natAddrPortBindGlobalAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object specifies the address type used for
         natAddrPortBindGlobalAddr."
    ::= { natAddrPortBindEntry 5 }

natAddrPortBindGlobalAddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object represents the public-realm specific network
         layer address that, in conjunction with
         natAddrPortBindGlobalPort, maps to the private-realm
         network layer address and transport id represented by
         natAddrPortBindLocalAddr and natAddrPortBindLocalPort,
         respectively.

         The type of this address is determined by the value of
         the natAddrPortBindGlobalAddrType object."
    ::= { natAddrPortBindEntry 6 }

natAddrPortBindGlobalPort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "For a protocol value TCP or UDP, this object represents
         the public-realm specific port number. On the other
         hand, for ICMP a bind is created only for query/response
         type ICMP messages such as ICMP echo, Timestamp, and
         Information request messages, and this object represents
         the public-realm specific identifier in the ICMP message,
         as defined in RFC 792 for ICMPv4 and in RFC 2463 for
         ICMPv6.

         This object, together with natAddrPortBindProtocol,
         natAddrPortBindGlobalAddrType, and
         natAddrPortBindGlobalAddr, constitutes a session endpoint
         in the public realm. A bind entry binds a public realm
         specific endpoint to a private realm specific endpoint,
         as represented by the tuple of
         (natAddrPortBindLocalPort, natAddrPortBindProtocol,
         natAddrPortBindLocalAddrType, and
         natAddrPortBindLocalAddr)."
    ::= { natAddrPortBindEntry 7 }

natAddrPortBindId OBJECT-TYPE
    SYNTAX      NatBindId
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object represents a bind id that is dynamically
         assigned to each bind by a NAT enabled device. Each
         bind is represented by a unique bind id across both
         the natAddrBindTable and the natAddrPortBindTable."
    ::= { natAddrPortBindEntry 8 }

natAddrPortBindTranslationEntity OBJECT-TYPE
    SYNTAX      NatTranslationEntity
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object represents the direction of sessions
         for which this bind is applicable and the entity
         (source or destination) within the sessions that is
         subject to translation with the BIND.

         Orientation of the bind can be a superset of the
         translationEntity of the address map entry that
         forms the basis for this bind.

         For example, if the translationEntity of an
         address map entry is outboundSrcEndPoint, the
         translationEntity of a bind derived from this
         map entry may either be outboundSrcEndPoint or
         may be bidirectional (a bitmask of
         outboundSrcEndPoint and inboundDstEndPoint)."
    ::= { natAddrPortBindEntry 9 }

natAddrPortBindType OBJECT-TYPE
    SYNTAX      NatAssociationType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object indicates whether the bind is static or
         dynamic."
    ::= { natAddrPortBindEntry 10 }

natAddrPortBindMapIndex OBJECT-TYPE
    SYNTAX      NatAddrMapId
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object is a pointer to the natAddrMapTable entry
         (and the parameters of that entry) used in
         creating this BIND. This object, in conjunction with the
         ifIndex (which identifies a unique addrMapName), points
         to a unique entry in the natAddrMapTable."
    ::= { natAddrPortBindEntry 11 }

natAddrPortBindSessions OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Number of sessions currently using this BIND."
    ::= { natAddrPortBindEntry 12 }

natAddrPortBindMaxIdleTime OBJECT-TYPE
    SYNTAX      TimeTicks
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object indicates the maximum time for
         which this bind can be idle without any sessions
         attached to it.
         The value of this object is of relevance
         only for dynamic NAT."
    ::= { natAddrPortBindEntry 13 }

natAddrPortBindCurrentIdleTime OBJECT-TYPE
    SYNTAX      TimeTicks
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "At any given instance, this object indicates the
         time that this bind has been idle without any sessions
         attached to it.
         The value of this object is of relevance
         only for dynamic NAT."
    ::= { natAddrPortBindEntry 14 }

natAddrPortBindInTranslates OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of inbound packets that were translated as per
         this bind entry.

         Discontinuities in the value of this counter can occur at
         reinitialization of the management system and at other
         times, as indicated by the value of
         ifCounterDiscontinuityTime on the relevant interface."
    ::= { natAddrPortBindEntry 15 }

natAddrPortBindOutTranslates OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of outbound packets that were translated as per
         this bind entry.

         Discontinuities in the value of this counter can occur at
         reinitialization of the management system and at other
         times, as indicated by the value of
         ifCounterDiscontinuityTime on the relevant interface."
    ::= { natAddrPortBindEntry 16 }

--
-- The Session Table
--

natSessionTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF NatSessionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The (conceptual) table containing one entry for each
         NAT session currently active on this NAT device."
    ::= { natMIBObjects 9 }

natSessionEntry OBJECT-TYPE
    SYNTAX      NatSessionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry (conceptual row) containing information
         about an active NAT session on this NAT device.
         These entries are lost upon agent restart."
    INDEX   { ifIndex, natSessionIndex }
    ::= { natSessionTable 1 }

NatSessionEntry ::= SEQUENCE {
    natSessionIndex                  NatSessionId,
    natSessionPrivateSrcEPBindId     NatBindIdOrZero,
    natSessionPrivateSrcEPBindMode   NatBindMode,
    natSessionPrivateDstEPBindId     NatBindIdOrZero,
    natSessionPrivateDstEPBindMode   NatBindMode,
    natSessionDirection              INTEGER,
    natSessionUpTime                 TimeTicks,
    natSessionAddrMapIndex           NatAddrMapId,
    natSessionProtocolType           NatProtocolType,
    natSessionPrivateAddrType        InetAddressType,
    natSessionPrivateSrcAddr         InetAddress,
    natSessionPrivateSrcPort         InetPortNumber,
    natSessionPrivateDstAddr         InetAddress,
    natSessionPrivateDstPort         InetPortNumber,
    natSessionPublicAddrType         InetAddressType,
    natSessionPublicSrcAddr          InetAddress,
    natSessionPublicSrcPort          InetPortNumber,
    natSessionPublicDstAddr          InetAddress,
    natSessionPublicDstPort          InetPortNumber,
    natSessionMaxIdleTime            TimeTicks,
    natSessionCurrentIdleTime        TimeTicks,
    natSessionInTranslates           Counter64,
    natSessionOutTranslates          Counter64
}

natSessionIndex OBJECT-TYPE
    SYNTAX      NatSessionId
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The session ID for this NAT session."
    ::= { natSessionEntry 1 }

natSessionPrivateSrcEPBindId OBJECT-TYPE
    SYNTAX      NatBindIdOrZero
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The bind id associated between private and public
         source end points. In the case of Symmetric-NAT,
         this should be set to zero."
    ::= { natSessionEntry 2 }

natSessionPrivateSrcEPBindMode OBJECT-TYPE
    SYNTAX      NatBindMode
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object indicates whether the bind indicated
         by the object natSessionPrivateSrcEPBindId
         is an address bind or an address port bind."
    ::= { natSessionEntry 3 }

natSessionPrivateDstEPBindId OBJECT-TYPE
    SYNTAX      NatBindIdOrZero
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The bind id associated between private and public
         destination end points."
    ::= { natSessionEntry 4 }

natSessionPrivateDstEPBindMode OBJECT-TYPE
    SYNTAX      NatBindMode
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object indicates whether the bind indicated
         by the object natSessionPrivateDstEPBindId
         is an address bind or an address port bind."
    ::= { natSessionEntry 5 }

natSessionDirection OBJECT-TYPE
    SYNTAX      INTEGER {
                    inbound (1),
                    outbound (2)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The direction of this session with respect to the
         local network. 'inbound' indicates that this session
         was initiated from the public network into the private
         network. 'outbound' indicates that this session was
         initiated from the private network into the public
         network."
    ::= { natSessionEntry 6 }

natSessionUpTime OBJECT-TYPE
    SYNTAX      TimeTicks
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The up time of this session in one-hundredths of a
         second."
    ::= { natSessionEntry 7 }

natSessionAddrMapIndex OBJECT-TYPE
    SYNTAX      NatAddrMapId
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object is a pointer to the natAddrMapTable entry
         (and the parameters of that entry) used in
         creating this session. This object, in conjunction with
         the ifIndex (which identifies a unique addrMapName),
         points to a unique entry in the natAddrMapTable."
    ::= { natSessionEntry 8 }

natSessionProtocolType OBJECT-TYPE
    SYNTAX      NatProtocolType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The protocol type of this session."
    ::= { natSessionEntry 9 }

natSessionPrivateAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object specifies the address type used for
         natSessionPrivateSrcAddr and natSessionPrivateDstAddr."
    ::= { natSessionEntry 10 }

natSessionPrivateSrcAddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The source IP address of the session endpoint that
         lies in the private network.

         The value of this object must be zero only when the
         natSessionPrivateSrcEPBindId object has a zero value.
         When the value of this object is zero, the NAT session
         lookup will match any IP address to this field.

         The type of this address is determined by the value of
         the natSessionPrivateAddrType object."
    ::= { natSessionEntry 11 }

natSessionPrivateSrcPort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "When the value of protocol is TCP or UDP, this object
         represents the source port in the first packet of
         session while in private-realm. On the other hand,
         when the protocol is ICMP, a NAT session is created
         only for query/response type ICMP messages such as
         ICMP echo, Timestamp, and Information request messages,
         and this object represents the private-realm specific
         identifier in the ICMP message, as defined in RFC 792
         for ICMPv4 and in RFC 2463 for ICMPv6.

         The value of this object must be zero when the
         natSessionPrivateSrcEPBindId object has zero value
         and value of natSessionPrivateSrcEPBindMode is
         addressPortBind(2). In such a case, the NAT session
         lookup will match any port number to this field.

         The value of this object must be zero when the object
         is not a representative field (SrcPort, DstPort, or
         ICMP identifier) of the session tuple in either the
         public realm or the private realm."
    ::= { natSessionEntry 12 }

natSessionPrivateDstAddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The destination IP address of the session endpoint that
         lies in the private network.

         The value of this object must be zero when the
         natSessionPrivateDstEPBindId object has a zero value.
         In such a scenario, the NAT session lookup will match
         any IP address to this field.

         The type of this address is determined by the value of
         the natSessionPrivateAddrType object."
    ::= { natSessionEntry 13 }

natSessionPrivateDstPort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "When the value of protocol is TCP or UDP, this object
         represents the destination port in the first packet
         of session while in private-realm. On the other hand,
         when the protocol is ICMP, this object is not relevant
         and should be set to zero.

         The value of this object must be zero when the
         natSessionPrivateDstEPBindId object has a zero
         value and natSessionPrivateDstEPBindMode is set to
         addressPortBind(2). In such a case, the NAT session
         lookup will match any port number to this field.

         The value of this object must be zero when the object
         is not a representative field (SrcPort, DstPort, or
         ICMP identifier) of the session tuple in either the
         public realm or the private realm."
    ::= { natSessionEntry 14 }

natSessionPublicAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object specifies the address type used for
         natSessionPublicSrcAddr and natSessionPublicDstAddr."
    ::= { natSessionEntry 15 }

natSessionPublicSrcAddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The source IP address of the session endpoint that
         lies in the public network.

         The value of this object must be zero when the
         natSessionPrivateSrcEPBindId object has a zero value.
         In such a scenario, the NAT session lookup will match
         any IP address to this field.

         The type of this address is determined by the value of
         the natSessionPublicAddrType object."
    ::= { natSessionEntry 16 }

natSessionPublicSrcPort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "When the value of protocol is TCP or UDP, this object
         represents the source port in the first packet of
         session while in public-realm. On the other hand,
         when protocol is ICMP, a NAT session is created only
         for query/response type ICMP messages such as ICMP
         echo, Timestamp, and Information request messages, and
         this object represents the public-realm specific
         identifier in the ICMP message, as defined in RFC 792
         for ICMPv4 and in RFC 2463 for ICMPv6.

         The value of this object must be zero when the
         natSessionPrivateSrcEPBindId object has a zero value
         and natSessionPrivateSrcEPBindMode is set to
         addressPortBind(2). In such a scenario, the NAT
         session lookup will match any port number to this
         field.

         The value of this object must be zero when the object
         is not a representative field (SrcPort, DstPort or
         ICMP identifier) of the session tuple in either the
         public realm or the private realm."
    ::= { natSessionEntry 17 }

natSessionPublicDstAddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The destination IP address of the session endpoint that
         lies in the public network.

         The value of this object must be non-zero when the
         natSessionPrivateDstEPBindId object has a non-zero
         value. If the value of this object and the
         corresponding natSessionPrivateDstEPBindId object value
         is zero, then the NAT session lookup will match any IP
         address to this field.

         The type of this address is determined by the value of
         the natSessionPublicAddrType object."
    ::= { natSessionEntry 18 }

natSessionPublicDstPort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "When the value of protocol is TCP or UDP, this object
         represents the destination port in the first packet of
         session while in public-realm. On the other hand,
         when the protocol is ICMP, this object is not relevant
         for translation and should be zero.

         The value of this object must be zero when the
         natSessionPrivateDstEPBindId object has a zero value
         and natSessionPrivateDstEPBindMode is
         addressPortBind(2). In such a scenario, the NAT
         session lookup will match any port number to this
         field.

         The value of this object must be zero when the object
         is not a representative field (SrcPort, DstPort, or
         ICMP identifier) of the session tuple in either the
         public realm or the private realm."
    ::= { natSessionEntry 19 }

natSessionMaxIdleTime OBJECT-TYPE
    SYNTAX      TimeTicks
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The max time for which this session can be idle
         without detecting a packet."
    ::= { natSessionEntry 20 }

natSessionCurrentIdleTime OBJECT-TYPE
    SYNTAX      TimeTicks
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The time since a packet belonging to this session was
         last detected."
    ::= { natSessionEntry 21 }

natSessionInTranslates OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of inbound packets that were translated for
         this session.

         Discontinuities in the value of this counter can occur at
         reinitialization of the management system and at other
         times, as indicated by the value of
         ifCounterDiscontinuityTime on the relevant interface."
    ::= { natSessionEntry 22 }

natSessionOutTranslates OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of outbound packets that were translated for
         this session.

         Discontinuities in the value of this counter can occur at
         reinitialization of the management system and at other
         times, as indicated by the value of
         ifCounterDiscontinuityTime on the relevant interface."
    ::= { natSessionEntry 23 }

--
-- The Protocol table
--

natProtocolTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF NatProtocolEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The (conceptual) table containing per protocol NAT
         statistics."
    ::= { natMIBObjects 10 }

natProtocolEntry OBJECT-TYPE
    SYNTAX      NatProtocolEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry (conceptual row) containing NAT statistics
         pertaining to a particular protocol."
    INDEX   { natProtocol }
    ::= { natProtocolTable 1 }

NatProtocolEntry ::= SEQUENCE {
    natProtocol                 NatProtocolType,
    natProtocolInTranslates     Counter64,
    natProtocolOutTranslates    Counter64,
    natProtocolDiscards         Counter64
}

natProtocol OBJECT-TYPE
    SYNTAX      NatProtocolType
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This object represents the protocol pertaining to which
         parameters are reported."
    ::= { natProtocolEntry 1 }

natProtocolInTranslates OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of inbound packets pertaining to the protocol
         identified by natProtocol that underwent NAT.

         Discontinuities in the value of this counter can occur at
         reinitialization of the management system and at other
         times, as indicated by the value of
         ifCounterDiscontinuityTime on the relevant interface."
    ::= { natProtocolEntry 2 }

natProtocolOutTranslates OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of outbound packets pertaining to the protocol
         identified by natProtocol that underwent NAT.

         Discontinuities in the value of this counter can occur at
         reinitialization of the management system and at other
         times, as indicated by the value of
         ifCounterDiscontinuityTime on the relevant interface."
    ::= { natProtocolEntry 3 }

natProtocolDiscards OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of packets pertaining to the protocol
         identified by natProtocol that had to be
         rejected/dropped due to lack of resources. These
         rejections could be due to session timeout, resource
         unavailability, lack of address space, etc.

         Discontinuities in the value of this counter can occur at
         reinitialization of the management system and at other
         times, as indicated by the value of
         ifCounterDiscontinuityTime on the relevant interface."
    ::= { natProtocolEntry 4 }

--
-- Notifications section
--

natMIBNotifications OBJECT IDENTIFIER ::= { natMIB 0 }

--
-- Notifications
--

natPacketDiscard NOTIFICATION-TYPE
    OBJECTS     { ifIndex }
    STATUS      current
    DESCRIPTION
        "This notification is generated when IP packets are
         discarded by the NAT function; e.g., due to lack of
         mapping space when NAT is out of addresses or ports.

         Note that the generation of natPacketDiscard
         notifications is throttled by the agent, as specified
         by the 'natNotifThrottlingInterval' object."
    ::= { natMIBNotifications 1 }

--
-- Conformance information.
--

natMIBConformance OBJECT IDENTIFIER ::= { natMIB 2 }

natMIBGroups      OBJECT IDENTIFIER ::= { natMIBConformance 1 }
natMIBCompliances OBJECT IDENTIFIER ::= { natMIBConformance 2 }

--
-- Units of conformance
--

natConfigGroup OBJECT-GROUP
    OBJECTS { natInterfaceRealm,
              natInterfaceServiceType,
              natInterfaceStorageType,
              natInterfaceRowStatus,
              natAddrMapName,
              natAddrMapEntryType,
              natAddrMapTranslationEntity,
              natAddrMapLocalAddrType,
              natAddrMapLocalAddrFrom,
              natAddrMapLocalAddrTo,
              natAddrMapLocalPortFrom,
              natAddrMapLocalPortTo,
              natAddrMapGlobalAddrType,
              natAddrMapGlobalAddrFrom,
              natAddrMapGlobalAddrTo,
              natAddrMapGlobalPortFrom,
              natAddrMapGlobalPortTo,
              natAddrMapProtocol,
              natAddrMapStorageType,
              natAddrMapRowStatus,
              natBindDefIdleTimeout,
              natUdpDefIdleTimeout,
              natIcmpDefIdleTimeout,
              natOtherDefIdleTimeout,
              natTcpDefIdleTimeout,
              natTcpDefNegTimeout,
              natNotifThrottlingInterval }
    STATUS  current
    DESCRIPTION
        "A collection of configuration-related information
         required to support management of devices supporting
         NAT."
    ::= { natMIBGroups 1 }

natTranslationGroup OBJECT-GROUP
    OBJECTS { natAddrBindNumberOfEntries,
              natAddrBindGlobalAddrType,
              natAddrBindGlobalAddr,
              natAddrBindId,
              natAddrBindTranslationEntity,
              natAddrBindType,
              natAddrBindMapIndex,
              natAddrBindSessions,
              natAddrBindMaxIdleTime,
              natAddrBindCurrentIdleTime,
              natAddrBindInTranslates,
              natAddrBindOutTranslates,
              natAddrPortBindNumberOfEntries,
              natAddrPortBindGlobalAddrType,
              natAddrPortBindGlobalAddr,
              natAddrPortBindGlobalPort,
              natAddrPortBindId,
              natAddrPortBindTranslationEntity,
              natAddrPortBindType,
              natAddrPortBindMapIndex,
              natAddrPortBindSessions,
              natAddrPortBindMaxIdleTime,
              natAddrPortBindCurrentIdleTime,
              natAddrPortBindInTranslates,
              natAddrPortBindOutTranslates,
              natSessionPrivateSrcEPBindId,
              natSessionPrivateSrcEPBindMode,
              natSessionPrivateDstEPBindId,
              natSessionPrivateDstEPBindMode,
              natSessionDirection,
              natSessionUpTime,
              natSessionAddrMapIndex,
              natSessionProtocolType,
              natSessionPrivateAddrType,
              natSessionPrivateSrcAddr,
              natSessionPrivateSrcPort,
              natSessionPrivateDstAddr,
              natSessionPrivateDstPort,
              natSessionPublicAddrType,
              natSessionPublicSrcAddr,
              natSessionPublicSrcPort,
              natSessionPublicDstAddr,
              natSessionPublicDstPort,
              natSessionMaxIdleTime,
              natSessionCurrentIdleTime,
              natSessionInTranslates,
              natSessionOutTranslates }
    STATUS  current
    DESCRIPTION
        "A collection of BIND-related objects required to support
         management of devices supporting NAT."
    ::= { natMIBGroups 2 }

natStatsInterfaceGroup OBJECT-GROUP
    OBJECTS { natInterfaceInTranslates,
              natInterfaceOutTranslates,
              natInterfaceDiscards }
    STATUS  current
    DESCRIPTION
        "A collection of NAT statistics associated with the
         interface on which NAT is configured, to aid
         troubleshooting/monitoring of the NAT operation."
    ::= { natMIBGroups 3 }

natStatsProtocolGroup OBJECT-GROUP
    OBJECTS { natProtocolInTranslates,
              natProtocolOutTranslates,
              natProtocolDiscards }
    STATUS  current
    DESCRIPTION
        "A collection of protocol specific NAT statistics,
         to aid troubleshooting/monitoring of NAT operation."
    ::= { natMIBGroups 4 }

natStatsAddrMapGroup OBJECT-GROUP
    OBJECTS { natAddrMapInTranslates,
              natAddrMapOutTranslates,
              natAddrMapDiscards,
              natAddrMapAddrUsed }
    STATUS  current
    DESCRIPTION
        "A collection of address map specific NAT statistics,
         to aid troubleshooting/monitoring of NAT operation."
    ::= { natMIBGroups 5 }

natMIBNotificationGroup NOTIFICATION-GROUP
    NOTIFICATIONS { natPacketDiscard }
    STATUS        current
    DESCRIPTION
        "A collection of notifications generated by
         devices supporting this MIB."
    ::= { natMIBGroups 6 }

--
-- Compliance statements
--

natMIBFullCompliance MODULE-COMPLIANCE
    STATUS  current
    DESCRIPTION
        "When this MIB is implemented with support for
         read-create, then such an implementation can claim
         full compliance. Such devices can then be both
         monitored and configured with this MIB.

         The following index objects cannot be added as OBJECT
         clauses but nevertheless have the compliance
         requirements:
         "
         -- OBJECT natAddrBindLocalAddrType
         -- SYNTAX InetAddressType { ipv4(1), ipv6(2) }
         -- DESCRIPTION
         --     "An implementation is required to support
         --      global IPv4 and/or IPv6 addresses, depending
         --      on its support for IPv4 and IPv6."

         -- OBJECT natAddrBindLocalAddr
         -- SYNTAX InetAddress (SIZE(4|16))
         -- DESCRIPTION
         --     "An implementation is required to support
         --      global IPv4 and/or IPv6 addresses, depending
         --      on its support for IPv4 and IPv6."

         -- OBJECT natAddrPortBindLocalAddrType
         -- SYNTAX InetAddressType { ipv4(1), ipv6(2) }
         -- DESCRIPTION
         --     "An implementation is required to support
         --      global IPv4 and/or IPv6 addresses, depending
         --      on its support for IPv4 and IPv6."

         -- OBJECT natAddrPortBindLocalAddr
         -- SYNTAX InetAddress (SIZE(4|16))
         -- DESCRIPTION
         --     "An implementation is required to support
         --      global IPv4 and/or IPv6 addresses, depending
         --      on its support for IPv4 and IPv6."

    MODULE IF-MIB -- The interfaces MIB, RFC2863
        MANDATORY-GROUPS {
            ifCounterDiscontinuityGroup
        }

    MODULE -- this module
        MANDATORY-GROUPS { natConfigGroup, natTranslationGroup,
                           natStatsInterfaceGroup }

        GROUP       natStatsProtocolGroup
        DESCRIPTION
            "This group is optional."

        GROUP       natStatsAddrMapGroup
        DESCRIPTION
            "This group is optional."

        GROUP       natMIBNotificationGroup
        DESCRIPTION
            "This group is optional."

        OBJECT natAddrMapLocalAddrType
        SYNTAX InetAddressType { ipv4(1), ipv6(2) }
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses, depending on its support
             for IPv4 and IPv6."

        OBJECT natAddrMapLocalAddrFrom
        SYNTAX InetAddress (SIZE(4|16))
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses, depending on its support
             for IPv4 and IPv6."

        OBJECT natAddrMapLocalAddrTo
        SYNTAX InetAddress (SIZE(4|16))
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses, depending on its support
             for IPv4 and IPv6."

        OBJECT natAddrMapGlobalAddrType
        SYNTAX InetAddressType { ipv4(1), ipv6(2) }
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses, depending on its support
             for IPv4 and IPv6."

        OBJECT natAddrMapGlobalAddrFrom
        SYNTAX InetAddress (SIZE(4|16))
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses, depending on its support
             for IPv4 and IPv6."

        OBJECT natAddrMapGlobalAddrTo
        SYNTAX InetAddress (SIZE(4|16))
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses, depending on its support
             for IPv4 and IPv6."

        OBJECT natAddrBindGlobalAddrType
        SYNTAX InetAddressType { ipv4(1), ipv6(2) }
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses, depending on its support
             for IPv4 and IPv6."

        OBJECT natAddrBindGlobalAddr
        SYNTAX InetAddress (SIZE(4|16))
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses, depending on its support
             for IPv4 and IPv6."

        OBJECT natAddrPortBindGlobalAddrType
        SYNTAX InetAddressType { ipv4(1), ipv6(2) }
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses, depending on its support
             for IPv4 and IPv6."

        OBJECT natAddrPortBindGlobalAddr
        SYNTAX InetAddress (SIZE(4|16))
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses, depending on its support
             for IPv4 and IPv6."

        OBJECT natSessionPrivateAddrType
        SYNTAX InetAddressType { ipv4(1), ipv6(2) }
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses, depending on its support
             for IPv4 and IPv6."

        OBJECT natSessionPrivateSrcAddr
        SYNTAX InetAddress (SIZE(4|16))
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses, depending on its support
             for IPv4 and IPv6."

        OBJECT natSessionPrivateDstAddr
        SYNTAX InetAddress (SIZE(4|16))
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses, depending on its support
             for IPv4 and IPv6."

        OBJECT natSessionPublicAddrType
        SYNTAX InetAddressType { ipv4(1), ipv6(2) }
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses, depending on its support
             for IPv4 and IPv6."

        OBJECT natSessionPublicSrcAddr
        SYNTAX InetAddress (SIZE(4|16))
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses, depending on its support
             for IPv4 and IPv6."

        OBJECT natSessionPublicDstAddr
        SYNTAX InetAddress (SIZE(4|16))
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses, depending on its support
             for IPv4 and IPv6."
    ::= { natMIBCompliances 1 }

natMIBReadOnlyCompliance MODULE-COMPLIANCE
    STATUS  current
    DESCRIPTION
        "When this MIB is implemented without support for
         read-create (i.e., in read-only mode), then such an
         implementation can claim read-only compliance.
         Such a device can then be monitored but cannot be
         configured with this MIB.

         The following index objects cannot be added as OBJECT
         clauses but nevertheless have the compliance
         requirements:
         "
         -- OBJECT natAddrBindLocalAddrType
         -- SYNTAX InetAddressType { ipv4(1), ipv6(2) }
         -- DESCRIPTION
         --     "An implementation is required to support
         --      global IPv4 and/or IPv6 addresses, depending
         --      on its support for IPv4 and IPv6."

         -- OBJECT natAddrBindLocalAddr
         -- SYNTAX InetAddress (SIZE(4|16))
         -- DESCRIPTION
         --     "An implementation is required to support
         --      global IPv4 and/or IPv6 addresses, depending
         --      on its support for IPv4 and IPv6."

         -- OBJECT natAddrPortBindLocalAddrType
         -- SYNTAX InetAddressType { ipv4(1), ipv6(2) }
         -- DESCRIPTION
         --     "An implementation is required to support
         --      global IPv4 and/or IPv6 addresses, depending
         --      on its support for IPv4 and IPv6."

         -- OBJECT natAddrPortBindLocalAddr
         -- SYNTAX InetAddress (SIZE(4|16))
         -- DESCRIPTION
         --     "An implementation is required to support
         --      global IPv4 and/or IPv6 addresses, depending
         --      on its support for IPv4 and IPv6."

    MODULE IF-MIB -- The interfaces MIB, RFC2863
        MANDATORY-GROUPS {
            ifCounterDiscontinuityGroup
        }

    MODULE -- this module
        MANDATORY-GROUPS { natConfigGroup, natTranslationGroup,
                           natStatsInterfaceGroup }

        GROUP       natStatsProtocolGroup
        DESCRIPTION
            "This group is optional."

        GROUP       natStatsAddrMapGroup
        DESCRIPTION
            "This group is optional."

        GROUP       natMIBNotificationGroup
        DESCRIPTION
            "This group is optional."

        OBJECT natInterfaceRowStatus
        SYNTAX RowStatus { active(1) }
        MIN-ACCESS read-only
        DESCRIPTION
            "Write access is not required, and active is the only
             status that needs to be supported."

        OBJECT natAddrMapLocalAddrType
        SYNTAX InetAddressType { ipv4(1), ipv6(2) }
        MIN-ACCESS read-only
        DESCRIPTION
            "Write access is not required. An implementation is
             required to support global IPv4 and/or IPv6 addresses,
             depending on its support for IPv4 and IPv6."

        OBJECT natAddrMapLocalAddrFrom
        SYNTAX InetAddress (SIZE(4|16))
        MIN-ACCESS read-only
        DESCRIPTION
            "Write access is not required. An implementation is
             required to support global IPv4 and/or IPv6 addresses,
             depending on its support for IPv4 and IPv6."

        OBJECT natAddrMapLocalAddrTo
        SYNTAX InetAddress (SIZE(4|16))
        MIN-ACCESS read-only
        DESCRIPTION
            "Write access is not required. An implementation is
             required to support global IPv4 and/or IPv6 addresses,
             depending on its support for IPv4 and IPv6."

        OBJECT natAddrMapGlobalAddrType
        SYNTAX InetAddressType { ipv4(1), ipv6(2) }
        MIN-ACCESS read-only
        DESCRIPTION
            "Write access is not required. An implementation is
             required to support global IPv4 and/or IPv6 addresses,
             depending on its support for IPv4 and IPv6."

        OBJECT natAddrMapGlobalAddrFrom
        SYNTAX InetAddress (SIZE(4|16))
        MIN-ACCESS read-only
        DESCRIPTION
            "Write access is not required. An implementation is
             required to support global IPv4 and/or IPv6 addresses,
             depending on its support for IPv4 and IPv6."

        OBJECT natAddrMapGlobalAddrTo
        SYNTAX InetAddress (SIZE(4|16))
        MIN-ACCESS read-only
        DESCRIPTION
            "Write access is not required. An implementation is
             required to support global IPv4 and/or IPv6 addresses,
             depending on its support for IPv4 and IPv6."

        OBJECT natAddrMapRowStatus
        SYNTAX RowStatus { active(1) }
        MIN-ACCESS read-only
        DESCRIPTION
            "Write access is not required, and active is the only
             status that needs to be supported."

        OBJECT natAddrBindGlobalAddrType
        SYNTAX InetAddressType { ipv4(1), ipv6(2) }
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses, depending on its support
             for IPv4 and IPv6."

        OBJECT natAddrBindGlobalAddr
        SYNTAX InetAddress (SIZE(4|16))
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses, depending on its support
             for IPv4 and IPv6."

        OBJECT natAddrPortBindGlobalAddrType
        SYNTAX InetAddressType { ipv4(1), ipv6(2) }
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses, depending on its support
             for IPv4 and IPv6."

        OBJECT natAddrPortBindGlobalAddr
        SYNTAX InetAddress (SIZE(4|16))
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses, depending on its support
             for IPv4 and IPv6."

        OBJECT natSessionPrivateAddrType
        SYNTAX InetAddressType { ipv4(1), ipv6(2) }
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses, depending on its support
             for IPv4 and IPv6."

        OBJECT natSessionPrivateSrcAddr
        SYNTAX InetAddress (SIZE(4|16))
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses, depending on its support
             for IPv4 and IPv6."

        OBJECT natSessionPrivateDstAddr
        SYNTAX InetAddress (SIZE(4|16))
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses, depending on its support
             for IPv4 and IPv6."

        OBJECT natSessionPublicAddrType
        SYNTAX InetAddressType { ipv4(1), ipv6(2) }
        DESCRIPTION
            "An implementation is required to support global IPv4
             and/or IPv6 addresses, depending on its support
             for IPv4 and IPv6."

        OBJECT natSessionPublicSrcAddr
SYNTAX InetAddress (SIZE(4|16)) DESCRIPTION "An implementation is required to support global IPv4 and/or IPv6 addresses, depending on its support for IPv4 and IPv6." OBJECT natSessionPublicDstAddr SYNTAX InetAddress (SIZE(4|16)) DESCRIPTION "An implementation is required to support global IPv4 and/or IPv6 addresses, depending on its support for IPv4 and IPv6." ::= { natMIBCompliances 2 } END

6. Acknowledgements
The authors of the document would like to thank Randy Turner, Ashwini S.T., Kevin Luehrs, Sam Sankoorikal, and Juergen Quittek for their valuable feedback. The authors would like to especially thank Juergen Schoenwaelder for his patient and fine-combed review and detailed comments as a MIB doctor. The NAT MIB is much clearer and flatter as a result of Juergen's suggestions.

7. Security Considerations
It is clear that this MIB can potentially be useful for configuration. Unauthorized access to the write-able objects could cause a denial of service and/or widespread network disturbance. Hence, the support for SET operations in a non-secure environment without proper protection can have a negative effect on network operations.

At this writing, no security holes have been identified beyond those that SNMP Security is itself intended to address. These relate primarily to controlled access to sensitive information and the ability to configure a device - or which might result from operator error, which is beyond the scope of any security architecture.

There are a number of managed objects in this MIB that may contain information that may be sensitive from a business perspective, in that they may represent NAT bind and session information. The NAT bind and session objects reveal the identity of private hosts that are engaged in a session with external end nodes. A curious outsider could monitor these two objects to assess the number of private hosts being supported by the NAT device. Further, a disgruntled former employee of an enterprise could use the NAT bind and session information to break into specific private hosts by intercepting the existing sessions or originating new sessions into the host.

There are no objects that are sensitive in their own right, such as passwords or monetary amounts.

It may even be important to control GET access to these objects and possibly to encrypt the values of these objects when they are sent over the network via SNMP. Not all versions of SNMP provide features for such a secure environment.

SNMP versions prior to SNMPv3 did not include adequate security. Even if the network itself is secure (for example by using IPSec), even then, there is no control as to who on the secure network is allowed to access and GET/SET (read/change/create/delete) the objects in this MIB.

It is recommended that the implementers consider the security features as provided by the SNMPv3 framework (see [RFC3410], section 8), including full support for the SNMPv3 cryptographic mechanisms (for authentication and privacy).

Further, deployment of SNMP versions prior to SNMPv3 is NOT RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to enable cryptographic security. It is then a customer/operator responsibility to ensure that the SNMP entity giving access to an instance of this MIB module is properly configured to give access to the objects only to those principals (users) that have legitimate rights to indeed GET or SET (change/create/delete) them.

8. References
8.1. Normative References
[RFC2578] McCloghrie, K., Perkins, D., and J. Schoenwaelder, "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

[RFC2579] McCloghrie, K., Perkins, D., and J. Schoenwaelder, "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999.

[RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, "Conformance Statements for SMIv2", STD 58, RFC 2580, April 1999.

[RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network Address Translator (Traditional NAT)", RFC 3022, January 2001.

[RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address Translator (NAT) Terminology and Considerations", RFC 2663, August 1999.

[RFC4001] Daniele, M., Haberman, B., Routhier, S., Schoenwaelder, J., "Textual Conventions for Internet Network Addresses", RFC 4001, February 2005.

[RFC792] Postel, J., "Internet Control Message Protocol", STD 5, RFC 792, September 1981.

[RFC3489] Rosenberg, J., Weinberger, J., Huitema, C., and R. Mahy, "STUN - Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs)", RFC 3489, March 2003.

[RFC2863] McCloghrie, K. and F. Kastenholz, "The Interfaces Group MIB", RFC 2863, June 2000.

[RFC2463] Conta, A. and S. Deering, "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification", RFC 2463, December 1998.

[RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, December 2002.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC3413] Levi, D., Meyer, P., and B. Stewart, "Simple Network Management Protocol (SNMP) Applications", STD 62, RFC 3413, December 2002.

8.2. Informative References
[RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., and E. Lear, "Address Allocation for Private Internets", BCP 5, RFC 1918, February 1996.

[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, "Introduction and Applicability Statements for Internet-Standard Management Framework", RFC 3410, December 2002.
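Section 7 recommends SNMPv3 with authentication and privacy, and access to this MIB limited to legitimate principals. The following added example (not part of the RFC) audits a net-snmp style snmpd.conf for access lines that expose the NAT MIB contrary to that advice; the sample configuration, its user names and networks, and the subset of directives handled are assumptions of this example.

```python
# Added example (not from the RFC): audit net-snmp snmpd.conf access lines.
NAT_MIB = (1, 3, 6, 1, 2, 1, 123)   # natMIB root, { mib-2 123 }
COMMUNITY = ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6")

# Constructed sample configuration; all names and networks are made up.
SAMPLE_CONF = """
rocommunity public default
rocommunity monitor 192.0.2.0/24 .1.3.6.1.2.1.1
rouser natreader priv -V natview
rwuser natadmin auth .1.3.6.1.2.1.123
rouser ifwatch auth .1.3.6.1.2.1.2
view natview included .1.3.6.1.2.1.123
"""

def parse_oid(text):
    # Numeric OIDs only; symbolic names are not resolved here.
    return tuple(int(p) for p in text.strip(".").split("."))

def overlaps(subtree, target):
    # True when the subtree contains the target or lies inside it.
    n = min(len(subtree), len(target))
    return subtree[:n] == target[:n]

def audit(conf_text):
    views, rules, findings = {}, [], []
    for line in conf_text.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) < 2:
            continue
        # Excluded subtrees and view masks are ignored, so this over-reports.
        if tok[0] == "view" and len(tok) >= 4 and tok[2] == "included":
            views.setdefault(tok[1], []).append(parse_oid(tok[3]))
        elif tok[0] in COMMUNITY:             # COMMUNITY [SOURCE [OID | -V VIEW]]
            rules.append((tok[0], tok[1], "community", tok[3:]))
        elif tok[0] in ("rouser", "rwuser"):  # USER [LEVEL [OID | -V VIEW]]
            rules.append((tok[0], tok[1], tok[2] if len(tok) > 2 else "auth", tok[3:]))
    for directive, name, level, scope in rules:
        if scope[:1] == ["-V"]:
            subtrees = views.get(scope[1], []) if len(scope) > 1 else []
        else:
            subtrees = [parse_oid(scope[0])] if scope else [()]  # () = whole tree
        if not any(overlaps(s, NAT_MIB) for s in subtrees):
            continue
        if level == "community":
            findings.append((name, "pre-SNMPv3 community can read NAT MIB"))
        elif level != "priv":
            findings.append((name, "SNMPv3 without privacy exposes NAT binds/sessions"))
        if directive.startswith("rw"):
            findings.append((name, "SET access to NAT MIB; confirm principal"))
    return findings
```

Running `audit(SAMPLE_CONF)` flags the unrestricted community and the `auth`-only read-write user, and leaves the `priv` user with a NAT-only view and the users scoped to other subtrees unflagged.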
Authors' Addresses
R. Rohit
Mascon Global Limited
#59/2 100 ft Ring Road
Banashankari II Stage
Bangalore 560 070
India
Phone: +91 80 679 6227
EMail: rrohit74@hotmail.com

P. Srisuresh
Caymas Systems, Inc.
1179-A North McDowell Blvd.
Petaluma, CA 94954
Phone: (707) 283-5063
EMail: srisuresh@yahoo.com

Rajiv Raghunarayan
Cisco Systems Inc.
170 West Tasman Drive
San Jose, CA 95134
Phone: +1 408 853 9612
EMail: raraghun@cisco.com

Nalinaksh Pai
Cisco Systems, Inc.
Prestige Waterford
No. 9, Brunton Road
Bangalore - 560 025
India
Phone: +91 80 532 1300 extn. 6354
EMail: npai@cisco.com

Cliff Wang
Information Security
Bank One Corp
1111 Polaris Pkwy
Columbus, OH 43240
Phone: +1 614 213 6117
EMail: cliffwang2000@yahoo.com
Full Copyright Statement

Copyright (C) The Internet Society (2005).

This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.