SNMP Update
Jeff Case, Founder and CTO
SNMP Research, Inc., +1 865 573 1434
[email protected]
Please see www.snmp.com/jdctutorial.ppt for slides
2
Topics:
Introduction
Differences between SNMPv1, SNMPv2c, and SNMPv3
Advantages of SNMPv3 over SNMPv1 and SNMPv2c
Disadvantages of SNMPv3
3
Topics (Continued):
Recent and Ongoing IETF Work Items
SNMP-based Configuration Management
Policy MIB Module
EOS Working Group: Evolution of SNMP
SMIng Working Group: Evolution of the Structure of Management Information
Distributed Management Working Group (DISMAN)
MIB Definitions
4
Topics (Continued):
A brief look at SNMP/MIB vis-à-vis DMI/MIFs, CIM/MOFs, COPS/PIBs
Conclusions
The SNMP-based Internet Standard Management Framework has Evolved:
SNMPv1, SNMPv2c, and SNMPv3
6
SNMP: The Right Architecture, in part, for the Wrong Reason
Multiple competing efforts circa 1987 - early 1988, with duplication of effort slowing progress and discouraging product development and deployment
The time of GOSIP
Blue-ribbon panel develops direction statement
SNMP was to be the “short-term interim” standard
Protocol independent SMI-based MIB
MIB independent SMI-based protocol
SMI “glue”
7
Protocol Versions: Summary Picture
[Diagram, Simple-Based Management (protocol versions): SNMPv1; Party-based SNMPv2; SNMPv2c, SNMPv2u, SNMPv2* (Common); SNMPv3]
[Diagram, Management Information Definitions (MIB Documents): RFC 1155 Format; RFC 1212/1215 Format; RFC 1442-4 Format; RFC 1902-4 Format; RFC 2578-80 Format]
8
SNMP: The Right Architecture, in part, for the Wrong Reason
This architecture, which was designed to ease the shortening of the life of SNMP, has actually allowed it to age gracefully and to evolve, thereby extending its useful life
People have been predicting the demise of SNMP for a decade and it just keeps going and growing while “replacements” appear and then disappear
9
The SNMP-based Internet-Standard Management Framework
Based on the Simple Network Management Protocol, but more than merely a protocol for data movement: a complete framework
1. A data definition language: the Internet-standard Structure of Management Information (SMI)
2. Definitions of management information: instrumentation described in the [Internet-standard] Management Information Base (MIB)
3. Protocol definition: the Simple Network Management Protocol
10
Structure of Management Information (SMI) Evolution
Modular (3 part) specification architecture: 1. A data definition language, the Internet-standard Structure of Management Information (SMI)
1st Generation (1988-1991): RFC 1155
2nd Generation (1991-1993): RFC 1212 and 1215
3rd Generation (1993-present): SMIv2, RFCs 2578-2580
4th Generation: SMIng, a new work in progress
11
Advantages of SMIv2 over SMIv1
After about 1995, all information modules (MIB definitions) should be written in SMIv2 format
Benefits:
New data types: Counter64, BITS
Table indexing more clear and concise
Improved set operations for row create/delete (important for configuration/control)
12
Advantages of SMIv2 over SMIv1
Pragmatic Reality
Most management stations and applications will load SMIv2 format whereas a few still require SMIv1 format so you need both
Information in SMIv2 formatted documents is a superset of the information in an SMIv1 formatted document
If you have SMIv2 format, SMIv1 format can be generated automatically by throwing away information and reformatting via an automatic tool
If you have SMIv1 format, the tool is vi, emacs, etc plus human input
13
MIB Grammar Versions and Protocol Versions -- Decoupled
In general, there is no need for the version of the protocol to match the version number of the format of a MIB document
With few exceptions, you can use any MIB object, regardless of the version of the grammar of the MIB document, with any version of the protocol
The only noteworthy exception is MIB documents containing MIB objects with a datatype of Counter64 (this datatype is not supported by version 1 of the protocol)
14
Protocol Versions: Summary Picture (same diagram as on slide 7)
15
Management Information Base (MIB) Evolution
Modular (3 part) specification architecture: 2. Definitions of management information
Standard or non-standard
Protocol independent
Instrumentation described in the [Internet-standard] Management Information Base (MIB)
Has undergone constant revision (mostly expansion) since first defined in 1988
A wide variety of technologies covered by standard MIB definitions and others through vendor-specific extensions
16
Management Information Base (MIB) Evolution
In the beginning (1988), there was MIB-I: basic to all managed systems
Next (early ‘90s) came MIB-2: a superset of MIB-I
When MIB-2 reached Full Standard status (Mar ‘91), MIB-I became historic
Change in strategy: a distributed approach of multiple committees with differentiated staffing producing many mini-MIB documents
Lost benefit of input from almost all current operators and administrators
17
Management Information Base (MIB) Evolution (Continued)
Many MIB documents are on the standards track at various levels of standardization maturity and market acceptance/demand
Most are adequate for monitoring
Many must be supplemented for configuration and control
More standardization work needed
Enterprise-specific extensions in the absence of standards
18
Management Information Base (MIB) Evolution (Continued)
Expanded scope of MIB reflective of expanded application of the Internet-Standard Management Framework, the basis for seamless Internet management:
traditional network management
system management
application management
service management
proxy management of legacy devices
19
MIB Documents: Network Management
ADSL: RFC 2662
ATM: Multiple
AppleTalk: RFC 1742
BGPv4: RFC 1657
Bridge: RFC 1493
Character Stream: RFC 1658
CLNS: RFC 1238
DECnet Phase IV: RFC 1559
DOCSIS Cable Modem: Multiple
20
MIB Documents: Network Management (Continued)
DS0, DS1/E1, DS3/E3 Interfaces: Multiple
Entity: RFC 2737
FDDI: Multiple
Frame Relay: Multiple
IEEE 802.3: Multiple
IEEE 802.5: Multiple
IEEE 802.12: Multiple
Integrated Services: Multiple
ISDN: Multiple
21
MIB Documents: Network Management (Continued)
MIB-2: RFC 1213
Modem: RFC 1696
PPP: Multiple
RMON: Multiple
Routing: Multiple
RS-232-Like: RFC 1659
SNA technology: Multiple
Sonet/SDH: RFC 1595
X.25 technology: Multiple
22
MIB Documents: Service Management
Frame Relay Service: RFC 1604
Meter: RFC 2720
SMDS SIP: RFC 1694
23
MIB Documents: System and Applications Management
Application: RFC 2564
Diffie-Hellman USM Key Management: RFC 2786
DISMAN Scheduling: RFC 2591
DISMAN Scripting: RFC 2592
Domain Name System: Multiple
Host Resources: RFC 2790
Identification: RFC 1414
Mail Monitoring: RFC 2249
Network Services Monitoring: RFC 2788
24
MIB Documents: System and Applications Management (Cont.)
Parallel Printer: RFC 1660
Printer: RFC 1759
Radius: Multiple
Relational Database Server: RFC 1697
System Application: RFC 2287
TN3270: Multiple
UPS: RFC 1628
WWW Server: RFC 2594
X.500 Directory Services Monitoring: RFC 2605
25
The SNMP-based Management Framework Is Not Just For Networks
The only relatively complete, open, multi-vendor, multi-platform, interoperable, standards-based management framework for seamless integrated management of networks, systems, applications, and services
26
Importance of Seamlessness
Sharing: among cooperating management applications
Showing: user interfaces and reports
Crunching: converting data to information and information to data
Telling: SNMP-based movement of management data
Knowing: SMI-based instrumentation
27
Importance of Seamlessness
No single application or set of applications can meet all requirements
Sharing is essential
Single naming scheme
Consistent data definitions
Standard information semantics
Mapping functions do not work well
Every time you convert you lose
Example: event correlation for network, system, and application management with point solutions and proprietary database formats
28
Protocol Versions: Summary Picture (same diagram as on slide 7)
29
Evolution of the SNMP Protocol Portion of Internet-Standard Management Framework
Modular (3 part) specification architecture: 3. Protocol definition
MIB independent
The Simple Network Management Protocol
Protocol operations
Transport mappings
Security and administration
First defined in RFC 1157 (SNMPv1)
Separate documents beginning in SNMPv2
Security and administration completed in SNMPv3
30
Protocol Evolution
Generation: Protocol Operations; Transport Mappings; Security & Administration
1st: RFC 1157 (1988–1993); RFC 1157 (1988–1993), the same document; Community-based
2nd: RFC 1905 (1993- ); RFC 1906 (1993- ); Party-based, RFC 1445-47 (1993-1995)
3rd: SNMP EOS (new work); (none listed); User-based, RFC 2570-76 (1998- )
31
New Features of SNMPv2c
Expanded data types: 64-bit counters
Improved efficiency and performance: get-bulk operator
Confirmed event notifications: inform operator
Richer error handling: errors and exceptions
Improved sets: especially row creation/deletion
Transport independence: IP, AppleTalk, IPX, ...
Etc.
32
New Features of SNMPv3
New features inherited from SNMPv2c, plus
Security and Administration
33
New Features of SNMPv3 Inherited from SNMPv2c
The list we just saw …
Expanded data types: 64-bit counters
Improved efficiency and performance: get-bulk operator
Confirmed event notifications: inform operator
Richer error handling: errors and exceptions
Improved sets: especially row creation/deletion
Transport independence: IP, AppleTalk, IPX, ...
Etc.
Plus ...
34
Features of SNMPv3: Security and Administrative Framework
Security
authentication
privacy
Administration
Authorization and view-based access control
Logical contexts
Naming of entities, identities, and information
People and policies
Usernames and key management
Notification destinations and proxy relationships
Remotely configurable via SNMP operations
35
Security Threats and Mechanisms
Threats protected against by SNMPv3:
1. Masquerade/data origin authentication: interloper assumes the identity of a sender to gain its privileges.
2. Modification of information/data integrity: alteration of in-transit messages.
3. Message stream modification: messages are re-ordered, delayed, or replayed
4. Disclosure/data confidentiality: privileged information is obtained via eavesdropping on messages.
36
Security Mechanisms
SNMPv3 uses MD5 and DES as “symmetric,” i.e., private key mechanisms
(MD5 = Message Digest Algorithm 5, RFC 1321)
(DES = Data Encryption Standard)
37
SNMPv3 User-based Authentication Mechanism
Based on:
MD5 message digest algorithm in HMAC
indirectly provides data origin authentication
directly defends against data modification attacks
uses private key known by both sender and receiver
16 byte key
128 bit digest (truncated to 96 bits)
SHA an optional alternative algorithm
Loosely synchronized monotonically increasing time indicator values
defends against certain message stream modification attacks
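The authentication mechanism and the "Secret Rules" that follow are easier to reason about with the actual computations in front of you. The block below is an added example, not code from the slides or from SNMP Research: it implements the RFC 3414 password-to-key stretch and the per-engine key localization (so that one agent's stolen key does not unlock the others), the HMAC-MD5-96 msgAuthenticationParameters (128-bit digest truncated to 12 bytes), and the 150-second time window used against replayed or delayed messages. The message header and the "demo" engine ID are constructed stand-ins, not a BER encoding; the password "maplesyrup" and engine ID 00...02 are the sample values from RFC 3414 appendix A.3.1.

```python
# Added example (not from the slides): an SNMPv3 USM-style authentication check.
# It implements the RFC 3414 password-to-key and key-localization steps, the
# HMAC-MD5-96 authentication parameters, and the 150-second time-window test.
import hashlib
import hmac

ONE_MEGABYTE = 1_048_576          # RFC 3414 A.2: password is stretched to 1 MiB of input
AUTH_PARAM_LEN = 12               # HMAC-MD5-96: 128-bit digest truncated to 96 bits
TIME_WINDOW_SECONDS = 150         # RFC 3414 3.2: tolerated drift in snmpEngineTime

# Constructed message header standing in for the real msgGlobalData/msgSecurityParameters
# encoding; the real field layout is BER, which this example does not encode.
HEADER = b"\x30\x00msgID=1 maxSize=1500 flags=auth engine=demo "


def password_to_key_md5(password: bytes) -> bytes:
    """RFC 3414 A.2.1: hash the password, repeated up to 1 MiB, to get the user key Ku."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    return hashlib.md5(stream).digest()


def localize_key(ku: bytes, engine_id: bytes) -> bytes:
    """Kul = MD5(Ku || snmpEngineID || Ku): a compromised agent only leaks its own key."""
    return hashlib.md5(ku + engine_id + ku).digest()


def auth_parameters(kul: bytes, message_with_zeroed_params: bytes) -> bytes:
    """msgAuthenticationParameters over the whole message (params field = 12 zero bytes)."""
    return hmac.new(kul, message_with_zeroed_params, hashlib.md5).digest()[:AUTH_PARAM_LEN]


def sign_message(kul: bytes, header: bytes, scoped_pdu: bytes) -> bytes:
    """Sender side: build header || params || scopedPDU with the real HMAC filled in."""
    blank = header + bytes(AUTH_PARAM_LEN) + scoped_pdu
    return header + auth_parameters(kul, blank) + scoped_pdu


def verify_message(kul: bytes, message: bytes, header_len: int) -> bool:
    """Receiver side: zero the params field, recompute, compare in constant time."""
    start, end = header_len, header_len + AUTH_PARAM_LEN
    received = message[start:end]
    blank = message[:start] + bytes(AUTH_PARAM_LEN) + message[end:]
    return hmac.compare_digest(received, auth_parameters(kul, blank))


def within_time_window(local_boots: int, local_time: int,
                       msg_boots: int, msg_time: int,
                       window: int = TIME_WINDOW_SECONDS) -> bool:
    """RFC 3414 3.2 step 7: an authoritative engine rejects a message whose
    snmpEngineBoots differs from its own or whose snmpEngineTime is more than
    150 s away; this is what blocks replayed or long-delayed messages."""
    return local_boots == msg_boots and abs(local_time - msg_time) <= window


def demo() -> dict:
    """Run the whole flow with the RFC 3414 A.3.1 sample password and engine ID."""
    ku = password_to_key_md5(b"maplesyrup")
    engine_a = bytes.fromhex("000000000000000000000002")   # engine ID from RFC 3414 A.3.1
    engine_b = bytes.fromhex("000000000000000000000003")   # constructed second engine
    kul_a = localize_key(ku, engine_a)
    kul_b = localize_key(ku, engine_b)

    msg = sign_message(kul_a, HEADER, b"get-request sysUpTime.0")
    tampered = msg[:-1] + bytes([msg[-1] ^ 0x01])          # flip one bit of the PDU
    return {
        "kul_a": kul_a.hex(),
        "genuine_ok": verify_message(kul_a, msg, len(HEADER)),
        "tampered_ok": verify_message(kul_a, tampered, len(HEADER)),
        "wrong_engine_ok": verify_message(kul_b, msg, len(HEADER)),
        "fresh": within_time_window(3, 10_000, 3, 10_090),
        "stale": within_time_window(3, 10_000, 3, 10_400),
        "rebooted": within_time_window(4, 50, 3, 10_000),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things worth noticing when you run it: the same password yields a different localized key for every engine ID, which is why an agent's key file is useless against its neighbours, and the time-window check is independent of the HMAC, so a perfectly authentic message is still dropped once it is replayed outside the window.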
38
SNMPv3 User-based Privacy Mechanism
Based on:
Symmetric encryption used
Data Encryption Standard (DES) in Cipher Block Chaining (CBC) mode
provides privacy / protection against disclosure
uses encryption subject to export and use restrictions in many jurisdictions
16 byte key (8 bytes DES key, 8 byte DES initialization vector)
Multiple levels of compliance with respect to DES due to problems associated with international use
39
Secret Rules
Note that both of these mechanisms depend on private keys
Secrets must be kept secret
No Post-it notes, no world readable files
Initial keys must be loaded out-of-band
Note that key management is a requirement for a secure infrastructure because without a standardized key distribution mechanism, proper key hygiene will not be practiced
40
Remote Configuration MIB Modules
Each document in the set of SNMPv3 specifications has appropriate Information Modules which define appropriate MIB instrumentation
Includes key management for proper key hygiene
User-friendly string-based naming, UTF8 for international use
41
HTTP and IPSEC are not alternatives because they do only part of the job
They provide authentication and privacy, but do not help with the other parts of the problem:
authorization and view-based access control
multiple logical contexts and information naming
MIB module for standards-based remote configuration of security parameters including key management, notification destinations, etc
HTTP over SSL has the additional problem of connection-orientation, which rules it out for use in fault management
42
Mechanisms: Configurability
Can have:
no authentication / no privacy
authentication / no privacy
authentication / privacy
Configured at choice of network administrator, with the user deciding how much to “spend” on security, selecting the correct level of protection, potentially on a transaction-by-transaction basis
43
Mechanisms: Configurability (Continued)
Most administrators are expected to use the three securityLevel choices as follows:
Monitoring: no authentication / no privacy
Control: authentication / no privacy
Downloading secrets: authentication / privacy
Privacy use may possibly be limited by:
Vendor reluctance to ship cryptographic technology
Multiple versions, extra paperwork, etc
FUD
DOTFWHAS: We should not confuse excuses for reasons
Usage restrictions in some jurisdictions
44
Multi-Lingual Implementations for Coexistence and Transition
Cannot upgrade all systems at once
Some systems will never be upgraded
Virtually all products expected to be multi-lingual with simultaneous support for SNMPv1 and SNMPv3, perhaps including SNMPv2c, maybe including Web-based management
Old agent, old packet, old rules, old response; new agent, new packet, new rules, new response
Modular SNMPv3 architecture allows view-based access control to be applied to any/all of these paths
Advantages of SNMPv3
So What? Who Cares?
46
Good Things Operators and Administrators will like in SNMPv3
Able to practice safe sets
Configuration / Control / Provisioning
No longer mere monitoring
Able to augment or replace proprietary CLI over Telnet
Via standards-based solutions providing commercial-grade industrial strength security: authentication and privacy
47
Good Things Operators and Administrators will like in SNMPv3 (Cont’d)
Now able to distribute management out to intelligent agents and mid-level managers
Important for scalability
Keep local management traffic local
Shorter feedback loops with lower latency
48
Good Things Operators and Administrators will like in SNMPv3
View-based Access Control
Various groups can have differentiated:
levels of access, e.g. staff versus customers
access to different information, e.g., customer 1 versus 2
Example: some groups of users might be allowed:
Read-write access to all of the MIB data
Read-write access to subsets of the MIB data
Read-only access to all of the MIB data
Read-only access to subsets of the MIB data
All others get no access
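The view-based access control described on this slide and the securityLevel tiers from the "Mechanisms: Configurability" slides (monitoring without authentication, control with authentication) are two halves of one decision, so the added example below models both in one place. It is not code from the slides or from SNMP Research; it follows the RFC 3415 VACM structure (group membership, a per-group access row per securityLevel, and view families with subtree masks) but the user names, group names and the "customer sees only its own ifTable row" layout are constructed for illustration.

```python
# Added example (not from the slides): a model of SNMPv3 view-based access control
# (RFC 3415 VACM) combined with the securityLevel tiers from the "Mechanisms:
# Configurability" slides. Group names, users and view layouts are constructed.
from typing import Dict, List, Optional, Tuple

Oid = Tuple[int, ...]
LEVELS = ("noAuthNoPriv", "authNoPriv", "authPriv")   # weakest to strongest


def oid(text: str) -> Oid:
    return tuple(int(x) for x in text.strip(".").split("."))


class View:
    """vacmViewTreeFamilyTable: (subtree, mask bits, included) entries.
    A mask bit of 0 makes that sub-identifier a wildcard, which is how a
    view can cover one row of a table (e.g. one ifIndex) across all columns."""

    def __init__(self) -> None:
        self.families: List[Tuple[Oid, Tuple[bool, ...], bool]] = []

    def add(self, subtree: str, included: bool = True, mask: bytes = b"") -> "View":
        tree = oid(subtree)
        bits = [b == "1" for byte in mask for b in f"{byte:08b}"]
        bits = (bits + [True] * len(tree))[:len(tree)]    # short masks pad with 1 bits
        self.families.append((tree, tuple(bits), included))
        return self

    def contains(self, target: Oid) -> bool:
        best = None
        for tree, bits, included in self.families:
            if len(target) < len(tree):
                continue
            if all((not bit) or target[i] == tree[i] for i, bit in enumerate(bits)):
                # RFC 3415 4.2 tie-break: longest subtree, then lexicographically greatest
                if best is None or (len(tree), tree) > (len(best[0]), best[0]):
                    best = (tree, included)
        return best is not None and best[1]


class Vacm:
    def __init__(self) -> None:
        self.groups: Dict[str, str] = {}                      # securityName -> group
        self.access: Dict[Tuple[str, str], Tuple[Optional[View], Optional[View]]] = {}
        self.views: Dict[str, View] = {}

    def add_user(self, user: str, group: str) -> None:
        self.groups[user] = group

    def add_access(self, group: str, level: str, read: Optional[str], write: Optional[str]) -> None:
        """vacmAccessTable row: which read/write views a group gets at a given securityLevel."""
        self.access[(group, level)] = (self.views.get(read), self.views.get(write))

    def is_allowed(self, user: str, level: str, op: str, target: str) -> bool:
        group = self.groups.get(user)
        if group is None or level not in LEVELS:
            return False
        # RFC 3415 4.1: among rows whose securityLevel <= the message's level, use the strongest
        rows = [(LEVELS.index(lvl), views) for (g, lvl), views in self.access.items()
                if g == group and LEVELS.index(lvl) <= LEVELS.index(level)]
        if not rows:
            return False
        _, (read_view, write_view) = max(rows, key=lambda r: r[0])
        view = write_view if op == "write" else read_view
        return view is not None and view.contains(oid(target))


def build_policy() -> Vacm:
    """Constructed policy following the slide: staff read-write everything (but only
    when authenticated), customers read-only on their own ifTable row, others nothing."""
    v = Vacm()
    v.views["all"] = View().add("1.3.6.1.2.1")
    # ifEntry row for ifIndex 3 across every column: subtree ...2.2.1.0.3 with the
    # column position (10th sub-identifier) wildcarded by mask ff bf (bit 10 cleared).
    v.views["cust1"] = View().add("1.3.6.1.2.1.2.2.1.0.3", mask=bytes.fromhex("ffbf"))
    v.views["cust2"] = View().add("1.3.6.1.2.1.2.2.1.0.4", mask=bytes.fromhex("ffbf"))
    v.add_user("ops-alice", "staff")
    v.add_user("cust1-monitor", "customer1")
    v.add_user("cust2-monitor", "customer2")
    v.add_access("staff", "noAuthNoPriv", read="all", write=None)     # monitoring only
    v.add_access("staff", "authNoPriv", read="all", write="all")      # control needs auth
    v.add_access("customer1", "authNoPriv", read="cust1", write=None)
    v.add_access("customer2", "authNoPriv", read="cust2", write=None)
    return v
```

The interesting cases are the ones the slide lists as "subsets": customer 1 can read ifInOctets.3 but not ifInOctets.4, and cannot write ifAdminStatus.3 even though it is inside its read view, while an unauthenticated staff request can read but not set anything because the noAuthNoPriv row carries no write view.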
49
Good Things Operators and Administrators will like in SNMPv3 (Cont’d)
Better Notifications:
Traps: spray and pray, the only option in SNMPv1
Informs: send, wait for acknowledgement; retry count and retry interval; added in SNMPv2c but with problems; problems fixed in SNMPv3
Standard MIB objects to configure
Source-side notification suppression
50
Good Things Operators and Administrators will like in SNMPv3 (Cont’d)
Source Side Notification Suppression
Too many resources spent on uninteresting notification messages, e.g., unwanted traps and informs:
Notification generation
Notification transmission and delivery
Notification logging
Notification filtering
SNMPv3 allows you to use a standard MIB and standards-based tools to turn unwanted notifications off at the source
You will really like this
51
Good Things Operators and Administrators will like in SNMPv3 (Cont’d)
Standards-based applications enabled through standard MIB definitions for ease of administration:
User names and keys
Authorization and access control rights
Notification destinations (traps and informs)
Also management of SNMPv1 and SNMPv2c parameters such as community strings
52
Good Things Operators and Administrators will like in SNMPv3 (Cont’d)
Better performance
The awesome getBulk operator works better with SNMPv3
Less latency and lower overhead through a smaller number of larger packets
One to three orders of magnitude faster than SNMPv1 getNext operator (typically two)
Negotiates maximum message size correctly
Counter64: no need to poll as often
New features eliminate need for “gross hacks”, e.g., logical contexts
53
Good Things Operators and Administrators will like in SNMPv3 (Cont’d)
Better error handling:
In a Get Request with 10 items requested and one is unavailable:
In SNMPv1, returns an error with no partial results
In SNMPv2/3, results in 9/10 good values and one exception
In a Set Request, if something fails:
In SNMPv1, results in a “No”
In SNMPv2/3, results in a “No-because”
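The two preceding slides (getBulk performance and per-varbind error handling) and the earlier note that Counter64 is unavailable through SNMPv1 all come down to how an agent answers requests, so one added example covers them together. The block below is not code from the slides or from SNMP Research: it is an in-memory agent model with a constructed MIB (sysDescr plus three ifTable columns and ifHCInOctets for 50 interfaces, using the standard OIDs) that counts the round trips a table walk needs with getNext versus getBulk, and shows the SNMPv1 "whole request fails" response beside the SNMPv2c/v3 "nine values plus one exception" response for the ten-item Get the slide describes.

```python
# Added example (not from the slides): an in-memory SNMP agent model used to count
# the PDUs a table walk needs with getNext versus getBulk, and to show how SNMPv1
# and SNMPv2c/v3 answer a Get that includes an unavailable or Counter64 object.
# The MIB contents (50 interfaces) are constructed; the OIDs are the standard ones.
import bisect
from typing import Dict, List, Optional, Tuple

Oid = Tuple[int, ...]
VarBind = Tuple[Oid, object]


def oid(text: str) -> Oid:
    return tuple(int(x) for x in text.strip(".").split("."))


class Agent:
    def __init__(self) -> None:
        self.objects: Dict[Oid, str] = {}            # object (scalar/column) OID -> SMI type
        self.instances: Dict[Oid, Tuple[str, object]] = {}
        self.ordered: List[Oid] = []

    def register(self, obj: str, smi_type: str, rows: Dict[int, object]) -> None:
        base = oid(obj)
        self.objects[base] = smi_type
        for suffix, value in rows.items():
            self.instances[base + (suffix,)] = (smi_type, value)
        self.ordered = sorted(self.instances)          # lexicographic OID order

    def get_next(self, start: Oid) -> Optional[VarBind]:
        i = bisect.bisect_right(self.ordered, start)
        if i == len(self.ordered):
            return None                                # endOfMibView
        return self.ordered[i], self.instances[self.ordered[i]][1]

    def get_bulk(self, start: Oid, max_repetitions: int) -> List[VarBind]:
        i = bisect.bisect_right(self.ordered, start)
        return [(o, self.instances[o][1]) for o in self.ordered[i:i + max_repetitions]]

    def get(self, version: str, oids: List[Oid]) -> Tuple[str, int, List[VarBind]]:
        """Returns (error-status, error-index, varbinds) in the style of the response PDU."""
        result: List[VarBind] = []
        for n, o in enumerate(oids, start=1):
            entry = self.instances.get(o)
            if entry is not None and not (version == "v1" and entry[0] == "Counter64"):
                result.append((o, entry[1]))
                continue
            if version == "v1":
                return "noSuchName", n, []             # whole request fails, no partial results
            known_object = any(o[:len(b)] == b for b in self.objects)
            result.append((o, "noSuchInstance" if known_object else "noSuchObject"))
        return "noError", 0, result


def walk_getnext(agent: Agent, subtree: Oid) -> Tuple[int, List[VarBind]]:
    """SNMPv1 style: one round trip per object instance, plus one to notice the end."""
    cur, pdus, rows = subtree, 0, []
    while True:
        pdus += 1
        nxt = agent.get_next(cur)
        if nxt is None or nxt[0][:len(subtree)] != subtree:
            return pdus, rows
        rows.append(nxt)
        cur = nxt[0]


def walk_getbulk(agent: Agent, subtree: Oid, max_repetitions: int) -> Tuple[int, List[VarBind]]:
    """SNMPv2c/v3 style: up to max-repetitions successors per round trip."""
    cur, pdus, rows = subtree, 0, []
    while True:
        pdus += 1
        batch = agent.get_bulk(cur, max_repetitions)
        inside = [vb for vb in batch if vb[0][:len(subtree)] == subtree]
        rows.extend(inside)
        if not batch or len(inside) < len(batch):     # left the subtree or hit endOfMibView
            return pdus, rows
        cur = batch[-1][0]


def build_agent(n_if: int = 50) -> Agent:
    a = Agent()
    ifs = range(1, n_if + 1)
    a.register("1.3.6.1.2.1.1.1", "OCTET STRING", {0: "constructed router"})        # sysDescr
    a.register("1.3.6.1.2.1.2.2.1.1", "INTEGER", {i: i for i in ifs})                 # ifIndex
    a.register("1.3.6.1.2.1.2.2.1.2", "OCTET STRING", {i: f"eth{i}" for i in ifs})   # ifDescr
    a.register("1.3.6.1.2.1.2.2.1.10", "Counter32", {i: i * 1000 for i in ifs})      # ifInOctets
    a.register("1.3.6.1.2.1.31.1.1.1.6", "Counter64", {i: i * 10**10 for i in ifs})  # ifHCInOctets
    return a


if __name__ == "__main__":
    agent = build_agent()
    if_table = oid("1.3.6.1.2.1.2.2")
    print("getNext PDUs:", walk_getnext(agent, if_table)[0])
    print("getBulk PDUs:", walk_getbulk(agent, if_table, 50)[0])
```

With 150 instances in the table the getNext walk costs 151 round trips and the getBulk walk with max-repetitions 50 costs 4, which is the "one to two orders of magnitude" the slide talks about; the ratio grows with table size and with the max-repetitions the negotiated message size allows.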
54
Disadvantages of SNMPv3
Security is expensive
More to configure and administer
Unlocked doors are more convenient to use
Community strings were relatively easy to administer
Off-the-shelf tools help
More overhead
Message headers longer and more complex
Cryptographic calculations can increase CPU load approximately 20-ish percent
It will run slower; it will run much slower if software-based DES is used, especially if implemented in Java
Some machines do not have the hardware assets, but almost all do: NO EXCUSES
55
Disadvantages of SNMPv3 (Cont’d)
Export and international usage considerations
Incomplete product support
Some vendors claim customers (i.e., you) don’t care about security
Agents better than manager stations and applications
SNMPv3 code often less mature and shaken out
56
Conclusion: What is SNMPv3?
Newest version of the Internet-standard Management Framework
What SNMPv2 should have been - builds on the good
Compatible with the SMI and MIB you use now
Important enabling technology for configuration and control: adds security and administration for safe sets
Security: authentication and privacy
Administration: logical contexts, view-based access control, remote configuration
Available now
57
Conclusions about SNMPv3
There is a lot to like
But we are not done yet -- there is more to be done
The SNMP-based Internet Standard Management Framework is Still Evolving:
Recent and Ongoing IETF Work Items
59
The SNMP-based Management Framework is Evolved and Evolving
Not the same old SNMP your mother used in 1988
Many positive advancements already standardized, implemented, and deployed
Some more are nearly done and ready for implementation and deployment:
SNMP-based configuration
Policy-based Management MIB
Provisioning MIB for DiffServ
Some standardization work is just getting started:
SMIng
Evolution of SNMP: SNMP EOS
60
Recent and Ongoing IETF Work Items: Topics
SNMP-based Configuration Management
Policy MIB Module
EOS Working Group: Evolution of SNMP
SMIng Working Group: Evolution of the Structure of Management Information
Distributed Management Working Group (DISMAN)
MIB Definitions
61
Significant Market Drivers
Growth and scale
Dearth of expert personnel
The need for seamlessness
The need for security
Standards and enabling technology
Driver du jour: secure policy-based configuration of policy, e.g., secure policy-based configuration of security policy
Important to note multiple meanings of security and policy
62
Multiple Meanings of Policy
Policy-based distribution of configurations (targets selected according to a policy, e.g., every system which runs Solaris and an Apache Web server)
Policy-based application of configuration rules within a system (targets selected according to roles), e.g., for each interface on a switch, apply configuration A on every backbone interface and configuration B on all other interfaces
Configuration of policy, e.g., QoS policy or Security policy
63
SNMP-based Configuration Management
IETF SNMPCONF Working Group Goals
Show best practices regarding how to do it; deliverable: BCP document
Make it easier to do it; deliverable: Policy MIB Module
Provide a worked out example while addressing pressing immediate needs
DOTFWHAS: One example is worth two books
Provisioning of DiffServ QoS Policy
64
SNMP-based Configuration Management: Policy MIB Module Challenges
Configure multiple parameters with many instances while, to the extent possible, being:
Vendor independent (unlike CLI)
Technology independent (ATM versus DiffServ)
Instance independent (at a higher level of abstraction)
Integration of configuration management with fault management, performance monitoring, etc
65
SNMP-based Configuration Management: Policy MIB Module
The PM MIB uses structured scripts to do policy-based configuration of standard and vendor-specific MIB objects
A policy in the PM MIB is a pairing of a filter rule and an action (simple or complex)
The filter rule selects the applicable elements, i.e., if (an element has certain characteristics) then (apply operation to that element)
Alternately: if (policyFilter) then (policyAction)
66
PolicyScript Language
The script language will look familiar to you if you use C, Perl, C++, Tcl, Python, or JavaScript
A simple subset
No pointers, structures, typed variables, objects, classes, etc.
Does contain expressions, variables, looping
67
The Policy-Based Management MIB
PM MIB Policies can be applied to any type of manageable element
Interfaces
Circuits
Queues
Processes
Software
others...
68
A Conceptual Policy
[Figure: a population of interfaces labelled by role (Trunk or Access), medium (Ethernet, ATM, Frame), service class (Gold, Silver, Bronze, or none) and speed (128Kb to 100Mb). The filter “Trunk AND Ethernet AND 100Mb” selects the three Trunk Ethernet 100Mb interfaces (Gold, Silver, and unclassed) and the action sets Autonegotiate Off on each.]
A Conceptual Policy
[Figure: the same interface population; the filter “Ethernet AND Access AND Gold” selects the four Access Ethernet Gold interfaces (three at 10Mb, one at 100Mb) and the action sets DSCP = 5 on each.]
70
PM MIB Goals
Leverage existing infrastructure, tools, and MIBs
Resulting simplicity will accelerate time to market
Don’t start from scratch in our data models
Flexibility for real-world policy
Simple or complex filters and simple or complex actions
Do not underestimate the power of configuring by reference versus by value: consider 5 configuration parameters for 500 interfaces is 2,500 operations. If these are common, then a single SET PDU could change them all simultaneously
71
policyFilter PseudoCode
Pseudocode: (is an ethernet AND is operational AND gets gold or silver service)
Scripted As: ((getvar("ifType.$*") == ethernet-csmacd) && (getvar("ifOperStatus.$*") == up) && (roleMatch("gold") || roleMatch("silver")))
72
Execution Example
Filter: ((getvar("ifType.$*") == ethernet-csmacd) && (getvar("ifOperStatus.$*") == up) && (roleMatch("gold") || roleMatch("silver")))
Action: setvar("ifAdminStatus.$*", down(2), Integer)
Before:
Index  Type      Roles   AdminStatus
1      Ethernet  Gold    Up
2      Frame     Gold    Up
3      Ethernet          Up
4      Ethernet  Silver  Up
5      Ethernet  Silver  Up
After:
Index  Type      Roles   AdminStatus
1      Ethernet  Gold    Up
2      Frame     Gold    Up
3      Ethernet          Down
4      Ethernet  Silver  Up
5      Ethernet  Silver  Up
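To make the filter/action pairing from the "policyFilter PseudoCode" and "Execution Example" slides concrete, here is an added example, not code from the slides, from SNMP Research or from the PM MIB itself: a small Python host in which getvar, roleMatch and setvar are methods on a per-element binding and "$*" expands to the element's instance index, as in the slide's script. The interface table is constructed from the slide's "before" table (ifType names follow IANAifType; status values are the ifAdminStatus/ifOperStatus named numbers up(1) and down(2)). The example goes one step beyond the slide: it runs the filter exactly as printed, which selects interfaces 1, 4 and 5, and also the complementary filter (ethernet, operational, and no gold/silver role), which is the rule that produces the slide's "after" table where only interface 3 goes down. A dry_run function shows the "ability to test a policy" mentioned on the later "Features of PM MIB" slide.

```python
# Added example (not from the slides): a small Python host for the PolicyScript
# filter/action pair shown on the "policyFilter PseudoCode" and "Execution Example"
# slides. The interface table is constructed from the slide's table; getvar,
# roleMatch and setvar are modelled as methods on a per-element binding where
# "$*" stands for the element's instance index, as in the slide's script.
import copy
from typing import Callable, Dict, List

IF_STATUS = {"up": 1, "down": 2}      # ifAdminStatus/ifOperStatus named numbers
Table = Dict[int, dict]


def fresh_table() -> Table:
    """Constructed from the slide's 'before' table (ifType names follow IANAifType)."""
    return {
        1: {"ifType": "ethernet-csmacd", "ifOperStatus": 1, "ifAdminStatus": 1, "roles": {"gold"}},
        2: {"ifType": "frameRelay",      "ifOperStatus": 1, "ifAdminStatus": 1, "roles": {"gold"}},
        3: {"ifType": "ethernet-csmacd", "ifOperStatus": 1, "ifAdminStatus": 1, "roles": set()},
        4: {"ifType": "ethernet-csmacd", "ifOperStatus": 1, "ifAdminStatus": 1, "roles": {"silver"}},
        5: {"ifType": "ethernet-csmacd", "ifOperStatus": 1, "ifAdminStatus": 1, "roles": {"silver"}},
    }


class Element:
    """One manageable element bound to a policy run; '$*' expands to its index."""

    def __init__(self, table: Table, index: int) -> None:
        self.table, self.index = table, index

    def _resolve(self, spec: str) -> str:
        column, _, instance = spec.replace("$*", str(self.index)).rpartition(".")
        if int(instance) != self.index:
            raise ValueError(f"{spec} does not address element {self.index}")
        return column

    def getvar(self, spec: str):
        return self.table[self.index][self._resolve(spec)]

    def roleMatch(self, role: str) -> bool:
        return role in self.table[self.index]["roles"]

    def setvar(self, spec: str, value, smi_type: str) -> None:
        if smi_type != "Integer" or not isinstance(value, int):
            raise TypeError("this model only sets Integer-typed objects")
        self.table[self.index][self._resolve(spec)] = value


Script = Callable[[Element], object]


def dry_run(table: Table, policy_filter: Script) -> List[int]:
    """'Ability to test a policy': evaluate the filter only, touch nothing."""
    snapshot = copy.deepcopy(table)
    return [i for i in sorted(snapshot) if policy_filter(Element(snapshot, i))]


def apply_policy(table: Table, policy_filter: Script, policy_action: Script) -> List[int]:
    """if (policyFilter) then (policyAction), once per element; returns the indices acted on."""
    acted = []
    for i in sorted(table):
        e = Element(table, i)
        if policy_filter(e):
            policy_action(e)
            acted.append(i)
    return acted


# The slide's filter, transcribed: ethernet AND operational AND (gold OR silver)
def slide_filter(e: Element) -> bool:
    return ((e.getvar("ifType.$*") == "ethernet-csmacd")
            and (e.getvar("ifOperStatus.$*") == IF_STATUS["up"])
            and (e.roleMatch("gold") or e.roleMatch("silver")))


# The complementary filter: ethernet AND operational AND no gold/silver role.
# This is the rule that produces the slide's 'after' table (only interface 3 goes down).
def unclassed_filter(e: Element) -> bool:
    return ((e.getvar("ifType.$*") == "ethernet-csmacd")
            and (e.getvar("ifOperStatus.$*") == IF_STATUS["up"])
            and not (e.roleMatch("gold") or e.roleMatch("silver")))


def slide_action(e: Element) -> None:
    # setvar("ifAdminStatus.$*", down(2), Integer)
    e.setvar("ifAdminStatus.$*", IF_STATUS["down"], "Integer")


def admin_status(table: Table) -> List[int]:
    return [table[i]["ifAdminStatus"] for i in sorted(table)]
```

The same loop is what the "configuring by reference" slide is about: one filter plus one action replaces a per-interface SET for every matching element, and the dry run lets an operator see which elements a policy would touch before it is enabled.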
73
Features of PM MIB
Scripting
Very flexible and understandable way to express policy
IT Personnel like the power of scripting
Much more flexible than string matching
Policies based on operational status
Capabilities, status of interface, utilization, etc.
Allows much richer sets of policies than using human-input strings
Scheduling
Business calendars: “M-F 9-5” or “Last Friday of every month”
Videoconference from 12PM to 1PM
74
Features of PM MIB
Conflict resolution
Uses a precedence tree to find best policy in conflicts
Error Recovery
Helps meet service level goals by having backup policies on managed systems
Policies have precedence - pmPolicyPrecedence
Notifications if a policy encounters errors
Operational aspects:
Ability to test a policy
Ability to disable a policy on an element so operator can take back control (“limp-home mode”) until policy is fixed
75
SNMP-based Configuration Management: Benefits of the PM MIB Module
Configuration tied to fault and performance:
Interface fails that has been configured with DiffServ or IPSec
Statistics can be collected based on configuration - can selectively optimize data collection
Built with existing infrastructure and tools
Leverages existing MIBs
A complete package, including operational aspects
76
SNMP-based Configuration Management: Benefits of the PM MIB Module
You will like how the Policy MIB module works to configure DiffServ via the DiffServ MIB and DiffServ Provisioning MIB Modules
The same approach can and will be used with other areas of configuration such as:
The secure policy-based configuration of security policy
Routing
etc.
77
Evolution of SNMP: IETF EOS Working Group
The SNMP Protocol portion of the Internet Standard Framework is in its 2nd generation
The EOS Working Group is chartered to develop and propose a 3rd generation
Performance enhancements under consideration / development:
Efficiency through OID suppression and compression
Enhanced table manipulation
Improved row operations
Support for new data types
78
Evolution of the Structure of Management Information: IETF SMIng Working Group
The SMIng Working Group is developing a new proposal for a next generation data definition language
Currently compiling and winnowing requirements
Motivated to have a single protocol-independent data definition language to eliminate wasteful duplication between MIBs and PIBs
Realistic requirements that can be supported by the SNMP and COPS-PR protocols
79
Evolution of the Structure of Management Information: IETF SMIng Working Group
Best hits album of SMIv2 and SPPI, plus (still being decided):
General cleanup / housekeeping
Additional data types
Signed and unsigned 64 bit integers
Floating point: Float32, Float64, and Float128 (# of bits)
Unions and discriminated unions
Arrays
Aggregate data types
New C-like grammar / syntax
Language extensibility
80
Evolution of the Structure of Management Information: IETF SMIng Working Group …
Object Oriented Design Features
Classes
Inheritance
Containment
Methods
Procedures
Constraints: existence constraints, attribute transaction constraints, attribute value constraints, method constraints
Associations and association cardinalities
Not all of the proposals will make the cut
81
Distributed Management: IETF DISMAN Working Group
With security, it is possible to have intelligent agents or mid-level managers doing distributed management
Intelligent requires configuration
Configuration requires security
or
Security enables configuration
Configuration enables intelligent
Multiple proprietary MIB modules for years
IETF DISMAN adding standardization
82
Distributed Management: IETF DISMAN Working Group
IETF DISMAN chartered to define MIB specs for distributed network management applications
Remotely configured as an SNMP agent, acts as a distributed SNMP manager application
Off-load polling, keeping local polling local
Proximity yielding lower latency and shorter feedback loops
Important for scalability
83
Distributed Management: IETF DISMAN Working Group
Published Work Products
Schedule MIB (RFC 2591): time driven execution
Script MIB (RFC 2592): movement of scripts, not standardizing language
Remote Operations MIB (RFC 2925): ping, traceroute, DNS lookup
Event MIB (RFC 2981): actions based upon thresholds
Notification Log MIB (RFC 3014)
Works in progress
Alarm MIB, ITU Alarm MIB, SNMP Alarms
84
MIB Definitions
Multiple Standards-track Specifications
WWW MIB
Application MIB
System Application MIB
Network Services Monitoring MIB
Host Resources MIB
You can use these to monitor your and your customers’ mission-critical servers and services running on open systems: DNS, Web, e-commerce, etc
85
MIB Definitions
Use of a single paradigm allows integrated and correlated data and operations
Addresses frustration of multiple, independent, incompatible databases
Conclusions
87
Conclusions: The SNMP-based Management Framework is Sturdy
Originally “the short-term interim standard”
According to the pundits, has been on its last legs since 1988
To be eclipsed by a succession of replacements
SNMP-based management is still growing, expanding scope, evolving
While “replacements” come and go
88
What ever happened to?
Pre 1989 Proprietary, e.g. IBM Netview, DEC NMCC
1989 CMIP over TCP/IP (CMOT)
1990 DCE RPC – based management
1991 Open Software Foundation Distributed Management Environment (OSF DME)
1992 CMIP over LANs (CMOL)
89
What ever happened to?
1993 DMTF’s Distributed Management Interface (DMI) Management Information File (MIF)
1994 OMNIPoint
1995 CORBA
1996 Web-based device management, Web-enabled management
1997 DMTF’s WBEM: HMMS, HMMP, HMOM, etc
90
What ever happened to?
1998 JMAPI over Java and DEN/LDAP
1999 JDMK over Java and CIM
2000 COPS/PIBs
2001 XML
Beyond … more to come …
91
Conclusions:
The Internet-Standard Management Framework based on SNMP is:
Evolved
Not just for networks
Secure
Sturdy
But there is much more work to be done:
Additional standards work
Better applications
Implementation
Deployment
92
Conclusions:
SNMP-based management is far from perfect, but it continues to be the best game in town
The architecture and vision are fine
We need to execute to completion
You do not yet get to live that vision, in part because the vendors are not supplying complete and compliant products
93
Conclusions:
The vendors are not fully implementing and supplying products based on that vision, in part because you are not insisting that they do so
Some vendors claim they see little market demand for secure management
There is an alternative to scripts and proprietary CLI over Telnet: the Internet Standard Management Framework
Questions / Comments
Thank you for your participation