RFC 7659
Definitions of Managed Objects for Network Address Translators (NATs)
4. Definitions
This MIB module IMPORTs objects from [RFC2578], [RFC2579], [RFC2580], [RFC3411], and [RFC4001]. NATV2-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-TYPE, Integer32, Unsigned32, Counter64, mib-2, NOTIFICATION-TYPE FROM SNMPv2-SMI -- RFC 2578 TEXTUAL-CONVENTION, DisplayString, TimeStamp FROM SNMPv2-TC -- RFC 2579 MODULE-COMPLIANCE, NOTIFICATION-GROUP, OBJECT-GROUP FROM SNMPv2-CONF -- RFC 2580 SnmpAdminString FROM SNMP-FRAMEWORK-MIB -- RFC 3411 InetAddressType, InetAddress, InetAddressPrefixLength, InetPortNumber FROM INET-ADDRESS-MIB; -- RFC 4001 natv2MIB MODULE-IDENTITY LAST-UPDATED "201510020000Z" -- 2 October 2015 ORGANIZATION "IETF Behavior Engineering for Hindrance Avoidance (BEHAVE) Working Group" CONTACT-INFO "Working Group Email: behave@ietf.org Simon Perreault Jive Communications Quebec, QC Canada Email: sperreault@jive.com
Tina Tsou
Huawei Technologies
Bantian, Longgang
Shenzhen 518129
China
Email: tina.tsou.zouting@huawei.com
Senthil Sivakumar
Cisco Systems
7100-8 Kit Creek Road
Research Triangle Park, North Carolina 27709
United States
Phone: +1 919 392 5158
Email: ssenthil@cisco.com
Tom Taylor
PT Taylor Consulting
Ottawa
Canada
Email: tom.taylor.stds@gmail.com"
DESCRIPTION
"This MIB module defines the generic managed objects
for NAT.
Copyright (c) 2015 IETF Trust and the persons
identified as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Simplified
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this MIB module is part of RFC 7659;
see the RFC itself for full legal notices."
REVISION "201510020000Z" -- 2 October 2015
DESCRIPTION
"Complete rewrite, published as RFC 7659.
Replaces former version published as RFC 4008."
::= { mib-2 234 }
-- Textual conventions
ProtocolNumber ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION
"A protocol number, from the IANA Protocol Numbers
registry."
REFERENCE
"IANA Protocol Numbers,
<http://www.iana.org/assignments/protocol-numbers>"
SYNTAX Unsigned32 (0..255)
Natv2SubscriberIndex ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION
"A unique value, greater than zero, for each subscriber
in the managed system. The value for each
subscriber MUST remain constant at least from one
update of the entity's natv2SubscriberDiscontinuityTime
object until the next update of that object. If a
subscriber is deleted, its assigned index value MUST NOT
be assigned to another subscriber at least until
reinitialization of the entity's management system."
SYNTAX Unsigned32 (1..4294967295)
Natv2SubscriberIndexOrZero ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION
"This textual convention is an extension of the
Natv2SubscriberIndex convention. The latter defines a
greater than zero value used to identify a subscriber in
the managed system. This extension permits the additional
value of zero, which serves as a placeholder when no
subscriber is associated with the object."
SYNTAX Unsigned32 (0|1..4294967295)
Natv2InstanceIndex ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION
"A unique value, greater than zero, for each NAT instance
in the managed system. It is RECOMMENDED that values are
assigned contiguously starting from 1. The value for each
NAT instance MUST remain constant at least from one
update of the entity's natv2InstanceDiscontinuityTime
object until the next update of that object. If a NAT
instance is deleted, its assigned index value MUST NOT
be assigned to another NAT instance at least until
reinitialization of the entity's management system."
SYNTAX Unsigned32 (1..4294967295)
Natv2PoolIndex ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION
"A unique value over the containing NAT instance, greater than
zero, for each address pool supported by that NAT instance.
It is RECOMMENDED that values are assigned contiguously
starting from 1. The value for each address pool MUST remain
constant at least from one update of the entity's
natv2PoolDiscontinuityTime object until the next update of
that object. If an address pool is deleted, its assigned
index value MUST NOT be assigned to another address pool for
the same NAT instance at least until reinitialization of the
entity's management system."
SYNTAX Unsigned32 (1..4294967295)
Natv2PoolIndexOrZero ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION
"This textual convention is an extension of the
Natv2PoolIndex convention. The latter defines a greater
than zero value used to identify address pools in the
managed system. This extension permits the additional
value of zero, which serves as a placeholder when the
implementation does not support address pools or no address
pool is configured in a given external realm."
SYNTAX Unsigned32 (0|1..4294967295)
-- Notifications
natv2MIBNotifications OBJECT IDENTIFIER ::= { natv2MIB 0 }
natv2NotificationPoolUsageLow NOTIFICATION-TYPE
OBJECTS { natv2PoolNotifiedPortMapEntries,
natv2PoolNotifiedPortMapProtocol }
STATUS current
DESCRIPTION
"This notification is triggered when an address pool's usage
becomes less than or equal to the value of the
natv2PoolThresholdUsageLow object for that pool, unless the
notification has been disabled by setting the value of the
threshold to -1. It is reported subject to the rate
limitation specified by natv2PortMapNotificationInterval.
Address pool usage is calculated as the percentage of the
total number of ports allocated to the address pool that are
already in use, for the most-mapped protocol at the time
the notification is triggered. The two returned objects are
members of natv2PoolTable indexed by the NAT instance and
pool indices for which the event is being reported. They
give the number of port map entries using external addresses
configured on the pool for the most-mapped protocol and
identify that protocol at the time the notification was
triggered."
REFERENCE
"RFC 7659, Sections 3.1.2 and 3.3.6."
::= { natv2MIBNotifications 1 }
natv2NotificationPoolUsageHigh NOTIFICATION-TYPE
OBJECTS { natv2PoolNotifiedPortMapEntries,
natv2PoolNotifiedPortMapProtocol }
STATUS current
DESCRIPTION
"This notification is triggered when an address pool's usage
becomes greater than or equal to the value of the
natv2PoolThresholdUsageHigh object for that pool, unless
the notification has been disabled by setting the value of
the threshold to -1. It is reported subject to the rate
limitation specified by natv2PortMapNotificationInterval.
Address pool usage is calculated as the percentage of the
total number of ports allocated to the address pool that are
already in use, for the most-mapped protocol at the time the
notification is triggered. The two returned objects are
members of natv2PoolTable indexed by the NAT instance and
pool indices for which the event is being reported. They
give the number of port map entries using external addresses
configured on the pool for the most-mapped protocol and
identify that protocol at the time the notification was
triggered."
REFERENCE
"RFC 7659, Sections 3.1.2 and 3.3.6."
::= { natv2MIBNotifications 2 }
natv2NotificationInstanceAddressMapEntriesHigh NOTIFICATION-TYPE
OBJECTS { natv2InstanceAddressMapEntries,
natv2InstanceAddressMapCreations }
STATUS current
DESCRIPTION
"This notification is triggered when the value of
natv2InstanceAddressMapEntries equals or exceeds the value
of the natv2InstanceThresholdAddressMapEntriesHigh object
for the NAT instance, unless disabled by setting that
threshold to -1. Reporting is subject to the rate limitation
given by natv2InstanceNotificationInterval.
natv2InstanceAddressMapEntries and
natv2InstanceAddressMapCreations are members of table
natv2InstanceTable indexed by the identifier of the NAT
instance for which the event is being reported. The values
reported are those observed at the moment the notification
was triggered."
REFERENCE
"RFC 7659, Section 3.1.2."
::= { natv2MIBNotifications 3 }
natv2NotificationInstancePortMapEntriesHigh NOTIFICATION-TYPE
OBJECTS { natv2InstancePortMapEntries,
natv2InstancePortMapCreations }
STATUS current
DESCRIPTION
"This notification is triggered when the value of
natv2InstancePortMapEntries becomes greater than or equal
to the value of natv2InstanceThresholdPortMapEntriesHigh,
unless disabled by setting that threshold to -1. Reporting
is subject to the rate limitation given by
natv2InstanceNotificationInterval.
natv2InstancePortMapEntries and
natv2InstancePortMapCreations are members of table
natv2InstanceTable indexed by the identifier of the NAT
instance for which the event is being reported. The values
reported are those observed at the moment the notification
was triggered."
::= { natv2MIBNotifications 4 }
natv2NotificationSubscriberPortMappingEntriesHigh
NOTIFICATION-TYPE
OBJECTS { natv2SubscriberPortMapEntries,
natv2SubscriberPortMapCreations }
STATUS current
DESCRIPTION
"This notification is triggered when the value of
natv2SubscriberPortMapEntries for an individual subscriber
becomes greater than or equal to the value of the
natv2SubscriberThresholdPortMapEntriesHigh object for that
subscriber, unless disabled by setting that threshold to -1.
Reporting is subject to the rate limitation given by
natv2SubscriberNotificationInterval.
natv2SubscriberPortMapEntries and
natv2SubscriberPortMapCreations are members of table
natv2SubscriberTable indexed by the subscriber for
which the event is being reported. The values
reported are those observed at the moment the notification
was triggered."
::= { natv2MIBNotifications 5 }
-- Device-level objects
natv2MIBDeviceObjects OBJECT IDENTIFIER ::= { natv2MIB 1 }
-- Subscriber table
natv2SubscriberTable OBJECT-TYPE
SYNTAX SEQUENCE OF Natv2SubscriberEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Table of subscribers. As well as the subscriber index, it
provides per-subscriber state and counter objects, a last
discontinuity time object for the counters, and a writable
threshold value and limit on port consumption."
REFERENCE
"RFC 7659, Section 3.3.3."
::= { natv2MIBDeviceObjects 1 }
natv2SubscriberEntry OBJECT-TYPE
SYNTAX Natv2SubscriberEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Each entry describes a single subscriber."
