[MIB-DOCTORS] FW: MIB Doctor review of draft-ietf-behave-nat-mib-11
"ietfdbh" <ietfdbh@comcast.net> Tue, 17 June 2014 13:40 UTC
Return-Path: <ietfdbh@comcast.net>
X-Original-To: mib-doctors@ietfa.amsl.com
Delivered-To: mib-doctors@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D61BF1A004D for <mib-doctors@ietfa.amsl.com>; Tue, 17 Jun 2014 06:40:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.651
X-Spam-Level:
X-Spam-Status: No, score=-4.651 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, GB_I_LETTER=-2, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O9x85L8xc6H4 for <mib-doctors@ietfa.amsl.com>; Tue, 17 Jun 2014 06:40:49 -0700 (PDT)
Received: from qmta08.westchester.pa.mail.comcast.net (qmta08.westchester.pa.mail.comcast.net [IPv6:2001:558:fe14:43:76:96:62:80]) by ietfa.amsl.com (Postfix) with ESMTP id EFDA81A0389 for <mib-doctors@ietf.org>; Tue, 17 Jun 2014 06:40:46 -0700 (PDT)
Received: from omta08.westchester.pa.mail.comcast.net ([76.96.62.12]) by qmta08.westchester.pa.mail.comcast.net with comcast id FRSm1o0020Fqzac58RgmCB; Tue, 17 Jun 2014 13:40:46 +0000
Received: from JV6RVH1 ([67.189.237.137]) by omta08.westchester.pa.mail.comcast.net with comcast id FRgl1o00X2yZEBF3URglSs; Tue, 17 Jun 2014 13:40:46 +0000
From: ietfdbh <ietfdbh@comcast.net>
To: Benoit Claise <bclaise@cisco.com>
References: <030201cf89f4$8547e260$8fd7a720$@comcast.net>
In-Reply-To: <030201cf89f4$8547e260$8fd7a720$@comcast.net>
Date: Tue, 17 Jun 2014 09:39:22 -0400
Message-ID: <033101cf8a31$8c206e80$a4614b80$@comcast.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQGvX9EMWvq5LmOaZ0DTXqp9cVV6b5u1oxUA
Content-Language: en-us
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1403012446; bh=N2ec7zulB6gMA/VRcBDQXsQmyjc4V3Hu9jwpj4l99H8=; h=Received:Received:From:To:Subject:Date:Message-ID:MIME-Version: Content-Type; b=wHU5GL97WPhZ43LdA+xkVVQwjG0knAP33KVRWgMWsyJyjM6t27xQcQvw8BuaLzyFs uLlwHSutcFGwrYzPVl0LTZHaY74kkIDefDkYQP8JzOdBwD/eQGA0BiTBsrFDgxq6nf tIamIn8hc4QJu7f3nxawQhOluQN11euLHJjJdDhSAbdJS5igYq75/zs+SJdQIX/CUh FxkrUo88jEuDYSIN6CvzoemxorzUasADjI/N3VkBzxmjftrj3M5afZ2k8xT9dmWdyB VFmrTR+N3rf6g0wB4BXCWgJ2NGNrWT/+vFNhMl7S38nIQsgEU13lFwZICx/xVIPO/3 BDD+qT+hCe6hw==
Archived-At: http://mailarchive.ietf.org/arch/msg/mib-doctors/EWQMogl-MEiiZSK9jFNeLKs4HbM
Cc: MIB Doctors <mib-doctors@ietf.org>
Subject: [MIB-DOCTORS] FW: MIB Doctor review of draft-ietf-behave-nat-mib-11
X-BeenThere: mib-doctors@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: MIB Doctors list <mib-doctors.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mib-doctors>, <mailto:mib-doctors-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mib-doctors/>
List-Post: <mailto:mib-doctors@ietf.org>
List-Help: <mailto:mib-doctors-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mib-doctors>, <mailto:mib-doctors-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jun 2014 13:40:54 -0000
Hmmm; behave-ads doesn't work. So I'll send direct. Forgot to include mib doctors list. David Harrington ietfdbh@comcast.net +1-603-828-1401 > -----Original Message----- > From: David Harrington [mailto:dbharrington@comcast.net] > Sent: Tuesday, June 17, 2014 2:22 AM > To: draft-ietf-behave-nat-mib@tools.ietf.org > Cc: behave-chairs@ietf.org; behave-ads@ietf.org > Subject: MIB Doctor review of draft-ietf-behave-nat-mib-11 > > Hi, > > I have done a MIB Doctor review of draft-ietf-behave-nat-mib-11. > I have reviewed this document as part of the MIB Doctor directorate's > ongoing > effort to review all IETF documents being processed by the IESG. These > comments > were written primarily for the benefit of the operational area directors. > Document editors and WG chairs should treat these comments just like any > other > last call comments. > > My impression is that this document is not ready for publication. > > Technical issues: > The nature of the realm usage in NAT-MIB could have serious consequences > to > existing deployments of other MIB modules. > The use of calculated thresholds, and calculated values to compare to > thresholds, could be problematic, especially to resource-constrained agent > implementations. > > Editorial issues: > A significant cause for concern is the naming, which doesn't follow RFC 4181 > guidelines. This will make the MIB harder for operators to use in the field. > Another significant concern is the lack of REFERENCE clauses. This will make > the MIB harder for operators to use in the field. > The description clauses are sometimes rather sparse. This will make the MIB > harder for operators to use in the field. > Some of the descriptions in the module are sparse, while the surrounding > text contains a better description. But MIB modules are frequently > distributed