Internet Draft Network Working Group Thomas D. Nadeau Internet Draft Cisco Systems, Inc. Expires: January 2001 Cheenu Srinivasan Tachion Networks, Inc. Arun Viswanathan Force10 Networks, Inc. July 2000 Multiprotocol Label Switching (MPLS) Packet Classifier Management Information Base Using SMIv2 draft-nadeau-mpls-packet-classifier-mib-01.txt Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet- Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Abstract This memo defines an experimental portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. In particular, it describes managed objects for specifying packet classification and corresponding actions for use with Multiprotocol Label Switching (MPLS). 1. Introduction This memo defines an experimental portion of the Management Nadeau et al. Expires January 2001 [Page 1] Internet Draft MPLS Packet Classifier MIB 14 July 2000 Information Base (MIB) for use with network management protocols in the Internet community. In particular, it describes managed objects for specifying packet classification s and corresponding actions for Multiprotocol Label Switching. This memo does not, in its draft form, specify a standard for the Internet community. 2. Terminology TBD. 3. The SNMP Management Framework The SNMP Management Framework presently consists of five major components: - An overall architecture, described in RFC 2271 [SNMPArch]. - Mechanisms for describing and naming objects and events for the purpose of management. The first version of this Structure of Management Information (SMI) is called SMIv1 and described in RFC 1155 [SMIv1], RFC 1212 [SNMPv1MIBDef] and RFC 1215 [SNMPv1Traps]. The second version, called SMIv2, is described in RFC 1902 [SMIv2], RFC 1903 [SNMPv2TC] and RFC 1904 [SNMPv2Conf]. - Message protocols for transferring management information. The first version of the SNMP message protocol is called SNMPv1 and described in RFC 1157 [SNMPv1]. A second version of the SNMP message protocol, which is not an Internet standards track protocol, is called SNMPv2c and described in RFC 1901 [SNMPv2c] and RFC 1906 [SNMPv2TM]. The third version of the message protocol is called SNMPv3 and described in RFC 1906 [SNMPv2TM], RFC 2272 [SNMPv3MP] and RFC 2274 [SNMPv3USM]. - Protocol operations for accessing management information. The first set of protocol operations and associated PDU formats is described in RFC 1157 [SNMPv1]. A second set of protocol operations and associated PDU formats is described in RFC 1905 [SNMPv2PO]. - A set of fundamental applications described in RFC 2273 [SNMPv3App] and the view-based access control mechanism described in RFC 2275 [SNMPv3VACM]. Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. Objects in the MIB are defined using the mechanisms defined in the SMI. This memo specifies a MIB module that is compliant to the SMIv2. A MIB conforming to the SMIv1 can be Nadeau et al. Expires January 2001 [Page 2] Internet Draft MPLS Packet Classifier MIB 14 July 2000 produced through the appropriate translations. The resulting translated MIB must be semantically equivalent, except where objects or events are omitted because no translation is possible (use of Counter64). Some machine-readable information in SMIv2 will be converted into textual descriptions in SMIv1 during the translation process. However, this loss of machine-readable information is not considered to change the semantics of the MIB. 3.1. Object Definitions Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. Objects in the MIB are defined using the subset of Abstract Syntax Notation One (ASN.1) defined in the SMI. In particular, each object type is named by an OBJECT IDENTIFIER, an administratively assigned name. The object type together with an object instance serves to uniquely identify a specific instantiation of the object. For human convenience, we often use a textual string, termed the descriptor, to also refer to the object type. 4. Motivation The primary motivation for this proposal arose from requirements in the MPLS area. In MPLS, packets belonging to a forwarding equivalency class (FEC) are associated with an LSP (ER-LSP) via the FEC-To-NHLFE (FTN) mapping [MPLS-Arch]. This mapping of packets to an LSP is made at the ingress LSR of an