smilint output for ./MPLS-L3VPN-MIB-DRAFT-01


Message Severities

Severity       Count
minor error    2
warning        3

Message Types

Type                                   Count
index-element-accessible (warning)     1
index-exceeds-too-large (warning)      1
module-name-suffix (warning)           1
revision-after-update (minor error)    1
revision-missing (minor error)         1

Messages:

MPLS-L3VPN-MIB-DRAFT-01

   1: -- extracted from draft-ietf-l3vpn-mpls-vpn-mib-01.txt
   2: -- at Fri Jan 30 06:16:29 2004
  25: 
  26: mplsVpnMIB MODULE-IDENTITY
  27:    LAST-UPDATED "200210311200Z"  -- 31 October 2002 12:00:00 GMT
  28:    ORGANIZATION "IETF Layer-3 Virtual Private
  29:                  Networks Working Group."
  30:    CONTACT-INFO
  31:           "        Thomas D. Nadeau
  32:                    tnadeau@cisco.com
  33: 
  34:                    Harmen van der Linde
  35:                    hvdl@att.com
  36: 
  37:                    Luyuan Fang
  38:                    luyuanfang@att.com
  39:                    Stephen Brannon
  40: 
  41:                    Fabio M. Chiussi
  42:                    fabio@bell-labs.com
  43: 
  44:                    Joseph Dube
  45: 
  46:                    Martin Tatham
  47:                    martin.tatham@bt.com
  48: 
  49:                    Comments and discussion to l3vpn@ietf.org"
  50:    DESCRIPTION
  51:         "This MIB contains managed object definitions for the
  52:          Layer-3 Multiprotocol Label Switching Virtual 
  53:          Private Networks."
  54:   -- Revision history.
  55:   REVISION
  56:        "200401301200Z"  -- 30 January 2004 12:00:00 EST
  56: minor error - revision date after last update
  57:    DESCRIPTION
  58:       "Initial RFC version."
  59:    ::= { experimental 118 } -- assigned by IANA
  59: minor error - revision for last update is missing
  60: 
...
 661: 
 662: mplsVpnVrfRouteEntry OBJECT-TYPE
 662: warning - warning: index of row `mplsVpnVrfRouteEntry' can exceed OID size limit by 684 subidentifier(s)
 662: warning - warning: index element `mplsVpnVrfRouteNextHop' of row `mplsVpnVrfRouteEntry' should be not-accessible in SMIv2 MIB
 663:    SYNTAX        MplsVpnVrfRouteEntry
 664:    MAX-ACCESS    not-accessible
 665:    STATUS        current
 666:    DESCRIPTION
 667:        "An entry in this table is created by an LSR for every route
 668:         present configured (either dynamically or statically) within
 669:         the context of a specific VRF capable of supporting MPLS/BGP
 670:         VPN. The indexing provides an ordering of VRFs per-VPN
 671:         interface.
 672: 
 673:         Implementors need to be aware that if the value of
 674:         the mplsVpnVrfName (an OID) has more 
 675:         that 111 sub-identifiers, then OIDs of column
 676:         instances in this table will have more than 128
 677:         sub-identifiers and cannot be accessed using SNMPv1,
 678:         SNMPv2c, or SNMPv3."
 679:       INDEX  { mplsVpnVrfName, mplsVpnVrfRouteDest,
 680:                mplsVpnVrfRouteMask, mplsVpnVrfRouteTos,
 681:                mplsVpnVrfRouteNextHop }
 682:       ::= { mplsVpnVrfRouteTable 1 }
 683: 
 684: MplsVpnVrfRouteEntry ::= SEQUENCE {
 685:        mplsVpnVrfRouteDestAddrType       InetAddressType,
 686:        mplsVpnVrfRouteDest               InetAddress,
 687:        mplsVpnVrfRouteMaskAddrType       InetAddressType,
 688:        mplsVpnVrfRouteMask               InetAddress,
 689:        mplsVpnVrfRouteTos                Unsigned32,
 690:        mplsVpnVrfRouteNextHopAddrType    InetAddressType,
 691:        mplsVpnVrfRouteNextHop            InetAddress,
 692:        mplsVpnVrfRouteIfIndex            InterfaceIndexOrZero,
 693:        mplsVpnVrfRouteType               INTEGER,
 694:        mplsVpnVrfRouteProto              INTEGER,
 695:        mplsVpnVrfRouteAge                Unsigned32,
 696:        mplsVpnVrfRouteInfo               OBJECT IDENTIFIER,
 697:        mplsVpnVrfRouteNextHopAS          Unsigned32,
 698:        mplsVpnVrfRouteMetric1            Integer32,
 699:        mplsVpnVrfRouteMetric2            Integer32,
 700:        mplsVpnVrfRouteMetric3            Integer32,
 701:        mplsVpnVrfRouteMetric4            Integer32,
 702:        mplsVpnVrfRouteMetric5            Integer32,
 703:        mplsVpnVrfRouteXCPointer          MplsIndexType,
 704:        mplsVpnVrfRouteRowStatus          RowStatus,
 705:        mplsVpnVrfRouteStorageType        StorageType
...
1259: 
1260:    mplsVpnNotificationGroup NOTIFICATION-GROUP
1261:        NOTIFICATIONS { mplsVrfIfUp,
1262:                        mplsVrfIfDown,
1263:                        mplsNumVrfRouteMidThreshExceeded,
1264:                        mplsNumVrfRouteMaxThreshExceeded,
1265:                        mplsNumVrfSecIllglLblThrshExcd,
1266:                        mplsNumVrfRouteMaxThreshCleared
1267:                      }
1268:       STATUS  current
1269:       DESCRIPTION
1270:              "Objects required for MPLS VPN notifications."
1271:    ::= { mplsVpnGroups 9 }
1272: -- End of MPLS-VPN-MIB
1273: END
1273: warning - warning: module name `MPLS-L3VPN-MIB-DRAFT-01' should match `*-MIB'
1274: 
1275: -- 
1276: -- 16.0 Security Considerations
1277: -- 
1278: --    It is clear that these MIB modules are potentially useful for 
1279: --    monitoring of MPLS LSRs supporting L3 MPLS VPN.  This
1280: --    MIB module can also be used for configuration of certain objects, 
1281: --    and anything that can be configured can be incorrectly configured, 
1282: --    with potentially disastrous results.
1283: --    
1284: --    There are a number of management objects defined in this MIB module
1285: --    with a MAX-ACCESS clause of read-write and/or read-create.  Such
1286: --    objects may be considered sensitive or vulnerable in some network
1287: --    environments.  The support for SET operations in a non-secure
1288: --    environment without proper protection can have a negative effect on
1289: --    network operations.  These are the tables and objects and their
1290: --    sensitivity/vulnerability:
1291: -- 
1292: --    o    the XXX tables collectively 
1293: --         contain objects which may be used to provision MPLS VRF
1294: --         interfaces and configuration.  Unauthorized access to objects 
1295: --         in these tables, could result in disruption of traffic on the 
1296: --         network.  This is especially true if these VRFs have been 
1297: --         previously provisioned and are in use. The use of stronger 
1298: --         mechanisms such as SNMPv3 security should be considered where 
1299: --         possible.  Specifically,
1300: --         SNMPv3 VACM and USM MUST be used with any v3 agent which
1301: --         implements this MIB module.  Administrators should consider 
1302: --         whether read access to these objects should be allowed, 
1303: --         since read access may be undesirable under certain 
1304: --         circumstances.
1305: -- 
1306: --    Some of the readable objects in this MIB module "i.e., objects with a
1307: --    MAX-ACCESS other than not-accessible" may be considered sensitive or
1308: --    vulnerable in some network environments.  It is thus important to
1309: --    control even GET and/or NOTIFY access to these objects and possibly
1310: --    to even encrypt the values of these objects when sending them over
1311: --    the network via SNMP.  These are the tables and objects and their
1312: --    sensitivity/vulnerability:
1313: -- 
1314: --    o    the XXX tables 
1315: --         collectively show the VRF interfaces and 
1316: --         associated VRF configurations as well as their linkages to other
1317: --         MPLS-related configuration and/or performanc statistics. 
1318: --         Administrators not wishing to reveal this information should
1319: --         consider these objects sensitive/vulnerable and take 
1320: --         precautions so they are not revealed.
1321: -- 
1322: --    SNMP versions prior to SNMPv3 did not include adequate security.
1323: --    Even if the network itself is secure "for example by using IPSec",
1324: --    even then, there is no control as to who on the secure network is
1325: --    allowed to access and GET/SET "read/change/create/delete" the objects
1326: --    in this MIB module.
1327: -- 
1328: --    It is RECOMMENDED that implementers consider the security features as
1329: --    provided by the SNMPv3 framework "see [RFC3410], section 8",
1330: --    including full support for the SNMPv3 cryptographic mechanisms "for
1331: --    authentication and privacy".
1332: -- 
1333: --    Further, deployment of SNMP versions prior to SNMPv3 is NOT
1334: --    RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
1335: --    enable cryptographic security.  It is then a customer/operator
1336: --    responsibility to ensure that the SNMP entity giving access to an
1337: --    instance of this MIB module, is properly configured to give access 
1338: --    to the objects only to those principals "users" that have legitimate
1339: --    rights to indeed GET or SET "change/create/delete" them.
1340: -- 
1341: