draft-ietf-behave-nat-mib-03.txt   draft-ietf-behave-nat-mib-04.txt 
Network Working Group S. Perreault Network Working Group S. Perreault
Internet-Draft Viagenie Internet-Draft Viagenie
Obsoletes: 4008 (if approved) T. Tsou Obsoletes: 4008 (if approved) T. Tsou
Intended status: Standards Track Huawei Technologies (USA) Intended status: Standards Track Huawei Technologies (USA)
Expires: February 16, 2013 S. Sivakumar Expires: August 25, 2013 S. Sivakumar
Cisco Systems Cisco Systems
August 15, 2012 February 21, 2013
Additional Managed Objects for Network Address Translators (NAT) Additional Managed Objects for Network Address Translators (NAT)
draft-ietf-behave-nat-mib-03 draft-ietf-behave-nat-mib-04
Abstract Abstract
This memo defines a portion of the Management Information Base (MIB) This memo defines a portion of the Management Information Base (MIB)
for devices implementing Network Address Translator (NAT) function. for devices implementing Network Address Translator (NAT) function.
This MIB module may be used for monitoring of a device capable of NAT This MIB module may be used for monitoring of a device capable of NAT
function. function.
Status of this Memo Status of this Memo
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on February 16, 2013. This Internet-Draft will expire on August 25, 2013.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 16 skipping to change at page 2, line 16
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. The Internet-Standard Management Framework . . . . . . . . . . 3 2. The Internet-Standard Management Framework . . . . . . . . . . 3
3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3.1. Deprecated Features . . . . . . . . . . . . . . . . . . . 3 3.1. Deprecated Features . . . . . . . . . . . . . . . . . . . 3
3.2. New Features . . . . . . . . . . . . . . . . . . . . . . . 4 3.2. New Features . . . . . . . . . . . . . . . . . . . . . . . 4
3.3. Realms . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.3. Realms . . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 6 4. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 6
5. Security Considerations . . . . . . . . . . . . . . . . . . . 72 5. Security Considerations . . . . . . . . . . . . . . . . . . . 78
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 73 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 79
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 73 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 79
7.1. Normative References . . . . . . . . . . . . . . . . . . . 73 7.1. Normative References . . . . . . . . . . . . . . . . . . . 79
7.2. Informative References . . . . . . . . . . . . . . . . . . 74 7.2. Informative References . . . . . . . . . . . . . . . . . . 80
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 74 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 80
1. Introduction 1. Introduction
This memo defines a portion of the Management Information Base (MIB) This memo defines a portion of the Management Information Base (MIB)
for devices implementing NAT function. This MIB module may be used for devices implementing NAT function. This MIB module may be used
for monitoring of a device capable of NAT function. Using it for for monitoring of a device capable of NAT function. Using it for
configuration is deprecated. NAT types and their characteristics are configuration is deprecated. NAT types and their characteristics are
defined in [RFC2663]. Traditional NAT function, in particular is defined in [RFC2663]. Traditional NAT function, in particular is
defined in [RFC3022]. This MIB does not address the firewall defined in [RFC3022]. This MIB does not address the firewall
functions and must not be used for configuring or monitoring these. functions and must not be used for configuring or monitoring these.
skipping to change at page 5, line 28 skipping to change at page 5, line 28
address and port. This MIB provides this table with an index to address and port. This MIB provides this table with an index to
accomplish this efficiently, without having to iterate over all accomplish this efficiently, without having to iterate over all
mappings. mappings.
Realms: See Section 3.3. Realms: See Section 3.3.
RFC 4787 terminology: Mapping table entries indicate the mapping RFC 4787 terminology: Mapping table entries indicate the mapping
behavior, the filtering behavior, and the address pooling behavior behavior, the filtering behavior, and the address pooling behavior
that were used to create the mapping. that were used to create the mapping.
Subscriber awareness: With the advent of CGN deployment, a set of
subscriber specific counters, limits and parameters are added.
3.3. Realms 3.3. Realms
Current NAT devices commonly allow the internal and external parts of Current NAT devices commonly allow the internal and external parts of
a mapping to come from different realms. The meaning of "realm" is a mapping to come from different realms. The meaning of "realm" is
implementation-dependent. On some implementations it can be implementation-dependent. On some implementations it can be
equivalent to the name of a VPN Routing and Forwarding table (VRF). equivalent to the name of a VPN Routing and Forwarding table (VRF).
On others it is simply the numeric index of a virtual routing table. On others it is simply the numeric index of a virtual routing table.
Note that this usage of "realm" is completely different from the one Note that this usage of "realm" is completely different from the one
in [RFC4008]. in [RFC4008].
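Review bot: the new "Subscriber awareness" item has a subject-verb mismatch ("a set of subscriber specific counters, limits and parameters are added") and does not say where the new material lives; suggest "a set of subscriber-specific counters, limits and parameters is added (see natSubscribersTable and natCGNCompliance)" so the overview points readers at the new table and the compliance statement that mandates it, the way the other items in this list point at Section 3.3 or RFC 4787.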
skipping to change at page 45, line 33 skipping to change at page 45, line 33
::= { natMIBNotifications 4 } ::= { natMIBNotifications 4 }
natNotifAddrMappings NOTIFICATION-TYPE natNotifAddrMappings NOTIFICATION-TYPE
OBJECTS { natCntAddressMappings } OBJECTS { natCntAddressMappings }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This notification is generated when natCntAddressMappings "This notification is generated when natCntAddressMappings
exceeds the value of natAddrMapNotifyThreshold." exceeds the value of natAddrMapNotifyThreshold."
::= { natMIBNotifications 5 } ::= { natMIBNotifications 5 }
natNotifSubscriberMappings NOTIFICATION-TYPE
OBJECTS { natSubscriberCntMappings }
STATUS current
DESCRIPTION
"This notification is generated when natSubscriberCntMappings
exceeds the value of natSubscriberMapNotifyThresh, unless
natSubscriberMapNotifyThresh is zero.."
::= { NatNotifications 6 }
-- --
-- Conformance information. -- Conformance information.
-- --
natMIBConformance OBJECT IDENTIFIER ::= { natMIB 2 } natMIBConformance OBJECT IDENTIFIER ::= { natMIB 2 }
natMIBGroups OBJECT IDENTIFIER ::= { natMIBConformance 1 } natMIBGroups OBJECT IDENTIFIER ::= { natMIBConformance 1 }
natMIBCompliances OBJECT IDENTIFIER ::= { natMIBConformance 2 } natMIBCompliances OBJECT IDENTIFIER ::= { natMIBConformance 2 }
-- --
-- Units of conformance -- Units of conformance
-- --
natConfigGroup OBJECT-GROUP natConfigGroup OBJECT-GROUP
OBJECTS { natInterfaceRealm, OBJECTS { natInterfaceRealm,
natInterfaceServiceType, natInterfaceServiceType,
natInterfaceStorageType, natInterfaceStorageType,
natInterfaceRowStatus, natInterfaceRowStatus,
natAddrMapName, natAddrMapName,
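Review bot: natNotifSubscriberMappings is registered as `::= { NatNotifications 6 }`, but every other notification in this module, including natNotifAddrMappings directly above it, is registered under natMIBNotifications; an identifier beginning with an upper-case letter is an ASN.1 type reference in SMIv2, so the module will not compile and the new notification would not land in the notifications subtree. Suggest `::= { natMIBNotifications 6 }`. The DESCRIPTION also ends with a doubled period ("is zero..").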
skipping to change at page 50, line 15 skipping to change at page 50, line 26
"Basic notifications." "Basic notifications."
::= { natMIBGroups 11 } ::= { natMIBGroups 11 }
natGroupAddrMapNotifications NOTIFICATION-GROUP natGroupAddrMapNotifications NOTIFICATION-GROUP
NOTIFICATIONS { natNotifAddrMappings } NOTIFICATIONS { natNotifAddrMappings }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Notifications about address mappings." "Notifications about address mappings."
::= { natMIBGroups 12 } ::= { natMIBGroups 12 }
natGroupSubscriberObjects OBJECT-GROUP
OBJECTS { natSubscriberIntPrefixType,
natSubscriberIntPrefix,
natSubscriberIntPrefixLength,
natSubscriberPool,
natSubscriberCntTranslates,
natSubscriberCntOOP,
natSubscriberCntResource,
natSubscriberCntStateMismatch,
natSubscriberCntQuota,
natSubscriberCntMappings,
natSubscriberCntMapCreations,
natSubscriberCntMapRemovals,
natSubscriberLimitMappings,
natLimitSubscribers }
STATUS current
DESCRIPTION
"Per-subscriber counters, limits, and thresholds."
::= { natMIBGroups 13 }
natGroupSubscriberNotifications NOTIFICATION-GROUP
NOTIFICATIONS { natSubscriberMapNotifyThresh }
STATUS current
DESCRIPTION
"Subscriber notifications."
::= { natMIBGroups 14 }
-- --
-- Compliance statements -- Compliance statements
-- --
natMIBFullCompliance MODULE-COMPLIANCE natMIBFullCompliance MODULE-COMPLIANCE
STATUS deprecated STATUS deprecated
DESCRIPTION DESCRIPTION
"When this MIB is implemented with support for "When this MIB is implemented with support for
read-create, then such an implementation can claim read-create, then such an implementation can claim
full compliance. Such devices can then be both full compliance. Such devices can then be both
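Review bot: natGroupSubscriberNotifications lists natSubscriberMapNotifyThresh, an OBJECT-TYPE, in its NOTIFICATIONS clause; the notification defined for this purpose is natNotifSubscriberMappings, so the clause should read `NOTIFICATIONS { natNotifSubscriberMappings }`. Conversely, natSubscriberMapNotifyThresh (a read-write column of the subscriber table) is missing from the OBJECTS list of natGroupSubscriberObjects, so no compliance statement ever requires the threshold that drives the notification; add it to that group next to natSubscriberLimitMappings.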
skipping to change at page 58, line 37 skipping to change at page 59, line 27
DESCRIPTION DESCRIPTION
"NATs that have 'Receive Fragments Out of Order' behavior "NATs that have 'Receive Fragments Out of Order' behavior
[RFC4787] and implement the objects in this group can claim [RFC4787] and implement the objects in this group can claim
this level of compliance." this level of compliance."
MODULE -- this module MODULE -- this module
MANDATORY-GROUPS { natGroupBasicObjects, MANDATORY-GROUPS { natGroupBasicObjects,
natGroupBasicNotifications, natGroupBasicNotifications,
natGroupFragmentObjects } natGroupFragmentObjects }
::= { natMIBCompliances 5 } ::= { natMIBCompliances 5 }
natCGNCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"NATs that have 'Paired IP address pooling' and 'Receive
Fragments Out of Order' behavior [RFC4787] and implement the
objects in this group can claim this level of compliance.
This level of compliance is to be expected of a CGN compliant
with [I-D.ietf-behave-lsn-requiremnents]."
MODULE -- this module
MANDATORY-GROUPS { natGroupBasicObjects,
natGroupBasicNotifications,
natGroupAddrMapObjects,
natGroupAddrMapNotifications,
natGroupFragmentObjects,
natGroupSubscriberObjects,
natGroupSubscriberNotifications }
::= { natMIBCompliances 6 }
-- counters -- counters
natCounters OBJECT IDENTIFIER ::= { natMIBObjects 11 } natCounters OBJECT IDENTIFIER ::= { natMIBObjects 11 }
natCntTranslates OBJECT-TYPE natCntTranslates OBJECT-TYPE
SYNTAX Counter64 SYNTAX Counter64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of packets to which NAT has been applied." "The number of packets to which NAT has been applied."
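Review bot: the reference tag `[I-D.ietf-behave-lsn-requiremnents]` in natCGNCompliance is misspelled ("requiremnents") and must match the anchor in the Informative References or the citation will not resolve. The DESCRIPTION also says "implement the objects in this group", copied from the fragment compliance above it, but this statement mandates seven groups; "implement the objects in the mandatory groups" reads correctly.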
skipping to change at page 64, line 23 skipping to change at page 65, line 31
MAX-ACCESS read-write MAX-ACCESS read-write
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Global limit on the total number of fragments pending "Global limit on the total number of fragments pending
reassembly. Zero means unlimited. reassembly. Zero means unlimited.
This limit is only applicable to NATs having 'Receive This limit is only applicable to NATs having 'Receive
Fragments Out of Order' behavior [RFC4787]." Fragments Out of Order' behavior [RFC4787]."
::= { natLimits 5 } ::= { natLimits 5 }
natLimitSubscribers OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Global limit on the number of subscribers with active mappings.
Zero means unlimited."
::= { natLimits 6 }
-- pools -- pools
natPoolObjects OBJECT IDENTIFIER ::= { natMIBObjects 13 } natPoolObjects OBJECT IDENTIFIER ::= { natMIBObjects 13 }
natPoolTable OBJECT-TYPE natPoolTable OBJECT-TYPE
SYNTAX SEQUENCE OF NatPoolEntry SYNTAX SEQUENCE OF NatPoolEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Table of pools." "Table of pools."
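Review bot: natLimitSubscribers states "Global limit on the number of subscribers with active mappings. Zero means unlimited." but does not say what the NAT does when a new subscriber would exceed it, nor which counter records the resulting drop; the per-subscriber counters separate quota (natSubscriberCntQuota) from resource (natSubscriberCntResource) failures, but a subscriber rejected by this limit has no table row to count against. Suggest stating the expected behaviour and naming the global counter that is incremented, in the same way the preceding fragment limit qualifies its applicability.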
skipping to change at page 72, line 33 skipping to change at page 74, line 5
natMappingAddressPooling OBJECT-TYPE natMappingAddressPooling OBJECT-TYPE
SYNTAX NatPoolingType SYNTAX NatPoolingType
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Type of address pooling behavior that was used to create this "Type of address pooling behavior that was used to create this
mapping." mapping."
::= { natMappingTableEntry 13 } ::= { natMappingTableEntry 13 }
-- subscribers
natSubscribers OBJECT IDENTIFIER ::= { NatObjects 5 }
natSubscribersTable OBJECT-TYPE
SYNTAX SEQUENCE OF natSubscribersTableEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Table of CGN subscribers."
::= { natSubscribers 1 }
natSubscribersTableEntry OBJECT-TYPE
SYNTAX natSubscribersTableEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Each entry describes a single CGN subscriber."
INDEX { natSubscriberIdentifierType,
natSubscriberIdentifier }
::= { natSubscribersTable 1 }
natSubscribersTableEntry ::=
SEQUENCE {
natSubscriberIdentifierType InetAddressType,
natSubscriberIdentifier InetAddress,
natSubscriberIntPrefixType InetAddressType,
natSubscriberIntPrefix InetAddress,
natSubscriberIntPrefixLength InetAddressPrefixLength,
natSubscriberPool NatPoolIndex,
natSubscriberCntTranslates Counter64,
natSubscriberCntOOP Counter64,
natSubscriberCntResource Counter64,
natSubscriberCntStateMismatch Counter64,
natSubscriberCntQuota Counter64,
natSubscriberCntMappings Gauge32,
natSubscriberCntMapCreations Counter64,
natSubscriberCntMapRemovals Counter64,
natSubscriberLimitMappings Unsigned32,
natSubscriberMapNotifyThresh Unsigned32
}
natSubscriberIdentifierType OBJECT-TYPE
SYNTAX InetAddressType
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Address type of the subscriber identifier."
::= { natSubscribersTableEntry 1 }
natSubscriberIdentifier OBJECT-TYPE
SYNTAX InetAddress (SIZE (4|16))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Address used for uniquely identifying the subscriber.
In traditional NAT, this is the internal address assigned to
the CPE. In case an address range is assigned to a subscriber,
the first address in the range is used as identifier. For
tunnelled connectivity (e.g., DS-Lite [RFC6333]), the outer
address is used as identifier (i.e., the IPv6 address in the
case of DS-Lite)."
::= { natSubscribersTableEntry 2 }
natSubscriberIntPrefixType OBJECT-TYPE
SYNTAX InetAddressType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Subscriber's internal prefix type."
::= { natSubscribersTableEntry 3 }
natSubscriberIntPrefix OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Prefix assigned to a subscriber's CPE."
::= { natSubscribersTableEntry 4 }
natSubscriberIntPrefixLength OBJECT-TYPE
SYNTAX InetAddressPrefixLength
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Length of the prefix assigned to a subscriber's CPE, in bits.
In case a single address is assigned, this will be 32 for IPv4
and 128 for IPv6."
::= { natSubscribersTableEntry 5 }
natSubscriberPool OBJECT-TYPE
SYNTAX NatPoolIndex
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"External address pool to which this subscriber belongs."
::= { natSubscribersTableEntry 6 }
natSubscriberCntTranslates OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets received from or sent to this subscriber
and to which NAT has been applied."
::= { natSubscribersTableEntry 7 }
natSubscriberCntOOP OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets received from this subscriber to which
NAT could not be applied because no external port was
available, excluding quota limitations."
::= { natSubscribersTableEntry 8 }
natSubscriberCntResource OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets received from this subscriber to which
NAT could not be applied because of resource constraints
(excluding out-of-ports condition)."
::= { natSubscribersTableEntry 9 }
natSubscriberCntStateMismatch OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets received from or destined to this
subscriber to which NAT could not be applied because of mapping
state mismatch. For example, a TCP packet that matches an
existing mapping but is dropped because its flags are
incompatible with the current state of the mapping would cause
this counter to be incremented."
::= { natSubscribersTableEntry 10 }
natSubscriberCntQuota OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets received from or destined to this
subscriber to which NAT could not be applied because of quota
limitations. Quotas include absolute limits as well as limits
on the rate of allocation."
::= { natSubscribersTableEntry 11 }
natSubscriberCntMappings OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of currently active mappings created by or for this
subscriber.
Equal to natSubscriberCntMapRemovals -
natSubscriberCntMapCreations."
::= { natSubscribersTableEntry 12 }
natSubscriberCntMapCreations OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of mappings created by or for this subscriber."
::= { natSubscribersTableEntry 13 }
natSubscriberCntMapRemovals OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of mappings removed by or for this subscriber."
::= { natSubscribersTableEntry 14 }
natSubscriberLimitMappings OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Limit on the number of active mappings created by or for this
subscriber. Zero means unlimited."
::= { natSubscribersTableEntry 15 }
natSubscriberMapNotifyThresh OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"See NatNotifSubscriberMappings."
::= { natSubscribersTableEntry 16 }
END END
5. Security Considerations 5. Security Considerations
Unauthorized access to the write-able objects could cause a denial of Unauthorized access to the write-able objects could cause a denial of
service and/or widespread network disturbance. Hence, the support service and/or widespread network disturbance. Hence, the support
for SET operations in a non-secure environment without proper for SET operations in a non-secure environment without proper
protection can have a negative effect on network operations. protection can have a negative effect on network operations.
At this writing, no security holes have been identified beyond those At this writing, no security holes have been identified beyond those
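Review bot: natSubscriberCntMappings is documented as "Equal to natSubscriberCntMapRemovals - natSubscriberCntMapCreations.", which is inverted (removals can never exceed creations, so the gauge as described would always be zero or negative); it should read "natSubscriberCntMapCreations - natSubscriberCntMapRemovals". Several identifiers in this block also violate SMIv2 naming and will not compile: `natSubscribers OBJECT IDENTIFIER ::= { NatObjects 5 }` should hang off natMIBObjects as natCounters and natPoolObjects do (and arc 5 needs checking against the existing natMIBObjects assignments), and the row type is written `natSubscribersTableEntry` in the SEQUENCE OF clause, the entry SYNTAX and the SEQUENCE definition, where a type reference must be capitalised (`NatSubscribersTableEntry`). natSubscriberMapNotifyThresh's DESCRIPTION "See NatNotifSubscriberMappings." mis-cases the notification name and should state the semantics itself (threshold on natSubscriberCntMappings above which the notification fires; zero disables it). Finally, the Security Considerations should call out the new read-write objects natLimitSubscribers, natSubscriberLimitMappings and natSubscriberMapNotifyThresh alongside the existing write-able objects: setting the first two to a small non-zero value denies service to subscribers, and the threshold can be used to suppress or flood notifications.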
 End of changes. 13 change blocks. 
12 lines changed or deleted 277 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/