Internet Engineering Task Force (IETF) Y. Fu
Request for Comments: 8389 CNNIC
Category: Standards Track S. Jiang
ISSN: 2070-1721 B. Liu
Huawei Technologies Co., Ltd
J. Dong
Y. Chen
Tsinghua University
December 2018
Internet Engineering Task Force (IETF) Y. Fu
Request for Comments: 8389 CNNIC
Category: Standards Track S. Jiang
ISSN: 2070-1721 B. Liu
Huawei Technologies Co., Ltd
J. Dong
Y. Chen
Tsinghua University
December 2018
Definitions of Managed Objects for Mapping of Address and Port with Encapsulation (MAP-E)
使用封装映射地址和端口的托管对象定义(MAP-E)
Abstract
摘要
This memo defines a portion of the Management Information Base (MIB) for Mapping of Address and Port with Encapsulation (MAP-E) for use with network management protocols.
本备忘录定义了管理信息库(MIB)的一部分,用于通过封装(MAP-E)映射地址和端口,以用于网络管理协议。
Status of This Memo
关于下段备忘
This is an Internet Standards Track document.
这是一份互联网标准跟踪文件。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 7841第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8389.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问https://www.rfc-editor.org/info/rfc8389.
Copyright Notice
版权公告
Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2018 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(https://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
Table of Contents
目录
1. Introduction ....................................................2
2. The Internet-Standard Management Framework ......................2
3. Terminology .....................................................3
4. Structure of the MIB Module .....................................3
4.1. The mapMIBObjects ..........................................3
4.1.1. The mapRule Subtree .................................3
4.1.2. The mapSecurityCheck Subtree ........................3
4.2. The mapMIBConformance Subtree ..............................4
5. Definitions .....................................................4
6. IANA Considerations ............................................12
7. Security Considerations ........................................12
8. References .....................................................13
8.1. Normative References ......................................13
8.2. Informative References ....................................14
Acknowledgements ..................................................15
Authors' Addresses ................................................16
1. Introduction ....................................................2
2. The Internet-Standard Management Framework ......................2
3. Terminology .....................................................3
4. Structure of the MIB Module .....................................3
4.1. The mapMIBObjects ..........................................3
4.1.1. The mapRule Subtree .................................3
4.1.2. The mapSecurityCheck Subtree ........................3
4.2. The mapMIBConformance Subtree ..............................4
5. Definitions .....................................................4
6. IANA Considerations ............................................12
7. Security Considerations ........................................12
8. References .....................................................13
8.1. Normative References ......................................13
8.2. Informative References ....................................14
Acknowledgements ..................................................15
Authors' Addresses ................................................16
Mapping of Address and Port with Encapsulation (MAP-E) [RFC7597] is a stateless, automatic tunneling mechanism for providing an IPv4 connectivity service to end users over a service provider's IPv6 network.
地址和端口封装映射(MAP-E)[RFC7597]是一种无状态自动隧道机制,用于通过服务提供商的IPv6网络向最终用户提供IPv4连接服务。
This document defines a portion of the Management Information Base (MIB) for use with monitoring MAP-E devices.
本文档定义了管理信息库(MIB)的一部分,用于监控MAP-E设备。
For a detailed overview of the documents that describe the current Internet-Standard Management Framework, please refer to section 7 of RFC 3410 [RFC3410].
有关描述当前互联网标准管理框架的文件的详细概述,请参阅RFC 3410[RFC3410]第7节。
Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. MIB objects are generally accessed through the Simple Network Management Protocol (SNMP). Objects in the MIB are defined using the mechanisms defined in the Structure of Management Information (SMI). This memo specifies a MIB module that is compliant to the SMIv2, which is described in STD 58, RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 [RFC2580].
托管对象通过虚拟信息存储(称为管理信息库或MIB)进行访问。MIB对象通常通过简单网络管理协议(SNMP)进行访问。MIB中的对象是使用管理信息结构(SMI)中定义的机制定义的。本备忘录规定了符合SMIv2的MIB模块,如STD 58、RFC 2578[RFC2578]、STD 58、RFC 2579[RFC2579]和STD 58、RFC 2580[RFC2580]所述。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“建议”、“不建议”、“可”和“可选”在所有大写字母出现时(如图所示)应按照BCP 14[RFC2119][RFC8174]所述进行解释。
The IF-MIB [RFC2863] defines generic managed objects for managing interfaces. Each logical interface (physical or virtual) has an ifEntry. Tunnels are handled by creating a logical interface (ifEntry) for each tunnel. Each MAP-E tunnel endpoint also acts as a virtual interface that has a corresponding entry in the IF-MIB. Those corresponding entries are indexed by ifIndex. The MAP-E MIB is configurable on a per-interface basis, so it depends on several parts (ifEntry) of the IF-MIB [RFC2863].
