rfc9349.original   rfc9349.txt 
Network Working Group D. Fedyk Internet Engineering Task Force (IETF) D. Fedyk
Internet-Draft E. Kinzie Request for Comments: 9349 E. Kinzie
Intended status: Standards Track LabN Consulting, L.L.C. Category: Standards Track LabN Consulting, L.L.C.
Expires: 24 April 2023 21 October 2022 ISSN: 2070-1721 January 2023
Definitions of Managed Objects for IP Traffic Flow Security Definitions of Managed Objects for IP Traffic Flow Security
draft-ietf-ipsecme-mib-iptfs-11
Abstract Abstract
This document describes managed objects for the management of IP This document describes managed objects for the management of IP
Traffic Flow Security additions to IKEv2 and IPsec. This document Traffic Flow Security additions to Internet Key Exchange Protocol
provides a read only version of the objects defined in the YANG Version 2 (IKEv2) and IPsec. This document provides a read-only
module for the same purpose. version of the objects defined in the YANG module for the same
purpose, which is in "A YANG Data Model for IP Traffic Flow Security"
(RFC 9348).
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This is an Internet Standards Track document.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
This Internet-Draft will expire on 24 April 2023. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9349.
Copyright Notice Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents
license-info) in effect on the date of publication of this document. (https://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. Code Components carefully, as they describe your rights and restrictions with respect
extracted from this document must include Revised BSD License text as to this document. Code Components extracted from this document must
described in Section 4.e of the Trust Legal Provisions and are include Revised BSD License text as described in Section 4.e of the
provided without warranty as described in the Revised BSD License. Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction
2. Terminology & Concepts . . . . . . . . . . . . . . . . . . . 3 1.1. The Internet-Standard Management Framework
3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology and Concepts
4. Management Objects . . . . . . . . . . . . . . . . . . . . . 3 3. Overview
4.1. MIB Tree . . . . . . . . . . . . . . . . . . . . . . . . 3 4. Management Objects
4.2. SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . 5 4.1. MIB Tree
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 4.2. SNMP
6. Security Considerations . . . . . . . . . . . . . . . . . . . 19 5. IANA Considerations
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 20 6. Security Considerations
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 20 7. References
8.1. Normative References . . . . . . . . . . . . . . . . . . 20 7.1. Normative References
8.2. Informative References . . . . . . . . . . . . . . . . . 22 7.2. Informative References
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 Acknowledgements
Authors' Addresses
1. Introduction 1. Introduction
This document defines a Management Information Base (MIB) module for This document defines a Management Information Base (MIB) module for
use with network management protocols in the Internet community. use with network management protocols in the Internet community. IP
Traffic Flow Security (IP-TFS) extensions as defined in Traffic Flow Security (IP-TFS) extensions, as defined in [RFC9347],
[I-D.ietf-ipsecme-iptfs] are enhancements to an IPsec tunnel Security are enhancements to an IPsec tunnel Security Association (SA) to
Association to provide improved traffic confidentiality. provide improved traffic confidentiality.
The objects defined here are the same as [RFC9348], with the
exception that only operational or state data is supported. By
making operational data accessible via SNMP, existing network
management systems can monitor IP-TFS. This data is listed in the
MIB tree in Section 4.1. This module uses the YANG data model as a
reference point for managed objects. Note that an IETF MIB model for
IPsec was never standardized; however, the structures here could be
adapted to existing proprietary MIB implementations where SNMP is
used to manage networks.
1.1. The Internet-Standard Management Framework
For a detailed overview of the documents that describe the current For a detailed overview of the documents that describe the current
Internet-Standard Management Framework, please refer to section 7 of Internet-Standard Management Framework, please refer to Section 7 of
[RFC3410]. [RFC3410].
Managed objects are accessed via a virtual information store, termed Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. MIB objects are generally the Management Information Base or MIB. MIB objects are generally
accessed through the Simple Network Management Protocol (SNMP). accessed through the Simple Network Management Protocol (SNMP).
Objects in the MIB are defined using the mechanisms defined in the Objects in the MIB are defined using the mechanisms defined in the
Structure of Management Information (SMI). This memo specifies a MIB Structure of Management Information (SMI). This memo specifies a MIB
module that is compliant to the SMIv2, which is described in STD 58, module that is compliant to the SMIv2, which is described in STD 58,
[RFC2578], STD 58, [RFC2579] and STD 58, [RFC2580]. [RFC2578], STD 58, [RFC2579] and STD 58, [RFC2580].
The objects defined here are the same as 2. Terminology and Concepts
[I-D.ietf-ipsecme-yang-iptfs] with the exception that only
operational or state data is supported. By making operational data
accessible via SNMP existing network management systems can monitor
IP-TFS. This data is listed in the MIB tree in Section 4.1. This
module uses the YANG model as a reference point for managed objects.
Note an IETF MIB model for IPsec was never standardized however the
structures here could be adapted to existing proprietary MIB
implementations where SNMP is used to manage networks.
2. Terminology & Concepts
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in "OPTIONAL" in this document are to be interpreted as described in
[RFC2119] [RFC8174] when, and only when, they appear in all capitals, BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
as shown here. capitals, as shown here.
3. Overview 3. Overview
This document defines the MIB for access to operational parameters of This document defines the MIB for access to operational parameters of
IP traffic flow security (IP-TFS). IP-TFS, defined in IP Traffic Flow Security (IP-TFS). IP-TFS, defined in [RFC9347],
[I-D.ietf-ipsecme-iptfs], configures a security association for configures a Security Association for tunnel mode IPsec with
tunnel mode IPsec with characteristics that improve traffic characteristics that improve traffic confidentiality and reduce
confidentiality and reduce bandwidth efficiency loss. bandwidth efficiency loss.
This document is based on the concepts and management model defined This document is based on the concepts and management model defined
in [I-D.ietf-ipsecme-yang-iptfs]. This document assumes familiarity in [RFC9348]. This document assumes familiarity with the IPsec
with IP security concepts described in [RFC4301], IP-TFS as described concepts described in [RFC4301], IP-TFS as described in [RFC9347],
in [I-D.ietf-ipsecme-iptfs] and the IP-TFS management model described and the IP-TFS management model described in [RFC9348].
in [I-D.ietf-ipsecme-yang-iptfs].
