Network Working Group Y. Fu Internet Draft Sh. Jiang Intended status: Standards Track Huawei Technologies Co., Ltd Expires: November 4, 2011 Y. Cui J.Dong Tsinghua University May 4, 2011 DS-Lite Management Information Base (MIB) draft-fu-softwire-dslite-mib-00 Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on October 27, 2011. Copyright Notice Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Fu, et al. Expires November 4, 2011 [Page 1] Internet-Draft draft-fu-softwire-dslite-mib-00.txt May 2011 Abstract This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. In particular, it defines managed objects for DS-Lite. Table of Contents 1. Introduction ..................................................3 2. The Internet-Standard Management Framework ....................3 3. Terminology ...................................................3 4. Difference from the IP tunnel MIB and NAT MIB .................3 5. Structure of the MIB Module....................................4 5.1. The DSliteMIBTunnel Subtree...............................4 5.2. The DSliteMIBNAT Subtree..................................4 5.3. The DSliteMIBRelationInfo Subtree ........................4 5.4. The DSliteMIBConformance Subtree .........................5 6. MIB modules required for IMPORTS...............................5 7. Definitions ...................................................5 8. IANA Considerations ..........................................12 9. Security Considerations.......................................12 10. References ..................................................13 10.1. Normative References....................................13 10.2. Informative References..................................14 11. Change Log [RFC Editor please remove] .......................14 Author's Addresses ..............................................14 Fu, et al. Expires November 4, 2011 [Page 2] Internet-Draft draft-fu-softwire-dslite-mib-00.txt May 2011 1. Introduction Dual-Stack Lite [I-D.ietf-softwire-dual-stack-lite] is a solution to offer both IPv4 and IPv6 connectivity to customers crossing IPv6 only infrastructure. One of its key components is an IPv4-over-IPv6 tunnel, which is used to provide IPv4 connection across service provider IPv6 network. Another key component is a carrier-grade IPv4-IPv4 NAT to share service provider IPv4 addresses among customers. This document defines a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. This MIB module may be used for configuration and monitoring the devices in the Dual-Stack Lite scenario. 2. The Internet-Standard Management Framework For a detailed overview of the documents that describe the current Internet-Standard Management Framework, please refer to section 7 of [RFC3410]. Managed objects are accessed via a virtual information store, termed the MIB. MIB objects are generally accessed through the Simple Network Management Protocol (SNMP). Objects in the MIB are defined using the mechanisms defined in the Structure of Management Information (SMI). This memo specifies a MIB module that is compliant to the SMIv2, which is described in [RFC2578], [RFC2579] and [RFC2580]. 3. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 4. Difference from the IP tunnel MIB and NAT MIB The key technologies for DS-Lite are IP in IP (IPv4-in-IPv6) tunnel and NAT (IPv4 to IPv4 translation). The NAT-MIB [RFC4008] is designed to carry translation from any address family to any address family, therefore supports IPv4 to IPv4 translation. The tunnel MIB [RFC4087] is designed for managing tunnels of any type over IPv4 and IPv6 networks, therefore supports IP in IP tunnels. Fu, et al. Expires November 4, 2011 [Page 3] Internet-Draft draft-fu-softwire-dslite-mib-00.txt May 2011 However, NAT MIB and tunnel MIB together are not sufficient to support DS-Lite. This document describes the specific MIB requirements