LSP or a Traffic Engineered (TE) Tunnel. Conceptually, some of the FTN table functionality could be implemented using the Forwarding Information Base (FIB) to map all packets destined for a prefix to an LSP. However, this mapping is coarse in nature. Likewise, an LSR could use its classifier to redirect packets into LSPs or TE Tunnels. With the classifier-based mapping it is possible to specify FECs finer in granularity and based on a richer set of criteria than is possible via the FIB mapping. In essence, the FTN table is a combination of the FIB and classifier. The packet classification functionality is already being used in other contexts, such as security filters, access filters, and for RSVP flow identification. All of these require various combinations of matching based on IP header and upper-layer header information to identify packets for a particular treatment. When packets match a particular rule, a corresponding action is executed against those packets. For example, two popular actions to take when a successful match is detected are allowing the packet to be forwarded or to discard it. However, other actions are possible, such as modifying the TOS byte, or redirecting a packet to a particular outgoing interface. Nadeau et al. Expires January 2001 [Page 3] Internet Draft MPLS Packet Classifier MIB 14 July 2000 This proposal is an attempt to consolidate the various matching requirements and associated action options into a single specification, such that they satisfy existing usage and requirements as well as new ones such as those required by MPLS. 5. Outline This MIB consists of three tables. mplsPacketClassifierTable defines the rule base against which incoming packets are matched and actions taken on matching packets. mplsPacketClassifierMapTable defines the application of these to specific interfaces. Finally, the mplsPacketClassifierPerfTable provides performance counters for every that is active, on a per-interface basis. 5.1. mplsPacketClassifierTable This table allows packet classifiers to be specified. A packet classifier defines a rule to be applied to incoming packets on interfaces that the packet classifier is activated on and an action to be taken on matching packets. mplsPacketClassifierTable provides a standard 5-tuple matching and allows address and port ranges to be specified. 5.2. mplsPacketClassifierMapTable This table provides the capability to activate or map packet classifiers defined in mplsPacketClassiferTable to specific interfaces in the system. Packet classifiers are compared with incoming packets in the order in which they are applied on an interface. For this reason, this table provides a mechanism to 'insert' a packet classifier between two existing packet classifiers already applied on an interface. 5.3. mplsPacketClassifierPerfTable This table provides performance counters for each that is active on a per-interface basis. High capacity counters are provided. 6. Example TBD. 7. The Use of RowPointer Nadeau et al. Expires January 2001 [Page 4] Internet Draft MPLS Packet Classifier MIB 14 July 2000 RowPointer is a textual convention used to identify a conceptual row in an SNMP Table by pointing to one of its objects. In this MIB, in mplsPacketClassifierTable, the RowPointer object mplsPacketClassifierActionPointer indicates the LSP or tunnel to redirect packets matching a classifier to. This object SHOULD point to the first column of the appropriate conceptual row. 8. MPLS Packet Classifier MIB Definitions MPLS-PACKET-CLASSIFIER-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Integer32, Unsigned32, Counter32, experimental FROM SNMPv2-SMI MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP FROM SNMPv2-CONF TEXTUAL-CONVENTION, TruthValue, RowStatus, StorageType, DisplayString FROM SNMPv2-TC InterfaceIndexOrZero FROM IF-MIB MplsTunnelIndex FROM MPLS-TE-MIB InetAddressIPv4, InetAddressIPv6, InetAddressType FROM INET-ADDRESS-MIB; mplsPacketClassifierMIB MODULE-IDENTITY LAST-UPDATED "200007141200Z" -- 14 July 2000 12:00:00 EST ORGANIZATION "Multiprotocol Label Switching (MPLS) Working Group" CONTACT-INFO " Thomas D. Nadeau Postal: Cisco Systems, Inc. 250 Apollo Drive Chelmsford, MA 01824 Tel: +1-978-244-3051 Email: tnadeau@cisco.com Cheenu Srinivasan Postal: Tachion Networks, Inc. Monmouth Park Corporate Center I Building C, 185 Monmouth Park Highway West Long Branch, NJ 07764 Tel: +1-732-542-7750 x1234 Email: cheenu@tachion.com Arun Viswanathan Postal: Force10 Networks, Inc. 1440 McCarthy Blvd Nadeau et al. Expires January 2001 [Page 5] Internet Draft MPLS Packet Classifier MIB 14 July 2000 Milpitas, CA 95035 Tel: +1-408-571-3516 Email: arun@force10networks.com" DESCRIPTION "This MIB module contains managed object definitions for specifying packet classification for MPLS." -- Revision history. REVISION "200007141200Z" -- 14 July 2000 12:00:00 EST DESCRIPTION "Initial draft version." REVISION "200003032030Z" -- 03 March 2000 20:30:00 EST DESCRIPTION "Initial draft version." ::= { experimental oid } -- to be assigned -- Textual Conventions. MplsPortAddr ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "A TCP or UDP port number. Along with an IP address identifies a stream of IP traffic uniquely." SYNTAX INTEGER (0..65535) MplsPacketClassifierIndex ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "Index for a packet classifier." SYNTAX Integer32(1..2147483647) MplsPacketClassifierIndexOrZero ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "Index for a packet classifier or zero." SYNTAX Integer32(0..2147483647) -- Top level components of the MIB. -- tables, scalars mplsPacketClassifierObjects OBJECT IDENTIFIER ::= { mplsPacketClassifierMIB 1 } -- traps mplsPacketClassifierNotifications OBJECT IDENTIFIER Nadeau et al. Expires January 2001 [Page 6] Internet Draft MPLS Packet Classifier MIB 14 July 2000 ::= { mplsPacketClassifierMIB 2 } -- notification prefix mplsPacketClassifierNotifPrefix OBJECT IDENTIFIER ::= { mplsPacketClassifierNotifications 0 } -- conformance mplsPacketClassifierConformance OBJECT IDENTIFIER ::= { mplsPacketClassifierMIB 3 } -- Packet classifier table. mplsPacketClassifierIndexNext OBJECT-TYPE SYNTAX MplsPacketClassifierIndexOrZero MAX-ACCESS read-only STATUS current DESCRIPTION "This object contains the next appropriate value to be used for mplsPacketClassifierIndex when creating entries in the mplsPacketClassifierTable. If the number of unassigned entries is exhausted, this object MUST return a value of 0. To obtain the mplsPacketClassifierIndex value for a new entry, the manager must first issue a management protocol retrieval operation to obtain the current value of this object. The agent should modify the value to reflect the next unassigned index after each retrieval operation. After a manager retrieves a value the agent will determine through its local policy when this index value will be made available for reuse." ::= { mplsPacketClassifierObjects 1 } mplsPacketClassifierTable OBJECT-TYPE SYNTAX SEQUENCE OF MplsPacketClassifierEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains the currently defined packet classifiers." ::= { mplsPacketClassifierObjects 2 } mplsPacketClassifierEntry OBJECT-TYPE SYNTAX MplsPacketClassifierEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Each entry represents one packet classifier which defines a rule to compare against incoming packets and an action to be taken on matching packets." INDEX { mplsPacketClassifierIndex } ::= { mplsPacketClassifierTable 1 } Nadeau et al. Expires January 2001 [Page 7] Internet Draft MPLS Packet Classifier MIB 14 July 2000 MplsPacketClassifierEntry ::= SEQUENCE { mplsPacketClassifierIndex MplsPacketClassifierIndex, mplsPacketClassifierRowStatus RowStatus, mplsPacketClassifierDescr DisplayString, mplsPacketClassifierApplied TruthValue, mplsPacketClassifierMask BITS, mplsPacketClassifierAddrType InetAddressType, mplsPacketClassifierSourceIpv4AddrMin InetAddressIPv4, mplsPacketClassifierSourceIpv6AddrMin InetAddressIPv6, mplsPacketClassifierSourceIpv4AddrMax InetAddressIPv4, mplsPacketClassifierSourceIpv6AddrMax InetAddressIPv6, mplsPacketClassifierDestIpv4AddrMin InetAddressIPv4, mplsPacketClassifierDestIpv6AddrMin InetAddressIPv6, mplsPacketClassifierDestIpv4AddrMax InetAddressIPv4, mplsPacketClassifierDestIpv6AddrMax InetAddressIPv6, mplsPacketClassifierSourcePortMin MplsPortAddr, mplsPacketClassifierSourcePortMax MplsPortAddr, mplsPacketClassifierDestPortMin MplsPortAddr, mplsPacketClassifierDestPortMax