IF-MIB[RFC2863]定义了用于管理接口的通用托管对象。每个逻辑接口(物理或虚拟)都有一个ifEntry。通过为每个隧道创建逻辑接口(ifEntry)来处理隧道。每个MAP-E隧道端点还充当在IF-MIB中具有相应条目的虚拟接口。这些对应的条目由ifIndex索引。MAP-E MIB可根据每个接口进行配置,因此它取决于IF-MIB[RFC2863]的几个部分(ifEntry)。
The mapRule subtree describes managed objects used for managing the multiple mapping rules in MAP-E.
mapRule子树描述了用于管理MAP-E中多个映射规则的托管对象。
According to [RFC7597], the mapping rules are divided into two categories: Basic Mapping Rule (BMR) and Forwarding Mapping Rule (FMR). According to Section 4.1 of [RFC7598], an F-flag specifies whether the rule is to be used for forwarding (FMR). If set, this rule is used as an FMR; if not set, this rule is BMR only and MUST NOT be used for forwarding. A BMR can also be used as an FMR for forwarding if the F-flag is set. So, the RuleType definition in the MAP-E MIB (see Section 5) defines bmrAndfmr to specify this scenario.
根据[RFC7597],映射规则分为两类:基本映射规则(BMR)和转发映射规则(FMR)。根据[RFC7598]第4.1节,F标志指定规则是否用于转发(FMR)。如果设置,则该规则用作FMR;如果未设置,则此规则仅为BMR,不得用于转发。如果设置了F标志,BMR也可用作转发的FMR。因此,MAP-E MIB中的规则类型定义(参见第5节)定义了bmrAndfmr来指定此场景。
The mapSecurityCheck subtree provides statistics for the number of invalid packets that have been identified. [RFC7597] defines two kinds of invalid packets:
mapSecurityCheck子树提供已识别的无效数据包数量的统计信息。[RFC7597]定义了两种无效数据包:
o The Border Relay (BR) will validate the received packet's source IPv6 address against the configured MAP domain rule and the destination IPv6 address against the configured BR IPv6 address.
o 边界中继(BR)将根据配置的映射域规则验证接收数据包的源IPv6地址,并根据配置的BR IPv6地址验证目标IPv6地址。
o The MAP node (Customer Edge (CE) and BR) will check that the received packet's source IPv4 address and port are in the range derived from the matching MAP rule.
o 映射节点(客户边缘(CE)和BR)将检查所接收数据包的源IPv4地址和端口是否在从匹配映射规则派生的范围内。
The mapMIBConformance subtree provides conformance information of MIB objects.
MAPMIB一致性子树提供MIB对象的一致性信息。
The following MIB module imports definitions from [RFC2578], [RFC2579], [RFC2580], [RFC2863], and [RFC4001].
以下MIB模块从[RFC2578]、[RFC2579]、[RFC2580]、[RFC2863]和[RFC4001]导入定义。
MAP-E-MIB DEFINITIONS ::= BEGIN
MAP-E-MIB DEFINITIONS ::= BEGIN
IMPORTS MODULE-IDENTITY, OBJECT-TYPE, mib-2, Unsigned32, Counter64 FROM SNMPv2-SMI --RFC 2578 TEXTUAL-CONVENTION FROM SNMPv2-TC --RFC 2579 ifIndex FROM IF-MIB --RFC 2863 InetAddressIPv6, InetAddressIPv4, InetAddressPrefixLength FROM INET-ADDRESS-MIB --RFC 4001 OBJECT-GROUP, MODULE-COMPLIANCE FROM SNMPv2-CONF; --RFC 2580
从SNMPv2 SMI导入模块标识、对象类型、mib-2、未签名32、计数器64——从SNMPv2 TC导入RFC 2578文本约定——从IF-mib导入RFC 2579 iIndex——从INET-ADDRESS-mib导入RFC 2863 InetAddressIPv6、InetAddressIPv4、InetAddressPrefixLength——从SNMPv2 CONF导入RFC 4001对象组、模块遵从性--RFC2580
mapMIB MODULE-IDENTITY LAST-UPDATED "201811260000Z" ORGANIZATION "IETF Softwire Working Group" CONTACT-INFO "Yu Fu CNNIC No. 4 South 4th Street, Zhongguancun Beijing 100190 China Email: eleven711711@foxmail.com
mapMIB MODULE-IDENTITY最后更新的“201811260000Z”组织“IETF软线工作组”联系方式“北京中关村南四街4号裕富CNNIC 100190中国电子邮件:eleven711711@foxmail.com
Sheng Jiang Huawei Technologies Co., Ltd Q14, Huawei Campus, No. 156 Beiqing Road Hai-Dian District, Beijing 100095 China Email: jiangsheng@huawei.com
北京海淀区北青路156号华为校园盛江华为技术有限公司Q14中国邮箱:100095jiangsheng@huawei.com
Bing Liu Huawei Technologies Co., Ltd Q14, Huawei Campus, No. 156 Beiqing Road
刘冰华为技术有限公司北青路156号华为校区Q14
Hai-Dian District, Beijing 100095 China Email: leo.liubing@huawei.com
北京市海淀区100095中国电子邮件:leo。liubing@huawei.com
Jiang Dong Tsinghua University Department of Computer Science, Tsinghua University Beijing 100084 China Email: knight.dongjiang@gmail.com
江东清华大学计算机科学系,清华大学北京100084中国电子邮件:knight。dongjiang@gmail.com
Yuchi Chen Tsinghua University Department of Computer Science, Tsinghua University Beijing 100084 China Email: chenycmx@gmail.com"
陈玉池清华大学计算机科学系,清华大学北京100084中国电子邮件:chenycmx@gmail.com"
DESCRIPTION "This MIB module is defined for management of objects for MAP-E BRs or CEs.