INDEX { natv2SubscriberIndex }
::= { natv2SubscriberTable 1 }
Natv2SubscriberEntry ::=
SEQUENCE {
natv2SubscriberIndex Natv2SubscriberIndex,
natv2SubscriberInternalRealm SnmpAdminString,
natv2SubscriberInternalPrefixType InetAddressType,
natv2SubscriberInternalPrefix InetAddress,
natv2SubscriberInternalPrefixLength InetAddressPrefixLength,
-- State
natv2SubscriberAddressMapEntries Unsigned32,
natv2SubscriberPortMapEntries Unsigned32,
-- Counters and last discontinuity time
natv2SubscriberTranslations Counter64,
natv2SubscriberAddressMapCreations Counter64,
natv2SubscriberPortMapCreations Counter64,
natv2SubscriberAddressMapFailureDrops Counter64,
natv2SubscriberPortMapFailureDrops Counter64,
natv2SubscriberDiscontinuityTime TimeStamp,
-- Read-write controls
natv2SubscriberLimitPortMapEntries Unsigned32,
-- Disable notifications by setting threshold to -1
natv2SubscriberThresholdPortMapEntriesHigh Integer32,
-- Disable limit by setting to 0
natv2SubscriberNotificationInterval Unsigned32
}
natv2SubscriberIndex OBJECT-TYPE
SYNTAX Natv2SubscriberIndex
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A unique value, greater than zero, for each subscriber
in the managed system. The value for each
subscriber MUST remain constant at least from one
update of the entity's natv2SubscriberDiscontinuityTime
object until the next update of that object. If a
subscriber is deleted, its assigned index value MUST NOT
be assigned to another subscriber at least until
reinitialization of the entity's management system."
::= { natv2SubscriberEntry 1 }
-- Configuration for this subscriber: realm, internal address(es)
natv2SubscriberInternalRealm OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The address realm to which this subscriber belongs. A realm
defines an address space. All NATs support at least two
realms.
The default realm for subscribers is 'internal'.
Administrators can set other values for individual
subscribers when they are configured. The administrator MAY
configure a new value of natv2SubscriberRealm at any time
subsequent to initial configuration of the subscriber. If
this happens, it MUST be treated as a point of discontinuity
requiring an update of natv2SubscriberDiscontinuityTime.
When the subscriber sends a packet to the NAT through a
DS-Lite (RFC 6333) tunnel, this is the realm of the outer
packet header source address. Other tunneled access is out
of scope."
REFERENCE
"Address realm: RFC 2663. DS-Lite: RFC 6333."
DEFVAL
{ "internal" }
::= { natv2SubscriberEntry 2 }
natv2SubscriberInternalPrefixType OBJECT-TYPE
SYNTAX InetAddressType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Subscriber's internal prefix type. Any value other than
ipv4(1) or ipv6(2) would be unexpected. In the case of
DS-Lite access, this is the prefix type (IPv6(2)) used in
the outer packet header."
REFERENCE
"DS-Lite: RFC 6333."
::= { natv2SubscriberEntry 3 }
natv2SubscriberInternalPrefix OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Prefix assigned to a subscriber's Customer Premises Equipment
(CPE). The type of this prefix is given by
natv2SubscriberInternalPrefixType. Source addresses of packets
outgoing from the subscriber will be contained within this
prefix. In the case of DS-Lite access, the source address
taken from the prefix will be that of the outer header."
REFERENCE
"DS-Lite: RFC 6333."
::= { natv2SubscriberEntry 4 }
natv2SubscriberInternalPrefixLength OBJECT-TYPE
SYNTAX InetAddressPrefixLength
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Length of the prefix assigned to a subscriber's CPE, in
bits. If a single address is assigned, this will be 32
for IPv4 and 128 for IPv6."
::= { natv2SubscriberEntry 5 }
-- State objects
natv2SubscriberAddressMapEntries OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The current number of address map entries for the
subscriber, including static mappings. An address map entry
maps from a given internal address and realm to an external
address in a particular external realm. This definition
includes 'hairpin' mappings, where the external realm is the
same as the internal one. Address map entries are also
tracked per instance and per address pool within the
instance."
REFERENCE
"RFC 7659, Section 3.3.8."
::= { natv2SubscriberEntry 6 }
natv2SubscriberPortMapEntries OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The current number of port map entries in the port map table
for the subscriber, including static mappings. A port map
entry maps from a given external realm, address, and port
for a given protocol to an internal realm, address, and
port. This definition includes 'hairpin' mappings, where the
external realm is the same as the internal one. Port map
entries are also tracked per instance and per protocol and
address pool within the instance."
REFERENCE
"RFC 7659, Section 3.3.9."
::= { natv2SubscriberEntry 7 }
-- Counters and last discontinuity time
natv2SubscriberTranslations OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The cumulative number of translated packets received from or
sent to this subscriber. This value MUST be monotone
increasing in the periods between updates of the entity's
natv2SubscriberDiscontinuityTime. If a manager detects a
change in the latter since the last time it sampled this
counter, it SHOULD NOT make use of the difference between
the latest value of the counter and any value retrieved
before the new value of natv2SubscriberDiscontinuityTime."
