--- 1/draft-ietf-behave-nat-mib-05.txt 2013-05-02 07:40:15.548107461 +0100 +++ 2/draft-ietf-behave-nat-mib-06.txt 2013-05-02 07:40:17.892163917 +0100 @@ -1,21 +1,21 @@ Network Working Group S. Perreault Internet-Draft Viagenie Obsoletes: 4008 (if approved) T. Tsou Intended status: Standards Track Huawei Technologies (USA) -Expires: August 26, 2013 S. Sivakumar +Expires: November 02, 2013 S. Sivakumar Cisco Systems - February 22, 2013 + May 01, 2013 Additional Managed Objects for Network Address Translators (NAT) - draft-ietf-behave-nat-mib-05 + draft-ietf-behave-nat-mib-06 Abstract This memo defines a portion of the Management Information Base (MIB) for devices implementing Network Address Translator (NAT) function. This MIB module may be used for monitoring of a device capable of NAT function. Status of This Memo @@ -25,21 +25,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on August 26, 2013. + This Internet-Draft will expire on November 02, 2013. Copyright Notice Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -52,54 +52,54 @@ Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. The Internet-Standard Management Framework . . . . . . . . . 2 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.1. Deprecated Features . . . . . . . . . . . . . . . . . . . 3 3.2. New Features . . . . . . . . . . . . . . . . . . . . . . 4 3.3. Realms . . . . . . . . . . . . . . . . . . . . . . . . . 4 4. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 5 5. Security Considerations . . . . . . . . . . . . . . . . . . . 78 - 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 79 - 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 79 - 7.1. Normative References . . . . . . . . . . . . . . . . . . 79 - 7.2. Informative References . . . . . . . . . . . . . . . . . 80 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 80 + 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 80 + 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 80 + 7.1. Normative References . . . . . . . . . . . . . . . . . . 80 + 7.2. Informative References . . . . . . . . . . . . . . . . . 81 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 82 1. Introduction This memo defines a portion of the Management Information Base (MIB) for devices implementing NAT function. This MIB module may be used for monitoring of a device capable of NAT function. Using it for configuration is deprecated. NAT types and their characteristics are defined in [RFC2663]. Traditional NAT function, in particular is defined in [RFC3022]. This MIB does not address the firewall functions and must not be used for configuring or monitoring these. Section 2 provides references to the SNMP management framework, which was used as the basis for the MIB module definition. Section 3 provides an overview of the MIB features. Lastly, Section 4 has the complete NAT MIB definition. 2. 
The Internet-Standard Management Framework For a detailed overview of the documents that describe the current Internet-Standard Management Framework, please refer to section 7 of - [RFC3410]. + RFC 3410 [RFC3410]. Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. MIB objects are generally accessed through the Simple Network Management Protocol (SNMP). - Objects in the MIB are defined using the mechanisms defined in the Structure of Management Information (SMI). This memo specifies a MIB - module that is compliant to the SMIv2, which is described in - [RFC2578], [RFC2579] and [RFC2580]. + module that is compliant to the SMIv2, which is described in STD 58, + RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 + [RFC2580]. 3. Overview 3.1. Deprecated Features All objects defined in [RFC4008] have been marked with "STATUS deprecated" for the following reasons: Writability: Experience with NAT has shown that implementations vary tremendously. The NAT algorithms and data structures have little 
@@ -230,36 +230,77 @@ NOTIFICATION-GROUP, OBJECT-GROUP FROM SNMPv2-CONF ifIndex, ifCounterDiscontinuityGroup FROM IF-MIB SnmpAdminString FROM SNMP-FRAMEWORK-MIB InetAddressType, InetAddress, + InetAddressPrefixLength, InetPortNumber FROM INET-ADDRESS-MIB; natMIB MODULE-IDENTITY - LAST-UPDATED "200001010000Z" - ORGANIZATION "TBD" - CONTACT-INFO "TBD" + LAST-UPDATED "201304260000Z" + -- RFC Ed.: set to publication date + ORGANIZATION + "IETF Behavior Engineering for Hindrance Avoidance + (BEHAVE) Working Group" + CONTACT-INFO + "Working Group Email: behave@ietf.org + + Simon Perreault + Viagenie + 246 Aberdeen + Quebec, QC G1R 2E1 + Canada + + Phone: +1 418 656 9254 + Email: simon.perreault@viagenie.ca + URI: http://viagenie.ca + + Tina Tsou + Huawei Technologies (USA) + 2330 Central Expressway + Santa Clara, CA 95050 + USA + + Phone: +1 408 330 4424 + Email: tina.tsou.zouting@huawei.com + + Senthil Sivakumar + Cisco Systems + 7100-8 Kit Creek Road + Research Triangle Park, North Carolina 27709 + USA + + Phone: +1 919 392 5158 + Email: ssenthil@cisco.com" DESCRIPTION "This MIB module defines the generic managed objects - for NAT." + for NAT. + + Copyright (C) The Internet Society (2013). This + version of this MIB module is part of RFC yyyy; see + the RFC itself for full legal notices." + + -- RFC Ed.: replace yyyy with actual RFC number & remove this note" + REVISION "201304260000Z" + -- RFC Ed.: set to publication date + DESCRIPTION + "Complete rewrite, published as RFC yyyy." + -- RFC Ed.: replace yyyy with actual RFC number & set date" REVISION "200503210000Z" -- 21th March 2005 DESCRIPTION "Initial version, published as RFC 4008." - REVISION "200001010000Z" - DESCRIPTION - "Dummy version. RFC Editor must replace this." ::= { mib-2 123 } natMIBObjects OBJECT IDENTIFIER ::= { natMIB 1 } NatProtocolType ::= TEXTUAL-CONVENTION STATUS deprecated DESCRIPTION "A list of protocols that support the network address translation. 
Inclusion of the values is not intended to imply that those protocols @@ -1092,34 +1135,34 @@ natAddrBindGlobalAddr InetAddress, natAddrBindId NatBindId, natAddrBindTranslationEntity NatTranslationEntity, natAddrBindType NatAssociationType, natAddrBindMapIndex NatAddrMapId, natAddrBindSessions Gauge32, natAddrBindMaxIdleTime TimeTicks, natAddrBindCurrentIdleTime TimeTicks, natAddrBindInTranslates Counter64, natAddrBindOutTranslates Counter64 - } natAddrBindLocalAddrType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS not-accessible STATUS deprecated DESCRIPTION "This object specifies the address type used for natAddrBindLocalAddr." + ::= { natAddrBindEntry 1 } natAddrBindLocalAddr OBJECT-TYPE - SYNTAX InetAddress + SYNTAX InetAddress (SIZE (4|16)) MAX-ACCESS not-accessible STATUS deprecated DESCRIPTION "This object represents the private-realm specific network layer address, which maps to the public-realm address represented by natAddrBindGlobalAddr. The type of this address is determined by the value of the natAddrBindLocalAddrType object." ::= { natAddrBindEntry 2 } @@ -1331,21 +1375,21 @@ natAddrPortBindLocalAddrType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS not-accessible STATUS deprecated DESCRIPTION "This object specifies the address type used for natAddrPortBindLocalAddr." ::= { natAddrPortBindEntry 1 } natAddrPortBindLocalAddr OBJECT-TYPE - SYNTAX InetAddress + SYNTAX InetAddress (SIZE (4|16)) MAX-ACCESS not-accessible STATUS deprecated DESCRIPTION "This object represents the private-realm specific network layer address which, in conjunction with natAddrPortBindLocalPort, maps to the public-realm network layer address and transport id represented by natAddrPortBindGlobalAddr and natAddrPortBindGlobalPort respectively. 
@@ -2551,21 +2597,21 @@ OBJECT natSessionPublicDstAddr SYNTAX InetAddress (SIZE(4|16)) DESCRIPTION "An implementation is required to support global IPv4 and/or IPv6 addresses, depending on its support for IPv4 and IPv6." ::= { natMIBCompliances 2 } - --------------------------------------------------------------------- + --=================================================================== -- END OF DEPRECATED OBJECTS. CURRENT OBJECTS FOLLOW. -- textual conventions ProtocolNumber ::= TEXTUAL-CONVENTION DISPLAY-HINT "d" STATUS current DESCRIPTION "A transport protocol number, from the 'protocol-numbers' IANA registry." @@ -2635,21 +2682,22 @@ exceeds the value of natAddrMapNotifyThreshold." ::= { natMIBNotifications 5 } natNotifSubscriberMappings NOTIFICATION-TYPE OBJECTS { natSubscriberCntMappings } STATUS current DESCRIPTION "This notification is generated when natSubscriberCntMappings exceeds the value of natSubscriberMapNotifyThresh, unless natSubscriberMapNotifyThresh is zero.." - ::= { NatNotifications 6 } + + ::= { natMIBNotifications 6 } -- counters natCounters OBJECT IDENTIFIER ::= { natMIBObjects 11 } natCntTranslates OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION 
@@ -3316,48 +3366,48 @@ SYNTAX NatPoolingType MAX-ACCESS read-only STATUS current DESCRIPTION "Type of address pooling behavior that was used to create this mapping." ::= { natMappingTableEntry 13 } -- subscribers - natSubscribers OBJECT IDENTIFIER ::= { NatObjects 5 } + natSubscribers OBJECT IDENTIFIER ::= { natMIBObjects 15 } natSubscribersTable OBJECT-TYPE - SYNTAX SEQUENCE OF natSubscribersTableEntry + SYNTAX SEQUENCE OF NatSubscribersTableEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Table of CGN subscribers." ::= { natSubscribers 1 } natSubscribersTableEntry OBJECT-TYPE - SYNTAX natSubscribersTableEntry + SYNTAX NatSubscribersTableEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Each entry describes a single CGN subscriber." INDEX { natSubscriberIdentifierType, natSubscriberIdentifier } ::= { natSubscribersTable 1 } - natSubscribersTableEntry ::= + NatSubscribersTableEntry ::= SEQUENCE { natSubscriberIdentifierType InetAddressType, natSubscriberIdentifier InetAddress, natSubscriberIntPrefixType InetAddressType, natSubscriberIntPrefix InetAddress, natSubscriberIntPrefixLength InetAddressPrefixLength, - natSubscriberPool NatPoolIndex, + natSubscriberPool NatPoolId, natSubscriberCntTranslates Counter64, natSubscriberCntOOP Counter64, natSubscriberCntResource Counter64, natSubscriberCntStateMismatch Counter64, natSubscriberCntQuota Counter64, natSubscriberCntMappings Gauge32, natSubscriberCntMapCreations Counter64, natSubscriberCntMapRemovals Counter64, natSubscriberLimitMappings Unsigned32, natSubscriberMapNotifyThresh Unsigned32 
@@ -3406,21 +3456,21 @@ SYNTAX InetAddressPrefixLength MAX-ACCESS read-only STATUS current DESCRIPTION "Length of the prefix assigned to a subscriber's CPE, in bits. In case a single address is assigned, this will be 32 for IPv4 and 128 for IPv6." ::= { natSubscribersTableEntry 5 } natSubscriberPool OBJECT-TYPE - SYNTAX NatPoolIndex + SYNTAX NatPoolId MAX-ACCESS read-only STATUS current DESCRIPTION "External address pool to which this subscriber belongs." ::= { natSubscribersTableEntry 6 } natSubscriberCntTranslates OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current @@ -3508,21 +3558,21 @@ DESCRIPTION "Limit on the number of active mappings created by or for this subscriber. Zero means unlimited." ::= { natSubscribersTableEntry 15 } natSubscriberMapNotifyThresh OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-write STATUS current DESCRIPTION - "See NatNotifSubscriberMappings." + "See natNotifSubscriberMappings." ::= { natSubscribersTableEntry 16 } -- object groups natGroupBasicObjects OBJECT-GROUP OBJECTS { natCntTranslates, natCntOOP, natCntResource, natCntStateMismatch, natCntQuota, @@ -3608,29 +3657,29 @@ natSubscriberPool, natSubscriberCntTranslates, natSubscriberCntOOP, natSubscriberCntResource, natSubscriberCntStateMismatch, natSubscriberCntQuota, natSubscriberCntMappings, natSubscriberCntMapCreations, natSubscriberCntMapRemovals, natSubscriberLimitMappings, - natLimitSubscribers } + natLimitSubscribers, + natSubscriberMapNotifyThresh } STATUS current DESCRIPTION "Per-subscriber counters, limits, and thresholds." ::= { natMIBGroups 13 } natGroupSubscriberNotifications NOTIFICATION-GROUP - NOTIFICATIONS { natSubscriberMapNotifyThresh } - + NOTIFICATIONS { natNotifSubscriberMappings } STATUS current DESCRIPTION "Subscriber notifications." ::= { natMIBGroups 14 } -- compliance statements natBasicCompliance MODULE-COMPLIANCE STATUS current DESCRIPTION 
@@ -3683,56 +3732,88 @@ natGroupAddrMapNotifications, natGroupFragmentObjects, natGroupSubscriberObjects, natGroupSubscriberNotifications } ::= { natMIBCompliances 6 } END 5. Security Considerations - Unauthorized access to the write-able objects could cause a denial of - service and/or widespread network disturbance. Hence, the support - for SET operations in a non-secure environment without proper - protection can have a negative effect on network operations. + There are a number of management objects defined in this MIB module + with a MAX-ACCESS clause of read-write and/or read-create. Such + objects may be considered sensitive or vulnerable in some network + environments. The support for SET operations in a non-secure + environment without proper protection can have a negative effect on + network operations. These are the tables and objects and their + sensitivity/vulnerability: - At this writing, no security holes have been identified beyond those - that SNMP Security is itself intended to address. These relate - primarily to controlled access to sensitive information and the - ability to configure a device - or which might result from operator - error, which is beyond the scope of any security architecture. + Limits: An attacker setting a very low or very high limit can easily + cause a denial-of-service situation. + + * natLimitMappings + + * natLimitAddressMappings + + * natLimitFragments + + * natLimitSubscribers + + * natSubscriberLimitMappings + + Notification thresholds: An attacker setting an arbitrarily low + treshold can cause many useless notifications to be generated. + Setting an arbitrarily high threshold can effectively disable + notifications, which could be used to hide another attack. 
+ + * natMappingsNotifyThreshold + + * natAddrMapNotifyThreshold + + * natSubscriberMapNotifyThresh + + Some of the readable objects in this MIB module (i.e., objects with a + MAX-ACCESS other than not-accessible) may be considered sensitive or + vulnerable in some network environments. It is thus important to + control even GET and/or NOTIFY access to these objects and possibly + to even encrypt the values of these objects when sending them over + the network via SNMP. There are a number of managed objects in this MIB that may contain information that may be sensitive from a business perspective, in that they may represent NAT state information. Various objects can reveal the identity of private hosts that are engaged in a session with external end nodes. A curious outsider could monitor these to assess the number of private hosts being supported by the NAT device. Further, a disgruntled former employee of an enterprise could use the information to break into specific private hosts by intercepting the existing sessions or originating new sessions into the host. There are no objects that are sensitive in their own right, such as passwords or monetary amounts. It may even be important to control GET access to these objects and possibly to encrypt the values of these objects when they are sent over the network via SNMP. Not all versions of SNMP provide features for such a secure environment. SNMP versions prior to SNMPv3 did not include adequate security. - Even if the network itself is secure (for example by using IPSec), - even then, there is no control as to who on the secure network is - allowed to access and GET/SET (read/change/create/delete) the objects - in this MIB. + Even if the network itself is secure (for example by using IPsec), + there is no control as to who on the secure network is allowed to + access and GET/SET (read/change/create/delete) the objects in this + MIB module. 
- It is recommended that the implementers consider the security - features as provided by the SNMPv3 framework (see [RFC3410], section - 8), including full support for the SNMPv3 cryptographic mechanisms - (for authentication and privacy). + Implementations SHOULD provide the security features described by the + SNMPv3 framework (see [RFC3410]), and implementations claiming + compliance to the SNMPv3 standard MUST include full support for + authentication and privacy via the User-based Security Model (USM) + [RFC3414] with the AES cipher algorithm [RFC3826]. Implementations + MAY also provide support for the Transport Security Model (TSM) + [RFC5591] in combination with a secure transport such as SSH + [RFC5592] or TLS/DTLS [RFC6353]. Further, deployment of SNMP versions prior to SNMPv3 is NOT RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to enable cryptographic security. It is then a customer/operator responsibility to ensure that the SNMP entity giving access to an instance of this MIB module is properly configured to give access to the objects only to those principals (users) that have legitimate rights to indeed GET or SET (change/create/delete) them. 6. IANA Considerations 
@@ -3758,32 +3839,52 @@ April 1999. [RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address Translator (NAT) Terminology and Considerations", RFC 2663, August 1999. [RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network Address Translator (Traditional NAT)", RFC 3022, January 2001. + [RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model + (USM) for version 3 of the Simple Network Management + Protocol (SNMPv3)", STD 62, RFC 3414, December 2002. + + [RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie, "The + Advanced Encryption Standard (AES) Cipher Algorithm in the + SNMP User-based Security Model", RFC 3826, June 2004. + [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. Schoenwaelder, "Textual Conventions for Internet Network Addresses", RFC 4001, February 2005. [RFC4750] Joyal, D., Galecki, P., Giacalone, S., Coltun, R., and F. Baker, "OSPF Version 2 Management Information Base", RFC 4750, December 2006. [RFC4787] Audet, F. and C. Jennings, "Network Address Translation (NAT) Behavioral Requirements for Unicast UDP", BCP 127, RFC 4787, January 2007. + [RFC5591] Harrington, D. and W. Hardaker, "Transport Security Model + for the Simple Network Management Protocol (SNMP)", RFC + 5591, June 2009. + + [RFC5592] Harrington, D., Salowey, J., and W. Hardaker, "Secure + Shell Transport Model for the Simple Network Management + Protocol (SNMP)", RFC 5592, June 2009. + + [RFC6353] Hardaker, W., "Transport Layer Security (TLS) Transport + Model for the Simple Network Management Protocol (SNMP)", + RFC 6353, July 2011. + 7.2. Informative References [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, "Introduction and Applicability Statements for Internet- Standard Management Framework", RFC 3410, December 2002. [RFC4008] Rohit, R., Srisuresh, P., Raghunarayan, R., Pai, N., and C. Wang, "Definitions of Managed Objects for Network Address Translators (NAT)", RFC 4008, March 2005.
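Review bot: In the MODULE-IDENTITY hunk (@@ -230,36 +230,77 @@) both RFC-Editor comment lines end with a stray double quote (`-- RFC Ed.: replace yyyy with actual RFC number & remove this note"` and `-- RFC Ed.: replace yyyy with actual RFC number & set date"`); the quote sits inside an ASN.1 comment so a compiler ignores it, but it reads as an unbalanced string literal and should be dropped. The new DESCRIPTION text also says `Copyright (C) The Internet Society (2013)`, while the draft's own Copyright Notice in the first hunk names the IETF Trust as copyright holder; the module boilerplate should match the document boilerplate. Since this clause is being touched, the unchanged `-- 21th March 2005` comment on the RFC 4008 REVISION could be corrected to `21st` in the same edit.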
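Review bot: In the natAddrBindEntry hunk (@@ -1092,34 +1135,34 @@) the only removed line is the `}` that follows `natAddrBindOutTranslates Counter64`, and the only added line is the `::= { natAddrBindEntry 1 }` clause for natAddrBindLocalAddrType; as the hunk reads, the NatAddrBindEntry SEQUENCE is left without its closing brace, which would not compile. Confirm that a `}` still terminates the SEQUENCE in the -06 text (if the removed brace was a duplicate, a second one should appear as unchanged context). The `(SIZE (4|16))` refinement added to natAddrBindLocalAddr here, and to natAddrPortBindLocalAddr in the following hunk, is consistent with the `InetAddress (SIZE(4|16))` already used in the compliance statement, so that part is fine.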
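Review bot: The separator change from `---…` to `--===…` (@@ -2551,21 +2597,21 @@) is the right fix: in ASN.1 a second `--` on the same line also closes a comment, so a line made only of dashes is read as a run of comment delimiters opening and closing each other, which MIB checkers commonly warn about; `--====` opens one comment that runs to end of line.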
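Review bot: In the natNotifSubscriberMappings hunk (@@ -2635,21 +2682,22 @@) the OID fix from `NatNotifications` to `natMIBNotifications` is correct (the sibling notification is registered as `{ natMIBNotifications 5 }`), but the unchanged DESCRIPTION still ends with a double period (`is zero..`); fix that typo in the same edit, and the blank line inserted between the DESCRIPTION and the `::=` clause is unnecessary.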
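Review bot: In the natSubscribers hunk (@@ -3316,48 +3366,48 @@) the `{ natMIBObjects 15 }` assignment and the `NatSubscribersTableEntry` capitalisation fix resolve genuine SMIv2 errors (`NatObjects` is not defined anywhere in the module, and a SEQUENCE type name must begin with an upper-case letter); check that sub-identifier 15 under natMIBObjects is not already assigned elsewhere, since the visible hunks only show natCounters at 11. Separately, the unchanged INDEX `{ natSubscriberIdentifierType, natSubscriberIdentifier }` uses an unconstrained `InetAddress` as an index object; RFC 4001 requires either a `SIZE` clause on such an index object or an explicit statement of the constraint in the row's DESCRIPTION, because of the 128 sub-identifier limit on OIDs, so natSubscriberIdentifier should carry a `(SIZE (...))` or the entry DESCRIPTION should state the limit.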
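Review bot: The DESCRIPTION of natSubscriberMapNotifyThresh (@@ -3508,21 +3558,21 @@) still only says `See natNotifSubscriberMappings.` after the capitalisation fix; since this is a read-write object that the new Security Considerations text singles out (an arbitrarily high value silently disables the notification), the clause should state the semantics itself: the notification is generated when natSubscriberCntMappings exceeds this value, and zero disables it. A DEFVAL would also make the initial state explicit for implementers.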
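Review bot: Replacing `natSubscriberMapNotifyThresh` with `natNotifSubscriberMappings` in natGroupSubscriberNotifications (@@ -3608,29 +3657,29 @@) is correct, since a NOTIFICATION-GROUP may list only NOTIFICATION-TYPEs, and moving the threshold object into natGroupSubscriberObjects is what makes it reachable from the compliance statement; both changes together fix the group definitions rather than just the names.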
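Review bot: In the Security Considerations hunk (@@ -3683,56 +3732,88 @@) `treshold` in the notification-thresholds paragraph is misspelled (`threshold`). The new boilerplate paragraph beginning `Some of the readable objects in this MIB module` now says the same thing as the unchanged sentence `It may even be important to control GET access to these objects and possibly to encrypt the values of these objects when they are sent over the network via SNMP.` that follows the NAT-specific paragraph; drop the older sentence. The unchanged statement `There are no objects that are sensitive in their own right, such as passwords or monetary amounts.` also sits awkwardly right after the text explaining that session and subscriber objects can reveal the identity of private hosts; consider rewording it to say that no single object holds a secret, but the state information is sensitive in aggregate.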