This document specifies an extensible operational model for IP-TFS. This document specifies an extensible operational model for IP-TFS.
It reuses the management model defined in It reuses the management model defined in [RFC9348]. It allows SNMP
[I-D.ietf-ipsecme-yang-iptfs]. It allows SNMP systems to read systems to read operational objects (which include configured
operational objects (which includes configured objects) from IP-TFS. objects) from IP-TFS.
4. Management Objects 4. Management Objects
4.1. MIB Tree 4.1. MIB Tree
The following is the MIB registration tree diagram for the IP-TFS The following is the MIB registration tree diagram for the IP-TFS
extensions. extensions.
# IP-TRAFFIC-FLOW-SECURITY-MIB registration tree # IP-TRAFFIC-FLOW-SECURITY-MIB registration tree
skipping to change at page 4, line 30 skipping to change at line 169
| | +--iptfsInnerStatsTable(1) | | +--iptfsInnerStatsTable(1)
| | +--iptfsInnerStatsTableEntry(1) [iptfsInnerSaIndex] | | +--iptfsInnerStatsTableEntry(1) [iptfsInnerSaIndex]
| | +-- --- Integer32 iptfsInnerSaIndex(1) | | +-- --- Integer32 iptfsInnerSaIndex(1)
| | +-- r-n Counter64 txInnerPkts(2) | | +-- r-n Counter64 txInnerPkts(2)
| | +-- r-n Counter64 txInnerOctets(3) | | +-- r-n Counter64 txInnerOctets(3)
| | +-- r-n Counter64 rxInnerPkts(4) | | +-- r-n Counter64 rxInnerPkts(4)
| | +-- r-n Counter64 rxInnerOctets(5) | | +-- r-n Counter64 rxInnerOctets(5)
| | +-- r-n Counter64 rxIncompleteInnerPkts(6) | | +-- r-n Counter64 rxIncompleteInnerPkts(6)
| +--iptfsOuterStatsGroup(4) | +--iptfsOuterStatsGroup(4)
| +--iptfsOuterStatsTable(1) | +--iptfsOuterStatsTable(1)
| +--iptfsOuterStatsTableEntry(1) [iptfsSaIndex] | +--iptfsOuterStatsTableEntry(1) [iptfsOuterSaIndex]
| +-- --- Integer32 iptfsSaIndex(1) | +-- --- Integer32 iptfsOuterSaIndex(1)
| +-- r-n Counter64 txExtraPadPkts(2) | +-- r-n Counter64 txExtraPadPkts(2)
| +-- r-n Counter64 txExtraPadOctets(3) | +-- r-n Counter64 txExtraPadOctets(3)
| +-- r-n Counter64 txAllPadPkts(4) | +-- r-n Counter64 txAllPadPkts(4)
| +-- r-n Counter64 txAllPadOctets(5) | +-- r-n Counter64 txAllPadOctets(5)
| +-- r-n Counter64 rxExtraPadPkts(6) | +-- r-n Counter64 rxExtraPadPkts(6)
| +-- r-n Counter64 rxExtraPadOctets(7) | +-- r-n Counter64 rxExtraPadOctets(7)
| +-- r-n Counter64 rxAllPadPkts(8) | +-- r-n Counter64 rxAllPadPkts(8)
| +-- r-n Counter64 rxAllPadOctets(9) | +-- r-n Counter64 rxAllPadOctets(9)
| +-- r-n Counter64 rxErroredPkts(10) | +-- r-n Counter64 rxErroredPkts(10)
| +-- r-n Counter64 rxMissedPkts(11) | +-- r-n Counter64 rxMissedPkts(11)
skipping to change at page 5, line 7 skipping to change at line 192
+--iptfsMIBConformances(1) +--iptfsMIBConformances(1)
| +--iptfsMIBCompliance(1) | +--iptfsMIBCompliance(1)
+--iptfsMIBGroups(2) +--iptfsMIBGroups(2)
+--iptfsMIBConfGroup(1) +--iptfsMIBConfGroup(1)
+--ipsecStatsConfGroup(2) +--ipsecStatsConfGroup(2)
+--iptfsInnerStatsConfGroup(3) +--iptfsInnerStatsConfGroup(3)
+--iptfsOuterStatsConfGroup(4) +--iptfsOuterStatsConfGroup(4)
4.2. SNMP 4.2. SNMP
The following is the MIB for IP-TFS. The Congestion control The following is the MIB for IP-TFS. The congestion control
algorithm in [RFC5348] is referenced in the MIB text. algorithm in [RFC5348] is referenced in the MIB text.
<CODE BEGINS> file "iptfs-mib.mib" <CODE BEGINS> file "iptfs-mib.mib"
=-->
-- *---------------------------------------------------------------- -- *----------------------------------------------------------------
-- * IP-TRAFFIC-FLOW-SECURITY-MIB Module -- * IP-TRAFFIC-FLOW-SECURITY-MIB Module
-- *---------------------------------------------------------------- -- *----------------------------------------------------------------
IP-TRAFFIC-FLOW-SECURITY-MIB DEFINITIONS ::= BEGIN IP-TRAFFIC-FLOW-SECURITY-MIB DEFINITIONS ::= BEGIN
IMPORTS IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, MODULE-IDENTITY, OBJECT-TYPE,
Integer32, Unsigned32, Counter64, mib-2 Integer32, Unsigned32, Counter64, mib-2
FROM SNMPv2-SMI FROM SNMPv2-SMI
CounterBasedGauge64 CounterBasedGauge64
FROM HCNUM-TC FROM HCNUM-TC
MODULE-COMPLIANCE, OBJECT-GROUP MODULE-COMPLIANCE, OBJECT-GROUP
FROM SNMPv2-CONF FROM SNMPv2-CONF
TEXTUAL-CONVENTION, TEXTUAL-CONVENTION,
TruthValue TruthValue
FROM SNMPv2-TC; FROM SNMPv2-TC;
iptfsMIB MODULE-IDENTITY iptfsMIB MODULE-IDENTITY
LAST-UPDATED "202210210000Z" LAST-UPDATED "202301090000Z"
ORGANIZATION "IETF IPsecme Working Group" ORGANIZATION "IETF IPsecme Working Group"
CONTACT-INFO CONTACT-INFO
" "
Author: Don Fedyk Author: Don Fedyk
<mailto:dfedyk@labn.net> <mailto:dfedyk@labn.net>
Author: Eric Kinzie Author: Eric Kinzie
<mailto:ekinzie@labn.net>" <mailto:ekinzie@labn.net>"
-- RFC Ed.: replace XXXX with actual RFC number, update mib-2
-- entry and remove this note.
