[要約] RFC 9349は、IKEv2およびIPsecへのIPトラフィックフローセキュリティの追加を管理するための管理オブジェクトを定義しています。目的は、RFC 9348のYANGモジュールで定義されたオブジェクトの読み取り専用バージョンを提供することです。
Internet Engineering Task Force (IETF) D. Fedyk Request for Comments: 9349 E. Kinzie Category: Standards Track LabN Consulting, L.L.C. ISSN: 2070-1721 January 2023
This document describes managed objects for the management of IP Traffic Flow Security additions to Internet Key Exchange Protocol Version 2 (IKEv2) and IPsec. This document provides a read-only version of the objects defined in the YANG module for the same purpose, which is in "A YANG Data Model for IP Traffic Flow Security" (RFC 9348).
このドキュメントでは、IPトラフィックフローセキュリティの管理をインターネットキーエクスチェンジプロトコルバージョン2(IKEV2)およびIPSECに追加するための管理されたオブジェクトについて説明します。このドキュメントは、同じ目的でYangモジュールで定義されたオブジェクトの読み取り専用バージョンを提供します。これは、「IPトラフィックフローセキュリティのヤンデータモデル」(RFC 9348)です。
This is an Internet Standards Track document.
これは、インターネット標準トラックドキュメントです。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.
このドキュメントは、インターネットエンジニアリングタスクフォース(IETF)の製品です。IETFコミュニティのコンセンサスを表しています。公開レビューを受けており、インターネットエンジニアリングステアリンググループ(IESG)からの出版が承認されています。インターネット標準の詳細については、RFC 7841のセクション2で入手できます。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc9349.
このドキュメントの現在のステータス、任意のERRATA、およびそのフィードバックを提供する方法に関する情報は、https://www.rfc-editor.org/info/rfc9349で取得できます。
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.
著作権(c)2023 IETF Trustおよび文書著者として特定された人。無断転載を禁じます。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
このドキュメントは、BCP 78およびIETFドキュメント(https://trustee.ietf.org/license-info)に関連するIETF Trustの法的規定の対象となります。この文書に関するあなたの権利と制限を説明するので、これらの文書を注意深く確認してください。このドキュメントから抽出されたコードコンポーネントには、セクション4.Eで説明されている法的規定のセクション4.Eで説明されており、改訂されたBSDライセンスで説明されている保証なしで提供されるように、改訂されたBSDライセンステキストを含める必要があります。
1. Introduction 1.1. The Internet-Standard Management Framework 2. Terminology and Concepts 3. Overview 4. Management Objects 4.1. MIB Tree 4.2. SNMP 5. IANA Considerations 6. Security Considerations 7. References 7.1. Normative References 7.2. Informative References Acknowledgements Authors' Addresses
This document defines a Management Information Base (MIB) module for use with network management protocols in the Internet community. IP Traffic Flow Security (IP-TFS) extensions, as defined in [RFC9347], are enhancements to an IPsec tunnel Security Association (SA) to provide improved traffic confidentiality.
このドキュメントでは、インターネットコミュニティのネットワーク管理プロトコルで使用する管理情報ベース(MIB)モジュールを定義しています。[RFC9347]で定義されているIPトラフィックフローセキュリティ(IP-TFS)拡張機能は、IPSECトンネルセキュリティ協会(SA)の強化であり、トラフィックの機密性を改善します。
The objects defined here are the same as [RFC9348], with the exception that only operational or state data is supported. By making operational data accessible via SNMP, existing network management systems can monitor IP-TFS. This data is listed in the MIB tree in Section 4.1. This module uses the YANG data model as a reference point for managed objects. Note that an IETF MIB model for IPsec was never standardized; however, the structures here could be adapted to existing proprietary MIB implementations where SNMP is used to manage networks.
ここで定義されているオブジェクトは[RFC9348]と同じですが、運用または状態のデータのみがサポートされていることを除いて。SNMPを介して運用データをアクセスできるようにすることにより、既存のネットワーク管理システムはIP-TFを監視できます。このデータは、セクション4.1のMIBツリーにリストされています。このモジュールは、管理されたオブジェクトの基準点としてYangデータモデルを使用します。IPSECのIETF MIBモデルは標準化されなかったことに注意してください。ただし、ここの構造は、SNMPがネットワークを管理するために使用される既存の独自のMIB実装に適合させることができます。
For a detailed overview of the documents that describe the current Internet-Standard Management Framework, please refer to Section 7 of [RFC3410].
