CISCO-IP-URPF-MIB

Unicast Reverse Path Forwarding (URPF) is a function that checks the validity of the source address of IP packets received on an...

  • Version: 2011-12-29

    CISCO-IP-URPF-MIB@2011-12-29


    
      module CISCO-IP-URPF-MIB {
        // SMIv2-to-YANG rendering of the Cisco Unicast RPF MIB (OID subtree 1.3.6.1.4.1.9.9.451).
        // The single data container below is 'config false', so at the YANG/NETCONF level every
        // node in this module is operational state. The smiv2:max-access "read-write" annotations
        // record which objects are settable over SNMP; they do not make the nodes configurable here.
    
        yang-version 1;
    
        namespace
          "urn:ietf:params:xml:ns:yang:smiv2:CISCO-IP-URPF-MIB";
    
        prefix CISCO-IP-URPF-MIB;
    
        // IF-MIB supplies ifIndex (the interface key of the per-interface tables),
        // SNMP-FRAMEWORK-MIB supplies SnmpAdminString for VRF names, ietf-yang-smiv2 carries
        // the oid / max-access / defval / alias annotations kept from the SMIv2 source, and
        // ietf-yang-types provides counter32 / gauge32 / timestamp.
        import IF-MIB {
          prefix if-mib;
        }
        import SNMP-FRAMEWORK-MIB {
          prefix snmp-framework;
        }
        import ietf-yang-smiv2 {
          prefix smiv2;
        }
        import ietf-yang-types {
          prefix yang;
        }
    
        organization "Cisco System, Inc.";
    
        contact
          "Postal: Cisco Systems, Inc.
    170 West Tasman Drive
    San Jose, CA 95134-1706
    USA
    
    Tel: +1 800 553-NETS
    
    E-mail: cs-cef@cisco.com";
    
        description
          "Unicast Reverse Path Forwarding (URPF) is a function that
    checks the validity of the source address of IP packets
    received on an interface. This in an attempt to prevent
    Denial of Service attacks based on IP address spoofing.
    
    URPF checks validity of a source address by determining
    whether the packet would be successfully routed as a
    destination address.
    Based on configuration, the check made
    can be for existence of any route for the address, or more
    strictly for a route out the interface on which the packet
    was received by the device. When a violating packet is
    detected, it can be dropped.
    This MIB allows detection of
    spoofingevents.";
    
        // The "2 New TC" of this revision are the typedefs UnicastRpfType and
        // UnicastRpfOptions below. Nothing else in this module references them; they
        // exist for use by other modules.
        revision "2011-12-29" {
          description
            "2 New TC are defined to support Dynamic template MIB";
        }
    
        revision "2004-11-12" {
          description
            "Initial version of this MIB module.";
        }
    
        // smiv2:alias statements preserve SMIv2 node names and OIDs that have no data node
        // of their own in the YANG tree. cipUrpfIfConfTable / cipUrpfIfConfEntry are realised
        // as the augment of cipUrpfIfMonEntry further down (same OID 1.3.6.1.4.1.9.9.451.1.3.1.1).
        smiv2:alias "cipUrpfIfConfTable" {
          description "This table contains statistics information on URPF on
    an interface.";
          smiv2:oid "1.3.6.1.4.1.9.9.451.1.3.1";
        }
        smiv2:alias "cipUrpfIfConfEntry" {
          description "A row exists in this table if a row exists
    in cipUrpfIfMonTable.";
          smiv2:oid "1.3.6.1.4.1.9.9.451.1.3.1.1";
        }
        smiv2:alias "ciscoIpUrpfMIB" {
          smiv2:oid "1.3.6.1.4.1.9.9.451";
        }
        smiv2:alias "ciscoIpUrpfMIBNotifs" {
          smiv2:oid "1.3.6.1.4.1.9.9.451.0";
        }
        smiv2:alias "ciscoIpUrpfMIBObjects" {
          smiv2:oid "1.3.6.1.4.1.9.9.451.1";
        }
        smiv2:alias "cipUrpfScalar" {
          smiv2:oid "1.3.6.1.4.1.9.9.451.1.1";
        }
        smiv2:alias "cipUrpfStatistics" {
          smiv2:oid "1.3.6.1.4.1.9.9.451.1.2";
        }
        smiv2:alias "cipUrpfInterfaceConfig" {
          smiv2:oid "1.3.6.1.4.1.9.9.451.1.3";
        }
        smiv2:alias "cipUrpfVrf" {
          smiv2:oid "1.3.6.1.4.1.9.9.451.1.4";
        }
        smiv2:alias "ciscoIpUrpfMIBConformance" {
          smiv2:oid "1.3.6.1.4.1.9.9.451.2";
        }
        smiv2:alias "ciscoIpUrpfMIBCompliances" {
          smiv2:oid "1.3.6.1.4.1.9.9.451.2.1";
        }
        smiv2:alias "ciscoIpUrpfMIBGroups" {
          smiv2:oid "1.3.6.1.4.1.9.9.451.2.2";
        }
    