DESCRIPTION DESCRIPTION
"This module defines the configuration and operational "This module defines the configuration and operational
state for managing the IP Traffic Flow Security state for managing the IP Traffic Flow Security
functionality [RFC XXXX]. Copyright (c) 2022 IETF functionality (RFC 9349).
Trust and the persons identified as authors of the
code. All rights reserved. Copyright (c) 2023 IETF Trust and the persons identified
as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, Redistribution and use in source and binary forms,
with or without modification, is permitted pursuant with or without modification, is permitted pursuant
to, and subject to the license terms contained in, to, and subject to the license terms contained in,
the Simplified BSD License set forth in Section 4.c the Simplified BSD License set forth in Section 4.c
of the IETF Trust's Legal Provisions Relating to IETF of the IETF Trust's Legal Provisions Relating to IETF
Documents (https://trustee.ietf.org/license-info). Documents (https://trustee.ietf.org/license-info).
This version of this SNMP MIB module is part of RFC XXXX This version of this SNMP MIB module is part of RFC 9349;
(https://tools.ietf.org/html/rfcXXXX); see the RFC see the RFC itself for full legal notices."
itself for full legal notices."
REVISION "202210210000Z" REVISION "202301090000Z"
DESCRIPTION DESCRIPTION
"Initial revision. Derived from the IP-TFS Yang Model." "Initial revision. Derived from the IP-TFS YANG
::= { mib-2 500} Data Model."
::= { mib-2 246}
-- --
-- Textual Conventions -- Textual Conventions
-- --
UnsignedShort ::= TEXTUAL-CONVENTION UnsignedShort ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d" DISPLAY-HINT "d"
STATUS current STATUS current
DESCRIPTION "xs:unsignedShort" DESCRIPTION "xs:unsignedShort"
SYNTAX Unsigned32 (0 .. 65535) SYNTAX Unsigned32 (0 .. 65535)
NanoSeconds ::= TEXTUAL-CONVENTION NanoSeconds ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d-6" DISPLAY-HINT "d-6"
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Represents time unit value in nanoseconds." "Represents the time unit value in nanoseconds."
SYNTAX Integer32 SYNTAX Integer32
-- Objects, Notifications & Conformances -- Objects, Notifications & Conformances
iptfsMIBObjects OBJECT IDENTIFIER iptfsMIBObjects OBJECT IDENTIFIER
::= { iptfsMIB 1 } ::= { iptfsMIB 1 }
iptfsMIBConformance OBJECT IDENTIFIER iptfsMIBConformance OBJECT IDENTIFIER
::= { iptfsMIB 2} ::= { iptfsMIB 2}
-- --
skipping to change at page 7, line 52 skipping to change at line 327
sendImmediately TruthValue, sendImmediately TruthValue,
lostPacketTimerInterval NanoSeconds lostPacketTimerInterval NanoSeconds
} }
iptfsConfigSaIndex OBJECT-TYPE iptfsConfigSaIndex OBJECT-TYPE
SYNTAX Integer32 (1..16777215) SYNTAX Integer32 (1..16777215)
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A unique value, greater than zero, for each SA. "A unique value, greater than zero, for each SA.
It is recommended that values are assigned contiguously It is recommended that values are assigned contiguously,
starting from 1. starting from 1.
The value for each entry must remain constant at least The value for each entry must remain constant at least
from one re-initialization of entity's network management from one re-initialization of an entity's network management
system to the next re-initialization." system to the next re-initialization."
::= { iptfsConfigTableEntry 1 } ::= { iptfsConfigTableEntry 1 }
congestionControl OBJECT-TYPE congestionControl OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"When set to true, the default, this enables the "When set to true, the default, this enables the
congestion control on-the-wire exchange of data that is congestion control on-the-wire exchange of data that is
required by congestion control algorithms as defined by required by congestion control algorithms, as defined by
RFC 5348. When set to false, IP-TFS sends fixed-sized RFC 5348. When set to false, IP-TFS sends fixed-sized
packets over an IP-TFS tunnel at a constant rate." packets over an IP-TFS tunnel at a constant rate."
::= { iptfsConfigTableEntry 2 } ::= { iptfsConfigTableEntry 2 }
usePathMtuDiscovery OBJECT-TYPE usePathMtuDiscovery OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Packet size is either auto-discovered or manually "Packet size is either auto-discovered or manually
configured. If usePathMtuDiscovery is true the system configured. If usePathMtuDiscovery is true, the system
utilizes path-mtu to determine maximum IP-TFS packet utilizes path-mtu to determine the maximum IP-TFS packet
size. If the packet size is explicitly configured size. If the packet size is explicitly configured,
then it will only be adjusted downward if use-path-mtu then it will only be adjusted downward if use-path-mtu
is set." is set."
::= { iptfsConfigTableEntry 3 } ::= { iptfsConfigTableEntry 3 }
outerPacketSize OBJECT-TYPE outerPacketSize OBJECT-TYPE
SYNTAX UnsignedShort SYNTAX UnsignedShort
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"On Transmission, the size of the outer encapsulating "On transmission, the size of the outer encapsulating
tunnel packet (i.e., the IP packet containing the ESP tunnel packet (i.e., the IP packet containing
payload)." Encapsulating Security Payload)."
