RFC 5190
Definitions of Managed Objects for Middlebox Communication
Pages: 92
Proposed Standard
Proposed Standard
Part 4 of 4 – Pages 63 to 92
Writing to this object is processed by the MIDCOM-MIB
implementation by choosing a lifetime value that is
greater than 0 and less than or equal to the minimum of
the requested value and the value specified by object
midcomConfigMaxLifetime:
0 <= lt_granted <= MINIMUM(lt_requested, lt_maximum)
where:
- lt_granted is the actually granted lifetime by the
MIDCOM-MIB implementation
- lt_requested is the requested lifetime of the MIDCOM
client
- lt_maximum is the value of object
midcomConfigMaxLifetime
SNMP SET requests to this object may be rejected or the
value of the object after an accepted SET operation may be
less than the value that was contained in the SNMP SET
request.
Successfully writing a value of 0 terminates the policy
rule. Note that after a policy rule is terminated, still
the entry will exist as long as indicated by the value of
midcomRuleStorageTime.
Writing to this object in any state other than
newEntry(1), setting(2), reserved(7), or enabled(7)
will always fail with an 'inconsistentValue' error.
Note that this error code is SNMP specific. If the MIB
module is used with other protocols than SNMP, errors with
similar semantics specific to those protocols should be
returned.
If object midcomRuleOperStatus of the same entry has a
value other than newEntry(1), setting(2), reserved(7), or
enabled(8), then the value of this object is irrelevant."
DEFVAL { 180 }
::= { midcomRuleEntry 26 }
midcomRuleRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"A control that allows entries to be added and removed from
this table.
Entries can also be removed from this table by setting
objects midcomRuleLifetime and midcomRuleStorageTime of
an entry to 0.
Attempts to set a row notInService(2) where the value
of the midcomRuleStorageType object is permanent(4) or
readOnly(5) will result in an 'notWritable' error.
Note that this error code is SNMP specific. If the MIB
module is used with other protocols than SNMP, errors with
similar semantics specific to those protocols should be
returned.
The value of this object has no effect on whether other
objects in this conceptual row can be modified."
::= { midcomRuleEntry 27 }
--
-- Policy rule group subtree
--
-- The midcomGroupTable lists all current policy rule groups.
--
midcomGroupTable OBJECT-TYPE
SYNTAX SEQUENCE OF MidcomGroupEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table lists all current policy rule groups.
Entries in this table are created or removed
implicitly when entries in the midcomRuleTable are
created or removed, respectively. A group entry
in this table only exists as long as there are
member rules of this group in the midcomRuleTable.
The table serves for listing the existing groups and
their remaining lifetimes and for changing lifetimes
of groups and implicitly of all group members.
Groups and all their member policy rules can only be
deleted by deleting all member policies in the
midcomRuleTable.
Setting midcomGroupLifetime will result in setting
the lifetime of all policy members to the same value."
::= { midcomTransaction 4 }
midcomGroupEntry OBJECT-TYPE
SYNTAX MidcomGroupEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry describing properties of a particular
MIDCOM policy rule group."
INDEX { midcomRuleOwner, midcomGroupIndex }
::= { midcomGroupTable 1 }
MidcomGroupEntry ::= SEQUENCE {
midcomGroupIndex Unsigned32,
midcomGroupLifetime Unsigned32
}
midcomGroupIndex OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The index of this group for the midcomRuleOwner.
A group is identified by the combination of
midcomRuleOwner and midcomGroupIndex.
The value of this index must be unique per
midcomRuleOwner."
::= { midcomGroupEntry 2 }
midcomGroupLifetime OBJECT-TYPE
SYNTAX Unsigned32
UNITS "seconds"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"When retrieved, this object delivers the maximum
lifetime in seconds of all member rules of this group,
i.e., of all rows in the midcomRuleTable that have the
same values for midcomRuleOwner and midcomGroupIndex.
Successfully writing to this object modifies the
lifetime of all member policies. Successfully
writing a value of 0 terminates all member policies
and implicitly deletes the group as soon as all member
entries are removed from the midcomRuleTable.
Note that after a group's lifetime is expired or is
set to 0, still the corresponding entry in the
midcomGroupTable will exist as long as terminated
member policy rules are stored as entries in the
midcomRuleTable.
Writing to this object is processed by the MIDCOM-MIB
implementation by choosing a lifetime value that is
greater than 0 and less than or equal to the minimum of
the requested value and the value specified by object
midcomConfigMaxLifetime:
0 <= lt_granted <= MINIMUM(lt_requested, lt_maximum)
where:
- lt_granted is the actually granted lifetime by the
MIDCOM-MIB implementation
- lt_requested is the requested lifetime of the MIDCOM
client
- lt_maximum is the value of object
midcomConfigMaxLifetime
SNMP SET requests to this object may be rejected or the
value of the object after an accepted SET operation may be
less than the value that was contained in the SNMP SET
request."
