[BEHAVE] Issue tracking for NAT MIB
Tom Taylor <tom.taylor.stds@gmail.com> Tue, 26 August 2014 14:19 UTC
Return-Path: <tom.taylor.stds@gmail.com>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3090D1A7034 for <behave@ietfa.amsl.com>; Tue, 26 Aug 2014 07:19:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.3
X-Spam-Level:
X-Spam-Status: No, score=-1.3 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, GB_I_LETTER=-2, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zShWAe4CG4uD for <behave@ietfa.amsl.com>; Tue, 26 Aug 2014 07:19:45 -0700 (PDT)
Received: from mail-qg0-x234.google.com (mail-qg0-x234.google.com [IPv6:2607:f8b0:400d:c04::234]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8F9C1A7032 for <behave@ietf.org>; Tue, 26 Aug 2014 07:19:45 -0700 (PDT)
Received: by mail-qg0-f52.google.com with SMTP id f51so14529639qge.39 for <behave@ietf.org>; Tue, 26 Aug 2014 07:19:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :content-type:content-transfer-encoding; bh=w7Uf+AMBBiCS5sBN2HRD2dHAiYw5rRFYQMU7A0LWSjk=; b=pCMdfh8QKOGLWrf3Xd8VTkCDukcgSp3SU28Ig+OWPp1zz2FdAJ0HBJgV3M9OZ0s+By ZnzH8pgrvYn2GKKJdfWGu+/a0NMk7+e5pu+DSmLjaixZrfm8wf0HoHKyx/Xs7RPBcLTB hhtuehH/R4BCz4uv948SoAE10f5l0OUFZxDN2YgSjYRs29mt7FOizz/Yi0/Yq/kbl2If yheRGVLiRF9pEybzbBc5DK2oo90LqF9W2pI4J2L9Ec0nnyv1efnE8MLUHCm8sSM2d7+s TZwF5e8wLVUSx5L5/2XKqUjSQJLLGA4Naeo/TrUxDLO4NnrWHIu3jo4p1I9+UIHsHffM rcZQ==
X-Received: by 10.140.101.86 with SMTP id t80mr43516366qge.91.1409062784810; Tue, 26 Aug 2014 07:19:44 -0700 (PDT)
Received: from [192.168.97.118] ([67.210.160.130]) by mx.google.com with ESMTPSA id o6sm9844796qag.40.2014.08.26.07.19.42 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 26 Aug 2014 07:19:44 -0700 (PDT)
Message-ID: <53FC9781.9020609@gmail.com>
Date: Tue, 26 Aug 2014 10:19:45 -0400
From: Tom Taylor <tom.taylor.stds@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: "behave@ietf.org" <behave@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/behave/5lZ0AicAYibyjnoCDIlb7JZ4vxQ
Cc: Simon Perreault <simon@per.reau.lt>, Tina TSOU <tina.tsou.zouting@huawei.com>
Subject: [BEHAVE] Issue tracking for NAT MIB
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Aug 2014 14:19:51 -0000
The NAT MIB document, draft-ietf-behave-nat-mib-11, is going through the process of review as an AD-sponsored document. David Harrington had a long list of issues. I am posting his E-mail here before breaking these issues down and putting them into an issue tracker so that I have a message reference for each issue. I will let you know the details for reaching the tracker when it is ready. I'm creating it directly in the Behave Wiki rather than using TRAC. Tom Taylor > -----Original Message----- From: David Harrington > [mailto:dbharrington@comcast.net <mailto:dbharrington@comcast.net>] > Sent: Tuesday, June 17, 2014 2:22 AM To: > draft-ietf-behave-nat-mib@tools.ietf.org <mailto:draft-ietf-behave-nat-mib@tools.ietf.org> > Cc: behave-chairs@ietf.org <mailto:behave-chairs@ietf.org>; behave-ads@ietf.org <mailto:behave-ads@ietf.org> > Subject: MIB Doctor review of draft-ietf-behave-nat-mib-11 > > Hi, > > I have done a MIB Doctor review of draft-ietf-behave-nat-mib-11. I > have reviewed this document as part of the MIB Doctor directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > operational area directors. Document editors and WG chairs should > treat these comments just like any other last call comments. > > My impression is that this document is not ready for publication. > > Technical issues: The nature of the realm usage in NAT-MIB could have > serious consequences to existing deployments of other MIB modules. > The use of calculated thresholds, and calculated values to compare > to thresholds, could be problematic, especially to > resource-constrained agent implementations. > > Editorial issues: A significant cause for concern is the naming, > which doesn't follow RFC 4181 > guidelines. This will make the MIB harder for operators to use in > the field. > Another significant concern is the lack of REFERENCE clauses. This > will make > the MIB harder for operators to use in the field. The description > clauses are sometimes rather sparse. This will make the MIB > harder for operators to use in the field. Some of the descriptions in > the module are sparse, while the surrounding text contains a better > description. But MIB modules are frequently distributed without the > surrounding RFC text. This will make the MIB harder > for operators to use in the field. The IMPORTS clauses don't identify > the RFC that contains the MIB module being imported from. This will > make the MIB harder for operators to use in the field. The > redefinition of realm in the middle of a bis could be a problem, > especially for managers. This will make the MIB harder for operators > to use > in the field. > > > Detailed review: > > 1) We have discussed whether the new objects really should be a new > MIB module, published under a new MIB module name. Reading through > this document, I feel that deprecating the whole previous NAT-MIB > within the same document is a mistake. It makes the document harder > to deal with. This really should be two separate documents and two > separate MIBs - with different module names. > > The current approach might be perfectly viable for an agent implementation, > where the NAT-MIB is likely to be an implementation of EITHER the > first half > of this document, or the second half of this document. But it seems > problematic for an NMS implementation that has to support BOTH > implementations based on RFC4008, and implementations based on this > document. I especially think about the fact that NMSs import MIB > modules, including the Description clauses for the managed objects, > and can display the description clauses so operators can see what the > definition of the object is. With this document, NMS applications > MUST parse all the deprecated objects, even if, at some future time, > there are no devices that implement the RFC4008 NAT-MIB. If the > deprecation was handled in a separate RFC from the new MIB module, > and an NMS no longer had to support the "old" NAT-MIB, then NMSs in > the future would only need to import the new document. > > I found it especially irritating to review, because I am used to > finding Textual Conventions at the beginning of the MIB module, which > is usually at > the beginning of the document containing the MIB module, but here, I > had to look for the T-Cs in the middle of a long MIB module, because > I had to work > past the first 54 pages of deprecations to find the T-Cs of the new module. > Every user of this MIB document will be similarly inconvenienced, > over and over. > > 2) This new I-D is redefining a term "realm" that is defined in the original > NAT-MIB. (see section 3.3). RFC4008 defined realm objects to be of > type INTEGER, but the new NAT-MIB defines realm objects as > SnmpAdminStrings. An NMS (and operators) needs to be able to support > devices that implement the "old" NAT-MIB and devices that implement > the "new" NAT-MIB. With this new NAT-MIB, an NMS user must be aware > when they look at the description of a realm-related object, whether > that object was defined in the RFC4008 NAT-MIB or in the <new RFC> > NAT-MIB, in order to understand which meaning and datatype of the > term "realm" applies. But since RFC4008 is updated by being > deprecated in the same document, in the same-named MIB module, the > reader of the new NAT-MIB must determine whether the object was > defined in the first half of this document, i.e., the > first half of the NAT-MIB, i.e., the "old" deprecated NAT-MIB, or in > the second half of this document, to understand the meaning of the > word realm. I think this is problematic. > > 3) Section 3.3 explains that implementations of MIB modules that implicitly > support realms (e.g.,OSPFv2-MIB), and utilize SNMPv3 contexts (or > presumably communities in community-based SNMP) in an SNMP-standard > compliant manner, will no longer be able to do things in those > standard-compliant manners, because the NAT-MIB design spans realms. > > This I-D should list the names and references for the "many MIBs" > that "implicitly support realms in one form or another" that may be > broken by this NAT-MIB's usage of realm. I suggest an "Operational > Considerations" section for this information. I think the IETF > community needs to better understand this claim before approving this > document. > > 4) I will assume all the RFC4008 objects that are being deprecated > have been > included here, and each has had its status changed to deprecated. I > have not > gone through the document looking at each and every deprecation. > > 5) ProtocolNumber is a rather generic name for this textual > convention. It doesn't start with "nat". I fear there is a potential > for conflict. This does not follow the conventions recommended in > RFC4181 Appendix C: - Names of TCs that are specific to the MIB > module and names of SEQUENCE types that are used in conceptual table > definitions should start with a prefix Xxx that is the same as xxx > but with the initial letter changed to uppercase. OPT-IF-MIB uses > the prefix OptIf on the names of TCs and SEQUENCE types. > > 6) ProtocolNumber is dependent on an IANA registry. There should be a > REFERENCE clause with