::= { iptfsConfigTableEntry 4 } ::= { iptfsConfigTableEntry 4 }
l2FixedRate OBJECT-TYPE l2FixedRate OBJECT-TYPE
SYNTAX CounterBasedGauge64 SYNTAX CounterBasedGauge64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"IP-TFS bit rate may be specified as a layer 2 wire rate. "The IP-TFS bit rate may be specified as a layer 2 wire
rate. On transmission, the target bandwidth/bit rate in
On transmission, target bandwidth/bit rate in bps for bits per second (bps) for the IP-TFS tunnel. This rate is
IP-TFS tunnel. This rate is the nominal timing for the the nominal timing for the fixed-size packet. If
fixed size packet. If congestion control is enabled the congestion control is enabled, the rate may be adjusted
rate may be adjusted down." down."
::= { iptfsConfigTableEntry 5 } ::= { iptfsConfigTableEntry 5 }
l3FixedRate OBJECT-TYPE l3FixedRate OBJECT-TYPE
SYNTAX CounterBasedGauge64 SYNTAX CounterBasedGauge64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"IP-TFS bit rate may be specified as a layer 3 packet rate. "The IP-TFS bit rate may be specified as a layer 3 packet
On Transmission, target bandwidth/bit rate in bps for rate. On transmission, the target bandwidth/bit rate in
IP-TFS tunnel. This rate is the nominal timing for the bps for the IP-TFS tunnel. This rate is the nominal timing
fixed size packet. If congestion control is enabled the for the fixed-size packet. If congestion control is
rate may be adjusted down." enabled, the rate may be adjusted down."
::= { iptfsConfigTableEntry 6 } ::= { iptfsConfigTableEntry 6 }
dontFragment OBJECT-TYPE dontFragment OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"On transmission, disable packet fragmentation across "On transmission, disable packet fragmentation across
consecutive IP-TFS tunnel packets; inner packets larger consecutive IP-TFS tunnel packets; inner packets larger
than what can be transmitted in outer packets will be than what can be transmitted in outer packets will be
dropped." dropped."
::= { iptfsConfigTableEntry 7 } ::= { iptfsConfigTableEntry 7 }
maxAggregationTime OBJECT-TYPE maxAggregationTime OBJECT-TYPE
SYNTAX NanoSeconds SYNTAX NanoSeconds
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"On transmission, maximum aggregation time is the "On transmission, the maximum aggregation time is the
maximum length of time a received inner packet can be maximum length of time a received inner packet can be
held prior to transmission in the IP-TFS tunnel. Inner held prior to transmission in the IP-TFS tunnel. Inner
packets that would be held longer than this time, based packets that would be held longer than this time, based
on the current tunnel configuration will be dropped on the current tunnel configuration, will be dropped
rather than be queued for transmission." rather than be queued for transmission."
::= { iptfsConfigTableEntry 8 } ::= { iptfsConfigTableEntry 8 }
windowSize OBJECT-TYPE windowSize OBJECT-TYPE
SYNTAX UnsignedShort SYNTAX UnsignedShort
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"On reception, the maximum number of out-of-order "On reception, the maximum number of out-of-order
packets that will be reordered by an IP-TFS receiver packets that will be reordered by an IP-TFS receiver
while performing the reordering operation. The value 0 while performing the reordering operation. The value 0
disables any reordering." disables any reordering."
::= { iptfsConfigTableEntry 9 } ::= { iptfsConfigTableEntry 9 }
sendImmediately OBJECT-TYPE sendImmediately OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"On reception, send inner packets as soon as possible, do "On reception, send inner packets as soon as possible; do
not wait for lost or misordered outer packets. not wait for lost or misordered outer packets.
Selecting this option reduces the inner (user) packet Selecting this option reduces the inner (user) packet
delay but can amplify out-of-order delivery of the inner delay but can amplify out-of-order delivery of the inner
packet stream in the presence of packet aggregation and packet stream in the presence of packet aggregation and
any reordering." any reordering."
::= { iptfsConfigTableEntry 10 } ::= { iptfsConfigTableEntry 10 }
lostPacketTimerInterval OBJECT-TYPE lostPacketTimerInterval OBJECT-TYPE
SYNTAX NanoSeconds SYNTAX NanoSeconds
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"On reception, this interval defines the length of time "On reception, this interval defines the length of time
an IP-TFS receiver will wait for a missing packet before an IP-TFS receiver will wait for a missing packet before
considering it lost. If not using send-immediately, considering it lost. If not using send-immediately,
then each lost packet will delay inner (user) packets then each lost packet will delay inner (user) packets
until this timer expires. Setting this value too low can until this timer expires. Setting this value too low can
impact reordering and reassembly." impact reordering and reassembly."
::= { iptfsConfigTableEntry 11 } ::= { iptfsConfigTableEntry 11 }
ipsecStatsTable OBJECT-TYPE ipsecStatsTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecStatsTableEntry SYNTAX SEQUENCE OF IpsecStatsTableEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The table containing basic statistics on IPsec." "The table containing basic statistics on IPsec."
::= { ipsecStatsGroup 1 } ::= { ipsecStatsGroup 1 }
skipping to change at page 11, line 23 skipping to change at line 491
rxOctets Counter64, rxOctets Counter64,
rxDropPkts Counter64 rxDropPkts Counter64
} }
ipsecSaIndex OBJECT-TYPE ipsecSaIndex OBJECT-TYPE
SYNTAX Integer32 (1..16777215) SYNTAX Integer32 (1..16777215)
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A unique value, greater than zero, for each SA. "A unique value, greater than zero, for each SA.
It is recommended that values are assigned contiguously It is recommended that values are assigned contiguously,
starting from 1. starting from 1.
The value for each entry must remain constant at least The value for each entry must remain constant at least
from one re-initialization of entity's network management from one re-initialization of an entity's network management
system to the next re-initialization." system to the next re-initialization."
::= { ipsecStatsTableEntry 1 } ::= { ipsecStatsTableEntry 1 }
txPkts OBJECT-TYPE txPkts OBJECT-TYPE
SYNTAX Counter64 SYNTAX Counter64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Outbound Packet count." "Outbound Packet count."