MplsPortAddr, mplsPacketClassifierProtocol INTEGER, mplsPacketClassifierActionType INTEGER, mplsPacketClassifierActionPointer RowPointer, mplsPacketClassifierStorageType StorageType } mplsPacketClassifierIndex OBJECT-TYPE SYNTAX MplsPacketClassifierIndex MAX-ACCESS not-accessible STATUS current DESCRIPTION "Unique index for the this packet classifier entry." ::= { mplsPacketClassifierEntry 1 } mplsPacketClassifierRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "For controlling the creation and deletion of this row." ::= { mplsPacketClassifierEntry 2 } mplsPacketClassifierDescr OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS read-create STATUS current DESCRIPTION "Description of this packet classifier." ::= { mplsPacketClassifierEntry 3 } Nadeau et al. Expires January 2001 [Page 8] Internet Draft MPLS Packet Classifier MIB 14 July 2000 mplsPacketClassifierApplied OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-only STATUS current DESCRIPTION "Indicates whether this packet classifier has been applied on any interface or not." ::= { mplsPacketClassifierEntry 4 } mplsPacketClassifierMask OBJECT-TYPE SYNTAX BITS { sourceAddr(0), destAddr(1), sourcePort(2), destPort(3), protocol(4) } MAX-ACCESS read-create STATUS current DESCRIPTION "This bit map indicates which of the fields described next, namely source address range, destination address range, source port range, destination port range, and protocol is active for this . If a particular bit is inactive (i.e., set to zero) then the corresponding field in the packet is ignored for comparison purposes." ::= { mplsPacketClassifierEntry 5 } mplsPacketClassifierAddrType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-create STATUS current DESCRIPTION "Type of IP packet that this classifier will match against. If this object has the value ipv4(1) then the objects in this entry of type InetAddressIpv6 MUST be ignored by management applications. If this object has the value ipv6(1) then the objects in this entry of type InetAddressIpv4 MUST be ignored by management applications." DEFVAL { ipv4 } ::= { mplsPacketClassifierEntry 6 } mplsPacketClassifierSourceIpv4AddrMin OBJECT-TYPE SYNTAX InetAddressIPv4 MAX-ACCESS read-create STATUS current DESCRIPTION Nadeau et al. Expires January 2001 [Page 9] Internet Draft MPLS Packet Classifier MIB 14 July 2000 "Lower end of source address range - IPv4 version." ::= { mplsPacketClassifierEntry 7 } mplsPacketClassifierSourceIpv6AddrMin OBJECT-TYPE SYNTAX InetAddressIPv6 MAX-ACCESS read-create STATUS current DESCRIPTION " Lower end of source address range - IPv6 version." ::= { mplsPacketClassifierEntry 8 } mplsPacketClassifierSourceIpv4AddrMax OBJECT-TYPE SYNTAX InetAddressIPv4 MAX-ACCESS read-create STATUS current DESCRIPTION "Upper end of source address range - IPv4 version." ::= { mplsPacketClassifierEntry 9 } mplsPacketClassifierSourceIpv6AddrMax OBJECT-TYPE SYNTAX InetAddressIPv6 MAX-ACCESS read-create STATUS current DESCRIPTION "Upper end of source address range - IPv4 version." ::= { mplsPacketClassifierEntry 10 } mplsPacketClassifierDestIpv4AddrMin OBJECT-TYPE SYNTAX InetAddressIPv4 MAX-ACCESS read-create STATUS current DESCRIPTION "Lower end of destination address range - IPv4 version." ::= { mplsPacketClassifierEntry 11 } mplsPacketClassifierDestIpv6AddrMin OBJECT-TYPE SYNTAX InetAddressIPv6 MAX-ACCESS read-create STATUS current DESCRIPTION "Lower end of destination address range - IPv6 version." ::= { mplsPacketClassifierEntry 12 } mplsPacketClassifierDestIpv4AddrMax OBJECT-TYPE SYNTAX InetAddressIPv4 MAX-ACCESS read-create STATUS current DESCRIPTION "Upper end of destination address range - IPv4 version " ::= { mplsPacketClassifierEntry 13 } Nadeau et al. Expires January 2001 [Page 10] Internet Draft MPLS Packet Classifier MIB 14 July 2000 mplsPacketClassifierDestIpv6AddrMax OBJECT-TYPE SYNTAX InetAddressIPv6 MAX-ACCESS read-create STATUS current DESCRIPTION "Upper end of destination address range - IPv6 version " ::= { mplsPacketClassifierEntry 14 } mplsPacketClassifierSourcePortMin OBJECT-TYPE SYNTAX MplsPortAddr MAX-ACCESS read-create STATUS current DESCRIPTION "Lower end of source port range." ::= { mplsPacketClassifierEntry 15 } mplsPacketClassifierSourcePortMax OBJECT-TYPE