SAVI C. An
Internet-Draft J. Yang
Intended status: Informational J. Wu
Expires: June 20, 2014 J. Bi
CERNET
December 17, 2013
Definition of Managed Objects for SAVI Protocol
draft-an-savi-mib-06
Abstract
This memo defines a portion of the Management Information Base (MIB)
for use with network management protocols in the Internet community.
In particular, it defines objects for managing SAVI (Source Address
Validation Improvements) protocol instance.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 20, 2014.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
An, et al. Expires June 20, 2014 [Page 1]
Internet-Draft SAVI-MIB December 2013
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. The Internet-Standard Management Framework . . . . . . . . . . 3
3. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3
4. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
5. Structure of the MIB Module . . . . . . . . . . . . . . . . . 4
5.1. The SAVI System Table . . . . . . . . . . . . . . . . . . 4
5.2. The SAVI Port Table . . . . . . . . . . . . . . . . . . . 5
5.3. The SAVI Binding Table . . . . . . . . . . . . . . . . . . 6
5.4. The SAVI Filtering Table . . . . . . . . . . . . . . . . . 7
6. Textual Conventions . . . . . . . . . . . . . . . . . . . . . 8
7. Relationship to Other MIB Modules . . . . . . . . . . . . . . 8
7.1. Relationship to the INET-ADDRESS-MIB . . . . . . . . . . . 8
7.2. Relationship to the IF-MIB . . . . . . . . . . . . . . . . 8
7.3. MIB modules required for IMPORTS . . . . . . . . . . . . . 9
8. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 9
9. Security Considerations . . . . . . . . . . . . . . . . . . . 23
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24
11. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 24
12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 24
12.1. Normative References . . . . . . . . . . . . . . . . . . . 24
12.2. Informative References . . . . . . . . . . . . . . . . . . 25
12.3. URL References . . . . . . . . . . . . . . . . . . . . . . 26
Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 26
Appendix B. Open Issues . . . . . . . . . . . . . . . . . . . . . 27
1. Introduction
The Source Address Validation Improvement (SAVI) protocol was developed
to complement ingress filtering with finer-grained, standardized IP
source address validation (see [RFC7039]). A SAVI protocol instance
sits on the path of hosts' packets, enforcing the hosts' use of
legitimate IP source addresses.
SAVI decides whether an address was legitimately obtained according to
the IP address assignment method in use on the link. For links using
Stateless Address Autoconfiguration (SLAAC), the Dynamic Host
Configuration Protocol (DHCP), and Secure Neighbor Discovery (SEND),
the process is defined in separate SAVI Working Group documents
([RFC6620], [I-D.ietf-savi-dhcp], [I-D.ietf-savi-send]).
This document defines a MIB module that can be used to manage the
SAVI protocol instance. It covers both configuration and status
monitoring aspects of SAVI implementations.
This document uses terminology from the SAVI Protocol specification.
2. The Internet-Standard Management Framework
For a detailed overview of the documents that describe the current
Internet-Standard Management Framework, please refer to section 7 of
RFC 3410 [RFC3410].
Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. MIB objects are generally
accessed through the Simple Network Management Protocol (SNMP).
Objects in the MIB are defined using the mechanisms defined in the
Structure of Management Information (SMI). This memo specifies a MIB
module that is compliant to the SMIv2, which is described in STD 58,
RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
[RFC2580].
3. Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
4. Overview
The SAVI Protocol MIB module (SAVI-MIB) conforms to the SAVI protocol
and is designed to:
o Support centralized management and monitoring of a SAVI protocol
instance via SNMP.
o Support configuration and querying of SAVI protocol parameters.
o Support configuration and querying of binding entries. Operators
may insert and delete manual binding entries.
o Support querying of filtering entries.
Based on the SAVI protocol, the attributes and objects of a SAVI
protocol instance fall into four categories:
o System attributes. These correspond to the SAVI protocol instance as
a whole, such as the IP address assignment method in use and the
protocol's timing constants.
o Anchor attributes. These correspond to a SAVI binding anchor, as
defined in [RFC7039].
o Binding Status Table. This table holds the state of each binding
between a source address and a binding anchor (refer to [RFC6620],
[I-D.ietf-savi-dhcp], [I-D.ietf-savi-send]).
o Filtering Table. This table holds the bindings between binding
anchor and address that are actually used to filter packets (refer to
[RFC6620], [I-D.ietf-savi-dhcp], [I-D.ietf-savi-send]).
A table is defined for each category.
5. Structure of the MIB Module
This section presents the structure of the SAVI-MIB module. The MIB
objects are derived from the SAVI protocol specification.
This MIB is composed of a series of tables meant to form the base for
managing SAVI entities. The following subsections describe all
tables in the SAVI MIB module.
5.1. The SAVI System Table
The SAVI System Table (saviObjectsSystemTable) contains the objects
corresponding to SAVI system-wide parameters. It supports the
configuration and collection of those parameters. There is one entry
for each IP version, IPv4 and IPv6. The table is indexed by:
o saviObjectsSystemIPVersion - The IP Version. A textual convention
InetVersion defined in RFC4001 is used to represent the different
version of IP protocol.
It contains the following objects:
o saviObjectsSystemMode - Which IP address assignment method the
link is running in (refer to [RFC7039]).
o saviObjectsSystemMaxDhcpResponseTime - A constant defined in SAVI
protocol (refer to [I-D.ietf-savi-dhcp]).
o saviObjectsSystemDataSnoopingInterval - A constant defined in SAVI
protocol (refer to [I-D.ietf-savi-dhcp]).
o saviObjectsSystemMaxLeaseQueryDelay - A constant defined in SAVI
protocol (refer to [I-D.ietf-savi-dhcp]).
o saviObjectsSystemOffLinkDelay - A constant defined in SAVI
protocol (refer to [I-D.ietf-savi-dhcp]).
o saviObjectsSystemDadTimeout - A constant defined in SAVI protocol
(refer to [I-D.ietf-savi-dhcp]).
o saviObjectsSystemTentLT - A constant defined in SAVI protocol
(refer to [RFC6620]).
o saviObjectsSystemDefaultLT - A constant defined in SAVI protocol
(refer to [RFC6620]).
o saviObjectsSystemTWAIT - A constant defined in SAVI protocol
(refer to [RFC6620]).
The MAX-ACCESS of these objects is read-write. Network operators
configure the instance by setting them.
5.2. The SAVI Port Table
The SAVI Port Table (saviObjectsPortTable) contains the objects
corresponding to the SAVI running parameters of each anchor. It
supports the configuration and collection of the SAVI parameters of
each anchor.
There is an entry for each anchor (interface) and IP version, IPv4 and
IPv6. The table is indexed by:
o saviObjectsPortIPVersion - The IP Version.
o saviObjectsPortIfIndex - The index value that uniquely identifies
the interface to which this entry is applicable.
It contains the following objects:
o saviObjectsPortValidatingAttr - An attribute defined in SAVI
protocol (refer to [I-D.ietf-savi-dhcp]).
o saviObjectsPortDhcpTrustAttr - An attribute defined in SAVI
protocol (refer to [I-D.ietf-savi-dhcp]).
o saviObjectsPortTrustAttr - An attribute defined in SAVI protocol
(refer to [I-D.ietf-savi-dhcp]).
o saviObjectsPortDhcpSnoopingAttr - An attribute defined in SAVI
protocol (refer to [I-D.ietf-savi-dhcp]).
o saviObjectsPortDataSnoopingAttr - An attribute defined in SAVI
protocol (refer to [I-D.ietf-savi-dhcp]).
o saviObjectsPortFilteringNum - The max filtering number of the
Port.
The MAX-ACCESS of these objects is read-write. Network operators
configure each anchor by setting them.
5.3. The SAVI Binding Table
The SAVI Binding Table (saviObjectsBindingTable) contains the objects
corresponding to the Binding State Table (BST) defined in the SAVI
protocol. It holds the binding parameters and state of each binding
entry and supports the collection of binding entries. An entry can be
inserted or deleted through SNMP only if it is a manual binding entry.
The table is indexed by:
o saviObjectsBindingIpAddressType - IP address type. A textual
convention InetAddressType defined in RFC4001 is used to represent
the different kind of IP address.
o saviObjectsBindingType - which IP address assignment method is
used to create the binding entry - manual(1), slaac(2), dhcp(3),
send(4).
o saviObjectsBindingIfIndex - The index value that uniquely
identifies the interface to which this entry is applicable.
o saviObjectsBindingIpAddress - The binding source IP address. A
textual convention InetAddress defined in RFC4001 is used to
define this object.
The SAVI Binding Table contains the following objects:
o saviObjectsBindingMacAddr - The binding source mac address.
o saviObjectsBindingState - The state of the binding entry.
o saviObjectsBindingLifetime - The remaining lifetime of the entry.
o saviObjectsBindingCreationtime - The value of the local clock when
the entry was first created.
o saviObjectsBindingTID - The Transaction ID (TID) (refer to RFC2131
and RFC3315) of the corresponding DHCP transaction.
o saviObjectsBindingRowStatus - The status of this row, by which new
entries may be created, or old entries be deleted from this table.
As defined in RFC2579, the RowStatus textual convention is used to
manage the creation and deletion of conceptual rows. For SAVI
Binding Table, an entry can be created or deleted only when
saviObjectsBindingType=manual.
The MAX-ACCESS of these objects is read-create. Network operators
create or delete a manual entry by setting saviObjectsBindingRowStatus.
5.4. The SAVI Filtering Table
The SAVI Filtering Table (saviObjectsFilteringTable) contains the
objects corresponding to the Filtering Table (FT) defined in the SAVI
protocol. It supports the collection of filtering entries and is
read-only.
The table is indexed by:
o saviObjectsFilteringIpAddressType - IP address type.
o saviObjectsFilteringIfIndex - The index value that uniquely
identifies the interface to which this entry is applicable.
o saviObjectsFilteringIpAddress - The source IP address.
It contains the following objects:
o saviObjectsFilteringMacAddr - The source mac address.
The MAX-ACCESS of the object is READ-ONLY.
6. Textual Conventions
The SAVI-MIB module relies on the following imported definitions.
The MODULE-COMPLIANCE and OBJECT-GROUP macros are imported from
SNMPv2-CONF [RFC2580]. The MODULE-IDENTITY, OBJECT-IDENTITY and
OBJECT-TYPE macros and the Unsigned32 type are imported from SNMPv2-SMI
[RFC2578].
The MacAddress, TimeInterval, DateAndTime and RowStatus textual
conventions are imported from SNMPv2-TC [RFC2579].
The InetVersion, InetAddressType and InetAddress textual conventions
are imported from INET-ADDRESS-MIB [RFC4001].
The InterfaceIndex textual convention is imported from IF-MIB
[RFC2863].
The ip object identifier, under which this module is registered, is
imported from IP-MIB [RFC4293].
7. Relationship to Other MIB Modules
7.1. Relationship to the INET-ADDRESS-MIB
To support extensibility, RFC 4001 [RFC4001] defines textual
conventions that represent IP versions and IP addresses of different
families in a uniform way. The InetVersion textual convention
identifies the IP version. A generic Internet address is represented
by a pair of objects: the first has the syntax InetAddressType and the
second has the syntax InetAddress; the value of the first determines
how the value of the second is encoded.
Because the SAVI running mode and parameters are configured
independently for IPv4 and IPv6, a separate row (OID instance) exists
for each IP version. Where an IP address forms part of the index of
the binding and filtering tables, it is represented with the
INET-ADDRESS-MIB textual conventions.
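As an added illustration of the indexing described in Section 5.3 and in this section (example code written for this page, not part of the draft or of any SAVI implementation): the script below builds the instance-identifier suffix of a saviObjectsBindingEntry row following the RFC 2578 index rules, encoding the InetAddress index as its octet count followed by its octets because it is variable-length and not IMPLIED, and models the rule that only manual(1) bindings may be created or destroyed through saviObjectsBindingRowStatus. The BindingTable class, the Row record and the SNMP error-status strings are this example's own constructs; the enumeration values come from the draft, RFC 4001 and RFC 2579.

```python
"""saviObjectsBindingTable: index encoding and RowStatus handling.

Added example for this page, not part of the draft.  Models how a SAVI
agent would (a) form the instance identifier of a binding row and
(b) accept or reject a SET on saviObjectsBindingRowStatus.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Enumeration values taken from the draft and from RFC 4001 / RFC 2579.
INET_IPV4, INET_IPV6 = 1, 2              # InetAddressType
MANUAL, SLAAC, DHCP, SEND = 1, 2, 3, 4   # saviObjectsBindingType
BOUND_OR_VALID = 3                       # saviObjectsBindingState
CREATE_AND_GO, DESTROY = 4, 6            # RowStatus
INFINITE_LIFETIME = 2147483647           # TimeInterval maximum; "infinity" for manual rows


def binding_index(addr: str, binding_type: int, if_index: int) -> tuple:
    """Instance-identifier sub-ids for one saviObjectsBindingEntry row.

    INDEX { IpAddressType, Type, IfIndex, IpAddress }: the first three
    index objects are fixed-length and contribute one sub-id each; the
    InetAddress is variable-length and not IMPLIED, so RFC 2578 section
    7.7 encodes it as its octet count followed by one sub-id per octet.
    """
    ip = ipaddress.ip_address(addr)
    atype = INET_IPV4 if ip.version == 4 else INET_IPV6
    octets = ip.packed
    return (atype, binding_type, if_index, len(octets)) + tuple(octets)


def parse_binding_index(subids: tuple) -> tuple:
    """Inverse of binding_index(); raises ValueError on a malformed suffix."""
    atype, btype, ifidx, n, *rest = subids
    if len(rest) != n or (atype, n) not in ((INET_IPV4, 4), (INET_IPV6, 16)):
        raise ValueError("InetAddress length does not match InetAddressType")
    return str(ipaddress.ip_address(bytes(rest))), btype, ifidx


@dataclass
class Row:
    """Non-index columns of a binding entry (hypothetical record, not a MIB object)."""
    mac: bytes
    state: int
    lifetime: int


class BindingTable:
    """In-memory Binding State Table keyed by the instance-identifier tuple."""

    def __init__(self) -> None:
        self.rows: dict = {}

    def learn(self, addr: str, binding_type: int, if_index: int,
              mac: bytes, lifetime: int) -> None:
        """Entry created by the SAVI engine itself (slaac/dhcp/send snooping)."""
        self.rows[binding_index(addr, binding_type, if_index)] = Row(mac, BOUND_OR_VALID, lifetime)

    def set_row_status(self, index: tuple, status: int,
                       mac: Optional[bytes] = None) -> str:
        """Handle a SET on saviObjectsBindingRowStatus; returns the SNMP error-status name."""
        _, btype, _ = parse_binding_index(index)
        if btype != MANUAL:
            # Section 5.3: rows may be created or deleted only when the
            # binding type is manual(1); protocol-learned rows are read-only.
            return "noCreation" if status == CREATE_AND_GO else "inconsistentValue"
        if status == CREATE_AND_GO:
            if index in self.rows or mac is None or len(mac) != 6:
                return "inconsistentValue"   # duplicate row, or MacAddress not SIZE(6)
            self.rows[index] = Row(mac, BOUND_OR_VALID, INFINITE_LIFETIME)
            return "noError"
        if status == DESTROY:
            self.rows.pop(index, None)      # RFC 2579: destroying an absent row succeeds
            return "noError"
        return "wrongValue"                 # other RowStatus values not supported here
```

A real agent applies the same manual-only check in its SET handler before touching the BST. The index helper is equally useful on the manager side: because the address lives in the instance identifier rather than in a value, a GET for one binding's MAC or lifetime needs exactly this suffix appended to the column OID.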
7.2. Relationship to the IF-MIB
The Interfaces MIB [RFC2863] defines generic managed objects for
managing interfaces. This document contains the interface-specific
extensions for managing SAVI anchors that are modeled as interfaces.
The IF-MIB module is required to be supported on the SAVI device.
The interface MUST be modeled as an ifEntry, and ifEntry objects such
as ifIndex are to be used as per [RFC2863].
An ifIndex [RFC2863] is used as a common index for interfaces in the
SAVI-MIB modules.
7.3. MIB modules required for IMPORTS
The SAVI MIB module IMPORTS definitions from SNMPv2-SMI [RFC2578],
SNMPv2-TC [RFC2579], SNMPv2-CONF [RFC2580], IF-MIB [RFC2863],
INET-ADDRESS-MIB [RFC4001] and IP-MIB [RFC4293].
8. Definitions
SAVI-MIB DEFINITIONS ::=BEGIN
IMPORTS
MODULE-COMPLIANCE,OBJECT-GROUP
FROM SNMPv2-CONF --RFC2580
MODULE-IDENTITY, OBJECT-IDENTITY, OBJECT-TYPE, Unsigned32
FROM SNMPv2-SMI --RFC2578
-- DateAndTime is used by saviObjectsBindingCreationtime and must be imported;
-- TEXTUAL-CONVENTION is not used in this module and is not imported.
MacAddress,TimeInterval,DateAndTime,RowStatus
FROM SNMPv2-TC --RFC2579
InterfaceIndex
FROM IF-MIB --RFC2863
InetVersion,InetAddressType,InetAddress
FROM INET-ADDRESS-MIB --RFC4001
ip
FROM IP-MIB --RFC4293
;
saviMIB MODULE-IDENTITY
LAST-UPDATED "201312170037Z" --Dec 17,2013
ORGANIZATION
"IETF SAVI Working Group"
CONTACT-INFO
"WG charter:
http://datatracker.ietf.org/wg/savi/charter/
Editor:
Changqing An
CERNET
Postal: Network Research Center, Tsinghua University
Beijing 100084
China
Email: acq@cernet.edu.cn
Jiahai Yang
CERNET
Postal: Network Research Center, Tsinghua University
Beijing 100084
China
Email: yang@cernet.edu.cn
"
DESCRIPTION
"This MIB Module is designed to support configuration
and monitoring of SAVI protocol.
"
REVISION "201312170037Z"
DESCRIPTION
"Initial version"
::= {ip xxx}
saviObjects OBJECT IDENTIFIER ::= { saviMIB 1 }
-- System parameters for SAVI protocol
saviObjectsSystemTable OBJECT-TYPE
SYNTAX SEQUENCE OF SaviObjectsSystemEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The table containing savi system-wide parameters."
::= { saviObjects 1 }
saviObjectsSystemEntry OBJECT-TYPE
SYNTAX SaviObjectsSystemEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry containing savi system-wide parameters for a
particular IP version.
"
INDEX { saviObjectsSystemIPVersion }
::= { saviObjectsSystemTable 1 }
SaviObjectsSystemEntry ::=
SEQUENCE {
saviObjectsSystemIPVersion InetVersion,
saviObjectsSystemMode INTEGER,
saviObjectsSystemMaxDhcpResponseTime TimeInterval,
saviObjectsSystemDataSnoopingInterval TimeInterval,
saviObjectsSystemMaxLeaseQueryDelay TimeInterval,
saviObjectsSystemOffLinkDelay TimeInterval,
saviObjectsSystemDadTimeout TimeInterval,
saviObjectsSystemTentLT TimeInterval,
saviObjectsSystemDefaultLT TimeInterval,
saviObjectsSystemTWAIT TimeInterval
}
saviObjectsSystemIPVersion OBJECT-TYPE
SYNTAX InetVersion
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The IP version "
::= { saviObjectsSystemEntry 1 }
saviObjectsSystemMode OBJECT-TYPE
SYNTAX INTEGER {
savi-disable(1),
savi-default(2),
savi-dhcp-only(3),
savi-slaac-only(4),
savi-dhcp-slaac-mix(5),
savi-send(6)
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"IP Address Assignment Methods. "
::= { saviObjectsSystemEntry 2 }
saviObjectsSystemMaxDhcpResponseTime OBJECT-TYPE
SYNTAX TimeInterval
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"A constant.
TimeInterval is defined in RFC 2579, it's a period of time,
measured in units of 0.01 seconds,
and the value is (0..2147483647).
"
::= { saviObjectsSystemEntry 3 }
saviObjectsSystemDataSnoopingInterval OBJECT-TYPE
SYNTAX TimeInterval
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"A constant.
TimeInterval is defined in RFC 2579, it's a period of time,
measured in units of 0.01 seconds,
and the value is (0..2147483647).
"
::= { saviObjectsSystemEntry 4 }
saviObjectsSystemMaxLeaseQueryDelay OBJECT-TYPE
SYNTAX TimeInterval
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"A constant.
TimeInterval is defined in RFC 2579, it's a period of time,
measured in units of 0.01 seconds,
and the value is (0..2147483647).
"
::= { saviObjectsSystemEntry 5 }
saviObjectsSystemOffLinkDelay OBJECT-TYPE
SYNTAX TimeInterval
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"A constant.
TimeInterval is defined in RFC 2579, it's a period of time,
measured in units of 0.01 seconds,
and the value is (0..2147483647).
"
::= { saviObjectsSystemEntry 6 }
saviObjectsSystemDadTimeout OBJECT-TYPE
SYNTAX TimeInterval
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"A constant.
TimeInterval is defined in RFC 2579, it's a period of time,
measured in units of 0.01 seconds,
and the value is (0..2147483647).
"
::= { saviObjectsSystemEntry 7 }
saviObjectsSystemTentLT OBJECT-TYPE
SYNTAX TimeInterval
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"A constant.
TimeInterval is defined in RFC 2579, it's a period of time,
measured in units of 0.01 seconds,
and the value is (0..2147483647).
"
::= { saviObjectsSystemEntry 8 }
saviObjectsSystemDefaultLT OBJECT-TYPE
SYNTAX TimeInterval
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"A constant.
TimeInterval is defined in RFC 2579, it's a period of time,
measured in units of 0.01 seconds,
and the value is (0..2147483647).
"
::= { saviObjectsSystemEntry 9 }
saviObjectsSystemTWAIT OBJECT-TYPE
SYNTAX TimeInterval
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"A constant.
TimeInterval is defined in RFC 2579, it's a period of time,
measured in units of 0.01 seconds,
and the value is (0..2147483647).
"
::= { saviObjectsSystemEntry 10 }
-- Port parameters for SAVI protocol
saviObjectsPortTable OBJECT-TYPE
SYNTAX SEQUENCE OF SaviObjectsPortEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The table containing SAVI parameters of each anchor."
::= { saviObjects 2 }
saviObjectsPortEntry OBJECT-TYPE
SYNTAX SaviObjectsPortEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry containing SAVI running parameters of an anchor."
INDEX {
saviObjectsPortIPVersion,
saviObjectsPortIfIndex
}
::= { saviObjectsPortTable 1 }
SaviObjectsPortEntry ::=
SEQUENCE {
saviObjectsPortIPVersion InetVersion,
saviObjectsPortIfIndex InterfaceIndex,
saviObjectsPortValidatingAttr INTEGER,
saviObjectsPortDhcpTrustAttr INTEGER,
saviObjectsPortTrustAttr INTEGER,
saviObjectsPortDhcpSnoopingAttr INTEGER,
saviObjectsPortDataSnoopingAttr INTEGER,
saviObjectsPortFilteringNum Unsigned32
}
saviObjectsPortIPVersion OBJECT-TYPE
SYNTAX InetVersion
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The IP version "
::= { saviObjectsPortEntry 1 }
saviObjectsPortIfIndex OBJECT-TYPE
SYNTAX InterfaceIndex
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The index value that uniquely identifies the interface to
which this entry is applicable. The interface identified by
a particular value of this index is the same interface as
identified by the same value of the IF-MIB's ifIndex.
"
::= { saviObjectsPortEntry 2 }
saviObjectsPortValidatingAttr OBJECT-TYPE
SYNTAX INTEGER {
enable(1),
disable(2)
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"An attribute defined in SAVI protocol.
enable(1), the attribute is set.
disable(2), the attribute is not set.
"
::= { saviObjectsPortEntry 3 }
saviObjectsPortDhcpTrustAttr OBJECT-TYPE
SYNTAX INTEGER {
enable(1),
disable(2)
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"An attribute defined in SAVI protocol.
enable(1), the attribute is set.
disable(2), the attribute is not set.
"
::= { saviObjectsPortEntry 4 }
saviObjectsPortTrustAttr OBJECT-TYPE
SYNTAX INTEGER {
enable(1),
disable(2)
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"An attribute defined in SAVI protocol.
enable(1), the attribute is set.
disable(2), the attribute is not set.
"
::= { saviObjectsPortEntry 5 }
saviObjectsPortDhcpSnoopingAttr OBJECT-TYPE
SYNTAX INTEGER {
enable(1),
disable(2)
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"An attribute defined in SAVI protocol.
enable(1), the attribute is set.
disable(2), the attribute is not set.
"
::= { saviObjectsPortEntry 6 }
saviObjectsPortDataSnoopingAttr OBJECT-TYPE
SYNTAX INTEGER {
enable(1),
disable(2)
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"An attribute defined in SAVI protocol.
enable(1), the attribute is set.
disable(2), the attribute is not set.
"
::= { saviObjectsPortEntry 7 }
saviObjectsPortFilteringNum OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The max filtering number of the Port."
::= { saviObjectsPortEntry 8 }
-- Binding Status Table for SAVI protocol
saviObjectsBindingTable OBJECT-TYPE
SYNTAX SEQUENCE OF SaviObjectsBindingEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The table containing the state of binding
between source address and anchor.
"
::= { saviObjects 3 }
saviObjectsBindingEntry OBJECT-TYPE
SYNTAX SaviObjectsBindingEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry containing the state of binding between source
address and anchor.
Entries are keyed on the source IP address type,
binding type, anchor, and source IP address.
"
INDEX {
saviObjectsBindingIpAddressType,
saviObjectsBindingType,
saviObjectsBindingIfIndex,
saviObjectsBindingIpAddress
}
::= { saviObjectsBindingTable 1 }
SaviObjectsBindingEntry ::=
SEQUENCE {
saviObjectsBindingIpAddressType InetAddressType,
saviObjectsBindingType INTEGER,
saviObjectsBindingIfIndex InterfaceIndex,
saviObjectsBindingIpAddress InetAddress,
saviObjectsBindingMacAddr MacAddress,
saviObjectsBindingState INTEGER,
saviObjectsBindingLifetime TimeInterval,
saviObjectsBindingCreationtime DateAndTime,
saviObjectsBindingTID INTEGER,
saviObjectsBindingRowStatus RowStatus
}
saviObjectsBindingIpAddressType OBJECT-TYPE
SYNTAX InetAddressType
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"IP address type of the binding source IP."
::= { saviObjectsBindingEntry 1 }
saviObjectsBindingType OBJECT-TYPE
SYNTAX INTEGER {
manual(1),
slaac(2),
dhcp(3),
send(4)
}
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"IP address assignment methods."
::= { saviObjectsBindingEntry 2 }
saviObjectsBindingIfIndex OBJECT-TYPE
SYNTAX InterfaceIndex
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The index value that uniquely identifies the interface to
which this entry is applicable. The interface identified by
a particular value of this index is the same interface as
identified by the same value of the IF-MIB's ifIndex.
"
::= { saviObjectsBindingEntry 3 }
saviObjectsBindingIpAddress OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The binding source IP address"
::= { saviObjectsBindingEntry 4 }
saviObjectsBindingMacAddr OBJECT-TYPE
SYNTAX MacAddress
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The binding source mac address."
::= { saviObjectsBindingEntry 5 }
saviObjectsBindingState OBJECT-TYPE
SYNTAX INTEGER {
-- Labels renamed from NO_BIND, INIT_BIND_OR_TENTATIVE, BOUND_OR_VALID,
-- TESTING_TP-LT and TESTING_VP: RFC 2578 section 7.1.1 requires an
-- enumeration label to start with a lowercase letter and to contain only
-- letters, digits and hyphens, so the underscored forms do not compile.
noBind(1),
initBindOrTentative(2),
boundOrValid(3),
testingTpLt(4),
testingVp(5)
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The state of the binding entry. "
::= { saviObjectsBindingEntry 6 }
saviObjectsBindingLifetime OBJECT-TYPE
SYNTAX TimeInterval
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The remaining lifetime of the entry.
TimeInterval is defined in RFC 2579, it's a period of time,
measured in units of 0.01 seconds,
and the value is (0..2147483647).
If saviObjectsBindingType=manual, a value of 2147483647
represents infinity.
"
::= { saviObjectsBindingEntry 7 }
saviObjectsBindingCreationtime OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The value of the local clock when the entry was first created.
"
::= { saviObjectsBindingEntry 8 }
saviObjectsBindingTID OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The Transaction ID (TID) of the DHCP transaction that created this
binding: the 32-bit xid of DHCPv4 (RFC 2131) or the 24-bit
transaction-id of DHCPv6 (RFC 3315). Meaningful only when
saviObjectsBindingType is dhcp(3).
"
::= { saviObjectsBindingEntry 9 }
saviObjectsBindingRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The status of this row, by which new entries may be
created, or old entries deleted from this table.
An Entry can be created or deleted only when
saviObjectsBindingType=manual.
"
::= { saviObjectsBindingEntry 10 }
-- Filtering Table for SAVI protocol
saviObjectsFilteringTable OBJECT-TYPE
SYNTAX SEQUENCE OF SaviObjectsFilteringEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The table containing the filtering entries."
::= { saviObjects 4 }
saviObjectsFilteringEntry OBJECT-TYPE
SYNTAX SaviObjectsFilteringEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry containing the filtering parameters.
Entries are keyed on the source IP address type,
anchor, and source IP address.
"
INDEX { saviObjectsFilteringIpAddressType,
saviObjectsFilteringIfIndex,
saviObjectsFilteringIpAddress
}
::= { saviObjectsFilteringTable 1 }
SaviObjectsFilteringEntry ::=
SEQUENCE {
saviObjectsFilteringIpAddressType InetAddressType,
saviObjectsFilteringIfIndex InterfaceIndex,
saviObjectsFilteringIpAddress InetAddress,
saviObjectsFilteringMacAddr MacAddress
}
saviObjectsFilteringIpAddressType OBJECT-TYPE
SYNTAX InetAddressType
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"IP address type of the filtering source IP"
::= { saviObjectsFilteringEntry 1 }
saviObjectsFilteringIfIndex OBJECT-TYPE
SYNTAX InterfaceIndex
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The index value that uniquely identifies the interface to
which this entry is applicable. The interface identified by
a particular value of this index is the same interface as
identified by the same value of the IF-MIB's ifIndex.
"
::= { saviObjectsFilteringEntry 2 }
saviObjectsFilteringIpAddress OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The filtering source IP address."
::= { saviObjectsFilteringEntry 3 }
saviObjectsFilteringMacAddr OBJECT-TYPE
SYNTAX MacAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The filtering source mac address."
::= { saviObjectsFilteringEntry 4 }
-- Conformance information
saviConformance OBJECT IDENTIFIER ::= { saviMIB 2 }
saviCompliances OBJECT IDENTIFIER ::= { saviConformance 1 }
-- Compliance statements
saviCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for entities which implement SAVI
protocol.
"
MODULE
MANDATORY-GROUPS {
systemGroup,
portGroup,
bindingGroup,
filteringGroup
}
::= { saviCompliances 1}
saviGroups OBJECT IDENTIFIER ::= { saviConformance 2 }
--Units of conformance
systemGroup OBJECT-GROUP
OBJECTS {
saviObjectsSystemMode,
saviObjectsSystemMaxDhcpResponseTime,
saviObjectsSystemDataSnoopingInterval,
saviObjectsSystemMaxLeaseQueryDelay,
saviObjectsSystemOffLinkDelay,
saviObjectsSystemDadTimeout,
saviObjectsSystemTentLT,
saviObjectsSystemDefaultLT,
saviObjectsSystemTWAIT
}
STATUS current
DESCRIPTION
"The system group contains objects corresponding to SAVI system
parameters.
"
::= {saviGroups 1}
portGroup OBJECT-GROUP
OBJECTS {
saviObjectsPortValidatingAttr,
saviObjectsPortDhcpTrustAttr,
saviObjectsPortTrustAttr,
saviObjectsPortDhcpSnoopingAttr,
saviObjectsPortDataSnoopingAttr,
saviObjectsPortFilteringNum
}
STATUS current
DESCRIPTION
"The port group contains objects corresponding to the SAVI running
parameters of each anchor.
"
::= {saviGroups 2}
bindingGroup OBJECT-GROUP
OBJECTS {
saviObjectsBindingMacAddr,
saviObjectsBindingState,
saviObjectsBindingLifetime,
saviObjectsBindingCreationtime,
saviObjectsBindingTID,
saviObjectsBindingRowStatus
}
STATUS current
DESCRIPTION
"The binding group contains the binding
information of anchor and source IP address.
"
::= {saviGroups 3}
filteringGroup OBJECT-GROUP
OBJECTS {
saviObjectsFilteringMacAddr
}
STATUS current
DESCRIPTION
"The filtering group contains the filtering
information of anchor and source IP address.
"
::= {saviGroups 4}
END
9. Security Considerations
There are a number of management objects defined in this MIB module
with a MAX-ACCESS clause of read-write and/or read-create. Such
objects may be considered sensitive or vulnerable in some network
environments. The support for SET operations in a non-secure
environment without proper protection can have a negative effect on
network operations. These are the tables and objects and their
sensitivity/vulnerability:
o saviObjectsSystemTable - Unauthorized changes to the writable
objects under saviObjectsSystemTable MAY disrupt allocation of
resources in the network. For example, a SET operation that changes
a device's SAVI system mode to SAVI-DISABLE turns validation off and
gives an attacker the chance to spoof IP source addresses.
o saviObjectsPortTable - Unauthorized changes to the writable
objects under saviObjectsPortTable MAY disrupt allocation of
resources in the network. For example, a SET operation that changes
an anchor's ValidatingAttr to DISABLE gives an attacker the chance
to spoof IP source addresses on that anchor.
o saviObjectsBindingTable - Unauthorized changes to the writable
objects under this table MAY disrupt allocation of resources in
the network. For example, a manual binding entry inserted into the
BST gives an attacker the chance to spoof IP source addresses.
Some of the readable objects in this MIB module (i.e., objects with a
MAX-ACCESS other than not-accessible) may be considered sensitive or
vulnerable in some network environments. It is thus important to
control even GET and/or NOTIFY access to these objects and possibly
to even encrypt the values of these objects when sending them over
the network via SNMP. These are the tables and objects and their
sensitivity/vulnerability:
o saviObjectsBindingTable, saviObjectsFilteringTable - The IP
address and binding anchor information could assist some attacks.
SNMP versions prior to SNMPv3 did not include adequate security.
Even if the network itself is secure (for example by using IPsec),
there is no control as to who on the secure network is allowed to
access and GET/SET (read/change/create/delete) the objects in this
MIB module.
It is RECOMMENDED that implementers consider the security features as
provided by the SNMPv3 framework (see [RFC3410], section 8),
including full support for the SNMPv3 cryptographic mechanisms (for
authentication and privacy).
Further, deployment of SNMP versions prior to SNMPv3 is NOT
RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
enable cryptographic security. It is then a customer/operator
responsibility to ensure that the SNMP entity giving access to an
instance of this MIB module is properly configured to give access to
the objects only to those principals (users) that have legitimate
rights to indeed GET or SET (change/create/delete) them.
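The SNMPv3 recommendation above is only as strong as the agent's access
configuration. As an added example (not part of this draft, and not
code from the SAVI project), the following Python script audits a
net-snmp style snmpd.conf for directives that contradict it: SNMPv1/v2c
community access, SNMPv3 users granted access below authPriv, and users
created with legacy MD5/DES. The directive syntax follows net-snmp's
snmpd.conf (rocommunity/rwcommunity, rouser/rwuser, createUser); the
classic com2sec/group/access VACM form is deliberately not parsed. The
sample configuration, user names and passphrase placeholders are
constructed for illustration.

```python
# Added example: audit a net-snmp style snmpd.conf against the SNMPv3
# (authPriv, least-access) recommendations of the Security Considerations.
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    line_no: int
    severity: str      # "high", "medium" or "low"
    directive: str
    message: str


# Community-based (SNMPv1/v2c) access: no authentication or privacy at all.
_COMMUNITY_DIRECTIVES = {
    "rocommunity": "read", "rocommunity6": "read",
    "rwcommunity": "write", "rwcommunity6": "write",
}
# SNMPv3 user access; net-snmp's default minimum level is "auth" when no
# level keyword follows the user name (rwuser USER [noauth|auth|priv ...]).
_USER_DIRECTIVES = {"rouser": "read", "rwuser": "write"}
_LEVELS = ("noauth", "auth", "priv")


def audit_snmpd_conf(text: str) -> List[Finding]:
    """Return one Finding per directive that weakens SNMP access control."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        tokens = line.split()
        directive = tokens[0].lower()
        args = [t.lower() for t in tokens[1:]]

        if directive in _COMMUNITY_DIRECTIVES:
            mode = _COMMUNITY_DIRECTIVES[directive]
            impact = ("SET on writable SAVI objects is possible" if mode == "write"
                      else "binding and filtering tables are readable")
            findings.append(Finding(
                line_no, "high" if mode == "write" else "medium", directive,
                f"community-based {mode} access: SNMPv1/v2c carries no "
                f"authentication, so {impact} by anyone holding the string"))
        elif directive in _USER_DIRECTIVES:
            mode = _USER_DIRECTIVES[directive]
            level = args[1] if len(args) > 1 and args[1] in _LEVELS else "auth"
            if level == "noauth":
                findings.append(Finding(
                    line_no, "high", directive,
                    f"SNMPv3 {mode} access with no authentication"))
            elif level == "auth":
                findings.append(Finding(
                    line_no, "medium", directive,
                    f"SNMPv3 {mode} access at authNoPriv: object values such "
                    "as binding table contents travel unencrypted; use 'priv'"))
        elif directive == "createuser":
            # createUser NAME [MD5|SHA] AUTHPASS [DES|AES] PRIVPASS
            if "md5" in args or "des" in args:
                findings.append(Finding(
                    line_no, "low", directive,
                    "user created with legacy MD5/DES; prefer SHA and AES"))
            if not any(a == "des" or a.startswith("aes") for a in args):
                findings.append(Finding(
                    line_no, "medium", directive,
                    "user has no privacy key, so it cannot be granted 'priv'"))
    return findings


def is_hardened(text: str) -> bool:
    """True when no high or medium finding remains (low = advisory only)."""
    return not any(f.severity in ("high", "medium")
                   for f in audit_snmpd_conf(text))


# Constructed sample configuration (not a real device's configuration).
SAMPLE_SNMPD_CONF = """\
# constructed sample snmpd.conf
rocommunity public 192.0.2.0/24
rwcommunity private
createUser saviadmin SHA "auth-pass-placeholder" AES "priv-pass-placeholder"
rwuser saviadmin priv
createUser legacy MD5 "auth-pass-placeholder" DES "priv-pass-placeholder"
rouser legacy auth
rouser guest noauth
"""

if __name__ == "__main__":
    for f in audit_snmpd_conf(SAMPLE_SNMPD_CONF):
        print(f"line {f.line_no:>3} [{f.severity:<6}] {f.directive}: {f.message}")
    print("hardened:", is_hardened(SAMPLE_SNMPD_CONF))
```

Run against the sample, the audit flags the two community strings, the
noauth read user, the authNoPriv read user and the MD5/DES user, while
the authPriv `saviadmin` user passes; only a configuration with no high
or medium finding is reported as hardened.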
10. IANA Considerations
The MIB module in this document uses the following IANA-assigned
OBJECT IDENTIFIER values recorded in the SMI Numbers registry:
Descriptor OBJECT IDENTIFIER value
---------- -----------------------
SAVI-MIB { ip XXX }
11. Contributors
12. References
12.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to
Indicate Requirement Levels", BCP 14, RFC 2119,
March 1997.
[RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J.
Schoenwaelder, Ed., "Structure of Management
Information Version 2 (SMIv2)", STD 58,
RFC 2578, April 1999.
[RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J.
Schoenwaelder, Ed., "Textual Conventions for
SMIv2", STD 58, RFC 2579, April 1999.
[RFC2580] McCloghrie, K., Perkins, D., and J.
Schoenwaelder, "Conformance Statements for
SMIv2", STD 58, RFC 2580, April 1999.
[RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
Schoenwaelder, "Textual Conventions for
Internet Network Addresses", RFC 4001,
February 2005.
[RFC6620] Nordmark, E., Bagnulo, M., and E. Levy-
Abegnoli, "FCFS SAVI: First-Come, First-Served
Source Address Validation Improvement for
Locally Assigned IPv6 Addresses", RFC 6620,
May 2012.
[RFC2131] Droms, R., "Dynamic Host Configuration
Protocol", RFC 2131, March 1997.
[RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T.,
Perkins, C., and M. Carney, "Dynamic Host
Configuration Protocol for IPv6 (DHCPv6)",
RFC 3315, July 2003.
[RFC7039] Wu, J., Bi, J., Bagnulo, M., Baker, F., and C.
Vogt, "Source Address Validation Improvement
(SAVI) Framework", RFC 7039, October 2013.
[I-D.ietf-savi-dhcp] Bi, J., Wu, J., Yao, G., and F. Baker, "SAVI
Solution for DHCP", 2013.
[I-D.ietf-savi-send] Bagnulo, M. and A. Garcia-Martinez, "SEND-based
Source-Address Validation Implementation",
2013.
12.2. Informative References
[RFC2223] Postel, J. and J. Reynolds, "Instructions to
RFC Authors", RFC 2223, October 1997.
[RFC3410] Case, J., Mundy, R., Partain, D., and B.
Stewart, "Introduction and Applicability
Statements for Internet-Standard Management
Framework", RFC 3410, December 2002.
[RFC2629] Rose, M., "Writing I-Ds and RFCs using XML",
RFC 2629, June 1999.
[RFC4181] Heard, C., "Guidelines for Authors and
Reviewers of MIB Documents", BCP 111, RFC 4181,
September 2005.
[RFC2863] McCloghrie, K. and F. Kastenholz, "The
Interfaces Group MIB", RFC 2863, June 2000.
[RFC4293] Routhier, S., "Management Information Base for
the Internet Protocol (IP)", RFC 4293,
April 2006.
12.3. URL References
[idguidelines] IETF Internet Drafts editor,
"http://www.ietf.org/ietf/1id-guidelines.txt".
[idnits] IETF Internet Drafts editor,
"http://www.ietf.org/ID-Checklist.html".
[xml2rfc] XML2RFC tools and documentation,
"http://xml.resource.org".
[ops] the IETF OPS Area, "http://www.ops.ietf.org".
[ietf] IETF Tools Team, "http://tools.ietf.org".
Appendix A. Change Log
From draft 00 to draft 01
o Change the value range of object saviObjectsSystemMode and add a
new value savi-send(6).
From draft 01 to draft 02
o Change saviObjectsTrustStatus into two booleans, one is
saviObjectsDhcpTrustStatus, another is saviObjectsRaTrustStatus.
o Change the character string saviObjectsIf to saviObjectsPort
globally.
o Change saviObjectsBindingState according to the latest version of
solution drafts.
From draft 02 to draft 03
o Add a new object saviObjectsPortBindRecoveryAttr, and change the
object saviObjectsPortRaTrustStatus to saviObjectsPortTrustAttr
according to the latest version of solution drafts and RFC.
o Change the value range and meaning of saviObjectsBindingState
according to the latest version of solution drafts and RFC.
o Change the value range of object saviObjectsBindingType, add a new
value send(4), and change the value static(1) to manual(1).
From draft 03 to draft 04
o Add three new objects according to the latest version of solution
drafts and RFC, i.e. saviObjectsSystemTentLT,
saviObjectsSystemDefaultLT, saviObjectsSystemTWAIT.
From draft 04 to draft 05
o Add two new objects according to the latest version of solution
drafts and RFC, i.e. saviObjectsBindingCreationtime,
saviObjectsBindingTID.
From draft 05 to draft 06
o Add three new objects, saviObjectsSystemDadTimeout,
saviObjectsPortDhcpSnoopingAttr and
saviObjectsPortDataSnoopingAttr.
o Replace object saviObjectsSystemBindRecoveryInterval with
saviObjectsSystemDataSnoopingInterval.
o Replace object saviObjectsPortSAVISAVIAttr with
saviObjectsPortTrustAttr.
o Delete object saviObjectsPortBindRecoveryAttr.
Appendix B. Open Issues
Note to RFC Editor: please remove this appendix before publication as
an RFC.
Authors' Addresses
Changqing An
CERNET
Network Research Center, Tsinghua University
Beijing 100084
China
Phone: +86 10 62603113
EMail: acq@cernet.edu.cn
Jiahai Yang
CERNET
Network Research Center, Tsinghua University
Beijing 100084
China
Phone: +86 10 62783492
EMail: yang@cernet.edu.cn
Jianping Wu
CERNET
Network Research Center, Tsinghua University
Beijing 100084
China
EMail: jianping@cernet.edu.cn
Jun Bi
CERNET
Network Research Center, Tsinghua University
Beijing 100084
China
EMail: junbi@cernet.edu.cn