        // Textual convention for the RPF mode applied to an interface. The enum values
        // follow the SMIv2 TC (strict=1, loose=2, disabled=3); the description lists
        // 'disabled' first, but it carries the highest value. Not used within this module.
        typedef UnicastRpfType {
          type enumeration {
            enum "strict" {
              value 1;
            }
            enum "loose" {
              value 2;
            }
            enum "disabled" {
              value 3;
            }
          }
          description
            "An enumerated integer-value describing the type of
    unicast Reverse Path Forwarding (RPF) a system applies to
    traffic received on an interface. UnicastRpfTypes 'strict' and
    'loose' RPF methods are defined in RFC3704.
    
    'disabled'
        The system does not perform unicast RPF on packets received
        by the interface.
    
    'strict'
        The system performs strict unicast RPF on packets received
        by the interface.
    'loose'
        The system performs loose unicast RPF on packets received by
        the interface.";
          reference
            "RFC3704 (http://tools.ietf.org/html/rfc3704)";
    
        }
    
        // Textual convention for RPF option flags. Not used within this module.
        typedef UnicastRpfOptions {
          type bits {
            // NOTE(review): letting the default route satisfy the reachability check
            // weakens the filter — with a default route installed, loose mode then matches
            // nearly every source address. RFC 3704 discusses loose RPF and default routes.
            bit allowDefault {
              position 0;
            }
            // Exempts the device's own echo requests to its interface addresses from the
            // check; such packets are counted in cipUrpfIfSuppressedDrops rather than dropped.
            bit allowSelfPing {
              position 1;
            }
          }
          description
            "A bit string describing unicast Reverse Path Forwarding (RPF)
    options:
    
    'allowDefault'
        Allows the use of the default route for RPF verification.
    
    'allowSelfPing'
        Allows a router to ping its own interface or interfaces.";
        }
    
        // Root of the operational data. 'config false' applies to every descendant,
        // including the nodes added by the augment statement after this container.
        container CISCO-IP-URPF-MIB {
          config false;
          // Global tuning knobs for the drop-rate computation and notification hold-down.
          // They are SNMP-writable (max-access read-write) and apply to every rate in the MIB.
          container cipUrpfScalar {
            smiv2:oid "1.3.6.1.4.1.9.9.451.1.1";
            // Rate window in seconds (default 300). The description requires it to be
            // >= cipUrpfComputeInterval, but no YANG 'must' enforces that here. Because a rate
            // is drops-over-window divided by window length, widening this value smooths out
            // short bursts and makes them less likely to cross cipUrpfIfNotifyDropRateThreshold.
            leaf cipUrpfDropRateWindow {
              smiv2:defval "300";
              smiv2:max-access "read-write";
              smiv2:oid "1.3.6.1.4.1.9.9.451.1.1.1";
              type int32 {
                range "1..600";
              }
              units "seconds";
              description
                "The window of time in the recent past over which the drop
    count used in the drop rate computation is collected.
    This global value applies for the computation of all URPF
    rates, global and per-interface.
    
    Once the period over which computations have been
    performed exceeds cipUrpfDropRateWindow, every time a
    computation is performed, the window slides up to end
    at the current time and start at cipUrpfDropRateWindow
    seconds before.
    
