumber is based on the IANA registry of protocol numbers,
hence is potentially reusable by other MIB modules.

Objects of type Natv2SubscriberIndex identify individual subscribers
served by the NAT device. The values of these identifiers are
administered and, in intent, are permanently associated with their
respective subscribers. Reuse of a value after a subscriber has been
deleted is discouraged. The scope of the subscriber index was
defined to be at device rather than NAT instance level to make it
easier to shift subscribers between instances (e.g., for load
balancing).

Objects of type Natv2InstanceIndex identify specific NAT instances on
the device. Again, these are administered values intended to be
permanently associated with the NAT instances to which they have been
assigned.

Objects of type Natv2PoolIndex identify individual address pools in a
given NAT instance. As with the subscriber and instance index
objects, the pool identifiers are administered and intended to be
permanently associated with their respective pools.

3.3.2. Notifications

Notifications were described in Section 3.1.2.
3.3.3. The Subscriber Table: natv2SubscriberTable

Table natv2SubscriberTable is indexed by subscriber index. One
conceptual row contains information relating to a specific
subscriber: the subscriber's internal address or prefix for
correlation with other management information; state and statistical
information as described in Section 3.1.3 and Section 3.1.4, the
per-subscriber control objects described in Section 3.1.1, and
natv2SubscriberDiscontinuityTime, which provides a timestamp of the
latest time following which the statistics have accumulated without
discontinuity.

Turning back to the address information for a moment: this
information includes the identity of the address realm in which the
address is routable. That enables support of an arbitrary number of
address realms on the same NAT instance. Address realm identifiers
are administered values in the form of a limited-length
SnmpAdminString. In the absence of configuration to the contrary,
the default realm for all internal addresses as recorded in mapping
entries is "internal".

The term "address realm" is defined in [RFC2663] Section 2.1 and
reused in subsequent NAT-related documents.

In the special case of DS-Lite [RFC6333], for unique matching of the
subscriber data to other information in the MIB module, it is
necessary that the address information should relate to the outer
IPv6 header of packets going to or from the host, with the address
realm being the one in which that IPv6 address is routable. The
presentation of address information for other types of tunneled
access to the NAT is out of scope.
3.3.4. The Instance Table: natv2InstanceTable

Table natv2InstanceTable is indexed by an object of type
Natv2InstanceIndex. A conceptual row of this table provides
information relating to a particular NAT instance configured on the
device.

Configuration information provided by this table includes an instance
name of type DisplayString that may have been configured for this
instance, and a set of objects indicating respectively the port
mapping, filtering, pooling, and fragment behaviors configured or
implemented in the instance. These behaviors are all defined in
[RFC4787]. Their values affect the interpretation of some of the
statistics provided in the instance table.

Read-write objects listed in Section 3.1.2 set the notification rate
for instance-level notifications and set the thresholds that trigger
them. Additional read-write objects described in Section 3.1.1 set
limits on the number of address and port mapping entries, number of
pending fragments, and number of active subscribers for the instance.

The state and statistical information provided by this table consists
of the per-instance items described in Section 3.1.3 and
Section 3.1.4 respectively. natv2InstanceDiscontinuityTime is a
timestamp giving the time beyond which all of the statistical
counters in natv2InstanceTable are guaranteed to have accumulated
continuously.
662 3.3.5. The Protocol Table: natv2ProtocolTable
664 The protocol table is indexed by the NAT instance number and an
665 object of type ProtocolNumber as described in Section 3.3.1 (i.e., an
666 IANA-registered protocol number). The set of protocols supported by
667 the NAT instance is implementation-dependent, but MUST include
668 ICMP(1), TCP(6), UDP(17), and ICMPv6(58). Depending on the
669 application, it SHOULD include IPv4 encapsulation(4), IPv6
670 encapsulation(41), IPsec AH(51), and SCTP(132). Support of PIM(103)
671 is highly desirable.
673 This table includes no configuration information. The state and
674 statistical information provided by this table consists of the per-
675 protocol items described in Section 3.1.3 and Section 3.1.4
676 respectively. natv2InstanceDiscontinuityTime in natv2InstanceTable is
677 reused as the timestamp giving the time beyond which all of the
678 statistical counters in natv2ProtocolTable are guaranteed to have
679 accumulated continuously. The reasoning is that any event affecting
680 the continuity of per-protocol statistics will affect the continuity
681 of NAT instance statistics, and vice versa.
683 3.3.6. The Address Pool Table: natv2PoolTable
685 The address pool table is indexed by the NAT instance identifier for
686 the instance on which it is provisioned, plus a pool index of type
687 Natv2PoolIndex. Configuration information provided includes the
688 address realm for which the pool provides addresses, the type of
689 address (IPv4 or IPv6) supported by the realm, plus the port range it
690 makes available for allocation. The same set of port numbers (or, in
691 the ICMP case, identifier values) is made available for every
692 protocol supported by the NAT instance. The port range is specified
693 in terms of minimum and maximum port number.
695 The state and statistical information provided by this table consists
696 of the per-pool items described in Section 3.1.3 and Section 3.1.4
697 respectively, plus two additional state objects described below.
698 natv2PoolTable provides the pool-specific object
699 natv2PoolDiscontinuityTime to indicate the time since which the
700 statistical counters have accumulated continuously.
702 Read-write objects to set high and low thresholds for pool usage
703 notifications and for governing notification rate were identified in
704 Section 3.1.2.
706 Implementation note: the thresholds are defined in terms of
707 percentage of available port utilization. The number of available
708 ports in a pool is equal to (max port - min port + 1) (from the
709 natv2PoolTable configuration information) multiplied by the number
710 of addresses provisioned in the pool (sum of number of addresses
711 provided by each natv2PoolRangeTable conceptual row relating to
712 that pool). At configuration time, the thresholds can be
713 recalculated in terms of total number of port map entries
714 corresponding to the configured percentage, so that runtime
715 comparisons to the current number of port map entries require no
716 further arithmetic operations.
718 natv2PoolTable also provides two state objects that are returned with
719 the notifications. natv2PoolNotifiedPortMapProtocol identifies the
720 most-mapped protocol at the time the notification was triggered.
721 natv2PoolNotifiedPortMapEntries provides the total number of port map
722 entries for that protocol using addresses owned by this pool at that
723 same time.
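The implementation note and the notified objects above, as an added example that is not the draft's own code: it converts the percentage thresholds into entry counts once, finds the most-mapped protocol, and decides which pool usage notification (if any) is triggered. Object names follow the draft; the Pool/PoolRange classes and all sample values are constructed.

```python
# Added example, not part of the draft: evaluating natv2PoolTable usage
# thresholds as the implementation note describes. Object names follow the
# draft; the Pool/PoolRange classes and all sample values are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

THRESHOLD_DISABLED = -1   # a threshold of -1 disables the notification


@dataclass(frozen=True)
class PoolRange:
    """One natv2PoolRangeTable conceptual row: lowest and highest address."""
    lowest: str
    highest: str

    def address_count(self) -> int:
        lo = ipaddress.ip_address(self.lowest)
        hi = ipaddress.ip_address(self.highest)
        if lo.version != hi.version or hi < lo:
            raise ValueError("malformed range %s-%s" % (self.lowest, self.highest))
        return int(hi) - int(lo) + 1


@dataclass
class Pool:
    """Configuration of one natv2PoolTable row plus its address ranges."""
    min_port: int
    max_port: int
    ranges: List[PoolRange]
    threshold_low: int = THRESHOLD_DISABLED    # natv2PoolThresholdUsageLow, percent
    threshold_high: int = THRESHOLD_DISABLED   # natv2PoolThresholdUsageHigh, percent

    def available_ports(self) -> int:
        """(max port - min port + 1) times the addresses in all ranges."""
        if not 0 <= self.min_port <= self.max_port <= 65535:
            raise ValueError("malformed port range")
        if len({ipaddress.ip_address(r.lowest).version for r in self.ranges}) > 1:
            raise ValueError("a pool serves a single address type")
        per_address = self.max_port - self.min_port + 1
        return per_address * sum(r.address_count() for r in self.ranges)

    def precompute_thresholds(self) -> Tuple[Optional[int], Optional[int]]:
        """Convert the percentage thresholds into port map entry counts once,
        at configuration time, so that runtime checks are plain comparisons.
        Returns (low_entries, high_entries); None means disabled."""
        total = self.available_ports()
        for pct in (self.threshold_low, self.threshold_high):
            if pct != THRESHOLD_DISABLED and not 0 <= pct <= 100:
                raise ValueError("threshold must be -1 or 0..100")
        low = high = None
        if self.threshold_low != THRESHOLD_DISABLED:
            # usage% <= low  <=>  entries <= floor(total * low / 100)
            low = total * self.threshold_low // 100
        if self.threshold_high != THRESHOLD_DISABLED:
            # usage% >= high  <=>  entries >= ceil(total * high / 100)
            high = -(-total * self.threshold_high // 100)
        return low, high


def most_mapped_protocol(entries_by_protocol: Dict[int, int]) -> Tuple[int, int]:
    """Return (protocol number, port map entries) for the most-mapped protocol.
    An empty table yields (0, 0), a constructed placeholder."""
    if not entries_by_protocol:
        return 0, 0
    proto = max(entries_by_protocol, key=entries_by_protocol.__getitem__)
    return proto, entries_by_protocol[proto]


def evaluate_pool(pool: Pool, entries_by_protocol: Dict[int, int]) -> Optional[dict]:
    """Decide whether a pool usage notification is triggered right now.

    entries_by_protocol maps protocol number -> current port map entries using
    addresses owned by this pool. Returns the notification name together with
    the two objects returned with it, or None. Rate limiting by
    natv2PortMapNotificationInterval is the caller's job.
    """
    low, high = pool.precompute_thresholds()
    proto, used = most_mapped_protocol(entries_by_protocol)
    if used > pool.available_ports():
        raise ValueError("more entries than ports: pool accounting is broken")
    if high is not None and used >= high:
        name = "natv2NotificationPoolUsageHigh"
    elif low is not None and used <= low:
        name = "natv2NotificationPoolUsageLow"
    else:
        return None
    return {"notification": name,
            "natv2PoolNotifiedPortMapProtocol": proto,
            "natv2PoolNotifiedPortMapEntries": used}


if __name__ == "__main__":
    # Constructed pool: four IPv4 addresses (RFC 5737 range), ports 1024-65535
    pool = Pool(1024, 65535, [PoolRange("203.0.113.0", "203.0.113.3")],
                threshold_low=10, threshold_high=90)
    print(pool.available_ports(), pool.precompute_thresholds())
    print(evaluate_pool(pool, {6: 240000, 17: 1000, 1: 10}))
```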
725 3.3.7. The Address Pool Address Range Table: natv2PoolRangeTable
727 natv2PoolRangeTable provides configuration information only. It is
728 an expansion of natv2PoolTable giving the address ranges with which a
729 given address pool has been configured. As such, it is indexed by
730 the combination of NAT instance index, address pool index, and a
731 conceptual row index, where each conceptual row conveys a different
732 address range. The address range is specified in terms of lowest
733 address and highest address rather than the usual prefix notation, to
734 provide maximum flexibility.
736 3.3.8. The Address Map Table: natv2AddressMapTable
738 The address map table provides a table of mappings from internal to
739 external address at a given moment. It is indexed by the combination
740 of NAT instance index, internal realm, internal address type (IPv4 or
741 IPv6) in that realm, the internal address of the local host for which
742 the map entry was created, and a conceptual row index to traverse all
743 of the entries relating to the same internal address.
745 In the special case of DS-Lite [RFC6333], the internal address and
746 realm used in the index are those of the IPv6 outer header. The IPv4
747 source address for the inner header, for which [RFC6333] has reserved
748 addresses in the 192.0.0.0/29 range, is captured in two additional
749 objects in the corresponding conceptual row:
750 natv2AddressMapInternalMappedAddressType, and
751 natv2AddressMapInternalMappedAddress. In cases other than DS-Lite
752 access these objects have no meaning. (Other tunneled access is out
753 of scope.)
755 The additional information provided by natv2AddressMapTable consists
756 of the external realm, address type in that realm, and mapped
757 external address. Depending on implementation support, the table
758 also provides the index of the address pool from which the external
759 address was drawn and the index of the subscriber to which the map
760 entry belongs.
762 3.3.9. The Port Map Table: natv2PortMapTable
764 The port map table provides a table of mappings by protocol from
765 external port, address, and realm to internal port, address, and
766 realm. As such, it is indexed by the combination of NAT instance
767 index, protocol number, external realm identifier, address type in
768 that realm, external address, and external port. The mapping from
769 external realm, address, and port to internal realm, address, and
770 port is unique, so no conceptual row index is needed. The indexing
771 is designed to make it easy to trace individual sessions back to the
772 host, based on the contents of packets observed in the external
773 realm.
775 Beyond the indexing, the information provided by the port map table
776 consists of the internal realm, address type, address, and port
777 number, and, depending on implementation support, the index of the
778 subscriber to which the map entry belongs.
780 As with the address map table, special provision is made for the case
781 of DS-Lite [RFC6333]. The realm and outgoing source address are
782 those for the outer header, and the address type is IPv6. Additional
783 objects natv2PortMapInternalMappedAddressType and
784 natv2PortMapInternalMappedAddress capture the outgoing source address
785 in the inner header, which will be in the well-known 192.0.0.0/29
786 range.
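The port map indexing of Section 3.3.9 and its DS-Lite provision, as an added example that is not the draft's own code: a lookup structure keyed by the table's INDEX columns, used to trace the NAT-side address and port seen in an external-realm packet back to the subscriber and internal host. Class names, realm names and all sample rows are constructed.

```python
# Added example, not part of the draft: a lookup structure keyed the way
# natv2PortMapTable is indexed (Section 3.3.9), used to trace a packet
# observed in the external realm back to the internal host. Class names,
# realm names and all sample rows are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DSLITE_INNER_RANGE = ipaddress.ip_network("192.0.0.0/29")  # reserved by RFC 6333

# INDEX columns: instance, protocol, external realm, address type (here the
# IP version), external address in canonical form, external port
PortMapKey = Tuple[int, int, str, int, str, int]


@dataclass(frozen=True)
class PortMapEntry:
    """Non-index columns of one natv2PortMapTable row."""
    int_realm: str
    int_addr: str                        # for DS-Lite: the outer-header IPv6 address
    int_port: int
    subscriber: int = 0                  # Natv2SubscriberIndexOrZero; 0 = unknown
    mapped_addr: Optional[str] = None    # natv2PortMapInternalMappedAddress (DS-Lite)


class PortMapTable:
    def __init__(self) -> None:
        self._rows: Dict[PortMapKey, PortMapEntry] = {}

    @staticmethod
    def key(instance: int, protocol: int, ext_realm: str,
            ext_addr: str, ext_port: int) -> PortMapKey:
        addr = ipaddress.ip_address(ext_addr)     # rejects garbage, canonicalizes
        if not 0 <= protocol <= 255 or not 0 <= ext_port <= 65535:
            raise ValueError("protocol or port out of range")
        return (instance, protocol, ext_realm, addr.version, str(addr), ext_port)

    def add(self, instance: int, protocol: int, ext_realm: str, ext_addr: str,
            ext_port: int, entry: PortMapEntry) -> None:
        k = self.key(instance, protocol, ext_realm, ext_addr, ext_port)
        if k in self._rows:
            # the external tuple identifies exactly one mapping, so the
            # table has no conceptual row index and duplicates are errors
            raise KeyError("duplicate port map key %r" % (k,))
        int_addr = ipaddress.ip_address(entry.int_addr)
        if entry.mapped_addr is not None:
            # DS-Lite: internal address is the outer IPv6 header; the inner
            # IPv4 source must come from the RFC 6333 reserved range
            if int_addr.version != 6:
                raise ValueError("DS-Lite internal address must be IPv6")
            if ipaddress.ip_address(entry.mapped_addr) not in DSLITE_INNER_RANGE:
                raise ValueError("DS-Lite inner address outside 192.0.0.0/29")
        self._rows[k] = entry

    def lookup(self, instance: int, protocol: int, ext_realm: str,
               ext_addr: str, ext_port: int) -> Optional[PortMapEntry]:
        return self._rows.get(self.key(instance, protocol, ext_realm, ext_addr, ext_port))


def trace_external_packet(table: PortMapTable, instance: int, protocol: int,
                          ext_realm: str, nat_addr: str, nat_port: int) -> Optional[dict]:
    """Resolve the NAT-side address/port seen in an external-realm packet
    (source for outbound, destination for inbound) to the internal endpoint."""
    entry = table.lookup(instance, protocol, ext_realm, nat_addr, nat_port)
    if entry is None:
        return None
    if entry.mapped_addr is not None:
        host, tunnel = entry.mapped_addr, entry.int_addr   # DS-Lite: inner + outer
    else:
        host, tunnel = entry.int_addr, None
    return {"subscriber": entry.subscriber, "internal_realm": entry.int_realm,
            "host": host, "port": entry.int_port, "tunnel_endpoint": tunnel}


if __name__ == "__main__":
    # Constructed rows: one plain IPv4 mapping and one DS-Lite mapping
    t = PortMapTable()
    t.add(1, 6, "external", "198.51.100.7", 40000,
          PortMapEntry("internal", "10.0.0.5", 5555, subscriber=42))
    t.add(1, 6, "external", "198.51.100.7", 40001,
          PortMapEntry("internal", "2001:db8::a", 5555, subscriber=43,
                       mapped_addr="192.0.0.2"))
    print(trace_external_packet(t, 1, 6, "external", "198.51.100.7", 40001))
```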
788 3.4. Conformance: Three Application Scenarios
790 The conformance statements in NATV2-MIB provide for three application
791 scenarios: basic NAT, NAT supporting address pools, and carrier grade
792 NAT (CGN).
794 A basic NAT MAY limit the number of NAT instances it supports to one,
795 but MUST support indexing by NAT instance. Similarly, a basic NAT
796 MAY limit the number of realms it supports to two. By definition, a
797 basic NAT is not required to support the subscriber table, the
798 address pool table, or the address pool address range table. Some
799 individual objects in other tables are also not relevant to basic
800 NAT.
802 A NAT supporting address pools adds the address pool table and the
803 address pool address range table to what it implements. Some
804 individual objects in other tables also need to be implemented. A
805 NAT supporting address pools MUST support more than two realms.
807 Finally, a CGN MUST support the full contents of the MIB module.
808 That includes the subscriber table, but also includes the special
809 provision for DS-Lite access in the address and port map tables.
811 4. Definitions
813 This MIB module IMPORTs objects from [RFC2578], [RFC2579], [RFC2580],
814 [RFC3411], and [RFC4001].
816 NATV2-MIB DEFINITIONS ::= BEGIN
818 IMPORTS
819 MODULE-IDENTITY,
820 OBJECT-TYPE,
821 Integer32,
822 Unsigned32,
823 Counter64,
824 mib-2,
825 NOTIFICATION-TYPE
826 FROM SNMPv2-SMI -- RFC 2578
827 TEXTUAL-CONVENTION,
828 DisplayString,
829 TimeStamp
830 FROM SNMPv2-TC -- RFC 2579
831 MODULE-COMPLIANCE,
832 NOTIFICATION-GROUP,
833 OBJECT-GROUP
834 FROM SNMPv2-CONF -- RFC 2580
835 SnmpAdminString
836 FROM SNMP-FRAMEWORK-MIB -- RFC 3411
837 InetAddressType,
838 InetAddress,
839 InetAddressPrefixLength,
840 InetPortNumber
841 FROM INET-ADDRESS-MIB; -- RFC 4001
843 natv2MIB MODULE-IDENTITY
844 LAST-UPDATED "201502170000Z"
845 -- RFC Ed.: set to publication date
846 ORGANIZATION
847 "IETF Behavior Engineering for Hindrance
848 Avoidance (BEHAVE) Working Group"
849 CONTACT-INFO
850 "Working Group Email: behave@ietf.org
852 Simon Perreault
853 Jive Communications
854 Quebec, QC
855 Canada
857 Email: sperreault@jive.com
859 Tina Tsou
860 Huawei Technologies
861 Bantian, Longgang
862 Shenzhen 518129
863 PR China
865 Email: tina.tsou.zouting@huawei.com
867 Senthil Sivakumar
868 Cisco Systems
869 7100-8 Kit Creek Road
870 Research Triangle Park, North Carolina 27709
871 USA
873 Phone: +1 919 392 5158
874 Email: ssenthil@cisco.com
876 Tom Taylor
877 PT Taylor Consulting
878 Ottawa
879 Canada
881 Email: tom.taylor.stds@gmail.com"
883 DESCRIPTION
884 "This MIB module defines the generic managed objects
885 for NAT.
887 Copyright (C) The Internet Society (2015). This
888 version of this MIB module is part of RFC yyyy; see
889 the RFC itself for full legal notices."
890 REVISION "201502170000Z"
891 -- RFC Ed.: set to publication date
892 DESCRIPTION
893 "Complete rewrite, published as RFC yyyy.
894 Replaces former version published as RFC 4008."
895 -- RFC Ed.: replace yyyy with actual RFC number and set date
896 ::= { mib-2 123 }
897 -- temporary for compilation pending IANA assignment
899 -- textual conventions
900 ProtocolNumber ::= TEXTUAL-CONVENTION
901 DISPLAY-HINT "d"
902 STATUS current
903 DESCRIPTION
904 "A protocol number, from the 'protocol-numbers' IANA
905 registry."
906 REFERENCE
907 "IANA Protocol Numbers,
908 http://www.iana.org/assignments/protocol-numbers
909 /protocol-numbers.xhtml#protocol-numbers-1"
910 SYNTAX Unsigned32 (0..255)
912 Natv2SubscriberIndex ::= TEXTUAL-CONVENTION
913 DISPLAY-HINT "d"
914 STATUS current
915 DESCRIPTION
916 "A unique value, greater than zero, for each subscriber
917 in the managed system. The value for each
918 subscriber MUST remain constant at least from one
919 update of the entity's natv2SubscriberDiscontinuityTime
920 object until the next update of that object. If a
921 subscriber is deleted, its assigned index value MUST NOT
922 be assigned to another subscriber at least until
923 reinitialization of the entity's management system."
924 SYNTAX Unsigned32 (1..4294967295)
926 Natv2SubscriberIndexOrZero ::= TEXTUAL-CONVENTION
927 DISPLAY-HINT "d"
928 STATUS current
929 DESCRIPTION
930 "This textual convention is an extension of the
931 Natv2SubscriberIndex convention. The latter defines a
932 greater than zero value used to identify a subscriber in
933 the managed system. This extension permits the additional
934 value of zero, which serves as a placeholder when no
935 subscriber is associated with the object."
936 SYNTAX Unsigned32 (0|1..4294967295)
938 Natv2InstanceIndex ::= TEXTUAL-CONVENTION
939 DISPLAY-HINT "d"
940 STATUS current
941 DESCRIPTION
942 "A unique value, greater than zero, for each NAT instance
943 in the managed system. It is RECOMMENDED that values are
944 assigned contiguously starting from 1. The value for each
945 NAT instance MUST remain constant at least from one
946 update of the entity's natv2InstanceDiscontinuityTime
947 object until the next update of that object. If a NAT
948 instance is deleted, its assigned index value MUST NOT
949 be assigned to another NAT instance at least until
950 reinitialization of the entity's management system."
951 SYNTAX Unsigned32 (1..4294967295)
953 Natv2PoolIndex ::= TEXTUAL-CONVENTION
954 DISPLAY-HINT "d"
955 STATUS current
956 DESCRIPTION
957 "A unique value over the containing NAT instance, greater than
958 zero, for each address pool supported by that NAT instance.
959 It is RECOMMENDED that values are assigned contiguously
960 starting from 1. The value for each address pool MUST remain
961 constant at least from one update of the entity's
962 natv2PoolDiscontinuityTime object until the next update of
963 that object. If an address pool is deleted, its assigned
964 index value MUST NOT be assigned to another address pool for
965 the same NAT instance at least until reinitialization of the
966 entity's management system."
967 SYNTAX Unsigned32 (1..4294967295)
969 Natv2PoolIndexOrZero ::= TEXTUAL-CONVENTION
970 DISPLAY-HINT "d"
971 STATUS current
972 DESCRIPTION
973 "This textual convention is an extension of the
974 Natv2PoolIndex convention. The latter defines a greater
975 than zero value used to identify address pools in the
976 managed system. This extension permits the additional
977 value of zero, which serves as a placeholder when the
978 implementation does not support address pools or no address
979 pool is configured in a given external realm."
980 SYNTAX Unsigned32 (0|1..4294967295)
982 -- notifications
984 natv2MIBNotifications OBJECT IDENTIFIER ::= { natv2MIB 0 }
986 natv2NotificationPoolUsageLow NOTIFICATION-TYPE
987 OBJECTS { natv2PoolNotifiedPortMapEntries,
988 natv2PoolNotifiedPortMapProtocol }
989 STATUS current
990 DESCRIPTION
991 "This notification is triggered when an address pool's usage
992 becomes less than or equal to the value of the
993 natv2PoolThresholdUsageLow object for that pool, unless the
994 notification has been disabled by setting the value of the
995 threshold to -1. It is reported subject to the rate
996 limitation specified by natv2PortMapNotificationInterval.
998 Address pool usage is calculated as the percentage of the
999 total number of ports allocated to the address pool that are
1000 already in use, for the most-mapped protocol at the time
1001 the notification is triggered. The two returned objects are
1002 members of natv2PoolTable indexed by the NAT instance and
1003 pool indices for which the event is being reported. They
1004 give the number of port map entries using external addresses
1005 configured on the pool for the most-mapped protocol and
1006 identify that protocol at the time the notification was
1007 triggered."
1008 REFERENCE
1009 "RFC yyyy Section 3.1.2 and Section 3.3.6."
1010 ::= { natv2MIBNotifications 1 }
1012 natv2NotificationPoolUsageHigh NOTIFICATION-TYPE
1013 OBJECTS { natv2PoolNotifiedPortMapEntries,
1014 natv2PoolNotifiedPortMapProtocol }
1015 STATUS current
1016 DESCRIPTION
1017 "This notification is triggered when an address pool's usage
1018 becomes greater than or equal to the value of the
1019 natv2PoolThresholdUsageHigh object for that pool, unless
1020 the notification has been disabled by setting the value of
1021 the threshold to -1. It is reported subject to the rate
1022 limitation specified by natv2PortMapNotificationInterval.
1024 Address pool usage is calculated as the percentage of the
1025 total number of ports allocated to the address pool that are
1026 already in use, for the most-mapped protocol at the time the
1027 notification is triggered. The two returned objects are
1028 members of natv2PoolTable indexed by the NAT instance and
1029 pool indices for which the event is being reported. They
1030 give the number of port map entries using external addresses
1031 configured on the pool for the most-mapped protocol and
1032 identify that protocol at the time the notification was
1033 triggered."
1034 REFERENCE
1035 "RFC yyyy Section 3.1.2 and Section 3.3.6."
1036 ::= { natv2MIBNotifications 2 }
1038 natv2NotificationInstanceAddressMapEntriesHigh NOTIFICATION-TYPE
1039 OBJECTS { natv2InstanceAddressMapEntries,
1040 natv2InstanceAddressMapCreations }
1041 STATUS current
1042 DESCRIPTION
1043 "This notification is triggered when the value of
1044 natv2InstanceAddressMapEntries equals or exceeds the value
1045 of the natv2InstanceThresholdAddressMapEntriesHigh object
1046 for the NAT instance, unless disabled by setting that
1047 threshold to -1. Reporting is subject to the rate limitation
1048 given by natv2InstanceNotificationInterval.
1050 natv2InstanceAddressMapEntries and
1051 natv2InstanceAddressMapCreations are members of table
1052 natv2InstanceTable indexed by the identifier of the NAT
1053 instance for which the event is being reported. The values
1054 reported are those observed at the moment the notification
1055 was triggered."
1056 REFERENCE
1057 "RFC yyyy Section 3.1.2."
1058 ::= { natv2MIBNotifications 3 }
1060 natv2NotificationInstancePortMapEntriesHigh NOTIFICATION-TYPE
1061 OBJECTS { natv2InstancePortMapEntries,
1062 natv2InstancePortMapCreations }
1063 STATUS current
1064 DESCRIPTION
1065 "This notification is triggered when the value of
1066 natv2InstancePortMapEntries becomes greater than or equal
1067 to the value of natv2InstanceThresholdPortMapEntriesHigh,
1068 unless disabled by setting that threshold to -1. Reporting
1069 is subject to the rate limitation given by
1070 natv2InstanceNotificationInterval.
1072 natv2InstancePortMapEntries and
1073 natv2InstancePortMapCreations are members of table
1074 natv2InstanceTable indexed by the identifier of the NAT
1075 instance for which the event is being reported. The values
1076 reported are those observed at the moment the notification
1077 was triggered."
1078 ::= { natv2MIBNotifications 4 }
1080 natv2NotificationSubscriberPortMappingEntriesHigh
1081 NOTIFICATION-TYPE
1082 OBJECTS { natv2SubscriberPortMapEntries,
1083 natv2SubscriberPortMapCreations }
1084 STATUS current
1085 DESCRIPTION
1086 "This notification is triggered when the value of
1087 natv2SubscriberPortMapEntries for an individual subscriber
1088 becomes greater than or equal to the value of the
1089 natv2SubscriberThresholdPortMapEntriesHigh object for that
1090 subscriber, unless disabled by setting that threshold to -1.
1092 Reporting is subject to the rate limitation given by
1093 natv2SubscriberNotificationInterval.
1095 natv2SubscriberPortMapEntries and
1096 natv2SubscriberPortMapCreations are members of table
1097 natv2SubscriberTable indexed by the subscriber for
1098 which the event is being reported. The values
1099 reported are those observed at the moment the notification
1100 was triggered."
1101 ::= { natv2MIBNotifications 5 }
1103 -- Device-level objects
1105 natv2MIBDeviceObjects OBJECT IDENTIFIER ::= { natv2MIB 1 }
1107 -- subscriber table
1109 natv2SubscriberTable OBJECT-TYPE
1110 SYNTAX SEQUENCE OF Natv2SubscriberEntry
1111 MAX-ACCESS not-accessible
1112 STATUS current
1113 DESCRIPTION
1114 "Table of subscribers. As well as the subscriber index, it
1115 provides per-subscriber state and counter objects, a last
1116 discontinuity time object for the counters, and writable
1117 threshold value and limit on port consumption."
1118 REFERENCE
1119 "RFC yyyy Section 3.3.3."
1120 ::= { natv2MIBDeviceObjects 1 }
1122 natv2SubscriberEntry OBJECT-TYPE
1123 SYNTAX Natv2SubscriberEntry
1124 MAX-ACCESS not-accessible
1125 STATUS current
1126 DESCRIPTION
1127 "Each entry describes a single subscriber."
1128 INDEX { natv2SubscriberIndex }
1129 ::= { natv2SubscriberTable 1 }
1131 Natv2SubscriberEntry ::=
1132 SEQUENCE {
1133 natv2SubscriberIndex Natv2SubscriberIndex,
1134 natv2SubscriberInternalRealm SnmpAdminString,
1135 natv2SubscriberInternalPrefixType InetAddressType,
1136 natv2SubscriberInternalPrefix InetAddress,
1137 natv2SubscriberInternalPrefixLength InetAddressPrefixLength,
1138 -- State
1139 natv2SubscriberAddressMapEntries Unsigned32,
1140 natv2SubscriberPortMapEntries Unsigned32,
1141 -- Counters and last discontinuity time
1142 natv2SubscriberTranslations Counter64,
1143 natv2SubscriberAddressMapCreations Counter64,
1144 natv2SubscriberPortMapCreations Counter64,
1145 natv2SubscriberAddressMapFailureDrops Counter64,
1146 natv2SubscriberPortMapFailureDrops Counter64,
1147 natv2SubscriberDiscontinuityTime TimeStamp,
1148 -- Read-write controls
1149 -- Disable limit by setting to 0
1150 natv2SubscriberLimitPortMapEntries Unsigned32,
1151 -- Disable notifications by setting threshold to -1
1152 natv2SubscriberThresholdPortMapEntriesHigh Integer32,
1153 natv2SubscriberNotificationInterval Unsigned32
1154 }
1156 natv2SubscriberIndex OBJECT-TYPE
1157 SYNTAX Natv2SubscriberIndex
1158 MAX-ACCESS not-accessible
1159 STATUS current
1160 DESCRIPTION
1161 "A unique value, greater than zero, for each subscriber
1162 in the managed system. The value for each
1163 subscriber MUST remain constant at least from one
1164 update of the entity's natv2SubscriberDiscontinuityTime
1165 object until the next update of that object. If a
1166 subscriber is deleted, its assigned index value MUST NOT
1167 be assigned to another subscriber at least until
1168 reinitialization of the entity's management system."
1169 ::= { natv2SubscriberEntry 1 }
1171 -- Configuration for this subscriber: realm, internal address(es)
1173 natv2SubscriberInternalRealm OBJECT-TYPE
1174 SYNTAX SnmpAdminString (SIZE(0..32))
1175 MAX-ACCESS read-only
1176 STATUS current
1177 DESCRIPTION
1178 "The address realm to which this subscriber belongs. A realm
1179 defines an address space. All NATs support at least two
1180 realms.
1182 The default realm for subscribers is 'internal'.
1183 Administrators can set other values for individual
1184 subscribers when they are configured. The administrator MAY
1185 configure a new value of natv2SubscriberInternalRealm at any time
1186 subsequent to initial configuration of the subscriber. If
1187 this happens, it MUST be treated as a point of discontinuity
1188 requiring an update of natv2SubscriberDiscontinuityTime.
1190 When the subscriber sends a packet to the NAT through a
1191 DS-Lite [RFC 6333] tunnel, this is the realm of the outer
1192 packet header source address. Other tunneled access is out
1193 of scope."
1194 REFERENCE
1195 "Address realm: RFC 2663. DS-Lite: RFC 6333."
1196 DEFVAL
1197 { "internal" }
1198 ::= { natv2SubscriberEntry 2 }
1200 natv2SubscriberInternalPrefixType OBJECT-TYPE
1201 SYNTAX InetAddressType
1202 MAX-ACCESS read-only
1203 STATUS current
1204 DESCRIPTION
1205 "Subscriber's internal prefix type. Any value other than
1206 ipv4(1) or ipv6(2) would be unexpected. In the case of
1207 DS-Lite access, this is the prefix type (ipv6(2)) used in
1208 the outer packet header."
1209 REFERENCE
1210 "DS-Lite: RFC 6333."
1211 ::= { natv2SubscriberEntry 3 }
1213 natv2SubscriberInternalPrefix OBJECT-TYPE
1214 SYNTAX InetAddress
1215 MAX-ACCESS read-only
1216 STATUS current
1217 DESCRIPTION
1218 "Prefix assigned to a subscriber's CPE. The type of this
1219 prefix is given by natv2SubscriberInternalPrefixType. Source
1220 addresses of packets outgoing from the subscriber will be
1221 contained within this prefix. In the case of DS-Lite
1222 access, the source address taken from the prefix will be
1223 that of the outer header."
1224 REFERENCE
1225 "DS-Lite: RFC 6333."
1226 ::= { natv2SubscriberEntry 4 }
1228 natv2SubscriberInternalPrefixLength OBJECT-TYPE
1229 SYNTAX InetAddressPrefixLength
1230 MAX-ACCESS read-only
1231 STATUS current
1232 DESCRIPTION
1233 "Length of the prefix assigned to a subscriber's CPE, in
1234 bits. If a single address is assigned, this will be 32
1235 for IPv4 and 128 for IPv6."
1236 ::= { natv2SubscriberEntry 5 }
1238 -- State objects
1240 natv2SubscriberAddressMapEntries OBJECT-TYPE
1241 SYNTAX Unsigned32
1242 MAX-ACCESS read-only
1243 STATUS current
1244 DESCRIPTION
1245 "The current number of address map entries for the
1246 subscriber, including static mappings. An address map entry
1247 maps from a given internal address and realm to an external
1248 address in a particular external realm. This definition
1249 includes 'hairpin' mappings, where the external realm is the
1250 same as the internal one. Address map entries are also
1251 tracked per instance and per address pool within the
1252 instance."
1253 REFERENCE
1254 "RFC yyyy Section 3.3.8."
1255 ::= { natv2SubscriberEntry 6 }
1257 natv2SubscriberPortMapEntries OBJECT-TYPE
1258 SYNTAX Unsigned32
1259 MAX-ACCESS read-only
1260 STATUS current
1261 DESCRIPTION
1262 "The current number of port map entries in the port map table
1263 for the subscriber, including static mappings. A port map
1264 entry maps from a given external realm, address, and port
1265 for a given protocol to an internal realm, address, and
1266 port. This definition includes 'hairpin' mappings, where the
1267 external realm is the same as the internal one. Port map
1268 entries are also tracked per instance and per protocol and
1269 address pool within the instance."
1270 REFERENCE
1271 "RFC yyyy Section 3.3.9."
1272 ::= { natv2SubscriberEntry 7 }
1274 -- Counters and last discontinuity time
1276 natv2SubscriberTranslations OBJECT-TYPE
1277 SYNTAX Counter64
1278 MAX-ACCESS read-only
1279 STATUS current
1280 DESCRIPTION
1281 "The cumulative number of translated packets received from or
1282 sent to this subscriber. This value MUST be monotone
1283 increasing in the periods between updates of the entity's
1284 natv2SubscriberDiscontinuityTime. If a manager detects a
1285 change in the latter since the last time it sampled this
1286 counter, it SHOULD NOT make use of the difference between
1287 the latest value of the counter and any value retrieved
1288 before the new value of natv2SubscriberDiscontinuityTime."
1289 ::= { natv2SubscriberEntry 8 }
1291 natv2SubscriberAddressMapCreations OBJECT-TYPE
1292 SYNTAX Counter64
1293 MAX-ACCESS read-only
1294 STATUS current
1295 DESCRIPTION
1296 "The cumulative number of address map entries created for
1297 this subscriber, including static mappings. Address map
1298 entries are also tracked per instance and per protocol and
1299 address pool within the instance.
1301 This value MUST be monotone increasing in
1302 the periods between updates of the entity's
1303 natv2SubscriberDiscontinuityTime. If a manager detects a
1304 change in the latter since the last time it sampled this
1305 counter, it SHOULD NOT make use of the difference between
1306 the latest value of the counter and any value retrieved
1307 before the new value of natv2SubscriberDiscontinuityTime."
1308 ::= { natv2SubscriberEntry 9 }
1310 natv2SubscriberPortMapCreations OBJECT-TYPE
1311 SYNTAX Counter64
1312 MAX-ACCESS read-only
1313 STATUS current
1314 DESCRIPTION
1315 "The cumulative number of port map entries created for this
1316 subscriber, including static mappings. Port map entries are
1317 also tracked per instance and per protocol and address pool
1318 within the instance.
1320 This value MUST be monotone increasing in the periods
1321 between updates of the entity's
1322 natv2SubscriberDiscontinuityTime. If a manager detects a
1323 change in the latter since the last time it sampled this
1324 counter, it SHOULD NOT make use of the difference between
1325 the latest value of the counter and any value retrieved
1326 before the new value of natv2SubscriberDiscontinuityTime."
1327 ::= { natv2SubscriberEntry 10 }
1329 natv2SubscriberAddressMapFailureDrops OBJECT-TYPE
1330 SYNTAX Counter64
1331 MAX-ACCESS read-only
1332 STATUS current
1333 DESCRIPTION
1334 "The cumulative number of packets originated by this
1335 subscriber that were dropped because the packet would have
1336 triggered the creation of a new address map entry, but no
1337 address could be allocated in the selected external realm
1338 because all addresses from the selected address pool (or the
1339 whole realm, if no address pool has been configured for that
1340 realm) have already been fully allocated.
1342 This value MUST be monotone increasing in the periods
1343 between updates of the entity's
1344 natv2SubscriberDiscontinuityTime. If a manager detects a
1345 change in the latter since the last time it sampled this
1346 counter, it SHOULD NOT make use of the difference between
1347 the latest value of the counter and any value retrieved
1348 before the new value of natv2SubscriberDiscontinuityTime."
1349 ::= { natv2SubscriberEntry 11 }
1351 natv2SubscriberPortMapFailureDrops OBJECT-TYPE
1352 SYNTAX Counter64
1353 MAX-ACCESS read-only
1354 STATUS current
1355 DESCRIPTION
1356 "The cumulative number of packets dropped because the
1357 packet would have triggered the creation of a new
1358 port mapping, but no port could be allocated for the
1359 protocol concerned. The usual case for this will be
1360 for a NAT instance that supports address pooling and
1361 the 'paired' pooling behavior recommended by RFC 4787,
1362 where the internal endpoint has used up all of the
1363 ports allocated to it for the address it was mapped to
1364 in the selected address pool in the external realm
1365 concerned and cannot be given more ports because
1366 - policy or implementation prevents it from having a
1367 second address in the same pool, and
1368 - policy or unavailability prevents it from acquiring
1369 more ports at its originally assigned address.
1371 If the NAT instance supports address pooling but its
1372 pooling behavior is 'arbitrary' (meaning that
1373 the NAT instance can allocate a new port mapping for
1374 the given internal endpoint on any address in the
1375 selected address pool and is not bound to what it has
1376 already mapped for that endpoint), then this counter
1377 is incremented when all ports for the protocol concerned
1378 over the whole of the selected address pool are already
1379 in use.
1381 As a third case, if no address pools have been configured
1382 for the external realm concerned, then this counter is
1383 incremented because all ports for the protocol involved over
1384 the whole set of addresses available for that external realm
1385 are already in use.
1387 Finally, this counter is incremented if the packet would
1388 have triggered the creation of a new port mapping, but the
1389 current value of natv2SubscriberPortMapEntries equals or
1390 exceeds the value of natv2SubscriberLimitPortMapEntries
1391 for this subscriber (unless that limit is disabled).
1393 This value MUST be monotone increasing in the periods
1394 between updates of the entity's
1395 natv2SubscriberDiscontinuityTime. If a manager detects a
1396 change in the latter since the last time it sampled this
1397 counter, it SHOULD NOT make use of the difference between
1398 the latest value of the counter and any value retrieved
1399 before the new value of natv2SubscriberDiscontinuityTime."
1400 REFERENCE
1401 "Pooling behavior: RFC 4787, end of section 4.1."
1402 ::= { natv2SubscriberEntry 12 }
1404 natv2SubscriberDiscontinuityTime OBJECT-TYPE
1405 SYNTAX TimeStamp
1406 MAX-ACCESS read-only
1407 STATUS current
1408 DESCRIPTION
1409 "Snapshot of the value of the sysUpTime object at the
1410 beginning of the latest period of continuity of the
1411 statistical counters associated with this subscriber."
1412 ::= { natv2SubscriberEntry 14 }
1414 -- Per-subscriber limit and threshold on port mappings
1415 -- Disabled if set to zero
1416 natv2SubscriberLimitPortMapEntries OBJECT-TYPE
1417 SYNTAX Unsigned32
1418 MAX-ACCESS read-write
1419 STATUS current
1420 DESCRIPTION
1421 "Limit on total number of port mappings active for this
1422 subscriber (natv2SubscriberPortMapEntries). Once this limit
1423 is reached, packets that might have triggered new port
1424 mappings are dropped. The number of such packets dropped is
1425 counted in natv2SubscriberPortMapFailureDrops.
1427 Limit is disabled if set to zero."
1428 DEFVAL
1429 { 0 }
1430 ::= { natv2SubscriberEntry 15 }
1432 natv2SubscriberThresholdPortMapEntriesHigh OBJECT-TYPE
1433 SYNTAX Integer32
1434 MAX-ACCESS read-write
1435 STATUS current
1436 DESCRIPTION
1437 "Notification threshold for total number of port mappings
1438 active for this subscriber. Whenever
1439 natv2SubscriberPortMapEntries is updated, if it equals or
1440 exceeds natv2SubscriberThresholdPortMapEntriesHigh, the
1441 notification
1442 natv2NotificationSubscriberPortMappingEntriesHigh is
1443 triggered, unless the notification is disabled by setting
1444 the threshold to -1. Reporting is subject to the minimum
1445 inter-notification interval given by
1446 natv2SubscriberNotificationInterval. If multiple
1447 notifications are triggered during one interval, the agent
1448 MUST report only the one containing the highest value of
1449 natv2SubscriberPortMapEntries and discard the others."
1450 DEFVAL
1451 { -1 }
1452 ::= { natv2SubscriberEntry 16 }
1454 natv2SubscriberNotificationInterval OBJECT-TYPE
1455 SYNTAX Unsigned32 (1..3600)
1456 UNITS
1457 "Seconds"
1458 MAX-ACCESS read-write
1459 STATUS current
1460 DESCRIPTION
1461 "Minimum number of seconds between successive
1462 reporting of notifications for this subscriber. Controls the
1463 reporting of
1464 natv2NotificationSubscriberPortMappingEntriesHigh."
1465 DEFVAL
1466 { 60 }
1467 ::= { natv2SubscriberEntry 17 }
1469 -- Per-NAT-instance objects
1471 natv2MIBInstanceObjects OBJECT IDENTIFIER ::= { natv2MIB 2 }
1473 -- Instance table
1474 natv2InstanceTable OBJECT-TYPE
1475 SYNTAX SEQUENCE OF Natv2InstanceEntry
1476 MAX-ACCESS not-accessible
1477 STATUS current
1478 DESCRIPTION
1479 "Table of NAT instances. As well as state and counter
1480 objects, it provides the instance index, instance name, and
1481 the last discontinuity time object which is applicable to
1482 the counters. It also contains writable thresholds for
1483 reporting of notifications and limits on usage of resources
1484 at the level of the NAT instance.
1486 It is assumed that NAT instances can be created and deleted
1487 dynamically, but this MIB module does not provide the means
1488 to do so. For restrictions on assignment and maintenance of
1489 the NAT instance index, see the description of
1490 natv2InstanceIndex in the table below. For the requirements
1491 on maintenance of the values of the counters in this table
1492 see the description of natv2InstanceDiscontinuityTime in
1493 this table.
1495 Each NAT instance has its own resources and behavior. The
1496 resources include memory as reflected in space for map
1497 entries, processing power as reflected in the rate of map
1498 creation and deletion, and mappable addresses in each realm
1499 that can play the role of an external realm for at least
1500 some mappings for that instance. The NAT instance table
1501 includes limits and notification thresholds that relate to
1502 memory usage for mapping at the level of the whole instance.
1503 The limit on number of subscribers with active mappings is a
1504 limit to some extent on processor usage.
1506 The mappable 'external' addresses may or may not be
1507 organized into address pools. For a definition of address
1508 pools see the description of natv2PoolTable. If the instance
1509 does support address pools, it also has a pooling behavior.
1510 Mapping, filtering, and pooling behavior are defined in the
1511 descriptions of the natv2InstancePortMappingBehavior,
1512 natv2InstanceFilteringBehavior, and
1513 natv2InstancePoolingBehavior objects in this table. The
1514 instance also has a fragmentation behavior, defined in the
1515 description of the natv2InstanceFragmentBehavior object."
1516 REFERENCE
1517 "RFC yyyy Section 3.3.4. NAT behaviors: RFC 4787
1518 (primary, UDP); RFC 5382 (TCP), RFC 5508 (ICMP), RFC 5597
1519 (DCCP)."
1520 ::= { natv2MIBInstanceObjects 1 }
1522 natv2InstanceEntry OBJECT-TYPE
1523 SYNTAX Natv2InstanceEntry
1524 MAX-ACCESS not-accessible
1525 STATUS current
1526 DESCRIPTION
1527 "Objects related to a single NAT instance."
1528 INDEX { natv2InstanceIndex }
1529 ::= { natv2InstanceTable 1 }
1531 Natv2InstanceEntry ::=
1532 SEQUENCE {
1533 natv2InstanceIndex Natv2InstanceIndex,
1534 natv2InstanceAlias DisplayString,
1535 -- Configured behaviors
1536 natv2InstancePortMappingBehavior INTEGER,
1537 natv2InstanceFilteringBehavior INTEGER,
1538 natv2InstancePoolingBehavior INTEGER,
1539 natv2InstanceFragmentBehavior INTEGER,
1540 -- State
1541 natv2InstanceAddressMapEntries Unsigned32,
1542 natv2InstancePortMapEntries Unsigned32,
1543 -- Statistics and discontinuity time
1544 natv2InstanceTranslations Counter64,
1545 natv2InstanceAddressMapCreations Counter64,
1546 natv2InstancePortMapCreations Counter64,
1547 natv2InstanceAddressMapEntryLimitDrops Counter64,
1548 natv2InstancePortMapEntryLimitDrops Counter64,
1549 natv2InstanceSubscriberActiveLimitDrops Counter64,
1550 natv2InstanceAddressMapFailureDrops Counter64,
1551 natv2InstancePortMapFailureDrops Counter64,
1552 natv2InstanceFragmentDrops Counter64,
1553 natv2InstanceOtherResourceFailureDrops Counter64,
1554 natv2InstanceDiscontinuityTime TimeStamp,
1555 -- Notification thresholds, disabled if set to -1
1556 natv2InstanceThresholdAddressMapEntriesHigh Integer32,
1557 natv2InstanceThresholdPortMapEntriesHigh Integer32,
1558 natv2InstanceNotificationInterval Unsigned32,
1559 -- Limits, disabled if set to 0
1560 natv2InstanceLimitAddressMapEntries Unsigned32,
1561 natv2InstanceLimitPortMapEntries Unsigned32,
1562 natv2InstanceLimitPendingFragments Unsigned32,
1563 natv2InstanceLimitSubscriberActives Unsigned32
1564 }
1566 natv2InstanceIndex OBJECT-TYPE
1567 SYNTAX Natv2InstanceIndex
1568 MAX-ACCESS not-accessible
1569 STATUS current
1570 DESCRIPTION
1571 "NAT instance index. It is up to the implementation to
1572 determine which values correspond to in-service NAT
1573 instances. This object is used as an index for all tables
1574 defined below."
1575 ::= { natv2InstanceEntry 1 }
1577 natv2InstanceAlias OBJECT-TYPE
1578 SYNTAX DisplayString (SIZE (0..64))
1579 MAX-ACCESS read-only
1580 STATUS current
1581 DESCRIPTION
1582 "This object is an 'alias' name for the NAT instance as
1583 specified by a network manager, and provides a non-volatile
1584 'handle' for the instance.
1586 An example of the value which a network manager might store
1587 in this object for a NAT instance is the name/identifier of
1588 the interface that brings in internal traffic for this NAT
1589 instance or the name of the VRF for internal traffic."
1590 ::= { natv2InstanceEntry 2 }
1592 -- Configured behaviors
1594 natv2InstancePortMappingBehavior OBJECT-TYPE
1595 SYNTAX INTEGER {
1596 endpointIndependent (0),
1597 addressDependent (1),
1598 addressAndPortDependent (2)
1599 }
1600 MAX-ACCESS read-only
1601 STATUS current
1602 DESCRIPTION
1603 "Port mapping behavior is the policy governing selection of
1604 external address and port in a given realm for a given
1605 five-tuple of source address and port, destination address
1606 and port, and protocol.
1608 endpointIndependent(0), the behavior REQUIRED by RFC 4787
1609 REQ-1, maps the source address and port to the same
1610 external address and port for all destination address and
1611 port combinations reached through the same external realm
1612 and using the given protocol.
1614 addressDependent(1) maps to the same external address and
1615 port for all destination ports at the same destination
1616 address reached through the same external realm and using
1617 the given protocol.
1619 addressAndPortDependent(2) maps to a separate external
1620 address and port combination for each different
1621 destination address and port combination reached through
1622 the same external realm."
1623 REFERENCE
1624 "RFC 4787 section 4.1."
1625 ::= { natv2InstanceEntry 3 }
1627 natv2InstanceFilteringBehavior OBJECT-TYPE
1628 SYNTAX INTEGER {
1629 endpointIndependent (0),
1630 addressDependent (1),
1631 addressAndPortDependent (2)
1632 }
1633 MAX-ACCESS read-only
1634 STATUS current
1635 DESCRIPTION
1636 "Filtering behavior is the policy governing acceptance or
1637 dropping of packets incoming from remote sources via a
1638 given external realm and destined to a specific three-tuple
1639 of external address, port, and protocol at the NAT instance
1640 that has been assigned in a port mapping.
1642 endpointIndependent(0) accepts for translation packets from
1643 all combinations of remote address and port destined to the
1644 mapped external address and port via the given external
1645 realm and using the given protocol.
1647 addressDependent(1) accepts for translation packets from all
1648 remote ports from the same remote source address destined to
1649 the mapped external address and port via the given external
1650 realm and using the given protocol.
1652 addressAndPortDependent(2) accepts for translation only
1653 those packets with the same remote source address, port, and
1654 protocol incoming from the same external realm as identified
1655 when the applicable port map entry was created.
1657 RFC 4787 REQ-8 recommends either endpointIndependent(0) or
1658 addressDependent(1) filtering behavior depending on whether
1659 application-friendliness or security takes priority."
1660 REFERENCE
1661 "RFC 4787 section 5."
1662 ::= { natv2InstanceEntry 4 }
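The two behavior objects above are easier to reason about as code than as prose: the mapping behavior decides which parts of the five-tuple select the external address and port, and the filtering behavior decides which remote endpoints may send inbound through that mapping. The following Python is an added example written for this page, not code from the draft or from any NAT implementation. It models a single external realm with one external address; Endpoint, NatModel, meets_rfc4787 and the RFC 5737 documentation addresses used in the assertions are this example's own constructions.

```python
"""Model of the RFC 4787 mapping and filtering behaviors enumerated by
natv2InstancePortMappingBehavior and natv2InstanceFilteringBehavior.

Added example, not part of the NATV2-MIB text.  Endpoint, NatModel and
the single-realm, single-address layout are this example's assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Set, Tuple

UDP = 17


class Behavior(IntEnum):            # values as in the MIB INTEGER syntax
    endpointIndependent = 0
    addressDependent = 1
    addressAndPortDependent = 2


@dataclass(frozen=True)
class Endpoint:
    addr: str
    port: int


ExtEndpoint = Tuple[str, int]


class NatModel:
    """One external realm, one external address, ports handed out in order."""

    def __init__(self, mapping: Behavior, filtering: Behavior,
                 external_addr: str = "192.0.2.1") -> None:
        self.mapping = mapping
        self.filtering = filtering
        self.external_addr = external_addr
        self.next_port = 1024
        self.port_map: Dict[tuple, ExtEndpoint] = {}
        # external (addr, port, proto) -> remote endpoints that outbound
        # packets through that mapping have been sent to
        self.peers: Dict[Tuple[str, int, int], Set[Endpoint]] = {}

    def mapping_key(self, src: Endpoint, dst: Endpoint, proto: int) -> tuple:
        """Parts of the five-tuple that decide whether an existing external
        address/port is reused (RFC 4787 section 4.1)."""
        if self.mapping == Behavior.endpointIndependent:
            return (proto, src)                  # REQ-1: same for every dst
        if self.mapping == Behavior.addressDependent:
            return (proto, src, dst.addr)        # one per destination address
        return (proto, src, dst)                 # one per destination addr+port

    def outbound(self, src: Endpoint, dst: Endpoint, proto: int = UDP) -> ExtEndpoint:
        """Translate an internal -> external packet, creating a port map
        entry when the mapping key is new."""
        key = self.mapping_key(src, dst, proto)
        ext = self.port_map.get(key)
        if ext is None:
            ext = (self.external_addr, self.next_port)
            self.next_port += 1
            self.port_map[key] = ext
        self.peers.setdefault((ext[0], ext[1], proto), set()).add(dst)
        return ext

    def inbound(self, remote: Endpoint, ext: ExtEndpoint, proto: int = UDP) -> bool:
        """Filtering decision for an external -> internal packet addressed
        to a mapped external address/port (RFC 4787 section 5)."""
        known = self.peers.get((ext[0], ext[1], proto))
        if known is None:
            return False                          # no mapping: always dropped
        if self.filtering == Behavior.endpointIndependent:
            return True                           # any remote endpoint
        if self.filtering == Behavior.addressDependent:
            return any(p.addr == remote.addr for p in known)
        return remote in known                    # exact remote addr and port


def meets_rfc4787(nat: NatModel) -> bool:
    """REQ-1 requires endpoint-independent mapping; REQ-8 recommends
    endpoint-independent or address-dependent filtering."""
    return (nat.mapping == Behavior.endpointIndependent
            and nat.filtering != Behavior.addressAndPortDependent)
```

Reading the two objects off a live NAT and feeding them to meets_rfc4787 gives a manager a quick conformance check; the addressAndPortDependent filtering case in the model shows why that setting is the most restrictive: an inbound packet is accepted only from a remote address and port the mapping has already been used towards.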
1664 natv2InstancePoolingBehavior OBJECT-TYPE
1665 SYNTAX INTEGER {
1666 arbitrary (0),
1667 paired (1)
1668 }
1669 MAX-ACCESS read-only
1670 STATUS current
1671 DESCRIPTION
1672 "Pooling behavior is the policy used to select the address
1673 for a new port mapping within a given address pool to which
1674 the internal address has already been mapped.
1676 arbitrary(0) pooling behavior means that the NAT instance
1677 may create the new port mapping using any address in the
1678 pool that has a free port for the protocol concerned.
1680 paired(1) pooling behavior, the behavior RECOMMENDED by RFC
1681 4787 REQ-2, means that once a given internal address has
1682 been mapped to a particular address in a particular pool,
1683 further mappings of the same internal address to that pool
1684 will reuse the previously assigned pool member address."
1685 REFERENCE
1686 "RFC 4787 near the end of section 4.1"
1687 ::= { natv2InstanceEntry 5 }
1689 natv2InstanceFragmentBehavior OBJECT-TYPE
1690 SYNTAX INTEGER {
1691 fragmentNone (0),
1692 fragmentInOrder (1),
1693 fragmentOutOfOrder (2)
1694 }
1695 MAX-ACCESS read-only
1696 STATUS current
1697 DESCRIPTION
1698 "Fragment behavior is the NAT instance's capability to
1699 receive and translate fragments incoming from remote
1700 sources.
1702 fragmentNone(0) implies no capability to translate incoming
1703 fragments, so all received fragments are dropped. Each
1704 dropped fragment is counted in natv2InstanceFragmentDrops.
1706 fragmentInOrder(1) implies the ability to translate
1707 fragments only if they are received in order, so that in
1708 particular the header is in the first packet. If a fragment
1709 is received out of order, it is dropped and counted in
1710 natv2InstanceFragmentDrops.
1712 fragmentOutOfOrder(2), the capability REQUIRED by RFC 4787
1713 REQ-14, implies the capability to translate fragments even
1714 when they arrive out of order, subject to a protective
1715 limit natv2InstanceLimitPendingFragments on total number of
1716 fragments awaiting the first fragment of the chain. If the
1717 implementation supports this capability,
1718 natv2InstanceFragmentDrops is incremented only when a new
1719 fragment arrives but is dropped because the limit on pending
1720 fragments has already been reached."
1721 REFERENCE
1722 "RFC 4787 section 11."
1723 ::= { natv2InstanceEntry 6 }
1725 -- State
1727 natv2InstanceAddressMapEntries OBJECT-TYPE
1728 SYNTAX Unsigned32
1729 MAX-ACCESS read-only
1730 STATUS current
1731 DESCRIPTION
1732 "The current number of address map entries in total over the
1733 whole NAT instance, including static mappings. An address
1734 map entry maps from a given internal address and realm to an
1735 external address in a particular external realm. This
1736 definition includes 'hairpin' mappings, where the external
1737 realm is the same as the internal one. Address map entries
1738 are also tracked per subscriber and per address pool within
1739 the instance."
1740 REFERENCE
1741 "RFC yyyy Section 3.3.8. RFC 4787 section 6."
1742 ::= { natv2InstanceEntry 7 }
1744 natv2InstancePortMapEntries OBJECT-TYPE
1745 SYNTAX Unsigned32
1746 MAX-ACCESS read-only
1747 STATUS current
1748 DESCRIPTION
1749 "The current number of entries in the port map table in total
1750 over the whole NAT instance, including static mappings. A
1751 port map entry maps from a given external realm, address,
1752 and port for a given protocol to an internal realm, address,
1753 and port. This definition includes 'hairpin' mappings, where
1754 the external realm is the same as the internal one. Port map
1755 entries are also tracked per subscriber and per protocol and
1756 address pool within the instance."
1757 REFERENCE
1758 "RFC yyyy Section 3.3.9.
1759 Hairpinning: RFC 4787 Section 6."
1760 ::= { natv2InstanceEntry 8 }
1762 -- Statistics
1763 natv2InstanceTranslations OBJECT-TYPE
1764 SYNTAX Counter64
1765 MAX-ACCESS read-only
1766 STATUS current
1767 DESCRIPTION
1768 "The cumulative number of translated packets passing through
1769 this NAT instance. This value MUST be monotone increasing in
1770 the periods between updates of
1771 natv2InstanceDiscontinuityTime. If a manager detects a
1772 change in the latter since the last time it sampled this
1773 counter, it SHOULD NOT make use of the difference between
1774 the latest value of the counter and any value retrieved
1775 before the new value of natv2InstanceDiscontinuityTime."
1776 ::= { natv2InstanceEntry 9 }
1778 natv2InstanceAddressMapCreations OBJECT-TYPE
1779 SYNTAX Counter64
1780 MAX-ACCESS read-only
1781 STATUS current
1782 DESCRIPTION
1783 "The cumulative number of address map entries created by the
1784 NAT instance, including static mappings. Address map
1785 creations are also tracked per address pool within the
1786 instance and per subscriber.
1788 This value MUST be monotone increasing in
1789 the periods between updates of
1790 natv2InstanceDiscontinuityTime. If a manager detects a
1791 change in the latter since the last time it sampled this
1792 counter, it SHOULD NOT make use of the difference between
1793 the latest value of the counter and any value retrieved
1794 before the new value of natv2InstanceDiscontinuityTime."
1795 ::= { natv2InstanceEntry 10 }
1797 natv2InstancePortMapCreations OBJECT-TYPE
1798 SYNTAX Counter64
1799 MAX-ACCESS read-only
1800 STATUS current
1801 DESCRIPTION
1802 "The cumulative number of port map entries created by the
1803 NAT instance, including static mappings. Port map
1804 creations are also tracked per protocol and address pool
1805 within the instance and per subscriber.
1807 This value MUST be monotone increasing in
1808 the periods between updates of
1809 natv2InstanceDiscontinuityTime. If a manager detects a
1810 change in the latter since the last time it sampled this
1811 counter, it SHOULD NOT make use of the difference between
1812 the latest value of the counter and any value retrieved
1813 before the new value of natv2InstanceDiscontinuityTime."
1814 ::= { natv2InstanceEntry 11 }
1816 natv2InstanceAddressMapEntryLimitDrops OBJECT-TYPE
1817 SYNTAX Counter64
1818 MAX-ACCESS read-only
1819 STATUS current
1820 DESCRIPTION
1821 "The cumulative number of packets dropped rather than
1822 translated because the packet would have triggered
1823 the creation of a new address map entry but the limit
1824 on number of address map entries for the NAT instance
1825 given by natv2InstanceLimitAddressMapEntries has
1826 already been reached.
1828 This value MUST be monotone increasing in the periods
1829 between updates of the entity's
1830 natv2InstanceDiscontinuityTime. If a manager detects a
1831 change in the latter since the last time it sampled this
1832 counter, it SHOULD NOT make use of the difference between
1833 the latest value of the counter and any value retrieved
1834 before the new value of natv2InstanceDiscontinuityTime."
1835 ::= { natv2InstanceEntry 12 }
1837 natv2InstancePortMapEntryLimitDrops OBJECT-TYPE
1838 SYNTAX Counter64
1839 MAX-ACCESS read-only
1840 STATUS current
1841 DESCRIPTION
1842 "The cumulative number of packets dropped rather than
1843 translated because the packet would have triggered
1844 the creation of a new port map entry but the limit
1845 on number of port map entries for the NAT instance
1846 given by natv2InstanceLimitPortMapEntries has
1847 already been reached.
1849 This value MUST be monotone increasing in the periods
1850 between updates of the entity's
1851 natv2InstanceDiscontinuityTime. If a manager detects a
1852 change in the latter since the last time it sampled this
1853 counter, it SHOULD NOT make use of the difference between
1854 the latest value of the counter and any value retrieved
1855 before the new value of natv2InstanceDiscontinuityTime."
1856 ::= { natv2InstanceEntry 13 }
1858 natv2InstanceSubscriberActiveLimitDrops OBJECT-TYPE
1859 SYNTAX Counter64
1860 MAX-ACCESS read-only
1861 STATUS current
1862 DESCRIPTION
1863 "The cumulative number of packets dropped rather than
1864 translated because the packet would have triggered the
1865 creation of a new mapping for a subscriber with no other
1866 active mappings, but the limit on number of active
1867 subscribers for the NAT instance given by
1868 natv2InstanceLimitSubscriberActives has already been
1869 reached.
1871 This value MUST be monotone increasing in the periods
1872 between updates of the entity's
1873 natv2InstanceDiscontinuityTime. If a manager detects a
1874 change in the latter since the last time it sampled this
1875 counter, it SHOULD NOT make use of the difference between
1876 the latest value of the counter and any value retrieved
1877 before the new value of natv2InstanceDiscontinuityTime."
1878 ::= { natv2InstanceEntry 14 }
1880 natv2InstanceAddressMapFailureDrops OBJECT-TYPE
1881 SYNTAX Counter64
1882 MAX-ACCESS read-only
1883 STATUS current
1884 DESCRIPTION
1885 "The cumulative number of packets dropped because the packet
1886 would have triggered the creation of a new address map
1887 entry, but no address could be allocated in the selected
1888 external realm because all addresses from the selected
1889 address pool (or the whole realm, if no address pool has
1890 been configured for that realm) have already been fully
1891 allocated.
1893 This value MUST be monotone increasing in the periods
1894 between updates of the entity's
1895 natv2InstanceDiscontinuityTime. If a manager detects a
1896 change in the latter since the last time it sampled this
1897 counter, it SHOULD NOT make use of the difference between
1898 the latest value of the counter and any value retrieved
1899 before the new value of natv2InstanceDiscontinuityTime."
1900 ::= { natv2InstanceEntry 15 }
1902 natv2InstancePortMapFailureDrops OBJECT-TYPE
1903 SYNTAX Counter64
1904 MAX-ACCESS read-only
1905 STATUS current
1906 DESCRIPTION
1907 "The cumulative number of packets dropped because the
1908 packet would have triggered the creation of a new
1909 port map entry, but no port could be allocated for the
1910 protocol concerned. The usual case for this will be
1911 for a NAT instance that supports address pooling and
1912 the 'paired' pooling behavior recommended by RFC 4787,
1913 where the internal endpoint has used up all of the
1914 ports allocated to it for the address it was mapped to
1915 in the selected address pool in the external realm
1916 concerned and cannot be given more ports because
1917 - policy or implementation prevents it from having a
1918 second address in the same pool, and
1919 - policy or unavailability prevents it from acquiring
1920 more ports at its originally assigned address.
1922 If the NAT instance supports address pooling but its
1923 pooling behavior is 'arbitrary' (meaning that
1924 the NAT instance can allocate a new port mapping for
1925 the given internal endpoint on any address in the
1926 selected address pool and is not bound to what it has
1927 already mapped for that endpoint), then this counter
1928 is incremented when all ports for the protocol concerned
1929 over the whole of the selected address pool are already
1930 in use.
1932 Finally, if no address pools have been configured for the
1933 external realm concerned, then this counter is incremented
1934 because all ports for the protocol involved over the whole
1935 set of addresses available for that external realm are
1936 already in use.
1938 This value MUST be monotone increasing in the periods
1939 between updates of the entity's
1940 natv2InstanceDiscontinuityTime. If a manager detects a
1941 change in the latter since the last time it sampled this
1942 counter, it SHOULD NOT make use of the difference between
1943 the latest value of the counter and any value retrieved
1944 before the new value of natv2InstanceDiscontinuityTime."
1945 REFERENCE
1946 "Pooling behavior: RFC 4787, end of section 4.1."
1947 ::= { natv2InstanceEntry 16 }
1949 natv2InstanceFragmentDrops OBJECT-TYPE
1950 SYNTAX Counter64
1951 MAX-ACCESS read-only
1952 STATUS current
1953 DESCRIPTION
1954 "The cumulative number of fragments received by the NAT
1955 instance but dropped rather than translated. When the NAT
1956 instance supports the 'Receive Fragment Out of Order'
1957 capability as required by RFC 4787, this occurs because the
1958 fragment was received out of order and would be added to the
1959 queue of fragments awaiting the initial fragment of the
1960 chain, but the queue has already reached the limit set by
1961 natv2InstanceLimitPendingFragments. Counting in other cases
1962 is specified in the description of
1963 natv2InstanceFragmentBehavior.
1965 This value MUST be monotone increasing in the periods
1966 between updates of the entity's
1967 natv2InstanceDiscontinuityTime. If a manager detects a
1968 change in the latter since the last time it sampled this
1969 counter, it SHOULD NOT make use of the difference between
1970 the latest value of the counter and any value retrieved
1971 before the new value of natv2InstanceDiscontinuityTime."
1972 REFERENCE
1973 "RFC 4787, section 11."
1974 ::= { natv2InstanceEntry 17 }
1976 natv2InstanceOtherResourceFailureDrops OBJECT-TYPE
1977 SYNTAX Counter64
1978 MAX-ACCESS read-only
1979 STATUS current
1980 DESCRIPTION
1981 "The cumulative number of packets dropped because of
1982 unavailability of a resource other than an address or port
1983 that would have been required to process it. The most likely
1984 case is where the upper layer protocol in the packet is not
1985 supported by the NAT instance.
1987 This value MUST be monotone increasing in the periods
1988 between updates of the entity's
1989 natv2InstanceDiscontinuityTime. If a manager detects a
1990 change in the latter since the last time it sampled this
1991 counter, it SHOULD NOT make use of the difference between
1992 the latest value of the counter and any value retrieved
1993 before the new value of natv2InstanceDiscontinuityTime."
1994 ::= { natv2InstanceEntry 18 }
1996 natv2InstanceDiscontinuityTime OBJECT-TYPE
1997 SYNTAX TimeStamp
1998 MAX-ACCESS read-only
1999 STATUS current
2000 DESCRIPTION
2001 "Snapshot of the value of the sysUpTime object at the
2002 beginning of the latest period of continuity of the
2003 statistical counters associated with this NAT instance."
2004 ::= { natv2InstanceEntry 19 }
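Every Counter64 in this table, and the subscriber counters earlier (natv2SubscriberDiscontinuityTime), carries the same instruction to a manager: do not use a difference taken across a change in the discontinuity time. The following Python is an added example of that manager-side logic, written for this page and not taken from the draft. The polling results are constructed, and Sample, counter_delta, rate_per_second and rates are the example's own names; the treatment of a backwards sysUpTime as a restart and of a smaller counter value as a 64-bit wrap follows the Counter64 and TimeStamp definitions of RFC 2578.

```python
"""Manager-side use of a Counter64 together with its discontinuity
TimeStamp (natv2InstanceDiscontinuityTime or
natv2SubscriberDiscontinuityTime).

Added example, not part of the NATV2-MIB text.  The polls below are
constructed; Sample, counter_delta, rate_per_second and rates are this
example's own names.
"""
from dataclasses import dataclass
from typing import List, Optional

COUNTER64_MODULUS = 1 << 64   # Counter64 wraps modulo 2^64 (RFC 2578)
TICKS_PER_SECOND = 100        # sysUpTime and TimeStamp count 1/100 s


@dataclass(frozen=True)
class Sample:
    """One poll: sysUpTime, the discontinuity TimeStamp that governs the
    counter, and the counter value (e.g. natv2InstanceTranslations)."""
    sys_uptime: int
    discontinuity: int
    counter: int


def counter_delta(prev: Sample, cur: Sample) -> Optional[int]:
    """cur - prev, or None when the MIB text says the difference SHOULD NOT
    be used because the discontinuity time changed between the polls.
    A sysUpTime that went backwards means the agent restarted, which also
    starts a new period of continuity.  A counter that is otherwise smaller
    than before is a 64-bit wrap and is handled modulo 2^64."""
    if cur.discontinuity != prev.discontinuity:
        return None
    if cur.sys_uptime < prev.sys_uptime:
        return None
    return (cur.counter - prev.counter) % COUNTER64_MODULUS


def rate_per_second(prev: Sample, cur: Sample) -> Optional[float]:
    """Events per second between two polls, or None when no valid delta
    exists for that interval."""
    delta = counter_delta(prev, cur)
    if delta is None:
        return None
    ticks = cur.sys_uptime - prev.sys_uptime
    if ticks <= 0:
        return None
    return delta * TICKS_PER_SECOND / ticks


def rates(samples: List[Sample]) -> List[Optional[float]]:
    """Rate for each consecutive pair of polls.  None marks the interval in
    which a discontinuity happened, so a dashboard shows a gap instead of a
    bogus negative or enormous value."""
    return [rate_per_second(a, b) for a, b in zip(samples, samples[1:])]


# Constructed polls of natv2InstanceTranslations taken 60 s apart.  Between
# the second and third poll the counters were reset (for example the NAT
# instance was re-created) and the agent updated
# natv2InstanceDiscontinuityTime to the new sysUpTime snapshot.
CONSTRUCTED_POLLS = [
    Sample(sys_uptime=100_000, discontinuity=5_000, counter=1_000_000),
    Sample(sys_uptime=106_000, discontinuity=5_000, counter=1_300_000),
    Sample(sys_uptime=112_000, discontinuity=110_500, counter=2_000),
    Sample(sys_uptime=118_000, discontinuity=110_500, counter=62_000),
]

if __name__ == "__main__":
    print(rates(CONSTRUCTED_POLLS))   # [5000.0, None, 1000.0]
```

The same pattern applies to the drop counters: a spike in natv2InstancePortMapFailureDrops is only meaningful as a rate over an interval in which the discontinuity time did not move, which is why the poller records the TimeStamp alongside every counter it samples.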
2006 -- Notification thresholds, disabled if set to -1
2008 natv2InstanceThresholdAddressMapEntriesHigh OBJECT-TYPE
2009 SYNTAX Integer32
2010 MAX-ACCESS read-write
2011 STATUS current
2012 DESCRIPTION
2013 "Notification threshold for total number of address map
2014 entries held by this NAT instance. Whenever
2015 natv2InstanceAddressMapEntries is updated, if it equals or
2016 exceeds natv2InstanceThresholdAddressMapEntriesHigh, then
2017 natv2NotificationInstanceAddressMapEntriesHigh may be
2018 triggered, unless the notification is disabled by setting
2019 the threshold to -1. Reporting is subject to the minimum
2020 inter-notification interval given by
2021 natv2InstanceNotificationInterval. If multiple notifications
2022 are triggered during one interval, the agent MUST report
2023 only the one containing the highest value of
2024 natv2InstanceAddressMapEntries and discard the others."
2025 DEFVAL
2026 { -1 }
2027 ::= { natv2InstanceEntry 20 }
2029 natv2InstanceThresholdPortMapEntriesHigh OBJECT-TYPE
2030 SYNTAX Integer32
2031 MAX-ACCESS read-write
2032 STATUS current
2033 DESCRIPTION
2034 "Notification threshold for total number of port map
2035 entries held by this NAT instance. Whenever
2036 natv2InstancePortMapEntries is updated, if it equals or
2037 exceeds natv2InstanceThresholdPortMapEntriesHigh, then
2038 natv2NotificationInstancePortMapEntriesHigh may be
2039 triggered, unless the notification is disabled by setting
2040 the threshold to -1. Reporting is subject to the minimum
2041 inter-notification interval given by
2042 natv2InstanceNotificationInterval. If multiple notifications
2043 are triggered during one interval, the agent MUST report
2044 only the one containing the highest value of
2045 natv2InstancePortMapEntries and discard the others."
2046 DEFVAL
2047 { -1 }
2048 ::= { natv2InstanceEntry 21 }
2050 natv2InstanceNotificationInterval OBJECT-TYPE
2051 SYNTAX Unsigned32 (1..3600)
2052 UNITS
2053 "Seconds"
2054 MAX-ACCESS read-write
2055 STATUS current
2056 DESCRIPTION
2057 "Minimum number of seconds between successive
2058 notifications for this NAT instance. Controls the reporting
2059 of natv2NotificationInstanceAddressMapEntriesHigh and
2060 natv2NotificationInstancePortMapEntriesHigh."
2061 DEFVAL
2062 { 10 }
2063 ::= { natv2InstanceEntry 22 }
2065 -- Limits, disabled if set to 0
2067 natv2InstanceLimitAddressMapEntries OBJECT-TYPE
2068 SYNTAX Unsigned32
2069 MAX-ACCESS read-write
2070 STATUS current
2071 DESCRIPTION
2072 "Limit on total number of address map entries supported by
2073 the NAT instance. When natv2InstanceAddressMapEntries has
2074 reached this limit, subsequent packets that would normally
2075 trigger creation of a new address map entry will be dropped
2076 and counted in natv2InstanceAddressMapEntryLimitDrops.
2077 Warning of an approach to this limit can be achieved by
2078 setting natv2InstanceThresholdAddressMapEntriesHigh to a
2079 positive value, for example, 80% of the limit. The limit is
2080 disabled by setting its value to zero.
2082 For further information please see the descriptions of
2083 natv2NotificationInstanceAddressMapEntriesHigh and
2084 natv2InstanceAddressMapEntries."
2085 DEFVAL
2086 { 0 }
2087 ::= { natv2InstanceEntry 23 }
2089 natv2InstanceLimitPortMapEntries OBJECT-TYPE
2090 SYNTAX Unsigned32
2091 MAX-ACCESS read-write
2092 STATUS current
2093 DESCRIPTION
2094 "Limit on total number of port map entries supported by the
2095 NAT instance. When natv2InstancePortMapEntries has reached
2096 this limit, subsequent packets that would normally trigger
2097 creation of a new port map entry will be dropped and counted
2098 in natv2InstancePortMapEntryLimitDrops. Warning of an
2099 approach to this limit can be achieved by setting
2100 natv2InstanceThresholdPortMapEntriesHigh to a positive
2101 value, for example, 80% of the limit. The limit is disabled
2102 by setting its value to zero.
2104 For further information please see the descriptions of
2105 natv2NotificationInstancePortMapEntriesHigh and
2106 natv2InstancePortMapEntries."
2107 DEFVAL
2108 { 0 }
2109 ::= { natv2InstanceEntry 24 }
2111 natv2InstanceLimitPendingFragments OBJECT-TYPE
2112 SYNTAX Unsigned32
2113 MAX-ACCESS read-write
2114 STATUS current
2115 DESCRIPTION
2116 "Limit on number of out-of-order fragments received by the
2117 NAT instance from remote sources and held until head of
2118 chain appears. While the number of held fragments is at this
2119 limit, subsequent packets that contain fragments not
2120 relating to those already held will be dropped and counted
2121 in natv2InstanceFragmentDrops. The limit is
2122 disabled by setting the value to zero.
2124 Applicable only when the NAT instance supports the 'Receive
2125 Fragments Out of Order' behavior; leave it at the default
2126 otherwise. See the description of
2127 natv2InstanceFragmentBehavior."
2128 REFERENCE
2129 "RFC 4787 Section 11"
2130 DEFVAL { 0 }
2131 ::= { natv2InstanceEntry 25 }
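The description of natv2InstanceFragmentBehavior earlier and the limit object just above together define when natv2InstanceFragmentDrops is incremented: always for fragmentNone, for any out-of-order fragment under fragmentInOrder, and only when the pending queue is full under fragmentOutOfOrder. The following Python is an added example that models those three cases, written for this page and not taken from the draft or from any NAT implementation. Fragment, FragmentHandler and run_chains are the example's own names, the arrival order is constructed, and identifying a chain by (source, destination, IP identification) without expiry of finished chains is a simplification of this example.

```python
"""Model of the three natv2InstanceFragmentBehavior values and of the
natv2InstanceLimitPendingFragments limit, showing when
natv2InstanceFragmentDrops is incremented.

Added example, not part of the NATV2-MIB text.  Fragment, FragmentHandler,
run_chains and the constructed chains are this example's own.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Set, Tuple

Chain = Tuple[str, str, int]      # (src addr, dst addr, IP identification)


class FragmentBehavior(IntEnum):   # values as in the MIB INTEGER syntax
    fragmentNone = 0
    fragmentInOrder = 1
    fragmentOutOfOrder = 2


@dataclass(frozen=True)
class Fragment:
    chain: Chain
    offset: int    # 0 = head fragment, the only one carrying the transport header


class FragmentHandler:
    def __init__(self, behavior: FragmentBehavior, pending_limit: int = 0) -> None:
        self.behavior = behavior
        self.pending_limit = pending_limit               # 0 disables the limit (DEFVAL)
        self.pending: Dict[Chain, List[Fragment]] = {}   # out of order, awaiting the head
        self.heads_seen: Set[Chain] = set()              # chains whose head was translated
        self.fragment_drops = 0                          # natv2InstanceFragmentDrops
        self.translated = 0

    def pending_count(self) -> int:
        return sum(len(q) for q in self.pending.values())

    def receive(self, frag: Fragment) -> str:
        """Returns 'translated', 'queued' or 'dropped'."""
        if self.behavior == FragmentBehavior.fragmentNone:
            self.fragment_drops += 1                     # every fragment is dropped
            return "dropped"
        if frag.offset == 0:
            # Head arrived: translate it and release anything queued for the chain.
            self.heads_seen.add(frag.chain)
            self.translated += 1 + len(self.pending.pop(frag.chain, []))
            return "translated"
        if frag.chain in self.heads_seen:
            self.translated += 1                         # in order: head already known
            return "translated"
        # A non-head fragment has arrived before its head.
        if self.behavior == FragmentBehavior.fragmentInOrder:
            self.fragment_drops += 1
            return "dropped"
        if self.pending_limit and self.pending_count() >= self.pending_limit:
            self.fragment_drops += 1                     # protective limit reached
            return "dropped"
        self.pending.setdefault(frag.chain, []).append(frag)
        return "queued"


def run_chains(behavior: FragmentBehavior, pending_limit: int = 0) -> Tuple[List[str], int]:
    """Constructed arrival order: two trailing fragments of chain X, one of
    chain Y, then the head of X.  Returns the per-fragment outcome and the
    final value of natv2InstanceFragmentDrops."""
    x: Chain = ("198.51.100.9", "192.0.2.1", 0x1A2B)
    y: Chain = ("198.51.100.9", "192.0.2.1", 0x1A2C)
    arrivals = [Fragment(x, 1480), Fragment(x, 2960), Fragment(y, 1480), Fragment(x, 0)]
    handler = FragmentHandler(behavior, pending_limit)
    return [handler.receive(f) for f in arrivals], handler.fragment_drops
```

With the limit enabled, the drop that chain Y takes is the protective behaviour the limit exists for: trailing fragments whose head never arrives would otherwise accumulate without bound, and the counter lets an operator see that the queue is being filled.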
2133 natv2InstanceLimitSubscriberActives OBJECT-TYPE
2134 SYNTAX Unsigned32
2135 MAX-ACCESS read-write
2136 STATUS current
2137 DESCRIPTION
2138 "Limit on the total number of active subscribers
2139 supported by the NAT instance. An active subscriber is
2140 defined as any subscriber with at least one map entry,
2141 including static mappings. While the number of active
2142 subscribers is at this limit, subsequent packets that would
2143 otherwise trigger first mappings for newly active
2144 subscribers will be dropped and counted in
2145 natv2InstanceSubscriberActiveLimitDrops. The limit is
2146 disabled by setting the value to zero."
2148 DEFVAL { 0 }
2149 ::= { natv2InstanceEntry 26 }
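The three limits just defined, together with the drop counters earlier in this table, describe a decision path a NAT instance walks before it creates a mapping: is the subscriber allowed to become active, can an address map entry be added and an address found, can a port map entry be added and a port found. The following Python is an added example that models that path with the 'paired' pooling behavior the description of natv2InstancePortMapFailureDrops calls the usual case. It is written for this page and is not code from the draft or from any NAT product; the order of the checks, the single address pool, the fixed port budget per external address and the names Limits, Counters and NatInstance are this example's assumptions.

```python
"""Model of the per-instance limits (natv2InstanceLimitSubscriberActives,
natv2InstanceLimitAddressMapEntries, natv2InstanceLimitPortMapEntries) and
of the counters that record why a packet was dropped instead of creating
a mapping.  Pooling is 'paired': a subscriber keeps the external address
it was first mapped to and is not given a second one.

Added example, not part of the NATV2-MIB text.  The check order, the
single pool, the port budget per address and all names are this example's
assumptions; the addresses in the tests are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ExtEndpoint = Tuple[str, int]


@dataclass
class Limits:
    """0 disables a limit, as the DEFVAL and descriptions state."""
    subscriber_actives: int = 0
    address_map_entries: int = 0
    port_map_entries: int = 0


@dataclass
class Counters:
    address_map_creations: int = 0          # natv2InstanceAddressMapCreations
    port_map_creations: int = 0             # natv2InstancePortMapCreations
    subscriber_active_limit_drops: int = 0  # natv2InstanceSubscriberActiveLimitDrops
    address_map_entry_limit_drops: int = 0  # natv2InstanceAddressMapEntryLimitDrops
    address_map_failure_drops: int = 0      # natv2InstanceAddressMapFailureDrops
    port_map_entry_limit_drops: int = 0     # natv2InstancePortMapEntryLimitDrops
    port_map_failure_drops: int = 0         # natv2InstancePortMapFailureDrops


class NatInstance:
    def __init__(self, limits: Limits, pool: List[str], ports_per_addr: int) -> None:
        self.limits = limits
        self.counters = Counters()
        self.free_addrs = list(pool)                  # unassigned external addresses
        self.addr_map: Dict[str, str] = {}            # subscriber -> paired external address
        self.ports_used: Dict[str, int] = {}          # external address -> ports handed out
        self.ports_per_addr = ports_per_addr
        self.port_map: Dict[Tuple[str, int, int], ExtEndpoint] = {}

    def active_subscribers(self) -> int:
        # A subscriber is active once it holds at least one map entry; here a
        # subscriber is identified by its internal address.
        return len(self.addr_map)

    def translate(self, subscriber: str, int_port: int, proto: int) -> Optional[ExtEndpoint]:
        """External address/port for an outbound packet, or None when the
        packet is dropped, with the reason recorded in self.counters."""
        key = (subscriber, int_port, proto)
        if key in self.port_map:
            return self.port_map[key]
        c, lim = self.counters, self.limits
        new_subscriber = subscriber not in self.addr_map
        if new_subscriber:
            if lim.subscriber_actives and self.active_subscribers() >= lim.subscriber_actives:
                c.subscriber_active_limit_drops += 1
                return None
            if lim.address_map_entries and len(self.addr_map) >= lim.address_map_entries:
                c.address_map_entry_limit_drops += 1
                return None
            if not self.free_addrs:                   # pool fully allocated
                c.address_map_failure_drops += 1
                return None
        if lim.port_map_entries and len(self.port_map) >= lim.port_map_entries:
            c.port_map_entry_limit_drops += 1
            return None
        ext_addr = self.free_addrs[0] if new_subscriber else self.addr_map[subscriber]
        used = self.ports_used.get(ext_addr, 0)
        if used >= self.ports_per_addr:
            # Paired pooling: no second address, and no more ports on the paired one.
            c.port_map_failure_drops += 1
            return None
        # All checks passed: commit the address map entry (if new) and the port map entry.
        if new_subscriber:
            self.addr_map[subscriber] = self.free_addrs.pop(0)
            c.address_map_creations += 1
        self.ports_used[ext_addr] = used + 1
        self.port_map[key] = (ext_addr, 1024 + used)
        c.port_map_creations += 1
        return self.port_map[key]
```

The distinction the model makes visible is the one the MIB draws between the two families of drop counters: the *LimitDrops counters rise because an operator-set limit was reached and can be tuned away, while the *FailureDrops counters rise because the pool itself ran out of addresses or ports, which calls for more address space or a different pooling policy rather than a configuration change.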
2151 -- Table of counters per upper layer protocol identified by the
2152 -- packet header and supported by the NAT instance
2154 natv2ProtocolTable OBJECT-TYPE
2155 SYNTAX SEQUENCE OF Natv2ProtocolEntry
2156 MAX-ACCESS not-accessible
2157 STATUS current
2158 DESCRIPTION
2159 "Table of protocols with per-protocol counters. Conceptual
2160 rows of the table are indexed by the combination of the NAT
2161 instance number and the IANA-assigned upper layer protocol
2162 number as given by the ProtocolNumber TC and contained in
2163 the packet IP header. It is up to the agent implementation
2164 to determine and operate upon only those upper layer
2165 protocol numbers supported by the NAT instance."
2166 REFERENCE
2167 "RFC yyyy Section 3.3.5."
2168 ::= { natv2MIBInstanceObjects 2 }
2170 natv2ProtocolEntry OBJECT-TYPE
2171 SYNTAX Natv2ProtocolEntry
2172 MAX-ACCESS not-accessible
2173 STATUS current
2174 DESCRIPTION
2175 "Per-protocol counters."
2176 INDEX { natv2ProtocolInstanceIndex,
2177 natv2ProtocolNumber }
2178 ::= { natv2ProtocolTable 1 }
2180 Natv2ProtocolEntry ::=
2181 SEQUENCE {
2182 natv2ProtocolInstanceIndex Natv2InstanceIndex,
2183 natv2ProtocolNumber ProtocolNumber,
2184 -- State
2185 natv2ProtocolPortMapEntries Unsigned32,
2186 -- Statistics. Discontinuity object from instance table reused here.
2187 natv2ProtocolTranslations Counter64,
2188 natv2ProtocolPortMapCreations Counter64,
2189 natv2ProtocolPortMapFailureDrops Counter64
2190 }
2192 natv2ProtocolInstanceIndex OBJECT-TYPE
2193 SYNTAX Natv2InstanceIndex
2194 MAX-ACCESS not-accessible
2195 STATUS current
2196 DESCRIPTION
2197 "NAT instance index. It is up to the implementation to
2198 determine and operate upon only those values that
2199 correspond to in-service NAT instances."
2200 ::= { natv2ProtocolEntry 1 }
2202 natv2ProtocolNumber OBJECT-TYPE
2203 SYNTAX ProtocolNumber
2204 MAX-ACCESS not-accessible
2205 STATUS current
2206 DESCRIPTION
2207 "Counters in this conceptual row apply to packets indicating
2208 the upper layer protocol identified by the value of
2209 this object. It is up to the implementation to determine and
2210 operate upon only those values that correspond to protocols
2211 supported by the NAT instance."
2212 REFERENCE
2213 "RFC yyyy Section 3.3.5.
2214 IANA Protocol Numbers, http://www.iana.org/assignments/
2215 protocol-numbers/protocol-numbers.xhtml#protocol-numbers-1"
2216 ::= { natv2ProtocolEntry 2 }
2218 -- State
2219 natv2ProtocolPortMapEntries OBJECT-TYPE
2220 SYNTAX Unsigned32
2221 MAX-ACCESS read-only
2222 STATUS current
2223 DESCRIPTION
2224 "The current number of entries in the port map table in total
2225 over the whole NAT instance for a given protocol, including
2226 static mappings. A port map entry maps from a given external
2227 realm, address, and port for a given protocol to an internal
2228 realm, address, and port. This definition includes 'hairpin'
2229 mappings, where the external realm is the same as the
2230 internal one. Port map entries are also tracked per
2231 subscriber, per instance, and per address pool within the
2232 instance."
2233 REFERENCE
2234 "RFC yyyy Section 3.3.5 and Section 3.3.9. Hairpinning:
2235 RFC 4787 Section 6."
2236 ::= { natv2ProtocolEntry 3 }
2238 -- Statistics
2239 natv2ProtocolTranslations OBJECT-TYPE
2240 SYNTAX Counter64
2241 MAX-ACCESS read-only
2242 STATUS current
2243 DESCRIPTION
2244 "The cumulative number of packets translated by the NAT
2245 instance in either direction for the given protocol.
2247 This value MUST be monotone increasing in the periods
2248 between updates of the NAT instance
2249 natv2InstanceDiscontinuityTime. If a manager detects a
2250 change in the latter since the last time it sampled this
2251 counter, it SHOULD NOT make use of the difference between
2252 the latest value of the counter and any value retrieved
2253 before the new value of natv2InstanceDiscontinuityTime."
2254 ::= { natv2ProtocolEntry 4 }
2256 natv2ProtocolPortMapCreations OBJECT-TYPE
2257 SYNTAX Counter64
2258 MAX-ACCESS read-only
2259 STATUS current
2260 DESCRIPTION
2261 "The cumulative number of port map entries created by the NAT
2262 instance for the given protocol.
2264 This value MUST be monotone increasing in the periods
2265 between updates of the NAT instance
2266 natv2InstanceDiscontinuityTime. If a manager detects a
2267 change in the latter since the last time it sampled this
2268 counter, it SHOULD NOT make use of the difference between
2269 the latest value of the counter and any value retrieved
2270 before the new value of natv2InstanceDiscontinuityTime."
2271 ::= { natv2ProtocolEntry 5 }
2273 natv2ProtocolPortMapFailureDrops OBJECT-TYPE
2274 SYNTAX Counter64
2275 MAX-ACCESS read-only
2276 STATUS current
2277 DESCRIPTION
2278 "The cumulative number of packets dropped because the packet
2279 would have triggered the creation of a new port map entry,
2280 but no port could be allocated for the protocol concerned.
2281 The usual case for this will be for a NAT instance that
2282 supports address pooling and the 'paired' pooling behavior
2283 recommended by RFC 4787, where the internal endpoint has
2284 used up all of the ports allocated to it for the address it
2285 was mapped to in the selected address pool in the external
2286 realm concerned and cannot be given more ports because
2287 - policy or implementation prevents it from having a
2288 second address in the same pool, and
2289 - policy or unavailability prevents it from acquiring
2290 more ports at its originally assigned address.
2292 If the NAT instance supports address pooling but its
2293 pooling behavior is 'arbitrary' (meaning that
2294 the NAT instance can allocate a new port mapping for
2295 the given internal endpoint on any address in the
2296 selected address pool and is not bound to what it has
2297 already mapped for that endpoint), then this counter
2298 is incremented when all ports for the protocol concerned
2299 over the whole of the selected address pool are already
2300 in use.
2302 Finally, if the NAT instance has no configured address
2303 pooling, then this counter is incremented because all
2304 ports for the protocol concerned over the whole of the
2305 NAT instance for the external realm concerned are already
2306 in use.
2308 This value MUST be monotone increasing in the periods
2309 between updates of the NAT instance
2310 natv2InstanceDiscontinuityTime. If a manager detects a
2311 change in the latter since the last time it sampled this
2312 counter, it SHOULD NOT make use of the difference between
2313 the latest value of the counter and any value retrieved
2314 before the new value of natv2InstanceDiscontinuityTime."
2315 REFERENCE
2316 "RFC 4787, end of section 4.1."
2317 ::= { natv2ProtocolEntry 6 }
2319 -- pools
2321 natv2PoolTable OBJECT-TYPE
2322 SYNTAX SEQUENCE OF Natv2PoolEntry
2323 MAX-ACCESS not-accessible
2324 STATUS current
2325 DESCRIPTION
2326 "Table of address pools, applicable only if these are
2327 supported by the NAT instance. An address pool is a set of
2328 addresses and ports in a particular realm, available for
2329 assignment to the 'external' portion of a mapping. Where more
2330 than one pool has been configured for the realm, policy
2331 determines which subscribers and/or services are mapped to
2332 which pool. natv2PoolTable provides basic information, state,
2333 statistics, and two notification thresholds for each pool.
2334 natv2PoolRangeTable is an expansion table for natv2PoolTable
2335 that identifies particular address ranges allocated to the
2336 pool."
2337 REFERENCE
2338 "RFC yyyy Section 3.3.6."
2340 ::= { natv2MIBInstanceObjects 3 }
2342 natv2PoolEntry OBJECT-TYPE
2343 SYNTAX Natv2PoolEntry
2344 MAX-ACCESS not-accessible
2345 STATUS current
2346 DESCRIPTION
2347 "Entry in the table of address pools."
2348 INDEX { natv2PoolInstanceIndex, natv2PoolIndex }
2349 ::= { natv2PoolTable 1 }
2351 Natv2PoolEntry ::=
2352 SEQUENCE {
2353 -- Index
2354 natv2PoolInstanceIndex Natv2InstanceIndex,
2355 natv2PoolIndex Natv2PoolIndex,
2356 -- Configuration
2357 natv2PoolRealm SnmpAdminString,
2358 natv2PoolAddressType InetAddressType,
2359 natv2PoolMinimumPort InetPortNumber,
2360 natv2PoolMaximumPort InetPortNumber,
2361 -- State
2362 natv2PoolAddressMapEntries Unsigned32,
2363 natv2PoolPortMapEntries Unsigned32,
2364 -- Statistics and discontinuity time
2365 natv2PoolAddressMapCreations Counter64,
2366 natv2PoolPortMapCreations Counter64,
2367 natv2PoolAddressMapFailureDrops Counter64,
2368 natv2PoolPortMapFailureDrops Counter64,
2369 natv2PoolDiscontinuityTime TimeStamp,
2370 -- Notification thresholds and objects returned by notifications
2371 natv2PoolThresholdUsageLow Integer32,
2372 natv2PoolThresholdUsageHigh Integer32,
2373 natv2PoolNotifiedPortMapEntries Unsigned32,
2374 natv2PoolNotifiedPortMapProtocol ProtocolNumber,
2375 natv2PoolNotificationInterval Unsigned32
2376 }
2378 natv2PoolInstanceIndex OBJECT-TYPE
2379 SYNTAX Natv2InstanceIndex
2380 MAX-ACCESS not-accessible
2381 STATUS current
2382 DESCRIPTION
2383 "NAT instance index. It is up to the agent implementation
2384 to determine and operate upon only those values that
2385 correspond to in-service NAT instances."
2386 ::= { natv2PoolEntry 1 }
2388 natv2PoolIndex OBJECT-TYPE
2389 SYNTAX Natv2PoolIndex
2390 MAX-ACCESS not-accessible
2391 STATUS current
2392 DESCRIPTION
2393 "Index of an address pool, unique for a given NAT instance.
2394 It is up to the agent implementation to determine and
2395 operate upon only those values that correspond to
2396 provisioned pools."
2397 ::= { natv2PoolEntry 2 }
2399 -- configuration
2400 natv2PoolRealm OBJECT-TYPE
2401 SYNTAX SnmpAdminString (SIZE (0..32))
2402 MAX-ACCESS read-only
2403 STATUS current
2404 DESCRIPTION
2405 "Address realm to which this pool's addresses belong."
2406 REFERENCE
2407 "Address realms are discussed in Section 3.3.3 of
2408 RFC yyyy. Primary reference is RFC 2663 Section 2.1."
2409 ::= { natv2PoolEntry 3 }
2411 natv2PoolAddressType OBJECT-TYPE
2412 SYNTAX InetAddressType
2413 MAX-ACCESS read-create
2414 STATUS current
2415 DESCRIPTION
2416 "Address type supplied by this address pool. This will be the
2417 same for all pools in a given realm (by definition of an
2418 address realm). Values other than ipv4(1) or ipv6(2) would
2419 be unexpected."
2420 REFERENCE
2421 "InetAddressType in RFC 4001."
2422 ::= { natv2PoolEntry 4 }
2424 natv2PoolMinimumPort OBJECT-TYPE
2425 SYNTAX InetPortNumber
2426 MAX-ACCESS read-create
2427 STATUS current
2428 DESCRIPTION
2429 "Minimum port number of the range that can be allocated in
2430 this pool. Applies to all protocols supported by the NAT
2431 instance."
2432 REFERENCE
2433 "InetPortNumber in RFC 4001."
2434 ::= { natv2PoolEntry 5 }
2436 natv2PoolMaximumPort OBJECT-TYPE
2437 SYNTAX InetPortNumber
2438 MAX-ACCESS read-create
2439 STATUS current
2440 DESCRIPTION
2441 "Maximum port number of the range that can be allocated in
2442 this pool. Applies to all protocols supported by the NAT
2443 instance."
2444 REFERENCE
2445 "InetPortNumber in RFC 4001."
2446 ::= { natv2PoolEntry 6 }
2448 -- State
2449 natv2PoolAddressMapEntries OBJECT-TYPE
2450 SYNTAX Unsigned32
2451 MAX-ACCESS read-only
2452 STATUS current
2453 DESCRIPTION
2454 "The current number of address map entries using external
2455 addresses drawn from this pool, including static mappings.
2456 This definition includes 'hairpin' mappings, where the
2457 external realm is the same as the internal one. Address map
2458 entries are also tracked per subscriber and per instance."
2459 REFERENCE
2460 "RFC yyyy Section 3.3.8. Hairpinning: RFC 4787 section 6."
2461 ::= { natv2PoolEntry 7 }
2463 natv2PoolPortMapEntries OBJECT-TYPE
2464 SYNTAX Unsigned32
2465 MAX-ACCESS read-only
2466 STATUS current
2467 DESCRIPTION
2468 "The current number of entries in the port map table using
2469 external addresses and ports drawn from this pool, including
2470 static mappings. This definition includes 'hairpin'
2471 mappings, where the external realm is the same as the
2472 internal one. Port map entries are also tracked per
2473 subscriber, per instance, and per protocol within the
2474 instance."
2475 REFERENCE
2476 "RFC yyyy Section 3.3.9. Hairpinning: RFC 4787 Section 6."
2477 ::= { natv2PoolEntry 8 }
2479 -- Statistics and discontinuity time
2480 natv2PoolAddressMapCreations OBJECT-TYPE
2481 SYNTAX Counter64
2482 MAX-ACCESS read-only
2483 STATUS current
2484 DESCRIPTION
2485 "The cumulative number of address map entries created in this
2486 pool, including static mappings. Address map entries are
2487 also tracked per instance and per subscriber.
2489 This value MUST be monotone increasing in
2490 the periods between updates of the entity's
2491 natv2PoolDiscontinuityTime. If a manager detects a
2492 change in the latter since the last time it sampled this
2493 counter, it SHOULD NOT make use of the difference between
2494 the latest value of the counter and any value retrieved
2495 before the new value of natv2PoolDiscontinuityTime."
2496 ::= { natv2PoolEntry 9 }
2498 natv2PoolPortMapCreations OBJECT-TYPE
2499 SYNTAX Counter64
2500 MAX-ACCESS read-only
2501 STATUS current
2502 DESCRIPTION
2503 "The cumulative number of port map entries created in this
2504 pool, including static mappings. Port map entries are also
2505 tracked per instance, per protocol, and per subscriber.
2507 This value MUST be monotone increasing in the periods
2508 between updates of the entity's
2509 natv2PoolDiscontinuityTime. If a manager detects a
2510 change in the latter since the last time it sampled this
2511 counter, it SHOULD NOT make use of the difference between
2512 the latest value of the counter and any value retrieved
2513 before the new value of natv2PoolDiscontinuityTime."
2514 ::= { natv2PoolEntry 10 }
2516 natv2PoolAddressMapFailureDrops OBJECT-TYPE
2517 SYNTAX Counter64
2518 MAX-ACCESS read-only
2519 STATUS current
2520 DESCRIPTION
2521 "The cumulative number of packets dropped because the packet
2522 would have triggered the creation of a new address map entry,
2523 but no address could be allocated from this address pool
2524 because all addresses in the pool have already been fully
2525 allocated. Counters of this event are also provided per
2526 instance and per subscriber.
2529 This value MUST be monotone increasing in the periods
2530 between updates of the entity's
2531 natv2PoolDiscontinuityTime. If a manager detects a
2532 change in the latter since the last time it sampled this
2533 counter, it SHOULD NOT make use of the difference between
2534 the latest value of the counter and any value retrieved
2535 before the new value of natv2PoolDiscontinuityTime."
2536 ::= { natv2PoolEntry 11 }
2538 natv2PoolPortMapFailureDrops OBJECT-TYPE
2539 SYNTAX Counter64
2540 MAX-ACCESS read-only
2541 STATUS current
2542 DESCRIPTION
2543 "The cumulative number of packets dropped because the packet
2544 would have triggered the creation of a new port map entry,
2545 but no port could be allocated for the protocol concerned.
2546 The usual case for this will be for a NAT instance that
2547 supports the 'paired' pooling behavior recommended by RFC
2548 4787, where the internal endpoint has used up all of the
2549 ports allocated to it for the address it was mapped to in
2550 this pool and cannot be given more ports because
2551 - policy or implementation prevents it from having a
2552 second address in the same pool, and
2553 - policy or unavailability prevents it from acquiring
2554 more ports at its originally assigned address.
2556 If the NAT instance pooling behavior is 'arbitrary' (meaning
2557 that the NAT instance can allocate a new port mapping for
2558 the given internal endpoint on any address in the selected
2559 address pool and is not bound to what it has already mapped
2560 for that endpoint), then this counter is incremented when
2561 all ports for the protocol concerned over the whole of this
2562 address pool are already in use.
2564 This value MUST be monotone increasing in the periods
2565 between updates of the entity's
2566 natv2PoolDiscontinuityTime. If a manager detects a
2567 change in the latter since the last time it sampled this
2568 counter, it SHOULD NOT make use of the difference between
2569 the latest value of the counter and any value retrieved
2570 before the new value of natv2PoolDiscontinuityTime."
2571 REFERENCE
2572 "Pooling behavior: RFC 4787, end of section 4.1."
2573 ::= { natv2PoolEntry 12 }
2575 natv2PoolDiscontinuityTime OBJECT-TYPE
2576 SYNTAX TimeStamp
2577 MAX-ACCESS read-only
2578 STATUS current
2579 DESCRIPTION
2580 "Snapshot of the value of the sysUpTime object at the
2581 beginning of the latest period of continuity of the
2582 statistical counters associated with this address
2583 pool. This MUST be initialized when the address pool
2584 is configured and MUST be updated whenever the port
2585 or address ranges allocated to the pool change."
2586 ::= { natv2PoolEntry 13 }
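Every Counter64 in natv2ProtocolTable and natv2PoolTable carries the same rule: the value is only guaranteed monotone between updates of the governing discontinuity object (natv2InstanceDiscontinuityTime for the protocol table, natv2PoolDiscontinuityTime for the pool table), and a manager SHOULD NOT difference two samples that straddle such an update. Pollers routinely get this wrong and report a huge negative or wrapped "rate" after a pool reconfiguration or instance restart. The Python below is an added example written for this page, not code from the draft or from any NAT implementation; the Sample record, the function names and the polled values are constructed, and only the MIB object names come from the module.

```python
# Added example, not part of the draft: a poller that turns NATV2-MIB
# Counter64 statistics into per-interval deltas while honouring the
# discontinuity rule stated in every counter's DESCRIPTION. Object names
# are the MIB's; the Sample record and all values below are constructed.
from dataclasses import dataclass
from typing import Dict, Optional

COUNTER64_MODULUS = 1 << 64


@dataclass(frozen=True)
class Sample:
    """One poll of a counter group together with the discontinuity object
    that governs it (natv2InstanceDiscontinuityTime for natv2ProtocolTable
    rows, natv2PoolDiscontinuityTime for natv2PoolTable rows) and the
    agent's sysUpTime. Both timestamps are sysUpTime values in hundredths
    of a second, so they are directly comparable."""
    sys_uptime: int
    discontinuity_time: int
    counters: Dict[str, int]   # MIB object name -> Counter64 value


def counter_deltas(prev: Sample, curr: Sample) -> Optional[Dict[str, int]]:
    """Return curr - prev for every counter present in both polls, or None
    when the difference is not usable.

    The MIB only guarantees monotonicity between updates of the
    discontinuity object and says the manager SHOULD NOT use a difference
    that spans such an update, so a changed discontinuity_time invalidates
    the whole interval. A sysUpTime that did not advance means the agent
    restarted or sysUpTime wrapped; the baseline is then stale as well.

    A Counter64 that wrapped past 2^64 is still valid and is corrected
    modulo 2^64. Without the discontinuity object a poller could not tell
    a wrap from a reset, which is exactly why the MIB pairs the two."""
    if curr.discontinuity_time != prev.discontinuity_time:
        return None
    if curr.sys_uptime <= prev.sys_uptime:
        return None
    return {name: (curr.counters[name] - prev.counters[name]) % COUNTER64_MODULUS
            for name in prev.counters if name in curr.counters}


def rates_per_second(prev: Sample, curr: Sample) -> Optional[Dict[str, float]]:
    """Deltas divided by elapsed wall time; sysUpTime ticks are 1/100 s."""
    deltas = counter_deltas(prev, curr)
    if deltas is None:
        return None
    seconds = (curr.sys_uptime - prev.sys_uptime) / 100.0
    return {name: delta / seconds for name, delta in deltas.items()}


def port_exhaustion_ratio(prev: Sample, curr: Sample) -> Optional[float]:
    """For a natv2ProtocolTable row: fraction of attempted port map
    creations in the interval that were dropped for lack of a free port,
    drops / (creations + drops). None if the interval is unusable or no
    creation was attempted. A ratio climbing towards 1.0 is the operational
    meaning of natv2ProtocolPortMapFailureDrops: either the address pool
    is legitimately full or one internal endpoint is burning through ports."""
    deltas = counter_deltas(prev, curr)
    if deltas is None:
        return None
    drops = deltas["natv2ProtocolPortMapFailureDrops"]
    attempts = deltas["natv2ProtocolPortMapCreations"] + drops
    if attempts == 0:
        return None
    return drops / attempts


if __name__ == "__main__":
    # Constructed polls of one natv2ProtocolTable row (UDP), 10 s apart.
    t0 = Sample(sys_uptime=100_000, discontinuity_time=5_000,
                counters={"natv2ProtocolTranslations": 1_000_000,
                          "natv2ProtocolPortMapCreations": 50_000,
                          "natv2ProtocolPortMapFailureDrops": 10})
    t1 = Sample(sys_uptime=101_000, discontinuity_time=5_000,
                counters={"natv2ProtocolTranslations": 1_250_000,
                          "natv2ProtocolPortMapCreations": 58_000,
                          "natv2ProtocolPortMapFailureDrops": 2_010})
    print(rates_per_second(t0, t1))
    print(port_exhaustion_ratio(t0, t1))
    # The NAT instance's discontinuity time moved between t1 and t2 (for
    # example the instance was reset), so nothing is computed over that gap.
    t2 = Sample(sys_uptime=102_000, discontinuity_time=101_500,
                counters={"natv2ProtocolTranslations": 3_000,
                          "natv2ProtocolPortMapCreations": 100,
                          "natv2ProtocolPortMapFailureDrops": 0})
    print(counter_deltas(t1, t2))
```

The same functions apply unchanged to natv2PoolTable rows by feeding natv2PoolDiscontinuityTime as the discontinuity_time; the pool's discontinuity object is updated whenever its port or address ranges change, so a reconfiguration that shrinks a pool never shows up as a phantom burst of drops.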
2588 -- Notification thresholds and objects returned by notifications
2589 natv2PoolThresholdUsageLow OBJECT-TYPE
2590 SYNTAX Integer32 (-1|0..100)
2591 UNITS "Percent"
2592 MAX-ACCESS read-write
2593 STATUS current
2594 DESCRIPTION
2595 "Threshold for reporting low utilization of the address pool.
2596 Utilization at a given instant is calculated as the
2597 percentage of ports allocated in port map entries for the
2598 most-used protocol at that instant. If utilization is less
2599 than or equal to natv2PoolThresholdUsageLow, an instance of
2600 natv2NotificationPoolUsageLow may be triggered, unless
2601 disabled by setting it to -1. Note the difference from the
2602 disabling setting for other notifications. Reporting is
2603 subject to the per-pool notification interval given by
2604 natv2PoolNotificationInterval. If multiple notifications are
2605 triggered during one interval, the agent MUST report only
2606 the one with the lowest value of
2607 natv2PoolNotifiedPortMapEntries and discard the others.
2609 Implementation note: the percentage specified by this object
2610 can be converted to a number of port map entries at
2611 configuration time (after port and address ranges have been
2612 configured or reconfigured) and compared to the current
2613 value of natv2PoolNotifiedPortMapEntries."
2614 REFERENCE
2615 "RFC yyyy Section 3.1.2 and Section 3.3.6."
2616 DEFVAL { -1 }
2617 ::= { natv2PoolEntry 14 }
2619 natv2PoolThresholdUsageHigh OBJECT-TYPE
2620 SYNTAX Integer32 (-1|0..100)
2621 UNITS "Percent"
2622 MAX-ACCESS read-write
2623 STATUS current
2624 DESCRIPTION
2625 "Threshold for reporting high utilization of the address
2626 pool. Utilization at a given instant is calculated as the
2627 percentage of ports allocated in port map entries for the
2628 most-used protocol at that instant. If utilization is
2629 greater than or equal to natv2PoolThresholdUsageHigh, an
2630 instance of natv2NotificationPoolUsageHigh may be triggered,
2631 unless disabled by setting it to -1.
2633 Reporting is subject to the per-pool notification interval
2634 given by natv2PoolNotificationInterval. If multiple
2635 notifications are triggered during one interval, the agent
2636 MUST report only the one with the highest value of
2637 natv2PoolNotifiedPortMapEntries and discard the others. In
2638 the rare case where both upper and lower thresholds
2639 are crossed in the same interval, the agent MUST report only
2640 the upper threshold notification.
2642 Implementation note: the percentage specified by this object
2643 can be converted to a number of port map entries at
2644 configuration time (after port and address ranges have been
2645 configured or reconfigured) and compared to the current
2646 value of natv2PoolNotifiedPortMapEntries."
2647 DEFVAL { -1 }
2648 ::= { natv2PoolEntry 15 }
2650 natv2PoolNotifiedPortMapEntries OBJECT-TYPE
2651 SYNTAX Unsigned32
2652 MAX-ACCESS accessible-for-notify
2653 STATUS current
2654 DESCRIPTION
2655 "Number of port map entries using addresses and ports from
2656 this address pool for the most-used protocol at a given
2657 instant. One of the objects returned by
2658 natv2NotificationPoolUsageLow and
2659 natv2NotificationPoolUsageHigh."
2660 ::= { natv2PoolEntry 16 }
2662 natv2PoolNotifiedPortMapProtocol OBJECT-TYPE
2663 SYNTAX ProtocolNumber
2664 MAX-ACCESS accessible-for-notify
2665 STATUS current
2666 DESCRIPTION
2667 "The most-used protocol (i.e., with the largest number of
2668 port map entries) mapped into this address pool at a given
2669 instant. One of the objects returned by
2670 natv2NotificationPoolUsageLow and
2671 natv2NotificationPoolUsageHigh."
2672 ::= { natv2PoolEntry 17 }
2674 natv2PoolNotificationInterval OBJECT-TYPE
2675 SYNTAX Unsigned32 (1..3600)
2676 UNITS "Seconds"
2678 MAX-ACCESS read-write
2679 STATUS current
2680 DESCRIPTION
2681 "Minimum number of seconds between successive
2682 notifications for this address pool. Controls the generation
2683 of natv2NotificationPoolUsageLow and
2684 natv2NotificationPoolUsageHigh."
2685 DEFVAL { 20 }
2687 ::= { natv2PoolEntry 18 }
2689 natv2PoolRangeTable OBJECT-TYPE
2690 SYNTAX SEQUENCE OF Natv2PoolRangeEntry
2691 MAX-ACCESS not-accessible
2692 STATUS current
2693 DESCRIPTION
2694 "This table contains address ranges used by pool entries.
2695 It is an expansion of natv2PoolTable."
2696 REFERENCE
2697 "RFC yyyy ."
2698 ::= { natv2MIBInstanceObjects 4 }
2700 natv2PoolRangeEntry OBJECT-TYPE
2701 SYNTAX Natv2PoolRangeEntry
2702 MAX-ACCESS not-accessible
2703 STATUS current
2704 DESCRIPTION
2705 "NAT pool address range."
2706 INDEX {
2707 natv2PoolRangeInstanceIndex,
2708 natv2PoolRangePoolIndex,
2709 natv2PoolRangeRowIndex
2710 }
2711 ::= { natv2PoolRangeTable 1 }
2713 Natv2PoolRangeEntry ::=
2714 SEQUENCE {
2715 natv2PoolRangeInstanceIndex Natv2InstanceIndex,
2716 natv2PoolRangePoolIndex Natv2PoolIndex,
2717 natv2PoolRangeRowIndex Unsigned32,
2718 natv2PoolRangeBegin InetAddress,
2719 natv2PoolRangeEnd InetAddress
2720 }
2722 natv2PoolRangeInstanceIndex OBJECT-TYPE
2723 SYNTAX Natv2InstanceIndex
2724 MAX-ACCESS not-accessible
2725 STATUS current
2726 DESCRIPTION
2727 "Index of the NAT instance on which the address pool and this
2728 address range are configured. See Natv2InstanceIndex."
2729 ::= { natv2PoolRangeEntry 1 }
2731 natv2PoolRangePoolIndex OBJECT-TYPE
2732 SYNTAX Natv2PoolIndex
2733 MAX-ACCESS not-accessible
2734 STATUS current
2735 DESCRIPTION
2736 "Index of the address pool to which this address range
2737 belongs. See Natv2PoolIndex."
2738 ::= { natv2PoolRangeEntry 2 }
2740 natv2PoolRangeRowIndex OBJECT-TYPE
2741 SYNTAX Unsigned32
2742 MAX-ACCESS not-accessible
2743 STATUS current
2744 DESCRIPTION
2745 "Row index for successive range entries for the same
2746 address pool."
2747 ::= { natv2PoolRangeEntry 3 }
2749 natv2PoolRangeBegin OBJECT-TYPE
2750 SYNTAX InetAddress
2751 MAX-ACCESS read-only
2752 STATUS current
2753 DESCRIPTION
2754 "Lowest address included in this range. The type of address
2755 (IPv4 or IPv6) is given by natv2PoolAddressType
2756 in natv2PoolTable."
2757 ::= { natv2PoolRangeEntry 4 }
2759 natv2PoolRangeEnd OBJECT-TYPE
2760 SYNTAX InetAddress
2761 MAX-ACCESS read-only
2762 STATUS current
2763 DESCRIPTION
2764 "Highest address included in this range. The type of address
2765 (IPv4 or IPv6) is given by natv2PoolAddressType
2766 in natv2PoolTable."
2767 ::= { natv2PoolRangeEntry 5 }
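The threshold objects above leave the arithmetic to the implementer: pool capacity for a protocol is every address in every natv2PoolRangeEntry times the natv2PoolMinimumPort..natv2PoolMaximumPort range, utilization is measured on the most-used protocol only, -1 disables a threshold, notifications are rate limited by natv2PoolNotificationInterval, and when several are triggered inside one interval the agent keeps the one with the highest (for high) or lowest (for low) natv2PoolNotifiedPortMapEntries, with the upper threshold winning if both are crossed. The following Python puts those rules together as an added example for this page; it is not code from the draft or from any NAT product. The class and function names are this example's own, MIB object names appear in comments, and the addresses and counts are constructed (the addresses are RFC 5737 documentation addresses).

```python
# Added example, not part of the draft: pool capacity from natv2PoolRangeTable
# plus the port range, and the usage-threshold notification rules of
# natv2PoolThresholdUsageLow/High and natv2PoolNotificationInterval.
# Class and function names are this example's; MIB objects are named in comments.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

DISABLED = -1   # natv2PoolThresholdUsageLow/High value that disables the notification


@dataclass(frozen=True)
class PoolRange:
    """One natv2PoolRangeEntry: natv2PoolRangeBegin .. natv2PoolRangeEnd, inclusive."""
    begin: str
    end: str

    def address_count(self) -> int:
        lo, hi = ipaddress.ip_address(self.begin), ipaddress.ip_address(self.end)
        if lo.version != hi.version or hi < lo:
            raise ValueError(f"malformed range {self.begin}-{self.end}")
        return int(hi) - int(lo) + 1


@dataclass
class Pool:
    """Configuration columns of one natv2PoolEntry plus its address ranges."""
    minimum_port: int                   # natv2PoolMinimumPort
    maximum_port: int                   # natv2PoolMaximumPort
    ranges: List[PoolRange]
    threshold_low: int = DISABLED       # natv2PoolThresholdUsageLow, DEFVAL -1
    threshold_high: int = DISABLED      # natv2PoolThresholdUsageHigh, DEFVAL -1
    notification_interval: int = 20     # natv2PoolNotificationInterval, DEFVAL 20 s

    def port_capacity(self) -> int:
        """Ports the pool can hand out for any one protocol: every address in
        every range times the port range, which applies to all protocols."""
        if not 0 <= self.minimum_port <= self.maximum_port <= 65535:
            raise ValueError("bad port range")
        ports_per_address = self.maximum_port - self.minimum_port + 1
        return ports_per_address * sum(r.address_count() for r in self.ranges)


@dataclass(frozen=True)
class Notification:
    kind: str               # "natv2NotificationPoolUsageHigh" or "...Low"
    port_map_entries: int   # natv2PoolNotifiedPortMapEntries
    protocol: int           # natv2PoolNotifiedPortMapProtocol


class PoolNotifier:
    """Agent-side threshold logic for one pool."""

    def __init__(self, pool: Pool):
        self.pool = pool
        self.capacity = pool.port_capacity()
        self.last_sent: Optional[float] = None
        self.pending: List[Notification] = []

    def evaluate(self, entries_by_protocol: Dict[int, int]) -> Optional[Notification]:
        """Utilization is measured on the most-used protocol only. The test is
        done in integers (entries*100 against threshold*capacity), so a pool of
        a few hundred thousand ports never suffers float rounding at the edge."""
        if not entries_by_protocol or self.capacity == 0:
            return None
        protocol, entries = max(entries_by_protocol.items(), key=lambda kv: kv[1])
        high, low = self.pool.threshold_high, self.pool.threshold_low
        if high != DISABLED and entries * 100 >= high * self.capacity:
            return Notification("natv2NotificationPoolUsageHigh", entries, protocol)
        if low != DISABLED and entries * 100 <= low * self.capacity:
            return Notification("natv2NotificationPoolUsageLow", entries, protocol)
        return None

    def observe(self, now: float, entries_by_protocol: Dict[int, int]) -> Optional[Notification]:
        """Record a sample taken at `now` (seconds) and return the notification
        to send, if any. At most one notification per notification_interval;
        triggers that arrive while the interval is running are coalesced:
        a high notification wins over a low one, then the largest entry count
        for high and the smallest for low."""
        triggered = self.evaluate(entries_by_protocol)
        if triggered is not None:
            self.pending.append(triggered)
        if not self.pending:
            return None
        if self.last_sent is not None and now - self.last_sent < self.pool.notification_interval:
            return None
        highs = [n for n in self.pending if n.kind.endswith("High")]
        lows = [n for n in self.pending if n.kind.endswith("Low")]
        chosen = (max(highs, key=lambda n: n.port_map_entries) if highs
                  else min(lows, key=lambda n: n.port_map_entries))
        self.pending.clear()
        self.last_sent = now
        return chosen


if __name__ == "__main__":
    # Constructed pool: four external addresses, ports 1024..65535 each.
    pool = Pool(1024, 65535, [PoolRange("198.51.100.0", "198.51.100.3")],
                threshold_low=10, threshold_high=90)
    agent = PoolNotifier(pool)
    print(pool.port_capacity())                      # 258048 ports per protocol
    print(agent.observe(0, {17: 240_000, 6: 100_000}))   # UDP over 90 %: sent
    print(agent.observe(5, {17: 250_000}))               # inside interval: held
    print(agent.observe(25, {17: 100_000}))              # interval over: held one sent
```

A pool at the high threshold is also the point where natv2PoolPortMapFailureDrops starts climbing, so an operator normally sets natv2PoolThresholdUsageHigh well below 100 and treats the notification as the early warning for the drop counter.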
2769 -- indexed mapping tables
2771 -- Address Map Table. Mapped from internal to external address.
2773 natv2AddressMapTable OBJECT-TYPE
2774 SYNTAX SEQUENCE OF Natv2AddressMapEntry
2775 MAX-ACCESS not-accessible
2776 STATUS current
2777 DESCRIPTION
2778 "Table of mappings from internal to external address. By
2779 definition, this is a snapshot of NAT instance state at a
2780 given moment. Indexed by NAT instance, internal realm, and
2781 internal address in that realm. Provides the mapped external
2782 address and, depending on implementation support, identifies
2783 the address pool from which the external address and port
2784 were taken and the index of the subscriber to which the
2785 mapping has been allocated.
2787 In the case of DS-Lite [RFC 6333], the indexing realm and
2788 address are those of the IPv6 encapsulation rather than the
2789 IPv4 inner packet."
2790 REFERENCE
2791 "RFC yyyy Section 3.3.8. DS-Lite: RFC 6333"
2792 ::= { natv2MIBInstanceObjects 5 }
2794 natv2AddressMapEntry OBJECT-TYPE
2795 SYNTAX Natv2AddressMapEntry
2796 MAX-ACCESS not-accessible
2797 STATUS current
2798 DESCRIPTION
2799 "Mapping from internal to external address."
2800 INDEX { natv2AddressMapInstanceIndex,
2801 natv2AddressMapInternalRealm,
2802 natv2AddressMapInternalAddressType,
2803 natv2AddressMapInternalAddress,
2804 natv2AddressMapRowIndex }
2805 ::= { natv2AddressMapTable 1 }
2807 Natv2AddressMapEntry ::=
2808 SEQUENCE {
2809 natv2AddressMapInstanceIndex Natv2InstanceIndex,
2810 natv2AddressMapInternalRealm SnmpAdminString,
2811 natv2AddressMapInternalAddressType InetAddressType,
2812 natv2AddressMapInternalAddress InetAddress,
2813 natv2AddressMapRowIndex Unsigned32,
2814 natv2AddressMapInternalMappedAddressType InetAddressType,
2815 natv2AddressMapInternalMappedAddress InetAddress,
2816 natv2AddressMapExternalRealm SnmpAdminString,
2817 natv2AddressMapExternalAddressType InetAddressType,
2818 natv2AddressMapExternalAddress InetAddress,
2819 natv2AddressMapExternalPoolIndex Natv2PoolIndexOrZero,
2820 natv2AddressMapSubscriberIndex Natv2SubscriberIndexOrZero
2821 }
2823 natv2AddressMapInstanceIndex OBJECT-TYPE
2824 SYNTAX Natv2InstanceIndex
2825 MAX-ACCESS not-accessible
2826 STATUS current
2827 DESCRIPTION
2828 "Index of the NAT instance that generated this address map."
2829 ::= { natv2AddressMapEntry 1 }
2831 natv2AddressMapInternalRealm OBJECT-TYPE
2832 SYNTAX SnmpAdminString (SIZE(0..32))
2833 MAX-ACCESS not-accessible
2834 STATUS current
2835 DESCRIPTION
2836 "Realm to which the internal address belongs. In most cases
2837 this is the realm defining the address space of the packet
2838 being translated. However, in the case of DS-Lite [RFC
2839 6333], this realm defines the IPv6 outer header address
2840 space. It is the combination of that outer header and
2841 the inner IPv4 packet header that is remapped to the
2842 external address and realm. The corresponding IPv4 realm is
2843 restricted in scope to the tunnel, so there is no point in
2844 identifying it. The mapped IPv4 address will normally be the
2845 well-known value 192.0.0.2, or at least lie in the reserved
2846 192.0.0.0/29 range.
2848 If natv2AddressMapSubscriberIndex in this table is a valid
2849 subscriber index (i.e., greater than zero), then the value
2850 of natv2AddressMapInternalRealm MUST be identical to the
2851 value of natv2SubscriberRealm associated with that index."
2852 REFERENCE
2853 "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
2854 Section 6.6 on the need to have the IPv6 tunnel address in
2855 the NAT mapping tables."
2856 ::= { natv2AddressMapEntry 2 }
2858 natv2AddressMapInternalAddressType OBJECT-TYPE
2859 SYNTAX InetAddressType
2860 MAX-ACCESS not-accessible
2861 STATUS current
2862 DESCRIPTION
2863 "Address type in the header of packets on the
2864 interior side of this mapping. Any value other than ipv4(1)
2865 or ipv6(2) would be unexpected.
2867 In the DS-Lite case, the address type is ipv6(2)."
2868 REFERENCE
2869 "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
2870 Section 6.6 on the need to have the IPv6 tunnel source
2871 address in the NAT mapping tables."
2872 ::= { natv2AddressMapEntry 3 }
2874 natv2AddressMapInternalAddress OBJECT-TYPE
2875 SYNTAX InetAddress (SIZE (0..16))
2876 MAX-ACCESS not-accessible
2877 STATUS current
2878 DESCRIPTION
2879 "Source address of packets originating from the interior
2880 of the association provided by this mapping. The address
2881 type is given by natv2AddressMapInternalAddressType.
2883 In the case of DS-Lite [RFC 6333], this is the IPv6 tunnel
2884 source address. The mapping in this case is considered to
2885 be from the combination of the IPv6 tunnel source address
2886 natv2AddressMapInternalAddress and the well-known IPv4 inner
2887 source address natv2AddressMapInternalMappedAddress to the
2888 external address."
2889 REFERENCE
2890 "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
2891 Section 6.6 on the need to have the IPv6 tunnel address in
2892 the NAT mapping tables."
2893 ::= { natv2AddressMapEntry 4 }
2895 natv2AddressMapRowIndex OBJECT-TYPE
2896 SYNTAX Unsigned32
2897 MAX-ACCESS not-accessible
2898 STATUS current
2899 DESCRIPTION
2900 "Index of a conceptual row corresponding to a mapping of the
2901 given internal realm and address to a single external realm
2902 and address. Multiple rows will be present because of a
2903 promiscuous external address selection policy, policies
2904 associating the same internal address with different address
2905 pools, or because the same internal realm-address
2906 combination is communicating with multiple external address
2907 realms."
2908 ::= { natv2AddressMapEntry 5 }
2910 natv2AddressMapInternalMappedAddressType OBJECT-TYPE
2911 SYNTAX InetAddressType
2912 MAX-ACCESS read-only
2913 STATUS current
2914 DESCRIPTION
2915 "Internal address type actually translated by this mapping.
2916 Any value other than ipv4(1) or ipv6(2) would be unexpected.
2917 In the general case, this is the same as given by
2918 natv2AddressMapInternalAddressType. In the
2919 tunneled case it is the address type used in the
2920 encapsulated packet header. In particular, in the DS-Lite
2921 case, the mapped address type is ipv4(1)."
2922 REFERENCE
2923 "DS-Lite: RFC 6333."
2924 ::= { natv2AddressMapEntry 6 }
2926 natv2AddressMapInternalMappedAddress OBJECT-TYPE
2927 SYNTAX InetAddress
2928 MAX-ACCESS read-only
2929 STATUS current
2930 DESCRIPTION
2931 "Internal address actually translated by this mapping. In the
2932 general case, this is the same as
2933 natv2AddressMapInternalAddress. The address type is
2934 given by natv2AddressMapInternalMappedAddressType. In the
2935 case of DS-Lite [RFC 6333], this is the source address of
2936 the encapsulated IPv4 packet, normally lying in the well-known
2937 range 192.0.0.0/29. The mapping in this case is considered
2938 to be from the combination of the IPv6 tunnel source address
2939 natv2AddressMapInternalAddress and the well-known IPv4
2940 inner source address natv2AddressMapInternalMappedAddress to
2941 the external address."
2942 REFERENCE
2943 "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
2944 Section 6.6 on the need to have the IPv6 tunnel address in
2945 the NAT mapping tables."
2946 ::= { natv2AddressMapEntry 7 }
2948 natv2AddressMapExternalRealm OBJECT-TYPE
2949 SYNTAX SnmpAdminString (SIZE(0..32))
2950 MAX-ACCESS read-only
2951 STATUS current
2952 DESCRIPTION
2953 "External address realm to which this mapping maps the
2954 internal address. This can be the same as the internal realm
2955 in the case of a 'hairpin' connection, but otherwise will be
2956 different."
2957 ::= { natv2AddressMapEntry 8 }
2959 natv2AddressMapExternalAddressType OBJECT-TYPE
2960 SYNTAX InetAddressType
2961 MAX-ACCESS read-only
2962 STATUS current
2963 DESCRIPTION
2964 "Address type for the external realm. Any value other than
2965 ipv4(1) or ipv6(2) would be unexpected."
2966 ::= { natv2AddressMapEntry 9 }
2968 natv2AddressMapExternalAddress OBJECT-TYPE
2969 SYNTAX InetAddress
2970 MAX-ACCESS read-only
2971 STATUS current
2972 DESCRIPTION
2973 "External address to which the internal address is mapped.
2974 The address type is given by
2975 natv2AddressMapExternalAddressType.
2977 In the DS-Lite case, the mapping is from the combination of
2978 the internal IPv6 tunnel source address as presented in this
2979 table and the well-known IPv4 source address of the
2980 encapsulated IPv4 packet."
2981 REFERENCE
2982 "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
2983 Section 6.6 on the need to have the IPv6 tunnel address in
2984 the NAT mapping tables."
2985 ::= { natv2AddressMapEntry 10 }
2987 natv2AddressMapExternalPoolIndex OBJECT-TYPE
2988 SYNTAX Natv2PoolIndexOrZero
2989 MAX-ACCESS read-only
2990 STATUS current
2991 DESCRIPTION
2992 "Index of the address pool in the external realm from which
2993 the mapped external address given in
2994 natv2AddressMapExternalAddress was taken. Zero if the
2995 implementation does not support address pools but has chosen
2996 to support this object, or if no pool was configured for the
2997 given external realm."
2998 ::= { natv2AddressMapEntry 11 }
3000 natv2AddressMapSubscriberIndex OBJECT-TYPE
3001 SYNTAX Natv2SubscriberIndexOrZero
3002 MAX-ACCESS read-only
3003 STATUS current
3004 DESCRIPTION
3005 "Index of the subscriber to which this address mapping
3006 applies, or zero if no subscribers are configured on
3007 this NAT instance."
3008 ::= { natv2AddressMapEntry 12 }
3010 -- natv2PortMapTable
3012 natv2PortMapTable OBJECT-TYPE
3013 SYNTAX SEQUENCE OF Natv2PortMapEntry
3014 MAX-ACCESS not-accessible
3015 STATUS current
3016 DESCRIPTION
3017 "Table of port map entries indexed by NAT instance, protocol,
3018 and external realm and address. A port map entry associates
3019 an internal upper layer protocol endpoint with an endpoint
3020 for the same protocol in the given external realm. By
3021 definition, this is a snapshot of NAT instance state at a
3022 given moment. The table provides the basic mapping
3023 information.
3025 In the case of DS-Lite [RFC 6333], the table provides the
3026 internal IPv6 tunnel source address in
3027 natv2PortMapInternalAddress and the IPv4 source address
3028 of the encapsulated packet that is actually translated in
3029 natv2PortMapInternalMappedAddress. In the general (non-DS-
3030 Lite) case, those two objects will have the same value."
3031 REFERENCE
3032 "RFC yyyy Section 3.3.9. DS-Lite: RFC 6333, Section 5.7 for
3033 well-known addresses and Section 6.6 on the need to have the
3034 IPv6 tunnel address in the NAT mapping tables."
3035 ::= { natv2MIBInstanceObjects 6 }
3037 natv2PortMapEntry OBJECT-TYPE
3038 SYNTAX Natv2PortMapEntry
3039 MAX-ACCESS not-accessible
3040 STATUS current
3041 DESCRIPTION
3042 "A single NAT mapping."
3043 INDEX { natv2PortMapInstanceIndex,
3044 natv2PortMapProtocol,
3045 natv2PortMapExternalRealm,
3046 natv2PortMapExternalAddressType,
3047 natv2PortMapExternalAddress,
3048 natv2PortMapExternalPort }
3049 ::= { natv2PortMapTable 1 }
3051 Natv2PortMapEntry ::=
3052 SEQUENCE {
3053 natv2PortMapInstanceIndex Natv2InstanceIndex,
3054 natv2PortMapProtocol ProtocolNumber,
3055 natv2PortMapExternalRealm SnmpAdminString,
3056 natv2PortMapExternalAddressType InetAddressType,
3057 natv2PortMapExternalAddress InetAddress,
3058 natv2PortMapExternalPort InetPortNumber,
3059 natv2PortMapInternalRealm SnmpAdminString,
3060 natv2PortMapInternalAddressType InetAddressType,
3061 natv2PortMapInternalAddress InetAddress,
3062 natv2PortMapInternalMappedAddressType InetAddressType,
3063 natv2PortMapInternalMappedAddress InetAddress,
3064 natv2PortMapInternalPort InetPortNumber,
3065 natv2PortMapExternalPoolIndex Natv2PoolIndexOrZero,
3066 natv2PortMapSubscriberIndex Natv2SubscriberIndexOrZero
3067 }
3069 natv2PortMapInstanceIndex OBJECT-TYPE
3070 SYNTAX Natv2InstanceIndex
3071 MAX-ACCESS not-accessible
3072 STATUS current
3073 DESCRIPTION
3074 "Index of the NAT instance that created this port map entry."
3075 ::= { natv2PortMapEntry 1 }
3077 natv2PortMapProtocol OBJECT-TYPE
3078 SYNTAX ProtocolNumber
3079 MAX-ACCESS not-accessible
3080 STATUS current
3081 DESCRIPTION
3082 "The map entry's upper layer protocol number."
3083 ::= { natv2PortMapEntry 2 }
3085 natv2PortMapExternalRealm OBJECT-TYPE
3086 SYNTAX SnmpAdminString (SIZE(0..32))
3087 MAX-ACCESS not-accessible
3088 STATUS current
3089 DESCRIPTION
3090 "The realm to which natv2PortMapExternalAddress belongs."
3091 ::= { natv2PortMapEntry 3 }
3093 natv2PortMapExternalAddressType OBJECT-TYPE
3094 SYNTAX InetAddressType
3095 MAX-ACCESS not-accessible
3096 STATUS current
3097 DESCRIPTION
3098 "Address type for the external realm. A value other
3099 than ipv4(1) or ipv6(2) would be unexpected."
3100 ::= { natv2PortMapEntry 4 }
3102 natv2PortMapExternalAddress OBJECT-TYPE
3103 SYNTAX InetAddress (SIZE (0..16))
3104 MAX-ACCESS not-accessible
3105 STATUS current
3106 DESCRIPTION
3107 "The mapping's assigned external address. (This address is
3108 taken from the address pool identified by
3109 natv2PortMapExternalPoolIndex, if the implementation
3110 supports address pools and pools are configured for the
3111 given external realm.) This is the source address for
3112 translated outgoing packets. The address type is given
3113 by natv2PortMapExternalAddressType."
3115 ::= { natv2PortMapEntry 5 }
3117 natv2PortMapExternalPort OBJECT-TYPE
3118 SYNTAX InetPortNumber
3119 MAX-ACCESS not-accessible
3120 STATUS current
3121 DESCRIPTION
3122 "The mapping's assigned external port number. This is the
3123 source port for translated outgoing packets. If the internal
3124 port number given by natv2PortMapInternalPort is zero this
3125 value MUST also be zero. Otherwise this MUST be a non-zero
3126 value."
3127 ::= { natv2PortMapEntry 6 }
3129 natv2PortMapInternalRealm OBJECT-TYPE
3130 SYNTAX SnmpAdminString (SIZE(0..32))
3131 MAX-ACCESS read-only
3132 STATUS current
3133 DESCRIPTION
3134 "The realm to which natv2PortMapInternalAddress belongs.
3135 In the general case, this realm contains the address that is
3136 being translated. In the DS-Lite [RFC 6333] case, this realm
3137 defines the IPv6 address space from which the tunnel source
3138 address is taken. The realm of the encapsulated IPv4 address
3139 is restricted in scope to the tunnel, so there is no point
3140 in identifying it separately."
3141 REFERENCE
3142 "RFC 6333 DS-Lite."
3143 ::= { natv2PortMapEntry 7 }
3145 natv2PortMapInternalAddressType OBJECT-TYPE
3146 SYNTAX InetAddressType
3147 MAX-ACCESS read-only
3148 STATUS current
3149 DESCRIPTION
3150 "Address type for addresses in the realm identified by
3151 natv2PortMapInternalRealm."
3152 ::= { natv2PortMapEntry 8 }
3154 natv2PortMapInternalAddress OBJECT-TYPE
3155 SYNTAX InetAddress
3156 MAX-ACCESS read-only
3157 STATUS current
3158 DESCRIPTION
3159 "Source address for packets received under this mapping on
3160 the internal side of the NAT instance. In the general case
3161 this address is the same as the address given in
3162 natv2PortMapInternalMappedAddress. In the DS-Lite case,
3163 natv2PortMapInternalAddress is the IPv6 tunnel source
3164 address. The address type is given
3165 by natv2PortMapInternalAddressType."
3166 REFERENCE
3167 "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
3168 Section 6.6 on the need to have the IPv6 tunnel address in
3169 the NAT mapping tables."
3170 ::= { natv2PortMapEntry 9 }
3172 natv2PortMapInternalMappedAddressType OBJECT-TYPE
3173 SYNTAX InetAddressType
3174 MAX-ACCESS read-only
3175 STATUS current
3176 DESCRIPTION
3177 "Internal address type actually translated by this mapping.
3178 Any value other than ipv4(1) or ipv6(2) would be unexpected.
3179 In the general case, this is the same as given by
3180 natv2PortMapInternalAddressType. In the DS-Lite
3181 case, the address type is ipv4(1)."
3182 REFERENCE
3183 "DS-Lite: RFC 6333."
3184 ::= { natv2PortMapEntry 10 }
3186 natv2PortMapInternalMappedAddress OBJECT-TYPE
3187 SYNTAX InetAddress
3188 MAX-ACCESS read-only
3189 STATUS current
3190 DESCRIPTION
3191 "Internal address actually translated by this mapping. In the
3192 general case, this is the same as
3193 natv2PortMapInternalAddress. The address type is given
3194 by natv2PortMapInternalMappedAddressType.
3196 In the case of DS-Lite [RFC 6333], this is the source
3197 address of the encapsulated IPv4 packet, normally selected
3198 from the well-known range 192.0.0.0/29. The mapping in this
3199 case is considered to be from the external address to the
3200 combination of the IPv6 tunnel source address
3201 natv2PortMapInternalAddress and the well-known IPv4
3202 inner source address natv2PortMapInternalMappedAddress."
3203 REFERENCE
3204 "DS-Lite: RFC 6333, Section 5.7 for well-known addresses and
3205 Section 6.6 on the need to have the IPv6 tunnel address in
3206 the NAT mapping tables."
3207 ::= { natv2PortMapEntry 11 }
3209 natv2PortMapInternalPort OBJECT-TYPE
3210 SYNTAX InetPortNumber
3211 MAX-ACCESS read-only
3212 STATUS current
3213 DESCRIPTION
3214 "The mapping's internal port number. If this is zero, ports
3215 are not translated (i.e., the NAT instance is a pure NAT
3216 rather than a NAPT)."
3217 ::= { natv2PortMapEntry 12 }
3219 natv2PortMapExternalPoolIndex OBJECT-TYPE
3220 SYNTAX Natv2PoolIndexOrZero
3221 MAX-ACCESS read-only
3222 STATUS current
3223 DESCRIPTION
3224 "Identifies the address pool from which the external address
3225 in this port map entry was taken. Zero if the implementation
3226 does not support address pools but has chosen to support
3227 this object, or if no pools are configured for the given
3228 external realm."
3229 ::= { natv2PortMapEntry 13 }
3231 natv2PortMapSubscriberIndex OBJECT-TYPE
3232 SYNTAX Natv2SubscriberIndexOrZero
3233 MAX-ACCESS read-only
3234 STATUS current
3235 DESCRIPTION
3236 "Subscriber using this map entry. Zero if the implementation
3237 does not support subscribers but has chosen to support
3238 this object."
3239 ::= { natv2PortMapEntry 14 }
3241 -- Conformance section. Specifies three cumulatively more extensive
3242 -- applications: basic NAT, pooled NAT, and carrier grade NAT
3244 natv2MIBConformance OBJECT IDENTIFIER ::= { natv2MIB 3 }
3246 natv2MIBCompliances OBJECT IDENTIFIER ::= { natv2MIBConformance 1 }
3247 natv2MIBGroups OBJECT IDENTIFIER ::= { natv2MIBConformance 2 }
3248 natv2MIBBasicCompliance MODULE-COMPLIANCE
3249 STATUS current
3250 DESCRIPTION
3251 "Describes the requirements for conformance to the basic NAT
3252 application of NATv2 MIB."
3253 MODULE -- this module
3254 MANDATORY-GROUPS { natv2BasicNotificationGroup,
3255 natv2BasicInstanceLevelGroup
3256 }
3257 GROUP natv2BasicNotificationGroup
3258 DESCRIPTION
3259 "The natv2BasicNotificationGroup is mandatory for all
3260 NAT applications."
3261 GROUP natv2BasicInstanceLevelGroup
3262 DESCRIPTION
3263 "The natv2BasicInstanceLevelGroup is mandatory for all
3264 NAT applications."
3265 ::= { natv2MIBCompliances 1 }
3267 natv2MIBPooledNATCompliance MODULE-COMPLIANCE
3268 STATUS current
3269 DESCRIPTION
3270 "Describes the requirements for conformance to the pooled NAT
3271 application of NATv2-MIB."
3272 MODULE -- this module
3273 MANDATORY-GROUPS { natv2BasicNotificationGroup,
3274 natv2BasicInstanceLevelGroup,
3275 natv2PooledNotificationGroup,
3276 natv2PooledInstanceLevelGroup
3277 }
3278 GROUP natv2BasicNotificationGroup
3279 DESCRIPTION
3280 "The natv2BasicNotificationGroup is mandatory for all
3281 NAT applications."
3282 GROUP natv2BasicInstanceLevelGroup
3283 DESCRIPTION
3284 "The natv2BasicInstanceLevelGroup is mandatory for all
3285 NAT applications."
3286 GROUP natv2PooledNotificationGroup
3287 DESCRIPTION
3288 "The natv2PooledNotificationGroup is mandatory for
3289 the pooled and CGN applications."
3290 GROUP natv2PooledInstanceLevelGroup
3291 DESCRIPTION
3292 "The natv2PooledInstanceLevelGroup is mandatory for
3293 the pooled and CGN applications."
3294 ::= { natv2MIBCompliances 2 }
3296 natv2MIBCGNCompliance MODULE-COMPLIANCE
3297 STATUS current
3298 DESCRIPTION
3299 "Describes the requirements for conformance to the
3300 carrier grade NAT application of NATv2-MIB."
3301 MODULE -- this module
3302 MANDATORY-GROUPS { natv2BasicNotificationGroup,
3303 natv2BasicInstanceLevelGroup,
3304 natv2PooledNotificationGroup,
3305 natv2PooledInstanceLevelGroup,
3306 natv2CGNNotificationGroup,
3307 natv2CGNDeviceLevelGroup,
3308 natv2CGNInstanceLevelGroup
3309 }
3310 GROUP natv2BasicNotificationGroup
3311 DESCRIPTION
3312 "The natv2BasicNotificationGroup is mandatory for all
3313 NAT applications."
3314 GROUP natv2BasicInstanceLevelGroup
3315 DESCRIPTION
3316 "The natv2BasicInstanceLevelGroup is mandatory for all
3317 NAT applications."
3318 GROUP natv2PooledNotificationGroup
3319 DESCRIPTION
3320 "The natv2PooledNotificationGroup is mandatory for
3321 the pooled and CGN applications."
3322 GROUP natv2PooledInstanceLevelGroup
3323 DESCRIPTION
3324 "The natv2PooledInstanceLevelGroup is mandatory for
3325 the pooled and CGN applications."
3326 GROUP natv2CGNNotificationGroup
3327 DESCRIPTION
3328 "The natv2CGNNotificationGroup is mandatory
3329 for the carrier grade NAT application."
3330 GROUP natv2CGNDeviceLevelGroup
3331 DESCRIPTION
3332 "The natv2CGNDeviceLevelGroup is mandatory
3333 for the carrier grade NAT application."
3334 GROUP natv2CGNInstanceLevelGroup
3335 DESCRIPTION
3336 "The natv2CGNInstanceLevelGroup is mandatory
3337 for the carrier grade NAT application."
3338 ::= { natv2MIBCompliances 3 }
3340 -- Groups
3342 natv2BasicNotificationGroup NOTIFICATION-GROUP
3343 NOTIFICATIONS {
3344 natv2NotificationInstanceAddressMapEntriesHigh,
3345 natv2NotificationInstancePortMapEntriesHigh
3346 }
3347 STATUS current
3348 DESCRIPTION
3349 "Notifications that MUST be supported by all NAT
3350 applications."
3351 ::= { natv2MIBGroups 1 }
3353 natv2BasicInstanceLevelGroup OBJECT-GROUP
3354 OBJECTS {
3355 -- from natv2InstanceTable
3356 natv2InstanceAlias,
3357 natv2InstancePortMappingBehavior,
3358 natv2InstanceFilteringBehavior,
3359 natv2InstanceFragmentBehavior,
3360 natv2InstanceAddressMapEntries,
3361 natv2InstancePortMapEntries,
3362 natv2InstanceTranslations,
3363 natv2InstanceAddressMapCreations,
3364 natv2InstanceAddressMapEntryLimitDrops,
3365 natv2InstanceAddressMapFailureDrops,
3366 natv2InstancePortMapCreations,
3367 natv2InstancePortMapEntryLimitDrops,
3368 natv2InstancePortMapFailureDrops,
3369 natv2InstanceFragmentDrops,
3370 natv2InstanceOtherResourceFailureDrops,
3371 natv2InstanceDiscontinuityTime,
3372 natv2InstanceThresholdAddressMapEntriesHigh,
3373 natv2InstanceThresholdPortMapEntriesHigh,
3374 natv2InstanceNotificationInterval,
3375 natv2InstanceLimitAddressMapEntries,
3376 natv2InstanceLimitPortMapEntries,
3377 natv2InstanceLimitPendingFragments,
3378 -- from natv2ProtocolTable
3379 natv2ProtocolPortMapEntries,
3380 natv2ProtocolTranslations,
3381 natv2ProtocolPortMapCreations,
3382 natv2ProtocolPortMapFailureDrops,
3383 -- from natv2AddressMapTable
3384 natv2AddressMapExternalRealm,
3385 natv2AddressMapExternalAddressType,
3386 natv2AddressMapExternalAddress,
3387 -- from natv2PortMapTable
3388 natv2PortMapInternalRealm,
3389 natv2PortMapInternalAddressType,
3390 natv2PortMapInternalAddress,
3391 natv2PortMapInternalPort
3392 }
3393 STATUS current
3394 DESCRIPTION
3395 "Per-instance objects that MUST be supported by
3396 implementations of all NAT applications."
3397 ::= { natv2MIBGroups 2 }
3399 natv2PooledNotificationGroup NOTIFICATION-GROUP
3400 NOTIFICATIONS {
3401 natv2NotificationPoolUsageLow,
3402 natv2NotificationPoolUsageHigh
3403 }
3404 STATUS current
3405 DESCRIPTION
3406 "Notifications that MUST be supported by pooled and
3407 carrier-grade NAT applications."
3408 ::= { natv2MIBGroups 3 }
3410 natv2PooledInstanceLevelGroup OBJECT-GROUP
3411 OBJECTS {
3412 -- from natv2InstanceTable
3413 natv2InstancePoolingBehavior,
3414 -- from natv2PoolTable
3415 natv2PoolRealm,
3416 natv2PoolAddressType,
3417 natv2PoolMinimumPort,
3418 natv2PoolMaximumPort,
3419 natv2PoolAddressMapEntries,
3420 natv2PoolPortMapEntries,
3421 natv2PoolAddressMapCreations,
3422 natv2PoolPortMapCreations,
3423 natv2PoolAddressMapFailureDrops,
3424 natv2PoolPortMapFailureDrops,
3425 natv2PoolDiscontinuityTime,
3426 natv2PoolThresholdUsageLow,
3427 natv2PoolThresholdUsageHigh,
3428 natv2PoolNotifiedPortMapEntries,
3429 natv2PoolNotifiedPortMapProtocol,
3430 natv2PoolNotificationInterval,
3431 -- from natv2PoolRangeTable
3432 natv2PoolRangeBegin,
3433 natv2PoolRangeEnd,
3434 -- from natv2AddressMapTable
3435 natv2AddressMapExternalPoolIndex,
3436 -- from natv2PortMapTable
3437 natv2PortMapExternalPoolIndex
3438 }
3440 STATUS current
3441 DESCRIPTION
3442 "Per-instance objects that MUST be supported by
3443 implementations of the pooled and carrier grade
3444 NAT applications."
3445 ::= { natv2MIBGroups 4 }
3447 natv2CGNNotificationGroup NOTIFICATION-GROUP
3448 NOTIFICATIONS {
3449 natv2NotificationSubscriberPortMappingEntriesHigh
3450 }
3451 STATUS current
3452 DESCRIPTION
3453 "Notification that MUST be supported by implementations
3454 of the carrier grade NAT application."
3455 ::= { natv2MIBGroups 5 }
3457 natv2CGNDeviceLevelGroup OBJECT-GROUP
3458 OBJECTS {
3459 -- from table natv2SubscriberTable
3460 natv2SubscriberInternalRealm,
3461 natv2SubscriberInternalPrefixType,
3462 natv2SubscriberInternalPrefix,
3463 natv2SubscriberInternalPrefixLength,
3464 natv2SubscriberAddressMapEntries,
3465 natv2SubscriberPortMapEntries,
3466 natv2SubscriberTranslations,
3467 natv2SubscriberAddressMapCreations,
3468 natv2SubscriberPortMapCreations,
3469 natv2SubscriberAddressMapFailureDrops,
3470 natv2SubscriberPortMapFailureDrops,
3471 natv2SubscriberDiscontinuityTime,
3472 natv2SubscriberLimitPortMapEntries,
3473 natv2SubscriberThresholdPortMapEntriesHigh,
3474 natv2SubscriberNotificationInterval
3475 }
3476 STATUS current
3477 DESCRIPTION
3478 "Device-level objects that MUST be supported by the
3479 carrier-grade NAT application."
3480 ::= { natv2MIBGroups 6 }
3482 natv2CGNInstanceLevelGroup OBJECT-GROUP
3483 OBJECTS {
3484 -- from natv2InstanceTable
3485 natv2InstanceSubscriberActiveLimitDrops,
3486 natv2InstanceLimitSubscriberActives,
3487 -- from natv2AddressMapTable
3488 natv2AddressMapInternalMappedAddressType,
3489 natv2AddressMapInternalMappedAddress,
3490 natv2AddressMapSubscriberIndex,
3491 -- from natv2PortMapTable
3492 natv2PortMapInternalMappedAddressType,
3493 natv2PortMapInternalMappedAddress,
3494 natv2PortMapSubscriberIndex
3495 }
3496 STATUS current
3497 DESCRIPTION
3498 "Per-instance objects that MUST be supported by the
3499 carrier grade NAT application."
3500 ::= { natv2MIBGroups 7 }
3502 END
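As an added illustration of the natv2PortMapTable definitions in the module above (example code written for this page, not part of the MIB module or of any NAT implementation), the following Python builds and parses the OID instance suffix that the table's INDEX clause implies, and checks an entry against the constraints stated in the object DESCRIPTIONs: the zero/non-zero coupling of natv2PortMapExternalPort and natv2PortMapInternalPort, the equality of natv2PortMapInternalAddress and natv2PortMapInternalMappedAddress outside DS-Lite, and the 192.0.0.0/29 inner source in the DS-Lite case. The class and function names and the sample mapping (documentation addresses from RFC 5737 and RFC 3849, inner address from RFC 6333) are the example's own; because the module root under mib-2 is not yet assigned, only the suffix below natv2PortMapEntry.<column> is produced.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

IPV4, IPV6 = 1, 2                                     # InetAddressType (RFC 4001)
ADDR_LEN = {IPV4: 4, IPV6: 16}
DS_LITE_INNER = ipaddress.ip_network("192.0.0.0/29")  # RFC 6333 section 5.7


@dataclass(frozen=True)
class PortMapIndex:
    """The six INDEX objects of natv2PortMapEntry, in INDEX order."""
    instance: int            # natv2PortMapInstanceIndex
    protocol: int            # natv2PortMapProtocol, 0..255
    external_realm: str      # natv2PortMapExternalRealm, SIZE(0..32)
    external_addr_type: int  # natv2PortMapExternalAddressType
    external_addr: bytes     # natv2PortMapExternalAddress, SIZE(0..16)
    external_port: int       # natv2PortMapExternalPort


def encode_index(idx: PortMapIndex) -> tuple[int, ...]:
    """Instance suffix sub-identifiers per RFC 2578 section 7.7.

    Integer-valued index objects give one sub-identifier each.  The realm and
    the address are variable-length and not IMPLIED, so each is preceded by a
    length sub-identifier and then contributes one sub-identifier per octet.
    """
    realm = idx.external_realm.encode("utf-8")
    if not 0 <= idx.protocol <= 255:
        raise ValueError("ProtocolNumber is 0..255")
    if len(realm) > 32:
        raise ValueError("natv2PortMapExternalRealm is SIZE(0..32)")
    if len(idx.external_addr) != ADDR_LEN.get(idx.external_addr_type):
        raise ValueError("address length does not match InetAddressType")
    if not 0 <= idx.external_port <= 65535:
        raise ValueError("InetPortNumber is 0..65535")
    return (idx.instance, idx.protocol, len(realm), *realm,
            idx.external_addr_type, len(idx.external_addr), *idx.external_addr,
            idx.external_port)


def _take(it, n: int) -> bytes:
    """Next n sub-identifiers as octets; StopIteration propagates if short."""
    out = []
    for _ in range(n):
        out.append(next(it))
    return bytes(out)


def decode_index(subids) -> PortMapIndex:
    """Inverse of encode_index; rejects truncated or over-long suffixes."""
    it = iter(subids)
    try:
        instance, protocol = next(it), next(it)
        realm = _take(it, next(it)).decode("utf-8")
        atype = next(it)
        addr = _take(it, next(it))
        port = next(it)
    except StopIteration:
        raise ValueError("truncated instance suffix") from None
    if list(it):
        raise ValueError("trailing sub-identifiers")
    idx = PortMapIndex(instance, protocol, realm, atype, addr, port)
    encode_index(idx)  # re-run the range and length checks on decoded values
    return idx


@dataclass(frozen=True)
class PortMapEntry:
    """Index plus the internal-side columns used by check_entry."""
    index: PortMapIndex
    internal_addr_type: int         # natv2PortMapInternalAddressType
    internal_addr: bytes            # natv2PortMapInternalAddress
    internal_mapped_addr_type: int  # natv2PortMapInternalMappedAddressType
    internal_mapped_addr: bytes     # natv2PortMapInternalMappedAddress
    internal_port: int              # natv2PortMapInternalPort


def check_entry(e: PortMapEntry) -> list[str]:
    """Findings against the DESCRIPTION clauses; an empty list means consistent."""
    findings = []
    # natv2PortMapExternalPort MUST be zero exactly when natv2PortMapInternalPort is
    if (e.index.external_port == 0) != (e.internal_port == 0):
        findings.append("external port must be zero iff internal port is zero")
    ds_lite = e.internal_addr_type == IPV6 and e.internal_mapped_addr_type == IPV4
    if ds_lite:
        # Inner IPv4 source is "normally" from 192.0.0.0/29: report, do not reject
        if (len(e.internal_mapped_addr) != 4
                or ipaddress.IPv4Address(e.internal_mapped_addr) not in DS_LITE_INNER):
            findings.append("DS-Lite inner source outside 192.0.0.0/29")
    elif (e.internal_addr_type, e.internal_addr) != (
            e.internal_mapped_addr_type, e.internal_mapped_addr):
        # General case: the table DESCRIPTION says both objects carry the same value
        findings.append("non-DS-Lite entry: internal and mapped address differ")
    return findings


# Constructed sample: a UDP mapping on NAT instance 1 for a DS-Lite subscriber,
# with documentation addresses (RFC 5737, RFC 3849) and the RFC 6333 inner address.
SAMPLE_INDEX = PortMapIndex(1, 17, "internet", IPV4,
                            ipaddress.IPv4Address("203.0.113.5").packed, 40000)
SAMPLE_ENTRY = PortMapEntry(SAMPLE_INDEX,
                            IPV6, ipaddress.IPv6Address("2001:db8::1").packed,
                            IPV4, ipaddress.IPv4Address("192.0.0.2").packed, 5060)

if __name__ == "__main__":
    suffix = encode_index(SAMPLE_INDEX)
    # Full OID is natv2PortMapEntry.<column>.<suffix>; the module root under
    # mib-2 is still to be assigned by IANA, so only the suffix is printed.
    print("column 9 (natv2PortMapInternalAddress) suffix:", ".".join(map(str, suffix)))
    print("round trip ok:", decode_index(suffix) == SAMPLE_INDEX)
    print("findings:", check_entry(SAMPLE_ENTRY))
```

A manager that walks the table receives instance identifiers in exactly this shape, and a hand-built GET for one mapping has to reproduce the two length sub-identifiers; getting either wrong yields a noSuchInstance rather than the entry. The check_entry findings are the kind of consistency test worth running over a full table walk when comparing an agent against the DESCRIPTION clauses.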
3504 5. Operational and Management Considerations
3506 This section covers two particular areas of operations and
3507 management: configuration requirements, and transition from or
3508 coexistence with the [RFC4008] MIB module.
3510 5.1. Configuration Requirements
3512 This MIB module assumes that the following information is configured
3513 on the NAT device by means outside the scope of the present document
3514 or is imposed by the implementation:
3516 o the set of address realms to which the device connects;
3518 o for the CGN application, per-subscriber information including
3519 subscriber index, address realm, assigned prefix or address, and
3520 (possibly) policies regarding address pool selection in the
3521 various possible address realms to which the subscriber may
3522 connect. In the particular case of DS-Lite [RFC6333] access, as
3523 well as the assigned outer layer (IPv6) prefix or address, the
3524 subscriber information will include an inner (IPv4) source
3525 address, usually 192.0.0.2.
3527 o the set of NAT instances running on the device, identified by NAT
3528 instance index and name;
3530 o the port mapping, filtering, pooling, and fragment behavior for
3531 each NAT instance;
3533 o the set of protocols supported by each NAT instance;
3534 o for the pooled NAT and CGN applications, address pool information
3535 for each NAT instance, including for each pool the pool index,
3536 address realm, address type, minimum and maximum port number, the
3537 address ranges assigned to that pool, and policies for access to
3538 that pool's resources;
3540 o static address and port map entries.
3542 As described in previous sections, this MIB module does provide read-
3543 write objects for control of notifications (see especially
3544 Section 3.1.2) and limiting of resource consumption (Section 3.1.1).
3545 This document is written in advance of any practical experience with
3546 the setting of these values, and can thus provide only general
3547 principles for how to set them.
3549 By default, the MIB module definition disables notifications until
3550 they are explicitly enabled by the operator, using the associated
3551 threshold value to do so. To make use of the notifications, the
3552 operator may wish to take the following considerations into account.
3554 Except for the low address pool utilization notification, the
3555 notifications imply that some sort of administrative action is
3556 required to mitigate an impending shortage of a particular resource.
3557 The choice of value for the triggering threshold needs to take two
3558 factors into account: the volatility of usage of the given resource,
3559 and the amount of time the operator needs to mitigate the potential
3560 overload situation. That time could vary from almost immediate to
3561 several weeks required to order and install new hardware or software.
3563 To give a numeric example, if average utilization is going up 1% per
3564 week but can vary 10% around that average in any given hour, and it
3565 takes two weeks to carry through mitigating measures, the threshold
3566 should be set to 88% of the corresponding limit (two weeks' growth
3567 plus 10% volatility margin). If mitigating measures can be carried
3568 out immediately, this can rise to 90%. For this particular example
3569 that change is insignificant, but in other cases the difference may
3570 be large enough to matter in terms of reduced load on the management
3571 plane.
3573 The notification rate limit settings really depend on the operator's
3574 processes, but are a tradeoff between reliably reporting the notified
3575 condition and not having it overload the management plane.
3576 Reliability rises in importance with the importance of the resource
3577 involved. Thus the default notification intervals defined in this
3578 MIB module range from 10 seconds (high reliability) for the address
3579 and port map entry thresholds up to 60 seconds (lower reliability)
3580 for the per-subscriber port entry thresholds. Experience may suggest
3581 better values.
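The threshold arithmetic and the interval-based rate limiting described above, as an added example (not from the draft or from any NAT implementation): threshold_percent reproduces the 88% and 90% figures from the growth, volatility and lead-time inputs, and HighWaterNotifier models an "...EntriesHigh" notification that repeats while the count stays at or above the threshold but no more often than the notification interval. The names, the polled sample series and the use of None for the "notifications not enabled" state are the example's own assumptions; the sentinel value the threshold objects actually use for the disabled state is not shown in this section.

```python
from __future__ import annotations
from dataclasses import dataclass


def threshold_percent(growth_per_week: float, volatility: float,
                      lead_time_weeks: float) -> float:
    """Threshold as a percentage of the limit.

    Headroom under the limit has to absorb the growth expected during the
    mitigation lead time plus the short-term volatility margin.
    """
    headroom = growth_per_week * lead_time_weeks + volatility
    if headroom >= 100:
        raise ValueError("lead time too long for this growth rate: no usable threshold")
    return 100.0 - headroom


def threshold_entries(limit: int, percent: float) -> int:
    """Absolute value to configure, e.g. natv2InstanceThresholdPortMapEntriesHigh
    derived from natv2InstanceLimitPortMapEntries."""
    return int(limit * percent / 100)


@dataclass
class HighWaterNotifier:
    """Model of an '...EntriesHigh' notification with its interval rate limit.

    threshold=None stands for the 'not enabled' default; the sentinel the MIB
    objects actually use is not shown in this section, so that is an assumption.
    The notification repeats while the count stays at or above the threshold,
    but never more often than interval_s (the notification interval object).
    """
    threshold: int | None
    interval_s: int
    last_sent: float | None = None
    suppressed: int = 0

    def observe(self, t: float, entries: int) -> bool:
        """Feed one polled sample; True if a notification is emitted for it."""
        if self.threshold is None or entries < self.threshold:
            return False
        if self.last_sent is not None and t - self.last_sent < self.interval_s:
            self.suppressed += 1  # condition persists, interval not yet elapsed
            return False
        self.last_sent = t
        return True


def simulate(samples, threshold: int | None, interval_s: int):
    """Run the notifier over (time, entries) samples; return (sent, suppressed)."""
    n = HighWaterNotifier(threshold=threshold, interval_s=interval_s)
    sent = [(t, e) for t, e in samples if n.observe(t, e)]
    return sent, n.suppressed


# Constructed sample: port map entry count polled every 2 s, climbing through
# 88% of a 100000-entry limit.
LIMIT = 100_000
SAMPLES = [(t, 87_000 + 250 * t) for t in range(0, 31, 2)]

if __name__ == "__main__":
    pct = threshold_percent(growth_per_week=1, volatility=10, lead_time_weeks=2)
    thr = threshold_entries(LIMIT, pct)
    # 10 s is the instance-level default interval quoted above
    sent, suppressed = simulate(SAMPLES, thr, interval_s=10)
    print(f"threshold {pct:.0f}% of {LIMIT} = {thr}; "
          f"sent {len(sent)} at t={[t for t, _ in sent]}, suppressed {suppressed}")
```

With the 88% threshold and a 10 s interval, the 16-sample series above yields three notifications and eleven suppressed repeats; with threshold=None nothing is sent, which is the default state the text describes. The same model shows why the interval matters for the attack noted in the Security Considerations: a threshold set to 1 fires on every sample, but the interval still caps the stream at one notification per 10 s.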
3583 The limits on number of instance-level address map and port map
3584 entries and held fragments relate directly to memory allocations for
3585 these tables. The relationship between number of map entries or
3586 number of held fragments and memory required will be implementation-
3587 specific. Hence it is up to the implementor to provide specific
3588 advice on the setting of these limits.
3590 The limit on simultaneous number of active subscribers is indirectly
3591 related to memory consumption for map entries, but also to processor
3592 usage by the NAT instance. The best strategy for setting this limit
3593 would seem to be to leave it disabled during an initial period while
3594 observing device processor utilization, then to implement a trial
3595 setting while observing the number of blocked packets affected by the
3596 new limit. The setting may vary by NAT instance if a suitable
3597 estimator of likely load (e.g., total number of hosts served by that
3598 instance) is available.
3600 5.2. Transition From and Coexistence With NAT-MIB [RFC4008]
3602 A manager may have to deal with a mixture of devices supporting the
3603 NAT-MIB module [RFC4008] and the NATV2-MIB module defined in the
3604 present document. It is even possible that both modules are
3605 supported on the same device. The following discussion brings out
3606 the limits of comparability between the two MIB modules. A first
3607 point to note is that NAT-MIB is primarily focussed on configuration,
3608 while NATV2-MIB is primarily focussed on measurements.
3610 To summarize the model used by [RFC4008]:
3612 o The basic unit of NAT configuration is the interface.
3614 o An interface connects to a single realm, either "private", or
3615 "public". In principle that means there could be multiple
3616 instances of one type of realm or the other, but the number is
3617 physically limited by the number of interfaces on the NAT device.
3619 o Before the NAT can operate on a given interface, an "address map"
3620 has to be configured on it. The [RFC4008] address map is
3621 equivalent to the pool tables in the present document. Since just
3622 one "address map" is configured per interface, this is the
3623 equivalent of a single address pool per interface.
3625 o The address binding and port binding tables are roughly equivalent
3626 to the address map and port map tables in the present document in
3627 their content, but can be either unidirectional or
3628 bidirectional. The [RFC4008] model shows the address binding and
3629 port binding as alternative precursors to session establishment,
3630 depending on whether the device does address translation only or
3631 address and port translation. In contrast, NATV2-MIB assumes a
3632 model where bidirectional port mappings are based on bidirectional
3633 address mappings that have conceptually been established
3634 beforehand.
3636 o The equivalent to an [RFC4008] session in NATV2-MIB would be a
3637 pair of port map entries. The added complexity in [RFC4008] is
3638 due to the modelling of NAT service types as defined in [RFC3489]
3639 (the symmetric NAT in particular) instead of the more granular set
3640 of behaviors described in [RFC4787].
3642 With regard to that last point, the mapping between [RFC3489] service
3643 types and [RFC4787] NAT behaviours is as follows:
3645 o A full cone NAT exhibits endpoint-independent port mapping
3646 behavior and endpoint-independent filtering behavior.
3648 o A restricted cone NAT exhibits endpoint-independent port mapping
3649 behavior, but address-dependent filtering behavior.
3651 o A port restricted cone NAT exhibits endpoint-independent port
3652 mapping behavior, but address-and-port-dependent filtering
3653 behavior.
3655 o A symmetric NAT exhibits address-and-port-dependent port mapping
3656 and filtering behaviors.
3658 Note that these NAT types are a subset of the types that could be
3659 configured according to the [RFC4787] behavioral classification used
3660 in NATV2-MIB, but they include the two possibilities (full and
3661 restricted cone NAT) that satisfy requirements REQ-1 and REQ-8 of
3662 [RFC4787]. Note further that other behaviors defined in [RFC4787]
3663 are not considered in [RFC4008].
3665 Having established a context for discussion, we are now in a position
3666 to compare the outputs provided to management from the [RFC4008] and
3667 NATV2-MIB modules. This comparison relates to the ability to compare
3668 results if testing with both MIBs implemented on the same device
3669 during a transition period.
3671 [RFC4008] provides three counters: incoming translations, outgoing
3672 translations, and discarded packets, at the granularities of
3673 interface, address map, and protocol, and incoming and outgoing
3674 translations at the levels of individual address bind, address port
3675 bind, and session entries. Implementation at the protocol and
3676 address map levels is optional. NATV2-MIB provides a single total
3677 (both directions) translations counter at the instance, protocol
3678 within instance, and subscriber levels. Given the differences in
3679 granularity, it appears that the only comparable measurement of
3680 translations between the two MIB modules would be through aggregation
3681 of the [RFC4008] interface counters to give a total number of
3682 translations for the NAT instance.
3684 NATV2-MIB has broken out the single discard counter into a number of
3685 different counters reflecting the cause of the discard in more
3686 detail, to help in trouble-shooting. Again, with the differing
3687 levels of granularity, the only comparable statistic would be through
3688 aggregation to a single value of total discards per NAT instance.
3690 Moving on to state variables, [RFC4008] offers counts of number of
3691 "address map" (i.e., address pool) entries used (excluding static
3692 entries) at the address map level, and number of entries in the
3693 address bind and address and port bind tables respectively. Finally,
3694 [RFC4008] provides a count of the number of sessions currently using
3695 each entry in the address and port bind table. None of these counts
3696 are directly comparable with the state values offered by NATV2-MIB,
3697 because of the exclusion of static entries at the address map level,
3698 and because of the differing models of the translation tables between
3699 [RFC4008] and NATV2-MIB.
3701 6. Security Considerations
3703 There are a number of management objects defined in this MIB module
3704 with a MAX-ACCESS clause of read-write and/or read-create. Such
3705 objects may be considered sensitive or vulnerable in some network
3706 environments. The support for SET operations in a non-secure
3707 environment without proper protection opens devices to attack. These
3708 are the tables and objects and their sensitivity/vulnerability:
3710 Limits: An attacker setting a very low or very high limit can easily
3711 cause a denial-of-service situation.
3713 * natv2InstanceLimitAddressMapEntries;
3715 * natv2InstanceLimitPortMapEntries;
3717 * natv2InstanceLimitPendingFragments;
3719 * natv2InstanceLimitSubscriberActives;
3721 * natv2SubscriberLimitPortMapEntries.
3723 Notification thresholds: An attacker setting an arbitrarily low
3724 threshold can cause many useless notifications to be generated
3725 (subject to the notification interval). Setting an arbitrarily
3726 high threshold can effectively disable notifications, which could
3727 be used to hide another attack.
3729 * natv2InstanceThresholdAddressMapEntriesHigh;
3731 * natv2InstanceThresholdPortMapEntriesHigh;
3733 * natv2PoolThresholdUsageLow;
3735 * natv2PoolThresholdUsageHigh;
3737 * natv2SubscriberThresholdPortMapEntriesHigh.
3739 Notification intervals: An attacker setting a low notification
3740 interval in combination with a low threshold value can cause many
3741 useless notifications to be generated.
3743 * natv2InstanceNotificationInterval;
3745 * natv2PoolNotificationInterval;
3747 * natv2SubscriberNotificationInterval.
3749 Some of the readable objects in this MIB module (i.e., objects with a
3750 MAX-ACCESS other than not-accessible) may be considered sensitive or
3751 vulnerable in some network environments. It is thus important to
3752 control even GET and/or NOTIFY access to these objects and possibly
3753 to even encrypt the values of these objects when sending them over
3754 the network via SNMP. These are the tables and objects and their
3755 sensitivity/vulnerability:
3757 Objects that reveal host identities: Various objects can reveal the
3758 identity of private hosts that are engaged in a session with
3759 external end nodes. A curious outsider could monitor these to
3760 assess the number of private hosts being supported by the NAT
3761 device. Further, a disgruntled former employee of an enterprise
3762 could use the information to break into specific private hosts by
3763 intercepting the existing sessions or originating new sessions
3764 into the host. If nothing else, unauthorized monitoring of these
3765 objects will violate individual subscribers' privacy.
3767 * entries in the natv2SubscriberTable;
3769 * entries in the natv2AddressMapTable;
3771 * entries in the natv2PortMapTable.
3773 Other objects that reveal NAT state: Other managed objects in this
3774 MIB may contain information that may be sensitive from a business
3775 perspective, in that they may represent NAT capabilities, business
3776 policies, and state information.
3778 * natv2SubscriberLimitPortMapEntries;
3780 * natv2InstancePortMappingBehavior;
3782 * natv2InstanceFilteringBehavior;
3784 * natv2InstancePoolingBehavior;
3786 * natv2InstanceFragmentBehavior;
3788 * natv2InstanceAddressMapEntries;
3790 * natv2InstancePortMapEntries.
3792 There are no objects that are sensitive in their own right, such as
3793 passwords or monetary amounts.
3795 SNMP versions prior to SNMPv3 did not include adequate security.
3796 Even if the network itself is secure (for example by using IPsec),
3797 there is no control as to who on the secure network is allowed to
3798 access and GET/SET (read/change/create/delete) the objects in this
3799 MIB module.
3801 Implementations SHOULD provide the security features described by the
3802 SNMPv3 framework (see [RFC3410]), and implementations claiming
3803 compliance to the SNMPv3 standard MUST include full support for
3804 authentication and privacy via the User-based Security Model (USM)
3805 [RFC3414] with the AES cipher algorithm [RFC3826]. Implementations
3806 MAY also provide support for the Transport Security Model (TSM)
3807 [RFC5591] in combination with a secure transport such as SSH
3808 [RFC5592] or TLS/DTLS [RFC6353].
3810 Further, deployment of SNMP versions prior to SNMPv3 is NOT
3811 RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
3812 enable cryptographic security. It is then a customer/operator
3813 responsibility to ensure that the SNMP entity giving access to an
3814 instance of this MIB module is properly configured to give access to
3815 the objects only to those principals (users) that have legitimate
3816 rights to indeed GET or SET (change/create/delete) them.
3818 7. IANA Considerations
3820 IANA is requested to assign an object identifier to the natv2MIB
3821 module, with prefix iso.org.dod.internet.mgmt.mib-2 in the Network
3822 Management Parameters registry [SMI-NUMBERS].
3824 8. References
3826 8.1. Normative References
3828 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
3829 Requirement Levels", BCP 14, RFC 2119, March 1997.
3831 [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J.
3832 Schoenwaelder, Ed., "Structure of Management Information
3833 Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.
3835 [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J.
3836 Schoenwaelder, Ed., "Textual Conventions for SMIv2", STD
3837 58, RFC 2579, April 1999.
3839 [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
3840 "Conformance Statements for SMIv2", STD 58, RFC 2580,
3841 April 1999.
3843 [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
3844 Architecture for Describing Simple Network Management
3845 Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
3846 December 2002.
3848 [RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model
3849 (USM) for version 3 of the Simple Network Management
3850 Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.
3852 [RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie, "The
3853 Advanced Encryption Standard (AES) Cipher Algorithm in the
3854 SNMP User-based Security Model", RFC 3826, June 2004.
3856 [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
3857 Schoenwaelder, "Textual Conventions for Internet Network
3858 Addresses", RFC 4001, February 2005.
3860 [RFC4787] Audet, F. and C. Jennings, "Network Address Translation
3861 (NAT) Behavioral Requirements for Unicast UDP", BCP 127,
3862 RFC 4787, January 2007.
3864 [RFC5591] Harrington, D. and W. Hardaker, "Transport Security Model
3865 for the Simple Network Management Protocol (SNMP)", STD
3866 78, RFC 5591, June 2009.
3868 [RFC5592] Harrington, D., Salowey, J., and W. Hardaker, "Secure
3869 Shell Transport Model for the Simple Network Management
3870 Protocol (SNMP)", RFC 5592, June 2009.
3872 [RFC6353] Hardaker, W., "Transport Layer Security (TLS) Transport
3873 Model for the Simple Network Management Protocol (SNMP)",
3874 STD 78, RFC 6353, July 2011.
3876 8.2. Informative References
3878 [I-D.perrault-behave-deprecate-nat-mib-v1]
3879 Perrault, S., Tsou, T., Sivakumar, S., and T. Taylor,
3880 "Deprecation of MIB Module NAT-MIB (Managed Objects for
3881 Network Address Translators (NAT)) (Work in Progress)",
3882 October 2014.
3884 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
3885 (IPv6) Specification", RFC 2460, December 1998.
3887 [RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address
3888 Translator (NAT) Terminology and Considerations", RFC
3889 2663, August 1999.
3891 [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
3892 "Introduction and Applicability Statements for Internet-
3893 Standard Management Framework", RFC 3410, December 2002.
3895 [RFC3489] Rosenberg, J., Weinberger, J., Huitema, C., and R. Mahy,
3896 "STUN - Simple Traversal of User Datagram Protocol (UDP)
3897 Through Network Address Translators (NATs)", RFC 3489,
3898 March 2003.
3900 [RFC4008] Rohit, R., Srisuresh, P., Raghunarayan, R., Pai, N., and
3901 C. Wang, "Definitions of Managed Objects for Network
3902 Address Translators (NAT)", RFC 4008, March 2005.
3904 [RFC6333] Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-
3905 Stack Lite Broadband Deployments Following IPv4
3906 Exhaustion", RFC 6333, August 2011.
3908 [SMI-NUMBERS]
3909 "Network Management Parameters registry at IANA",
3910 .
3912 Authors' Addresses
3914 Simon Perreault
3915 Jive Communications
3916 Quebec, QC
3917 Canada
3919 Email: sperreault@jive.com
3921 Tina Tsou
3922 Huawei Technologies
3923 Bantian, Longgang District
3924 Shenzhen 518129
3925 PR China
3927 Email: tina.tsou.zouting@huawei.com
3929 Senthil Sivakumar
3930 Cisco Systems
3931 7100-8 Kit Creek Road
3932 Research Triangle Park, North Carolina 27709
3933 USA
3935 Phone: +1 919 392 5158
3936 Email: ssenthil@cisco.com
3938 Tom Taylor
3939 PT Taylor Consulting
3940 Ottawa
3941 Canada
3943 Email: tom.taylor.stds@gmail.com