draft-ietf-rtfm-meter-mib-04.txt   draft-ietf-rtfm-meter-mib-05.txt 
Internet Engineering Task Force Nevil Brownlee Internet Engineering Task Force Nevil Brownlee
INTERNET-DRAFT The University of Auckland INTERNET-DRAFT The University of Auckland
December 1997 Expires January 1999
Traffic Flow Measurement: Meter MIB Traffic Flow Measurement: Meter MIB
<draft-ietf-rtfm-meter-mib-04.txt> <draft-ietf-rtfm-meter-mib-05.txt>
Status of this Memo Status of this Memo
This document is an Internet-Draft. Internet-Drafts are working This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its Areas, and documents of the Internet Engineering Task Force (IETF), its Areas, and
its Working Groups. Note that other groups may also distribute working its Working Groups. Note that other groups may also distribute working
documents as Internet-Drafts. This Internet Draft is a product of the documents as Internet-Drafts. This Internet Draft is a product of the
Realtime Traffic Flow Measurement Working Group of the IETF. Realtime Traffic Flow Measurement Working Group of the IETF.
Internet Drafts are draft documents valid for a maximum of six months. Internet Drafts are draft documents valid for a maximum of six months.
Internet Drafts may be updated, replaced, or obsoleted by other Internet Drafts may be updated, replaced, or obsoleted by other
documents at any time. It is not appropriate to use Internet Drafts as documents at any time. It is not appropriate to use Internet Drafts as
reference material or to cite them other than as a "working draft" or reference material or to cite them other than as a "working draft" or
"work in progress." "work in progress."
To view the entire list of current Internet-Drafts, please check the To view the entire list of current Internet-Drafts, please check the
"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
Directories on ftp.is.co.za (Africa), ftp.nordu.net (Europe), Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern Europe),
munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific Rim),
ftp.isi.edu (US West Coast). ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).
Abstract Abstract
A 'Traffic Meter' collects data relating to traffic flows within a A 'Traffic Meter' collects data relating to traffic flows within a
network. This document defines a Management Information Base (MIB) for network. This document defines a Management Information Base (MIB) for
use in controlling a traffic meter, in particular for specifying the use in controlling a traffic meter, in particular for specifying the
flows to be measured. It also provides an efficient mechanism for flows to be measured. It also provides an efficient mechanism for
retrieving flow data from the meter using SNMP. Security issues retrieving flow data from the meter using SNMP. Security issues
concerning the operation of traffic meters are summarised. concerning the operation of traffic meters are summarised.
Contents Contents
1 Introduction 2 1 Introduction 2
2 The Network Management Framework 2 2 The Network Management Framework 2
3 Objects 3 3 Objects 3
3.1 Format of Definitions . . . . . . . . . . . . . . . . . . . . 4 3.1 Format of Definitions . . . . . . . . . . . . . . . . . . . . . 4
4 Overview 4 4 Overview 4
4.1 Scope of Definitions, Textual Conventions . . . . . . . . . . 4 4.1 Scope of Definitions, Textual Conventions . . . . . . . . . . . 4
4.2 Usage of the MIB variables . . . . . . . . . . . . . . . . . . 5 4.2 Usage of the MIB variables . . . . . . . . . . . . . . . . . . 5
5 Changes Introduced Since RFC 2064 6 5 Definitions 7
6 Definitions 7 6 Security Considerations 44
7 Security Considerations 44 7 Appendix A: Changes Introduced Since RFC 2064 45
8 Acknowledgements 46 8 Acknowledgements 46
9 References 46 9 References 46
10 Author's Address 47 10 Author's Address 47
1 Introduction 1 Introduction
This memo defines a portion of the Management Information Base (MIB) for This memo defines a portion of the Management Information Base (MIB) for
skipping to change at page 6, line 40 skipping to change at page 6, line 40
memory until every meter reader holding a row for that flow's memory until every meter reader holding a row for that flow's
RuleSet has collected the flow's data. RuleSet has collected the flow's data.
- MANAGER INFO: Any manager wishing to run a RuleSet in the meter - MANAGER INFO: Any manager wishing to run a RuleSet in the meter
must create a row in the flowManagerInfo table, specifying the must create a row in the flowManagerInfo table, specifying the
desired RuleSet to run and its corresponding 'standby' Ruleset (if desired RuleSet to run and its corresponding 'standby' Ruleset (if
one is desired). A current RuleSet is 'running' if its one is desired). A current RuleSet is 'running' if its
flowManagerRunningStandby value is false(2), similarly a standby flowManagerRunningStandby value is false(2), similarly a standby
RuleSet is 'running' if flowManagerRunningStandby is true(1). RuleSet is 'running' if flowManagerRunningStandby is true(1).
5 Changes Introduced Since RFC 2064 Times within the meter are in terms of its Uptime, i.e. centiseconds
since the meter started. For meters implemented as self-contained SNMP
The first version of the Meter MIB was published as RFC 2064 in January agents this will be the same as sysUptime, but this may not be true for
1997. The most significant changes since then are summarised below. meters implemented as subagents. Managers can read the meter's Uptime
when neccessary (e.g. to set a TimeFilter value) by setting
- TEXTUAL CONVENTIONS: Greater use is made of textual conventions to flowReaderLastTime, then reading its new value.
describe the various types of addresses used by the meter.
- PACKET MATCHING ATTRIBUTES: Computed attributes (e.g. FlowClass
and FlowKind) may now be tested. This allows one to use these
variables to store information during packet matching.
A new attribute, MatchingStoD, has been added. Its value is 1
while a packet is being matched with its adresses in 'wire'
(source-to-destination) order.
- FLOOD MODE: This is now a read-write variable. Setting it to
false(2) switches the meter out of flood mode and back to normal
operation.
- CONTROL TABLES: Several variables have been added to the RuleSet,
Reader and Manager tables to provide more effective control of the
meter's activities.
- FLOW TABLE: 64-bit counters are used for octet and PDU counts.
This reduces the problems caused by the wrap-around of 32-bit
counters in earlier versions.
flowDataRuleSet is now used as an index to the flow table. This
allows a meter reader to collect only those flow table rows created
by a specified RuleSet.
- DATA PACKAGES: This is a new table, allowing a meter reader to
retrieve values for a list of attributes from a flow as a single
object. When used with SNMP GetBulk requests it provides an
efficient way to recover flow data.
Earlier versions had a 'Column Activity Table;' using this it was
difficult to collect all data for a flow efficiently in a single
SNMP request.
6 Definitions 5 Definitions
FLOW-METER-MIB DEFINITIONS ::= BEGIN FLOW-METER-MIB DEFINITIONS ::= BEGIN
IMPORTS IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, Counter32, Counter64, Integer32 MODULE-IDENTITY, OBJECT-TYPE, Counter32, Counter64, Integer32
FROM SNMPv2-SMI FROM SNMPv2-SMI
TEXTUAL-CONVENTION, RowStatus, TimeStamp, TruthValue TEXTUAL-CONVENTION, RowStatus, TimeStamp, TruthValue
FROM SNMPv2-TC FROM SNMPv2-TC
OBJECT-GROUP, MODULE-COMPLIANCE OBJECT-GROUP, MODULE-COMPLIANCE
FROM SNMPv2-CONF FROM SNMPv2-CONF
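Review bot: The new Uptime paragraph added to section 4.2 in -05 tells managers to read the meter's Uptime "by setting flowReaderLastTime, then reading its new value", but that write has a side effect the paragraph does not mention. Per the flowReaderLastTime DESCRIPTION, the meter moves the old LastTime into PreviousTime, which lets it recover flows inactive since PreviousTime. A manager that writes the object only to learn the time (for example to build a TimeFilter) therefore shifts that reader row's collection window. Suggest saying which row a manager should use for this, or noting the side effect in the paragraph. Also, "neccessary" should be "necessary".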
skipping to change at page 13, line 44 skipping to change at page 13, line 9
return(5), return(5),
gosub(6), gosub(6),
gosubAct(7), gosubAct(7),
assign(8), assign(8),
assignAct(9), assignAct(9),
goto(10), goto(10),
gotoAct(11), gotoAct(11),
pushRuleTo(12), pushRuleTo(12),
pushRuleToAct(13), pushRuleToAct(13),
pushPktTo(14), pushPktTo(14),
pushPktToAct(15) } pushPktToAct(15),
popTo(16),
popToAct(17) }
-- --
-- Control Group: Rule Set Info Table -- Control Group: Rule Set Info Table
-- --
flowRuleSetInfoTable OBJECT-TYPE flowRuleSetInfoTable OBJECT-TYPE
SYNTAX SEQUENCE OF FlowRuleSetInfoEntry SYNTAX SEQUENCE OF FlowRuleSetInfoEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
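Review bot: popTo(16) and popToAct(17) are appended to the action enumeration in -05, but this hunk shows no accompanying text defining what they do, and the "Changes Introduced Since RFC 2064" list (now Appendix A) has no entry for them. Suggest confirming that the enumeration's DESCRIPTION covers both values and adding an item to the change list, since implementers of earlier versions will otherwise meet action codes 16 and 17 with no notice.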
skipping to change at page 19, line 28 skipping to change at page 18, line 46
flowReaderLastTime OBJECT-TYPE flowReaderLastTime OBJECT-TYPE
SYNTAX TimeStamp SYNTAX TimeStamp
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Time this meter reader began its most recent data collection. "Time this meter reader began its most recent data collection.
This variable should be written by a meter reader as its first This variable should be written by a meter reader as its first
step in reading flow data. The meter will set this LastTime step in reading flow data. The meter will set this LastTime
value to sysUptime and set its PreviousTime value (below) to value to its current Uptime, and set its PreviousTime value
the old LastTime. This allows the meter to recover flows (below) to the old LastTime. This allows the meter to
which have been inactive since PreviousTime, for these have recover flows which have been inactive since PreviousTime,
been collected at least once. for these have been collected at least once.
If the meter reader fails to write flowLastReadTime, collection If the meter reader fails to write flowLastReadTime, collection
may still proceed but the meter may not be able to recover may still proceed but the meter may not be able to recover
inactive flows until the flowReaderTimeout has been reached inactive flows until the flowReaderTimeout has been reached
for this entry." for this entry."
::= { flowReaderInfoEntry 4 } ::= { flowReaderInfoEntry 4 }
flowReaderPreviousTime OBJECT-TYPE flowReaderPreviousTime OBJECT-TYPE
SYNTAX TimeStamp SYNTAX TimeStamp
MAX-ACCESS read-only MAX-ACCESS read-only
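Review bot: The second paragraph of the flowReaderLastTime DESCRIPTION still refers to "flowLastReadTime", a name that matches no object shown here; it is identical in -04 and -05. Since this revision already edits the clause (sysUptime becomes "its current Uptime"), suggest correcting the reference to flowReaderLastTime in the same pass.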
skipping to change at page 26, line 46 skipping to change at page 26, line 13
flow table." flow table."
::= { flowDataEntry 1 } ::= { flowDataEntry 1 }
flowDataTimeMark OBJECT-TYPE flowDataTimeMark OBJECT-TYPE
SYNTAX TimeFilter SYNTAX TimeFilter
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A TimeFilter for this entry. Allows GetNext and GetBulk "A TimeFilter for this entry. Allows GetNext and GetBulk
to find flow table rows which have changed since a specified to find flow table rows which have changed since a specified
value of sysUptime." value of the meter's Uptime."
::= { flowDataEntry 2 } ::= { flowDataEntry 2 }
flowDataStatus OBJECT-TYPE flowDataStatus OBJECT-TYPE
SYNTAX INTEGER { inactive(1), current(2) } SYNTAX INTEGER { inactive(1), current(2) }
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS deprecated STATUS deprecated
DESCRIPTION DESCRIPTION
"Status of this flow data record." "Status of this flow data record."
::= { flowDataEntry 3 } ::= { flowDataEntry 3 }
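Review bot: The flowDataTimeMark DESCRIPTION now measures the TimeFilter against "the meter's Uptime" without saying how a reader obtains that value. Section 4.2 notes that it can differ from sysUptime for meters implemented as subagents, so a reader that keeps using sysUptime would supply the wrong filter value. Suggest a cross-reference to flowReaderLastTime in this clause.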
skipping to change at page 44, line 38 skipping to change at page 44, line 5
MANDATORY-GROUPS { MANDATORY-GROUPS {
flowControlGroup2, flowControlGroup2,
flowDataTableGroup2, flowDataTableGroup2,
flowDataPackageGroup, flowDataPackageGroup,
flowRuleTableGroup flowRuleTableGroup
} }
::= { flowMIBCompliances 1 } ::= { flowMIBCompliances 1 }
END END
7 Security Considerations 6 Security Considerations
This MIB describes how an RTFM traffic meter is controlled, and provides This MIB describes how an RTFM traffic meter is controlled, and provides
a way for traffic flow data to be retrieved from it by a meter reader. a way for traffic flow data to be retrieved from it by a meter reader.
This is essentially an application using SNMP as a method of This is essentially an application using SNMP as a method of
communication between co-operating hosts; it does not - in itself - have communication between co-operating hosts; it does not - in itself - have
any inherent security risks. any inherent security risks.
Since, however, the traffic flow data can be extremely valuable for Since, however, the traffic flow data can be extremely valuable for
network management purposes it is vital that sensible precautions be network management purposes it is vital that sensible precautions be
taken to keep the meter and its data secure. This requires that access taken to keep the meter and its data secure. This requires that access
skipping to change at page 46, line 5 skipping to change at page 45, line 20
the counters in a flow to wrap several times between meter the counters in a flow to wrap several times between meter
readings, thus causing the counts to be artificially low. The readings, thus causing the counts to be artificially low. The
change to using 64-bit counters in this MIB reduces this problem change to using 64-bit counters in this MIB reduces this problem
significantly. significantly.
Users can reduce the severity of both the above attacks by ensuring that Users can reduce the severity of both the above attacks by ensuring that
their meters are read often enough to prevent them being flooded. The their meters are read often enough to prevent them being flooded. The
resulting flow data will contain a record of the attacking packets, resulting flow data will contain a record of the attacking packets,
which may well be useful in determining where any attack came from. which may well be useful in determining where any attack came from.
7 Appendix A: Changes Introduced Since RFC 2064
The first version of the Meter MIB was published as RFC 2064 in January
1997. The most significant changes since then are summarised below.
- TEXTUAL CONVENTIONS: Greater use is made of textual conventions to
describe the various types of addresses used by the meter.
- PACKET MATCHING ATTRIBUTES: Computed attributes (e.g. FlowClass
and FlowKind) may now be tested. This allows one to use these
variables to store information during packet matching.
A new attribute, MatchingStoD, has been added. Its value is 1
while a packet is being matched with its adresses in 'wire'
(source-to-destination) order.
- FLOOD MODE: This is now a read-write variable. Setting it to
false(2) switches the meter out of flood mode and back to normal
operation.
- CONTROL TABLES: Several variables have been added to the RuleSet,
Reader and Manager tables to provide more effective control of the
meter's activities.
- FLOW TABLE: 64-bit counters are used for octet and PDU counts.
This reduces the problems caused by the wrap-around of 32-bit
counters in earlier versions.
flowDataRuleSet is now used as an index to the flow table. This
allows a meter reader to collect only those flow table rows created
by a specified RuleSet.
- DATA PACKAGES: This is a new table, allowing a meter reader to
retrieve values for a list of attributes from a flow as a single
object. When used with SNMP GetBulk requests it provides an
efficient way to recover flow data.
Earlier versions had a 'Column Activity Table;' using this it was
difficult to collect all data for a flow efficiently in a single
SNMP request.
8 Acknowledgements 8 Acknowledgements
An early draft of this document was produced under the auspices of the An early draft of this document was produced under the auspices of the
IETF's Accounting Working Group with assistance from the SNMP Working IETF's Accounting Working Group with assistance from the SNMP Working
Group and the Security Area Advisory Group. Particular thanks are due Group and the Security Area Advisory Group. Particular thanks are due
to Jim Barnes, Sig Handelman and Stephen Stibler for their support and to Jim Barnes, Sig Handelman and Stephen Stibler for their support and
their assistance with checking early versions of the MIB. their assistance with checking early versions of the MIB.
Stephen Stibler shared the development workload of producing the MIB Stephen Stibler shared the development workload of producing the MIB
changes summarized in chpter 5 (above). changes summarized in chpter 5 (above).
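Review bot: The Acknowledgements sentence "changes summarized in chpter 5 (above)" is left stale by this move: in -05 the change summary is "7 Appendix A" and section 5 is Definitions. Suggest "Appendix A (above)" and correcting "chpter". The relocated text also carries "adresses" in the MatchingStoD item unchanged, which could be fixed while the section is being moved.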
skipping to change at line 2325 skipping to change at page 47, line 52
1995. 1995.
10 Author's Address 10 Author's Address
Nevil Brownlee Nevil Brownlee
Information Technology Systems & Services Information Technology Systems & Services
The University of Auckland The University of Auckland
Phone: +64 9 373 7599 x8941 Phone: +64 9 373 7599 x8941
E-mail: n.brownlee@auckland.ac.nz E-mail: n.brownlee@auckland.ac.nz
Expires January 1999
 End of changes. 17 change blocks. 
59 lines changed or deleted 68 lines changed or added