::= { ipsecStatsTableEntry 2 } ::= { ipsecStatsTableEntry 2 }
skipping to change at page 12, line 29 skipping to change at line 544
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Inbound Packet bytes." "Inbound Packet bytes."
::= { ipsecStatsTableEntry 6 } ::= { ipsecStatsTableEntry 6 }
rxDropPkts OBJECT-TYPE rxDropPkts OBJECT-TYPE
SYNTAX Counter64 SYNTAX Counter64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Inbound Dropped packets" "Inbound dropped packets."
::= { ipsecStatsTableEntry 7 } ::= { ipsecStatsTableEntry 7 }
iptfsInnerStatsTable OBJECT-TYPE iptfsInnerStatsTable OBJECT-TYPE
SYNTAX SEQUENCE OF IptfsInnerSaEntry SYNTAX SEQUENCE OF IptfsInnerStatsSaEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The table containing information on IP-TFS "The table containing information on IP-TFS
Inner Packets." inner packets."
::= { iptfsInnerStatsGroup 1 } ::= { iptfsInnerStatsGroup 1 }
iptfsInnerStatsTableEntry OBJECT-TYPE iptfsInnerStatsTableEntry OBJECT-TYPE
SYNTAX IptfsInnerSaEntry SYNTAX IptfsInnerStatsSaEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An entry containing the information on "An entry containing the information on
a particular IP-TFS SA." a particular IP-TFS SA."
INDEX { iptfsInnerSaIndex } INDEX { iptfsInnerSaIndex }
::= { iptfsInnerStatsTable 1 } ::= { iptfsInnerStatsTable 1 }
IptfsInnerSaEntry ::= SEQUENCE { IptfsInnerStatsSaEntry ::= SEQUENCE {
iptfsInnerSaIndex Integer32, iptfsInnerSaIndex Integer32,
txInnerPkts Counter64, txInnerPkts Counter64,
txInnerOctets Counter64, txInnerOctets Counter64,
rxInnerPkts Counter64, rxInnerPkts Counter64,
rxInnerOctets Counter64, rxInnerOctets Counter64,
rxIncompleteInnerPkts Counter64 rxIncompleteInnerPkts Counter64
} }
iptfsInnerSaIndex OBJECT-TYPE iptfsInnerSaIndex OBJECT-TYPE
SYNTAX Integer32 (1..16777215) SYNTAX Integer32 (1..16777215)
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A unique value, greater than zero, for each SA. "A unique value, greater than zero, for each SA.
It is recommended that values are assigned contiguously It is recommended that values are assigned contiguously,
starting from 1. starting from 1.
The value for each entry must remain constant at least The value for each entry must remain constant at least
from one re-initialization of entity's network management from one re-initialization of an entity's network management
system to the next re-initialization." system to the next re-initialization."
::= { iptfsInnerStatsTableEntry 1 } ::= { iptfsInnerStatsTableEntry 1 }
txInnerPkts OBJECT-TYPE txInnerPkts OBJECT-TYPE
SYNTAX Counter64 SYNTAX Counter64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Total number of IP-TFS inner packets sent. This count "Total number of IP-TFS inner packets sent. This count
is whole packets only. A fragmented packet counts as is whole packets only. A fragmented packet counts as
one packet." one packet."
::= { iptfsInnerStatsTableEntry 2 } ::= { iptfsInnerStatsTableEntry 2 }
txInnerOctets OBJECT-TYPE txInnerOctets OBJECT-TYPE
SYNTAX Counter64 SYNTAX Counter64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Total number of IP-TFS inner octets sent. This is "Total number of IP-TFS inner octets sent. This is
inner packet octets only. Does not count padding." inner packet octets only. This does not count padding."
::= { iptfsInnerStatsTableEntry 3 } ::= { iptfsInnerStatsTableEntry 3 }
rxInnerPkts OBJECT-TYPE rxInnerPkts OBJECT-TYPE
SYNTAX Counter64 SYNTAX Counter64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Total number of IP-TFS inner packets received." "Total number of IP-TFS inner packets received."
::= { iptfsInnerStatsTableEntry 4 } ::= { iptfsInnerStatsTableEntry 4 }
rxInnerOctets OBJECT-TYPE rxInnerOctets OBJECT-TYPE
SYNTAX Counter64 SYNTAX Counter64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Total number of IP-TFS inner octets received. Does "Total number of IP-TFS inner octets received. This does
not include padding or overhead." not include padding or overhead."
::= { iptfsInnerStatsTableEntry 5 } ::= { iptfsInnerStatsTableEntry 5 }
rxIncompleteInnerPkts OBJECT-TYPE rxIncompleteInnerPkts OBJECT-TYPE
SYNTAX Counter64 SYNTAX Counter64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Total number of IP-TFS inner packets that were "Total number of IP-TFS inner packets that were
incomplete. Usually this is due to fragments not incomplete. Usually, this is due to fragments not
received. Also, this may be due to misordering or received. Also, this may be due to misordering or
errors in received outer packets." errors in received outer packets."
::= { iptfsInnerStatsTableEntry 6 } ::= { iptfsInnerStatsTableEntry 6 }
iptfsOuterStatsTable OBJECT-TYPE iptfsOuterStatsTable OBJECT-TYPE
SYNTAX SEQUENCE OF IptfsOuterSaEntry SYNTAX SEQUENCE OF IptfsOuterStatsSaEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The table containing information on IP-TFS." "The table containing information on IP-TFS."
::= { iptfsOuterStatsGroup 1 } ::= { iptfsOuterStatsGroup 1 }
iptfsOuterStatsTableEntry OBJECT-TYPE iptfsOuterStatsTableEntry OBJECT-TYPE
SYNTAX IptfsOuterSaEntry SYNTAX IptfsOuterStatsSaEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An entry containing the information on "An entry containing the information on
a particular IP-TFS SA." a particular IP-TFS SA."
