--- 1/draft-ietf-opsawg-vmm-mib-03.txt 2015-08-05 01:15:02.635950385 -0700 +++ 2/draft-ietf-opsawg-vmm-mib-04.txt 2015-08-05 01:15:02.735952821 -0700 
@@ -1,85 +1,86 @@ OPSAWG H. Asai Internet-Draft Univ. of Tokyo Intended status: Standards Track M. MacFaden -Expires: November 27, 2015 VMware Inc. +Expires: February 6, 2016 VMware Inc. J. Schoenwaelder Jacobs University K. Shima IIJ Innovation Institute Inc. T. Tsou Huawei Technologies (USA) - May 26, 2015 + August 5, 2015 Management Information Base for Virtual Machines Controlled by a Hypervisor - draft-ietf-opsawg-vmm-mib-03 + draft-ietf-opsawg-vmm-mib-04 Abstract This document defines a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. In particular, this specifies objects for managing virtual machines controlled by a hypervisor (a.k.a. virtual machine monitor). -Status of this Memo +Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on November 27, 2015. + This Internet-Draft will expire on February 6, 2016. Copyright Notice Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. 
Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents - 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 - 2. The Internet-Standard Management Framework . . . . . . . . . . 4 - 3. Overview and Objectives . . . . . . . . . . . . . . . . . . . 5 - 4. Structure of the VM-MIB Module . . . . . . . . . . . . . . . . 7 - 5. Relationship to Other MIB Modules . . . . . . . . . . . . . . 10 - 6. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 11 - 6.1. VM-MIB . . . . . . . . . . . . . . . . . . . . . . . . . . 11 - 6.2. IANA-STORAGE-MEDIA-TYPE-MIB . . . . . . . . . . . . . . . 45 - 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 47 - 8. Security Considerations . . . . . . . . . . . . . . . . . . . 48 - 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 49 - 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 50 - 10.1. Normative References . . . . . . . . . . . . . . . . . . . 50 - 10.2. Informative References . . . . . . . . . . . . . . . . . . 51 - Appendix A. State Transition Table . . . . . . . . . . . . . . . 52 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 54 + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 + 2. The Internet-Standard Management Framework . . . . . . . . . 3 + 3. Overview and Objectives . . . . . . . . . . . . . . . . . . . 3 + 4. Structure of the VM-MIB Module . . . . . . . . . . . . . . . 5 + 5. Relationship to Other MIB Modules . . . . . . . . . . . . . . 7 + 6. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 8 + 6.1. VM-MIB . . . . . . . . . . . . . . . . . . . . . . . . . 8 + 6.2. IANA-STORAGE-MEDIA-TYPE-MIB . . . . . . . . . . . . . . . 43 + 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 44 + 8. 
Security Considerations . . . . . . . . . . . . . . . . . . . 44 + 9. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 46 + 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 46 + 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 46 + 11.1. Normative References . . . . . . . . . . . . . . . . . . 46 + 11.2. Informative References . . . . . . . . . . . . . . . . . 48 + Appendix A. State Transition Table . . . . . . . . . . . . . . . 48 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 50 1. Introduction This document defines a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. In particular, this specifies objects for managing virtual machines controlled by a hypervisor (a.k.a. virtual machine monitor). A hypervisor controls multiple virtual machines on a single physical machine by allocating resources to each virtual machine using virtualization technologies. Therefore, this MIB 
@@ -162,68 +163,68 @@ objects are managed at the hypervisor. In case that the objects are accessed through the SNMP, an SNMP agent is launched at the hypervisor to provide access to the objects. The objects are managed from the viewpoint of the operators of hypervisors, but not the operators of virtual machines; i.e., the objects do not take into account the actual resource utilization on each virtual machine but the resource allocation from the physical resources. For example, vmNetworkIfIndex indicates the virtual interface associated with an interface of a virtual machine at the - hypervisor, and consequently, the `in' and `out' directions denote - `from a virtual machine to the hypervisor' and `from the hypervisor + hypervisor, and consequently, the 'in' and 'out' directions denote + 'from a virtual machine to the hypervisor' and 'from the hypervisor to a virtual machine', respectively. Moreover, vmStorageAllocatedSize denotes the size allocated by the hypervisor, but not the size actually used by the operating system on the virtual machine. This means that vmStorageDefinedSize and vmStorageAllocatedSize do not take different values when the - vmStorageSourceType is `block' or `raw'. + vmStorageSourceType is 'block' or 'raw'. The objectives of this document are the followings: 1) This document defines the MIB objects common to many hypervisors for the management of virtual machines controlled by a hypervisor. 2) This document clarifies the relationship with other MIB modules for managing host computers and network devices. 4. Structure of the VM-MIB Module The MIB module is organized into a group of scalars and tables. The - scalars below `vmHypervisor' provide basic information about the - hypervisor. The `vmTable' lists the virtual machines (guests) that - are known to the hypervisor. The `vmCpuTable' provides the mapping + scalars below 'vmHypervisor' provide basic information about the + hypervisor. 
The 'vmTable' lists the virtual machines (guests) that + are known to the hypervisor. The 'vmCpuTable' provides the mapping table of virtual CPUs to virtual machines, including CPU time used by each virtual CPU. The 'vmCpuAffinityTable' provides the affinity of - each virtual CPU to a physical CPU. The `vmStorageTable' provides + each virtual CPU to a physical CPU. The 'vmStorageTable' provides the list of virtual storage devices and their mapping to virtual - machines. In case that an entry in the `vmStorageTable' has a + machines. In case that an entry in the 'vmStorageTable' has a corresponding parent physical storage device managed in - `vmStorageTable' of HOST-RESOURCES-MIB [RFC2790], the entry contains - a pointer `vmStorageParent' to the physical storage device. The - `vmNetworkTable' provides the list of virtual network interfaces and + 'vmStorageTable' of HOST-RESOURCES-MIB [RFC2790], the entry contains + a pointer 'vmStorageParent' to the physical storage device. The + 'vmNetworkTable' provides the list of virtual network interfaces and their mapping to virtual machines. Each entry in the - `vmNetworkTable' also provides a pointer `vmNetworkIfIndex' to the - corresponding entry in the `ifTable' of IF-MIB [RFC2863]. In case - that an entry in the `vmNetworkTable' has a corresponding parent - physical network interface managed in the `ifTable' of IF-MIB, the - entry contains a pointer `vmNetworkParent' to the physical network + 'vmNetworkTable' also provides a pointer 'vmNetworkIfIndex' to the + corresponding entry in the 'ifTable' of IF-MIB [RFC2863]. In case + that an entry in the 'vmNetworkTable' has a corresponding parent + physical network interface managed in the 'ifTable' of IF-MIB, the + entry contains a pointer 'vmNetworkParent' to the physical network interface. 
Notation: +-------------+ | vmOperState | : Finite state; the first line presents the - | | `vmOperState', and the second line presents a + | | 'vmOperState', and the second line presents a +-------------+ notification generated if applicable. + - - - - - - + | vmOperState | : Transient state; first line presents the - | | `vmOperState', and the second line presents a + | | 'vmOperState', and the second line presents a + - - - - - - + notification generated if applicable. ! : Notification; a text followed by the symbol "!" denotes a notification generated. ===================================================================== +---------------+ + - - - - - - - -+ +------------+ | suspended(6) |<--| suspending(5) | | paused(8) | | !vmSuspended | | !vmSuspending | | !vmPaused | 
@@ -248,69 +249,67 @@ | v !vmDeleted +--------------+ + - - - - - - - -+ (Deleted from | crashed(12) | | preparing(3) | vmTable) | !vmCrashed | | | +--------------+ + - - - - - - - -+ The overview of the state transition of a virtual machine Figure 2: State transition of a virtual machine - The `vmAdminState' and `vmOperState' textual conventions define an + The 'vmAdminState' and 'vmOperState' textual conventions define an administrative state and an operational state model for virtual machines. Events causing transitions between major operational states will cause the generation of notifications. Per virtual machine (per-VM) notifications (vmRunning, vmShutdown, vmPaused, vmSuspended, vmCrashed, vmDeleted) are generated if vmPerVMNotificationsEnabled is true(1). Bulk notifications (vmBulkRunning, vmBulkShutdown, vmBulkPaused, vmBulkSuspended, vmBulkCrashed, vmBulkDeleted) are generated if vmBulkNotificationsEnabled is true(1). The overview of the - transition of `vmOperState' by the write access to `vmAdminState' and + transition of 'vmOperState' by the write access to 'vmAdminState' and the notifications generated by the operational state changes are illustrated in Figure 2. The detailed state transition is summarized in Appendix A. Note that the notifications shown in this figure are per-VM notifications. In the case of Bulk notifications, the prefix - `vm' is replaced with 'vmBulk'. + 'vm' is replaced with 'vmBulk'. The bulk notification mechanism is designed to reduce the number of notifications that are trapped by an SNMP manager. This is because the number of virtual machines managed by a bunch of hypervisors in a datacenter possibly becomes several thousands or more, and consequently, many notifications could be trapped if these virtual machines frequently change their administrative state. The per-VM notifications carry more detailed information, but the scalability is - a problem. 
An implementation MUST support both, either of, or none - of per-VM notifications and bulk notifications. The notification - filtering mechanism described in section 6 of RFC 3413 [RFC3413] is - used by the management applications to control the notifications. + a problem. The notification filtering mechanism described in section + 6 of RFC 3413 [RFC3413] is used by the management applications to + control the notifications. 5. Relationship to Other MIB Modules - HOST-RESOURCES-MIB [RFC2790] defines the MIB objects for managing - host systems. Hypervisors MUST implement HOST-RESOURCES-MIB. On - systems implementing HOST-RESOURCES-MIB, the objects of HOST- - RESOURCES-MIB indicate resources of a hypervisor. Some objects of - HOST-RESOURCES-MIB are used to indicate physical resources through - indexes. On systems implementing HOST-RESOURCES-MIB, the - `vmCpuPhysIndex' points to the processor's `hrDeviceIndex' in the - `hrProcessorTable'. The `vmStorageParent' also points to the storage - device's `hrStorageIndex' in the `hrStorageTable'. + The HOST-RESOURCES-MIB [RFC2790] defines the MIB objects for managing + host systems. On systems implementing the HOST-RESOURCES-MIB, the + objects of HOST-RESOURCES-MIB indicate resources of a hypervisor. + Some objects of HOST-RESOURCES-MIB are used to indicate physical + resources through indexes. On systems implementing HOST-RESOURCES- + MIB, the 'vmCpuPhysIndex' points to the processor's 'hrDeviceIndex' + in the 'hrProcessorTable'. The 'vmStorageParent' also points to the + storage device's 'hrStorageIndex' in the 'hrStorageTable'. - IF-MIB [RFC2863] defines the MIB objects for managing network + The IF-MIB [RFC2863] defines the MIB objects for managing network interfaces. Both physical and virtual network interfaces are - required to be contained in the `ifTable' of IF-MIB. 
The virtual - network interfaces in the `ifTable' of IF-MIB are pointed from the - `vmNetworkTable' defined in this document through a pointer - `vmNetworkIfIndex'. In case that an entry in the `vmNetworkTable' + required to be contained in the 'ifTable' of IF-MIB. The virtual + network interfaces in the 'ifTable' of IF-MIB are pointed from the + 'vmNetworkTable' defined in this document through a pointer + 'vmNetworkIfIndex'. In case that an entry in the 'vmNetworkTable' has a corresponding parent physical network interface managed in the - `ifTable' of IF-MIB, the entry contains a pointer `vmNetworkParent' + 'ifTable' of IF-MIB, the entry contains a pointer 'vmNetworkParent' to the physical network interface. The objects related to virtual switches are not included in the MIB module defined in this document though virtual switches MAY be placed on a hypervisor. This is because the virtual network interfaces are the lowest abstraction of network resources allocated to a virtual machine. Instead of including the objects related to virtual switches, for example, IEEE8021-BRIDGE-MIB [IEEE8021-BRIDGE-MIB] and IEEE8021-Q-BRIDGE-MIB [IEEE8021-Q-BRIDGE-MIB] could be used. @@ -337,21 +336,21 @@ SnmpAdminString FROM SNMP-FRAMEWORK-MIB UUIDorZero FROM UUID-TC-MIB InterfaceIndexOrZero FROM IF-MIB IANAStorageMediaType FROM IANA-STORAGE-MEDIA-TYPE-MIB; vmMIB MODULE-IDENTITY - LAST-UPDATED "201505260000Z" -- 26 May 2015 + LAST-UPDATED "201508050000Z" -- 5 August 2015 ORGANIZATION "IETF Operations and Management Area Working Group" CONTACT-INFO " WG E-mail: opsawg@ietf.org Mailing list subscription info: https://www.ietf.org/mailman/listinfo/opsawg Hirochika Asai The University of Tokyo 7-3-1 Hongo 
@@ -381,40 +380,41 @@ Tina Tsou Huawei Technologies (USA) 2330 Central Expressway Santa Clara CA 95050 USA Email: tina.tsou.zouting@huawei.com " DESCRIPTION "This MIB module is for use in managing a hypervisor and - virtual machines controlled by the hypervisor. The OID - `yyy' is temporary one, and it must be assigned by IANA - when this becomes an official document. + virtual machines controlled by the hypervisor. Copyright (c) 2015 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info)." - REVISION "201505260000Z" -- 26 May 2015 + REVISION "201508050000Z" -- 5 August 2015 DESCRIPTION - "The original version of this MIB, published as + "The initial version of this MIB, published as RFCXXXX." ::= { mib-2 yyy } + -- RFC Ed.: replace XXXX with RFC number and remove this note + -- RFC Ed.: replace yyy with actual number and remove this note + vmNotifications OBJECT IDENTIFIER ::= { vmMIB 0 } vmObjects OBJECT IDENTIFIER ::= { vmMIB 1 } vmConformance OBJECT IDENTIFIER ::= { vmMIB 2 } -- Textual conversion definitions -- VirtualMachineIndex ::= TEXTUAL-CONVENTION DISPLAY-HINT "d" STATUS current DESCRIPTION 
@@ -698,47 +697,47 @@ network interface MUST remain constant at least from one re-initialization of the hypervisor to the next re-initialization." SYNTAX Integer32 (1..2147483647) VirtualMachineList ::= TEXTUAL-CONVENTION DISPLAY-HINT "1x" STATUS current DESCRIPTION "Each octet within this value specifies a set of eight - virtual machine vmIndex, with the first octet specifying - virtual machine 1 through 8, the second octet specifying - virtual machine 9 through 16, etc. Within each octet, - the most significant bit represents the lowest numbered - vmIndex, and the least significant bit represents the - highest numbered vmIndex. Thus, each virtual machine of - the host is represented by a single bit within the value - of this object. If that bit has a value of '1', then - that virtual machine is included in the set of virtual - machines; the virtual machine is not included if its bit - has a value of '0'." + virtual machine vmIndex values, with the first octet + specifying virtual machine 1 through 8, the second octet + specifying virtual machine 9 through 16, etc. Within + each octet, the most significant bit represents the + lowest numbered vmIndex, and the least significant bit + represents the highest numbered vmIndex. Thus, each + virtual machine of the host is represented by a single + bit within the value of this object. If that bit has + a value of '1', then that virtual machine is included + in the set of virtual machines; the virtual machine is + not included if its bit has a value of '0'." SYNTAX OCTET STRING -- The hypervisor group -- -- A collection of objects common to all hypervisors. -- vmHypervisor OBJECT IDENTIFIER ::= { vmObjects 1 } vmHvSoftware OBJECT-TYPE SYNTAX SnmpAdminString (SIZE (0..255)) MAX-ACCESS read-only STATUS current DESCRIPTION "A textual description of the hypervisor software. This - value SHOULD not include its version as it SHOULD be - included in `vmHvVersion'." 
+ value SHOULD NOT include its version as it SHOULD be + included in 'vmHvVersion'." ::= { vmHypervisor 1 } vmHvVersion OBJECT-TYPE SYNTAX SnmpAdminString (SIZE (0..255)) MAX-ACCESS read-only STATUS current DESCRIPTION "A textual description of the version of the hypervisor software." ::= { vmHypervisor 2 } @@ -1105,27 +1106,27 @@ vmCpuAffinity OBJECT-TYPE SYNTAX INTEGER { unknown(0), -- unknown enable(1), -- enabled disable(2) -- disabled } MAX-ACCESS read-only STATUS current DESCRIPTION "The CPU affinity of this virtual CPU to the physical - CPU represented by `vmCpuPhysIndex'." + CPU represented by 'vmCpuPhysIndex'." ::= { vmCpuAffinityEntry 3 } -- The virtual storage devices on each virtual machine. This -- document defines some overlapped objects with hrStorage in -- HOST-RESOURCES-MIB [RFC2790], because virtual resources are - -- allocated from the hypervisor's resources, which is the `host + -- allocated from the hypervisor's resources, which is the 'host -- resources' vmStorageTable OBJECT-TYPE SYNTAX SEQUENCE OF VmStorageEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The conceptual table of virtual storage devices attached to the virtual machine." ::= { vmObjects 7 } @@ -1240,21 +1241,21 @@ "The media type of the virtual storage device." ::= { vmStorageEntry 8 } vmStorageMediaTypeString OBJECT-TYPE SYNTAX SnmpAdminString (SIZE (0..255)) MAX-ACCESS read-only STATUS current DESCRIPTION "A (detailed) textual string of the virtual storage media. For example, this represents the specific driver - name of the emulated media such as `IDE' and `SCSI'." + name of the emulated media such as 'IDE' and 'SCSI'." ::= { vmStorageEntry 9 } vmStorageSizeUnit OBJECT-TYPE SYNTAX Integer32 (1..2147483647) MAX-ACCESS read-only STATUS current DESCRIPTION "The multiplication unit in byte for vmStorageDefinedSize and vmStorageAllocatedSize. For example, when this value is 1048576, the storage size 
@@ -1276,21 +1277,21 @@ SYNTAX Integer32 (-1|0..2147483647) MAX-ACCESS read-only STATUS current DESCRIPTION "The storage size allocated to the virtual storage from a physical storage in the unit designated by vmStorageSizeUnit. When the virtual storage is block device or raw file, this value and vmStorageDefinedSize are supposed to equal. This value MUST NOT be different from vmStorageDefinedSize when vmStorageSourceType is - `block' or `raw'. If this information is not available, + 'block' or 'raw'. If this information is not available, this value MUST be -1." ::= { vmStorageEntry 12 } vmStorageReadIOs OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of read I/O requests. @@ -1435,21 +1436,21 @@ represented in the ifTable." ::= { vmNetworkEntry 3 } vmNetworkModel OBJECT-TYPE SYNTAX SnmpAdminString (SIZE (0..255)) MAX-ACCESS read-only STATUS current DESCRIPTION "A textual string containing the (emulated) model of virtual network interface. For example, this value is - `virtio' when the emulation driver model is virtio." + 'virtio' when the emulation driver model is virtio." ::= { vmNetworkEntry 4 } vmNetworkPhysAddress OBJECT-TYPE SYNTAX PhysAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The MAC address of the virtual network interface." ::= { vmNetworkEntry 5 } 
@@ -1988,45 +1991,53 @@ IANA-STORAGE-MEDIA-TYPE-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, mib-2 FROM SNMPv2-SMI TEXTUAL-CONVENTION FROM SNMPv2-TC; ianaStorageMediaTypeMIB MODULE-IDENTITY - LAST-UPDATED "201505260000Z" -- 26 May 2015 + LAST-UPDATED "201508050000Z" -- 5 August 2015 ORGANIZATION "IANA" CONTACT-INFO - "TBD" + "Internet Assigned Numbers Authority + Postal: ICANN + 12025 Waterfront Drive, Suite 300 + Los Angeles, CA 90094-2536 + Tel: +1 310-301-5800 + E-Mail: iana&iana.org" DESCRIPTION "This MIB module defines Textual Conventions representing the media type of a storage device. Copyright (c) 2015 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info)." - REVISION "201505260000Z" -- 26 May 2015 + REVISION "201508050000Z" -- 5 August 2015 DESCRIPTION - "The original version of this MIB, published as + "The initial version of this MIB, published as RFCXXXX." ::= { mib-2 zzz } + -- RFC Ed.: replace XXXX with RFC number and remove this note + -- RFC Ed.: replace zzz with actual number and remove this note + IANAStorageMediaType ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "The media type of a storage device: unknown(1) The media type is unknown, e.g., because the implementation failed to obtain the media type from the hypervisor. other(2) The media type is other than those 
@@ -2055,149 +2066,193 @@ to be added to the enumeration in IANAStorageMediaType. An Expert Review, as defined in RFC 5226 [RFC5226], is REQUIRED for each modification. The MIB module in this document uses the following IANA-assigned OBJECT IDENTIFIER values recorded in the SMI Numbers registry: Descriptor OBJECT IDENTIFIER value ---------- ----------------------- - vmMIB { mib-2 TBD } - IANAStorageMediaTypeMIB { mib-2 TBD } + vmMIB { mib-2 yyy } + IANAStorageMediaTypeMIB { mib-2 zzz } 8. Security Considerations - There are two objects defined in this MIB, + This MIB module is typically implemented on the hypervisor not inside + a virtual machine. Virtual machines, possibly under other + administrative domains, would not have access to this MIB as the SNMP + service would typically operate in a separate management network. + + There are two objects defined in this MIB module, vmPerVMNotificationsEnabled and vmBulkNotificationsEnabled, that have a MAX-ACCESS clause of read-write. Enabling notifications can lead - to a noticeable number of notifications if many virtual machines + to a substantial number of notifications if many virtual machines change their state concurrently. Hence, such objects may be considered sensitive or vulnerable in some network environments. The support for SET operations in a non-secure environment without proper protection can have a negative effect on the management system. It - is recommended that attention be given to these objects in scenarios - that DO NOT use SNMPv3 strong security, i.e. authentication and - encryption. When SNMPv3 strong security is not used, these objects - SHOULD have access of read-only, not read-write. + is RECOMMENDED that these objects have access of read-only instead of + read-write on deployments where SNMPv3 strong security (i.e., + authentication and encryption) is not used. There are a number of managed objects in this MIB that may contain sensitive information. 
The objects in the vmHvSoftware and vmHvVersion list information about the hypervisor's software and version. Some may wish not to disclose to others which software they are running. Further, an inventory of the running software and versions may be helpful to an attacker who hopes to exploit software bugs in certain applications. Moreover, the objects in the vmTable, - vmCpuTable, vmCpuAffinityTable, vmStorageTable and vmNetworkTable - list information about the virtual machines and their virtual - resource allocation. Some may wish not to disclose to others how - many and what virtual machines they are operating. + vmCpuTable, vmCpuAffinityTable, vmStorageTable and + vmNetworkTable list information about the virtual machines and their + virtual resource allocation. Some may wish not to disclose to others + how many and what virtual machines they are operating. It is thus important to control even GET access to these objects and possibly to even encrypt the values of these object when sending them over the network via SNMP. Not all versions of SNMP provide features for such a secure environment. SNMPv1 by itself is not a secure environment. Even if the network itself is secure (for example by using IPsec), even then, there is no control as to who on the secure network is allowed to access and GET/ SET (read/change/create/delete) the objects in this MIB. - It is recommended that the implementers consider the security + It is recommended that the implementers consider using the security features as provided by the SNMPv3 framework. Specifically, the use of the User-based Security Model [RFC3414] and the View-based Access Control Model [RFC3415] is recommended. It is then a customer/user responsibility to ensure that the SNMP entity giving access to an instance of this MIB, is properly configured to give access to the objects only to those principals (users) that have legitimate rights to indeed GET or SET (change/ create/delete) them. -9. Acknowledgements +9. 
Contributors - The authors like to thank Joe Marcus Clarke, Randy Presuhn, David - Black, Joel Jaeggli, Tom Petch, Andy Bierman, C. M. Heard, and Ian + Yuji Sekiya + The University of Tokyo + 2-11-16 Yayoi + Bunkyo-ku, Tokyo 113-8658 + Japan + + Email: sekiya@wide.ad.jp + + Cathy Zhou + Huawei Technologies + Bantian, Longgang District + Shenzhen 518129 + P.R. China + + Email: cathyzhou@huawei.com + + Hiroshi Esaki + The University of Tokyo + 7-3-1 Hongo + Bunkyo-ku, Tokyo 113-8656 + Japan + + Email: hiroshi@wide.ad.jp + +10. Acknowledgements + + The authors like to thank Andy Bierman, David Black, Joe Marcus + Clarke, C.M. Heard, Joel Jaeggli, Tom Petch, Randy Presuhn, and Ian West for providing helpful comments during the development of this specification. Juergen Schoenwaelder was partly funded by Flamingo, a Network of Excellence project (ICT-318488) supported by the European Commission under its Seventh Framework Programme. -10. References +11. References -10.1. Normative References +11.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate - Requirement Levels", BCP 14, RFC 2119, March 1997. + Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ + RFC2119, March 1997, + . [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Structure of Management Information - Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. + Version 2 (SMIv2)", STD 58, RFC 2578, DOI 10.17487/ + RFC2578, April 1999, + . [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. - Schoenwaelder, Ed., "Textual Conventions for SMIv2", - STD 58, RFC 2579, April 1999. + Schoenwaelder, Ed., "Textual Conventions for SMIv2", STD + 58, RFC 2579, DOI 10.17487/RFC2579, April 1999, + . - [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, - "Conformance Statements for SMIv2", STD 58, RFC 2580, - April 1999. + [RFC2580] McCloghrie, K., Ed., Perkins, D., Ed., and J. 
+ Schoenwaelder, Ed., "Conformance Statements for SMIv2", + STD 58, RFC 2580, DOI 10.17487/RFC2580, April 1999, + . - [RFC2790] Waldbusser, S. and P. Grillo, "Host Resources MIB", - RFC 2790, March 2000. + [RFC2790] Waldbusser, S. and P. Grillo, "Host Resources MIB", RFC + 2790, DOI 10.17487/RFC2790, March 2000, + . [RFC2863] McCloghrie, K. and F. Kastenholz, "The Interfaces Group - MIB", RFC 2863, June 2000. + MIB", RFC 2863, DOI 10.17487/RFC2863, June 2000, + . [RFC3413] Levi, D., Meyer, P., and B. Stewart, "Simple Network - Management Protocol (SNMP) Applications", STD 62, - RFC 3413, December 2002. + Management Protocol (SNMP) Applications", STD 62, RFC + 3413, DOI 10.17487/RFC3413, December 2002, + . [RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management - Protocol (SNMPv3)", STD 62, RFC 3414, December 2002. + Protocol (SNMPv3)", STD 62, RFC 3414, DOI 10.17487/ + RFC3414, December 2002, + . [RFC3415] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access Control Model (VACM) for the Simple Network - Management Protocol (SNMP)", STD 62, RFC 3415, - December 2002. - - [RFC3418] Presuhn, R., "Management Information Base (MIB) for the - Simple Network Management Protocol (SNMP)", STD 62, - RFC 3418, December 2002. + Management Protocol (SNMP)", STD 62, RFC 3415, DOI 10 + .17487/RFC3415, December 2002, + . - [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally - Unique IDentifier (UUID) URN Namespace", RFC 4122, - July 2005. + [RFC3418] Presuhn, R., Ed., "Management Information Base (MIB) for + the Simple Network Management Protocol (SNMP)", STD 62, + RFC 3418, DOI 10.17487/RFC3418, December 2002, + . [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, - May 2008. + DOI 10.17487/RFC5226, May 2008, + . [RFC6933] Bierman, A., Romascanu, D., Quittek, J., and M. 
- Chandramouli, "Entity MIB (Version 4)", RFC 6933, - May 2013. + Chandramouli, "Entity MIB (Version 4)", RFC 6933, DOI 10 + .17487/RFC6933, May 2013, + . -10.2. Informative References +11.2. Informative References [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, "Introduction and Applicability Statements for Internet- - Standard Management Framework", RFC 3410, December 2002. + Standard Management Framework", RFC 3410, DOI 10.17487/ + RFC3410, December 2002, + . [IEEE8021-BRIDGE-MIB] - IEEE, "IEEE8021-BRIDGE-MIB", . + IEEE, "IEEE8021-BRIDGE-MIB", October 2008, + . [IEEE8021-Q-BRIDGE-MIB] - IEEE, "IEEE8021-BRIDGE-MIB", . Appendix A. State Transition Table +--------------+----------------+--------------+--------------------+ | State | Change to | Next state | Notification | | | vmAdminState | | | | | at the | | | | | hypervisor or | | | | | (Event) | | | @@ -2297,42 +2352,17 @@ Email: j.schoenwaelder@jacobs-university.de Keiichi Shima IIJ Innovation Institute Inc. 2-10-2 Fujimi Chiyoda-ku, Tokyo 102-0071 JP Email: keiichi@iijlab.net - Tina Tsou Huawei Technologies (USA) 2330 Central Expressway Santa Clara CA 95050 USA Email: tina.tsou.zouting@huawei.com - Yuji Sekiya - The University of Tokyo - 2-11-16 Yayoi - Bunkyo-ku, Tokyo 113-8658 - JP - - Email: sekiya@wide.ad.jp - - Cathy Zhou - Huawei Technologies - Bantian, Longgang District - Shenzhen 518129 - P.R. China - - Email: cathyzhou@huawei.com - - Hiroshi Esaki - The University of Tokyo - 7-3-1 Hongo - Bunkyo-ku, Tokyo 113-8656 - JP - - Phone: +81 3 5841 6748 - Email: hiroshi@wide.ad.jp
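Review bot: the line rewritten for the quote change in the @@ -162,68 +163,68 @@ hunk, "corresponding parent physical storage device managed in 'vmStorageTable' of HOST-RESOURCES-MIB [RFC2790]", names the wrong table. HOST-RESOURCES-MIB has no vmStorageTable, and this draft's own section 5 says vmStorageParent points to the storage device's hrStorageIndex in the hrStorageTable. Since the hunk already touches that line, fix it here: "managed in the 'hrStorageTable' of HOST-RESOURCES-MIB [RFC2790], the entry contains a pointer 'vmStorageParent' to the physical storage device."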
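Review bot: dropping "Hypervisors MUST implement HOST-RESOURCES-MIB" in the @@ -248,69 +249,67 @@ hunk leaves vmCpuPhysIndex and vmStorageParent undefined on a hypervisor that does not implement HOST-RESOURCES-MIB, because the new text only says what they point to "On systems implementing the HOST-RESOURCES-MIB". Section 5 should state what an agent returns for these pointer objects when there is no hrProcessorTable or hrStorageTable to point into (for instance a reserved zero value, if that is what the object definitions in section 6 specify). The same hunk deletes "An implementation MUST support both, either of, or none of per-VM notifications and bulk notifications" without a replacement; if the compliance statements in section 6 are meant to carry that, a sentence in section 4 saying that neither mechanism is mandatory, or pointing at the compliance statement, keeps the prose consistent with the module. Minor: "Both physical and virtual network interfaces are required to be contained in the 'ifTable'" mixes a lowercase requirement into a document that otherwise uses BCP 14 keywords; either "MUST be contained" or a clearly non-normative phrasing.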
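Review bot: the reflowed VirtualMachineList description in the @@ -698,47 +697,47 @@ hunk still leaves the size of the value unspecified. vmIndex is Integer32 (1..2147483647), so read literally, "each virtual machine of the host is represented by a single bit within the value of this object" means an OCTET STRING of roughly vmIndex/8 octets, and SYNTAX OCTET STRING carries no SIZE constraint. State whether trailing zero octets may be omitted (so the string only extends to the highest vmIndex in the set) and that a receiver treats octets beyond the end of the string as zero, or add a SIZE limit; otherwise a bulk notification that includes a VM with a large vmIndex yields a very large varbind.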
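Review bot: the vmStorageAllocatedSize DESCRIPTION touched in the @@ -1276,21 +1277,21 @@ hunk contains two MUSTs that can conflict: "This value MUST NOT be different from vmStorageDefinedSize when vmStorageSourceType is 'block' or 'raw'" and "If this information is not available, this value MUST be -1". For a block or raw device whose allocation cannot be queried, -1 differs from vmStorageDefinedSize, so the text must say which rule wins; the simplest resolution is that for 'block' and 'raw' the agent reports vmStorageDefinedSize and -1 is used only for other source types. Also "this value and vmStorageDefinedSize are supposed to equal" reads better as "are expected to be equal".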
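Review bot: the new opening paragraph of Security Considerations in the @@ -2055,149 +2066,193 @@ hunk states an assumption ("the SNMP service would typically operate in a separate management network") as if it were a mitigation. Make the dependency explicit: the isolation holds only if the hypervisor's SNMP agent is reachable solely from the management network; an agent bound to an interface that guests can reach lets a tenant read vmTable, vmNetworkPhysAddress and the storage mapping of co-resident VMs and, with write access, change vmPerVMNotificationsEnabled and vmBulkNotificationsEnabled. On those two objects the text covers only the flood direction (enabling); the reverse is at least as important operationally, since a writer can clear both flags so that vmCrashed, vmShutdown and vmDeleted are never sent, which blinds the manager and argues for the read-only recommendation regardless of notification volume. Minor: "The objects in the vmHvSoftware and vmHvVersion list information" should be "The objects vmHvSoftware and vmHvVersion list information", and "the values of these object" should be "these objects". In the references, [RFC4122] is dropped from Normative References; confirm nothing in the body still cites it (the UUIDorZero import is covered by [RFC6933]). The replacement line for the [IEEE8021-Q-BRIDGE-MIB] entry is not visible in the hunk as extracted; since the removed line carried the wrong title ("IEEE8021-BRIDGE-MIB"), check that the new entry reads "IEEE8021-Q-BRIDGE-MIB".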
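Review bot: moving Yuji Sekiya, Cathy Zhou and Hiroshi Esaki out of Authors' Addresses in the @@ -2297,42 +2352,17 @@ hunk drops Hiroshi Esaki's "Phone: +81 3 5841 6748" line; the Contributors entry added in the earlier hunk lists only the email, so confirm the omission is intended. The hunk also removes the blank line between Keiichi Shima's "Email: keiichi@iijlab.net" and "Tina Tsou"; check that the rendered Authors' Addresses still separates the two entries.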