-- ******************************************************************
-- CISCO-IP-URPF-MIB
--
-- This module is used for monitoring the state of Unicast Reverse
-- Path Forwarding (URPF) checking.
--
-- September 2004, Michael Grobelch
--
-- Copyright (c) 2004 by Cisco Systems, Inc.
-- All rights reserved.
-- ******************************************************************
--CISCO-IP-URPF-MIB DEFINITIONS::=BEGINIMPORTSMODULE-IDENTITY,OBJECT-TYPE,Gauge32,Integer32,
Counter32,Unsigned32,NOTIFICATION-TYPEFROM SNMPv2-SMI
MODULE-COMPLIANCE,NOTIFICATION-GROUP,OBJECT-GROUPFROM SNMPv2-CONF
TimeStamp,TruthValueFROM SNMPv2-TC
SnmpAdminStringFROM SNMP-FRAMEWORK-MIB
ifIndex FROM IF-MIB
ciscoMgmt FROM CISCO-SMI;ciscoIpUrpfMIB MODULE-IDENTITYLAST-UPDATED"200411120000Z"ORGANIZATION"Cisco System, Inc."CONTACT-INFO"Postal: Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
Tel: +1 800 553-NETS
E-mail: cs-cef@cisco.com"DESCRIPTION"Unicast Reverse Path Forwarding (URPF) is a function
that checks the validity of the source address of IP
packets received on an interface. This in an attempt
to prevent Denial of Service attacks based on IP address
spoofing.
URPF checks validity of a source address by determining
whether the packet would be successfully routed as a
destination address.
Based on configuration, the check made can be for existence
of any route for the address, or more strictly for a route
out the interface on which the packet was received by the
device. When a violating packet is detected, it can be dropped.
This MIB allows detection of spoofing events."REVISION"200411120000Z"DESCRIPTION"Initial version of this MIB module."::={ ciscoMgmt 451}--
-- MIB Object Definitions
--ciscoIpUrpfMIBNotifs OBJECTIDENTIFIER::={ ciscoIpUrpfMIB 0}ciscoIpUrpfMIBObjects OBJECTIDENTIFIER::={ ciscoIpUrpfMIB 1}ciscoIpUrpfMIBConformance OBJECTIDENTIFIER::={ ciscoIpUrpfMIB 2}--
-- URPF Statistics objects
--cipUrpfScalar OBJECTIDENTIFIER::={ ciscoIpUrpfMIBObjects 1}cipUrpfStatistics OBJECTIDENTIFIER::={ ciscoIpUrpfMIBObjects 2}cipUrpfInterfaceConfig OBJECTIDENTIFIER::={ ciscoIpUrpfMIBObjects 3}
cipUrpfVrf OBJECTIDENTIFIER::={ ciscoIpUrpfMIBObjects 4}cipUrpfDropRateWindow OBJECT-TYPESYNTAXInteger32(1..600)UNITS"seconds"MAX-ACCESSread-writeSTATUScurrentDESCRIPTION"The window of time in the recent past over which the drop
count used in the drop rate computation is collected.
This global value applies for the computation of all URPF
rates, global and per-interface.
Once the period over which computations have been
performed exceeds cipUrpfDropRateWindow, every time a
computation is performed, the window slides up to end
at the current time and start at cipUrpfDropRateWindow
seconds before.
The cipUrpfDropRateWindow must be greater than
or equal to the interval between computations
(cipUrpfComputeInterval).
Since the agent must save the drop count values
for each compute interval in order to slide the window,
the number of counts saved is the quotient of
cipUrpfDropRateWindow divided by cipUrpfComputeInterval."DEFVAL{300}::={ cipUrpfScalar 1}cipUrpfComputeInterval OBJECT-TYPESYNTAXInteger32(1..120)UNITS"seconds"MAX-ACCESSread-write
STATUScurrentDESCRIPTION"The time between rate computations. This global value
applies for the computation of all URPF rates, global
and per-interface.
When the value of cipUrpfComputeInterval is changed,
the interval in-progress proceeds as though the value
had not changed. The change will apply to the length
of subsequent intervals.
The cipUrpfComputeInterval must be less than or equal
to the cipUrpfDropRateWindow."DEFVAL{30}::={ cipUrpfScalar 2}cipUrpfDropNotifyHoldDownTime OBJECT-TYPESYNTAXInteger32(1..1000)UNITS"seconds"MAX-ACCESSread-write
STATUScurrentDESCRIPTION"The minimum time between issuance of
cipUrpfIfDropRateNotify notifications for a
particular interface and packet forwarding type.
Notifications are generated for each interface and
packet forwarding type that exceeds the drop-rate.
When a Notify is sent because the drop-rate is
exceeded for a particular interface and forwarding
type, the time specified by this object is used to
specify the minimum time that must elapse before
another Notify can be sent for that interface and
forwarding type. The time is specified globally but
used individually."DEFVAL{300}::={ cipUrpfScalar 3}cipUrpfTable OBJECT-TYPESYNTAXSEQUENCEOF CipUrpfEntry
MAX-ACCESSnot-accessible
STATUScurrentDESCRIPTION"This table contains summary information for the
managed device on URPF dropping."::={ cipUrpfStatistics 1}cipUrpfEntry OBJECT-TYPESYNTAX CipUrpfEntry
MAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"If the managed device supports URPF dropping,
a row exists for each IP version type (v4 and v6).
A row contains summary information on URPF
dropping over the entire managed device."INDEX{ cipUrpfIpVersion }::={ cipUrpfTable 1}
CipUrpfEntry ::=SEQUENCE{
cipUrpfIpVersion INTEGER,
cipUrpfDrops Counter32,
cipUrpfDropRate Gauge32}cipUrpfIpVersion OBJECT-TYPESYNTAXINTEGER{ipv4(1), ipv6(2)}MAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"Specifies the version of IP forwarding on an interface
to which the table row URPF counts, rates, and
configuration apply."::={ cipUrpfEntry 1}cipUrpfDrops OBJECT-TYPESYNTAXCounter32UNITS"packets"
MAX-ACCESSread-onlySTATUScurrentDESCRIPTION"Sum of dropped IP version cipUrpfIpVersion packets failing
a URPF check. This value is the sum of drops of packets
received on all interfaces of the managed device."::={ cipUrpfEntry 2}cipUrpfDropRate OBJECT-TYPESYNTAXGauge32UNITS"packets per second"MAX-ACCESSread-onlySTATUScurrentDESCRIPTION"The rate of packet drops of IP version cipUrpfIpVersion
packets due to URPF for the managed device. The
per-interface drop rate notification is issued on rates
exceeding a limit (rising rate). This dropping may
indicate an security attack on the network. To determine
whether the attack/event is over, the NMS must
consult the managed device. This object can be polled to
determine the recent drop rate for the managed device
as a whole, in addition to querying particular interface
objects.
This object is the average rate of dropping over the most
recent window of time. The rate is computed by dividing
the number of packets dropped over a window by the window
time in seconds. The window time is specified by
cipUrpfDropRateWindow. Each time the drop rate is computed,
and at system startup, a snapshot is taken of the latest
value of cipUrpfDrops. Subtracting from this the snapshot
of cipUrpfDrops at the start of the current window of time
gives the number of packets dropped. The drop rate is
computed every cipUrpfComputeInterval seconds. As an
example, let cipUrpfDropRateWindow be 300 seconds,
and cipUrpfComputeInterval 30 seconds. Every 30 seconds,
the drop count five minutes previous is subtracted
from the current drop count, and the result is divided
by 300 to arrive at the drop rate.
At device start-up, until the device has been up more than
cipUrpfDropRateWindow, when drop rate is computed,
the value of cipUrpfDrops is divided by the time the
device has been up.
After the device has been up for cipUrpfDropRateWindow,
when drop rate is computed, the number of packet drops counted
from interval start time to the computation time is divided
by cipUrpfDropRateWindow.
Changes to cipUrpfDropRateWindow are not reflected in this
object until the next computation time.
The rate from the most recent computation is the value
fetched until the subsequent computation is performed."::={ cipUrpfEntry 3}cipUrpfIfMonTable OBJECT-TYPESYNTAXSEQUENCEOF CipUrpfIfMonEntry
MAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"This table contains information on URPF dropping on
an interface."::={ cipUrpfStatistics 2}cipUrpfIfMonEntry OBJECT-TYPESYNTAX CipUrpfIfMonEntry
MAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"If IPv4 packet forwarding is configured on an interface,
and is configured to perform URPF checking, a row appears
in this table with indices [ifIndex][ipv4]. If IPv4
packet forwarding is deconfigured, or URPF checking
is deconfigured, the row disappears.
If IPv6 packet forwarding is configured on an interface,
and is configured to perform URPF checking, a row appears
in the table with indices [ifIndex][ipv6]. If IPv6
packet forwarding is deconfigured, or URPF checking
is deconfigured, the row disappears."INDEX{ ifIndex, cipUrpfIfIpVersion }
::={ cipUrpfIfMonTable 1}
CipUrpfIfMonEntry ::=SEQUENCE{
cipUrpfIfIpVersion INTEGER,
cipUrpfIfDrops Counter32,
cipUrpfIfSuppressedDrops Counter32,
cipUrpfIfDropRate Gauge32,
cipUrpfIfDiscontinuityTime TimeStamp}cipUrpfIfIpVersion OBJECT-TYPESYNTAXINTEGER{ipv4(1), ipv6(2)}MAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION
"Specifies the version of IP forwarding on an interface
to which the table row URPF counts, rates, and
configuration apply."::={ cipUrpfIfMonEntry 1}cipUrpfIfDrops OBJECT-TYPESYNTAXCounter32UNITS"packets"MAX-ACCESSread-onlySTATUScurrentDESCRIPTION"The number of IP packets of version cipUrpfIfIpVersion
failing the URPF check and dropped by the managed device
on a particular interface.
Discontinuities in the value of this variable can occur
at re-initialization of the management system, and at
other times as indicated by the values of
cipUrpfIfDiscontinuityTime."::={ cipUrpfIfMonEntry 2}cipUrpfIfSuppressedDrops OBJECT-TYPESYNTAXCounter32UNITS"packets"MAX-ACCESSread-onlySTATUScurrentDESCRIPTION"The number of IP packets of version cipUrpfIfIpVersion
failing the URPF check but given a reprieve and not
dropped by the managed device. Depending on the
device configuration and capabilities, the following
cases may cause incrementing of the counter:
- if the managed device is configured to allow self-pings
and the managed device pings itself.
- if the managed device is configured for loose URPF (if any
interface has a route to the source), and the strict
case fails while the loose case passes.
- DHCP Request packets (src 0.0.0.0 dst 255.255.255.255)
will pass after initially being marked for drop.
- RIP routing on unnumbered interfaces will pass after
initially being marked for drop.
- multicast packets will pass after initially being marked
for drop
- ACL's can be applied to permit packets after initially
being marked for drop.
Discontinuities in the value of this variable can occur
at re-initialization of the management system, and at
other times as indicated by the values of
cipUrpfIfDiscontinuityTime."::={ cipUrpfIfMonEntry 3}cipUrpfIfDropRate OBJECT-TYPESYNTAXGauge32UNITS"packets/second"MAX-ACCESSread-onlySTATUScurrentDESCRIPTION"The rate of packet drops of IP version cipUrpfIfIpVersion
packets due to URPF on the interface.
This object is the average rate of dropping over the most
recent interval of time. The rate is computed by dividing
the number of packets dropped over an interval by the
interval time in seconds. Each time the drop rate
is computed, and at system startup, a snapshot is taken
of the latest value of cipUrpfIfDrops. Subtracting from this
the snapshot of cipUrpfIfDrops at the start of the current
interval of time gives the number of packets dropped.
The drop rate is computed every cipUrpfComputeInterval
seconds.
When drop rate is computed, if time since the creation of
a row in cipUrpfIfMonTable is less than
cipUrpfDropRateWindow, the value of cipUrpfIfDrops is
divided by the time since row was created.
After the row has been in existence for
cipUrpfDropRateWindow, when drop rate is computed, the
number of packet drops counted on the interface from
interval start time to the computation time is divided
by cipUrpfDropRateWindow.
Changes to cipUrpfDropRateWindow are not reflected in this
object until the next computation time.
The rate from the most recent computation is the value
fetched until the subsequent computation is performed."::={ cipUrpfIfMonEntry 4}
cipUrpfIfDiscontinuityTime OBJECT-TYPESYNTAXTimeStampMAX-ACCESSread-onlySTATUScurrentDESCRIPTION"The value of sysUpTime on the most recent
occasion at which this interface's counters
suffered a discontinuity.
If no such discontinuities have occurred
since the last re-initialization of the
local management subsystem, then this
object contains a value of zero."::={ cipUrpfIfMonEntry 5}cipUrpfIfConfTable OBJECT-TYPESYNTAXSEQUENCEOF CipUrpfIfConfEntry
MAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"This table contains statistics information on URPF on
an interface."::={ cipUrpfInterfaceConfig 1}cipUrpfIfConfEntry OBJECT-TYPESYNTAX CipUrpfIfConfEntry
MAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"A row exists in this table if a row exists
in cipUrpfIfMonTable."AUGMENTS{ cipUrpfIfMonEntry }::={ cipUrpfIfConfTable 1}
CipUrpfIfConfEntry ::=SEQUENCE{
cipUrpfIfDropRateNotifyEnable TruthValue,
cipUrpfIfNotifyDropRateThreshold Unsigned32,
cipUrpfIfNotifyDrHoldDownReset TruthValue,
cipUrpfIfCheckStrict INTEGER,
cipUrpfIfWhichRouteTableID INTEGER,
cipUrpfIfVrfName SnmpAdminString}cipUrpfIfDropRateNotifyEnable OBJECT-TYPESYNTAXTruthValueMAX-ACCESSread-writeSTATUScurrentDESCRIPTION"This object specifies whether the system produces the
cipUrpfIfDropRateNotify notification as a result of URPF
dropping of version cipUrpfIfIpVersion IP packets on this
interface. A false value prevents such notifications from
being generated by this system."DEFVAL{ false }::={ cipUrpfIfConfEntry 1}cipUrpfIfNotifyDropRateThreshold OBJECT-TYPE
SYNTAXUnsigned32UNITS"packets/second"MAX-ACCESSread-writeSTATUScurrentDESCRIPTION"When the calculated rate of URPF packet drops
(cipUrpfIfDropRate) meets or exceeds the value
specified by this object, a cipUrpfIfDropRateNotify
notification is sent if cipUrpfIfDropRateNotifyEnable
is set to true, and no such notification for the
IP version has been sent for this interface for the
hold-down period.
Note that due to the calculation used for drop rate,
if there are less than n drop events in an n-second
period the notification will not be generated. To allow
for the detection of a small number of drop events, the
value 0 (zero) is used to indicate that if any drop events
occur during the interval, a notification is generated."DEFVAL{1000}
::={ cipUrpfIfConfEntry 2}cipUrpfIfNotifyDrHoldDownReset OBJECT-TYPESYNTAXTruthValueMAX-ACCESSread-writeSTATUScurrentDESCRIPTION"Setting this object to true causes the five-minute
hold-down timer for emitting URPF drop rate
notifications for IP version cipUrpfIfIpVersion on
the interface to be short-circuited. If a notification
is due and would be emitted for the interface if the
five-minutes elapsed, setting this object will cause
the notification to be sent.
This is a trigger, and doesn't hold information. It is
set and an action is performed. Therefore a get for
this object always returns false."DEFVAL{ false }::={ cipUrpfIfConfEntry 3}
cipUrpfIfCheckStrict OBJECT-TYPESYNTAXINTEGER{strict(1),loose(2)}MAX-ACCESSread-onlySTATUScurrentDESCRIPTION"Interface configuration indicating the strictness of
the reachability check performed
on the interface.
- strict: check that source addr is reachable via
the interface it came in on.
- loose : check that source addr is reachable via
some interface on the device."::={ cipUrpfIfConfEntry 4}cipUrpfIfWhichRouteTableID OBJECT-TYPE
SYNTAXINTEGER{default(1),vrf(2)}MAX-ACCESSread-onlySTATUScurrentDESCRIPTION"Interface configuration indicating the routing table
consulted for the reachability check:
- default: the non-private routing table for of the
managed system.
- vrf : a particular VPN routing table."::={ cipUrpfIfConfEntry 5}cipUrpfIfVrfName OBJECT-TYPESYNTAXSnmpAdminString(SIZE(0..32))
MAX-ACCESSread-onlySTATUScurrentDESCRIPTION"If the value of cipUrpfIfWhichRouteTableID is 'vrf',
the name of the VRF Table. Otherwise a zero-length
string."::={ cipUrpfIfConfEntry 6}cipUrpfVrfTable OBJECT-TYPESYNTAXSEQUENCEOF CipUrpfVrfEntry
MAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"This table enables indexing URPF drop statistics
by Virtual Routing and Forwarding instances."::={ cipUrpfVrf 1}cipUrpfVrfEntry OBJECT-TYPESYNTAX CipUrpfVrfEntry
MAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"An entry exists for a VRF if and only if the VRF
is associated with an interface that is configured
to perform IP URPF checking using the routing table
for that VRF."INDEX{ cipUrpfVrfName }::={ cipUrpfVrfTable 1}
CipUrpfVrfEntry ::=SEQUENCE{
cipUrpfVrfName SnmpAdminString}cipUrpfVrfName OBJECT-TYPESYNTAXSnmpAdminString(SIZE(0..32))MAX-ACCESSread-only
STATUScurrentDESCRIPTION"This field is used to specify the VRF Table
name."::={ cipUrpfVrfEntry 1}cipUrpfVrfIfTable OBJECT-TYPESYNTAXSEQUENCEOF CipUrpfVrfIfEntry
MAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"This table contains statistics information for interfaces
performing URPF using VRF table to determine reachability."::={ cipUrpfStatistics 3}cipUrpfVrfIfEntry OBJECT-TYPESYNTAX CipUrpfVrfIfEntry
MAX-ACCESSnot-accessibleSTATUScurrent
DESCRIPTION"An entry exists for a VRF and interface if and only
if the VRF associated with the interface is configured
to perform IP URPF checking using the routing
table for the VRF."INDEX{ cipUrpfVrfName, ifIndex }::={ cipUrpfVrfIfTable 1}
CipUrpfVrfIfEntry ::=SEQUENCE{
cipUrpfVrfIfDrops Counter32,
cipUrpfVrfIfDiscontinuityTime TimeStamp}cipUrpfVrfIfDrops OBJECT-TYPESYNTAXCounter32UNITS"packets"MAX-ACCESSread-onlySTATUScurrentDESCRIPTION
"The number of packets failing the URPF check for a VRF on
the interface and dropped by the managed device.
Discontinuities in the value of this variable can occur
at re-initialization of the management system, and at
other times as indicated by the values of
cipUrpfVrfIfDiscontinuityTime."::={ cipUrpfVrfIfEntry 2}cipUrpfVrfIfDiscontinuityTime OBJECT-TYPESYNTAXTimeStampMAX-ACCESSread-onlySTATUScurrentDESCRIPTION"The value of sysUpTime on the most recent occasion at
which the URPF counters for this VRF on this interface
suffered a discontinuity. If no such discontinuities
have occurred since the last re-initialization of the
local management subsystem, then this object contains a
value of zero."::={ cipUrpfVrfIfEntry 3}
--
-- URPF Notification objects
--cipUrpfIfDropRateNotify NOTIFICATION-TYPEOBJECTS{
cipUrpfIfDropRate
}STATUScurrentDESCRIPTION"This notification is generated when
cipUrpfIfDropRateNotifyEnable is set to true and
the calculated URPF drop rate (cipUrpfIfDropRate)
exceeds the notification threshold drop rate
(cipUrpfIfNotifyDropRateThreshold). Note the
exceptional value of 0 for threshold allows notification
generation if any drop events occur in an interval.
After generating this notification, another such
notification will not be sent out for a minimum of five
minutes (note the exception to this provided by
cipUrpfIfNotifyDrHoldDownReset).
The object value present in the notification is the
the drop rate that exceeded the threshold."
::={ ciscoIpUrpfMIBNotifs 1}-- Conformance Information DefinitionciscoIpUrpfMIBCompliances OBJECTIDENTIFIER::={ ciscoIpUrpfMIBConformance 1}ciscoIpUrpfMIBGroups OBJECTIDENTIFIER::={ ciscoIpUrpfMIBConformance 2}ciscoIpUrpfMIBCompliance MODULE-COMPLIANCESTATUScurrentDESCRIPTION"An SNMP entity can implement this module to
provide URPF problem diagnosis information."MODULE-- this moduleMANDATORY-GROUPS{ ciscoIpUrpfMIBMainObjectGroup,
ciscoIpUrpfMIBNotifyGroup }GROUP ciscoIpUrpfMIBVrfObjectGroup
DESCRIPTION"This group is mandatory for all implementations
that need to index URPF statistics by VRF interfaces."::={ ciscoIpUrpfMIBCompliances 1}ciscoIpUrpfMIBMainObjectGroup OBJECT-GROUPOBJECTS{
cipUrpfDropRateWindow,
cipUrpfComputeInterval,
cipUrpfDropNotifyHoldDownTime,
cipUrpfDrops,
cipUrpfDropRate,
cipUrpfIfDrops,
cipUrpfIfSuppressedDrops,
cipUrpfIfDropRate,
cipUrpfIfDropRateNotifyEnable,
cipUrpfIfNotifyDropRateThreshold,
cipUrpfIfNotifyDrHoldDownReset,
cipUrpfIfCheckStrict,
cipUrpfIfDiscontinuityTime
}STATUScurrentDESCRIPTION"The collection of common counter objects, those
needed by other objects, and the common interface
table."::={ ciscoIpUrpfMIBGroups 1}ciscoIpUrpfMIBVrfObjectGroup OBJECT-GROUPOBJECTS{
cipUrpfVrfName,
cipUrpfIfWhichRouteTableID,
cipUrpfIfVrfName,
cipUrpfVrfIfDrops,
cipUrpfVrfIfDiscontinuityTime
}STATUScurrentDESCRIPTION"The collection of objects needed to index by
VRF."::={ ciscoIpUrpfMIBGroups 2}
ciscoIpUrpfMIBNotifyGroup NOTIFICATION-GROUPNOTIFICATIONS{ cipUrpfIfDropRateNotify }STATUScurrentDESCRIPTION"The collection of objects which are used to specify
notifications for URPF."::={ ciscoIpUrpfMIBGroups 6}END