Internet Engineering Task Force (IETF)                             Y. Fu
Request for Comments: 7870                                         CNNIC
Category: Standards Track                                       S. Jiang
ISSN: 2070-1721                             Huawei Technologies Co., Ltd
                                                                 J. Dong
                                                                 Y. Chen
                                                     Tsinghua University
                                                               June 2016
        

Dual-Stack Lite (DS-Lite) Management Information Base (MIB) for Address Family Transition Routers (AFTRs)

Abstract

This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. In particular, it defines managed objects for Address Family Transition Routers (AFTRs) of Dual-Stack Lite (DS-Lite).

Status of This Memo

This is an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7870.

Copyright Notice

Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1. Introduction
   2. Requirements Language
   3. The Internet-Standard Management Framework
   4. Relationship to the IF-MIB
   5. Difference from the IP Tunnel MIB and NATV2-MIB
   6. Structure of the MIB Module
      6.1. The Object Group
           6.1.1. The dsliteTunnel Subtree
           6.1.2. The dsliteNAT Subtree
           6.1.3. The dsliteInfo Subtree
      6.2. The Notification Group
      6.3. The Conformance Group
   7. MIB Modules Required for IMPORTS
   8. Definitions
   9. Security Considerations
   10. IANA Considerations
   11. References
      11.1. Normative References
      11.2. Informative References
   Acknowledgements
   Authors' Addresses
        
1. Introduction

Dual-Stack Lite [RFC6333] is a solution that offers both IPv4 and IPv6 connectivity to customers crossing an IPv6-only infrastructure. One of its key components is an IPv4-over-IPv6 tunnel, which is used to provide IPv4 connectivity across a service provider's IPv6 network. Another key component is a carrier-grade IPv4-IPv4 Network Address Translation (NAT) to share service provider IPv4 addresses among customers.

This document defines a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. This MIB module may be used for configuration and monitoring of Address Family Transition Routers (AFTRs) in a Dual-Stack Lite scenario.

2. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14, RFC 2119 [RFC2119]. When these words are not in ALL CAPS (such as "should" or "Should"), they have their usual English meanings and are not to be interpreted as [RFC2119] key words.

3. The Internet-Standard Management Framework

For a detailed overview of the documents that describe the current Internet-Standard Management Framework, please refer to section 7 of [RFC3410].

Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. MIB objects are generally accessed through the Simple Network Management Protocol (SNMP). Objects in the MIB are defined using the mechanisms defined in the Structure of Management Information (SMI). This memo specifies a MIB module that is compliant to the SMIv2, which is described in STD 58, RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579], and STD 58, RFC 2580 [RFC2580].

4. Relationship to the IF-MIB

The Interfaces MIB [RFC2863] defines generic managed objects for managing interfaces. Each logical interface (physical or virtual) has an ifEntry. Tunnels are handled by creating a logical interface (ifEntry) for each tunnel. Each DS-Lite tunnel endpoint also acts as a virtual interface that has a corresponding entry in the IP Tunnel MIB and Interface MIB. Those corresponding entries are indexed by ifIndex.

The ifOperStatus in ifTable is used to represent whether the DS-Lite tunnel function has been triggered. The ifInUcastPkts defined in ifTable will represent the number of IPv4 packets that have been encapsulated into IPv6 packets sent to a Basic Bridging BroadBand (B4). The ifOutUcastPkts defined in ifTable contains the number of IPv6 packets that can be decapsulated to IPv4 in the virtual interface. Also, the IF-MIB defines ifMtu for the MTU of this tunnel interface, so the DS-Lite MIB does not need to define the MTU for the tunnel.

5. Difference from the IP Tunnel MIB and NATV2-MIB

The key technologies for DS-Lite are IP-in-IP (IPv4-in-IPv6) tunnels and NAT (IPv4-to-IPv4 translation).

Notes: According to Section 5.2 of [RFC6333], DS-Lite only defines IPv4 in IPv6 tunnels at this moment, but other types of encapsulation could be defined in the future. So, the DS-Lite MIB only supports IP-in-IP encapsulation. If another RFC defines other tunnel types in the future, the DS-Lite MIB will be updated then.

The NATV2-MIB [RFC7659] is designed to carry translation from any address family to any address family; therefore, it supports IPv4-to-IPv4 translation.

The IP Tunnel MIB [RFC4087] is designed to manage tunnels of any type over IPv4 and IPv6 networks; therefore, it already supports IP-in-IP tunnels. But in a DS-Lite scenario, the tunnel type is point-to-multipoint IP-in-IP tunnels. The direct(2) defined in the IP Tunnel MIB only supports point-to-point tunnels. So, it needs to define a new tunnel type for DS-Lite.

However, the NATV2-MIB and IP Tunnel MIB together are not sufficient to support DS-Lite. This document describes the specific features for the DS-Lite MIB, as below.

In the DS-Lite scenario, the Address Family Transition Router (AFTR) is not only the tunnel-end concentrator, but also an IPv4-to-IPv4 NAT. So, as defined in [RFC6333], when the IPv4 packets come back from the Internet to the AFTR, it knows how to reconstruct the IPv6 encapsulation by doing a reverse lookup in the extended IPv4 NAT binding table (Section 6.6 of [RFC6333]). The NAT binding table in the AFTR is extended to include the IPv6 address of the tunnel initiator. However, the NAT binding information defined in the NATV2-MIB as natv2PortMapTable is indexed by the NAT instance, protocol, and external realm and address. Because the tunnelIfTable defined in the TUNNEL-MIB [RFC4087] is indexed by the ifIndex, the DS-Lite MIB needs to define the tunnel objects to extend the NAT binding entry by interface. Therefore, a combined MIB is necessary.

An implementation of the IP Tunnel MIB is required for DS-Lite. As the tunnel is not point-to-point in DS-Lite, it needs to define a new tunnel type for DS-Lite. The tunnelIfEncapsMethod in the tunnelIfEntry should be set to dsLite(17), and a corresponding entry in the DS-Lite module will exist for every tunnelIfEntry with this tunnelIfEncapsMethod. The tunnelIfRemoteInetAddress must be set to "::".

6. Structure of the MIB Module

The DS-Lite MIB provides a way to monitor and manage the devices (AFTRs) in a DS-Lite scenario through SNMP.

The DS-Lite MIB is configurable on a per-interface basis. It depends on several parts of the IF-MIB [RFC2863], IP Tunnel MIB [RFC4087], and NATV2-MIB [RFC7659].

6.1. The Object Group

This group defines objects that are needed for the DS-Lite MIB.

6.1.1. The dsliteTunnel Subtree

The dsliteTunnel subtree describes managed objects used for managing tunnels in the DS-Lite scenario. Because the tunnelInetConfigLocalAddress and the tunnelInetConfigRemoteAddress defined in the IP Tunnel MIB are not readable, a few new objects are defined in the DS-Lite MIB.

6.1.2. The dsliteNAT Subtree

The dsliteNAT subtree describes managed objects used for configuration and monitoring of an AFTR that is capable of a NAT function. Because the NATV2-MIB supports the NAT management function in DS-Lite, we may reuse it in the DS-Lite MIB. The dsliteNAT subtree also provides the mapping information between the tunnel entry (dsliteTunnelEntry) and the NAT entry (dsliteNATBindEntry) by adding the IPv6 address of the B4 to the natv2PortMapEntry in the NATV2-MIB. The mapping behavior, filtering behavior, and pooling behavior described in this subtree are all defined in [RFC4787].
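
The tunnel-to-NAT mapping described here, and the reverse lookup of Section 5, can be read directly from a row's instance identifier, because every key is a component of the dsliteNATBindEntry INDEX defined in Section 8. The Python below is an added example, not part of RFC 7870: it decodes such an instance OID with the SMIv2 index encoding (RFC 2578, Section 7.7) and finds the B4 behind an external IPv4 address and port. The sample OIDs, the column sub-identifier 7, and the function names are constructed for illustration.

```python
import ipaddress

# dsliteNATBindEntry, from the module's OID assignments:
# mib-2 (1.3.6.1.2.1) . dsliteMIB 240 . dsliteMIBObjects 1 . dsliteNAT 2
# . dsliteNATBindTable 1 . dsliteNATBindEntry 1
NAT_BIND_ENTRY = (1, 3, 6, 1, 2, 1, 240, 1, 2, 1, 1)

# Constructed sample instance OIDs (documentation addresses; the column
# sub-identifier 7 is an assumed value, not one taken from the page).
SAMPLE_WALK = [
    # instance 1, TCP(6), realm "ext", ipv4(1) 192.0.2.10, port 40001,
    # ifIndex 12, B4 2001:db8::b4
    "1.3.6.1.2.1.240.1.2.1.1.7.1.6.3.101.120.116.1.4.192.0.2.10.40001.12"
    ".16.32.1.13.184.0.0.0.0.0.0.0.0.0.0.0.180",
    # same external address, port 40002, B4 2001:db8::c5
    "1.3.6.1.2.1.240.1.2.1.1.7.1.6.3.101.120.116.1.4.192.0.2.10.40002.12"
    ".16.32.1.13.184.0.0.0.0.0.0.0.0.0.0.0.197",
    # malformed: external address type ipv6(2), which the MIB does not allow
    "1.3.6.1.2.1.240.1.2.1.1.7.1.6.0.2.4.192.0.2.10.40003.12"
    ".16.32.1.13.184.0.0.0.0.0.0.0.0.0.0.0.1",
]


def _int(subids, pos, lo, hi, name):
    """Integer-valued index component: exactly one sub-identifier."""
    if pos >= len(subids) or not lo <= subids[pos] <= hi:
        raise ValueError(f"bad or missing {name}")
    return subids[pos], pos + 1


def _octets(subids, pos, max_len, name):
    """Variable-length string component: a length sub-identifier followed
    by one sub-identifier per octet."""
    length, pos = _int(subids, pos, 0, max_len, name + " length")
    chunk = subids[pos:pos + length]
    if len(chunk) != length or any(o > 255 for o in chunk):
        raise ValueError(f"bad or truncated {name}")
    return bytes(chunk), pos + length


def decode_nat_bind_instance(oid):
    """Split a dsliteNATBindEntry instance OID into its INDEX components,
    in the order given by the INDEX clause."""
    subids = tuple(int(s) for s in oid.strip(".").split("."))
    n = len(NAT_BIND_ENTRY)
    if subids[:n] != NAT_BIND_ENTRY or len(subids) <= n:
        raise ValueError("not a dsliteNATBindEntry instance")
    column, pos = subids[n], n + 1
    instance, pos = _int(subids, pos, 0, 0xFFFFFFFF, "instance index")
    proto, pos = _int(subids, pos, 0, 255, "protocol number")
    realm, pos = _octets(subids, pos, 32, "external realm")
    ext_type, pos = _int(subids, pos, 0, 16, "external address type")
    if ext_type != 1:
        raise ValueError("external address type MUST be ipv4(1)")
    ext_addr, pos = _octets(subids, pos, 4, "external address")
    ext_port, pos = _int(subids, pos, 0, 65535, "external port")
    if_index, pos = _int(subids, pos, 1, 2**31 - 1, "ifIndex")
    b4, pos = _octets(subids, pos, 16, "tunnel start address")
    if pos != len(subids) or len(ext_addr) != 4 or len(b4) != 16:
        raise ValueError("index has the wrong length")
    return {
        "column": column, "instance": instance, "protocol": proto,
        "ext_realm": realm.decode("utf-8"),
        "ext_address": str(ipaddress.IPv4Address(ext_addr)),
        "ext_port": ext_port, "if_index": if_index,
        "b4_address": str(ipaddress.IPv6Address(b4)),
    }


def find_b4(walk, ext_address, ext_port, protocol):
    """Reverse lookup: external IPv4 address, port and protocol to the
    (B4 IPv6 address, ifIndex) pairs bound to them. Rows that fail
    validation are counted and skipped rather than trusted."""
    matches, rejected = set(), 0
    for oid in walk:
        try:
            row = decode_nat_bind_instance(oid)
        except ValueError:
            rejected += 1
            continue
        if (row["ext_address"], row["ext_port"], row["protocol"]) == (
                ext_address, ext_port, protocol):
            matches.add((row["b4_address"], row["if_index"]))
    return sorted(matches), rejected


if __name__ == "__main__":
    print(find_b4(SAMPLE_WALK, "192.0.2.10", 40001, 6))
```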

6.1.3. The dsliteInfo Subtree

The dsliteInfo subtree provides statistical information for DS-Lite.

6.2. The Notification Group

This group defines some notification objects for a DS-Lite scenario.

6.3. The Conformance Group

The dsliteConformance subtree provides conformance information of MIB objects.

7. MIB Modules Required for IMPORTS

This MIB module IMPORTs objects from [RFC2578], [RFC2580], [RFC2863], [RFC3411], [RFC4001], and [RFC7659].

8. Definitions

 DSLite-MIB DEFINITIONS  ::=  BEGIN

 IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, mib-2,
    NOTIFICATION-TYPE, Integer32,
    Counter64, Unsigned32
       FROM SNMPv2-SMI

    OBJECT-GROUP, MODULE-COMPLIANCE,
    NOTIFICATION-GROUP
       FROM SNMPv2-CONF

    SnmpAdminString
       FROM SNMP-FRAMEWORK-MIB

    ifIndex
       FROM IF-MIB

    InetAddress, InetAddressType, InetAddressPrefixLength,
    InetPortNumber
       FROM INET-ADDRESS-MIB

    ProtocolNumber, Natv2InstanceIndex, Natv2SubscriberIndex
       FROM NATV2-MIB;

   dsliteMIB MODULE-IDENTITY
      LAST-UPDATED "201605110000Z"     -- May 11, 2016
      ORGANIZATION "IETF Softwire Working Group"
      CONTACT-INFO
         "Yu Fu
          CNNIC
          No.4 South 4th Street, Zhongguancun
          Hai-Dian District, Beijing 100090
          China
          Email: fuyu@cnnic.cn

          Sheng Jiang
          Huawei Technologies Co., Ltd
          Huawei Building, 156 Beiqing Rd.
          Hai-Dian District, Beijing 100095
          China
          Email: jiangsheng@huawei.com

          Jiang Dong
          Tsinghua University
          Department of Computer Science, Tsinghua University
          Beijing 100084
          China
          Email: knight.dongjiang@gmail.com

          Yuchi Chen
          Tsinghua University
          Department of Computer Science, Tsinghua University
          Beijing 100084
          China
          Email: flashfoxmx@gmail.com"

      DESCRIPTION
       "The MIB module is defined for management of objects in the
        DS-Lite scenario.

        Copyright (c) 2016 IETF Trust and the persons identified
        as authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info)."
      REVISION    "201605110000Z"
      DESCRIPTION
         "Initial version.  Published as RFC 7870."
         ::=  {  mib-2 240  }
        

--Top-level components of this MIB module

      dsliteMIBObjects OBJECT IDENTIFIER
         ::=  { dsliteMIB 1 }
      dsliteTunnel   OBJECT IDENTIFIER
         ::=  { dsliteMIBObjects 1 }
        
      dsliteNAT   OBJECT IDENTIFIER
         ::=  { dsliteMIBObjects 2 }
        
      dsliteInfo   OBJECT IDENTIFIER
         ::=  { dsliteMIBObjects 3 }
        

--Notifications section

      dsliteNotifications  OBJECT IDENTIFIER
         ::=  { dsliteMIB 0 }
        

--dsliteTunnel

--dsliteTunnelTable

      dsliteTunnelTable OBJECT-TYPE
         SYNTAX     SEQUENCE OF DsliteTunnelEntry
         MAX-ACCESS  not-accessible
         STATUS     current
         DESCRIPTION
            "The (conceptual) table containing information on
             configured tunnels.  This table can be used to map
             a B4 address to the associated AFTR address.  It can
             also be used for row creation."
         REFERENCE
            "B4, AFTR: RFC 6333."
         ::=  { dsliteTunnel 1 }
        
      dsliteTunnelEntry OBJECT-TYPE
         SYNTAX     DsliteTunnelEntry
         MAX-ACCESS  not-accessible
         STATUS     current
         DESCRIPTION
            "Each entry in this table contains the information on a
             particular configured tunnel."
             INDEX   { dsliteTunnelAddressType,
                       dsliteTunnelStartAddress,
                       dsliteTunnelEndAddress,
                       ifIndex }
         ::=  { dsliteTunnelTable 1 }
        
      DsliteTunnelEntry  ::=
         SEQUENCE {
          dsliteTunnelAddressType         InetAddressType,
          dsliteTunnelStartAddress        InetAddress,
          dsliteTunnelEndAddress          InetAddress,
          dsliteTunnelStartAddPreLen      InetAddressPrefixLength
      }
        

      dsliteTunnelAddressType OBJECT-TYPE
          SYNTAX     InetAddressType
          MAX-ACCESS not-accessible
          STATUS     current
          DESCRIPTION
             "This object MUST be set to the value of ipv6(2).
              It describes the address type of the IPv4-in-IPv6
              tunnel initiator and endpoint."
          REFERENCE
            "ipv6(2): RFC 4001."
          ::= { dsliteTunnelEntry 1 }
        
      dsliteTunnelStartAddress OBJECT-TYPE
          SYNTAX     InetAddress (SIZE (0..16))
          MAX-ACCESS not-accessible
          STATUS     current
          DESCRIPTION
             "The IPv6 address of the initiator of the tunnel.
              The address type is given by dsliteTunnelAddressType."
          ::= { dsliteTunnelEntry 2 }
        
      dsliteTunnelEndAddress OBJECT-TYPE
          SYNTAX     InetAddress (SIZE (0..16))
          MAX-ACCESS not-accessible
          STATUS     current
          DESCRIPTION
             "The IPv6 address of the endpoint of the tunnel.
              The address type is given by dsliteTunnelAddressType."
          ::= { dsliteTunnelEntry 3 }
        
      dsliteTunnelStartAddPreLen OBJECT-TYPE
          SYNTAX InetAddressPrefixLength
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
             "The IPv6 prefix length of the IP address for the
              initiator of the tunnel(dsliteTunnelStartAddress)."
          ::= { dsliteTunnelEntry 4 }
        

--dsliteNATBindTable(according to the NAPT scheme)

       dsliteNATBindTable OBJECT-TYPE
         SYNTAX     SEQUENCE OF DsliteNATBindEntry
         MAX-ACCESS not-accessible
         STATUS     current
         DESCRIPTION
            "This table contains information about currently
             active NAT binds in the NAT of the AFTR.  This table
             adds the IPv6 address of a B4 to the natv2PortMapTable
             defined in NATV2-MIB (RFC 7659)."
         REFERENCE
              "NATV2-MIB: Section 4 of RFC 7659."
         ::=  { dsliteNAT 1 }
        
      dsliteNATBindEntry OBJECT-TYPE
         SYNTAX     DsliteNATBindEntry
         MAX-ACCESS not-accessible
         STATUS     current
         DESCRIPTION
            "The entry in this table holds the mapping relationship
             between tunnel information and NAT bind information.
             Each entry in this table not only needs to match a
             corresponding entry in the natv2PortMapTable, but
             also a corresponding entry in the dsliteTunnelTable.
             So, the INDEX of the entry needs to match a corresponding
             value in the natv2PortMapTable INDEX and a corresponding
             value in the dsliteTunnelTable INDEX.  These entries are
             lost upon agent restart."
         REFERENCE
              "natv2PortMapTable: Section 4 of RFC 7659."
         INDEX   { dsliteNATBindMappingInstanceIndex,
                   dsliteNATBindMappingProto,
                   dsliteNATBindMappingExtRealm,
                   dsliteNATBindMappingExtAddressType,
                   dsliteNATBindMappingExtAddress,
                   dsliteNATBindMappingExtPort,
                   ifIndex,
                   dsliteTunnelStartAddress }
         ::=  {  dsliteNATBindTable 1   }
        
     DsliteNATBindEntry  ::=
         SEQUENCE {
         dsliteNATBindMappingInstanceIndex  Natv2InstanceIndex,
         dsliteNATBindMappingProto          ProtocolNumber,
         dsliteNATBindMappingExtRealm       SnmpAdminString,
         dsliteNATBindMappingExtAddressType InetAddressType,
         dsliteNATBindMappingExtAddress     InetAddress,
         dsliteNATBindMappingExtPort        InetPortNumber,
         dsliteNATBindMappingIntRealm       SnmpAdminString,
         dsliteNATBindMappingIntAddressType InetAddressType,
         dsliteNATBindMappingIntAddress     InetAddress,
         dsliteNATBindMappingIntPort        InetPortNumber,
         dsliteNATBindMappingPool           Unsigned32,
         dsliteNATBindMappingMapBehavior    INTEGER,
         dsliteNATBindMappingFilterBehavior INTEGER,
         dsliteNATBindMappingAddressPooling INTEGER
         }
        

      dsliteNATBindMappingInstanceIndex OBJECT-TYPE
          SYNTAX     Natv2InstanceIndex
          MAX-ACCESS not-accessible
          STATUS     current
          DESCRIPTION
             "Index of the NAT instance that created this port
              map entry."
       ::= { dsliteNATBindEntry 1 }
        
      dsliteNATBindMappingProto OBJECT-TYPE
          SYNTAX      ProtocolNumber
          MAX-ACCESS  not-accessible
          STATUS      current
          DESCRIPTION
             "This object specifies the mapping's transport protocol
              number."
          ::= { dsliteNATBindEntry 2 }
        
     dsliteNATBindMappingExtRealm OBJECT-TYPE
          SYNTAX     SnmpAdminString (SIZE(0..32))
          MAX-ACCESS not-accessible
          STATUS     current
          DESCRIPTION
             "The realm to which dsliteNATBindMappingExtAddress
             belongs."
          ::= { dsliteNATBindEntry 3 }
        
      dsliteNATBindMappingExtAddressType OBJECT-TYPE
          SYNTAX InetAddressType
          MAX-ACCESS not-accessible
          STATUS current
          DESCRIPTION
            "Address type for the mapping's external address.
             This object MUST be set to the value of iPv4(1).
             The values of ipv6(2), ipv4z(3), and ipv6z(4) are
             not allowed."
          REFERENCE
            "ipv4(1), ipv6(2), iPv4z(3), and ipv6z(4): RFC 4001."
          ::= { dsliteNATBindEntry 4 }
        
     dsliteNATBindMappingExtAddress OBJECT-TYPE
          SYNTAX InetAddress (SIZE (0..4))
          MAX-ACCESS not-accessible
          STATUS current
          DESCRIPTION
            "The mapping's external address.  This is the source
             address for translated outgoing packets.  The address
             type is given by dsliteNATBindMappingExtAddressType."
          ::= { dsliteNATBindEntry 5 }
        
     dsliteNATBindMappingExtPort OBJECT-TYPE
          SYNTAX InetPortNumber
          MAX-ACCESS not-accessible
          STATUS current
          DESCRIPTION
            "The mapping's assigned external port number.
             This is the source port for translated outgoing
             packets.  This MUST be a non-zero value."
          ::= { dsliteNATBindEntry 6 }
        
       dsliteNATBindMappingIntRealm OBJECT-TYPE
          SYNTAX SnmpAdminString (SIZE(0..32))
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
            "The realm to which natMappingIntAddress belongs.  This
             realm defines the IPv6 address space from which the
             tunnel source address is taken.  The realm of the
             encapsulated IPv4 address is restricted in scope to
             the tunnel, so there is no point in identifying it
             separately."
          ::= { dsliteNATBindEntry 7 }
        
    dsliteNATBindMappingIntAddressType OBJECT-TYPE
          SYNTAX InetAddressType
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
             "Address type of the mapping's internal address.
             This object MUST be set to the value of iPv4z(3).
             The values of ipv4(1), ipv6(2), and ipv6z(4) are
             not allowed."
          REFERENCE
            "ipv4(1), ipv6(2), iPv4z(3), and ipv6z(4): RFC 4001."
          ::= { dsliteNATBindEntry 8 }
        
      dsliteNATBindMappingIntAddress OBJECT-TYPE
          SYNTAX InetAddress
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
            "The mapping's internal address.  It is the IPv6 tunnel
             source address.  The address type is given by
             dsliteNATBindMappingIntAddressType."
          ::= { dsliteNATBindEntry 9 }
        
      dsliteNATBindMappingIntPort OBJECT-TYPE
          SYNTAX InetPortNumber
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
           "The mapping's internal port number.  This MUST be a
            non-zero value."
           ::= { dsliteNATBindEntry 10 }
        
      dsliteNATBindMappingPool OBJECT-TYPE
          SYNTAX Unsigned32 (0|1..4294967295)
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
            "Index of the pool that contains this mapping's external
             address and port.  If zero, no pool is associated with
             this mapping."
          ::= { dsliteNATBindEntry 11 }
        
      dsliteNATBindMappingMapBehavior OBJECT-TYPE
          SYNTAX INTEGER{
          endpointIndependent (0),
          addressDependent(1),
          addressAndPortDependent (2)
          }
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
            "Mapping behavior as described in Section 4.1 of RFC 4787.
        
             endpointIndependent(0), the behavior REQUIRED by RFC 4787,
             REQ-1 maps the source address and port to the same
             external address and port for all destination address and
             port combinations reached through the same external realm
             and using the given protocol.

             addressDependent(1) maps to the same external address and
             port for all destination ports at the same destination
             address reached through the same external realm and using
             the given protocol.

             addressAndPortDependent(2) maps to a separate external
             address and port combination for each different
             destination address and port combination reached through
             the same external realm.

             For the DS-Lite scenario, it must be
             addressAndPortDependent(2)."
          REFERENCE
            "Mapping behavior: Section 4.1 of RFC 4787.
             DS-Lite: RFC 6333."
          ::= { dsliteNATBindEntry 12 }
        
      dsliteNATBindMappingFilterBehavior OBJECT-TYPE
          SYNTAX INTEGER{
          endpointIndependent (0),
          addressDependent(1),
          addressAndPortDependent (2)
          }
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
            "Filtering behavior as described in Section 5 of RFC 4787.
        
             endpointIndependent(0) accepts for translation packets
             from all combinations of remote address and port destined
             to the mapped external address and port via the given
             external realm and using the given protocol.

             addressDependent(1) accepts for translation packets from
             all remote ports from the same remote source address
             destined to the mapped external address and port via the
             given external realm and using the given protocol.

             addressAndPortDependent(2) accepts for translation only
             those packets with the same remote source address, port,
             and protocol incoming from the same external realm as
             identified when the applicable port map entry was created.

             RFC 4787, REQ-8 recommends either endpointIndependent(0)
             or addressDependent(1) filtering behavior, depending on
             whether application friendliness or security takes
             priority.

             For the DS-Lite scenario, it must be
             addressAndPortDependent(2)."
          REFERENCE
            "Filtering behavior: Section 5 of RFC 4787.
             DS-Lite: RFC 6333."
          ::= { dsliteNATBindEntry 13 }
        
      dsliteNATBindMappingAddressPooling OBJECT-TYPE
          SYNTAX INTEGER{
          arbitrary (0),
          paired (1)
          }
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
            "Type of address pooling behavior that was used to create
             this mapping.

             arbitrary(0) pooling behavior means that the NAT instance
             may create the new port mapping using any address in the
             pool that has a free port for the protocol concerned.

             paired(1) pooling behavior, the behavior RECOMMENDED by RFC
             4787, REQ-2 means that once a given internal address has
             been mapped to a particular address in a particular pool,
             further mappings of the same internal address to that pool
             will reuse the previously assigned pool member address."
          REFERENCE
            "Pooling behavior: Section 4.1 of RFC 4787."
          ::= { dsliteNATBindEntry 14 }
        
--dsliteInfo

      dsliteAFTRAlarmScalar OBJECT IDENTIFIER ::= { dsliteInfo 1 }
        
      dsliteAFTRAlarmB4AddrType OBJECT-TYPE
         SYNTAX  InetAddressType
         MAX-ACCESS accessible-for-notify
         STATUS current
         DESCRIPTION
            "This object indicates the address type of
             the B4, which will send an alarm."
         ::= { dsliteAFTRAlarmScalar 1 }
        
      dsliteAFTRAlarmB4Addr OBJECT-TYPE
         SYNTAX  InetAddress
         MAX-ACCESS accessible-for-notify
         STATUS current
         DESCRIPTION
            "This object indicates the IP address of
             B4, which will send an alarm.  The address type is
             given by dsliteAFTRAlarmB4AddrType."
         ::= { dsliteAFTRAlarmScalar 2 }
        
      dsliteAFTRAlarmProtocolType OBJECT-TYPE
         SYNTAX INTEGER{
         tcp (0),
         udp (1),
         icmp (2),
         total (3)
         }
         MAX-ACCESS accessible-for-notify
         STATUS current
         DESCRIPTION
            "This object indicates the transport protocol type of
             alarm.

             tcp (0) means that the transport protocol type of
             alarm is tcp.

             udp (1) means that the transport protocol type of
             alarm is udp.

             icmp (2) means that the transport protocol type of
             alarm is icmp.

             total (3) means that the transport protocol type of
             alarm is total."
         ::= { dsliteAFTRAlarmScalar 3 }
        
    dsliteAFTRAlarmSpecificIPAddrType OBJECT-TYPE
         SYNTAX InetAddressType
         MAX-ACCESS accessible-for-notify
         STATUS current
         DESCRIPTION
            "This object indicates the address type of the IP address
             whose port usage has reached the threshold."
         ::= { dsliteAFTRAlarmScalar 4 }
        
     dsliteAFTRAlarmSpecificIP OBJECT-TYPE
         SYNTAX InetAddress
         MAX-ACCESS accessible-for-notify
         STATUS current
         DESCRIPTION
            "This object indicates the IP address whose port usage
             has reached the threshold.  The address type is given by
             dsliteAFTRAlarmSpecificIPAddrType."
         ::= { dsliteAFTRAlarmScalar 5 }
        
      dsliteAFTRAlarmConnectNumber OBJECT-TYPE
         SYNTAX Integer32 (60..90)
         MAX-ACCESS read-write
         STATUS current
         DESCRIPTION
            "This object indicates the notification threshold of
             the DS-Lite tunnels that is active in the AFTR device."
         REFERENCE
            "AFTR: Section 6 of RFC 6333."
         DEFVAL
             { 60 }
         ::= { dsliteAFTRAlarmScalar 6 }
        
      dsliteAFTRAlarmSessionNumber OBJECT-TYPE
         SYNTAX Integer32
         MAX-ACCESS read-write
         STATUS current
         DESCRIPTION
            "This object indicates the notification threshold of
             the IPv4 session for the user."
          REFERENCE
            "AFTR: Section 6 of RFC 6333
             B4: Section 5 of RFC 6333."
         DEFVAL
             { -1 }
         ::= { dsliteAFTRAlarmScalar 7 }
        
     dsliteAFTRAlarmPortNumber OBJECT-TYPE
         SYNTAX Integer32
         MAX-ACCESS read-write
         STATUS current
         DESCRIPTION
            "This object indicates the notification threshold of the NAT
             ports that have been used by the user."
         DEFVAL
             { -1 }
         ::= { dsliteAFTRAlarmScalar 8 }
        
      dsliteStatisticsTable OBJECT-TYPE
         SYNTAX SEQUENCE OF DsliteStatisticsEntry
         MAX-ACCESS not-accessible
         STATUS current
         DESCRIPTION
            "This table provides statistical information
             about DS-Lite."
         ::= { dsliteInfo 2 }
        
      dsliteStatisticsEntry OBJECT-TYPE
         SYNTAX DsliteStatisticsEntry
         MAX-ACCESS not-accessible
         STATUS current
         DESCRIPTION
            "Each entry in this table provides statistical information
             about DS-Lite."
         INDEX { dsliteStatisticsSubscriberIndex }
         ::= { dsliteStatisticsTable 1 }
        
      DsliteStatisticsEntry ::=
         SEQUENCE {
       dsliteStatisticsSubscriberIndex        Natv2SubscriberIndex,
       dsliteStatisticsDiscards               Counter64,
       dsliteStatisticsSends                  Counter64,
       dsliteStatisticsReceives               Counter64,
       dsliteStatisticsIpv4Session            Counter64,
       dsliteStatisticsIpv6Session            Counter64
      }
        
     dsliteStatisticsSubscriberIndex OBJECT-TYPE
        SYNTAX Natv2SubscriberIndex
        MAX-ACCESS not-accessible
        STATUS current
        DESCRIPTION
           "Index of the subscriber or host.  A unique value,
            greater than zero, for each subscriber in the
            managed system."
         ::= { dsliteStatisticsEntry 1 }
        
      dsliteStatisticsDiscards OBJECT-TYPE
         SYNTAX Counter64
         MAX-ACCESS read-only
         STATUS current
         DESCRIPTION
            "This object indicates the number of packets
             discarded from this subscriber."
        ::= { dsliteStatisticsEntry 2 }
        
       dsliteStatisticsSends  OBJECT-TYPE
         SYNTAX Counter64
         MAX-ACCESS read-only
         STATUS current
         DESCRIPTION
            "This object indicates the number of packets that is
              sent to this subscriber."
         ::= { dsliteStatisticsEntry 3 }
        
       dsliteStatisticsReceives  OBJECT-TYPE
         SYNTAX Counter64
         MAX-ACCESS read-only
         STATUS current
         DESCRIPTION
            "This object indicates the number of packets that is
              received from this subscriber."
         ::= { dsliteStatisticsEntry 4 }
        
      dsliteStatisticsIpv4Session OBJECT-TYPE
         SYNTAX Counter64
         MAX-ACCESS read-only
         STATUS current
         DESCRIPTION
            "This object indicates the number of the
             current IPv4 Sessions."
         REFERENCE
             "Session: Paragraph 2 in Section 11 of RFC 6333.
             (The AFTR should have the capability to log the
              tunnel-id, protocol, ports/IP addresses, and
              the creation time of the NAT binding to uniquely
              identify the user sessions)."
         ::= { dsliteStatisticsEntry 5 }
        
      dsliteStatisticsIpv6Session OBJECT-TYPE
         SYNTAX Counter64
         MAX-ACCESS read-only
         STATUS current
         DESCRIPTION
            "This object indicates the number of the
             current IPv6 session.  Because the AFTR is
             also a dual-stack device, it will also
             forward normal IPv6 packets for the
             inbound and outbound direction."
         REFERENCE
             "Session: Paragraph 2 in Section 11 of RFC 6333.
             (The AFTR should have the capability to log the
              tunnel-id, protocol, ports/IP addresses, and
              the creation time of the NAT binding to uniquely
              identify the user sessions)."
        ::= { dsliteStatisticsEntry 6 }
        
   ---dslite Notifications
        
      dsliteTunnelNumAlarm NOTIFICATION-TYPE
         OBJECTS { dsliteAFTRAlarmProtocolType,
                   dsliteAFTRAlarmB4AddrType,
                   dsliteAFTRAlarmB4Addr }
         STATUS current
         DESCRIPTION
            "This trap is triggered when the number of
             current DS-Lite tunnels exceeds the value of
             the dsliteAFTRAlarmConnectNumber."
         ::= { dsliteNotifications 1 }
        
      dsliteAFTRUserSessionNumAlarm NOTIFICATION-TYPE
         OBJECTS { dsliteAFTRAlarmProtocolType,
                dsliteAFTRAlarmB4AddrType,
                dsliteAFTRAlarmB4Addr }
         STATUS current
         DESCRIPTION
            "This trap is triggered when user sessions
             reach the threshold.  The threshold
             is specified by the dsliteAFTRAlarmSessionNumber."
         REFERENCE
             "Session: Paragraph 2 in Section 11 of RFC 6333.
             (The AFTR should have the capability to log the
              tunnel-id, protocol, ports/IP addresses, and
              the creation time of the NAT binding to uniquely
              identify the user sessions)."
         ::= { dsliteNotifications 2 }
        
        dsliteAFTRPortUsageOfSpecificIpAlarm NOTIFICATION-TYPE
         OBJECTS { dsliteAFTRAlarmSpecificIPAddrType,
                    dsliteAFTRAlarmSpecificIP }
         STATUS current
         DESCRIPTION
            "This trap is triggered when the used NAT
             ports of map address reach the threshold.
             The threshold is specified by the
             dsliteAFTRAlarmPortNumber."
         ::= { dsliteNotifications 3 }
        
--Module Conformance statement

      dsliteConformance   OBJECT IDENTIFIER
         ::=  { dsliteMIB 2 }
        
      dsliteCompliances OBJECT IDENTIFIER ::= { dsliteConformance 1 }
        
      dsliteGroups OBJECT IDENTIFIER ::= { dsliteConformance 2 }
        
-- compliance statements

      dsliteCompliance MODULE-COMPLIANCE
         STATUS current
         DESCRIPTION
            "Describes the minimal requirements for conformance
             to the DS-Lite MIB."
         MODULE -- this module
         MANDATORY-GROUPS { dsliteNATBindGroup,
                  dsliteTunnelGroup,
                  dsliteStatisticsGroup,
                  dsliteNotificationsGroup,
                  dsliteAFTRAlarmScalarGroup }
          ::= { dsliteCompliances 1 }
        
      dsliteNATBindGroup OBJECT-GROUP
         OBJECTS {
                  dsliteNATBindMappingIntRealm,
                  dsliteNATBindMappingIntAddressType,
                  dsliteNATBindMappingIntAddress,
                  dsliteNATBindMappingIntPort,
                  dsliteNATBindMappingPool,
                  dsliteNATBindMappingMapBehavior,
                  dsliteNATBindMappingFilterBehavior,
                  dsliteNATBindMappingAddressPooling }
         STATUS current
         DESCRIPTION
             "A collection of objects to support basic
              management of NAT binds in the NAT of the AFTR."
          ::= { dsliteGroups 1 }
        
      dsliteTunnelGroup OBJECT-GROUP
         OBJECTS { dsliteTunnelStartAddPreLen }
         STATUS current
         DESCRIPTION
             "A collection of objects to support management
              of DS-Lite tunnels."
         ::= { dsliteGroups 2 }
        
      dsliteStatisticsGroup OBJECT-GROUP
         OBJECTS { dsliteStatisticsDiscards,
                   dsliteStatisticsSends,
                   dsliteStatisticsReceives,
                   dsliteStatisticsIpv4Session,
                   dsliteStatisticsIpv6Session }
        STATUS current
        DESCRIPTION
           " A collection of objects to support management
             of statistical information for AFTR devices."
          ::= { dsliteGroups 3 }
        

      dsliteNotificationsGroup NOTIFICATION-GROUP
         NOTIFICATIONS { dsliteTunnelNumAlarm,
                         dsliteAFTRUserSessionNumAlarm,
                         dsliteAFTRPortUsageOfSpecificIpAlarm }
         STATUS current
         DESCRIPTION
            "A collection of objects to support management
             of trap information for AFTR devices."
         ::= { dsliteGroups 4 }
        
       dsliteAFTRAlarmScalarGroup OBJECT-GROUP
         OBJECTS { dsliteAFTRAlarmB4AddrType,
              dsliteAFTRAlarmB4Addr,
              dsliteAFTRAlarmProtocolType,
              dsliteAFTRAlarmSpecificIPAddrType,
              dsliteAFTRAlarmSpecificIP,
              dsliteAFTRAlarmConnectNumber,
              dsliteAFTRAlarmSessionNumber,
              dsliteAFTRAlarmPortNumber}
         STATUS current
         DESCRIPTION
             "A collection of objects to support management of
             the information about the AFTR alarming scalar."
         ::= { dsliteGroups 5 }
        

END

9. Security Considerations

There are a number of management objects defined in this MIB module with a MAX-ACCESS clause of read-write and/or read-create. Such objects may be considered sensitive or vulnerable in some network environments. The support for SET operations in a non-secure environment without proper protection opens devices to attack. These are the tables and objects and their sensitivity/vulnerability:

dsliteAFTRAlarmConnectNumber

dsliteAFTRAlarmSessionNumber

dsliteAFTRAlarmPortNumber

Notification thresholds: An attacker setting an arbitrarily low threshold can cause many useless notifications to be generated. Setting an arbitrarily high threshold can effectively disable notifications, which could be used to hide another attack.
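
The check below is an added example, not part of RFC 7870: it audits polled values of the three writable thresholds against operator-approved ranges and against the previous poll, flagging both the arbitrarily low and the arbitrarily high settings described above. The snmpget-style line format, the approved ranges, and the sample polls are assumptions constructed for illustration.

```python
import re

# Operator-approved range for each writable threshold listed in Section 9.
# The numbers are constructed for this example; they are not from RFC 7870.
APPROVED = {
    "dsliteAFTRAlarmConnectNumber": (60, 90),
    "dsliteAFTRAlarmSessionNumber": (1000, 8000),
    "dsliteAFTRAlarmPortNumber": (60, 90),
}

# Assumed line shape: "[MODULE::]object.0 = INTEGER: value"
LINE_RE = re.compile(
    r"^(?:[\w-]+::)?(?P<name>\w+)\.0\s*=\s*INTEGER:\s*(?P<value>-?\d+)$"
)


def parse_poll(text):
    """Return {object_name: int} for the scalar lines in one poll."""
    values = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            values[match.group("name")] = int(match.group("value"))
    return values


def audit_thresholds(current, previous=None, approved=APPROVED):
    """Return sorted (object, finding) pairs that need operator review."""
    previous = previous or {}
    findings = []
    for name, (low, high) in approved.items():
        if name not in current:
            findings.append((name, "missing"))  # cannot verify the setting
            continue
        value = current[name]
        if value < low:
            findings.append((name, "too_low"))  # floods useless notifications
        elif value > high:
            findings.append((name, "too_high"))  # effectively disables them
        if name in previous and previous[name] != value:
            findings.append((name, "changed"))  # differs from the last poll
    return sorted(findings)


# Constructed sample polls (not captured from a real AFTR).
PREVIOUS_POLL = """\
dsliteAFTRAlarmConnectNumber.0 = INTEGER: 80
dsliteAFTRAlarmSessionNumber.0 = INTEGER: 4000
dsliteAFTRAlarmPortNumber.0 = INTEGER: 80
"""
CURRENT_POLL = """\
dsliteAFTRAlarmConnectNumber.0 = INTEGER: 80
dsliteAFTRAlarmSessionNumber.0 = INTEGER: 2147483647
dsliteAFTRAlarmPortNumber.0 = INTEGER: 1
"""

if __name__ == "__main__":
    polls = parse_poll(CURRENT_POLL), parse_poll(PREVIOUS_POLL)
    for name, finding in audit_thresholds(*polls):
        print(f"{name}: {finding}")
```

A "changed" finding with no matching change record is the case to investigate first, since a threshold raised out of range silences the very notification that would otherwise report trouble.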

Some of the readable objects in this MIB module (i.e., objects with a MAX-ACCESS other than not-accessible) may be considered sensitive or vulnerable in some network environments. It is thus important to control even GET and/or NOTIFY access to these objects and possibly to even encrypt the values of these objects when sending them over the network via SNMP. These are the tables and objects and their sensitivity/vulnerability:

entries in dsliteTunnelTable

entries in dsliteNATBindTable

Objects that reveal host identities: Various objects can reveal the identity of private hosts that are engaged in a session with external end nodes. A curious outsider could monitor these to assess the number of private hosts being supported by the AFTR device. Further, a disgruntled former employee of an enterprise could use the information to break into specific private hosts by intercepting the existing sessions or originating new sessions into the host. If nothing else, unauthorized monitoring of these objects will violate individual subscribers' privacy.

Unauthorized read access to the dsliteTunnelTable would reveal information about the tunnel topology.

SNMP versions prior to SNMPv3 did not include adequate security. Even if the network itself is secure (for example by using IPsec), there is no control as to who on the secure network is allowed to access and GET/SET (read/change/create/delete) the objects in this MIB module.

   Implementations SHOULD provide the security features described by the
   SNMPv3 framework (see [RFC3410]), and implementations claiming
   compliance to the SNMPv3 standard MUST include full support for
   authentication and privacy via the User-based Security Model (USM)
   [RFC3414] with the AES cipher algorithm [RFC3826].  Implementations
   MAY also provide support for the Transport Security Model (TSM)
   [RFC5591] in combination with a secure transport such as SSH
   [RFC5592] or TLS/DTLS [RFC6353].
        

Further, deployment of SNMP versions prior to SNMPv3 is NOT RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to enable cryptographic security. It is then a customer/operator responsibility to ensure that the SNMP entity giving access to an instance of this MIB module is properly configured to give access to the objects only to those principals (users) that have legitimate rights to indeed GET or SET (change/create/delete) them.

10. IANA Considerations

IANA has allocated the following OBJECT IDENTIFIER value and recorded it in the SMI Numbers registry in the subregistry called "SMI Network Management MGMT Codes Internet-standard MIB" under the mib-2 branch (1.3.6.1.2.1):

         Descriptor        OBJECT IDENTIFIER value
         ----------        -----------------------
         DSLite-MIB         { mib-2 240 }
        

IANA has recorded the following IANAtunnelType Textual Convention within the IANAifType-MIB:

         IANAtunnelType ::= TEXTUAL-CONVENTION
                    SYNTAX     INTEGER {
                               dsLite(17)        -- DS-Lite tunnel
                               }
        
11. References
11.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>.

[RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, DOI 10.17487/RFC2578, April 1999, <http://www.rfc-editor.org/info/rfc2578>.

[RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Textual Conventions for SMIv2", STD 58, RFC 2579, DOI 10.17487/RFC2579, April 1999, <http://www.rfc-editor.org/info/rfc2579>.

[RFC2580] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Conformance Statements for SMIv2", STD 58, RFC 2580, DOI 10.17487/RFC2580, April 1999, <http://www.rfc-editor.org/info/rfc2580>.

[RFC2863] McCloghrie, K. and F. Kastenholz, "The Interfaces Group MIB", RFC 2863, DOI 10.17487/RFC2863, June 2000, <http://www.rfc-editor.org/info/rfc2863>.

[RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, DOI 10.17487/RFC3411, December 2002, <http://www.rfc-editor.org/info/rfc3411>.

[RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", STD 62, RFC 3414, DOI 10.17487/RFC3414, December 2002, <http://www.rfc-editor.org/info/rfc3414>.

[RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie, "The Advanced Encryption Standard (AES) Cipher Algorithm in the SNMP User-based Security Model", RFC 3826, DOI 10.17487/RFC3826, June 2004, <http://www.rfc-editor.org/info/rfc3826>.

[RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. Schoenwaelder, "Textual Conventions for Internet Network Addresses", RFC 4001, DOI 10.17487/RFC4001, February 2005, <http://www.rfc-editor.org/info/rfc4001>.

[RFC4087] Thaler, D., "IP Tunnel MIB", RFC 4087, DOI 10.17487/RFC4087, June 2005, <http://www.rfc-editor.org/info/rfc4087>.

[RFC4787] Audet, F., Ed. and C. Jennings, "Network Address Translation (NAT) Behavioral Requirements for Unicast UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January 2007, <http://www.rfc-editor.org/info/rfc4787>.

[RFC5591] Harrington, D. and W. Hardaker, "Transport Security Model for the Simple Network Management Protocol (SNMP)", STD 78, RFC 5591, DOI 10.17487/RFC5591, June 2009, <http://www.rfc-editor.org/info/rfc5591>.

[RFC5592] Harrington, D., Salowey, J., and W. Hardaker, "Secure Shell Transport Model for the Simple Network Management Protocol (SNMP)", RFC 5592, DOI 10.17487/RFC5592, June 2009, <http://www.rfc-editor.org/info/rfc5592>.

[RFC6333] Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-Stack Lite Broadband Deployments Following IPv4 Exhaustion", RFC 6333, DOI 10.17487/RFC6333, August 2011, <http://www.rfc-editor.org/info/rfc6333>.

[RFC6353] Hardaker, W., "Transport Layer Security (TLS) Transport Model for the Simple Network Management Protocol (SNMP)", STD 78, RFC 6353, DOI 10.17487/RFC6353, July 2011, <http://www.rfc-editor.org/info/rfc6353>.

[RFC7659] Perreault, S., Tsou, T., Sivakumar, S., and T. Taylor, "Definitions of Managed Objects for Network Address Translators (NATs)", RFC 7659, DOI 10.17487/RFC7659, October 2015, <http://www.rfc-editor.org/info/rfc7659>.

11.2. Informative References

[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, "Introduction and Applicability Statements for Internet-Standard Management Framework", RFC 3410, DOI 10.17487/RFC3410, December 2002, <http://www.rfc-editor.org/info/rfc3410>.

Acknowledgements

The authors would like to thank the following for their valuable comments: Suresh Krishnan, Ian Farrer, Yiu Lee, Qi Sun, Yong Cui, David Harrington, Dave Thaler, Tassos Chatzithomaoglou, Tom Taylor, Hui Deng, Carlos Pignataro, Matt Miller, Terry Manderson, and other members of the Softwire working group.

Authors' Addresses

Yu Fu CNNIC No.4 South 4th Street, Zhongguancun Hai-Dian District, Beijing 100190 China

   Email: fuyu@cnnic.cn
        

Sheng Jiang Huawei Technologies Co., Ltd Q14, Huawei Campus, No.156 Beiqing Road Hai-Dian District, Beijing 100095 China

   Email: jiangsheng@huawei.com
        

Jiang Dong Tsinghua University Department of Computer Science, Tsinghua University Beijing 100084 China

   Email: knight.dongjiang@gmail.com
        

Yuchi Chen Tsinghua University Department of Computer Science, Tsinghua University Beijing 100084 China

   Email: flashfoxmx@gmail.com
        