DESCRIPTION“此MIB模块用于管理MAP-E BRs或CEs的对象。
Copyright (c) 2018 IETF Trust and the persons identified as authors of the code. All rights reserved.
版权所有(c)2018 IETF信托基金和被确定为代码作者的人员。版权所有。
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject to
the license terms contained in, the Simplified BSD License set
forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(https://trustee.ietf.org/license-info)."
REVISION "201811260000Z"
DESCRIPTION
"Initial version. Published as RFC 8389."
::= { mib-2 242 }
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject to
the license terms contained in, the Simplified BSD License set
forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(https://trustee.ietf.org/license-info)."
REVISION "201811260000Z"
DESCRIPTION
"Initial version. Published as RFC 8389."
::= { mib-2 242 }
mapMIBObjects OBJECT IDENTIFIER ::= {mapMIB 1}
mapMIBObjects OBJECT IDENTIFIER ::= {mapMIB 1}
mapRule OBJECT IDENTIFIER
::= { mapMIBObjects 1 }
mapRule OBJECT IDENTIFIER
::= { mapMIBObjects 1 }
mapSecurityCheck OBJECT IDENTIFIER
::= { mapMIBObjects 2 }
mapSecurityCheck OBJECT IDENTIFIER
::= { mapMIBObjects 2 }
-- ==============================================================
-- Textual Conventions Used in This MIB Module
-- ==============================================================
-- ==============================================================
-- Textual Conventions Used in This MIB Module
-- ==============================================================
RulePSID ::= TEXTUAL-CONVENTION
DISPLAY-HINT "0x:"
STATUS current
DESCRIPTION
"Indicates that the Port Set ID (PSID) is represented as
hexadecimal for clarity."
SYNTAX OCTET STRING (SIZE (2))
RulePSID ::= TEXTUAL-CONVENTION
DISPLAY-HINT "0x:"
STATUS current
DESCRIPTION
"Indicates that the Port Set ID (PSID) is represented as
hexadecimal for clarity."
SYNTAX OCTET STRING (SIZE (2))
RuleType ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"Enumerates the type of the mapping rule. It
defines three types of mapping rules here:
bmr: Basic Mapping Rule (not Forwarding Mapping Rule)
fmr: Forwarding Mapping Rule (not Basic Mapping Rule)
bmrAndfmr: Basic and Forwarding Mapping Rule
The Basic Mapping Rule may also be a Forwarding Mapping
Rule for mesh mode."
REFERENCE "bmr, fmr: Section 5 of RFC 7597.
bmrAndfmr: Section 5 of RFC 7597, Section 4.1
of RFC 7598."
SYNTAX INTEGER {
bmr(1),
fmr(2),
bmrAndfmr(3)
}
RuleType ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"Enumerates the type of the mapping rule. It
defines three types of mapping rules here:
bmr: Basic Mapping Rule (not Forwarding Mapping Rule)
fmr: Forwarding Mapping Rule (not Basic Mapping Rule)
bmrAndfmr: Basic and Forwarding Mapping Rule
The Basic Mapping Rule may also be a Forwarding Mapping
Rule for mesh mode."
REFERENCE "bmr, fmr: Section 5 of RFC 7597.
bmrAndfmr: Section 5 of RFC 7597, Section 4.1
of RFC 7598."
SYNTAX INTEGER {
bmr(1),
fmr(2),
bmrAndfmr(3)
}
mapRuleTable OBJECT-TYPE
SYNTAX SEQUENCE OF MapRuleEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing rule information for
a specific mapping rule. It can also be used for row
creation."
::= { mapRule 1 }
mapRuleTable OBJECT-TYPE
SYNTAX SEQUENCE OF MapRuleEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing rule information for
a specific mapping rule. It can also be used for row
creation."
::= { mapRule 1 }
mapRuleEntry OBJECT-TYPE
SYNTAX MapRuleEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Each entry in this table contains the information on a
particular mapping rule."
INDEX { ifIndex,
mapRuleID }
::= { mapRuleTable 1 }
mapRuleEntry OBJECT-TYPE
SYNTAX MapRuleEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Each entry in this table contains the information on a
particular mapping rule."
INDEX { ifIndex,
mapRuleID }
::= { mapRuleTable 1 }
MapRuleEntry ::=
SEQUENCE {
mapRuleID Unsigned32,
mapRuleIPv6Prefix InetAddressIPv6,
mapRuleIPv6PrefixLen InetAddressPrefixLength,
mapRuleIPv4Prefix InetAddressIPv4,
mapRuleIPv4PrefixLen InetAddressPrefixLength,
mapRuleBRIPv6Address InetAddressIPv6,
mapRulePSID RulePSID,
mapRulePSIDLen Unsigned32,
mapRuleOffset Unsigned32,
mapRuleEALen Unsigned32,
mapRuleType RuleType
}
MapRuleEntry ::=
SEQUENCE {
mapRuleID Unsigned32,
mapRuleIPv6Prefix InetAddressIPv6,
mapRuleIPv6PrefixLen InetAddressPrefixLength,
mapRuleIPv4Prefix InetAddressIPv4,
mapRuleIPv4PrefixLen InetAddressPrefixLength,
mapRuleBRIPv6Address InetAddressIPv6,
mapRulePSID RulePSID,
mapRulePSIDLen Unsigned32,
mapRuleOffset Unsigned32,
mapRuleEALen Unsigned32,
mapRuleType RuleType
}
mapRuleID OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A unique identifier used to distinguish mapping
rules."