::= { midcomGroupEntry 3 }
--
-- Configuration Objects
--
-- Configuration objects that can be used for retrieving
-- middlebox capability information (mandatory) and for
-- setting parameters of the implementation of transaction
-- objects (optional).
--
-- Note that typically configuration objects are not intended
-- to be written by MIDCOM clients. In general, write access
-- to these objects needs to be restricted more strictly than
-- write access to transaction objects.
--
--
-- Capabilities subtree
--
-- This subtree contains objects to which MIDCOM clients should
-- have read access.
--
midcomConfigMaxLifetime OBJECT-TYPE
SYNTAX Unsigned32
UNITS "seconds"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"When retrieved, this object returns the maximum lifetime,
in seconds, that this middlebox allows policy rules to
have."
::= { midcomConfig 1 }
midcomConfigPersistentRules OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"When retrieved, this object returns true(1) if the
MIDCOM-MIB implementation can store policy rules
persistently. Otherwise, it returns false(2).
A value of true(1) indicates that there may be
entries in the midcomRuleTable with object
midcomRuleStorageType set to value nonVolatile(3)."
::= { midcomConfig 2 }
midcomConfigIfTable OBJECT-TYPE
SYNTAX SEQUENCE OF MidcomConfigIfEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table indicates capabilities of the MIDCOM-MIB
implementation per IP interface.
The table is indexed by the object midcomConfigIfIndex.
For indexing a single interface, this object contains
the value of the ifIndex object that is associated
with the interface. If an entry with
midcomConfigIfIndex = 0 occurs, then bits set in
objects of this entry apply to all interfaces for which
there is no entry in this table with the interface's
index."
::= { midcomConfig 3 }
midcomConfigIfEntry OBJECT-TYPE
SYNTAX MidcomConfigIfEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry describing the capabilities of a middlebox
with respect to the indexed IP interface."
INDEX { midcomConfigIfIndex }
::= { midcomConfigIfTable 1 }
MidcomConfigIfEntry ::= SEQUENCE {
midcomConfigIfIndex InterfaceIndexOrZero,
midcomConfigIfBits BITS,
midcomConfigIfEnabled TruthValue
}
midcomConfigIfIndex OBJECT-TYPE
SYNTAX InterfaceIndexOrZero
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The index of an entry in the midcomConfigIfTable.
For values different from zero, this object
identifies an IP interface by containing the same
value as the ifIndex object associated with the
interface.
Note that the index of a particular interface in the
ifTable may change after a re-initialization of the
middlebox, for example, after adding another interface to
it. In such a case, the value of this object may change,
but the interface referred to by the MIDCOM-MIB MUST still
be the same. If, after a re-initialization of the
middlebox, the interface referred to before
re-initialization cannot be uniquely mapped anymore to a
particular entry in the ifTable, then the value of object
midcomConfigIfEnabled of the same entry MUST be changed to
false(2).
If the object has a value of 0, then values
specified by further objects of the same entry
apply to all interfaces for which there is no
explicit entry in the midcomConfigIfTable."
::= { midcomConfigIfEntry 1 }
midcomConfigIfBits OBJECT-TYPE
SYNTAX BITS {
ipv4(0),
ipv6(1),
addressWildcards(2),
portWildcards(3),
firewall(4),
nat(5),
portTranslation(6),
protocolTranslation(7),
twiceNat(8),
inside(9)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"When retrieved, this object returns a set of bits
indicating the capabilities (or configuration) of
the middlebox with respect to the referenced IP interface.
If the index equals 0, then all set bits apply to all
interfaces.
If the ipv4(0) bit is set, then the middlebox supports
IPv4 at the indexed IP interface.
If the ipv6(1) bit is set, then the middlebox supports
IPv6 at the indexed IP interface.
If the addressWildcards(2) bit is set, then the
middlebox supports IP address wildcarding at the indexed
IP interface.
If the portWildcards(3) bit is set, then the
middlebox supports port wildcarding at the indexed
IP interface.
If the firewall(4) bit is set, then the middlebox offers
firewall functionality at the indexed interface.
If the nat(5) bit is set, then the middlebox offers
network address translation service at the indexed
interface.
If the portTranslation(6) bit is set, then the middlebox
offers port translation service at the indexed interface.
This bit is only relevant if nat(5) is set.
If the protocolTranslation(7) bit is set, then the
middlebox offers protocol translation service between
IPv4 and IPv6 at the indexed interface. This bit is only
relevant if nat(5) is set.
If the twiceNat(8) bit is set, then the middlebox offers
twice network address translation service at the indexed
interface. This bit is only relevant if nat(5) is set.
