smilint output for ./MPLS-L3VPN-MIB-DRAFT-01
Message Severities

| Severity | Count |
|---|---|
| minor error | 2 |
| warning | 3 |

Message Types

| Type | Count |
|---|---|
| index-element-accessible (warning) | 1 |
| index-exceeds-too-large (warning) | 1 |
| module-name-suffix (warning) | 1 |
| revision-after-update (minor error) | 1 |
| revision-missing (minor error) | 1 |

Messages:
MPLS-L3VPN-MIB-DRAFT-01
1: -- extracted from draft-ietf-l3vpn-mpls-vpn-mib-01.txt
2: -- at Fri Jan 30 06:16:29 2004
25:
26: mplsVpnMIB MODULE-IDENTITY
27: LAST-UPDATED "200210311200Z" -- 31 October 2002 12:00:00 GMT
28: ORGANIZATION "IETF Layer-3 Virtual Private
29: Networks Working Group."
30: CONTACT-INFO
31: " Thomas D. Nadeau
32: tnadeau@cisco.com
33:
34: Harmen van der Linde
35: hvdl@att.com
36:
37: Luyuan Fang
38: luyuanfang@att.com
39: Stephen Brannon
40:
41: Fabio M. Chiussi
42: fabio@bell-labs.com
43:
44: Joseph Dube
45:
46: Martin Tatham
47: martin.tatham@bt.com
48:
49: Comments and discussion to l3vpn@ietf.org"
50: DESCRIPTION
51: "This MIB contains managed object definitions for the
52: Layer-3 Multiprotocol Label Switching Virtual
53: Private Networks."
54: -- Revision history.
55: REVISION
56: "200401301200Z" -- 30 January 2004 12:00:00 EST
56: minor error - revision date after last update
57: DESCRIPTION
58: "Initial RFC version."
59: ::= { experimental 118 } -- assigned by IANA
59: minor error - revision for last update is missing
60:
...
661:
662: mplsVpnVrfRouteEntry OBJECT-TYPE
662: warning - warning: index of row `mplsVpnVrfRouteEntry' can exceed OID size limit by 684 subidentifier(s)
662: warning - warning: index element `mplsVpnVrfRouteNextHop' of row `mplsVpnVrfRouteEntry' should be not-accessible in SMIv2 MIB
663: SYNTAX MplsVpnVrfRouteEntry
664: MAX-ACCESS not-accessible
665: STATUS current
666: DESCRIPTION
667: "An entry in this table is created by an LSR for every route
668: present configured (either dynamically or statically) within
669: the context of a specific VRF capable of supporting MPLS/BGP
670: VPN. The indexing provides an ordering of VRFs per-VPN
671: interface.
672:
673: Implementors need to be aware that if the value of
674: the mplsVpnVrfName (an OID) has more
675: that 111 sub-identifiers, then OIDs of column
676: instances in this table will have more than 128
677: sub-identifiers and cannot be accessed using SNMPv1,
678: SNMPv2c, or SNMPv3."
679: INDEX { mplsVpnVrfName, mplsVpnVrfRouteDest,
680: mplsVpnVrfRouteMask, mplsVpnVrfRouteTos,
681: mplsVpnVrfRouteNextHop }
682: ::= { mplsVpnVrfRouteTable 1 }
683:
684: MplsVpnVrfRouteEntry ::= SEQUENCE {
685: mplsVpnVrfRouteDestAddrType InetAddressType,
686: mplsVpnVrfRouteDest InetAddress,
687: mplsVpnVrfRouteMaskAddrType InetAddressType,
688: mplsVpnVrfRouteMask InetAddress,
689: mplsVpnVrfRouteTos Unsigned32,
690: mplsVpnVrfRouteNextHopAddrType InetAddressType,
691: mplsVpnVrfRouteNextHop InetAddress,
692: mplsVpnVrfRouteIfIndex InterfaceIndexOrZero,
693: mplsVpnVrfRouteType INTEGER,
694: mplsVpnVrfRouteProto INTEGER,
695: mplsVpnVrfRouteAge Unsigned32,
696: mplsVpnVrfRouteInfo OBJECT IDENTIFIER,
697: mplsVpnVrfRouteNextHopAS Unsigned32,
698: mplsVpnVrfRouteMetric1 Integer32,
699: mplsVpnVrfRouteMetric2 Integer32,
700: mplsVpnVrfRouteMetric3 Integer32,
701: mplsVpnVrfRouteMetric4 Integer32,
702: mplsVpnVrfRouteMetric5 Integer32,
703: mplsVpnVrfRouteXCPointer MplsIndexType,
704: mplsVpnVrfRouteRowStatus RowStatus,
705: mplsVpnVrfRouteStorageType StorageType
...
1259:
1260: mplsVpnNotificationGroup NOTIFICATION-GROUP
1261: NOTIFICATIONS { mplsVrfIfUp,
1262: mplsVrfIfDown,
1263: mplsNumVrfRouteMidThreshExceeded,
1264: mplsNumVrfRouteMaxThreshExceeded,
1265: mplsNumVrfSecIllglLblThrshExcd,
1266: mplsNumVrfRouteMaxThreshCleared
1267: }
1268: STATUS current
1269: DESCRIPTION
1270: "Objects required for MPLS VPN notifications."