without the surrounding RFC text. This will make the MIB harder > for operators to use in the field. > The IMPORTS clauses don't identify the RFC that contains the MIB module > being imported from. This will make the MIB harder for operators to use in > the field. > The redefinition of realm in the middle of a bis could be a problem, > especially for managers. This will make the MIB harder for operators to use > in the field. > > > Detailed review: > > 1) We have discussed whether the new objects really should be a new MIB > module, published under a new MIB module name. Reading through this > document, I feel that deprecating the whole previous NAT-MIB within the > same > document is a mistake. It makes the document harder to deal with. This > really should be two separate documents and two separate MIBs - with > different module names. > > The current approach might be perfectly viable for an agent implementation, > where the NAT-MIB is likely to be an implementation of EITHER the first half > of this document, or the second half of this document. > But it seems problematic for an NMS implementation that has to support > BOTH > implementations based on RFC4008, and implementations based on this > document. > I especially think about the fact that NMSs import MIB modules, including > the Description clauses for the managed objects, and can display the > description clauses so operators can see what the definition of the object > is. > With this document, NMS applications MUST parse all the deprecated > objects, > even if, at some future time, there are no devices that implement the > RFC4008 NAT-MIB. > If the deprecation was handled in a separate RFC from the new MIB module, > and an NMS no longer had to support the "old" NAT-MIB, then NMSs in the > future would only need to import the new document. > > I found it especially irritating to review, because I am used to finding > Textual Conventions at the beginning of the MIB module, which is usually at > the beginning of the document containing the MIB module, but here, I had > to > look for the T-Cs in the middle of a long MIB module, because I had to work > past the first 54 pages of deprecations to find the T-Cs of the new module. > Every user of this MIB document will be similarly inconvenienced, over and > over. > > 2) This new I-D is redefining a term "realm" that is defined in the original > NAT-MIB. (see section 3.3). > RFC4008 defined realm objects to be of type INTEGER, but the new NAT-MIB > defines realm objects as SnmpAdminStrings. > An NMS (and operators) needs to be able to support devices that implement > the "old" NAT-MIB and devices that implement the "new" NAT-MIB. > With this new NAT-MIB, an NMS user must be aware when they look at the > description of a realm-related object, whether that object was defined in > the RFC4008 NAT-MIB or in the <new RFC> NAT-MIB, in order to understand > which meaning and datatype of the term "realm" applies. > But since RFC4008 is updated by being deprecated in the same document, in > the same-named MIB module, the reader of the new NAT-MIB must > determine > whether the object was defined in the first half of this document, i.e., the > first half of the NAT-MIB, i.e., the "old" deprecated NAT-MIB, or in the > second half of this document, to understand the meaning of the word > realm. > I think this is problematic. > > 3) Section 3.3 explains that implementations of MIB modules that implicitly > support realms (e.g.,OSPFv2-MIB), and utilize SNMPv3 contexts (or > presumably > communities in community-based SNMP) in an SNMP-standard compliant > manner, > will no longer be able to do things in those standard-compliant manners, > because the NAT-MIB design spans realms. > > This I-D should list the names and references for the "many MIBs" that > "implicitly support realms in one form or another" that may be broken by > this NAT-MIB's usage of realm. I suggest an "Operational Considerations" > section for this information. I think the IETF community needs to better > understand this claim before approving this document. > > 4) I will assume all the RFC4008 objects that are being deprecated have been > included here, and each has had its status changed to deprecated. I have not > gone through the document looking at each and every deprecation. > > 5) ProtocolNumber is a rather generic name for this textual convention. It > doesn't start with "nat". I fear there is a potential for conflict. > This does not follow the conventions recommended in RFC4181 Appendix C: > - Names of TCs that are specific to the MIB module and names of > SEQUENCE types that are used in conceptual table definitions should > start with a prefix Xxx that is the same