draft-ietf-behave-nat-mib-05.txt   draft-ietf-behave-nat-mib-06.txt 
Network Working Group S. Perreault Network Working Group S. Perreault
Internet-Draft Viagenie Internet-Draft Viagenie
Obsoletes: 4008 (if approved) T. Tsou Obsoletes: 4008 (if approved) T. Tsou
Intended status: Standards Track Huawei Technologies (USA) Intended status: Standards Track Huawei Technologies (USA)
Expires: August 26, 2013 S. Sivakumar Expires: November 02, 2013 S. Sivakumar
Cisco Systems Cisco Systems
February 22, 2013 May 01, 2013
Additional Managed Objects for Network Address Translators (NAT) Additional Managed Objects for Network Address Translators (NAT)
draft-ietf-behave-nat-mib-05 draft-ietf-behave-nat-mib-06
Abstract Abstract
This memo defines a portion of the Management Information Base (MIB) This memo defines a portion of the Management Information Base (MIB)
for devices implementing Network Address Translator (NAT) function. for devices implementing Network Address Translator (NAT) function.
This MIB module may be used for monitoring of a device capable of NAT This MIB module may be used for monitoring of a device capable of NAT
function. function.
Status of This Memo Status of This Memo
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 26, 2013. This Internet-Draft will expire on November 02, 2013.
Copyright Notice Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 17 skipping to change at page 2, line 17
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. The Internet-Standard Management Framework . . . . . . . . . 2 2. The Internet-Standard Management Framework . . . . . . . . . 2
3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3.1. Deprecated Features . . . . . . . . . . . . . . . . . . . 3 3.1. Deprecated Features . . . . . . . . . . . . . . . . . . . 3
3.2. New Features . . . . . . . . . . . . . . . . . . . . . . 4 3.2. New Features . . . . . . . . . . . . . . . . . . . . . . 4
3.3. Realms . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.3. Realms . . . . . . . . . . . . . . . . . . . . . . . . . 4
4. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 5 4. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 5
5. Security Considerations . . . . . . . . . . . . . . . . . . . 78 5. Security Considerations . . . . . . . . . . . . . . . . . . . 78
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 79 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 80
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 79 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 80
7.1. Normative References . . . . . . . . . . . . . . . . . . 79 7.1. Normative References . . . . . . . . . . . . . . . . . . 80
7.2. Informative References . . . . . . . . . . . . . . . . . 80 7.2. Informative References . . . . . . . . . . . . . . . . . 81
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 80 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 82
1. Introduction 1. Introduction
This memo defines a portion of the Management Information Base (MIB) This memo defines a portion of the Management Information Base (MIB)
for devices implementing NAT function. This MIB module may be used for devices implementing NAT function. This MIB module may be used
for monitoring of a device capable of NAT function. Using it for for monitoring of a device capable of NAT function. Using it for
configuration is deprecated. NAT types and their characteristics are configuration is deprecated. NAT types and their characteristics are
defined in [RFC2663]. Traditional NAT function, in particular is defined in [RFC2663]. Traditional NAT function, in particular is
defined in [RFC3022]. This MIB does not address the firewall defined in [RFC3022]. This MIB does not address the firewall
functions and must not be used for configuring or monitoring these. functions and must not be used for configuring or monitoring these.
Section 2 provides references to the SNMP management framework, which Section 2 provides references to the SNMP management framework, which
was used as the basis for the MIB module definition. Section 3 was used as the basis for the MIB module definition. Section 3
provides an overview of the MIB features. Lastly, Section 4 has the provides an overview of the MIB features. Lastly, Section 4 has the
complete NAT MIB definition. complete NAT MIB definition.
2. The Internet-Standard Management Framework 2. The Internet-Standard Management Framework
For a detailed overview of the documents that describe the current For a detailed overview of the documents that describe the current
Internet-Standard Management Framework, please refer to section 7 of Internet-Standard Management Framework, please refer to section 7 of
[RFC3410]. RFC 3410 [RFC3410].
Managed objects are accessed via a virtual information store, termed Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. MIB objects are generally the Management Information Base or MIB. MIB objects are generally
accessed through the Simple Network Management Protocol (SNMP). accessed through the Simple Network Management Protocol (SNMP).
Objects in the MIB are defined using the mechanisms defined in the Objects in the MIB are defined using the mechanisms defined in the
Structure of Management Information (SMI). This memo specifies a MIB Structure of Management Information (SMI). This memo specifies a MIB
module that is compliant to the SMIv2, which is described in module that is compliant to the SMIv2, which is described in STD 58,
[RFC2578], [RFC2579] and [RFC2580]. RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
[RFC2580].
3. Overview 3. Overview
3.1. Deprecated Features 3.1. Deprecated Features
All objects defined in [RFC4008] have been marked with "STATUS All objects defined in [RFC4008] have been marked with "STATUS
deprecated" for the following reasons: deprecated" for the following reasons:
Writability: Experience with NAT has shown that implementations vary Writability: Experience with NAT has shown that implementations vary
tremendously. The NAT algorithms and data structures have little tremendously. The NAT algorithms and data structures have little
skipping to change at page 5, line 52 skipping to change at page 5, line 52
NOTIFICATION-GROUP, NOTIFICATION-GROUP,
OBJECT-GROUP OBJECT-GROUP
FROM SNMPv2-CONF FROM SNMPv2-CONF
ifIndex, ifIndex,
ifCounterDiscontinuityGroup ifCounterDiscontinuityGroup
FROM IF-MIB FROM IF-MIB
SnmpAdminString SnmpAdminString
FROM SNMP-FRAMEWORK-MIB FROM SNMP-FRAMEWORK-MIB
InetAddressType, InetAddressType,
InetAddress, InetAddress,
InetAddressPrefixLength,
InetPortNumber InetPortNumber
FROM INET-ADDRESS-MIB; FROM INET-ADDRESS-MIB;
natMIB MODULE-IDENTITY natMIB MODULE-IDENTITY
LAST-UPDATED "200001010000Z" LAST-UPDATED "201304260000Z"
ORGANIZATION "TBD" -- RFC Ed.: set to publication date
CONTACT-INFO "TBD" ORGANIZATION
"IETF Behavior Engineering for Hindrance Avoidance
(BEHAVE) Working Group"
CONTACT-INFO
"Working Group Email: behave@ietf.org
Simon Perreault
Viagenie
246 Aberdeen
Quebec, QC G1R 2E1
Canada
Phone: +1 418 656 9254
Email: simon.perreault@viagenie.ca
URI: http://viagenie.ca
Tina Tsou
Huawei Technologies (USA)
2330 Central Expressway
Santa Clara, CA 95050
USA
Phone: +1 408 330 4424
Email: tina.tsou.zouting@huawei.com
Senthil Sivakumar
Cisco Systems
7100-8 Kit Creek Road
Research Triangle Park, North Carolina 27709
USA
Phone: +1 919 392 5158
Email: ssenthil@cisco.com"
DESCRIPTION DESCRIPTION
"This MIB module defines the generic managed objects "This MIB module defines the generic managed objects
for NAT." for NAT.
Copyright (C) The Internet Society (2013). This
version of this MIB module is part of RFC yyyy; see
the RFC itself for full legal notices."
-- RFC Ed.: replace yyyy with actual RFC number & remove this note"
REVISION "201304260000Z"
-- RFC Ed.: set to publication date
DESCRIPTION
"Complete rewrite, published as RFC yyyy."
-- RFC Ed.: replace yyyy with actual RFC number & set date"
REVISION "200503210000Z" -- 21th March 2005 REVISION "200503210000Z" -- 21th March 2005
DESCRIPTION DESCRIPTION
"Initial version, published as RFC 4008." "Initial version, published as RFC 4008."
REVISION "200001010000Z"
DESCRIPTION
"Dummy version. RFC Editor must replace this."
::= { mib-2 123 } ::= { mib-2 123 }
natMIBObjects OBJECT IDENTIFIER ::= { natMIB 1 } natMIBObjects OBJECT IDENTIFIER ::= { natMIB 1 }
NatProtocolType ::= TEXTUAL-CONVENTION NatProtocolType ::= TEXTUAL-CONVENTION
STATUS deprecated STATUS deprecated
DESCRIPTION DESCRIPTION
"A list of protocols that support the network "A list of protocols that support the network
address translation. Inclusion of the values is address translation. Inclusion of the values is
not intended to imply that those protocols not intended to imply that those protocols
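Review bot: the copyright text added to the module DESCRIPTION ("Copyright (C) The Internet Society (2013)") contradicts the document's own Copyright Notice, which names the IETF Trust and the document authors; the MIB boilerplate should use the same IETF Trust form so the two notices agree. The trailing `"` characters at the end of the two "RFC Ed.:" comment lines (after the DESCRIPTION and after the "Complete rewrite" REVISION) sit inside comments and so do not break parsing, but they read as unbalanced string quotes and should be dropped. Minor: the RFC 4008 REVISION comment "21th March 2005" should read "21st March 2005".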
skipping to change at page 24, line 4 skipping to change at page 24, line 43
natAddrBindGlobalAddr InetAddress, natAddrBindGlobalAddr InetAddress,
natAddrBindId NatBindId, natAddrBindId NatBindId,
natAddrBindTranslationEntity NatTranslationEntity, natAddrBindTranslationEntity NatTranslationEntity,
natAddrBindType NatAssociationType, natAddrBindType NatAssociationType,
natAddrBindMapIndex NatAddrMapId, natAddrBindMapIndex NatAddrMapId,
natAddrBindSessions Gauge32, natAddrBindSessions Gauge32,
natAddrBindMaxIdleTime TimeTicks, natAddrBindMaxIdleTime TimeTicks,
natAddrBindCurrentIdleTime TimeTicks, natAddrBindCurrentIdleTime TimeTicks,
natAddrBindInTranslates Counter64, natAddrBindInTranslates Counter64,
natAddrBindOutTranslates Counter64 natAddrBindOutTranslates Counter64
} }
natAddrBindLocalAddrType OBJECT-TYPE natAddrBindLocalAddrType OBJECT-TYPE
SYNTAX InetAddressType SYNTAX InetAddressType
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS deprecated STATUS deprecated
DESCRIPTION DESCRIPTION
"This object specifies the address type used for "This object specifies the address type used for
natAddrBindLocalAddr." natAddrBindLocalAddr."
::= { natAddrBindEntry 1 } ::= { natAddrBindEntry 1 }
natAddrBindLocalAddr OBJECT-TYPE natAddrBindLocalAddr OBJECT-TYPE
SYNTAX InetAddress SYNTAX InetAddress (SIZE (4|16))
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS deprecated STATUS deprecated
DESCRIPTION DESCRIPTION
"This object represents the private-realm specific "This object represents the private-realm specific
network layer address, which maps to the public-realm network layer address, which maps to the public-realm
address represented by natAddrBindGlobalAddr. address represented by natAddrBindGlobalAddr.
The type of this address is determined by the value of The type of this address is determined by the value of
the natAddrBindLocalAddrType object." the natAddrBindLocalAddrType object."
::= { natAddrBindEntry 2 } ::= { natAddrBindEntry 2 }
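Review bot: tightening the SYNTAX of the deprecated natAddrBindLocalAddr from InetAddress to InetAddress (SIZE (4|16)) narrows an object that RFC 4008 published without the constraint: it excludes the other InetAddress forms that natAddrBindLocalAddrType can announce (the zone-indexed and DNS forms defined in RFC 4001, which this module imports), so an agent that already exposes such a value becomes non-conforming through a revision whose stated purpose is only deprecation. The module already uses the right mechanism for this kind of restriction in the deprecated compliance statement, where natSessionPublicDstAddr is refined under an OBJECT clause with `SYNTAX InetAddress (SIZE(4|16))`; apply the same refinement there and leave the object's published SYNTAX unchanged. The identical change to natAddrPortBindLocalAddr in the following hunk has the same problem.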
skipping to change at page 28, line 50 skipping to change at page 29, line 41
natAddrPortBindLocalAddrType OBJECT-TYPE natAddrPortBindLocalAddrType OBJECT-TYPE
SYNTAX InetAddressType SYNTAX InetAddressType
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS deprecated STATUS deprecated
DESCRIPTION DESCRIPTION
"This object specifies the address type used for "This object specifies the address type used for
natAddrPortBindLocalAddr." natAddrPortBindLocalAddr."
::= { natAddrPortBindEntry 1 } ::= { natAddrPortBindEntry 1 }
natAddrPortBindLocalAddr OBJECT-TYPE natAddrPortBindLocalAddr OBJECT-TYPE
SYNTAX InetAddress SYNTAX InetAddress (SIZE (4|16))
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS deprecated STATUS deprecated
DESCRIPTION DESCRIPTION
"This object represents the private-realm specific "This object represents the private-realm specific
network layer address which, in conjunction with network layer address which, in conjunction with
natAddrPortBindLocalPort, maps to the public-realm natAddrPortBindLocalPort, maps to the public-realm
network layer address and transport id represented by network layer address and transport id represented by
natAddrPortBindGlobalAddr and natAddrPortBindGlobalPort natAddrPortBindGlobalAddr and natAddrPortBindGlobalPort
respectively. respectively.
skipping to change at page 54, line 23 skipping to change at page 55, line 14
OBJECT natSessionPublicDstAddr OBJECT natSessionPublicDstAddr
SYNTAX InetAddress (SIZE(4|16)) SYNTAX InetAddress (SIZE(4|16))
DESCRIPTION DESCRIPTION
"An implementation is required to support global IPv4 "An implementation is required to support global IPv4
and/or IPv6 addresses, depending on its support for and/or IPv6 addresses, depending on its support for
IPv4 and IPv6." IPv4 and IPv6."
::= { natMIBCompliances 2 } ::= { natMIBCompliances 2 }
--------------------------------------------------------------------- --===================================================================
-- END OF DEPRECATED OBJECTS. CURRENT OBJECTS FOLLOW. -- END OF DEPRECATED OBJECTS. CURRENT OBJECTS FOLLOW.
-- textual conventions -- textual conventions
ProtocolNumber ::= TEXTUAL-CONVENTION ProtocolNumber ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d" DISPLAY-HINT "d"
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A transport protocol number, from the 'protocol-numbers' "A transport protocol number, from the 'protocol-numbers'
IANA registry." IANA registry."
skipping to change at page 56, line 14 skipping to change at page 57, line 4
exceeds the value of natAddrMapNotifyThreshold." exceeds the value of natAddrMapNotifyThreshold."
::= { natMIBNotifications 5 } ::= { natMIBNotifications 5 }
natNotifSubscriberMappings NOTIFICATION-TYPE natNotifSubscriberMappings NOTIFICATION-TYPE
OBJECTS { natSubscriberCntMappings } OBJECTS { natSubscriberCntMappings }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This notification is generated when natSubscriberCntMappings "This notification is generated when natSubscriberCntMappings
exceeds the value of natSubscriberMapNotifyThresh, unless exceeds the value of natSubscriberMapNotifyThresh, unless
natSubscriberMapNotifyThresh is zero.." natSubscriberMapNotifyThresh is zero.."
::= { NatNotifications 6 }
::= { natMIBNotifications 6 }
-- counters -- counters
natCounters OBJECT IDENTIFIER ::= { natMIBObjects 11 } natCounters OBJECT IDENTIFIER ::= { natMIBObjects 11 }
natCntTranslates OBJECT-TYPE natCntTranslates OBJECT-TYPE
SYNTAX Counter64 SYNTAX Counter64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
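Review bot: the OID correction to `::= { natMIBNotifications 6 }` is right, but the DESCRIPTION of natNotifSubscriberMappings should also say when the notification is emitted: "generated when natSubscriberCntMappings exceeds the value of natSubscriberMapNotifyThresh" can be read as once per mapping creation for as long as the gauge stays above the threshold, which is exactly the notification flood that the Security Considerations in this same revision warn about for a low threshold. State that it is generated once when the gauge crosses the threshold and is not repeated until the gauge has dropped back below it, or that agents are expected to rate-limit it. Minor: "zero.." ends with a doubled period.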
skipping to change at page 70, line 27 skipping to change at page 71, line 18
SYNTAX NatPoolingType SYNTAX NatPoolingType
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Type of address pooling behavior that was used to create "Type of address pooling behavior that was used to create
this mapping." this mapping."
::= { natMappingTableEntry 13 } ::= { natMappingTableEntry 13 }
-- subscribers -- subscribers
natSubscribers OBJECT IDENTIFIER ::= { NatObjects 5 } natSubscribers OBJECT IDENTIFIER ::= { natMIBObjects 15 }
natSubscribersTable OBJECT-TYPE natSubscribersTable OBJECT-TYPE
SYNTAX SEQUENCE OF natSubscribersTableEntry SYNTAX SEQUENCE OF NatSubscribersTableEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Table of CGN subscribers." "Table of CGN subscribers."
::= { natSubscribers 1 } ::= { natSubscribers 1 }
natSubscribersTableEntry OBJECT-TYPE natSubscribersTableEntry OBJECT-TYPE
SYNTAX natSubscribersTableEntry SYNTAX NatSubscribersTableEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Each entry describes a single CGN subscriber." "Each entry describes a single CGN subscriber."
INDEX { natSubscriberIdentifierType, INDEX { natSubscriberIdentifierType,
natSubscriberIdentifier } natSubscriberIdentifier }
::= { natSubscribersTable 1 } ::= { natSubscribersTable 1 }
natSubscribersTableEntry ::= NatSubscribersTableEntry ::=
SEQUENCE { SEQUENCE {
natSubscriberIdentifierType InetAddressType, natSubscriberIdentifierType InetAddressType,
natSubscriberIdentifier InetAddress, natSubscriberIdentifier InetAddress,
natSubscriberIntPrefixType InetAddressType, natSubscriberIntPrefixType InetAddressType,
natSubscriberIntPrefix InetAddress, natSubscriberIntPrefix InetAddress,
natSubscriberIntPrefixLength InetAddressPrefixLength, natSubscriberIntPrefixLength InetAddressPrefixLength,
natSubscriberPool NatPoolIndex, natSubscriberPool NatPoolId,
natSubscriberCntTranslates Counter64, natSubscriberCntTranslates Counter64,
natSubscriberCntOOP Counter64, natSubscriberCntOOP Counter64,
natSubscriberCntResource Counter64, natSubscriberCntResource Counter64,
natSubscriberCntStateMismatch Counter64, natSubscriberCntStateMismatch Counter64,
natSubscriberCntQuota Counter64, natSubscriberCntQuota Counter64,
natSubscriberCntMappings Gauge32, natSubscriberCntMappings Gauge32,
natSubscriberCntMapCreations Counter64, natSubscriberCntMapCreations Counter64,
natSubscriberCntMapRemovals Counter64, natSubscriberCntMapRemovals Counter64,
natSubscriberLimitMappings Unsigned32, natSubscriberLimitMappings Unsigned32,
natSubscriberMapNotifyThresh Unsigned32 natSubscriberMapNotifyThresh Unsigned32
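Review bot: natSubscriberIdentifier (InetAddress) is an INDEX component of natSubscribersTableEntry, yet neither the SEQUENCE nor the entry DESCRIPTION in this hunk bounds its length; RFC 4001 requires an InetAddress used as an index either to carry a SIZE clause or to have the applicable length constraint stated in the conceptual row DESCRIPTION, because of the 128-sub-identifier limit on OIDs. If the natSubscriberIdentifier OBJECT-TYPE (not shown here) does not already do this, give it `SYNTAX InetAddress (SIZE (4|16))`, matching the convention used elsewhere in the module. The OID correction to `{ natMIBObjects 15 }` and the NatSubscribersTableEntry / NatPoolId renames look correct.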
skipping to change at page 72, line 21 skipping to change at page 73, line 11
SYNTAX InetAddressPrefixLength SYNTAX InetAddressPrefixLength
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Length of the prefix assigned to a subscriber's CPE, in "Length of the prefix assigned to a subscriber's CPE, in
bits. In case a single address is assigned, this will be 32 bits. In case a single address is assigned, this will be 32
for IPv4 and 128 for IPv6." for IPv4 and 128 for IPv6."
::= { natSubscribersTableEntry 5 } ::= { natSubscribersTableEntry 5 }
natSubscriberPool OBJECT-TYPE natSubscriberPool OBJECT-TYPE
SYNTAX NatPoolIndex SYNTAX NatPoolId
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"External address pool to which this subscriber belongs." "External address pool to which this subscriber belongs."
::= { natSubscribersTableEntry 6 } ::= { natSubscribersTableEntry 6 }
natSubscriberCntTranslates OBJECT-TYPE natSubscriberCntTranslates OBJECT-TYPE
SYNTAX Counter64 SYNTAX Counter64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
skipping to change at page 74, line 27 skipping to change at page 75, line 17
DESCRIPTION DESCRIPTION
"Limit on the number of active mappings created by or for "Limit on the number of active mappings created by or for
this subscriber. Zero means unlimited." this subscriber. Zero means unlimited."
::= { natSubscribersTableEntry 15 } ::= { natSubscribersTableEntry 15 }
natSubscriberMapNotifyThresh OBJECT-TYPE natSubscriberMapNotifyThresh OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
MAX-ACCESS read-write MAX-ACCESS read-write
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"See NatNotifSubscriberMappings." "See natNotifSubscriberMappings."
::= { natSubscribersTableEntry 16 } ::= { natSubscribersTableEntry 16 }
-- object groups -- object groups
natGroupBasicObjects OBJECT-GROUP natGroupBasicObjects OBJECT-GROUP
OBJECTS { natCntTranslates, OBJECTS { natCntTranslates,
natCntOOP, natCntOOP,
natCntResource, natCntResource,
natCntStateMismatch, natCntStateMismatch,
natCntQuota, natCntQuota,
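Review bot: the DESCRIPTION of natSubscriberMapNotifyThresh ("See natNotifSubscriberMappings.") is too thin for a read-write object: it should state the semantics directly, including that zero disables the notification as the notification's own DESCRIPTION says, and whether a value written via SET persists across agent restarts, which MIB review guidelines require for every writable object. natSubscriberLimitMappings has the same gap and should additionally say what happens to existing mappings when the limit is lowered below the current natSubscriberCntMappings value (whether they are torn down or only creation of new ones is refused), since the Security Considerations in this revision single out these limits as a denial-of-service lever.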
skipping to change at page 76, line 31 skipping to change at page 77, line 21
natSubscriberPool, natSubscriberPool,
natSubscriberCntTranslates, natSubscriberCntTranslates,
natSubscriberCntOOP, natSubscriberCntOOP,
natSubscriberCntResource, natSubscriberCntResource,
natSubscriberCntStateMismatch, natSubscriberCntStateMismatch,
natSubscriberCntQuota, natSubscriberCntQuota,
natSubscriberCntMappings, natSubscriberCntMappings,
natSubscriberCntMapCreations, natSubscriberCntMapCreations,
natSubscriberCntMapRemovals, natSubscriberCntMapRemovals,
natSubscriberLimitMappings, natSubscriberLimitMappings,
natLimitSubscribers } natLimitSubscribers,
natSubscriberMapNotifyThresh }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Per-subscriber counters, limits, and thresholds." "Per-subscriber counters, limits, and thresholds."
::= { natMIBGroups 13 } ::= { natMIBGroups 13 }
natGroupSubscriberNotifications NOTIFICATION-GROUP natGroupSubscriberNotifications NOTIFICATION-GROUP
NOTIFICATIONS { natSubscriberMapNotifyThresh } NOTIFICATIONS { natNotifSubscriberMappings }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Subscriber notifications." "Subscriber notifications."
::= { natMIBGroups 14 } ::= { natMIBGroups 14 }
-- compliance statements -- compliance statements
natBasicCompliance MODULE-COMPLIANCE natBasicCompliance MODULE-COMPLIANCE
STATUS current STATUS current
DESCRIPTION DESCRIPTION
skipping to change at page 78, line 9 skipping to change at page 78, line 49
natGroupAddrMapNotifications, natGroupAddrMapNotifications,
natGroupFragmentObjects, natGroupFragmentObjects,
natGroupSubscriberObjects, natGroupSubscriberObjects,
natGroupSubscriberNotifications } natGroupSubscriberNotifications }
::= { natMIBCompliances 6 } ::= { natMIBCompliances 6 }
END END
5. Security Considerations 5. Security Considerations
Unauthorized access to the write-able objects could cause a denial of There are a number of management objects defined in this MIB module
service and/or widespread network disturbance. Hence, the support with a MAX-ACCESS clause of read-write and/or read-create. Such
for SET operations in a non-secure environment without proper objects may be considered sensitive or vulnerable in some network
protection can have a negative effect on network operations. environments. The support for SET operations in a non-secure
environment without proper protection can have a negative effect on
network operations. These are the tables and objects and their
sensitivity/vulnerability:
At this writing, no security holes have been identified beyond those Limits: An attacker setting a very low or very high limit can easily
that SNMP Security is itself intended to address. These relate cause a denial-of-service situation.
primarily to controlled access to sensitive information and the
ability to configure a device - or which might result from operator * natLimitMappings
error, which is beyond the scope of any security architecture.
* natLimitAddressMappings
* natLimitFragments
* natLimitSubscribers
* natSubscriberLimitMappings
Notification thresholds: An attacker setting an arbitrarily low
treshold can cause many useless notifications to be generated.
Setting an arbitrarily high threshold can effectively disable
notifications, which could be used to hide another attack.
* natMappingsNotifyThreshold
* natAddrMapNotifyThreshold
* natSubscriberMapNotifyThresh
Some of the readable objects in this MIB module (i.e., objects with a
MAX-ACCESS other than not-accessible) may be considered sensitive or
vulnerable in some network environments. It is thus important to
control even GET and/or NOTIFY access to these objects and possibly
to even encrypt the values of these objects when sending them over
the network via SNMP.
There are a number of managed objects in this MIB that may contain There are a number of managed objects in this MIB that may contain
information that may be sensitive from a business perspective, in information that may be sensitive from a business perspective, in
that they may represent NAT state information. Various objects can that they may represent NAT state information. Various objects can
reveal the identity of private hosts that are engaged in a session reveal the identity of private hosts that are engaged in a session
with external end nodes. A curious outsider could monitor these to with external end nodes. A curious outsider could monitor these to
assess the number of private hosts being supported by the NAT device. assess the number of private hosts being supported by the NAT device.
Further, a disgruntled former employee of an enterprise could use the Further, a disgruntled former employee of an enterprise could use the
information to break into specific private hosts by intercepting the information to break into specific private hosts by intercepting the
existing sessions or originating new sessions into the host. There existing sessions or originating new sessions into the host. There
are no objects that are sensitive in their own right, such as are no objects that are sensitive in their own right, such as
passwords or monetary amounts. It may even be important to control passwords or monetary amounts. It may even be important to control
GET access to these objects and possibly to encrypt the values of GET access to these objects and possibly to encrypt the values of
these objects when they are sent over the network via SNMP. Not all these objects when they are sent over the network via SNMP. Not all
versions of SNMP provide features for such a secure environment. versions of SNMP provide features for such a secure environment.
SNMP versions prior to SNMPv3 did not include adequate security. SNMP versions prior to SNMPv3 did not include adequate security.
Even if the network itself is secure (for example by using IPSec), Even if the network itself is secure (for example by using IPsec),
even then, there is no control as to who on the secure network is there is no control as to who on the secure network is allowed to
allowed to access and GET/SET (read/change/create/delete) the objects access and GET/SET (read/change/create/delete) the objects in this
in this MIB. MIB module.
It is recommended that the implementers consider the security Implementations SHOULD provide the security features described by the
features as provided by the SNMPv3 framework (see [RFC3410], section SNMPv3 framework (see [RFC3410]), and implementations claiming
8), including full support for the SNMPv3 cryptographic mechanisms compliance to the SNMPv3 standard MUST include full support for
(for authentication and privacy). authentication and privacy via the User-based Security Model (USM)
[RFC3414] with the AES cipher algorithm [RFC3826]. Implementations
MAY also provide support for the Transport Security Model (TSM)
[RFC5591] in combination with a secure transport such as SSH
[RFC5592] or TLS/DTLS [RFC6353].
Further, deployment of SNMP versions prior to SNMPv3 is NOT Further, deployment of SNMP versions prior to SNMPv3 is NOT
RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
enable cryptographic security. It is then a customer/operator enable cryptographic security. It is then a customer/operator
responsibility to ensure that the SNMP entity giving access to an responsibility to ensure that the SNMP entity giving access to an
instance of this MIB module is properly configured to give access to instance of this MIB module is properly configured to give access to
the objects only to those principals (users) that have legitimate the objects only to those principals (users) that have legitimate
rights to indeed GET or SET (change/create/delete) them. rights to indeed GET or SET (change/create/delete) them.
6. IANA Considerations 6. IANA Considerations
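Review bot: the new readable-objects paragraph ("Some of the readable objects in this MIB module ... may be considered sensitive") is the generic template text and names no tables, even though the paragraph that follows explains that the state information can reveal private hosts; name the sensitive tables explicitly (at least the mapping table under natMappingTableEntry and natSubscribersTable, whose natSubscriberIdentifier, natSubscriberIntPrefix and per-subscriber counters tie an internal prefix to its traffic) so that operators know which objects to restrict GET and NOTIFY access to. Typo: "treshold" under "Notification thresholds". The new USM/TSM text cites [RFC3414], [RFC3826], [RFC5591], [RFC5592] and [RFC6353], and this revision adds all five to the normative references, so that part is consistent.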
skipping to change at page 79, line 43 skipping to change at page 81, line 13
April 1999. April 1999.
[RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address [RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address
Translator (NAT) Terminology and Considerations", RFC Translator (NAT) Terminology and Considerations", RFC
2663, August 1999. 2663, August 1999.
[RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network [RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network
Address Translator (Traditional NAT)", RFC 3022, January Address Translator (Traditional NAT)", RFC 3022, January
2001. 2001.
[RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model
(USM) for version 3 of the Simple Network Management
Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.
[RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie, "The
Advanced Encryption Standard (AES) Cipher Algorithm in the
SNMP User-based Security Model", RFC 3826, June 2004.
[RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
Schoenwaelder, "Textual Conventions for Internet Network Schoenwaelder, "Textual Conventions for Internet Network
Addresses", RFC 4001, February 2005. Addresses", RFC 4001, February 2005.
[RFC4750] Joyal, D., Galecki, P., Giacalone, S., Coltun, R., and F. [RFC4750] Joyal, D., Galecki, P., Giacalone, S., Coltun, R., and F.
Baker, "OSPF Version 2 Management Information Base", RFC Baker, "OSPF Version 2 Management Information Base", RFC
4750, December 2006. 4750, December 2006.
[RFC4787] Audet, F. and C. Jennings, "Network Address Translation [RFC4787] Audet, F. and C. Jennings, "Network Address Translation
(NAT) Behavioral Requirements for Unicast UDP", BCP 127, (NAT) Behavioral Requirements for Unicast UDP", BCP 127,
RFC 4787, January 2007. RFC 4787, January 2007.
[RFC5591] Harrington, D. and W. Hardaker, "Transport Security Model
for the Simple Network Management Protocol (SNMP)", RFC
5591, June 2009.
[RFC5592] Harrington, D., Salowey, J., and W. Hardaker, "Secure
Shell Transport Model for the Simple Network Management
Protocol (SNMP)", RFC 5592, June 2009.
[RFC6353] Hardaker, W., "Transport Layer Security (TLS) Transport
Model for the Simple Network Management Protocol (SNMP)",
RFC 6353, July 2011.
7.2. Informative References 7.2. Informative References
[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
"Introduction and Applicability Statements for Internet- "Introduction and Applicability Statements for Internet-
Standard Management Framework", RFC 3410, December 2002. Standard Management Framework", RFC 3410, December 2002.
[RFC4008] Rohit, R., Srisuresh, P., Raghunarayan, R., Pai, N., and [RFC4008] Rohit, R., Srisuresh, P., Raghunarayan, R., Pai, N., and
C. Wang, "Definitions of Managed Objects for Network C. Wang, "Definitions of Managed Objects for Network
Address Translators (NAT)", RFC 4008, March 2005. Address Translators (NAT)", RFC 4008, March 2005.
 End of changes. 33 change blocks. 
52 lines changed or deleted 146 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/