for DS-Lite, as below. In DS-Lite scenario, the tunnel type is IP in IP, more precisely, is IPv4 in IPv6. Therefore, it is unnecessary to describe tunnel type in DS-Lite MIB. In DS-Lite scenario, the translation type is IPv4 private address to IPv4 public address. Therefore, it is unnecessary to describe the type of address in the corresponding tunnelIfLocalInetAddress and tunnelIfRemoteInetAddress objects in DS-Lite MIB. In DS-lite scenario, the AFTR is not only the tunnel end concentrator, but also a 4-4 translator. Within the AFTR, tunnel information and translation information MUST be mapped each other. Two independent MIB is not able to reflect this mapping relationship. Therefore, a combined MIB is necessary. 5. Structure of the MIB Module The DS-Lite MIB provides a way to configure and manage the devices in DS-Lite scenario through SNMP. DS-Lite MIB is configurable on a per-interface basis. It depends on several parts of the IF-MIB [RFC2863], tunnel MIB [RFC4087], and NAT MIB [RFC4008]. 5.1. The DSliteMIBTunnel Subtree The DSliteMIBTunnel subtree describes managed objects used for managing tunnels in the DS-Lite scenario. Because the tunnel MIB supports the tunnel management function in DS-Lite, we may reuse it in DS-Lite MIB. 5.2. The DSliteMIBNAT Subtree The DSliteMIBNAT Subtree describes managed objects used for configuration as well as monitoring of AFTR which is capable of NAT function. Because the NAT MIB supports the NAT management function in DS-Lite, we MAY reuse it in DS-Lite MIB. 5.3. The DSliteMIBRelationInfo Subtree The DSliteMIBRelationInfo Subtree provides the information of mapping relationship between the tunnel MIB and NAT MIB. It is vital Fu, et al. Expires November 4, 2011 [Page 4] Internet-Draft draft-fu-softwire-dslite-mib-00.txt May 2011 information for DS-Lite implementer. It also includes information about traffic statistics. 5.4. The DSliteMIBConformance Subtree The Subtree provides conformance information of MIB objects. 6. MIB modules required for IMPORTS This MIB module IMPORTs objects from [RFC4087], [RFC4008], [RFC2580], [RFC2578], [RFC2863], [RFC4001],[RFC3411]. Notes: The IF-MIB defines the MTU for the interface which includes the virtual interface of the tunnel, so DS-Lite MIB does not need to define the MTU for tunnel. 7. Definitions DSLite-MIB DEFFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-TYPE, mib-2, transmission, Gauge32 FROM SNMPv2-SMI ifIndex FROM IF-MIB InetAddress, InetPortNumber FROM INET-ADDRESS-MIB tunnelMIB FROM tunnelMIB natMIB FROM natMIB DSliteMIB MODULE-IDENTITY LAST-UPDATED "201104260000Z" -- April 26, 2011 ORGANIZATION "IETF Softwire Working Group" CONTACT-INFO "Yu Fu Huawei Technologies Co., Ltd Huawei Building, No.3 Xinxi Rd, Hai-Dian District Beijing, P.R. China 100085 EMail: fy@huawei.com Fu, et al. Expires November 4, 2011 [Page 5] Internet-Draft draft-fu-softwire-dslite-mib-00.txt May 2011 Sheng Jiang Huawei Technologies Co., Ltd Huawei Building, No.3 Xinxi Rd, Hai-Dian District Beijing, P.R. China 100085 EMail: jiangsheng@huawei.com Yong Cui Tsinghua University Department of Computer Science, Tsinghua University Beijing 100084 P.R. China Email: yong@csnet1.cs.tsinghua.edu.cn Jiang Dong Tsinghua University Department of Computer Science, Tsinghua University Beijing 100084 P.R. China Email: dongjiang@csnet1.cs.tsinghua.edu.cn" DESCRIPTION "The MIB module is defined for management of object in the DS-Lite scenario. " ::= { transmission xxx } --xxx to be replaced with correct value DSLiteMIBRelationInfo OBJECT IDENTIFIER :: = { DSLiteMIB 1 } --Conformance DSLiteMIBConformance OBJECT IDENTIFIER :: = { DSLiteMIB 2 } --DSLiteMIBRelationInfo --DSLiteMIBBindRelationTable Table --DSLiteMIBPortBindRelationTable Table DSLiteMIBBindRelationTable OBJECT-TYPE SYNTAX SEQUENCE OF DSLiteMIBBindRelationEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The (conceptual) table containing mapping information between tunnel information and currently active NAT BINDs This table can be used to map the tunnel initiator to Fu, et al. Expires November 4, 2011 [Page 6] Internet-Draft draft-fu-softwire-dslite-mib-00.txt May 2011 natAddrBindEntry." :: = { DSLiteMIBRelationInfo 1 } DSLiteMIBBindRelationEntry OBJECT-TYPE SYNTAX DSLiteMIBBindRelationEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Each entry in this table holds the relationship between tunnel information and nat bind information. These entries are lost upon agent restart." INDEX { ifIndex, natAddrBindLocalAddr, tunnelIfLocalAddress } :: = { DSLiteMIBBindRelationTable 1 } DSLiteMIBBindRelationEntry :: = SEQUENCE { NatAddrBindEntry NatAddrBindEntry, tunnelIfLocalAddress IpAddress, DSLiteMIBBindNumberOfTunnel Gauge32, DSLiteMIBBindInIPv6Packets Counter32, DSLiteMIBBindOutIPv6Packets Counter32, DSLiteMIBBindOutIPv4Packets Counter32, DSLiteMIBBindInIPv6Bytes Counter64, DSLiteMIBBindOutIPv4Bytes Counter64, DSLiteMIBBindOutIPv6Bytes Counter64 } DSLiteMIBBindNumberOfTunnel OBJECT-TYPE SYNTAX Gauge32 MAX-ACCESS read-only STATUS current DESCRIPTION "This object maintains a count of the number of tunnels that currently exist with the same endpoint, AFTR." ::= { DSLiteMIBBindRelationEntry 3 } DSLiteMIBBindInIPv6Packets OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "This object represents number of IPv6 Packets received by the AFTR. These IPv6 packets includes native IPv6 packets and IPv6 packets encapsulated from IPv4 packets send by the Fu, et al. Expires November 4, 2011 [Page 7] Internet-Draft draft-fu-softwire-dslite-mib-00.txt May 2011 tunnel initiator." ::= { DSLiteMIBBindRelationEntry 4 } DSLiteMIBBindOutIPv6Packets OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "This object represents number of IPv6 Packets forwarded by the AFTR. These IPv6 packets are native IPv6 packets received in AFTR." ::= { DSLiteMIBBindRelationEntry 5 } DSLiteMIBBindOutIPv4Packets OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "This object represents number of IPv4 Packets sent by the AFTR. These IPv4 packets are decapsulated packets from encapsulated IPv6 packets." ::= { DSLiteMIBBindRelationEntry 6 } DSLiteMIBBindInIPv6Bytes OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "This object represents number of IPv6 Bytes forwarded by the AFTR." ::= { DSLiteMIBBindRelationEntry 7 } DSLiteMIBBindOutIPv6Bytes OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "This object represents number of IPv6 Bytes received by AFTR." ::= { DSLiteMIBBindRelationEntry 8 } DSLiteMIBBindOutIPv4Bytes OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "This object represents number of IPv4 Bytes sent by Fu, et al. Expires November 4, 2011 [Page 8] Internet-Draft draft-fu-softwire-dslite-mib-00.txt May 2011 AFTR." ::= { DSLiteMIBBindRelationEntry 9 } DSLiteMIBPortBindRelationTable OBJECT-TYPE SYNTAX SEQUENCE OF DSLiteMIBPortBindRelationEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The (conceptual) table containing mapping information between tunnel information and currently active NAPT BINDs This table can be used to map the tunnel initiator to natAddrPortBindEntry. " :: = { DSLiteMIBRelationInfo 2 } DSLiteMIBPortBindRelationEntry OBJECT-TYPE SYNTAX DSLiteMIBPortBindRelationEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Each entry in this table holds the relationship between tunnel information and nat bind information. These entries are lost upon agent restart." INDEX { ifIndex, natAddrPortBindLocalAddr, natAddrPortBindLocalPort, tunnelIfLocalAddress } :: = { DSLiteMIBPortBindRelationTable 1 } DSLiteMIBPortBindRelationEntry :: = SEQUENCE { natAddrPortBindEntry natAddrPortBindEntry, tunnelIfLocalAddress IpAddress, DSLiteMIBPortBindNumberOfTunnel Gauge32, DSLiteMIBPortBindInIPv6Packets Counter32, DSLiteMIBPortBindOutIPv6Packets