現在のインターネット標準管理フレームワークを説明するドキュメントの詳細な概要については、[RFC3410]のセクション7を参照してください。
Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. MIB objects are generally accessed through the Simple Network Management Protocol (SNMP). Objects in the MIB are defined using the mechanisms defined in the Structure of Management Information (SMI). This memo specifies a MIB module that is compliant to the SMIv2, which is described in STD 58, [RFC2578], STD 58, [RFC2579] and STD 58, [RFC2580].
管理されたオブジェクトは、管理情報ベースまたはMIBと呼ばれる仮想情報ストアからアクセスされます。MIBオブジェクトは通常、単純なネットワーク管理プロトコル(SNMP)からアクセスされます。MIBのオブジェクトは、管理情報の構造(SMI)で定義されたメカニズムを使用して定義されます。このメモは、STD 58、[RFC2578]、STD 58、[RFC2579]およびSTD 58、[RFC2580]に記載されているSMIV2に準拠したMIBモジュールを指定します。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
この文書のキーワード "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", および "OPTIONAL" はBCP 14 [RFC2119] [RFC8174]で説明されているように、すべて大文字の場合にのみ解釈されます。
This document defines the MIB for access to operational parameters of IP Traffic Flow Security (IP-TFS). IP-TFS, defined in [RFC9347], configures a Security Association for tunnel mode IPsec with characteristics that improve traffic confidentiality and reduce bandwidth efficiency loss.
このドキュメントでは、IPトラフィックフローセキュリティ(IP-TFS)の運用パラメーターへのアクセスのためのMIBを定義しています。[RFC9347]で定義されているIP-TFSは、トラフィックの機密性を改善し、帯域幅の効率の損失を減らす特性を備えたトンネルモードIPSECのセキュリティ協会を構成します。
This document is based on the concepts and management model defined in [RFC9348]. This document assumes familiarity with the IPsec concepts described in [RFC4301], IP-TFS as described in [RFC9347], and the IP-TFS management model described in [RFC9348].
このドキュメントは、[RFC9348]で定義されている概念と管理モデルに基づいています。このドキュメントは、[RFC4301]、[RFC9347]で説明されているIP-TFS、および[RFC9348]で説明されているIP-TFS管理モデルに記載されているIPSECの概念に精通しています。
This document specifies an extensible operational model for IP-TFS. It reuses the management model defined in [RFC9348]. It allows SNMP systems to read operational objects (which include configured objects) from IP-TFS.
このドキュメントは、IP-TFSの拡張可能な運用モデルを指定します。[RFC9348]で定義されている管理モデルを再利用します。SNMPシステムは、IP-TFSから動作オブジェクト(構成されたオブジェクトを含む)を読み取ることができます。
The following is the MIB registration tree diagram for the IP-TFS extensions.
以下は、IP-TFS拡張機能のMIB登録ツリー図です。
# IP-TRAFFIC-FLOW-SECURITY-MIB registration tree --iptfsMIB(1.3.6.1.2.1.500) +--iptfsMIBObjects(1) | +--iptfsGroup(1) | | +--iptfsConfigTable(1) | | +--iptfsConfigTableEntry(1) [iptfsConfigSaIndex] | | | | | +-- --- Integer32 iptfsConfigSaIndex(1) | | +-- r-n TruthValue congestionControl(2) | | +-- r-n TruthValue usePathMtuDiscovery(3) | | +-- r-n UnsignedShort outerPacketSize(4) | | +-- r-n CounterBasedGauge64 l2FixedRate(5) | | +-- r-n CounterBasedGauge64 l3FixedRate(6) | | +-- r-n TruthValue dontFragment(7) | | +-- r-n NanoSeconds maxAggregationTime(8) | | +-- r-n UnsignedShort windowSize(9) | | +-- r-n TruthValue sendImmediately(10) | | +-- r-n NanoSeconds lostPacketTimerInterval(11) | +--ipsecStatsGroup(2) | | +--ipsecStatsTable(1) | | +--ipsecStatsTableEntry(1) [ipsecSaIndex] | | +-- --- Integer32 ipsecSaIndex(1) | | +-- r-n Counter64 txPkts(2) | | +-- r-n Counter64 txOctets(3) | | +-- r-n Counter64 txDropPkts(4) | | +-- r-n Counter64 rxPkts(5) | | +-- r-n Counter64 rxOctets(6) | | +-- r-n Counter64 rxDropPkts(7) | +--iptfsInnerStatsGroup(3) | | +--iptfsInnerStatsTable(1) | | +--iptfsInnerStatsTableEntry(1) [iptfsInnerSaIndex] | | +-- --- Integer32 iptfsInnerSaIndex(1) | | +-- r-n Counter64 txInnerPkts(2) | | +-- r-n Counter64 txInnerOctets(3) | | +-- r-n Counter64 rxInnerPkts(4) | | +-- r-n Counter64 rxInnerOctets(5) | | +-- r-n Counter64 rxIncompleteInnerPkts(6) | +--iptfsOuterStatsGroup(4) | +--iptfsOuterStatsTable(1) | +--iptfsOuterStatsTableEntry(1) [iptfsOuterSaIndex] | +-- --- Integer32 iptfsOuterSaIndex(1) | +-- r-n Counter64 txExtraPadPkts(2) | +-- r-n Counter64 txExtraPadOctets(3) | +-- r-n Counter64 txAllPadPkts(4) | +-- r-n Counter64 txAllPadOctets(5) | +-- r-n Counter64 rxExtraPadPkts(6) | +-- r-n Counter64 rxExtraPadOctets(7) | +-- r-n Counter64 rxAllPadPkts(8) | +-- r-n Counter64 rxAllPadOctets(9) | +-- r-n Counter64 rxErroredPkts(10) | +-- r-n Counter64 rxMissedPkts(11) +--iptfsMIBConformance(2) +--iptfsMIBConformances(1) | +--iptfsMIBCompliance(1) +--iptfsMIBGroups(2) +--iptfsMIBConfGroup(1) +--ipsecStatsConfGroup(2) +--iptfsInnerStatsConfGroup(3) +--iptfsOuterStatsConfGroup(4)
The following is the MIB for IP-TFS. The congestion control algorithm in [RFC5348] is referenced in the MIB text.
