Network Working Group                                         J. Quittek
Request for Comments: 5190                                M. Stiemerling
Category: Standards Track                                            NEC
                                                            P. Srisuresh
                                                          Kazeon Systems
                                                              March 2008
Definitions of Managed Objects for Middlebox Communication
Status of This Memo
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Abstract
This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. In particular, it describes a set of managed objects that allow configuring middleboxes, such as firewalls and network address translators, in order to enable communication across these devices. The definitions of managed objects in this document follow closely the MIDCOM semantics defined in RFC 5189.
Table of Contents
   1. Introduction
   2. The Internet-Standard Management Framework
   3. Overview
      3.1. Terminology
   4. Realizing the MIDCOM Protocol with SNMP
      4.1. MIDCOM Sessions
           4.1.1. Authentication and Authorization
      4.2. MIDCOM Transactions
           4.2.1. Asynchronous Transactions
           4.2.2. Configuration Transactions
           4.2.3. Monitoring Transactions
           4.2.4. Atomicity of MIDCOM Transactions
                  4.2.4.1. Asynchronous MIDCOM Transactions
                  4.2.4.2. Session Establishment and Termination Transactions
                  4.2.4.3. Monitoring Transactions
                  4.2.4.4. Lifetime Change Transactions
                  4.2.4.5. Transactions Establishing New Policy Rules
           4.2.5. Access Control
      4.3. Access Control Policies
   5. Structure of the MIB Module
      5.1. Transaction Objects
           5.1.1. midcomRuleTable
           5.1.2. midcomGroupTable
      5.2. Configuration Objects
           5.2.1. Capabilities
           5.2.2. midcomConfigFirewallTable
      5.3. Monitoring Objects
           5.3.1. midcomResourceTable
           5.3.2. midcomStatistics
      5.4. Notifications
   6. Recommendations for Configuration and Operation
      6.1. Security Model Configuration
      6.2. VACM Configuration
      6.3. Notification Configuration
      6.4. Simultaneous Access
      6.5. Avoiding Idempotency Problems
      6.6. Interface Indexing Problems
      6.7. Applicability Restrictions
   7. Usage Examples for MIDCOM Transactions
      7.1. Session Establishment (SE)
      7.2. Session Termination (ST)
      7.3. Policy Reserve Rule (PRR)
      7.4. Policy Enable Rule (PER) after PRR
      7.5. Policy Enable Rule (PER) without Previous PRR
      7.6. Policy Rule Lifetime Change (RLC)
      7.7. Policy Rule List (PRL)
      7.8. Policy Rule Status (PRS)
      7.9. Asynchronous Policy Rule Event (ARE)
      7.10. Group Lifetime Change (GLC)
      7.11. Group List (GL)
      7.12. Group Status (GS)
   8. Usage Examples for Monitoring Objects
      8.1. Monitoring NAT Resources
      8.2. Monitoring Firewall Resources
   9. Definitions
   10. Security Considerations
      10.1. General Security Issues
      10.2. Unauthorized Middlebox Configuration
      10.3. Unauthorized Access to Middlebox Configuration
      10.4. Unauthorized Access to MIDCOM Service Configuration
   11. Acknowledgements
   12. IANA Considerations
   13. Normative References
   14. Informative References
1. Introduction

This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. In particular, it describes a set of managed objects that allow controlling middleboxes.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
2. The Internet-Standard Management Framework

For a detailed overview of the documents that describe the current Internet-Standard Management Framework, please refer to section 7 of RFC 3410 [RFC3410].
Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. MIB objects are generally accessed through the Simple Network Management Protocol (SNMP). Objects in the MIB are defined using the mechanisms defined in the Structure of Management Information (SMI). This memo specifies a MIB module that is compliant to the SMIv2, which is described in STD 58, RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 [RFC2580].
3. Overview

The managed objects defined in this document serve for controlling firewalls and Network Address Translators (NATs). As defined in [RFC3234], firewalls and NATs belong to the group of middleboxes. A middlebox is a device on the datagram path between source and destination that performs functions other than plain IP routing. As outlined in [RFC3303], firewalls and NATs are potential obstacles to packet streams, for example, if dynamically negotiated UDP or TCP port numbers are used, as in many peer-to-peer communication applications.
As one possible solution for this problem, the IETF MIDCOM working group defined a framework [RFC3303], requirements [RFC3304], and protocol semantics [RFC5189] for communication between applications and middleboxes acting as firewalls, NATs, or a combination of both. The MIDCOM architecture and framework define a model in which trusted third parties can be delegated to assist middleboxes in performing their operations, without requiring application intelligence being embedded in the middleboxes. This trusted third party is referred to as the MIDCOM agent. The MIDCOM protocol is defined between a MIDCOM agent and a middlebox.
The managed objects defined in this document can be used for dynamically configuring middleboxes on the datagram path to permit datagrams to traverse the middleboxes. This way, applications can, for example, request pinholes at firewalls and address bindings at NATs.
Besides managed objects for controlling the middlebox operation, this document also defines managed objects that provide information on middlebox resource usage (such as firewall pinholes, NAT bindings, NAT sessions, etc.) affected by requests.
Since firewalls and NATs are critical devices concerning network security, security issues of middlebox communication need to be considered very carefully.
3.1. Terminology

The terminology used in this document is fully aligned with the terminology defined in [RFC5189] except for the term 'MIDCOM agent'. For this term, there is a conflict between the MIDCOM terminology and the SNMP terminology. The roles of entities participating in SNMP communication are called 'manager' and 'agent', with the agent acting as server for requests from the manager. This use of the term 'agent' is different from its use in the MIDCOM framework: the SNMP manager corresponds to the MIDCOM agent, and the SNMP agent corresponds to the MIDCOM middlebox, also called MIDCOM server. To avoid confusion in this document, which specifies a MIB module, we replace the term 'MIDCOM agent' with 'MIDCOM client'. Whenever the term 'agent' is used in this document, it refers to the SNMP agent. Figure 1 sketches the entities of MIDCOM in relationship to SNMP manager and SNMP agent.
   +---------+      MIDCOM       +-----------+
   | MIDCOM  |<~ ~ ~ ~ ~ ~ ~ ~>|  MIDCOM   |
   | Client  |   Transaction   | middlebox |
   |         |                 | (server)  |
   +---------+                 +-----------+
        ^                            ^
        |                            |
        v                            v
   +---------+                 +-----------+
   |  SNMP   |      SNMP       |   SNMP    |
   | Manager |<===============>|   Agent   |
   +---------+    Protocol     +-----------+
Figure 1: Mapping of MIDCOM to SNMP
4. Realizing the MIDCOM Protocol with SNMP

In order to realize middlebox communication as described in [RFC5189], several aspects and properties of the MIDCOM protocol need to be mapped to SNMP capabilities and expressed in terms of the Structure of Management Information version 2 (SMIv2).
Basic concepts to be mapped are MIDCOM sessions and MIDCOM transactions. For both, access control policies need to be supported.
4.1. MIDCOM Sessions

SNMP has no direct support for sessions. Therefore, they need to be modeled. A MIDCOM session is stateful and has a context that is valid for several transactions. For SNMP, a context is valid for a single transaction only, for example, covering just a single request/reply pair of messages.
Properties of sessions that are utilized by the MIDCOM semantics and not available in SNMP need to be modeled. Particularly, the middlebox needs to be able to authenticate MIDCOM clients, authorize access to policy rules, and send notification messages concerning policy rules to MIDCOM clients participating in a session. In the MIDCOM-MIB module, authentication and access control are performed on a per-message basis using an SNMPv3 security model, such as the User-based Security Model (USM) [RFC3414], for authentication, and the View-based Access Control Model (VACM) [RFC3415] for access control. Sending notifications to MIDCOM clients is controlled by access control models such as VACM and a mostly static configuration of objects in the SNMP-TARGET-MIB [RFC3413] and the SNMP-NOTIFICATION-MIB [RFC3413].
This session model is static except that the MIDCOM client can switch on and off the generation of SNMP notifications that the middlebox sends. Recommended configurations of VACM and the SNMP-TARGET-MIB and the SNMP-NOTIFICATION-MIB that can serve for modeling a session are described in detail in section 6.
4.1.1. Authentication and Authorization

MIDCOM sessions are required for providing authentication, authorization, and encryption for messages exchanged between a MIDCOM client and a middlebox. SNMPv3 provides these features on a per-message basis instead of a per-session basis by applying a security model and an access control model, such as USM and VACM. Per-message security mechanisms can be considered as overhead compared to per-session security mechanisms, but they certainly satisfy the security requirements of middlebox communication.
For each authenticated MIDCOM client, access to the MIDCOM-MIB, particularly to policy rules, should be configured as part of the VACM configuration of the SNMP agent.
4.2. MIDCOM Transactions

[RFC5189] defines the MIDCOM protocol semantics in terms of transactions and transaction parameters. Transactions are grouped into request-reply transactions and asynchronous transactions.
SNMP offers simple transactions that in general cannot be mapped one-to-one to MIDCOM transactions. This section describes how the MIDCOM-MIB module implements MIDCOM transactions using SNMP transactions. The concerned MIDCOM transactions are asynchronous transactions and request-reply transactions. Within the set of request-reply transactions, we distinguish configuration transactions and monitoring transactions, because they are implemented in slightly different ways by using SNMP transactions.
The SNMP terminology as defined in [RFC3411] does not use the concept of transactions, but of SNMP operations. For the considerations in this section, we use the terms SNMP GET transaction and SNMP SET transaction. An SNMP GET transaction consists of an SNMP Read Class operation and an SNMP Response Class operation. An SNMP SET transaction consists of an SNMP Write Class operation and an SNMP Response Class operation.
4.2.1. Asynchronous Transactions

Asynchronous transactions can easily be modeled by SNMP Notification Class operations. An asynchronous transaction contains a notification message with one to three parameters. The message can be realized as an SNMP Notification Class operation with the parameters implemented as managed objects contained in the notification.
   +--------------+  notification +------------+
   | MIDCOM client|<--------------| middlebox  |
   +--------------+    message    +------------+

                MIDCOM asynchronous transaction

   +--------------+     SNMP      +------------+
   | SNMP manager |<--------------| SNMP agent |
   +--------------+  notification +------------+

        Implementation of MIDCOM asynchronous transaction

   Figure 2: MIDCOM asynchronous transaction mapped to SNMP Notification Class operation
One of the parameters is the transaction identifier that should be unique per middlebox. It does not have to be unique for all notifications sent by the particular SNMP agent, but for all sent notifications that are defined by the MIDCOM-MIB module.
Note that SNMP notifications are usually sent as unreliable UDP packets and may be dropped before they reach their destination. If a MIDCOM client is expecting an asynchronous notification on a specific transaction, it would be the job of the MIDCOM client to poll the middlebox periodically and monitor the transaction in case notifications are lost along the way.
4.2.2. Configuration Transactions

All request-reply transactions contain a request message, a reply message, and potentially also a set of notifications. In general, they cannot be modeled by just having a single SNMP message per MIDCOM message, because some of the MIDCOM messages carry a large set of parameters that do not necessarily fit into an SNMP message consisting of a single UDP packet only.
For configuration transactions, the MIDCOM request message can be modeled by one or more SNMP SET transactions. The action of sending the MIDCOM request to the middlebox is realized by writing the parameters contained in the message to managed objects at the SNMP agent. If necessary, the SNMP SET transaction includes creating these managed objects. If not all parameters of the MIDCOM request message can be set by a single SNMP SET transaction, then more than one SET transaction is used; see Figure 3. Completion of the last of the SNMP transactions indicates that all required parameters are set and that processing of the MIDCOM request message can start at the middlebox.
Please note that a single SNMP SET transaction consists of an SNMP SET request message and an SNMP SET reply message. Both are sent as unreliable UDP packets and may be dropped before they reach their destination. If the SNMP SET request message or the SNMP reply message is lost, then the SNMP manager (the MIDCOM client) needs to take action, for example, by just repeating the SET transaction or by first checking the success of the initial write transaction with an SNMP GET transaction and then only repeating the SNMP SET transaction if necessary.
   +--------------+    request    +------------+
   | MIDCOM client|-------------->| middlebox  |
   +--------------+    message    +------------+

                    MIDCOM request message

   +--------------+               +------------+
   |              |   SNMP SET    |            |
   |              |-------------->|            |
   |              |    message    |            |
   |              |               |            |
   |              |   SNMP SET    |            |
   |              |<--------------|            |
   |              | reply message |            |
   | SNMP manager |               | SNMP agent |
   |              |   SNMP SET    |            |
   |              |- - - - - - - >|            |
   |              |    message    |            |
   |              |               |            |
   |              |   SNMP SET    |            |
   |              |< - - - - - - -|            |
   |              | reply message |            |
   |              |               |            |
   |              |     . . .     |            |
   +--------------+               +------------+

   Implementation of MIDCOM request message by one or more SNMP SET transactions

   Figure 3: MIDCOM request message mapped to SNMP SET transactions
The MIDCOM reply message can be modeled in two ways. The first way is an SNMP Notification Class operation optionally followed by one or more SNMP GET transactions, as shown in Figure 4. The MIDCOM server informs the MIDCOM client about the end of processing the request by sending an SNMP notification. If possible, the SNMP notification carries all reply parameters. If this is not possible, then the SNMP manager has to perform as many additional SNMP GET transactions as necessary to receive all of the reply parameters.
   +--------------+     reply     +------------+
   | MIDCOM client|<--------------| middlebox  |
   +--------------+    message    +------------+

                     MIDCOM reply message

   +--------------+               +------------+
   |              |     SNMP      |            |
   |              |<--------------|            |
   |              | notification  |            |
   |              |               |            |
   |              |   SNMP GET    |            |
   |              |-------------->|            |
   |              |    message    |            |
   | SNMP manager |               | SNMP agent |
   |              |   SNMP GET    |            |
   |              |<--------------|            |
   |              | reply message |            |
   |              |               |            |
   |              |   SNMP GET    |            |
   |              |- - - - - - - >|            |
   |              |    message    |            |
   |              |               |            |
   |              |   SNMP GET    |            |
   |              |< - - - - - - -|            |
   |              | reply message |            |
   |              |               |            |
   |              |     . . .     |            |
   +--------------+               +------------+

   Implementation of MIDCOM reply message by an SNMP notification and one or more SNMP GET transactions

   Figure 4: MIDCOM reply message mapped to SNMP notification and optional GET transactions
The second way replaces the SNMP Notification Class operation by a polling operation of the SNMP manager. The manager polls status information at the SNMP agent using SNMP GET transactions until it detects the end of the processing of the request. Then it uses one or more SNMP GET transactions to receive all of the reply parameters. Note that this second way requires more SNMP operations, but is more reliable than the first way using an SNMP Notification Class operation.
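The loss handling described for SNMP SET transactions above (repeat the SET, or GET first and repeat only if the write is not visible) and the polling variant of the reply, as an added Python simulation; this is not code from RFC 5190 or from any MIDCOM-MIB implementation. The agent, the lossy transport, the object names (ruleParam.1, ruleParam.2, ruleCommit, ruleState, replyAddr, replyPort), the loss schedule and the reply values are all constructed for this example. The point it shows is why the GET check matters: when only the SET reply for the committing write is lost, blindly repeating that SET would start processing of the request a second time, while the GET check leaves the request processed exactly once.

```python
from collections import deque


class Lost(Exception):
    """A simulated UDP datagram (SNMP request or reply) was dropped."""


class LossyTransport:
    """Deterministic stand-in for UDP: one flag per datagram sent, in order;
    True means that datagram (request or reply) is dropped. Constructed."""

    def __init__(self, drop_flags):
        self.flags = deque(drop_flags)
        self.sent = 0

    def send(self):
        self.sent += 1
        if self.flags and self.flags.popleft():
            raise Lost()


class SimulatedAgent:
    """Minimal SNMP agent: a flat name -> value store in front of a fake
    middlebox that needs two delivered GETs to finish processing a request.
    Object names are constructed, not MIDCOM-MIB objects."""

    PROCESSING_TICKS = 2

    def __init__(self):
        self.objects = {}
        self.requests_started = 0   # how often processing was (re)started
        self._ticks_left = 0

    def handle_set(self, name, value):
        self.objects[name] = value
        if name == "ruleCommit":    # last parameter written: start processing
            self.requests_started += 1
            self.objects["ruleState"] = "processing"
            self._ticks_left = self.PROCESSING_TICKS

    def handle_get(self, name):
        # Every delivered GET lets simulated time pass at the middlebox.
        if self._ticks_left > 0:
            self._ticks_left -= 1
            if self._ticks_left == 0:
                self.objects["ruleState"] = "done"
                self.objects["replyAddr"] = "192.0.2.10"   # constructed reply
                self.objects["replyPort"] = 40000
        return self.objects.get(name)


class SimulatedManager:
    """The MIDCOM client in its role as SNMP manager."""

    def __init__(self, agent, transport):
        self.agent = agent
        self.transport = transport
        self.set_transactions = 0
        self.get_transactions = 0

    def snmp_get(self, name):
        """One SNMP GET transaction, repeated until its reply arrives.
        Repeating a read is always safe: it has no side effect at the agent."""
        while True:
            self.get_transactions += 1
            try:
                self.transport.send()                 # GET request
                value = self.agent.handle_get(name)
                self.transport.send()                 # GET reply
                return value
            except Lost:
                continue

    def snmp_set(self, name, value):
        """One SNMP SET transaction with recovery: if the request or the
        reply is lost, check with a GET whether the write took effect and
        repeat the SET only if it did not."""
        while True:
            self.set_transactions += 1
            try:
                self.transport.send()                 # SET request
                self.agent.handle_set(name, value)
                self.transport.send()                 # SET reply
                return
            except Lost:
                if self.snmp_get(name) == value:
                    return                            # write already visible

    def configure(self, params):
        """MIDCOM request as several SETs, reply via polling GETs."""
        for name, value in params.items():
            self.snmp_set(name, value)
        self.snmp_set("ruleCommit", "true")           # last SET starts processing
        while self.snmp_get("ruleState") != "done":
            pass                                      # keep polling
        return {n: self.snmp_get(n) for n in ("replyAddr", "replyPort")}


def run_configuration_example():
    """Constructed scenario: datagram 3 (a SET request) and datagram 9
    (the SET reply for ruleCommit) are dropped."""
    drops = [False] * 20
    drops[2] = drops[8] = True
    agent, transport = SimulatedAgent(), LossyTransport(drops)
    manager = SimulatedManager(agent, transport)
    reply = manager.configure({"ruleParam.1": "10.0.0.5", "ruleParam.2": "5060"})
    return {"reply": reply,
            "set_transactions": manager.set_transactions,
            "get_transactions": manager.get_transactions,
            "requests_started": agent.requests_started,
            "datagrams_sent": transport.sent}


if __name__ == "__main__":
    print(run_configuration_example())
```

In the constructed run, the lost SET request is detected by the GET (the object is still unset) and the SET is repeated, while the lost reply to the committing SET is not repeated because the GET already shows the written value; the request is therefore processed once, at the cost of a few extra GET transactions.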
4.2.3. Monitoring Transactions

The realization of MIDCOM monitoring transactions in terms of SNMP transactions is simpler. The request message is very short and just specifies a piece of information that the MIDCOM client wants to retrieve.
   +--------------+    request    +------------+
   |              |-------------->|            |
   |              |    message    |            |
   | MIDCOM client|               | middlebox  |
   |              |     reply     |            |
   |              |<--------------|            |
   +--------------+    message    +------------+

                 MIDCOM monitoring transaction

   +--------------+               +------------+
   |              |   SNMP GET    |            |
   |              |-------------->|            |
   |              |    message    |            |
   |              |               |            |
   |              |   SNMP GET    |            |
   |              |<--------------|            |
   |              | reply message |            |
   | SNMP manager |               | SNMP agent |
   |              |   SNMP GET    |            |
   |              |- - - - - - - >|            |
   |              |    message    |            |
   |              |               |            |
   |              |   SNMP GET    |            |
   |              |< - - - - - - -|            |
   |              | reply message |            |
   |              |               |            |
   |              |     . . .     |            |
   +--------------+               +------------+

   Implementation of MIDCOM monitoring transaction by one or more SNMP GET messages

   Figure 5: MIDCOM monitoring transaction mapped to SNMP GET transactions
Since monitoring is a strength of SNMP, there are sufficient means to realize MIDCOM monitoring transactions in a simpler way than MIDCOM configuration transactions.
All MIDCOM monitoring transactions can be realized as a sequence of SNMP GET transactions. The number of SNMP GET transactions required depends on the amount of information to be retrieved.
4.2.4. Atomicity of MIDCOM Transactions

Given the realizations of MIDCOM transactions by means of SNMP transactions, atomicity of the MIDCOM transactions is not fully guaranteed anymore. However, this section shows that atomicity provided by the MIB module specified in section 9 is still sufficient for meeting the MIDCOM requirements specified in [RFC3304].
4.2.4.1. Asynchronous MIDCOM Transactions

There are two asynchronous MIDCOM transactions: Asynchronous Session Termination (AST) and Asynchronous Policy Rule Event (ARE). The very static realization of MIDCOM sessions in the MIDCOM-MIB, as described in section 4.1, no longer supports the asynchronous termination of a session. Therefore, the AST transaction is not modeled. For the ARE, atomicity is maintained, because it is modeled by a single atomic SNMP notification transaction.
In addition, the MIDCOM-MIB supports an Asynchronous Group Event transaction, which is an aggregation of a set of ARE transactions. Also, this MIDCOM transaction is implemented by a single SNMP transaction.
The MIDCOM-MIB models MIDCOM sessions in a very static way. The only dynamic actions within these transactions are enabling and disabling the generation of SNMP notifications at the SNMP agent.
For the Session Establishment (SE) transaction, the MIDCOM client first reads the middlebox capabilities. Whether or not this action is atomic is not relevant, because a dynamic change of the middlebox capabilities is not to be expected. Therefore, non-atomic implementations of this action are also acceptable.
Then, the MIDCOM agent needs to enable the generation of SNMP notifications at the middlebox. This can be realized by writing to a single managed object in the SNMP-NOTIFICATION-MIB [RFC3413]. But even other implementations are acceptable, because atomicity is not required for this step.
For the Session Termination (ST) transaction, the only required action is disabling the generation of SNMP notifications at the middlebox. As with the SE transaction, this action can be realized atomically by using the SNMP-NOTIFICATION-MIB, but other implementations are also acceptable because atomicity is not required for this action.
Potentially, the monitoring transactions Policy Rule List (PRL), Policy Rule Status (PRS), Group List (GL), and Group Status (GS) are not atomic, because these transactions may be implemented by more than one SNMP GET operation.
The problem that might occur is that while the monitoring transaction is performed, the monitored items may change. For example, while reading a long list of policies, new policies may be added and already read policies may be deleted. This is not in line with the protocol semantics. However, it is not in direct conflict with the MIDCOM requirement requesting the middlebox state to be stable and known by the MIDCOM client, because the middlebox notifies the MIDCOM client on all changes to its state that are performed during the monitoring transaction by sending notifications.
If the MIDCOM client receives such a notification while performing a monitoring transaction (or shortly after completing it), the MIDCOM client can then either repeat the monitoring transaction or integrate the result of the monitoring transaction with the information received via notifications during the transaction. In both cases, the MIDCOM client will know the state of the middlebox.
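As an added illustration (not code from RFC 5190), the following Python simulates a MIDCOM client walking the midcomRuleTable one GET-NEXT at a time while the middlebox changes underneath it, and then merges the notifications recorded during the walk into the walked snapshot, as the paragraph above describes. The middlebox model, the row keys and the status labels are constructed.

```python
"""Reconciling a non-atomic monitoring transaction (PRL/GL) with the
notifications received while the walk is in progress.  Added example,
not code from RFC 5190; middlebox, walk and changes are constructed
in-memory simulations."""


class Middlebox:
    """Holds midcomRuleTable rows keyed by (midcomRuleOwner,
    midcomGroupIndex, midcomRuleIndex) and records one notification per
    change, standing in for the MIB's asynchronous rule event."""

    def __init__(self, rows):
        self.rows = dict(rows)
        self.notifications = []

    def add_rule(self, key, oper_status):
        self.rows[key] = oper_status
        self.notifications.append(("created", key, oper_status))

    def remove_rule(self, key):
        del self.rows[key]
        self.notifications.append(("removed", key, None))

    def get_next(self, key):
        """One SNMP GET-NEXT step: the first row whose index is
        lexicographically greater than `key` (the empty tuple starts the walk)."""
        later = sorted(k for k in self.rows if k > key)
        return (later[0], self.rows[later[0]]) if later else None


def walk_rule_table(middlebox, interleaved_changes):
    """Walk the table row by row.  After each GET-NEXT the next change from
    `interleaved_changes` is applied on the middlebox, so the result is a
    snapshot taken over time, not an atomic one."""
    pending = list(interleaved_changes)
    snapshot, key = {}, ()
    while True:
        step = middlebox.get_next(key)
        if step is None:
            return snapshot
        key, oper_status = step
        snapshot[key] = oper_status
        if pending:
            pending.pop(0)(middlebox)


def reconcile(snapshot, notifications):
    """Merge notifications received during (or shortly after) the walk into
    the walked snapshot.  The last notification for a row reflects the
    middlebox's current state of that row, so the client ends up knowing
    the real state without repeating the whole transaction."""
    view = dict(snapshot)
    for kind, key, oper_status in notifications:
        if kind == "removed":
            view.pop(key, None)
        else:
            view[key] = oper_status
    return view


def demo():
    """Constructed scenario: the row read first is removed after it was
    read, and a row sorting before the walk position is created and is
    therefore missed.  Returns (walked snapshot, reconciled view, real state)."""
    mb = Middlebox({
        ("agentA", 1, 1): "enabled(8)",
        ("agentA", 1, 2): "enabled(8)",
        ("agentA", 2, 1): "reserved(7)",
    })
    changes = [
        lambda m: m.remove_rule(("agentA", 1, 1)),
        lambda m: m.add_rule(("agentA", 0, 1), "enabled(8)"),
    ]
    snapshot = walk_rule_table(mb, changes)
    return snapshot, reconcile(snapshot, mb.notifications), dict(mb.rows)
```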
For the policy Rule Lifetime Change (RLC) transaction and the Group Lifetime Change (GLC) transaction, atomicity is maintained. They both have very few parameters for the request message and the reply message. The request parameters can be transmitted by a single SNMP SET request message, and the reply parameters can be transmitted by a single SNMP notification message. In order to prevent idempotency problems caused by retransmitting an SNMP request after a lost SNMP reply, it is RECOMMENDED that either snmpSetSerialNo (see [RFC3418]) be included in the corresponding SNMP SET request or the value of the SNMP retransmission timer be lower than the smallest requested lifetime value. The same recommendation applies to the smallest requested value for the midcomRuleStorageTime. MIDCOM client implementations MAY completely avoid this problem by configuring their SNMP stack such that no retransmissions are sent.
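An added Python model, not code from RFC 5190 or any SNMP stack, of why echoing snmpSetSerialNo in the RLC SET request makes a retransmission after a lost reply harmless: without it the retransmitted SET silently re-extends the lifetime, with it the agent rejects the stale serial number. The agent, the client and the lifetime values are constructed.

```python
"""Why snmpSetSerialNo protects an RLC/GLC request against a retransmitted
SET after the reply was lost.  Added example, not code from RFC 5190 or
any SNMP stack: the agent and the client are minimal in-memory models and
the lifetimes are constructed values."""
from dataclasses import dataclass

TEST_AND_INCR_MAX = 2147483647   # TestAndIncr wraps from this value to 0 (RFC 2579)


@dataclass
class Agent:
    """Middlebox SNMP agent with one midcomRuleLifetime instance and the
    snmpSetSerialNo object from the SNMPv2-MIB [RFC3418]."""
    rule_lifetime: int = 0       # remaining seconds, counts down
    set_serial_no: int = 0

    def elapse(self, seconds):
        self.rule_lifetime = max(0, self.rule_lifetime - seconds)

    def set_request(self, varbinds):
        """Process one SET PDU.  A SET is atomic: either every varbind is
        applied or the PDU is rejected as a whole.  Returns the SNMP error
        status name."""
        serial = varbinds.get("snmpSetSerialNo")
        if serial is not None and serial != self.set_serial_no:
            # TestAndIncr semantics: any value other than the current one
            # fails the whole SET, so a stale retransmission is dropped here
            return "inconsistentValue"
        if "midcomRuleLifetime" in varbinds:
            self.rule_lifetime = varbinds["midcomRuleLifetime"]
        if serial is not None:
            self.set_serial_no = 0 if serial == TEST_AND_INCR_MAX else serial + 1
        return "noError"


def lifetime_change(agent, new_lifetime, use_serial, seconds_until_retransmit):
    """Client side of one RLC transaction whose reply gets lost, followed by
    the stack's identical retransmission.  Returns (status of the first SET,
    status of the retransmission, lifetime left on the agent afterwards).

    Without the serial number the retransmission is accepted and resets the
    lifetime to `new_lifetime` a second time, i.e. the rule lives longer than
    requested; with it the agent answers inconsistentValue and the client can
    simply GET midcomRuleLifetime to learn the real remaining value."""
    varbinds = {"midcomRuleLifetime": new_lifetime}
    if use_serial:
        # the client GETs snmpSetSerialNo first and echoes it in the SET
        varbinds["snmpSetSerialNo"] = agent.set_serial_no
    first = agent.set_request(dict(varbinds))      # applied; reply lost
    agent.elapse(seconds_until_retransmit)
    second = agent.set_request(dict(varbinds))     # same PDU sent again
    return first, second, agent.rule_lifetime
```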
Analogous to the monitoring transactions, the atomicity may not be given for Policy Reserve Rule (PRR) and Policy Enable Rule (PER) transactions. Both transactions are potentially implemented using more than one SNMP SET operation and GET operation for obtaining transaction reply parameters. The solution for this loss of atomicity is the same as for the monitoring transactions.
There is an additional atomicity problem for PRR and PER. If transferring request parameters requires more than a single SET operation, then there is the potential problem that multiple MIDCOM clients sharing the same permissions are able to access the same policy rule. In this case, a client could alter request parameters already set by another client before the first client could complete the request. However, this is acceptable since usually only one agent is creating a policy rule and filling it subsequently. It can also be assumed that in most cases where clients share permissions, they act in a more or less coordinated way avoiding such interferences.
All atomicity problems caused by using multiple SNMP SET transactions for implementing the MIDCOM request message can be avoided by transferring all request parameters with a single SNMP SET transaction.
Since SNMP does not offer per-session authentication and authorization, authentication and authorization are performed per SNMP message sent from the MIDCOM client to the middlebox.
For each transaction, the MIDCOM client has to authenticate itself as an authenticated principal, such as a USM user. Then, the principal's access rights to all resources affected by the transaction are checked. Access right control is realized by configuring the access control mechanisms, such as VACM, at the SNMP agent.
Potentially, a middlebox has to control access for a large set of MIDCOM clients and to a large set of policy rules configuring firewall pinholes and NAT bindings. Therefore, it can be beneficial to use access control policies for specifying access control rules. Generating, provisioning, and managing these policies are out of scope of this MIB module.
However, if such an access control policy system is used, then the SNMP agent acts as a policy enforcement point. An access control policy system must transform all active policies into configurations of, for example, the SNMP agent's View-based Access Control Model (VACM).
The mechanisms of access control models, such as VACM, allow an access control policy system to enforce MIDCOM client authentication rules and general access control of MIDCOM clients to middlebox control.
The mechanisms of VACM can be used to enforce access control of authenticated clients to MIDCOM-MIB policy rules based on the concept of ownership. For example, an access control policy can specify that MIDCOM-MIB policy rules owned by user A cannot be accessed at all by user B, can be read by user C, and can be read and modified by user D.
Further access control policies can control access to concrete middlebox resources. These are enforced when a MIDCOM request is processed. For example, an authenticated MIDCOM client may be authorized to request new MIDCOM policies to be established, but only for certain IP address ranges. The enforcement of this kind of policy may not be realizable using available SNMP mechanisms, but needs to be performed by the individual MIB module implementation.
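The ownership policy above (rules owned by A invisible to B, readable by C, readable and writable by D) expressed as VACM view families over the midcomRuleOwner index, followed by the address-range check that the MIB implementation has to perform itself; this is an added illustration, not code from RFC 5190 or any SNMP agent. MIDCOM_RULE_ENTRY_OID and COLUMN_ADMIN_STATUS are placeholders because the page gives neither value, and the user names and address ranges are constructed.

```python
"""Ownership-based access control for midcomRuleTable rows, modelled on
VACM view subtrees and family masks (RFC 3415), plus the address-range
check that VACM cannot express.  Added illustration, not code from
RFC 5190 or any SNMP implementation.  MIDCOM_RULE_ENTRY_OID and
COLUMN_ADMIN_STATUS are placeholders (this page gives neither value); the
users, address ranges and requests are constructed sample data."""
import ipaddress

MIDCOM_RULE_ENTRY_OID = (1, 3, 6, 1, 2, 1, 999, 1, 1, 1)   # PLACEHOLDER prefix
COLUMN_ADMIN_STATUS = 2                                     # PLACEHOLDER column number


def admin_string_index(owner):
    """Encode a variable-length SnmpAdminString index as OID sub-identifiers:
    the octet count followed by one sub-identifier per octet."""
    octets = owner.encode("utf-8")
    return (len(octets),) + tuple(octets)


def rule_instance_oid(column, owner, group_index, rule_index):
    """midcomRuleEntry.<column>.<midcomRuleOwner>.<midcomGroupIndex>.<midcomRuleIndex>"""
    return (MIDCOM_RULE_ENTRY_OID + (column,) + admin_string_index(owner)
            + (group_index, rule_index))


def owner_family(owner):
    """View subtree and mask covering every column of every row owned by
    `owner`: the column sub-identifier gets a 0 mask bit (wildcard) while
    the owner index stays significant."""
    subtree = MIDCOM_RULE_ENTRY_OID + (0,) + admin_string_index(owner)
    mask = [1] * len(subtree)
    mask[len(MIDCOM_RULE_ENTRY_OID)] = 0
    return subtree, tuple(mask)


def family_matches(subtree, mask, oid):
    """vacmViewTreeFamily test: oid is at least as long as subtree and agrees
    with it at every position whose mask bit is 1 (bits past the end of the
    mask count as 1)."""
    if len(oid) < len(subtree):
        return False
    for i, sub in enumerate(subtree):
        significant = mask[i] if i < len(mask) else 1
        if significant and oid[i] != sub:
            return False
    return True


def in_view(view, oid):
    """view: list of (subtree, mask, 'included'|'excluded').  The longest
    matching subtree wins, ties going to the lexicographically greatest."""
    best = None
    for subtree, mask, kind in view:
        if family_matches(subtree, mask, oid):
            if best is None or (len(subtree), subtree) > (len(best[0]), best[0]):
                best = (subtree, kind)
    return best is not None and best[1] == "included"


# Policy from the text: rules owned by user A are invisible to B, readable
# by C, readable and writable by D.  (Constructed user names.)
FAMILY_A = owner_family("userA")
VIEWS = {
    "userB": {"read": [], "write": []},
    "userC": {"read": [(*FAMILY_A, "included")], "write": []},
    "userD": {"read": [(*FAMILY_A, "included")], "write": [(*FAMILY_A, "included")]},
}

# Resource-level policy enforced by the MIB implementation itself: the
# internal endpoints (A0) a principal may request rules for.  (Constructed.)
ALLOWED_A0 = {"userD": [ipaddress.ip_network("10.1.0.0/16")]}


def vacm_allows(user, operation, oid):
    """operation is 'read' (GET/GET-NEXT) or 'write' (SET)."""
    return in_view(VIEWS.get(user, {}).get(operation, []), oid)


def authorize_rule_request(user, owner, group_index, rule_index, a0_address):
    """Both layers a SET establishing a rule must pass: VACM decides on the
    instance OID first, then the implementation checks the requested A0."""
    oid = rule_instance_oid(COLUMN_ADMIN_STATUS, owner, group_index, rule_index)
    if not vacm_allows(user, "write", oid):
        return "noAccess"                       # SNMP error status
    a0 = ipaddress.ip_address(a0_address)
    if not any(a0 in net for net in ALLOWED_A0.get(user, [])):
        return "addressPolicyViolation"         # constructed, implementation-specific
    return "accepted"
```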
The MIB module defined in section 9 contains three kinds of managed objects:
- Transaction objects
  Transaction objects are required for implementing the MIDCOM protocol requirements defined in [RFC3304] and the MIDCOM protocol semantics defined in [RFC5189].
- Configuration objects
  Configuration objects can be used for retrieving middlebox capability information (mandatory) and for setting parameters of the implementation of transaction objects (optional).
- Monitoring objects
  The optional monitoring objects provide information about used resources and about MIDCOM transaction statistics.
The transaction objects are organized in two tables: the midcomRuleTable and the midcomGroupTable. Entity relationships of entries of these tables and the midcomResourceTable from the monitoring objects are illustrated by Figure 6.
              +--------------------+
              |  midcomRuleEntry   |
              |  indexed by        |
              |  midcomRuleOwner   |
              |  midcomGroupIndex  |
              |  midcomRuleIndex   |
              +--------------------+
                 1...n |        | 1
                       |        |
                     1 |        | 1
              +--------------------+   +---------------------+
              |  midcomGroupEntry  |   | midcomResourceEntry |
              |  indexed by        |   |  indexed by         |
              |  midcomRuleOwner   |   |  midcomRuleOwner    |
              |  midcomGroupIndex  |   |  midcomGroupIndex   |
              +--------------------+   |  midcomRuleIndex    |
                                       +---------------------+
                                           |      |      |
                                           |      |      |
                                           v      v      v
                                          NAT  Firewall other
                                          MIB    MIB     MIB
Figure 6: Entity relationships of table entries
A MIDCOM client can create and delete entries in the midcomRuleTable. Entries in the midcomGroupTable are generated automatically as soon as there is an entry in the midcomRuleTable using the midcomGroupIndex. The midcomGroupTable can be used as a shortcut for accessing all member rules with a single transaction. MIDCOM clients can group policy rules for various purposes. For example, they can assign a unique value for the midcomGroupIndex to all rules belonging to a single application or an application session served by the MIDCOM agent.
The midcomResourceTable augments the midcomRuleTable by information on the relationship of entries of the midcomRuleTable to resources listed in other MIB modules, such as the NAT-MIB [RFC4008].
The transaction objects are structured according to the MIDCOM semantics described in [RFC5189] into two subtrees, one for policy rule control and one for policy rule group control.
The midcomRuleTable contains information about policy rules including policy rules to be established, policy rules for which establishing failed, established policy rules, and terminated policy rules.
Entries in this table are indexed by the combination of midcomRuleOwner, midcomGroupIndex, and midcomRuleIndex. The midcomRuleOwner is the owner of the rule; the midcomGroupIndex is the index of the group of which the policy rule is a member.
midcomRuleOwner is of type SnmpAdminString, a textual convention that allows for use of the SNMPv3 View-based Access Control Model (VACM [RFC3415]) and allows a management application to identify its entries.
Entries in this table are created by writing to midcomRuleRowStatus. Entries are removed when both their midcomRuleLifetime and midcomRuleStorageTime are timed out by counting down to 0. A MIDCOM client can explicitly remove an entry by setting midcomRuleLifetime and midcomRuleStorageTime to 0.
The table contains the following columnar objects:
o midcomRuleIndex
  The index of this entry must be unique in combination with the midcomRuleOwner and the midcomGroupIndex of the entry.
o midcomRuleAdminStatus
  For establishing a new policy rule, a set of objects in this entry needs to be written first. These objects are the request parameters. Then, by writing either reserve(1) or enable(2) to this object, the MIDCOM-MIB implementation is triggered to start processing the parameters and tries to establish the specified policy rule.
o midcomRuleOperStatus
  This read-only object indicates the current status of the entry. The entry may have an initializing state, it may have a transient state while processing requests, it may have an error state after a request was rejected, it may have a state where a policy rule is established, or it may have a terminated state.
o midcomRuleStorageType
  This object indicates whether the policy rule is stored as volatile, non-volatile, or permanent. Depending on the MIDCOM-MIB implementation, this object may be writable.
o midcomRuleStorageTime
  This object indicates how long the entry will still exist after entering an error state or a termination state.
o midcomRuleError
  This object is a string indicating the reason for entering an error state.
o midcomRuleInterface
  This object indicates the IP interface for which enforcement of a policy rule is requested or performed, respectively.
o midcomRuleFlowDirection
  This object indicates a flow direction for which a policy enable rule was requested or established, respectively.
o midcomRuleMaxIdleTime
  This object indicates the maximum idle time of the policy rule in seconds. If no packet to which the policy rule applies passes the middlebox for the time specified by midcomRuleMaxIdleTime, then the policy rule enters a termination state.
o midcomRuleTransportProtocol
  This object indicates a transport protocol for which a policy reserve rule or policy enable rule was requested or established, respectively.
o midcomRulePortRange
  This object indicates a port range for which a policy reserve rule or policy enable rule was requested or established, respectively.
o midcomRuleLifetime
  This object indicates the remaining lifetime of an established policy rule. The MIDCOM client can change the remaining lifetime by writing to it.
Beyond the listed objects, the table contains 10 further objects describing address parameters. They include the IP version, IP address, prefix length and port number for the internal address (A0), inside address (A1), outside address (A2), and external address (A3). These objects serve as parameters specifying a request or an established policy, respectively.
A0, A1, A2, and A3 are address tuples defined according to the MIDCOM semantics [RFC5189]. Each of them identifies either a communication endpoint at an internal or external device or an allocated address at the middlebox.
   +----------+                                            +----------+
   | internal |  A0         A1 +-----------+ A2         A3 | external |
   | endpoint +----------------+ middlebox +---------------+ endpoint |
   +----------+                +-----------+               +----------+
Figure 7: Address tuples A0 - A3
- A0 - internal endpoint: Address tuple A0 specifies a communication endpoint of a device within the internal network, with respect to the middlebox.
- A1 - middlebox inside address: Address tuple A1 specifies a virtual communication endpoint at the middlebox within the internal network. A1 is the destination address for packets passing from the internal endpoint to the middlebox and is the source for packets passing from the middlebox to the internal endpoint.
- A2 - middlebox outside address: Address tuple A2 specifies a virtual communication endpoint at the middlebox within the external network. A2 is the destination address for packets passing from the external endpoint to the middlebox and is the source for packets passing from the middlebox to the external endpoint.
- A3 - external endpoint: Address tuple A3 specifies a communication endpoint of a device within the external network, with respect to the middlebox.
The MIDCOM-MIB requires the MIDCOM client to specify address tuples A0 and A3. This might be a problem for applications that are not designed in a firewall-friendly way. An example is an FTP application that uses the PORT command (instead of the recommended PASV command). The problem only occurs when the middlebox offers twice-NAT functionality, and it can be fixed following recommendations for firewall-friendly communication.
The midcomGroupTable has an entry per existing policy rule group. Entries in this table are created automatically when creating member entries in the midcomRuleTable. Entries are automatically removed from this table when the last member entry is removed from the midcomRuleTable. Entries cannot be created or removed explicitly by the MIDCOM client.
Entries are indexed by the midcomRuleOwner of the rules that belong to the group and by a specific midcomGroupIndex. This allows each midcomRuleOwner to maintain its own independent group namespace.
An entry of the table contains the following objects:
o midcomGroupIndex
  The index of this entry must be unique in combination with the midcomRuleOwner of the entry.
o midcomGroupLifetime
  This object indicates the maximum of the remaining lifetimes of all established policy rules that are members of the group. The MIDCOM client can change the remaining lifetime of all member policies by writing to this object.
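An added in-memory model (not code from RFC 5190) of the midcomRuleTable and midcomGroupTable lifecycle described in this section: client-created rule rows, group rows that appear with their first member and vanish with their last, lifetime and storage-time countdown, and midcomGroupLifetime as the maximum over the members. Only reserved(7) and enabled(8) are the MIB's numbered values; the other state names and the sample rules are constructed.

```python
"""In-memory model of the midcomRuleTable / midcomGroupTable lifecycle:
a row is created by the client, the group row appears with its first
member and disappears with its last, lifetimes count down, and a rule row
is removed only once both midcomRuleLifetime and midcomRuleStorageTime
have reached 0.  Added illustration, not code from RFC 5190.  Only
reserved(7) and enabled(8) are the MIB's numbered values; the other state
names and the sample rules are constructed."""
from dataclasses import dataclass

RESERVE, ENABLE = 1, 2                        # midcomRuleAdminStatus reserve(1), enable(2)
RESERVED, ENABLED = "reserved(7)", "enabled(8)"
NEW, TERMINATED = "newEntry", "terminated"    # simplified stand-ins, not MIB enums


@dataclass
class RuleEntry:
    """One midcomRuleTable row (address/port request parameters omitted)."""
    lifetime: int = 0             # midcomRuleLifetime, seconds
    storage_time: int = 0         # midcomRuleStorageTime, seconds
    oper_status: str = NEW        # midcomRuleOperStatus


class MidcomTables:
    def __init__(self):
        self.rules = {}    # (midcomRuleOwner, midcomGroupIndex, midcomRuleIndex) -> RuleEntry
        self.groups = {}   # (midcomRuleOwner, midcomGroupIndex) -> set of midcomRuleIndex

    def create_rule(self, owner, group_index, rule_index, storage_time):
        """Client writes midcomRuleRowStatus (and the storage time as a
        request parameter); the group row is created implicitly."""
        key = (owner, group_index, rule_index)
        if key in self.rules:
            raise ValueError("inconsistentValue: row already exists")
        self.rules[key] = RuleEntry(storage_time=storage_time)
        self.groups.setdefault((owner, group_index), set()).add(rule_index)
        return key

    def set_admin_status(self, key, action, lifetime):
        """Writing reserve(1) or enable(2) to midcomRuleAdminStatus starts
        processing of the request parameters; on success the row becomes
        reserved(7) or enabled(8) with the requested lifetime."""
        if action not in (RESERVE, ENABLE):
            raise ValueError("wrongValue")
        entry = self.rules[key]
        entry.oper_status = RESERVED if action == RESERVE else ENABLED
        entry.lifetime = lifetime

    def set_lifetime(self, key, seconds):
        """RLC: overwrite the remaining lifetime; 0 terminates the rule."""
        self.rules[key].lifetime = seconds
        if seconds == 0:
            self.rules[key].oper_status = TERMINATED
        self._sweep()

    def set_storage_time(self, key, seconds):
        """Together with set_lifetime(key, 0) this removes the row explicitly."""
        self.rules[key].storage_time = seconds
        self._sweep()

    def set_group_lifetime(self, owner, group_index, seconds):
        """GLC: writing midcomGroupLifetime changes every member rule."""
        for rule_index in list(self.groups.get((owner, group_index), ())):
            self.set_lifetime((owner, group_index, rule_index), seconds)

    def group_lifetime(self, owner, group_index):
        """midcomGroupLifetime: maximum remaining lifetime over the members."""
        members = self.groups.get((owner, group_index), ())
        return max((self.rules[(owner, group_index, r)].lifetime for r in members), default=0)

    def elapse(self, seconds):
        """Advance time.  An established rule's lifetime counts down and the
        rule is terminated at 0; a terminated rule's storage time counts down."""
        for entry in self.rules.values():
            if entry.oper_status in (RESERVED, ENABLED):
                entry.lifetime = max(0, entry.lifetime - seconds)
                if entry.lifetime == 0:
                    entry.oper_status = TERMINATED
            elif entry.oper_status == TERMINATED:
                entry.storage_time = max(0, entry.storage_time - seconds)
        self._sweep()

    def _sweep(self):
        """Drop terminated rows whose lifetime and storage time are both 0,
        and drop a group row when its last member is gone."""
        gone = [k for k, e in self.rules.items()
                if e.oper_status == TERMINATED and e.lifetime == 0 and e.storage_time == 0]
        for owner, group_index, rule_index in gone:
            del self.rules[(owner, group_index, rule_index)]
            members = self.groups[(owner, group_index)]
            members.discard(rule_index)
            if not members:
                del self.groups[(owner, group_index)]
```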
The configuration subtree contains middlebox capability and configuration information. Some of the contained objects are (optionally) writable and can also be used for configuring the middlebox service.
The capabilities subtree contains some general capability information and detailed information per supported IP interface. The midcomConfigFirewallTable can be used to configure how the MIDCOM-MIB implementation creates firewall rules in its firewall modules.
Note that configuration objects are typically not intended to be written by MIDCOM clients. In general, write access to these objects needs to be restricted more strictly than write access to transaction objects.
Information on middlebox capabilities, i.e., capabilities of the MIDCOM-MIB implementation, is provided by the midcomCapabilities subtree of managed objects. The following objects are defined:
o midcomConfigMaxLifetime
  This object indicates the maximum lifetime that this middlebox allows policy rules to have.
o midcomConfigPersistentRules
  This is a boolean object indicating whether or not the middlebox is capable of storing policy rules persistently.
Further capabilities are provided by the midcomConfigIfTable per IP interface. This table contains just two objects. The first one is a BITS object called midcomConfigIfBits containing the following bit values:
o ipv4 and ipv6
  These two bit values provide information on which IP versions are supported by the middlebox at the indexed interface.
o addressWildcards and portWildcards
  These two bit values provide information on wildcarding supported by the middlebox at the indexed interface.
o firewall and nat
  These two bit values provide information on availability of firewall and NAT functionality at the indexed interface.
o portTranslation, protocolTranslation, and twiceNat
  These three bit values provide information on the kind of NAT functionality available at the indexed interface.
o inside
  This bit indicates whether or not the indexed interface is an inside interface with respect to NAT functionality.
The second object, called midcomConfigIfEnabled, indicates whether the middlebox capabilities described by midcomConfigIfBits are available or not available at the indexed IP interface.
The midcomConfigIfTable uses index 0 for indicating capabilities that are available for all interfaces.
The midcomConfigFirewallTable serves for configuring how policy rules created by MIDCOM clients are realized as firewall rules of a firewall implementation. Particularly, the priority used for MIDCOM-MIB policy rules can be configured. For a single firewall implementation at a particular IP interface, all MIDCOM-MIB policy rules are realized as firewall rules with the same priority. Also, a firewall rule group name can be configured. The table is indexed by the IP interface index.
An entry of the table contains the following objects:
o midcomConfigFirewallGroupId
  This object indicates the firewall rule group to which all firewall rules of the MIDCOM server are assigned.
o midcomConfigFirewallPriority
  This object indicates the priority assigned to all firewall rules of the MIDCOM server.
The monitoring objects are structured into two subtrees: the resource subtree and the statistics subtree. The resource subtree provides information about which resources are used by which policy rule. The statistics subtree provides statistics about the usage of transaction objects.
Information about resource usage per policy rule is provided by the midcomResourceTable. Each entry in the midcomResourceTable describes resource usage of exactly one policy rule.
Resources are NAT resources and firewall resources, depending on the type of middlebox. Used NAT resources include NAT bindings and NAT sessions. NAT address mappings are not covered. For firewalls, firewall filter rules are considered as resources.
The values provided by the following objects on NAT bindings and NAT sessions may refer to the detailed resource usage description in the NAT-MIB module [RFC4008].
The values provided by the following objects on firewall rules may refer to more detailed firewall resource usage descriptions in other MIB modules.
Entries in the midcomResourceTable are only valid if the midcomRuleOperStatus object of the corresponding entry in the midcomRuleTable has a value of either reserved(7) or enabled(8).
An entry of the table contains the following objects:
o midcomRscNatInternalAddrBindMode
  This object indicates whether the binding of the internal address is an address NAT binding or an address-port NAT binding.
o midcomRscNatInternalAddrBindId
  This object identifies the NAT binding for the internal address in the NAT engine.
o midcomRscNatExternalAddrBindMode
  This object indicates whether the binding of the external address is an address NAT binding or an address-port NAT binding.
o midcomRscNatExternalAddrBindId
  This object identifies the NAT binding for the external address in the NAT engine.
o midcomRscNatSessionId1
  This object links to the first NAT session associated with one of the above NAT bindings.
o midcomRscNatSessionId2
  This object links to the optional second NAT session associated with one of the above NAT bindings.
o midcomRscFirewallRuleId
  This object indicates the firewall rule for this policy rule.
The MIDCOM-MIB module does not require a middlebox to implement further middlebox-specific (NAT, firewall, etc.) MIB modules such as, for example, the NAT-MIB module [RFC4008].
The resource identifiers in the midcomResourceTable may be vendor proprietary in the cases where the middlebox does not implement the NAT-MIB [RFC4008] or a firewall MIB. The MIDCOM-MIB module affects NAT binding and sessions, as well as firewall pinholes. It is intentionally not specified in the MIDCOM-MIB module how these NAT and firewall resources are allocated and managed, since this depends on the MIDCOM-MIB implementation and middlebox's capabilities. However, the midcomResourceTable is useful for understanding which resources are affected by which MIDCOM-MIB transaction.
The midcomResourceTable is beneficial to the middlebox administrator in that the table lists all MIDCOM transactions and the middlebox-specific resources to which these transactions refer. For instance, multiple MIDCOM clients might end up using the same NAT binding, yet each MIDCOM client might define a Lifetime parameter and directionality for the binding that is specific to the transaction. MIDCOM-MIB implementations are responsible for impacting underlying middlebox resources so as to satisfy the sometimes overlapping requirements on the same resource from multiple MIDCOM clients.
Managing these resources is not a trivial task for MIDCOM-MIB implementers. It is possible that different MIDCOM-MIB policy rules owned by different MIDCOM clients share a NAT binding or a firewall rule. Then common properties, for example, the lifetime of the resource, need to be managed such that all clients are served well, and changes to these resources need to be communicated to all affected clients. Also, dependencies between resources, for example, the precedence order of firewall rules, need to be considered carefully in order to avoid that different policy rules -- potentially owned by different clients -- influence each other.
MIDCOM clients may use the midcomResourceTable of the MIDCOM-MIB module in conjunction with the NAT-MIB module [RFC4008] to determine which resources of the NAT are used for MIDCOM. The NAT-MIB module stores the configured NAT bindings and sessions, and MIDCOM clients can use the information of the midcomResourceTable to sort out those NAT resources that are used by the MIDCOM-MIB module.
The statistics subtree contains a set of non-columnar objects that provide 'MIDCOM protocol statistics', i.e., statistics about the usage of transaction objects.
o midcomCurrentOwners
  This object indicates the number of different values of midcomRuleOwner over all current entries in the midcomRuleTable.

o midcomOwnersTotal
  This object indicates the total number of different values that have occurred for midcomRuleOwner in the midcomRuleTable, currently and in the past.

o midcomTotalRejectedRuleEntries
  This object indicates the total number of failed attempts to create an entry in the midcomRuleTable.

o midcomCurrentRulesIncomplete
  This object indicates the total number of policy rules that have not been fully loaded into a table row of the midcomRuleTable.

o midcomTotalIncorrectReserveRules
  This object indicates the total number of policy reserve rules that were rejected because the request was incorrect.

o midcomTotalRejectedReserveRules
  This object indicates the total number of policy reserve rules that failed while being processed.

o midcomCurrentActiveReserveRules
  This object indicates the number of currently active policy reserve rules in the midcomRuleTable.

o midcomTotalExpiredReserveRules
  This object indicates the total number of expired policy reserve rules.

o midcomTotalTerminatedOnRqReserveRules
  This object indicates the total number of policy reserve rules that were terminated on request.

o midcomTotalTerminatedReserveRules
  This object indicates the total number of policy reserve rules that were terminated, but not on request.

o midcomTotalIncorrectEnableRules
  This object indicates the total number of policy enable rules that were rejected because the request was incorrect.

o midcomTotalRejectedEnableRules
  This object indicates the total number of policy enable rules that failed while being processed.

o midcomCurrentActiveEnableRules
  This object indicates the number of currently active policy enable rules in the midcomRuleTable.

o midcomTotalExpiredEnableRules
  This object indicates the total number of expired policy enable rules.

o midcomTotalTerminatedOnRqEnableRules
  This object indicates the total number of policy enable rules that were terminated on request.

o midcomTotalTerminatedEnableRules
  This object indicates the total number of policy enable rules that were terminated, but not on request.
For informing MIDCOM clients about state changes of MIDCOM-MIB implementations, three notifications can be used. They notify the MIDCOM client about state changes of individual policy rules or of groups of policy rules. Different notifications are used for different kinds of transactions.

For asynchronous transactions, unsolicited notifications are used. The only asynchronous transaction that needs to be modeled by the MIDCOM-MIB is the Asynchronous Policy Rule Event (ARE). The ARE may be caused by the expiration of a policy rule lifetime, the expiration of the idle time, or an internal change of a policy rule lifetime by the MIDCOM-MIB implementation for whatever reason.

For configuration transactions, solicited notifications are used. This concerns the Policy Reserve Rule (PRR) transaction, the Policy Enable Rule (PER) transaction, the Policy Rule Lifetime Change (RLC) transaction, and the Group Lifetime Change (GLC) transaction.

The separation between unsolicited and solicited notifications gives the implementer of a MIDCOM client some freedom to make design decisions on how to model the MIDCOM reply message, as described at the end of section 4.2.2. Depending on the choice, processing of solicited notifications may not be required. In such a case, delivery of solicited notifications may be disabled, for example, by an appropriate configuration of the snmpNotifyFilterTable such that solicited notifications are filtered differently from unsolicited notifications.

o midcomUnsolicitedRuleEvent
  This notification can be generated for indicating the change of a policy rule's state or lifetime. It is used for performing the ARE transaction.

o midcomSolicitedRuleEvent
  This notification can be generated for indicating the requested change of a policy rule's state or lifetime. It is used for performing PRR, PER, and RLC transactions.

o midcomSolicitedGroupEvent
  This notification can be generated for indicating the requested change of a policy rule group's lifetime. It is used for performing the GLC transaction.
Configuring MIDCOM-MIB security is highly sensitive for obvious reasons. This section gives recommendations for securely configuring the SNMP agent acting as MIDCOM server. In addition, recommendations for avoiding idempotency problems are given, and restrictions of MIDCOM-MIB applicability to a special set of applications are discussed.

Since controlling firewalls and NATs is highly sensitive, it is RECOMMENDED that SNMP Command Responders implementing the MIDCOM-MIB module use the authPriv security level for all users that may access managed objects of the MIDCOM-MIB module.

Entries in the midcomRuleTable and the midcomGroupTable provide information about existing firewall pinholes and/or NAT sessions. They could also be used for manipulating firewall pinholes and/or NAT sessions. Therefore, access control to these objects is essential and should be restrictive.

It is RECOMMENDED that SNMP Command Responders instantiating an implementation of the MIDCOM-MIB module use VACM for controlling access to managed objects in the midcomRuleTable and the midcomGroupTable.

It is further RECOMMENDED that individual MIDCOM clients, acting as SNMP Command Generators, only have access to an entry in the midcomRuleTable, the midcomResourceTable, or the midcomGroupTable if they created the entry, directly in the midcomRuleTable or indirectly in the midcomGroupTable and midcomResourceTable. Exceptions to this recommendation are situations where access by multiple MIDCOM clients to managed objects is explicitly required. One example is fail-over for MIDCOM agents, where the stand-by MIDCOM agent needs the same access rights to managed objects as the currently active MIDCOM agent. Another example is a supervisor MIDCOM agent that monitors activities of other MIDCOM agents and/or may be used by network management systems to modify entries in tables of the MIDCOM-MIB.

For this reason, all three tables listed above have the midcomRuleOwner as initial index. It is RECOMMENDED that MIDCOM clients acting as SNMP Command Generators have access to the midcomRuleTable and the midcomGroupTable restricted to entries whose initial index matches either their SNMP securityName or their VACM groupName. It is RECOMMENDED that they do not have access to entries in these tables with initial indices other than their SNMP securityName or their VACM groupName. It is RECOMMENDED that this VACM configuration be applied to read access, write access, and notify access for all objects in the midcomRuleTable and the midcomGroupTable.

Note that less restrictive access rights MAY be granted to other users, for example, to a network management application that monitors MIDCOM policy rules.
For each MIDCOM client that has access to the midcomRuleTable, a notification target SHOULD be configured at a Command Responder instantiating an implementation of the MIDCOM-MIB. It is RECOMMENDED that such a configuration be retrievable from the Command Responder via the SNMP-TARGET-MIB [RFC3413].

For each entry of the snmpTargetAddrTable that is related to a MIDCOM client, there SHOULD be an individual corresponding entry in the snmpTargetParamsTable.

An implementation of the MIDCOM-MIB SHOULD also implement the SNMP-NOTIFICATION-MIB [RFC3413]. An instance of an implementation of the MIDCOM-MIB SHOULD have an individual entry in the snmpNotifyFilterProfileTable for each MIDCOM client that has access to the midcomRuleTable.

An instance of an implementation of the MIDCOM-MIB SHOULD allow MIDCOM clients to start and stop the generation of notifications targeted at themselves. This SHOULD be realized by giving the MIDCOM clients write access to the snmpNotifyFilterTable. If appropriate entries of the snmpNotifyFilterTable are established in advance, then this can be achieved by granting MIDCOM clients write access only to the columnar object snmpNotifyFilterType.

It is RECOMMENDED that VACM be configured such that each MIDCOM agent can only access entries in the snmpTargetAddrTable, the snmpTargetParamsTable, the snmpNotifyFilterProfileTable, and the snmpNotifyFilterTable that concern that particular MIDCOM agent. Typically, read access to the snmpTargetAddrTable, the snmpTargetParamsTable, and the snmpNotifyFilterProfileTable is sufficient. Write access may be required for objects of the snmpNotifyFilterTable, typically only for snmpNotifyFilterType.
Situations with two MIDCOM clients simultaneously modifying the same policy rule should be avoided. For each entry in the midcomRuleTable, there should be only one client at a time that modifies it. If two MIDCOM clients share the same midcomRuleOwner index of the midcomRuleTable, then conflicts can be avoided, for example, by

- scheduling access times, as, for example, in the fail-over case;
- using different midcomGroupIndex values per client; or
- using non-overlapping intervals for values of the midcomRuleIndex per client.

As already discussed in section 4.2.4.4, the following recommendation is given for avoiding idempotency problems.

In general, idempotency problems can be solved by including snmpSetSerialNo (see [RFC3418]) in SNMP SET requests.

In case this feature is not used, it is RECOMMENDED that the value of the SNMP retransmission timer of a MIDCOM client (acting as SNMP Command Generator) be lower than the smallest requested value for any rule lifetime or rule idle time, in order to prevent idempotency problems with setting midcomRuleLifetime and midcomRuleMaxIdleTime when retransmitting an SNMP SET request after a lost SNMP reply.

MIDCOM client implementations MAY completely avoid this problem by configuring their SNMP stack such that no retransmissions are sent.
Similar considerations apply to MIDCOM-MIB implementations acting as Notification Originator when sending a notification (midcomUnsolicitedRuleEvent, midcomSolicitedRuleEvent, or midcomSolicitedGroupEvent) containing the remaining lifetime of a policy rule or a policy rule group, respectively.
A well-known problem of MIB modules is the indexing of IP interfaces after a re-initialization of the managed device. The index for interfaces provided by the ifTable (see IF-MIB in [RFC2863]) may change during re-initialization, for example, when physical interfaces are added or removed.

The MIDCOM-MIB module uses the interface index for indicating at which interface a policy rule is (or is to be) applied. Also, this index is used for indicating how policy rules are prioritized at certain interfaces. The MIDCOM-MIB module specification requires that the information provided is always correct. This implies that after re-initialization, interface index values of policy rules or firewall configurations may have changed even though they still refer to the same interface as before the re-initialization.

MIDCOM client implementations need to be aware of this potential behavior. It is RECOMMENDED that before writing the value or using the value of indices that depend on the ifTable, the MIDCOM client checks whether the middlebox has been re-initialized recently.

MIDCOM-MIB module implementations MUST track changes of IP interface indices in the ifTable. This implies that after a re-initialization of a middlebox, a MIDCOM-MIB implementation MUST make sure that each instance of an interface index in the MIDCOM-MIB tables still points to the same interface as before the re-initialization. For any instance for which this is not possible, all affected entries in tables of the MIDCOM-MIB module MUST be either terminated, disabled, or deleted, as specified in the DESCRIPTION clause of the respective object. This concerns all objects in the MIDCOM-MIB module that are of type InterfaceIndexOrZero.

As already discussed in section 5.1.1, the MIDCOM-MIB requires the MIDCOM client to specify address tuples A0 and A3. This can be a problem for applications that do not have this information available when they need to configure the middlebox. For some applications, there are usage scenarios where address information is only available for a single address realm: A0 and A1 in the private realm, or A2 and A3 in the public realm. An example is an FTP application using the PORT command (instead of the PASV command). The problem occurs when the middlebox offers twice-NAT functionality.
This section presents some examples that explain how a MIDCOM client acting as SNMP manager can use the MIDCOM-MIB module defined in this memo. The purpose of these examples is to explain the steps that are required to perform MIDCOM transactions. For each MIDCOM transaction defined in the MIDCOM semantics [RFC5189], a sequence of SNMP operations that realizes the transaction is described.

The examples described below are recommended procedures for MIDCOM clients. Clients may choose to operate differently.

For example, they may choose not to receive solicited notifications on completion of a transaction, but to poll the MIDCOM-MIB instead until the transaction is completed. This can be achieved by performing step 2 of the SE transaction (see below) differently. The MIDCOM agent then creates an entry in the snmpNotifyFilterTable such that only the midcomUnsolicitedRuleEvent may pass the filter and is sent to the MIDCOM client. In this case, the PER, PRR, and RLC transactions require a polling loop wherever in the examples below the MIDCOM client waits for a notification.

The MIDCOM-MIB realizes most properties of MIDCOM sessions in a very static way. Only the generation of notifications targeted at the MIDCOM client is enabled by the client for session establishment.

1. The MIDCOM client checks the middlebox capabilities by reading objects in the midcomCapabilitiesGroup.

2. The MIDCOM client enables generation of notifications on events concerning the policy rules controlled by the client. If the SNMP-NOTIFICATION-MIB is supported as recommended by section 6.3 of this document, then the MIDCOM client just has to change the value of the object snmpNotifyFilterType in the corresponding entry of the snmpNotifyFilterTable from excluded(2) to included(1).

For terminating a session, the MIDCOM client just disables the generation of notifications for this client.

1. The MIDCOM client disables generation of notifications on events concerning the policy rules controlled by the client. If the SNMP-NOTIFICATION-MIB is supported as recommended by section 6.3 of this document, then the MIDCOM client just has to change the value of the object snmpNotifyFilterType in the corresponding entry of the snmpNotifyFilterTable from included(1) to excluded(2).
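The following is an added example and not code from RFC 5190. It models the two OID-family computations that the configuration recommendations of section 6 and the session steps above rely on: (a) the VACM view family (RFC 3415 vacmViewTreeFamilySubtree and vacmViewTreeFamilyMask) that confines a MIDCOM client to midcomRuleTable rows whose first index, midcomRuleOwner, equals its securityName, and (b) an snmpNotifyFilterTable profile (RFC 3413) for the polling variant described above, which lets midcomUnsolicitedRuleEvent through while dropping the solicited notifications, together with the included/excluded toggle of snmpNotifyFilterType used for session establishment and termination. The object identifiers are assumptions: midcomRuleEntry is taken as 1.3.6.1.2.1.171.1.1.1.1 and midcomNotifications as 1.3.6.1.2.1.171.0 with the three notifications numbered 1, 2, 3 in the order the text lists them; substitute the values from the MIB module if they differ.

```python
# Added example, not from RFC 5190: owner-keyed VACM view families and a
# notification filter profile for the MIDCOM-MIB, as tuples of sub-identifiers.

# Assumed OIDs (see lead-in); replace with the values from the MIB module if they differ.
MIDCOM_RULE_ENTRY = (1, 3, 6, 1, 2, 1, 171, 1, 1, 1, 1)
MIDCOM_NOTIFICATIONS = (1, 3, 6, 1, 2, 1, 171, 0)
UNSOLICITED_RULE_EVENT = MIDCOM_NOTIFICATIONS + (1,)
SOLICITED_RULE_EVENT = MIDCOM_NOTIFICATIONS + (2,)
SOLICITED_GROUP_EVENT = MIDCOM_NOTIFICATIONS + (3,)


def family_contains(subtree, mask, oid):
    """Subtree/mask rule shared by vacmViewTreeFamilyTable and snmpNotifyFilterTable:
    oid must be at least as long as subtree and agree on every sub-id whose mask
    bit is 1; mask bits past the end of the mask count as 1."""
    if len(oid) < len(subtree):
        return False
    return all(oid[i] == sub for i, sub in enumerate(subtree)
               if (mask[i] if i < len(mask) else 1))


def string_index(name):
    """Non-IMPLIED SnmpAdminString index: a length sub-id, then one sub-id per octet.
    The length sub-id is what keeps owner 'alice' from matching owner 'alice2'."""
    octets = name.encode("utf-8")
    return (len(octets),) + tuple(octets)


def owner_view_family(owner):
    """vacmViewTreeFamilySubtree/Mask pair for rows owned by `owner`: the column
    sub-id directly after midcomRuleEntry is wildcarded, all other positions must match."""
    subtree = MIDCOM_RULE_ENTRY + (0,) + string_index(owner)
    mask = [1] * len(subtree)
    mask[len(MIDCOM_RULE_ENTRY)] = 0
    return subtree, tuple(mask)


def mask_octets(mask):
    """Pack the bit list as the OCTET STRING stored in vacmViewTreeFamilyMask (MSB first)."""
    bits = list(mask) + [0] * (-len(mask) % 8)
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def rule_instance(column, owner, group, rule):
    """Instance OID of one midcomRuleTable column for index (owner, group, rule)."""
    return MIDCOM_RULE_ENTRY + (column,) + string_index(owner) + (group, rule)


def vacm_allows(security_name, oid):
    """Access decision for a client whose securityName is its midcomRuleOwner."""
    return family_contains(*owner_view_family(security_name), oid)


def filter_decision(profile, oid):
    """RFC 3413 filter matching: among the profile entries whose family contains oid,
    the most specific one (longest subtree, then lexicographically greatest) decides;
    None when no entry matches."""
    hits = [e for e in profile if family_contains(e["subtree"], e["mask"], oid)]
    if not hits:
        return None
    best = max(hits, key=lambda e: (len(e["subtree"]), e["subtree"]))
    return best["type"]


def notification_passes(profile, notification_oid, varbind_oids=()):
    """The notification's own OID must be included; no varbind OID may be excluded."""
    return (filter_decision(profile, notification_oid) == "included"
            and all(filter_decision(profile, vb) != "excluded" for vb in varbind_oids))


def polling_client_profile():
    """Polling variant: only midcomUnsolicitedRuleEvent reaches the client."""
    return [{"subtree": MIDCOM_NOTIFICATIONS, "mask": (), "type": "included"},
            {"subtree": SOLICITED_RULE_EVENT, "mask": (), "type": "excluded"},
            {"subtree": SOLICITED_GROUP_EVENT, "mask": (), "type": "excluded"}]


def set_session(profile, enabled):
    """Session establishment/termination: flip snmpNotifyFilterType of the
    midcomNotifications entry between included(1) and excluded(2)."""
    for entry in profile:
        if entry["subtree"] == MIDCOM_NOTIFICATIONS:
            entry["type"] = "included" if enabled else "excluded"
    return profile


if __name__ == "__main__":
    subtree, mask = owner_view_family("alice")
    print(subtree, mask_octets(mask).hex())
    print(vacm_allows("alice", rule_instance(5, "alice", 1, 1)),
          vacm_allows("alice", rule_instance(5, "bob", 1, 1)))
    profile = polling_client_profile()
    print(notification_passes(profile, UNSOLICITED_RULE_EVENT),
          notification_passes(profile, SOLICITED_RULE_EVENT))
```

One view family per client, built this way, is what the recommendation to restrict access to entries whose initial index matches the securityName comes down to in VACM terms; the midcomGroupTable, which is also indexed by midcomRuleOwner first, gets the same treatment with its own entry OID.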
This example explains steps that may be performed by a MIDCOM client to establish a policy reserve rule.

1. The MIDCOM client creates a new entry in the midcomRuleTable by writing to midcomRuleRowStatus. The chosen value for the index object midcomGroupIndex determines the group membership of the created rule. Note that choosing an unused value for midcomGroupIndex creates a new entry in the midcomGroupTable.

2. The MIDCOM client sets the following objects in the new entry of the midcomRuleTable to specify all request parameters of the PRR transaction:

   - midcomRuleMaxIdleTime
   - midcomRuleInterface
   - midcomRuleTransportProtocol
   - midcomRulePortRange
   - midcomRuleInternalIpVersion
   - midcomRuleExternalIpVersion
   - midcomRuleInternalIpAddr
   - midcomRuleInternalIpPrefixLength
   - midcomRuleInternalPort
   - midcomRuleLifetime

   Note that several of these parameters have default values that can be used.

3. The MIDCOM client sets the midcomRuleAdminStatus object in the new row of the midcomRuleTable to reserve(1).

4. The MIDCOM client awaits a midcomSolicitedRuleEvent notification concerning the new policy rule in the midcomRuleTable. Waiting for the notification is timed out after a pre-selected maximum waiting time. In case of a timeout while waiting for the notification, or if the client does not use notifications, the MIDCOM client retrieves the status of the midcomRuleEntry by one or more SNMP GET operations.

5. After receiving the midcomSolicitedRuleEvent notification, the MIDCOM client checks the lifetime value carried by the notification. If it is greater than 0, the MIDCOM client reads all positive reply parameters of the PRR transaction:

   - midcomRuleOutsideIpAddr
   - midcomRuleOutsidePort
   - midcomRuleMaxIdleTime
   - midcomRuleLifetime

   If the lifetime equals 0, then the MIDCOM client reads the midcomRuleOperStatus and the midcomRuleError in order to analyze the failure reason.

6. Optionally, after receiving the midcomSolicitedRuleEvent notification with a lifetime value greater than 0, the MIDCOM client may check the midcomResourceTable for the middlebox resources allocated for this policy reserve rule. Note that a PRR does not necessarily allocate any middlebox resource visible in the NAT-MIB module or in a firewall MIB module, since it does a reservation only. If, however, the PRR overlaps with already existing PERs, then the PRR may be related to middlebox resources visible in other MIB modules.
This example explains steps that may be performed by a MIDCOM client to establish a policy enable rule after a corresponding policy reserve rule was already established.

1. The MIDCOM client sets the following objects in the row of the established PRR in the midcomRuleTable to specify all request parameters of the PER transaction:

   - midcomRuleMaxIdleTime
   - midcomRuleExternalIpAddr
   - midcomRuleExternalIpPrefixLength
   - midcomRuleExternalPort
   - midcomRuleFlowDirection

   Note that several of these parameters have default values that can be used.

2. The MIDCOM client sets the midcomRuleAdminStatus object in the row of the established PRR in the midcomRuleTable to enable(2).

3. The MIDCOM client awaits a midcomSolicitedRuleEvent notification concerning the row of the established PRR in the midcomRuleTable. Waiting for the notification is timed out after a pre-selected maximum waiting time. In case of a timeout while waiting for the notification, or if the client does not use notifications, the MIDCOM client retrieves the status of the midcomRuleEntry by one or more SNMP GET operations.

4. After receiving the midcomSolicitedRuleEvent notification, the MIDCOM client checks the lifetime value carried by the notification. If it is greater than 0, the MIDCOM client reads all positive reply parameters of the PER transaction:

   - midcomRuleInsideIpAddr
   - midcomRuleInsidePort
   - midcomRuleMaxIdleTime

   If the lifetime equals 0, then the MIDCOM client reads the midcomRuleOperStatus and the midcomRuleError in order to analyze the failure reason.

5. Optionally, after receiving the midcomSolicitedRuleEvent notification with a lifetime value greater than 0, the MIDCOM client may check the midcomResourceTable for the middlebox resources allocated for this policy enable rule.
This example explains steps that may be performed by a MIDCOM client to establish a policy enable rule for which no PRR transaction has been performed before.

1. Identical to step 1 for PRR (section 7.3).

2. Identical to step 2 for PRR (section 7.3).

3. The MIDCOM client sets the following objects in the new row of the midcomRuleTable to specify all request parameters of the PER transaction:

   - midcomRuleInterface
   - midcomRuleFlowDirection
   - midcomRuleTransportProtocol
   - midcomRulePortRange
   - midcomRuleInternalIpVersion
   - midcomRuleExternalIpVersion
   - midcomRuleInternalIpAddr
   - midcomRuleInternalIpPrefixLength
   - midcomRuleInternalPort
   - midcomRuleExternalIpAddr
   - midcomRuleExternalIpPrefixLength
   - midcomRuleExternalPort
   - midcomRuleLifetime

   Note that several of these parameters have default values that can be used.

4. The MIDCOM client sets the midcomRuleAdminStatus object in the new row of the midcomRuleTable to enable(2).

5. Identical to step 4 for PRR (section 7.3).

6. After receiving the midcomSolicitedRuleEvent notification, the MIDCOM client checks the lifetime value carried by the notification. If it is greater than 0, the MIDCOM client reads all positive reply parameters of the PER transaction:

   - midcomRuleInsideIpAddr
   - midcomRuleInsidePort
   - midcomRuleOutsideIpAddr
   - midcomRuleOutsidePort
   - midcomRuleMaxIdleTime

   If the lifetime equals 0, then the MIDCOM client reads the midcomRuleOperStatus and the midcomRuleError in order to analyze the failure reason.

7. Optionally, after receiving the midcomSolicitedRuleEvent notification with a lifetime value greater than 0, the MIDCOM client may check the midcomResourceTable for the middlebox resources allocated for this policy enable rule.
This example explains steps that may be performed by a MIDCOM client to change the lifetime of a policy rule. Changing the lifetime to 0 implies terminating the policy rule.

1. The MIDCOM client issues a SET request for writing the desired lifetime to the midcomRuleLifetime object in the corresponding row of the midcomRuleTable. This does not have any effect if the lifetime has already expired.

2. The MIDCOM client awaits a midcomSolicitedRuleEvent notification concerning the corresponding row in the midcomRuleTable. Waiting for the notification is timed out after a pre-selected maximum waiting time. In case of a timeout while waiting for the notification, or if the client does not use notifications, the MIDCOM client retrieves the status of the midcomRuleEntry by one or more SNMP GET operations.

3. After receiving the midcomSolicitedRuleEvent notification, the MIDCOM client checks the lifetime value carried by the notification.
The MIDCOM client (acting as SNMP manager) can browse the list of policy rules by walking the midcomRuleTable. For each observed row in this table, the MIDCOM client should check the midcomRuleOperStatus in order to find out whether the row contains information about an established policy rule, or about a rule that is under construction or already terminated.

The MIDCOM client can retrieve all status information and properties of a policy rule by reading the managed objects in the corresponding row of the midcomRuleTable.
There are two different triggers for the ARE. It may be triggered by the expiration of a policy rule's lifetime or by the expiration of the idle time. But beyond this, the MIDCOM-MIB implementation may terminate a policy rule at any time. In all cases, two steps are required for performing this transaction:

1. The MIDCOM-MIB implementation sends a midcomUnsolicitedRuleEvent notification containing a lifetime value of 0 to the MIDCOM client owning the rule.

2. If the midcomRuleStorageTime object in the corresponding row of the midcomRuleTable has a value of 0, then the MIDCOM-MIB implementation removes the row from the table. Otherwise, it sets the midcomRuleLifetime object in this row to 0 and changes the midcomRuleOperStatus object. If the event was triggered by policy rule lifetime expiration, then the midcomRuleOperStatus is set to timedOut(9); otherwise, it is set to terminated(11).
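The following is an added example and not code from RFC 5190: a constructed walk-through of the PRR (section 7.3), PER-after-PRR (section 7.4) and ARE (section 7.9) procedures against a toy MIDCOM-MIB Command Responder, with the solicited notification consumed on the client side and the lifetime-0 failure path taken when the reservation cannot be made. Rows are dicts keyed by the MIB's column names; the SNMP transport, VACM, idle-time expiry and the midcomGroupTable are left out. The outside address and the port pool are made up, midcomRuleOperStatus is kept as labels rather than the MIB's numeric codes, and the agent assumes a traditional NAT, where the inside tuple A1 that PER reports equals the external tuple A3 the client supplied.

```python
# Added example, not from RFC 5190: PRR, PER after PRR and ARE against a toy
# MIDCOM-MIB Command Responder. Values and the NAT model are constructed.

RESERVE, ENABLE = 1, 2          # midcomRuleAdminStatus: reserve(1), enable(2)


class MidcomAgent:
    def __init__(self, outside_addr, outside_ports):
        self.rules = {}             # (midcomRuleOwner, midcomGroupIndex, midcomRuleIndex) -> row
        self.notifications = []     # (notification, index, midcomRuleLifetime) queued for the client
        self.outside_addr = outside_addr
        self.outside_ports = list(outside_ports)   # constructed pool of free NAT ports

    def create_row(self, index):    # PRR step 1: write midcomRuleRowStatus; row starts with defaults
        self.rules[index] = {"midcomRuleOperStatus": "newEntry", "midcomRuleError": "",
                             "midcomRuleLifetime": 180, "midcomRuleMaxIdleTime": 0,
                             "midcomRuleStorageTime": 0}

    def set_objects(self, index, **objects):     # PRR step 2 / PER step 1: request parameters
        self.rules[index].update(objects)

    def _reject(self, row, reason):
        row["midcomRuleOperStatus"], row["midcomRuleError"] = "rejected", reason
        row["midcomRuleLifetime"] = 0

    def set_admin_status(self, index, status):   # PRR step 3 / PER step 2: run the transaction
        row = self.rules[index]
        if status == RESERVE:
            if not self.outside_ports:
                self._reject(row, "no outside port available")
            else:                                # outside tuple A2 is the NAT's reservation
                row["midcomRuleOutsideIpAddr"] = self.outside_addr
                row["midcomRuleOutsidePort"] = self.outside_ports.pop(0)
                row["midcomRuleOperStatus"] = "reserved"
        elif status == ENABLE:
            if row["midcomRuleOperStatus"] != "reserved":
                self._reject(row, "no reservation to enable")
            elif "midcomRuleExternalIpAddr" not in row:
                self._reject(row, "external address missing")
            else:                                # traditional NAT assumed: A1 == A3
                row["midcomRuleInsideIpAddr"] = row["midcomRuleExternalIpAddr"]
                row["midcomRuleInsidePort"] = row["midcomRuleExternalPort"]
                row["midcomRuleOperStatus"] = "enabled"
        # The solicited notification carries the lifetime; 0 signals failure (7.3 step 5).
        self.notifications.append(("midcomSolicitedRuleEvent", index, row["midcomRuleLifetime"]))

    def tick(self, seconds):        # ARE on lifetime expiry (7.9)
        for index, row in list(self.rules.items()):
            if row["midcomRuleOperStatus"] not in ("reserved", "enabled"):
                continue
            row["midcomRuleLifetime"] = max(0, row["midcomRuleLifetime"] - seconds)
            if row["midcomRuleLifetime"] == 0:
                self.notifications.append(("midcomUnsolicitedRuleEvent", index, 0))
                if row["midcomRuleStorageTime"] == 0:
                    del self.rules[index]                   # ARE step 2, no retention
                else:
                    row["midcomRuleOperStatus"] = "timedOut"  # timedOut(9) in the MIB


def await_rule_event(agent, index, reply_objects):
    """PRR steps 4/5 and PER steps 3/4: consume the solicited notification for `index`.
    Lifetime > 0: read the positive reply parameters; otherwise read the failure reason."""
    name, idx, lifetime = agent.notifications.pop(0)
    if (name, idx) != ("midcomSolicitedRuleEvent", index):
        raise RuntimeError("unexpected notification %r" % ((name, idx),))
    row = agent.rules[index]
    if lifetime > 0:
        return {k: row[k] for k in reply_objects}
    return {k: row[k] for k in ("midcomRuleOperStatus", "midcomRuleError")}


def prr(agent, index, **params):
    agent.create_row(index)
    agent.set_objects(index, **params)
    agent.set_admin_status(index, RESERVE)
    return await_rule_event(agent, index, ("midcomRuleOutsideIpAddr", "midcomRuleOutsidePort",
                                           "midcomRuleMaxIdleTime", "midcomRuleLifetime"))


def per_after_prr(agent, index, **params):
    agent.set_objects(index, **params)
    agent.set_admin_status(index, ENABLE)
    return await_rule_event(agent, index, ("midcomRuleInsideIpAddr", "midcomRuleInsidePort",
                                           "midcomRuleMaxIdleTime"))


if __name__ == "__main__":
    agent = MidcomAgent("198.51.100.7", [40000])
    rule = ("sipproxy", 1, 1)
    print(prr(agent, rule, midcomRuleInternalIpAddr="192.0.2.10", midcomRuleInternalPort=5060,
              midcomRuleTransportProtocol=17, midcomRuleLifetime=60))
    print(per_after_prr(agent, rule, midcomRuleExternalIpAddr="203.0.113.5",
                        midcomRuleExternalPort=5060))
    print(prr(agent, ("sipproxy", 1, 2), midcomRuleInternalIpAddr="192.0.2.11",
              midcomRuleInternalPort=5060))                   # pool exhausted: rejected
    agent.tick(60)                                             # rule 1 expires: ARE, row removed
    print(agent.notifications, agent.rules)
```

A client that uses the polling variant instead of solicited notifications replaces await_rule_event with a loop that reads midcomRuleOperStatus until it leaves the transient states; the lifetime-0 branch and the reply objects stay the same.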
This example explains steps that may be performed by a MIDCOM client to change the lifetime of a policy rule group. Changing the lifetime to 0 implies terminating all member policies of the group.
此示例说明了MIDCOM客户端为更改策略规则组的生存期而执行的步骤。将生存期更改为0意味着终止组的所有成员策略。
1. The MIDCOM client issues a SET request for writing the desired lifetime to the midcomGroupLifetime object in the corresponding row of the midcomGroupTable.
2. The MIDCOM client waits for a midcomSolicitedGroupEvent notification concerning the corresponding row in the midcomGroupTable. Waiting for the notification is timed out after a pre-selected maximum waiting time. In case of a timeout while waiting for the notification or if the client does not use notifications, the MIDCOM client retrieves the status of the midcomGroupEntry by one or more SNMP GET operations.
3. After receiving the midcomSolicitedRuleEvent notification, the MIDCOM client checks the lifetime value carried by the notification.
The SNMP agent can browse the list of policy rule groups by browsing the midcomGroupTable. For each observed row in this table, the SNMP agent should check the midcomGroupLifetime in order to find out if the group does contain established policies.
The SNMP agent can retrieve all member policies of a group by browsing the midcomRuleTable using the midcomGroupIndex of the particular group. For retrieving the remaining lifetime of the group, the SNMP agent reads the midcomGroupLifetime object in the corresponding row of the midcomGroupTable.
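The following Python model is an added example and is not part of RFC 5190 or of any MIDCOM-MIB implementation. It replays the two procedures described above, the asynchronous rule event and a client changing midcomGroupLifetime, together with the midcomRuleStorageTime ageing both depend on; the MidcomAgent, RuleRow and Notification classes, the in-process notification list standing in for SNMP traps, and the owner names used in tests are all constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

class OperStatus(IntEnum):
    """midcomRuleOperStatus values as enumerated in the MIB module."""
    newEntry = 1
    setting = 2
    checkingRequest = 3
    incorrectRequest = 4
    processingRequest = 5
    requestRejected = 6
    reserved = 7
    enabled = 8
    timedOut = 9
    terminatedOnRequest = 10
    terminated = 11
    genericError = 12

TERMINATION_STATES = {OperStatus.timedOut, OperStatus.terminatedOnRequest, OperStatus.terminated}
ERROR_STATES = {OperStatus.incorrectRequest, OperStatus.requestRejected, OperStatus.genericError}

@dataclass
class RuleRow:
    """One midcomRuleEntry, reduced to the objects this section uses (constructed model)."""
    owner: str                # midcomRuleOwner (index)
    group_index: int          # midcomGroupIndex (index)
    rule_index: int           # midcomRuleIndex (index)
    oper_status: OperStatus   # midcomRuleOperStatus
    lifetime: int             # midcomRuleLifetime, seconds
    storage_time: int = 0     # midcomRuleStorageTime, seconds

@dataclass
class Notification:
    kind: str                   # midcomUnsolicitedRuleEvent / midcomSolicitedGroupEvent
    owner: str
    group_index: int
    rule_index: Optional[int]   # None for group events
    lifetime: int

class MidcomAgent:
    """In-process stand-in for the MIDCOM-MIB implementation (constructed, no SNMP)."""
    def __init__(self):
        self.rules = {}            # midcomRuleTable rows keyed by (owner, group, rule)
        self.group_lifetime = {}   # midcomGroupLifetime keyed by (owner, group)
        self.sent = []             # notifications emitted by the agent, in order

    def add_rule(self, row):
        self.rules[(row.owner, row.group_index, row.rule_index)] = row
        self.group_lifetime.setdefault((row.owner, row.group_index), row.lifetime)

    def _terminate(self, row, final_state):
        # Shared tail of every termination: a row with midcomRuleStorageTime 0 is removed
        # at once; otherwise midcomRuleLifetime becomes 0 and the status records why.
        if row.storage_time == 0:
            del self.rules[(row.owner, row.group_index, row.rule_index)]
        else:
            row.lifetime = 0
            row.oper_status = final_state

    def asynchronous_rule_event(self, key, lifetime_expired):
        """ARE: the agent ends a rule on its own, in the two steps described above."""
        row = self.rules[key]
        # Step 1: midcomUnsolicitedRuleEvent carrying a lifetime value of 0.
        self.sent.append(Notification("midcomUnsolicitedRuleEvent", row.owner,
                                      row.group_index, row.rule_index, 0))
        # Step 2: timedOut(9) on lifetime expiry, terminated(11) otherwise.
        self._terminate(row, OperStatus.timedOut if lifetime_expired
                        else OperStatus.terminated)

    def set_group_lifetime(self, owner, group_index, value):
        """SET on midcomGroupLifetime; a value of 0 ends every member policy."""
        self.group_lifetime[(owner, group_index)] = value
        if value == 0:
            members = [r for r in self.rules.values()
                       if r.owner == owner and r.group_index == group_index]
            for row in members:   # ended on a manager's request -> terminatedOnRequest(10)
                self._terminate(row, OperStatus.terminatedOnRequest)
        self.sent.append(Notification("midcomSolicitedGroupEvent", owner,
                                      group_index, None, value))

    def tick(self, seconds):
        """Age midcomRuleStorageTime of rows in a termination or error state."""
        for key in list(self.rules):
            row = self.rules[key]
            if row.oper_status in TERMINATION_STATES | ERROR_STATES:
                row.storage_time = max(0, row.storage_time - seconds)
                if row.storage_time == 0:
                    del self.rules[key]   # aged out

def client_change_group_lifetime(agent, owner, group_index, value, use_notifications=True):
    """Client side of the group example: SET, then confirm by notification or by GET."""
    agent.set_group_lifetime(owner, group_index, value)             # step 1
    if use_notifications:                                           # steps 2-3
        for n in reversed(agent.sent):
            if n.kind == "midcomSolicitedGroupEvent" and (n.owner, n.group_index) == (owner, group_index):
                return n.lifetime
    # No notification (timed out or not in use): fall back to reading midcomGroupLifetime.
    return agent.group_lifetime[(owner, group_index)]
```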
This section presents some examples that explain how a MIDCOM client can use the midcomResourceTable to correlate policy rules with the used middlebox resources. One example is given for middleboxes implementing the NAT-MIB and another one is given for firewalls.
When a rule in the midcomRuleTable is executed, it directly impacts the middlebox resources. The midcomResourceTable provides the information on the relationships between the MIDCOM-MIB policy rules and the middlebox resources used for enforcing these rules.
A MIDCOM-MIB policy rule will cause the creation or modification of up to two NAT bindings and up to two NAT sessions. Two NAT bindings are impacted in the case of a session being subject to twice-NAT. Two NAT bindings may also be impacted when midcomRulePortRange is set to pair(2) in the policy rule. In the majority of cases, where traditional NAT is implemented, only a single NAT binding may be adequate. Note, however, that this BindId is set to 0 if the middlebox is implementing symmetric NAT function. Two NAT sessions are created or modified only when the midcomRulePortRange is set to pair(2) in the policy rule.
When support for the NAT-MIB module is also available at the middlebox, the parameters in the combination of the midcomRuleTable and the midcomResourceTable for a given rule can be used to index the corresponding BIND and NAT session resources affected in the NAT-MIB. These parameters are valuable for monitoring the impact on the NAT module, even when the NAT-MIB module is not implemented at the middlebox.
The impact of MIDCOM rules on the NAT resources is important because a MIDCOM rule not only can create BINDs and NAT sessions, but also is capable of modifying the NAT objects that already exist. For example, FlowDirection and MaxIdleTime parameters in a MIDCOM rule directly affect the TranslationEntity and MaxIdleTime of the associated NAT bind object. Likewise, MaxIdleTime in a MIDCOM rule has a direct impact on the MaxIdleTime of the associated NAT session object. The lifetime parameter in the MIDCOM rule directly impacts the lifetime of all the impacted NAT BIND and NAT session objects.
When a MIDCOM-MIB policy rule is established at a middlebox with firewall capabilities, this may lead to the creation of one or more new firewall rules. Note that in general a single firewall rule per MIDCOM-MIB policy rule will be sufficient. For each policy rule, a MIDCOM client can explore the corresponding firewall filter rule by reading the midcomResourceEntry in the midcomResourceTable that corresponds to the midcomRuleEntry describing the rule. The identification of the firewall filter rule is stored in object midcomRscFirewallRuleId. The value of midcomRscFirewallRuleId may correspond directly to any firewall filter rule number or to an entry in a locally available firewall MIB module.
The following MIB module imports from [RFC2578], [RFC2579], [RFC2580], [RFC2863], [RFC3411], [RFC4001], and [RFC4008].
MIDCOM-MIB DEFINITIONS ::= BEGIN
MIDCOM-MIB DEFINITIONS ::= BEGIN
IMPORTS MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Unsigned32, Counter32, Gauge32, mib-2 FROM SNMPv2-SMI -- RFC 2578
从SNMPv2 SMI--RFC 2578导入模块标识、对象类型、通知类型、未签名32、计数器32、仪表32、mib-2
TEXTUAL-CONVENTION, TruthValue, StorageType, RowStatus FROM SNMPv2-TC -- RFC 2579
SNMPv2 TC中的文本约定、TruthValue、StorageType、行状态——RFC2579
MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP FROM SNMPv2-CONF -- RFC 2580
来自SNMPv2 CONF的MODULE-COMPLIANCE、OBJECT-GROUP、NOTIFICATION-GROUP——RFC2580
SnmpAdminString FROM SNMP-FRAMEWORK-MIB -- RFC 3411
SNMP-FRAMEWORK-MIB中的snmpadmin安装——RFC 3411
InetAddressType, InetAddress, InetPortNumber, InetAddressPrefixLength FROM INET-ADDRESS-MIB -- RFC 4001
INET-ADDRESS-MIB中的InetAddressType、InetAddress、InetPortNumber、InetAddressPrefixLength--RFC 4001
InterfaceIndexOrZero FROM IF-MIB -- RFC 2863
来自IF-MIB的接口索引或零--RFC 2863
NatBindIdOrZero FROM NAT-MIB; -- RFC 4008
NAT-MIB中的NATBindiorZero;——RFC 4008
midcomMIB MODULE-IDENTITY LAST-UPDATED "200708091011Z" -- August 09, 2007 ORGANIZATION "IETF Middlebox Communication Working Group" CONTACT-INFO "WG charter: http://www.ietf.org/html.charters/midcom-charter.html
midcomMIB模块标识最后更新的“200708091011Z”-2007年8月9日组织“IETF中间盒通信工作组”联系方式工作组章程:http://www.ietf.org/html.charters/midcom-charter.html
Mailing Lists: General Discussion: midcom@ietf.org To Subscribe: midcom-request@ietf.org In Body: subscribe your_email_address
Mailing Lists: General Discussion: midcom@ietf.org To Subscribe: midcom-request@ietf.org In Body: subscribe your_email_address
Co-editor: Juergen Quittek NEC Europe Ltd. Kurfuersten-Anlage 36 69115 Heidelberg Germany Tel: +49 6221 4342-115 Email: quittek@nw.neclab.eu
合编:Juergen Quittek NEC欧洲有限公司Kurfuersten Anlage 36 69115德国海德堡电话:+49 6221 4342-115电子邮件:quittek@nw.neclab.eu
Co-editor: Martin Stiemerling NEC Europe Ltd. Kurfuersten-Anlage 36 69115 Heidelberg Germany Tel: +49 6221 4342-113 Email: stiemerling@nw.neclab.eu
合编:Martin Stieemering NEC Europe Ltd.Kurfuersten Anlage 36 69115德国海德堡电话:+49 6221 4342-113电子邮件:stiemerling@nw.neclab.eu
Co-editor: Pyda Srisuresh Kazeon Systems, Inc. 1161 San Antonio Rd. Mountain View, CA 94043 U.S.A. Tel: +1 408 836-4773 Email: srisuresh@yahoo.com"
共同编辑:Pyda Srisuresh Kazeon Systems,Inc.美国加利福尼亚州山景城圣安东尼奥路1161号94043电话:+1 408 836-4773电子邮件:srisuresh@yahoo.com"
DESCRIPTION "This MIB module defines a set of basic objects for configuring middleboxes, such as firewalls and network
DESCRIPTION“此MIB模块定义了一组用于配置中间件的基本对象,如防火墙和网络
address translators, in order to enable communication across these devices.
地址转换器,以实现这些设备之间的通信。
Managed objects defined in this MIB module are structured in three kinds of objects: - transaction objects required according to the MIDCOM protocol requirements defined in RFC 3304 and according to the MIDCOM protocol semantics defined in RFC 3989, - configuration objects that can be used for retrieving or setting parameters of the implementation of transaction objects, - optional monitoring objects that provide information about used resource and statistics
此MIB模块中定义的托管对象由三种对象构成:-根据RFC 3304中定义的MIDCOM协议要求和RFC 3989中定义的MIDCOM协议语义所需的事务对象,-可用于检索或设置事务对象实现参数的配置对象,-提供有关已用资源和统计信息的可选监视对象
The transaction objects are organized in two subtrees: - objects modeling MIDCOM policy rules in the midcomRuleTable - objects modeling MIDCOM policy rule groups in the midcomGroupTable
事务对象组织在两个子树中:-在midcomRuleTable中建模MIDCOM策略规则的对象-在midcomGroupTable中建模MIDCOM策略规则组的对象
Note that typically, configuration objects are not intended to be written by MIDCOM clients. In general, write access to these objects needs to be restricted more strictly than write access to objects in the transaction subtrees.
请注意,配置对象通常不会由MIDCOM客户端编写。通常,对这些对象的写访问需要比对事务子树中的对象的写访问受到更严格的限制。
Copyright (C) The Internet Society (2008). This version of this MIB module is part of RFC 5190; see the RFC itself for full legal notices."
版权所有(C)互联网协会(2008年)。此版本的MIB模块是RFC 5190的一部分;有关完整的法律通知,请参见RFC本身。”
REVISION "200708091011Z" -- August 09, 2007 DESCRIPTION "Initial version, published as RFC 5190." ::= { mib-2 171 }
REVISION "200708091011Z" -- August 09, 2007 DESCRIPTION "Initial version, published as RFC 5190." ::= { mib-2 171 }
-- -- main components of this MIB module --
----此MIB模块的主要组件--
midcomNotifications OBJECT IDENTIFIER ::= { midcomMIB 0 } midcomObjects OBJECT IDENTIFIER ::= { midcomMIB 1 } midcomConformance OBJECT IDENTIFIER ::= { midcomMIB 2 }
midcomNotifications OBJECT IDENTIFIER ::= { midcomMIB 0 } midcomObjects OBJECT IDENTIFIER ::= { midcomMIB 1 } midcomConformance OBJECT IDENTIFIER ::= { midcomMIB 2 }
-- Transaction objects required according to the MIDCOM -- protocol requirements defined in RFC 3304 and according to -- the MIDCOM protocol semantics defined in RFC 3989 midcomTransaction OBJECT IDENTIFIER ::= { midcomObjects 1 }
-- Transaction objects required according to the MIDCOM -- protocol requirements defined in RFC 3304 and according to -- the MIDCOM protocol semantics defined in RFC 3989 midcomTransaction OBJECT IDENTIFIER ::= { midcomObjects 1 }
-- Configuration objects that can be used for retrieving -- middlebox capability information (mandatory) and for
-- Configuration objects that can be used for retrieving -- middlebox capability information (mandatory) and for
-- setting parameters of the implementation of transaction -- objects (optional) midcomConfig OBJECT IDENTIFIER ::= { midcomObjects 2 }
-- setting parameters of the implementation of transaction -- objects (optional) midcomConfig OBJECT IDENTIFIER ::= { midcomObjects 2 }
-- Optional monitoring objects that provide information about -- used resource and statistics midcomMonitoring OBJECT IDENTIFIER ::= { midcomObjects 3 }
-- Optional monitoring objects that provide information about -- used resource and statistics midcomMonitoring OBJECT IDENTIFIER ::= { midcomObjects 3 }
-- -- Transaction Objects -- -- Transaction objects are structured according to the MIDCOM -- protocol semantics into two groups: -- - objects modeling MIDCOM policy rules in the midcomRuleTable -- - objects modeling MIDCOM policy rule groups in the -- midcomGroupTable
-- -- Transaction Objects -- -- Transaction objects are structured according to the MIDCOM -- protocol semantics into two groups: -- - objects modeling MIDCOM policy rules in the midcomRuleTable -- - objects modeling MIDCOM policy rule groups in the -- midcomGroupTable
-- -- Policy rule subtree -- -- The midcomRuleTable lists policy rules -- including policy reserve rules and policy enable rules. --
-- -- Policy rule subtree -- -- The midcomRuleTable lists policy rules -- including policy reserve rules and policy enable rules. --
midcomRuleTable OBJECT-TYPE SYNTAX SEQUENCE OF MidcomRuleEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table lists policy rules.
MidcomRuleEntry MAX-ACCESS的midcomRuleTable对象类型语法序列不可访问状态当前描述“此表列出了策略规则。
It is indexed by the midcomRuleOwner, the midcomGroupIndex, and the midcomRuleIndex. This implies that a rule is a member of exactly one group and that group membership cannot be changed.
它由midcomRuleOwner、midcomGroupIndex和midcomRuleIndex编制索引。这意味着规则仅为一个组的成员,并且组成员身份不能更改。
Entries can be deleted by writing to midcomGroupLifetime or midcomRuleLifetime and potentially also to midcomRuleStorageTime." ::= { midcomTransaction 3 }
Entries can be deleted by writing to midcomGroupLifetime or midcomRuleLifetime and potentially also to midcomRuleStorageTime." ::= { midcomTransaction 3 }
midcomRuleEntry OBJECT-TYPE SYNTAX MidcomRuleEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry describing a particular MIDCOM policy rule."
midcomRuleEntry对象类型语法midcomRuleEntry MAX-ACCESS不可访问状态当前描述“描述特定MIDCOM策略规则的条目。”
INDEX { midcomRuleOwner, midcomGroupIndex, midcomRuleIndex } ::= { midcomRuleTable 1 }
INDEX { midcomRuleOwner, midcomGroupIndex, midcomRuleIndex } ::= { midcomRuleTable 1 }
MidcomRuleEntry ::= SEQUENCE { midcomRuleOwner SnmpAdminString, midcomRuleIndex Unsigned32, midcomRuleAdminStatus INTEGER, midcomRuleOperStatus INTEGER, midcomRuleStorageType StorageType, midcomRuleStorageTime Unsigned32, midcomRuleError SnmpAdminString, midcomRuleInterface InterfaceIndexOrZero, midcomRuleFlowDirection INTEGER, midcomRuleMaxIdleTime Unsigned32, midcomRuleTransportProtocol Unsigned32, midcomRulePortRange INTEGER, midcomRuleInternalIpVersion InetAddressType, midcomRuleExternalIpVersion InetAddressType, midcomRuleInternalIpAddr InetAddress, midcomRuleInternalIpPrefixLength InetAddressPrefixLength, midcomRuleInternalPort InetPortNumber, midcomRuleExternalIpAddr InetAddress, midcomRuleExternalIpPrefixLength InetAddressPrefixLength, midcomRuleExternalPort InetPortNumber, midcomRuleInsideIpAddr InetAddress, midcomRuleInsidePort InetPortNumber, midcomRuleOutsideIpAddr InetAddress, midcomRuleOutsidePort InetPortNumber, midcomRuleLifetime Unsigned32, midcomRuleRowStatus RowStatus }
MidcomRuleEntry ::= SEQUENCE { midcomRuleOwner SnmpAdminString, midcomRuleIndex Unsigned32, midcomRuleAdminStatus INTEGER, midcomRuleOperStatus INTEGER, midcomRuleStorageType StorageType, midcomRuleStorageTime Unsigned32, midcomRuleError SnmpAdminString, midcomRuleInterface InterfaceIndexOrZero, midcomRuleFlowDirection INTEGER, midcomRuleMaxIdleTime Unsigned32, midcomRuleTransportProtocol Unsigned32, midcomRulePortRange INTEGER, midcomRuleInternalIpVersion InetAddressType, midcomRuleExternalIpVersion InetAddressType, midcomRuleInternalIpAddr InetAddress, midcomRuleInternalIpPrefixLength InetAddressPrefixLength, midcomRuleInternalPort InetPortNumber, midcomRuleExternalIpAddr InetAddress, midcomRuleExternalIpPrefixLength InetAddressPrefixLength, midcomRuleExternalPort InetPortNumber, midcomRuleInsideIpAddr InetAddress, midcomRuleInsidePort InetPortNumber, midcomRuleOutsideIpAddr InetAddress, midcomRuleOutsidePort InetPortNumber, midcomRuleLifetime Unsigned32, midcomRuleRowStatus RowStatus }
midcomRuleOwner OBJECT-TYPE SYNTAX SnmpAdminString (SIZE (0..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The manager who owns this row in the midcomRuleTable.
midcomRuleOwner对象类型语法SnmpAdminString(大小(0..32))MAX-ACCESS不可访问状态当前描述“在midcomRuleTable中拥有此行的管理器。
This object SHOULD uniquely identify an authenticated MIDCOM client. This object is part of the table index to allow for the use of the SNMPv3 View-based Access Control Model (VACM, RFC 3415)." ::= { midcomRuleEntry 1 }
This object SHOULD uniquely identify an authenticated MIDCOM client. This object is part of the table index to allow for the use of the SNMPv3 View-based Access Control Model (VACM, RFC 3415)." ::= { midcomRuleEntry 1 }
midcomRuleIndex OBJECT-TYPE SYNTAX Unsigned32 (1..4294967295) MAX-ACCESS not-accessible
midcomRuleIndex对象类型语法Unsigned32(1..4294967295)MAX-ACCESS不可访问
STATUS current DESCRIPTION "The value of this object must be unique in combination with the values of the objects midcomRuleOwner and midcomGroupIndex in this row." ::= { midcomRuleEntry 3 }
STATUS current DESCRIPTION "The value of this object must be unique in combination with the values of the objects midcomRuleOwner and midcomGroupIndex in this row." ::= { midcomRuleEntry 3 }
midcomRuleAdminStatus OBJECT-TYPE SYNTAX INTEGER { reserve(1), enable(2), notSet(3) } MAX-ACCESS read-create STATUS current DESCRIPTION "The value of this object indicates the desired status of the policy rule. See the definition of midcomRuleOperStatus for a description of the values.
midcomRuleAdminStatus OBJECT-TYPE SYNTAX INTEGER { reserve(1), enable(2), notSet(3) } MAX-ACCESS read-create STATUS current DESCRIPTION "The value of this object indicates the desired status of the policy rule. See the definition of midcomRuleOperStatus for a description of the values.
When a midcomRuleEntry is created without explicitly setting this object, its value will be notSet(3).
创建midcomRuleEntry时未显式设置此对象,其值将不会设置(3)。
However, a SET request can only set this object to either reserve(1) or enable(2). Attempts to set this object to notSet(3) will always fail with an 'inconsistentValue' error. Note that this error code is SNMP specific. If the MIB module is used with other protocols than SNMP, errors with similar semantics specific to those protocols should be returned.
但是,SET请求只能将此对象设置为reserve(1)或enable(2)。尝试将此对象设置为notSet(3)将始终失败,并出现“值不一致”错误。请注意,此错误代码是特定于SNMP的。如果MIB模块与SNMP以外的其他协议一起使用,则应返回具有特定于这些协议的类似语义的错误。
When the midcomRuleAdminStatus object is set, then the MIDCOM-MIB implementation will try to read the respective relevant objects of the entry and try to achieve the corresponding midcomRuleOperStatus.
设置midcomRuleAdminStatus对象后,MIDCOM-MIB实现将尝试读取条目的相应相关对象,并尝试实现相应的midcomRuleOperStatus。
Setting midcomRuleAdminStatus to value reserve(1) when object midcomRuleOperStatus has a value of reserved(7) does not have any effect on the policy rule. Setting midcomRuleAdminStatus to value enable(2) when object midcomRuleOperStatus has a value of enabled(8) does not have any effect on the policy rule.
当对象midcomRuleOperStatus的值为reserved(7)时,将midcomRuleAdminStatus设置为value reserve(1),对策略规则没有任何影响。当对象midcomRuleOperStatus的值为enabled(8)时,将midcomRuleAdminStatus设置为值enable(2)对策略规则没有任何影响。
Depending on whether the midcomRuleAdminStatus is set to reserve(1) or enable(2), several objects must be set in advance. They serve as parameters of the policy rule to be established.
根据midcomRuleAdminStatus设置为reserve(1)还是enable(2),必须提前设置多个对象。它们作为要建立的政策规则的参数。
When object midcomRuleAdminStatus is set to reserve(1), then the following objects in the same entry are of relevance: - midcomRuleInterface - midcomRuleTransportProtocol - midcomRulePortRange - midcomRuleInternalIpVersion - midcomRuleExternalIpVersion - midcomRuleInternalIpAddr - midcomRuleInternalIpPrefixLength - midcomRuleInternalPort - midcomRuleLifetime
当对象midcomRuleAdminStatus设置为reserve(1)时,然后,同一条目中的以下对象具有相关性:-midcomRuleInterface-midcomRuleTransportProtocol-midcomRulePortRange-midcomRuleInternalIpVersion-midcomRuleExternalIpVersion-midcomRuleInternalIpPrefixLength-midcomRuleInternalPort-midcomRuleLifetime
MIDCOM-MIB implementation may also consider the value of object midcomRuleMaxIdleTime when establishing a reserve rule.
在建立储备规则时,MIDCOM MIB实现也可以考虑对象MIDCOMRUMEXAXIDLE时间的值。
When object midcomRuleAdminStatus is set to enable(2), then the following objects in the same entry are of relevance: - midcomRuleInterface - midcomRuleFlowDirection - midcomRuleMaxIdleTime - midcomRuleTransportProtocol - midcomRulePortRange - midcomRuleInternalIpVersion - midcomRuleExternalIpVersion - midcomRuleInternalIpAddr - midcomRuleInternalIpPrefixLength - midcomRuleInternalPort - midcomRuleExternalIpAddr - midcomRuleExternalIpPrefixLength - midcomRuleExternalPort - midcomRuleLifetime
当对象midcomRuleAdminStatus设置为enable(2)时,然后,同一条目中的以下对象具有相关性:-midcomRuleInterface-midcomRuleFlowDirection-midcomRuleMaxIdleTime-midcomRuleTransportProtocol-midcomRulePortRange-midcomRuleInternalIpVersion-midcomRuleExternalIpVersion-MidcomRuleInternalIPAddress-midcomRuleInternalIpPrefixLength-midcomRuleInternalPort-MidComRuleExternalPaddr-MidComRuleExternalPrefixLength-midcomRuleExternalPort-midcomRuleLifetime
When retrieved, the object returns the last set value. If no value has been set, it returns the default value notSet(3)." DEFVAL { notSet } ::= { midcomRuleEntry 4 }
When retrieved, the object returns the last set value. If no value has been set, it returns the default value notSet(3)." DEFVAL { notSet } ::= { midcomRuleEntry 4 }
midcomRuleOperStatus OBJECT-TYPE SYNTAX INTEGER { newEntry(1), setting(2), checkingRequest(3), incorrectRequest(4), processingRequest(5),
midcomRuleOperStatus对象类型语法整数{newEntry(1)、设置(2)、检查请求(3)、不正确请求(4)、处理请求(5),
requestRejected(6), reserved(7), enabled(8), timedOut(9), terminatedOnRequest(10), terminated(11), genericError(12) } MAX-ACCESS read-only STATUS current DESCRIPTION "The actual status of the policy rule. The midcomRuleOperStatus object may have the following values:
requestRejected(6)、reserved(7)、enabled(8)、timedOut(9)、terminatedOnRequest(10)、terminated(11)、genericError(12)}MAX-ACCESS只读状态当前描述“策略规则的实际状态。midcomRuleOperStatus对象可能具有以下值:
- newEntry(1) indicates that the entry in the midcomRuleTable was created, but not modified yet. Such an entry needs to be filled with values specifying a request first.
- newEntry(1)表示midcomRuleTable中的条目已创建,但尚未修改。这样的条目需要先用指定请求的值填充。
- setting(2) indicates that the entry has been already modified after generating it, but no request was made yet.
- 设置(2)表示条目在生成后已被修改,但尚未发出任何请求。
- checkingRequest(3) indicates that midcomRuleAdminStatus has recently been set and that the MIDCOM-MIB implementation is currently checking the parameters of the request. This is a transient state. The value of this object will change to either incorrectRequest(4) or processingRequest(5) without any external interaction. A MIDCOM-MIB implementation MAY return this value while checking request parameters.
- checkingRequest(3)表示最近设置了midcomRuleAdminStatus,并且MIDCOM-MIB实现当前正在检查请求的参数。这是一个瞬态。在没有任何外部交互的情况下,此对象的值将更改为incorrectRequest(4)或processingRequest(5)。MIDCOM-MIB实现在检查请求参数时可能会返回此值。
- incorrectRequest(4) indicates that checking a request resulted in detecting an incorrect value in one of the objects containing request parameters. The failure reason is indicated by the value of midcomRuleError.
- incorrectRequest(4)表示检查请求导致在包含请求参数的一个对象中检测到不正确的值。故障原因由midcomRuleError的值指示。
- processingRequest(5) indicates that midcomRuleAdminStatus has recently been set and that the MIDCOM-MIB implementation is currently processing the request and trying to configure the middlebox accordingly. This is a transient state. The value of this object will change to either requestRejected(6), reserved(7), or enabled(8) without any external interaction. A MIDCOM-MIB implementation MAY return this value while processing a request.
- processingRequest(5)表示最近设置了midcomRuleAdminStatus,并且MIDCOM-MIB实现当前正在处理该请求并尝试相应地配置中间盒。这是一个瞬态。在没有任何外部交互的情况下,此对象的值将更改为requestRejected(6)、reserved(7)或enabled(8)。MIDCOM-MIB实现在处理请求时可能会返回此值。
- requestRejected(6) indicates that a request to establish
- requestRejected(6)表示请求建立
a policy rule specified by the entry was rejected. The reason for rejection is indicated by the value of midcomRuleError.
条目指定的策略规则被拒绝。拒绝的原因由midcomRuleError的值表示。
- reserved(7) indicates that the entry describes an established policy reserve rule. These values of MidcomRuleEntry are meaningful for a reserved policy rule: - midcomRuleMaxIdleTime - midcomRuleInterface - midcomRuleTransportProtocol - midcomRulePortRange - midcomRuleInternalIpVersion - midcomRuleExternalIpVersion - midcomRuleInternalIpAddr - midcomRuleInternalIpPrefixLength - midcomRuleInternalPort - midcomRuleOutsideIpAddr - midcomRuleOutsidePort - midcomRuleLifetime
- 保留(7)表示该条目描述已建立的策略保留规则。MidcomRuleEntry的这些值对于保留策略规则是有意义的:-midcomRuleMaxIdleTime-midcomRuleInterface-midcomRuleTransportProtocol-midcomRulePortRange-midcomRuleInternalIpVersion-midcomRuleExternalIpVersion-midcomRuleInternalIpPrefixLength-midcomRuleInternalPort-MidComRuleOutsideIPAddress-midcomRuleOutsidePort-midcomRuleLifetime
- enabled(8) indicates that the entry describes an established policy enable rule. These values of MidcomRuleEntry are meaningful for an enabled policy rule:
- 已启用(8)表示该条目描述已建立的策略启用规则。MidcomRuleEntry的这些值对于启用的策略规则有意义:
- midcomRuleFlowDirection - midcomRuleInterface - midcomRuleMaxIdleTime - midcomRuleTransportProtocol - midcomRulePortRange - midcomRuleInternalIpVersion - midcomRuleExternalIpVersion - midcomRuleInternalIpAddr - midcomRuleInternalIpPrefixLength - midcomRuleInternalPort - midcomRuleExternalIpAddr - midcomRuleExternalIpPrefixLength - midcomRuleExternalPort - midcomRuleInsideIpAddr - midcomRuleInsidePort - midcomRuleOutsideIpAddr - midcomRuleOutsidePort - midcomRuleLifetime
- midcomRuleFlowDirection-midcomRuleInterface-midcomRuleMaxIdleTime-midcomRuleTransportProtocol-midcomRuleInternalIpVersion-midcomRuleExternalIpVersion-midcomRuleInternalIpPrefixLength-midcomRuleInternalPort-midcomRuleExternalIpPrefixLength-midcomRuleExternalPort-MidComRuleInsideIPADR-MidComRuleInsideReport-MidComRuleOutsideIPADR-midcomRuleOutsidePort-midcomRuleLifetime
- timedOut(9) indicates that the lifetime of a previously established policy rule has expired and that the policy rule is terminated for this reason.
- timedOut(9)表示以前建立的策略规则的生存期已过期,并且该策略规则因此而终止。
- terminatedOnRequest(10) indicates that a previously established policy rule was terminated by an SNMP manager setting the midcomRuleLifetime to 0 or setting midcomGroupLifetime to 0.
- terminatedOnRequest(10)表示SNMP管理器将midcomRuleLifetime设置为0或将midcomGroupLifetime设置为0终止了先前建立的策略规则。
- terminated(11) indicates that a previously established policy rule was terminated by the MIDCOM-MIB implementation for a reason other than lifetime expiration or an explicit request from a MIDCOM client.
- terminated(11)表示MIDCOM-MIB实现终止以前建立的策略规则的原因不是生存期到期或来自MIDCOM客户端的显式请求。
- genericError(12) indicates that the policy rule specified by the entry is not established due to an error condition not listed above.
- genericError(12)表示由于上面未列出的错误条件,未建立条目指定的策略规则。
The states timedOut(9), terminatedOnRequest(10), and terminated(11) are referred to as termination states.
timedOut(9)、terminatedOnRequest(10)和terminated(11)状态称为终止状态。
The states incorrectRequest(4), requestRejected(6), and genericError(12) are referred to as error states.
不正确请求(4)、拒绝请求(6)和一般错误(12)的状态称为错误状态。
The checkingRequest(3) and processingRequest(5) states are transient states, which will lead to either one of the error states or the reserved(7) state or the enabled(8) state. MIDCOM-MIB implementations MAY return these values when checking or processing requests." DEFVAL { newEntry } ::= { midcomRuleEntry 5 }
The checkingRequest(3) and processingRequest(5) states are transient states, which will lead to either one of the error states or the reserved(7) state or the enabled(8) state. MIDCOM-MIB implementations MAY return these values when checking or processing requests." DEFVAL { newEntry } ::= { midcomRuleEntry 5 }
midcomRuleStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "When retrieved, this object returns the storage type of the policy rule. Writing to this object can change the storage type of the particular row from volatile(2) to nonVolatile(3) or vice versa.
midcomRuleStorageType对象类型语法StorageType MAX-ACCESS读取创建状态当前描述”检索时,此对象返回策略规则的存储类型。写入此对象可将特定行的存储类型从易失性(2)更改为非易失性(3),反之亦然。
Attempts to set this object to permanent will always fail with an 'inconsistentValue' error. Note that this error code is SNMP specific. If the MIB module is used with other protocols than SNMP, errors with similar semantics specific to those protocols should be returned.
尝试将此对象设置为永久将始终失败,并出现“值不一致”错误。请注意,此错误代码是特定于SNMP的。如果MIB模块与SNMP以外的其他协议一起使用,则应返回具有特定于这些协议的类似语义的错误。
If midcomRuleStorageType has the value permanent(4), then all objects in this row whose MAX-ACCESS value is read-create must be read-only."
如果midcomRuleStorageType的值为permanent(4),则此行中最大访问值为read create的所有对象都必须是只读的。”
DEFVAL { volatile } ::= { midcomRuleEntry 6 }
DEFVAL { volatile } ::= { midcomRuleEntry 6 }
midcomRuleStorageTime OBJECT-TYPE SYNTAX Unsigned32 UNITS "seconds" MAX-ACCESS read-create STATUS current DESCRIPTION "The value of this object specifies how long this row can exist in the midcomRuleTable after the midcomRuleOperStatus switched to a termination state or to an error state. This object returns the remaining time that the row may exist before it is aged out.
midcomRuleStorageTime对象类型语法无符号32个单位“秒”最大访问读取创建状态当前说明“此对象的值指定在midcomRuleOperStatus切换到终止状态或错误状态后,该行在midcomRuleTable中可以存在多长时间。此对象返回行在过期之前可能存在的剩余时间。
After expiration or termination of the context, the value of this object ticks backwards. The entry in the midcomRuleTable is destroyed when the value reaches 0.
上下文过期或终止后,此对象的值会向后勾选。值达到0时,midcomRuleTable中的条目将被销毁。
The value of this object may be set in order to increase or reduce the remaining time that the row may exist. Setting the value to 0 will destroy this entry as soon as the midcomRuleOperStatus switched to a termination state or to an error state.
可以设置此对象的值以增加或减少行可能存在的剩余时间。将值设置为0将在midcomRuleOperStatus切换到终止状态或错误状态时立即销毁此条目。
Note that there is no guarantee that the row is stored as long as this object indicates. At any time, the MIDCOM-MIB implementation may decide to remove a row describing a terminated policy rule before the storage time of the corresponding row in the midcomRuleTable reaches the value of 0. In this case, the information stored in this row is not available anymore.
请注意,不能保证只要该对象指示,就可以存储该行。在任何时候,MIDCOM-MIB实现都可能决定在MIDCOM规则表中相应行的存储时间达到0之前删除描述终止策略规则的行。在这种情况下,存储在此行中的信息不再可用。
If object midcomRuleStorageType indicates that the policy rule has the storage type permanent(4), then this object has a constant value of 4294967295." DEFVAL { 0 } ::= { midcomRuleEntry 7 }
If object midcomRuleStorageType indicates that the policy rule has the storage type permanent(4), then this object has a constant value of 4294967295." DEFVAL { 0 } ::= { midcomRuleEntry 7 }
midcomRuleError OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "This object contains a descriptive error message if the transition into the operational status reserved(7) or enabled(8) failed. Implementations must reset the error message to a zero-length string when a new
midcomRuleError对象类型语法SNMPAdministring MAX-ACCESS只读状态当前描述“如果转换为保留(7)或启用(8)的操作状态失败,则此对象包含描述性错误消息。当新的
attempt to change the policy rule status to reserved(7) or enabled(8) is started.
开始尝试将策略规则状态更改为保留(7)或启用(8)。
RECOMMENDED values to be returned in particular cases include - 'lack of IP addresses' - 'lack of port numbers' - 'lack of resources' - 'specified NAT interface does not exist' - 'specified NAT interface does not support NAT' - 'conflict with already existing policy rule' - 'no internal IP wildcarding allowed' - 'no external IP wildcarding allowed'
在特定情况下返回的建议值包括—“缺少IP地址”—“缺少端口号”—“缺少资源”—“指定的NAT接口不存在”—“指定的NAT接口不支持NAT”—“与现有策略规则冲突”—“不允许内部IP通配符”—“不允许外部IP通配符”允许的
The semantics of these error messages and the corresponding behavior of the MIDCOM-MIB implementation are specified in sections 2.3.9 and 2.3.10 of RFC 3989." REFERENCE "RFC 3989, sections 2.3.9 and 2.3.10" DEFVAL { ''H } ::= { midcomRuleEntry 8 }
The semantics of these error messages and the corresponding behavior of the MIDCOM-MIB implementation are specified in sections 2.3.9 and 2.3.10 of RFC 3989." REFERENCE "RFC 3989, sections 2.3.9 and 2.3.10" DEFVAL { ''H } ::= { midcomRuleEntry 8 }
    midcomRuleInterface OBJECT-TYPE
        SYNTAX      InterfaceIndexOrZero
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "This object indicates the IP interface for which
             enforcement of a policy rule is requested or performed,
             respectively.

             The interface is identified by its index in the
             ifTable (see IF-MIB in RFC 2863).  If the object has a
             value of 0, then no particular interface is indicated.

             This object is used as input to a request for
             establishing a policy rule as well as for indicating
             the properties of an established policy rule.

             If object midcomRuleOperStatus of the same entry has
             the value newEntry(1) or setting(2), then this object
             can be written by a manager in order to request its
             preference concerning the interface at which it
             requests NAT service.  The default value of 0
             indicates that the manager does not have a preferred
             interface or does not have sufficient topology
             information for specifying one.  Writing to this
             object in any state other than newEntry(1) or
             setting(2) will always fail with an
             'inconsistentValue' error.

             Note that this error code is SNMP specific.  If the
             MIB module is used with other protocols than SNMP,
             errors with similar semantics specific to those
             protocols should be returned.

             If object midcomRuleOperStatus of the same entry has
             the value reserved(7) or enabled(8), then this object
             indicates the interface at which NAT service for this
             rule is performed.  If NAT service is not required for
             enforcing the policy rule, then the value of this
             object is 0.  Also, if the MIDCOM-MIB implementation
             cannot indicate an interface, because it does not have
             this information or because NAT service is not offered
             at a particular single interface, then the value of
             the object is 0.

             Note that the index of a particular interface in the
             ifTable may change after a re-initialization of the
             middlebox, for example, after adding another interface
             to it.  In such a case, the value of this object may
             change, but the interface referred to by the
             MIDCOM-MIB MUST still be the same.  If, after a
             re-initialization of the middlebox, the interface
             referred to before re-initialization cannot be
             uniquely mapped anymore to a particular entry in the
             ifTable, then the value of object midcomRuleOperStatus
             of the same entry MUST be changed to terminated(11).

             If object midcomRuleOperStatus of the same entry has a
             value other than newEntry(1), setting(2), reserved(7),
             or enabled(8), then the value of this object is
             irrelevant."
        DEFVAL { 0 }
        ::= { midcomRuleEntry 9 }
    midcomRuleFlowDirection OBJECT-TYPE
        SYNTAX      INTEGER {
                        inbound(1),
                        outbound(2),
                        biDirectional(3)
                    }
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "This parameter specifies the direction of enabled
             communication, either inbound(1), outbound(2), or
             biDirectional(3).

             The semantics of this object depends on the protocol
             the rule relates to.  If the rule is independent of
             the transport protocol (midcomRuleTransportProtocol
             has a value of 0) or if the transport protocol is UDP,
             then the value of midcomRuleFlowDirection indicates
             the direction of packets traversing the middlebox.

             In this case, value inbound(1) indicates that packets
             are traversing from outside to inside, and value
             outbound(2) indicates that packets are traversing from
             inside to outside.  For both values, inbound(1) and
             outbound(2), packets can traverse the middlebox in one
             direction only.  A bidirectional flow is indicated by
             value biDirectional(3).

             If the transport protocol is TCP, the packet flow is
             always bidirectional, but the value of
             midcomRuleFlowDirection indicates that:

             - inbound(1): bidirectional TCP packet flow.  First
               packet, with TCP SYN flag set, must arrive at an
               outside interface of the middlebox.

             - outbound(2): bidirectional TCP packet flow.  First
               packet, with TCP SYN flag set, must arrive at an
               inside interface of the middlebox.

             - biDirectional(3): bidirectional TCP packet flow.
               First packet, with TCP SYN flag set, may arrive at
               an inside or an outside interface of the middlebox.

             This object is used as input to a request for
             establishing a policy enable rule as well as for
             indicating the properties of an established policy
             rule.

             If object midcomRuleOperStatus of the same entry has a
             value of either newEntry(1), setting(2), or
             reserved(7), then this object can be written by a
             manager in order to specify a requested direction to
             be enabled by a policy rule.  Writing to this object
             in any state other than newEntry(1), setting(2), or
             reserved(7) will always fail with an
             'inconsistentValue' error.

             Note that this error code is SNMP specific.  If the
             MIB module is used with other protocols than SNMP,
             errors with similar semantics specific to those
             protocols should be returned.

             If object midcomRuleOperStatus of the same entry has
             the value enabled(8), then this object indicates the
             enabled flow direction.

             If object midcomRuleOperStatus of the same entry has a
             value other than newEntry(1), setting(2), reserved(7),
             or enabled(8), then the value of this object is
             irrelevant."
        DEFVAL { outbound }
        ::= { midcomRuleEntry 10 }
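The TCP/UDP distinction above is the part of midcomRuleFlowDirection that is easiest to get wrong in an enforcement engine: for TCP the value does not restrict packet direction at all, it restricts which side the connection-opening SYN may come from, while for UDP and protocol-independent rules it is a literal traversal direction. The following added example (not code from RFC 5190 or any MIDCOM implementation) models that decision. The Packet and FlowRule classes, the "inside"/"outside" arrival labels and the per-rule tcp_opened bookkeeping are assumptions made for illustration; RFC 5190 only describes the resulting behaviour.

```python
"""Model of midcomRuleFlowDirection semantics (RFC 5190).

Added example, not part of RFC 5190.  Packet/FlowRule layout, the
arrival-interface labels and the SYN bookkeeping are assumptions.
"""
from dataclasses import dataclass

# Enumeration values of midcomRuleFlowDirection
INBOUND, OUTBOUND, BIDIRECTIONAL = 1, 2, 3
# Values of midcomRuleTransportProtocol (IANA protocol numbers, 0 = IP only)
PROTO_ANY, PROTO_TCP, PROTO_UDP = 0, 6, 17


@dataclass(frozen=True)
class Packet:
    proto: int          # IP protocol number of the packet
    arrives_at: str     # "inside" or "outside" interface of the middlebox
    syn: bool = False   # TCP SYN flag (ignored for non-TCP)
    ack: bool = False   # TCP ACK flag; SYN without ACK opens a connection


@dataclass
class FlowRule:
    transport_protocol: int   # midcomRuleTransportProtocol
    flow_direction: int       # midcomRuleFlowDirection
    tcp_opened: bool = False  # assumed state: a permitted initial SYN was seen


def _packet_direction(p: Packet) -> int:
    """A packet arriving at the outside interface travels inbound."""
    return INBOUND if p.arrives_at == "outside" else OUTBOUND


def permits(rule: FlowRule, p: Packet) -> bool:
    """Return True if the packet may traverse the middlebox under the rule."""
    if rule.transport_protocol not in (PROTO_ANY, p.proto):
        return False
    direction = _packet_direction(p)

    if rule.transport_protocol == PROTO_TCP:
        # TCP flows are always bidirectional; the direction value only
        # constrains on which side the connection-opening SYN may arrive.
        if p.syn and not p.ack:
            allowed = rule.flow_direction in (BIDIRECTIONAL, direction)
            if allowed:
                rule.tcp_opened = True
            return allowed
        # Every other segment belongs to an already opened connection.
        return rule.tcp_opened

    # Protocol-independent (0) and UDP rules: the value is the literal
    # traversal direction.  Other protocols are treated the same way here,
    # which is an assumption; RFC 5190 only spells out TCP, UDP and 0.
    if rule.flow_direction == BIDIRECTIONAL:
        return True
    return rule.flow_direction == direction
```

Note that an outbound(2) TCP rule rejects a SYN arriving from outside but accepts the returning SYN/ACK once an inside-originated SYN has been seen; a middlebox that instead filtered TCP on raw packet direction would break every outbound connection.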
    midcomRuleMaxIdleTime OBJECT-TYPE
        SYNTAX      Unsigned32
        UNITS       "seconds"
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "Maximum idle time of the policy rule in seconds.

             If no packet to which the policy rule applies passes
             the middlebox for the specified midcomRuleMaxIdleTime,
             then the policy rule enters the termination state
             timedOut(9).

             A value of 0 indicates that the policy does not
             require an individual idle time and that instead, a
             default idle time chosen by the middlebox is used.

             A value of 4294967295 ( = 2^32 - 1 ) indicates that
             the policy does not time out if it is idle.

             This object is used as input to a request for
             establishing a policy enable rule as well as for
             indicating the properties of an established policy
             rule.

             If object midcomRuleOperStatus of the same entry has a
             value of either newEntry(1), setting(2), or
             reserved(7), then this object can be written by a
             manager in order to specify a maximum idle time for
             the policy rule to be requested.  Writing to this
             object in any state other than newEntry(1),
             setting(2), or reserved(7) will always fail with an
             'inconsistentValue' error.

             Note that this error code is SNMP specific.  If the
             MIB module is used with other protocols than SNMP,
             errors with similar semantics specific to those
             protocols should be returned.

             If object midcomRuleOperStatus of the same entry has
             the value enabled(8), then this object indicates the
             maximum idle time of the policy rule.  Note that even
             if a maximum idle time greater than zero was
             requested, the middlebox may not be able to support
             maximum idle times and set the value of this object
             to zero when entering state enabled(8).

             If object midcomRuleOperStatus of the same entry has a
             value other than newEntry(1), setting(2), reserved(7),
             or enabled(8), then the value of this object is
             irrelevant."
        DEFVAL { 0 }
        ::= { midcomRuleEntry 11 }
    midcomRuleTransportProtocol OBJECT-TYPE
        SYNTAX      Unsigned32 (0..255)
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The transport protocol.

             Valid values for midcomRuleTransportProtocol other
             than zero are defined at:
             http://www.iana.org/assignments/protocol-numbers

             This object is used as input to a request for
             establishing a policy rule as well as for indicating
             the properties of an established policy rule.

             If object midcomRuleOperStatus of the same entry has a
             value of either newEntry(1) or setting(2), then this
             object can be written by a manager in order to specify
             a requested transport protocol.  If translation of an
             IP address only is requested, then this object must
             have the default value 0.  Writing to this object in
             any state other than newEntry(1) or setting(2) will
             always fail with an 'inconsistentValue' error.

             Note that this error code is SNMP specific.  If the
             MIB module is used with other protocols than SNMP,
             errors with similar semantics specific to those
             protocols should be returned.

             If object midcomRuleOperStatus of the same entry has
             the value reserved(7) or enabled(8), then this object
             indicates which transport protocol is enforced by this
             policy rule.  A value of 0 indicates a rule acting on
             IP addresses only.

             If object midcomRuleOperStatus of the same entry has a
             value other than newEntry(1), setting(2), reserved(7),
             or enabled(8), then the value of this object is
             irrelevant."
        DEFVAL { 0 }
        ::= { midcomRuleEntry 12 }
    midcomRulePortRange OBJECT-TYPE
        SYNTAX      INTEGER {
                        single(1),
                        pair(2)
                    }
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The range of port numbers.

             This object is used as input to a request for
             establishing a policy rule as well as for indicating
             the properties of an established policy rule.  It is
             relevant to the operation of the MIDCOM-MIB
             implementation only if the value of object
             midcomRuleTransportProtocol in the same entry has a
             value other than 0.

             If object midcomRuleOperStatus of the same entry has
             the value newEntry(1) or setting(2), then this object
             can be written by a manager in order to specify the
             requested size of the port range.  With single(1) just
             a single port number is requested, with pair(2) a
             consecutive pair of port numbers is requested with the
             lower number being even.  Requesting a consecutive
             pair of port numbers may be used by RTP [RFC3550] and
             may even be required to support older RTP
             applications.

             Writing to this object in any state other than
             newEntry(1), setting(2) or reserved(7) will always
             fail with an 'inconsistentValue' error.

             Note that this error code is SNMP specific.  If the
             MIB module is used with other protocols than SNMP,
             errors with similar semantics specific to those
             protocols should be returned.

             If object midcomRuleOperStatus of the same entry has a
             value of either reserved(7) or enabled(8), then this
             object will have the value that it had before the
             transition to this state.

             If object midcomRuleOperStatus of the same entry has a
             value other than newEntry(1), setting(2), reserved(7),
             or enabled(8), then the value of this object is
             irrelevant."
        DEFVAL { single }
        ::= { midcomRuleEntry 13 }
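An allocator on the middlebox side has to honour two constraints from the pair(2) case: the two ports must be consecutive and the lower one must be even, and when that cannot be satisfied the rule transition fails and midcomRuleError should carry one of the RECOMMENDED strings ('lack of port numbers'). The following added example (not code from RFC 5190 or any MIDCOM implementation) shows one such allocator. The pool bounds (defaulting to the IANA dynamic range), the PortPool class and the exception-to-error-string mapping are assumptions made for illustration.

```python
"""Port allocation following midcomRulePortRange (RFC 5190).

Added example, not part of RFC 5190.  PortPool, its default bounds and
the PortPoolExhausted exception are assumptions for illustration.
"""
from typing import Tuple

SINGLE, PAIR = 1, 2   # enumeration values of midcomRulePortRange


class PortPoolExhausted(Exception):
    """No suitable port(s) free; the text is the RECOMMENDED
    midcomRuleError value for this case."""


class PortPool:
    def __init__(self, low: int = 49152, high: int = 65535):
        # Assumed default: the IANA dynamic/private port range.
        if not (1 <= low <= high <= 65535):
            raise ValueError("invalid port range")
        self.low, self.high = low, high
        self.in_use = set()

    def allocate(self, port_range: int) -> Tuple[int, ...]:
        """Return the allocated port(s) and mark them in use."""
        if port_range == SINGLE:
            for p in range(self.low, self.high + 1):
                if p not in self.in_use:
                    self.in_use.add(p)
                    return (p,)
        elif port_range == PAIR:
            # Candidates are even ports whose odd successor is still
            # within the pool, hence the exclusive upper bound.
            start = self.low if self.low % 2 == 0 else self.low + 1
            for p in range(start, self.high, 2):
                if p not in self.in_use and p + 1 not in self.in_use:
                    self.in_use.update((p, p + 1))
                    return (p, p + 1)
        else:
            raise ValueError(f"unknown midcomRulePortRange value {port_range}")
        raise PortPoolExhausted("lack of port numbers")

    def release(self, *ports: int) -> None:
        """Return ports to the pool, e.g. when the rule is terminated."""
        self.in_use.difference_update(ports)
```

Because a single(1) allocation can land on an even port and thereby spoil an otherwise free pair, an implementation that expects many RTP-style requests may prefer to hand out odd ports first for single(1); the example keeps the simpler first-free policy.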
    midcomRuleInternalIpVersion OBJECT-TYPE
        SYNTAX      InetAddressType
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "IP version of the internal address (A0) and the inside
             address (A1).  Allowed values are ipv4(1), ipv6(2),
             ipv4z(3), and ipv6z(4).

             This object is used as input to a request for
             establishing a policy rule as well as for indicating
             the properties of an established policy rule.

             If object midcomRuleOperStatus of the same entry has
             the value newEntry(1) or setting(2), then this object
             can be written by a manager in order to specify the IP
             version required at the inside of the middlebox.
             Writing to this object in any state other than
             newEntry(1) or setting(2) will always fail with an
             'inconsistentValue' error.

             Note that this error code is SNMP specific.  If the
             MIB module is used with other protocols than SNMP,
             errors with similar semantics specific to those
             protocols should be returned.

             If object midcomRuleOperStatus of the same entry has
             the value reserved(7) or enabled(8), then this object
             indicates the internal/inside IP version.

             If object midcomRuleOperStatus of the same entry has a
             value other than newEntry(1), setting(2), reserved(7),
             or enabled(8), then the value of this object is
             irrelevant."
        DEFVAL { ipv4 }
        ::= { midcomRuleEntry 14 }
    midcomRuleExternalIpVersion OBJECT-TYPE
        SYNTAX      InetAddressType
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "IP version of the external address (A3) and the
             outside address (A2).  Allowed values are ipv4(1) and
             ipv6(2).

             This object is used as input to a request for
             establishing a policy rule as well as for indicating
             the properties of an established policy rule.

             If object midcomRuleOperStatus of the same entry has
             the value newEntry(1) or setting(2), then this object
             can be written by a manager in order to specify the IP
             version required at the outside of the middlebox.
             Writing to this object in any state other than
             newEntry(1) or setting(2) will always fail with an
             'inconsistentValue' error.

             Note that this error code is SNMP specific.  If the
             MIB module is used with other protocols than SNMP,
             errors with similar semantics specific to those
             protocols should be returned.

             If object midcomRuleOperStatus of the same entry has
             the value reserved(7) or enabled(8), then this object
             indicates the external/outside IP version.

             If object midcomRuleOperStatus of the same entry has a
             value other than newEntry(1), setting(2), reserved(7)
             or enabled(8), then the value of this object is
             irrelevant."
        DEFVAL { ipv4 }
        ::= { midcomRuleEntry 15 }
    midcomRuleInternalIpAddr OBJECT-TYPE
        SYNTAX      InetAddress
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The internal IP address (A0).

             This object is used as input to a request for
             establishing a policy rule as well as for indicating
             the properties of an established policy rule.

             If object midcomRuleOperStatus of the same entry has
             the value newEntry(1) or setting(2), then this object
             can be written by a manager in order to specify the
             internal IP address for which a reserve policy rule or
             an enable policy rule is requested to be established.
             Writing to this object in any state other than
             newEntry(1) or setting(2) will always fail with an
             'inconsistentValue' error.

             Note that this error code is SNMP specific.  If the
             MIB module is used with other protocols than SNMP,
             errors with similar semantics specific to those
             protocols should be returned.

             If object midcomRuleOperStatus of the same entry has
             the value reserved(7) or enabled(8), then this object
             will have the value which it had before the transition
             to this state.

             If object midcomRuleOperStatus of the same entry has a
             value other than newEntry(1), setting(2), reserved(7)
             or enabled(8), then the value of this object is
             irrelevant."
        ::= { midcomRuleEntry 16 }
    midcomRuleInternalIpPrefixLength OBJECT-TYPE
        SYNTAX      InetAddressPrefixLength
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The prefix length of the internal IP address used for
             wildcarding.  A value of 0 indicates a full wildcard;
             in this case, the value of midcomRuleInternalIpAddr is
             irrelevant.  If midcomRuleInternalIpVersion has a
             value of ipv4(1), then a value > 31 indicates no
             wildcarding at all.  If midcomRuleInternalIpVersion
             has a value of ipv6(2), then a value > 127 indicates
             no wildcarding at all.  A MIDCOM-MIB implementation
             that does not support IP address wildcarding MUST
             implement this object as read-only with a value of
             128.  A MIDCOM-MIB implementation that does not
             support wildcarding based on prefix length MAY
             restrict allowed values for this object to 0 and 128.

             This object is used as input to a request for
             establishing a policy rule as well as for indicating
             the properties of an established policy rule.

             If object midcomRuleOperStatus of the same entry has
             the value newEntry(1) or setting(2), then this object
             can be written by a manager in order to specify the
             prefix length of the internal IP address for which a
             reserve policy rule or an enable policy rule is
             requested to be established.  Writing to this object
             in any state other than newEntry(1) or setting(2) will
             always fail with an 'inconsistentValue' error.

             Note that this error code is SNMP specific.  If the
             MIB module is used with other protocols than SNMP,
             errors with similar semantics specific to those
             protocols should be returned.

             If object midcomRuleOperStatus of the same entry has
             the value reserved(7) or enabled(8), then this object
             will have the value which it had before the transition
             to this state.

             If object midcomRuleOperStatus of the same entry has a
             value other than newEntry(1), setting(2), reserved(7),
             or enabled(8), then the value of this object is
             irrelevant."
        DEFVAL { 128 }
        ::= { midcomRuleEntry 17 }
    midcomRuleInternalPort OBJECT-TYPE
        SYNTAX      InetPortNumber
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The internal port number.  A value of 0 is a wildcard.

             This object is used as input to a request for
             establishing a policy rule as well as for indicating
             the properties of an established policy rule.  It is
             relevant to the operation of the MIDCOM-MIB
             implementation only if the value of object
             midcomRuleTransportProtocol in the same entry has a
             value other than 0.

             If object midcomRuleOperStatus of the same entry has
             the value newEntry(1) or setting(2), then this object
             can be written by a manager in order to specify the
             internal port number for which a reserve policy rule
             or an enable policy rule is requested to be
             established.  Writing to this object in any state
             other than newEntry(1) or setting(2) will always fail
             with an 'inconsistentValue' error.

             Note that this error code is SNMP specific.  If the
             MIB module is used with other protocols than SNMP,
             errors with similar semantics specific to those
             protocols should be returned.

             If object midcomRuleOperStatus of the same entry has
             the value reserved(7) or enabled(8), then this object
             will have the value that it had before the transition
             to this state.

             If object midcomRuleOperStatus of the same entry has a
             value other than newEntry(1), setting(2), reserved(7),
             or enabled(8), then the value of this object is
             irrelevant."
        DEFVAL { 0 }
        ::= { midcomRuleEntry 18 }
    midcomRuleExternalIpAddr OBJECT-TYPE
        SYNTAX      InetAddress
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The external IP address (A3).

             This object is used as input to a request for
             establishing a policy rule as well as for indicating
             the properties of an established policy rule.

             If object midcomRuleOperStatus of the same entry has
             the value newEntry(1), setting(2), or reserved(7),
             then this object can be written by a manager in order
             to specify the external IP address for which an enable
             policy rule is requested to be established.  Writing
             to this object in any state other than newEntry(1),
             setting(2), or reserved(7) will always fail with an
             'inconsistentValue' error.

             Note that this error code is SNMP specific.  If the
             MIB module is used with other protocols than SNMP,
             errors with similar semantics specific to those
             protocols should be returned.

             If object midcomRuleOperStatus of the same entry has
             the value enabled(8), then this object will have the
             value that it had before the transition to this state.

             If object midcomRuleOperStatus of the same entry has a
             value other than newEntry(1), setting(2), reserved(7),
             or enabled(8), then the value of this object is
             irrelevant."
        ::= { midcomRuleEntry 19 }
    midcomRuleExternalIpPrefixLength OBJECT-TYPE
        SYNTAX      InetAddressPrefixLength
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The prefix length of the external IP address used for
             wildcarding.  A value of 0 indicates a full wildcard;
             in this case, the value of midcomRuleExternalIpAddr is
             irrelevant.  If midcomRuleExternalIpVersion has a
             value of ipv4(1), then a value > 31 indicates no
             wildcarding at all.  If midcomRuleExternalIpVersion
             has a value of ipv6(2), then a value > 127 indicates
             no wildcarding at all.  A MIDCOM-MIB implementation
             that does not support IP address wildcarding MUST
             implement this object as read-only with a value of
             128.  A MIDCOM-MIB implementation that does not
             support wildcarding based on prefix length MAY
             restrict allowed values for this object to 0 and 128.

             This object is used as input to a request for
             establishing a policy rule as well as for indicating
             the properties of an established policy rule.

             If object midcomRuleOperStatus of the same entry has
             the value newEntry(1), setting(2), or reserved(7),
             then this object can be written by a manager in order
             to specify the prefix length of the external IP
             address for which an enable policy rule is requested
             to be established.  Writing to this object in any
             state other than newEntry(1), setting(2), or
             reserved(7) will always fail with an
             'inconsistentValue' error.

             Note that this error code is SNMP specific.  If the
             MIB module is used with other protocols than SNMP,
             errors with similar semantics specific to those
             protocols should be returned.

             If object midcomRuleOperStatus of the same entry has
             the value enabled(8), then this object will have the
             value that it had before the transition to this state.

             If object midcomRuleOperStatus of the same entry has a
             value other than newEntry(1), setting(2), reserved(7),
             or enabled(8), then the value of this object is
             irrelevant."
        DEFVAL { 128 }
        ::= { midcomRuleEntry 20 }
    midcomRuleExternalPort OBJECT-TYPE
        SYNTAX      InetPortNumber
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The external port number.  A value of 0 is a wildcard.

             This object is used as input to a request for
             establishing a policy rule as well as for indicating
             the properties of an established policy rule.  It is
             relevant to the operation of the MIDCOM-MIB
             implementation only if the value of object
             midcomRuleTransportProtocol in the same entry has a
             value other than 0.

             If object midcomRuleOperStatus of the same entry has
             the value newEntry(1), setting(2) or reserved(7), then
             this object can be written by a manager in order to
             specify the external port number for which an enable
             policy rule is requested to be established.  Writing
             to this object in any state other than newEntry(1),
             setting(2) or reserved(7) will always fail with an
             'inconsistentValue' error.

             Note that this error code is SNMP specific.  If the
             MIB module is used with other protocols than SNMP,
             errors with similar semantics specific to those
             protocols should be returned.

             If object midcomRuleOperStatus of the same entry has
             the value enabled(8), then this object will have the
             value which it had before the transition to this
             state.

             If object midcomRuleOperStatus of the same entry has a
             value other than newEntry(1), setting(2), reserved(7)
             or enabled(8), then the value of this object is
             irrelevant."
        DEFVAL { 0 }
        ::= { midcomRuleEntry 21 }
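The internal and external address, prefix-length and port objects above together define what traffic a policy rule covers, and the wildcard conventions are easy to misapply: prefix length 0 means "any address" regardless of what midcomRule*IpAddr holds, a prefix length above 31 (IPv4) or 127 (IPv6) means an exact match rather than an error, port 0 means "any port", and the ports are not consulted at all when midcomRuleTransportProtocol is 0. The following added example (not code from RFC 5190 or any MIDCOM implementation) implements a matcher with those semantics for the A0 (internal) and A3 (external) sides of a rule. The Endpoint and Rule classes and the treatment of the zone-indexed address types (ipv4z/ipv6z handled like ipv4/ipv6, ignoring the zone) are assumptions made for illustration.

```python
"""Address/port matching with RFC 5190 wildcard semantics.

Added example, not part of RFC 5190.  Endpoint/Rule layout and the
zone-index handling are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass

# InetAddressType values accepted by midcomRule{Internal,External}IpVersion
IPV4, IPV6, IPV4Z, IPV6Z = 1, 2, 3, 4


@dataclass(frozen=True)
class Endpoint:
    ip_version: int      # midcomRule{Internal,External}IpVersion
    ip_addr: str         # midcomRule{Internal,External}IpAddr (textual here)
    prefix_length: int   # midcomRule{Internal,External}IpPrefixLength
    port: int            # midcomRule{Internal,External}Port, 0 = wildcard


@dataclass(frozen=True)
class Rule:
    transport_protocol: int   # midcomRuleTransportProtocol, 0 = IP only
    internal: Endpoint        # A0 side
    external: Endpoint        # A3 side


def _is_v4(ep: Endpoint) -> bool:
    # Assumption: zone-indexed types match like their non-zoned versions.
    return ep.ip_version in (IPV4, IPV4Z)


def _effective_prefix(ep: Endpoint) -> int:
    """0 stays a full wildcard; anything above the address length
    collapses to an exact match, as the MIB text prescribes."""
    if ep.prefix_length == 0:
        return 0
    return min(ep.prefix_length, 32 if _is_v4(ep) else 128)


def address_matches(ep: Endpoint, addr: str) -> bool:
    pfx = _effective_prefix(ep)
    if pfx == 0:
        return True          # full wildcard: ip_addr is irrelevant
    candidate = ipaddress.ip_address(addr)
    if candidate.version != (4 if _is_v4(ep) else 6):
        return False         # IP version mismatch can never match
    net = ipaddress.ip_network(f"{ep.ip_addr}/{pfx}", strict=False)
    return candidate in net


def endpoint_matches(ep: Endpoint, addr: str, port: int,
                     ports_relevant: bool) -> bool:
    if not address_matches(ep, addr):
        return False
    if not ports_relevant or ep.port == 0:
        return True          # IP-only rule, or port wildcard
    return ep.port == port


def rule_matches(rule: Rule, proto: int,
                 internal_addr: str, internal_port: int,
                 external_addr: str, external_port: int) -> bool:
    """True if a packet between the given endpoints falls under the rule."""
    ports_relevant = rule.transport_protocol != 0
    if ports_relevant and proto != rule.transport_protocol:
        return False
    return (endpoint_matches(rule.internal, internal_addr, internal_port,
                             ports_relevant)
            and endpoint_matches(rule.external, external_addr, external_port,
                                 ports_relevant))
```

A manager that wants a rule for exactly one host should therefore send the full address length (32 or 128) or rely on the DEFVAL of 128, never 0; an implementation that does not support wildcarding will reject anything else anyway, returning 'no internal IP wildcarding allowed' or 'no external IP wildcarding allowed' in midcomRuleError.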
    midcomRuleInsideIpAddr OBJECT-TYPE
        SYNTAX      InetAddress
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The inside IP address at the middlebox (A1).

             The value of this object is relevant only if object
             midcomRuleOperStatus of the same entry has a value of
             either reserved(7) or enabled(8)."
        ::= { midcomRuleEntry 22 }
    midcomRuleInsidePort OBJECT-TYPE
        SYNTAX      InetPortNumber
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The inside port number at the middlebox.  A value of 0 is a wildcard.

             The value of this object is relevant only if object midcomRuleOperStatus of the same entry has a value of either reserved(7) or enabled(8)."
        ::= { midcomRuleEntry 23 }
    midcomRuleOutsideIpAddr OBJECT-TYPE
        SYNTAX      InetAddress
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The outside IP address at the middlebox (A2).

             The value of this object is relevant only if object midcomRuleOperStatus of the same entry has a value of either reserved(7) or enabled(8)."
        ::= { midcomRuleEntry 24 }
    midcomRuleOutsidePort OBJECT-TYPE
        SYNTAX      InetPortNumber
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The outside port number at the middlebox.  A value of 0 is a wildcard.

             The value of this object is relevant only if object midcomRuleOperStatus of the same entry has a value of either reserved(7) or enabled(8)."
        ::= { midcomRuleEntry 25 }
    midcomRuleLifetime OBJECT-TYPE
        SYNTAX      Unsigned32
        UNITS       "seconds"
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The remaining lifetime in seconds of this policy rule.

             Lifetime of a policy rule starts when object midcomRuleOperStatus in the same entry enters either state reserved(7) or state enabled(8).

             This object is used as input to a request for establishing a policy rule as well as for indicating the properties of an established policy rule.

             If object midcomRuleOperStatus of the same entry has a value of either newEntry(1) or setting(2), then this object can be written by a manager in order to specify the requested lifetime of a policy rule to be established.

             If object midcomRuleOperStatus of the same entry has a value of either reserved(7) or enabled(8), then this object indicates the (continuously decreasing) remaining lifetime of the established policy rule.  Note that when entering state reserved(7) or enabled(8), the MIDCOM-MIB implementation can choose a lifetime shorter than the one requested.

             Unlike other parameters of the policy rule, this parameter can still be written in state reserved(7) and enabled(8).

             Writing to this object is processed by the MIDCOM-MIB implementation by choosing a lifetime value that is greater than 0 and less than or equal to the minimum of the requested value and the value specified by object midcomConfigMaxLifetime:

                 0 <= lt_granted <= MINIMUM(lt_requested, lt_maximum)

             where:
               - lt_granted is the lifetime actually granted by the MIDCOM-MIB implementation
               - lt_requested is the lifetime requested by the MIDCOM client
               - lt_maximum is the value of object midcomConfigMaxLifetime

             SNMP SET requests to this object may be rejected, or the value of the object after an accepted SET operation may be less than the value that was contained in the SNMP SET request.

             Successfully writing a value of 0 terminates the policy rule.  Note that after a policy rule is terminated, the entry will still exist for as long as indicated by the value of midcomRuleStorageTime.

             Writing to this object in any state other than newEntry(1), setting(2), reserved(7), or enabled(8) will always fail with an 'inconsistentValue' error.

             Note that this error code is SNMP specific.  If the MIB module is used with other protocols than SNMP, errors with similar semantics specific to those protocols should be returned.

             If object midcomRuleOperStatus of the same entry has a value other than newEntry(1), setting(2), reserved(7), or enabled(8), then the value of this object is irrelevant."
        DEFVAL { 180 }
        ::= { midcomRuleEntry 26 }
    midcomRuleRowStatus OBJECT-TYPE
        SYNTAX      RowStatus
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "A control that allows entries to be added and removed from this table.

             Entries can also be removed from this table by setting objects midcomRuleLifetime and midcomRuleStorageTime of an entry to 0.

             Attempts to set a row notInService(2) where the value of the midcomRuleStorageType object is permanent(4) or readOnly(5) will result in a 'notWritable' error.

             Note that this error code is SNMP specific.  If the MIB module is used with other protocols than SNMP, errors with similar semantics specific to those protocols should be returned.

             The value of this object has no effect on whether other objects in this conceptual row can be modified."
        ::= { midcomRuleEntry 27 }
    --
    -- Policy rule group subtree
    --
    -- The midcomGroupTable lists all current policy rule groups.
    --
    midcomGroupTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF MidcomGroupEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "This table lists all current policy rule groups.

             Entries in this table are created or removed implicitly when entries in the midcomRuleTable are created or removed, respectively.  A group entry in this table only exists as long as there are member rules of this group in the midcomRuleTable.

             The table serves for listing the existing groups and their remaining lifetimes and for changing lifetimes of groups and implicitly of all group members.  Groups and all their member policy rules can only be deleted by deleting all member policies in the midcomRuleTable.

             Setting midcomGroupLifetime will result in setting the lifetime of all policy members to the same value."
        ::= { midcomTransaction 4 }
    midcomGroupEntry OBJECT-TYPE
        SYNTAX      MidcomGroupEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "An entry describing properties of a particular MIDCOM policy rule group."
        INDEX { midcomRuleOwner, midcomGroupIndex }
        ::= { midcomGroupTable 1 }

    MidcomGroupEntry ::= SEQUENCE {
        midcomGroupIndex     Unsigned32,
        midcomGroupLifetime  Unsigned32
    }
    midcomGroupIndex OBJECT-TYPE
        SYNTAX      Unsigned32 (1..4294967295)
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "The index of this group for the midcomRuleOwner.  A group is identified by the combination of midcomRuleOwner and midcomGroupIndex.

             The value of this index must be unique per midcomRuleOwner."
        ::= { midcomGroupEntry 2 }
    midcomGroupLifetime OBJECT-TYPE
        SYNTAX      Unsigned32
        UNITS       "seconds"
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "When retrieved, this object delivers the maximum lifetime in seconds of all member rules of this group, i.e., of all rows in the midcomRuleTable that have the same values for midcomRuleOwner and midcomGroupIndex.

             Successfully writing to this object modifies the lifetime of all member policies.  Successfully writing a value of 0 terminates all member policies and implicitly deletes the group as soon as all member entries are removed from the midcomRuleTable.

             Note that after a group's lifetime has expired or has been set to 0, the corresponding entry in the midcomGroupTable will still exist as long as terminated member policy rules are stored as entries in the midcomRuleTable.

             Writing to this object is processed by the MIDCOM-MIB implementation by choosing a lifetime value that is greater than 0 and less than or equal to the minimum of the requested value and the value specified by object midcomConfigMaxLifetime:

                 0 <= lt_granted <= MINIMUM(lt_requested, lt_maximum)

             where:
               - lt_granted is the lifetime actually granted by the MIDCOM-MIB implementation
               - lt_requested is the lifetime requested by the MIDCOM client
               - lt_maximum is the value of object midcomConfigMaxLifetime

             SNMP SET requests to this object may be rejected, or the value of the object after an accepted SET operation may be less than the value that was contained in the SNMP SET request."
        ::= { midcomGroupEntry 3 }
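The lifetime semantics of midcomRuleLifetime and midcomGroupLifetime (the clamp rule 0 <= lt_granted <= MINIMUM(lt_requested, lt_maximum), termination by writing 0 with the row lingering for midcomRuleStorageTime, and the group write that propagates to every member) as an added example that models an agent-side implementation; it is not code from RFC 5190, and the class and function names, the "terminated" state name and the sample rows used to exercise it are assumptions of this example.

```python
"""midcomRuleLifetime / midcomGroupLifetime write semantics, modelled on
the agent side.  Added example, not code from RFC 5190; class, function
and the "terminated" state names are this example's own."""
from dataclasses import dataclass
from typing import List

# midcomRuleOperStatus states named in the lifetime descriptions.  The
# enumeration value for a terminated rule is not shown in this section,
# so the string "terminated" is an assumption of this example.
WRITABLE_STATES = {"newEntry", "setting", "reserved", "enabled"}
ACTIVE_STATES = {"reserved", "enabled"}


class InconsistentValue(Exception):
    """Stands in for the SNMP 'inconsistentValue' error."""


@dataclass
class RuleEntry:
    """The columns of a midcomRuleTable row that the lifetime logic touches."""
    owner: str               # midcomRuleOwner
    group_index: int         # midcomGroupIndex
    oper_status: str         # midcomRuleOperStatus, as a name
    lifetime: int = 180      # midcomRuleLifetime, DEFVAL { 180 }
    storage_time: int = 0    # midcomRuleStorageTime


def grant_lifetime(lt_requested: int, lt_maximum: int) -> int:
    """0 <= lt_granted <= MINIMUM(lt_requested, lt_maximum).

    This model grants the full minimum; an implementation may grant less,
    which is why a client has to read the object back after a SET."""
    if lt_requested < 0 or lt_maximum < 0:
        raise ValueError("Unsigned32 values cannot be negative")
    return min(lt_requested, lt_maximum)


def _terminate_if_zero(rule: RuleEntry, granted: int) -> None:
    """Writing 0 terminates an established rule; the row itself lingers
    for midcomRuleStorageTime seconds (see purge_terminated)."""
    if granted == 0 and rule.oper_status in ACTIVE_STATES:
        rule.oper_status = "terminated"


def set_rule_lifetime(rule: RuleEntry, lt_requested: int, lt_maximum: int) -> int:
    """SET of midcomRuleLifetime; lt_maximum is midcomConfigMaxLifetime.
    Returns the granted value."""
    if rule.oper_status not in WRITABLE_STATES:
        raise InconsistentValue(
            f"midcomRuleLifetime is not writable in state {rule.oper_status}")
    granted = grant_lifetime(lt_requested, lt_maximum)
    rule.lifetime = granted
    _terminate_if_zero(rule, granted)
    return granted


def members_of(rules: List[RuleEntry], owner: str, group_index: int) -> List[RuleEntry]:
    """Rows sharing midcomRuleOwner and midcomGroupIndex.  The group row
    exists only while this list is non-empty (modelled as KeyError)."""
    members = [r for r in rules if r.owner == owner and r.group_index == group_index]
    if not members:
        raise KeyError(f"no midcomGroupTable row for ({owner}, {group_index})")
    return members


def group_lifetime(rules: List[RuleEntry], owner: str, group_index: int) -> int:
    """GET of midcomGroupLifetime: the maximum lifetime over all members."""
    return max(r.lifetime for r in members_of(rules, owner, group_index))


def set_group_lifetime(rules: List[RuleEntry], owner: str, group_index: int,
                       lt_requested: int, lt_maximum: int) -> int:
    """SET of midcomGroupLifetime: every member gets the same granted value,
    clamped exactly like a single rule.  This model applies it to every
    member row regardless of the member's state (assumption)."""
    members = members_of(rules, owner, group_index)
    granted = grant_lifetime(lt_requested, lt_maximum)
    for r in members:
        r.lifetime = granted
        _terminate_if_zero(r, granted)
    return granted


def purge_terminated(rules: List[RuleEntry]) -> List[RuleEntry]:
    """Drop terminated rows whose midcomRuleStorageTime has run out; the
    group row disappears implicitly with its last member row."""
    rules[:] = [r for r in rules
                if not (r.oper_status == "terminated" and r.storage_time == 0)]
    return rules
```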
    --
    -- Configuration Objects
    --
    -- Configuration objects that can be used for retrieving
    -- middlebox capability information (mandatory) and for
    -- setting parameters of the implementation of transaction
    -- objects (optional).
    --
    -- Note that typically configuration objects are not intended
    -- to be written by MIDCOM clients.  In general, write access
    -- to these objects needs to be restricted more strictly than
    -- write access to transaction objects.
    --

    --
    -- Capabilities subtree
    --
    -- This subtree contains objects to which MIDCOM clients should
    -- have read access.
    --
    midcomConfigMaxLifetime OBJECT-TYPE
        SYNTAX      Unsigned32
        UNITS       "seconds"
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "When retrieved, this object returns the maximum lifetime, in seconds, that this middlebox allows policy rules to have."
        ::= { midcomConfig 1 }
    midcomConfigPersistentRules OBJECT-TYPE
        SYNTAX      TruthValue
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "When retrieved, this object returns true(1) if the MIDCOM-MIB implementation can store policy rules persistently.  Otherwise, it returns false(2).

             A value of true(1) indicates that there may be entries in the midcomRuleTable with object midcomRuleStorageType set to value nonVolatile(3)."
        ::= { midcomConfig 2 }
    midcomConfigIfTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF MidcomConfigIfEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "This table indicates capabilities of the MIDCOM-MIB implementation per IP interface.

             The table is indexed by the object midcomConfigIfIndex.

             For indexing a single interface, this object contains the value of the ifIndex object that is associated with the interface.  If an entry with midcomConfigIfIndex = 0 occurs, then bits set in objects of this entry apply to all interfaces for which there is no entry in this table with the interface's index."
        ::= { midcomConfig 3 }
    midcomConfigIfEntry OBJECT-TYPE
        SYNTAX      MidcomConfigIfEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "An entry describing the capabilities of a middlebox with respect to the indexed IP interface."
        INDEX { midcomConfigIfIndex }
        ::= { midcomConfigIfTable 1 }

    MidcomConfigIfEntry ::= SEQUENCE {
        midcomConfigIfIndex    InterfaceIndexOrZero,
        midcomConfigIfBits     BITS,
        midcomConfigIfEnabled  TruthValue
    }
    midcomConfigIfIndex OBJECT-TYPE
        SYNTAX      InterfaceIndexOrZero
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "The index of an entry in the midcomConfigIfTable.

             For values different from zero, this object identifies an IP interface by containing the same value as the ifIndex object associated with the interface.

             Note that the index of a particular interface in the ifTable may change after a re-initialization of the middlebox, for example, after adding another interface to it.  In such a case, the value of this object may change, but the interface referred to by the MIDCOM-MIB MUST still be the same.  If, after a re-initialization of the middlebox, the interface referred to before re-initialization cannot be uniquely mapped anymore to a particular entry in the ifTable, then the value of object midcomConfigIfEnabled of the same entry MUST be changed to false(2).

             If the object has a value of 0, then values specified by further objects of the same entry apply to all interfaces for which there is no explicit entry in the midcomConfigIfTable."
        ::= { midcomConfigIfEntry 1 }
    midcomConfigIfBits OBJECT-TYPE
        SYNTAX      BITS {
                        ipv4(0),
                        ipv6(1),
                        addressWildcards(2),
                        portWildcards(3),
                        firewall(4),
                        nat(5),
                        portTranslation(6),
                        protocolTranslation(7),
                        twiceNat(8),
                        inside(9)
                    }
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "When retrieved, this object returns a set of bits indicating the capabilities (or configuration) of the middlebox with respect to the referenced IP interface.  If the index equals 0, then all set bits apply to all interfaces.

             If the ipv4(0) bit is set, then the middlebox supports IPv4 at the indexed IP interface.

             If the ipv6(1) bit is set, then the middlebox supports IPv6 at the indexed IP interface.

             If the addressWildcards(2) bit is set, then the middlebox supports IP address wildcarding at the indexed IP interface.

             If the portWildcards(3) bit is set, then the middlebox supports port wildcarding at the indexed IP interface.

             If the firewall(4) bit is set, then the middlebox offers firewall functionality at the indexed interface.

             If the nat(5) bit is set, then the middlebox offers network address translation service at the indexed interface.

             If the portTranslation(6) bit is set, then the middlebox offers port translation service at the indexed interface.  This bit is only relevant if nat(5) is set.

             If the protocolTranslation(7) bit is set, then the middlebox offers protocol translation service between IPv4 and IPv6 at the indexed interface.  This bit is only relevant if nat(5) is set.

             If the twiceNat(8) bit is set, then the middlebox offers twice network address translation service at the indexed interface.  This bit is only relevant if nat(5) is set.

             If the inside(9) bit is set, then the indexed interface is an inside interface with respect to NAT functionality.  Otherwise, it is an outside interface.  This bit is only relevant if nat(5) is set.  An SNMP agent supporting both the MIDCOM-MIB module and the NAT-MIB module SHOULD ensure that the value of this object is consistent with the values of corresponding objects in the NAT-MIB module."
        ::= { midcomConfigIfEntry 2 }
    midcomConfigIfEnabled OBJECT-TYPE
        SYNTAX      TruthValue
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "The value of this object indicates the availability of the middlebox service described by midcomConfigIfBits at the indexed IP interface.

             By writing to this object, the MIDCOM support for the entire IP interface can be switched on or off.  Setting this object to false(2) immediately stops middlebox support at the indexed IP interface.  This implies that all policy rules that use NAT or firewall resources at the indexed IP interface are terminated immediately.  In this case, the MIDCOM agent MUST send midcomUnsolicitedRuleEvent to all MIDCOM clients that have access to one of the terminated rules."
        DEFVAL { true }
        ::= { midcomConfigIfEntry 3 }
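As an added example (not code from RFC 5190) covering midcomConfigIfBits, the midcomConfigIfIndex = 0 fallback row and the effect of writing false(2) to midcomConfigIfEnabled: it decodes the BITS value as SMIv2 octets, resolves the capabilities a client may rely on at a given ifIndex (dropping NAT-dependent bits when nat(5) is clear), and models the interface shutdown that terminates rules and yields the clients the agent has to notify. The IfEntry and Rule classes, the "terminated" state name and the sample table in the test are this example's own; it assumes the rule owner is the client with access to the rule.

```python
"""midcomConfigIfTable capability lookup and interface shutdown.

Added example, not code from RFC 5190.  Class and function names are
this example's own; sample rows are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Bit positions exactly as enumerated in midcomConfigIfBits.
IF_BITS = {
    "ipv4": 0, "ipv6": 1, "addressWildcards": 2, "portWildcards": 3,
    "firewall": 4, "nat": 5, "portTranslation": 6,
    "protocolTranslation": 7, "twiceNat": 8, "inside": 9,
}
# Bits whose description says they are only relevant if nat(5) is set.
NAT_DEPENDENT = {"portTranslation", "protocolTranslation", "twiceNat", "inside"}


def decode_bits(octets: bytes) -> Set[str]:
    """Decode an SMIv2 BITS value.  Bit 0 is the most significant bit of
    the first octet, so ipv4(0) is 0x80 of octet 0 and twiceNat(8) is
    0x80 of octet 1; missing trailing octets mean those bits are clear."""
    names = set()
    for name, pos in IF_BITS.items():
        byte, offset = divmod(pos, 8)
        if byte < len(octets) and octets[byte] & (0x80 >> offset):
            names.add(name)
    return names


def encode_bits(names: Iterable[str]) -> bytes:
    """Inverse of decode_bits, used to build the constructed table."""
    positions = [IF_BITS[n] for n in names]
    if not positions:
        return b""
    buf = bytearray(max(positions) // 8 + 1)
    for pos in positions:
        byte, offset = divmod(pos, 8)
        buf[byte] |= 0x80 >> offset
    return bytes(buf)


@dataclass
class IfEntry:
    """One midcomConfigIfEntry row, keyed by midcomConfigIfIndex."""
    bits: bytes              # midcomConfigIfBits
    enabled: bool = True     # midcomConfigIfEnabled, DEFVAL { true }


@dataclass
class Rule:
    """The part of a policy rule needed to model an interface shutdown."""
    owner: str               # midcomRuleOwner
    if_index: int            # interface whose NAT/firewall resources it uses
    oper_status: str         # midcomRuleOperStatus, as a name


def effective_capabilities(table: Dict[int, IfEntry], if_index: int) -> Set[str]:
    """Capabilities the middlebox offers at ifIndex if_index.

    The row with the interface's own index wins; otherwise the index-0
    row applies; otherwise nothing is offered.  A row whose
    midcomConfigIfEnabled is false(2) offers no service at all, and
    NAT-dependent bits are ignored when nat(5) is clear."""
    entry = table.get(if_index, table.get(0))
    if entry is None or not entry.enabled:
        return set()
    caps = decode_bits(entry.bits)
    if "nat" not in caps:
        caps -= NAT_DEPENDENT
    return caps


def disable_interface(table: Dict[int, IfEntry], if_index: int,
                      rules: List[Rule]) -> Set[str]:
    """Model a SET of midcomConfigIfEnabled to false(2) on one row.

    Every established rule using NAT or firewall resources at that
    interface is terminated immediately, and the agent MUST send
    midcomUnsolicitedRuleEvent to each client with access to one of
    them.  Assumption: the rule owner is that client; the owners to
    notify are returned.  "terminated" is this example's state name."""
    table[if_index].enabled = False
    notify = set()
    for r in rules:
        if r.if_index == if_index and r.oper_status in ("reserved", "enabled"):
            r.oper_status = "terminated"
            notify.add(r.owner)
    return notify
```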
    --
    -- Firewall subtree
    --
    -- This subtree contains the firewall configuration table
    --
    midcomConfigFirewallTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF MidcomConfigFirewallEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "This table lists the firewall configuration per IP interface.

             It can be used for configuring how policy rules created by MIDCOM clients are realized as firewall rules of a firewall implementation.  Particularly, the priority used for MIDCOM policy rules can be configured.  For a single firewall implementation at a particular IP interface, all MIDCOM policy rules are realized as firewall rules with the same priority.  Also, a firewall rule group name can be configured.

             The table is indexed by the object midcomConfigFirewallIndex.  For indexing a single interface, this object contains the value of the ifIndex object that is associated with the interface.  If an entry with midcomConfigFirewallIndex = 0 occurs, then bits set in objects of this entry apply to all interfaces for which there is no entry in this table for the interface's index."
        ::= { midcomConfig 4 }
    midcomConfigFirewallEntry OBJECT-TYPE
        SYNTAX      MidcomConfigFirewallEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "An entry describing a particular set of firewall resources."
        INDEX { midcomConfigFirewallIndex }
        ::= { midcomConfigFirewallTable 1 }

    MidcomConfigFirewallEntry ::= SEQUENCE {
        midcomConfigFirewallIndex     InterfaceIndexOrZero,
        midcomConfigFirewallGroupId   SnmpAdminString,
        midcomConfigFirewallPriority  Unsigned32
    }
    midcomConfigFirewallIndex OBJECT-TYPE
        SYNTAX      InterfaceIndexOrZero
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "The index of an entry in the midcomConfigFirewallTable.

             For values different from 0, this object identifies an IP interface by containing the same value as the ifIndex object associated with the interface.

             Note that the index of a particular interface in the ifTable may change after a re-initialization of the middlebox, for example, after adding another interface to it.  In such a case, the value of this object may change, but the interface referred to by the MIDCOM-MIB MUST still be the same.  If, after a re-initialization of the middlebox, the interface referred to before re-initialization cannot be uniquely mapped anymore to a particular entry in the ifTable, then the entry in the midcomConfigFirewallTable MUST be deleted.

             If the object has a value of 0, then values specified by further objects of the same entry apply to all interfaces for which there is no explicit entry in the midcomConfigFirewallTable."
        ::= { midcomConfigFirewallEntry 1 }
    midcomConfigFirewallGroupId OBJECT-TYPE
        SYNTAX      SnmpAdminString
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "The firewall rule group to which all firewall rules are assigned that the MIDCOM server creates for the interface indicated by object midcomConfigFirewallIndex.  If the value of object midcomConfigFirewallIndex is 0, then all firewall rules of the MIDCOM server that are created for interfaces with no specific entry in the midcomConfigFirewallTable are assigned to the firewall rule group indicated by the value of this object."
        ::= { midcomConfigFirewallEntry 2 }
    midcomConfigFirewallPriority OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "The priority assigned to all firewall rules that the MIDCOM server creates for the interface indicated by object midcomConfigFirewallIndex.  If the value of object midcomConfigFirewallIndex is 0, then this priority is assigned to all firewall rules of the MIDCOM server that are created for interfaces for which there is no specific entry in the midcomConfigFirewallTable."
        ::= { midcomConfigFirewallEntry 3 }
    --
    -- Monitoring Objects
    --
    -- Monitoring objects are structured into two groups,
    -- the midcomResourceGroup providing information about used
    -- resources and the midcomStatisticsGroup providing information
    -- about MIDCOM transaction statistics.

    --
    -- Resources subtree
    --
    -- The MIDCOM resources subtree contains a set of managed
    -- objects describing the currently used resources of NAT
    -- and firewall implementations.
    --

    --
    -- Textual conventions for objects of the resource subtree
    --
    MidcomNatBindMode ::= TEXTUAL-CONVENTION
        STATUS      current
        DESCRIPTION
            "An indicator of the kind of NAT resources used by a policy rule.  This definition corresponds to the definition of NatBindMode in the NAT-MIB (RFC 4008).  Value none(3) can be used to indicate that the policy rule does not use any NAT binding."
        SYNTAX      INTEGER {
                        addressBind(1),
                        addressPortBind(2),
                        none(3)
                    }

    MidcomNatSessionIdOrZero ::= TEXTUAL-CONVENTION
        DISPLAY-HINT "d"
        STATUS      current
        DESCRIPTION
            "A unique ID that is assigned to each NAT session by a NAT implementation.  This definition corresponds to the definition of NatSessionId in the NAT-MIB (RFC 4008).  Value 0 can be used to indicate that the policy rule does not use any NAT binding."
        SYNTAX      Unsigned32
    --
    -- The MIDCOM resource table
    --
    midcomResourceTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF MidcomResourceEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "This table lists all used middlebox resources per MIDCOM policy rule.

             The midcomResourceTable augments the midcomRuleTable."
        ::= { midcomMonitoring 1 }
    midcomResourceEntry OBJECT-TYPE
        SYNTAX      MidcomResourceEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "An entry describing a particular set of middlebox resources."
        AUGMENTS { midcomRuleEntry }
        ::= { midcomResourceTable 1 }

    MidcomResourceEntry ::= SEQUENCE {
        midcomRscNatInternalAddrBindMode  MidcomNatBindMode,
        midcomRscNatInternalAddrBindId    NatBindIdOrZero,
        midcomRscNatInsideAddrBindMode    MidcomNatBindMode,
        midcomRscNatInsideAddrBindId      NatBindIdOrZero,
        midcomRscNatSessionId1            MidcomNatSessionIdOrZero,
        midcomRscNatSessionId2            MidcomNatSessionIdOrZero,
        midcomRscFirewallRuleId           Unsigned32
    }
midcomRscNatInternalAddrBindMode OBJECT-TYPE
    SYNTAX      MidcomNatBindMode
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "An indication of whether this policy rule uses
        an address NAT bind or an address-port NAT bind
        for binding the internal address.

        If the MIDCOM-MIB module is operated together with
        the NAT-MIB module (RFC 4008) then object
        midcomRscNatInternalAddrBindMode contains the same
        value as the corresponding object
        natSessionPrivateSrcEPBindMode of the NAT-MIB module."
    ::= { midcomResourceEntry 4 }
midcomRscNatInternalAddrBindId OBJECT-TYPE
    SYNTAX      NatBindIdOrZero
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object refers to the allocated internal NAT
        bind that is used by this policy rule.  A NAT bind
        describes the mapping of internal addresses to
        outside addresses.  MIDCOM-MIB implementations can
        read this object to learn the corresponding NAT
        bind resource for this particular policy rule.

        If the MIDCOM-MIB module is operated together with
        the NAT-MIB module (RFC 4008) then object
        midcomRscNatInternalAddrBindId contains the same
        value as the corresponding object
        natSessionPrivateSrcEPBindId of the NAT-MIB module."
    ::= { midcomResourceEntry 5 }
midcomRscNatInsideAddrBindMode OBJECT-TYPE
    SYNTAX      MidcomNatBindMode
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "An indication of whether this policy rule uses
        an address NAT bind or an address-port NAT bind
        for binding the external address.

        If the MIDCOM-MIB module is operated together with
        the NAT-MIB module (RFC 4008), then object
        midcomRscNatInsideAddrBindMode contains the same
        value as the corresponding object
        natSessionPrivateDstEPBindMode of the NAT-MIB module."
    ::= { midcomResourceEntry 6 }
midcomRscNatInsideAddrBindId OBJECT-TYPE
    SYNTAX      NatBindIdOrZero
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object refers to the allocated external NAT
        bind that is used by this policy rule.  A NAT bind
        describes the mapping of external addresses to
        inside addresses.  MIDCOM-MIB implementations can
        read this object to learn the corresponding NAT
        bind resource for this particular policy rule.

        If the MIDCOM-MIB module is operated together with
        the NAT-MIB module (RFC 4008), then object
        midcomRscNatInsideAddrBindId contains the same
        value as the corresponding object
        natSessionPrivateDstEPBindId of the NAT-MIB module."
    ::= { midcomResourceEntry 7 }
midcomRscNatSessionId1 OBJECT-TYPE
    SYNTAX      MidcomNatSessionIdOrZero
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object refers to the first allocated NAT
        session for this policy rule.  MIDCOM-MIB
        implementations can read this object to learn
        whether or not a NAT session for a particular
        policy rule is used.  A value of 0 means that no
        NAT session is allocated for this policy rule.
        A value other than 0 refers to the NAT session."
    ::= { midcomResourceEntry 8 }
midcomRscNatSessionId2 OBJECT-TYPE
    SYNTAX      MidcomNatSessionIdOrZero
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object refers to the second allocated NAT
        session for this policy rule.  MIDCOM-MIB
        implementations can read this object to learn
        whether or not a NAT session for a particular
        policy rule is used.  A value of 0 means that no
        NAT session is allocated for this policy rule.
        A value other than 0 refers to the NAT session."
    ::= { midcomResourceEntry 9 }
midcomRscFirewallRuleId OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object refers to the allocated firewall rule
        in the firewall engine for this policy rule.
        MIDCOM-MIB implementations can read this value to
        learn whether a firewall rule for this particular
        policy rule is used or not.  A value of 0 means
        that no firewall rule is allocated for this policy
        rule.  A value other than 0 refers to the firewall
        rule number within the firewall engine."
    ::= { midcomResourceEntry 10 }
--
-- Statistics subtree
--
-- The MIDCOM statistics subtree contains a set of managed
-- objects providing statistics about the usage of transaction
-- objects.
--
midcomStatistics OBJECT IDENTIFIER ::= { midcomMonitoring 2 }
midcomCurrentOwners OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of different values for midcomRuleOwner
        for all current entries in the midcomRuleTable."
    ::= { midcomStatistics 1 }
midcomTotalRejectedRuleEntries OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of failed attempts to create an
        entry in the midcomRuleTable."
    ::= { midcomStatistics 2 }
midcomCurrentRulesIncomplete OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The current number of policy rules that are
        incomplete.

        Policy rules are loaded via row entries in the
        midcomRuleTable.  This object counts policy rules
        that are loaded but not fully specified, i.e.,
        they are in state newEntry(1) or setting(2)."
    ::= { midcomStatistics 3 }
midcomTotalIncorrectReserveRules OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of policy reserve rules that
        failed parameter check and entered state
        incorrectRequest(4)."
    ::= { midcomStatistics 4 }
midcomTotalRejectedReserveRules OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of policy reserve rules that
        failed while being processed and entered state
        requestRejected(6)."
    ::= { midcomStatistics 5 }
midcomCurrentActiveReserveRules OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of currently active policy reserve rules."
    ::= { midcomStatistics 6 }
midcomTotalExpiredReserveRules OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of expired policy reserve rules
        (entered termination state timedOut(9))."
    ::= { midcomStatistics 7 }
midcomTotalTerminatedOnRqReserveRules OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of policy reserve rules that were
        terminated on request (entered termination state
        terminatedOnRequest(10))."
    ::= { midcomStatistics 8 }
midcomTotalTerminatedReserveRules OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of policy reserve rules that were
        terminated, but not on request (entered termination
        state terminated(11))."
    ::= { midcomStatistics 9 }
midcomTotalIncorrectEnableRules OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of policy enable rules that
        failed parameter check and entered state
        incorrectRequest(4)."
    ::= { midcomStatistics 10 }
midcomTotalRejectedEnableRules OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of policy enable rules that
        failed while being processed and entered state
        requestRejected(6)."
    ::= { midcomStatistics 11 }

midcomCurrentActiveEnableRules OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of currently active policy enable rules."
    ::= { midcomStatistics 12 }
midcomTotalExpiredEnableRules OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of expired policy enable rules
        (entered termination state timedOut(9))."
    ::= { midcomStatistics 13 }
midcomTotalTerminatedOnRqEnableRules OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of policy enable rules that were
        terminated on request (entered termination state
        terminatedOnRequest(10))."
    ::= { midcomStatistics 14 }
midcomTotalTerminatedEnableRules OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of policy enable rules that were
        terminated, but not on request (entered termination
        state terminated(11))."
    ::= { midcomStatistics 15 }
--
-- Notifications.
--
midcomUnsolicitedRuleEvent NOTIFICATION-TYPE
    OBJECTS { midcomRuleOperStatus,
              midcomRuleLifetime }
    STATUS  current
    DESCRIPTION
        "This notification is generated whenever the value
        of midcomRuleOperStatus enters any error state or
        any termination state without an explicit trigger
        by a MIDCOM client."
    ::= { midcomNotifications 1 }
midcomSolicitedRuleEvent NOTIFICATION-TYPE
    OBJECTS { midcomRuleOperStatus,
              midcomRuleLifetime }
    STATUS  current
    DESCRIPTION
        "This notification is generated whenever the value
        of midcomRuleOperStatus enters one of the states
        {reserved, enabled, any error state, any termination
        state} as a result of a MIDCOM agent writing
        successfully to object midcomRuleAdminStatus.

        In addition, it is generated when the lifetime of
        a rule was changed by successfully writing to
        object midcomRuleLifetime."
    ::= { midcomNotifications 2 }
midcomSolicitedGroupEvent NOTIFICATION-TYPE
    OBJECTS { midcomGroupLifetime }
    STATUS  current
    DESCRIPTION
        "This notification is generated for indicating that
        the lifetime of all member rules of the group was
        changed by successfully writing to object
        midcomGroupLifetime.

        Note that this notification is only sent if the
        lifetime of a group was changed by successfully
        writing to object midcomGroupLifetime.  No
        notification is sent
          - if a group's lifetime is changed by writing to
            object midcomRuleLifetime of any of its member
            policies,
          - if a group's lifetime expires (in this case,
            notifications are sent for all member
            policies), or
          - if the group is terminated by terminating the
            last of its member policies without writing to
            object midcomGroupLifetime."
    ::= { midcomNotifications 3 }
--
-- Conformance information
--

midcomCompliances OBJECT IDENTIFIER ::= { midcomConformance 1 }
midcomGroups      OBJECT IDENTIFIER ::= { midcomConformance 2 }

--
-- compliance statements
--
-- This is the MIDCOM compliance definition ...
--
midcomCompliance MODULE-COMPLIANCE
    STATUS  current
    DESCRIPTION
        "The compliance statement for implementations of the
        MIDCOM-MIB module.

        Note that compliance with this compliance statement
        requires compliance with the ifCompliance3
        MODULE-COMPLIANCE statement of the IF-MIB [RFC2863]."
    MODULE -- this module
    MANDATORY-GROUPS { midcomRuleGroup,
                       midcomNotificationsGroup,
                       midcomCapabilitiesGroup,
                       midcomStatisticsGroup }

    GROUP midcomConfigFirewallGroup
    DESCRIPTION
        "A compliant implementation does not have to implement
        the midcomConfigFirewallGroup."

    GROUP midcomResourceGroup
    DESCRIPTION
        "A compliant implementation does not have to implement
        the midcomResourceGroup."

    OBJECT midcomRuleInternalIpPrefixLength
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required.  When write access is
        not supported, return 128 as the value of this object.
        A value of 128 means that the function represented by
        this option is not supported."

    OBJECT midcomRuleExternalIpPrefixLength
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required.  When write access is
        not supported, return 128 as the value of this object.
        A value of 128 means that the function represented by
        this option is not supported."

    OBJECT midcomRuleMaxIdleTime
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required.  When write access is
        not supported, return 0 as the value of this object.
        A value of 0 means that the function represented by
        this option is not supported."

    OBJECT midcomRuleInterface
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT midcomConfigMaxLifetime
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT midcomConfigPersistentRules
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT midcomConfigIfEnabled
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT midcomConfigFirewallGroupId
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT midcomConfigFirewallPriority
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    ::= { midcomCompliances 1 }
midcomRuleGroup OBJECT-GROUP
    OBJECTS { midcomRuleAdminStatus,
              midcomRuleOperStatus,
              midcomRuleStorageType,
              midcomRuleStorageTime,
              midcomRuleError,
              midcomRuleInterface,
              midcomRuleFlowDirection,
              midcomRuleMaxIdleTime,
              midcomRuleTransportProtocol,
              midcomRulePortRange,
              midcomRuleInternalIpVersion,
              midcomRuleExternalIpVersion,
              midcomRuleInternalIpAddr,
              midcomRuleInternalIpPrefixLength,
              midcomRuleInternalPort,
              midcomRuleExternalIpAddr,
              midcomRuleExternalIpPrefixLength,
              midcomRuleExternalPort,
              midcomRuleInsideIpAddr,
              midcomRuleInsidePort,
              midcomRuleOutsideIpAddr,
              midcomRuleOutsidePort,
              midcomRuleLifetime,
              midcomRuleRowStatus,
              midcomGroupLifetime }
    STATUS  current
    DESCRIPTION
        "A collection of objects providing information about
        policy rules and policy rule groups."
    ::= { midcomGroups 1 }
midcomCapabilitiesGroup OBJECT-GROUP
    OBJECTS { midcomConfigMaxLifetime,
              midcomConfigPersistentRules,
              midcomConfigIfBits,
              midcomConfigIfEnabled }
    STATUS  current
    DESCRIPTION
        "A collection of objects providing information about
        the capabilities of a middlebox."
    ::= { midcomGroups 2 }
midcomConfigFirewallGroup OBJECT-GROUP
    OBJECTS { midcomConfigFirewallGroupId,
              midcomConfigFirewallPriority }
    STATUS  current
    DESCRIPTION
        "A collection of objects providing information about
        the firewall rule group and firewall rule priority
        to be used by firewalls loaded through MIDCOM."
    ::= { midcomGroups 3 }
midcomResourceGroup OBJECT-GROUP
    OBJECTS { midcomRscNatInternalAddrBindMode,
              midcomRscNatInternalAddrBindId,
              midcomRscNatInsideAddrBindMode,
              midcomRscNatInsideAddrBindId,
              midcomRscNatSessionId1,
              midcomRscNatSessionId2,
              midcomRscFirewallRuleId }
    STATUS  current
    DESCRIPTION
        "A collection of objects providing information about
        the used NAT and firewall resources."
    ::= { midcomGroups 4 }
midcomStatisticsGroup OBJECT-GROUP
    OBJECTS { midcomCurrentOwners,
              midcomTotalRejectedRuleEntries,
              midcomCurrentRulesIncomplete,
              midcomTotalIncorrectReserveRules,
              midcomTotalRejectedReserveRules,
              midcomCurrentActiveReserveRules,
              midcomTotalExpiredReserveRules,
              midcomTotalTerminatedOnRqReserveRules,
              midcomTotalTerminatedReserveRules,
              midcomTotalIncorrectEnableRules,
              midcomTotalRejectedEnableRules,
              midcomCurrentActiveEnableRules,
              midcomTotalExpiredEnableRules,
              midcomTotalTerminatedOnRqEnableRules,
              midcomTotalTerminatedEnableRules }
    STATUS  current
    DESCRIPTION
        "A collection of objects providing statistical
        information about the MIDCOM server."
    ::= { midcomGroups 5 }
midcomNotificationsGroup NOTIFICATION-GROUP
    NOTIFICATIONS { midcomUnsolicitedRuleEvent,
                    midcomSolicitedRuleEvent,
                    midcomSolicitedGroupEvent }
    STATUS  current
    DESCRIPTION
        "The notifications emitted by the midcomMIB."
    ::= { midcomGroups 6 }
END
Obviously, securing access to firewall and NAT configuration is extremely important for maintaining network security. This section first describes general security issues of the MIDCOM-MIB module and then discusses three concrete security threats: unauthorized middlebox configuration, unauthorized access to middlebox configuration information, and unauthorized access to the MIDCOM service configuration.
There are a number of management objects defined in this MIB module with a MAX-ACCESS clause of read-write and/or read-create. Such objects may be considered sensitive or vulnerable in some network environments. Access to managed objects with a MAX-ACCESS clause of read-only may also be considered sensitive or vulnerable. The support for SET and GET operations in a non-secure environment without proper protection can have a negative effect on network operations.
SNMP versions prior to SNMPv3 did not include adequate security. Even if the network itself is secure (for example, by using IPsec), there is still no control as to who on the secure network is allowed to access and GET/SET (read/change/create/delete) the objects in this MIB module.
Deployment of SNMP versions prior to SNMPv3 is NOT RECOMMENDED.
Compliant MIDCOM-MIB implementations MUST support SNMPv3 security services including data integrity, identity authentication, data confidentiality, and replay protection.
It is REQUIRED that the implementations support the security features as provided by the SNMPv3 framework. Specifically, the use of the User-based Security Model RFC 3414 [RFC3414] and the View-based Access Control Model RFC 3415 [RFC3415] is RECOMMENDED.
It is then a customer/operator responsibility to ensure that the SNMP entity giving access to an instance of this MIB is properly configured to give access to the objects only to those principals (users) that have legitimate rights to indeed GET or SET (change/create/delete) them.
To facilitate the provisioning of access control by a security administrator using the View-based Access Control Model (VACM) defined in RFC 3415 [RFC3415] for tables in which multiple users may need to independently create or modify entries, the initial index is used as an "owner index". This is supported by the midcomRuleTable and the midcomGroupTable. Each of them uses midcomRuleOwner as the initial index. midcomRuleOwner has the syntax of SnmpAdminString, and can thus be trivially mapped to an SNMP securityName or a groupName as defined in VACM, in accordance with a security policy.
All entries in the two mentioned tables belonging to a particular user will have the same value for this initial index. For a given user's entries in a particular table, the object identifiers for the information in these entries will have the same subidentifiers (except for the "column" subidentifier) up to the end of the encoded owner index. To configure VACM to permit access to this portion of the table, one would create vacmViewTreeFamilyTable entries with the value of vacmViewTreeFamilySubtree including the owner index portion, and vacmViewTreeFamilyMask "wildcarding" the column subidentifier. More elaborate configurations are possible.
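The owner-index view described above, as an added example that is not part of RFC 5190 or of any MIDCOM-MIB implementation: it builds the vacmViewTreeFamilySubtree/vacmViewTreeFamilyMask pair that confines one midcomRuleOwner to its own rows of the midcomRuleTable (every column, only that owner), and checks instance OIDs against it the way a VACM implementation does. The midcomRuleEntry OID prefix is a placeholder, and the index order (midcomRuleOwner, then midcomGroupIndex, then midcomRuleIndex) is an assumption.

```python
"""Added example (not from RFC 5190): VACM owner-index view for midcomRuleTable.

Assumptions, labelled as such:
  * MIDCOM_RULE_ENTRY is a PLACEHOLDER for the midcomRuleEntry OID; the
    real value comes from the MIDCOM-MIB MODULE-IDENTITY, not from here.
  * midcomRuleTable is indexed by midcomRuleOwner (SnmpAdminString, encoded
    as a length subidentifier followed by one subidentifier per octet),
    then midcomGroupIndex and midcomRuleIndex.
"""
from typing import Tuple

Oid = Tuple[int, ...]

# PLACEHOLDER prefix for midcomRuleEntry (assumption; see docstring).
MIDCOM_RULE_ENTRY: Oid = (1, 3, 6, 1, 2, 1, 999, 1, 1, 1, 1)


def encode_owner_index(owner: str) -> Oid:
    """Encode a non-IMPLIED SnmpAdminString index: length, then each octet.

    The leading length subidentifier is what keeps 'alice' and 'alicex'
    from sharing an OID prefix, so the view cannot be widened by a longer
    owner name that merely starts with the permitted one."""
    raw = owner.encode("utf-8")
    return (len(raw),) + tuple(raw)


def rule_instance_oid(column: int, owner: str, group: int, rule: int) -> Oid:
    """Instance OID of one midcomRuleTable cell: entry.column.index..."""
    return MIDCOM_RULE_ENTRY + (column,) + encode_owner_index(owner) + (group, rule)


def owner_view_family(owner: str) -> Tuple[Oid, bytes]:
    """Return (vacmViewTreeFamilySubtree, vacmViewTreeFamilyMask) for owner.

    The column subidentifier (right after the entry OID) is wildcarded so
    that all columns of the owner's rows are in the view; everything up to
    the end of the encoded owner index must match exactly."""
    subtree = MIDCOM_RULE_ENTRY + (1,) + encode_owner_index(owner)
    column_pos = len(MIDCOM_RULE_ENTRY) + 1          # 1-based position
    bits = ["1"] * len(subtree)
    bits[column_pos - 1] = "0"                       # 0 = wildcard (RFC 3415)
    while len(bits) % 8:                             # pad to whole octets;
        bits.append("1")                             # missing bits count as 1
    mask = int("".join(bits), 2).to_bytes(len(bits) // 8, "big")
    return subtree, mask


def mask_bit(mask: bytes, position: int) -> int:
    """Mask bit for 1-based subidentifier `position`; MSB of octet 1 is
    subidentifier 1, and positions beyond the mask are treated as 1."""
    octet, bit = divmod(position - 1, 8)
    if octet >= len(mask):
        return 1
    return (mask[octet] >> (7 - bit)) & 1


def oid_in_family(oid: Oid, subtree: Oid, mask: bytes) -> bool:
    """RFC 3415 view-family test: oid is at least as long as subtree and
    agrees with it on every subidentifier whose mask bit is 1."""
    if len(oid) < len(subtree):
        return False
    return all(mask_bit(mask, i + 1) == 0 or oid[i] == subtree[i]
               for i in range(len(subtree)))


if __name__ == "__main__":
    subtree, mask = owner_view_family("alice")
    print("subtree:", ".".join(map(str, subtree)))
    print("mask   :", mask.hex())
    for who in ("alice", "alic", "alicex", "bob"):
        # column 1 is an arbitrary column; group 1 / rule 7 are constructed
        oid = rule_instance_oid(1, who, 1, 7)
        print(f"{who:7s} in view: {oid_in_family(oid, subtree, mask)}")
```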
The most dangerous threat to network security related to the MIDCOM-MIB module is unauthorized access to facilities for establishing policy rules. In such a case, unauthorized principals would write to the midcomRuleTable for opening firewall pinholes and/or for creating NAT maps, bindings, and/or sessions. Establishing policies can be used to gain access to networks and systems that are protected by firewalls and/or NATs.
If this protection is removed by unauthorized access to MIDCOM-MIB policies, then the resulting degradation of network security can be severe. Confidential information protected by a firewall might become accessible to unauthorized principals, attacks exploiting security leaks of systems in the protected network might become possible from external networks, and it might be possible to stop firewalls blocking denial-of-service attacks.
MIDCOM-MIB implementations MUST provide means for strict authentication, message integrity check, and write access control to managed objects that can be used for establishing policy rules. These are objects in the midcomRuleTable and midcomGroupTable with a MAX-ACCESS clause of read-write and/or read-create.
Particularly sensitive is write access to the managed object midcomRuleAdminStatus, because writing it causes policy rules to be established.
Also, writing to other managed objects in the two tables can make security vulnerable if it interferes with the authorized establishment of a policy rule, for example, by wildcarding a policy rule after the corresponding entry in the midcomRuleTable is created, but before the authorized owner establishes the rule by writing to midcomRuleAdminStatus.
Not only unauthorized establishment, but also unauthorized lifetime extension of an existing policy rule may be considered sensitive or vulnerable in some network environments. Therefore, means for strict authentication, message integrity check, and write access control to managed object midcomGroupLifetime MUST be provided by MIDCOM-MIB implementations.
Another threat to network security is unauthorized access to entries in the midcomRuleTable. The entries contain information about existing pinholes in the firewall and/or about the current NAT configuration. This information can be used for attacking the internal network from outside. Therefore, a MIDCOM-MIB implementation MUST also provide means for read access control to the midcomRuleTable.
Also, a MIDCOM-MIB implementation SHOULD provide means for protecting different authenticated MIDCOM agents from each other, such that, for example, an authenticated user can only read entries in the midcomRuleTable for which the initial index midcomRuleOwner matches the client's SNMP securityName or VACM groupName.
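The following is a worked illustration of the "owner index" VACM configuration described at the start of this section and of the per-owner read isolation asked for in the preceding paragraph. It is added example code, not part of this RFC or of any MIDCOM-MIB implementation. It assumes the vacmViewTreeFamilyMask semantics of RFC 3415 (bit 7 of the first octet corresponds to the first sub-identifier, 1 means exact match, 0 means wildcard, absent bits are treated as 1) and the standard encoding of a non-IMPLIED SnmpAdminString index (octet count followed by one sub-identifier per octet). The midcomRuleEntry OID used here is a constructed placeholder below { mib-2 171 }; an operator must substitute the value from the MIB module.

```python
"""Build a VACM view-tree family that covers exactly the midcomRuleTable rows
owned by one midcomRuleOwner, and test candidate OIDs against that family.
Added example: not code from RFC 5190 or from any MIDCOM-MIB implementation."""

MIDCOM_MIB = [1, 3, 6, 1, 2, 1, 171]  # { mib-2 171 }, the IANA-assigned module OID

# Placeholder (constructed for this example): the real midcomRuleEntry OID
# must be taken from the MIDCOM-MIB module definition, not from this line.
RULE_ENTRY_PLACEHOLDER = MIDCOM_MIB + [1, 1, 1, 1]


def encode_string_index(value):
    """Encode a non-IMPLIED variable-length string index (SnmpAdminString)
    as sub-identifiers: the octet count, then one sub-identifier per octet."""
    octets = value.encode("utf-8")
    return [len(octets)] + list(octets)


def owner_view_family(entry_oid, owner, column_placeholder=1):
    """Return (vacmViewTreeFamilySubtree, vacmViewTreeFamilyMask) that covers
    every column of every row whose initial index midcomRuleOwner == owner.

    Subtree is <entry>.<column>.<encoded owner>; the mask bit at the column
    position is 0 (wildcard) and every other covered position is 1 (exact)."""
    index = encode_string_index(owner)
    subtree = list(entry_oid) + [column_placeholder] + index
    column_pos = len(entry_oid)           # 0-based position of the column sub-id
    nbits = len(subtree)
    bits = [1] * nbits
    bits[column_pos] = 0
    bits += [1] * (-nbits % 8)            # pad to whole octets; VACM reads absent bits as 1
    mask = bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))
    return subtree, mask


def mask_bit(mask, i):
    """VACM mask semantics (RFC 3415): bit 7 of octet 0 is the first
    sub-identifier; bits beyond the end of the mask are treated as 1."""
    if i >= len(mask) * 8:
        return 1
    return (mask[i // 8] >> (7 - i % 8)) & 1


def oid_in_view(oid, subtree, mask):
    """True if `oid` falls inside the view family (subtree, mask): it must be
    at least as long as the subtree and match at every non-wildcard position."""
    if len(oid) < len(subtree):
        return False
    return all(mask_bit(mask, i) == 0 or oid[i] == subtree[i]
               for i in range(len(subtree)))


if __name__ == "__main__":
    # Constructed sample: a view family for the owner "alice" and two probe OIDs.
    subtree, mask = owner_view_family(RULE_ENTRY_PLACEHOLDER, "alice")
    print("subtree:", ".".join(map(str, subtree)))
    print("mask:   ", mask.hex())
    alice_col7 = RULE_ENTRY_PLACEHOLDER + [7] + encode_string_index("alice") + [1, 2, 3]
    bob_col7 = RULE_ENTRY_PLACEHOLDER + [7] + encode_string_index("bob") + [1]
    print("alice row, column 7 in view:", oid_in_view(alice_col7, subtree, mask))
    print("bob row, column 7 in view:  ", oid_in_view(bob_col7, subtree, mask))
```

One such (subtree, mask) pair per owner, installed as a vacmViewTreeFamilyTable entry in that owner's read view, gives the isolation the preceding paragraph asks for: every column of the owner's own rows is included because the column position is wildcarded, while rows with any other midcomRuleOwner fail the exact-match bits that cover the encoded owner index. The same construction applies unchanged to the midcomGroupTable, which uses the same initial index.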
There are three objects with a MAX-ACCESS clause of read-write that configure the MIDCOM service: midcomConfigIfEnabled, midcomFirewallGroupId, and midcomFirewallPriority.
Unauthorized writing to object midcomConfigIfEnabled can cause serious interruptions of network service.
Writing to midcomFirewallGroupId and/or midcomFirewallPriority can be used to increase or reduce the priority of firewall rules that are generated when a policy rule is established in the midcomRuleTable. Increasing the priority might permit firewall rules generated via the MIDCOM-MIB module to overrule basic security rules at the firewall that should have higher priority than the ones generated via the MIDCOM-MIB module.
Therefore, also for these objects, means for strict control of write access MUST be provided by a MIDCOM-MIB implementation.
This memo is based on a long history of discussion within the MIDCOM MIB design team. Many thanks to Mary Barnes, Jeff Case, Wes Hardaker, David Harrington, and Tom Taylor for fruitful comments and recommendations and to Juergen Schoenwaelder acting as a very constructive MIB doctor.
IANA has assigned an OID for the MIB module in this document:

Descriptor        OBJECT IDENTIFIER value
----------        -----------------------
midcomMIB         { mib-2 171 }
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC5189] Stiemerling, M., Quittek, J., and T. Taylor, "Middlebox Communication (MIDCOM) Protocol Semantics", RFC 5189, March 2008.

[RFC2578] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M. and S. Waldbusser, "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

[RFC2579] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M. and S. Waldbusser, "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999.

[RFC2580] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M. and S. Waldbusser, "Conformance Statements for SMIv2", STD 58, RFC 2580, April 1999.

[RFC2863] McCloghrie, K. and F. Kastenholz, "The Interfaces Group MIB", RFC 2863, June 2000.

[RFC3411] Harrington, D., Presuhn, R. and B. Wijnen, "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, December 2002.

[RFC3413] Levi, D., Meyer, P., and B. Stewart, "Simple Network Management Protocol Applications", STD 62, RFC 3413, December 2002.

[RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.

[RFC3418] Presuhn, R., Ed., "Management Information Base (MIB) for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3418, December 2002.

[RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. Jacobson, "RTP: A Transport Protocol for Real-Time Applications", STD 64, RFC 3550, July 2003.

[RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. Schoenwaelder, "Textual Conventions for Internet Network Addresses", RFC 4001, February 2005.

[RFC4008] Rohit, R., Srisuresh, P., Raghunarayan, R., Pai, N., and C. Wang, "Definitions of Managed Objects for Network Address Translators (NAT)", RFC 4008, March 2005.

[RFC3410] Case, J., Mundy, R., Partain, D. and B. Stewart, "Introduction and Applicability Statements for Internet-Standard Management Framework", RFC 3410, December 2002.

[RFC3234] Carpenter, B. and S. Brim, "Middleboxes: Taxonomy and Issues", RFC 3234, February 2002.

[RFC3303] Srisuresh, P., Kuthan, J., Rosenberg, J., Molitor, A., and A. Rayhan, "Middlebox communication architecture and framework", RFC 3303, August 2002.

[RFC3304] Swale, R., Mart, P., Sijben, P., Brim, S., and M. Shore, "Middlebox Communications (midcom) Protocol Requirements", RFC 3304, August 2002.

[RFC3415] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3415, December 2002.
Authors' Addresses
Juergen Quittek
NEC Europe Ltd.
Kurfuersten-Anlage 36
69115 Heidelberg
Germany

Phone: +49 6221 4342-115
EMail: quittek@nw.neclab.eu

Martin Stiemerling
NEC Europe Ltd.
Kurfuersten-Anlage 36
69115 Heidelberg
Germany

Phone: +49 6221 4342-113
EMail: stiemerling@nw.neclab.eu

Pyda Srisuresh
Kazeon Systems, Inc.
1161 San Antonio Rd.
Mountain View, CA 94043
U.S.A.

Phone: +1 408 836 4773
EMail: srisuresh@yahoo.com
Full Copyright Statement
Copyright (C) The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.