Counter32, DSLiteMIBPortBindOutIPv4Packets Counter32, DSLiteMIBPortBindInIPv6Bytes Counter64, DSLiteMIBPortBindOutIPv4Bytes Counter64, DSLiteMIBPortBindOutIPv6Bytes Counter64 } DSLiteMIBPortBindNumberOfTunnel OBJECT-TYPE SYNTAX Gauge32 MAX-ACCESS read-only STATUS current DESCRIPTION "This object maintains a count of the number of tunnels Fu, et al. Expires November 4, 2011 [Page 9] Internet-Draft draft-fu-softwire-dslite-mib-00.txt May 2011 that currently exist with the same endpoint, AFTR." ::= { DSLiteMIBPortBindRelationEntry 3 } DSLiteMIBPortBindInIPv6Packets OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "This object represents number of IPv6 Packets received by the virtual interface of AFTR. These IPv6 packets includes native IPv6 packets and IPv6 packets encapsulated from IPv4 packets send by the tunnel initiator." ::= { DSLiteMIBPortBindRelationEntry 4 } DSLiteMIBPortBindOutIPv6Packets OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "This object represents number of IPv6 Packets forwarded by the AFTR. These IPv6 packets are native IPv6 packets received in AFTR." ::= { DSLiteMIBPortBindRelationEntry 5 } DSLiteMIBPortBindOutIPv4Packets OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "This object represents number of IPv4 Packets sent by the AFTR. These IPv4 packets are decapsulated packets from encapsulated IPv6 packets." ::= { DSLiteMIBPortBindRelationEntry 6 } DSLiteMIBPortBindInIPv6Bytes OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "This object represents number of IPv6 Bytes forwarded by the AFTR." ::= { DSLiteMIBPortBindRelationEntry 7 } DSLiteMIBPortBindOutIPv6Bytes OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current Fu, et al. Expires November 4, 2011 [Page 10] Internet-Draft draft-fu-softwire-dslite-mib-00.txt May 2011 DESCRIPTION "This object represents number of IPv6 Bytes received by the virtual interface of AFTR." ::= { DSLiteMIBPortBindRelationEntry 8 } DSLiteMIBPortBindOutIPv4Bytes OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "This object represents number of IPv4 Bytes sent by the AFTR." ::= { DSLiteMIBPortBindRelationEntry 9 } --Module Conformance statement DSLiteMIBGroups OBJECT IDENTIFIER :: = { DSLiteMIBConformance 1 } DSLiteMIBCompliances OBJECT IDENTIFIER :: = { DSLiteMIBConformance 2 } DSLiteMIBCompliance MODULE-COMPLIANCE STATUS current DESCRIPTION "Description of the requirements for conformance to the DS-Lite MIB the AFTR." MODULE - this module MANDATORY - GROUPS { DSLiteMIBRelationInfoGroup } :: = { DSLiteMIBCompliances 1 } DSLiteMIBRelationInfoGroup OBJECT-GROUP OBJECTS { NatAddrBindEntry NatAddrBindEntry, tunnelIfLocalAddress IpAddress, DSLiteMIBBindNumberOfTunnel Gauge32, DSLiteMIBBindInIPv6Packets Counter32, DSLiteMIBBindOutIPv6Packets Counter32, DSLiteMIBBindOutIPv4Packets Counter32, DSLiteMIBBindInIPv6Bytes Counter64, DSLiteMIBBindOutIPv4Bytes Counter64, DSLiteMIBBindOutIPv6Bytes Counter64, natAddrPortBindEntry natAddrPortBindEntry, DSLiteMIBPortBindNumberOfTunnel Gauge32, DSLiteMIBPortBindInIPv6Packets Counter32, DSLiteMIBPortBindOutIPv6Packets Counter32, Fu, et al. Expires November 4, 2011 [Page 11] Internet-Draft draft-fu-softwire-dslite-mib-00.txt May 2011 DSLiteMIBPortBindOutIPv4Packets Counter32, DSLiteMIBPortBindInIPv6Bytes Counter64, DSLiteMIBPortBindOutIPv4Bytes Counter64, DSLiteMIBPortBindOutIPv6Bytes Counter64 } STATUS current DESCRIPTION "The collection of objects which are used to represent the mapping information between tunnel information and currently active NAT BINDs of the AFTR." :: = { DSLiteMIBGroup 1 } END 8. IANA Considerations The MIB module in this document uses the following IANA-assigned OBJECT IDENTIFIER values recorded in the SMI Numbers registry: Descriptor OBJECT IDENTIFIER value ---------- ----------------------- DSLite-MIB { transmission XXX } 9. Security Considerations The DS-Lite MIB module