SYNTAX MplsPortAddr MAX-ACCESS read-create STATUS current DESCRIPTION "Higher end of source port range " ::= { mplsPacketClassifierEntry 16 } mplsPacketClassifierDestPortMin OBJECT-TYPE SYNTAX MplsPortAddr MAX-ACCESS read-create STATUS current DESCRIPTION "Lower end of the destination port range." ::= { mplsPacketClassifierEntry 17 } mplsPacketClassifierDestPortMax OBJECT-TYPE SYNTAX MplsPortAddr MAX-ACCESS read-create STATUS current DESCRIPTION "Higher end of the destination port range." ::= { mplsPacketClassifierEntry 18 } mplsPacketClassifierProtocol OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-create STATUS current DESCRIPTION "Protocol." ::= { mplsPacketClassifierEntry 19 } mplsPacketClassifierActionType OBJECT-TYPE Nadeau et al. Expires January 2001 [Page 11] Internet Draft MPLS Packet Classifier MIB 14 July 2000 SYNTAX INTEGER { drop(1), -- discard this packet redirectLsp(2), -- redirect into specified LSP redirectTunnel(3) -- redirect into specified tunnel } MAX-ACCESS read-create STATUS current DESCRIPTION "The type of action to be taken on packets matching this filter." ::= { mplsPacketClassifierEntry 20 } mplsPacketClassifierActionPointer OBJECT-TYPE SYNTAX RowPointer MAX-ACCESS read-create STATUS current DESCRIPTION "If mplsPacketClassifierActionType is redirectLsp(2), then this object indicates the instance of mplsXCEntry for the LSP to redirect matching packets to. If mplsPacketClassifierActionType is redirectTunnel(3), then this object indicates the instance of mplsTunnelEntry for the MPLS tunnel to redirect matching packets to. For other values of mplsPacketClassifierActionType this object MUST be ignored by management applications. Agents SHOULD return 0 as the value of this object." ::= { mplsPacketClassifierEntry 21 } mplsPacketClassifierStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this entry." ::= { mplsPacketClassifierEntry 22 } -- End of mplsPacketClassifierTable. -- Packet classifier mapping table. mplsPacketClassifierMapTable OBJECT-TYPE SYNTAX SEQUENCE OF MplsPacketClassifierMapEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains objects for mapping previously defined packet classifiers to interfaces." ::= { mplsPacketClassifierObjects 3 } Nadeau et al. Expires January 2001 [Page 12] Internet Draft MPLS Packet Classifier MIB 14 July 2000 mplsPacketClassifierMapEntry OBJECT-TYPE SYNTAX MplsPacketClassifierMapEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Each entry indicates the application of a particular packet classifier on an interface. The order of application of packet classifiers on an interface is the order in which they will be compared against incoming packets for a match. Each entry of this table is indexed by the interface index that the classifier is applied to, with the value 0 representing all interfaces, the index of the previous packet classifier applied on the interface and the index of the current packet classifier. This linked-list structure allows classifiers to be inserted at arbitrary positions in the list. Agents MUST NOT allow the same classifiers to be applied multiple times to the same interface." INDEX { mplsPacketClassifierMapIfIndex, mplsPacketClassifierMapPrevIndex, mplsPacketClassifierMapCurrIndex } ::= { mplsPacketClassifierMapTable 1 } MplsPacketClassifierMapEntry ::= SEQUENCE { mplsPacketClassifierMapIfIndex InterfaceIndexOrZero, mplsPacketClassifierMapPrevIndex MplsPacketClassifierIndexOrZero, mplsPacketClassifierMapCurrIndex MplsPacketClassifierIndex, mplsPacketClassifierMapRowStatus RowStatus, mplsPacketClassifierMapStorageType StorageType } mplsPacketClassifierMapIfIndex OBJECT-TYPE SYNTAX InterfaceIndexOrZero MAX-ACCESS read-create STATUS current DESCRIPTION "Interface index that this classifier is being applied to. Zero represents all interfaces." ::= { mplsPacketClassifierMapEntry 1 } mplsPacketClassifierMapPrevIndex OBJECT-TYPE SYNTAX MplsPacketClassifierIndexOrZero MAX-ACCESS read-create STATUS current DESCRIPTION "Index of the previous classifier that was applied to Nadeau et al. Expires January 2001 [Page 13] Internet Draft MPLS Packet Classifier MIB 14 July 2000 this interface. Zero indicates that this should be the first classifier in the list." ::= { mplsPacketClassifierMapEntry 