    The cipUrpfDropRateWindow must be greater than
    or equal to the interval between computations
    (cipUrpfComputeInterval).
    
    Since the agent must save the drop count values
    for each compute interval in order to slide the window,
    the number of counts saved is the quotient of
    cipUrpfDropRateWindow divided by cipUrpfComputeInterval.";
            }
    
            // How often rates are recomputed (default 30 s). Must be <= cipUrpfDropRateWindow;
            // again a description-only constraint. A change takes effect after the
            // in-progress interval completes.
            leaf cipUrpfComputeInterval {
              smiv2:defval "30";
              smiv2:max-access "read-write";
              smiv2:oid "1.3.6.1.4.1.9.9.451.1.1.2";
              type int32 {
                range "1..120";
              }
              units "seconds";
              description
                "The time between rate computations. This global value
    applies for the computation of all URPF rates, global
    and per-interface.
    
    When the value of cipUrpfComputeInterval is changed,
    the interval in-progress proceeds as though the value
    had not changed. The change will apply to the length
    of subsequent intervals.
    
    The cipUrpfComputeInterval must be less than or equal
    to the cipUrpfDropRateWindow.";
            }
    
            // Per-(interface, IP version) minimum spacing between cipUrpfIfDropRateNotify
            // notifications. The default of 300 s is the "five-minute" hold-down that the
            // descriptions of cipUrpfIfNotifyDrHoldDownReset and cipUrpfIfDropRateNotify refer
            // to; the range 1..1000 shows that figure is a default, not a fixed property.
            leaf cipUrpfDropNotifyHoldDownTime {
              smiv2:defval "300";
              smiv2:max-access "read-write";
              smiv2:oid "1.3.6.1.4.1.9.9.451.1.1.3";
              type int32 {
                range "1..1000";
              }
              units "seconds";
              description
                "The minimum time between issuance of
    cipUrpfIfDropRateNotify notifications for a
    particular interface and packet forwarding type.
    
    Notifications are generated for each interface and
    packet forwarding type that exceeds the drop-rate.
    When a Notify is sent because the drop-rate is
    exceeded for a particular interface and forwarding
    type, the time specified by this object is used to
    specify the minimum time that must elapse before
    another Notify can be sent for that interface and
    forwarding type. The time is specified globally but
    used individually.";
            }
          }  // container cipUrpfScalar
    
          // Device-wide URPF drop totals, one row per IP version (ipv4 / ipv6).
          container cipUrpfTable {
            smiv2:oid "1.3.6.1.4.1.9.9.451.1.2.1";
            description
              "This table contains summary information for the
    managed device on URPF dropping.";
            list cipUrpfEntry {
              smiv2:oid "1.3.6.1.4.1.9.9.451.1.2.1.1";
              key "cipUrpfIpVersion";
              description
                "If the managed device supports URPF dropping,
    a row exists for each IP version type (v4 and v6).
    A row contains summary information on URPF
    dropping over the entire managed device.";
              // Row key; 'not-accessible' in SMIv2 terms (only visible through the index).
              leaf cipUrpfIpVersion {
                smiv2:max-access "not-accessible";
                smiv2:oid "1.3.6.1.4.1.9.9.451.1.2.1.1.1";
                type enumeration {
                  enum "ipv4" {
                    value 1;
                  }
                  enum "ipv6" {
                    value 2;
                  }
                }
                description
                  "Specifies the version of IP forwarding on an interface
    to which the table row URPF counts, rates, and
    configuration apply.";
              }
    
              // 32-bit counter that wraps at 2^32; poll frequently enough under sustained
              // high drop rates. Unlike the per-interface and per-VRF tables, this row carries
              // no discontinuity timestamp, so resets cannot be distinguished from wrap here.
              leaf cipUrpfDrops {
                smiv2:max-access "read-only";
                smiv2:oid "1.3.6.1.4.1.9.9.451.1.2.1.1.2";
                type yang:counter32;
                units "packets";
                description
                  "Sum of dropped IP version cipUrpfIpVersion packets failing
    a URPF check. This value is the sum of drops of packets
    received on all interfaces of the managed device.";
              }
    