can be used for configuration of certain objects, and anything that can be configured can be incorrectly configured, with potentially disastrous results. Because this MIB module reuse the IP tunnel MIB and nat MIB, the security considerations for these MIBs are also applicable to the DS-Lite MIB. Unauthorized read access to tunnelIfLocalAddress, or any object in the DSLiteMIBBindRelationTable or DSLiteMIBPortBindRelationTable would reveal information about the mapping information. SNMP versions prior to SNMPv3 did not include adequate security. Even if the network itself is secure (for example by using IPSec), even then, there is no control as to who on the secure network is allowed to access and GET/SET (read/change/create/delete) the objects in this MIB module. It is RECOMMENDED that implementers consider the security features as provided by the SNMPv3 framework (see [RFC3410], section 8), including full support for the SNMPv3 cryptographic mechanisms (for authentication and privacy). Fu, et al. Expires November 4, 2011 [Page 12] Internet-Draft draft-fu-softwire-dslite-mib-00.txt May 2011 Further, deployment of SNMP versions prior to SNMPv3 is NOT RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to enable cryptographic security. It is then a customer/operator responsibility to ensure that the SNMP entity giving access to an instance of this MIB module is properly configured to give access to the objects only to those principals (users) that have legitimate rights to indeed GET or SET (change/create/delete) them. 10. References 10.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2578] McCloghrie, K., Perkins, D., and J. Schoenwaelder, "Structure of Management Information Version 2 (SMIv2)", RFC 2578, April 1999. [RFC2579] McCloghrie, K., Perkins, D., and J. Schoenwaelder, "Textual Conventions for SMIv2", RFC 2579, April 1999. [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, "Conformance Statements for SMIv2", RFC 2580, April 1999. [RFC2863] McCloghrie, K. and F. Kastenholz. "The Interfaces Group MIB", RFC 2863, June 2000. [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks", RFC 3411, December 2002. [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. Schoenwaelder, "Textual Conventions for Internet Network Addresses", RFC 4001, February 2005. [RFC4008] Rohit, R., Srisuresh, P., Raghunarayan,R., Pai, N., and Wang, C., "Definitions of Managed Objects for Network Address Translators (NAT)", RFC 4008, March 2005. [RFC4087] Thaler, D., "IP Tunnel MIB", RFC 4087, June 2005. Fu, et al. Expires November 4, 2011 [Page 13] Internet-Draft draft-fu-softwire-dslite-mib-00.txt May 2011 10.2. Informative References [I-D.ietf-softwire-dual-stack-lite] Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual- Stack Lite Broadband Deployments Following IPv4 Exhaustion", draft-ietf-softwire-dual-stack-lite-08 (work in progress), August 2010. [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, "Introduction and Applicability Statements for Internet- Standard Management Framework", RFC 3410, December 2002. 11. Change Log [RFC Editor please remove] draft-fu-softwire-dslite-mib-00, original version, 2011-05-04 Author's Addresses Yu Fu Huawei Technologies Co., Ltd Huawei Building, No.3 Xinxi Rd., Shang-Di Information Industry Base, Hai-Dian District, Beijing 100085 P.R. China Email: fy@huawei.com Sheng Jiang Huawei Technologies Co., Ltd Huawei Building, No.3 Xinxi Rd., Shang-Di Information Industry Base, Hai-Dian District, Beijing 100085 P.R. China Email: shengjiang@huawei.com Yong Cui Tsinghua University Department of Computer Science, Tsinghua University Beijing 100084 P.R. China Email: yong@csnet1.cs.tsinghua.edu.cn Jiang Dong Tsinghua University Department of Computer Science, Tsinghua University Beijing 100084 P.R. China Email: dongjiang@csnet1.cs.tsinghua.edu.cn Fu, et al. Expires November 4, 2011 [Page 14]