2 } mplsPacketClassifierMapCurrIndex OBJECT-TYPE SYNTAX MplsPacketClassifierIndex MAX-ACCESS read-create STATUS current DESCRIPTION "Index of the current classifier that is being applied to this interface." ::= { mplsPacketClassifierMapEntry 3 } mplsPacketClassifierMapRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "For controlling the creation and deletion of this row." ::= { mplsPacketClassifierMapEntry 4 } mplsPacketClassifierMapStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this entry." ::= { mplsPacketClassifierMapEntry 5 } -- End of packetClassifierMapTable -- Packet classifier performance table mplsPacketClassifierPerfTable OBJECT-TYPE SYNTAX SEQUENCE OF MplsPacketClassifierPerfEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains performance statistics on packet classifiers on a per-interface basis." ::= { mplsPacketClassifierObjects 4 } mplsPacketClassifierPerfEntry OBJECT-TYPE SYNTAX MplsPacketClassifierPerfEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Each entry contains performance information for the specified interface and packet classifier activated/mapped to this interface." Nadeau et al. Expires January 2001 [Page 14] Internet Draft MPLS Packet Classifier MIB 14 July 2000 INDEX { mplsPacketClassifierMapIfIndex, mplsPacketClassifierMapCurrIndex } ::= { mplsPacketClassifierPerfTable 1 } MplsPacketClassifierPerfEntry ::= SEQUENCE { mplsPacketClassifierMatchedPackets Counter32, mplsPacketClassifierMatchedOctets Counter32, mplsPacketClassifierMatchedHCPackets Counter64, mplsPacketClassifierMatchedHCOctets Counter64 } mplsPacketClassifierMatchedPackets OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "Number of packets that matched the specified packet classifier if it is applied/mapped to the specified interface." ::= { mplsPacketClassifierPerfEntry 1 } mplsPacketClassifierMatchedOctets OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "Number of octets that matched the specified packet classifier if it is applied/mapped to the specified interface." ::= { mplsPacketClassifierPerfEntry 2 } mplsPacketClassifierMatchedHCPackets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "High-capacity counter for the number of packets that matched the specified packet classifier if it is applied/mapped to the specified interface." ::= { mplsPacketClassifierPerfEntry 3 } mplsPacketClassifierMatchedHCOctets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "High-capacity counter for the number of octets that matched the specified packet classifier if it is applied/mapped to the specified interface." ::= { mplsPacketClassifierPerfEntry 4 } Nadeau et al. Expires January 2001 [Page 15] Internet Draft MPLS Packet Classifier MIB 14 July 2000 -- End of mplsPacketClassifierPerfTable -- Module compliance. mplsPacketClassifierGroups OBJECT IDENTIFIER ::= { mplsPacketClassifierConformance 1 } mplsPacketClassifierCompliances OBJECT IDENTIFIER ::= { mplsPacketClassifierConformance 2 } mplsPacketClassifierModuleCompliance MODULE-COMPLIANCE STATUS current DESCRIPTION "Compliance statement for agents that support the MPLS Packet Classifier MIB." MODULE -- this module -- The mandatory groups have to be implemented -- by all LSRs. However, they may all be supported -- as read-only objects in the case where manual -- configuration is unsupported. MANDATORY-GROUPS { mplsPacketClassifierRuleGroup, mplsPacketClassifierMapGroup } GROUP mplsPacketClassifierHCPerfGroup DESCRIPTION "This group is mandatory for those perf entries for which the object mplsPacketClassifierMatchedHCOctets and mplsPacketClassifierMatchedHCPackets wrap around too quickly." ::= { mplsPacketClassifierCompliances 1 } -- Units of conformance. mplsPacketClassifierRuleGroup OBJECT-GROUP OBJECTS { mplsPacketClassifierIndexNext, mplsPacketClassifierRowStatus, mplsPacketClassifierDescr, mplsPacketClassifierApplied, mplsPacketClassifierMask, mplsPacketClassifierAddrType, mplsPacketClassifierSourceIpv4AddrMin, mplsPacketClassifierSourceIpv6AddrMin, mplsPacketClassifierSourceIpv4AddrMax, Nadeau et al. Expires January 2001 [Page 16] Internet Draft MPLS Packet Classifier MIB 14 July 2000 mplsPacketClassifierSourceIpv6AddrMax, mplsPacketClassifierDestIpv4AddrMin, mplsPacketClassifierDestIpv6AddrMin, mplsPacketClassifierDestIpv4AddrMax, mplsPacketClassifierDestIpv6AddrMax, mplsPacketClassifierSourcePortMin, mplsPacketClassifierSourcePortMax, mplsPacketClassifierDestPortMin, mplsPacketClassifierDestPortMax, mplsPacketClassifierProtocol, mplsPacketClassifierActionType, mplsPacketClassifierActionPointer, mplsPacketClassifierStorageType } STATUS current DESCRIPTION "Collection of objects needed for MPLS classifier configuration and monitoring." ::= { mplsPacketClassifierGroups 1 } mplsPacketClassifierMapGroup OBJECT-GROUP OBJECTS { mplsPacketClassifierMapIfIndex, mplsPacketClassifierMapPrevIndex, mplsPacketClassifierMapCurrIndex, mplsPacketClassifierMapRowStatus, mplsPacketClassifierMapStorageType } STATUS current DESCRIPTION "Collection of objects needed for MPLS classifier configuration and monitoring." ::= { mplsPacketClassifierGroups 2 } mplsPacketClassifierPerfGroup OBJECT-GROUP OBJECTS { mplsPacketClassifierMatchedPackets, mplsPacketClassifierMatchedOctets } STATUS current DESCRIPTION "Collection of objects needed for MPLS packet classifier performance monitoring." ::= { mplsPacketClassifierGroups 3 } mplsPacketClassifierHCPerfGroup OBJECT-GROUP OBJECTS { mplsPacketClassifierMatchedHCPackets, mplsPacketClassifierMatchedHCOctets } Nadeau et al. Expires January 2001 [Page 17] Internet Draft MPLS Packet Classifier MIB 14 July 2000 STATUS current DESCRIPTION "Collection of objects needed for MPLS packet classifier performance monitoring when using high-capacity counters." ::= { mplsPacketClassifierGroups 4 } -- End of MPLS-PACKET-CLASSIFIER-MIB END 9. Security Considerations It is clear that this MIB can be used for configuration of certain objects, and anything that can be configured can be incorrectly configured, with potentially disastrous results. At this writing, no security holes have been identified beyond those that SNMP Security [SNMPArch] is itself intended to address. These relate to primarily controlled access to sensitive information and the ability to configure a device - or which might result from operator error, which is beyond the scope of any security architecture. There are a number of management objects defined in this MIB which have a MAX-ACCESS clause of read-write and/or read-create. Such objects may be considered sensitive or vulnerable in some network environments. The support for SET operations in a non-secure environment without proper protection can have a negative effect on network operations. The use of SNMP Version 3 is recommended over prior versions, for configuration control, as its security model is improved. SNMPv1 or SNMPv2 are by themselves not a secure environment. Even if the network itself is secure (for example by using IPSec [IPSEC]), there is no control as to who on the secure network is allowed to access and GET/SET (read/change/create/delete) the objects in this MIB. It is recommended that the implementers consider the security features as provided by the SNMPv3 framework. Specifically, the use of the User-based Security Model [SNMPv3USM] and the View-based Access Control [SNMPv3VACM] is recommended. It is then a customer/user responsibility to ensure that the SNMP entity giving access to an instance of this MIB is properly configured to give access to the objects only to those principals (users) that have legitimate rights to indeed GET or SET (change/create/delete) them. There are a number of managed objects in this MIB that may contain information that may be sensitive from a business perspective, in that they represent a customer's interface to the MPLS network. Nadeau et al. Expires January 2001 [Page 18] Internet Draft MPLS Packet Classifier MIB 14 July 2000 Allowing uncontrolled access to these objects could result in malicious and unwanted disruptions of network traffic or incorrect configurations for these customers. There are no objects that are particularly sensitive in their own right, such as passwords or monetary amounts. 