Internet Draft M. Stiemerling
Document: draft-stiemerling-midcom-server-mib-00.txt J. Quittek
Expires: May 2003 NEC Europe Ltd.
P. Srisuresh
Caymas Systems, Inc.
November 2003
Definitions of Managed Objects for MIDCOM Server
<draft-stiemerling-midcom-server-mib-00.txt>
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC 2026. Internet-Drafts are
working documents of the Internet Engineering Task Force (IETF), its
areas, and its working groups. Note that other groups may also
distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
Distribution of this document is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2003). All Rights Reserved.
Abstract
This memo defines a portion of the Management Information Base (MIB)
for use with network management protocols in the Internet community.
In particular, it describes a set of managed objects that allow
monitoring and configuration of middleboxes running a MIDCOM server,
i.e. an implementation of the MIDCOM MIB module (RFC YYYY).
Stiemerling, Quittek, Srisuresh [Page 1]
Internet-Draft MIDCOM SERVER MIB November 2003
Table of Contents
1 Introduction ................................................. 2
2 The Internet-Standard Management Framework ................... 2
3 Overview ..................................................... 2
3.1 Terminology ................................................ 3
4 Structure of the MIB module .................................. 3
4.1 midcomSrvResourceTable ..................................... 4
4.2 midcomSrvFwTable ........................................... 5
4.3 MIDCOM Server Statistics ................................... 5
5 Definitions .................................................. 7
6 Security Considerations ...................................... 19
7 Open Issues .................................................. 19
8 Normative References ......................................... 19
9 Informative References ....................................... 20
10 Authors' Addresses .......................................... 21
11 Full Copyright Statement .................................... 21
1. Introduction
This memo defines a portion of the Management Information Base (MIB)
for use with network management protocols in the Internet community.
In particular, it describes a set of managed objects that allow
monitoring and configuration of a MIDCOM server, i.e. the MIDCOM MIB
module. Middleboxes, such as firewalls and Network Address
Translators (NATs), that implement the MIDCOM MIB module (RFC YYYY)
are called MIDCOM servers throughout this document.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in RFC
2119 [RFC2119].
2. The Internet-Standard Management Framework
For a detailed overview of the documents that describe the current
Internet-Standard Management Framework, please refer to section 7 of
RFC 3410 [RFC3410].
Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. MIB objects are generally
accessed through the Simple Network Management Protocol (SNMP).
Objects in the MIB are defined using the mechanisms defined in the
Structure of Management Information (SMI). This memo specifies a MIB
module that is compliant to the SMIv2, which is described in STD 58,
RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
[RFC2580].
3. Overview
The MIDCOM working group has defined the framework, protocol
requirements, protocol semantics, and a protocol evaluation document.
The outcome of the protocol evaluation is the use of SNMPv3 as the
MIDCOM protocol. Consequently, the MIDCOM protocol will be defined as
a MIB module, the MIDCOM MIB module. This module implements the
MIDCOM protocol semantics as defined in [RFCXXXX].
For monitoring and configuring this MIDCOM protocol implementation,
another MIB module is required. This is the MIDCOM SERVER MIB
module. Whereas the MIDCOM MIB module is used for dynamic
configuration of middleboxes, the MIDCOM SERVER MIB module is used
for monitoring the resource usage of the MIDCOM MIB and for
configuring some parameters related to the MIDCOM MIB module.
As defined in [RFC3234], firewalls and NATs belong to the group of
middleboxes. A middlebox is a device on the datagram path between
source and destination that performs functions other than plain IP
routing.
Middleboxes may be an obstacle to several applications that make use
of dynamic port allocation schemes. The IETF MIDCOM working group
defined a framework [RFC3303], requirements [RFC3304] and protocol
semantics [RFCXXXX] for communication between applications and
middleboxes acting as firewalls, NATs or a combination of both.
The MIDCOM protocol is defined in the MIDCOM MIB module in [RFCXXXX]
and can be used for dynamically configuring middleboxes on the
datagram path in order to enable datagram streams to pass the
middlebox. This way, applications can request pinholes at firewalls
and address bindings at NATs. Instances serving MIDCOM on the
middlebox are called MIDCOM server throughout this document.
The MIDCOM SERVER MIB module defined in this document serves for
configuring and monitoring MIDCOM servers on middleboxes.
3.1. Terminology
The terminology used in this document is fully aligned with the
terminology defined in [RFCXXXX].
There is a conflict between the MIDCOM terminology and the SNMP
terminology. The roles of entities participating in SNMP
communication are called 'manager' and 'agent', with the agent acting
as server for requests from the manager. This use of the term 'agent'
differs from its use in the MIDCOM framework: the SNMP manager
corresponds to the MIDCOM agent and the SNMP agent corresponds to the
MIDCOM middlebox. In order to avoid confusion, the term agent is
only used in combination with a prefix: either as MIDCOM agent or as
SNMP agent.
4. Structure of the MIB module
This section presents the structure of the MIB module that is
specified in this document.
The MIDCOM SERVER MIB module is divided into three logical groups:
monitoring the resource usage on a per-policy-rule basis,
configuring firewall parameters, and general statistics.
4.1. midcomSrvResourceTable
Information about resource usage per policy rule is provided by the
midcomSrvResourceTable. Each row in the midcomSrvResourceTable
serves exactly one policy rule.
Resources are NAT resources and firewall resources, depending on the
type of middlebox, i.e. firewall, NAT, or any combination of those.
NAT resources are NAT binds and NAT sessions. NAT address mappings
are not considered. For firewalls only firewall filter rules are
considered as resources.
The values provided by the following objects on NAT binds and NAT
sessions may refer to a more detailed NAT MIB module. This module is
not specified in this document.
The values provided by the following objects on firewall rules may
refer to a more detailed firewall MIB module. This module is not
specified in this document.
The following objects are defined:
o natSrcBindMode
This object indicates whether the source address is an address
NAT bind or an address-port NAT bind.
o natSrcBindId
This object is the link to the NAT bind for the source address
in the NAT engine. The natSrcBindId is the identifier of the
actual NAT bind.
o natDstBindMode
This object indicates whether the destination address is an
address NAT bind or an address-port NAT bind.
o natDstBindId
This object is the link to the NAT bind for the destination
address in the NAT engine. The natDstBindId is the identifier
of the actual NAT bind.
o natSessionId1
This object links to the first NAT session associated with one
of the above NAT binds.
o natSessionId2
This object links to the second NAT session associated with one
of the above NAT binds.
o fwRuleId
The firewall rule for this policy rule.
4.2. midcomSrvFwTable
The midcomSrvFwTable keeps a row per interface available for MIDCOM
service at the middlebox. Several parameters per interface are
configurable through this table:
o fwGroup
Firewall rules loaded for the MIDCOM server may be assigned to
a specific group in the firewall rule engine. An SNMP manager can
set the firewall group with this object.
o fwPriority
Depending on the firewall type, rules may have an associated
firewall rule priority. An SNMP manager can set the firewall
rule priority with this object.
4.3. MIDCOM Server Statistics
Several objects are provided for collecting statistics about the
MIDCOM server:
o midcomSrvSessionsRejected
MIDCOM agents are required to establish a session prior to any
further GET or SET message on policy rules or groups. This
object counts the rejected session establishment requests.
o midcomSrvSessionsCurrent
This object indicates the total number of currently established
sessions.
o midcomSrvSessionsTotal
This object indicates the total number of established sessions,
current and past.
o midcomSrvRuleEntriesRejected
This object indicates the total number of rejected policy rule
entries. Typically, policy rules will be rejected with a
specific reason (see below). Failed row creations in
midcomRuleTable are counted with this object, i.e. policy rule
requests that are rejected by the SNMP agent.
o midcomSrvRulesIncomplete
This object indicates the total number of policy rules that have
not been fully loaded into a table row of midcomRuleTable.
o midcomSrvResRulesRejected
This object indicates the total number of rejected reserved
policy rules. The SNMP agent accepts the row creation of a row
in midcomRuleTable, but any further action is rejected.
o midcomSrvResRulesFailed
This object indicates the total number of failed reserved policy
rules. Failed reserved policy rules are typically policy rules
that are accepted by the SNMP agent, but not accepted by the
middlebox.
o midcomSrvResRulesActive
This object indicates the number of active reserved policy rules
in midcomRuleTable at the point of time when the object is
retrieved by the SNMP manager.
o midcomSrvResRulesExpired
This object indicates the number of expired reserved policy
rules in midcomRuleTable at the point of time when the object is
retrieved by the SNMP manager.
o midcomSrvResRulesTerminated
This object indicates the number of terminated reserved policy
rules in midcomRuleTable at the point of time when the object is
retrieved by the SNMP manager.
o midcomSrvResRulesOnRequest
This object indicates the number of on-request reserved policy
rules in midcomRuleTable at the point in time when the object
is retrieved by the SNMP manager.
o midcomSrvEnabledRulesRejected
This object indicates the total number of rejected enabled
policy rules. The SNMP agent accepts the row creation of a row
in midcomRuleTable, but any further action is rejected.
o midcomSrvEnabledRulesFailed
This object indicates the total number of failed enabled policy
rules. Failed enabled policy rules are typically policy rules
that are accepted by the SNMP agent, but not accepted by the
middlebox.
o midcomSrvEnabledRulesActive
This object indicates the number of active enabled policy rules
in midcomRuleTable at the point of time when the object is
retrieved by the SNMP manager.
o midcomSrvEnabledRulesExpired
This object indicates the number of expired enabled policy rules
in midcomRuleTable at the point of time when the object is
retrieved by the SNMP manager.
o midcomSrvEnabledRulesTerminated
This object indicates the number of terminated enabled policy
rules in midcomRuleTable at the point of time when the object is
retrieved by the SNMP manager.
o midcomSrvEnabledRulesOnRequest
This object indicates the number of on-request enabled policy
rules in midcomRuleTable at the point in time when the object
is retrieved by the SNMP manager.
o midcomSrvTransRejected
This object indicates the total number of rejected transactions.
A transaction is rejected when there is no session established
for the requesting SNMP manager, i.e. no entry in
midcomSessionTable.
o midcomSrvTransFailed
This object indicates the total number of failed transactions.
A failed transaction is one that was accepted (not rejected) but
could not be carried out completely for another reason. For
instance, of a transaction consisting of multiple SET operations
only a single SET is actually performed.
o midcomSrvTransCompleted
This object indicates the total number of successfully completed
transactions at the MIDCOM server.
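As an added example that is not part of this draft, the following Python model maintains the session and transaction counters the way section 4.3 describes them (the midcomSrvSessions* and midcomSrvTrans* objects) and adds a defender-side check over two polls of the statistics group. The authorized-owner set, the simplified rule-table model and the scenario are constructed assumptions, not part of the MIDCOM MIB or of any MIDCOM server implementation.

```python
"""Added example (not part of the draft): in-memory model of the MIDCOM
server session and transaction counters of section 4.3, plus a
defender-side check over two polls of the statistics group."""
from dataclasses import dataclass, field


@dataclass
class MidcomServerStats:
    # Counters named after the midcomSrv* objects they model.
    sessions_rejected: int = 0
    sessions_total: int = 0
    trans_rejected: int = 0
    trans_failed: int = 0
    trans_completed: int = 0
    # Rows of midcomSessionTable, keyed by session owner (the SNMP
    # principal that established the MIDCOM session).
    sessions: set = field(default_factory=set)
    # Loaded policy rules: (owner, group, rule) -> state (assumed model).
    rules: dict = field(default_factory=dict)
    # Constructed: principals the operator authorized for MIDCOM.
    authorized_owners: set = field(default_factory=set)

    @property
    def sessions_current(self) -> int:
        # midcomSrvSessionsCurrent equals the row count of midcomSessionTable.
        return len(self.sessions)

    def establish_session(self, owner: str) -> bool:
        """Unauthorized or unknown owners are rejected and counted in
        midcomSrvSessionsRejected; accepted ones get a session row."""
        if owner not in self.authorized_owners:
            self.sessions_rejected += 1
            return False
        if owner not in self.sessions:
            self.sessions.add(owner)
            self.sessions_total += 1  # counts current and past sessions
        return True

    def terminate_session(self, owner: str) -> None:
        self.sessions.discard(owner)

    def transaction(self, owner: str, ops: list) -> str:
        """Apply SET operations on midcomRuleTable rows; ops are
        ("create", (group, rule)) or ("set", (group, rule), state).
        Returns "rejected", "failed" or "completed" (midcomSrvTrans*)."""
        if owner not in self.sessions:
            # No midcomSessionTable entry for the requesting manager.
            self.trans_rejected += 1
            return "rejected"
        ok = True
        for op in ops:
            key = (owner,) + tuple(op[1])
            if op[0] == "create":
                self.rules[key] = "incomplete"
            elif op[0] == "set" and key in self.rules:
                self.rules[key] = op[2]
            else:
                ok = False  # SET on a row that does not exist
        if not ok:
            # Accepted, but only part of the transaction was performed.
            self.trans_failed += 1
            return "failed"
        self.trans_completed += 1
        return "completed"

    def snapshot(self) -> dict:
        """The statistics group as an SNMP manager would read it."""
        return {
            "midcomSrvSessionsRejected": self.sessions_rejected,
            "midcomSrvSessionsCurrent": self.sessions_current,
            "midcomSrvSessionsTotal": self.sessions_total,
            "midcomSrvTransRejected": self.trans_rejected,
            "midcomSrvTransFailed": self.trans_failed,
            "midcomSrvTransCompleted": self.trans_completed,
        }


def rejected_session_alert(prev: dict, cur: dict, threshold: int) -> bool:
    """Defender-side check: True when midcomSrvSessionsRejected grew by
    more than `threshold` between two polls. A decrease means the
    counter was reset or wrapped, so no delta can be derived."""
    delta = cur["midcomSrvSessionsRejected"] - prev["midcomSrvSessionsRejected"]
    return delta >= 0 and delta > threshold


def run_scenario() -> dict:
    """Constructed sequence of MIDCOM agent activity; returns the snapshot."""
    srv = MidcomServerStats(authorized_owners={"sipProxy", "h323gk"})
    srv.establish_session("sipProxy")                    # accepted
    srv.establish_session("rogueAgent")                  # rejected
    srv.establish_session("rogueAgent")                  # rejected again
    srv.transaction("rogueAgent", [("create", (1, 1))])  # no session
    srv.transaction("sipProxy", [("create", (1, 1)),
                                 ("set", (1, 1), "reserved")])  # completed
    srv.transaction("sipProxy", [("set", (1, 2), "enabled")])   # failed
    srv.establish_session("h323gk")                      # second session
    srv.terminate_session("h323gk")                      # row removed
    return srv.snapshot()
```

After the scenario, midcomSrvSessionsTotal (2) exceeds midcomSrvSessionsCurrent (1) because a terminated session leaves the table but stays counted, which is the relation the two objects are defined to have.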
5. Definitions
MIDCOM-SERVER-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY, OBJECT-TYPE,
Unsigned32, mib-2
FROM SNMPv2-SMI -- RFC2578
TEXTUAL-CONVENTION
FROM SNMPv2-TC -- RFC2579
MODULE-COMPLIANCE, OBJECT-GROUP
FROM SNMPv2-CONF -- RFC2580
SnmpAdminString
FROM SNMP-FRAMEWORK-MIB -- RFC3411
InterfaceIndex
FROM IF-MIB -- RFC2863
midcomSessionOwner, midcomGroupIndex,
midcomRuleIndex
FROM MIDCOM-MIB; -- draft!
midcomSrvMIB MODULE-IDENTITY
LAST-UPDATED "200311240930Z" -- November 24, 2003
ORGANIZATION "IETF Middlebox Communication Working Group"
CONTACT-INFO
"WG charter:
http://www.ietf.org/html.charters/midcom-charter.html
Mailing Lists:
General Discussion: midcom@ietf.org
To Subscribe: midcom-request@ietf.org
In Body: subscribe your_email_address
Editor:
Martin Stiemerling
NEC Europe Ltd.
Network Laboratories
Kurfuersten-Anlage 36
69221 Heidelberg
Germany
Tel: +49 6221 90511-13
Email: stiemerling@netlab.nec.de"
DESCRIPTION
"This MIB module defines a set of basic objects for
monitoring and configuring MIDCOM servers on
middleboxes that support MIDCOM. Such middleboxes
may be firewalls and network address translators.
This MIB module does not implement portions of the
MIDCOM protocol, but is the MIDCOM SERVER MIB module
for monitoring instances of the MIDCOM protocol.
There are three groups of managed objects defined
by this MIB module:
- objects describing the used middlebox resources on
a per-MIDCOM-policy-rule basis
- objects describing the used firewall configuration
on a per-MIDCOM-policy-rule basis
- objects providing statistical information
about the MIDCOM MIB module
Copyright (C) The Internet Society (2003). This version
of this MIB module is part of RFC yyyy; see the RFC
itself for full legal notices."
-- RFC Ed.: replace yyyy with actual RFC number & remove this notice
REVISION "200311240930Z" -- November 24, 2003
DESCRIPTION "Initial version, published as RFC yyyy."
-- RFC Ed.: replace yyyy with actual RFC number & remove this notice
::= { mib-2 44445 }
-- 44445 to be assigned by IANA.
--
-- Some textual conventions for this module
--
MidcomNatBindMode ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"An indication whether the NAT bind is an address
bind or an address-port bind."
SYNTAX INTEGER {
addressBind (1),
addressPortBind (2)
}
MidcomNatBindId ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"A unique ID that is assigned to each NAT bind by
a NAT enabled device."
SYNTAX Unsigned32
MidcomNatSessionId ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"A unique ID that is assigned to each NAT session by
a NAT enabled device."
SYNTAX Unsigned32
--
-- main components of this MIB module
--
midcomSrvObjects OBJECT IDENTIFIER ::= { midcomSrvMIB 1 }
midcomSrvConformance OBJECT IDENTIFIER ::= { midcomSrvMIB 2 }
--
-- Resources group
--
-- The MIDCOM server resources group contains a set of managed
-- objects describing the currently used resources of the MIDCOM
-- server.
-- Some objects in this group have MAX-ACCESS read-write.
--
midcomSrvResources OBJECT IDENTIFIER ::= { midcomSrvObjects 1 }
--
-- The NAT resource table
--
midcomSrvResourceTable OBJECT-TYPE
SYNTAX SEQUENCE OF MidcomSrvMbEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table lists all used middlebox resources per
MIDCOM policy rule.
The midcomSrvResourceTable is indexed by
session owner, group index, rule index.
"
::= { midcomSrvResources 1 }
midcomSrvResourceEntry OBJECT-TYPE
SYNTAX MidcomSrvMbEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry describing a particular set of middlebox
resources."
INDEX { midcomSessionOwner, midcomGroupIndex, midcomRuleIndex }
::= { midcomSrvResourceTable 1 }
MidcomSrvMbEntry ::= SEQUENCE {
natSrcBindMode MidcomNatBindMode,
natSrcBindId MidcomNatBindId,
natDstBindMode MidcomNatBindMode,
natDstBindId MidcomNatBindId,
natSessionId1 MidcomNatSessionId,
natSessionId2 MidcomNatSessionId,
fwRuleId Unsigned32
-- more input required.
}
natSrcBindMode OBJECT-TYPE
SYNTAX MidcomNatBindMode
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"An indication whether this policy rule uses an address
NAT bind or an address-port NAT bind for the source
address."
::= { midcomSrvResourceEntry 4 }
natSrcBindId OBJECT-TYPE
SYNTAX MidcomNatBindId
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The allocated NAT bind for the source address used
by this policy rule."
::= { midcomSrvResourceEntry 5 }
natDstBindMode OBJECT-TYPE
SYNTAX MidcomNatBindMode
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"An indication whether this policy rule uses an address
NAT bind or an address-port NAT bind for the destination
address."
::= { midcomSrvResourceEntry 6 }
natDstBindId OBJECT-TYPE
SYNTAX MidcomNatBindId
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The allocated NAT bind for the destination address
used by this policy rule."
::= { midcomSrvResourceEntry 7 }
natSessionId1 OBJECT-TYPE
SYNTAX MidcomNatSessionId
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique ID that is assigned to this specific NAT
session at the NAT for this policy rule.
A maximum of two NAT sessions can be assigned to
one policy rule."
::= { midcomSrvResourceEntry 8 }
natSessionId2 OBJECT-TYPE
SYNTAX MidcomNatSessionId
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique ID that is assigned to this specific NAT
session at the NAT for this policy rule.
A maximum of two NAT sessions can be assigned to
one policy rule."
::= { midcomSrvResourceEntry 9 }
fwRuleId OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique ID that is assigned to this specific
firewall rule at the firewall for this policy rule."
::= { midcomSrvResourceEntry 10 }
--
-- The firewall (fw) configuration table
--
midcomSrvFwTable OBJECT-TYPE
SYNTAX SEQUENCE OF MidcomSrvFwEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table lists the firewall configuration
per interface.
The midcomSrvFwTable is indexed by
midcomifIndex
"
::= { midcomSrvResources 2 }
midcomSrvFwEntry OBJECT-TYPE
SYNTAX MidcomSrvFwEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry describing a particular set of
firewall resources."
INDEX { midcomifIndex }
::= { midcomSrvFwTable 1 }
MidcomSrvFwEntry ::= SEQUENCE {
midcomifIndex InterfaceIndex,
fwGroup SnmpAdminString,
fwPriority Unsigned32
-- Wes, what should be here?
}
midcomifIndex OBJECT-TYPE
SYNTAX InterfaceIndex
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The corresponding interface of the middlebox."
::= { midcomSrvFwEntry 1 }
fwGroup OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The firewall rule group to which all firewall
rules of the MIDCOM server are assigned."
::= { midcomSrvFwEntry 2 }
fwPriority OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The priority assigned to all firewall rules
of the MIDCOM server."
::= { midcomSrvFwEntry 3 }
--
-- The statistics of the MIDCOM server
--
midcomSrvStatistics OBJECT IDENTIFIER ::= { midcomSrvObjects 2 }
midcomSrvSessionsRejected OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of rejected MIDCOM sessions.
The MIDCOM MIB module can reject sessions that
are not authorized or unknown."
::= { midcomSrvStatistics 1 }
midcomSrvSessionsCurrent OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of currently established MIDCOM sessions.
This object equals the number of rows in the
midcomSessionTable and gives the number
of MIDCOM agents (=SNMP managers) that are
allowed to read, create, or modify entries
in the MIDCOM MIB module."
::= { midcomSrvStatistics 2 }
midcomSrvSessionsTotal OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The summarized number of all current and past
established MIDCOM sessions."
::= { midcomSrvStatistics 3 }
midcomSrvRuleEntriesRejected OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of policy rule entries rejected without
any further detailed reason.
Policy rules may be rejected due to several reasons.
This object counts policy rules rejected without any
other specific reason."
::= { midcomSrvStatistics 4 }
midcomSrvRulesIncomplete OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of policy rules that are
incomplete.
Policy rules are loaded via row entries in
midcomRuleTable. This object counts policy
rules that are loaded but not fully specified,
i.e. the associated action (reserve or enable)
is not set. Those rules are typically removed
after some time and counted."
::= { midcomSrvStatistics 5 }
midcomSrvResRulesRejected OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of reserved policy rules that are
loaded, but are rejected."
::= { midcomSrvStatistics 6 }
midcomSrvResRulesFailed OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of failed reserved policy rules."
::= { midcomSrvStatistics 7 }
midcomSrvResRulesActive OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of currently active reserved policy
rules."
::= { midcomSrvStatistics 8 }
midcomSrvResRulesExpired OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of currently expired reserved policy
rules."
::= { midcomSrvStatistics 9 }
midcomSrvResRulesTerminated OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of currently terminated reserved policy
rules."
::= { midcomSrvStatistics 10 }
midcomSrvResRulesOnRequest OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of currently on-request reserved policy
rules."
::= { midcomSrvStatistics 11 }
midcomSrvEnabledRulesRejected OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of rejected enabled policy rules."
::= { midcomSrvStatistics 12 }
midcomSrvEnabledRulesFailed OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of failed enabled policy rules."
::= { midcomSrvStatistics 13 }
midcomSrvEnabledRulesActive OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of currently active enabled policy
rules."
::= { midcomSrvStatistics 14 }
midcomSrvEnabledRulesExpired OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of currently expired enabled policy
rules."
::= { midcomSrvStatistics 15 }
midcomSrvEnabledRulesTerminated OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of currently terminated enabled policy
rules."
::= { midcomSrvStatistics 16 }
midcomSrvEnabledRulesOnRequest OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of currently on-request enabled policy
rules."
::= { midcomSrvStatistics 17 }
midcomSrvTransRejected OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of rejected transactions."
::= { midcomSrvStatistics 18 }
midcomSrvTransFailed OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of failed transactions."
::= { midcomSrvStatistics 19 }
midcomSrvTransCompleted OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of completed transactions."
::= { midcomSrvStatistics 20 }
--
-- Compliance statements
--
midcomSrvCompliances OBJECT IDENTIFIER ::= { midcomSrvConformance 1 }
midcomSrvGroups OBJECT IDENTIFIER ::= { midcomSrvConformance 2 }
--
-- This is the MIDCOM server compliance definition
--
midcomSrvCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for SNMP entities that
implement the MIDCOM SERVER MIB."
MODULE -- this module
MANDATORY-GROUPS {
midcomSrvResourceGroup,
midcomSrvFwGroup,
midcomSrvStatisticsGroup
}
::= { midcomSrvCompliances 1 }
midcomSrvResourceGroup OBJECT-GROUP
OBJECTS {
natSrcBindMode,
natSrcBindId,
natDstBindMode,
natDstBindId,
natSessionId1,
natSessionId2,
fwRuleId
}
STATUS current
DESCRIPTION
"A collection of objects providing information about
the used NAT and firewall resources."
::= { midcomSrvGroups 1 }
midcomSrvFwGroup OBJECT-GROUP
OBJECTS {
fwGroup,
fwPriority
}
STATUS current
DESCRIPTION
"A collection of objects providing information about
the used firewall resources."
::= { midcomSrvGroups 2 }
midcomSrvStatisticsGroup OBJECT-GROUP
OBJECTS {
midcomSrvSessionsRejected,
midcomSrvSessionsCurrent,
midcomSrvSessionsTotal,
midcomSrvRuleEntriesRejected,
midcomSrvRulesIncomplete,
midcomSrvResRulesRejected,
midcomSrvResRulesFailed,
midcomSrvResRulesActive,
midcomSrvResRulesExpired,
midcomSrvResRulesTerminated,
midcomSrvResRulesOnRequest,
midcomSrvEnabledRulesRejected,
midcomSrvEnabledRulesFailed,
midcomSrvEnabledRulesActive,
midcomSrvEnabledRulesExpired,
midcomSrvEnabledRulesTerminated,
midcomSrvEnabledRulesOnRequest,
midcomSrvTransRejected,
midcomSrvTransFailed,
midcomSrvTransCompleted
}
STATUS current
DESCRIPTION
"A collection of objects providing statistical
information about the MIDCOM server."
::= { midcomSrvGroups 3 }
END
6. Security Considerations
TBD XXX
SNMP versions prior to SNMPv3 did not include adequate security.
Even if the network itself is secure (for example by using IPsec),
there is still no control as to who on the secure network is
allowed to access and GET/SET (read/change/create/delete) the objects
in this MIB module.
It is REQUIRED that implementers consider the security features as
provided by the SNMPv3 framework (see [RFC3410], section 8),
including full support for the SNMPv3 cryptographic mechanisms (for
authentication and privacy).
For implementations of the MIDCOM SERVER MIB it is REQUIRED to deploy
SNMPv3 and to enable cryptographic security. It is then a
customer/operator responsibility to ensure that the SNMP entity
giving access to an instance of this MIB module is properly
configured to give access to the objects only to those principals
(users) that have legitimate rights to indeed GET or SET
(change/create/delete) them.
7. Open Issues
- Firewall entries in midcomSrvResourceTable
- Further entries in midcomSrvFwTable?
8. Normative References
[RFC3303] Srisuresh, P., Kuthan, J., Rosenberg, J., Molitor, A. and A.
Rayhan, "Middlebox communication architecture and
framework", RFC 3303, August 2002.
[RFC3304] Swale, R.P., Mart, P.A., Sijben, P., Brimm, S. and M. Shore,
"Middlebox Communications (midcom) Protocol Requirements",
RFC 3304, August 2002.
[RFCXXXX] Stiemerling, M., Quittek, J. and T. Taylor, "Middlebox
Communications (midcom) protocol semantics", RFC XXXX,
YYYYmonth 2003, <draft-ietf-midcom-semantics-03.txt>.
[RFCYYYY] Quittek, J. and M. Stiemerling, "MIDCOM MIB XXXX", RFC YYYY.
[RFC2578] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
Rose, M. and S. Waldbusser, "Structure of Management
Information Version 2 (SMIv2)", STD 58, RFC 2578, April
1999.
[RFC2579] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
Rose, M. and S. Waldbusser, "Textual Conventions for SMIv2",
STD 58, RFC 2579, April 1999.
[RFC2580] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
Rose, M. and S. Waldbusser, "Conformance Statements for
SMIv2", STD 58, RFC 2580, April 1999.
[RFC3411] Harrington, D., Presuhn, R. and B. Wijnen, "An Architecture
for Describing Simple Network Management Protocol (SNMP)
Management Frameworks", STD 62, RFC 3411, December 2002.
[RFC2863] McCloghrie, K. and F. Kastenholz, "The Interfaces Group
MIB", RFC 2863, June 2000.
[RFC2574] Blumenthal, U. and B. Wijnen, "User-based Security Model
(USM) for version 3 of the Simple Network Management
Protocol (SNMPv3)", RFC 2574, April 1999.
9. Informative References
[RFC3410] Case, J., Mundy, R., Partain, D. and B. Stewart,
"Introduction and Applicability Statements for Internet-
Standard Management Framework", RFC 3410, December 2002.
[NAT-TERM] Srisuresh, P. and M. Holdrege, "IP Network Address Translator
(NAT) Terminology and Considerations", RFC 2663, August 1999.
[RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC
2246, January 1999.
[RFC2402] Kent, S. and R. Atkinson, "IP Authentication Header", RFC
2402, November 1998.
[RFC2406] Kent, S. and R. Atkinson, "IP Encapsulating Security
Payload (ESP)", RFC 2406, November 1998.
10. Authors' Addresses
Martin Stiemerling
NEC Europe Ltd.
Network Laboratories
Kurfuersten-Anlage 36
69115 Heidelberg
Germany
Phone: +49 6221 90511-13
Email: stiemerling@ccrle.nec.de
Juergen Quittek
NEC Europe Ltd.
Network Laboratories
Kurfuersten-Anlage 36
69115 Heidelberg
Germany
Phone: +49 6221 90511-15
EMail: quittek@ccrle.nec.de
P. Srisuresh
Caymas Systems, Inc.
1179-A North McDowell Blvd.
Petaluma, CA 94954
USA
Phone: +1 707 283 5063
EMail: srisuresh@yahoo.com
11. Full Copyright Statement
Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.