a link to the specific IANA registry, so > implementers/users can see the list of valid values. > > 7) This document does not provide REFERENCE clauses; it really > should. > > 8) natPoolID - the description does not describe what a pool is, or provide > a REFERENCE clause. > > 9) natBehaviorType has only a reference in the description. In > general it is > better to actually have a description in the description clause and provide > the reference in the REFERENCE clause. This is not merely an academic > nit. Because GUI-based NMSs frequently display the Description clause > in a window so the user can understand the meaning of the object, it > is important that the description actually explain the meaning. > Providing a reference in the description implies that the user would > then need to go find the RFC and find the section of the RFC, and > read the whole section to understand what this object means. Not very > helpful. On top of that, an NMS might know how to track down an RFC > and provide a link to the document in the REFERENCE clause, but it > wouldn't necessarily know to parse the Description clause to find the > reference. > > 10) NatPoolingType is only used to define the type of one object. The > description clause in the object is indirect - " "Type of address > pooling behavior that was used to create this mapping." To understand > this object, you need to look at the textual convention. But the > textual convention is also indirect - "Pooling type as described in > [RFC4787] sections 4.1." Even looking at RFC4787 section 4.1 isn't > immediately helpful, because the discussion of arbitrary versus > paired is a subset of section 4.1 (that is not called out as a > subsection); it is found in the one-paragraph explanatory text for > REQ-2. A short description in the OBJECT description clause could be > made from a couple sentences from section 4.1, supplemented with a > REFRERENCE clause, which would be much easier for users than the > current indirect-indirect-someplace-in-this-text approach. > > 11) SubscriberIdentifierType concerns me. We are supposed to be > standardizing things here. But this appears to be a standardized > "bucket" which implementers can stuff with their own proprietary > identifiers, especially the "other" value. How is a vendor-neutral > NMS supposed to know how to handle the "other" value? I feel > uncomfortable with this whole identifierType, which implies that an > implementation needs to go parse the packet to pull out additional > information to identify the subscriber, without standardizing how > this information should be extracted from the message in a > standardized vendor-neutral manner. > > I feel uncomfortable that for the "other" type, each implementation defines > the semantics of AND and OR combinations. How should a > vendor-neutral NMS handle the implementation-specific variations; > where is the AND/OR semantic decision documented by each implementer, > to make this vendor- interoperable? > > For the interfaces choice, how is the set of interface indexes constructed? > I'm confused by this. The classifying information is in the packet (identify > the subscriber from an incoming packet); so does the packet contain a > set of > interface indexes that the receiving implementation is supposed to extract? > There is no reference to the type of packet involved, and I haven't > had to unpack a set of interface indices from a packet before. What > type of packet > contains a set of one or more ifIndexes? The RFC2863 textual > convention doesn't seem to describe this. > > 12) SubsInterfaceIdRowIndex - unique within what scope? Within the > agent? > > 13) I am concerned about abbreviations is naming. RFC4181 Appendix C > suggests - When abbreviations are used, then they should be used > consistently. Inconsistent usage such as > > xxxYyyDestAddr xxxZzzDstAddr > > should be avoided. > > But sometimes, object names in this module use Identifier and other > times ID: natSubscriberVpnIdentifier vs. natSubscriberIPEncapsIdType > Sometimes it's subscriber, other times it's "subs". > natSubscriberVpnIdentifier vs. natSubsInterfaceIndex Sometimes it's > threshold, sometimes it's "thresh": natMappingsNotifyThreshold vs. > natSubscriberMapNotifyThresh For an operator, especially one under > stress, using a command-line SNMP tools to query a value, it is > really irritating to have some objects abbreviated one way and other > objects abbreviated other ways. > > 14) This is made worse by inconsistent name construction, such as a > set of nat limits being named nat + "Limit" + <specific>, as in > natLimitMappings but the set of notify thresholds are constructed as > nat + <specific> + "NotifyThreshold", as in > natMappingsNotifyThreshold. So operators need to recall which way you > chose to construct the names, on a case-by-case basis, > because you are not being consistent. Why not do nat + <specific> + "Limit" > to match the way you construct NotifyThreshold names, or use > nat+"NotifyThreshold"+<specific> to match how you construct the > Limit names? > > 15) Once again, I will point out consistency in naming, following > Appendix C > conventions: " - The descriptor associated with a conceptual table > should be of the form xxxZzzTable; the descriptor associated with the > corresponding conceptual row should be of the form xxxZzzEntry; the > name of the associated SEQUENCE type should be of the form > XxxZzzEntry; and the descriptors associated with the subordinate > columnar objects should be of the form xxxZzzSomeotherName. An > example from the OPT-IF-MIB is the OTMn table. The descriptor of the > table object is optIfOTMnTable, the descriptor of the row object is > optIfOTMnEntry, the name of the associated SEQUENCE type is > OptIfOTMnEntry, and the descriptors of the columnar objects are > optIfOTMnOrder, optIfOTMnReduced, optIfOTMnBitRates, > optIfOTMnInterfaceType, optIfOTMnTcmMax, and optIfOTMnOpticalReach." > > But we find in this NAT-MIB module inconsistency: natCountersTable > OBJECT-TYPE ... natCountersEntry OBJECT-TYPE ... NatCountersEntry > ::= SEQUENCE { natTranslations Counter64, > natOutOfPortErrors Counter64, natResourceErrors > Counter64, natQuotaDrops Counter64, natMappingCreations > Counter64, natMappingRemovals Counter64, > natAddressMappingCreations Counter64, natAddressMappingRemovals > Counter64 } > > And natLimitsTable OBJECT-TYPE ... natLimitsEntry OBJECT-TYPE ... > NatLimitsEntry ::= SEQUENCE { natLimitMappings > Unsigned32, natMappingsNotifyThreshold Unsigned32, > natLimitAddressMappings Unsigned32, natAddrMapNotifyThreshold > Unsigned32, natLimitFragments Unsigned32, > natLimitSubscribers Unsigned32 } (notice Limits vs Limit, as > well as objects with no natLimit prefix, as well > as "AddressMappings" vs "AddrMap".) > > 16) If there is a concern that descriptor length can become > problematic, "Threshold" is never used without the "Notify" prefix. > You could probably shorten the NotifyThreshold names to just use > Threshold. > > 17) Consistency. Watermark vs Threshold. > > 18) natLimitMappings - this is in a table of limits for a NAT > instance. What does "Global" mean in this context? See others in this > table as well. > > 19) natMappingsNotifyThreshold - the description is "See > natNotifMappings." Which says "This notification is generated when > the number of active mappings exceeds the value of > natMappingsNotifyThreshold." Why not write the (modified) description > into both places rather than using > indirection? > > 20) natNotifMappings Typically we try to not derive values when > defining objects. For example, RFC4188 states as a principle " > Exclude objects that are simply derivable from others in this or > other MIB modules." But natNotifMappings is triggered when " the > number of active mappings exceeds the value of > natMappingsNotifyThreshold" But we don't actually track active > mappings; we track creations and removals, and we calculate active by > subtracting removals from creations (active=creations-removals). If > you want to use active against the threshold, why not simply track active > and skip tracking creations and removals? > > Is there a reason to track creations and removals? If the maximum > number of creations performed is important (maybe for memory > management or something?), then why not track creations and active > and let somebody else calculate the removals > (removals=creations-active) If the number of removals is important (I > have no idea why), then you can track active and removals, and let > somebody else calculate (creations=active+removals) This way a > notification doesn't have to wait to calculate active. > > 21) natNotifMappings - the relationship between the notification and > thresholds is clear. The relationship to "which mappings" is a bit > less clear. I see a natMapIntAddrTable, and a natMappingTable; which > one is related to natNotifMappings? (and is the savings from dropping > the y from notify significant?) > > I assume the fact we are sending a notification means it is important > for the operator to know right away when "active exceeds threshold" > happens. I have to guess that this might be related to > memory/resource management. But I have to guess because nothing is > said about why these particular values are tracked. Nothing is said > about table