INDEX { iptfsSaIndex } INDEX { iptfsOuterSaIndex }
::= { iptfsOuterStatsTable 1 } ::= { iptfsOuterStatsTable 1 }
IptfsOuterSaEntry ::= SEQUENCE { IptfsOuterStatsSaEntry ::= SEQUENCE {
iptfsSaIndex Integer32, iptfsOuterSaIndex Integer32,
-- iptfs packet statistics information -- iptfs packet statistics information
txExtraPadPkts Counter64, txExtraPadPkts Counter64,
txExtraPadOctets Counter64, txExtraPadOctets Counter64,
txAllPadPkts Counter64, txAllPadPkts Counter64,
txAllPadOctets Counter64, txAllPadOctets Counter64,
rxExtraPadPkts Counter64, rxExtraPadPkts Counter64,
rxExtraPadOctets Counter64, rxExtraPadOctets Counter64,
rxAllPadPkts Counter64, rxAllPadPkts Counter64,
rxAllPadOctets Counter64, rxAllPadOctets Counter64,
rxErroredPkts Counter64, rxErroredPkts Counter64,
rxMissedPkts Counter64 rxMissedPkts Counter64
} }
iptfsSaIndex OBJECT-TYPE iptfsOuterSaIndex OBJECT-TYPE
SYNTAX Integer32 (1..16777215) SYNTAX Integer32 (1..16777215)
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A unique value, greater than zero, for each SA. "A unique value, greater than zero, for each SA.
It is recommended that values are assigned contiguously It is recommended that values are assigned contiguously,
starting from 1. starting from 1.
The value for each entry must remain constant at least The value for each entry must remain constant at least
from one re-initialization of entity's network management from one re-initialization of an entity's network management
system to the next re-initialization." system to the next re-initialization."
::= { iptfsOuterStatsTableEntry 1 } ::= { iptfsOuterStatsTableEntry 1 }
txExtraPadPkts OBJECT-TYPE txExtraPadPkts OBJECT-TYPE
SYNTAX Counter64 SYNTAX Counter64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Total number of transmitted outer IP-TFS packets that "Total number of transmitted outer IP-TFS packets that
included some padding." included some padding."
skipping to change at page 17, line 18 skipping to change at line 772
"Total number of IP-TFS outer packets dropped due to "Total number of IP-TFS outer packets dropped due to
errors." errors."
::= { iptfsOuterStatsTableEntry 10 } ::= { iptfsOuterStatsTableEntry 10 }
rxMissedPkts OBJECT-TYPE rxMissedPkts OBJECT-TYPE
SYNTAX Counter64 SYNTAX Counter64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Total number of IP-TFS outer packets missing indicated "Total number of IP-TFS outer packets missing indicated
by missing sequence number." by a missing sequence number."
::= { iptfsOuterStatsTableEntry 11 } ::= { iptfsOuterStatsTableEntry 11 }
-- --
-- Iptfs Module Compliance -- Iptfs Module Compliance
-- --
iptfsMIBConformances OBJECT IDENTIFIER iptfsMIBConformances OBJECT IDENTIFIER
::= { iptfsMIBConformance 1 } ::= { iptfsMIBConformance 1 }
iptfsMIBGroups OBJECT IDENTIFIER iptfsMIBGroups OBJECT IDENTIFIER
::= { iptfsMIBConformance 2 } ::= { iptfsMIBConformance 2 }
iptfsMIBCompliance MODULE-COMPLIANCE iptfsMIBCompliance MODULE-COMPLIANCE
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The compliance statement for entities which "The compliance statement for entities that
implement the IP-TFS MIB" implement the IP-TFS MIB."
MODULE -- this module MODULE -- this module
MANDATORY-GROUPS { MANDATORY-GROUPS {
iptfsMIBConfGroup, iptfsMIBConfGroup,
ipsecStatsConfGroup, ipsecStatsConfGroup,
iptfsInnerStatsConfGroup, iptfsInnerStatsConfGroup,
iptfsOuterStatsConfGroup iptfsOuterStatsConfGroup
} }
::= { iptfsMIBConformances 1 } ::= { iptfsMIBConformances 1 }
skipping to change at page 18, line 18 skipping to change at line 820
l3FixedRate , l3FixedRate ,
dontFragment, dontFragment,
maxAggregationTime, maxAggregationTime,
windowSize, windowSize,
sendImmediately, sendImmediately,
lostPacketTimerInterval lostPacketTimerInterval
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A collection of objects providing per SA IP-TFS "A collection of objects providing per SA IP-TFS
Configuration." configuration."
::= { iptfsMIBGroups 1 } ::= { iptfsMIBGroups 1 }
ipsecStatsConfGroup OBJECT-GROUP ipsecStatsConfGroup OBJECT-GROUP
OBJECTS { OBJECTS {
txPkts, txPkts,
txOctets, txOctets,
txDropPkts, txDropPkts,
rxPkts, rxPkts,
rxOctets, rxOctets,
rxDropPkts rxDropPkts
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A collection of objects providing per SA Basic "A collection of objects providing per SA basic
Stats." statistics."
::= { iptfsMIBGroups 2 } ::= { iptfsMIBGroups 2 }
iptfsInnerStatsConfGroup OBJECT-GROUP iptfsInnerStatsConfGroup OBJECT-GROUP
OBJECTS { OBJECTS {
txInnerPkts, txInnerPkts,
txInnerOctets, txInnerOctets,
rxInnerPkts, rxInnerPkts,
rxInnerOctets, rxInnerOctets,
rxIncompleteInnerPkts rxIncompleteInnerPkts
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A collection of objects providing per SA IP-TFS "A collection of objects providing per SA IP-TFS
Inner Packet Statistics." inner packet statistics."