If the inside(9) bit is set, then the indexed interface is
an inside interface with respect to NAT functionality.
Otherwise, it is an outside interface. This bit is only
relevant if nat(5) is set. An SNMP agent supporting both
the MIDCOM-MIB module and the NAT-MIB module SHOULD ensure
that the value of this object is consistent with the values
of corresponding objects in the NAT-MIB module."
::= { midcomConfigIfEntry 2 }
midcomConfigIfEnabled OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The value of this object indicates the availability of
the middlebox service described by midcomConfigIfBits
at the indexed IP interface.
By writing to this object, the MIDCOM support for the
entire IP interface can be switched on or off. Setting
this object to false(2) immediately stops middlebox
support at the indexed IP interface. This implies that
all policy rules that use NAT or firewall resources at
the indexed IP interface are terminated immediately.
In this case, the MIDCOM agent MUST send
midcomUnsolicitedRuleEvent to all MIDCOM clients that
have access to one of the terminated rules."
DEFVAL { true }
::= { midcomConfigIfEntry 3 }
--
-- Firewall subtree
--
-- This subtree contains the firewall configuration table
--
midcomConfigFirewallTable OBJECT-TYPE
SYNTAX SEQUENCE OF MidcomConfigFirewallEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table lists the firewall configuration per IP interface.
It can be used for configuring how policy rules created by
MIDCOM clients are realized as firewall rules of a firewall
implementation. Particularly, the priority used for MIDCOM
policy rules can be configured. For a single firewall
implementation at a particular IP interface, all MIDCOM
policy rules are realized as firewall rules with the same
priority. Also, a firewall rule group name can be
configured.
The table is indexed by the object midcomConfigFirewallIndex.
For indexing a single interface, this object contains the
value of the ifIndex object that is associated with the
interface. If an entry with midcomConfigFirewallIndex = 0
occurs, then bits set in objects of this entry apply to all
interfaces for which there is no entry in this table for the
interface's index."
::= { midcomConfig 4 }
midcomConfigFirewallEntry OBJECT-TYPE
SYNTAX MidcomConfigFirewallEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry describing a particular set of
firewall resources."
INDEX { midcomConfigFirewallIndex }
::= { midcomConfigFirewallTable 1 }
MidcomConfigFirewallEntry ::= SEQUENCE {
midcomConfigFirewallIndex InterfaceIndexOrZero,
midcomConfigFirewallGroupId SnmpAdminString,
midcomConfigFirewallPriority Unsigned32
}
midcomConfigFirewallIndex OBJECT-TYPE
SYNTAX InterfaceIndexOrZero
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The index of an entry in the midcomConfigFirewallTable.
For values different from 0, this object identifies an
IP interface by containing the same value as the ifIndex
object associated with the interface.
Note that the index of a particular interface in the
ifTable may change after a re-initialization of the
middlebox, for example, after adding another interface to
it. In such a case, the value of this object may change,
but the interface referred to by the MIDCOM-MIB MUST still
be the same. If, after a re-initialization of the
middlebox, the interface referred to before
re-initialization cannot be uniquely mapped anymore to a
particular entry in the ifTable, then the entry in the
midcomConfigFirewallTable MUST be deleted.
If the object has a value of 0, then values specified by
further objects of the same entry apply to all interfaces
for which there is no explicit entry in the
midcomConfigFirewallTable."
::= { midcomConfigFirewallEntry 1 }
midcomConfigFirewallGroupId OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The firewall rule group to which all firewall rules are
assigned that the MIDCOM server creates for the interface
indicated by object midcomConfigFirewallIndex. If the
value of object midcomConfigFirewallIndex is 0, then all
firewall rules of the MIDCOM server that are created for
interfaces with no specific entry in the
midcomConfigFirewallTable are assigned to the firewall
rule group indicated by the value of this object."
::= { midcomConfigFirewallEntry 2 }
midcomConfigFirewallPriority OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The priority assigned to all firewall rules that the
MIDCOM server creates for the interface indicated by
object midcomConfigFirewallIndex. If the value of object
midcomConfigFirewallIndex is 0, then this priority is
assigned to all firewall rules of the MIDCOM server that
are created for interfaces for which there is no specific
entry in the midcomConfigFirewallTable."
::= { midcomConfigFirewallEntry 3 }
--
-- Monitoring Objects
--
-- Monitoring objects are structured into two groups,
-- the midcomResourceGroup providing information about used
-- resources and the midcomStatisticsGroup providing information
-- about MIDCOM transaction statistics.
--
-- Resources subtree
--
-- The MIDCOM resources subtree contains a set of managed
-- objects describing the currently used resources of NAT
-- and firewall implementations.
--
--
-- Textual conventions for objects of the resource subtree
--
MidcomNatBindMode ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"An indicator of the kind of NAT resources used by a policy
rule. This definition corresponds to the definition of
NatBindMode in the NAT-MIB (RFC 4008). Value none(3) can
be used to indicate that the policy rule does not use
any NAT binding.