以下は、IP-TFSのMIBです。[RFC5348]の混雑制御アルゴリズムは、MIBテキストで参照されています。
-- *---------------------------------------------------------------- -- * IP-TRAFFIC-FLOW-SECURITY-MIB Module -- *---------------------------------------------------------------- IP-TRAFFIC-FLOW-SECURITY-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-TYPE, Integer32, Unsigned32, Counter64, mib-2 FROM SNMPv2-SMI CounterBasedGauge64 FROM HCNUM-TC MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF TEXTUAL-CONVENTION, TruthValue FROM SNMPv2-TC; iptfsMIB MODULE-IDENTITY LAST-UPDATED "202301310000Z" ORGANIZATION "IETF IPsecme Working Group" CONTACT-INFO " Author: Don Fedyk <mailto:dfedyk@labn.net> Author: Eric Kinzie <mailto:ekinzie@labn.net>" DESCRIPTION "This module defines the configuration and operational state for managing the IP Traffic Flow Security functionality (RFC 9349). Copyright (c) 2023 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this SNMP MIB module is part of RFC 9349; see the RFC itself for full legal notices." REVISION "202301310000Z" DESCRIPTION "Initial revision. Derived from the IP-TFS YANG Data Model." ::= { mib-2 246} -- -- Textual Conventions -- UnsignedShort ::= TEXTUAL-CONVENTION DISPLAY-HINT "d" STATUS current DESCRIPTION "xs:unsignedShort" SYNTAX Unsigned32 (0 .. 65535) NanoSeconds ::= TEXTUAL-CONVENTION DISPLAY-HINT "d-6" STATUS current DESCRIPTION "Represents the time unit value in nanoseconds." SYNTAX Integer32 -- Objects, Notifications & Conformances iptfsMIBObjects OBJECT IDENTIFIER ::= { iptfsMIB 1 } iptfsMIBConformance OBJECT IDENTIFIER ::= { iptfsMIB 2} -- -- IP-TFS MIB Object Groups -- iptfsGroup OBJECT IDENTIFIER ::= { iptfsMIBObjects 1 } ipsecStatsGroup OBJECT IDENTIFIER ::= { iptfsMIBObjects 2 } iptfsInnerStatsGroup OBJECT IDENTIFIER ::= { iptfsMIBObjects 3 } iptfsOuterStatsGroup OBJECT IDENTIFIER ::= { iptfsMIBObjects 4 } iptfsConfigTable OBJECT-TYPE SYNTAX SEQUENCE OF IptfsConfigTableEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The table containing configuration information for IP-TFS." ::= { iptfsGroup 1 } iptfsConfigTableEntry OBJECT-TYPE SYNTAX IptfsConfigTableEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry (conceptual row) containing the information on a particular IP-TFS SA." INDEX { iptfsConfigSaIndex } ::= { iptfsConfigTable 1 } IptfsConfigTableEntry ::= SEQUENCE { iptfsConfigSaIndex Integer32, -- identifier information congestionControl TruthValue, usePathMtuDiscovery TruthValue, outerPacketSize UnsignedShort, l2FixedRate CounterBasedGauge64, l3FixedRate CounterBasedGauge64, dontFragment TruthValue, maxAggregationTime NanoSeconds, windowSize UnsignedShort, sendImmediately TruthValue, lostPacketTimerInterval NanoSeconds } iptfsConfigSaIndex OBJECT-TYPE SYNTAX Integer32 (1..16777215) MAX-ACCESS not-accessible STATUS current DESCRIPTION "A unique value, greater than zero, for each SA. It is recommended that values are assigned contiguously, starting from 1. The value for each entry must remain constant at least from one re-initialization of an entity's network management system to the next re-initialization." ::= { iptfsConfigTableEntry 1 } congestionControl OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-only STATUS current DESCRIPTION "When set to true, the default, this enables the congestion control on-the-wire exchange of data that is required by congestion control algorithms, as defined by RFC 5348. When set to false, IP-TFS sends fixed-sized packets over an IP-TFS tunnel at a constant rate." ::= { iptfsConfigTableEntry 2 } usePathMtuDiscovery OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-only STATUS current DESCRIPTION "Packet size is either auto-discovered or manually configured. If usePathMtuDiscovery is true, the system utilizes path-mtu to determine the maximum IP-TFS packet size. If the packet size is explicitly configured, then it will only be adjusted