as xxx but with the > initial letter changed to uppercase. OPT-IF-MIB uses the prefix > OptIf on the names of TCs and SEQUENCE types. > > 6) ProtocolNumber is dependent on an IANA registry. > There should be a REFERENCE clause with a link to the specific IANA > registry, so implementers/users can see the list of valid values. > > 7) This document does not provide REFERENCE clauses; it really should. > > 8) natPoolID - the description does not describe what a pool is, or provide > a REFERENCE clause. > > 9) natBehaviorType has only a reference in the description. In general it is > better to actually have a description in the description clause and provide > the reference in the REFERENCE clause. This is not merely an academic nit. > Because GUI-based NMSs frequently display the Description clause in a > window > so the user can understand the meaning of the object, it is important that > the description actually explain the meaning. Providing a reference in the > description implies that the user would then need to go find the RFC and > find the section of the RFC, and read the whole section to understand what > this object means. Not very helpful. > On top of that, an NMS might know how to track down an RFC and provide a > link to the document in the REFERENCE clause, but it wouldn't necessarily > know to parse the Description clause to find the reference. > > 10) NatPoolingType is only used to define the type of one object. > The description clause in the object is indirect - " "Type of address > pooling behavior that was used to create this mapping." > To understand this object, you need to look at the textual convention. > But the textual convention is also indirect - "Pooling type as described in > [RFC4787] sections 4.1." > Even looking at RFC4787 section 4.1 isn't immediately helpful, because the > discussion of arbitrary versus paired is a subset of section 4.1 (that is > not called out as a subsection); it is found in the one-paragraph > explanatory text for REQ-2. A short description in the OBJECT description > clause could be made from a couple sentences from section 4.1, > supplemented > with a REFRERENCE clause, which would be much easier for users than the > current indirect-indirect-someplace-in-this-text approach. > > 11) SubscriberIdentifierType concerns me. We are supposed to be > standardizing things here. But this appears to be a standardized "bucket" > which implementers can stuff with their own proprietary identifiers, > especially the "other" value. How is a vendor-neutral NMS supposed to know > how to handle the "other" value? > I feel uncomfortable with this whole identifierType, which implies that an > implementation needs to go parse the packet to pull out additional > information to identify the subscriber, without standardizing how this > information should be extracted from the message in a standardized > vendor-neutral manner. > > I feel uncomfortable that for the "other" type, each implementation defines > the semantics of AND and OR combinations. How should a vendor-neutral > NMS > handle the implementation-specific variations; where is the AND/OR > semantic > decision documented by each implementer, to make this vendor- > interoperable? > > For the interfaces choice, how is the set of interface indexes constructed? > I'm confused by this. The classifying information is in the packet (identify > the subscriber from an incoming packet); so does the packet contain a set of > interface indexes that the receiving implementation is supposed to extract? > There is no reference to the type of packet involved, and I haven't had to > unpack a set of interface indices from a packet before. What type of packet > contains a set of one or more ifIndexes? The RFC2863 textual convention > doesn't seem to describe this. > > 12) SubsInterfaceIdRowIndex - unique within what scope? Within the agent? > > 13) I am concerned about abbreviations is naming. RFC4181 Appendix C > suggests > - When abbreviations are used, then they should be used consistently. > Inconsistent usage such as > > xxxYyyDestAddr > xxxZzzDstAddr > > should be avoided. > > But sometimes, object names in this module use Identifier and other times > ID: natSubscriberVpnIdentifier vs. natSubscriberIPEncapsIdType > Sometimes it's subscriber, other times it's "subs". > natSubscriberVpnIdentifier vs. natSubsInterfaceIndex > Sometimes it's threshold, sometimes it's "thresh": > natMappingsNotifyThreshold vs. natSubscriberMapNotifyThresh > For an operator, especially one under stress, using a command-line SNMP > tools to query a value, it is really irritating to have some objects > abbreviated one way and other objects abbreviated other ways. > > 14) This is