::= { iptfsMIBGroups 3 } ::= { iptfsMIBGroups 3 }
iptfsOuterStatsConfGroup OBJECT-GROUP iptfsOuterStatsConfGroup OBJECT-GROUP
OBJECTS { OBJECTS {
txExtraPadPkts, txExtraPadPkts,
txExtraPadOctets, txExtraPadOctets,
txAllPadPkts, txAllPadPkts,
txAllPadOctets, txAllPadOctets,
rxExtraPadPkts, rxExtraPadPkts,
rxExtraPadOctets, rxExtraPadOctets,
rxAllPadPkts, rxAllPadPkts,
rxAllPadOctets, rxAllPadOctets,
rxErroredPkts, rxErroredPkts,
rxMissedPkts rxMissedPkts
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A collection of objects providing per SA IP-TFS "A collection of objects providing per SA IP-TFS
Outer Packet Statistics." outer packet statistics."
::= { iptfsMIBGroups 4 } ::= { iptfsMIBGroups 4 }
END END
<CODE ENDS> <CODE ENDS>
5. IANA Considerations 5. IANA Considerations
The MIB module in this document uses the following IANA-assigned The MIB module in this document uses the following IANA-assigned
OBJECT IDENTIFIER value, recorded in the SMI Network Management MGMT OBJECT IDENTIFIER value, recorded in the "SMI Network Management MGMT
Codes Internet-standard MIB - registry: Codes Internet-standard MIB" registry:
Name Description OBJECT IDENTIFIER value +=========+==========+==============================+
------- --------------------------------- ---------------------- | Decimal | Name | Description |
iptfsMIB IP-TRAFFIC-FLOW-SECURITY-MIB { mib-2 TBA-IANA } +=========+==========+==============================+
| 246 | iptfsMIB | IP-TRAFFIC-FLOW-SECURITY-MIB |
+---------+----------+------------------------------+
Table 1
6. Security Considerations 6. Security Considerations
The MIB specified in this document can read the operational behavior The MIB specified in this document can read the operational behavior
of IP traffic flow security. For the implications regarding write of IP Traffic Flow Security. For the implications regarding write
configuration consult the [I-D.ietf-ipsecme-iptfs] which defines the configuration, consult [RFC9347], which defines the functionality.
functionality.
There are no management objects defined in this MIB module that have There are no management objects defined in this MIB module that have
a MAX-ACCESS clause of read-write and/or read-create. So, if this a MAX-ACCESS clause of read-write and/or read-create. So, if this
MIB module is implemented correctly, then there is no risk that an MIB module is implemented correctly, then there is no risk that an
intruder can alter or create any management objects of this MIB intruder can alter or create any management objects of this MIB
module via direct SNMP SET operations. module via direct SNMP SET operations.
Some of the objects in this MIB module may be considered sensitive or Some of the objects in this MIB module may be considered sensitive or
vulnerable in some network environments. This includes INDEX objects vulnerable in some network environments. This includes INDEX objects
with a MAX-ACCESS of not-accessible, and any indices from other with a MAX-ACCESS of not-accessible, and any indices from other
modules exposed via AUGMENTS. It is thus important to control even modules exposed via AUGMENTS. It is thus important to control even
GET and/or NOTIFY access to these objects and possibly to even GET and/or NOTIFY access to these objects and possibly to even
encrypt the values of these objects when sending them over the encrypt the values of these objects when sending them over the
network via SNMP. These are the tables and objects and their network via SNMP. These are the tables and objects and their
sensitivity/vulnerability: sensitivity/vulnerability:
* iptfsInnerStatsTable and iptfsOuterStatsTable- Access to IP inner * iptfsInnerStatsTable and iptfsOuterStatsTable: Access to IP inner
and outer traffic flow security statistics can provide information and outer Traffic Flow Security statistics can provide information
that IP traffic flow security obscures such as the true activity that IP Traffic Flow Security obscures, such as the true activity
of the flows using IP traffic flow security. of the flows using IP Traffic Flow Security.
SNMP versions prior to SNMPv3 did not include adequate security. SNMP versions prior to SNMPv3 did not include adequate security.
Even if the network itself is secure (for example by using IPsec), Even if the network itself is secure (for example by using IPsec),
there is no control as to who on the secure network is allowed to there is no control as to who on the secure network is allowed to
access and GET (read) the objects in this MIB module. access and GET (read) the objects in this MIB module.
To prevent unauthorized access to SNMP including access to IP-TFS Implementations SHOULD provide the security features described by the
sensitive objects: SNMPv3 framework (see [RFC3410]), and implementations claiming
compliance to the SNMPv3 standard MUST include full support for
* Implementations SHOULD provide the security features described by authentication and privacy via the User-based Security Model (USM)
the SNMPv3 framework (see [RFC3410]), and implementations claiming [RFC3414] with the AES cipher algorithm [RFC3826]. Implementations
compliance to the SNMPv3 standard MUST include full support for MAY also provide support for the Transport Security Model (TSM)
authentication and privacy via the User-based Security Model (USM) [RFC5591] in combination with a secure transport such as SSH
[RFC3414] with the AES cipher algorithm [RFC3826]. [RFC5592] or TLS/DTLS [RFC6353].
Implementations MAY also provide support for the Transport
Security Model (TSM) [RFC5591] in combination with a secure
transport such as SSH [RFC5592] or TLS/DTLS [RFC6353].
* Further, deployment of SNMP versions prior to SNMPv3 is NOT
RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
enable cryptographic security. It is then a customer/operator
responsibility to ensure that the SNMP entity giving access to an
instance of this MIB module is properly configured to give access
to the objects only to those principals (users) that have
legitimate rights to indeed GET or SET (change/create/delete)
them.
7. Acknowledgements
The authors would like to thank Chris Hopps, Lou Berger and Tero
Kivinen for their help and feedback on the MIB model.
8. References Further, deployment of SNMP versions prior to SNMPv3 is NOT
RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
enable cryptographic security. It is then a customer/operator
responsibility to ensure that the SNMP entity giving access to an
instance of this MIB module is properly configured to give access to
the objects only to those principals (users) that have legitimate
rights to indeed GET or SET (change/create/delete) them.
8.1. Normative References 7. References
[I-D.ietf-ipsecme-iptfs] 7.1. Normative References
Hopps, C., "IP-TFS: Aggregation and Fragmentation Mode for
ESP and its Use for IP Traffic Flow Security", Work in
Progress, Internet-Draft, draft-ietf-ipsecme-iptfs-19, 4
September 2022, <https://www.ietf.org/archive/id/draft-
ietf-ipsecme-iptfs-19.txt>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J.