downward if use-path-mtu is set." ::= { iptfsConfigTableEntry 3 } outerPacketSize OBJECT-TYPE SYNTAX UnsignedShort MAX-ACCESS read-only STATUS current DESCRIPTION "On transmission, the size of the outer encapsulating tunnel packet (i.e., the IP packet containing Encapsulating Security Payload)." ::= { iptfsConfigTableEntry 4 } l2FixedRate OBJECT-TYPE SYNTAX CounterBasedGauge64 MAX-ACCESS read-only STATUS current DESCRIPTION "The IP-TFS bit rate may be specified as a layer 2 wire rate. On transmission, the target bandwidth/bit rate in bits per second (bps) for the IP-TFS tunnel. This rate is the nominal timing for the fixed-size packet. If congestion control is enabled, the rate may be adjusted down." ::= { iptfsConfigTableEntry 5 } l3FixedRate OBJECT-TYPE SYNTAX CounterBasedGauge64 MAX-ACCESS read-only STATUS current DESCRIPTION "The IP-TFS bit rate may be specified as a layer 3 packet rate. On transmission, the target bandwidth/bit rate in bps for the IP-TFS tunnel. This rate is the nominal timing for the fixed-size packet. If congestion control is enabled, the rate may be adjusted down." ::= { iptfsConfigTableEntry 6 } dontFragment OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-only STATUS current DESCRIPTION "On transmission, disable packet fragmentation across consecutive IP-TFS tunnel packets; inner packets larger than what can be transmitted in outer packets will be dropped." ::= { iptfsConfigTableEntry 7 } maxAggregationTime OBJECT-TYPE SYNTAX NanoSeconds MAX-ACCESS read-only STATUS current DESCRIPTION "On transmission, the maximum aggregation time is the maximum length of time a received inner packet can be held prior to transmission in the IP-TFS tunnel. Inner packets that would be held longer than this time, based on the current tunnel configuration, will be dropped rather than be queued for transmission." ::= { iptfsConfigTableEntry 8 } windowSize OBJECT-TYPE SYNTAX UnsignedShort MAX-ACCESS read-only STATUS current DESCRIPTION "On reception, the maximum number of out-of-order packets that will be reordered by an IP-TFS receiver while performing the reordering operation. The value 0 disables any reordering." ::= { iptfsConfigTableEntry 9 } sendImmediately OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-only STATUS current DESCRIPTION "On reception, send inner packets as soon as possible; do not wait for lost or misordered outer packets. Selecting this option reduces the inner (user) packet delay but can amplify out-of-order delivery of the inner packet stream in the presence of packet aggregation and any reordering." ::= { iptfsConfigTableEntry 10 } lostPacketTimerInterval OBJECT-TYPE SYNTAX NanoSeconds MAX-ACCESS read-only STATUS current DESCRIPTION "On reception, this interval defines the length of time an IP-TFS receiver will wait for a missing packet before considering it lost. If not using send-immediately, then each lost packet will delay inner (user) packets until this timer expires. Setting this value too low can impact reordering and reassembly." ::= { iptfsConfigTableEntry 11 } ipsecStatsTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecStatsTableEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The table containing basic statistics on IPsec." ::= { ipsecStatsGroup 1 } ipsecStatsTableEntry OBJECT-TYPE SYNTAX IpsecStatsTableEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry (conceptual row) containing the information on a particular IKE SA." INDEX { ipsecSaIndex } ::= { ipsecStatsTable 1 } IpsecStatsTableEntry ::= SEQUENCE { ipsecSaIndex Integer32, -- packet statistics information txPkts Counter64, txOctets Counter64, txDropPkts Counter64, rxPkts Counter64, rxOctets Counter64, rxDropPkts Counter64 } ipsecSaIndex OBJECT-TYPE SYNTAX Integer32 (1..16777215) MAX-ACCESS not-accessible STATUS current DESCRIPTION "A unique value, greater than zero, for each SA. It is recommended that values are assigned contiguously, starting from 1. The value for each entry must remain constant at least from one re-initialization of an entity's network management system to the next re-initialization." ::= { ipsecStatsTableEntry 1 } txPkts OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "Outbound Packet count." ::= { ipsecStatsTableEntry 2 } txOctets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "Outbound Packet bytes." ::= { ipsecStatsTableEntry 3 } txDropPkts OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "Outbound dropped packets count." ::= { ipsecStatsTableEntry 4 } rxPkts OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "Inbound Packet count." ::= { ipsecStatsTableEntry 5 } rxOctets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "Inbound Packet bytes." ::= { ipsecStatsTableEntry 6 } rxDropPkts OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "Inbound dropped packets." ::= { ipsecStatsTableEntry 7 } iptfsInnerStatsTable OBJECT-TYPE SYNTAX SEQUENCE OF IptfsInnerStatsSaEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The table containing information on IP-TFS inner packets." ::= { iptfsInnerStatsGroup 1 } iptfsInnerStatsTableEntry OBJECT-TYPE SYNTAX IptfsInnerStatsSaEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry containing the information on a particular IP-TFS SA." INDEX { iptfsInnerSaIndex } ::= { iptfsInnerStatsTable 1 } IptfsInnerStatsSaEntry ::= SEQUENCE { iptfsInnerSaIndex Integer32, txInnerPkts Counter64, txInnerOctets Counter64, rxInnerPkts Counter64, rxInnerOctets Counter64, rxIncompleteInnerPkts Counter64 } iptfsInnerSaIndex OBJECT-TYPE SYNTAX Integer32 (1..16777215) MAX-ACCESS not-accessible STATUS current DESCRIPTION "A unique value, greater than zero, for each SA. It is recommended that values are assigned contiguously, starting from 1. The value for each entry must remain constant at least from one re-initialization of an entity's network management system to the next re-initialization." ::= { iptfsInnerStatsTableEntry 1 } txInnerPkts OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "Total number of IP-TFS inner packets sent. This count is whole packets only. A fragmented packet counts as one packet." ::= { iptfsInnerStatsTableEntry 2 } txInnerOctets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "Total number of IP-TFS inner octets sent. This is inner packet octets only. This does not count padding." ::= { iptfsInnerStatsTableEntry 3 } rxInnerPkts OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "Total number of IP-TFS inner packets received." ::= { iptfsInnerStatsTableEntry 4 } rxInnerOctets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "Total number of IP-TFS inner octets received. This does not include padding or overhead." ::= { iptfsInnerStatsTableEntry 5 } rxIncompleteInnerPkts OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "Total number of IP-TFS inner packets that were incomplete. Usually, this is due to fragments not received. Also, this may be due to misordering or errors in received outer packets." ::= { iptfsInnerStatsTableEntry 6 } iptfsOuterStatsTable OBJECT-TYPE SYNTAX SEQUENCE OF IptfsOuterStatsSaEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The table containing information on IP-TFS." ::= { iptfsOuterStatsGroup 1 } iptfsOuterStatsTableEntry OBJECT-TYPE SYNTAX IptfsOuterStatsSaEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry containing the information on a particular IP-TFS SA." INDEX { iptfsOuterSaIndex } ::= { iptfsOuterStatsTable 1 } IptfsOuterStatsSaEntry ::= SEQUENCE { iptfsOuterSaIndex Integer32, -- iptfs packet statistics information txExtraPadPkts Counter64, txExtraPadOctets Counter64, txAllPadPkts Counter64, txAllPadOctets Counter64, rxExtraPadPkts Counter64, rxExtraPadOctets Counter64, rxAllPadPkts Counter64, rxAllPadOctets Counter64, rxErroredPkts Counter64, rxMissedPkts Counter64 } iptfsOuterSaIndex OBJECT-TYPE SYNTAX Integer32 (1..16777215) MAX-ACCESS not-accessible STATUS current DESCRIPTION "A unique value, greater than zero, for each SA. It is recommended that values are assigned contiguously, starting from 1. The value for each entry must remain constant at least from one re-initialization of an entity's network management system to the next re-initialization." ::= { iptfsOuterStatsTableEntry 1 } txExtraPadPkts OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "Total number of transmitted outer IP-TFS