"
SYNTAX INTEGER {
addressBind(1),
addressPortBind(2),
none(3)
}
MidcomNatSessionIdOrZero ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION
"A unique ID that is assigned to each NAT session by
a NAT implementation. This definition corresponds to
the definition of NatSessionId in the NAT-MIB (RFC 4008).
Value 0 can be used to indicate that the policy rule does
not use any NAT binding."
SYNTAX Unsigned32
--
-- The MIDCOM resource table
--
midcomResourceTable OBJECT-TYPE
SYNTAX SEQUENCE OF MidcomResourceEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table lists all used middlebox resources per
MIDCOM policy rule.
The midcomResourceTable augments the
midcomRuleTable."
::= { midcomMonitoring 1 }
midcomResourceEntry OBJECT-TYPE
SYNTAX MidcomResourceEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry describing a particular set of middlebox
resources."
AUGMENTS { midcomRuleEntry }
::= { midcomResourceTable 1 }
MidcomResourceEntry ::= SEQUENCE {
midcomRscNatInternalAddrBindMode MidcomNatBindMode,
midcomRscNatInternalAddrBindId NatBindIdOrZero,
midcomRscNatInsideAddrBindMode MidcomNatBindMode,
midcomRscNatInsideAddrBindId NatBindIdOrZero,
midcomRscNatSessionId1 MidcomNatSessionIdOrZero,
midcomRscNatSessionId2 MidcomNatSessionIdOrZero,
midcomRscFirewallRuleId Unsigned32
}
midcomRscNatInternalAddrBindMode OBJECT-TYPE
SYNTAX MidcomNatBindMode
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"An indication of whether this policy rule uses an address
NAT bind or an address-port NAT bind for binding the
internal address.
If the MIDCOM-MIB module is operated together with
the NAT-MIB module (RFC 4008) then object
midcomRscNatInternalAddrBindMode contains the same
value as the corresponding object
natSessionPrivateSrcEPBindMode of the NAT-MIB module."
::= { midcomResourceEntry 4 }
midcomRscNatInternalAddrBindId OBJECT-TYPE
SYNTAX NatBindIdOrZero
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object references to the allocated internal NAT
bind that is used by this policy rule. A NAT bind
describes the mapping of internal addresses to
outside addresses. MIDCOM-MIB implementations can
read this object to learn the corresponding NAT bind
resource for this particular policy rule.
If the MIDCOM-MIB module is operated together with
the NAT-MIB module (RFC 4008) then object
midcomRscNatInternalAddrBindId contains the same
value as the corresponding object
natSessionPrivateSrcEPBindId of the NAT-MIB module."
::= { midcomResourceEntry 5 }
midcomRscNatInsideAddrBindMode OBJECT-TYPE
SYNTAX MidcomNatBindMode
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"An indication of whether this policy rule uses an address
NAT bind or an address-port NAT bind for binding the
external address.
If the MIDCOM-MIB module is operated together with
the NAT-MIB module (RFC 4008), then object
midcomRscNatInsideAddrBindMode contains the same
value as the corresponding object
natSessionPrivateDstEPBindMode of the NAT-MIB module."
::= { midcomResourceEntry 6 }
midcomRscNatInsideAddrBindId OBJECT-TYPE
SYNTAX NatBindIdOrZero
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object refers to the allocated external NAT
bind that is used by this policy rule. A NAT bind
describes the mapping of external addresses to
inside addresses. MIDCOM-MIB implementations can
read this object to learn the corresponding NAT bind
resource for this particular policy rule.
If the MIDCOM-MIB module is operated together with the
NAT-MIB module (RFC 4008), then object
midcomRscNatInsideAddrBindId contains the same
value as the corresponding object
natSessionPrivateDstEPBindId of the NAT-MIB module."
::= { midcomResourceEntry 7 }
midcomRscNatSessionId1 OBJECT-TYPE
SYNTAX MidcomNatSessionIdOrZero
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object refers to the first allocated NAT session for
this policy rule. MIDCOM-MIB implementations can read this
object to learn whether or not a NAT session for a
particular policy rule is used. A value of 0 means that no
NAT session is allocated for this policy rule. A value
other than 0 refers to the NAT session."
::= { midcomResourceEntry 8 }
midcomRscNatSessionId2 OBJECT-TYPE
SYNTAX MidcomNatSessionIdOrZero
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object refers to the second allocated NAT session for
this policy rule. MIDCOM-MIB implementations can read this
object to learn whether or not a NAT session for a
particular policy rule is used. A value of 0 means that no
NAT session is allocated for this policy rule. A value
other than 0 refers to the NAT session."
