
Midcom working Group                                     P. Srisuresh
INTERNET-DRAFT                                         Caymas Systems
Category: Standards Track
Expires: April 27, 2004                                  October 2003

    SNMP managed objects for Middlebox Communications (MIDCOM)
              <draft-srisuresh-midcom-mib-01.txt>

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other
   documents at any time. It is inappropriate to use
   Internet-Drafts as reference material or to cite them other than
   as "work in progress."

   The list of current Internet-Drafts can be accessed at
        http://www.ietf.org/ietf/1id-abstracts.txt
   The list of Internet-Draft Shadow Directories can be accessed at
        http://www.ietf.org/shadow.html.

Copyright Notice

   Copyright (C) The Internet Society (2003). All Rights Reserved.

Abstract

   Middlebox communication (midcom) was conceived to move
   application level gateway (ALG) intelligence out of
   middleboxes into application-specific midcom agents. Midcom
   agents are assumed to use midcom to control middlebox
   resources so as to permit applications to traverse a
   middlebox. The scope of the middleboxes is limited to NAT and
   firewall devices. This document defines SNMP managed midcom
   objects to control middlebox resources and justifies adopting
   SNMPv3 as the midcom protocol.









Srisuresh                                                       [Page 1]


Internet-Draft                 Midcom MIB                   October 2003


Table of Contents

   1. Overview.......................................................2
   2. Terminology....................................................3
   2.1. "Midcom agent" or "agent"....................................3
   2.2. SNMP agent...................................................3
   2.3. NAT session..................................................3
   3. SNMP Management Framework......................................4
   4. MIDCOM Overview and SNMP Applicability.........................4
   5. SNMPv3 for use as MIDCOM protocol..............................5
      5.1 SNMP MIB data model on a middlebox.........................7
      5.2 Secure Communications......................................8
      5.3 Midcom functions...........................................8
      5.3.1 Agent registration for notification......................9
      5.3.2 Middlebox Configuration for midcom.......................9
      5.3.3 Midcom transactions and relevant tables..................9
      5.4 Midcom compatibility requirements on NAT and Firewall......9
   6. Midcom MIB....................................................10
   7. Security Considerations.......................................49
   8. Acknowledgements..............................................49
   9. References....................................................49
   Normative References.............................................49
   Informative References...........................................51
   Author's address.................................................51
   Full Copyright Statement.........................................52

1. Overview

   The principal objective of this document is to describe how SNMPv3
   may be adapted as the MIDCOM protocol. The MIDCOM MIB is defined to
   facilitate transactions between a midcom agent and a middlebox.

   The scope of the middleboxes considered in the document is
   limited to NAT and Firewall devices. This document refers to
   external documents for the NAT and firewall MIBs and states the
   compliance criteria those external MIBs must meet in order to be
   MIDCOM compliant.

   Section 3 provides an overview of the SNMP Management Framework.
   Section 4 provides further background on SNMP and its
   applicability to the MIDCOM Protocol Framework, Requirements
   and Semantics.

   Section 5 provides a high level overview of the SNMPv3 protocol,
   the MIB data model and their applicability together as a MIDCOM
   protocol.

   Section 6 describes the midcom MIB in detail.


2. Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in
   this document are to be interpreted as described in RFC 2119
   [RFC2119].

   The Midcom terms used throughout this document are mostly as per
   RFC 3303. The NAT terms used in the document are mostly as per
   RFC 2663. Definition for the term "Symmetric NAT" may be found
   in RFC 3489. Symmetric NAT is a variation of NAPT in that a port
   bind is not retained across multiple sessions from the same
   private source port. The following terms used extensively in the
   document are reiterated here for clarity.

2.1. "Midcom agent" or "agent"

   A Midcom agent, hereafter referred to simply as an agent, is an
   entity performing ALG functions, logically external to a
   middlebox. MIDCOM agents possess a combination of application
   awareness and knowledge of the middlebox function.

   A midcom agent may be located anywhere in the end-to-end path
   of an application, including on the middlebox itself. The
   exact interface through which a midcom agent engages in a
   midcom session with the middlebox is irrelevant to the
   enforcement of midcom.

2.2. SNMP agent

   An SNMP agent is an entity on the middlebox servicing SNMP
   requests from SNMP applications, including midcom agents.

2.3. NAT session

   A NAT session is an association between a session as seen in
   the private realm and a session as seen in the public realm,
   by virtue of NAT translation. If a session in the private
   realm were to be represented as (PrivateSrcAddr,
   PrivateDstAddr, TransportProtocol, PrivateSrcPort,
   PrivateDstPort) and the same session in the public realm were
   to be represented as (PublicSrcAddr, PublicDstAddr,
   TransportProtocol, PublicSrcPort, PublicDstPort), the NAT
   session will provide the translation glue between the two
   session representations.
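   The NAT session defined above, as an added example that is not part
   of this draft: a small port-translating NAT that keeps the
   private-realm and public-realm 5-tuples of this section glued
   together for both directions of traffic, and that can be switched
   between retaining a port bind across sessions (NAPT) and allocating
   a fresh public port per session (the symmetric NAT of Section 2,
   whose binds the MIB below reports with a bind id of zero). The
   addresses, ports and bind identifiers are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A session 5-tuple (SrcAddr, DstAddr, TransportProtocol, SrcPort, DstPort),
# in the order used by Section 2.3 of the draft.
Tuple5 = Tuple[str, str, str, int, int]


@dataclass
class NatSession:
    """The translation glue between the two views of one session."""
    private: Tuple5   # the session as seen in the private realm
    public: Tuple5    # the same session as seen in the public realm
    bind_id: int      # NAT bind backing the session; 0 for a symmetric NAT


class Napt:
    """Port-translating NAT (NAPT).

    symmetric=False: the port bind (private addr:port -> public addr:port)
    is retained and reused by every session from the same private source
    port, whatever the destination.
    symmetric=True: a fresh public port is allocated per session, so no
    reusable bind exists (the "symmetric NAT" of RFC 3489)."""

    def __init__(self, public_addr: str, symmetric: bool = False):
        self.public_addr = public_addr
        self.symmetric = symmetric
        self._next_port = 40000          # constructed port pool start
        self._next_bind = 1
        # port binds keyed by (private addr, proto, private port)
        self._binds: Dict[Tuple[str, str, int], Tuple[int, int]] = {}
        # the same NatSession indexed by both of its views
        self._by_private: Dict[Tuple5, NatSession] = {}
        self._by_public: Dict[Tuple5, NatSession] = {}

    def _alloc_port(self) -> int:
        port, self._next_port = self._next_port, self._next_port + 1
        return port

    def outbound(self, pkt: Tuple5) -> Tuple5:
        """Translate a private->public packet, creating the NAT session on
        first use and returning the packet as seen in the public realm."""
        sess = self._by_private.get(pkt)
        if sess is None:
            src, dst, proto, sport, dport = pkt
            if self.symmetric:
                pub_port, bind_id = self._alloc_port(), 0
            else:
                key = (src, proto, sport)
                if key not in self._binds:
                    self._binds[key] = (self._alloc_port(), self._next_bind)
                    self._next_bind += 1
                pub_port, bind_id = self._binds[key]
            public = (self.public_addr, dst, proto, pub_port, dport)
            sess = NatSession(pkt, public, bind_id)
            self._by_private[pkt] = sess
            self._by_public[public] = sess
        return sess.public

    def inbound(self, pkt: Tuple5) -> Optional[Tuple5]:
        """Translate a public->private packet; None when no NAT session
        matches (the packet is dropped rather than forwarded)."""
        src, dst, proto, sport, dport = pkt
        # an inbound packet is the reverse of the session's public view
        sess = self._by_public.get((dst, src, proto, dport, sport))
        if sess is None:
            return None
        ps, pd, pp, psp, pdp = sess.private
        return (pd, ps, pp, pdp, psp)

    def sessions(self) -> List[NatSession]:
        return list(self._by_private.values())
```

   Two sessions from the same private port to different hosts share one
   bind (and public port) on the NAPT, but get distinct public ports and
   no bind at all on the symmetric variant, which is why an agent cannot
   usefully request a port bind from a symmetric NAT ahead of time.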

3. SNMP Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard (SNMP) Management Framework, please refer to
   section 7 of RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI). This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

4. MIDCOM Overview and SNMP Applicability

   The MIDCOM architecture and framework [RFC3303] defines a model in
   which trusted third parties can be delegated to assist middleboxes
   in performing their operations, without requiring application
   intelligence to be embedded in the middleboxes. This trusted third
   party is referred to as the MIDCOM Agent. The MIDCOM protocol is
   defined between the MIDCOM agent and the middlebox.

   The SNMP management framework provides functions equivalent to those
   defined by the MIDCOM framework, although there are a few
   architectural differences.

   For SNMP, application intelligence is captured in MIB modules,
   rather than in the messaging protocol. MIB modules define a data
   model of the information that can be collected and configured for
   managed functionality. The SNMP messaging protocol transports the
   data in a standardized format without needing to understand the
   semantics of the data being transferred. The endpoints of the
   communication understand the semantics of the data.

   Traditionally, the SNMP endpoints have been called Manager and
   Agent. An SNMP manager is an entity capable of generating
   requests and receiving notifications, and an SNMP agent is an
   entity capable of responding to requests and generating
   notifications. As applied to the MIDCOM framework, the SNMP
   Manager corresponds to the MIDCOM agent and the SNMP Agent
   corresponds to the Middlebox.

   The MIDCOM protocol is divided into three phases, per section 4
   of [RFC3303]:
     . Session Setup
     . Run-time (involving real-time configuration of the middlebox)
     . Session Termination

   A MIDCOM session is defined to be a lasting association between
   a MIDCOM agent and a middlebox. The MIDCOM agent should initiate
   the session prior to the start of the application. Although the
   SNMP management framework does not have the concept of a
   session, session-like associations can be established through
   the use of managed objects. Requests from the MIDCOM agent to
   the Middlebox are performed using read/write access to managed
   objects defined in MIB modules. The middlebox (SNMP agent)
   responds to requests by sending an SNMP response message
   indicating the success or failure of the request. The MIDCOM
   agent (SNMP manager) MAY verify this information by reading or
   polling the corresponding managed objects.

   The MIDCOM Protocol semantics [MDCSEM] defines two basic
   transaction types: request transactions and notify
   transactions. SNMPv3 uses the architecture detailed in
   [RFC3411], where all SNMP entities are capable of performing
   certain functions, such as the generation of requests,
   response to requests, the generation of asynchronous
   notifications and the receipt of notifications. SNMP is used
   to read and manipulate a virtual database (the MIB) which is
   composed of objects representing commands, controls, status,
   and statistics, which are defined in
   managed-application-specific MIB modules.


5. SNMPv3 for use as MIDCOM protocol

   The following diagram (Figure 1) is the operational model
   assumed by the MIDCOM protocol. Requirements on the Midcom
   protocol are identified by the MIDCOM framework [RFC3303],
   requirements [RFC3304] and semantics [MDCSEM] documents.
   Specification of policies via the MIDCOM PDP is outside the
   scope of the MIDCOM protocol and is omitted from the discussion
   in the remainder of this document.

              +----------------------+
              |   Application        |
              |                      |
              | +---------------+    |
              | | MIDCOM agent  |    |
              | |               |    |
              | +---------------+    |        +------------+
              +------------^---------+        |            |
                           .                  | Policy     |
                           .                  |            |
                           .                  | +--------+ |
               Application . Asynchronous     | | MIDCOM | |
                  Requests . Notifications   /+-|  PDP   | |
                           .                / | +--------+ |
                           .               /  +------------+
                           .              /
                           .             /
                           .            /
                           .            |
                           v            v
           +-------------------------------------------+
           |   Middlebox   *            *              |
           |               * a.         * b.           |
           |               v            v              |
           |     +-------------------------------+     |
           |     |  Middlebox Communication      |     |
           |     |  Protocol (MIDCOM) Interface  |     |
           |     +-------------------------------+     |
           |                     *                     |
           |                     * c.                  |
           |                     v                     |
           |     +-------------------------------+     |
           |     |    Dynamic Device/Service     |     |
           |     |         Configuration         |     |
           |     +-------------------------------+     |
           |                                           |
           +-------------------------------------------+

         Legend: .... Middlebox Communication Protocol (MIDCOM)
                 //// MIDCOM PDP Interface (outside scope of this
                      document)
                 **** Managed objects relevant to the MIDCOM Interface
                      (the letters a., b. and c. mark the points at
                      which the MIB modules described below apply)

        Figure 1: operational model assumed by the MIDCOM protocol

5.1 SNMP MIB data model on a middlebox

   The following diagram (Figure 2) restates the Midcom
   operational model when SNMPv3 is adopted as the Midcom
   protocol. The SNMP based model below includes objects from
   the midcom MIB and from the middlebox function MIBs. These
   MIBs are described in detail in the remainder of this document.

              +----------------------+
              |   Application        |
              |                      |
              | +---------------+    |
              | | MIDCOM agent  |    |
              | |               |    |
              | +---------------+    |
              +------------^---------+
                           .
               Application . Asynchronous
                  Requests . Notifications
              (via SNMPv3) . (via SNMPv3)
                           .
                           v
           +-----------------------------------------------+
           |   Middlebox   .                               |
           |               v a.                            |
           |         +------------+   +-------------+      |
           |         |  SNMP-v3   |---| SNMP object |      |
           |         |  Agent     |   | Database    |      |
           |         +------------+   +-------------+      |
           |           |   |   |                           |
           |           |   |   +---------------+           |
           |           |   +---------+         |           |
           |           v             |         |           |
           |  +-----------------+    |         |           |
           |  | MIDCOM MIB      |    |         |           |
           |  | & MIB methods   |    |         |           |
           |  +-----------------+    |         |           |
           |         *    *          |         |           |
           |         *    ******************   |           |
           |         *               |     *   |           |
           |         *        +------+     *   |           |
           |         *        |            *   |           |
           |         v        v            v   v           |
           |  +------------------+   +------------------+  |
           |  | MIDCOM-compliant |   | MIDCOM-compliant |  |
           |  | Nat MIB &        |   | Firewall MIB  &  |  |
           |  | MIB methods      |   | MIB methods      |  |
           |  +------------------+   +------------------+  |
           +-----------------------------------------------+

         Legend: .... SNMP used as the MIDCOM protocol
                 ---- Interface between the SNMP agent and
                      the MIB modules.
                 **** The MIB methods of the Midcom MIB
                      accessing middlebox function specific
                      objects.

        Figure 2: SNMPv3 operating as the Midcom protocol

5.2 Secure Communications

   MIDCOM requirements include mutual authentication, message integrity
   checking, timeliness checking to prevent replay, message encryption,
   and authorization controls to ensure only certain agents can modify
   certain subsets of middlebox configurations. MIDCOM requires secure
   request-response capabilities and secure notifications.

   SNMPv3 is designed to provide secure communications between two
   end-points. The User-based Security Model (USM) [RFC3414] provides
   authentication, message integrity, timeliness (replay) checking and
   encryption; the View-based Access Control Model (VACM) [RFC3415]
   provides authorization, restricting each SNMPv3 securityName to the
   MIB views it may read, write or be notified about. To meet the
   MIDCOM requirements above, a midcom session should run at the
   authPriv security level, and the VACM views granted to a midcom
   agent should be limited to the midcom MIB objects that agent is
   entitled to change. SNMPv3 defines MIB modules to allow the
   monitoring and configuration of all these security features. They
   are defined in RFC3411-RFC3418, and RFC3410 provides an overview
   of these capabilities.
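   The authorization side of the above, as an added example that is
   not part of this draft: a model of the VACM access decision of RFC
   3415 (securityName to group, group and securityLevel to a view per
   operation, view to OID subtrees with family masks) applied to a
   midcom deployment. The agent and operator names, the "midcomRW"
   and "all" view names, the usmUser subtree check and the use of the
   draft's placeholder { mib-2 4444 } arc are assumptions made for the
   example; only the USM security model and the default context are
   modelled.

```python
from typing import Dict, List, Optional, Tuple

OID = Tuple[int, ...]
NO_AUTH_NO_PRIV, AUTH_NO_PRIV, AUTH_PRIV = 1, 2, 3   # SnmpSecurityLevel values

# placeholder arc from the draft ({ mib-2 4444 }, not yet IANA-assigned)
MIDCOM_MIB: OID = (1, 3, 6, 1, 2, 1, 4444)
MIDCOM_CONFIG: OID = MIDCOM_MIB + (1, 1)            # midcomConfig
MIDCOM_TRANSACTIONS: OID = MIDCOM_MIB + (1, 4)      # midcomTransactions
USM_USER: OID = (1, 3, 6, 1, 6, 3, 15, 1, 2)        # usmUser subtree, RFC 3414


def oid_in_family(oid: OID, subtree: OID, mask: bytes) -> bool:
    """vacmViewTreeFamily match (RFC 3415, 4.1.5): every sub-identifier
    of the subtree whose mask bit is 1 must match; bits beyond the end
    of the mask count as 1."""
    if len(oid) < len(subtree):
        return False
    for i, sub in enumerate(subtree):
        byte, bit = divmod(i, 8)
        must_match = byte >= len(mask) or (mask[byte] >> (7 - bit)) & 1
        if must_match and oid[i] != sub:
            return False
    return True


class Vacm:
    def __init__(self):
        # vacmSecurityToGroupTable: securityName -> groupName (USM only here)
        self.sec_to_group: Dict[str, str] = {}
        # vacmAccessTable: (group, securityLevel) -> (readView, writeView,
        # notifyView); None means no view, hence no access
        self.access: Dict[Tuple[str, int], Tuple[Optional[str], ...]] = {}
        # vacmViewTreeFamilyTable: viewName -> [(subtree, mask, included)]
        self.views: Dict[str, List[Tuple[OID, bytes, bool]]] = {}

    def add_view(self, name: str, subtree: OID, included: bool = True,
                 mask: bytes = b"") -> None:
        self.views.setdefault(name, []).append((subtree, mask, included))

    def in_view(self, view: str, oid: OID) -> bool:
        # the matching family with the longest subtree decides included/excluded
        best = None
        for subtree, mask, included in self.views.get(view, []):
            if oid_in_family(oid, subtree, mask) and (
                    best is None or len(subtree) > len(best[0])):
                best = (subtree, included)
        return best is not None and best[1]

    def is_access_allowed(self, sec_name: str, level: int, op: str,
                          oid: OID) -> bool:
        """op is one of "read", "write", "notify"."""
        group = self.sec_to_group.get(sec_name)
        if group is None:
            return False
        # pick the access entry with the highest securityLevel that does not
        # exceed the level the request actually arrived with
        entry = None
        for (g, lvl), views in self.access.items():
            if g == group and lvl <= level and (entry is None or lvl > entry[0]):
                entry = (lvl, views)
        if entry is None:
            return False
        view = entry[1][("read", "write", "notify").index(op)]
        return view is not None and self.in_view(view, oid)


def midcom_policy() -> Vacm:
    """Policy a middlebox operator might deploy (assumed names): midcom
    agents must use authPriv and may only write midcom MIB objects other
    than the per-interface midcomConfig table; the operator may write
    anything, including the USM user table."""
    v = Vacm()
    v.sec_to_group["sipAgent"] = "midcomAgents"
    v.sec_to_group["operator"] = "operators"
    v.add_view("midcomRW", MIDCOM_MIB)
    v.add_view("midcomRW", MIDCOM_CONFIG, included=False)   # config stays read-only
    v.add_view("midcomR", MIDCOM_MIB)
    v.add_view("all", (1,))
    v.access[("midcomAgents", AUTH_PRIV)] = ("midcomR", "midcomRW", "midcomR")
    v.access[("operators", AUTH_PRIV)] = ("all", "all", "all")
    return v
```

   Because no access entry exists for the midcom group below authPriv,
   a request from the same user that arrives authNoPriv or
   noAuthNoPriv is refused outright, and a write to midcomConfig is
   refused even though the enclosing midcom subtree is writable,
   since the longer, excluded family wins.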


5.3. Midcom functions

   The Midcom MIB does not assume a middlebox to have implemented
   MIBs (standard or vendor proprietary) for the NAT and firewall
   functions. Middlebox functions may be configured and managed
   independently of the midcom MIB. However, the midcom MIB will
   carry rule-change parameters and a pointer to the FW/NAT MIB
   objects (even if vendor proprietary). The FW and NAT MIBs
   actually contain the detailed objects. For instance, multiple
   agents might end up using the same NAT bind, yet each agent
   might define its own Lifetime parameter and directionality for
   the bind. As a result, the agent-specific bind identifier is
   set uniquely, independent of the NAT native bind, and the
   agent-specific bind holds a pointer to the NAT bind.

   The Midcom MIB below is designed to meet the midcom requirements
   (RFC 3304). A set of MIB objects, one per middlebox
   resource type, is defined to run midcom transactions. The
   resulting resources, along with rule-changing parameters and
   a pointer to the FW/NAT MIB objects, are maintained as MIB tables,
   one for each resource type. Also defined are group based
   transaction objects and group tables, as required by RFC
   3304.

5.3.1. Agent registration for notification

   midcomAgentTable is designed to include all the agents
   that engage in a midcom session with the middlebox.
   Each active row of the table corresponds to a midcom
   agent. The agent includes the notify parameters within
   this row to allow the middlebox to send asynchronous
   notifications back to the agent. Also included is an
   agent-unique Middlebox Identifier that the middlebox should
   use to identify itself in the notifications.

5.3.2. Middlebox Configuration for midcom

   Not every middlebox is required to enable midcom on
   all its interfaces. midcomConfig is designed to configure
   midcom on a per-interface basis on a middlebox.

5.3.3. Midcom transactions and relevant tables

   Midcom transactions may be divided into group
   transactions and resource transactions. A transaction is
   atomic and the results of a transaction are saved into
   relevant tables at the end of the transaction. Results of
   a transaction conducted by an agent may be reviewed
   anytime prior to executing another transaction of the
   same kind by the same agent.

   midcomTransGroupTable is defined to allow multiple agents
   to simultaneously add or delete Group identifiers and set
   group-wide parameters such as LifeTime and MaxIdletime.
   Results of the transaction are transferred into
   midcomGroupTable for later reference and further
   parameter modification by the agent.

   midcomTransBindTable, midcomTransNatSessionTable, and
   midcomTransFilterTable are defined to allow multiple agents
   to simultaneously request middlebox resources and set
   parameters such as LifeTime and MaxIdletime. Results of
   the transactions are transferred respectively into the
   relevant resource table, namely midcomBindTable,
   midcomNatSessionTable and midcomFilterTable, for later
   reference and further parameter modification by the agent.

5.4. Midcom compatibility requirements on NAT and Firewall

   Middlebox function resources (bind, NatSession and firewall
   filter) are now required to carry an additional LifeTime
   parameter.

   Given that there may be several agents referring to the same
   resource (e.g., a bind) and each agent may choose to control
   the lifetime, MaxIdleTime and bind orientation as appropriate
   for the agent, the middlebox function is now required to use
   a superset of the settings. Further, a new AgentCount
   will be required to track the number of agents referring to a
   certain resource.

   As for notification, middlebox functions might retain a
   pointer to the first active agent, and the active agents
   referring to the same resource might link between themselves.
   Doing this will ensure that Midcom is able to send
   notifications to all affected agents when required to do so
   by the middlebox function.
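   The superset and AgentCount rules above, as an added example that
   is not part of this draft: one NAT bind referred to by several
   midcom agents, each with its own LifeTime, MaxIdleTime and
   orientation. The bind runs on the maximum of the lifetimes and idle
   times and the union of the orientations, counts its referring
   agents, notifies every one of them on a middlebox-originated event,
   and is only released once the last agent's own lifetime has
   elapsed. The agent names, the bind id, the clock values and the
   "bindExpired" event name are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

INBOUND, OUTBOUND = "inbound", "outbound"


@dataclass
class AgentSettings:
    lifetime: int            # seconds the agent wants the bind kept
    max_idle: int            # seconds of inactivity the agent tolerates
    orientation: Set[str]    # directions the agent needs the bind to permit


@dataclass
class SharedBind:
    bind_id: int
    created: int             # monotonic seconds; a constructed clock
    refs: Dict[str, AgentSettings] = field(default_factory=dict)
    notifications: List[Tuple[str, str]] = field(default_factory=list)

    # Effective settings are a superset of every referring agent's settings.
    @property
    def agent_count(self) -> int:
        return len(self.refs)

    @property
    def lifetime(self) -> int:
        return max((s.lifetime for s in self.refs.values()), default=0)

    @property
    def max_idle(self) -> int:
        return max((s.max_idle for s in self.refs.values()), default=0)

    @property
    def orientation(self) -> Set[str]:
        return set().union(*(s.orientation for s in self.refs.values()))

    def add_agent(self, agent: str, settings: AgentSettings) -> None:
        """A further agent starts referring to the same NAT bind."""
        self.refs[agent] = settings

    def remove_agent(self, agent: str) -> bool:
        """Drop one agent's reference; True when no agent refers to the
        bind any more and the NAT function may release it."""
        self.refs.pop(agent, None)
        return self.agent_count == 0

    def notify_all(self, event: str) -> List[str]:
        """Fan a middlebox-originated event out to every referring agent;
        returns the agents notified."""
        for agent in self.refs:
            self.notifications.append((agent, event))
        return list(self.refs)

    def tick(self, now: int, last_activity: int) -> bool:
        """Advance the clock. Agents whose own LifeTime or MaxIdleTime has
        elapsed are dropped and notified, while the bind itself survives
        as long as any agent's settings still cover it. Returns True once
        the bind may be released."""
        for agent, s in list(self.refs.items()):
            if now - self.created >= s.lifetime or now - last_activity >= s.max_idle:
                self.notifications.append((agent, "bindExpired"))
                del self.refs[agent]
        return self.agent_count == 0
```

   The per-agent view and the effective view deliberately differ: an
   agent that asked for a 60 second lifetime is told its bind expired
   at 60 seconds, even though the NAT keeps the bind alive for the
   agent that asked for 300.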

   Agent precedence and inter-agent overlap on the use of
   resources could be particularly tricky in the case of
   firewall rules. For example, essentially the same filter
   can be configured by multiple agents with different
   priorities (assume that highest or lowest is all that a
   midcom transaction will specify). The last rule will take
   precedence, potentially overruling the previous agents'
   transactions. Further, when some of the filters are
   specific and some are more general, there can be undesired
   ordering of the filters. Agents are advised to install
   specific rules, so as not to overrule or be overridden by
   other agents' filter rules.
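   The filter overlap problem above, as an added example that is not
   part of this draft: a firewall function whose only priority choice
   is "highest" or "lowest" and whose first matching rule wins. A later
   general rule from one agent silently overrules an earlier specific
   rule from another, whereas two specific rules cannot collide unless
   they describe the same traffic; an overlap check of the kind an
   agent could run against the filter table before adding a rule is
   included. Agent names, addresses and ports are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = None   # wildcard value for a filter field


@dataclass(frozen=True)
class Filter:
    agent: str                      # midcom agent that installed the rule
    action: str                     # "permit" or "deny"
    proto: Optional[str] = ANY
    dst_addr: Optional[str] = ANY
    dst_port: Optional[int] = ANY

    def matches(self, proto: str, dst_addr: str, dst_port: int) -> bool:
        fields = ((self.proto, proto), (self.dst_addr, dst_addr),
                  (self.dst_port, dst_port))
        return all(want is ANY or want == got for want, got in fields)

    def is_specific(self) -> bool:
        """No wildcarded field: the rule can only overlap another specific
        rule if both describe exactly the same traffic."""
        return ANY not in (self.proto, self.dst_addr, self.dst_port)


class FirewallFunction:
    def __init__(self):
        self.rules: List[Filter] = []   # ordered; first match wins

    def add(self, f: Filter, priority: str) -> None:
        """priority is all a midcom transaction specifies: 'highest' puts
        the rule in front of every existing rule, 'lowest' behind them."""
        if priority == "highest":
            self.rules.insert(0, f)
        elif priority == "lowest":
            self.rules.append(f)
        else:
            raise ValueError(priority)

    def decide(self, proto: str, dst_addr: str, dst_port: int) -> Tuple[str, Optional[str]]:
        """Returns (action, agent owning the deciding rule); default deny."""
        for f in self.rules:
            if f.matches(proto, dst_addr, dst_port):
                return f.action, f.agent
        return "deny", None

    def overlaps(self, f: Filter) -> List[Filter]:
        """Other agents' rules that could overrule f or be overruled by it:
        two rules overlap when every field is equal or wildcarded."""
        def overlap(a: Filter, b: Filter) -> bool:
            pairs = ((a.proto, b.proto), (a.dst_addr, b.dst_addr),
                     (a.dst_port, b.dst_port))
            return all(x is ANY or y is ANY or x == y for x, y in pairs)
        return [r for r in self.rules if r.agent != f.agent and overlap(r, f)]
```

   The deciding agent is returned alongside the action so that the
   effect of a precedence change can be traced back to the transaction
   that caused it.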

6. Midcom MIB

   The Midcom MIB provides a means for midcom agents to control
   middlebox resources and for the middlebox to asynchronously notify
   the midcom agents of relevant state changes. Midcom agents learn of
   the functions present on the middlebox using this MIB.


MIDCOM-MIB DEFINITIONS ::= BEGIN

IMPORTS
     MODULE-IDENTITY,
     OBJECT-TYPE,
     NOTIFICATION-TYPE,
     Integer32,
     Unsigned32,
     Gauge32,
     Counter64,
     TimeTicks,
     mib-2
             FROM SNMPv2-SMI             -- RFC 2578

     TEXTUAL-CONVENTION,
     StorageType, RowStatus,
     TimeInterval
             FROM SNMPv2-TC              -- RFC 2579

     MODULE-COMPLIANCE,
     NOTIFICATION-GROUP,
     OBJECT-GROUP
             FROM SNMPv2-CONF            -- RFC 2580

     ifIndex,
     InterfaceIndex
             FROM IF-MIB                 -- RFC 2863

     SnmpAdminString
             FROM SNMP-FRAMEWORK-MIB     -- RFC 3411

     InetAddressType,
     InetAddress,
     InetPortNumber
             FROM INET-ADDRESS-MIB;      -- RFC

midcomMIB MODULE-IDENTITY
     LAST-UPDATED "200310200000Z"
     ORGANIZATION "IETF Midcom Working Group"
     CONTACT-INFO
          "WG charter:
             http://www.ietf.org/html.charters/midcom-charter.html

           Mailing Lists:
             General Discussion: midcom@ietf.org
             To Subscribe: midcom-request@ietf.org
             In Body: subscribe your_email_address

           Author:
             Pyda Srisuresh
             1179-A North McDowell Blvd.
             Petaluma, CA 94954
             Tel: (707) 283-5063
             Email: srisuresh@yahoo.com
          "
     DESCRIPTION
            "This MIB module defines the managed objects
             for midcom.
            "

     REVISION     "200310200000Z"  --  20th Oct. 2003

     DESCRIPTION
             "Initial version of this MIB module."
     ::= { mib-2 4444 } -- RFC Ed.: replace 4444 with IANA-assigned
                        -- number & remove this note


midcomMIBObjects OBJECT IDENTIFIER ::= { midcomMIB 1 }

--
-- Four Groups
--
-- o midcomConfig       - Configuration of a middlebox for
--                        midcom access.
-- o midcomAgentInfo    - Active agent info, including the info
--                        necessary for asynchronous notification.
-- o midcomTables       - Results of agent initiated transactions
--                        are saved into relevant tables for later
--                        reference and parameter modification by
--                        the agents.
-- o midcomTransactions - Midcom agent initiated transactions.
--

midcomConfig        OBJECT IDENTIFIER ::=
                                    { midcomMIBObjects 1 }
midcomAgentInfo     OBJECT IDENTIFIER ::=
                                    { midcomMIBObjects 2 }
midcomTables        OBJECT IDENTIFIER ::=
                                    { midcomMIBObjects 3 }
midcomTransactions  OBJECT IDENTIFIER ::=
                                    { midcomMIBObjects 4 }

--
-- Textual conventions used
--

--
-- The following TC are copied as is from NAT-MIB.
-- In the future, these will be IMPORTS from NAT-MIB.
--
NATProtocolType ::= TEXTUAL-CONVENTION
       STATUS       current
       DESCRIPTION
               "A list of protocols that support
                the network address translation. Inclusion of
                values is not intended to imply that those
                protocols need to be supported. Any change
                in this TEXTUAL-CONVENTION should also be
                reflected in the definition of NATProtocolMap
                which is a BITS representation of this "
       SYNTAX   INTEGER {
                     none (1),  -- not specified
                     other (2), -- none of the following
                     icmp (3),
                     udp (4),
                     tcp (5)
                }

NatBindIdOrZero ::= TEXTUAL-CONVENTION
       STATUS current
       DESCRIPTION
               "A unique id that is assigned to each bind by
                a NAT enabled device. The bind id will be zero
                in case of a symmetric NAT."
       SYNTAX   Unsigned32 (0..4294967295)


NatBindId ::= TEXTUAL-CONVENTION
       STATUS current
       DESCRIPTION
               "A unique id that is assigned to each bind by
                a NAT enabled device."
       SYNTAX   Unsigned32 (1..4294967295)


NatSessionId ::= TEXTUAL-CONVENTION
       STATUS current
       DESCRIPTION
               "A unique id that is assigned to each session by
                a NAT enabled device."
       SYNTAX   Unsigned32 (1..4294967295)


NatBindMode ::= TEXTUAL-CONVENTION
       STATUS current
       DESCRIPTION
               "An indication whether the bind is
                an address bind or an address-port bind."
       SYNTAX   INTEGER {
                     addressBind (1),
                     addressPortBind (2)
                }


NatBindType ::= TEXTUAL-CONVENTION
       STATUS current
       DESCRIPTION
               "An indication whether the bind is
                static or dynamic."
       SYNTAX   INTEGER {
                     static (1),
                     dynamic (2)
                }

NatTranslationEntity ::= TEXTUAL-CONVENTION
       STATUS       current
       DESCRIPTION
               "An indication for the direction of a session for
                which a) an address map entry, address bind or port
                bind is applicable, and b) the entity (source or
                destination) within the session that is subject to
                translation."
       SYNTAX   BITS {
                  inboundSrcEndPoint (1),
                  outboundDstEndPoint(2),
                  inboundDstEndPoint (3),
                  outboundSrcEndPoint(4)
                }

MidcomMBFunctionEnum ::= TEXTUAL-CONVENTION
       STATUS       current
       DESCRIPTION
               "An enumeration of Middlebox functions that are
                supported by the midcom protocol. Inclusion of
                values is not intended to imply that those
                functions need to be supported. Any change
                in this TEXTUAL-CONVENTION should also be
                reflected in the definition of
                midcomConfMBFunctionType object which is
                a BITS representation of this
                TEXTUAL-CONVENTION."
       SYNTAX   INTEGER {
                     none (1),  -- not specified
                     nat  (2),
                     firewall (3)
                  }

MidcomMBFunctionBITS ::= TEXTUAL-CONVENTION
       STATUS       current
       DESCRIPTION
               "A BITS representation of Middlebox functions
                for which MIDCOM is enabled on a middlebox.
                Any change in this TEXTUAL-CONVENTION should
                also be reflected in the definition of the
                MidcomMBFunctionEnum TEXTUAL-CONVENTION, which
                is an enumeration of the middlebox functions
                supported."
       SYNTAX  BITS {
                nat (0),
                firewall (1)
            }

MidcomMBResource ::= TEXTUAL-CONVENTION
       STATUS       current
       DESCRIPTION
               "An enumeration of Middlebox function specific
                resource types that are supported by the midcom
                protocol. Inclusion of values is not intended
                to imply that those functions need to be
                supported. "
       SYNTAX   INTEGER {
                     none (1),  -- not specified
                     natBind(2),
                     natSession(3),
                     firewallFilter(4)
                  }

MidcomAgentIndex ::= TEXTUAL-CONVENTION
       STATUS current
       DESCRIPTION
               "A unique id that is assigned to each midcom
                session by the middlebox."
       SYNTAX   Unsigned32 (1..4294967295)


MidcomBindMode ::= TEXTUAL-CONVENTION
       STATUS       current
       DESCRIPTION
               "An indication of whether a bind is address bind
                or port bind.
               "
       SYNTAX   INTEGER {
                     addressBind (1),
                     portBind    (2)
                  }

--
-- midcomConfig
--   The Configuration Group
--   The per-interface Midcom Configuration Table
--

midcomConfInterfaceTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF MidcomConfInterfaceEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "This table specifies the midcom configuration
             attributes per interface on a device supporting
             midcom access."
    ::= { midcomConfig 1 }


midcomConfInterfaceEntry OBJECT-TYPE
    SYNTAX      MidcomConfInterfaceEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "Each entry in the midcomConfInterfaceTable
             holds a set of Midcom configuration parameters
             pertaining to an interface."
    INDEX   { ifIndex }
    ::= { midcomConfInterfaceTable 1 }

MidcomConfInterfaceEntry ::= SEQUENCE {
    midcomConfMBFunctionType       MidcomMBFunctionBITS,
    midcomConfStorageType          StorageType,
    midcomConfRowStatus            RowStatus
}


midcomConfMBFunctionType OBJECT-TYPE
    SYNTAX      MidcomMBFunctionBITS
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "Middlebox functions for which Midcom processing is
             enabled."
    ::= { midcomConfInterfaceEntry 1 }

midcomConfStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The storage type for this conceptual row."
    REFERENCE
            "Textual Conventions for SMIv2, Section 2."
    DEFVAL { nonVolatile }
    ::= { midcomConfInterfaceEntry 2 }

midcomConfRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The status of this conceptual row.
             None of the objects in this row may be modified
             while the value of this object is active(1)."
    REFERENCE
            "Textual Conventions for SMIv2, Section 2."
    ::= { midcomConfInterfaceEntry 3 }

--
--
-- midcomAgentInfo
--   Agent specific tables managed by the midcom MIB.
--
--

midcomAgentIndexNext OBJECT-TYPE
       SYNTAX      MidcomAgentIndex
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "When retrieved, this object returns an unused index into
            Agent table for the USM user that issued the read-request.
            The returned value can be used for creating a new entry
            in the midcomAgentTable. The same return value also serves
            to create new entries in midcomTransGroup, midcomTransBind,
            midcomTransSession & midcomTransFilter tables. In all
            these tables, the first index would be set to the
            AgentIndex returned here and is set to read-only.

            A value returned when reading this object is not returned
            again on subsequent read-requests as long as possible.
            This ensures that the same USM user can engage in
            multiple independent midcom sessions with the middlebox.
            Each midcom agent might be responsible for a different
            application."
  ::=    { midcomAgentInfo 1 }

--
-- midcomAgentTable
--      Agent Registration with Middlebox with
--      all the requisite information for notification.
--

midcomAgentTable OBJECT-TYPE
     SYNTAX       SEQUENCE OF MidcomAgentEntry
     MAX-ACCESS   not-accessible
     STATUS       current
     DESCRIPTION  "Lists the active Midcom agents."
  ::=    { midcomAgentInfo 2 }

midcomAgentEntry OBJECT-TYPE
    SYNTAX      MidcomAgentEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "Each entry in the midcomAgentTable pertains to
             a midcom agent. Parameters associated with the
             midcom agent are stored in this table.

             Each entry contains objects describing where
             notifications are to be sent to the MIDCOM agent.
            "
    INDEX   { midcomAgentIndex }
    ::= { midcomAgentTable 1 }

MidcomAgentEntry ::= SEQUENCE {
     midcomAgentIndex       MidcomAgentIndex,
     midcomAgentName        SnmpAdminString,
     midcomAgentMBId        Unsigned32,
     midcomAgentAddrType    InetAddressType,
     midcomAgentAddress     InetAddress,
     midcomAgentPort        InetPortNumber,
     midcomAgentStatus      RowStatus
  }

midcomAgentIndex OBJECT-TYPE
   SYNTAX       MidcomAgentIndex
   MAX-ACCESS   read-only
   STATUS       current
   DESCRIPTION  "A middlebox-unique index or Identifier for each
                 midcom agent in the Table. This object allows the
                 same USM user to engage in multiple midcom
                 sessions, perhaps one for each application.
                 Each midcom agent will have a unique agentIndex.
                "
   ::= { midcomAgentEntry 1 }


midcomAgentName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE (1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The name of the SNMP manager that represents the midcom
            agent in this midcomAgentTable.
           "
       ::= { midcomAgentEntry 2 }

midcomAgentMBId OBJECT-TYPE
   SYNTAX       Unsigned32
   MAX-ACCESS   read-only
   STATUS       current
   DESCRIPTION  "This is an agent-unique Identifier issued by the
                 agent to the middlebox.

                 This identifier is to be used by the middlebox
                 during asynchronous notifications to the agent.
                "
   ::= { midcomAgentEntry 3 }

midcomAgentAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "This object specifies the address type used for
             midcomAgentAddress."
    ::= { midcomAgentEntry 4 }

midcomAgentAddress OBJECT-TYPE
    SYNTAX     InetAddress (SIZE (0..20))
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
            "This object represents the network layer
             address of the Midcom agent. This address, in
             conjunction with AddrType and the UDP port
             midcomAgentPort may be used by the middlebox
             functions for asynchronous notification to the
             agent.
            "
    ::= { midcomAgentEntry 5 }

midcomAgentPort OBJECT-TYPE
    SYNTAX     InetPortNumber
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
            "This object represents the UDP port of the
             Midcom agent. The combinations of (AddressType,
             Address, Port) are to be used by the middlebox
             functions for asynchronous notification to the
             agent.
            "
    ::= { midcomAgentEntry 6 }

midcomAgentStatus  OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The status of this conceptual row.
             Objects in this row may be modified
             while the value of this object is active(1)."
    REFERENCE
            "Textual Conventions for SMIv2, Section 2"
   ::= { midcomAgentEntry 7 }

--
-- midcomTables       - Results of agent initiated transactions
--                      are saved into relevant tables for later
--                      reference and parameter modification by
--                      the agents.
--

--
-- midcomGroupTable
--      group Ids per each agent.
--
midcomGroupTable OBJECT-TYPE
     SYNTAX       SEQUENCE OF MidcomGroupEntry
     MAX-ACCESS   not-accessible
     STATUS       current
     DESCRIPTION  "Lists the groups registered by each agent."
  ::=    { midcomTables 1 }

midcomGroupEntry OBJECT-TYPE
    SYNTAX      MidcomGroupEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "Each entry in the GroupTable holds a unique tuple
             of parameters associated with a group Identifier.
             Group identifiers are registered by an agent with
             midcom."

    INDEX   { midcomGroupAgentIndex,
              midcomGroupMBResource,
              midcomGroupId }
    ::= { midcomGroupTable 1 }

MidcomGroupEntry ::= SEQUENCE {
     midcomGroupAgentIndex  MidcomAgentIndex,
     midcomGroupMBResource  MidcomMBResource,
     midcomGroupId          Unsigned32,
     midcomGroupLifetime    TimeInterval,
     midcomGroupMaxIdletime TimeInterval,
     midcomGroupStatus      RowStatus
  }

midcomGroupAgentIndex OBJECT-TYPE
   SYNTAX       MidcomAgentIndex
   MAX-ACCESS   read-only
   STATUS       current
   DESCRIPTION  "Unique Identifier for an agent in the table"
   ::= { midcomGroupEntry 1 }

midcomGroupMBResource OBJECT-TYPE
   SYNTAX       MidcomMBResource
   MAX-ACCESS   read-only
   STATUS       current
   DESCRIPTION  "Middlebox resource type for which the GroupId
                 is registered by the agent.
                "
   ::= { midcomGroupEntry 2 }

midcomGroupId OBJECT-TYPE
   SYNTAX       Unsigned32
   MAX-ACCESS   read-only
   STATUS       current
   DESCRIPTION  "A unique Group Identifier registered by the
                 agent for the resource the agent owns.
                "
   ::= { midcomGroupEntry 3 }

midcomGroupLifetime OBJECT-TYPE
   SYNTAX       TimeInterval
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "Default Lifetime of the resources that are
                 assigned this group Id."
   ::= { midcomGroupEntry 4 }

midcomGroupMaxIdletime OBJECT-TYPE
   SYNTAX       TimeInterval
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "Default MaxIdletime of the resources that
                 are assigned this group Id."
   ::= { midcomGroupEntry 5 }

midcomGroupStatus  OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The status of this conceptual row.
             Objects in this row may be modified
             while the value of this object is active(1)."
    REFERENCE
            "Textual Conventions for SMIv2, Section 2"
   ::= { midcomGroupEntry 6 }


--
-- midcomBindTable
--      Bind Ids managed by each agent.
--
midcomBindTable OBJECT-TYPE
     SYNTAX       SEQUENCE OF MidcomBindEntry
     MAX-ACCESS   not-accessible
     STATUS       current
     DESCRIPTION  "Lists NAT binds owned by each agent."
  ::=    { midcomTables 2 }

midcomBindEntry OBJECT-TYPE
    SYNTAX      MidcomBindEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "Each entry in the BindTable holds a unique tuple
             of parameters associated with a Bind.
            "
    INDEX   { midcomBindAgentIndex,
              midcomBindGroupId,
              midcomBindId }
    ::= { midcomBindTable 1 }

MidcomBindEntry ::= SEQUENCE {
    midcomBindAgentIndex           MidcomAgentIndex,
    midcomBindGroupId              Unsigned32,
    midcomBindId                   NatBindId,
    midcomBindLifetime             TimeInterval,
    midcomBindMaxIdleTime          TimeInterval,
    midcomBindIfIndex              InterfaceIndex,
    midcomBindTranslationEntity    NatTranslationEntity,
    midcomBindMBId                 NatBindId,
    midcomBindMode                 MidcomBindMode,
    midcomBindStatus               RowStatus
}

midcomBindAgentIndex OBJECT-TYPE
   SYNTAX       MidcomAgentIndex
   MAX-ACCESS   read-only
   STATUS       current
   DESCRIPTION  "Unique Identifier for an agent in the table"
   ::= { midcomBindEntry 1 }

midcomBindGroupId OBJECT-TYPE
   SYNTAX       Unsigned32
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "Group Identifier assigned to this bind
                 resource.

                 A value of 0 implies that the bind does
                 not belong to a group membership.
                "
   ::= { midcomBindEntry 2 }

midcomBindId OBJECT-TYPE
   SYNTAX       NatBindId
   MAX-ACCESS   read-only
   STATUS       current
   DESCRIPTION  "Unique Bind Identifier assigned to this midcom
                 bind resource. This identifier is independent
                 of the bind identifier midcomBindMBId that is
                 managed by the NAT middlebox.
                "
   ::= { midcomBindEntry 3 }




Srisuresh                                                      [Page 23]


Internet-Draft                 Midcom MIB                   October 2003


midcomBindLifetime OBJECT-TYPE
   SYNTAX       TimeInterval
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "Lifetime of the bind resource.
                 When this is set to 0 and GroupId is
                 set to non-zero, the Lifetime of the
                 GroupId is used to determine the
                 lifetime of this resource.
                "
   ::= { midcomBindEntry 4 }

midcomBindMaxIdleTime OBJECT-TYPE
   SYNTAX       TimeInterval
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "MaxIdletime of the Bind resource.
                 When this is set to 0 and GroupId is
                 set to non-zero, the MaxIdletime of the
                 GroupId is used to determine the
                 Maxidletime of this resource.
                "
   ::= { midcomBindEntry 5 }

midcomBindIfIndex OBJECT-TYPE
   SYNTAX       InterfaceIndex
   MAX-ACCESS   read-only
   STATUS       current
   DESCRIPTION  "Interface Index for which the bind is defined.

                 This value may be set to 0 to mean any
                 IP interface on the middlebox. This value
                 may also be set to 0, when the middlebox has
                 just one interface on which midcom is
                 configured.
                "
   ::= { midcomBindEntry 6 }


midcomBindTranslationEntity OBJECT-TYPE
    SYNTAX     NatTranslationEntity
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
            "This object represents the direction of the session
             for which this BIND is applicable and entity within
             the first packet that is subject to translation.
            "
    ::= { midcomBindEntry 7 }

midcomBindMBId OBJECT-TYPE
   SYNTAX       NatBindId
   MAX-ACCESS   read-only
   STATUS       current
   DESCRIPTION  "Unique Bind Identifier managed by the NAT
                 middlebox function. This identifier is
                 independent of the bind identifier
                 midcomBindId that is used in conjunction
                 with midcom. Multiple midcomBindIds may be
                 associated with the same midcomBindMBId.
                "
   ::= { midcomBindEntry 8 }

midcomBindMode  OBJECT-TYPE
   SYNTAX       MidcomBindMode
   MAX-ACCESS   read-only
   STATUS       current
   DESCRIPTION  "Indicates whether the bind is an address bind
                 or port bind.
                "
   ::= { midcomBindEntry 9 }

midcomBindStatus  OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The status of this conceptual row.
             Objects in this row may be modified
             while the value of this object is active(1)."
    REFERENCE
            "Textual Conventions for SMIv2, Section 2"
   ::= { midcomBindEntry 10 }

--
-- midcomNatSessionTable
--     NAT Session Ids per each agent.
--

midcomNatSessionTable OBJECT-TYPE
     SYNTAX       SEQUENCE OF MidcomNatSessionEntry
     MAX-ACCESS   not-accessible
     STATUS       current
     DESCRIPTION  "Lists NAT sessions owned by each agent."
  ::=    { midcomTables 3 }

midcomNatSessionEntry OBJECT-TYPE
    SYNTAX      MidcomNatSessionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "Each entry in the NatSessionTable holds a
             unique tuple of parameters associated with
             a NAT session.
            "
    INDEX   { midcomNatSessionAgentIndex,
              midcomNatSessionGroupId,
              midcomNatSessionId }
    ::= { midcomNatSessionTable 1 }

MidcomNatSessionEntry ::= SEQUENCE {
    midcomNatSessionAgentIndex           MidcomAgentIndex,
    midcomNatSessionGroupId              Unsigned32,
    midcomNatSessionId                   NatSessionId,
    midcomNatSessionLifetime             TimeInterval,
    midcomNatSessionMaxIdleTime          TimeInterval,
    midcomNatSessionIfIndex              InterfaceIndex,
    midcomNatSessionStatus               RowStatus
}

midcomNatSessionAgentIndex OBJECT-TYPE
   SYNTAX       MidcomAgentIndex
   MAX-ACCESS   read-only
   STATUS       current
   DESCRIPTION  "Unique Identifier for an agent in the table"
   ::= { midcomNatSessionEntry 1 }

midcomNatSessionGroupId OBJECT-TYPE
   SYNTAX       Unsigned32
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "Group Identifier assigned to this
                 resource.

                 A value of 0 implies that the session does
                 not belong to a group membership.
                "
   ::= { midcomNatSessionEntry 2 }

midcomNatSessionId OBJECT-TYPE
   SYNTAX       NatSessionId
   MAX-ACCESS   read-only
   STATUS       current
   DESCRIPTION  "Unique session Identifier assigned to this midcom
                 resource. This identifier is same as the
                 session identifier that is managed by the NAT
                 middlebox.
                "
   ::= { midcomNatSessionEntry 3 }

midcomNatSessionLifetime OBJECT-TYPE
   SYNTAX       TimeInterval
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "Lifetime of the session.
                 When this is set to 0 and GroupId is
                 set to non-zero, the Lifetime of the
                 GroupId is used to determine the
                 lifetime of this resource.
                "
   ::= { midcomNatSessionEntry 4 }

midcomNatSessionMaxIdleTime OBJECT-TYPE
   SYNTAX       TimeInterval
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "MaxIdletime of the session.
                 When this is set to 0 and GroupId is
                 set to non-zero, the MaxIdletime of the
                 GroupId is used to determine the
                 Maxidletime of this resource.
                "
   ::= { midcomNatSessionEntry 5 }
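The Lifetime and MaxIdletime fallback described for midcomBindTable and midcomNatSessionTable rows, as an added Python example that is not part of this draft: it resolves the timers a middlebox should enforce from a resource row and the midcomGroupTable, looking the group up by the row's own agent index as the table's INDEX clause dictates. How a 0 timer with no group, or a group default that is itself 0, is treated is an assumption of this example (the draft does not say), and the sample group table is constructed.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# MidcomMBResource enumeration values from the MIB.
NAT_BIND = 2       # natBind(2)
NAT_SESSION = 3    # natSession(3)


@dataclass(frozen=True)
class GroupEntry:
    """One midcomGroupTable row; timers are TimeInterval (0.01 s units)."""
    lifetime: int        # midcomGroupLifetime
    max_idle_time: int   # midcomGroupMaxIdletime


# midcomGroupTable keyed by its INDEX clause:
# (midcomGroupAgentIndex, midcomGroupMBResource, midcomGroupId)
GroupTable = Dict[Tuple[int, int, int], GroupEntry]


@dataclass(frozen=True)
class ResourceRow:
    """Timer-relevant columns of a midcomBindTable or midcomNatSessionTable row."""
    agent_index: int     # midcomBindAgentIndex / midcomNatSessionAgentIndex
    resource: int        # NAT_BIND or NAT_SESSION: which group namespace applies
    group_id: int        # 0 = no group membership
    lifetime: int        # 0 = inherit the group default
    max_idle_time: int   # 0 = inherit the group default


class TimerResolutionError(ValueError):
    """No usable Lifetime/MaxIdletime could be determined for the row."""


def effective_timers(row: ResourceRow, groups: GroupTable) -> Tuple[int, int]:
    """Return the (lifetime, max_idle_time) pair the middlebox should enforce.

    MIB rule: a value of 0 on the resource together with a non-zero GroupId
    means "use the group's default".  The lookup key carries the row's own
    agent index, so a resource can only inherit from a group the same agent
    registered; one agent's groups never influence another agent's timers.
    """
    lifetime, idle = row.lifetime, row.max_idle_time
    if lifetime == 0 or idle == 0:
        if row.group_id == 0:
            # Assumption (not in the draft): a 0 timer without a group is a
            # configuration error, not an implicit "never expire".
            raise TimerResolutionError(
                "timer is 0 but the resource has no group membership")
        group = groups.get((row.agent_index, row.resource, row.group_id))
        if group is None:
            raise TimerResolutionError(
                f"group {row.group_id} not registered by agent "
                f"{row.agent_index} for resource type {row.resource}")
        lifetime = lifetime or group.lifetime
        idle = idle or group.max_idle_time
    if lifetime == 0 or idle == 0:
        # Assumption: a group default of 0 is rejected for the same reason.
        raise TimerResolutionError("group default timer is also 0")
    return lifetime, idle


def timeinterval_to_seconds(ti: int) -> float:
    """TimeInterval (SNMPv2-TC) counts hundredths of a second."""
    return ti / 100.0


# Constructed sample data (not from the draft): agent 7 registered NAT-bind
# group 1 (1 h lifetime, 5 min idle) and NAT-session group 1 (10 min
# lifetime, 1 min idle); agent 9 registered no groups at all.
SAMPLE_GROUPS: GroupTable = {
    (7, NAT_BIND, 1): GroupEntry(lifetime=360_000, max_idle_time=30_000),
    (7, NAT_SESSION, 1): GroupEntry(lifetime=60_000, max_idle_time=6_000),
}
```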

midcomNatSessionIfIndex OBJECT-TYPE
   SYNTAX       InterfaceIndex
   MAX-ACCESS   read-only
   STATUS       current
   DESCRIPTION  "Interface Index on which the session is defined.

                 This value may be set to 0 to mean any
                 IP interface on the middlebox. This value
                 may also be set to 0, when the middlebox has
                 just one interface on which midcom is
                 configured.
                "
   ::= { midcomNatSessionEntry 6 }

midcomNatSessionStatus  OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The status of this conceptual row.
             Objects in this row may be modified
             while the value of this object is active(1)."
    REFERENCE
            "Textual Conventions for SMIv2, Section 2"
   ::= { midcomNatSessionEntry 7 }

--
-- midcomTransactions
--   The transaction Group
--   Transactions issued by the midcom agents
--   to the midcom MIB module.
--

--
--
-- Textual conventions used
--
--

MidcomInvocationStatus ::= TEXTUAL-CONVENTION
   STATUS current
   DESCRIPTION
      "Allows invocation and status queries."
   SYNTAX INTEGER {
      neverInvoked(1),
      performOperation(2),
      inProgress(3),
      success(4),
      failure(5)
   }

MidcomGroupCommand ::= TEXTUAL-CONVENTION
   STATUS current
   DESCRIPTION
      "The choice of operations on groups.

       add command:
       Midcom agent uses the command to specify the
       group-identifiers and associated parameters it
       wishes to use during the Midcom session.
       In case of success, the GroupId is tracked by
       the midcom Module midcomGroupTable. No ill effect
       in case of failure.

       delete command:
       Midcom agent uses the command to remove a
       group-identifier from its list of valid group-ids.
       In case of success, the GroupId is deleted from
       the midcomGroupTable.
      "
   SYNTAX INTEGER {
      add(1),
      delete(2)
   }

MidcomBindCommand ::= TEXTUAL-CONVENTION
   STATUS current
   DESCRIPTION
      "The choice of operations on Nat Binds.

       reserveBindInboundSrc,
       reserveBindInboundDst,
       reserveBindOutboundSrc,
       reserveBindOutboundDst
       Reserve an address or port bind, given the interface
       and a src or dst endpoint in one of private address
       realm or public address realm.

       reserveBindInboundSrcOrOutboundDst,
       reserveBindInboundDstOrOutboundSrc
       Reserve an address or portBind, given the interface
       and a src or dst endpoint in one of private address
       realm or public address realm. Set the Bind to be
       bi-directional.

       reserveBind2InboundSrc,
       reserveBind2InboundDst,
       reserveBind2OutboundSrc,
       reserveBind2OutboundDst
       Reserve two port binds, given the interface index
       and a src or dst endpoint in one of private address
       realm or public address realm. The two ports assigned
       for the two port-binds are to be contiguous and assume
       oddity as specified in an oddity parameter. If the bind
       assigned turns out to be an address bind, one address
       bind suffices independent of the port oddity requirement.

       reserveBind2InboundSrcInboundDst,
       reserveBind2OutboundSrcOutboundDst
       Reserve two binds as in a twice NAT, given the interface
       index and the session tuple in private realm or public
       realm.
      "
   SYNTAX INTEGER {
    reserveBindInboundSrc (1),
    reserveBindInboundDst (2),
    reserveBindOutboundSrc(3),
    reserveBindOutboundDst(4),
    reserveBindInboundSrcOrOutboundDst(5),
    reserveBindInboundDstOrOutboundSrc(6),
    reserveBind2InboundSrc(7),
    reserveBind2InboundDst(8),
    reserveBind2OutboundSrc(9),
    reserveBind2OutboundDst(10),
    reserveBind2InboundSrcInboundDst(11),
    reserveBind2OutboundSrcOutboundDst(12)
   }

MidcomNatSessionCommand ::= TEXTUAL-CONVENTION
   STATUS current
   DESCRIPTION
      "The choice of commands on NAT sessions.

       createNatSession
          Create a NAT-session, given the parameters of a session
          as seen by NAT as the first packet in the ingress or
          egress direction specific to an interface. The associated
          Binds may or may not be pre-specified. When the command
          is successfully executed, a single NAT SessionId is
          created.

       create2NatSessions
          Create 2 NAT sessions, given the oddity requirement.
          When the command is successfully executed, two NAT
          session Ids are created.
      "
   SYNTAX INTEGER {
      createNatSession(1),
      create2NatSessions (2)
   }

MidcomTransInOutFlags ::= TEXTUAL-CONVENTION
       STATUS       current
       DESCRIPTION
               "A BITS representation used to specify the
                relevant parameters for input during a
                command request (or) during a command
                response.
               "
       SYNTAX  BITS {
                privateAddrType (0),
                privateSrcAddr  (1),
                privateSrcPort  (2),
                privateDstAddr  (3),
                privateDstPort  (4),
                globalAddrType  (5),
                globalSrcAddr   (6),
                globalSrcPort   (7),
                globalDstAddr   (8),
                globalDstPort   (9),
                groupId         (10),
                lifetime        (11),
                maxIdletime     (12),
                privateSrcBind  (13),
                privateDstBind  (14)
            }
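An added Python example, not from this draft, that encodes and decodes the MidcomMBFunctionBITS and MidcomTransInOutFlags conventions using the SMIv2 BITS octet-string rule (bit 0 is the high-order bit of the first octet, bit 8 the high-order bit of the second), rejecting on decode any set bit the convention does not define. The fixed output length (enough octets to cover every defined bit) is this example's own choice.

```python
from typing import Dict, Iterable, Set

# Bit positions of the two BITS textual conventions in the MIB.
MIDCOM_MB_FUNCTION_BITS: Dict[str, int] = {"nat": 0, "firewall": 1}

MIDCOM_TRANS_IN_OUT_FLAGS: Dict[str, int] = {
    "privateAddrType": 0, "privateSrcAddr": 1, "privateSrcPort": 2,
    "privateDstAddr": 3, "privateDstPort": 4, "globalAddrType": 5,
    "globalSrcAddr": 6, "globalSrcPort": 7, "globalDstAddr": 8,
    "globalDstPort": 9, "groupId": 10, "lifetime": 11,
    "maxIdletime": 12, "privateSrcBind": 13, "privateDstBind": 14,
}


def encode_bits(names: Iterable[str], table: Dict[str, int]) -> bytes:
    """Encode a set of named bits as an SMIv2 BITS OCTET STRING.

    RFC 2578 section 7.1.4: bit 0 is the most significant bit of the
    first octet, bit 7 its least significant bit, bit 8 the most
    significant bit of the second octet, and so on.  A naive
    integer encoding (1 << position) puts the bits in the wrong order.
    This encoder always emits enough octets to hold every bit the
    convention defines, so independent encoders agree on the length.
    """
    wanted = set(names)
    unknown = wanted - table.keys()
    if unknown:
        raise ValueError(f"bits not defined by this TC: {sorted(unknown)}")
    nbytes = max(table.values()) // 8 + 1
    buf = bytearray(nbytes)
    for name in wanted:
        pos = table[name]
        buf[pos // 8] |= 0x80 >> (pos % 8)
    return bytes(buf)


def decode_bits(octets: bytes, table: Dict[str, int]) -> Set[str]:
    """Decode an SMIv2 BITS value into the set of defined names.

    Strict: a set bit that the convention does not define is an error,
    so a manager cannot pass undefined flags (or flags belonging to a
    different convention) through to the middlebox.  Trailing
    zero-valued octets carry no set bits and are therefore accepted.
    """
    by_pos = {pos: name for name, pos in table.items()}
    result: Set[str] = set()
    for i, octet in enumerate(octets):
        for j in range(8):
            if octet & (0x80 >> j):
                pos = i * 8 + j
                if pos not in by_pos:
                    raise ValueError(f"undefined bit {pos} is set")
                result.add(by_pos[pos])
    return result
```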

MidcomSessionDirection ::= TEXTUAL-CONVENTION
   STATUS current
   DESCRIPTION
      "Describes the direction of a session specific to an
       interface.
      "
   SYNTAX INTEGER {
      inbound(1),
      outbound(2)
   }

midcomTransGroupTable OBJECT-TYPE
     SYNTAX       SEQUENCE OF MidcomTransGroupEntry
     MAX-ACCESS   not-accessible
     STATUS       current
     DESCRIPTION  "This lists Group based transactions,
                   one per each agent."
  ::=    { midcomTransactions  1 }

midcomTransGroupEntry OBJECT-TYPE
    SYNTAX      MidcomTransGroupEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "Each entry pertains to a midcom agent carrying
             out a group based transaction.
             Midcom module will respond with Success or
             Failure, with an error code.

             In the case of success, the tuples specified in the
             transaction are entered into midcomGroupTable for
             later reference and parameter modification by the
             agent.
            "
    INDEX   { midcomTransGroupAgentIndex }
    ::=    { midcomTransGroupTable 1 }

MidcomTransGroupEntry ::= SEQUENCE {
     midcomTransGroupAgentIndex   MidcomAgentIndex,
     midcomTransGroupMBResource   MidcomMBResource,
     midcomTransGroupGroupId      Unsigned32,
     midcomTransGroupLifetime     TimeInterval,
     midcomTransGroupMaxIdletime  TimeInterval,
     midcomTransGroupCommand      MidcomGroupCommand,
     midcomTransGroupStatus       MidcomInvocationStatus
}

midcomTransGroupAgentIndex OBJECT-TYPE
   SYNTAX       MidcomAgentIndex
   MAX-ACCESS   read-only
   STATUS       current
   DESCRIPTION  "A unique Identifier for an Agent in the Table.
                 This object is set when an agent reads the object
                 midcomAgentIndexNext.
                "
   ::= { midcomTransGroupEntry 1 }

midcomTransGroupMBResource OBJECT-TYPE
   SYNTAX       MidcomMBResource
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "Middlebox function specific resource type
                 for which the GroupId is applicable."
   ::= { midcomTransGroupEntry 2 }

midcomTransGroupGroupId OBJECT-TYPE
   SYNTAX       Unsigned32
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "Group Identifier for which the Group
                 operation is to be performed."
   ::= { midcomTransGroupEntry 3 }

midcomTransGroupLifetime OBJECT-TYPE
   SYNTAX       TimeInterval
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "Default Lifetime of the resources that are
                 assigned this group Id. This field is
                 required only during the add operation.
                 This field is ignored during the delete
                 operation.
                "
   ::= { midcomTransGroupEntry 4 }

midcomTransGroupMaxIdletime OBJECT-TYPE
   SYNTAX       TimeInterval
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "Default MaxIdletime of the resources that
                 are assigned this group Id. This field
                 is required to be filled only during the
                 add operation. This field is ignored during
                 the delete operation.
                "
   ::= { midcomTransGroupEntry 5 }

midcomTransGroupCommand  OBJECT-TYPE
   SYNTAX       MidcomGroupCommand
   MAX-ACCESS   read-write
   STATUS       current
   DESCRIPTION  "This specifies the group command to be
                 executed.
                "
   ::= { midcomTransGroupEntry 6 }

midcomTransGroupStatus   OBJECT-TYPE
   SYNTAX       MidcomInvocationStatus
   MAX-ACCESS   read-write
   STATUS       current
   DESCRIPTION  "Invocation status."
   ::= { midcomTransGroupEntry 7 }

midcomTransBindTable OBJECT-TYPE
     SYNTAX       SEQUENCE OF MidcomTransBindEntry
     MAX-ACCESS   not-accessible
     STATUS       current
     DESCRIPTION  "This lists Bind based transactions,
                   one per each agent."
  ::=    { midcomTransactions  2 }

midcomTransBindEntry OBJECT-TYPE
    SYNTAX      MidcomTransBindEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "Each entry pertains to a midcom agent carrying
             out a BIND based transaction.
             Midcom module will respond with Success or
             Failure, with an error code.

             In the case of success, there can be a maximum
             of two address or port binds returned.
             These binds are also entered into midcomBindTable
             for later use by the midcom agents.
            "
    INDEX   { midcomTransBindAgentIndex }
    ::=    { midcomTransBindTable 1 }

MidcomTransBindEntry ::= SEQUENCE {
     midcomTransBindAgentIndex         MidcomAgentIndex,
     midcomTransBindCommand            MidcomBindCommand,
     midcomTransBindOddity             INTEGER,
     midcomTransBindProtocol           NATProtocolType,
     midcomTransBindSessionDirection   MidcomSessionDirection,
     midcomTransBindIfIndex            InterfaceIndex,
     midcomTransBindInParms            MidcomTransInOutFlags,
     midcomTransBindOutParms           MidcomTransInOutFlags,
     midcomTransBindGroupId            Unsigned32,
     midcomTransBindLifetime           TimeInterval,
     midcomTransBindMaxIdletime        TimeInterval,

     midcomTransBindPrivateAddrType    InetAddressType,
     midcomTransBindPrivateSrcAddr     InetAddress,
     midcomTransBindPrivateSrcPort     InetPortNumber,
     midcomTransBindPrivateDstAddr     InetAddress,
     midcomTransBindPrivateDstPort     InetPortNumber,

     midcomTransBindGlobalAddrType     InetAddressType,
     midcomTransBindGlobalSrcAddr      InetAddress,
     midcomTransBindGlobalSrcPort      InetPortNumber,
     midcomTransBindGlobalDstAddr      InetAddress,
     midcomTransBindGlobalDstPort      InetPortNumber,

     midcomTransBindPrivateSrcBindId   NatBindIdOrZero,
     midcomTransBindPrivateSrcBindMode MidcomBindMode,
     midcomTransBindPrivateDstBindId   NatBindIdOrZero,
     midcomTransBindPrivateDstBindMode MidcomBindMode,
     midcomTransBindStatus             MidcomInvocationStatus
}

midcomTransBindAgentIndex OBJECT-TYPE
   SYNTAX       MidcomAgentIndex
   MAX-ACCESS   read-only
   STATUS       current
   DESCRIPTION  "A unique Identifier for an Agent in the Table.
                 This object is set when an agent reads the object
                 midcomAgentIndexNext.
                "
   ::= { midcomTransBindEntry 1 }

midcomTransBindCommand  OBJECT-TYPE
   SYNTAX       MidcomBindCommand
   MAX-ACCESS   read-write
   STATUS       current
   DESCRIPTION  "This specifies the bind command to be
                 executed.
                "
   ::= { midcomTransBindEntry 2 }

midcomTransBindOddity  OBJECT-TYPE
   SYNTAX   INTEGER {
                     oddityEnforce(1),  -- Enforce oddity
                     oddityNotRequired(2)  -- Oddity not required.
                }
   MAX-ACCESS   read-write
   STATUS       current
   DESCRIPTION  "This specifies whether or not
                 the bind should enforce oddity
                 to match that of the specified
                 end point or end points.
                "

   ::= { midcomTransBindEntry 3 }

midcomTransBindProtocol  OBJECT-TYPE
   SYNTAX       NATProtocolType
   MAX-ACCESS   read-write
   STATUS       current
   DESCRIPTION  "This specifies the protocol (TCP/UDP) of the
                 session that requires the bind reservation.
                "
   ::= { midcomTransBindEntry 4 }

midcomTransBindSessionDirection   OBJECT-TYPE
   SYNTAX       MidcomSessionDirection
   MAX-ACCESS   read-write
   STATUS       current
   DESCRIPTION  "This specifies the orientation of the
                 session that requires the bind reservation.
                "
   ::= { midcomTransBindEntry 5 }

midcomTransBindIfIndex OBJECT-TYPE
   SYNTAX       InterfaceIndex
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "Interface Index for which the bind is
                 being requested.

                 This value may be set to 0 to mean any
                 IP interface on the middlebox. This value
                 may also be set to 0, when the middlebox has
                 just one interface on which midcom is
                 configured.
                "
   ::= { midcomTransBindEntry 6 }

midcomTransBindInParms    OBJECT-TYPE
   SYNTAX       MidcomTransInOutFlags
   MAX-ACCESS   read-write
   STATUS       current
   DESCRIPTION  "Lists the fields within the row that are
                 filled by the requestor.

                 While the transaction allows for any or
                 all of the end-points to be specified,
                 typically, no more than one end-point
                 should be defined. For Twice-Nat alone,
                 two end-points must be specified.
                "
   ::= { midcomTransBindEntry 7 }

midcomTransBindOutParms    OBJECT-TYPE
   SYNTAX       MidcomTransInOutFlags
   MAX-ACCESS   read-write
   STATUS       current
   DESCRIPTION  "Lists the fields within the row that are
                 filled by the middlebox in response to the
                 bind request from agent.

                 While the transaction allows for any or
                 all of the end-points to be filled,
                 typically, no more than one end-point
                 should be filled. For Twice-Nat alone,
                 two end-points must be specified.

                 For oddity based port binds, the second
                 bind is used to specify the second port
                 bind.
                "
   ::= { midcomTransBindEntry 8 }

midcomTransBindGroupId OBJECT-TYPE
   SYNTAX       Unsigned32
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "Group Identifier assigned to this bind
                 resource.

                 A value of 0 implies that the bind is not
                 assigned a group membership.
                "
   ::= { midcomTransBindEntry 9 }

midcomTransBindLifetime OBJECT-TYPE
   SYNTAX       TimeInterval
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "Individual Lifetime of the bind resource.
                 When this is set to 0 and GroupId is
                 set to non-zero, the Lifetime of the
                 GroupId is used to determine the
                 lifetime of this resource.
                "
   ::= { midcomTransBindEntry 10 }

midcomTransBindMaxIdletime OBJECT-TYPE
   SYNTAX       TimeInterval
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "MaxIdletime of the Bind resource.
                 When this is set to 0 and GroupId is
                 set to non-zero, the MaxIdletime of the
                 GroupId is used to determine the
                 Maxidletime of this resource.
                "
   ::= { midcomTransBindEntry 11 }

midcomTransBindPrivateAddrType   OBJECT-TYPE
   SYNTAX       InetAddressType
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "IP address type in the private realm.
                "
   ::= { midcomTransBindEntry 12 }

midcomTransBindPrivateSrcAddr   OBJECT-TYPE
   SYNTAX       InetAddress
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "IP source address in the private realm.
                 This is relevant if the agent refers a
                 private realm address and the bind command
                 is to find a bind for private realm
                 source end point.
                "
   ::= { midcomTransBindEntry 13 }

midcomTransBindPrivateSrcPort   OBJECT-TYPE
   SYNTAX       InetPortNumber
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "IP source port in the private realm.
                 This is relevant if the agent refers a
                 private realm address and the bind command
                 is to find a bind for private realm
                 source end point.
                "
   ::= { midcomTransBindEntry 14 }

midcomTransBindPrivateDstAddr   OBJECT-TYPE
   SYNTAX       InetAddress
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "IP destination address in the private realm.
                 This is relevant if the agent refers a
                 private realm address and the bind command
                 is to find a bind for private realm
                 destination end point.
                "
   ::= { midcomTransBindEntry 15 }

midcomTransBindPrivateDstPort   OBJECT-TYPE
   SYNTAX       InetPortNumber
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "IP destination port in the private realm.
                 This is relevant if the agent refers a
                 private realm address and the bind command
                 is to find a bind for private realm
                 destination end point.
                "
   ::= { midcomTransBindEntry 16 }

midcomTransBindGlobalAddrType   OBJECT-TYPE
   SYNTAX       InetAddressType
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "IP address type in the global address realm.
                "
   ::= { midcomTransBindEntry 17 }

midcomTransBindGlobalSrcAddr   OBJECT-TYPE
   SYNTAX       InetAddress
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "IP source address in the global realm.
                 This is relevant if the agent refers a
                 global realm address and the bind command
                 is to find a bind for global realm
                 source end point.
                "
   ::= { midcomTransBindEntry 18 }

midcomTransBindGlobalSrcPort   OBJECT-TYPE
   SYNTAX       InetPortNumber
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "IP source port in the global realm.
                 This is relevant if the agent refers a
                 global realm address and the bind command
                 is to find a bind for global realm
                 source end point.
                "
   ::= { midcomTransBindEntry 19 }

midcomTransBindGlobalDstAddr   OBJECT-TYPE
   SYNTAX       InetAddress
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "IP destination address in the global realm.
                 This is relevant if the agent refers a
                 global realm address and the bind command
                 is to find a bind for global realm
                 destination end point.
                "
   ::= { midcomTransBindEntry 20 }

midcomTransBindGlobalDstPort   OBJECT-TYPE
   SYNTAX       InetPortNumber
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "IP destination port in the global realm.
                 This is relevant if the agent refers a
                 global realm address and the bind command
                 is to find a bind for global realm
                 destination end point.
                "
   ::= { midcomTransBindEntry 21 }

midcomTransBindPrivateSrcBindId   OBJECT-TYPE
   SYNTAX       NatBindIdOrZero
   MAX-ACCESS   read-only
   STATUS       current
   DESCRIPTION  "This is the first Bind that will be generated
                in majority of the cases.
                This will be set to 0 in the case of symmetric
                NAT.
                "
   ::= { midcomTransBindEntry 22 }

midcomTransBindPrivateSrcBindMode   OBJECT-TYPE
   SYNTAX       MidcomBindMode
   MAX-ACCESS   read-only
   STATUS       current
   DESCRIPTION  "This indicates whether PrivateSrcBind is
                 address bind or port bind.
                "
   ::= { midcomTransBindEntry 23 }

midcomTransBindPrivateDstBindId   OBJECT-TYPE
   SYNTAX       NatBindIdOrZero
   MAX-ACCESS   read-only
   STATUS       current
   DESCRIPTION  "This is the second Bind that will be generated
                in the case of twice-NAT or oddity based 2 bind
                request.

                This will be set to 0 in the case of symmetric
                NAT.
                "
   ::= { midcomTransBindEntry 24 }

midcomTransBindPrivateDstBindMode   OBJECT-TYPE
   SYNTAX       MidcomBindMode
   MAX-ACCESS   read-only
   STATUS       current
   DESCRIPTION  "This indicates whether PrivateDstBind is
                 address bind or port bind.
                "
   ::= { midcomTransBindEntry 25 }

midcomTransBindStatus   OBJECT-TYPE
   SYNTAX       MidcomInvocationStatus
   MAX-ACCESS   read-write
   STATUS       current
   DESCRIPTION  "Invocation status."
   ::= { midcomTransBindEntry 26 }

midcomTransNatSessionTable OBJECT-TYPE
     SYNTAX       SEQUENCE OF MidcomTransNatSessionEntry
     MAX-ACCESS   not-accessible
     STATUS       current
     DESCRIPTION  "This lists NatSession based transactions,
                   one per each agent."
  ::=    { midcomTransactions  3 }

midcomTransNatSessionEntry OBJECT-TYPE
    SYNTAX      MidcomTransNatSessionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "Each entry pertains to a midcom agent carrying
             out a Nat session based transaction.
             Midcom module will respond with Success or
             Failure, with an error code.

             In the case of success, there can be a maximum
             of two address or port binds returned.
             These binds are entered into midcomBindTable
             for later use by the midcom agents.

             Further, the NatSession entry is included within
             the midcomNatSession table.
            "
    INDEX   { midcomTransNatSessionAgentIndex }
    ::=    { midcomTransNatSessionTable 1 }


MidcomTransNatSessionEntry ::= SEQUENCE {
     midcomTransNatSessionAgentIndex        MidcomAgentIndex,
     midcomTransNatSessionCommand           MidcomNatSessionCommand,
     midcomTransNatSessionOddity            INTEGER,
     midcomTransNatSessionProtocol          NATProtocolType,
     midcomTransNatSessionSessionDirection  MidcomSessionDirection,
     midcomTransNatSessionIfIndex           InterfaceIndex,
     midcomTransNatSessionInParms           MidcomTransInOutFlags,
     midcomTransNatSessionOutParms          MidcomTransInOutFlags,
     midcomTransNatSessionGroupId           Unsigned32,
     midcomTransNatSessionLifetime          TimeInterval,
     midcomTransNatSessionMaxIdletime       TimeInterval,

     midcomTransNatSessionPrivateAddrType   InetAddressType,
     midcomTransNatSessionPrivateSrcAddr    InetAddress,
     midcomTransNatSessionPrivateSrcPort    InetPortNumber,
     midcomTransNatSessionPrivateDstAddr    InetAddress,
     midcomTransNatSessionPrivateDstPort    InetPortNumber,

     midcomTransNatSessionGlobalAddrType    InetAddressType,
     midcomTransNatSessionGlobalSrcAddr     InetAddress,
     midcomTransNatSessionGlobalSrcPort     InetPortNumber,
     midcomTransNatSessionGlobalDstAddr     InetAddress,
     midcomTransNatSessionGlobalDstPort     InetPortNumber,

     midcomTransNatSessionPrivateSrcBindId  NatBindIdOrZero,
     midcomTransNatSessionPrivateDstBindId  NatBindIdOrZero,
     midcomTransNatSessionSessionId         NatSessionId,
     midcomTransNatSessionSessionId2        NatSessionId,
     midcomTransNatSessionStatus            MidcomInvocationStatus
}

midcomTransNatSessionAgentIndex OBJECT-TYPE
   SYNTAX       MidcomAgentIndex
   MAX-ACCESS   read-only
   STATUS       current
   DESCRIPTION  "A unique Identifier for an Agent in the Table.
                 This object is set when an agent reads the object
                 midcomAgentIndexNext.
                "
   ::= { midcomTransNatSessionEntry 1 }

midcomTransNatSessionCommand  OBJECT-TYPE
   SYNTAX       MidcomNatSessionCommand
   MAX-ACCESS   read-write
   STATUS       current
   DESCRIPTION  "This specifies the NatSession command to be
                 executed.
                "
   ::= { midcomTransNatSessionEntry 2 }

midcomTransNatSessionOddity  OBJECT-TYPE
   SYNTAX   INTEGER {
                     oddityEnforce(1),  -- Enforce oddity
                     oddityNotRequired(2)  -- Oddity not required.
                }
   MAX-ACCESS   read-write
   STATUS       current
   DESCRIPTION  "This specifies whether or not the Nat-Session
                 should enforce oddity while assigning translation
                 port(s) to match that of the specified session.
                "

   ::= { midcomTransNatSessionEntry 3 }

midcomTransNatSessionProtocol  OBJECT-TYPE
   SYNTAX       NATProtocolType
   MAX-ACCESS   read-write
   STATUS       current
   DESCRIPTION  "This specifies the protocol (TCP/UDP) of the
                 session.
                "
   ::= { midcomTransNatSessionEntry 4 }

midcomTransNatSessionSessionDirection   OBJECT-TYPE
   SYNTAX       MidcomSessionDirection
   MAX-ACCESS   read-write
   STATUS       current
   DESCRIPTION  "This specifies the orientation of the
                 session with reference to the interface
                 index specified.
                "
   ::= { midcomTransNatSessionEntry 5 }

midcomTransNatSessionIfIndex OBJECT-TYPE
   SYNTAX       InterfaceIndex
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "Interface Index for which the NAT-Session is
                 being requested.

                 This value may be set to 0 to mean any
                 IP interface on the middlebox. This value
                 may also be set to 0, when the middlebox has
                 just one interface on which midcom is
                 configured.
                "
   ::= { midcomTransNatSessionEntry 6 }

midcomTransNatSessionInParms    OBJECT-TYPE
   SYNTAX       MidcomTransInOutFlags
   MAX-ACCESS   read-write
   STATUS       current
   DESCRIPTION  "Lists the fields within the row that are
                 filled by the requestor.

                 While the transaction allows for any or
                 all of the session parameters to be specified,
                 typically, session parameters are filled in
                 the private alone or in the public realm
                 alone.
                "
   ::= { midcomTransNatSessionEntry 7 }

midcomTransNatSessionOutParms    OBJECT-TYPE
   SYNTAX       MidcomTransInOutFlags
   MAX-ACCESS   read-write
   STATUS       current
   DESCRIPTION  "Lists the fields within the row that are
                 filled by the middlebox in response to the
                 session request from agent.

                 While the transaction allows for any or
                 all session parameters to be filled,
                 typically, session parameters are filled in
                 the private alone or in the public realm
                 alone.
                "
   ::= { midcomTransNatSessionEntry 8 }

midcomTransNatSessionGroupId OBJECT-TYPE
   SYNTAX       Unsigned32
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "Group Identifier assigned to this
                 resource.

                 A value of 0 implies that the session is not
                 assigned a group membership.
                "
   ::= { midcomTransNatSessionEntry 9 }

midcomTransNatSessionLifetime OBJECT-TYPE
   SYNTAX       TimeInterval
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "Individual Lifetime of the session resource.
                 When this is set to 0 and GroupId is
                 set to non-zero, the Lifetime of the
                 GroupId is used to determine the
                 lifetime of this resource.
                "
   ::= { midcomTransNatSessionEntry 10 }

midcomTransNatSessionMaxIdletime OBJECT-TYPE
   SYNTAX       TimeInterval
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "MaxIdletime of the session resource.
                 When this is set to 0 and GroupId is
                 set to non-zero, the MaxIdletime of the
                 GroupId is used to determine the
                 Maxidletime of this resource.
                "
   ::= { midcomTransNatSessionEntry 11 }

midcomTransNatSessionPrivateAddrType   OBJECT-TYPE
   SYNTAX       InetAddressType
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "IP address type in the private realm.
                "
   ::= { midcomTransNatSessionEntry 12 }

midcomTransNatSessionPrivateSrcAddr   OBJECT-TYPE
   SYNTAX       InetAddress
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "IP source address in the private realm.
                 This is relevant if the agent refers a
                 private realm session.

                 Wild-card IP address is allowed and may be
                 denoted as all zeros.
                "
   ::= { midcomTransNatSessionEntry 13 }

midcomTransNatSessionPrivateSrcPort   OBJECT-TYPE
   SYNTAX       InetPortNumber
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "IP source port in the private realm.
                 This is relevant if the agent refers a
                 private realm based session.

                 Wild-card port is allowed and may be
                 denoted as zero.
                "
   ::= { midcomTransNatSessionEntry 14 }

midcomTransNatSessionPrivateDstAddr   OBJECT-TYPE
   SYNTAX       InetAddress
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "IP destination address in the private realm.
                 This is relevant if the agent refers a
                 private realm based session.

                 Wild-card IP address is allowed and may be
                 denoted as all zeros.
                "
   ::= { midcomTransNatSessionEntry 15 }

midcomTransNatSessionPrivateDstPort   OBJECT-TYPE
   SYNTAX       InetPortNumber
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "IP destination port in the private realm.
                 This is relevant if the agent refers a
                 private realm based session.

                 Wild-card port is allowed and may be
                 denoted as zero.
                "
   ::= { midcomTransNatSessionEntry 16 }

midcomTransNatSessionGlobalAddrType   OBJECT-TYPE
   SYNTAX       InetAddressType
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "IP address type in the global address realm.
                "
   ::= { midcomTransNatSessionEntry 17 }

midcomTransNatSessionGlobalSrcAddr   OBJECT-TYPE
   SYNTAX       InetAddress
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "IP source address in the global realm.
                 This is relevant if the agent refers a
                 global realm based session.

                 Wild-card IP address is allowed and may be
                 denoted as all zeros.
                "
   ::= { midcomTransNatSessionEntry 18 }

midcomTransNatSessionGlobalSrcPort   OBJECT-TYPE
   SYNTAX       InetPortNumber
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "IP source port in the global realm.
                 This is relevant if the agent refers a
                 global realm based session.

                 Wild-card port is allowed and may be
                 denoted as zero.
                "
   ::= { midcomTransNatSessionEntry 19 }

midcomTransNatSessionGlobalDstAddr   OBJECT-TYPE
   SYNTAX       InetAddress
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "IP destination address in the global realm.
                 This is relevant if the agent refers a
                 global realm based session.

                 Wild-card IP address is allowed and may be
                 denoted as all zeros.
                "
   ::= { midcomTransNatSessionEntry 20 }

midcomTransNatSessionGlobalDstPort   OBJECT-TYPE
   SYNTAX       InetPortNumber
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "IP destination port in the global realm.
                 This is relevant if the agent refers a
                 global realm based session.

                 Wild-card port is allowed and may be
                 denoted as zero.
                "
   ::= { midcomTransNatSessionEntry 21 }

midcomTransNatSessionPrivateSrcBindId   OBJECT-TYPE
   SYNTAX       NatBindIdOrZero
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "This is the first Bind that may be supplied
                by the agent. This BindId is the unique bindId
                for the midcom agent and is independent of what
                the NAT middlebox might have.

                This may be set to 0 in the case requestor does
                not have a BIND pre-assigned.
                "
   ::= { midcomTransNatSessionEntry 22 }

midcomTransNatSessionPrivateDstBindId   OBJECT-TYPE
   SYNTAX       NatBindIdOrZero
   MAX-ACCESS   read-create
   STATUS       current
   DESCRIPTION  "This is the second Bind (as in twice-NAT) that
                 may be supplied by the midcom agent for a session.
                 In the case the command is to create two sessions,
                 the second Bind refers to the second session.

                 This BindId is the unique bindId
                 for the midcom agent and is independent of what
                 the NAT middlebox might have.

                 This may be set to 0 in the case requestor does
                 not have a BIND pre-assigned or the session needs
                 no more than one BIND.
                "
   ::= { midcomTransNatSessionEntry 23 }

midcomTransNatSessionSessionId OBJECT-TYPE
   SYNTAX       NatSessionId
   MAX-ACCESS   read-only
   STATUS       current
   DESCRIPTION  "Unique session Identifier returned upon successful
                 execution of the session command.
                "
   ::= { midcomTransNatSessionEntry 24 }

midcomTransNatSessionSessionId2 OBJECT-TYPE
   SYNTAX       NatSessionId
   MAX-ACCESS   read-only
   STATUS       current
   DESCRIPTION  "Second session Identifier assigned upon successful
                 execution of the session command.

                 This is set when the command is to create two
                 sessions using the oddity basis, for two consecutive
                 ports.
                "
   ::= { midcomTransNatSessionEntry 25 }

midcomTransNatSessionStatus   OBJECT-TYPE
   SYNTAX       MidcomInvocationStatus
   MAX-ACCESS   read-write
   STATUS       current
   DESCRIPTION  "Invocation status."
   ::= { midcomTransNatSessionEntry 26 }

END
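The bind transaction that midcomTransBindTable above describes, modelled as an added Python example (not code from the draft or from any midcom implementation): it applies the ifIndex, group-lifetime and oddity rules from the DESCRIPTION clauses and returns up to two binds. The Middlebox class, its port pool, the status strings and the consecutive_pair flag are constructed assumptions, not objects defined by the MIB.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

ODDITY_ENFORCE = 1          # midcomTransBindOddity: oddityEnforce(1)
ODDITY_NOT_REQUIRED = 2     # midcomTransBindOddity: oddityNotRequired(2)
ANY_INTERFACE = 0           # midcomTransBindIfIndex 0 = any IP interface

Endpoint = Tuple[str, int]  # (address, port) of one end point in one realm


@dataclass
class BindRequest:
    """Writable columns of a midcomTransBindTable row, filled in by the agent."""
    agent_index: int                        # midcomTransBindAgentIndex
    if_index: int                           # midcomTransBindIfIndex
    oddity: int = ODDITY_NOT_REQUIRED       # midcomTransBindOddity
    group_id: int = 0                       # midcomTransBindGroupId, 0 = no group
    lifetime: int = 0                       # midcomTransBindLifetime, 0 = take group's
    max_idle: int = 0                       # midcomTransBindMaxIdletime, 0 = take group's
    private_src: Optional[Endpoint] = None  # midcomTransBindPrivateSrcAddr/Port
    private_dst: Optional[Endpoint] = None  # midcomTransBindPrivateDstAddr/Port (twice-NAT)
    consecutive_pair: bool = False          # assumed flag for the "oddity based 2 bind request"


@dataclass
class BindResult:
    """Read-only columns the middlebox fills in when it reports the status."""
    status: str            # constructed stand-in for MidcomInvocationStatus
    src_bind_id: int = 0   # midcomTransBindPrivateSrcBindId (0 = none)
    dst_bind_id: int = 0   # midcomTransBindPrivateDstBindId (0 = none)
    lifetime: int = 0      # lifetime actually applied to the bind(s)
    max_idle: int = 0      # MaxIdletime actually applied to the bind(s)


class Middlebox:
    """Constructed middlebox model: a global port pool and a midcomBindTable."""
    def __init__(self, interfaces: Set[int], pool: range,
                 groups: Dict[int, Tuple[int, int]]):
        self.interfaces = interfaces              # valid ifIndex values
        self.pool = pool                          # global-realm ports usable for binds
        self.groups = groups                      # group_id -> (lifetime, max_idle)
        self.in_use: Set[int] = set()
        self.bind_table: Dict[int, dict] = {}     # bind_id -> row, models midcomBindTable
        self._next_id = 1

    def _allocate(self, parity: Optional[int], count: int) -> Optional[int]:
        """Return the first of `count` consecutive free ports (first port parity-matched if given)."""
        for port in self.pool:
            if parity is not None and port % 2 != parity:
                continue
            run = range(port, port + count)
            if all(p in self.pool and p not in self.in_use for p in run):
                self.in_use.update(run)
                return port
        return None

    def _record(self, req: BindRequest, private: Endpoint, global_port: int,
                lifetime: int, max_idle: int) -> int:
        bind_id, self._next_id = self._next_id, self._next_id + 1
        self.bind_table[bind_id] = {
            "agent": req.agent_index, "if_index": req.if_index, "private": private,
            "global_port": global_port, "group_id": req.group_id,
            "lifetime": lifetime, "max_idle": max_idle,
        }
        return bind_id

    def bind(self, req: BindRequest) -> BindResult:
        """Execute one bind transaction and return the columns the agent reads back."""
        if req.if_index != ANY_INTERFACE and req.if_index not in self.interfaces:
            return BindResult("failure:noSuchInterface")
        if req.private_src is None:
            return BindResult("failure:noEndPoint")
        # A lifetime or MaxIdletime of 0 means "use the group's value" when a group is set.
        lifetime, max_idle = req.lifetime, req.max_idle
        if req.group_id:
            if req.group_id not in self.groups:
                return BindResult("failure:noSuchGroup")
            group_life, group_idle = self.groups[req.group_id]
            lifetime, max_idle = lifetime or group_life, max_idle or group_idle
        # With oddity enforced the translated port keeps the parity of the private port.
        enforce = req.oddity == ODDITY_ENFORCE
        first = self._allocate(req.private_src[1] % 2 if enforce else None,
                               2 if req.consecutive_pair else 1)
        if first is None:
            return BindResult("failure:resourceUnavailable")
        second = None
        if req.private_dst is not None and not req.consecutive_pair:
            # Twice-NAT: the destination end point needs its own bind.
            second = self._allocate(req.private_dst[1] % 2 if enforce else None, 1)
            if second is None:
                self.in_use.discard(first)   # roll back so the first port is not leaked
                return BindResult("failure:resourceUnavailable")
        result = BindResult("success", lifetime=lifetime, max_idle=max_idle)
        result.src_bind_id = self._record(req, req.private_src, first, lifetime, max_idle)
        if req.consecutive_pair:
            addr, port = req.private_src   # second bind: next private port, next global port
            result.dst_bind_id = self._record(req, (addr, port + 1), first + 1, lifetime, max_idle)
        elif second is not None:
            result.dst_bind_id = self._record(req, req.private_dst, second, lifetime, max_idle)
        return result
```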


7. Security Considerations

   The MIDCOM requirements [RFC3304] define the general security
   requirements for the MIDCOM protocol. The SNMPv3 User-based
   Security Model (USM, [RFC2574]) satisfies those requirements.
   USM defines three standardized methods for providing
   authentication, confidentiality, and integrity, and the method
   to use can be chosen as needed. The methods operate securely
   across untrusted domains. Additionally, USM has specific
   built-in mechanisms for preventing replay attacks, including
   unique protocol engine IDs, timers and counters per engine, and
   time windows for the validity of messages.

8. Acknowledgements

   The author wishes to thank Wes Hardaker for kindly playing
   the role of MIB doctor on the raw initial versions of this
   document. The author also wishes to thank Dave Harrington
   for providing clarity on how and where to draw the line in
   defining the MIBs, given the interrelation between Midcom MIB
   and middlebox function MIBs. Lastly, the author wishes to thank
   Martin Stiemerling, Juergen Quittek, Tom Taylor and Mary Barnes
   for the numerous valuable e-mail discussions, phone
   conversations and feedback on the subject.

9. References

Normative References

   [RFC3304] Swale, R., Mart, P., Sijben, P., Brim, S., and M. Shore,
   "Middlebox Communications (MIDCOM) Protocol Requirements",
   RFC 3304, August 2002.

   [RFC3303] Srisuresh, P., Kuthan, J., Rosenberg, J., Molitor, A.,
   and A. Rayhan, "Middlebox Communications Architecture and
   Framework", RFC 3303, August 2002.

   [MDCSEM] Stiemerling, M., Quittek, J., Taylor, T., "MIDCOM Protocol
   Semantics", draft-ietf-midcom-semantics-02.txt, May, 2003.

   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
   Requirement Levels", RFC 2119, March 1997.

   [RFC2578] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
   Rose, M., and S. Waldbusser, "Structure of Management Information
   Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

   [RFC2579] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
   Rose, M., and S. Waldbusser, "Textual Conventions for SMIv2",
   STD 58, RFC 2579, April 1999.

   [RFC2580] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
   Rose, M., and S. Waldbusser, "Conformance Statements for SMIv2",
   STD 58, RFC 2580, April 1999.

   [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
   Architecture for Describing SNMP Management Frameworks",
   STD 62, RFC 3411, November 2002.

   [RFC3412] Case, J., Harrington D., Presuhn R., and B. Wijnen,
   "Message Processing and Dispatching for the Simple Network
   Management Protocol (SNMP)", STD 62, RFC 3412, November 2002.

   [RFC3413] Levi, D., Meyer, P., and B. Stewart, "SNMPv3
   Applications", STD 62, RFC 3413, November 2002.

   [RFC3414] Blumenthal, U., and B. Wijnen, "User-based Security
   Model(USM) for version 3 of the Simple Network Management Protocol
   (SNMPv3)", STD 62, RFC 3414, November 2002.

   [RFC3415] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
   Access Control Model (VACM) for the Simple Network Management
   Protocol (SNMP)", STD 62, RFC 3415, November 2002.

   [NATMIB] Raghunarayan, R., Pai, N., Rohit, R., Wang, C., Srisuresh,
   P., "Definitions of Managed Objects for Network Address Translators
   (NAT)", draft-ietf-nat-natmib-06.txt, September, 2003.

   [PBMMIB]  Waldbusser, S., Saperia, J., Hongal, T., "Policy Based
   Management MIB", draft-ietf-snmpconf-pm-13.txt, March, 2003.

   [IPCMIB] Baer, M., Charlet, R., Hardaker, W., Story, R., Wang, C.,
   "IPsec Policy Configuration MIB module", draft-ietf-ipsp-ipsec-conf-
   MIB-06.txt, March, 2003.

Informative References

   [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
   "Introduction to Version 3 of the Internet-standard Network
   Management Framework", RFC 3410, November 2002.

   [MDCPEV] Barnes, M., "Middlebox Communications (MIDCOM) Protocol
   Evaluation", draft-ietf-midcom-protocol-eval-06.txt, November, 2002.

   [RFC2287] Krupczak, C. and J. Saperia, "Definitions of System-Level
   Managed Objects for Applications", RFC 2287, February 1998.

   [RFC2475] Blake, S., et al., "An Architecture for Differentiated
   Service", RFC 2475, December 1998.

   [RFC2564] Kalbfleisch, C., Krupczak, C., Presuhn, R., and J.
   Saperia, "Application Management MIB", RFC 2564, May 1999.

   [RFC2594] Hazewinkel, H., Kalbfleisch, C., and J. Schoenwaelder,
   "Definitions of Managed Objects for WWW Services", RFC 2594,
   May 1999.

   [RFC2788] N. Freed, S. Kille, "Network Services Monitoring MIB",
   RFC 2788, March 2000.

   [RFC2790] Waldbusser, S. and P. Grillo, "Host Resources MIB",
   RFC 2790, March 2000.

   [RFC2863] McCloghrie, K. and F. Kastenholz, "The Interfaces Group
   MIB using SMIv2", RFC 2863, June 2000.

   [RFC3289] Baker, F., Chan, K., Smith, A., "Management Information
   Base for the Differentiated Services Architecture", RFC 3289, May
   2002.

   [RFC3290] Bernet, Y., et al, "An Informal Management Model for
   Differentiated Services Routers", RFC 3290, May 2002.


Author's Address

   P. Srisuresh
   Caymas Systems, Inc.
   1179-A North McDowell Blvd.
   Petaluma, CA 94954
   Tel: (707) 283-5063
   Email: srisuresh@yahoo.com

Full Copyright Statement

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph
   are included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.  The limited permissions granted above are perpetual and
   will not be revoked by the Internet Society or its successors or
   assigns.  This document and the information contained
   herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES,
   EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT
   THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR
   ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
   PARTICULAR PURPOSE.