packets that included some padding." ::= { iptfsOuterStatsTableEntry 2 } txExtraPadOctets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "Total number of transmitted octets of padding added to outer IP-TFS packets with data." ::= { iptfsOuterStatsTableEntry 3 } txAllPadPkts OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "Total number of transmitted IP-TFS packets that were all padding with no inner packet data." ::= { iptfsOuterStatsTableEntry 4 } txAllPadOctets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "Total number transmitted octets of padding added to IP-TFS packets with no inner packet data." ::= { iptfsOuterStatsTableEntry 5 } rxExtraPadPkts OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "Total number of received outer IP-TFS packets that included some padding." ::= { iptfsOuterStatsTableEntry 6 } rxExtraPadOctets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "Total number of received octets of padding added to outer IP-TFS packets with data." ::= { iptfsOuterStatsTableEntry 7 } rxAllPadPkts OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "Total number of received IP-TFS packets that were all padding with no inner packet data." ::= { iptfsOuterStatsTableEntry 8 } rxAllPadOctets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "Total number received octets of padding added to IP-TFS packets with no inner packet data." ::= { iptfsOuterStatsTableEntry 9 } rxErroredPkts OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "Total number of IP-TFS outer packets dropped due to errors." ::= { iptfsOuterStatsTableEntry 10 } rxMissedPkts OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "Total number of IP-TFS outer packets missing indicated by a missing sequence number." ::= { iptfsOuterStatsTableEntry 11 } -- -- Iptfs Module Compliance -- iptfsMIBConformances OBJECT IDENTIFIER ::= { iptfsMIBConformance 1 } iptfsMIBGroups OBJECT IDENTIFIER ::= { iptfsMIBConformance 2 } iptfsMIBCompliance MODULE-COMPLIANCE STATUS current DESCRIPTION "The compliance statement for entities that implement the IP-TFS MIB." MODULE -- this module MANDATORY-GROUPS { iptfsMIBConfGroup, ipsecStatsConfGroup, iptfsInnerStatsConfGroup, iptfsOuterStatsConfGroup } ::= { iptfsMIBConformances 1 } -- -- MIB Groups (Units of Conformance) -- iptfsMIBConfGroup OBJECT-GROUP OBJECTS { congestionControl, usePathMtuDiscovery, outerPacketSize , l2FixedRate , l3FixedRate , dontFragment, maxAggregationTime, windowSize, sendImmediately, lostPacketTimerInterval } STATUS current DESCRIPTION "A collection of objects providing per SA IP-TFS configuration." ::= { iptfsMIBGroups 1 } ipsecStatsConfGroup OBJECT-GROUP OBJECTS { txPkts, txOctets, txDropPkts, rxPkts, rxOctets, rxDropPkts } STATUS current DESCRIPTION "A collection of objects providing per SA basic statistics." ::= { iptfsMIBGroups 2 } iptfsInnerStatsConfGroup OBJECT-GROUP OBJECTS { txInnerPkts, txInnerOctets, rxInnerPkts, rxInnerOctets, rxIncompleteInnerPkts } STATUS current DESCRIPTION "A collection of objects providing per SA IP-TFS inner packet statistics." ::= { iptfsMIBGroups 3 } iptfsOuterStatsConfGroup OBJECT-GROUP OBJECTS { txExtraPadPkts, txExtraPadOctets, txAllPadPkts, txAllPadOctets, rxExtraPadPkts, rxExtraPadOctets, rxAllPadPkts, rxAllPadOctets, rxErroredPkts, rxMissedPkts } STATUS current DESCRIPTION "A collection of objects providing per SA IP-TFS outer packet statistics." ::= { iptfsMIBGroups 4 } END
The MIB module in this document uses the following IANA-assigned OBJECT IDENTIFIER value, recorded in the "SMI Network Management MGMT Codes Internet-standard MIB" registry:
このドキュメントのMIBモジュールは、「SMIネットワーク管理MGMTコードインターネット標準MIB」レジストリに記録されている次のIANAによって割り当てられたオブジェクト識別子値を使用します。
+=========+==========+==============================+ | Decimal | Name | Description | +=========+==========+==============================+ | 246 | iptfsMIB | IP-TRAFFIC-FLOW-SECURITY-MIB | +---------+----------+------------------------------+ Table 1
The MIB specified in this document can read the operational behavior of IP Traffic Flow Security. For the implications regarding write configuration, consult [RFC9347], which defines the functionality.