::= { midcomResourceEntry 9 }
midcomRscFirewallRuleId OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object refers to the allocated firewall
rule in the firewall engine for this policy rule.
MIDCOM-MIB implementations can read this value to
learn whether a firewall rule for this particular
policy rule is used or not. A value of 0 means that
no firewall rule is allocated for this policy rule.
A value other than 0 refers to the firewall rule
number within the firewall engine."
::= { midcomResourceEntry 10 }
--
-- Statistics subtree
--
-- The MIDCOM statistics subtree contains a set of managed
-- objects providing statistics about the usage of transaction
-- objects.
--
midcomStatistics OBJECT IDENTIFIER ::= { midcomMonitoring 2 }
midcomCurrentOwners OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of different values for midcomRuleOwner
for all current entries in the midcomRuleTable."
::= { midcomStatistics 1 }
midcomTotalRejectedRuleEntries OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of failed attempts to create an entry
in the midcomRuleTable."
::= { midcomStatistics 2 }
midcomCurrentRulesIncomplete OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The current number of policy rules that are incomplete.
Policy rules are loaded via row entries in the
midcomRuleTable. This object counts policy rules that are
loaded but not fully specified, i.e., they are in state
newEntry(1) or setting(2)."
::= { midcomStatistics 3 }
midcomTotalIncorrectReserveRules OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of policy reserve rules that failed
parameter check and entered state incorrectRequest(4)."
::= { midcomStatistics 4 }
midcomTotalRejectedReserveRules OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of policy reserve rules that failed
while being processed and entered state requestRejected(6)."
::= { midcomStatistics 5 }
midcomCurrentActiveReserveRules OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of currently active policy reserve rules."
::= { midcomStatistics 6 }
midcomTotalExpiredReserveRules OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of expired policy reserve rules
(entered termination state timedOut(9))."
::= { midcomStatistics 7 }
midcomTotalTerminatedOnRqReserveRules OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of policy reserve rules that were
terminated on request (entered termination state
terminatedOnRequest(10))."
::= { midcomStatistics 8 }
midcomTotalTerminatedReserveRules OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of policy reserve rules that were
terminated, but not on request (entered termination state
terminated(11))."
::= { midcomStatistics 9 }
midcomTotalIncorrectEnableRules OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of policy enable rules that failed
parameter check and entered state incorrectRequest(4)."
::= { midcomStatistics 10 }
midcomTotalRejectedEnableRules OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of policy enable rules that failed
while being processed and entered state requestRejected(6)."
::= { midcomStatistics 11 }
midcomCurrentActiveEnableRules OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of currently active policy enable rules."
::= { midcomStatistics 12 }
midcomTotalExpiredEnableRules OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of expired policy enable rules
(entered termination state timedOut(9))."
::= { midcomStatistics 13 }
midcomTotalTerminatedOnRqEnableRules OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of policy enable rules that were
terminated on request (entered termination state
terminatedOnRequest(10))."
::= { midcomStatistics 14 }
midcomTotalTerminatedEnableRules OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of policy enable rules that were
terminated, but not on request (entered termination state
terminated(11))."
::= { midcomStatistics 15 }
--
-- Notifications.
--
midcomUnsolicitedRuleEvent NOTIFICATION-TYPE
OBJECTS { midcomRuleOperStatus, midcomRuleLifetime }
STATUS current
DESCRIPTION
"This notification is generated whenever the value of
midcomRuleOperStatus enters any error state or any
termination state without an explicit trigger by a
MIDCOM client."
::= { midcomNotifications 1 }
midcomSolicitedRuleEvent NOTIFICATION-TYPE
OBJECTS { midcomRuleOperStatus, midcomRuleLifetime }
STATUS current
DESCRIPTION
"This notification is generated whenever the value
of midcomRuleOperStatus enters one of the states
{reserved, enabled, any error state, any termination state}
as a result of a MIDCOM agent writing successfully to
object midcomRuleAdminStatus.
In addition, it is generated when the lifetime of
a rule was changed by successfully writing to object
midcomRuleLifetime."
::= { midcomNotifications 2 }
midcomSolicitedGroupEvent NOTIFICATION-TYPE
OBJECTS { midcomGroupLifetime }
STATUS current
DESCRIPTION
"This notification is generated for indicating that the
lifetime of all member rules of the group was changed by
successfully writing to object midcomGroupLifetime.
Note that this notification is only sent if the lifetime
of a group was changed by successfully writing to object
midcomGroupLifetime. No notification is sent
- if a group's lifetime is changed by writing to object
midcomRuleLifetime of any of its member policies,
- if a group's lifetime expires (in this case,
notifications are sent for all member policies), or
- if the group is terminated by terminating the last
of its member policies without writing to object
midcomGroupLifetime."
