draft-ietf-behave-nat-mib-06.txt   draft-ietf-behave-nat-mib-07.txt 
Network Working Group S. Perreault Network Working Group S. Perreault
Internet-Draft Viagenie Internet-Draft Viagenie
Obsoletes: 4008 (if approved) T. Tsou Obsoletes: 4008 (if approved) T. Tsou
Intended status: Standards Track Huawei Technologies (USA) Intended status: Standards Track Huawei Technologies (USA)
Expires: November 02, 2013 S. Sivakumar Expires: January 16, 2014 S. Sivakumar
Cisco Systems Cisco Systems
May 01, 2013 July 15, 2013
Additional Managed Objects for Network Address Translators (NAT) Additional Managed Objects for Network Address Translators (NAT)
draft-ietf-behave-nat-mib-06 draft-ietf-behave-nat-mib-07
Abstract Abstract
This memo defines a portion of the Management Information Base (MIB) This memo defines a portion of the Management Information Base (MIB)
for devices implementing Network Address Translator (NAT) function. for devices implementing Network Address Translator (NAT) function.
This MIB module may be used for monitoring of a device capable of NAT This MIB module may be used for monitoring of a device capable of NAT
function. function.
Status of This Memo Status of This Memo
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 02, 2013. This Internet-Draft will expire on January 16, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 16 skipping to change at page 2, line 16
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. The Internet-Standard Management Framework . . . . . . . . . 2 2. The Internet-Standard Management Framework . . . . . . . . . 2
3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3.1. Deprecated Features . . . . . . . . . . . . . . . . . . . 3 3.1. Deprecated Features . . . . . . . . . . . . . . . . . . . 3
3.2. New Features . . . . . . . . . . . . . . . . . . . . . . 4 3.2. New Features . . . . . . . . . . . . . . . . . . . . . . 4
3.3. Realms . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.3. Realms . . . . . . . . . . . . . . . . . . . . . . . . . 4
4. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 5 4. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 5
5. Security Considerations . . . . . . . . . . . . . . . . . . . 78 5. Security Considerations . . . . . . . . . . . . . . . . . . . 77
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 80 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 79
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 80 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 79
7.1. Normative References . . . . . . . . . . . . . . . . . . 80 7.1. Normative References . . . . . . . . . . . . . . . . . . 79
7.2. Informative References . . . . . . . . . . . . . . . . . 81 7.2. Informative References . . . . . . . . . . . . . . . . . 80
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 82 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 81
1. Introduction 1. Introduction
This memo defines a portion of the Management Information Base (MIB) This memo defines a portion of the Management Information Base (MIB)
for devices implementing NAT function. This MIB module may be used for devices implementing NAT function. This MIB module may be used
for monitoring of a device capable of NAT function. Using it for for monitoring of a device capable of NAT function. Using it for
configuration is deprecated. NAT types and their characteristics are configuration is deprecated. NAT types and their characteristics are
defined in [RFC2663]. Traditional NAT function, in particular is defined in [RFC2663]. Traditional NAT function, in particular is
defined in [RFC3022]. This MIB does not address the firewall defined in [RFC3022]. This MIB does not address the firewall
functions and must not be used for configuring or monitoring these. functions and must not be used for configuring or monitoring these.
Section 2 provides references to the SNMP management framework, which Section 2 provides references to the SNMP management framework, which
was used as the basis for the MIB module definition. Section 3 was used as the basis for the MIB module definition. Section 3
provides an overview of the MIB features. Lastly, Section 4 has the provides an overview of the MIB features. Lastly, Section 4 has the
complete NAT MIB definition. complete NAT MIB definition.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. The Internet-Standard Management Framework 2. The Internet-Standard Management Framework
For a detailed overview of the documents that describe the current For a detailed overview of the documents that describe the current
Internet-Standard Management Framework, please refer to section 7 of Internet-Standard Management Framework, please refer to section 7 of
RFC 3410 [RFC3410]. RFC 3410 [RFC3410].
Managed objects are accessed via a virtual information store, termed Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. MIB objects are generally the Management Information Base or MIB. MIB objects are generally
accessed through the Simple Network Management Protocol (SNMP). accessed through the Simple Network Management Protocol (SNMP).
Objects in the MIB are defined using the mechanisms defined in the Objects in the MIB are defined using the mechanisms defined in the
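Review bot: the RFC 2119 boilerplate added on the right ("The key words "MUST", "MUST NOT", ... are to be interpreted as described in [RFC2119].") makes the lowercase "must not be used for configuring or monitoring these" in the Introduction ambiguous, since the module now distinguishes normative capitals from ordinary prose. Either write MUST NOT if the prohibition is meant to be normative, or reword it (for example "is not intended for configuring or monitoring these"), and check that [RFC2119] is listed under 7.1 Normative References, which this revision adds a dependency on.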
skipping to change at page 3, line 30 skipping to change at page 3, line 33
Exposing configuration parameters: Even in read-only mode, many Exposing configuration parameters: Even in read-only mode, many
configuration parameters were exposed by [RFC4008] (e.g. configuration parameters were exposed by [RFC4008] (e.g.
timeouts). Since implementations vary wildly in their sets of timeouts). Since implementations vary wildly in their sets of
configuration parameters, few implementations could claim even configuration parameters, few implementations could claim even
basic compliance. basic compliance.
Lesson learned: the NAT MIB's purpose is not to expose Lesson learned: the NAT MIB's purpose is not to expose
configuration parameters. configuration parameters.
Interfaces: Objects from [RFC4008] tie NAT state with interfaces Interfaces: Objects from [RFC4008] tie NAT state with interfaces
(e.g. the interface table, the way map entries are grouped by (e.g. the interface table, the way map entries are grouped by
interface). Many NAT implementations either never keep track of interface). Many NAT implementations either never keep track of
the interface or associate a mapping to a set of interfaces. the interface or associate a mapping to a set of interfaces.
Since interfaces are at the core of [RFC4008], many NAT devices Since interfaces are at the core of [RFC4008], many NAT devices
were unable to have a proper implementation. were unable to have a proper implementation.
Lesson learned: NAT is a logical function that may be independent Lesson learned: NAT is a logical function that may be independent
of interfaces. Do not tie NAT state with interfaces. of interfaces. Do not tie NAT state with interfaces.
NAT service types: [RFC4008] used four categories of NAT service: NAT service types: [RFC4008] used four categories of NAT service:
basicNat, napt, bidirectionalNat, twiceNat. These are ill-defined basicNat, napt, bidirectionalNat, twiceNat. These are ill-defined
skipping to change at page 29, line 41 skipping to change at page 29, line 45
natAddrPortBindLocalAddrType OBJECT-TYPE natAddrPortBindLocalAddrType OBJECT-TYPE
SYNTAX InetAddressType SYNTAX InetAddressType
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS deprecated STATUS deprecated
DESCRIPTION DESCRIPTION
"This object specifies the address type used for "This object specifies the address type used for
natAddrPortBindLocalAddr." natAddrPortBindLocalAddr."
::= { natAddrPortBindEntry 1 } ::= { natAddrPortBindEntry 1 }
natAddrPortBindLocalAddr OBJECT-TYPE natAddrPortBindLocalAddr OBJECT-TYPE
SYNTAX InetAddress (SIZE (4|16)) SYNTAX InetAddress
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS deprecated STATUS deprecated
DESCRIPTION DESCRIPTION
"This object represents the private-realm specific "This object represents the private-realm specific
network layer address which, in conjunction with network layer address which, in conjunction with
natAddrPortBindLocalPort, maps to the public-realm natAddrPortBindLocalPort, maps to the public-realm
network layer address and transport id represented by network layer address and transport id represented by
natAddrPortBindGlobalAddr and natAddrPortBindGlobalPort natAddrPortBindGlobalAddr and natAddrPortBindGlobalPort
respectively. respectively.
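Review bot: dropping the (SIZE (4|16)) constraint from natAddrPortBindLocalAddr (the right-hand SYNTAX line is now plain InetAddress) on an object whose MAX-ACCESS is not-accessible, that is, an index object, removes the only bound on the number of instance sub-identifiers this address contributes to the row's OID. RFC 4001 asks that an InetAddress used in an INDEX either keep a SIZE clause or have the limit stated in the conceptual row's DESCRIPTION. If the loosening is deliberate (for instance to admit ipv4z/ipv6z values alongside ipv4/ipv6), add that statement to the natAddrPortBindEntry DESCRIPTION; otherwise keep the size constraint, noting that the object is already deprecated, so the change only affects agents that still populate it.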
skipping to change at page 56, line 30 skipping to change at page 56, line 33
OBJECTS { natPoolIndex } OBJECTS { natPoolIndex }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This notification is generated when the specified pool's "This notification is generated when the specified pool's
number of free addresses becomes greater than or equal to number of free addresses becomes greater than or equal to
the specified threshold. The threshold is specified by the the specified threshold. The threshold is specified by the
natPoolWatermarkHigh object" natPoolWatermarkHigh object"
::= { natMIBNotifications 3 } ::= { natMIBNotifications 3 }
natNotifMappings NOTIFICATION-TYPE natNotifMappings NOTIFICATION-TYPE
OBJECTS { natCntMappings } OBJECTS { natMappingCreations, natMappingRemovals }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This notification is generated when natCntMappings exceeds "This notification is generated when the number of active
the value of natMappingsNotifyThreshold." mappings exceeds the value of natMappingsNotifyThreshold."
::= { natMIBNotifications 4 } ::= { natMIBNotifications 4 }
natNotifAddrMappings NOTIFICATION-TYPE natNotifAddrMappings NOTIFICATION-TYPE
OBJECTS { natCntAddressMappings } OBJECTS { natAddressMappings }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This notification is generated when natCntAddressMappings "This notification is generated when natAddressMappings
exceeds the value of natAddrMapNotifyThreshold." exceeds the value of natAddrMapNotifyThreshold."
::= { natMIBNotifications 5 } ::= { natMIBNotifications 5 }
natNotifSubscriberMappings NOTIFICATION-TYPE natNotifSubscriberMappings NOTIFICATION-TYPE
OBJECTS { natSubscriberCntMappings } OBJECTS { natSubscriberMappingCreations,
natSubscriberMappingRemovals }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This notification is generated when natSubscriberCntMappings "This notification is generated when the number of active
exceeds the value of natSubscriberMapNotifyThresh, unless mappings exceeds the value of natSubscriberMapNotifyThresh,
natSubscriberMapNotifyThresh is zero.." unless natSubscriberMapNotifyThresh is zero.."
::= { natMIBNotifications 6 } ::= { natMIBNotifications 6 }
-- counters -- counters
natCounters OBJECT IDENTIFIER ::= { natMIBObjects 11 } natCounters OBJECT IDENTIFIER ::= { natMIBObjects 11 }
natCntTranslates OBJECT-TYPE natTranslations OBJECT-TYPE
SYNTAX Counter64 SYNTAX Counter64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of packets to which NAT has been applied." "The number of packets translated."
::= { natCounters 1 } ::= { natCounters 1 }
natCntOOP OBJECT-TYPE natOutOfPortErrors OBJECT-TYPE
SYNTAX Counter64 SYNTAX Counter64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of packets to which NAT could not be applied "The number of packets not translated because no external
because no external port was available, excluding quota port was available, excluding quota limitations."
limitations."
::= { natCounters 2 } ::= { natCounters 2 }
natCntResource OBJECT-TYPE natResourceErrors OBJECT-TYPE
SYNTAX Counter64 SYNTAX Counter64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of packets to which NAT could not be applied "The number of packets not translated because of resource
because of resource constraints (excluding out-of-ports constraints (excluding out-of-ports condition)."
condition)."
::= { natCounters 3 } ::= { natCounters 3 }
natCntStateMismatch OBJECT-TYPE natQuotaDrops OBJECT-TYPE
SYNTAX Counter64 SYNTAX Counter64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of packets to which NAT could not be applied "The number of incoming packets not translated because of
because of mapping state mismatch. For example, a TCP packet quota limitations. Quotas include absolute limits as well
that matches an existing mapping but is dropped because its as limits on rate of allocation."
flags are incompatible with the current state of the mapping
would cause this counter to be incremented."
::= { natCounters 4 } ::= { natCounters 4 }
natCntQuota OBJECT-TYPE natMappingCreations OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets to which NAT could not be applied
because of quota limitations. Quotas include absolute limits
as well as limits on rate of allocation."
::= { natCounters 5 }
natCntMappings OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of currently active mappings.
Equal to natCntMapRemovals - natCntMapCreations."
::= { natCounters 6 }
natCntMapCreations OBJECT-TYPE
SYNTAX Counter64 SYNTAX Counter64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Number of mapping creations. This includes static mappings." "Number of mapping creations. This includes static mappings."
::= { natCounters 7 } ::= { natCounters 5 }
natCntMapRemovals OBJECT-TYPE natMappingRemovals OBJECT-TYPE
SYNTAX Counter64 SYNTAX Counter64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Number of mapping removals. This includes static mappings." "Number of mapping removals. This includes static mappings."
::= { natCounters 8 } ::= { natCounters 6 }
natCntAddressMappings OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of active address mappings.
Equal to natCntAddrMapRemovals - natCntAddrMapCreations."
::= { natCounters 9 }
natCntAddrMapCreations OBJECT-TYPE natAddressMappingCreations OBJECT-TYPE
SYNTAX Counter64 SYNTAX Counter64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Number of address mapping creations. This includes static "Number of address mapping creations. This includes static
mappings." mappings."
::= { natCounters 10 } ::= { natCounters 7 }
natCntAddrMapRemovals OBJECT-TYPE natAddressMappingRemovals OBJECT-TYPE
SYNTAX Counter64 SYNTAX Counter64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Number of address mapping removals. This includes static "Number of address mapping removals. This includes static
mappings." mappings.
::= { natCounters 11 }
natCntProtocolTable OBJECT-TYPE The number of active mappings is equal to
SYNTAX SEQUENCE OF NatCntProtocolEntry natAddressMappingCreations - natAddressMappingRemovals."
::= { natCounters 8 }
natProtocolTable OBJECT-TYPE
SYNTAX SEQUENCE OF NatProtocolEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Table of protocols with per-protocol counters." "Table of protocols with per-protocol counters."
::= { natCounters 128 } ::= { natCounters 128 }
natCntProtocolEntry OBJECT-TYPE natProtocolEntry OBJECT-TYPE
SYNTAX NatCntProtocolEntry SYNTAX NatProtocolEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Per-protocol counters." "Per-protocol counters."
INDEX { natCntProtocolNumber } INDEX { natProtocolNumber }
::= { natCntProtocolTable 1 } ::= { natProtocolTable 1 }
NatCntProtocolEntry ::= NatProtocolEntry ::=
SEQUENCE { SEQUENCE {
natCntProtocolNumber ProtocolNumber, natProtocolNumber ProtocolNumber,
natCntProtocolTranslates Counter64, natProtocolTranslations Counter64,
natCntProtocolOOP Counter64, natProtocolOutOfPortErrors Counter64,
natCntProtocolResource Counter64, natProtocolResourceErrors Counter64,
natCntProtocolStateMismatch Counter64, natProtocolQuotaDrops Counter64,
natCntProtocolQuota Counter64, natProtocolMappingCreations Counter64,
natCntProtocolMappings Gauge32, natProtocolMappingRemovals Counter64
natCntProtocolMapCreations Counter64,
natCntProtocolMapRemovals Counter64
} }
natCntProtocolNumber OBJECT-TYPE natProtocolNumber OBJECT-TYPE
SYNTAX ProtocolNumber SYNTAX ProtocolNumber
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Counters in this conceptual row apply to packets using the "Counters in this conceptual row apply to packets using the
transport protocol identified by this object's value." transport protocol identified by this object's value."
::= { natCntProtocolEntry 1 } ::= { natProtocolEntry 1 }
natCntProtocolTranslates OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets to which NAT has been applied."
::= { natCntProtocolEntry 2 }
natCntProtocolOOP OBJECT-TYPE natProtocolTranslations OBJECT-TYPE
SYNTAX Counter64 SYNTAX Counter64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of packets to which NAT could not be applied "The number of packets translated."
because no external port was available." ::= { natProtocolEntry 2 }
::= { natCntProtocolEntry 3 }
natCntProtocolResource OBJECT-TYPE natProtocolOutOfPortErrors OBJECT-TYPE
SYNTAX Counter64 SYNTAX Counter64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of packets to which NAT could not be applied "The number of packets not translated because no external
because of resource constraints (excluding out-of-ports port was available."
condition)." ::= { natProtocolEntry 3 }
::= { natCntProtocolEntry 4 }
natCntProtocolStateMismatch OBJECT-TYPE natProtocolResourceErrors OBJECT-TYPE
SYNTAX Counter64 SYNTAX Counter64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of packets to which NAT could not be applied "The number of packets not translated because of resource
because of state table mismatch. For example, a TCP packet constraints (excluding out-of-ports condition)."
that matches an existing mapping but is dropped because its ::= { natProtocolEntry 4 }
flags are incompatible with the current state of the mapping
would cause this counter to be incremented."
::= { natCntProtocolEntry 5 }
natCntProtocolQuota OBJECT-TYPE natProtocolQuotaDrops OBJECT-TYPE
SYNTAX Counter64 SYNTAX Counter64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of packets to which NAT could not be applied "The number of incoming packets not translated because of
because of exceeded quotas. Quotas include absolute limits exceeded quotas. Quotas include absolute limits as well as
as well as limits on rate of allocation." limits on rate of allocation."
::= { natCntProtocolEntry 6 } ::= { natProtocolEntry 5 }
natCntProtocolMappings OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of active mappings.
Equal to natCntMapRemovals - natCntMapCreations."
::= { natCntProtocolEntry 7 }
natCntProtocolMapCreations OBJECT-TYPE natProtocolMappingCreations OBJECT-TYPE
SYNTAX Counter64 SYNTAX Counter64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Number of mapping creations. This includes static mappings." "Number of mapping creations. This includes static mappings."
::= { natCntProtocolEntry 8 } ::= { natProtocolEntry 6 }
natCntProtocolMapRemovals OBJECT-TYPE natProtocolMappingRemovals OBJECT-TYPE
SYNTAX Counter64 SYNTAX Counter64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Number of mapping removals. This includes statis mappings." "Number of mapping removals. This includes static mappings.
::= { natCntProtocolEntry 9 }
The number of active mappings is equal to
natProtocolMappingCreations - natProtocolMappingRemovals."
::= { natProtocolEntry 7 }
-- limits -- limits
natLimits OBJECT IDENTIFIER ::= { natMIBObjects 12 } natLimits OBJECT IDENTIFIER ::= { natMIBObjects 12 }
natLimitMappings OBJECT-TYPE natLimitMappings OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
MAX-ACCESS read-write MAX-ACCESS read-write
STATUS current STATUS current
DESCRIPTION DESCRIPTION
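Review bot: natNotifAddrMappings on the right ("OBJECTS { natAddressMappings }" and "when natAddressMappings exceeds the value of natAddrMapNotifyThreshold") references an object this revision no longer defines: natCntAddressMappings (Gauge32, natCounters 9) is deleted on the left, and the right-hand counters run natAddressMappingCreations (7), natAddressMappingRemovals (8), natProtocolTable (128) with no natAddressMappings between them, so the module will not compile. Either define natAddressMappings as a Gauge32 under natCounters, or, to match how natNotifMappings and natNotifSubscriberMappings were reworked, change it to "OBJECTS { natAddressMappingCreations, natAddressMappingRemovals }" and describe the threshold as applying to their difference. Three smaller points in the same region: the sentence "The number of active mappings is equal to ... Creations - ... Removals" was added to natAddressMappingRemovals and natProtocolMappingRemovals but not to natMappingRemovals, even though natNotifMappings and natLimitMappings now depend on that derived value, so add it there as well; with the Gauge32 objects gone, a manager obtains the active count by subtracting two Counter64 values, so the descriptions should say that both counters have to come from the same retrieval, because a mapping created or removed between two separate reads makes the difference transiently wrong; and the new wording "incoming packets" in natQuotaDrops and natProtocolQuotaDrops is undefined in a module that otherwise speaks of internal and external realms, so either restore the -06 wording "packets" or say from which realm. The double full stop in the natNotifSubscriberMappings description ("is zero..") survives from -06.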
skipping to change at page 70, line 29 skipping to change at page 69, line 29
natMappingIntPort OBJECT-TYPE natMappingIntPort OBJECT-TYPE
SYNTAX InetPortNumber SYNTAX InetPortNumber
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The mapping's internal port number. If this is zero, ports "The mapping's internal port number. If this is zero, ports
are not translated." are not translated."
::= { natMappingTableEntry 9 } ::= { natMappingTableEntry 9 }
natMappingPool OBJECT-TYPE natMappingPool OBJECT-TYPE
SYNTAX NatPoolId (0|1..4294967295) SYNTAX Unsigned32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Index of the pool that contains this mapping's external "Index of the pool that contains this mapping's external
address and port. If zero, no pool is associated with this address and port. If zero, no pool is associated with this
mapping." mapping."
::= { natMappingTableEntry 10 } ::= { natMappingTableEntry 10 }
natMappingMapBehavior OBJECT-TYPE natMappingMapBehavior OBJECT-TYPE
SYNTAX NatBehaviorType SYNTAX NatBehaviorType
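Review bot: natMappingPool changes its SYNTAX from NatPoolId (0|1..4294967295) to plain Unsigned32 while natSubscriberPool in the next region keeps NatPoolId, so the two references to a pool no longer share a type. The sub-type on the -06 line spans the entire Unsigned32 range, which makes the change look like a workaround for NatPoolId not admitting zero; if so, state in the DESCRIPTION that a non-zero value is a natPoolIndex value so the link to the pool table is not lost, or give both objects the same syntax with the same "zero means no pool" rule.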
skipping to change at page 71, line 46 skipping to change at page 70, line 46
::= { natSubscribersTable 1 } ::= { natSubscribersTable 1 }
NatSubscribersTableEntry ::= NatSubscribersTableEntry ::=
SEQUENCE { SEQUENCE {
natSubscriberIdentifierType InetAddressType, natSubscriberIdentifierType InetAddressType,
natSubscriberIdentifier InetAddress, natSubscriberIdentifier InetAddress,
natSubscriberIntPrefixType InetAddressType, natSubscriberIntPrefixType InetAddressType,
natSubscriberIntPrefix InetAddress, natSubscriberIntPrefix InetAddress,
natSubscriberIntPrefixLength InetAddressPrefixLength, natSubscriberIntPrefixLength InetAddressPrefixLength,
natSubscriberPool NatPoolId, natSubscriberPool NatPoolId,
natSubscriberCntTranslates Counter64, natSubscriberTranslations Counter64,
natSubscriberCntOOP Counter64, natSubscriberOutOfPortErrors Counter64,
natSubscriberCntResource Counter64, natSubscriberResourceErrors Counter64,
natSubscriberCntStateMismatch Counter64, natSubscriberQuotaDrops Counter64,
natSubscriberCntQuota Counter64, natSubscriberMappingCreations Counter64,
natSubscriberCntMappings Gauge32, natSubscriberMappingRemovals Counter64,
natSubscriberCntMapCreations Counter64,
natSubscriberCntMapRemovals Counter64,
natSubscriberLimitMappings Unsigned32, natSubscriberLimitMappings Unsigned32,
natSubscriberMapNotifyThresh Unsigned32 natSubscriberMapNotifyThresh Unsigned32
} }
natSubscriberIdentifierType OBJECT-TYPE natSubscriberIdentifierType OBJECT-TYPE
SYNTAX InetAddressType SYNTAX InetAddressType
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Address type of the subscriber identifier." "Address type of the subscriber identifier."
skipping to change at page 73, line 18 skipping to change at page 72, line 16
::= { natSubscribersTableEntry 5 } ::= { natSubscribersTableEntry 5 }
natSubscriberPool OBJECT-TYPE natSubscriberPool OBJECT-TYPE
SYNTAX NatPoolId SYNTAX NatPoolId
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"External address pool to which this subscriber belongs." "External address pool to which this subscriber belongs."
::= { natSubscribersTableEntry 6 } ::= { natSubscribersTableEntry 6 }
natSubscriberCntTranslates OBJECT-TYPE natSubscriberTranslations OBJECT-TYPE
SYNTAX Counter64 SYNTAX Counter64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of packets received from or sent to this "The number of translated packets received from or sent to
subscriber and to which NAT has been applied." this subscriber."
::= { natSubscribersTableEntry 7 } ::= { natSubscribersTableEntry 7 }
natSubscriberCntOOP OBJECT-TYPE natSubscriberOutOfPortErrors OBJECT-TYPE
SYNTAX Counter64 SYNTAX Counter64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of packets received from this subscriber to which "The number of packets received from this subscriber not
NAT could not be applied because no external port was translated because no external port was available, excluding
available, excluding quota limitations." quota limitations."
::= { natSubscribersTableEntry 8 } ::= { natSubscribersTableEntry 8 }
natSubscriberCntResource OBJECT-TYPE natSubscriberResourceErrors OBJECT-TYPE
SYNTAX Counter64 SYNTAX Counter64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of packets received from this subscriber to which "The number of packets received from this subscriber not
NAT could not be applied because of resource constraints translated because of resource constraints (excluding
(excluding out-of-ports condition)." out-of-ports condition)."
::= { natSubscribersTableEntry 9 } ::= { natSubscribersTableEntry 9 }
natSubscriberCntStateMismatch OBJECT-TYPE natSubscriberQuotaDrops OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets received from or destined to this
subscriber to which NAT could not be applied because of
mapping state mismatch. For example, a TCP packet that
matches an existing mapping but is dropped because its flags
are incompatible with the current state of the mapping would
cause this counter to be incremented."
::= { natSubscribersTableEntry 10 }
natSubscriberCntQuota OBJECT-TYPE
SYNTAX Counter64 SYNTAX Counter64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of packets received from or destined to this "The number of incoming packets received from or destined to
subscriber to which NAT could not be applied because of this subscriber not translated because of quota limitations.
quota limitations. Quotas include absolute limits as well as
limits on the rate of allocation."
::= { natSubscribersTableEntry 11 }
natSubscriberCntMappings OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of currently active mappings created by or for this
subscriber.
Equal to natSubscriberCntMapRemovals - Quotas include absolute limits as well as limits on the rate
natSubscriberCntMapCreations." of allocation."
::= { natSubscribersTableEntry 12 } ::= { natSubscribersTableEntry 10 }
natSubscriberCntMapCreations OBJECT-TYPE natSubscriberMappingCreations OBJECT-TYPE
SYNTAX Counter64 SYNTAX Counter64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Number of mappings created by or for this subscriber." "Number of mappings created by or for this subscriber."
::= { natSubscribersTableEntry 13 } ::= { natSubscribersTableEntry 11 }
natSubscriberCntMapRemovals OBJECT-TYPE natSubscriberMappingRemovals OBJECT-TYPE
SYNTAX Counter64 SYNTAX Counter64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Number of mappings removed by or for this subscriber." "Number of mappings removed by or for this subscriber."
::= { natSubscribersTableEntry 14 } ::= { natSubscribersTableEntry 12 }
natSubscriberLimitMappings OBJECT-TYPE natSubscriberLimitMappings OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
MAX-ACCESS read-write MAX-ACCESS read-write
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Limit on the number of active mappings created by or for "Limit on the number of active mappings created by or for
this subscriber. Zero means unlimited." this subscriber. Zero means unlimited."
::= { natSubscribersTableEntry 15 } ::= { natSubscribersTableEntry 13 }
natSubscriberMapNotifyThresh OBJECT-TYPE natSubscriberMapNotifyThresh OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
MAX-ACCESS read-write MAX-ACCESS read-write
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"See natNotifSubscriberMappings." "See natNotifSubscriberMappings."
::= { natSubscribersTableEntry 16 } ::= { natSubscribersTableEntry 14 }
-- object groups -- object groups
natGroupBasicObjects OBJECT-GROUP natGroupBasicObjects OBJECT-GROUP
OBJECTS { natCntTranslates, OBJECTS { natTranslations,
natCntOOP, natOutOfPortErrors,
natCntResource, natResourceErrors,
natCntStateMismatch, natQuotaDrops,
natCntQuota, natMappingCreations,
natCntMappings, natMappingRemovals,
natCntMapCreations, natProtocolTranslations ,
natCntMapRemovals, natProtocolOutOfPortErrors,
natCntProtocolTranslates, natProtocolResourceErrors,
natCntProtocolOOP, natProtocolQuotaDrops,
natCntProtocolResource, natProtocolMappingCreations,
natCntProtocolStateMismatch, natProtocolMappingRemovals,
natCntProtocolQuota,
natCntProtocolMappings,
natCntProtocolMapCreations,
natCntProtocolMapRemovals,
natLimitMappings, natLimitMappings,
natMappingsNotifyThreshold, natMappingsNotifyThreshold,
natPoolIndex, natPoolIndex,
natPoolRealm, natPoolRealm,
natPoolUsage, natPoolUsage,
natPoolWatermarkLow, natPoolWatermarkLow,
natPoolWatermarkHigh, natPoolWatermarkHigh,
natPoolPortMin, natPoolPortMin,
natPoolPortMax, natPoolPortMax,
natPoolRangePoolIndex, natPoolRangePoolIndex,
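Review bot: the natSubscriberQuotaDrops description on the right reads "The number of incoming packets received from or destined to this subscriber", which contradicts itself: a packet destined to the subscriber is not incoming from it. Drop "incoming" (the -06 text had "packets received from or destined to this subscriber") or specify the realm. Also, natSubscriberMappingRemovals does not receive the "active mappings is equal to creations minus removals" sentence that natAddressMappingRemovals and natProtocolMappingRemovals got, although natSubscriberLimitMappings ("Limit on the number of active mappings") and natSubscriberMapNotifyThresh are now a limit and a threshold on exactly that derived number, since natSubscriberCntMappings (Gauge32) is deleted; add it for symmetry. Style: "natProtocolTranslations ," in natGroupBasicObjects has a stray space before the comma.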
skipping to change at page 76, line 18 skipping to change at page 74, line 35
natMappingPool, natMappingPool,
natMappingMapBehavior, natMappingMapBehavior,
natMappingFilterBehavior, natMappingFilterBehavior,
natMappingAddressPooling } natMappingAddressPooling }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Basic counters, limits, and thresholds." "Basic counters, limits, and thresholds."
::= { natMIBGroups 7 } ::= { natMIBGroups 7 }
natGroupAddrMapObjects OBJECT-GROUP natGroupAddrMapObjects OBJECT-GROUP
OBJECTS { natCntAddressMappings, OBJECTS { natAddressMappings,
natCntAddrMapCreations, natAddressMappingCreations,
natCntAddrMapRemovals, natAddressMappingRemovals,
natLimitAddressMappings, natLimitAddressMappings,
natAddrMapNotifyThreshold, natAddrMapNotifyThreshold,
natMapIntAddrExtRealm, natMapIntAddrExtRealm,
natMapIntAddrExt } natMapIntAddrExt }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Objects that require 'Paired IP address pooling' behavior "Objects that require 'Paired IP address pooling' behavior
[RFC4787]." [RFC4787]."
::= { natMIBGroups 8 } ::= { natMIBGroups 8 }
skipping to change at page 77, line 12 skipping to change at page 75, line 29
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Notifications about address mappings." "Notifications about address mappings."
::= { natMIBGroups 12 } ::= { natMIBGroups 12 }
natGroupSubscriberObjects OBJECT-GROUP natGroupSubscriberObjects OBJECT-GROUP
OBJECTS { natSubscriberIntPrefixType, OBJECTS { natSubscriberIntPrefixType,
natSubscriberIntPrefix, natSubscriberIntPrefix,
natSubscriberIntPrefixLength, natSubscriberIntPrefixLength,
natSubscriberPool, natSubscriberPool,
natSubscriberCntTranslates, natSubscriberTranslations,
natSubscriberCntOOP, natSubscriberOutOfPortErrors,
natSubscriberCntResource, natSubscriberResourceErrors,
natSubscriberCntStateMismatch, natSubscriberQuotaDrops,
natSubscriberCntQuota, natSubscriberMappingCreations,
natSubscriberCntMappings, natSubscriberMappingRemovals,
natSubscriberCntMapCreations,
natSubscriberCntMapRemovals,
natSubscriberLimitMappings, natSubscriberLimitMappings,
natLimitSubscribers, natLimitSubscribers,
natSubscriberMapNotifyThresh } natSubscriberMapNotifyThresh }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Per-subscriber counters, limits, and thresholds." "Per-subscriber counters, limits, and thresholds."
::= { natMIBGroups 13 } ::= { natMIBGroups 13 }
natGroupSubscriberNotifications NOTIFICATION-GROUP natGroupSubscriberNotifications NOTIFICATION-GROUP
NOTIFICATIONS { natNotifSubscriberMappings } NOTIFICATIONS { natNotifSubscriberMappings }
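Review bot: natGroupSubscriberObjects now omits natSubscriberCntMappings (and natSubscriberCntStateMismatch) while keeping natSubscriberLimitMappings and natSubscriberMapNotifyThresh, whose DESCRIPTION only says "See natNotifSubscriberMappings"; as written there is no object in the group that reports the per-subscriber mapping count the limit and threshold apply to, so an operator can learn it only from the notification. If the gauge survives under the new naming scheme (natSubscriberMappings would match natSubscriberTranslations and friends), list it here; otherwise state in the natSubscriberMapNotifyThresh DESCRIPTION that the count is carried by the notification alone.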
skipping to change at page 78, line 34 skipping to change at page 76, line 47
::= { natMIBCompliances 5 } ::= { natMIBCompliances 5 }
natCGNCompliance MODULE-COMPLIANCE natCGNCompliance MODULE-COMPLIANCE
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"NATs that have 'Paired IP address pooling' and 'Receive "NATs that have 'Paired IP address pooling' and 'Receive
Fragments Out of Order' behavior [RFC4787] and implement the Fragments Out of Order' behavior [RFC4787] and implement the
objects in this group can claim this level of compliance. objects in this group can claim this level of compliance.
This level of compliance is to be expected of a CGN This level of compliance is to be expected of a CGN
compliant with [I-D.ietf-behave-lsn-requiremnents]." compliant with [RFC6888]."
MODULE -- this module MODULE -- this module
MANDATORY-GROUPS { natGroupBasicObjects, MANDATORY-GROUPS { natGroupBasicObjects,
natGroupBasicNotifications, natGroupBasicNotifications,
natGroupAddrMapObjects, natGroupAddrMapObjects,
natGroupAddrMapNotifications, natGroupAddrMapNotifications,
natGroupFragmentObjects, natGroupFragmentObjects,
natGroupSubscriberObjects, natGroupSubscriberObjects,
natGroupSubscriberNotifications } natGroupSubscriberNotifications }
::= { natMIBCompliances 6 } ::= { natMIBCompliances 6 }
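Review bot: "implement the objects in this group" in the natCGNCompliance DESCRIPTION is loose for a MODULE-COMPLIANCE, which names several groups; say "implement the groups listed under MANDATORY-GROUPS". Replacing [I-D.ietf-behave-lsn-requiremnents] (also misspelled in -06) with [RFC6888] is correct now that the CGN requirements are published as BCP 127, and the natGroupFragmentObjects entry matches the 'Receive Fragments Out of Order' behaviour the description demands.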
skipping to change at page 79, line 39 skipping to change at page 78, line 5
* natAddrMapNotifyThreshold * natAddrMapNotifyThreshold
* natSubscriberMapNotifyThresh * natSubscriberMapNotifyThresh
Some of the readable objects in this MIB module (i.e., objects with a Some of the readable objects in this MIB module (i.e., objects with a
MAX-ACCESS other than not-accessible) may be considered sensitive or MAX-ACCESS other than not-accessible) may be considered sensitive or
vulnerable in some network environments. It is thus important to vulnerable in some network environments. It is thus important to
control even GET and/or NOTIFY access to these objects and possibly control even GET and/or NOTIFY access to these objects and possibly
to even encrypt the values of these objects when sending them over to even encrypt the values of these objects when sending them over
the network via SNMP. the network via SNMP. These are the tables and objects and their
sensitivity/vulnerability:
There are a number of managed objects in this MIB that may contain Objects that reveal host identities: Various objects can reveal the
information that may be sensitive from a business perspective, in identity of private hosts that are engaged in a session with
that they may represent NAT state information. Various objects can external end nodes. A curious outsider could monitor these to
reveal the identity of private hosts that are engaged in a session assess the number of private hosts being supported by the NAT
with external end nodes. A curious outsider could monitor these to device. Further, a disgruntled former employee of an enterprise
assess the number of private hosts being supported by the NAT device. could use the information to break into specific private hosts by
Further, a disgruntled former employee of an enterprise could use the intercepting the existing sessions or originating new sessions
information to break into specific private hosts by intercepting the into the host.
existing sessions or originating new sessions into the host. There
are no objects that are sensitive in their own right, such as * natMapIntAddrType
passwords or monetary amounts. It may even be important to control
GET access to these objects and possibly to encrypt the values of * natMapIntAddrInt
these objects when they are sent over the network via SNMP. Not all
versions of SNMP provide features for such a secure environment. * natMapIntAddrExt
* natMappingIntRealm
* natMappingIntAddressType
* natMappingIntAddress
* natMappingIntPort
* natMappingMapBehavior
* natMappingFilterBehavior
* natMappingAddressPooling
* natSubscriberIntPrefixType
* natSubscriberIntPrefix
* natSubscriberIntPrefixLength
Other objects that reveal NAT state: Other managed objects in this
MIB may contain information that may be sensitive from a business
perspective, in that they may represent NAT state information.
* natCntAddressMappings
* natCntProtocolMappings
* natPoolUsage
* natPoolRangeAllocatedPorts
* natSubscriberCntMappings
There are no objects that are sensitive in their own right, such as
passwords or monetary amounts.
SNMP versions prior to SNMPv3 did not include adequate security. SNMP versions prior to SNMPv3 did not include adequate security.
Even if the network itself is secure (for example by using IPsec), Even if the network itself is secure (for example by using IPsec),
there is no control as to who on the secure network is allowed to there is no control as to who on the secure network is allowed to
access and GET/SET (read/change/create/delete) the objects in this access and GET/SET (read/change/create/delete) the objects in this
MIB module. MIB module.
Implementations SHOULD provide the security features described by the Implementations SHOULD provide the security features described by the
SNMPv3 framework (see [RFC3410]), and implementations claiming SNMPv3 framework (see [RFC3410]), and implementations claiming
compliance to the SNMPv3 standard MUST include full support for compliance to the SNMPv3 standard MUST include full support for
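Review bot: the new "Other objects that reveal NAT state" list uses names this same revision renamed or removed: natCntAddressMappings is now natAddressMappings in natGroupAddrMapObjects, natSubscriberCntMappings was dropped from natGroupSubscriberObjects, and natCntProtocolMappings no longer appears in natGroupBasicObjects. Update the bullets to the current names, or delete the ones that no longer exist, so the list can be checked against the module. Second, natMapIntAddrType and natMapIntAddrInt are absent from natGroupAddrMapObjects, which suggests they are not-accessible index columns; they still leak the internal address through the instance identifier of every readable column in the same row, so the opening sentence, which scopes the concern to "objects with a MAX-ACCESS other than not-accessible", should say that index values are exposed that way too. The bullet structure is an improvement over the -06 paragraph, but the sentence about a curious outsider assessing "the number of private hosts" now sits under the host-identity heading while that concern belongs with the state counters (natPoolUsage, natPoolRangeAllocatedPorts, the mapping gauges).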
skipping to change at page 80, line 35 skipping to change at page 79, line 38
enable cryptographic security. It is then a customer/operator enable cryptographic security. It is then a customer/operator
responsibility to ensure that the SNMP entity giving access to an responsibility to ensure that the SNMP entity giving access to an
instance of this MIB module is properly configured to give access to instance of this MIB module is properly configured to give access to
the objects only to those principals (users) that have legitimate the objects only to those principals (users) that have legitimate
rights to indeed GET or SET (change/create/delete) them. rights to indeed GET or SET (change/create/delete) them.
6. IANA Considerations 6. IANA Considerations
IANA has assigned object identifier 123 to the natMIB module, with IANA has assigned object identifier 123 to the natMIB module, with
prefix iso.org.dod.internet.mgmt.mib-2 in the Network Management prefix iso.org.dod.internet.mgmt.mib-2 in the Network Management
Parameters registry [1]. Parameters registry [SMI-NUMBERS].
No IANA actions are required by this document.
7. References 7. References
7.1. Normative References 7.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J.
Schoenwaelder, Ed., "Structure of Management Information Schoenwaelder, Ed., "Structure of Management Information
Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.
[RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J.
Schoenwaelder, Ed., "Textual Conventions for SMIv2", STD Schoenwaelder, Ed., "Textual Conventions for SMIv2", STD
58, RFC 2579, April 1999. 58, RFC 2579, April 1999.
[RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
"Conformance Statements for SMIv2", STD 58, RFC 2580, "Conformance Statements for SMIv2", STD 58, RFC 2580,
April 1999. April 1999.
[RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address
Translator (NAT) Terminology and Considerations", RFC
2663, August 1999.
[RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network
Address Translator (Traditional NAT)", RFC 3022, January
2001.
[RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model [RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model
(USM) for version 3 of the Simple Network Management (USM) for version 3 of the Simple Network Management
Protocol (SNMPv3)", STD 62, RFC 3414, December 2002. Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.
[RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie, "The [RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie, "The
Advanced Encryption Standard (AES) Cipher Algorithm in the Advanced Encryption Standard (AES) Cipher Algorithm in the
SNMP User-based Security Model", RFC 3826, June 2004. SNMP User-based Security Model", RFC 3826, June 2004.
[RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
Schoenwaelder, "Textual Conventions for Internet Network Schoenwaelder, "Textual Conventions for Internet Network
skipping to change at page 81, line 47 skipping to change at page 80, line 47
[RFC5592] Harrington, D., Salowey, J., and W. Hardaker, "Secure [RFC5592] Harrington, D., Salowey, J., and W. Hardaker, "Secure
Shell Transport Model for the Simple Network Management Shell Transport Model for the Simple Network Management
Protocol (SNMP)", RFC 5592, June 2009. Protocol (SNMP)", RFC 5592, June 2009.
[RFC6353] Hardaker, W., "Transport Layer Security (TLS) Transport [RFC6353] Hardaker, W., "Transport Layer Security (TLS) Transport
Model for the Simple Network Management Protocol (SNMP)", Model for the Simple Network Management Protocol (SNMP)",
RFC 6353, July 2011. RFC 6353, July 2011.
7.2. Informative References 7.2. Informative References
[RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address
Translator (NAT) Terminology and Considerations", RFC
2663, August 1999.
[RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network
Address Translator (Traditional NAT)", RFC 3022, January
2001.
[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
"Introduction and Applicability Statements for Internet- "Introduction and Applicability Statements for Internet-
Standard Management Framework", RFC 3410, December 2002. Standard Management Framework", RFC 3410, December 2002.
[RFC4008] Rohit, R., Srisuresh, P., Raghunarayan, R., Pai, N., and [RFC4008] Rohit, R., Srisuresh, P., Raghunarayan, R., Pai, N., and
C. Wang, "Definitions of Managed Objects for Network C. Wang, "Definitions of Managed Objects for Network
Address Translators (NAT)", RFC 4008, March 2005. Address Translators (NAT)", RFC 4008, March 2005.
[RFC6333] Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-
Stack Lite Broadband Deployments Following IPv4
Exhaustion", RFC 6333, August 2011.
[RFC6888] Perreault, S., Yamagata, I., Miyakawa, S., Nakagawa, A.,
and H. Ashida, "Common Requirements for Carrier-Grade NATs
(CGNs)", BCP 127, RFC 6888, April 2013.
[SMI-NUMBERS]
, "Network Management Parameters registry at IANA", ,
<http://www.iana.org/assignments/smi-numbers>.
Authors' Addresses Authors' Addresses
Simon Perreault Simon Perreault
Viagenie Viagenie
246 Aberdeen 246 Aberdeen
Quebec, QC G1R 2E1 Quebec, QC G1R 2E1
Canada Canada
Phone: +1 418 656 9254 Phone: +1 418 656 9254
Email: simon.perreault@viagenie.ca Email: simon.perreault@viagenie.ca
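Review bot: the added [SMI-NUMBERS] entry renders as `, "Network Management Parameters registry at IANA", ,` with empty author and date fields; give it an author and drop the empty fields, e.g. `[SMI-NUMBERS] IANA, "Network Management Parameters", <http://www.iana.org/assignments/smi-numbers>.` In Section 6, because this document obsoletes RFC 4008, which holds the mib-2 123 assignment, the new "No IANA actions are required" sentence should instead ask IANA to update the registry's reference for 123 to point at this document. Adding [RFC2119] as normative is consistent with the SHOULD/MUST used in Section 5, provided the usual requirements-language paragraph is present earlier in the draft (not visible in this diff). Moving [RFC2663] and [RFC3022] to informative is appropriate for terminology references, and [RFC6333] and [RFC6888] need to be cited in the body for the entries to be kept.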
 End of changes. 77 change blocks. 
247 lines changed or deleted, 220 lines changed or added.

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/