rfcdiff of draft-ietf-behave-nat-mib-02.txt against draft-ietf-behave-nat-mib-03.txt
(lines marked "-" appear only in -02, lines marked "+" only in -03; "skipping to change at ..." marks unchanged text that the diff omits)

Network Working Group
Internet-Draft
+Obsoletes: 4008 (if approved)
Intended status: Standards Track
-Expires: January 17, 2013
+Expires: February 16, 2013
-July 16, 2012
+August 15, 2012

S. Perreault, Viagenie
T. Tsou, Huawei Technologies (USA)
S. Sivakumar, Cisco Systems

Additional Managed Objects for Network Address Translators (NAT)
-draft-ietf-behave-nat-mib-02
+draft-ietf-behave-nat-mib-03
Abstract

This memo defines a portion of the Management Information Base (MIB) for devices implementing Network Address Translator (NAT) function. This MIB module may be used for monitoring of a device capable of NAT function.

Status of this Memo

skipping to change at page 1, line 36 (-02 and -03)

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

-This Internet-Draft will expire on January 17, 2013.
+This Internet-Draft will expire on February 16, 2013.

Copyright Notice

Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Table of Contents

In -02:
1. Introduction
2. Overview
2.1. Deprecated Features
2.2. New Features
3. Definitions
4. Security Considerations
5. IANA Considerations
6. References
6.1. Normative References
6.2. Informative References
Appendix A. Change Log (to be removed by RFC Editor prior to publication)
A.1. Changed in -01
Authors' Addresses

In -03:
1. Introduction
2. The Internet-Standard Management Framework
3. Overview
3.1. Deprecated Features
3.2. New Features
3.3. Realms
4. Definitions
5. Security Considerations
6. IANA Considerations
7. References
7.1. Normative References
7.2. Informative References
Authors' Addresses
1. Introduction

-[RFC4008] defines some objects for managing network address translators (NATs). Current operational practice often requires additional objects, in particular for enterprise and Internet service provider (ISP) deployments. This document defines those additional objects.
-
-This module is designed to be completely independent from [RFC4008]. A NAT implementation could be managed using this module, the one from [RFC4008], or both.
+This memo defines a portion of the Management Information Base (MIB) for devices implementing NAT function. This MIB module may be used for monitoring of a device capable of NAT function. Using it for configuration is deprecated. NAT types and their characteristics are defined in [RFC2663]. Traditional NAT function in particular is defined in [RFC3022]. This MIB does not address the firewall functions and must not be used for configuring or monitoring these.
+
+Section 2 provides references to the SNMP management framework, which was used as the basis for the MIB module definition. Section 3 provides an overview of the MIB features. Lastly, Section 4 has the complete NAT MIB definition.
+
+2. The Internet-Standard Management Framework
+
+For a detailed overview of the documents that describe the current Internet-Standard Management Framework, please refer to section 7 of [RFC3410].
+
+Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. MIB objects are generally accessed through the Simple Network Management Protocol (SNMP). Objects in the MIB are defined using the mechanisms defined in the Structure of Management Information (SMI). This memo specifies a MIB module that is compliant to the SMIv2, which is described in [RFC2578], [RFC2579] and [RFC2580].

-2. Overview
+3. Overview

-2.1. Deprecated Features
+3.1. Deprecated Features
All objects defined in [RFC4008] have been marked with "STATUS deprecated" for the following reasons:

Writability: Experience with NAT has shown that implementations vary tremendously. The NAT algorithms and data structures have little in common across devices, and this results in wildly incompatible configuration parameters. Therefore, few implementations were ever able to claim full compliance.

skipping to change at page 4, line 21 (-02) / page 4, line 40 (-03)

Limited transport protocol set: The set of transport protocols was defined as: other, icmp, udp, tcp. Furthermore, the numeric values corresponding to those labels were arbitrary, without relation to the actual standard protocol numbers. This meant that NAT implementations were limited to those protocols and were unable to expose information about DCCP, SCTP, etc.

Lesson learned: use standard transport protocol numbers.
-2.2. New Features
+3.2. New Features

New features in this module are as follows:

Counters: Many new counters are introduced. Most of them are available in two variants: global and per-transport protocol.

Limits: A few limits on the quantity of state data stored by the NAT device. Some of them can trigger notifications.

Address+Port Pools: Pools of external addresses and ports are often

skipping to change at page 4, line 48 (-02) / page 5, line 22 (-03)

"Paired" [RFC4787] maintain a mapping from internal address to external address. This module allows inspection of this mapping table.

Mapping table indexed by external 3-tuple: It is often necessary to determine the internal address that is mapped to a given external address and port. This MIB provides this table with an index to accomplish this efficiently, without having to iterate over all mappings.
-3. Definitions
+Realms: See Section 3.3.
+
+RFC 4787 terminology: Mapping table entries indicate the mapping behavior, the filtering behavior, and the address pooling behavior that were used to create the mapping.
+
+3.3. Realms
+
+Current NAT devices commonly allow the internal and external parts of a mapping to come from different realms. The meaning of "realm" is implementation-dependent. On some implementations it can be equivalent to the name of a VPN Routing and Forwarding table (VRF). On others it is simply the numeric index of a virtual routing table. Note that this usage of "realm" is completely different from the one in [RFC4008].
+
+This MIB allows the realm to be indicated where it makes sense. The format is an SnmpAdminString. On platforms that identify realms with integers, the string representation of the integer is used instead. The empty string has special meaning: it refers to the default realm.
+
+Note that many MIBs implicitly support realms in one form or another by using SNMPv3 contexts. See for example the OSPFv2 MIB [RFC4750]. This method cannot be used for the NAT MIB because mappings can belong to two realms simultaneously: the internal part can be in one realm while the external part is in another. In such cases the NAT function acts like a "wormhole" between two realms. Using contexts would implicitly impose the restriction that all objects would have to belong to the same realm.
+
+4. Definitions
This MIB module IMPORTs objects from [RFC2578], [RFC2579], and [RFC4001].

NAT-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY,
    OBJECT-TYPE,
    Integer32,

skipping to change at page 8, line 22 (-02) / page 9, line 28 (-03)

         registry."
    SYNTAX Unsigned32 (0..255)

NatPoolId ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "d"
    STATUS current
    DESCRIPTION
        "A unique ID that is assigned to each pool."
    SYNTAX Unsigned32 (1..4294967295)

+NatBehaviorType ::= TEXTUAL-CONVENTION
+    STATUS current
+    DESCRIPTION
+        "Behavior type as described in [RFC4787] sections 4.1 and 5."
+    SYNTAX INTEGER {
+        endpointIndependent (0),
+        addressDependent (1),
+        addressAndPortDependent (2)
+    }
+
+NatPoolingType ::= TEXTUAL-CONVENTION
+    STATUS current
+    DESCRIPTION
+        "Pooling type as described in [RFC4787] section 4.1."
+    SYNTAX INTEGER {
+        arbitrary (0),
+        paired (1)
+    }

--
-- Default Values for the Bind and NAT Protocol Timers
--

natDefTimeouts OBJECT IDENTIFIER ::= { natMIBObjects 1 }
natNotifCtrl OBJECT IDENTIFIER ::= { natMIBObjects 2 }

--
-- Address Bind and Port Bind related NAT configuration
--

natBindDefIdleTimeout OBJECT-TYPE
    SYNTAX Unsigned32 (0..4294967295)
skipping to change at page 47, line 23 (-02) / page 48, line 51 (-03)

              natCntProtocolOOP,
              natCntProtocolResource,
              natCntProtocolStateMismatch,
              natCntProtocolQuota,
              natCntProtocolMappings,
              natCntProtocolMapCreations,
              natCntProtocolMapRemovals,
              natLimitMappings,
              natMappingsNotifyThreshold,
              natPoolIndex,
+             natPoolRealm,
              natPoolUsage,
              natPoolWatermarkLow,
              natPoolWatermarkHigh,
              natPoolPortMin,
              natPoolPortMax,
              natPoolRangePoolIndex,
              natPoolRangeEnd,
              natPoolRangeAllocatedPorts,
+             natMappingIntRealm,
              natMappingIntAddressType,
              natMappingIntAddress,
              natMappingIntPort,
-             natMappingPool }
+             natMappingPool,
+             natMappingMapBehavior,
+             natMappingFilterBehavior,
+             natMappingAddressPooling }
    STATUS current
    DESCRIPTION
        "Basic counters, limits, and thresholds."
    ::= { natMIBGroups 7 }

natGroupAddrMapObjects OBJECT-GROUP
    OBJECTS { natCntAddressMappings,
              natCntAddrMapCreations,
              natCntAddrMapRemovals,
              natLimitAddressMappings,
              natAddrMapNotifyThreshold,
+             natMapIntAddrExtRealm,
              natMapIntAddrExt }
    STATUS current
    DESCRIPTION
        "Objects that require 'Paired IP address pooling' behavior
        [RFC4787]."
    ::= { natMIBGroups 8 }

natGroupFragmentObjects OBJECT-GROUP
    OBJECTS { natLimitFragments }
    STATUS current
skipping to change at page 61, line 39 (-02) / page 63, line 29 (-03)

natLimits OBJECT IDENTIFIER ::= { natMIBObjects 12 }

natLimitMappings OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "Global limit on the total number of mappings. Zero means
        unlimited."
    ::= { natLimits 1 }

natMappingsNotifyThreshold OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "See natNotifMappings."
    ::= { natLimits 2 }

natLimitAddressMappings OBJECT-TYPE
skipping to change at page 63, line 11 (-02) / page 64, line 47 (-03)

    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Entry in the table of pools."
    INDEX { natPoolIndex }
    ::= { natPoolTable 1 }

NatPoolEntry ::=
    SEQUENCE {
        natPoolIndex NatPoolId,
+       natPoolRealm SnmpAdminString,
        natPoolUsage Integer32,
        natPoolWatermarkLow Integer32,
        natPoolWatermarkHigh Integer32,
        natPoolPortMin InetPortNumber,
        natPoolPortMax InetPortNumber
-       -- TODO: virtual router ID, status, ref count, etc.
    }

natPoolIndex OBJECT-TYPE
    SYNTAX NatPoolId
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Index of an address pool."
    ::= { natPoolEntry 1 }

+natPoolRealm OBJECT-TYPE
+    SYNTAX SnmpAdminString (SIZE (0..32))
+    MAX-ACCESS read-only
+    STATUS current
+    DESCRIPTION
+        "Realm to which this pool's addresses belong."
+    ::= { natPoolEntry 2 }

natPoolUsage OBJECT-TYPE
    SYNTAX Integer32 (0..100)
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Percentage of the pool's total number of external ports
        currently mapped."
-   ::= { natPoolEntry 2 }
+   ::= { natPoolEntry 3 }

natPoolWatermarkLow OBJECT-TYPE
    SYNTAX Integer32 (-1|0..100)
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "Low watermark on a pool's usage, in percentage of the total
        number of ports available. If set to -1, the watermark is
        disabled. Otherwise, when natPoolUsage becomes lower than or
        equal to natPoolWatermarkLow, a notification is sent. The
        NAT may also start behaving in low usage mode (this is
        implementation-defined)."
-   ::= { natPoolEntry 3 }
+   ::= { natPoolEntry 4 }

natPoolWatermarkHigh OBJECT-TYPE
    SYNTAX Integer32 (-1|0..100)
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "High watermark on a pool's usage, in percentage of the total
        number of ports available. If set to -1, the watermark is
        disabled. Otherwise, when natPoolUsage becomes higher than
        or equal to natPoolWatermarkHigh, a notification is sent.
        The NAT may also start behaving in high usage mode (this is
        implementation-defined)."
-   ::= { natPoolEntry 4 }
+   ::= { natPoolEntry 5 }

natPoolPortMin OBJECT-TYPE
    SYNTAX InetPortNumber
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "Minimal port number to be allocated in this pool."
-   ::= { natPoolEntry 5 }
+   ::= { natPoolEntry 6 }

natPoolPortMax OBJECT-TYPE
    SYNTAX InetPortNumber
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "Maximal port number to be allocated in this pool."
-   ::= { natPoolEntry 6 }
+   ::= { natPoolEntry 7 }
natPoolRangeTable OBJECT-TYPE
    SYNTAX SEQUENCE OF NatPoolRangeEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "This table contains address ranges used by pool entries."
    ::= { natPoolObjects 2 }

natPoolRangeEntry OBJECT-TYPE

skipping to change at page 65, line 8 (-02) / page 67, line 5 (-03)

            natPoolRangeBegin }
    ::= { natPoolRangeTable 1 }

NatPoolRangeEntry ::=
    SEQUENCE {
        natPoolRangePoolIndex NatPoolId,
        natPoolRangeType InetAddressType,
        natPoolRangeBegin InetAddress,
        natPoolRangeEnd InetAddress,
        natPoolRangeAllocatedPorts Gauge32
-       -- TODO: the usual bookkeeping things
    }

natPoolRangePoolIndex OBJECT-TYPE
    SYNTAX NatPoolId
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Index of the address pool to which this address range belongs.
        See natPoolIndex."
    ::= { natPoolRangeEntry 1 }
skipping to change at page 66, line 28 (-02) / page 68, line 23 (-03)

        This table is only applicable to NATs that have an 'IP address
        pooling' behavior of 'Paired' [RFC4787]."
    ::= { natMapObjects 1 }

natMapIntAddrEntry OBJECT-TYPE
    SYNTAX NatMapIntAddrEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Mapping from internal to external address."
-   INDEX { natMapIntAddrType,
+   INDEX { natMapIntAddrIntRealm,
+           natMapIntAddrType,
            natMapIntAddrInt }
    ::= { natMapIntAddrTable 1 }

NatMapIntAddrEntry ::=
    SEQUENCE {
+       natMapIntAddrIntRealm SnmpAdminString,
+       natMapIntAddrExtRealm SnmpAdminString,
        natMapIntAddrType InetAddressType,
        natMapIntAddrInt InetAddress,
        natMapIntAddrExt InetAddress
    }

+natMapIntAddrIntRealm OBJECT-TYPE
+    SYNTAX SnmpAdminString (SIZE(0..32))
+    MAX-ACCESS not-accessible
+    STATUS current
+    DESCRIPTION
+        "Realm to which natMapIntAddrInt belongs."
+    ::= { natMapIntAddrEntry 1 }
+
+natMapIntAddrExtRealm OBJECT-TYPE
+    SYNTAX SnmpAdminString
+    MAX-ACCESS read-only
+    STATUS current
+    DESCRIPTION
+        "Realm to which natMapIntAddrExt belongs."
+    ::= { natMapIntAddrEntry 2 }

natMapIntAddrType OBJECT-TYPE
    SYNTAX InetAddressType
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Address type for natMapIntAddrInt and natMapIntAddrExt."
-   ::= { natMapIntAddrEntry 1 }
+   ::= { natMapIntAddrEntry 3 }

natMapIntAddrInt OBJECT-TYPE
    SYNTAX InetAddress (SIZE (4|16))
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Internal address."
-   ::= { natMapIntAddrEntry 2 }
+   ::= { natMapIntAddrEntry 4 }

natMapIntAddrExt OBJECT-TYPE
    SYNTAX InetAddress
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "External address."
-   ::= { natMapIntAddrEntry 3 }
+   ::= { natMapIntAddrEntry 5 }
natMappingTable OBJECT-TYPE
    SYNTAX SEQUENCE OF NatMappingTableEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Table of mappings indexed by external 3-tuple."
    ::= { natMapObjects 2 }

natMappingTableEntry OBJECT-TYPE
    SYNTAX NatMappingTableEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "A single NAT mapping."
    INDEX { natMappingProto,
+           natMappingExtRealm,
            natMappingExtAddressType,
            natMappingExtAddress,
            natMappingExtPort }
    ::= { natMappingTable 1 }

NatMappingTableEntry ::=
    SEQUENCE {
        natMappingProto ProtocolNumber,
+       natMappingExtRealm SnmpAdminString,
        natMappingExtAddressType InetAddressType,
        natMappingExtAddress InetAddress,
        natMappingExtPort InetPortNumber,
+       natMappingIntRealm SnmpAdminString,
        natMappingIntAddressType InetAddressType,
        natMappingIntAddress InetAddress,
        natMappingIntPort InetPortNumber,
-       natMappingPool NatPoolId
+       natMappingPool NatPoolId,
+       natMappingMapBehavior NatBehaviorType,
+       natMappingFilterBehavior NatBehaviorType,
+       natMappingAddressPooling NatPoolingType
    }

natMappingProto OBJECT-TYPE
    SYNTAX ProtocolNumber
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The mapping's transport protocol number."
    ::= { natMappingTableEntry 1 }

+natMappingExtRealm OBJECT-TYPE
+    SYNTAX SnmpAdminString (SIZE(0..32))
+    MAX-ACCESS not-accessible
+    STATUS current
+    DESCRIPTION
+        "The realm to which natMappingExtAddress belongs."
+    ::= { natMappingTableEntry 2 }

natMappingExtAddressType OBJECT-TYPE
    SYNTAX InetAddressType
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Type of the mapping's external address."
-   ::= { natMappingTableEntry 2 }
+   ::= { natMappingTableEntry 3 }

natMappingExtAddress OBJECT-TYPE
    SYNTAX InetAddress (SIZE (4|16))
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The mapping's external address. If this is the undefined
        address, all external addresses are mapped to the internal
        address."
-   ::= { natMappingTableEntry 3 }
+   ::= { natMappingTableEntry 4 }

natMappingExtPort OBJECT-TYPE
    SYNTAX InetPortNumber
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The mapping's external port number. If this is zero, all
        external ports are mapped to the internal port."
-   ::= { natMappingTableEntry 4 }
+   ::= { natMappingTableEntry 5 }

+natMappingIntRealm OBJECT-TYPE
+    SYNTAX SnmpAdminString
+    MAX-ACCESS read-only
+    STATUS current
+    DESCRIPTION
+        "The realm to which natMappingIntAddress belongs."
+    ::= { natMappingTableEntry 6 }

natMappingIntAddressType OBJECT-TYPE
    SYNTAX InetAddressType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Type of the mapping's internal address."
-   ::= { natMappingTableEntry 5 }
+   ::= { natMappingTableEntry 7 }

natMappingIntAddress OBJECT-TYPE
    SYNTAX InetAddress
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The mapping's internal address. If this is the undefined
        address, addresses are not translated."
-   ::= { natMappingTableEntry 6 }
+   ::= { natMappingTableEntry 8 }

natMappingIntPort OBJECT-TYPE
    SYNTAX InetPortNumber
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The mapping's internal port number. If this is zero, ports are
        not translated."
-   ::= { natMappingTableEntry 7 }
+   ::= { natMappingTableEntry 9 }

natMappingPool OBJECT-TYPE
    SYNTAX NatPoolId (0|1..4294967295)
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Index of the pool that contains this mapping's external address
        and port. If zero, no pool is associated with this mapping."
-   ::= { natMappingTableEntry 8 }
+   ::= { natMappingTableEntry 10 }

+natMappingMapBehavior OBJECT-TYPE
+    SYNTAX NatBehaviorType
+    MAX-ACCESS read-only
+    STATUS current
+    DESCRIPTION
+        "Mapping behavior as described in [RFC4787] section 4.1."
+    ::= { natMappingTableEntry 11 }
+
+natMappingFilterBehavior OBJECT-TYPE
+    SYNTAX NatBehaviorType
+    MAX-ACCESS read-only
+    STATUS current
+    DESCRIPTION
+        "Filtering behavior as described in [RFC4787] section 5."
+    ::= { natMappingTableEntry 12 }
+
+natMappingAddressPooling OBJECT-TYPE
+    SYNTAX NatPoolingType
+    MAX-ACCESS read-only
+    STATUS current
+    DESCRIPTION
+        "Type of address pooling behavior that was used to create this
+        mapping."
+    ::= { natMappingTableEntry 13 }

END
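The natMappingTable index (and the realm encoding of Section 3.3) is what an incident responder uses to turn the external address and port in an abuse report back into an internal host. The Python below is an added illustration, not code from the draft or from any NAT implementation: it builds the -03 instance identifier of a row so a manager can issue one GET instead of walking the table, decodes such an identifier back into its fields, and applies the wildcard rules from the natMappingExtAddress, natMappingExtPort, natMappingIntAddress and natMappingIntPort DESCRIPTIONs to a constructed table. The sample rows, the precedence of exact rows over wildcard rows, and the usual SMIv2 length-prefixed encoding of non-IMPLIED variable-length index objects are assumptions, not statements on the page.

```python
"""Manager-side model of the natMappingTable index and lookup semantics.

Added example; not code from the draft or from any NAT product.  Assumptions not
on the page: non-IMPLIED variable-length index objects are encoded as a length
followed by one sub-identifier per octet (the normal SMIv2 rule); unknown(0),
ipv4(1), ipv6(2) are the RFC 4001 InetAddressType values; when an exact row and a
wildcard row both match, the exact row wins.
"""
import ipaddress

UNKNOWN, IPV4, IPV6 = 0, 1, 2  # InetAddressType values (RFC 4001)

def realm_string(realm):
    """Section 3.3: a realm is an SnmpAdminString; an integer realm id is carried
    as its decimal string and None (the default realm) as the empty string."""
    return "" if realm is None else str(realm)

def canon_addr(addr):
    """Canonical text of an address, or None for the 'undefined address'
    (InetAddressType unknown(0) with a zero-length InetAddress)."""
    return None if addr is None else str(ipaddress.ip_address(addr))

def encode_mapping_index(proto, ext_realm, ext_addr, ext_port):
    """Instance sub-identifiers of a natMappingTable row in the -03 INDEX order:
    natMappingProto, natMappingExtRealm, natMappingExtAddressType,
    natMappingExtAddress, natMappingExtPort.  Realm and address are
    variable-length index objects, so each is preceded by its length."""
    realm = realm_string(ext_realm).encode("utf-8")
    if ext_addr is None:
        atype, octets = UNKNOWN, b""
    else:
        ip = ipaddress.ip_address(ext_addr)
        atype, octets = (IPV4 if ip.version == 4 else IPV6), ip.packed
    return (proto, len(realm), *realm, atype, len(octets), *octets, ext_port)

def decode_mapping_index(subids):
    """Inverse of encode_mapping_index, e.g. for rows seen in a table walk:
    returns (proto, ext_realm, ext_addr, ext_port)."""
    subids = list(subids)
    proto, n = subids[0], subids[1]
    realm = bytes(subids[2:2 + n]).decode("utf-8")
    pos = 2 + n
    atype, alen = subids[pos], subids[pos + 1]
    octets = bytes(subids[pos + 2:pos + 2 + alen])
    pos += 2 + alen
    if pos != len(subids) - 1:
        raise ValueError("wrong number of sub-identifiers")
    if atype == UNKNOWN and alen == 0:
        addr = None
    elif (atype, alen) in ((IPV4, 4), (IPV6, 16)):
        addr = str(ipaddress.ip_address(octets))
    else:
        raise ValueError("InetAddressType/InetAddress length mismatch")
    return proto, realm, addr, subids[pos]

# Constructed sample rows (not data from the draft), one per natMappingTable entry.
MAPPINGS = [
    # tcp: 10.0.0.7:51234 in realm cust-a appears as 192.0.2.1:40000 in the default realm
    dict(proto=6, ext_realm="", ext_addr="192.0.2.1", ext_port=40000,
         int_realm="cust-a", int_addr="10.0.0.7", int_port=51234, pool=1),
    # udp: every external port of 192.0.2.1 goes to 10.0.0.9, ports not translated
    dict(proto=17, ext_realm="", ext_addr="192.0.2.1", ext_port=0,
         int_realm="cust-a", int_addr="10.0.0.9", int_port=0, pool=1),
    # tcp/443 on any external address of numeric realm 7 goes to 10.1.1.5:8443, no pool
    dict(proto=6, ext_realm=7, ext_addr=None, ext_port=443,
         int_realm="", int_addr="10.1.1.5", int_port=8443, pool=0),
]

def build_table(rows):
    """Key rows by the external realm and 3-tuple the MIB indexes on."""
    return {(r["proto"], realm_string(r["ext_realm"]), canon_addr(r["ext_addr"]),
             r["ext_port"]): r for r in rows}

TABLE = build_table(MAPPINGS)

def resolve_external(table, proto, ext_realm, ext_addr, ext_port):
    """Attribute an observed external endpoint to (int_realm, int_addr, int_port)
    per the object DESCRIPTIONs: an undefined natMappingExtAddress matches all
    external addresses, natMappingExtPort 0 matches all external ports, and an
    undefined natMappingIntAddress / zero natMappingIntPort means 'not translated'."""
    realm, addr = realm_string(ext_realm), canon_addr(ext_addr)
    for key in ((proto, realm, addr, ext_port), (proto, realm, addr, 0),
                (proto, realm, None, ext_port), (proto, realm, None, 0)):
        row = table.get(key)
        if row is not None:
            int_addr = row["int_addr"] if row["int_addr"] is not None else addr
            int_port = row["int_port"] if row["int_port"] else ext_port
            return row["int_realm"], int_addr, int_port
    return None  # the NAT holds no mapping for this external tuple

if __name__ == "__main__":
    suffix = encode_mapping_index(6, "", "192.0.2.1", 40000)
    print("natMappingIntAddress." + ".".join(map(str, suffix)))  # one GET, no walk
    print(resolve_external(TABLE, 6, "", "192.0.2.1", 40000))
```

A GET of natMappingIntRealm, natMappingIntAddress and natMappingIntPort with that suffix answers the attribution question in a single request, which is the point of indexing by the external 3-tuple. Because those values identify private hosts, the request belongs on an SNMPv3 session with authentication and privacy, as the Security Considerations that follow explain.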
5.  Security Considerations   (-02: "4.  Security Considerations", body "TBD")

   Unauthorized access to the write-able objects could cause a denial of
   service and/or widespread network disturbance.  Hence, support for
   SET operations in a non-secure environment without proper protection
   can have a negative effect on network operations.

   At this writing, no security holes have been identified beyond those
   that SNMP Security is itself intended to address.  These relate
   primarily to controlled access to sensitive information and the
   ability to configure a device, or to what might result from operator
   error, which is beyond the scope of any security architecture.

   There are a number of managed objects in this MIB that may contain
   information that is sensitive from a business perspective, in that
   they represent NAT state information.  Various objects can reveal
   the identity of private hosts that are engaged in a session with
   external end nodes.  A curious outsider could monitor these to assess
   the number of private hosts being supported by the NAT device.
   Further, a disgruntled former employee of an enterprise could use the
   information to break into specific private hosts by intercepting the
   existing sessions or originating new sessions into the host.  There
   are no objects that are sensitive in their own right, such as
   passwords or monetary amounts.  It may even be important to control
   GET access to these objects and possibly to encrypt the values of
   these objects when they are sent over the network via SNMP.  Not all
   versions of SNMP provide features for such a secure environment.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPsec),
   there is no control as to who on the secure network is allowed to
   access and GET/SET (read/change/create/delete) the objects in this
   MIB.

   It is recommended that implementers consider the security features
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

6.  IANA Considerations   (-02: "5.  IANA Considerations", body "TBD")

   IANA has assigned object identifier 123 to the natMIB module, with
   prefix iso.org.dod.internet.mgmt.mib-2 in the Network Management
   Parameters registry [1].
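An added example, not part of the draft or of any NAT implementation, that audits a net-snmp style snmpd.conf for the access settings these sections warn against: SNMPv1/v2c community strings, and SNMPv3 users able to reach the natMIB subtree below the priv level. It assumes the natMIB OID 1.3.6.1.2.1.123 (mib-2.123 from the IANA section); the configuration lines are constructed.

```python
# Added example, not part of the draft: audit a net-snmp style snmpd.conf
# for access settings that expose the natMIB without the SNMPv3
# authentication and privacy the Security Considerations call for.
# natMIB OID assumed from the IANA section: mib-2.123 = 1.3.6.1.2.1.123.

NAT_MIB_OID = (1, 3, 6, 1, 2, 1, 123)

# Constructed sample configuration: weak directives beside a hardened one.
SAMPLE_SNMPD_CONF = """\
# constructed sample snmpd.conf
rocommunity public                          # v2c read, no auth, whole tree
rwcommunity private 10.0.0.0/8              # v2c write, no auth
createUser natmon SHA "auth-pass-placeholder" AES "priv-pass-placeholder"
rouser natmon priv .1.3.6.1.2.1.123         # v3 authPriv, natMIB only: OK
rouser legacy noauth                        # v3 user, no security, whole tree
"""

def oid_tuple(text):
    """Parse a dotted OID such as '.1.3.6.1.2.1.123' into a tuple of arcs."""
    return tuple(int(arc) for arc in text.strip(".").split(".") if arc)

def covers_nat_mib(view_oid):
    """True if a view restriction still includes all or part of the natMIB.
    An empty tuple means no restriction (the whole tree)."""
    n = min(len(view_oid), len(NAT_MIB_OID))
    return view_oid[:n] == NAT_MIB_OID[:n]

def audit_snmpd_conf(text):
    """Return (line_no, finding) pairs for directives that let the natMIB
    be read or written below the SNMPv3 'priv' security level."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not parts:
            continue
        directive, args = parts[0].lower(), parts[1:]
        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            findings.append((no, "SNMPv1/v2c community: unauthenticated, unencrypted access to NAT state"))
        elif directive in ("rouser", "rwuser") and args:
            level = args[1].lower() if len(args) > 1 else "auth"   # net-snmp default level
            # A literal OID restricts the view; a named view (-V ...) or nothing
            # is treated conservatively as the whole tree.
            view = oid_tuple(args[2]) if len(args) > 2 and not args[2].startswith("-") else ()
            if covers_nat_mib(view) and level != "priv":
                findings.append((no, f"SNMPv3 user {args[0]!r} reaches natMIB at level {level}; require priv"))
    return findings

if __name__ == "__main__":
    for no, finding in audit_snmpd_conf(SAMPLE_SNMPD_CONF):
        print(f"line {no}: {finding}")
```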
7.  References   (-02: 6.)

7.1.  Normative References   (-02: 6.1.)
   [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Structure of Management Information
              Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

   [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Textual Conventions for SMIv2",
              STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Conformance Statements for SMIv2", STD 58, RFC 2580,
              April 1999.  (new in -03)

   [RFC2663]  Srisuresh, P. and M. Holdrege, "IP Network Address
              Translator (NAT) Terminology and Considerations",
              RFC 2663, August 1999.  (new in -03)

   [RFC3022]  Srisuresh, P. and K. Egevang, "Traditional IP Network
              Address Translator (Traditional NAT)", RFC 3022,
              January 2001.  (new in -03)

   [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
              Schoenwaelder, "Textual Conventions for Internet Network
              Addresses", RFC 4001, February 2005.

   [RFC4750]  Joyal, D., Galecki, P., Giacalone, S., Coltun, R., and F.
              Baker, "OSPF Version 2 Management Information Base",
              RFC 4750, December 2006.  (new in -03)

   [RFC4787]  Audet, F. and C. Jennings, "Network Address Translation
              (NAT) Behavioral Requirements for Unicast UDP", BCP 127,
              RFC 4787, January 2007.
7.2.  Informative References   (-02: 6.2.)

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410, December 2002.
              (new in -03)

   [RFC4008]  Rohit, R., Srisuresh, P., Raghunarayan, R., Pai, N., and
              C. Wang, "Definitions of Managed Objects for Network
              Address Translators (NAT)", RFC 4008, March 2005.
-02 only:

Appendix A.  Change Log (to be removed by RFC Editor prior to
             publication)

A.1.  Changed in -01

   o  Added CGN stuff (per-subscriber quotas, counters, notifications).

   o  Added conformance groups and compliance statements.

   o  Added mapping table indexed by external 3-tuple.

-03 only:

URIs

   [1]  <http://www.iana.org/assignments/smi-numbers>
Authors' Addresses

   Simon Perreault
   Viagenie
   246 Aberdeen
   Quebec, QC  G1R 2E1
   Canada

   Phone: +1 418 656 9254
End of changes.  55 change blocks.  71 lines changed or deleted, 272 lines changed or added.

This html diff was produced by rfcdiff 1.41.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/