              // Device-wide average drop rate over the last cipUrpfDropRateWindow seconds,
              // refreshed every cipUrpfComputeInterval seconds. Informational only: the
              // threshold / notification machinery works on the per-interface
              // cipUrpfIfDropRate, not on this object.
              leaf cipUrpfDropRate {
                smiv2:max-access "read-only";
                smiv2:oid "1.3.6.1.4.1.9.9.451.1.2.1.1.3";
                type yang:gauge32;
                units "packets per second";
                description
                  "The rate of packet drops of IP version cipUrpfIpVersion
    packets due to URPF for the managed device. The
    per-interface drop rate notification is issued on rates
    exceeding a limit (rising rate). This dropping may indicate
    an security attack on the network. To determine whether the
    attack/event is over, the NMS must consult the managed
    device. This object can be polled to determine the recent
    drop rate for the managed device as a whole, in addition to
    querying particular interface objects.
    This object is the
    average rate of dropping over the most recent window of
    time. The rate is computed by dividing the number of packets
    dropped over a window by the window time in seconds. The
    window time is specified by cipUrpfDropRateWindow. Each time
    the drop rate is computed, and at system startup, a snapshot
    is taken of the latest value of cipUrpfDrops. Subtracting
    from this the snapshot of cipUrpfDrops at the start of the
    current window of time gives the number of packets dropped.
    The drop rate is computed every cipUrpfComputeInterval
    seconds. As an example, let cipUrpfDropRateWindow be 300
    seconds, and cipUrpfComputeInterval 30 seconds. Every 30
    seconds, the drop count five minutes previous is subtracted
    from the current drop count, and the result is divided by
    300 to arrive at the drop rate.
    At device start-up, until
    the device has been up more than cipUrpfDropRateWindow, when
    drop rate is computed, the value of cipUrpfDrops is divided
    by the time the device has been up.
    After the device has
    been up for cipUrpfDropRateWindow, when drop rate is
    computed, the number of packet drops counted from interval
    start time to the computation time is divided by
    cipUrpfDropRateWindow.
    Changes to cipUrpfDropRateWindow are
    not reflected in this object until the next computation
    time.
    The rate from the most recent computation is the
    value fetched until the subsequent computation is
    performed.";
              }
            }  // list cipUrpfEntry
          }  // container cipUrpfTable
    
          // Per-interface, per-IP-version statistics. A row exists only while URPF checking
          // is configured for that interface and IP version, so a row vanishing is itself a
          // configuration change a monitoring system should notice.
          container cipUrpfIfMonTable {
            smiv2:oid "1.3.6.1.4.1.9.9.451.1.2.2";
            description
              "This table contains information on URPF dropping on
    an interface.";
            list cipUrpfIfMonEntry {
              smiv2:oid "1.3.6.1.4.1.9.9.451.1.2.2.1";
              key "ifIndex cipUrpfIfIpVersion";
              description
                "If IPv4 packet forwarding is configured on an interface,
    and is configured to perform URPF checking, a row appears
    in this table with indices [ifIndex][ipv4]. If IPv4
    packet forwarding is deconfigured, or URPF checking
    is deconfigured, the row disappears.
    
    If IPv6 packet forwarding is configured on an interface,
    and is configured to perform URPF checking, a row appears
    in the table with indices [ifIndex][ipv6].  If IPv6
    packet forwarding is deconfigured, or URPF checking
    is deconfigured, the row disappears.";
              // First key: the IF-MIB interface index (leafref, no OID of its own here).
              leaf ifIndex {
                type leafref {
                  path "/if-mib:IF-MIB/if-mib:ifTable/if-mib:ifEntry/if-mib:ifIndex";
                }
              }
    
              // Second key: which IP version the row's counters and configuration apply to.
              leaf cipUrpfIfIpVersion {
                smiv2:max-access "not-accessible";
                smiv2:oid "1.3.6.1.4.1.9.9.451.1.2.2.1.1";
                type enumeration {
                  enum "ipv4" {
                    value 1;
                  }
                  enum "ipv6" {
                    value 2;
                  }
                }
                description
                  "Specifies the version of IP forwarding on an interface
    to which the table row URPF counts, rates, and
    configuration apply.";
              }
    
              // Packets that failed the check and were dropped on this interface.
              // 32-bit counter; pair reads with cipUrpfIfDiscontinuityTime to tell
              // a reset from a wrap.
              leaf cipUrpfIfDrops {
                smiv2:max-access "read-only";
                smiv2:oid "1.3.6.1.4.1.9.9.451.1.2.2.1.2";
                type yang:counter32;
                units "packets";
                description
                  "The number of IP packets of version cipUrpfIfIpVersion
    failing the URPF check and dropped by the managed device
    on a particular interface.
    