::= { midcomNotifications 3 }
--
-- Conformance information
--
midcomCompliances OBJECT IDENTIFIER ::= { midcomConformance 1 }
midcomGroups OBJECT IDENTIFIER ::= { midcomConformance 2 }
--
-- compliance statements
--
-- This is the MIDCOM compliance definition ...
--
midcomCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for implementations of the
MIDCOM-MIB module.
Note that compliance with this compliance
statement requires compliance with the
ifCompliance3 MODULE-COMPLIANCE statement of the
IF-MIB [RFC2863]."
MODULE -- this module
MANDATORY-GROUPS {
midcomRuleGroup,
midcomNotificationsGroup,
midcomCapabilitiesGroup,
midcomStatisticsGroup
}
GROUP midcomConfigFirewallGroup
DESCRIPTION
"A compliant implementation does not have to implement
the midcomConfigFirewallGroup."
GROUP midcomResourceGroup
DESCRIPTION
"A compliant implementation does not have to implement
the midcomResourceGroup."
OBJECT midcomRuleInternalIpPrefixLength
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required. When write access is
not supported, return 128 as the value of this object.
A value of 128 means that the function represented by
this option is not supported."
OBJECT midcomRuleExternalIpPrefixLength
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required. When write access is
not supported, return 128 as the value of this object.
A value of 128 means that the function represented by
this option is not supported."
OBJECT midcomRuleMaxIdleTime
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required. When write access is
not supported, return 0 as the value of this object.
A value of 0 means that the function represented by
this option is not supported."
OBJECT midcomRuleInterface
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT midcomConfigMaxLifetime
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT midcomConfigPersistentRules
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT midcomConfigIfEnabled
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT midcomConfigFirewallGroupId
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT midcomConfigFirewallPriority
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
::= { midcomCompliances 1 }
midcomRuleGroup OBJECT-GROUP
OBJECTS {
midcomRuleAdminStatus,
midcomRuleOperStatus,
midcomRuleStorageType,
midcomRuleStorageTime,
midcomRuleError,
midcomRuleInterface,
midcomRuleFlowDirection,
midcomRuleMaxIdleTime,
midcomRuleTransportProtocol,
midcomRulePortRange,
midcomRuleInternalIpVersion,
midcomRuleExternalIpVersion,
midcomRuleInternalIpAddr,
midcomRuleInternalIpPrefixLength,
midcomRuleInternalPort,
midcomRuleExternalIpAddr,
midcomRuleExternalIpPrefixLength,
midcomRuleExternalPort,
midcomRuleInsideIpAddr,
midcomRuleInsidePort,
midcomRuleOutsideIpAddr,
midcomRuleOutsidePort,
midcomRuleLifetime,
midcomRuleRowStatus,
midcomGroupLifetime
}
STATUS current
DESCRIPTION
"A collection of objects providing information about
policy rules and policy rule groups."
::= { midcomGroups 1 }
midcomCapabilitiesGroup OBJECT-GROUP
OBJECTS {
midcomConfigMaxLifetime,
midcomConfigPersistentRules,
midcomConfigIfBits,
midcomConfigIfEnabled
}
STATUS current
DESCRIPTION
"A collection of objects providing information about
the capabilities of a middlebox."
::= { midcomGroups 2 }
midcomConfigFirewallGroup OBJECT-GROUP
OBJECTS {
midcomConfigFirewallGroupId,
midcomConfigFirewallPriority
}
STATUS current
DESCRIPTION
"A collection of objects providing information about
the firewall rule group and firewall rule priority to
be used by firewalls loaded through MIDCOM."
::= { midcomGroups 3 }
midcomResourceGroup OBJECT-GROUP
OBJECTS {
midcomRscNatInternalAddrBindMode,
midcomRscNatInternalAddrBindId,
midcomRscNatInsideAddrBindMode,
midcomRscNatInsideAddrBindId,
midcomRscNatSessionId1,
midcomRscNatSessionId2,
midcomRscFirewallRuleId
}
STATUS current
DESCRIPTION
"A collection of objects providing information about
the used NAT and firewall resources."
::= { midcomGroups 4 }
midcomStatisticsGroup OBJECT-GROUP
OBJECTS {
midcomCurrentOwners,
midcomTotalRejectedRuleEntries,
midcomCurrentRulesIncomplete,
midcomTotalIncorrectReserveRules,
midcomTotalRejectedReserveRules,
midcomCurrentActiveReserveRules,
midcomTotalExpiredReserveRules,
midcomTotalTerminatedOnRqReserveRules,
midcomTotalTerminatedReserveRules,
midcomTotalIncorrectEnableRules,
midcomTotalRejectedEnableRules,
midcomCurrentActiveEnableRules,
midcomTotalExpiredEnableRules,
midcomTotalTerminatedOnRqEnableRules,
midcomTotalTerminatedEnableRules
}
STATUS current
DESCRIPTION
"A collection of objects providing statistical
information about the MIDCOM server."