::= { mapRuleEntry 1 }
mapRuleID OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A unique identifier used to distinguish mapping
rules."
::= { mapRuleEntry 1 }
-- The object mapRuleIPv6Prefix is IPv6 specific; hence, it does
-- not use the version-agnostic InetAddress.
-- The object mapRuleIPv6Prefix is IPv6 specific; hence, it does
-- not use the version-agnostic InetAddress.
mapRuleIPv6Prefix OBJECT-TYPE
SYNTAX InetAddressIPv6
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The IPv6 prefix defined in the mapping rule that will be
assigned to CEs."
::= { mapRuleEntry 2 }
mapRuleIPv6Prefix OBJECT-TYPE
SYNTAX InetAddressIPv6
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The IPv6 prefix defined in the mapping rule that will be
assigned to CEs."
::= { mapRuleEntry 2 }
mapRuleIPv6PrefixLen OBJECT-TYPE
SYNTAX InetAddressPrefixLength
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The length of the IPv6 prefix defined in the mapping rule
that will be assigned to CEs."
::= { mapRuleEntry 3 }
mapRuleIPv6PrefixLen OBJECT-TYPE
SYNTAX InetAddressPrefixLength
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The length of the IPv6 prefix defined in the mapping rule
that will be assigned to CEs."
::= { mapRuleEntry 3 }
-- The object mapRuleIPv4Prefix is IPv4 specific; hence, it does
-- not use the version-agnostic InetAddress.
-- The object mapRuleIPv4Prefix is IPv4 specific; hence, it does
-- not use the version-agnostic InetAddress.
mapRuleIPv4Prefix OBJECT-TYPE
SYNTAX InetAddressIPv4
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The IPv4 prefix defined in the mapping rule that will be
assigned to CEs."
::= { mapRuleEntry 4 }
mapRuleIPv4Prefix OBJECT-TYPE
SYNTAX InetAddressIPv4
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The IPv4 prefix defined in the mapping rule that will be
assigned to CEs."
::= { mapRuleEntry 4 }
mapRuleIPv4PrefixLen OBJECT-TYPE
SYNTAX InetAddressPrefixLength
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The length of the IPv4 prefix defined in the mapping
rule that will be assigned to CEs."
::= { mapRuleEntry 5 }
mapRuleIPv4PrefixLen OBJECT-TYPE
SYNTAX InetAddressPrefixLength
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The length of the IPv4 prefix defined in the mapping
rule that will be assigned to CEs."
::= { mapRuleEntry 5 }
-- The object mapRuleBRIPv6Address is IPv6 specific; hence, it does
-- not use the version-agnostic InetAddress.
-- The object mapRuleBRIPv6Address is IPv6 specific; hence, it does
-- not use the version-agnostic InetAddress.
mapRuleBRIPv6Address OBJECT-TYPE
SYNTAX InetAddressIPv6
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The IPv6 address of the BR that will be conveyed to CEs.
If the BR IPv6 address is anycast, the relay must use
this anycast IPv6 address as the source address in
packets relayed to CEs."
::= { mapRuleEntry 6 }
mapRuleBRIPv6Address OBJECT-TYPE
SYNTAX InetAddressIPv6
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The IPv6 address of the BR that will be conveyed to CEs.
If the BR IPv6 address is anycast, the relay must use
this anycast IPv6 address as the source address in
packets relayed to CEs."
::= { mapRuleEntry 6 }
mapRulePSID OBJECT-TYPE
SYNTAX RulePSID
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The PSID value algorithmically identifies a set of
ports assigned to a CE."
REFERENCE
"PSID: Section 5.1 of RFC 7597."
::= { mapRuleEntry 7 }
mapRulePSID OBJECT-TYPE
SYNTAX RulePSID
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The PSID value algorithmically identifies a set of
ports assigned to a CE."
REFERENCE
"PSID: Section 5.1 of RFC 7597."
::= { mapRuleEntry 7 }
mapRulePSIDLen OBJECT-TYPE SYNTAX Unsigned32(0..16) MAX-ACCESS read-only STATUS current
mapRulePSIDLen对象类型语法Unsigned32(0..16)MAX-ACCESS只读状态当前
DESCRIPTION
"The bit length value of the number of significant bits in
the PSID field. When it is set to 0, the PSID
field is to be ignored."
::= { mapRuleEntry 8 }
DESCRIPTION
"The bit length value of the number of significant bits in
the PSID field. When it is set to 0, the PSID
field is to be ignored."
::= { mapRuleEntry 8 }
mapRuleOffset OBJECT-TYPE
SYNTAX Unsigned32(0..15)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of the mapRuleOffset is 6 by default to
exclude the system ports (0-1023). It is provided via
the Rule Port Mapping Parameters in the Basic Mapping
Rule."
DEFVAL {6}
::= { mapRuleEntry 9 }
mapRuleOffset OBJECT-TYPE
SYNTAX Unsigned32(0..15)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of the mapRuleOffset is 6 by default to
exclude the system ports (0-1023). It is provided via
the Rule Port Mapping Parameters in the Basic Mapping
Rule."
DEFVAL {6}
::= { mapRuleEntry 9 }
mapRuleEALen OBJECT-TYPE
SYNTAX Unsigned32(0..48)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The length of the Embedded Address (EA) defined in
mapping rule that will be assigned to CEs."
REFERENCE
"EA: Section 3 of RFC 7597."
::= { mapRuleEntry 10 }
mapRuleEALen OBJECT-TYPE
SYNTAX Unsigned32(0..48)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The length of the Embedded Address (EA) defined in
mapping rule that will be assigned to CEs."
REFERENCE
"EA: Section 3 of RFC 7597."
::= { mapRuleEntry 10 }
mapRuleType OBJECT-TYPE
SYNTAX RuleType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Indicates the type of mapping rule.
'1' represents a BMR.
'2' represents an FMR.
'3' represents a BMR that is also an FMR for mesh mode."
REFERENCE
"bmr, fmr: Section 5 of RFC 7597.
bmrAndfmr: Section 5 of RFC 7597, Section 4.1 of
RFC 7598."
::= { mapRuleEntry 11 }
mapRuleType OBJECT-TYPE
SYNTAX RuleType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Indicates the type of mapping rule.
'1' represents a BMR.
'2' represents an FMR.
'3' represents a BMR that is also an FMR for mesh mode."
REFERENCE
"bmr, fmr: Section 5 of RFC 7597.
bmrAndfmr: Section 5 of RFC 7597, Section 4.1 of
RFC 7598."
::= { mapRuleEntry 11 }
mapSecurityCheckTable OBJECT-TYPE SYNTAX SEQUENCE OF MapSecurityCheckEntry MAX-ACCESS not-accessible STATUS current
MapSecurityCheckEntry MAX-ACCESS的mapSecurityCheckTable对象类型语法序列不可访问状态当前
DESCRIPTION
"The (conceptual) table containing information on
MAP security checks. This table can be used for
statistics on the number of invalid packets that
have been identified."
::= { mapSecurityCheck 1 }
DESCRIPTION
"The (conceptual) table containing information on
MAP security checks. This table can be used for
statistics on the number of invalid packets that
have been identified."
::= { mapSecurityCheck 1 }
mapSecurityCheckEntry OBJECT-TYPE
SYNTAX MapSecurityCheckEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Each entry in this table contains information on a
particular MAP security check."
INDEX { ifIndex }
::= { mapSecurityCheckTable 1 }
mapSecurityCheckEntry OBJECT-TYPE
SYNTAX MapSecurityCheckEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Each entry in this table contains information on a
particular MAP security check."
INDEX { ifIndex }
::= { mapSecurityCheckTable 1 }
MapSecurityCheckEntry ::=
SEQUENCE {
mapSecurityCheckInvalidv4 Counter64,
mapSecurityCheckInvalidv6 Counter64
}
MapSecurityCheckEntry ::=
SEQUENCE {
mapSecurityCheckInvalidv4 Counter64,
mapSecurityCheckInvalidv6 Counter64
}
mapSecurityCheckInvalidv4 OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Indicates the number of received IPv4 packets
that do not have a payload source IPv4 address or
port within the range defined in the matching MAP
rule. It corresponds to the second kind of
invalid packet described in Section 4.1.2."
::= { mapSecurityCheckEntry 1 }
mapSecurityCheckInvalidv4 OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Indicates the number of received IPv4 packets
that do not have a payload source IPv4 address or
port within the range defined in the matching MAP
rule. It corresponds to the second kind of
invalid packet described in Section 4.1.2."
::= { mapSecurityCheckEntry 1 }
mapSecurityCheckInvalidv6 OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Indicates the number of received IPv6 packets that
do not have a source or destination IPv6 address
matching a Basic Mapping Rule. It corresponds
to the first kind of invalid packet described
in Section 4.1.2."
::= { mapSecurityCheckEntry 2 }
mapSecurityCheckInvalidv6 OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Indicates the number of received IPv6 packets that
do not have a source or destination IPv6 address
matching a Basic Mapping Rule. It corresponds
to the first kind of invalid packet described
in Section 4.1.2."
::= { mapSecurityCheckEntry 2 }
-- Conformance Information
--一致性信息
mapMIBConformance OBJECT IDENTIFIER ::= {mapMIB 2}
mapMIBCompliances OBJECT IDENTIFIER ::= { mapMIBConformance 1 }
mapMIBGroups OBJECT IDENTIFIER ::= { mapMIBConformance 2 }
mapMIBConformance OBJECT IDENTIFIER ::= {mapMIB 2}
mapMIBCompliances OBJECT IDENTIFIER ::= { mapMIBConformance 1 }
mapMIBGroups OBJECT IDENTIFIER ::= { mapMIBConformance 2 }
-- compliance statements
mapMIBCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"Describes the minimal requirements for conformance
to the MAP-E MIB."
MODULE -- this module
MANDATORY-GROUPS { mapMIBRuleGroup , mapMIBSecurityGroup }
::= { mapMIBCompliances 1 }
-- compliance statements
mapMIBCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"Describes the minimal requirements for conformance
to the MAP-E MIB."