1271: ::= { mplsVpnGroups 9 }
1272: -- End of MPLS-VPN-MIB
1273: END
1273: warning - warning: module name `MPLS-L3VPN-MIB-DRAFT-01' should match `*-MIB'
1274:
1275: --
1276: -- 16.0 Security Considerations
1277: --
1278: -- It is clear that these MIB modules are potentially useful for
1279: -- monitoring of MPLS LSRs supporting L3 MPLS VPN. This
1280: -- MIB module can also be used for configuration of certain objects,
1281: -- and anything that can be configured can be incorrectly configured,
1282: -- with potentially disastrous results.
1283: --
1284: -- There are a number of management objects defined in this MIB module
1285: -- with a MAX-ACCESS clause of read-write and/or read-create. Such
1286: -- objects may be considered sensitive or vulnerable in some network
1287: -- environments. The support for SET operations in a non-secure
1288: -- environment without proper protection can have a negative effect on
1289: -- network operations. These are the tables and objects and their
1290: -- sensitivity/vulnerability:
1291: --
1292: -- o the XXX tables collectively
1293: -- contain objects which may be used to provision MPLS VRF
1294: -- interfaces and configuration. Unauthorized access to objects
1295: -- in these tables, could result in disruption of traffic on the
1296: -- network. This is especially true if these VRFs have been
1297: -- previously provisioned and are in use. The use of stronger
1298: -- mechanisms such as SNMPv3 security should be considered where
1299: -- possible. Specifically,
1300: -- SNMPv3 VACM and USM MUST be used with any v3 agent which
1301: -- implements this MIB module. Administrators should consider
1302: -- whether read access to these objects should be allowed,
1303: -- since read access may be undesirable under certain
1304: -- circumstances.
1305: --
1306: -- Some of the readable objects in this MIB module "i.e., objects with a
1307: -- MAX-ACCESS other than not-accessible" may be considered sensitive or
1308: -- vulnerable in some network environments. It is thus important to
1309: -- control even GET and/or NOTIFY access to these objects and possibly
1310: -- to even encrypt the values of these objects when sending them over
1311: -- the network via SNMP. These are the tables and objects and their
1312: -- sensitivity/vulnerability:
1313: --
1314: -- o the XXX tables
1315: -- collectively show the VRF interfaces and
1316: -- associated VRF configurations as well as their linkages to other
1317: -- MPLS-related configuration and/or performanc statistics.
1318: -- Administrators not wishing to reveal this information should
1319: -- consider these objects sensitive/vulnerable and take
1320: -- precautions so they are not revealed.
1321: --
1322: -- SNMP versions prior to SNMPv3 did not include adequate security.
1323: -- Even if the network itself is secure "for example by using IPSec",
1324: -- even then, there is no control as to who on the secure network is
1325: -- allowed to access and GET/SET "read/change/create/delete" the objects
1326: -- in this MIB module.
1327: --
1328: -- It is RECOMMENDED that implementers consider the security features as
1329: -- provided by the SNMPv3 framework "see [RFC3410], section 8",
1330: -- including full support for the SNMPv3 cryptographic mechanisms "for
1331: -- authentication and privacy".
1332: --
1333: -- Further, deployment of SNMP versions prior to SNMPv3 is NOT
1334: -- RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
1335: -- enable cryptographic security. It is then a customer/operator
1336: -- responsibility to ensure that the SNMP entity giving access to an
1337: -- instance of this MIB module, is properly configured to give access
1338: -- to the objects only to those principals "users" that have legitimate
1339: -- rights to indeed GET or SET "change/create/delete" them.
1340: --
1341: