Network Working Group                                           D. Fedyk
Internet-Draft                                                 E. Kinzie
Intended status: Standards Track                 LabN Consulting, L.L.C.
Expires: 15 May 2022                                    11 November 2021

        Definitions of Managed Objects for IP Traffic Flow Security
                      draft-ietf-ipsecme-mib-iptfs-01

Abstract

   This document describes managed objects for the management of IP
   Traffic Flow Security additions to IKEv2 and IPsec.  This document
   provides a read-only version of the objects defined in the YANG
   module for the same purpose.

   This is an unpublished work in progress.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 15 May 2022.
Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology & Concepts
   3.  Overview
   4.  Management Objects
     4.1.  MIB Tree
     4.2.  SNMP
   5.  Security Considerations
   6.  Acknowledgements
   7.  Normative References
   Authors' Addresses

1.  Introduction

   This document defines a Management Information Base (MIB) module for
   use with network management protocols in the Internet community.  In
   particular, it defines managed objects for the IP Traffic Flow
   Security (IP-TFS) extensions defined in [I-D.ietf-ipsecme-iptfs].
   IP-TFS provides enhancements to an IPsec tunnel Security Association
   to provide improved traffic confidentiality.

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   [RFC3410].
   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   [RFC2578], STD 58, [RFC2579] and STD 58, [RFC2580].

   The objects defined here are the same as those in
   [I-D.ietf-ipsecme-yang-iptfs], with the exception that only
   operational data is supported.  This module uses the YANG model as a
   reference point for managed objects.  Note that an IETF MIB module
   for IPsec was never standardized; however, the structures here could
   be adapted to existing MIB implementations.

2.  Terminology & Concepts

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   [RFC2119] [RFC8174] when, and only when, they appear in all capitals,
   as shown here.

3.  Overview

   This document defines configuration and operational parameters of IP
   traffic flow security (IP-TFS).  IP-TFS, defined in
   [I-D.ietf-ipsecme-iptfs], configures a security association for
   tunnel mode IPsec with characteristics that improve traffic
   confidentiality and reduce bandwidth efficiency loss.

   This document is based on the concepts and management model defined
   in [I-D.ietf-ipsecme-yang-iptfs].  This document assumes familiarity
   with IP security concepts described in [RFC4301], IP-TFS as described
   in [I-D.ietf-ipsecme-iptfs], and the IP-TFS management model
   described in [I-D.ietf-ipsecme-yang-iptfs].

   This document specifies an extensible operational model for IP-TFS.
   It reuses the management model defined in
   [I-D.ietf-ipsecme-yang-iptfs].
   It allows SNMP systems to read configured and operational objects of
   IPTFS.

4.  Management Objects

4.1.  MIB Tree

   The following is the MIB registration tree diagram for the IP-TFS
   extensions.

   # IETF-IPTFS-MIB registration tree (generated by smidump 0.4.8)

   --iptfsMIB(1.3.6.1.3.500)
     +--iptfsMIBObjects(1)
     |  +--iptfsGroup(1)
     |  |  +--iptfsConfigTable(1)
     |  |     +--iptfsConfigTableEntry(1) [iptfsConfigSaIndex]
     |  |        +-- --- Integer32 iptfsConfigSaIndex(1)
     |  |        +-- r-n TruthValue congestionControl(2)
     |  |        +-- r-n TruthValue usePathMtu(3)
     |  |        +-- r-n UnsignedShort outerPacketSize(4)
     |  |        +-- r-n Counter64 l2FixedRate(5)
     |  |        +-- r-n Counter64 l3FixedRate(6)
     |  |        +-- r-n TruthValue dontFragment(7)
     |  |        +-- r-n NanoSeconds maxAggregationTime(8)
     |  |        +-- r-n Unsigned32 windowSize(9)
     |  |        +-- r-n TruthValue sendImmediately(10)
     |  |        +-- r-n NanoSeconds lostPktTimerInt(11)
     |  +--ipsecStatsGroup(2)
     |  |  +--ipsecStatsTable(1)
     |  |     +--ipsecStatsTableEntry(1) [ipsecSaIndex]
     |  |        +-- --- Integer32 ipsecSaIndex(1)
     |  |        +-- r-n Counter64 txPackets(2)
     |  |        +-- r-n Counter64 txOctets(3)
     |  |        +-- r-n Counter64 txDropPackets(4)
     |  |        +-- r-n Counter64 rxPackets(5)
     |  |        +-- r-n Counter64 rxOctets(6)
     |  |        +-- r-n Counter64 rxDropPackets(7)
     |  +--iptfsInnerStatsGroup(3)
     |  |  +--iptfsInnerStatsTable(1)
     |  |     +--iptfsInnerStatsTableEntry(1) [iptfsInnerSaIndex]
     |  |        +-- --- Integer32 iptfsInnerSaIndex(1)
     |  |        +-- r-n Counter64 txInnerPackets(2)
     |  |        +-- r-n Counter64 txInnerOctets(3)
     |  |        +-- r-n Counter64 rxInnerPackets(4)
     |  |        +-- r-n Counter64 rxInnerOctets(5)
     |  |        +-- r-n Counter64 rxIncompleteInnerPackets(6)
     |  +--iptfsOuterStatsGroup(4)
     |     +--iptfsOuterStatsTable(1)
     |        +--iptfsOuterStatsTableEntry(1) [iptfsSaIndex]
     |           +-- --- Integer32 iptfsSaIndex(1)
     |           +-- r-n Counter64 txExtraPadPackets(2)
     |           +-- r-n Counter64 txExtraPadOctets(3)
     |           +-- r-n Counter64 txAllPadPackets(4)
     |           +-- r-n Counter64 txAllPadOctets(5)
     |           +-- r-n Counter64 rxExtraPadPackets(6)
     |           +-- r-n Counter64 rxExtraPadOctets(7)
     |           +-- r-n Counter64 rxAllPadPackets(8)
     |           +-- r-n Counter64 rxAllPadOctets(9)
     |           +-- r-n Counter64 rxErroredPackets(10)
     |           +-- r-n Counter64 rxMissedPackets(11)
     +--iptfsMIBConformance(2)
        +--iptfsMIBConformances(1)
        |  +--iptfsMIBCompliance(1)
        +--iptfsMIBGroups(2)
           +--iptfsMIBConfGroup(1)
           +--ipsecStatsConfGroup(2)
           +--iptfsInnerStatsConfGroup(3)
           +--iptfsOuterStatsConfGroup(4)

4.2.  SNMP

   The following is the MIB module for IP-TFS.

   -- *------------------------------------------------------------------
   -- *
   -- *------------------------------------------------------------------

   IETF-IPTFS-MIB DEFINITIONS ::= BEGIN
   IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE,
       Integer32, Unsigned32, Counter64, experimental
           FROM SNMPv2-SMI
       MODULE-COMPLIANCE, OBJECT-GROUP
           FROM SNMPv2-CONF
       TEXTUAL-CONVENTION,
       TruthValue
           FROM SNMPv2-TC;

   iptfsMIB MODULE-IDENTITY
       LAST-UPDATED "202111110000Z"
       ORGANIZATION "IETF IPsecme Working Group"
       CONTACT-INFO
           "
           Author: Don Fedyk

           Author: Eric Kinzie
           "

       DESCRIPTION
           "This module defines the configuration and operational
           state for managing the IP Traffic Flow Security
           functionality [RFC XXXX].  Copyright (c) 2020 IETF
           Trust and the persons identified as authors of the
           code.  All rights reserved.

           Redistribution and use in source and binary forms,
           with or without modification, is permitted pursuant
           to, and subject to the license terms contained in,
           the Simplified BSD License set forth in Section 4.c
           of the IETF Trust's Legal Provisions Relating to IETF
           Documents (https://trustee.ietf.org/license-info).

           This version of this SNMP MIB module is part of RFC XXXX
           (https://tools.ietf.org/html/rfcXXXX); see the RFC
           itself for full legal notices."

       REVISION "202111110000Z"
       DESCRIPTION
           "Initial revision.  Derived from the IPTFS YANG model."
       ::= { experimental 500 }
   --
   -- Textual Conventions
   --
   UnsignedShort ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "d"
       STATUS       current
       DESCRIPTION  "xs:unsignedShort"
       SYNTAX       Unsigned32 (0 .. 65535)

   NanoSeconds ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "d"
       STATUS       current
       DESCRIPTION
           "Represents time unit value in nanoseconds."
       SYNTAX       Counter64

   -- Objects, Notifications & Conformances

   iptfsMIBObjects OBJECT IDENTIFIER
       ::= { iptfsMIB 1 }
   iptfsMIBConformance OBJECT IDENTIFIER
       ::= { iptfsMIB 2 }

   --
   -- IPTFS MIB Object Groups
   --
   iptfsGroup OBJECT IDENTIFIER
       ::= { iptfsMIBObjects 1 }

   ipsecStatsGroup OBJECT IDENTIFIER
       ::= { iptfsMIBObjects 2 }

   iptfsInnerStatsGroup OBJECT IDENTIFIER
       ::= { iptfsMIBObjects 3 }

   iptfsOuterStatsGroup OBJECT IDENTIFIER
       ::= { iptfsMIBObjects 4 }

   iptfsConfigTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IptfsConfigTableEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The table containing configuration information for
           IPTFS."
       ::= { iptfsGroup 1 }

   iptfsConfigTableEntry OBJECT-TYPE
       SYNTAX      IptfsConfigTableEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry (conceptual row) containing the information on
           a particular IPTFS SA."
       INDEX { iptfsConfigSaIndex }
       ::= { iptfsConfigTable 1 }

   IptfsConfigTableEntry ::= SEQUENCE {
       iptfsConfigSaIndex   Integer32,

       -- identifier information
       congestionControl    TruthValue,
       usePathMtu           TruthValue,
       outerPacketSize      UnsignedShort,
       l2FixedRate          Counter64,
       l3FixedRate          Counter64,
       dontFragment         TruthValue,
       maxAggregationTime   NanoSeconds,
       windowSize           Unsigned32,
       sendImmediately      TruthValue,
       lostPktTimerInt      NanoSeconds
   }

   iptfsConfigSaIndex OBJECT-TYPE
       SYNTAX      Integer32 (1..16777215)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A unique value, greater than zero, for each SA.
           It is recommended that values are assigned contiguously
           starting from 1.

           The value for each entry must remain constant at least
           from one re-initialization of the entity's network
           management system to the next re-initialization."
       ::= { iptfsConfigTableEntry 1 }

   congestionControl OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Congestion control.  With the congestion-controlled
           mode, IP-TFS adapts to network congestion by lowering
           the packet send rate to accommodate the congestion, as
           well as raising the rate when congestion subsides."
       DEFVAL { false }
       ::= { iptfsConfigTableEntry 2 }

   usePathMtu OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Packet size is either auto-discovered or manually
           configured.  If usePathMtu is true the system utilizes
           path-mtu to determine maximum IPTFS packet size.  If
           the packet size is explicitly configured then it will
           only be adjusted downward if use-path-mtu is set."
       ::= { iptfsConfigTableEntry 3 }

   outerPacketSize OBJECT-TYPE
       SYNTAX      UnsignedShort
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The size of the outer encapsulating tunnel packet
           (i.e., the IP packet containing the ESP payload)."
       ::= { iptfsConfigTableEntry 4 }

   l2FixedRate OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "TFS bit rate may be specified at layer 2 wire rate.
           Target bandwidth/bit rate in bps for iptfs tunnel.
           This rate is the nominal timing for the fixed size
           packet.  If congestion control is enabled the rate may
           be adjusted down (or up if unset)."
       ::= { iptfsConfigTableEntry 5 }

   l3FixedRate OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "TFS bit rate may be specified at layer 3 packet
           rate.  Target bandwidth/bit rate in bps for iptfs
           tunnel.  This rate is the nominal timing for the fixed
           size packet.  If congestion control is enabled the rate
           may be adjusted down (or up if unset)."
       ::= { iptfsConfigTableEntry 6 }

   dontFragment OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Disable packet fragmentation across consecutive iptfs
           tunnel packets when set to true."
       ::= { iptfsConfigTableEntry 7 }

   maxAggregationTime OBJECT-TYPE
       SYNTAX      NanoSeconds
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Maximum aggregation time is the maximum length of
           time a received inner packet can be held prior to
           transmission in the iptfs tunnel.  Inner packets that
           would be held longer than this time, based on the
           current tunnel configuration, will be dropped rather
           than be queued for transmission."
       ::= { iptfsConfigTableEntry 8 }

   windowSize OBJECT-TYPE
       SYNTAX      Unsigned32 (0..65535)
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The maximum number of out-of-order packets that will be
           reordered by an iptfs receiver while performing the
           reordering operation.  The value 0 disables any
           reordering."
       ::= { iptfsConfigTableEntry 9 }

   sendImmediately OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Send inner packets as soon as possible; do not wait for
           lost or misordered outer packets.  Selecting this option
           reduces the inner (user) packet delay but can amplify
           out-of-order delivery of the inner packet stream in the
           presence of packet aggregation and any reordering."
       ::= { iptfsConfigTableEntry 10 }

   lostPktTimerInt OBJECT-TYPE
       SYNTAX      NanoSeconds
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This interval defines the length of time an iptfs
           receiver will wait for a missing packet before
           considering it lost.  Setting this value too low can
           impact reordering and reassembly.  The value is
           configurable in milliseconds or fractional milliseconds
           down to 1 nanosecond."
       ::= { iptfsConfigTableEntry 11 }

   ipsecStatsTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IpsecStatsTableEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The table containing basic statistics on IPsec."
       ::= { ipsecStatsGroup 1 }

   ipsecStatsTableEntry OBJECT-TYPE
       SYNTAX      IpsecStatsTableEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry (conceptual row) containing the information on
           a particular IKE SA."
       INDEX { ipsecSaIndex }
       ::= { ipsecStatsTable 1 }

   IpsecStatsTableEntry ::= SEQUENCE {
       ipsecSaIndex   Integer32,
       -- packet statistics information
       txPackets      Counter64,
       txOctets       Counter64,
       txDropPackets  Counter64,
       rxPackets      Counter64,
       rxOctets       Counter64,
       rxDropPackets  Counter64
   }

   ipsecSaIndex OBJECT-TYPE
       SYNTAX      Integer32 (1..16777215)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A unique value, greater than zero, for each SA.
           It is recommended that values are assigned contiguously
           starting from 1.

           The value for each entry must remain constant at least
           from one re-initialization of the entity's network
           management system to the next re-initialization."
       ::= { ipsecStatsTableEntry 1 }

   txPackets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Outbound Packet count."
       ::= { ipsecStatsTableEntry 2 }

   txOctets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Outbound Packet bytes."
       ::= { ipsecStatsTableEntry 3 }

   txDropPackets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Outbound dropped packets count."
       ::= { ipsecStatsTableEntry 4 }

   rxPackets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Inbound Packet count."
       ::= { ipsecStatsTableEntry 5 }

   rxOctets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Inbound Packet bytes."
       ::= { ipsecStatsTableEntry 6 }

   rxDropPackets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Inbound Dropped packets"
       ::= { ipsecStatsTableEntry 7 }

   iptfsInnerStatsTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IptfsInnerSaEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The table containing information on IPTFS
           Inner Packets."
       ::= { iptfsInnerStatsGroup 1 }

   iptfsInnerStatsTableEntry OBJECT-TYPE
       SYNTAX      IptfsInnerSaEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry containing the information on
           a particular tfs SA."
       INDEX { iptfsInnerSaIndex }
       ::= { iptfsInnerStatsTable 1 }

   IptfsInnerSaEntry ::= SEQUENCE {
       iptfsInnerSaIndex         Integer32,

       txInnerPackets            Counter64,
       txInnerOctets             Counter64,
       rxInnerPackets            Counter64,
       rxInnerOctets             Counter64,
       rxIncompleteInnerPackets  Counter64
   }

   iptfsInnerSaIndex OBJECT-TYPE
       SYNTAX      Integer32 (1..16777215)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A unique value, greater than zero, for each SA.
           It is recommended that values are assigned contiguously
           starting from 1.

           The value for each entry must remain constant at least
           from one re-initialization of the entity's network
           management system to the next re-initialization."
       ::= { iptfsInnerStatsTableEntry 1 }

   txInnerPackets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Total number of IP-TFS inner packets sent.  This count
           is whole packets only.  A fragmented packet counts as
           one packet."
       ::= { iptfsInnerStatsTableEntry 2 }

   txInnerOctets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Total number of IP-TFS inner octets sent.  This is
           inner packet octets only.  Does not count padding."
       ::= { iptfsInnerStatsTableEntry 3 }

   rxInnerPackets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Total number of IP-TFS inner packets received."
       ::= { iptfsInnerStatsTableEntry 4 }

   rxInnerOctets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Total number of IP-TFS inner octets received.  Does
           not include padding or overhead."
       ::= { iptfsInnerStatsTableEntry 5 }

   rxIncompleteInnerPackets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Total number of IP-TFS inner packets that were
           incomplete.  Usually this is due to fragments not
           received.  Also, this may be due to misordering or
           errors in received outer packets."
       ::= { iptfsInnerStatsTableEntry 6 }

   iptfsOuterStatsTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IptfsOuterSaEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The table containing information on IPTFS."
       ::= { iptfsOuterStatsGroup 1 }

   iptfsOuterStatsTableEntry OBJECT-TYPE
       SYNTAX      IptfsOuterSaEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry containing the information on
           a particular tfs SA."
       INDEX { iptfsSaIndex }
       ::= { iptfsOuterStatsTable 1 }

   IptfsOuterSaEntry ::= SEQUENCE {
       iptfsSaIndex        Integer32,

       -- iptfs packet statistics information
       txExtraPadPackets   Counter64,
       txExtraPadOctets    Counter64,
       txAllPadPackets     Counter64,
       txAllPadOctets      Counter64,
       rxExtraPadPackets   Counter64,
       rxExtraPadOctets    Counter64,
       rxAllPadPackets     Counter64,
       rxAllPadOctets      Counter64,
       rxErroredPackets    Counter64,
       rxMissedPackets     Counter64
   }

   iptfsSaIndex OBJECT-TYPE
       SYNTAX      Integer32 (1..16777215)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A unique value, greater than zero, for each SA.
           It is recommended that values are assigned contiguously
           starting from 1.

           The value for each entry must remain constant at least
           from one re-initialization of the entity's network
           management system to the next re-initialization."
       ::= { iptfsOuterStatsTableEntry 1 }

   txExtraPadPackets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Total number of transmitted outer IP-TFS packets that
           included some padding."
       ::= { iptfsOuterStatsTableEntry 2 }

   txExtraPadOctets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Total number of transmitted octets of padding added to
           outer IP-TFS packets with data."
       ::= { iptfsOuterStatsTableEntry 3 }

   txAllPadPackets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Total number of transmitted IP-TFS packets that were
           all padding with no inner packet data."
       ::= { iptfsOuterStatsTableEntry 4 }

   txAllPadOctets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Total number of transmitted octets of padding added to
           IP-TFS packets with no inner packet data."
       ::= { iptfsOuterStatsTableEntry 5 }

   rxExtraPadPackets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Total number of received outer IP-TFS packets that
           included some padding."
       ::= { iptfsOuterStatsTableEntry 6 }

   rxExtraPadOctets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Total number of received octets of padding added to
           outer IP-TFS packets with data."
       ::= { iptfsOuterStatsTableEntry 7 }

   rxAllPadPackets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Total number of received IP-TFS packets that were all
           padding with no inner packet data."
       ::= { iptfsOuterStatsTableEntry 8 }

   rxAllPadOctets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Total number of received octets of padding added to
           IP-TFS packets with no inner packet data."
       ::= { iptfsOuterStatsTableEntry 9 }

   rxErroredPackets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Total number of IP-TFS outer packets dropped due to
           errors."
       ::= { iptfsOuterStatsTableEntry 10 }

   rxMissedPackets OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Total number of IP-TFS outer packets missing, as
           indicated by missing sequence numbers."
       ::= { iptfsOuterStatsTableEntry 11 }

   --
   -- Iptfs Module Compliance
   --

   iptfsMIBConformances OBJECT IDENTIFIER
       ::= { iptfsMIBConformance 1 }

   iptfsMIBGroups OBJECT IDENTIFIER
       ::= { iptfsMIBConformance 2 }

   iptfsMIBCompliance MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
           "The compliance statement for entities which implement
           the IPTFS MIB"
       MODULE -- this module
       MANDATORY-GROUPS {
           iptfsMIBConfGroup,
           ipsecStatsConfGroup,
           iptfsInnerStatsConfGroup,
           iptfsOuterStatsConfGroup
       }

       ::= { iptfsMIBConformances 1 }

   --
   -- MIB Groups (Units of Conformance)
   --

   iptfsMIBConfGroup OBJECT-GROUP
       OBJECTS {
           congestionControl,
           usePathMtu,
           outerPacketSize,
           l2FixedRate,
           l3FixedRate,
           dontFragment,
           maxAggregationTime,
           windowSize,
           sendImmediately,
           lostPktTimerInt
       }
       STATUS      current
       DESCRIPTION
           "A collection of objects providing per SA IPTFS
           Configuration."
       ::= { iptfsMIBGroups 1 }

   ipsecStatsConfGroup OBJECT-GROUP
       OBJECTS {
           txPackets,
           txOctets,
           txDropPackets,
           rxPackets,
           rxOctets,
           rxDropPackets
       }
       STATUS      current
       DESCRIPTION
           "A collection of objects providing per SA Basic
           Stats."
       ::= { iptfsMIBGroups 2 }

   iptfsInnerStatsConfGroup OBJECT-GROUP
       OBJECTS {
           txInnerPackets,
           txInnerOctets,
           rxInnerPackets,
           rxInnerOctets,
           rxIncompleteInnerPackets
       }
       STATUS      current
       DESCRIPTION
           "A collection of objects providing per SA IPTFS
           Inner Packet Statistics."
       ::= { iptfsMIBGroups 3 }

   iptfsOuterStatsConfGroup OBJECT-GROUP
       OBJECTS {
           txExtraPadPackets,
           txExtraPadOctets,
           txAllPadPackets,
           txAllPadOctets,
           rxExtraPadPackets,
           rxExtraPadOctets,
           rxAllPadPackets,
           rxAllPadOctets,
           rxErroredPackets,
           rxMissedPackets
       }
       STATUS      current
       DESCRIPTION
           "A collection of objects providing per SA IPTFS
           Outer Packet Statistics."
       ::= { iptfsMIBGroups 4 }

   END

5.  Security Considerations

   The MIB specified in this document allows the operational state and
   configured behavior of IP traffic flow security to be read.  For the
   implications of writing configuration, consult
   [I-D.ietf-ipsecme-iptfs], which defines the functionality.

6.  Acknowledgements

   The authors would like to thank Chris Hopps for his help and feedback
   on the MIB model.

7.  Normative References

   [I-D.ietf-ipsecme-iptfs]
              Hopps, C., "IP-TFS: Aggregation and Fragmentation Mode for
              ESP and its Use for IP Traffic Flow Security", Work in
              Progress, Internet-Draft, draft-ietf-ipsecme-iptfs-12, 8
              November 2021.

   [I-D.ietf-ipsecme-yang-iptfs]
              Fedyk, D. and C. Hopps, "A YANG Data Model for IP Traffic
              Flow Security", Work in Progress, Internet-Draft,
              draft-ietf-ipsecme-yang-iptfs-03, 11 November 2021.
   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Structure of Management Information
              Version 2 (SMIv2)", STD 58, RFC 2578,
              DOI 10.17487/RFC2578, April 1999.

   [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Textual Conventions for SMIv2",
              STD 58, RFC 2579, DOI 10.17487/RFC2579, April 1999.

   [RFC2580]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Conformance Statements for SMIv2",
              STD 58, RFC 2580, DOI 10.17487/RFC2580, April 1999.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410,
              DOI 10.17487/RFC3410, December 2002.

   [RFC4301]  Kent, S. and K. Seo, "Security Architecture for the
              Internet Protocol", RFC 4301, DOI 10.17487/RFC4301,
              December 2005.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

Authors' Addresses

   Don Fedyk
   LabN Consulting, L.L.C.

   Email: dfedyk@labn.net

   Eric Kinzie
   LabN Consulting, L.L.C.

   Email: ekinzie@labn.net
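Added example (not part of the draft and not code from the IPsecME working group): a small Python tool that reads the registration tree printed in Section 4.1 in smidump's tree format, derives each node's full OID from the `iptfsMIB` root `1.3.6.1.3.500`, builds the instance OID of a columnar object for a given SA index (the tables are indexed by a single `Integer32 (1..16777215)` column), and checks that every object carries one of the two access markings the draft shows, `---` for not-accessible index columns and `r-n` for read-only objects. That check is the mechanical form of the statement in Section 5 that the module only reads IP-TFS state. The tree excerpt embedded below is copied from the draft's diagram; the regular expression, the `Node` type and the function names `parse_tree`, `instance_oid` and `unexpected_access` are this example's own.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Excerpt of the IETF-IPTFS-MIB registration tree from Section 4.1 of the
# draft, used here as sample input.  The layout mirrors smidump's tree
# format: "---" marks not-accessible index columns, "r-n" read-only objects.
IPTFS_TREE = """\
--iptfsMIB(1.3.6.1.3.500)
  +--iptfsMIBObjects(1)
  |  +--iptfsGroup(1)
  |  |  +--iptfsConfigTable(1)
  |  |     +--iptfsConfigTableEntry(1) [iptfsConfigSaIndex]
  |  |        +-- --- Integer32 iptfsConfigSaIndex(1)
  |  |        +-- r-n TruthValue congestionControl(2)
  |  |        +-- r-n UnsignedShort outerPacketSize(4)
  |  |        +-- r-n Counter64 l3FixedRate(6)
  |  |        +-- r-n NanoSeconds lostPktTimerInt(11)
  |  +--ipsecStatsGroup(2)
  |  |  +--ipsecStatsTable(1)
  |  |     +--ipsecStatsTableEntry(1) [ipsecSaIndex]
  |  |        +-- --- Integer32 ipsecSaIndex(1)
  |  |        +-- r-n Counter64 txPackets(2)
  |  |        +-- r-n Counter64 rxDropPackets(7)
  |  +--iptfsOuterStatsGroup(4)
  |     +--iptfsOuterStatsTable(1)
  |        +--iptfsOuterStatsTableEntry(1) [iptfsSaIndex]
  |           +-- --- Integer32 iptfsSaIndex(1)
  |           +-- r-n Counter64 rxMissedPackets(11)
  +--iptfsMIBConformance(2)
     +--iptfsMIBGroups(2)
        +--iptfsMIBConfGroup(1)
"""


class Node(NamedTuple):
    """One tree node; internal nodes (groups, tables) have no access or syntax."""
    name: str
    oid: str
    access: Optional[str]   # "---" or "r-n" for columnar objects, else None
    syntax: Optional[str]   # SMI type of a columnar object, else None
    index: Optional[str]    # INDEX object of a conceptual-row entry, else None


# Matches "+-- r-n Counter64 txPackets(2)", "+--iptfsGroup(1)" and the
# "+--entry(1) [indexObject]" form; the branch prefix is spaces and bars.
NODE_RE = re.compile(
    r"^[\s|]*\+?--\s*"
    r"(?:(?P<access>[a-z-]{3})\s+(?P<syntax>\w+)\s+)?"
    r"(?P<name>\w+)\((?P<oid>[\d.]+)\)"
    r"(?:\s+\[(?P<index>\w+)\])?"
)

SA_INDEX_MIN, SA_INDEX_MAX = 1, 16777215   # Integer32 (1..16777215) in the MIB
ALLOWED_ACCESS = (None, "---", "r-n")      # the only markings the draft's tree shows


def parse_tree(text: str) -> Dict[str, Node]:
    """Parse a smidump-style registration tree into name -> Node with full OIDs."""
    nodes: Dict[str, Node] = {}
    stack: List[Tuple[int, str]] = []       # (depth, oid) of the open ancestors
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if not m:
            continue
        depth = line.index("--") // 3       # smidump indents each level by 3 columns
        while stack and stack[-1][0] >= depth:
            stack.pop()
        oid = m.group("oid") if not stack else f"{stack[-1][1]}.{m.group('oid')}"
        node = Node(m.group("name"), oid, m.group("access"),
                    m.group("syntax"), m.group("index"))
        nodes[node.name] = node
        stack.append((depth, oid))
    return nodes


def instance_oid(nodes: Dict[str, Node], column: str, sa_index: int) -> str:
    """OID of one row's value for a columnar object, the SA index being the sole INDEX."""
    node = nodes[column]
    if node.access in (None, "---"):
        raise ValueError(f"{column} is not an accessible columnar object")
    if not SA_INDEX_MIN <= sa_index <= SA_INDEX_MAX:
        raise ValueError(f"SA index {sa_index} outside {SA_INDEX_MIN}..{SA_INDEX_MAX}")
    return f"{node.oid}.{sa_index}"


def unexpected_access(nodes: Dict[str, Node]) -> List[str]:
    """Objects marked neither not-accessible nor read-only; empty means read-only module."""
    return sorted(n.name for n in nodes.values() if n.access not in ALLOWED_ACCESS)


if __name__ == "__main__":
    tree = parse_tree(IPTFS_TREE)
    for name in ("txPackets", "rxMissedPackets", "iptfsMIBConfGroup"):
        print(f"{name:20} {tree[name].oid}")
    print("txPackets of SA 5:", instance_oid(tree, "txPackets", 5))
    print("objects with unexpected access:", unexpected_access(tree) or "none")
```

The parser keys on the column of each `--` marker rather than on the `|` bars, so it copes with the last child of a subtree (where smidump drops the bar, as under `iptfsOuterStatsGroup`). Running `unexpected_access` over the full tree from Section 4.1 gives the same empty result as over this excerpt.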
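A second added example, likewise not from the draft: the monitoring arithmetic a defender would run over two successive polls of one SA's statistics rows. It takes Counter64 deltas (modulo 2^64, so a single wrap between polls is handled), derives the padding share of outbound tunnel bytes from `txExtraPadOctets` and `txAllPadOctets`, compares the observed `txPackets` rate of a fixed-rate tunnel with the rate implied by `l3FixedRate` and `outerPacketSize`, and reports the receive-side loss indicators `rxMissedPackets`, `rxErroredPackets` and `rxIncompleteInnerPackets`. The poll values and the config row are constructed; the example assumes that `txOctets` counts whole outer packets including padding, that `l3FixedRate` (bits per second) and `outerPacketSize` (octets) are both measured at the IP layer, and that a 5% tolerance is acceptable. The function names (`counter_deltas`, `padding_share`, `expected_outer_packets`, `rate_findings`, `receive_findings`) are this example's own.

```python
from typing import Dict, List

COUNTER64_MOD = 1 << 64

# Two polls of one SA's ipsecStatsTable, iptfsInnerStatsTable and
# iptfsOuterStatsTable rows, 10 s apart.  Constructed sample values,
# not taken from any real device.
POLL_INTERVAL_S = 10
POLL_T0 = {
    "txPackets": 1_000_000, "txOctets": 1_400_000_000,
    "txInnerOctets": 250_000_000,
    "txExtraPadOctets": 100_000_000, "txAllPadOctets": 900_000_000,
    "rxPackets": 999_000, "rxMissedPackets": 12, "rxErroredPackets": 0,
    "rxIncompleteInnerPackets": 3,
}
POLL_T1 = {
    "txPackets": 1_010_000, "txOctets": 1_414_000_000,
    "txInnerOctets": 252_500_000,
    "txExtraPadOctets": 101_000_000, "txAllPadOctets": 909_000_000,
    "rxPackets": 1_008_990, "rxMissedPackets": 22, "rxErroredPackets": 1,
    "rxIncompleteInnerPackets": 3,
}
# The same SA's iptfsConfigTable row (constructed): fixed-rate tunnel
# at 11.2 Mbit/s with 1400-octet outer packets, no congestion control.
CONFIG = {"congestionControl": False, "l3FixedRate": 11_200_000,
          "outerPacketSize": 1400}


def counter_deltas(old: Dict[str, int], new: Dict[str, int]) -> Dict[str, int]:
    """Per-object increase between polls; modulo 2^64 absorbs one Counter64 wrap."""
    return {name: (new[name] - old[name]) % COUNTER64_MOD for name in old}


def padding_share(delta: Dict[str, int]) -> float:
    """Fraction of outbound tunnel octets that were padding.

    Assumption: txOctets counts whole outer packets (padding included), while
    txExtraPadOctets and txAllPadOctets count only the padding inside them."""
    if delta["txOctets"] == 0:
        return 0.0
    return (delta["txExtraPadOctets"] + delta["txAllPadOctets"]) / delta["txOctets"]


def expected_outer_packets(config: Dict[str, int], interval_s: float) -> float:
    """Outer packets a fixed-rate sender should emit in interval_s.

    Assumption: l3FixedRate is bits/s and outerPacketSize is the IP packet
    size in octets, so packets/s = l3FixedRate / (8 * outerPacketSize)."""
    return config["l3FixedRate"] * interval_s / (8 * config["outerPacketSize"])


def rate_findings(config: Dict[str, int], delta: Dict[str, int],
                  interval_s: float, tolerance: float = 0.05) -> List[str]:
    """Flag a fixed-rate tunnel whose send rate drifted from the configured rate.

    The constant outer packet rate is what hides the inner traffic pattern.
    With congestionControl true the MIB says the rate may legitimately be
    adjusted, so no judgement is made in that case."""
    if config["congestionControl"]:
        return []
    expected = expected_outer_packets(config, interval_s)
    deviation = abs(delta["txPackets"] - expected) / expected
    if deviation > tolerance:
        return [f"txPackets {delta['txPackets']} vs expected {expected:.0f} "
                f"({deviation:.1%} deviation from l3FixedRate)"]
    return []


def receive_findings(delta: Dict[str, int]) -> List[str]:
    """Loss and corruption indicators on the receive side of the SA."""
    findings: List[str] = []
    missed = delta["rxMissedPackets"]
    if missed:
        sequence_span = delta["rxPackets"] + missed
        findings.append(f"{missed} outer packets missed "
                        f"({missed / sequence_span:.2%} of sequence numbers)")
    if delta["rxErroredPackets"]:
        findings.append(f"{delta['rxErroredPackets']} outer packets dropped for errors")
    if delta["rxIncompleteInnerPackets"]:
        findings.append(f"{delta['rxIncompleteInnerPackets']} inner packets incomplete")
    return findings


if __name__ == "__main__":
    d = counter_deltas(POLL_T0, POLL_T1)
    print(f"padding share of outbound bytes: {padding_share(d):.1%}")
    for line in rate_findings(CONFIG, d, POLL_INTERVAL_S) + receive_findings(d):
        print("finding:", line)
```

With the constructed polls the sender emitted exactly the 10,000 packets that 11.2 Mbit/s and 1400-octet packets predict for 10 s, so `rate_findings` is silent, while `receive_findings` reports the 10 missed and 1 errored outer packets; the inner `rxIncompleteInnerPackets` counter did not move, so nothing is reported for it.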