::= { midcomGroups 5 }
midcomNotificationsGroup NOTIFICATION-GROUP
NOTIFICATIONS {
midcomUnsolicitedRuleEvent,
midcomSolicitedRuleEvent,
midcomSolicitedGroupEvent
}
STATUS current
DESCRIPTION
"The notifications emitted by the midcomMIB."
::= { midcomGroups 6 }
END
10. Security Considerations
Obviously, securing access to firewall and NAT configuration is
extremely important for maintaining network security. This section
first describes general security issues of the MIDCOM-MIB module and
then discusses three concrete security threats: unauthorized
middlebox configuration, unauthorized access to middlebox
configuration information, and unauthorized access to the MIDCOM
service configuration.
10.1. General Security Issues
There are a number of management objects defined in this MIB module
with a MAX-ACCESS clause of read-write and/or read-create. Such
objects may be considered sensitive or vulnerable in some network
environments. But also access to managed objects with a MAX-ACCESS
clause of read-only may be considered sensitive or vulnerable. The
support for SET and GET operations in a non-secure environment
without proper protection can have a negative effect on network
operations.
SNMP versions prior to SNMPv3 did not include adequate security.
Even if the network itself is secure (for example by using IPsec),
even then, there is no control as to who on the secure network is
allowed to access and GET/SET (read/change/create/delete) the objects
in this MIB module.
Deployment of SNMP versions prior to SNMPv3 is NOT RECOMMENDED.
Compliant MIDCOM-MIB implementations MUST support SNMPv3 security
services including data integrity, identity authentication, data
confidentiality, and replay protection.
It is REQUIRED that the implementations support the security features as provided by the SNMPv3 framework. Specifically, the use of the User-based Security Model RFC 3414 [RFC3414] and the View-based Access Control Model RFC 3415 [RFC3415] is RECOMMENDED. It is then a customer/operator responsibility to ensure that the SNMP entity giving access to an instance of this MIB is properly configured to give access to the objects only to those principals (users) that have legitimate rights to indeed GET or SET (change/create/delete) them. To facilitate the provisioning of access control by a security administrator using the View-based Access Control Model (VACM) defined in RFC 3415 [RFC3415] for tables in which multiple users may need to independently create or modify entries, the initial index is used as an "owner index". This is supported by the midcomRuleTable and the midcomGroupTable. Each of them uses midcomRuleOwner as the initial index. midcomRuleOwner has the syntax of SnmpAdminString, and can thus be trivially mapped to an SNMP securityName or a groupName as defined in VACM, in accordance with a security policy. All entries in the two mentioned tables belonging to a particular user will have the same value for this initial index. For a given user's entries in a particular table, the object identifiers for the information in these entries will have the same subidentifiers (except for the "column" subidentifier) up to the end of the encoded owner index. To configure VACM to permit access to this portion of the table, one would create vacmViewTreeFamilyTable entries with the value of vacmViewTreeFamilySubtree including the owner index portion, and vacmViewTreeFamilyMask "wildcarding" the column subidentifier. More elaborate configurations are possible.10.2. Unauthorized Middlebox Configuration
The most dangerous threat to network security related to the MIDCOM- MIB module is unauthorized access to facilities for establishing policy rules. In such a case, unauthorized principals would write to the midcomRuleTable for opening firewall pinholes and/or for creating NAT maps, bindings, and/or sessions. Establishing policies can be used to gain access to networks and systems that are protected by firewalls and/or NATs. If this protection is removed by unauthorized access to MIDCOM-MIB policies, then the resulting degradation of network security can be severe. Confidential information protected by a firewall might become accessible to unauthorized principals, attacks exploiting
security leaks of systems in the protected network might become possible from external networks, and it might be possible to stop firewalls blocking denial-of-service attacks. MIDCOM-MIB implementations MUST provide means for strict authentication, message integrity check, and write access control to managed objects that can be used for establishing policy rules. These are objects in the midcomRuleTable and midcomGroupTable with a MAX-ACCESS clause of read-write and/or read-create. Particularly sensitive is write access to the managed object midcomRuleAdminStatus, because writing it causes policy rules to be established. Also, writing to other managed objects in the two tables can make security vulnerable if it interferes with the authorized establishment of a policy rule, for example, by wildcarding a policy rule after the corresponding entry in the midcomRuleTable is created, but before the authorized owner establishes the rule by writing to midcomRuleAdminStatus. Not only unauthorized establishment, but also unauthorized lifetime extension of an existing policy rule may be considered sensitive or vulnerable in some network environments. Therefore, means for strict authentication, message integrity check, and write access control to managed object midcomGroupLifetime MUST be provided by MIDCOM-MIB implementations.10.3. Unauthorized Access to Middlebox Configuration
Another threat to network security is unauthorized access to entries in the midcomRuleTable. The entries contain information about existing pinholes in the firewall and/or about the current NAT configuration. This information can be used for attacking the internal network from outside. Therefore, a MIDCOM-MIB implementation MUST also provide means for read access control to the midcomRuleTable. Also, a MIDCOM-MIB implementation SHOULD provide means for protecting different authenticated MIDCOM agents from each other, such that, for example, an authenticated user can only read entries in the midcomRuleTable for which the initial index midcomRuleOwner matches the client's SNMP securityName or VACM groupName.