    Discontinuities in the value of this variable can occur
    at re-initialization of the management system, and at
    other times as indicated by the values of
    cipUrpfIfDiscontinuityTime.";
              }
    
              // Packets that failed the check but were forwarded anyway (self-ping, loose
              // fallback, DHCP/RIP/multicast exemptions, permitting ACLs). A value that rises
              // while cipUrpfIfDrops stays flat means exemptions are absorbing the failures,
              // which is worth reviewing when investigating suspected spoofing.
              leaf cipUrpfIfSuppressedDrops {
                smiv2:max-access "read-only";
                smiv2:oid "1.3.6.1.4.1.9.9.451.1.2.2.1.3";
                type yang:counter32;
                units "packets";
                description
                  "The number of IP packets of version cipUrpfIfIpVersion
    failing the URPF check but given a reprieve and not
    dropped by the managed device. Depending on the
    device configuration and capabilities, the following
    cases may cause incrementing of the counter:
    - if the managed device is configured to allow self-pings
      and the managed device pings itself.
    - if the managed device is configured for loose URPF (if any
      interface has a route to the source), and the strict
      case fails while the loose case passes.
    - DHCP Request packets (src 0.0.0.0 dst 255.255.255.255)
      will pass after initially being marked for drop.
    - RIP routing on unnumbered interfaces will pass after
      initially being marked for drop.
    - multicast packets will pass after initially being marked
      for drop
    - ACL's can be applied to permit packets after initially
      being marked for drop.
    
    Discontinuities in the value of this variable can occur
    at re-initialization of the management system, and at
    other times as indicated by the values of
    cipUrpfIfDiscontinuityTime.";
              }
    
              // The per-interface rate that is compared with cipUrpfIfNotifyDropRateThreshold
              // (see the augment below). Computed the same way as cipUrpfDropRate, but the
              // start-up special case is measured from row creation rather than device boot.
              leaf cipUrpfIfDropRate {
                smiv2:max-access "read-only";
                smiv2:oid "1.3.6.1.4.1.9.9.451.1.2.2.1.4";
                type yang:gauge32;
                units "packets/second";
                description
                  "The rate of packet drops of IP version cipUrpfIfIpVersion
    packets due to URPF on the interface.
    
    This object is the average rate of dropping over the most
    recent interval of time. The rate is computed by dividing
    the number of packets dropped over an interval by the
    interval time in seconds. Each time the drop rate
    is computed, and at system startup, a snapshot is taken
    of the latest value of cipUrpfIfDrops. Subtracting from this
    the snapshot of cipUrpfIfDrops at the start of the current
    interval of time gives the number of packets dropped.
    The drop rate is computed every cipUrpfComputeInterval
    seconds.
    
    When drop rate is computed, if time since the creation of
    a row in cipUrpfIfMonTable is less than
    cipUrpfDropRateWindow, the value of cipUrpfIfDrops is
    divided by the time since row was created.
    
    After the row has been in existence for
    cipUrpfDropRateWindow, when drop rate is computed, the
    number of packet drops counted on the interface from
    interval start time to the computation time is divided
    by cipUrpfDropRateWindow.
    
    Changes to cipUrpfDropRateWindow are not reflected in this
    object until the next computation time.
    