このドキュメントで指定されたMIBは、IPトラフィックフローセキュリティの運用動作を読み取ることができます。書き込み構成に関する意味については、機能を定義する[RFC9347]を参照してください。
There are no management objects defined in this MIB module that have a MAX-ACCESS clause of read-write and/or read-create. So, if this MIB module is implemented correctly, then there is no risk that an intruder can alter or create any management objects of this MIB module via direct SNMP SET operations.
このMIBモジュールには、読み取りワイトおよび/またはread-Createの最大アクセス句を持つ管理オブジェクトはありません。したがって、このMIBモジュールが正しく実装されている場合、侵入者が直接SNMPセット操作を介してこのMIBモジュールの管理オブジェクトを変更または作成できるリスクはありません。
Some of the objects in this MIB module may be considered sensitive or vulnerable in some network environments. This includes INDEX objects with a MAX-ACCESS of not-accessible, and any indices from other modules exposed via AUGMENTS. It is thus important to control even GET and/or NOTIFY access to these objects and possibly to even encrypt the values of these objects when sending them over the network via SNMP. These are the tables and objects and their sensitivity/vulnerability:
このMIBモジュールの一部のオブジェクトは、一部のネットワーク環境で敏感または脆弱と見なされる場合があります。これには、アクセス不可能な最大アクセスを備えたインデックスオブジェクト、および増加を介して公開された他のモジュールからのインデックスが含まれます。したがって、これらのオブジェクトへのアクセスを取得および/または通知することさえ制御し、SNMPを介してネットワーク上に送信するときにこれらのオブジェクトの値を暗号化することも重要です。これらはテーブルとオブジェクトであり、その感度/脆弱性です。
* iptfsInnerStatsTable and iptfsOuterStatsTable: Access to IP inner and outer Traffic Flow Security statistics can provide information that IP Traffic Flow Security obscures, such as the true activity of the flows using IP Traffic Flow Security.
* IPTFSINNERSTATSTABLEおよびIPTFSOUTERSTATSTABLE:IP内および外部トラフィックフローセキュリティ統計へのアクセスは、IPトラフィックフローセキュリティを使用したフローの真のアクティビティなど、IPトラフィックフローセキュリティが不明瞭になる情報を提供できます。
SNMP versions prior to SNMPv3 did not include adequate security. Even if the network itself is secure (for example by using IPsec), there is no control as to who on the secure network is allowed to access and GET (read) the objects in this MIB module.
SNMPV3以前のSNMPバージョンには、適切なセキュリティは含まれていませんでした。ネットワーク自体が(たとえば、IPSECを使用して)安全である場合でも、セキュアネットワーク上の誰がこのMIBモジュールのオブジェクトにアクセスして取得(読み取る)を許可するかについての制御はありません。
Implementations SHOULD provide the security features described by the SNMPv3 framework (see [RFC3410]), and implementations claiming compliance to the SNMPv3 standard MUST include full support for authentication and privacy via the User-based Security Model (USM) [RFC3414] with the AES cipher algorithm [RFC3826]. Implementations MAY also provide support for the Transport Security Model (TSM) [RFC5591] in combination with a secure transport such as SSH [RFC5592] or TLS/DTLS [RFC6353].