::= { natv2SubscriberEntry 8 }
natv2SubscriberAddressMapCreations OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The cumulative number of address map entries created for
this subscriber, including static mappings. Address map
entries are also tracked per instance and per protocol and
address pool within the instance.
This value MUST be monotone increasing in
the periods between updates of the entity's
natv2SubscriberDiscontinuityTime. If a manager detects a
change in the latter since the last time it sampled this
counter, it SHOULD NOT make use of the difference between
the latest value of the counter and any value retrieved
before the new value of natv2SubscriberDiscontinuityTime."
::= { natv2SubscriberEntry 9 }
natv2SubscriberPortMapCreations OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The cumulative number of port map entries created for this
subscriber, including static mappings. Port map entries are
also tracked per instance and per protocol and address pool
within the instance.
This value MUST be monotone increasing in the periods
between updates of the entity's
natv2SubscriberDiscontinuityTime. If a manager detects a
change in the latter since the last time it sampled this
counter, it SHOULD NOT make use of the difference between
the latest value of the counter and any value retrieved
before the new value of natv2SubscriberDiscontinuityTime."
::= { natv2SubscriberEntry 10 }
natv2SubscriberAddressMapFailureDrops OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The cumulative number of packets originated by this
subscriber that were dropped because the packet would have
triggered the creation of a new address map entry, but no
address could be allocated in the selected external realm
because all addresses from the selected address pool (or the
whole realm, if no address pool has been configured for that
realm) have already been fully allocated.
This value MUST be monotone increasing in the periods
between updates of the entity's
natv2SubscriberDiscontinuityTime. If a manager detects a
change in the latter since the last time it sampled this
counter, it SHOULD NOT make use of the difference between
the latest value of the counter and any value retrieved
before the new value of natv2SubscriberDiscontinuityTime."
::= { natv2SubscriberEntry 11 }
natv2SubscriberPortMapFailureDrops OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The cumulative number of packets dropped because the
packet would have triggered the creation of a new
port mapping, but no port could be allocated for the
protocol concerned. The usual case for this will be
for a NAT instance that supports address pooling and
the 'Paired' pooling behavior recommended by RFC 4787,
where the internal endpoint has used up all of the
ports allocated to it for the address it was mapped to
in the selected address pool in the external realm
concerned and cannot be given more ports because
- policy or implementation prevents it from having a
second address in the same pool, and
- policy or unavailability prevents it from acquiring
more ports at its originally assigned address.
If the NAT instance supports address pooling but its
pooling behavior is 'Arbitrary' (meaning that
the NAT instance can allocate a new port mapping for
the given internal endpoint on any address in the
selected address pool and is not bound to what it has
already mapped for that endpoint), then this counter
is incremented when all ports for the protocol concerned
over the whole of the selected address pool are already
in use.
As a third case, if no address pools have been configured
for the external realm concerned, then this counter is
incremented because all ports for the protocol involved over
the whole set of addresses available for that external realm
are already in use.
Finally, this counter is incremented if the packet would
have triggered the creation of a new port mapping, but the
current value of natv2SubscriberPortMapEntries equals or
exceeds the value of natv2SubscriberLimitPortMapEntries
for this subscriber (unless that limit is disabled).
This value MUST be monotone increasing in the periods
between updates of the entity's
natv2SubscriberDiscontinuityTime. If a manager detects a
change in the latter since the last time it sampled this
counter, it SHOULD NOT make use of the difference between
the latest value of the counter and any value retrieved
before the new value of natv2SubscriberDiscontinuityTime."
REFERENCE
"Pooling behavior: RFC 4787, end of Section 4.1."
::= { natv2SubscriberEntry 12 }
natv2SubscriberDiscontinuityTime OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Snapshot of the value of the sysUpTime object at the
beginning of the latest period of continuity of the
statistical counters associated with this subscriber."
::= { natv2SubscriberEntry 14 }
-- Per-subscriber limit and threshold on port mappings
-- Disabled if set to zero
natv2SubscriberLimitPortMapEntries OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Limit on total number of port mappings active for this
subscriber (natv2SubscriberPortMapEntries). Once this limit
is reached, packets that might have triggered new port
mappings are dropped. The number of such packets dropped is
counted in natv2InstancePortMapFailureDrops.
Limit is disabled if set to zero."
DEFVAL
{ 0 }
::= { natv2SubscriberEntry 15 }
natv2SubscriberThresholdPortMapEntriesHigh OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Notification threshold for total number of port mappings
active for this subscriber. Whenever
natv2SubscriberPortMapEntries is updated, if it equals or
exceeds natv2SubscriberThresholdPortMapEntriesHigh, the
notification
natv2NotificationSubscriberPortMappingEntriesHigh is
triggered, unless the notification is disabled by setting
the threshold to -1. Reporting is subject to the minimum
inter-notification interval given by
natv2SubscriberNotificationInterval. If multiple
notifications are triggered during one interval, the agent
MUST report only the one containing the highest value of
natv2SubscriberPortMapEntries and discard the others."