row re-use when a mapping is removed. Is it really > important to know the creation and removal counts, rather than > just the active count? Is it important to not reuse an index value to > make sure that the NMS doesn't associate previously acquired data > with a new mapping. (This is important, for example, if ifIndex > changes during a reboot, because > an NMS could take data associated with an old ifIndex and confuse it > as being associated with a new ifIndex, and totally misinterpret > trends, and so > on. Other MIB modules need to protect against reuse of an index > value, at least for some period of time, or until rollover.) > > 22) It's a good thing the description of natPoolTable is "Table of > pools" because I might have confused it as being something else. > 8-ball anyone? Description please? > > 23) natpoolRealm - "Realm to which this pool's addresses belong." MIB > modules are often distributed without the surrounding text from the > RFC. > > So it is important to be sure the description is meaningful without > the whole RFC being present. At a minimum, especially since you are > defining realm in this document, you > should provide a REFERENCE to the text in this RFC that contains the > definition for realm. > > 24) natNotifPoolWatermarkLow and WatermarkHigh > > we usually try to not use derived values in MIB modules. We try to > keep the > agent simple, and push complexity toward the NMS, which normally has > far more resources available. When you set a watermark/threshold as a > percentage, then the system needs to use CPU cycles to calculate the > percentage - CPU cycles that might be better > used forwarding packets. > > The calculations you expect are rather complex - you require summing > (allocations - deallocations) over all address ranges, then dividing > by the > total number of ip addresses in the poll and by the size of the port > range (calculated by portmax-portmin+1). > > I'm not sure that that formula is unambiguous; is that > (sum(allocations-deallocation)/ipaddresses)/portrange or am I > calculating something with (ip addresses and size of portrange) > before dividing? Can you > use parentheses or something? > > How often should this complex calculation be done to monitor the > percentage versus the threshold? Should this be re-calculated > ***every time*** one of the following changes: allocation or > deallocation across any address range, > total number of ip addresses, or size of the port range? (and of > course, the > watermark setting). > > Wow! That seems like a lot of CPU cycles. > > 25) natpoolIndex - the description doesn't mention the scope of uniqueness. > Is this unique across all address pools in all instances? Unique > within a nat instance, but not necessarily across other nat > instances? > > 26) natPool watermarks There is mention of low usage mode and high > usage mode. Is there a REFERENCE you can make, maybe to NAT > requirements or something, that explains this a bit more? Is there a > reason why BEHAVE is not trying to standardize low/high usage > behaviors? (isn't standardizing behaviors what behave is all about?) > > Are the "may" terms here RFC2119-compliant? Usually RFC2119 "may" > terms are capitalized. > > 27) It is very helpful to add comments to your IMPORTS identifying > the RFC that contains the MIB you are importing from. > > 28) natPoolRangeType - can this support any of the address types > allowed by > this textual convention? Or should the text constrain the acceptable values? > I'm not sure which ways to limit this are acceptable. Let me know if > all the > address types cannot be supported, and I'll check with other mib > doctors to > determine the best way to constrain it. > > 29) natMappingTable - "Table of mappings indexed by external > 3-tuple." I'm not sure this is accurate, given INDEX { > natInstanceIndex, natMappingProto, natMappingExtRealm, > natMappingExtAddressType, natMappingExtAddress, natMappingExtPort } > > 30) natMappingExtAddress - can you point me to the REFERENCE for > "the undefined address"? I didn't find it in RFC4001. Ditto for > natMappingIntAddress > > 31) natMappingMapBehavior and natMappingFilterBehavior - for reasons > mentioned above, please include a description, not just a reference > in the description text. Put the reference in a REFERENCE clause. > > 32) natMappingSubsIndex - you don't really need the Index suffix. > This would be more meaningful as natMappingSubscriber > > 33) natSubscribersTable, natSubscribersEntry, and natSubscriberIndex > (et al) > are not consistent. I recommend losing the plural. > > 34) do the existence of fields natSubscriberVlanIdentifier, > natSubscriberVpnIdentifier, natSubscriberIPEncapsIdType, and > natSubscriberIPEncapsIdAddr depend on the value of > natSubscriberIdentifierType? If so, then it might be better to define > this as a sparse augments table. Let me know, and I'll check with the > MIB Doctors > list about the best way to do this. > > 35) natSubscriberIdentifierType - " Unused identifier values MUST be > zero or > equivalent". I think this is under-specified. I think the > zero-equivalents should be specified here for each type. When the > type is none(0), and the identifier is "none", does this mean the > identifier field is not implemented, or has a zero value or empty > string or > what? Which of these is the zero equivalent? The TC > SubscriberIdentifierType says the interfaces(1) type means the > identifier is a set of **one or more** interface indexes. What is > the zero-equivalent of a set of one or more interface indexes? > VPNIdorZero says " The semantics of the value zero-length > OCTET STRING are object-specific and must therefore be defined as > part of the description of any object that uses this syntax." So > presumably, the zero equivalent is a zero-length OCTET STRING. But > the description here does not define the semantics of the zero-length > string; it > only implies the semantics. And for other(5), we have no idea what a > zero-equivalent is. > > 36) natSubscriberIntPrefixType is a "Subscriber's internal prefix > type." While the corresponding address is a "Prefix assigned to a > subscriber's CPE." I tend to think of a CPE as being the border > between a subscriber's network > and an ISP's network. If the subscriber entry represents a host > served by a managed enterprise NAT, is this still the prefix type for > the CPE? Please clarify if the type is the internal prefix type for > the subscriber's > CPE, or simply the subscriber's internal prefix type. > > 37) natSubscriberLimitMappings - again, we should avoid calculated objects. > This depends on "active" mappings, which is a calculated value. > > 38) natSubscriberMapNotifyThresh - consistency in naming please; > this seems to be a real problem throughout the subscriber table. > (natSubscribers vs natSubscriber, thresh, mappngs vs Map) > > 39) natSubscriberIPEncapsIdType - I find the "when not unknown(0)" > to be an odd description. The InetAddressType description is " A > value that represents a type of Internet address." I think that > should suffice here as > well, even though unknown(0) has special semantics described in the > T-C. > > 40) natSubsInterfaceIdentifierTable - the description contains a > sentence fragment; I don't know what it means - " 'OR' semantics if > multiple interface indexes are present." I find the other sentences a > bit short; I recommend rewriting the description to make it clearer. > > 41) natSubsInterfaceIdSubsIndex - I have some concerns about the use > of Index as parts of object descriptors and part of object > descriptions, for objects that are not INDEXes, when INDEX is a SMI > reserved word (RFC2578, section 3.7). I don't find the "Index" > suffix necessary. I think SubscriberIndex would be fine as > Subscriber, and SubsInterfaceIdRowIndex would be fine as > SubsInterfaceIdRow, and natSubsInterfaceIdRowIndex would be fine as > natSubsInterfaceIdRow, etc. > > 42) natSubsInterfaceIdRowIndex - the description is "Row index." > There is no description of why this is being defined, or what it is > expected to be used for. The T-C has a better explanation of its > uniqueness and its assignment to rows, but no description of why it > is needed. It might have been better explained in the > natSubsInterfaceIdentifierEntry description, where it is used in the > INDEX. But I don't understand the description there - "Each entry > provides a single interface index." Can you provide an example of how > this table works? > > 43) I am a bit concerned about the compliance options. If we are > standardizing behaviors, why do we have five compliance levels? Lots > of compliance levels = lack of standardization. > > --- Security considerations --- 44) What objects reveal host > identities? Do you mean host addresses? I think the community has > made a statement about identity versus address in efforts like HIP > and SNMPv3. 45) If a disgruntled former employee can break into > private hosts, can attackers who never worked for the employer do so > as well? I don't have any > employees, and no former employees; does that mean this is an attack > vector I can totally ignore? > > > Hope this helps, > > David Harrington dbharrington@comcast.net > <mailto:dbharrington@comcast.net> +1-603-828-1401
- [BEHAVE] Issue tracking for NAT MIB Tom Taylor