MODULE -- this module
MANDATORY-GROUPS { mapMIBRuleGroup , mapMIBSecurityGroup }
::= { mapMIBCompliances 1 }
-- Units of Conformance
mapMIBRuleGroup OBJECT-GROUP
OBJECTS {
mapRuleIPv6Prefix,
mapRuleIPv6PrefixLen,
mapRuleIPv4Prefix,
mapRuleIPv4PrefixLen,
mapRuleBRIPv6Address,
mapRulePSID,
mapRulePSIDLen,
mapRuleOffset,
mapRuleEALen,
mapRuleType }
STATUS current
DESCRIPTION
"The group of objects used to describe the MAP-E mapping
rule."
::= { mapMIBGroups 1 }
-- Units of Conformance
mapMIBRuleGroup OBJECT-GROUP
OBJECTS {
mapRuleIPv6Prefix,
mapRuleIPv6PrefixLen,
mapRuleIPv4Prefix,
mapRuleIPv4PrefixLen,
mapRuleBRIPv6Address,
mapRulePSID,
mapRulePSIDLen,
mapRuleOffset,
mapRuleEALen,
mapRuleType }
STATUS current
DESCRIPTION
"The group of objects used to describe the MAP-E mapping
rule."
::= { mapMIBGroups 1 }
mapMIBSecurityGroup OBJECT-GROUP
OBJECTS {
mapSecurityCheckInvalidv4,
mapSecurityCheckInvalidv6 }
STATUS current
DESCRIPTION
"The group of objects used to provide information on the
MAP-E security checks."
::= { mapMIBGroups 2 }
mapMIBSecurityGroup OBJECT-GROUP
OBJECTS {
mapSecurityCheckInvalidv4,
mapSecurityCheckInvalidv6 }
STATUS current
DESCRIPTION
"The group of objects used to provide information on the
MAP-E security checks."
::= { mapMIBGroups 2 }
END
终止
The MIB module in this document uses the following IANA-assigned OBJECT IDENTIFIER values recorded in the SMI Numbers registry:
本文档中的MIB模块使用SMI编号注册表中记录的以下IANA分配的对象标识符值:
Descriptor OBJECT IDENTIFIER value
---------- -----------------------
MAP-E-MIB { mib-2 242 }
Descriptor OBJECT IDENTIFIER value
---------- -----------------------
MAP-E-MIB { mib-2 242 }
There are no management objects defined in this MIB module that have a MAX-ACCESS clause of read-write and/or read-create. So, if this MIB module is implemented correctly, then there is no risk that an intruder can alter or create any management objects of this MIB module via direct SNMP SET operations.
此MIB模块中未定义具有读写和/或读创建MAX-ACCESS子句的管理对象。因此,如果此MIB模块实现正确,则入侵者不会通过直接的SNMP集操作更改或创建此MIB模块的任何管理对象。
Some of the objects in this MIB module may be considered sensitive or vulnerable in some network environments. This includes INDEX objects with a MAX-ACCESS of not-accessible, and any indices from other modules exposed via AUGMENTS. It is thus important to control even GET and/or NOTIFY access to these objects and possibly to even encrypt the values of these objects when sending them over the network via SNMP. These are the tables and objects and their sensitivity/vulnerability:
在某些网络环境中,此MIB模块中的某些对象可能被视为敏感或易受攻击。这包括MAX-ACCESS为not-accessible的索引对象,以及通过增强公开的其他模块的任何索引。因此,在通过SNMP通过网络发送这些对象时,控制甚至获取和/或通知对这些对象的访问,甚至可能加密这些对象的值,这一点非常重要。以下是表和对象及其敏感度/漏洞:
mapRuleIPv6Prefix
MapRuleIPv6前缀
mapRuleIPv6PrefixLen
MAPRULEIPV6预驱动桥
mapRuleIPv4Prefix
MapRuleIPv4前缀
mapRuleIPv4PrefixLen
mapRuleIPv4PrefixLen
mapRuleBRIPv6Address
MapRuleBripV6地址
mapRulePSID
mapRulePSID
mapRulePSIDLen
mapRulePSIDLen
mapRuleOffset
mapRuleOffset
mapRuleEALen
mapRuleEALen
mapRuleType
映射规则类型
Some of the MIB model's objects are vulnerable because the information that they hold may be used for targeting an attack against a MAP node (CE or BR). For example, an intruder could use the information to help deduce the customer IPv4 and IPv6 topologies and address-sharing ratios in use by the ISP.
MIB模型的某些对象易受攻击,因为它们所持有的信息可能用于针对映射节点(CE或BR)的攻击。例如,入侵者可以利用这些信息帮助推断ISP使用的客户IPv4和IPv6拓扑以及地址共享比率。
SNMP versions prior to SNMPv3 did not include adequate security. Even if the network itself is secure (for example by using IPsec), there is no control as to who on the secure network is allowed to access and GET/SET (read/change/create/delete) the objects in this MIB module.
SNMPv3之前的SNMP版本未包含足够的安全性。即使网络本身是安全的(例如通过使用IPsec),也无法控制安全网络上的谁可以访问和获取/设置(读取/更改/创建/删除)此MIB模块中的对象。
Implementations SHOULD provide the security features described by the
SNMPv3 framework (see [RFC3410]), and implementations claiming
compliance to the SNMPv3 standard MUST include full support for
authentication and privacy via the User-based Security Model (USM)
[RFC3414] with the AES cipher algorithm [RFC3826]. Implementations
MAY also provide support for the Transport Security Model (TSM)
[RFC5591] in combination with a secure transport such as SSH
[RFC5592] or TLS/DTLS [RFC6353].