DEFVAL
{ -1 }
::= { natv2SubscriberEntry 16 }
natv2SubscriberNotificationInterval OBJECT-TYPE
SYNTAX Unsigned32 (1..3600)
UNITS
"Seconds"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Minimum number of seconds between successive
reporting of notifications for this subscriber. Controls
the reporting of
natv2NotificationSubscriberPortMappingEntriesHigh."
DEFVAL
{ 60 }
::= { natv2SubscriberEntry 17 }
-- Per-NAT-instance objects
natv2MIBInstanceObjects OBJECT IDENTIFIER ::= { natv2MIB 2 }
-- Instance table
natv2InstanceTable OBJECT-TYPE
SYNTAX SEQUENCE OF Natv2InstanceEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Table of NAT instances. As well as state and counter
objects, it provides the instance index, instance name, and
the last discontinuity time object that is applicable to
the counters. It also contains writable thresholds for
reporting of notifications and limits on usage of resources
at the level of the NAT instance.
It is assumed that NAT instances can be created and deleted
dynamically, but this MIB module does not provide the means
to do so. For restrictions on assignment and maintenance of
the NAT index instance, see the description of
natv2InstanceIndex in the table below. For the requirements
on maintenance of the values of the counters in this table,
see the description of natv2InstanceDiscontinuityTime in
this table.
Each NAT instance has its own resources and behavior. The
resources include memory as reflected in space for map
entries, processing power as reflected in the rate of map
creation and deletion, and mappable addresses in each realm
that can play the role of an external realm for at least
some mappings for that instance. The NAT instance table
includes limits and notification thresholds that relate to
memory usage for mapping at the level of the whole instance.
The limit on number of subscribers with active mappings is a
limit to some extent on processor usage.
The mappable 'external' addresses may or may not be
organized into address pools. For a definition of address
pools, see the description of natv2PoolTable. If the instance
does support address pools, it also has a pooling behavior.
Mapping, filtering, and pooling behavior are defined in the
descriptions of the natv2InstancePortMappingBehavior,
natv2InstanceFilteringBehavior, and
natv2InstancePoolingBehavior objects in this table. The
instance also has a fragmentation behavior, defined in the
description of the natv2InstanceFragmentBehavior object."
REFERENCE
"RFC 7659, Section 3.3.4.
NAT behaviors: RFC 4787 (primary, UDP); RFC 5382 (TCP);
RFC 5508 (ICMP); and RFC 5597 (Datagram Congestion Control
Protocol (DCCP))."
::= { natv2MIBInstanceObjects 1 }
natv2InstanceEntry OBJECT-TYPE
SYNTAX Natv2InstanceEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Objects related to a single NAT instance."
INDEX { natv2InstanceIndex }
::= { natv2InstanceTable 1 }
Natv2InstanceEntry ::=
SEQUENCE {
natv2InstanceIndex Natv2InstanceIndex,
natv2InstanceAlias DisplayString,
-- Configured behaviors
natv2InstancePortMappingBehavior INTEGER,
natv2InstanceFilteringBehavior INTEGER,
natv2InstancePoolingBehavior INTEGER,
natv2InstanceFragmentBehavior INTEGER,
-- State
natv2InstanceAddressMapEntries Unsigned32,
natv2InstancePortMapEntries Unsigned32,
-- Statistics and discontinuity time
natv2InstanceTranslations Counter64,
natv2InstanceAddressMapCreations Counter64,
natv2InstancePortMapCreations Counter64,
natv2InstanceAddressMapEntryLimitDrops Counter64,
natv2InstancePortMapEntryLimitDrops Counter64,
natv2InstanceSubscriberActiveLimitDrops Counter64,
natv2InstanceAddressMapFailureDrops Counter64,
natv2InstancePortMapFailureDrops Counter64,
natv2InstanceFragmentDrops Counter64,
natv2InstanceOtherResourceFailureDrops Counter64,
natv2InstanceDiscontinuityTime TimeStamp,
-- Notification thresholds, disabled if set to -1
natv2InstanceThresholdAddressMapEntriesHigh Integer32,
natv2InstanceThresholdPortMapEntriesHigh Integer32,
natv2InstanceNotificationInterval Unsigned32,
-- Limits, disabled if set to 0
natv2InstanceLimitAddressMapEntries Unsigned32,
natv2InstanceLimitPortMapEntries Unsigned32,
natv2InstanceLimitPendingFragments Unsigned32,
natv2InstanceLimitSubscriberActives Unsigned32
}
natv2InstanceIndex OBJECT-TYPE
SYNTAX Natv2InstanceIndex
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"NAT instance index. It is up to the implementation to
determine which values correspond to in-service NAT
instances. This object is used as an index for all tables
defined below."
::= { natv2InstanceEntry 1 }
natv2InstanceAlias OBJECT-TYPE
SYNTAX DisplayString (SIZE (0..64))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object is an 'alias' name for the NAT instance as
specified by a network manager and provides a non-volatile
'handle' for the instance.