    The rate from the  most recent computation is the value
    fetched until the subsequent computation is performed.";
              }
    
              // sysUpTime at the last counter discontinuity for this row; zero if none since
              // the management subsystem last re-initialised.
              leaf cipUrpfIfDiscontinuityTime {
                smiv2:max-access "read-only";
                smiv2:oid "1.3.6.1.4.1.9.9.451.1.2.2.1.5";
                type yang:timestamp;
                description
                  "The value of sysUpTime on the most recent
    occasion at which this interface's  counters
    suffered  a discontinuity.
    If no such discontinuities have occurred
    since the last re-initialization of the
    local management subsystem, then this
    object contains a value of zero.";
              }
            }  // list cipUrpfIfMonEntry
          }  // container cipUrpfIfMonTable
    
          // Drop statistics for interfaces whose URPF check consults a VRF routing table.
          // Keyed by VRF name first, then ifIndex; the VRF name must exist in cipUrpfVrfTable.
          container cipUrpfVrfIfTable {
            smiv2:oid "1.3.6.1.4.1.9.9.451.1.2.3";
            description
              "This table contains statistics information for interfaces
    performing URPF using VRF table to determine reachability.";
            list cipUrpfVrfIfEntry {
              smiv2:oid "1.3.6.1.4.1.9.9.451.1.2.3.1";
              key "cipUrpfVrfName ifIndex";
              description
                "An entry exists for a VRF and interface if and only
    if the VRF associated with the interface is configured
    to perform IP URPF checking using the routing
    table for the VRF.";
              // Leafref into cipUrpfVrfTable, which is defined later in this module.
              leaf cipUrpfVrfName {
                type leafref {
                  path "/CISCO-IP-URPF-MIB:CISCO-IP-URPF-MIB/CISCO-IP-URPF-MIB:cipUrpfVrfTable/CISCO-IP-URPF-MIB:cipUrpfVrfEntry/CISCO-IP-URPF-MIB:cipUrpfVrfName";
                }
              }
    
              leaf ifIndex {
                type leafref {
                  path "/if-mib:IF-MIB/if-mib:ifTable/if-mib:ifEntry/if-mib:ifIndex";
                }
              }
    
              // 32-bit drop counter for this (VRF, interface) pair; use
              // cipUrpfVrfIfDiscontinuityTime to detect resets.
              leaf cipUrpfVrfIfDrops {
                smiv2:max-access "read-only";
                smiv2:oid "1.3.6.1.4.1.9.9.451.1.2.3.1.2";
                type yang:counter32;
                units "packets";
                description
                  "The number of packets failing the URPF check for a VRF on
    the interface and dropped by the managed device.
    
    Discontinuities in the value of this variable can occur
    at re-initialization of the management system, and at
    other times as indicated by the values of
    cipUrpfVrfIfDiscontinuityTime.";
              }
    
              leaf cipUrpfVrfIfDiscontinuityTime {
                smiv2:max-access "read-only";
                smiv2:oid "1.3.6.1.4.1.9.9.451.1.2.3.1.3";
                type yang:timestamp;
                description
                  "The value of sysUpTime on the most recent occasion at
    which the URPF counters for this VRF on this interface
    suffered  a discontinuity.  If no such discontinuities
    have occurred since the last re-initialization of the
    local management subsystem, then this object contains a
    value of zero.";
              }
            }  // list cipUrpfVrfIfEntry
          }  // container cipUrpfVrfIfTable
    
          // The set of VRF names that have at least one interface doing URPF against that
          // VRF's routing table. Lives under the cipUrpfVrf subtree (...451.1.4), not under
          // cipUrpfStatistics like the tables above.
          container cipUrpfVrfTable {
            smiv2:oid "1.3.6.1.4.1.9.9.451.1.4.1";
            description
              "This table enables indexing URPF drop statistics
    by Virtual Routing and Forwarding instances.";
            list cipUrpfVrfEntry {
              smiv2:oid "1.3.6.1.4.1.9.9.451.1.4.1.1";
              key "cipUrpfVrfName";
              description
                "An entry exists for a VRF if and only if the VRF
    is associated with an interface that is configured
    to perform IP URPF checking using the routing table
    for that VRF.";
              // Row key: SnmpAdminString limited to 32 characters.
              leaf cipUrpfVrfName {
                smiv2:max-access "read-only";
                smiv2:oid "1.3.6.1.4.1.9.9.451.1.4.1.1.1";
                type snmp-framework:SnmpAdminString {
                  length "0..32";
                }
                description
                  "This field is used to specify the VRF Table
    name.";
              }
            }  // list cipUrpfVrfEntry
          }  // container cipUrpfVrfTable
        }  // container CISCO-IP-URPF-MIB
    