Implementations SHOULD provide the security features described by the
SNMPv3 framework (see [RFC3410]), and implementations claiming
compliance to the SNMPv3 standard MUST include full support for
authentication and privacy via the User-based Security Model (USM)
[RFC3414] with the AES cipher algorithm [RFC3826]. Implementations
MAY also provide support for the Transport Security Model (TSM)
[RFC5591] in combination with a secure transport such as SSH
[RFC5592] or TLS/DTLS [RFC6353].
Further, deployment of SNMP versions prior to SNMPv3 is NOT RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to enable cryptographic security. It is then a customer/operator responsibility to ensure that the SNMP entity giving access to an instance of this MIB module is properly configured to give access to the objects only to those principals (users) that have legitimate rights to indeed GET or SET (change/create/delete) them.
此外,不建议部署SNMPv3之前的SNMP版本。相反,建议部署SNMPv3并启用加密安全性。然后,客户/运营商应负责确保授予访问此MIB模块实例权限的SNMP实体已正确配置为仅授予那些拥有确实获取或设置(更改/创建/删除)对象的合法权限的主体(用户)访问对象。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,DOI 10.17487/RFC2119,1997年3月<https://www.rfc-editor.org/info/rfc2119>.
[RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, DOI 10.17487/RFC2578, April 1999, <https://www.rfc-editor.org/info/rfc2578>.
[RFC2578]McCloghrie,K.,Ed.,Perkins,D.,Ed.,和J.Schoenwaeld,Ed.“管理信息的结构版本2(SMIv2)”,STD 58,RFC 2578,DOI 10.17487/RFC2578,1999年4月<https://www.rfc-editor.org/info/rfc2578>.
[RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Textual Conventions for SMIv2", STD 58, RFC 2579, DOI 10.17487/RFC2579, April 1999, <https://www.rfc-editor.org/info/rfc2579>.
[RFC2579]McCloghrie,K.,Ed.,Perkins,D.,Ed.,和J.Schoenwaeld,Ed.“SMIv2的文本约定”,STD 58,RFC 2579,DOI 10.17487/RFC2579,1999年4月<https://www.rfc-editor.org/info/rfc2579>.
[RFC2580] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Conformance Statements for SMIv2", STD 58, RFC 2580, DOI 10.17487/RFC2580, April 1999, <https://www.rfc-editor.org/info/rfc2580>.
[RFC2580]McCloghrie,K.,Ed.,Perkins,D.,Ed.,和J.Schoenwaeld,Ed.“SMIv2的一致性声明”,STD 58,RFC 2580,DOI 10.17487/RFC2580,1999年4月<https://www.rfc-editor.org/info/rfc2580>.
[RFC2863] McCloghrie, K. and F. Kastenholz, "The Interfaces Group MIB", RFC 2863, DOI 10.17487/RFC2863, June 2000, <https://www.rfc-editor.org/info/rfc2863>.
[RFC2863]McCloghrie,K.和F.Kastenholz,“接口组MIB”,RFC 2863,DOI 10.17487/RFC2863,2000年6月<https://www.rfc-editor.org/info/rfc2863>.
[RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. Schoenwaelder, "Textual Conventions for Internet Network Addresses", RFC 4001, DOI 10.17487/RFC4001, February 2005, <https://www.rfc-editor.org/info/rfc4001>.
[RFC4001]Daniele,M.,Haberman,B.,Routhier,S.,和J.Schoenwaeld,“互联网网络地址的文本约定”,RFC 4001,DOI 10.17487/RFC4001,2005年2月<https://www.rfc-editor.org/info/rfc4001>.
[RFC7597] Troan, O., Ed., Dec, W., Li, X., Bao, C., Matsushima, S., Murakami, T., and T. Taylor, Ed., "Mapping of Address and Port with Encapsulation (MAP-E)", RFC 7597, DOI 10.17487/RFC7597, July 2015, <https://www.rfc-editor.org/info/rfc7597>.
[RFC7597]Troan,O.,Ed.,Dec,W.,Li,X.,Bao,C.,Matsushima,S.,Murakami,T.,和T.Taylor,Ed.,“地址和端口的封装映射(MAP-E)”,RFC 7597,DOI 10.17487/RFC7597,2015年7月<https://www.rfc-editor.org/info/rfc7597>.
[RFC7598] Mrugalski, T., Troan, O., Farrer, I., Perreault, S., Dec, W., Bao, C., Yeh, L., and X. Deng, "DHCPv6 Options for Configuration of Softwire Address and Port-Mapped Clients", RFC 7598, DOI 10.17487/RFC7598, July 2015, <https://www.rfc-editor.org/info/rfc7598>.
[RFC7598]Mrugalski,T.,Troan,O.,Farrer,I.,Perreault,S.,Dec,W.,Bao,C.,Yeh,L.,和X.Deng,“用于配置软线地址和端口映射客户端的DHCPv6选项”,RFC 7598,DOI 10.17487/RFC7598,2015年7月<https://www.rfc-editor.org/info/rfc7598>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8174]Leiba,B.,“RFC 2119关键词中大写与小写的歧义”,BCP 14,RFC 8174,DOI 10.17487/RFC8174,2017年5月<https://www.rfc-editor.org/info/rfc8174>.