An example of the value that a network manager might store
in this object for a NAT instance is the name/identifier of
the interface that brings in internal traffic for this NAT
instance or the name of the Virtual Routing and Forwarding
(VRF) for internal traffic."
::= { natv2InstanceEntry 2 }
-- Configured behaviors
natv2InstancePortMappingBehavior OBJECT-TYPE
SYNTAX INTEGER {
endpointIndependent (0),
addressDependent (1),
addressAndPortDependent (2)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Port mapping behavior is the policy governing the selection
of external address and port in a given realm for a given
five-tuple of source address and port, destination address
and port, and protocol.
endpointIndependent(0), the behavior REQUIRED by RFC 4787,
REQ-1, maps the source address and port to the same
external address and port for all destination address and
port combinations reached through the same external realm
and using the given protocol.
addressDependent(1) maps to the same external address and
port for all destination ports at the same destination
address reached through the same external realm and using
the given protocol.
addressAndPortDependent(2) maps to a separate external
address and port combination for each different
destination address and port combination reached through
the same external realm."
REFERENCE
"RFC 4787, Section 4.1."
::= { natv2InstanceEntry 3 }
natv2InstanceFilteringBehavior OBJECT-TYPE
SYNTAX INTEGER {
endpointIndependent (0),
addressDependent (1),
addressAndPortDependent (2)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Filtering behavior is the policy governing acceptance or
the dropping of packets incoming from remote sources via a
given external realm and destined to a specific three-tuple
of external address, port, and protocol at the NAT instance
that has been assigned in a port mapping.
endpointIndependent(0) accepts for translation packets from
all combinations of remote address and port destined to the
mapped external address and port via the given external
realm and using the given protocol.
addressDependent(1) accepts for translation packets from all
remote ports from the same remote source address destined to
the mapped external address and port via the given external
realm and using the given protocol.
addressAndPortDependent(2) accepts for translation only
those packets with the same remote source address, port, and
protocol incoming from the same external realm as identified
when the applicable port map entry was created.
RFC 4787, REQ-8 recommends either endpointIndependent(0) or
addressDependent(1) filtering behavior depending on whether
application friendliness or security takes priority."
REFERENCE
"RFC 4787, Section 5."
::= { natv2InstanceEntry 4 }
natv2InstancePoolingBehavior OBJECT-TYPE
SYNTAX INTEGER {
arbitrary (0),
paired (1)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Pooling behavior is the policy used to select the address
for a new port mapping within a given address pool to which
the internal address has already been mapped.
arbitrary(0) pooling behavior means that the NAT instance
may create the new port mapping using any address in the
pool that has a free port for the protocol concerned.
paired(1) pooling behavior, the behavior RECOMMENDED by RFC
4787, REQ-2, means that once a given internal address has
been mapped to a particular address in a particular pool,
further mappings of the same internal address to that pool
will reuse the previously assigned pool member address."
REFERENCE
"RFC 4787, near the end of Section 4.1"
::= { natv2InstanceEntry 5 }
natv2InstanceFragmentBehavior OBJECT-TYPE
SYNTAX INTEGER {
fragmentNone (0),
fragmentInOrder (1),
fragmentOutOfOrder (2)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Fragment behavior is the NAT instance's capability to
receive and translate fragments incoming from remote
sources.
fragmentNone(0) implies no capability to translate incoming
fragments, so all received fragments are dropped. Each
dropped fragment is counted in natv2InstanceFragmentDrops.
fragmentInOrder(1) implies the ability to translate
fragments only if they are received in order, so that in
particular the header is in the first packet. If a fragment
is received out of order, it is dropped and counted in
natv2InstanceFragmentDrops.
fragmentOutOfOrder(2), the capability REQUIRED by RFC 4787,
REQ-14, implies the capability to translate fragments even
when they arrive out of order, subject to a protective
limit natv2InstanceLimitPendingFragments on total number of
fragments awaiting the first fragment of the chain. If the
implementation supports this capability,
natv2InstanceFragmentDrops is incremented only when a new
fragment arrives but is dropped because the limit on pending
fragments has already been reached."
REFERENCE
"RFC 4787, Section 11."
::= { natv2InstanceEntry 6 }
-- State
natv2InstanceAddressMapEntries OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The current number of address map entries in total over the
whole NAT instance, including static mappings. An address
map entry maps from a given internal address and realm to an
external address in a particular external realm. This
definition includes 'hairpin' mappings, where the external
realm is the same as the internal one. Address map entries
are also tracked per subscriber and per address pool within
the instance."
REFERENCE
"RFC 7659, Section 3.3.8.
Hairpinning: RFC 4787, Section 6."
::= { natv2InstanceEntry 7 }
natv2InstancePortMapEntries OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The current number of entries in the port map table in total
over the whole NAT instance, including static mappings. A
port map entry maps from a given external realm, address,
and port for a given protocol to an internal realm, address,
and port. This definition includes 'hairpin' mappings, where
the external realm is the same as the internal one. Port map
entries are also tracked per subscriber and per protocol and
address pool within the instance."
REFERENCE
"RFC 7659, Section 3.3.9.
Hairpinning: RFC 4787, Section 6."