        // The SMIv2 cipUrpfIfConfTable (OID 1.3.6.1.4.1.9.9.451.1.3.1.1) folded into
        // cipUrpfIfMonEntry: one set of notification settings and RPF configuration per
        // (interface, IP version). The augmented nodes inherit 'config false' from the
        // target, so the "read-write" max-access values below describe SNMP access only.
        augment /CISCO-IP-URPF-MIB:CISCO-IP-URPF-MIB/CISCO-IP-URPF-MIB:cipUrpfIfMonTable/CISCO-IP-URPF-MIB:cipUrpfIfMonEntry {
          smiv2:oid "1.3.6.1.4.1.9.9.451.1.3.1.1";
          description
            "A row exists in this table if a row exists
    in cipUrpfIfMonTable.";
          // Defaults to false: drop-rate notifications are OFF until enabled per interface
          // and IP version. Because the flag is SNMP-writable, a notification that stops
          // arriving can mean the flag was cleared as well as that drops stopped; audit
          // this value together with the threshold when validating alerting coverage.
          leaf cipUrpfIfDropRateNotifyEnable {
            smiv2:defval "false";
            smiv2:max-access "read-write";
            smiv2:oid "1.3.6.1.4.1.9.9.451.1.3.1.1.1";
            type boolean;
            description
              "This object specifies whether the system produces the
    cipUrpfIfDropRateNotify notification as a result of URPF
    dropping of version cipUrpfIfIpVersion IP packets on this
    interface. A false value prevents such notifications from
    being generated by this system.";
          }
    
          // Threshold in packets/second (default 1000) compared with cipUrpfIfDropRate.
          // 0 is special: any drop during an interval generates a notification. Note that
          // because the rate is averaged over the window, a non-zero threshold cannot catch
          // fewer than 'threshold' drops per second of window.
          leaf cipUrpfIfNotifyDropRateThreshold {
            smiv2:defval "1000";
            smiv2:max-access "read-write";
            smiv2:oid "1.3.6.1.4.1.9.9.451.1.3.1.1.2";
            type uint32;
            units "packets/second";
            description
              "When the calculated rate of URPF packet drops
    (cipUrpfIfDropRate) meets or exceeds the value
    specified by this object, a cipUrpfIfDropRateNotify
    notification is sent if cipUrpfIfDropRateNotifyEnable
    is set to true, and no such notification for the
    IP version has been sent for this interface for the
    hold-down period.
    
    Note that due to the calculation used for drop rate,
    if there are less than n drop events in an n-second
    period the notification will not be generated. To allow
    for the detection of a small number of drop events, the
    value 0 (zero) is used to indicate that if any drop events
    occur during the interval, a notification is generated.";
          }
    
          // Write-only trigger: setting true releases a pending notification without
          // waiting out cipUrpfDropNotifyHoldDownTime. Reads always return false, so this
          // object cannot be used to detect that a reset happened. The "five-minute" figure
          // in the description is the hold-down default, not a fixed value.
          leaf cipUrpfIfNotifyDrHoldDownReset {
            smiv2:defval "false";
            smiv2:max-access "read-write";
            smiv2:oid "1.3.6.1.4.1.9.9.451.1.3.1.1.3";
            type boolean;
            description
              "Setting this object to true causes the five-minute
    hold-down timer for emitting URPF drop rate
    notifications for IP version cipUrpfIfIpVersion on
    the interface to be short-circuited.  If a notification
    is due and would be emitted for the interface if the
    five-minutes elapsed, setting this object will cause
    the notification to be sent.
    