[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, "Introduction and Applicability Statements for Internet-Standard Management Framework", RFC 3410, DOI 10.17487/RFC3410, December 2002, <https://www.rfc-editor.org/info/rfc3410>.
[RFC3410]Case,J.,Mundy,R.,Partain,D.,和B.Stewart,“互联网标准管理框架的介绍和适用性声明”,RFC 3410,DOI 10.17487/RFC3410,2002年12月<https://www.rfc-editor.org/info/rfc3410>.
[RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", STD 62, RFC 3414, DOI 10.17487/RFC3414, December 2002, <https://www.rfc-editor.org/info/rfc3414>.
[RFC3414]Blumenthal,U.和B.Wijnen,“简单网络管理协议(SNMPv3)版本3的基于用户的安全模型(USM)”,STD 62,RFC 3414,DOI 10.17487/RFC3414,2002年12月<https://www.rfc-editor.org/info/rfc3414>.
[RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie, "The Advanced Encryption Standard (AES) Cipher Algorithm in the SNMP User-based Security Model", RFC 3826, DOI 10.17487/RFC3826, June 2004, <https://www.rfc-editor.org/info/rfc3826>.
[RFC3826]Blumenthal,U.,Maino,F.,和K.McCloghrie,“基于SNMP用户的安全模型中的高级加密标准(AES)密码算法”,RFC 3826,DOI 10.17487/RFC3826,2004年6月<https://www.rfc-editor.org/info/rfc3826>.
[RFC5591] Harrington, D. and W. Hardaker, "Transport Security Model for the Simple Network Management Protocol (SNMP)", STD 78, RFC 5591, DOI 10.17487/RFC5591, June 2009, <https://www.rfc-editor.org/info/rfc5591>.
[RFC5591]Harrington,D.和W.Hardaker,“简单网络管理协议(SNMP)的传输安全模型”,STD 78,RFC 5591,DOI 10.17487/RFC55912009年6月<https://www.rfc-editor.org/info/rfc5591>.
[RFC5592] Harrington, D., Salowey, J., and W. Hardaker, "Secure Shell Transport Model for the Simple Network Management Protocol (SNMP)", RFC 5592, DOI 10.17487/RFC5592, June 2009, <https://www.rfc-editor.org/info/rfc5592>.
[RFC5592]Harrington,D.,Salowey,J.,和W.Hardaker,“简单网络管理协议(SNMP)的安全外壳传输模型”,RFC 5592,DOI 10.17487/RFC5592,2009年6月<https://www.rfc-editor.org/info/rfc5592>.
[RFC6353] Hardaker, W., "Transport Layer Security (TLS) Transport Model for the Simple Network Management Protocol (SNMP)", STD 78, RFC 6353, DOI 10.17487/RFC6353, July 2011, <https://www.rfc-editor.org/info/rfc6353>.
[RFC6353]Hardaker,W.“简单网络管理协议(SNMP)的传输层安全(TLS)传输模型”,STD 78,RFC 6353,DOI 10.17487/RFC6353,2011年7月<https://www.rfc-editor.org/info/rfc6353>.
Acknowledgements
致谢
The authors would like to thank the following individuals for their valuable comments: David Harrington, Mark Townsley, Shishio Tsuchiya, Yong Cui, Suresh Krishnan, Bert Wijnen, Ian Farrer, and Juergen Schoenwaelder.
作者要感谢以下个人的宝贵意见:大卫·哈林顿、马克·汤斯利、石狮村屋、崔勇、苏雷什·克里希南、伯特·维南、伊恩·法勒和尤尔根·舍恩瓦埃尔德。
Authors' Addresses
作者地址
Yu Fu CNNIC No. 4 South 4th Street, Zhongguancun Beijing 100190 China
中国北京中关村南四街4号裕富CNNIC 100190
Email: eleven711711@foxmail.com
Email: eleven711711@foxmail.com
Sheng Jiang Huawei Technologies Co., Ltd Q14, Huawei Campus, No. 156 Beiqing Road Hai-Dian District, Beijing 100095 China
中国北京海淀区北青路156号华为校园盛江华为技术有限公司Q14,邮编100095
Email: jiangsheng@huawei.com
Email: jiangsheng@huawei.com
Bing Liu Huawei Technologies Co., Ltd Q14, Huawei Campus, No. 156 Beiqing Road Hai-Dian District, Beijing 100095 China
刘冰华为技术有限公司中国北京市海淀区北青路156号华为校区Q14,邮编:100095
Email: leo.liubing@huawei.com
Email: leo.liubing@huawei.com
Jiang Dong Tsinghua University Department of Computer Science, Tsinghua University Beijing 100084 China
江东清华大学计算机科学系,清华大学北京100084
Email: knight.dongjiang@gmail.com
Email: knight.dongjiang@gmail.com
Yuchi Chen Tsinghua University Department of Computer Science, Tsinghua University Beijing 100084 China
清华大学计算机科学系,北京100084
Email: flashfoxmx@gmail.com
Email: flashfoxmx@gmail.com