--- 1/draft-ietf-bfd-mpls-mib-01.txt 2013-06-28 05:14:25.343587831 +0100 +++ 2/draft-ietf-bfd-mpls-mib-02.txt 2013-06-28 05:14:25.387588968 +0100 @@ -1,26 +1,26 @@ Network Working Group INTERNET-DRAFT Sam Aldrin Intended Status: Standards Track Huawei Technologies -Expires: June 29, 2013 M.Venkatesan +Expires: December 30, 2013 M.Venkatesan Dell Inc. Kannan KV Sampath Redeem Software Thomas D. Nadeau Juniper Networks - December 26, 2012 + June 28, 2013 BFD Management Information Base (MIB) extensions for MPLS and MPLS-TP Networks - draft-ietf-bfd-mpls-mib-01 + draft-ietf-bfd-mpls-mib-02 Abstract This draft defines a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. In particular, it extends the BFD Management Information Base BFD- STD-MIB and describes the managed objects for modeling Bidirectional Forwarding Detection (BFD) protocol for MPLS and MPLS-TP networks. Status of this Memo 
@@ -37,25 +37,25 @@ and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on December 29, 2012. + This Internet-Draft will expire on December 30, 2013. Copyright Notice - Copyright (c) 2012 IETF Trust and the persons identified as the + Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as 
@@ -67,32 +67,32 @@ 2. The Internet-Standard Management Framework . . . . . . . . . . 3 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.1 Conventions used in this document . . . . . . . . . . . . . 3 3.2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . 3 4. Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 5. Brief description of MIB Objects . . . . . . . . . . . . . . . 4 5.1. Extensions to the BFD session table (bfdSessionTable) . . . 4 5.2. Example of BFD session configuration . . . . . . . . . . . 6 5.2.1 Example of BFD Session configuration for MPLS TE tunnel . . . . . . . . . . . . . . . . . . . . . . . . . 6 - 5.2.2 Example of BFD Session configuration for Maintenance - Entity of MPLS-TP TE tunnel . . . . . . . . . . . . . . 7 + 5.2.2 Example of BFD Session configuration for ME of MPLS-TP + TE tunnel . . . . . . . . . . . . . . . . . . . . . . . 7 5.3. BFD objects for session performance counters . . . . . . . 9 5.4. Notification Objects . . . . . . . . . . . . . . . . . . . 9 6. BFD MPLS-MPLS-TP MIB Module Definition . . . . . . . . . . . . 10 - 7. Security Considerations . . . . . . . . . . . . . . . . . . . . 17 - 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 18 - 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 18 - 9.1 Normative References . . . . . . . . . . . . . . . . . . . . 18 - 9.2 Informative References . . . . . . . . . . . . . . . . . . . 18 - 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 19 - 11. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 19 + 7. Security Considerations . . . . . . . . . . . . . . . . . . . . 18 + 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 20 + 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 20 + 9.1 Normative References . . . . . . . . . . . . . . . . . . . . 20 + 9.2 Informative References . . . . . . . . . . . . . . . . . . . 21 + 10. Acknowledgments . . . . 
. . . . . . . . . . . . . . . . . . . 21 + 11. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 21 1 Introduction Current MIB for BFD as defined by BFD-STD-MIB is used for neighbor monitoring in IP networks. The BFD session association to the neighbors being monitored is done using the source and destination IP addresses of the neighbors configured using the respective MIB objects. To monitor MPLS/MPLS-TP paths like tunnels or Pseudowires, there is a @@ -141,20 +141,21 @@ LSP: Label Switching Path LSR: Label Switching Router MIB: Management Information Base MPLS: Multi-Protocol Label Switching MPLS-TP: MPLS Transport Profile ME: Maintenance Entity MEG: Maintenance Entity Group MEP: Maintenance Entity End-Point PW: Pseudowire TP: Transport Profile + LOC: Loss Of Continuity 5. Brief description of MIB Objects The objects described in this section support the functionality described in documents [BFD-MPLS] and [RFC6428]. The objects are defined as an extension to the BFD base MIB defined by BFD-STD-MIB. 5.1. Extensions to the BFD session table (bfdSessionTable) The BFD session table used to identify a BFD session between a pair @@ -309,22 +309,21 @@ = mplsTunnelName.100.1.3221225985.3221225987, bfdSessRowStatus = createAndGo } Similarly BFD session would be configured on the tail-end of the tunnel. Creating the above row will trigger the bootstrapping of the session using LSP Ping and its subsequent establishment over the path by de-multiplexing of the control packets using the BFD session discriminators. -5.2.2 Example of BFD Session configuration for Maintenance Entity of - MPLS-TP TE tunnel +5.2.2 Example of BFD Session configuration for ME of MPLS-TP TE tunnel This example considers the OAM identifiers configuration on a head-end LSR to manage and monitor a co-routed bidirectional MPLS tunnel. Only relevant objects which are applicable for IP based OAM identifiers of co-routed MPLS tunnel are illustrated here. In mplsOamIdMegTable: { 
@@ -436,54 +434,55 @@ RowPointer,TruthValue,TEXTUAL-CONVENTION FROM SNMPv2-TC -- [RFC2579] MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF -- [RFC2580] bfdSessIndex FROM BFD-STD-MIB; bfdMplsMib MODULE-IDENTITY - LAST-UPDATED "201204190000Z" -- April 19 2012 + LAST-UPDATED "201306260000Z" -- June 26 2013 ORGANIZATION "IETF Bidirectional Forwarding Detection Working Group" CONTACT-INFO " Sam Aldrin Huawei Technologies 2330 Central Express Way, Santa Clara, CA 95051, USA Email: aldrin.ietf@gmail.com Venkatesan Mahalingam Dell Inc. 350 Holger Way, San Jose, CA 95134, USA Email: venkat.mahalingams@gmail.com Kannan KV Sampath - Aricent + Redeem Software India - Email: Kannan.Sampath@aricent.com + Email: kannankvs@gmail.com Thomas D. Nadeau Juniper Networks 10 Technology Park Drive, Westford, MA 01886 Email: tnadeau@juniper.net" + DESCRIPTION - " Copyright (c) 2012 IETF Trust and the persons identified + " Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved. This MIB module is an initial version containing objects to provide a proactive mechanism to detect faults using BFD for MPLS and MPLS-TP networks" - REVISION "201204190000Z" -- April 19 2012 + REVISION "201306260000Z" -- June 26 2013 DESCRIPTION " Initial version published as RFC xxx " -- RFC Ed.: RFC-editor pls fill in xxxx ::= { mib-2 XXX } -- XXX to be replaced with correct value -- RFC Ed.: assigned by IANA -- ------------------------------------------------------------ -- groups in the MIB -- ------------------------------------------------------------ 
@@ -503,24 +502,37 @@ nonTeIpv4(1), -- mapping into LDP IPv4 nonTeIpv6(2), -- mapping into LDP IPv6 teIpv4(3), -- mapping into TE IPv4 teIpv6(4), -- mapping into TE IPv6 pw(5), -- mapping into Pseudowires mep(6) -- mapping into MEPs in MPLS-TP } + DefectActionTC ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "The action to be taken when the mis-connectivity/loss of + connectivity defect occurs in the MPLS or MPLS-TP + path associated to the session" + SYNTAX INTEGER { + alarmOnly(1), -- Alarm only + alarmAndBlockData(2) -- Alarm and block the data + + } + -- ------------------------------------------------------------------ -- BFD session table extensions for BFD on MPLS and MPLS-TP -- ------------------------------------------------------------------ -- bfdMplsSessTable - bfdSessTable Extension + bfdMplsSessTable OBJECT-TYPE SYNTAX SEQUENCE OF BfdMplsSessEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table is an extension to the bfdSessTable for configuring BFD sessions for MPLS or MPLS-TP paths." ::= { bfdMplsObjects 1 } @@ -531,21 +543,23 @@ DESCRIPTION "A row in this table extends a row in bfdSessTable." INDEX { bfdSessIndex } ::= { bfdMplsSessTable 1 } BfdMplsSessEntry ::= SEQUENCE { bfdMplsSessRole INTEGER, bfdMplsSessMode INTEGER, bfdMplsSessTmrNegotiate TruthValue, bfdMplsSessMapType SessionMapTypeTC, - bfdMplsSessMapPointer RowPointer + bfdMplsSessMapPointer RowPointer, + bfdMplsSessMisConnectivityDefectAction DefectActionTC, + bfdMplsSessLOCDefect DefectActionTC } bfdMplsSessRole OBJECT-TYPE SYNTAX INTEGER { active(1), passive(2) } MAX-ACCESS read-create STATUS current DESCRIPTION 
@@ -629,20 +644,42 @@ instance does not currently exist then no valid path is associated with this session entry. If this object contains zeroDotZero then no valid path is associated with this BFD session entry till it is populated with a valid pointer consistent with the value of bfdMplsSessMapType as explained above." DEFVAL { zeroDotZero } ::= { bfdMplsSessEntry 5 } + bfdMplsSessMisConnectivityDefectAction OBJECT-TYPE + SYNTAX DefectActionTC + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "This object indicates the action to be taken when + the mis-connectivity defect is detected on + this BFD session." + DEFVAL { alarmOnly } + ::= { bfdMplsSessEntry 6 } + + bfdMplsSessLOCDefect OBJECT-TYPE + SYNTAX DefectActionTC + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "This object indicates the action to be taken when + the loss of continuity defect is detected on + this BFD session." + DEFVAL { alarmOnly } + ::= { bfdMplsSessEntry 7 } + -- ------------------------------------------------------------------ -- BFD Objects for Session performance -- ----------------------------------------------------------------- -- bfdMplsSessPerfTable - bfdSessPerfTable Extension bfdMplsSessPerfTable OBJECT-TYPE SYNTAX SEQUENCE OF BfdMplsSessPerfEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION @@ -766,21 +802,23 @@ ::= { bfdMplsCompliances 2 } -- Units of conformance. bfdSessionExtGroup OBJECT-GROUP OBJECTS { bfdMplsSessRole, bfdMplsSessMode, bfdMplsSessTmrNegotiate, bfdMplsSessMapType, - bfdMplsSessMapPointer + bfdMplsSessMapPointer, + bfdMplsSessMisConnectivityDefectAction, + bfdMplsSessLOCDefect } STATUS current DESCRIPTION "Collection of objects needed for BFD monitoring for MPLS and MPLS-TP paths" ::= { bfdMplsGroups 1 } bfdSessionExtPerfGroup OBJECT-GROUP OBJECTS { bfdMplsSessPerfMisDefCount, 
@@ -791,26 +829,106 @@ STATUS current DESCRIPTION "Collection of objects needed to monitor the performance of BFD sessions on MPLS and MPLS-TP paths" ::= { bfdMplsGroups 2 } END 7. Security Considerations + As BFD session for MPLS path may be tied into the stability of + the MPLS network infrastructure, the effects of an attack on a BFD + session may be very serious. This ultimately has denial-of-service + effects, as links may be declared to be down (or falsely declared to + be up.) As such, improper configuration of the objects represented + by this MIB may result in denial of service to a large number of end- + users. - To be added in the next version of this document. + There are a number of management objects defined in this MIB module + with a MAX-ACCESS clause of read-write and/or read-create. Such + objects may be considered sensitive or vulnerable in some network + environments. The support for SET operations in a non-secure + environment without proper protection can have a negative effect on + network operations. + + There are a number of management objects defined in this MIB module + with a MAX-ACCESS clause of read-write and/or read-create. Such + objects may be considered sensitive or vulnerable in some network + environments. It is thus important to control even GET and/or NOTIFY + access to these objects and possibly to even encrypt the values of + these objects when sending them over the network via SNMP. + + o The bfdMplsSessTable may be used to directly configure BFD + sessions for MPLS path. + Unauthorized access to objects in this table could result in + disruption of traffic on the network. This is especially true if + an unauthorized user configures enough tables to invoke a denial + of service attack on the device where they are configured, or on + a remote device where the sessions terminate. 
+ + Some of the readable objects in this MIB module (i.e., objects with a + MAX-ACCESS other than not-accessible) may be considered sensitive or + vulnerable in some network environments. It is thus important to + control even GET and/or NOTIFY access to these objects and possibly + to even encrypt the values of these objects when sending them over + the network via SNMP. These are the tables and objects and their + sensitivity/vulnerability: + + o The bfdSessPerfTable and bfdMplsSessPerfTable both allows access + to the performance characteristics of BFD sessions for MPLS + paths. Network administrators not wishing to show + this information should consider this table sensitive. + + The bfdSessAuthenticationType, bfdSessAuthenticationKeyID, and + bfdSessAuthenticationKey objects hold security methods and + associated security keys of BFD sessions for MPLS paths. These + objects SHOULD be considered highly sensitive objects. In order + for these sensitive information from being improperly accessed, + implementers MAY wish to disallow read and create access to these + objects. + + SNMP versions prior to SNMPv3 did not include adequate security. + Even if the network itself is secure "for example by using IPSec", + even then, there is no control as to who on the secure network is + allowed to access and GET/SET "read/change/create/delete" the objects + in these MIB modules. + + It is RECOMMENDED that implementers consider the security features as + provided by the SNMPv3 framework (see [RFC3410], section 8), + including full support for the SNMPv3 cryptographic mechanisms "for + authentication and privacy". + + Further, deployment of SNMP versions prior to SNMPv3 is not + recommended. Instead, it is RECOMMENDED to deploy SNMPv3 and to + enable cryptographic security. 
It is then a customer/operator + responsibility to ensure that the SNMP entity giving access to an + instance of this MIB module, is properly configured to give access to + the objects only to those principals "users" that have legitimate + rights to indeed GET or SET "change/create/delete" them. 8. IANA Considerations - To be added in the next version of this document. + The MIB module in this document uses the following IANA-assigned + OBJECT IDENTIFIER values recorded in the SMI Numbers registry: + + Descriptor OBJECT IDENTIFIER value + ---------- ----------------------- + + bfdMplsMib { mib-2 XXX } + + [Editor's Note (to be removed prior to publication): the IANA is + requested to assign a value for "XXX" under the 'mib-2' subtree + and to record the assignment in the SMI Numbers registry. When + the assignment has been made, the RFC Editor is asked to replace + "XXX" here and in the MIB module) with the assigned value and + to remove this note.] 9. References 9.1 Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [BFD] Katz, D. and D. Ward, "Bidirectional Forwarding Detection (BFD)", RFC 5880, June 2010. 
@@ -822,22 +940,22 @@ [BFD-MH] Katz, D. and D. Ward, "Bidirectional Forwarding Detection (BFD) for Multihop Paths", RFC 5883, June 2010. [BFD-MPLS] Aggarwal, R. et.al., "Bidirectional Forwarding Detection (BFD) for MPLS Label Switched Paths (LSPs)", RFC 5884, June 2010 [RFC6428] Allan, D., Swallow, G., Drake, J., "Proactive Connectivity Verification, Continuity Check and Remote - Defect indication for MPLS Transport Profile", RFC 6428, - November 2011. + Defect indication for MPLS Transport Profile", RFC + 6428, November 2011. [RFC2578] McCloghrie, K., Perkins, D., and J. Schoenwaelder, "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. [RFC2579] McCloghrie, K., Perkins, D., and J. Schoenwaelder, "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999. [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, @@ -845,22 +963,23 @@ April 1999. 9.2 Informative References [RFC3410] J. Case, R. Mundy, D. pertain, B.Stewart, "Introduction and Applicability Statement for Internet Standard Management Framework", RFC 3410, December 2002. 10. Acknowledgments - The authors would like to thank Jeffrey Haas, Mukund Mani and Lavanya - Srivatsa for their valuable comments. + The authors would like to thank Jeffrey Haas, Mukund Mani, + Lavanya Srivatsa, Muly Ilan and John Salloway for their valuable + comments. 11. Authors' Addresses Sam Aldrin Huawei Technologies 2330 Central Express Way, Santa Clara, CA 95051, USA Email: aldrin.ietf@gmail.com Venkatesan Mahalingam
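Review bot: In hunk @@ -503 the new DefectActionTC DESCRIPTION says "mis-connectivity/loss of connectivity defect", but the acronym list added in hunk @@ -141 expands LOC as "Loss Of Continuity" and the new object is named bfdMplsSessLOCDefect, so the textual convention should say "loss of continuity" to match RFC 6428's terminology. The stray blank line inside the INTEGER enumeration between `alarmAndBlockData(2) -- Alarm and block the data` and the closing `}` should also be removed. Since alarmAndBlockData(2) means the agent will stop forwarding data on the monitored path, the DESCRIPTION should state that consequence explicitly so that the operational and security impact of the value is visible at the point where it is defined.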
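Review bot: In hunk @@ -531 the two new SEQUENCE members are named inconsistently: `bfdMplsSessMisConnectivityDefectAction DefectActionTC` carries the "Action" suffix while `bfdMplsSessLOCDefect DefectActionTC` does not, although both hold a DefectActionTC and both describe an action rather than a defect state. Rename the second to bfdMplsSessLOCDefectAction (here, in the OBJECT-TYPE definition and in bfdSessionExtGroup) before the module is published, since object descriptors cannot be changed afterwards.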
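Review bot: In hunk @@ -629 both new OBJECT-TYPE definitions are MAX-ACCESS read-create but their DESCRIPTION clauses say the object "indicates the action to be taken"; for a writable object "specifies" is the usual wording, and the clause should say what happens when the value is changed on an established session (takes effect immediately, or only on the next defect). Both DEFVAL { alarmOnly } choices are the right conservative default: a manager must explicitly opt into alarmAndBlockData before a SET on these objects can cause the device to drop traffic on the associated MPLS or MPLS-TP path.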
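Review bot: In hunk @@ -791 the second paragraph of the new Security Considerations text ("There are a number of management objects defined in this MIB module with a MAX-ACCESS clause of read-write and/or read-create ...") is repeated almost verbatim, and the repeat then switches to the GET/NOTIFY wording that already appears in the later "Some of the readable objects" paragraph, so the duplicate should be deleted. The writable-objects bullet list should also mention the two objects introduced in this same revision: setting bfdMplsSessMisConnectivityDefectAction or bfdMplsSessLOCDefect to alarmAndBlockData lets a single SET cause the agent to block data traffic on the monitored path, which is a more direct denial-of-service lever than the session-creation case the bullet already describes. Smaller fixes in the same hunk: "both allows access ... this table sensitive" should read "both allow access ... these tables sensitive"; "In order for these sensitive information from being improperly accessed" should read "To prevent this sensitive information from being improperly accessed"; the bfdSessAuthenticationType, bfdSessAuthenticationKeyID and bfdSessAuthenticationKey objects are defined in BFD-STD-MIB rather than in this module and should be introduced as such; "IPSec" should be "IPsec"; and in the IANA editor's note the closing parenthesis in `"XXX" here and in the MIB module)` has no matching opening parenthesis.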
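Review bot: In hunk @@ -822 the RFC 3410 entry in the unchanged context lists "D. pertain" as an author; the correct name is "D. Partain". While touching the reference section, "Aggarwal, R. et.al." should be "Aggarwal, R., et al." and the RFC 5884 entry is missing its terminating period after "June 2010"; the re-wrapped RFC 6428 entry itself is fine.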