--- 1/draft-ietf-bfd-mib-17.txt 2014-04-28 06:14:24.215511172 -0700 +++ 2/draft-ietf-bfd-mib-18.txt 2014-04-28 06:14:24.283512847 -0700 @@ -1,20 +1,20 @@ Network Working Group T. Nadeau Internet-Draft Brocade Intended status: Standards Track Z. Ali -Expires: October 16, 2014 N. Akiya +Expires: October 30, 2014 N. Akiya Cisco Systems - April 14, 2014 + April 28, 2014 BFD Management Information Base - draft-ietf-bfd-mib-17 + draft-ietf-bfd-mib-18 Abstract This draft defines a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. In particular, it describes managed objects for modeling Bidirectional Forwarding Detection (BFD) protocol. Requirements Language @@ -31,21 +31,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on October 16, 2014. + This Internet-Draft will expire on October 30, 2014. Copyright Notice Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -59,48 +59,51 @@ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. The Internet-Standard Management Framework . . . . . . . . . 2 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 4. Brief Description of MIB Objects . . . . . . . . . . . . . . 3 4.1. General Variables . . . . . . . . . . . . . . . . . . . . 3 4.2. Session Table (bfdSessionTable) . . . . . . . . . . . . . 3 4.3. Session Performance Table (bfdSessionPerfTable) . . . . . 3 4.4. BFD Session Discriminator Mapping Table (bfdSessDiscMapTable) . . . . . . . . . . . . . . . . . . 3 - 4.5. BFD Session IP Mapping Table (bfdSessIpMapTable) . . . . 3 + 4.5. BFD Session IP Mapping Table (bfdSessIpMapTable) . . . . 4 5. BFD MIB Module Definitions . . . . . . . . . . . . . . . . . 4 - 6. Security Considerations . . . . . . . . . . . . . . . . . . . 33 - 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 35 - 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 36 - 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 36 - 9.1. Normative References . . . . . . . . . . . . . . . . . . 36 - 9.2. Informative References . . . . . . . . . . . . . . . . . 37 + 6. Security Considerations . . . . . . . . . . . . . . . . . . . 34 + 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 36 + 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 37 + 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 37 + 9.1. Normative References . . . . . . . . . . . . . . . . . . 37 + 9.2. Informative References . . . . . . . . . . . . . . . . . 38 1. Introduction This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. In particular, it describes managed objects to configure and/or monitor Bidirectional Forwarding Detection for [RFC5880], [RFC5881], [RFC5883] and [RFC7130], BFD versions 0 and/or 1, on devices supporting this feature. 
+ This memo does not define a compliance requirement for a system that + only implements BFD version 0. This is a reflection of a considered + and deliberate decision by the BFD WG. + 2. The Internet-Standard Management Framework For a detailed overview of the documents that describe the current Internet-Standard Management Framework, please refer to section 7 of RFC 3410 [RFC3410]. Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. MIB objects are generally accessed through the Simple Network Management Protocol (SNMP). - Objects in the MIB are defined using the mechanisms defined in the Structure of Management Information (SMI). This memo specifies a MIB module that is compliant to the SMIv2, which is described in STD 58, RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 [RFC2580]. 3. Terminology This document adopts the definitions, acronyms and mechanisms described in [RFC5880], [RFC5881], [RFC5883] and [RFC7130]. Unless @@ -247,21 +250,21 @@ DESCRIPTION "Indicates the actual operational status of the BFD system in this device. When this value is down(2), all entries in the bfdSessTable MUST have their bfdSessOperStatus as down(2) as well. When this value is adminDown(3), all entries in the bfdSessTable MUST have their bfdSessOperStatus as adminDown(3) as well." ::= { bfdScalarObjects 2 } - bfdSessNotificationsEnable OBJECT-TYPE + bfdNotificationsEnable OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "If this object is set to true(1), then it enables the emission of bfdSessUp and bfdSessDown notifications; otherwise these notifications are not emitted." REFERENCE "See also RFC3413 for explanation that 
@@ -1459,21 +1466,21 @@ DESCRIPTION "Write access is not required." ::= { bfdCompliances 2 } -- Units of conformance. bfdSessionGroup OBJECT-GROUP OBJECTS { bfdAdminStatus, bfdOperStatus, - bfdSessNotificationsEnable, + bfdNotificationsEnable, bfdSessVersionNumber, bfdSessType, bfdSessIndexNext, bfdSessDiscriminator, bfdSessDestinationUdpPort, bfdSessSourceUdpPort, bfdSessEchoSourceUdpPort, bfdSessAdminStatus, bfdSessOperStatus, bfdSessOperMode, 
@@ -1585,36 +1591,72 @@ users. There are a number of management objects defined in this MIB module with a MAX-ACCESS clause of read-write and/or read-create. Such objects may be considered sensitive or vulnerable in some network environments. The support for SET operations in a non-secure environment without proper protection can have a negative effect on network operations. These are the tables and objects and their sensitivity/vulnerability: + o bfdAdminStatus - Improper change of bfdAdminStatus, from + enabled(1) to disabled(2), can cause significant disruption of the + connectivity to those portions of the Internet reached via all the + applicable remote BFD peers. + + o bfdOperStatus - Improper change of bfdOperStatus, from up(1) to + down(2) or up(1) to adminDown(3), can cause significant disruption + of the connectivity to those portions of the Internet reached via + all the applicable remote BFD peers. + o bfdSessAdminStatus - Improper change of bfdSessAdminStatus, from enabled(1) to disabled(2), can cause significant disruption of the connectivity to those portions of the Internet reached via the applicable remote BFD peer. o bfdSessOperStatus - Improper change of bfdSessOperStatus, from up(1) to down(2) or up(1) to adminDown(3), can cause significant disruption of the connectivity to those portions of the Internet reached via the applicable remote BFD peer. o bfdSessDesiredMinTxInterval, bfdSessReqMinRxInterval, bfdSessReqMinEchoRxInterval, bfdSessDetectMult - Improper change of this object can cause connections to be disrupted for extremely long time periods when otherwise they would be restored in a relatively short period of time. + o Some management objects define the BFD session whilst other + management objects define the parameter of the BFD session. It is + particularly important to control the support for SET access to + those management objects that define the BFD session, as changes + to them can be disruptive. 
Implementation SHOULD NOT allow + changes to following management objects when bfdSessState is + up(4): + + * bfdSessVersionNumber + + * bfdSessType + + * bfdSessDestinationUdpPort + + * bfdSessMultipointFlag + + * bfdSessInterface + + * bfdSessSrcAddrType + + * bfdSessSrcAddr + + * bfdSessDstAddrType + + * bfdSessDstAddr + There are a number of management objects defined in this MIB module with a MAX-ACCESS clause of read-write and/or read-create. Such objects may be considered sensitive or vulnerable in some network environments. It is thus important to control even GET and/or NOTIFY access to these objects and possibly to even encrypt the values of these objects when sending them over the network via SNMP. o The bfdSessTable may be used to directly configure BFD sessions. The bfdSessMapTable can be used indirectly in the same way. Unauthorized access to objects in this table could result in 
@@ -1632,22 +1674,22 @@ sensitivity/vulnerability: o The bfdSessPerfTable both allows access to the performance characteristics of BFD sessions. Network administrators not wishing to show this information should consider this table sensitive. The bfdSessAuthenticationType, bfdSessAuthenticationKeyID, and bfdSessAuthenticationKey objects hold security methods and associated security keys of BFD sessions. These objects SHOULD be considered - highly sensitive objects. In order for these sensitive information - from being improperly accessed, implementers MAY wish to disallow + highly sensitive objects. In order to prevent this sensitive + information from being improperly accessed, implementers MAY disallow access to these objects. SNMP versions prior to SNMPv3 did not include adequate security. Even if the network itself is secure "for example by using IPSec", even then, there is no control as to who on the secure network is allowed to access and GET/SET "read/change/create/delete" the objects in these MIB modules. It is RECOMMENDED that implementers consider the security features as provided by the SNMPv3 framework (see [RFC3410], section 8), 
@@ -1677,22 +1719,22 @@ to record the assignment in the SMI Numbers registry. When the assignment has been made, the RFC Editor is asked to replace "XXX" (here and in the MIB module) with the assigned value and to remove this note.] 8. Acknowledgments Authors would like to thank Adrian Farrel and Jeffrey Haas for performing thorough reviews and providing number of suggestions. Authors would also like to thank David Ward, Reshad Rahman, David - Toscano, Sylvain Masse, Mark Tooker, and Kiran Koushik Agrahara - Sreenivasa for their comments and suggestions. + Toscano, Sylvain Masse, Mark Tooker, Kiran Koushik Agrahara + Sreenivasa and David Black for their comments and suggestions. 9. References 9.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Structure of Management Information @@ -1721,22 +1763,22 @@ (BFD) for Multihop Paths", RFC 5883, June 2010. [RFC7130] Bhatia, M., Chen, M., Boutros, S., Binderberger, M., and J. Haas, "Bidirectional Forwarding Detection (BFD) on Link Aggregation Group (LAG) Interfaces", RFC 7130, February 2014. [I-D.ietf-bfd-tc-mib] Nadeau, T., Ali, Z., and N. Akiya, "Definitions of Textual Conventions (TCs) for Bidirectional Forwarding Detection - (BFD) Management", draft-ietf-bfd-tc-mib-04 (work in - progress), November 2013. + (BFD) Management", draft-ietf-bfd-tc-mib-05 (work in + progress), April 2014. 9.2. Informative References [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, "Introduction and Applicability Statements for Internet- Standard Management Framework", RFC 3410, December 2002. [RFC2863] McCloghrie, K. and F. Kastenholz, "The Interfaces Group MIB", RFC 2863, June 2000.
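Review bot: In the @@ -59,48 +59,51 @@ hunk, the new paragraph saying no compliance requirement is defined for a system that only implements BFD version 0 follows directly after the sentence stating the MIB models "BFD versions 0 and/or 1", which reads as a contradiction on first pass. Suggest joining the two, e.g. "The managed objects can represent either version; the compliance statements in Section 5 (bfdCompliances) do not cover a version-0-only implementation, a deliberate BFD WG decision", so the reader knows version 0 is still modelled and where the decision is reflected.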
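Review bot: bfdNotificationsEnable (renamed in the @@ -247,21 +250,21 @@ hunk from bfdSessNotificationsEnable) is MAX-ACCESS read-write and gates emission of bfdSessUp and bfdSessDown, yet the list of sensitive writable objects in the @@ -1585,36 +1591,72 @@ hunk does not mention it. An unauthorized SET to false(2) silently suppresses the notifications an operator relies on to learn that a session has gone down, so suggest a bullet such as "o bfdNotificationsEnable - Improper change from true(1) to false(2) suppresses bfdSessUp/bfdSessDown notifications, delaying operator awareness of connectivity loss." The rename itself is consistent with the object's position among the bfdScalarObjects scalars rather than the per-session table.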
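Review bot: The bfdSessionGroup update in the @@ -1459,21 +1466,21 @@ hunk matches the OBJECT-TYPE rename in the @@ -247 hunk, but no other hunk in this diff touches the old descriptor; before publication, check the rest of the module (notification DESCRIPTION text and any MODULE-COMPLIANCE clause) for a remaining bfdSessNotificationsEnable, since an OBJECT-GROUP or compliance clause that references an undefined descriptor will not compile under SMIv2.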
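Review bot: In the @@ -1585,36 +1591,72 @@ hunk, the new bfdOperStatus bullet is placed under objects "with a MAX-ACCESS clause of read-write and/or read-create", but the DESCRIPTION shown in the @@ -247 hunk ("Indicates the actual operational status of the BFD system in this device") reads as a read-only status object; if its MAX-ACCESS is read-only, this bullet (and the pre-existing bfdSessOperStatus one) should be dropped or reworded around the SET that actually triggers the transition (bfdAdminStatus / bfdSessAdminStatus). In the new "SHOULD NOT allow changes ... when bfdSessState is up(4)" list, two things: the sentence should read "Implementations SHOULD NOT allow changes to the following management objects", and it should state what an agent returns when such a SET is attempted (inconsistentValue is the usual SNMPv2 error-status for this, per RFC 3416). Also confirm that bfdSessDiscriminator and bfdSessSourceUdpPort, both members of bfdSessionGroup in the @@ -1459 hunk, are intentionally omitted from that list while bfdSessDestinationUdpPort is included.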
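Review bot: The corrected sentence in the @@ -1632,22 +1674,22 @@ hunk now pairs "SHOULD be considered highly sensitive objects" with only "implementers MAY disallow access", which leaves the behaviour of a GET on bfdSessAuthenticationKey unspecified. Suggest stating the expected agent behaviour explicitly, for example that a GET of bfdSessAuthenticationKey returns a zero-length string, or that read access to it SHOULD be disallowed, rather than leaving disclosure of key material to implementer discretion. Minor, in the unchanged context: "The bfdSessPerfTable both allows access" has a stray "both", and "for example by using IPSec" should be IPsec without the quotation marks.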