Schoenwaelder, Ed., "Structure of Management Information Schoenwaelder, Ed., "Structure of Management Information
Version 2 (SMIv2)", STD 58, RFC 2578, Version 2 (SMIv2)", STD 58, RFC 2578,
DOI 10.17487/RFC2578, April 1999, DOI 10.17487/RFC2578, April 1999,
<https://www.rfc-editor.org/info/rfc2578>. <https://www.rfc-editor.org/info/rfc2578>.
[RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J.
Schoenwaelder, Ed., "Textual Conventions for SMIv2", Schoenwaelder, Ed., "Textual Conventions for SMIv2",
STD 58, RFC 2579, DOI 10.17487/RFC2579, April 1999, STD 58, RFC 2579, DOI 10.17487/RFC2579, April 1999,
<https://www.rfc-editor.org/info/rfc2579>. <https://www.rfc-editor.org/info/rfc2579>.
[RFC2580] McCloghrie, K., Ed., Perkins, D., Ed., and J.
Schoenwaelder, Ed., "Conformance Statements for SMIv2",
STD 58, RFC 2580, DOI 10.17487/RFC2580, April 1999,
<https://www.rfc-editor.org/info/rfc2580>.
[RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model [RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model
(USM) for version 3 of the Simple Network Management (USM) for version 3 of the Simple Network Management
Protocol (SNMPv3)", STD 62, RFC 3414, Protocol (SNMPv3)", STD 62, RFC 3414,
DOI 10.17487/RFC3414, December 2002, DOI 10.17487/RFC3414, December 2002,
<https://www.rfc-editor.org/info/rfc3414>. <https://www.rfc-editor.org/info/rfc3414>.
[RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie, "The [RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie, "The
Advanced Encryption Standard (AES) Cipher Algorithm in the Advanced Encryption Standard (AES) Cipher Algorithm in the
SNMP User-based Security Model", RFC 3826, SNMP User-based Security Model", RFC 3826,
DOI 10.17487/RFC3826, June 2004, DOI 10.17487/RFC3826, June 2004,
skipping to change at page 22, line 14 skipping to change at line 992
[RFC6353] Hardaker, W., "Transport Layer Security (TLS) Transport [RFC6353] Hardaker, W., "Transport Layer Security (TLS) Transport
Model for the Simple Network Management Protocol (SNMP)", Model for the Simple Network Management Protocol (SNMP)",
STD 78, RFC 6353, DOI 10.17487/RFC6353, July 2011, STD 78, RFC 6353, DOI 10.17487/RFC6353, July 2011,
<https://www.rfc-editor.org/info/rfc6353>. <https://www.rfc-editor.org/info/rfc6353>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
8.2. Informative References [RFC9347] Hopps, C., "Aggregation and Fragmentation Mode for
Encapsulating Security Payload (ESP) and Its Use for IP
[I-D.ietf-ipsecme-yang-iptfs] Traffic Flow Security (IP-TFS)", RFC 9347,
Fedyk, D. and C. Hopps, "A YANG Data Model for IP Traffic DOI 10.17487/RFC9347, January 2023,
Flow Security", Work in Progress, Internet-Draft, draft- <https://www.rfc-editor.org/info/rfc9347>.
ietf-ipsecme-yang-iptfs-11, 31 August 2022,
<https://www.ietf.org/archive/id/draft-ietf-ipsecme-yang-
iptfs-11.txt>.
[RFC2580] McCloghrie, K., Ed., Perkins, D., Ed., and J. 7.2. Informative References
Schoenwaelder, Ed., "Conformance Statements for SMIv2",
STD 58, RFC 2580, DOI 10.17487/RFC2580, April 1999,
<https://www.rfc-editor.org/info/rfc2580>.
[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
"Introduction and Applicability Statements for Internet- "Introduction and Applicability Statements for Internet-
Standard Management Framework", RFC 3410, Standard Management Framework", RFC 3410,
DOI 10.17487/RFC3410, December 2002, DOI 10.17487/RFC3410, December 2002,
<https://www.rfc-editor.org/info/rfc3410>. <https://www.rfc-editor.org/info/rfc3410>.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, Internet Protocol", RFC 4301, DOI 10.17487/RFC4301,
December 2005, <https://www.rfc-editor.org/info/rfc4301>. December 2005, <https://www.rfc-editor.org/info/rfc4301>.
[RFC5348] Floyd, S., Handley, M., Padhye, J., and J. Widmer, "TCP [RFC5348] Floyd, S., Handley, M., Padhye, J., and J. Widmer, "TCP
Friendly Rate Control (TFRC): Protocol Specification", Friendly Rate Control (TFRC): Protocol Specification",
RFC 5348, DOI 10.17487/RFC5348, September 2008, RFC 5348, DOI 10.17487/RFC5348, September 2008,
<https://www.rfc-editor.org/info/rfc5348>. <https://www.rfc-editor.org/info/rfc5348>.
[RFC9348] Fedyk, D. and C. Hopps, "A YANG Data Model for IP Traffic
Flow Security", RFC 9348, DOI 10.17487/RFC9348, January
2023, <https://www.rfc-editor.org/info/rfc9348>.
Acknowledgements
The authors would like to thank Chris Hopps, Lou Berger, and Tero
Kivinen for their help and feedback on the MIB model.
Authors' Addresses Authors' Addresses
Don Fedyk Don Fedyk
LabN Consulting, L.L.C. LabN Consulting, L.L.C.
Email: dfedyk@labn.net Email: dfedyk@labn.net
Eric Kinzie Eric Kinzie
LabN Consulting, L.L.C. LabN Consulting, L.L.C.
Email: ekinzie@labn.net Email: ekinzie@labn.net
 End of changes. 78 change blocks. 
202 lines changed or deleted 194 lines changed or added

This html diff was produced by rfcdiff 1.48.