::= { natv2InstanceEntry 8 }
-- Statistics
natv2InstanceTranslations OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The cumulative number of translated packets passing through
this NAT instance. This value MUST be monotone increasing in
the periods between updates of
natv2InstanceDiscontinuityTime. If a manager detects a
change in the latter since the last time it sampled this
counter, it SHOULD NOT make use of the difference between
the latest value of the counter and any value retrieved
before the new value of natv2InstanceDiscontinuityTime."
::= { natv2InstanceEntry 9 }
natv2InstanceAddressMapCreations OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The cumulative number of address map entries created by the
NAT instance, including static mappings. Address map
creations are also tracked per address pool within the
instance and per subscriber.
This value MUST be monotone increasing in
the periods between updates of
natv2InstanceDiscontinuityTime. If a manager detects a
change in the latter since the last time it sampled this
counter, it SHOULD NOT make use of the difference between
the latest value of the counter and any value retrieved
before the new value of natv2InstanceDiscontinuityTime."
::= { natv2InstanceEntry 10 }
natv2InstancePortMapCreations OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The cumulative number of port map entries created by the
NAT instance, including static mappings. Port map
creations are also tracked per protocol and address pool
within the instance and per subscriber.
This value MUST be monotone increasing in
the periods between updates of
natv2InstanceDiscontinuityTime. If a manager detects a
change in the latter since the last time it sampled this
counter, it SHOULD NOT make use of the difference between
the latest value of the counter and any value retrieved
before the new value of natv2InstanceDiscontinuityTime."
::= { natv2InstanceEntry 11 }
natv2InstanceAddressMapEntryLimitDrops OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The cumulative number of packets dropped rather than
translated because the packet would have triggered
the creation of a new address map entry, but the limit
on number of address map entries for the NAT instance
given by natv2InstanceLimitAddressMapEntries has
already been reached.
This value MUST be monotone increasing in the periods
between updates of the entity's
natv2InstanceDiscontinuityTime. If a manager detects a
change in the latter since the last time it sampled this
counter, it SHOULD NOT make use of the difference between
the latest value of the counter and any value retrieved
before the new value of natv2InstanceDiscontinuityTime."
::= { natv2InstanceEntry 12 }
natv2InstancePortMapEntryLimitDrops OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The cumulative number of packets dropped rather than
translated because the packet would have triggered
the creation of a new port map entry, but the limit
on number of port map entries for the NAT instance
given by natv2InstanceLimitPortMapEntries has
already been reached.
This value MUST be monotone increasing in the periods
between updates of the entity's
natv2InstanceDiscontinuityTime. If a manager detects a
change in the latter since the last time it sampled this
counter, it SHOULD NOT make use of the difference between
the latest value of the counter and any value retrieved
before the new value of natv2InstanceDiscontinuityTime."
::= { natv2InstanceEntry 13 }
natv2InstanceSubscriberActiveLimitDrops OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The cumulative number of packets dropped rather than
translated because the packet would have triggered the
creation of a new mapping for a subscriber with no other
active mappings, but the limit on number of active
subscribers for the NAT instance given by
natv2InstanceLimitSubscriberActives has already been
reached.
This value MUST be monotone increasing in the periods
between updates of the entity's
natv2InstanceDiscontinuityTime. If a manager detects a
change in the latter since the last time it sampled this
counter, it SHOULD NOT make use of the difference between
the latest value of the counter and any value retrieved
before the new value of natv2InstanceDiscontinuityTime."
::= { natv2InstanceEntry 14 }
natv2InstanceAddressMapFailureDrops OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The cumulative number of packets dropped because the packet
would have triggered the creation of a new address map
entry, but no address could be allocated in the selected
external realm because all addresses from the selected
address pool (or the whole realm, if no address pool has
been configured for that realm) have already been fully
allocated.
This value MUST be monotone increasing in the periods
between updates of the entity's
natv2InstanceDiscontinuityTime. If a manager detects a
change in the latter since the last time it sampled this
counter, it SHOULD NOT make use of the difference between
the latest value of the counter and any value retrieved
before the new value of natv2InstanceDiscontinuityTime."
::= { natv2InstanceEntry 15 }
natv2InstancePortMapFailureDrops OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The cumulative number of packets dropped because the
packet would have triggered the creation of a new
port map entry, but no port could be allocated for the
protocol concerned. The usual case for this will be
for a NAT instance that supports address pooling and
the 'Paired' pooling behavior recommended by RFC 4787,
where the internal endpoint has used up all of the
ports allocated to it for the address it was mapped to
in the selected address pool in the external realm
concerned and cannot be given more ports because
- policy or implementation prevents it from having a
second address in the same pool, and
- policy or unavailability prevents it from acquiring
more ports at its originally assigned address.
If the NAT instance supports address pooling but its
pooling behavior is 'Arbitrary' (meaning that
the NAT instance can allocate a new port mapping for
the given internal endpoint on any address in the
selected address pool and is not bound to what it has
already mapped for that endpoint), then this counter
is incremented when all ports for the protocol concerned
over the whole of the selected address pool are already
in use.
