-- extracted from draft-stiemerling-midcom-mib-00.txt -- at Fri May 14 06:21:14 2004

MIDCOM-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE,
    Unsigned32, mib-2
        FROM SNMPv2-SMI                           -- RFC2578
    TruthValue, StorageType, RowStatus, TimeInterval
        FROM SNMPv2-TC                            -- RFC2579
    MODULE-COMPLIANCE, OBJECT-GROUP
        FROM SNMPv2-CONF                          -- RFC2580
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB                   -- RFC3411
    InetAddressType, InetAddress, InetPortNumber
        FROM INET-ADDRESS-MIB                     -- RFC 3291
    InterfaceIndex
        FROM IF-MIB;                              -- RFC2863

midcomMIB MODULE-IDENTITY
    LAST-UPDATED "200310070333Z"  -- October 07, 2003
    ORGANIZATION "IETF Middlebox Communication Working Group"
    CONTACT-INFO
        "WG charter:
           http://www.ietf.org/html.charters/midcom-charter.html

         Mailing Lists:
           General Discussion: midcom@ietf.org
           To Subscribe: midcom-request@ietf.org
           In Body: subscribe your_email_address

         Editor:
           Martin Stiemerling
           NEC Europe Ltd.
           Network Laboratories
           Kurfuersten-Anlage 36
           69221 Heidelberg
           Germany
           Tel: +49 6221 90511-13
           Email: stiemerling@ccrle.nec.de"
    DESCRIPTION
        "This MIB module defines a set of basic objects for
         configuring middleboxes, such as firewalls and network
         address translators, in order to enable communication
         across these devices.

         There are four groups of managed objects defined by this
         MIB module:
           - objects describing middlebox capabilities in the
             midcomCapabilities group,
           - objects modeling MIDCOM sessions in the
             midcomSessionTable,
           - objects modeling MIDCOM policy rules in the
             midcomRuleTable,
           - objects modeling MIDCOM policy rule groups in the
             midcomGroupTable.

         Copyright (C) The Internet Society (2003).  This version
         of this MIB module is part of RFC yyyy; see the RFC
         itself for full legal notices."
-- RFC Ed.: replace yyyy with actual RFC number & remove this notice
    REVISION "200310070333Z"  -- October 07, 2003
    DESCRIPTION
        "Initial version, published as RFC yyyy."
-- RFC Ed.: replace yyyy with actual RFC number & remove this notice
    ::= { mib-2 4444 }  -- 4444 to be assigned by IANA.
--
-- main components of this MIB module
--

midcomObjects       OBJECT IDENTIFIER ::= { midcomMIB 1 }
midcomNotifications OBJECT IDENTIFIER ::= { midcomMIB 2 }
midcomConformance   OBJECT IDENTIFIER ::= { midcomMIB 3 }

--
-- Capabilities group
--
-- The MIDCOM capabilities group contains a set of managed
-- objects describing the capabilities of the middlebox.
-- All objects in this group have MAX-ACCESS read-only.
--

midcomCapabilities OBJECT IDENTIFIER ::= { midcomObjects 1 }

midcomCapabFirewall OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "When retrieved, this object returns true(1) if the
         managed node acts as a firewall.  Otherwise, it returns
         false(2)."
    ::= { midcomCapabilities 1 }

midcomCapabNat OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "When retrieved, this object returns true(1) if the
         managed node acts as a network address translator.
         Otherwise, it returns false(2)."
    ::= { midcomCapabilities 2 }

midcomCapabPortTranslation OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "When retrieved, this object returns true(1) if the
         managed node acts as a network address translator and
         supports port translation.  Otherwise, it returns
         false(2)."
    ::= { midcomCapabilities 3 }

midcomCapabProtocolTranslation OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "When retrieved, this object returns true(1) if the
         managed node acts as a network address translator and
         supports protocol translation.  Otherwise, it returns
         false(2)."
    ::= { midcomCapabilities 4 }

midcomCapabTwiceNat OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "When retrieved, this object returns true(1) if the
         managed node acts as a twice network address translator.
         Otherwise, it returns false(2)."
    ::= { midcomCapabilities 5 }

midcomCapabInsideIpVersions OBJECT-TYPE
    SYNTAX      INTEGER {
                    ipv4(1),
                    ipv6(2),
                    both(3)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "When retrieved, this object returns ipv4(1) if the
         managed node supports IPv4 only at the inside.  It
         returns ipv6(2) if it supports IPv6 only at the inside.
         Otherwise, if it supports both IP versions, it returns
         both(3)."
    ::= { midcomCapabilities 6 }

midcomCapabOutsideIpVersions OBJECT-TYPE
    SYNTAX      INTEGER {
                    ipv4(1),
                    ipv6(2),
                    both(3)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "When retrieved, this object returns ipv4(1) if the
         managed node supports IPv4 only at the outside.  It
         returns ipv6(2) if it supports IPv6 only at the outside.
         Otherwise, if it supports both IP versions, it returns
         both(3)."
    ::= { midcomCapabilities 7 }

midcomCapabInsideWildcards OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "When retrieved, this object returns true(1) if the
         managed node supports IP address wildcarding at the
         inside.  Otherwise, it returns false(2)."
    ::= { midcomCapabilities 8 }

midcomCapabOutsideWildcards OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "When retrieved, this object returns true(1) if the
         managed node supports IP address wildcarding at the
         outside.  Otherwise, it returns false(2)."
    ::= { midcomCapabilities 9 }

midcomCapabPortWildcards OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "When retrieved, this object returns true(1) if the
         managed node supports port wildcarding.  Otherwise, it
         returns false(2)."
    ::= { midcomCapabilities 10 }

midcomCapabPersistentRules OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "When retrieved, this object returns true(1) if the
         managed node can store policy rules persistently.
         Otherwise, it returns false(2)."
    ::= { midcomCapabilities 11 }

midcomCapabMaxLifetime OBJECT-TYPE
    SYNTAX      TimeInterval
    UNITS       "centi-seconds"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "When retrieved, this object returns the maximum lifetime
         in centi-seconds that this middlebox allows policy rules
         to have."
    ::= { midcomCapabilities 12 }

--
-- Session group
--
-- The midcomSessionTable models MIDCOM sessions.
-- MIDCOM agents ( = SNMP managers ) that want to
-- read, create or modify entries in the midcomRuleTable
-- or midcomGroupTable need to have an entry in this table.
--
-- The table contains objects that identify a destination for
-- notifications to be sent to the MIDCOM agent.
-- Also it serves for creating new rows in the
-- midcomRuleTable.
--

midcomSession OBJECT IDENTIFIER ::= { midcomObjects 2 }

midcomSessionIndexNext OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "When retrieved, this object returns an unused session
         index for the USM user that issued the read-request.
         The returned value can be used for creating a new entry
         in the midcomSessionTable.

         A value returned when reading this object is not returned
         again on subsequent read-requests as long as possible.
         This ensures that two SNMP managers authenticated as the
         same USM user can independently create sessions without
         facing race conditions."
    ::= { midcomSession 1 }

midcomSessionTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF MidcomSessionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table lists open MIDCOM sessions.

         The midcomSessionTable models MIDCOM sessions.
         MIDCOM agents ( = SNMP managers ) that want to
         read, create or modify entries in the midcomRuleTable
         or midcomGroupTable need to have an entry in this table.

         The table contains objects that identify a destination
         for notifications to be sent to the MIDCOM agent.
         Also, it serves for creating new rows in the
         midcomRuleTable.
         The midcomSessionTable is indexed by its owner identified
         as USM user, and by a session index that allows
         distinguishing multiple sessions of the same USM user."
    ::= { midcomSession 2 }

midcomSessionEntry OBJECT-TYPE
    SYNTAX      MidcomSessionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry describing a particular MIDCOM session."
    INDEX { midcomSessionOwner, midcomSessionIndex }
    ::= { midcomSessionTable 1 }

MidcomSessionEntry ::= SEQUENCE {
    midcomSessionOwner            SnmpAdminString,
    midcomSessionIndex            Unsigned32,
    midcomSessionRuleGroupIndex   Unsigned32,
    midcomSessionRuleStorageTime  TimeInterval,
    midcomSessionRuleIndexNext    OBJECT IDENTIFIER,
    midcomSessionCreateRule       OBJECT IDENTIFIER,
    midcomSessionStorageType      StorageType,
    midcomSessionRowStatus        RowStatus
}

midcomSessionOwner OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE (0..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The manager ( = MIDCOM agent ) who owns this row in the
         midcomSessionTable.  Every policy rule created from a
         particular entry in the midcomSessionTable (i.e. entries
         in the midcomRuleTable) will be owned by the same
         midcomSessionOwner used to index the entry in the
         midcomSessionTable."
    ::= { midcomSessionEntry 1 }

midcomSessionIndex OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This object allows distinguishing multiple concurrent
         sessions of the same USM user.  Its value needs to be
         unique per USM user."
    ::= { midcomSessionEntry 2 }

midcomSessionRuleGroupIndex OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object determines the index of the MIDCOM policy
         rule group of which policy rules become a member when
         they are created by writing to midcomSessionCreateRule.

         The value 0 is not a valid group index.  When this object
         has a value of 0, then a new group is created for each
         new policy rule generated by writing to
         midcomSessionCreateRule."
    DEFVAL { 0 }
    ::= { midcomSessionEntry 3 }

midcomSessionRuleStorageTime OBJECT-TYPE
    SYNTAX      TimeInterval
    UNITS       "centi-seconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the default maximum amount of time
         information on a policy rule is kept as an entry in the
         midcomRuleTable after the entry reaches an error state
         or after the policy rule is terminated.

         The value of this object is used to initialize the
         midcomRuleStorageTime when a new entry in the
         midcomRuleTable is created.  Changing the value of a
         midcomSessionRuleStorageTime instance does not affect
         any entry of the midcomRuleTable created previously."
    DEFVAL { 60000 }
    ::= { midcomSessionEntry 4 }

midcomSessionRuleIndexNext OBJECT-TYPE
    SYNTAX      OBJECT IDENTIFIER
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "When retrieved, this object returns an object identifier
         pointing to a not yet existing row in the
         midcomRuleTable.

         The first index of the object identifier is the value of
         the midcomSessionOwner object of the actual entry in the
         midcomSessionTable.

         The second index is the value of the
         midcomSessionRuleGroupIndex object of the actual entry in
         the midcomSessionTable, if this value is not 0.  If the
         value is zero, then the second index is the
         midcomGroupIndex of a not yet existing entry in the
         midcomGroupTable.

         The third index is a so far unused policy rule index for
         members of the group identified by the second index.

         The returned value can be used for creating a new entry
         in the midcomRuleTable by writing it to
         midcomSessionCreateRule."
    ::= { midcomSessionEntry 5 }

midcomSessionCreateRule OBJECT-TYPE
    SYNTAX      OBJECT IDENTIFIER
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Writing to this object potentially creates a new entry in
         the midcomRuleTable.  A value written to this object
         should be an object identifier pointing to a so far not
         existing entry in the midcomRuleTable.
         Also, the value must use the midcomSessionOwner object of
         the actual entry in the midcomSessionTable as first
         index.  If one of these constraints is not met, then the
         operation will result in an inconsistentValue error.

         Valid values for writing to this object can be obtained
         by reading the midcomSessionRuleIndexNext object.

         If the value is valid, then the MIDCOM MIB implementation
         creates a new entry in the midcomRuleTable using the
         value."
    ::= { midcomSessionEntry 6 }

midcomSessionStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "to be done"
    DEFVAL { volatile }
    ::= { midcomSessionEntry 7 }

midcomSessionRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Needed for creating sessions.
         Detailed description to be done."
    ::= { midcomSessionEntry 8 }

--
-- Policy rule group
--
-- The midcomRuleTable lists all current policy rules
-- including policy reserve rules and policy enable rules.
--

midcomRuleTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF MidcomRuleEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table lists all current policy rules.

         It is indexed by the midcomSessionOwner, the
         midcomGroupIndex and the midcomRuleIndex.  This implies
         that a rule is member of exactly one group and that
         group membership cannot be changed.

         Entries in this table are created implicitly by writing
         to the midcomSessionTable.  Entries are deleted by
         writing to midcomGroupLifetime or midcomRuleLifetime."
    ::= { midcomObjects 3 }

midcomRuleEntry OBJECT-TYPE
    SYNTAX      MidcomRuleEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry describing a particular MIDCOM policy rule.
         It must be unique in combination with the
         midcomSessionOwner, the midcomGroupIndex, and the
         midcomRuleIndex of this entry."
    INDEX { midcomSessionOwner, midcomGroupIndex, midcomRuleIndex }
    ::= { midcomRuleTable 1 }

MidcomRuleEntry ::= SEQUENCE {
    midcomRuleIndex               Unsigned32,
    midcomRuleAdminStatus         INTEGER,
    midcomRuleOperStatus          INTEGER,
    midcomRuleStorageType         StorageType,
    midcomRuleStorageTime         TimeInterval,
    midcomRuleError               SnmpAdminString,
    midcomRuleNatService          INTEGER,
    midcomRuleInternalIpVersion   InetAddressType,
    midcomRuleInternalIpAddr      InetAddress,
    midcomRuleInternalPort        InetPortNumber,
    midcomRuleInsideIpVersion     InetAddressType,
    midcomRuleInsideIpAddr        InetAddress,
    midcomRuleInsidePort          InetPortNumber,
    midcomRuleInsideInterface     InterfaceIndex,
    midcomRuleOutsideIpVersion    InetAddressType,
    midcomRuleOutsideIpAddr       InetAddress,
    midcomRuleOutsidePort         InetPortNumber,
    midcomRuleOutsideInterface    InterfaceIndex,
    midcomRuleExternalIpVersion   InetAddressType,
    midcomRuleExternalIpAddr      InetAddress,
    midcomRuleExternalPort        InetPortNumber,
    midcomRuleTransportProtocol   Unsigned32,  -- definition?
    midcomRulePortRange           Unsigned32,
    midcomRulePortParity          INTEGER,
    midcomRuleFlowDirection       INTEGER,
    midcomRuleLifetime            TimeInterval
}

midcomRuleIndex OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The value of this object must be unique in combination
         with the values of midcomSessionOwner and
         midcomGroupIndex.  The value of this index is chosen by
         the MIDCOM MIB implementation when a new entry in this
         table is created."
    ::= { midcomRuleEntry 3 }

midcomRuleAdminStatus OBJECT-TYPE
    SYNTAX      INTEGER {
                    reserved(1),
                    enabled(2)
                }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The value of this object indicates the desired status of
         the policy rule.  See the definition of
         midcomRuleOperStatus for a description of the values.

         When the midcomRuleAdminStatus object is set, then the
         MIDCOM MIB implementation will try to read the respective
         relevant objects of the entry and try to achieve the
         corresponding midcomRuleOperStatus.
         Depending on whether the midcomRuleAdminStatus is set to
         reserved(1) or enabled(2), several objects of the
         MidcomRuleEntry must be set.

         In the reserved(1) case these objects must be set for a
         request:
           - midcomRuleNatService
           - midcomRuleInternalIpVersion
           - midcomRuleInternalIpAddr
           - midcomRuleInternalPort
           - midcomRuleInsideInterface
           - midcomRuleOutsideInterface
           - midcomRuleExternalIpVersion
           - midcomRuleTransportProtocol
           - midcomRulePortRange
           - midcomRulePortParity

         In the enabled(2) case these objects must be set for a
         request:
           - midcomRuleInternalIpVersion
           - midcomRuleInternalIpAddr
           - midcomRuleInternalPort
           - midcomRuleInsideInterface
           - midcomRuleOutsideInterface
           - midcomRuleExternalIpVersion
           - midcomRuleExternalIpAddr
           - midcomRuleExternalPort
           - midcomRuleTransportProtocol
           - midcomRulePortRange
           - midcomRulePortParity
           - midcomRuleFlowDirection

         When retrieved, the object returns the last set value.
         If no value has been set, it returns one of the two
         possible values."
    ::= { midcomRuleEntry 4 }

midcomRuleOperStatus OBJECT-TYPE
    SYNTAX      INTEGER {
                    newEntry(1),
                    setting(2),
                    checkingRequest(3),
                    incorrectRequest(4),
                    processingRequest(5),
                    requestRejected(6),
                    reserved(7),
                    checkingTransitRequest(8),
                    processingTransitRequest(9),
                    enabled(10),
                    timedOut(11),
                    terminatedOnRequest(12),
                    terminated(13),
                    genericError(14)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The actual status of the policy rule.  The
         midcomRuleOperStatus object may have the following
         values:

         - newEntry(1) indicates that the entry in the
           midcomRuleTable was created, but not modified yet.
           Such an entry needs to be filled with values
           specifying a request first.

         - setting(2) indicates that the entry has already been
           modified after generating it, but no request was made
           yet.

         - checkingRequest(3) indicates that midcomRuleAdminStatus
           has recently been set and that the MIDCOM MIB
           implementation is currently checking the parameters of
           the request.
         - incorrectRequest(4) indicates that checking a request
           resulted in detecting an incorrect value in one of the
           objects containing request parameters.  The failure
           reason is indicated by the value of midcomRuleError.

         - processingRequest(5) indicates that
           midcomRuleAdminStatus has recently been set and that
           the MIDCOM MIB implementation is currently processing
           the request and trying to configure the middlebox
           accordingly.

         - requestRejected(6) indicates that a request to
           establish a policy rule specified by the entry was
           rejected.  The reason for rejection is indicated by
           the value of midcomRuleError.

         - reserved(7) indicates that the entry describes an
           established policy reserve rule.  These values of
           MidcomRuleEntry can be retrieved for a reserved policy
           rule:
             - midcomRuleNatService
             - midcomRuleInternalIpVersion
             - midcomRuleInternalIpAddr
             - midcomRuleInternalPort
             - midcomRuleInsideIpVersion
             - midcomRuleInsideIpAddr
             - midcomRuleInsidePort
             - midcomRuleInsideInterface
             - midcomRuleOutsideIpVersion
             - midcomRuleOutsideIpAddr
             - midcomRuleOutsidePort
             - midcomRuleExternalIpVersion
             - midcomRuleTransportProtocol
             - midcomRulePortRange
             - midcomRulePortParity
             - midcomRuleLifetime

         - checkingTransitRequest(8) indicates that after a
           policy reserve rule was established,
           midcomRuleAdminStatus has recently been set to
           enabled(2) and that the MIDCOM MIB implementation is
           currently checking the parameters of the request.

         - processingTransitRequest(9) indicates that after a
           policy reserve rule was established,
           midcomRuleAdminStatus has recently been set to
           enabled(2) and that the MIDCOM MIB implementation is
           currently processing the request and trying to
           configure the middlebox accordingly.

         - enabled(10) indicates that the entry describes an
           established policy enable rule.
           These values of MidcomRuleEntry can be retrieved for
           an enabled policy rule:
             - midcomRuleInternalIpVersion
             - midcomRuleInternalIpAddr
             - midcomRuleInternalPort
             - midcomRuleInsideIpVersion
             - midcomRuleInsideIpAddr
             - midcomRuleInsidePort
             - midcomRuleInsideInterface
             - midcomRuleOutsideIpVersion
             - midcomRuleOutsideIpAddr
             - midcomRuleOutsidePort
             - midcomRuleOutsideInterface
             - midcomRuleExternalIpVersion
             - midcomRuleExternalIpAddr
             - midcomRuleExternalPort
             - midcomRuleTransportProtocol
             - midcomRulePortRange
             - midcomRulePortParity
             - midcomRuleFlowDirection
             - midcomRuleLifetime

         - timedOut(11) indicates that the lifetime of a
           previously established policy rule has expired and
           that the policy rule is terminated for this reason.

         - terminatedOnRequest(12) indicates that a previously
           established policy rule was terminated by an SNMP
           manager setting the midcomRuleLifetime to 0 or setting
           midcomGroupLifetime to 0.

         - terminated(13) indicates that a previously established
           policy rule was terminated by the MIDCOM MIB
           implementation for another reason than lifetime
           expiration or an explicit request from an SNMP
           manager.

         - genericError(14) indicates that the policy rule
           specified by the entry is not established due to an
           error condition not listed above.

         The states timedOut(11), terminatedOnRequest(12) and
         terminated(13) are referred to as termination states.
         The states incorrectRequest(4), requestRejected(6) and
         genericError(14) are referred to as error states.  The
         checkingRequest(3), processingRequest(5),
         checkingTransitRequest(8) and
         processingTransitRequest(9) states are transient states
         which will lead either to one of the error states, to
         the reserved(7) state, or to the enabled(10) state."
    DEFVAL { newEntry }
    ::= { midcomRuleEntry 5 }

midcomRuleStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object defines whether this row and the policy rule
         controlled by this row are kept in volatile storage and
         lost upon reboot or if this row is backed up by
         non-volatile or permanent storage.

         Attempts to set this object to permanent will always fail
         with an inconsistentValue error.

         If midcomRuleStorageType has the value permanent(4), then
         all objects whose MAX-ACCESS value is read-write must be
         read-only."
    DEFVAL { volatile }
    ::= { midcomRuleEntry 6 }

midcomRuleStorageTime OBJECT-TYPE
    SYNTAX      TimeInterval
    UNITS       "centi-seconds"
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The value of this object specifies how long this row can
         exist in the midcomRuleTable after the
         midcomRuleOperStatus switched to a termination state or
         to an error state.

         This object returns the remaining time that the row may
         exist before it is aged out.  The object is initialized
         with the value of the associated
         midcomSessionRuleStorageTime object.  After expiration
         or termination of the policy rule, the value of this
         object counts down.  The entry in the midcomRuleTable is
         destroyed when the value reaches 0.

         The value of this object may be set in order to increase
         or reduce the remaining time that the row may exist.
         Setting the value to 0 will destroy this entry as soon
         as the midcomRuleOperStatus switched to a termination
         state or to an error state.

         Note that there is no guarantee that the row is stored
         as long as this object indicates.  At any time, the SNMP
         agent may decide to remove a row describing a terminated
         policy rule before the storage time of the corresponding
         row in the midcomRuleTable reaches the value of 0.  In
         this case the information stored in this row is no
         longer available."
    ::= { midcomRuleEntry 7 }

midcomRuleError OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object contains a descriptive error message if the
         transition into the operational status reserved(7) or
         enabled(10) failed.  Implementations must reset the
         error message to a zero-length string when a new attempt
         to change the policy rule status to reserved(7) or
         enabled(10) is started."
    DEFVAL { ''H }
    ::= { midcomRuleEntry 8 }

midcomRuleNatService OBJECT-TYPE
    SYNTAX      INTEGER {
                    traditionalNat(1),
                    twiceNat(2)
                }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The requested NAT service of the middlebox.  Some NATs
         may have a dual character, like providing traditional
         and twice NAT service at the same time for different NAT
         bindings.  This parameter determines the behaviour for
         this NAT binding.  A firewall-only middlebox ignores
         this parameter.

         The midcomRuleNatService is only available for policy
         reserve rules, indicated by midcomRuleAdminStatus set to
         reserved(1)."
    ::= { midcomRuleEntry 9 }

midcomRuleInternalIpVersion OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "IP version of the internal IP address at the middlebox."
    ::= { midcomRuleEntry 10 }

midcomRuleInternalIpAddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The internal IP address at the middlebox."
    ::= { midcomRuleEntry 11 }

midcomRuleInternalPort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The internal port at the middlebox."
    ::= { midcomRuleEntry 12 }

midcomRuleInsideIpVersion OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "IP version at the inside of the middlebox.

         The midcomRuleInsideIpVersion is set by the SNMP agent
         to the IP address type, when the middlebox is twice-NAT
         and twice-NAT service is requested.  The
         midcomRuleInsideIpVersion must be set to unknown(0) when
         the NAT does not assign an inside IP address.
         Firewalls always return unknown(0), since no inside IP
         address is assigned."
    ::= { midcomRuleEntry 13 }

midcomRuleInsideIpAddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The inside IP address at the middlebox.

         The midcomRuleInsideIpAddr is set by the SNMP agent to
         the IP address, when the middlebox is twice-NAT and
         twice-NAT service is requested."
    ::= { midcomRuleEntry 14 }

midcomRuleInsidePort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The inside port at the middlebox.

         The midcomRuleInsidePort is set by the SNMP agent to the
         port number, when the middlebox is twice-NAT and
         twice-NAT service is requested."
    ::= { midcomRuleEntry 15 }

midcomRuleInsideInterface OBJECT-TYPE
    SYNTAX      InterfaceIndex
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The interface at the inside of the middlebox."
    ::= { midcomRuleEntry 16 }

midcomRuleOutsideIpVersion OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "IP version at the outside of the middlebox.

         The midcomRuleOutsideIpVersion is set by the SNMP agent
         to the IP address type.  Firewalls always return
         unknown(0), since no outside IP address is assigned."
    ::= { midcomRuleEntry 17 }

midcomRuleOutsideIpAddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The outside IP address at the middlebox.

         The midcomRuleOutsideIpAddr is set by the SNMP agent to
         the IP address."
    ::= { midcomRuleEntry 18 }

midcomRuleOutsidePort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The outside port at the middlebox.

         The midcomRuleOutsidePort is set by the SNMP agent to
         the port number."
    ::= { midcomRuleEntry 19 }

midcomRuleOutsideInterface OBJECT-TYPE
    SYNTAX      InterfaceIndex
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The interface at the outside of the middlebox."
    ::= { midcomRuleEntry 20 }

midcomRuleExternalIpVersion OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "IP version of the external IP address at the middlebox."
    ::= { midcomRuleEntry 21 }

midcomRuleExternalIpAddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The external IP address at the middlebox.

         The midcomRuleExternalIpAddr is only available for
         policy enable rule requests, indicated by
         midcomRuleAdminStatus set to enabled(2)."
    ::= { midcomRuleEntry 22 }

midcomRuleExternalPort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The external port at the middlebox.

         The midcomRuleExternalPort is only available for policy
         enable rule requests, indicated by midcomRuleAdminStatus
         set to enabled(2)."
    ::= { midcomRuleEntry 23 }

midcomRuleTransportProtocol OBJECT-TYPE
    SYNTAX      Unsigned32 (0..255)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The transport protocol."
    ::= { midcomRuleEntry 24 }

midcomRulePortRange OBJECT-TYPE
    SYNTAX      Unsigned32 (1..65535)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The port range parameter specifies a number of
         consecutive port numbers.  Its value is a positive
         integer.  Together with the port number parameter this
         parameter defines a set of consecutive port numbers
         starting with the port number specified by the port
         number parameter as the lowest port number and having as
         many elements as specified by the port range parameter.
         A value of one specifies just a single port number."
    ::= { midcomRuleEntry 25 }

midcomRulePortParity OBJECT-TYPE
    SYNTAX      INTEGER {
                    same(1),  -- available for PER only
                    any(2),   -- available for PER and PRR
                    odd(3),   -- available for PRR only
                    even(4)   -- available for PRR only
                }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The port parity parameter is used differently in the
         context of policy reserve rules (PRR,
         midcomRuleAdminStatus set to reserved(1)) and policy
         enable rules (PER, midcomRuleAdminStatus set to
         enabled(2)).
         In the context of a PRR, the value of the parameter may
         be 'odd', 'even', or 'any'.  It specifies the parity of
         the first (lowest) reserved port number.

         In the context of a PER, the port parity parameter
         indicates to the middlebox whether or not port numbers
         allocated at the middlebox should have the same parity
         as the corresponding internal or external port numbers,
         respectively.  In this context, the parameter has either
         the value 'same' or 'any'.  If it has the value 'same',
         then the parity of the port number of A0 must be the
         same as the parity of the port number of A2, and the
         parity of the port number of A1 must be the same as the
         parity of the port number of A3.  If the port parity
         parameter has the value 'any', then there are no
         constraints on the parity of any port number."
    ::= { midcomRuleEntry 26 }

midcomRuleFlowDirection OBJECT-TYPE
    SYNTAX      INTEGER {
                    inbound(1),
                    outbound(2),
                    bidirectional(3)
                }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This parameter specifies the direction of enabled
         communication, either 'inbound', 'outbound', or
         'bidirectional'.

         The midcomRuleFlowDirection is only available for policy
         enable rule requests, indicated by midcomRuleAdminStatus
         set to enabled(2)."
    ::= { midcomRuleEntry 27 }

midcomRuleLifetime OBJECT-TYPE
    SYNTAX      TimeInterval
    UNITS       "centi-seconds"
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "When retrieved, this object delivers the remaining
         lifetime in centi-seconds of this policy rule.

         Successfully writing to this object modifies the
         lifetime of the policy rule.  Successfully writing a
         value of 0 terminates the policy rule.  Note that after
         a policy rule is terminated, the entry will still exist
         as long as indicated by the value of
         midcomRuleStorageTime.

         Writing to this object is processed by the SNMP agent
         according to the processing of a Policy Rule Lifetime
         Change (RLC) request as specified in RFC XXXX.
         Therefore, SNMP set requests to this object might be
         rejected, or the value of the object after an accepted
         set operation may be different from the value that was
         contained in the SNMP set request."
    ::= { midcomRuleEntry 28 }

--
-- Policy rule group group
--
-- The midcomGroupTable lists all current policy rule groups.
--

midcomGroupTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF MidcomGroupEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table lists all current policy rule groups.
         Entries in this table are created implicitly when
         entries in the midcomRuleTable are created.

         Like the midcomSessionTable and the midcomRuleTable,
         this table is indexed by an owner and an index that is
         unique per owner.

         The table serves for listing the existing groups and
         their remaining lifetimes and for changing lifetimes of
         groups and implicitly of all group members.  Groups and
         all their member policy rules can be deleted by setting
         midcomGroupLifetime to 0."
    ::= { midcomObjects 4 }

midcomGroupEntry OBJECT-TYPE
    SYNTAX      MidcomGroupEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry describing a particular MIDCOM policy rule
         group."
    INDEX { midcomSessionOwner, midcomGroupIndex }
    ::= { midcomGroupTable 1 }

MidcomGroupEntry ::= SEQUENCE {
    midcomGroupIndex     Unsigned32,
    midcomGroupLifetime  TimeInterval
}

midcomGroupIndex OBJECT-TYPE
    SYNTAX      Unsigned32 (1..4294967295)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The index of this group for the midcomSessionOwner.
         A group is identified by the combination of
         midcomSessionOwner and midcomGroupIndex.  The value of
         this index must be unique per midcomSessionOwner."
    ::= { midcomGroupEntry 2 }

midcomGroupLifetime OBJECT-TYPE
    SYNTAX      TimeInterval
    UNITS       "centi-seconds"
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "When retrieved, this object delivers the maximum
         lifetime in centi-seconds of all member rules of this
         group, i.e.
of all rows in the midcomRuleTable that have the same values for midcomSessionOwner and midcomGroupIndex. Successfully writing to this object modifies the lifetime of all member policies. Successfully writing a value of 0 deletes the group and all its member rules. Note that after a group is conceptually deleted, still the corresponding entry in the midcomGroupTable will exist as long as terminated member policy rules are stored as entries in the midcomRuleTable. Writing to this object is processed by the SNMP agent according to the processing of a Group Lifetime Change (GLC) request as specified in RFC XXXX. Therefore, SNMP set requests to this object might be rejected or the value of the object after an accepted set operation may be different from the value that was contained in the SNMP set request." ::= { midcomGroupEntry 3 } -- -- Notifications. The definition of midcomEvent makes notification -- registrations reversible (see STD 58, RFC 2578, Section 8.5). -- midcomEvent OBJECT IDENTIFIER ::= { midcomNotifications 0 } midcomSessionTermination NOTIFICATION-TYPE STATUS current DESCRIPTION "This notification can be generated for indicating that a session is terminated by the middlebox." ::= { midcomEvent 1 } midcomRuleEvent NOTIFICATION-TYPE OBJECTS { midcomRuleLifetime } STATUS current DESCRIPTION "This notification can be generated for indicating the change of a policy rule's lifetime." ::= { midcomEvent 2 } midcomGroupEvent NOTIFICATION-TYPE OBJECTS { midcomGroupLifetime } STATUS current DESCRIPTION "This notification can be generated for indicating the change of a policy rule group's lifetime." ::= { midcomEvent 3 } -- -- Conformance information -- midcomCompliances OBJECT IDENTIFIER ::= { midcomConformance 1 } midcomGroups OBJECT IDENTIFIER ::= { midcomConformance 2 } -- -- compliance statements -- -- This is the MIDCOM compliance definition ... 
--

midcomCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
           "The compliance statement for SNMP entities that
           implement the MIDCOM MIB.

           Note that compliance with this compliance statement
           requires compliance with the ifCompliance3
           MODULE-COMPLIANCE statement of the IF-MIB [RFC2863]."
    MODULE -- this module
    MANDATORY-GROUPS {
        midcomCapabilitiesGroup,
        midcomSessionGroup,
        midcomRuleGroup,
        midcomNotificationsGroup
    }
    GROUP midcomGroupGroup
    DESCRIPTION
           "A compliant implementation does not have to implement
           the midcomGroupGroup."
    OBJECT midcomRuleInsideInterface
    MIN-ACCESS  not-accessible
    DESCRIPTION
           "A compliant implementation does not have to implement
           object midcomRuleInsideInterface."
    OBJECT midcomRuleOutsideInterface
    MIN-ACCESS  not-accessible
    DESCRIPTION
           "A compliant implementation does not have to implement
           object midcomRuleOutsideInterface."
    ::= { midcomCompliances 1 }

midcomCapabilitiesGroup OBJECT-GROUP
    OBJECTS {
        midcomCapabFirewall,
        midcomCapabNat,
        midcomCapabPortTranslation,
        midcomCapabProtocolTranslation,
        midcomCapabTwiceNat,
        midcomCapabInsideIpVersions,
        midcomCapabOutsideIpVersions,
        midcomCapabInsideWildcards,
        midcomCapabOutsideWildcards,
        midcomCapabPortWildcards,
        midcomCapabPersistentRules,
        midcomCapabMaxLifetime
    }
    STATUS      current
    DESCRIPTION
           "A collection of objects providing information about
           the capabilities of a middlebox."
    ::= { midcomGroups 1 }

midcomSessionGroup OBJECT-GROUP
    OBJECTS {
        midcomSessionIndexNext,
        midcomSessionRuleGroupIndex,
        midcomSessionRuleStorageTime,
        midcomSessionRuleIndexNext,
        midcomSessionCreateRule,
        midcomSessionStorageType,
        midcomSessionRowStatus
    }
    STATUS      current
    DESCRIPTION
           "A collection of objects providing information about
           MIDCOM sessions."
    ::= { midcomGroups 2 }

midcomRuleGroup OBJECT-GROUP
    OBJECTS {
        midcomRuleAdminStatus,
        midcomRuleOperStatus,
        midcomRuleStorageType,
        midcomRuleStorageTime,
        midcomRuleError,
        midcomRuleNatService,
        midcomRuleInternalIpVersion,
        midcomRuleInternalIpAddr,
        midcomRuleInternalPort,
        midcomRuleInsideIpVersion,
        midcomRuleInsideIpAddr,
        midcomRuleInsidePort,
        midcomRuleInsideInterface,
        midcomRuleOutsideIpVersion,
        midcomRuleOutsideIpAddr,
        midcomRuleOutsidePort,
        midcomRuleOutsideInterface,
        midcomRuleExternalIpVersion,
        midcomRuleExternalIpAddr,
        midcomRuleExternalPort,
        midcomRuleTransportProtocol,
        midcomRulePortRange,
        midcomRulePortParity,
        midcomRuleFlowDirection,
        midcomRuleLifetime
    }
    STATUS      current
    DESCRIPTION
           "A collection of objects providing information about
           policy rules."
    ::= { midcomGroups 3 }

midcomGroupGroup OBJECT-GROUP
    OBJECTS { midcomGroupLifetime }
    STATUS      current
    DESCRIPTION
           "A collection of objects providing information about
           policy rule groups."
    ::= { midcomGroups 4 }

midcomNotificationsGroup OBJECT-GROUP
    OBJECTS {
        midcomSessionTermination,
        midcomRuleEvent,
        midcomGroupEvent
    }
    STATUS      current
    DESCRIPTION
           "The notifications emitted by the midcomMIB."
    ::= { midcomGroups 5 }

END

--
-- Copyright (C) The Internet Society (2003).  All Rights Reserved.
--
-- This document and translations of it may be copied and furnished to
-- others, and derivative works that comment on or otherwise explain it
-- or assist in its implementation may be prepared, copied, published
-- and distributed, in whole or in part, without restriction of any
-- kind, provided that the above copyright notice and this paragraph are
-- included on all such copies and derivative works.  However, this
-- document itself may not be modified in any way, such as by removing
-- the copyright notice or references to the Internet Society or other
-- Internet organizations, except as needed for the purpose of
-- developing Internet standards in which case the procedures for
-- copyrights defined in the Internet Standards process must be
-- followed, or as required to translate it into languages other than
-- English.
--
-- The limited permissions granted above are perpetual and will not be
-- revoked by the Internet Society or its successors or assigns.
--
-- This document and the information contained herein is provided on an
-- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
-- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
-- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
-- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
-- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
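The PER port parity rule (midcomRulePortParity), the RLC processing of midcomRuleLifetime and the GLC processing of midcomGroupLifetime defined above, as an added Python model written for this page; it is not part of the MIB module or of any MIDCOM implementation. It assumes that an agent which "accepts a set with a different value" does so by clamping the request to midcomCapabMaxLifetime, that terminated rows linger for their midcomRuleStorageTime, and all class, function and sample values (owner "ctrl1", the lifetimes) are constructed.

```python
from dataclasses import dataclass

def per_parity_ok(parity: str, a0: int, a1: int, a2: int, a3: int) -> bool:
    """midcomRulePortParity for a PER: 'same' means A0/A2 and A1/A3 parities match."""
    if parity not in ("same", "any"):
        raise ValueError("PER port parity must be 'same' or 'any'")
    return parity == "any" or (a0 % 2 == a2 % 2 and a1 % 2 == a3 % 2)

@dataclass
class Rule:  # one midcomRuleTable row (constructed subset of its columns)
    owner: str         # midcomSessionOwner
    index: int         # midcomRuleIndex
    group: int         # midcomGroupIndex the rule belongs to
    lifetime: int      # midcomRuleLifetime in centi-seconds, 0 = terminated
    storage_time: int  # midcomRuleStorageTime: how long a terminated row stays

class MidcomAgent:
    def __init__(self, max_lifetime: int, rules: list[Rule]):
        self.max_lifetime = max_lifetime  # assumed clamp: midcomCapabMaxLifetime
        self.rules = {(r.owner, r.index): r for r in rules}

    def members(self, owner: str, group: int) -> list[Rule]:
        return [r for r in self.rules.values() if (r.owner, r.group) == (owner, group)]

    def set_rule_lifetime(self, owner: str, index: int, value: int) -> int:
        """RLC: the stored value may differ from the request (clamped); 0 terminates."""
        rule = self.rules[(owner, index)]
        rule.lifetime = min(value, self.max_lifetime)
        return rule.lifetime

    def group_lifetime(self, owner: str, group: int) -> int:
        """midcomGroupLifetime: the maximum lifetime over all member rules."""
        return max(r.lifetime for r in self.members(owner, group))

    def set_group_lifetime(self, owner: str, group: int, value: int) -> int:
        """GLC: all members get the clamped lifetime; 0 deletes the group (rows linger)."""
        for r in self.members(owner, group):
            r.lifetime = min(value, self.max_lifetime)
        return self.group_lifetime(owner, group)

    def expire(self, elapsed: int) -> None:
        """Advance time; terminated rows are dropped once midcomRuleStorageTime has passed."""
        for key, r in list(self.rules.items()):
            if r.lifetime > 0:
                r.lifetime = max(0, r.lifetime - elapsed)
            else:
                r.storage_time -= elapsed
                if r.storage_time <= 0:
                    del self.rules[key]
```

Once the last terminated member row has been dropped by expire(), members() returns an empty list, which is the point at which the conceptually deleted group row disappears from the midcomGroupTable.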