rfc9349.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc [
<!ENTITY nbsp "&#160;">
<!ENTITY zwsp "&#8203;">
<!ENTITY nbhy "&#8209;">
<!ENTITY wj "&#8288;">
]>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" submissionType="IETF" category="std" consensus="true" docName="draft-ietf-ipsecme-mib-iptfs-11" number="9349" obsoletes="" updates="" xml:lang="en" tocInclude="true" symRefs="true" sortRefs="true" version="3">
<!-- xml2rfc v2v3 conversion 3.14.2 -->
<front>
<title abbrev="Definitions of Managed Objects for IP-TFS">Definitions of Managed Objects for IP Traffic Flow Security</title>
<seriesInfo name="RFC" value="9349"/>
<author initials="D." surname="Fedyk" fullname="Don Fedyk">
<organization>LabN Consulting, L.L.C.</organization>
<address>
<email>dfedyk@labn.net</email>
</address>
</author>
<author initials="E." surname="Kinzie" fullname="Eric Kinzie">
<organization>LabN Consulting, L.L.C.</organization>
<address>
<email>ekinzie@labn.net</email>
</address>
</author>
<date year="2023" month="January"/>
<area>sec</area>
<workgroup>ipsecme</workgroup>
<keyword>MIB</keyword>
<keyword>IPsec</keyword>
<keyword>IP-TRAFFIC-FLOW-SECURITY-MIB</keyword>
<abstract>
<t>This document describes managed objects for the management of IP
Traffic Flow Security additions to Internet Key Exchange Protocol Version 2 (IKEv2) and IPsec.
This document provides a read-only version of the objects defined in
the YANG module for the same purpose, which is in "A YANG Data Model for
IP Traffic Flow Security" (RFC 9348).
</t>
</abstract>
</front>
<middle>
<section numbered="true" toc="default">
<name>Introduction</name>
<t>This document defines a Management Information Base (MIB) module for use
with network management protocols in the Internet community. IP Traffic
Flow Security (IP-TFS) extensions, as defined in
<xref target="RFC9347" format="default"/>, are
enhancements to an IPsec tunnel Security Association (SA) to provide
improved traffic confidentiality. </t>
<t>
The objects defined here are the same as those in <xref target="RFC9348" format="default"/>,
with the exception that only operational or state data is supported.
By making operational data accessible via SNMP, existing network management systems can monitor IP-TFS.
This data is listed in the MIB
tree in <xref target="mib-tree" format="default"/>.
This module uses the YANG data model as a reference point for managed objects.
Note that an IETF MIB model for IPsec was never standardized; however, the structures here
could be adapted to existing proprietary MIB implementations where SNMP is used to manage networks.
</t>
<section numbered="true" toc="default">
<name>The Internet-Standard Management Framework</name>
<!-- DNE starts -->
<t>
For a detailed overview of the documents that describe the current
Internet-Standard Management Framework, please refer to <xref target="RFC3410" section="7" sectionFormat="of" format="default"/>.
</t>
<t>
Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. MIB objects are generally
accessed through the Simple Network Management Protocol (SNMP).
Objects in the MIB are defined using the mechanisms defined in the
Structure of Management Information (SMI). This memo specifies a MIB
module that is compliant to the SMIv2, which is described in STD 58,
<xref target="RFC2578" format="default"/>, STD 58, <xref target="RFC2579" format="default"/> and STD 58,
<xref target="RFC2580" format="default"/>.
</t>
<!-- DNE ends -->
</section>
</section>
<section numbered="true" toc="default">
<name>Terminology and Concepts</name>
<t>
The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP&nbsp;14 <xref target="RFC2119"/> <xref target="RFC8174"/>
when, and only when, they appear in all capitals, as shown here.
</t>
</section>
<section numbered="true" toc="default">
<name>Overview</name>
<t>This document defines the MIB for access to operational parameters of IP Traffic
Flow Security (IP-TFS). IP-TFS, defined in
<xref target="RFC9347" format="default"/>,
configures a Security Association for tunnel mode IPsec with characteristics
that improve traffic confidentiality and reduce bandwidth efficiency loss.
</t>
<t>
This document is based on the concepts and management model
defined in <xref target="RFC9348" format="default"/>. This
document assumes familiarity with the IPsec concepts described in
<xref target="RFC4301" format="default"/>, IP-TFS as described in
<xref target="RFC9347" format="default"/>, and the
IP-TFS management model described in
<xref target="RFC9348" format="default"/>.
</t>
<t>
This document specifies an extensible operational model for IP-TFS.
It reuses the management model
defined in <xref target="RFC9348" format="default"/>.
It allows SNMP systems to read operational objects (which include configured objects) from IP-TFS.
</t>
</section>
<section numbered="true" toc="default">
<name>Management Objects</name>
<section anchor="mib-tree" numbered="true" toc="default">
<name>MIB Tree</name>
<t>The following is the MIB registration tree diagram for the IP-TFS
extensions.</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
# IP-TRAFFIC-FLOW-SECURITY-MIB registration tree
   ...
|  |  +--iptfsInnerStatsTable(1)
|  |     +--iptfsInnerStatsTableEntry(1) [iptfsInnerSaIndex]
|  |        +-- --- Integer32 iptfsInnerSaIndex(1)
|  |        +-- r-n Counter64 txInnerPkts(2)
|  |        +-- r-n Counter64 txInnerOctets(3)
|  |        +-- r-n Counter64 rxInnerPkts(4)
|  |        +-- r-n Counter64 rxInnerOctets(5)
|  |        +-- r-n Counter64 rxIncompleteInnerPkts(6)
|  +--iptfsOuterStatsGroup(4)
|     +--iptfsOuterStatsTable(1)
|        +--iptfsOuterStatsTableEntry(1) [iptfsOuterSaIndex]
|           +-- --- Integer32 iptfsOuterSaIndex(1)
|           +-- r-n Counter64 txExtraPadPkts(2)
|           +-- r-n Counter64 txExtraPadOctets(3)
|           +-- r-n Counter64 txAllPadPkts(4)
|           +-- r-n Counter64 txAllPadOctets(5)
|           +-- r-n Counter64 rxExtraPadPkts(6)
|           +-- r-n Counter64 rxExtraPadOctets(7)
|           +-- r-n Counter64 rxAllPadPkts(8)
|           +-- r-n Counter64 rxAllPadOctets(9)
|           +-- r-n Counter64 rxErroredPkts(10)
|           +-- r-n Counter64 rxMissedPkts(11)
+--iptfsMIBConformance(2)
   +--iptfsMIBConformances(1)
   |  +--iptfsMIBCompliance(1)
   +--iptfsMIBGroups(2)
      +--iptfsMIBConfGroup(1)
      +--ipsecStatsConfGroup(2)
      +--iptfsInnerStatsConfGroup(3)
      +--iptfsOuterStatsConfGroup(4)
]]></artwork>
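<t>The following Python is an added example; it is not part of RFC 9349 or of the YANG model the MIB mirrors. It builds instance OIDs for the two statistics tables from the registration tree above (mib-2 is 1.3.6.1.2.1, iptfsMIB is { mib-2 246 } and iptfsMIBObjects is { iptfsMIB 1 }), then turns two polls of one SA's Counter64 cells into per-interval deltas with 64-bit wrap handling, a transmit padding fraction and a loss indicator, and computes the nominal packet spacing implied by a fixed rate and outer packet size. The counter values are constructed for illustration; the assumption that the same index value names the same SA in the inner and outer tables, and the omission of IP-TFS header overhead from the padding fraction, are the example's own, not the MIB's.</t>

```python
"""Added example for the IP-TRAFFIC-FLOW-SECURITY-MIB (not part of RFC 9349).

Instance OIDs for the inner/outer statistics tables, Counter64 deltas with
wrap handling, a padding fraction and a loss flag over constructed polls.
"""
from typing import Dict

# mib-2 is 1.3.6.1.2.1; the RFC assigns iptfsMIB = { mib-2 246 } and
# iptfsMIBObjects = { iptfsMIB 1 }.
IPTFS_MIB_OBJECTS = (1, 3, 6, 1, 2, 1, 246, 1)

# group.table.entry sub-identifiers copied from the registration tree.
TABLE_ENTRY = {
    "inner": IPTFS_MIB_OBJECTS + (3, 1, 1),  # iptfsInnerStatsGroup(3)
    "outer": IPTFS_MIB_OBJECTS + (4, 1, 1),  # iptfsOuterStatsGroup(4)
}
COLUMNS = {
    "inner": {"txInnerPkts": 2, "txInnerOctets": 3, "rxInnerPkts": 4,
              "rxInnerOctets": 5, "rxIncompleteInnerPkts": 6},
    "outer": {"txExtraPadPkts": 2, "txExtraPadOctets": 3, "txAllPadPkts": 4,
              "txAllPadOctets": 5, "rxExtraPadPkts": 6, "rxExtraPadOctets": 7,
              "rxAllPadPkts": 8, "rxAllPadOctets": 9, "rxErroredPkts": 10,
              "rxMissedPkts": 11},
}
SA_INDEX_MAX = 16777215        # every SA index is Integer32 (1..16777215)
COUNTER64_MODULUS = 2 ** 64    # SMIv2 Counter64 wraps modulo 2^64
NANOSECONDS_MAX = 2 ** 31 - 1  # NanoSeconds TC is Integer32: about 2.147 s


def column_oid(table: str, column: str, sa_index: int) -> str:
    """Instance OID of one cell: entry OID, column number, then the SA index."""
    if not (sa_index >= 1 and SA_INDEX_MAX >= sa_index):
        raise ValueError("SA index outside Integer32 (1..16777215)")
    subids = TABLE_ENTRY[table] + (COLUMNS[table][column], sa_index)
    return ".".join(str(x) for x in subids)


def counter64_delta(previous: int, current: int) -> int:
    """Growth between two Counter64 readings, tolerating a single wrap."""
    return (current - previous) % COUNTER64_MODULUS


def poll_delta(previous: Dict[str, int], current: Dict[str, int]) -> Dict[str, int]:
    """Per-column deltas for dicts mapping column name to Counter64 value."""
    return {name: counter64_delta(previous[name], current[name]) for name in current}


def tx_pad_fraction(outer: Dict[str, int], inner: Dict[str, int]) -> float:
    """Share of transmitted tunnel payload that was padding in the interval.
    Assumption (not stated by the MIB): IP-TFS header overhead is ignored, so
    payload = inner octets + extra padding + all-pad packet octets."""
    pad = outer["txExtraPadOctets"] + outer["txAllPadOctets"]
    total = inner["txInnerOctets"] + pad
    return pad / total if total else 0.0


def analyse_interval(prev_inner, cur_inner, prev_outer, cur_outer) -> dict:
    """Summarise one polling interval for one SA. Assumes the same index value
    names the same SA in both tables, which the MIB does not guarantee."""
    inner = poll_delta(prev_inner, cur_inner)
    outer = poll_delta(prev_outer, cur_outer)
    # Missed/errored outer packets or incomplete inner packets indicate loss,
    # reordering beyond windowSize, or an expired lostPacketTimerInterval.
    loss = (outer["rxMissedPkts"] > 0 or outer["rxErroredPkts"] > 0
            or inner["rxIncompleteInnerPkts"] > 0)
    return {"inner": inner, "outer": outer,
            "tx_pad_fraction": tx_pad_fraction(outer, inner), "loss_seen": loss}


def nominal_interval_ns(rate_bps: int, packet_octets: int) -> int:
    """Nominal spacing of fixed-size tunnel packets at the configured bit rate.
    For l2FixedRate the caller adds layer 2 framing to packet_octets. The
    result is range-checked against the NanoSeconds textual convention."""
    ns = packet_octets * 8 * 10 ** 9 // rate_bps
    if ns > NANOSECONDS_MAX:
        raise ValueError("interval does not fit the NanoSeconds Integer32 TC")
    return ns


# Constructed sample: two polls of SA index 7 (values chosen for illustration).
PREV_INNER = {"txInnerPkts": 1000, "txInnerOctets": 800000, "rxInnerPkts": 900,
              "rxInnerOctets": 700000, "rxIncompleteInnerPkts": 2}
CUR_INNER = {"txInnerPkts": 1600, "txInnerOctets": 1340000, "rxInnerPkts": 1500,
             "rxInnerOctets": 1180000, "rxIncompleteInnerPkts": 2}
PREV_OUTER = {"txExtraPadPkts": 100, "txExtraPadOctets": 40000, "txAllPadPkts": 50,
              "txAllPadOctets": 70000, "rxExtraPadPkts": 90, "rxExtraPadOctets": 36000,
              "rxAllPadPkts": 40, "rxAllPadOctets": 56000, "rxErroredPkts": 0,
              "rxMissedPkts": 3}
CUR_OUTER = {"txExtraPadPkts": 160, "txExtraPadOctets": 70000, "txAllPadPkts": 80,
             "txAllPadOctets": 100000, "rxExtraPadPkts": 150, "rxExtraPadOctets": 60000,
             "rxAllPadPkts": 60, "rxAllPadOctets": 84000, "rxErroredPkts": 0,
             "rxMissedPkts": 5}

if __name__ == "__main__":
    print(column_oid("outer", "rxMissedPkts", 7))
    report = analyse_interval(PREV_INNER, CUR_INNER, PREV_OUTER, CUR_OUTER)
    print(report["tx_pad_fraction"], report["loss_seen"])
    print(nominal_interval_ns(100_000_000, 1500))
```

<t>The OIDs produced are what an SNMP manager polls for each SA row; because every counter is Counter64 and read-only, a manager only has to difference successive polls modulo 2^64. Objects of the NanoSeconds textual convention (maxAggregationTime, lostPacketTimerInterval) are Integer32, so values above roughly 2.147 seconds cannot be represented, which the interval helper checks.</t>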
</section>
<section numbered="true" toc="default">
<name>SNMP</name>
<t>The following is the MIB for IP-TFS. The congestion control algorithm
in <xref target="RFC5348" format="default"/> is referenced in the MIB text.</t>
<sourcecode name="iptfs-mib.mib" type="mib" markers="true"><![CDATA[
-- *----------------------------------------------------------------
-- * IP-TRAFFIC-FLOW-SECURITY-MIB Module
-- *----------------------------------------------------------------
IP-TRAFFIC-FLOW-SECURITY-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE,
    Integer32, Unsigned32, Counter64, mib-2
        FROM SNMPv2-SMI
    CounterBasedGauge64
        FROM HCNUM-TC
    MODULE-COMPLIANCE, OBJECT-GROUP
        FROM SNMPv2-CONF
    TEXTUAL-CONVENTION,
    TruthValue
        FROM SNMPv2-TC;

iptfsMIB MODULE-IDENTITY
    LAST-UPDATED "202301090000Z"
    ORGANIZATION "IETF IPsecme Working Group"
    CONTACT-INFO
        "
        Author: Don Fedyk
        <mailto:dfedyk@labn.net>
        Author: Eric Kinzie
        <mailto:ekinzie@labn.net>"
    DESCRIPTION
        "This module defines the configuration and operational
        state for managing the IP Traffic Flow Security
        functionality (RFC 9349).

        Copyright (c) 2023 IETF Trust and the persons identified
        as authors of the code. All rights reserved.

        Redistribution and use in source and binary forms,
        with or without modification, is permitted pursuant
        to, and subject to the license terms contained in,
        the Simplified BSD License set forth in Section 4.c
        of the IETF Trust's Legal Provisions Relating to IETF
        Documents (https://trustee.ietf.org/license-info).

        This version of this SNMP MIB module is part of RFC 9349;
        see the RFC itself for full legal notices."
    REVISION "202301090000Z"
    DESCRIPTION
        "Initial revision. Derived from the IP-TFS YANG
        Data Model."
    ::= { mib-2 246 }

--
-- Textual Conventions
--
UnsignedShort ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "d"
    STATUS current
    DESCRIPTION "xs:unsignedShort"
    SYNTAX Unsigned32 (0 .. 65535)

NanoSeconds ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "d-6"
    STATUS current
    DESCRIPTION
        "Represents the time unit value in nanoseconds."
    SYNTAX Integer32

-- Objects, Notifications & Conformances
iptfsMIBObjects OBJECT IDENTIFIER
    ::= { iptfsMIB 1 }
iptfsMIBConformance OBJECT IDENTIFIER
    ::= { iptfsMIB 2 }
--
...
    sendImmediately TruthValue,
    lostPacketTimerInterval NanoSeconds
}

iptfsConfigSaIndex OBJECT-TYPE
    SYNTAX Integer32 (1..16777215)
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "A unique value, greater than zero, for each SA.
        It is recommended that values are assigned contiguously,
        starting from 1.
        The value for each entry must remain constant at least
        from one re-initialization of an entity's network management
        system to the next re-initialization."
    ::= { iptfsConfigTableEntry 1 }

congestionControl OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "When set to true, the default, this enables the
        congestion control on-the-wire exchange of data that is
        required by congestion control algorithms, as defined by
        RFC 5348. When set to false, IP-TFS sends fixed-sized
        packets over an IP-TFS tunnel at a constant rate."
    ::= { iptfsConfigTableEntry 2 }

usePathMtuDiscovery OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Packet size is either auto-discovered or manually
        configured. If usePathMtuDiscovery is true, the system
        utilizes path-mtu to determine the maximum IP-TFS packet
        size. If the packet size is explicitly configured,
        then it will only be adjusted downward if use-path-mtu
        is set."
    ::= { iptfsConfigTableEntry 3 }

outerPacketSize OBJECT-TYPE
    SYNTAX UnsignedShort
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "On transmission, the size of the outer encapsulating
        tunnel packet (i.e., the IP packet containing the
        Encapsulating Security Payload)."
    ::= { iptfsConfigTableEntry 4 }

l2FixedRate OBJECT-TYPE
    SYNTAX CounterBasedGauge64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The IP-TFS bit rate may be specified as a layer 2 wire
        rate. On transmission, the target bandwidth/bit rate in
        bits per second (bps) for the IP-TFS tunnel. This rate is
        the nominal timing for the fixed-size packet. If
        congestion control is enabled, the rate may be adjusted
        down."
    ::= { iptfsConfigTableEntry 5 }

l3FixedRate OBJECT-TYPE
    SYNTAX CounterBasedGauge64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The IP-TFS bit rate may be specified as a layer 3 packet
        rate. On transmission, the target bandwidth/bit rate in
        bps for the IP-TFS tunnel. This rate is the nominal timing
        for the fixed-size packet. If congestion control is
        enabled, the rate may be adjusted down."
    ::= { iptfsConfigTableEntry 6 }

dontFragment OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "On transmission, disable packet fragmentation across
        consecutive IP-TFS tunnel packets; inner packets larger
        than what can be transmitted in outer packets will be
        dropped."
    ::= { iptfsConfigTableEntry 7 }

maxAggregationTime OBJECT-TYPE
    SYNTAX NanoSeconds
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "On transmission, the maximum aggregation time is the
        maximum length of time a received inner packet can be
        held prior to transmission in the IP-TFS tunnel. Inner
        packets that would be held longer than this time, based
        on the current tunnel configuration, will be dropped
        rather than be queued for transmission."
    ::= { iptfsConfigTableEntry 8 }

windowSize OBJECT-TYPE
    SYNTAX UnsignedShort
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "On reception, the maximum number of out-of-order
        packets that will be reordered by an IP-TFS receiver
        while performing the reordering operation. The value 0
        disables any reordering."
    ::= { iptfsConfigTableEntry 9 }

sendImmediately OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "On reception, send inner packets as soon as possible; do
        not wait for lost or misordered outer packets.
        Selecting this option reduces the inner (user) packet
        delay but can amplify out-of-order delivery of the inner
        packet stream in the presence of packet aggregation and
        any reordering."
    ::= { iptfsConfigTableEntry 10 }

lostPacketTimerInterval OBJECT-TYPE
    SYNTAX NanoSeconds
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "On reception, this interval defines the length of time
        an IP-TFS receiver will wait for a missing packet before
        considering it lost. If not using send-immediately,
        then each lost packet will delay inner (user) packets
        until this timer expires. Setting this value too low can
        impact reordering and reassembly."
    ::= { iptfsConfigTableEntry 11 }

ipsecStatsTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpsecStatsTableEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The table containing basic statistics on IPsec."
    ::= { ipsecStatsGroup 1 }

...
    rxOctets Counter64,
    rxDropPkts Counter64
}

ipsecSaIndex OBJECT-TYPE
    SYNTAX Integer32 (1..16777215)
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "A unique value, greater than zero, for each SA.
        It is recommended that values are assigned contiguously,
        starting from 1.
        The value for each entry must remain constant at least
        from one re-initialization of an entity's network management
        system to the next re-initialization."
    ::= { ipsecStatsTableEntry 1 }

txPkts OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Outbound packet count."
    ::= { ipsecStatsTableEntry 2 }

...
    STATUS current
    DESCRIPTION
        "Inbound packet bytes."
    ::= { ipsecStatsTableEntry 6 }

rxDropPkts OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Inbound dropped packets."
    ::= { ipsecStatsTableEntry 7 }

iptfsInnerStatsTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IptfsInnerStatsSaEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The table containing information on IP-TFS
        inner packets."
    ::= { iptfsInnerStatsGroup 1 }

iptfsInnerStatsTableEntry OBJECT-TYPE
    SYNTAX IptfsInnerStatsSaEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "An entry containing the information on
        a particular IP-TFS SA."
    INDEX { iptfsInnerSaIndex }
    ::= { iptfsInnerStatsTable 1 }

IptfsInnerStatsSaEntry ::= SEQUENCE {
    iptfsInnerSaIndex Integer32,
    txInnerPkts Counter64,
    txInnerOctets Counter64,
    rxInnerPkts Counter64,
    rxInnerOctets Counter64,
    rxIncompleteInnerPkts Counter64
}

iptfsInnerSaIndex OBJECT-TYPE
    SYNTAX Integer32 (1..16777215)
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "A unique value, greater than zero, for each SA.
        It is recommended that values are assigned contiguously,
        starting from 1.
        The value for each entry must remain constant at least
        from one re-initialization of an entity's network management
        system to the next re-initialization."
    ::= { iptfsInnerStatsTableEntry 1 }

txInnerPkts OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Total number of IP-TFS inner packets sent. This count
        is whole packets only. A fragmented packet counts as
        one packet."
    ::= { iptfsInnerStatsTableEntry 2 }

txInnerOctets OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Total number of IP-TFS inner octets sent. This is
        inner packet octets only. This does not count padding."
    ::= { iptfsInnerStatsTableEntry 3 }

rxInnerPkts OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Total number of IP-TFS inner packets received."
    ::= { iptfsInnerStatsTableEntry 4 }

rxInnerOctets OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Total number of IP-TFS inner octets received. This does
        not include padding or overhead."
    ::= { iptfsInnerStatsTableEntry 5 }

rxIncompleteInnerPkts OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Total number of IP-TFS inner packets that were
        incomplete. Usually, this is due to fragments not
        received. Also, this may be due to misordering or
        errors in received outer packets."
    ::= { iptfsInnerStatsTableEntry 6 }

iptfsOuterStatsTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IptfsOuterStatsSaEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The table containing information on IP-TFS."
    ::= { iptfsOuterStatsGroup 1 }

iptfsOuterStatsTableEntry OBJECT-TYPE
    SYNTAX IptfsOuterStatsSaEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "An entry containing the information on
        a particular IP-TFS SA."
    INDEX { iptfsOuterSaIndex }
    ::= { iptfsOuterStatsTable 1 }
IptfsOuterSaEntry ::= SEQUENCE { IptfsOuterStatsSaEntry ::= SEQUENCE {
iptfsSaIndex Integer32, iptfsOuterSaIndex Integer32,
-- iptfs packet statistics information -- iptfs packet statistics information
txExtraPadPkts Counter64, txExtraPadPkts Counter64,
txExtraPadOctets Counter64, txExtraPadOctets Counter64,
txAllPadPkts Counter64, txAllPadPkts Counter64,
txAllPadOctets Counter64, txAllPadOctets Counter64,
rxExtraPadPkts Counter64, rxExtraPadPkts Counter64,
rxExtraPadOctets Counter64, rxExtraPadOctets Counter64,
rxAllPadPkts Counter64, rxAllPadPkts Counter64,
rxAllPadOctets Counter64, rxAllPadOctets Counter64,
rxErroredPkts Counter64, rxErroredPkts Counter64,
rxMissedPkts Counter64 rxMissedPkts Counter64
} }
iptfsSaIndex OBJECT-TYPE iptfsOuterSaIndex OBJECT-TYPE
SYNTAX Integer32 (1..16777215) SYNTAX Integer32 (1..16777215)
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A unique value, greater than zero, for each SA. "A unique value, greater than zero, for each SA.
It is recommended that values are assigned contiguously It is recommended that values are assigned contiguously,
starting from 1. starting from 1.
The value for each entry must remain constant at least The value for each entry must remain constant at least
from one re-initialization of entity's network management from one re-initialization of an entity's network management
system to the next re-initialization." system to the next re-initialization."
::= { iptfsOuterStatsTableEntry 1 } ::= { iptfsOuterStatsTableEntry 1 }
txExtraPadPkts OBJECT-TYPE txExtraPadPkts OBJECT-TYPE
SYNTAX Counter64 SYNTAX Counter64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Total number of transmitted outer IP-TFS packets that "Total number of transmitted outer IP-TFS packets that
included some padding." included some padding."
skipping to change at line 762 skipping to change at line 766
"Total number of IP-TFS outer packets dropped due to "Total number of IP-TFS outer packets dropped due to
errors." errors."
::= { iptfsOuterStatsTableEntry 10 } ::= { iptfsOuterStatsTableEntry 10 }
rxMissedPkts OBJECT-TYPE rxMissedPkts OBJECT-TYPE
SYNTAX Counter64 SYNTAX Counter64
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Total number of IP-TFS outer packets missing indicated "Total number of IP-TFS outer packets missing indicated
by missing sequence number." by a missing sequence number."
::= { iptfsOuterStatsTableEntry 11 } ::= { iptfsOuterStatsTableEntry 11 }
-- --
-- Iptfs Module Compliance -- Iptfs Module Compliance
-- --
iptfsMIBConformances OBJECT IDENTIFIER iptfsMIBConformances OBJECT IDENTIFIER
::= { iptfsMIBConformance 1 } ::= { iptfsMIBConformance 1 }
iptfsMIBGroups OBJECT IDENTIFIER iptfsMIBGroups OBJECT IDENTIFIER
::= { iptfsMIBConformance 2 } ::= { iptfsMIBConformance 2 }
iptfsMIBCompliance MODULE-COMPLIANCE iptfsMIBCompliance MODULE-COMPLIANCE
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The compliance statement for entities which "The compliance statement for entities that
implement the IP-TFS MIB" implement the IP-TFS MIB."
MODULE -- this module MODULE -- this module
MANDATORY-GROUPS { MANDATORY-GROUPS {
iptfsMIBConfGroup, iptfsMIBConfGroup,
ipsecStatsConfGroup, ipsecStatsConfGroup,
iptfsInnerStatsConfGroup, iptfsInnerStatsConfGroup,
iptfsOuterStatsConfGroup iptfsOuterStatsConfGroup
} }
::= { iptfsMIBConformances 1 } ::= { iptfsMIBConformances 1 }
skipping to change at line 810 skipping to change at line 814
l3FixedRate , l3FixedRate ,
dontFragment, dontFragment,
maxAggregationTime, maxAggregationTime,
windowSize, windowSize,
sendImmediately, sendImmediately,
lostPacketTimerInterval lostPacketTimerInterval
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A collection of objects providing per SA IP-TFS "A collection of objects providing per SA IP-TFS
Configuration." configuration."
::= { iptfsMIBGroups 1 } ::= { iptfsMIBGroups 1 }
ipsecStatsConfGroup OBJECT-GROUP ipsecStatsConfGroup OBJECT-GROUP
OBJECTS { OBJECTS {
txPkts, txPkts,
txOctets, txOctets,
txDropPkts, txDropPkts,
rxPkts, rxPkts,
rxOctets, rxOctets,
rxDropPkts rxDropPkts
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A collection of objects providing per SA Basic "A collection of objects providing per SA basic
Stats." statistics."
::= { iptfsMIBGroups 2 } ::= { iptfsMIBGroups 2 }
iptfsInnerStatsConfGroup OBJECT-GROUP iptfsInnerStatsConfGroup OBJECT-GROUP
OBJECTS { OBJECTS {
txInnerPkts, txInnerPkts,
txInnerOctets, txInnerOctets,
rxInnerPkts, rxInnerPkts,
rxInnerOctets, rxInnerOctets,
rxIncompleteInnerPkts rxIncompleteInnerPkts
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A collection of objects providing per SA IP-TFS "A collection of objects providing per SA IP-TFS
Inner Packet Statistics." inner packet statistics."
::= { iptfsMIBGroups 3 } ::= { iptfsMIBGroups 3 }
iptfsOuterStatsConfGroup OBJECT-GROUP iptfsOuterStatsConfGroup OBJECT-GROUP
OBJECTS { OBJECTS {
txExtraPadPkts, txExtraPadPkts,
txExtraPadOctets, txExtraPadOctets,
txAllPadPkts, txAllPadPkts,
txAllPadOctets, txAllPadOctets,
rxExtraPadPkts, rxExtraPadPkts,
rxExtraPadOctets, rxExtraPadOctets,
rxAllPadPkts, rxAllPadPkts,
rxAllPadOctets, rxAllPadOctets,
rxErroredPkts, rxErroredPkts,
rxMissedPkts rxMissedPkts
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A collection of objects providing per SA IP-TFS "A collection of objects providing per SA IP-TFS
Outer Packet Statistics." outer packet statistics."
::= { iptfsMIBGroups 4 } ::= { iptfsMIBGroups 4 }
END END
]]></sourcecode> ]]></sourcecode>
</section> </section>
</section> </section>
<section numbered="true" toc="default">
<name>IANA Considerations</name>
<t>The MIB module in this document uses the following IANA-assigned
OBJECT IDENTIFIER value, recorded in the "SMI Network Management
MGMT Codes Internet-standard MIB" registry:
</t>
<table align="left">
<thead>
<tr>
<th>Decimal</th>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>246</td>
<td>iptfsMIB</td>
<td>IP-TRAFFIC-FLOW-SECURITY-MIB</td>
</tr>
</tbody>
</table>
</section>
<section numbered="true" toc="default">
<name>Security Considerations</name>
<t>The MIB module specified in this document provides read-only access to
the operational behavior of IP Traffic Flow Security. For the implications
regarding write configuration, consult <xref target="RFC9347" format="default"/>,
which defines the functionality.</t>
<!-- DNE starts -->
<t>
There are no management objects defined in this MIB module that have a
MAX-ACCESS clause of read-write and/or read-create. So, if this MIB module is
implemented correctly, then there is no risk that an intruder can alter or
create any management objects of this MIB module via direct SNMP SET
operations.
</t>
<t>
Some of the objects in this MIB module may be considered sensitive or
vulnerable in some network environments. This includes INDEX objects with a
MAX-ACCESS of not-accessible, and any indices from other modules exposed via
AUGMENTS. It is thus important to control even GET and/or NOTIFY access to
these objects and possibly to even encrypt the values of these objects when
sending them over the network via SNMP. These are the tables and objects and
their sensitivity/vulnerability:
</t>
<!-- DNE ends -->
<ul spacing="normal">
<li>
iptfsInnerStatsTable and iptfsOuterStatsTable: Access to the inner and outer
IP Traffic Flow Security statistics can provide information that IP
Traffic Flow Security obscures, such as the true activity of the
flows using IP Traffic Flow Security.
</li>
</ul>
<!-- DNE starts -->
<t>
SNMP versions prior to SNMPv3 did not include adequate security. Even if the
network itself is secure (for example, by using IPsec), there is no control as
to who on the secure network is allowed to access and GET
(read) the objects in this MIB module.
</t>
<t>
Implementations <bcp14>SHOULD</bcp14> provide the security features described
by the SNMPv3 framework (see <xref target="RFC3410" format="default"/>), and
implementations claiming compliance to the SNMPv3 standard <bcp14>MUST</bcp14>
include full support for authentication and privacy via the User-based
Security Model (USM) <xref target="RFC3414" format="default"/> with the AES
cipher algorithm <xref target="RFC3826" format="default"/>. Implementations
<bcp14>MAY</bcp14> also provide support for the Transport Security Model (TSM)
<xref target="RFC5591" format="default"/> in combination with a secure
transport such as SSH <xref target="RFC5592" format="default"/> or TLS/DTLS
<xref target="RFC6353" format="default"/>.
</t>
<t>
Further, deployment of SNMP versions prior to SNMPv3 is <bcp14>NOT RECOMMENDED</bcp14>.
Instead, it is <bcp14>RECOMMENDED</bcp14> to deploy SNMPv3 and to enable cryptographic
security. It is then a customer/operator responsibility to ensure that the
SNMP entity giving access to an instance of this MIB module is properly
configured to give access to the objects only to those principals (users) that
have legitimate rights to indeed GET or SET (change/create/delete) them.
</t>
<!-- DNE ends -->
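<t>As an added example, not part of this document or of any implementation it
describes, the following Net-SNMP snmpd.conf fragment contrasts the pre-SNMPv3
configuration the preceding paragraphs mark NOT RECOMMENDED with one that
follows them: an SNMPv3 USM principal with authentication and AES privacy whose
view is limited to the iptfsMIB subtree ({ mib-2 246 }, i.e. 1.3.6.1.2.1.246).
The user name, passphrases and view name are placeholders.</t>
<sourcecode type="conf"><![CDATA[
```conf
# --- NOT RECOMMENDED: SNMPv2c community string.
# A community string is sent in clear text and carries no per-user
# authentication, so anyone on the management network who learns it can
# GET every object the agent exposes, including the IP-TFS inner/outer
# statistics that reveal the flow activity IP-TFS is meant to obscure.
# Shown commented out; do not enable.
# rocommunity public

# --- RECOMMENDED: SNMPv3 USM with authentication and AES privacy.
# Placeholder user name and passphrases; replace before use.
createUser iptfsmon SHA "AUTH-PASSPHRASE-PLACEHOLDER" AES "PRIV-PASSPHRASE-PLACEHOLDER"

# A VACM view that contains only the IP-TFS MIB subtree, so this
# principal cannot read unrelated parts of the agent's MIB tree.
# iptfsMIB is { mib-2 246 } = 1.3.6.1.2.1.246 (from this document's
# IANA Considerations).
view iptfsView included .1.3.6.1.2.1.246

# Read-only access (this MIB defines no read-write objects), granted
# only at security level "priv" (authenticated and encrypted) and bound
# to the restricted view above.
rouser iptfsmon priv -V iptfsView
```
]]></sourcecode>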
</section>
</middle>
<back>
<references>
<name>References</name>
<references>
<name>Normative References</name>
<reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119">
  <front>
    <title>Key words for use in RFCs to Indicate Requirement Levels</title>
    <author fullname="S. Bradner" initials="S." surname="Bradner"/>
    <date month="March" year="1997"/>
  </front>
  <seriesInfo name="BCP" value="14"/>
  <seriesInfo name="RFC" value="2119"/>
  <seriesInfo name="DOI" value="10.17487/RFC2119"/>
</reference>
<reference anchor="RFC3414" target="https://www.rfc-editor.org/info/rfc3414">
  <front>
    <title>User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)</title>
    <author fullname="U. Blumenthal" initials="U." surname="Blumenthal"/>
    <author fullname="B. Wijnen" initials="B." surname="Wijnen"/>
    <date month="December" year="2002"/>
  </front>
  <seriesInfo name="STD" value="62"/>
  <seriesInfo name="RFC" value="3414"/>
  <seriesInfo name="DOI" value="10.17487/RFC3414"/>
</reference>
<reference anchor="RFC3826" target="https://www.rfc-editor.org/info/rfc3826">
  <front>
    <title>The Advanced Encryption Standard (AES) Cipher Algorithm in the SNMP User-based Security Model</title>
    <author fullname="U. Blumenthal" initials="U." surname="Blumenthal"/>
    <author fullname="F. Maino" initials="F." surname="Maino"/>
    <author fullname="K. McCloghrie" initials="K." surname="McCloghrie"/>
    <date month="June" year="2004"/>
  </front>
  <seriesInfo name="RFC" value="3826"/>
  <seriesInfo name="DOI" value="10.17487/RFC3826"/>
</reference>
<reference anchor="RFC5591" target="https://www.rfc-editor.org/info/rfc5591">
  <front>
    <title>Transport Security Model for the Simple Network Management Protocol (SNMP)</title>
    <author fullname="D. Harrington" initials="D." surname="Harrington"/>
    <author fullname="W. Hardaker" initials="W." surname="Hardaker"/>
    <date month="June" year="2009"/>
  </front>
  <seriesInfo name="STD" value="78"/>
  <seriesInfo name="RFC" value="5591"/>
  <seriesInfo name="DOI" value="10.17487/RFC5591"/>
</reference>
<reference anchor="RFC5592" target="https://www.rfc-editor.org/info/rfc5592">
  <front>
    <title>Secure Shell Transport Model for the Simple Network Management Protocol (SNMP)</title>
    <author fullname="D. Harrington" initials="D." surname="Harrington"/>
    <author fullname="J. Salowey" initials="J." surname="Salowey"/>
    <author fullname="W. Hardaker" initials="W." surname="Hardaker"/>
    <date month="June" year="2009"/>
  </front>
  <seriesInfo name="RFC" value="5592"/>
  <seriesInfo name="DOI" value="10.17487/RFC5592"/>
</reference>
<reference anchor="RFC6353" target="https://www.rfc-editor.org/info/rfc6353">
  <front>
    <title>Transport Layer Security (TLS) Transport Model for the Simple Network Management Protocol (SNMP)</title>
    <author fullname="W. Hardaker" initials="W." surname="Hardaker"/>
    <date month="July" year="2011"/>
  </front>
  <seriesInfo name="STD" value="78"/>
  <seriesInfo name="RFC" value="6353"/>
  <seriesInfo name="DOI" value="10.17487/RFC6353"/>
</reference>
<reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174">
  <front>
    <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
    <author fullname="B. Leiba" initials="B." surname="Leiba"/>
    <date month="May" year="2017"/>
  </front>
  <seriesInfo name="BCP" value="14"/>
  <seriesInfo name="RFC" value="8174"/>
  <seriesInfo name="DOI" value="10.17487/RFC8174"/>
</reference>
<reference anchor="RFC2578" target="https://www.rfc-editor.org/info/rfc2578">
  <front>
    <title>Structure of Management Information Version 2 (SMIv2)</title>
    <author fullname="K. McCloghrie" initials="K." role="editor" surname="McCloghrie"/>
    <author fullname="D. Perkins" initials="D." role="editor" surname="Perkins"/>
    <author fullname="J. Schoenwaelder" initials="J." role="editor" surname="Schoenwaelder"/>
    <date month="April" year="1999"/>
  </front>
  <seriesInfo name="STD" value="58"/>
  <seriesInfo name="RFC" value="2578"/>
  <seriesInfo name="DOI" value="10.17487/RFC2578"/>
</reference>
<reference anchor="RFC2579" target="https://www.rfc-editor.org/info/rfc2579">
  <front>
    <title>Textual Conventions for SMIv2</title>
    <author fullname="K. McCloghrie" initials="K." role="editor" surname="McCloghrie"/>
    <author fullname="D. Perkins" initials="D." role="editor" surname="Perkins"/>
    <author fullname="J. Schoenwaelder" initials="J." role="editor" surname="Schoenwaelder"/>
    <date month="April" year="1999"/>
  </front>
  <seriesInfo name="STD" value="58"/>
  <seriesInfo name="RFC" value="2579"/>
  <seriesInfo name="DOI" value="10.17487/RFC2579"/>
</reference>
<reference anchor="RFC2580" target="https://www.rfc-editor.org/info/rfc2580">
  <front>
    <title>Conformance Statements for SMIv2</title>
    <author fullname="K. McCloghrie" initials="K." role="editor" surname="McCloghrie"/>
    <author fullname="D. Perkins" initials="D." role="editor" surname="Perkins"/>
    <author fullname="J. Schoenwaelder" initials="J." role="editor" surname="Schoenwaelder"/>
    <date month="April" year="1999"/>
  </front>
  <seriesInfo name="STD" value="58"/>
  <seriesInfo name="RFC" value="2580"/>
  <seriesInfo name="DOI" value="10.17487/RFC2580"/>
</reference>
<!-- [I-D.ietf-ipsecme-iptfs]; companion document RFC 9347 -->
<reference anchor="RFC9347" target="https://www.rfc-editor.org/info/rfc9347">
  <front>
    <title>Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS)</title>
    <author initials="C." surname="Hopps" fullname="Christian Hopps"/>
    <date month="January" year="2023"/>
  </front>
  <seriesInfo name="RFC" value="9347"/>
  <seriesInfo name="DOI" value="10.17487/RFC9347"/>
</reference>
</references>
<references>
<name>Informative References</name>
<!-- [I-D.ietf-ipsecme-yang-iptfs]; companion document RFC 9348 -->
<reference anchor="RFC9348" target="https://www.rfc-editor.org/info/rfc9348">
  <front>
    <title>A YANG Data Model for IP Traffic Flow Security</title>
    <author initials="D." surname="Fedyk" fullname="Don Fedyk"/>
    <author initials="C." surname="Hopps" fullname="Christian Hopps"/>
    <date month="January" year="2023"/>
  </front>
  <seriesInfo name="RFC" value="9348"/>
  <seriesInfo name="DOI" value="10.17487/RFC9348"/>
</reference>
<reference anchor="RFC3410" target="https://www.rfc-editor.org/info/rfc3410">
  <front>
    <title>Introduction and Applicability Statements for Internet-Standard Management Framework</title>
    <author fullname="J. Case" initials="J." surname="Case"/>
    <author fullname="R. Mundy" initials="R." surname="Mundy"/>
    <author fullname="D. Partain" initials="D." surname="Partain"/>
    <author fullname="B. Stewart" initials="B." surname="Stewart"/>
    <date month="December" year="2002"/>
  </front>
  <seriesInfo name="RFC" value="3410"/>
  <seriesInfo name="DOI" value="10.17487/RFC3410"/>
</reference>
<reference anchor="RFC4301" target="https://www.rfc-editor.org/info/rfc4301">
  <front>
    <title>Security Architecture for the Internet Protocol</title>
    <author fullname="S. Kent" initials="S." surname="Kent"/>
    <author fullname="K. Seo" initials="K." surname="Seo"/>
    <date month="December" year="2005"/>
  </front>
  <seriesInfo name="RFC" value="4301"/>
  <seriesInfo name="DOI" value="10.17487/RFC4301"/>
</reference>
<reference anchor="RFC5348" target="https://www.rfc-editor.org/info/rfc5348">
  <front>
    <title>TCP Friendly Rate Control (TFRC): Protocol Specification</title>
    <author fullname="S. Floyd" initials="S." surname="Floyd"/>
    <author fullname="M. Handley" initials="M." surname="Handley"/>
    <author fullname="J. Padhye" initials="J." surname="Padhye"/>
    <author fullname="J. Widmer" initials="J." surname="Widmer"/>
    <date month="September" year="2008"/>
  </front>
  <seriesInfo name="RFC" value="5348"/>
  <seriesInfo name="DOI" value="10.17487/RFC5348"/>
</reference>
</references>
</references>
<section numbered="false" toc="default">
<name>Acknowledgements</name>
<t>The authors would like to thank <contact fullname="Chris Hopps"/>, <contact fullname="Lou Berger"/>, and <contact fullname="Tero Kivinen"/>
for their help and feedback on the MIB model.</t>
</section>
</back>
</rfc>