Finally, if no address pools have been configured for the
external realm concerned, then this counter is incremented
because all ports for the protocol involved over the whole
set of addresses available for that external realm are
already in use.
This value MUST be monotone increasing in the periods
between updates of the entity's
natv2InstanceDiscontinuityTime. If a manager detects a
change in the latter since the last time it sampled this
counter, it SHOULD NOT make use of the difference between
the latest value of the counter and any value retrieved
before the new value of natv2InstanceDiscontinuityTime."
REFERENCE
"Pooling behavior: RFC 4787, end of Section 4.1."
::= { natv2InstanceEntry 16 }
natv2InstanceFragmentDrops OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The cumulative number of fragments received by the NAT
instance but dropped rather than translated. When the NAT
instance supports the 'Receive Fragment Out of Order'
capability as required by RFC 4787, this occurs because the
fragment was received out of order and would be added to the
queue of fragments awaiting the initial fragment of the
chain, but the queue has already reached the limit set by
natv2InstanceLimitsPendingFragments. Counting in other cases
is specified in the description of
natv2InstanceFragmentBehavior.
This value MUST be monotone increasing in the periods
between updates of the entity's
natv2InstanceDiscontinuityTime. If a manager detects a
change in the latter since the last time it sampled this
counter, it SHOULD NOT make use of the difference between
the latest value of the counter and any value retrieved
before the new value of natv2InstanceDiscontinuityTime."
REFERENCE
"RFC 4787, Section 11."
::= { natv2InstanceEntry 17 }
natv2InstanceOtherResourceFailureDrops OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The cumulative number of packets dropped because of
unavailability of a resource other than an address or port
that would have been required to process it. The most likely
case is where the upper-layer protocol in the packet is not
supported by the NAT instance.
This value MUST be monotone increasing in the periods
between updates of the entity's
natv2InstanceDiscontinuityTime. If a manager detects a
change in the latter since the last time it sampled this
counter, it SHOULD NOT make use of the difference between
the latest value of the counter and any value retrieved
before the new value of natv2InstanceDiscontinuityTime."
::= { natv2InstanceEntry 18 }
natv2InstanceDiscontinuityTime OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Snapshot of the value of the sysUpTime object at the
beginning of the latest period of continuity of the
statistical counters associated with this NAT instance."
::= { natv2InstanceEntry 19 }
-- Notification thresholds, disabled by setting to -1.
natv2InstanceThresholdAddressMapEntriesHigh OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Notification threshold for total number of address map
entries held by this NAT instance. Whenever
natv2InstanceAddressMapEntries is updated, if it equals or
exceeds natv2InstanceThresholdAddressMapEntriesHigh, then
natv2NotificationInstanceAddressMapEntriesHigh may be
triggered, unless the notification is disabled by setting
the threshold to -1. Reporting is subject to the minimum
inter-notification interval given by
natv2InstanceNotificationInterval. If multiple notifications
are triggered during one interval, the agent MUST report
only the one containing the highest value of
natv2InstanceAddressMapEntries and discard the others."
DEFVAL
{ -1 }
::= { natv2InstanceEntry 20 }
natv2InstanceThresholdPortMapEntriesHigh OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Notification threshold for total number of port map
entries held by this NAT instance. Whenever
natv2InstancePortMapEntries is updated, if it equals or
exceeds natv2InstanceThresholdPortMapEntriesHigh, then
natv2NotificationInstancePortMapEntriesHigh may be
triggered, unless the notification is disabled by setting
the threshold to -1. Reporting is subject to the minimum
inter-notification interval given by
natv2InstanceNotificationInterval. If multiple notifications
are triggered during one interval, the agent MUST report
only the one containing the highest value of
natv2InstancePortMapEntries and discard the others."
DEFVAL
{ -1 }
::= { natv2InstanceEntry 21 }
natv2InstanceNotificationInterval OBJECT-TYPE
SYNTAX Unsigned32 (1..3600)
UNITS
"Seconds"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Minimum number of seconds between successive
notifications for this NAT instance. Controls the reporting
of natv2NotificationInstanceAddressMapEntriesHigh and
natv2NotificationInstancePortMapEntriesHigh."
DEFVAL
{ 10 }
::= { natv2InstanceEntry 22 }
-- Limits, disabled if set to 0
natv2InstanceLimitAddressMapEntries OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Limit on total number of address map entries supported by
the NAT instance. When natv2InstanceAddressMapEntries has
reached this limit, subsequent packets that would normally
trigger creation of a new address map entry will be dropped
and counted in natv2InstanceAddressMapEntryLimitDrops.
Warning of an approach to this limit can be achieved by
setting natv2InstanceThresholdAddressMapEntriesHigh to a
non-zero value, for example, 80% of the limit. The limit is
disabled by setting its value to zero.
For further information, please see the descriptions of
natv2NotificationInstanceAddressMapEntriesHigh and
natv2InstanceAddressMapEntries."
DEFVAL
{ 0 }
::= { natv2InstanceEntry 23 }
(next page on part 3)