made worse by inconsistent name construction, such as a set of > nat limits being named nat + "Limit" + <specific>, as in natLimitMappings > but the set of notify thresholds are constructed as nat + <specific> + > "NotifyThreshold", as in natMappingsNotifyThreshold. So operators need to > recall which way you chose to construct the names, on a case-by-case basis, > because you are not being consistent. Why not do nat + <specific> + "Limit" > to match the way you construct NotifyThreshold names, or use > nat+"NotifyThreshold"+<specific> to match how you construct the Limit > names? > > 15) Once again, I will point out consistency in naming, following Appendix C > conventions: > " - The descriptor associated with a conceptual table should be of the > form xxxZzzTable; the descriptor associated with the corresponding > conceptual row should be of the form xxxZzzEntry; the name of the > associated SEQUENCE type should be of the form XxxZzzEntry; and the > descriptors associated with the subordinate columnar objects should > be of the form xxxZzzSomeotherName. An example from the OPT-IF-MIB > is the OTMn table. The descriptor of the table object is > optIfOTMnTable, the descriptor of the row object is optIfOTMnEntry, > the name of the associated SEQUENCE type is OptIfOTMnEntry, and the > descriptors of the columnar objects are optIfOTMnOrder, > optIfOTMnReduced, optIfOTMnBitRates, optIfOTMnInterfaceType, > optIfOTMnTcmMax, and optIfOTMnOpticalReach." > > But we find in this NAT-MIB module inconsistency: > natCountersTable OBJECT-TYPE > ... > natCountersEntry OBJECT-TYPE > ... > NatCountersEntry ::= > SEQUENCE { > natTranslations Counter64, > natOutOfPortErrors Counter64, > natResourceErrors Counter64, > natQuotaDrops Counter64, > natMappingCreations Counter64, > natMappingRemovals Counter64, > natAddressMappingCreations Counter64, > natAddressMappingRemovals Counter64 > } > > And > natLimitsTable OBJECT-TYPE > ... > natLimitsEntry OBJECT-TYPE > ... > NatLimitsEntry ::= > SEQUENCE { > natLimitMappings Unsigned32, > natMappingsNotifyThreshold Unsigned32, > natLimitAddressMappings Unsigned32, > natAddrMapNotifyThreshold Unsigned32, > natLimitFragments Unsigned32, > natLimitSubscribers Unsigned32 > } > (notice Limits vs Limit, as well as objects with no natLimit prefix, as well > as "AddressMappings" vs "AddrMap".) > > 16) If there is a concern that descriptor length can become problematic, > "Threshold" is never used without the "Notify" prefix. You could probably > shorten the NotifyThreshold names to just use Threshold. > > 17) Consistency. Watermark vs Threshold. > > 18) natLimitMappings - this is in a table of limits for a NAT instance. > What does "Global" mean in this context? See others in this table as well. > > 19) natMappingsNotifyThreshold - the description is "See > natNotifMappings." > Which says "This notification is generated when the number of active > mappings exceeds the value of natMappingsNotifyThreshold." > Why not write the (modified) description into both places rather than using > indirection? > > 20) natNotifMappings > Typically we try to not derive values when defining objects. For example, > RFC4188 states as a principle " Exclude objects that are simply derivable > from others in this or > other MIB modules." > But natNotifMappings is triggered when " the number of active mappings > exceeds the value of natMappingsNotifyThreshold" > But we don't actually track active mappings; we track creations and > removals, and we calculate active by subtracting removals from creations > (active=creations-removals). > If you want to use active against the threshold, why not simply track active > and skip tracking creations and removals? > > Is there a reason to track creations and removals? > If the maximum number of creations performed is important (maybe for > memory > management or something?), then why not track creations and active and let > somebody else calculate the removals (removals=creations-active) > If the number of removals is important (I have no idea why), then you can > track active and removals, and let somebody else calculate > (creations=active+removals) > This way a notification doesn't have to wait to calculate active. > > 21) natNotifMappings - the relationship between the notification and > thresholds is clear. > The relationship to "which mappings" is a bit less clear. > I see a natMapIntAddrTable, and a natMappingTable; which one is related to > natNotifMappings? > (and is the savings from dropping the y from notify significant?) > > I assume the fact we are sending a notification means it is important for > the operator to know right away when "active exceeds threshold" happens. > I have to guess that this might be related to memory/resource management. > But I have to guess because nothing is said about why these particular > values are tracked. > Nothing is said about table row re-use when a mapping is removed. > Is it really important to know the creation and removal counts, rather than > just the active count? > Is it important to not reuse an index value to make sure that the NMS > doesn't associate previously acquired data with a new mapping. > (This is important, for example, if ifIndex changes during a reboot, because > an NMS could take data associated with an old ifIndex and confuse it as > being associated with a new ifIndex, and totally misinterpret trends, and so > on. Other MIB modules need to protect against reuse of an index value, at > least for some period of time, or until rollover.) > > 22) It's a good thing the description of natPoolTable is "Table of pools" > because I might have confused it as being something else. 8-ball anyone? > Description please? > > 23) natpoolRealm - "Realm to which this pool's addresses belong." > MIB modules are often distributed without the surrounding text from the > RFC. > > So it is important to be sure the description is meaningful without the > whole RFC being present. > At a minimum, especially since you are defining realm in this document, you > should provide a REFERENCE to the text in this RFC that contains the > definition for realm. > > 24) natNotifPoolWatermarkLow and WatermarkHigh > > we usually try to not use derived values in MIB modules. We try to keep the > agent simple, and push complexity toward the NMS, which normally has far > more resources available. > When you set a watermark/threshold as a percentage, then the system > needs to > use CPU cycles to calculate the percentage - CPU cycles that might be better > used forwarding packets. > > The calculations you expect are rather complex - you require summing > (allocations - deallocations) over all address ranges, then dividing by the > total number of ip addresses in the poll and by the size of the port range > (calculated by portmax-portmin+1). > > I'm not sure that that formula is unambiguous; is that > (sum(allocations-deallocation)/ipaddresses)/portrange or am I calculating > something with (ip addresses and size of portrange) before dividing? Can you > use parentheses or something? > > How often should this complex calculation be done to monitor the > percentage > versus the threshold? Should this be re-calculated ***every time*** one of > the following changes: allocation or deallocation across any address range, > total number of ip addresses, or size of the port range? (and of course, the > watermark setting). > > Wow! That seems like a lot of CPU cycles. > > 25) natpoolIndex - the description doesn't mention the scope of uniqueness. > Is this unique across all address pools in all instances? Unique within a > nat instance, but not necessarily across other nat instances? > > 26) natPool watermarks > There is mention of low usage mode and high usage mode. Is there a > REFERENCE > you can make, maybe to NAT requirements or something, that explains this a > bit more? > Is there a reason why BEHAVE is not trying to standardize low/high usage > behaviors? (isn't standardizing behaviors what behave is all about?) > > Are the "may" terms here RFC2119-compliant? Usually RFC2119 "may" terms > are > capitalized. > > 27) It is very helpful to add comments to your IMPORTS identifying the RFC > that contains the MIB you are importing from. > > 28) natPoolRangeType - can this support any of the address types allowed by > this textual convention? Or should the text constrain the acceptable values? > I'm not sure which ways to limit this are acceptable. Let me know if all the > address types cannot be supported, and I'll check with other mib doctors to > determine the best way to constrain it. > > 29) natMappingTable - "Table of mappings indexed by external 3-tuple." > I'm not sure this is accurate, given > INDEX { natInstanceIndex, > natMappingProto, > natMappingExtRealm, > natMappingExtAddressType, > natMappingExtAddress, > natMappingExtPort } > > 30) natMappingExtAddress - can you point me to the REFERENCE for "the > undefined address"? I didn't find it in RFC4001. > Ditto for natMappingIntAddress > > 31) natMappingMapBehavior and natMappingFilterBehavior - for reasons > mentioned above, please include a description, not just a reference in the > description text. Put the reference in a REFERENCE clause. > > 32) natMappingSubsIndex - you don't really need the Index suffix. This > would > be more meaningful as natMappingSubscriber > > 33) natSubscribersTable, natSubscribersEntry, and natSubscriberIndex (et al) > are not