10. References [MPLSArch] Rosen, E., Viswanathan, A., and R. Callon, "Multiprotocol Label Switching Architecture", Internet Draft <draft-ietf-mpls-arch-03.txt>, February 1999. [MPLSFW] Callon, R., Doolan, P., Feldman, N., Fredette, A., Swallow, G., and A. Viswanathan, "A Framework for Multiprotocol Label Switching", Internet Draft, November 1997. [LSRMIB] Srinivasan, C., Viswanathan, A. and T. Nadeau, "MPLS Label Switch Router Management Information Base Using SMIv2", Internet Draft , September 2000. [TEMIB] Srinivasan, C., Viswanathan, A. and Nadeau, T., "MPLS Traffic Engineering Management Information Base Using SMIv2", Internet Draft , September 2000. [LDPMIB] Cucchiara, J., Sjostrand, H., and J. Luciani, " Definitions of Managed Objects for the Multiprotocol Label Switching, Label Distribution Protocol (LDP)", Internet Draft <draft-ietf-mpls-ldp-mib-05.txt>, August 1998. [LblStk] Rosen, E., Rekhter, Y., Tappan, D., Farinacci, D., Federokow, G., Li, T., and A. Conta, "MPLS Label Stack Encoding", Internet Draft , September 1998. [RSVPTun] Awaduche, D., Berger, L., Der-Haw, G., Li, T., Swallow, G., and V. Srinivasan, "Extensions to RSVP for LSP Tunnels", Internet Draft , November 1998. [CRLDP] Andersson, L., Fredette, A., Jamoussi, B., Callon, R., Doolan, P., Feldman, N., Gray, E., Halpern, J., Heinenan, J., Kilty, T., Malis, A., Girish, M., Sundell, K., Vaananen, P., T. Worster, Wu, L., and Dantu, R., "Explicit Routing Over LDP Specification", Internet Draft <draft-jamoussi-mpls-cr-ldp-00.txt>, Nadeau et al. Expires January 2001 [Page 19] Internet Draft MPLS Packet Classifier MIB 14 July 2000 November 1998. [Assigned] Reynolds, J., and J. Postel, "Assigned Numbers", RFC 1700, October 1994. [SNMPArch] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for Describing SNMP Management Frameworks", RFC 2271, January 1998. [SMIv1] Rose, M., and K. McCloghrie, "Structure and Identification of Management Information for TCP/IP- based Internets", RFC 1155, May 1990. [SNMPv1MIBDef]Rose, M., and K. McCloghrie, "Concise MIB Definitions", RFC 1212, March 1991. [SNMPv1Traps] M. Rose, "A Convention for Defining Traps for use with the SNMP", RFC 1215, March 1991. [SMIv2] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Structure of Management Information for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1902, January 1996. [SNMPv2TC] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Textual Conventions for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1903, SNMP Research, Inc., Cisco Systems, Inc., January 1996. [SNMPv2Conf] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Conformance Statements for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1904, January 1996. [SNMPv1] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple Network Management Protocol", RFC 1157, May 1990. [SNMPv2c] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Introduction to Community-based SNMPv2", RFC 1901, January 1996. [SNMPv2TM] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Transport Mappings for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1906, January 1996. [SNMPv3MP] Case, J., Harrington D., Presuhn R., and B. Wijnen, "Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)", RFC 2272, January Nadeau et al. Expires January 2001 [Page 20] Internet Draft MPLS Packet Classifier MIB 14 July 2000 1998. [SNMPv3USM] Blumenthal, U., and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", RFC 2274, January 1998. [SNMPv2PO] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1905, January 1996. [SNMPv3App] Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications", RFC 2273, January 1998 [SNMPv3VACM] Wijnen, B., Presuhn, R., and K. McCloghrie, "View- based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)", RFC 2275, January 1998 11. Authors' Addresses Thomas D. Nadeau Cisco Systems, Inc. 300 Apollo Drive Chelmsford, MA 01824 Phone: +1-978-244-3051 Email: tnadeau@cisco.com Cheenu Srinivasan Tachion Networks, Inc. 185 Monmouth Park Highway West Long Branch, NJ 07764 Phone: +1-732-542-7750 x1234 Email: cheenu@tachion.com Arun Viswanathan Force10 Networks, Inc. 1440 McCarthy Blvd Milpitas, CA 95035 Phone: +1-408-571-3516 Email: arun@force10networks.com 12. Full Copyright Statement Copyright (C) The Internet Society (2000). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it Nadeau et al. Expires January 2001 [Page 21] Internet Draft MPLS Packet Classifier MIB 14 July 2000 or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Nadeau et al. Expires January 2001 [Page 22]