    This is a trigger, and doesn't hold information. It is
    set and an action is performed. Therefore a get for
    this object always returns false.";
          }
    
          // Local two-value enum (strict=1, loose=2) rather than the UnicastRpfType typedef:
          // there is no 'disabled' value because a cipUrpfIfMonEntry row only exists while
          // URPF checking is configured on the interface.
          leaf cipUrpfIfCheckStrict {
            smiv2:max-access "read-only";
            smiv2:oid "1.3.6.1.4.1.9.9.451.1.3.1.1.4";
            type enumeration {
              enum "strict" {
                value 1;
              }
              enum "loose" {
                value 2;
              }
            }
            description
              "Interface configuration indicating the strictness of
    the reachability check performed
    on the interface.
    - strict: check that source addr is reachable via
    	  the interface it came in on.
    - loose : check that source addr is reachable via
    	  some interface on the device.";
          }
    
          // Which routing table the check consults; when 'vrf', cipUrpfIfVrfName names it.
          leaf cipUrpfIfWhichRouteTableID {
            smiv2:max-access "read-only";
            smiv2:oid "1.3.6.1.4.1.9.9.451.1.3.1.1.5";
            type enumeration {
              enum "default" {
                value 1;
              }
              enum "vrf" {
                value 2;
              }
            }
            description
              "Interface configuration indicating the routing table
    consulted for the reachability check:
    - default: the non-private routing table for of the
    	   managed system.
    - vrf   : a particular VPN routing table.";
          }
    
          // VRF name (up to 32 characters) when cipUrpfIfWhichRouteTableID is 'vrf';
          // empty string otherwise.
          leaf cipUrpfIfVrfName {
            smiv2:max-access "read-only";
            smiv2:oid "1.3.6.1.4.1.9.9.451.1.3.1.1.6";
            type snmp-framework:SnmpAdminString {
              length "0..32";
            }
            description
              "If the value of cipUrpfIfWhichRouteTableID is 'vrf',
    the name of the VRF Table. Otherwise a zero-length
    string.";
          }
        }
    
        // Sent when cipUrpfIfDropRateNotifyEnable is true and cipUrpfIfDropRate crosses
        // cipUrpfIfNotifyDropRateThreshold, rate-limited per (interface, IP version) by
        // cipUrpfDropNotifyHoldDownTime (default 300 s, the "five minutes" below).
        // NOTE(review): the threshold leaf's description says "meets or exceeds" while the
        // text below says "exceeds"; the >= wording is the one consistent with the value-0
        // special case, so treat the comparison as >= until confirmed against the agent.
        notification cipUrpfIfDropRateNotify {
          smiv2:oid "1.3.6.1.4.1.9.9.451.0.1";
          description
            "This notification is generated when
    cipUrpfIfDropRateNotifyEnable is set to true and
    the calculated URPF drop rate (cipUrpfIfDropRate)
    exceeds the notification threshold drop rate
    (cipUrpfIfNotifyDropRateThreshold). Note the
    exceptional value of 0 for threshold allows notification
    generation if any drop events occur in an interval.
    
    After generating this notification, another such
    notification will not be sent out for a minimum of five
    minutes (note the exception to this provided by
    cipUrpfIfNotifyDrHoldDownReset).
    
    The object value present in the notification is the
    the drop rate that exceeded the threshold.";
          // Notification payload: the interface, the IP version, and the rate value that
          // crossed the threshold. The receiver must poll the device to learn when the
          // event has ended (no "cleared" notification is defined in this module).
          container object-1 {
            leaf ifIndex {
              type leafref {
                path "/if-mib:IF-MIB/if-mib:ifTable/if-mib:ifEntry/if-mib:ifIndex";
              }
            }
    
            leaf cipUrpfIfIpVersion {
              type leafref {
                path "/CISCO-IP-URPF-MIB:CISCO-IP-URPF-MIB/CISCO-IP-URPF-MIB:cipUrpfIfMonTable/CISCO-IP-URPF-MIB:cipUrpfIfMonEntry/CISCO-IP-URPF-MIB:cipUrpfIfIpVersion";
              }
            }
    
            leaf cipUrpfIfDropRate {
              type leafref {
                path "/CISCO-IP-URPF-MIB:CISCO-IP-URPF-MIB/CISCO-IP-URPF-MIB:cipUrpfIfMonTable/CISCO-IP-URPF-MIB:cipUrpfIfMonEntry/CISCO-IP-URPF-MIB:cipUrpfIfDropRate";
              }
            }
          }  // container object-1
        }  // notification cipUrpfIfDropRateNotify
      }  // module CISCO-IP-URPF-MIB
    