consistent. I recommend losing the plural. > > 34) do the existence of fields natSubscriberVlanIdentifier, > natSubscriberVpnIdentifier, natSubscriberIPEncapsIdType, and > natSubscriberIPEncapsIdAddr depend on the value of > natSubscriberIdentifierType? If so, then it might be better to define this > as a sparse augments table. Let me know, and I'll check with the MIB Doctors > list about the best way to do this. > > 35) natSubscriberIdentifierType - " Unused identifier values MUST be zero or > equivalent". > I think this is under-specified. > I think the zero-equivalents should be specified here for each type. > When the type is none(0), and the identifier is "none", does this mean the > identifier field is not implemented, or has a zero value or empty string or > what? > Which of these is the zero equivalent? > The TC SubscriberIdentifierType says the interfaces(1) type means the > identifier is a set of **one or more** interface indexes. What is the > zero-equivalent of a set of one or more interface indexes? > VPNIdorZero says " The semantics of the value zero-length OCTET > STRING are > object-specific and must therefore be defined > as part of the description of any object that uses this > syntax." > So presumably, the zero equivalent is a zero-length OCTET STRING. But the > description here does not define the semantics of the zero-length string; it > only implies the semantics. > And for other(5), we have no idea what a zero-equivalent is. > > 36) natSubscriberIntPrefixType is a "Subscriber's internal prefix type." > While the corresponding address is a "Prefix assigned to a subscriber's > CPE." > I tend to think of a CPE as being the border between a subscriber's network > and an ISP's network. > If the subscriber entry represents a host served by a managed enterprise > NAT, is this still the prefix type for the CPE? > Please clarify if the type is the internal prefix type for the subscriber's > CPE, or simply the subscriber's internal prefix type. > > 37) natSubscriberLimitMappings - again, we should avoid calculated objects. > This depends on "active" mappings, which is a calculated value. > > 38) natSubscriberMapNotifyThresh - consistency in naming please; this > seems > to be a real problem throughout the subscriber table. > (natSubscribers vs natSubscriber, thresh, mappngs vs Map) > > 39) natSubscriberIPEncapsIdType - I find the "when not unknown(0)" to be > an > odd description. The InetAddressType description is " A value that > represents a type of Internet address." I think that should suffice here as > well, even though unknown(0) has special semantics described in the T-C. > > 40) natSubsInterfaceIdentifierTable - the description contains a sentence > fragment; I don't know what it means - " 'OR' semantics if multiple > interface indexes > are present." I find the other sentences a bit short; I > recommend rewriting the description to make it clearer. > > 41) natSubsInterfaceIdSubsIndex - I have some concerns about the use of > Index as parts of object descriptors and part of object descriptions, for > objects that are not INDEXes, when INDEX is a SMI reserved word (RFC2578, > section 3.7). I don't find the "Index" suffix necessary. I think > SubscriberIndex would be fine as Subscriber, and SubsInterfaceIdRowIndex > would be fine as SubsInterfaceIdRow, and natSubsInterfaceIdRowIndex > would be > fine as natSubsInterfaceIdRow, etc. > > 42) natSubsInterfaceIdRowIndex - the description is "Row index." There is > no description of why this is being defined, or what it is expected to be > used for. > The T-C has a better explanation of its uniqueness and its assignment to > rows, but no description of why it is needed. > It might have been better explained in the natSubsInterfaceIdentifierEntry > description, where it is used in the INDEX. But I don't understand the > description there - "Each entry provides a single interface index." > Can you provide an example of how this table works? > > 43) I am a bit concerned about the compliance options. If we are > standardizing behaviors, why do we have five compliance levels? Lots of > compliance levels = lack of standardization. > > --- Security considerations --- > 44) What objects reveal host identities? Do you mean host addresses? I > think the community has made a statement about identity versus address in > efforts like HIP and SNMPv3. > 45) If a disgruntled former employee can break into private hosts, can > attackers who never worked for the employer do so as well? I don't have any > employees, and no former employees; does that mean this is an attack > vector > I can totally ignore? > > > Hope this helps, > > David Harrington > dbharrington@comcast.net > +1-603-828-1401