Internet Engineering Task Force (IETF)                           R. Bush
Request for Comments: 6945                     Internet Initiative Japan
Category: Standards Track                                      B. Wijnen
ISSN: 2070-1721                                                 RIPE NCC
                                                                K. Patel
                                                           Cisco Systems
                                                                 M. Baer
                                                                  SPARTA
                                                                May 2013

                 Definitions of Managed Objects for the
      Resource Public Key Infrastructure (RPKI) to Router Protocol

Abstract

   This document defines a portion of the Management Information Base
   (MIB) for use with network management protocols in the Internet
   community.  In particular, it describes objects used for monitoring
   the Resource Public Key Infrastructure (RPKI) to Router Protocol.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc6945.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
       1.1.  Requirements Language
   2.  The Internet-Standard Management Framework
   3.  Overview
   4.  Definitions
   5.  IANA Considerations
   6.  Security Considerations
   7.  References
       7.1.  Normative References
       7.2.  Informative References
   Authors' Addresses
1.  Introduction

   This document defines a portion of the Management Information Base
   (MIB) for use with network management protocols in the Internet
   community.  In particular, it defines objects used for monitoring the
   RPKI-Router Protocol [RFC6810].

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in RFC
   2119 [RFC2119].

2.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].  Managed objects are accessed via a virtual
   information store, termed the Management Information Base or MIB.
   MIB objects are generally accessed through the Simple Network
   Management Protocol (SNMP).  Objects in the MIB are defined using the
   mechanisms defined in the Structure of Management Information (SMI).
   This memo specifies a MIB module that is compliant to the SMIv2,
   which is described in STD 58, RFC 2578 [RFC2578], STD 58, RFC 2579
   [RFC2579], and STD 58, RFC 2580 [RFC2580].

3.  Overview

   The objects defined in this document are used to monitor the RPKI-
   Router Protocol [RFC6810].  The MIB module defined here is broken
   into these tables: the RPKI-Router Cache Server (Connection) Table,
   the RPKI-Router Cache Server Errors Table, and the RPKI-Router Prefix
   Origin Table.

   The RPKI-Router Cache Server Table contains information about the
   state and current activity of connections with the RPKI-router cache
   servers.  It also contains counters for the number of messages
   received and sent, plus the number of announcements, withdrawals, and
   active records.  The RPKI-Router Cache Server Errors Table contains
   counters of occurrences of errors on the connections (if any).  The
   RPKI-Router Prefix Origin Table contains IP prefixes with their
   minimum and maximum prefix lengths and the Origin Autonomous System
   (AS).  This data is the collective set of information received from
   all RPKI cache servers that the router is connected with.  The cache
   servers are running the RPKI-Router Protocol.

   Two notifications have been defined to inform a Network Management
   Station (NMS) or operators about changes in the connection state of
   the connections listed in the RPKI-Router Cache Server (Connection)
   Table.

4.  Definitions

   The following MIB module imports definitions from [RFC2578],
   [RFC2579], [RFC2580], [RFC4001], and [RFC2287].  That means we have a
   normative reference to each of those documents.

   The MIB module also has a normative reference to the RPKI-Router
   Protocol [RFC6810].  Furthermore, for background and informative
   information, the MIB module refers to [RFC1982], [RFC4252],
   [RFC5246], and [RFC5925].
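   The module that follows places several obligations on a management
   station that polls the cache server table: Counter32 objects are only
   comparable among values received since the time in
   rpkiRtrDiscontinuityTimer and may roll over; rpkiRtrCacheServerLatestSerial
   wraps to zero, so serials must be compared with RFC 1982 serial number
   arithmetic; rpkiRtrCacheServerTimeToRefresh goes negative when a refresh
   is overdue and stops decrementing at the most negative Integer32; and a
   lower rpkiRtrCacheServerPreference is more preferred, with the Unsigned32
   maximum meaning no preference was configured.  The Python below is an
   added example, not part of RFC 6945 or of any RPKI-Router implementation;
   the CacheServerSample class, its field names and the sample polls are
   constructed for the illustration, and no SNMP library is involved.

```python
"""Added example (not part of RFC 6945): how a management station should
consume values polled from the RPKI-ROUTER-MIB cache server table.

The samples below are constructed; nothing here talks to a real agent.
"""
from dataclasses import dataclass, replace
from typing import List, Optional

COUNTER32_MODULUS = 2 ** 32
UNSIGNED32_MAX = 2 ** 32 - 1          # DEFVAL of rpkiRtrCacheServerPreference
INTEGER32_MIN = -(2 ** 31)            # floor of rpkiRtrCacheServerTimeToRefresh
SERIAL_HALF = 2 ** 31                 # RFC 1982 with SERIAL_BITS = 32


@dataclass(frozen=True)
class CacheServerSample:
    """One poll of a rpkiRtrCacheServerTableEntry row (field names are ours)."""
    server_id: int           # rpkiRtrCacheServerId
    preference: int          # rpkiRtrCacheServerPreference
    v4_announcements: int    # rpkiRtrCacheServerV4Announcements (Counter32)
    latest_serial: int       # rpkiRtrCacheServerLatestSerial (Unsigned32)
    time_to_refresh: int     # rpkiRtrCacheServerTimeToRefresh (Integer32, s)
    discontinuity_time: int  # rpkiRtrDiscontinuityTimer (sysUpTime ticks)


def counter32_delta(prev: CacheServerSample, cur: CacheServerSample) -> Optional[int]:
    """IPv4 announcements seen between two polls of the same row.

    Returns None if rpkiRtrDiscontinuityTimer changed between the polls:
    the MIB says only values received since that timestamp are comparable,
    so the pair must be discarded rather than differenced.  Otherwise the
    subtraction is done modulo 2^32 so a Counter32 that rolled over still
    yields the true count (valid while fewer than 2^32 events occur per
    polling interval).
    """
    if cur.discontinuity_time != prev.discontinuity_time:
        return None
    return (cur.v4_announcements - prev.v4_announcements) % COUNTER32_MODULUS


def serial_newer(a: int, b: int) -> bool:
    """True if serial a is later than serial b under RFC 1982 arithmetic.

    rpkiRtrCacheServerLatestSerial wraps to zero at its maximum, so a plain
    '>' would report a freshly wrapped serial as older than the previous one.
    """
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def tick_time_to_refresh(value: int, elapsed_seconds: int) -> int:
    """Advance rpkiRtrCacheServerTimeToRefresh by elapsed_seconds.

    Negative values mean the refresh is overdue; per the DESCRIPTION the
    object stops decrementing at the maximum negative Integer32 value.
    """
    return max(INTEGER32_MIN, value - elapsed_seconds)


def order_by_preference(rows: List[CacheServerSample]) -> List[int]:
    """Server IDs from most to least preferred (lower value = more preferred).

    Rows with no configured preference carry UNSIGNED32_MAX and sort last.
    Equal preferences are 'arbitrary' per the MIB; server_id is used only as
    a tie-breaker so the result is reproducible.
    """
    return [r.server_id for r in sorted(rows, key=lambda r: (r.preference, r.server_id))]


# Constructed polls: the counter sits just below 2^32 in PREV and has wrapped
# in CUR; the serial has wrapped as well; the refresh is 30 s overdue.
PREV = CacheServerSample(1, 10, COUNTER32_MODULUS - 6, UNSIGNED32_MAX, 300, 0)
CUR = CacheServerSample(1, 10, 4, 3, -30, 0)
CUR_RESTARTED = replace(CUR, discontinuity_time=500)   # agent restarted in between
SAMPLES = [
    CacheServerSample(3, UNSIGNED32_MAX, 0, 0, 0, 0),  # no preference configured
    CacheServerSample(2, 10, 0, 0, 0, 0),
    CacheServerSample(1, 10, 0, 0, 0, 0),
]

if __name__ == "__main__":
    print("announcements since last poll:", counter32_delta(PREV, CUR))
    print("after agent restart:", counter32_delta(PREV, CUR_RESTARTED))
    print("serial moved forward:", serial_newer(CUR.latest_serial, PREV.latest_serial))
    print("refresh overdue by", -CUR.time_to_refresh, "s")
    print("polling order:", order_by_preference(SAMPLES))
```

   The discontinuity check compares the two polled values of
   rpkiRtrDiscontinuityTimer directly; a poller that records sysUpTime at
   each poll can instead test whether the discontinuity timestamp falls
   after the previous poll, which is the same decision stated the other
   way round.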
RPKI-ROUTER-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE,
    Integer32, Unsigned32, mib-2, Gauge32, Counter32
        FROM SNMPv2-SMI                              -- RFC 2578
    InetAddressType, InetAddress, InetPortNumber,
    InetAddressPrefixLength, InetAutonomousSystemNumber
        FROM INET-ADDRESS-MIB                        -- RFC 4001
    TEXTUAL-CONVENTION, TimeStamp
        FROM SNMPv2-TC                               -- RFC 2579
    MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
        FROM SNMPv2-CONF                             -- RFC 2580
    LongUtf8String FROM SYSAPPL-MIB                  -- RFC 2287
    ;

rpkiRtrMIB MODULE-IDENTITY
    LAST-UPDATED "201305010000Z"
    ORGANIZATION "IETF Secure Inter-Domain Routing (SIDR)
                  Working Group
                 "
    CONTACT-INFO "Working Group Email: sidr@ietf.org

                  Randy Bush
                  Internet Initiative Japan
                  5147 Crystal Springs
                  Bainbridge Island, WA 98110
                  USA
                  Email: randy@psg.com

                  Bert Wijnen
                  RIPE NCC
                  Schagen 33
                  3461 GL Linschoten
                  Netherlands
                  Email: bertietf@bwijnen.net

skipping to change at page 5, line 11

                  170 W. Tasman Drive
                  San Jose, CA 95134
                  USA
                  Email: keyupate@cisco.com

                  Michael Baer
                  SPARTA
                  P.O. Box 72682
                  Davis, CA 95617
                  USA
                  Email: baerm@tislabs.com
                 "
    DESCRIPTION  "This MIB module contains management objects to
                  support monitoring of the Resource Public Key
                  Infrastructure (RPKI) protocol on routers.

                  Copyright (c) 2013 IETF Trust and the persons
                  identified as authors of the code.  All rights
                  reserved.

                  Redistribution and use in source and binary
                  forms, with or without modification, is
                  permitted pursuant to, and subject to the
                  license terms contained in, the Simplified BSD
                  License set forth in Section 4.c of the IETF
                  Trust's Legal Provisions Relating to IETF
                  Documents
                  (http://trustee.ietf.org/license-info).

                  This version of this MIB module is part of
                  RFC 6945; see the RFC itself for full legal
                  notices."

    REVISION     "201305010000Z"
    DESCRIPTION  "Initial version, published as RFC 6945."
    ::= { mib-2 218 }

rpkiRtrNotifications OBJECT IDENTIFIER ::= { rpkiRtrMIB 0 }
rpkiRtrObjects       OBJECT IDENTIFIER ::= { rpkiRtrMIB 1 }
rpkiRtrConformance   OBJECT IDENTIFIER ::= { rpkiRtrMIB 2 }

-- ==============================================================
-- Textual Conventions used in this MIB module
-- ==============================================================

RpkiRtrConnectionType ::= TEXTUAL-CONVENTION
    STATUS       current
    DESCRIPTION "The connection type used between a router (as a
                 client) and a cache server.

                 The following types have been defined in RFC 6810:
                   ssh(1)    - Section 7.1; see also RFC 4252.
                   tls(2)    - Section 7.2; see also RFC 5246.
                   tcpMD5(3) - Section 7.3; see also RFC 2385.
                   tcpAO(4)  - Section 7.4; see also RFC 5925.
                   tcp(5)    - Section 7.
                   ipsec(6)  - Section 7; see also RFC 4301.
                   other(7)  - none of the above."
    REFERENCE   "The RPKI-Router Protocol, RFC 6810, Section 7"
    SYNTAX      INTEGER {
                  ssh(1),
                  tls(2),
                  tcpMD5(3),
                  tcpAO(4),
                  tcp(5),
                  ipsec(6),
                  other(7)
                }
skipping to change at page 6, line 40

    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION "This timer represents the timestamp (value
                 of sysUpTime) at which time any of the
                 Counter32 objects in this MIB module
                 encountered a discontinuity.

                 For objects that use rpkiRtrDiscontinuityTimer to
                 indicate discontinuity, only values received since
                 the time indicated by rpkiRtrDiscontinuityTimer are
                 comparable to each other.  A manager should take the
                 possibility of rollover into account when
                 calculating difference values.

                 In principle, that should only happen if the
                 SNMP agent or the instrumentation for this
                 MIB module starts or restarts."
    ::= { rpkiRtrObjects 1 }

-- ==============================================================
-- RPKI-Router Cache Server Connection Table
-- ==============================================================

rpkiRtrCacheServerTable OBJECT-TYPE
    SYNTAX       SEQUENCE OF RpkiRtrCacheServerTableEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "This table lists the RPKI cache servers
                 known to this router/system."
    ::= { rpkiRtrObjects 2 }

rpkiRtrCacheServerTableEntry OBJECT-TYPE
    SYNTAX       RpkiRtrCacheServerTableEntry

skipping to change at page 8, line 17

    rpkiRtrCacheServerId                  Unsigned32
}

rpkiRtrCacheServerRemoteAddressType OBJECT-TYPE
    SYNTAX       InetAddressType
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "The network address type of the connection
                 to this RPKI cache server.

                 Note: Only IPv4, IPv6, and DNS support are required
                 for read-only compliance with RFC 6945."
    ::= { rpkiRtrCacheServerTableEntry 1 }

rpkiRtrCacheServerRemoteAddress OBJECT-TYPE
    SYNTAX       InetAddress
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "The remote network address for this connection
                 to this RPKI cache server.

                 The format of the address is defined by the

skipping to change at page 9, line 5

                 to this RPKI cache server."
    ::= { rpkiRtrCacheServerTableEntry 3 }

rpkiRtrCacheServerLocalAddressType OBJECT-TYPE
    SYNTAX       InetAddressType
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION "The network address type of the connection
                 to this RPKI cache server.

                 Note: Only IPv4, IPv6, and DNS support are required
                 for read-only compliance with RFC 6945."
    ::= { rpkiRtrCacheServerTableEntry 4 }

rpkiRtrCacheServerLocalAddress OBJECT-TYPE
    SYNTAX       InetAddress
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION "The local network address for this connection
                 to this RPKI cache server.

                 The format of the address is defined by the

skipping to change at page 9, line 32

                 of type dns (fqdn), then the router will resolve it
                 at the time it connects to the cache server."
    ::= { rpkiRtrCacheServerTableEntry 5 }

rpkiRtrCacheServerLocalPort OBJECT-TYPE
    SYNTAX       InetPortNumber (1..65535)
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION "The local port number for this connection
                 to this RPKI cache server."
    ::= { rpkiRtrCacheServerTableEntry 6 }

rpkiRtrCacheServerPreference OBJECT-TYPE
    SYNTAX       Unsigned32
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION "The routers' preference for this RPKI cache server.
                 A lower value means more preferred.  If two entries
                 have the same preference, then the order is
                 arbitrary.

                 In two cases, the maximum value for an Unsigned32
                 object should be returned for this object:
                 - If no order is specified in the RPKI-Router
                   configuration.
                 - If a preference value is configured that is
                   larger than the max value for an Unsigned32
                   object."
    REFERENCE   "The RPKI-Router Protocol, RFC 6810, Section 8."
    DEFVAL      { 4294967295 }
    ::= { rpkiRtrCacheServerTableEntry 7 }

rpkiRtrCacheServerConnectionType OBJECT-TYPE
    SYNTAX       RpkiRtrConnectionType
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION "The connection type or transport security suite
                 in use for this RPKI cache server."
    ::= { rpkiRtrCacheServerTableEntry 8 }
skipping to change at page 11, line 40 skipping to change at page 11, line 18
STATUS current STATUS current
DESCRIPTION "Number of active IPv4 records received from DESCRIPTION "Number of active IPv4 records received from
this RPKI cache server via this connection." this RPKI cache server via this connection."
::= { rpkiRtrCacheServerTableEntry 13 } ::= { rpkiRtrCacheServerTableEntry 13 }
rpkiRtrCacheServerV4Announcements OBJECT-TYPE rpkiRtrCacheServerV4Announcements OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION "The number of IPv4 records announced by the DESCRIPTION "The number of IPv4 records announced by the
RPKI cache Server via this connection. RPKI cache server via this connection.
Discontinuities are indicated by the value Discontinuities are indicated by the value
of rpkiRtrDiscontinuityTimer." of rpkiRtrDiscontinuityTimer."
::= { rpkiRtrCacheServerTableEntry 14 } ::= { rpkiRtrCacheServerTableEntry 14 }
rpkiRtrCacheServerV4Withdrawals OBJECT-TYPE rpkiRtrCacheServerV4Withdrawals OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION "The number of IPv4 records withdrawn by the DESCRIPTION "The number of IPv4 records withdrawn by the
RPKI cache Server via this connection. RPKI cache server via this connection.
Discontinuities are indicated by the value Discontinuities are indicated by the value
of rpkiRtrDiscontinuityTimer." of rpkiRtrDiscontinuityTimer."
::= { rpkiRtrCacheServerTableEntry 15 } ::= { rpkiRtrCacheServerTableEntry 15 }
rpkiRtrCacheServerV6ActiveRecords OBJECT-TYPE rpkiRtrCacheServerV6ActiveRecords OBJECT-TYPE
SYNTAX Gauge32 SYNTAX Gauge32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION "Number of active IPv6 records received from DESCRIPTION "Number of active IPv6 records received from
this RPKI cache server via this connection." this RPKI cache server via this connection."
::= { rpkiRtrCacheServerTableEntry 16 } ::= { rpkiRtrCacheServerTableEntry 16 }
rpkiRtrCacheServerV6Announcements OBJECT-TYPE rpkiRtrCacheServerV6Announcements OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION "The number of IPv6 records announced by the DESCRIPTION "The number of IPv6 records announced by the
RPKI cache Server via this connection. RPKI cache server via this connection.
Discontinuities are indicated by the value Discontinuities are indicated by the value
of rpkiRtrDiscontinuityTimer." of rpkiRtrDiscontinuityTimer."
::= { rpkiRtrCacheServerTableEntry 17 } ::= { rpkiRtrCacheServerTableEntry 17 }
rpkiRtrCacheServerV6Withdrawals OBJECT-TYPE rpkiRtrCacheServerV6Withdrawals OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION "The number of IPv6 records withdrawn by the DESCRIPTION "The number of IPv6 records withdrawn by the
RPKI cache Server via this connection. RPKI cache server via this connection.
Discontinuities are indicated by the value Discontinuities are indicated by the value
of rpkiRtrDiscontinuityTimer." of rpkiRtrDiscontinuityTimer."
::= { rpkiRtrCacheServerTableEntry 18 } ::= { rpkiRtrCacheServerTableEntry 18 }
rpkiRtrCacheServerLatestSerial OBJECT-TYPE rpkiRtrCacheServerLatestSerial OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION "The latest serial number of data received from DESCRIPTION "The latest serial number of data received from
this RPKI server on this connection. this RPKI server on this connection.
Note: this value wraps back to zero when it Note: this value wraps back to zero when it
reaches its maximum value." reaches its maximum value."
REFERENCE "RFC6810 section 2 and RFC1982" REFERENCE "RFC 1982 and RFC 6810, Section 2"
-- RFC-Editor: please fill out nnnn with the RFC number assigned
-- to draft-ietf-sidr-rpki-rtr-nn.txt
::= { rpkiRtrCacheServerTableEntry 19 } ::= { rpkiRtrCacheServerTableEntry 19 }
rpkiRtrCacheServerSessionID OBJECT-TYPE rpkiRtrCacheServerSessionID OBJECT-TYPE
SYNTAX Unsigned32 (0..65535) SYNTAX Unsigned32 (0..65535)
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION "The Session ID associated with the RPKI cache DESCRIPTION "The Session ID associated with the RPKI cache
server at the other end of this connection." server at the other end of this connection."
REFERENCE "RFC6810 section 2" REFERENCE "RFC 6810, Section 2"
::= { rpkiRtrCacheServerTableEntry 20 } ::= { rpkiRtrCacheServerTableEntry 20 }
rpkiRtrCacheServerRefreshTimer OBJECT-TYPE rpkiRtrCacheServerRefreshTimer OBJECT-TYPE
SYNTAX Unsigned32 (60..7200) SYNTAX Unsigned32 (60..7200)
UNITS "seconds" UNITS "seconds"
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION "The number of seconds configured for the refresh DESCRIPTION "The number of seconds configured for the refresh
timer for this connection to this RPKI cache timer for this connection to this RPKI cache
server." server."
REFERENCE "RFC6810 section 8, section 6.1" REFERENCE "RFC 6810, Sections 6.1 and 8"
::= { rpkiRtrCacheServerTableEntry 21 } ::= { rpkiRtrCacheServerTableEntry 21 }
rpkiRtrCacheServerTimeToRefresh OBJECT-TYPE rpkiRtrCacheServerTimeToRefresh OBJECT-TYPE
SYNTAX Integer32 SYNTAX Integer32
UNITS "seconds" UNITS "seconds"
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION "The number of seconds remaining before a new DESCRIPTION "The number of seconds remaining before a new
refresh is performed via a Serial Query to refresh is performed via a Serial Query to
this cache server over this connection. this cache server over this connection.
A negative value means that the refresh time has A negative value means that the refresh time has
passed this many seconds and the refresh has not passed this many seconds and the refresh has not
yet been completed. It will stop decrementing at yet been completed. It will stop decrementing at
the maximum negative value. the maximum negative value.
Upon a completed refresh (i.e. a successful Upon a completed refresh (i.e., a successful
and complete response to a Serial Query) the and complete response to a Serial Query) the
value of this attribute will be re-initialized value of this attribute will be reinitialized
with the value of the corresponding with the value of the corresponding
rpkiRtrCacheServerRefreshTimer attribute." rpkiRtrCacheServerRefreshTimer attribute."
REFERENCE "RFC6810 section 8" REFERENCE "RFC 6810, Section 8"
::= { rpkiRtrCacheServerTableEntry 22 } ::= { rpkiRtrCacheServerTableEntry 22 }
rpkiRtrCacheServerId OBJECT-TYPE rpkiRtrCacheServerId OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295) SYNTAX Unsigned32 (1..4294967295)
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION "The unique ID for this connection. DESCRIPTION "The unique ID for this connection.
An implementation must make sure this ID is unique An implementation must make sure this ID is unique
within this table. It is this ID that can be used within this table. It is this ID that can be used
to find entries in the rpkiRtrPrefixOriginTable to find entries in the rpkiRtrPrefixOriginTable
that were created by announcements received on that were created by announcements received on
this connection from this cache server." this connection from this cache server."
REFERENCE "RFC6810 section 4" REFERENCE "RFC 6810, Section 4"
::= { rpkiRtrCacheServerTableEntry 23 } ::= { rpkiRtrCacheServerTableEntry 23 }
-- ============================================================== -- ==============================================================
-- Errors Table -- Errors Table
-- ============================================================== -- ==============================================================
rpkiRtrCacheServerErrorsTable OBJECT-TYPE rpkiRtrCacheServerErrorsTable OBJECT-TYPE
SYNTAX SEQUENCE OF RpkiRtrCacheServerErrorsTableEntry SYNTAX SEQUENCE OF RpkiRtrCacheServerErrorsTableEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION "This table provides statistics on errors per DESCRIPTION "This table provides statistics on errors per
RPKI peer connection. These can be used for RPKI peer connection. These can be used for
debugging." debugging."
::= { rpkiRtrObjects 3 } ::= { rpkiRtrObjects 3 }
rpkiRtrCacheServerErrorsTableEntry OBJECT-TYPE rpkiRtrCacheServerErrorsTableEntry OBJECT-TYPE
SYNTAX RpkiRtrCacheServerErrorsTableEntry SYNTAX RpkiRtrCacheServerErrorsTableEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION "An entry in the rpkiCacheServerErrorTable. It DESCRIPTION "An entry in the rpkiCacheServerErrorTable. It
holds management objects associated with errors holds management objects associated with errors
codes that were received on the specified codes that were received on the specified
connection to a specific cache server." connection to a specific cache server."
REFERENCE "RFC6810 section 10" REFERENCE "RFC 6810, Section 10"
AUGMENTS { rpkiRtrCacheServerTableEntry } AUGMENTS { rpkiRtrCacheServerTableEntry }
::= { rpkiRtrCacheServerErrorsTable 1 } ::= { rpkiRtrCacheServerErrorsTable 1 }
RpkiRtrCacheServerErrorsTableEntry ::= SEQUENCE { RpkiRtrCacheServerErrorsTableEntry ::= SEQUENCE {
rpkiRtrCacheServerErrorsCorruptData Counter32, rpkiRtrCacheServerErrorsCorruptData Counter32,
rpkiRtrCacheServerErrorsInternalError Counter32, rpkiRtrCacheServerErrorsInternalError Counter32,
rpkiRtrCacheServerErrorsNoData Counter32, rpkiRtrCacheServerErrorsNoData Counter32,
rpkiRtrCacheServerErrorsInvalidRequest Counter32, rpkiRtrCacheServerErrorsInvalidRequest Counter32,
rpkiRtrCacheServerErrorsUnsupportedVersion Counter32, rpkiRtrCacheServerErrorsUnsupportedVersion Counter32,
rpkiRtrCacheServerErrorsUnsupportedPdu Counter32, rpkiRtrCacheServerErrorsUnsupportedPdu Counter32,
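Review bot: the rpkiRtrCacheServerId DESCRIPTION (first object in this hunk) requires the ID to be unique within the table but never says whether a value may be reused once its cache server is removed from the configuration, even though rpkiRtrPrefixOriginTable rows are keyed to it and are deleted on that removal; suggest adding the reuse rule, e.g. "An ID is not reused for a different cache server while rpkiRtrPrefixOriginTable rows referencing it exist". Separately, the rpkiRtrCacheServerErrorsTableEntry DESCRIPTION refers to "rpkiCacheServerErrorTable", which is not an object defined here (the table is rpkiRtrCacheServerErrorsTable) and both columns carry the stale name; in the same sentence "errors codes" should read "error codes".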
skipping to change at page 17, line 4 skipping to change at page 16, line 26
errors received from the RPKI cache server at errors received from the RPKI cache server at
the other end of this connection. the other end of this connection.
Discontinuities are indicated by the value Discontinuities are indicated by the value
of rpkiRtrDiscontinuityTimer." of rpkiRtrDiscontinuityTimer."
::= { rpkiRtrCacheServerErrorsTableEntry 8 } ::= { rpkiRtrCacheServerErrorsTableEntry 8 }
-- ============================================================== -- ==============================================================
-- The rpkiRtrPrefixOriginTable -- The rpkiRtrPrefixOriginTable
-- ============================================================== -- ==============================================================
rpkiRtrPrefixOriginTable OBJECT-TYPE rpkiRtrPrefixOriginTable OBJECT-TYPE
SYNTAX SEQUENCE OF RpkiRtrPrefixOriginTableEntry SYNTAX SEQUENCE OF RpkiRtrPrefixOriginTableEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION "This table lists the prefixes that were DESCRIPTION "This table lists the prefixes that were
announced by RPKI cache servers to this system. announced by RPKI cache servers to this system.
That is the prefixes and their Origin ASN That is the prefixes and their Origin Autonomous
as received by announcements via the System Number (ASN) as received by announcements
rpki-rtr protocol." via the RPKI-Router Protocol."
::= { rpkiRtrObjects 4 } ::= { rpkiRtrObjects 4 }
rpkiRtrPrefixOriginTableEntry OBJECT-TYPE rpkiRtrPrefixOriginTableEntry OBJECT-TYPE
SYNTAX RpkiRtrPrefixOriginTableEntry SYNTAX RpkiRtrPrefixOriginTableEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION "An entry in the rpkiRtrPrefixOriginTable. This DESCRIPTION "An entry in the rpkiRtrPrefixOriginTable. This
represents one announced prefix. If a Cache Server represents one announced prefix. If a cache server
is removed from the local configuration, any table is removed from the local configuration, any table
rows associated with that server (indicated by rows associated with that server (indicated by
rpkiRtrPrefixOriginCacheServerId) are also removed rpkiRtrPrefixOriginCacheServerId) are also removed
from this table. from this table.
Implementers should be aware that if the Implementers should be aware that if the
rpkiRtrPrefixOriginAddress object exceeds 111 rpkiRtrPrefixOriginAddress object exceeds 111
octets, the index values will exceed the 128 octets, the index values will exceed the 128
sub-identifier limit and cannot be accessed using sub-identifier limit and cannot be accessed using
SNMPv1, SNMPv2c, or SNMPv3." SNMPv1, SNMPv2c, or SNMPv3."
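Review bot: the rpkiRtrPrefixOriginTable DESCRIPTION describes its rows as prefixes and origin ASNs "as received by announcements via the RPKI-Router Protocol", whereas the rpkiRtrPrefixOriginGroup description further down calls them "validated Origin ASes"; the router only receives the cache's output and performs no validation itself, so the group text should use the same "received from cache servers" wording rather than imply the router validated anything. The 111-octet index caveat in the entry DESCRIPTION is correct but can only arise for address types other than the ipv4 and ipv6 that the compliance statement requires for rpkiRtrPrefixOriginAddressType (a 4- or 16-octet address is nowhere near the limit), which is worth saying so implementers of the required types do not look for a problem that cannot occur.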
skipping to change at page 18, line 6 skipping to change at page 17, line 29
rpkiRtrPrefixOriginMinLength InetAddressPrefixLength, rpkiRtrPrefixOriginMinLength InetAddressPrefixLength,
rpkiRtrPrefixOriginMaxLength InetAddressPrefixLength, rpkiRtrPrefixOriginMaxLength InetAddressPrefixLength,
rpkiRtrPrefixOriginASN InetAutonomousSystemNumber, rpkiRtrPrefixOriginASN InetAutonomousSystemNumber,
rpkiRtrPrefixOriginCacheServerId Unsigned32 rpkiRtrPrefixOriginCacheServerId Unsigned32
} }
rpkiRtrPrefixOriginAddressType OBJECT-TYPE rpkiRtrPrefixOriginAddressType OBJECT-TYPE
SYNTAX InetAddressType SYNTAX InetAddressType
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION "The network Address Type for this prefix. DESCRIPTION "The network address type for this prefix.
Note: Only IPv4 and IPv6 support are required Note: Only IPv4 and IPv6 support are required
for RFCxxxx read only compliance." for read-only compliance with RFC 6945."
::= { rpkiRtrPrefixOriginTableEntry 1 } ::= { rpkiRtrPrefixOriginTableEntry 1 }
rpkiRtrPrefixOriginAddress OBJECT-TYPE rpkiRtrPrefixOriginAddress OBJECT-TYPE
SYNTAX InetAddress SYNTAX InetAddress
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION "The network Address for this prefix. DESCRIPTION "The network address for this prefix.
The format of the address is defined by the The format of the address is defined by the
value of the corresponding instance of value of the corresponding instance of
rpkiRtrPrefixOriginAddressType." rpkiRtrPrefixOriginAddressType."
::= { rpkiRtrPrefixOriginTableEntry 2 } ::= { rpkiRtrPrefixOriginTableEntry 2 }
rpkiRtrPrefixOriginMinLength OBJECT-TYPE rpkiRtrPrefixOriginMinLength OBJECT-TYPE
SYNTAX InetAddressPrefixLength SYNTAX InetAddressPrefixLength
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
skipping to change at page 20, line 18 skipping to change at page 19, line 40
-- ============================================================== -- ==============================================================
-- Module Compliance information -- Module Compliance information
-- ============================================================== -- ==============================================================
rpkiRtrCompliances OBJECT IDENTIFIER ::= rpkiRtrCompliances OBJECT IDENTIFIER ::=
{rpkiRtrConformance 1} {rpkiRtrConformance 1}
rpkiRtrGroups OBJECT IDENTIFIER ::= rpkiRtrGroups OBJECT IDENTIFIER ::=
{rpkiRtrConformance 2} {rpkiRtrConformance 2}
rpkiRtrRFCxxxxReadOnlyCompliance MODULE-COMPLIANCE rpkiRtrRFC6945ReadOnlyCompliance MODULE-COMPLIANCE
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The compliance statement for the rpkiRtrMIB module. There "The compliance statement for the rpkiRtrMIB module. There
are only read-only objects in this MIB module, so the are only read-only objects in this MIB module, so the
'ReadOnly' in the name of this compliance statement is there 'ReadOnly' in the name of this compliance statement is there
only for clarity and truth in advertising. only for clarity and truth in advertising.
There are a number of INDEX objects that cannot be There are a number of INDEX objects that cannot be
represented in the form of OBJECT clauses in SMIv2, but for represented in the form of OBJECT clauses in SMIv2, but for
which there are compliance requirements. Those requirements which there are compliance requirements. Those requirements
and similar requirements for related objects are expressed and similar requirements for related objects are expressed
below, in pseudo-OBJECT clause form, in this description: below, in pseudo-OBJECT clause form, in this description:
-- OBJECT rpkiRtrCacheServerRemoteAddressType -- OBJECT rpkiRtrCacheServerRemoteAddressType
-- SYNTAX InetAddressType { ipv4(1), ipv6(2), dns(16) } -- SYNTAX InetAddressType { ipv4(1), ipv6(2), dns(16) }
-- DESCRIPTION -- DESCRIPTION
-- The MIB requires support for the IPv4, IPv6 and DNS -- The MIB requires support for the IPv4, IPv6, and DNS
-- InetAddressTypes's for this object. -- InetAddressTypes for this object.
-- OBJECT rpkiRtrCacheServerLocalAddressType -- OBJECT rpkiRtrCacheServerLocalAddressType
-- SYNTAX InetAddressType { ipv4(1), ipv6(2), dns(16) } -- SYNTAX InetAddressType { ipv4(1), ipv6(2), dns(16) }
-- DESCRIPTION -- DESCRIPTION
-- The MIB requires support for the IPv4, IPv6 and DNS -- The MIB requires support for the IPv4, IPv6, and DNS
-- InetAddressTypes's for this object. -- InetAddressTypes for this object.
-- OBJECT rpkiRtrPrefixOriginAddressType -- OBJECT rpkiRtrPrefixOriginAddressType
-- SYNTAX InetAddressType { ipv4(1), ipv6(2) } -- SYNTAX InetAddressType { ipv4(1), ipv6(2) }
-- DESCRIPTION -- DESCRIPTION
-- The MIB requires support for the IPv4 and IPv6 -- The MIB requires support for the IPv4, and IPv6
-- InetAddressTypes's for this object. -- InetAddressTypes for this object.
" "
MODULE -- This module MODULE -- This module
MANDATORY-GROUPS { rpkiRtrCacheServerGroup, MANDATORY-GROUPS { rpkiRtrCacheServerGroup,
rpkiRtrPrefixOriginGroup, rpkiRtrPrefixOriginGroup,
rpkiRtrNotificationsGroup rpkiRtrNotificationsGroup
} }
GROUP rpkiRtrCacheServerErrorsGroup GROUP rpkiRtrCacheServerErrorsGroup
DESCRIPTION "Implementation of this group is optional and DESCRIPTION "Implementation of this group is optional and
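Review bot: the right column's pseudo-OBJECT clause for rpkiRtrPrefixOriginAddressType now reads "the IPv4, and IPv6 InetAddressTypes", a stray comma introduced by the edit; the left column's "IPv4 and IPv6" was correct, and the serial comma belongs only in the three-item lists of the two rpkiRtrCacheServer address-type clauses above it. Suggest "The MIB requires support for the IPv4 and IPv6 InetAddressTypes for this object."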
skipping to change at page 22, line 9 skipping to change at page 21, line 31
rpkiRtrCacheServerErrorsInternalError, rpkiRtrCacheServerErrorsInternalError,
rpkiRtrCacheServerErrorsNoData, rpkiRtrCacheServerErrorsNoData,
rpkiRtrCacheServerErrorsInvalidRequest, rpkiRtrCacheServerErrorsInvalidRequest,
rpkiRtrCacheServerErrorsUnsupportedVersion, rpkiRtrCacheServerErrorsUnsupportedVersion,
rpkiRtrCacheServerErrorsUnsupportedPdu, rpkiRtrCacheServerErrorsUnsupportedPdu,
rpkiRtrCacheServerErrorsWithdrawalUnknown, rpkiRtrCacheServerErrorsWithdrawalUnknown,
rpkiRtrCacheServerErrorsDuplicateAnnounce rpkiRtrCacheServerErrorsDuplicateAnnounce
} }
STATUS current STATUS current
DESCRIPTION "The collection of objects that may help in DESCRIPTION "The collection of objects that may help in
debugging the communication between rpki debugging the communication between RPKI
clients and cache servers." clients and cache servers."
::= { rpkiRtrGroups 2 } ::= { rpkiRtrGroups 2 }
rpkiRtrPrefixOriginGroup OBJECT-GROUP rpkiRtrPrefixOriginGroup OBJECT-GROUP
OBJECTS { OBJECTS {
rpkiRtrPrefixOriginCacheServerId rpkiRtrPrefixOriginCacheServerId
} }
STATUS current STATUS current
DESCRIPTION "The collection of objects that represent DESCRIPTION "The collection of objects that represent
the prefix(es) and their validated origin the prefix(es) and their validated Origin
ASes." ASes."
::= { rpkiRtrGroups 3 } ::= { rpkiRtrGroups 3 }
rpkiRtrNotificationsGroup NOTIFICATION-GROUP rpkiRtrNotificationsGroup NOTIFICATION-GROUP
NOTIFICATIONS { rpkiRtrCacheServerConnectionStateChange, NOTIFICATIONS { rpkiRtrCacheServerConnectionStateChange,
rpkiRtrCacheServerConnectionToGoStale rpkiRtrCacheServerConnectionToGoStale
} }
STATUS current STATUS current
DESCRIPTION "The set of notifications to alert an NMS of change DESCRIPTION "The set of notifications to alert an NMS of change
in connections to RPKI cache servers." in connections to RPKI cache servers."
::= { rpkiRtrGroups 4 } ::= { rpkiRtrGroups 4 }
END END
5. IANA Considerations 5. IANA Considerations
The MIB module in this document will required an IANA assigned OBJECT IANA has assigned the MIB module in this document the following
IDENTIFIER within the SMI Numbers registry. For example, replacing OBJECT IDENTIFIER within the SMI Numbers registry.
XXX below:
Descriptor OBJECT IDENTIFIER value Descriptor OBJECT IDENTIFIER value
---------- ----------------------- ---------- -----------------------
rpkiRouter { mib-2 XXX } rpkiRtrMIB { mib-2 218 }
6. Security Considerations 6. Security Considerations
There are no management objects defined in this MIB module that have There are no management objects defined in this MIB module that have
a MAX-ACCESS clause of read-write and/or read-create. So, if this a MAX-ACCESS clause of read-write and/or read-create. So, if this
MIB module is implemented correctly, then there is no risk that an MIB module is implemented correctly, then there is no risk that an
intruder can alter or create any management objects of this MIB intruder can alter or create any management objects of this MIB
module via direct SNMP SET operations. module via direct SNMP SET operations.
Most of the readable objects in this MIB module (i.e., objects with a Most of the readable objects in this MIB module (i.e., objects with a
MAX-ACCESS other than not-accessible) may be considered sensitive or MAX-ACCESS other than not-accessible) may be considered sensitive or
vulnerable in some network environments. They are vulnerable in the vulnerable in some network environments. They are vulnerable in the
sense that when an intruder sees the information in this MIB module, sense that when an intruder sees the information in this MIB module,
then it might help him/her to setup a an attack on the router or then it might help him/her to set up an attack on the router or cache
cache server. It is thus important to control even GET and/or NOTIFY server. It is thus important to control even GET and/or NOTIFY
access to these objects and possibly to even encrypt the values of access to these objects and possibly to even encrypt the values of
these objects when sending them over the network via SNMP. these objects when sending them over the network via SNMP.
SNMP versions prior to SNMPv3 did not include adequate security. SNMP versions prior to SNMPv3 did not include adequate security.
Even if the network itself is secure (for example by using IPsec), Even if the network itself is secure (for example by using IPsec),
even then, there is no control as to who on the secure network is there is no control as to who on the secure network is allowed to
allowed to access and GET/SET (read/change/create/delete) the objects access and GET/SET (read/change/create/delete) the objects in this
in this MIB module. MIB module.
Implementations MUST provide the security features described by the Implementations MUST provide the security features described by the
SNMPv3 framework (see [RFC3410]), including full support for SNMPv3 framework (see [RFC3410]), including full support for
authentication and privacy via the User-based Security Model (USM) authentication and privacy via the User-based Security Model (USM)
[RFC3414] with the AES cipher algorithm [RFC3826]. Implementations [RFC3414] with the AES cipher algorithm [RFC3826]. Implementations
MAY also provide support for the Transport Security Model (TSM) MAY also provide support for the Transport Security Model (TSM)
[RFC3591] in combination with a secure transport such as SSH [RFC5591] in combination with a secure transport such as SSH
[RFC3592] or TLS/DTLS [RFC3593] [RFC5592] or TLS/DTLS [RFC6353].
Further, deployment of SNMP versions prior to SNMPv3 is NOT Further, deployment of SNMP versions prior to SNMPv3 is NOT
RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
enable cryptographic security. It is then a customer/operator enable cryptographic security. It is then a customer/operator
responsibility to ensure that the SNMP entity giving access to an responsibility to ensure that the SNMP entity giving access to an
instance of this MIB module is properly configured to give access to instance of this MIB module is properly configured to give access to
the objects only to those principals (users) that have legitimate the objects only to those principals (users) that have legitimate
rights to indeed GET or SET (change/create/delete) them. rights to indeed GET or SET (change/create/delete) them.
7. References 7. References
7.1. Normative References 7.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2287] Krupczak, C. and J. Saperia, "Definitions of System-Level [RFC2287] Krupczak, C. and J. Saperia, "Definitions of System-Level
Managed Objects for Applications", RFC 2287, Managed Objects for Applications", RFC 2287, February
February 1998. 1998.
[RFC2578] McCloghrie, K., Perkins, D., and J. Schoenwaelder, [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J.
"Structure of Management Information Version 2 (SMIv2)", Schoenwaelder, Ed., "Structure of Management Information
RFC 2578, April 1999. Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.
[RFC2579] McCloghrie, K., Perkins, D., and J. Schoenwaelder, [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J.
"Textual Conventions for SMIv2", RFC 2579, April 1999. Schoenwaelder, Ed., "Textual Conventions for SMIv2", STD
58, RFC 2579, April 1999.
[RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
"Conformance Statements for SMIv2", RFC 2580, April 1999. "Conformance Statements for SMIv2", STD 58, RFC 2580,
April 1999.
[RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
Schoenwaelder, "Textual Conventions for Internet Network Schoenwaelder, "Textual Conventions for Internet Network
Addresses", RFC 4001, February 2005. Addresses", RFC 4001, February 2005.
[RFC6810] Bush, R. and R. Austein, "The Resource Public Key [RFC6810] Bush, R. and R. Austein, "The Resource Public Key
Infrastructure (RPKI) to Router Protocol", RFC 6810, Infrastructure (RPKI) to Router Protocol", RFC 6810,
January 2013. January 2013.
7.2. Informative References 7.2. Informative References
[RFC1982] Elz, R. and R. Bush, "Serial Number Arithmetic", RFC 1982, [RFC1982] Elz, R. and R. Bush, "Serial Number Arithmetic", RFC 1982,
August 1996. August 1996.
[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
"Introduction and Applicability Statements for Internet- "Introduction and Applicability Statements for Internet-
Standard Management Framework", RFC 3410, December 2002. Standard Management Framework", RFC 3410, December 2002.
[RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model [RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model
(USM) for version 3 of the Simple Network Management (USM) for version 3 of the Simple Network Management
Protocol (SNMPv3)", RFC 3414, December 2002. Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.
[RFC3591] Lam, H-K., Stewart, M., and A. Huynh, "Definitions of
Managed Objects for the Optical Interface Type", RFC 3591,
September 2003.
[RFC3592] Tesink, K., "Definitions of Managed Objects for the
Synchronous Optical Network/Synchronous Digital Hierarchy
(SONET/SDH) Interface Type", RFC 3592, September 2003.
[RFC3593] Tesink, K., "Textual Conventions for MIB Modules Using
Performance History Based on 15 Minute Intervals",
RFC 3593, September 2003.
[RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie, "The [RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie, "The
Advanced Encryption Standard (AES) Cipher Algorithm in the Advanced Encryption Standard (AES) Cipher Algorithm in the
SNMP User-based Security Model", RFC 3826, June 2004. SNMP User-based Security Model", RFC 3826, June 2004.
[RFC4252] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) [RFC4252] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
Authentication Protocol", RFC 4252, January 2006. Authentication Protocol", RFC 4252, January 2006.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008. (TLS) Protocol Version 1.2", RFC 5246, August 2008.
[RFC5591] Harrington, D. and W. Hardaker, "Transport Security Model
for the Simple Network Management Protocol (SNMP)", RFC
5591, June 2009.
[RFC5592] Harrington, D., Salowey, J., and W. Hardaker, "Secure
Shell Transport Model for the Simple Network Management
Protocol (SNMP)", RFC 5592, June 2009.
[RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP [RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP
Authentication Option", RFC 5925, June 2010. Authentication Option", RFC 5925, June 2010.
[RFC6353] Hardaker, W., "Transport Layer Security (TLS) Transport
Model for the Simple Network Management Protocol (SNMP)",
RFC 6353, July 2011.
Authors' Addresses Authors' Addresses
Randy Bush Randy Bush
Internet Initiative Japan Internet Initiative Japan
5147 Crystal Springs 5147 Crystal Springs
Bainbridge Island, Washington 98110 Bainbridge Island, WA 98110
US US
Email: randy@psg.com EMail: randy@psg.com
Bert Wijnen Bert Wijnen
RIPE NCC RIPE NCC
Schagen 33 Schagen 33
3461 GL Linschoten 3461 GL Linschoten
Netherlands Netherlands
Email: bertietf@bwijnen.net EMail: bertietf@bwijnen.net
Keyur Patel Keyur Patel
Cisco Systems Cisco Systems
170 W. Tasman Drive 170 W. Tasman Drive
San Jose, CA 95134 San Jose, CA 95134
USA USA
Email: keyupate@cisco.com EMail: keyupate@cisco.com
Michael Baer Michael Baer
SPARTA SPARTA
P.O. Box 72682 P.O. Box 72682
Davis, CA 95617 Davis, CA 95617
USA USA
Email: michael.baer@sparta.com EMail: baerm@tislabs.com
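Review bot: in Section 6 (Security Considerations) the second paragraph says "most of the readable objects" may be sensitive but names none, so an operator configuring SNMP access-control views cannot tell which to restrict; suggest stating that rpkiRtrCacheServerTable (the remote and local address objects and the connection-state notifications) reveals which caches a router trusts and how those sessions are behaving, and that rpkiRtrPrefixOriginTable exposes the prefix and origin data the router acts on, then keep the advice to control GET and NOTIFY access. The "GET/SET (read/change/create/delete)" wording in the third and fifth paragraphs sits oddly in a module whose first paragraph states there are no read-write or read-create objects; trimming it to GET keeps the section consistent. The citation fix in the fourth paragraph is the substantive change in this section: the draft cited [RFC3591], [RFC3592] and [RFC3593] (per the informative list, the optical-interface, SONET/SDH and 15-minute performance-history MIBs) where the TSM, SSH transport model and TLS transport model were meant; the right column's [RFC5591], [RFC5592] and [RFC6353] are correct and the reference list now matches them.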
 End of changes. 89 change blocks. 
180 lines changed or deleted 172 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/