実装は、SNMPV3フレームワーク([RFC3410]を参照)で説明されているセキュリティ機能を提供する必要があり、SNMPV3標準のコンプライアンスを主張する実装には、AESとのユーザーベースのセキュリティモデル(USM)[RFC3414]を介した認証とプライバシーの完全なサポートを含める必要があります。暗号アルゴリズム[RFC3826]。実装は、SSH [RFC5592]やTLS/DTLS [RFC6353]などの安全な輸送と組み合わせて、輸送セキュリティモデル(TSM)[RFC5591]のサポートを提供する場合があります。
Further, deployment of SNMP versions prior to SNMPv3 is NOT RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to enable cryptographic security. It is then a customer/operator responsibility to ensure that the SNMP entity giving access to an instance of this MIB module is properly configured to give access to the objects only to those principals (users) that have legitimate rights to indeed GET or SET (change/create/delete) them.
さらに、SNMPV3より前のSNMPバージョンの展開は推奨されません。代わりに、SNMPV3を展開し、暗号化セキュリティを有効にすることをお勧めします。その場合、このMIBモジュールのインスタンスへのアクセスを提供するSNMPエンティティが、実際に取得または設定する正当な権利を持つプリンシパル(ユーザー)にのみオブジェクトにアクセスできるように適切に構成されていることを保証するのは、顧客/オペレーターの責任です(変更を変更します(変更)/作成/削除)それら。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>.
[RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, DOI 10.17487/RFC2578, April 1999, <https://www.rfc-editor.org/info/rfc2578>.
[RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Textual Conventions for SMIv2", STD 58, RFC 2579, DOI 10.17487/RFC2579, April 1999, <https://www.rfc-editor.org/info/rfc2579>.
[RFC2580] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Conformance Statements for SMIv2", STD 58, RFC 2580, DOI 10.17487/RFC2580, April 1999, <https://www.rfc-editor.org/info/rfc2580>.
[RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", STD 62, RFC 3414, DOI 10.17487/RFC3414, December 2002, <https://www.rfc-editor.org/info/rfc3414>.
[RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie, "The Advanced Encryption Standard (AES) Cipher Algorithm in the SNMP User-based Security Model", RFC 3826, DOI 10.17487/RFC3826, June 2004, <https://www.rfc-editor.org/info/rfc3826>.
[RFC5591] Harrington, D. and W. Hardaker, "Transport Security Model for the Simple Network Management Protocol (SNMP)", STD 78, RFC 5591, DOI 10.17487/RFC5591, June 2009, <https://www.rfc-editor.org/info/rfc5591>.
[RFC5592] Harrington, D., Salowey, J., and W. Hardaker, "Secure Shell Transport Model for the Simple Network Management Protocol (SNMP)", RFC 5592, DOI 10.17487/RFC5592, June 2009, <https://www.rfc-editor.org/info/rfc5592>.
[RFC6353] Hardaker, W., "Transport Layer Security (TLS) Transport Model for the Simple Network Management Protocol (SNMP)", STD 78, RFC 6353, DOI 10.17487/RFC6353, July 2011, <https://www.rfc-editor.org/info/rfc6353>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC9347] Hopps, C., "Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS)", RFC 9347, DOI 10.17487/RFC9347, January 2023, <https://www.rfc-editor.org/info/rfc9347>.
[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, "Introduction and Applicability Statements for Internet- Standard Management Framework", RFC 3410, DOI 10.17487/RFC3410, December 2002, <https://www.rfc-editor.org/info/rfc3410>.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, December 2005, <https://www.rfc-editor.org/info/rfc4301>.
[RFC5348] Floyd, S., Handley, M., Padhye, J., and J. Widmer, "TCP Friendly Rate Control (TFRC): Protocol Specification", RFC 5348, DOI 10.17487/RFC5348, September 2008, <https://www.rfc-editor.org/info/rfc5348>.
[RFC9348] Fedyk, D. and C. Hopps, "A YANG Data Model for IP Traffic Flow Security", RFC 9348, DOI 10.17487/RFC9348, January 2023, <https://www.rfc-editor.org/info/rfc9348>.
The authors would like to thank Chris Hopps, Lou Berger, and Tero Kivinen for their help and feedback on the MIB model.
著者は、Chris Hopps、Lou Berger、およびTero Kivinenに、MIBモデルに関する助けとフィードバックに感謝したいと思います。
Don Fedyk LabN Consulting, L.L.C. Email: dfedyk@labn.net
Eric Kinzie LabN Consulting, L.L.C. Email: ekinzie@labn.net