10.4. Unauthorized Access to MIDCOM Service Configuration
There are three objects with a MAX-ACCESS clause of read-write that configure the MIDCOM service: midcomConfigIfEnabled, midcomFirewallGroupId, and midcomFirewallPriority. Unauthorized writing to object midcomConfigIfEnabled can cause serious interruptions of network service. Writing to midcomFirewallGroupId and/or midcomFirewallPriority can be used to increase or reduce the priority of firewall rules that are generated when a policy rule is established in the midcomRuleTable. Increasing the priority might permit firewall rules generated via the MIDCOM-MIB module to overrule basic security rules at the firewall that should have higher priority than the ones generated via the MIDCOM-MIB module. Therefore, also for these objects, means for strict control of write access MUST be provided by a MIDCOM-MIB implementation.11. Acknowledgements
This memo is based on a long history of discussion within the MIDCOM MIB design team. Many thanks to Mary Barnes, Jeff Case, Wes Hardaker, David Harrington, and Tom Taylor for fruitful comments and recommendations and to Juergen Schoenwaelder acting as a very constructive MIB doctor.12. IANA Considerations
IANA has assigned an OID for the MIB module in this document: Descriptor OBJECT IDENTIFIER value ---------- ----------------------- midcomMIB { mib-2 171 }13. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC5189] Stiemerling, M., Quittek, J., and T. Taylor, "Middlebox Communication (MIDCOM) Protocol Semantics", RFC 5189, March 2008.
[RFC2578] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M. and S. Waldbusser, "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. [RFC2579] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M. and S. Waldbusser, "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999. [RFC2580] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M. and S. Waldbusser, "Conformance Statements for SMIv2", STD 58, RFC 2580, April 1999. [RFC2863] McCloghrie, K. and F. Kastenholz, "The Interfaces Group MIB", RFC 2863, June 2000. [RFC3411] Harrington, D., Presuhn, R. and B. Wijnen, "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, December 2002. [RFC3413] Levi, D., Meyer, P., and B. Stewart, "Simple Network Management Protocol Applications", STD 62, RFC 3413, December 2002. [RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", STD 62, RFC 3414, December 2002. [RFC3418] Presuhn, R., Ed., "Management Information Base (MIB) for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3418, December 2002. [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. Jacobson, "RTP: A Transport Protocol for Real-Time Applications", STD 64, RFC 3550, July 2003. [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. Schoenwaelder, "Textual Conventions for Internet Network Addresses", RFC 4001, February 2005. [RFC4008] Rohit, R., Srisuresh, P., Raghunarayan, R., Pai, N., and C. Wang, "Definitions of Managed Objects for Network Address Translators (NAT)", RFC 4008, March 2005.
14. Informative References
[RFC3410] Case, J., Mundy, R., Partain, D. and B. Stewart, "Introduction and Applicability Statements for Internet- Standard Management Framework", RFC 3410, December 2002. [RFC3234] Carpenter, B. and S. Brim, "Middleboxes: Taxonomy and Issues", RFC 3234, February 2002. [RFC3303] Srisuresh, P., Kuthan, J., Rosenberg, J., Molitor, A., and A. Rayhan, "Middlebox communication architecture and framework", RFC 3303, August 2002. [RFC3304] Swale, R., Mart, P., Sijben, P., Brim, S., and M. Shore, "Middlebox Communications (midcom) Protocol Requirements", RFC 3304, August 2002. [RFC3415] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3415, December 2002.
Authors' Addresses
Juergen Quittek NEC Europe Ltd. Kurfuersten-Anlage 36 69115 Heidelberg Germany Phone: +49 6221 4342-115 EMail: quittek@nw.neclab.eu Martin Stiemerling NEC Europe Ltd. Kurfuersten-Anlage 36 69115 Heidelberg Germany Phone: +49 6221 4342-113 EMail: stiemerling@nw.neclab.eu Pyda Srisuresh Kazeon Systems, Inc. 1161 San Antonio Rd. Mountain View, CA 94043 U.S.A. Phone: +1 408 836 4773 EMail: srisuresh@yahoo.com
Full Copyright Statement Copyright (C) The IETF Trust (2008). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.