Date post: 22-Dec-2015
SNMP Update. Jeff Case, Founder and CTO, SNMP Research, Inc., +1 865 573 1434, case@snmp.com. Please see www.snmp.com/jdctutorial.ppt for slides.
Transcript
Page 1

SNMP Update
Jeff Case, Founder and CTO
SNMP Research, Inc.
+1 865 573 1434
case@snmp.com
Please see www.snmp.com/jdctutorial.ppt for slides

Page 2

Topics:
Introduction
Differences between SNMPv1, SNMPv2c, and SNMPv3
Advantages of SNMPv3 over SNMPv1 and SNMPv2c
Disadvantages of SNMPv3

Page 3

Topics (Continued):
Recent and Ongoing IETF Work Items
SNMP-based Configuration Management
Policy MIB Module
EOS Working Group: Evolution of SNMP
SMIng Working Group: Evolution of the Structure of Management Information
Distributed Management Working Group (DISMAN)
MIB Definitions

Page 4

Topics (Continued):
A brief look at SNMP/MIB vis-à-vis DMI/MIFs, CIM/MOFs, COPS/PIBs
Conclusions

Page 5

The SNMP-based Internet Standard Management Framework has Evolved:
SNMPv1, SNMPv2c, and SNMPv3

Page 6

SNMP: The Right Architecture, in part, for the Wrong Reason
Multiple competing efforts circa 1987 - early 1988, with duplication of effort slowing progress and discouraging product development and deployment
The time of GOSIP
Blue-ribbon panel develops direction statement
SNMP was to be the “short-term interim” standard
Protocol independent SMI-based MIB
MIB independent SMI-based protocol
SMI “glue”

Page 7

Protocol Versions: Summary Picture
[Diagram labelled “Simple-Based Management”: protocol versions SNMPv1, party-based SNMPv2, SNMPv2u, SNMPv2*, SNMPv2c (labelled “Common”), and SNMPv3]
Management Information Definitions (MIB Documents): RFC 1155 format; RFC 1212/1215 format; RFC 1442-4 format; RFC 1902-4 format; RFC 2578-80 format

Page 8

SNMP: The Right Architecture, in part, for the Wrong Reason
This architecture, which was designed to ease the shortening of the life of SNMP, has actually allowed it to age gracefully and to evolve, thereby extending its useful life
People have been predicting the demise of SNMP for a decade and it just keeps going and growing while “replacements” appear and then disappear

Page 9

The SNMP-based Internet-Standard Management Framework
Based on the Simple Network Management Protocol, but more than merely a protocol for data movement: a complete framework:
1. A data definition language: the Internet-standard Structure of Management Information (SMI)
2. Definitions of management information: instrumentation described in the [Internet-standard] Management Information Base (MIB)
3. Protocol definition: the Simple Network Management Protocol

Page 10

Structure of Management Information (SMI) Evolution
Modular (3 part) specification architecture: 1. A data definition language: the Internet-standard Structure of Management Information (SMI)
1st Generation (1988-1991): RFC 1155
2nd Generation (1991-1993): RFC 1212 and 1215
3rd Generation (1993-present): SMIv2, RFCs 2578-2580
4th Generation: SMIng: a new work in progress

Page 11

Advantages of SMIv2 over SMIv1
After about 1995, all information modules (MIB definitions) should be written in SMIv2 format
Benefits:
New data types: Counter64, BITS
Table indexing more clear and concise
Improved set operations for row create/delete (important for configuration/control)

Page 12

Advantages of SMIv2 over SMIv1: Pragmatic Reality
Most management stations and applications will load SMIv2 format, whereas a few still require SMIv1 format, so you need both
Information in SMIv2 formatted documents is a superset of the information in an SMIv1 formatted document
If you have SMIv2 format, SMIv1 format can be generated automatically by throwing away information and reformatting via an automatic tool
If you have SMIv1 format, the tool is vi, emacs, etc. plus human input

Page 13

MIB Grammar Versions and Protocol Versions -- Decoupled
In general, there is no need for the version of the protocol to match the version number of the format of a MIB document
With few exceptions, you can use any MIB object, regardless of the version of the grammar of the MIB document, with any version of the protocol
The only noteworthy exception is MIB documents containing MIB objects with a datatype of Counter64 (this datatype is not supported by version 1 of the protocol)

Page 14

Protocol Versions: Summary Picture
[Same diagram as page 7: protocol versions SNMPv1, party-based SNMPv2, SNMPv2u, SNMPv2*, SNMPv2c, SNMPv3; MIB document formats RFC 1155, RFC 1212/1215, RFC 1442-4, RFC 1902-4, RFC 2578-80]

Page 15

Management Information Base (MIB) Evolution
Modular (3 part) specification architecture: 2. Definitions of management information
Standard or non-standard
Protocol independent
Instrumentation described in the [Internet-standard] Management Information Base (MIB)
Has undergone constant revision (mostly expansion) since first defined in 1988
A wide variety of technologies covered by standard MIB definitions and others through vendor-specific extensions

Page 16

Management Information Base (MIB) Evolution
In the beginning (1988), there was MIB-I: basic to all managed systems
Next (early ‘90s) came MIB-2: a superset of MIB-I
When MIB-2 reached Full Standard status (Mar ‘91), MIB-I became historic
Change in strategy: a distributed approach of multiple committees with differentiated staffing producing many mini-MIB documents
Lost benefit of input from almost all current operators and administrators

Page 17

Management Information Base (MIB) Evolution (Continued)
Many MIB documents are on the standards track at various levels of standardization maturity and market acceptance/demand
Most are adequate for monitoring
Many must be supplemented for configuration and control
More standardization work needed
Enterprise-specific extensions in the absence of standards

Page 18

Management Information Base (MIB) Evolution (Continued)
Expanded scope of MIB reflective of expanded application of the Internet-Standard Management Framework, the basis for seamless Internet management:
traditional network management
system management
application management
service management
proxy management of legacy devices

Page 19

MIB Documents: Network Management
ADSL: RFC 2662
ATM: Multiple
AppleTalk: RFC 1742
BGPv4: RFC 1657
Bridge: RFC 1493
Character Stream: RFC 1658
CLNS: RFC 1238
DECnet Phase IV: RFC 1559
DOCSIS Cable Modem: Multiple

Page 20

MIB Documents: Network Management (Continued)
DS0, DS1/E1, DS3/E3 Interfaces: Multiple
Entity: RFC 2737
FDDI: Multiple
Frame Relay: Multiple
IEEE 802.3: Multiple
IEEE 802.5: Multiple
IEEE 802.12: Multiple
Integrated Services: Multiple
ISDN: Multiple

Page 21

MIB Documents: Network Management (Continued)
MIB-2: RFC 1213
Modem: RFC 1696
PPP: Multiple
RMON: Multiple
Routing: Multiple
RS-232-Like: RFC 1659
SNA technology: Multiple
Sonet/SDH: RFC 1595
X.25 technology: Multiple

Page 22

MIB Documents: Service Management
Frame Relay Service: RFC 1604
Meter: RFC 2720
SMDS SIP: RFC 1694

Page 23

MIB Documents: System and Applications Management
Application: RFC 2564
Diffie-Hellman USM Key Management: RFC 2786
DISMAN Scheduling: RFC 2591
DISMAN Scripting: RFC 2592
Domain Name System: Multiple
Host Resources: RFC 2790
Identification: RFC 1414
Mail Monitoring: RFC 2249
Network Services Monitoring: RFC 2788

Page 24

MIB Documents: System and Applications Management (Cont.)
Parallel Printer: RFC 1660
Printer: RFC 1759
Radius: Multiple
Relational Database Server: RFC 1697
System Application: RFC 2287
TN3270: Multiple
UPS: RFC 1628
WWW Server: RFC 2594
X.500 Directory Services Monitoring: RFC 2605

Page 25

The SNMP-based Management Framework Is Not Just For Networks
The only relatively complete, open, multi-vendor, multi-platform, interoperable, standards-based management framework for seamless integrated management of networks, systems, applications, and services

Page 26

Importance of Seamlessness
Sharing: among cooperating management applications
Showing: user interfaces and reports
Crunching: converting data to information and information to data
Telling: SNMP-based movement of management data
Knowing: SMI-based instrumentation

Page 27

Importance of Seamlessness
No single application or set of applications can meet all requirements
Sharing is essential:
Single naming scheme
Consistent data definitions
Standard information semantics
Mapping functions do not work well: every time you convert, you lose
Example: event correlation for network, system, and application management with point solutions and proprietary database formats

Page 28

Protocol Versions: Summary Picture
[Same diagram as page 7: protocol versions SNMPv1, party-based SNMPv2, SNMPv2u, SNMPv2*, SNMPv2c, SNMPv3; MIB document formats RFC 1155, RFC 1212/1215, RFC 1442-4, RFC 1902-4, RFC 2578-80]

Page 29

Evolution of the SNMP Protocol Portion of the Internet-Standard Management Framework
Modular (3 part) specification architecture: 3. Protocol definition
MIB independent: the Simple Network Management Protocol
Protocol operations
Transport mappings
Security and administration
First defined in RFC 1157 (SNMPv1)
Separate documents beginning in SNMPv2
Security and administration completed in SNMPv3

Page 30

Protocol Evolution
(columns: Generation; Protocol Operations; Transport Mappings; Security & Administration)
1st: Protocol operations and transport mappings: RFC 1157 (1988-1993); Security & administration: Community-based
2nd: Protocol operations: RFC 1905 (1993- ); Transport mappings: RFC 1906 (1993- ); Security & administration: Party-based, RFC 1445-47 (1993-1995)
3rd: Protocol operations: SNMP EOS (new work); Security & administration: User-based, RFC 2570-76 (1998- )

Page 31

New Features of SNMPv2c
Expanded data types: 64-bit counters
Improved efficiency and performance: get-bulk operator
Confirmed event notifications: inform operator
Richer error handling: errors and exceptions
Improved sets: especially row creation/deletion
Transport independence: IP, AppleTalk, IPX, ...
Etc.

Page 32

New Features of SNMPv3
New features inherited from SNMPv2c, plus
Security and Administration

Page 33

New Features of SNMPv3 Inherited from SNMPv2c
The list we just saw …
Expanded data types: 64-bit counters
Improved efficiency and performance: get-bulk operator
Confirmed event notifications: inform operator
Richer error handling: errors and exceptions
Improved sets: especially row creation/deletion
Transport independence: IP, AppleTalk, IPX, ...
Etc.
Plus ...

Page 34

Features of SNMPv3: Security and Administrative Framework
Security:
authentication
privacy
Administration:
Authorization and view-based access control
Logical contexts
Naming of entities, identities, and information
People and policies
Usernames and key management
Notification destinations and proxy relationships
Remotely configurable via SNMP operations

Page 35

Security Threats and Mechanisms
Threats protected against by SNMPv3:
1. Masquerade / data origin authentication: an interloper assumes the identity of a sender to gain its privileges.
2. Modification of information / data integrity: alteration of in-transit messages.
3. Message stream modification: messages are re-ordered, delayed, or replayed.
4. Disclosure / data confidentiality: privileged information is obtained via eavesdropping on messages.

Page 36

Security Mechanisms
SNMPv3 uses MD5 and DES as “symmetric,” i.e., private key mechanisms
(MD5 = Message Digest Algorithm 5, RFC 1321)
(DES = Data Encryption Standard)

Page 37

SNMPv3 User-based Authentication Mechanism
Based on:
MD5 message digest algorithm in HMAC
indirectly provides data origin authentication
directly defends against data modification attacks
uses a private key known by both sender and receiver
16 byte key
128 bit digest (truncated to 96 bits)
SHA: an optional alternative algorithm
Loosely synchronized, monotonically increasing time indicator values
defend against certain message stream modification attacks
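The receive-side checks described on this slide, as an added example that is not code from the slides or from SNMP Research: a 16-byte shared key, HMAC-MD5 truncated to 96 bits and compared in constant time, then a timeliness check on the (boots, time) pair carried in the message. The 150-second window is an assumption taken from RFC 3414's USM rules, not from the slide, and the sample key and message bytes are constructed.

```python
import hmac
import hashlib

# Parameters as stated on the slide: a 16-byte private key shared by sender and
# receiver, and a 128-bit HMAC-MD5 digest truncated to 96 bits (12 bytes).
# The 150-second timeliness window is an assumption taken from RFC 3414's USM
# rules; the slide only says the time values are "loosely synchronized".
AUTH_KEY_LEN = 16
TAG_LEN = 12
TIME_WINDOW = 150


def hmac_md5_96(key: bytes, message: bytes) -> bytes:
    """HMAC-MD5 over the message, truncated to the first 96 bits.

    In USM the message is the whole SNMPv3 message with the authentication
    parameter field set to 12 zero bytes; here it is modelled as a byte string.
    """
    if len(key) != AUTH_KEY_LEN:
        raise ValueError("authentication key must be 16 bytes")
    return hmac.new(key, message, hashlib.md5).digest()[:TAG_LEN]


def authenticate(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare it in constant time.

    Any change to the message, or a wrong key, makes the recomputed tag differ;
    that is how HMAC gives data integrity and (indirectly) origin authentication.
    """
    if len(tag) != TAG_LEN:
        return False
    return hmac.compare_digest(hmac_md5_96(key, message), tag)


def timely(local_boots: int, local_time: int,
           msg_boots: int, msg_time: int, window: int = TIME_WINDOW) -> bool:
    """Timeliness check against the (boots, time) pair carried in the message.

    Rejecting messages whose time indicator falls outside the window is what
    defends against delayed and replayed messages (message stream modification).
    """
    if msg_boots != local_boots:
        return False
    return abs(local_time - msg_time) <= window


def verify_message(key: bytes, message: bytes, tag: bytes,
                   local_boots: int, local_time: int,
                   msg_boots: int, msg_time: int) -> bool:
    """Full receive-side check: the tag must verify before the time is trusted."""
    if not authenticate(key, message, tag):
        return False
    return timely(local_boots, local_time, msg_boots, msg_time)


if __name__ == "__main__":
    # Constructed sample: a demo key and an arbitrary stand-in for the message bytes.
    demo_key = bytes(range(16))
    demo_msg = b"constructed SNMPv3 message bytes"
    demo_tag = hmac_md5_96(demo_key, demo_msg)
    print("tag:", demo_tag.hex(),
          "accepted:", verify_message(demo_key, demo_msg, demo_tag, 5, 1000, 5, 1020))
    print("tampered accepted:",
          verify_message(demo_key, demo_msg + b"!", demo_tag, 5, 1000, 5, 1020))
```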

Page 38

SNMPv3 User-based Privacy Mechanism
Based on:
Symmetric encryption used
Data Encryption Standard (DES) in Cipher Block Chaining (CBC) mode
provides privacy / protection against disclosure
uses encryption subject to export and use restrictions in many jurisdictions
16 byte key (8 byte DES key, 8 byte DES initialization vector)
Multiple levels of compliance with respect to DES due to problems associated with international use

Page 39

Secret Rules
Note that both of these mechanisms depend on private keys
Secrets must be kept secret
No post-it notes, no world readable files
Initial keys must be loaded out-of-band
Note that key management is a requirement for a secure infrastructure because without a standardized key distribution mechanism, proper key hygiene will not be practiced

Page 40

Remote Configuration MIB Modules
Each document in the set of SNMPv3 specifications has appropriate Information Modules which define appropriate MIB instrumentation
Includes key management for proper key hygiene
User-friendly string-based naming
UTF8 for international use

Page 41

HTTP and IPSEC are not alternatives because they do only part of the job
They provide authentication and privacy, but do not help with the other parts of the problem:
authorization and view-based access control
multiple logical contexts and information naming
MIB module for standards-based remote configuration of security parameters including key management, notification destinations, etc
HTTP over SSL has the additional problem of connection-orientation, which rules it out for use in fault management

Page 42

Mechanisms: Configurability
Can have:
no authentication / no privacy
authentication / no privacy
authentication / privacy
Configured at the choice of the network administrator, with the user deciding how much to “spend” on security, selecting the correct level of protection, potentially on a transaction-by-transaction basis

Page 43

Mechanisms: Configurability (Continued)
Most administrators are expected to use the three securityLevel choices as follows:
Monitoring: no authentication / no privacy
Control: authentication / no privacy
Downloading secrets: authentication / privacy
Privacy use may possibly be limited by:
Vendor reluctance to ship cryptographic technology
Multiple versions, extra paperwork, etc
FUD
DOTFWHAS: We should not confuse excuses for reasons
Usage restrictions in some jurisdictions

Page 44

Multi-Lingual Implementations for Coexistence and Transition
Cannot upgrade all systems at once
Some systems will never be upgraded
Virtually all products expected to be multi-lingual with simultaneous support for SNMPv1 and SNMPv3, perhaps including SNMPv2c, maybe including Web-based management
Old agent, old packet, old rules, old response; new agent, new packet, new rules, new response
Modular SNMPv3 architecture allows view-based access control to be applied to any/all of these paths

Page 45

Advantages of SNMPv3
So What? Who Cares?

Page 46

Good Things Operators and Administrators will like in SNMPv3
Able to practice safe sets
Configuration / Control / Provisioning
No longer mere monitoring
Able to augment or replace proprietary CLI over Telnet
Via standards-based solutions providing commercial-grade industrial strength security
Authentication and Privacy

Page 47

Good Things Operators and Administrators will like in SNMPv3 (Cont’d)
Now able to distribute management out to intelligent agents and mid-level managers
Important for scalability
Keep local management traffic local
Shorter feedback loops with lower latency

Page 48

Good Things Operators and Administrators will like in SNMPv3: View-based Access Control
Various groups can have differentiated:
levels of access, e.g. staff versus customers
access to different information, e.g., customer 1 versus customer 2
Example: some groups of users might be allowed:
Read-write access to all of the MIB data
Read-write access to subsets of the MIB data
Read-only access to all of the MIB data
Read-only access to subsets of the MIB data
All others get no access
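The five cases on this slide as a small access-control model, added here as an example that is not code from the slides or from SNMP Research. It follows the VACM view-tree idea (subtree plus a mask, longest match wins, entries can include or exclude), which goes a little beyond the slide; the group names, view names and the “customer 1 sees only ifTable row 3” rule are constructed for illustration.

```python
# OIDs are tuples of ints. A view is a list of (subtree, mask, included)
# entries modelled on VACM's viewTreeFamily: mask value 1 means that arc of the
# OID must equal the subtree's arc, 0 means "any value" (a wildcard); arcs
# beyond the mask's length are treated as 1. The most specific (longest)
# matching entry decides whether the OID is inside the view.

MIB2 = (1, 3, 6, 1, 2, 1)
SYSTEM = MIB2 + (1,)
INTERFACES = MIB2 + (2,)
IF_ENTRY = INTERFACES + (2, 1)           # ifTable.ifEntry
SYS_CONTACT = SYSTEM + (4, 0)            # sysContact.0
IF_ADMIN_STATUS_3 = IF_ENTRY + (7, 3)    # ifAdminStatus.3
IF_ADMIN_STATUS_5 = IF_ENTRY + (7, 5)    # ifAdminStatus.5


def in_family(oid, subtree, mask=None):
    """True if oid lies under subtree, honouring wildcard arcs in mask."""
    if len(oid) < len(subtree):
        return False
    for i, arc in enumerate(subtree):
        must_match = mask is None or i >= len(mask) or mask[i] == 1
        if must_match and oid[i] != arc:
            return False
    return True


def view_includes(view, oid):
    """Longest matching family decides; an excluded family can carve a hole."""
    best = None
    for subtree, mask, included in view:
        if in_family(oid, subtree, mask) and (best is None or len(subtree) > len(best[0])):
            best = (subtree, included)
    return best is not None and best[1]


# Constructed views. "customer1" may read the system group plus every column
# of the ifTable row with ifIndex 3, expressed with a wildcard on the column arc.
VIEWS = {
    "all": [(MIB2, None, True)],
    "interfaces-only": [(INTERFACES, None, True)],
    "customer1": [
        (SYSTEM, None, True),
        (IF_ENTRY + (0, 3), (1,) * len(IF_ENTRY) + (0, 1), True),
    ],
}

# Constructed groups, one per case on the slide; anyone else gets no access.
GROUPS = {
    "staff":     {"read": "all", "write": "all"},              # read-write, all MIB data
    "operators": {"read": "all", "write": "interfaces-only"},  # read-write, a subset
    "auditors":  {"read": "all", "write": None},               # read-only, all MIB data
    "customer1": {"read": "customer1", "write": None},         # read-only, a subset
}


def check_access(group, operation, oid):
    """True if the group may perform operation ('get' or 'set') on oid."""
    entry = GROUPS.get(group)
    if entry is None:
        return False
    view_name = entry["write"] if operation == "set" else entry["read"]
    if view_name is None:
        return False
    return view_includes(VIEWS[view_name], oid)


if __name__ == "__main__":
    for group in ("staff", "operators", "auditors", "customer1", "guest"):
        print(group,
              "set ifAdminStatus.3:", check_access(group, "set", IF_ADMIN_STATUS_3),
              "get ifAdminStatus.5:", check_access(group, "get", IF_ADMIN_STATUS_5))
```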

Page 49

Good Things Operators and Administrators will like in SNMPv3 (Cont’d)
Better Notifications:
Traps: spray and pray; the only option in SNMPv1
Informs: send, wait for acknowledgement; retry count and retry interval; added in SNMPv2c but with problems; problems fixed in SNMPv3
Standard MIB objects to configure
Source-side notification suppression

Page 50

Good Things Operators and Administrators will like in SNMPv3 (Cont’d)
Source Side Notification Suppression
Too many resources spent on uninteresting notification messages, e.g., unwanted traps and informs:
Notification generation
Notification transmission and delivery
Notification logging
Notification filtering
SNMPv3 allows you to use a standard MIB and standards-based tools to turn unwanted notifications off at the source
You will really like this

Page 51

Good Things Operators and Administrators will like in SNMPv3 (Cont’d)
Standards-based applications enabled through standard MIB definitions for ease of administration:
User names and keys
Authorization and access control rights
Notification destinations (traps and informs)
Also management of SNMPv1 and SNMPv2c parameters such as community strings

Page 52

Good Things Operators and Administrators will like in SNMPv3 (Cont’d)
Better performance
The Awesome getBulk operator works better with SNMPv3
Less latency and lower overhead through a smaller number of larger packets
One to three orders of magnitude faster than the SNMPv1 getNext operator (typically two)
Negotiates maximum message size correctly
Counter64: no need to poll as often
New features eliminate the need for “gross hacks”, e.g., logical contexts

Page 53

Good Things Operators and Administrators will like in SNMPv3 (Cont’d)
Better error handling:
In a Get Request with 10 items requested and one unavailable:
In SNMPv1, returns an error with no partial results
In SNMPv2/3, results in 9/10 good values and one exception
In a Set Request, if something fails:
In SNMPv1, results in a “No”
In SNMPv2/3, results in a “No-because”

Page 54

Disadvantages of SNMPv3
Security is expensive
More to configure and administer
Unlocked doors are more convenient to use
Community strings were relatively easy to administer
Off-the-shelf tools help
More overhead
Message headers longer and more complex
Cryptographic calculations can increase CPU load approximately 20-ish percent
It will run slower; it will run much slower if software-based DES is used, especially if implemented in Java
Some machines do not have the hardware assets, but almost all do: NO EXCUSES

Page 55

Disadvantages of SNMPv3 (Cont’d)
Export and international usage considerations
Incomplete product support
Some vendors claim customers (i.e., you) don’t care about security
Agents better than manager stations and applications
SNMPv3 code often less mature and shaken out

Page 56

Conclusion: What is SNMPv3?
Newest version of the Internet-standard Management Framework
What SNMPv2 should have been - builds on the good
Compatible with the SMI and MIB you use now
Important enabling technology for configuration and control: adds security and administration for safe sets
Security: authentication and privacy
Administration: logical contexts, view-based access control, remote configuration
Available now

Page 57

Conclusions about SNMPv3
There is a lot to like
But we are not done yet -- there is more to be done

Page 58

The SNMP-based Internet Standard Management Framework is Still Evolving:
Recent and Ongoing IETF Work Items

Page 59

The SNMP-based Management Framework is Evolved and Evolving
Not the same old SNMP your mother used in 1988
Many positive advancements already standardized, implemented, and deployed
Some more are nearly done and ready for implementation and deployment:
SNMP-based configuration
Policy-based Management MIB
Provisioning MIB for DiffServ
Some standardization work is just getting started:
SMIng
Evolution of SNMP: SNMP EOS

Page 60

Recent and Ongoing IETF Work Items: Topics
SNMP-based Configuration Management
Policy MIB Module
EOS Working Group: Evolution of SNMP
SMIng Working Group: Evolution of the Structure of Management Information
Distributed Management Working Group (DISMAN)
MIB Definitions

Page 61

Significant Market Drivers
Growth and scale
Dearth of expert personnel
The need for seamlessness
The need for security
Standards and enabling technology
Driver du jour: secure policy-based configuration of policy, e.g., secure policy-based configuration of security policy
Important to note the multiple meanings of security and policy

Page 62

Multiple Meanings of Policy
Policy-based distribution of configurations (targets selected according to a policy, e.g., every system which runs Solaris and an Apache Web server)
Policy-based application of configuration rules within a system (targets selected according to roles), e.g., for each interface on a switch, apply configuration A on every backbone interface and configuration B on all other interfaces
Configuration of policy, e.g., QoS policy or security policy

Page 63

SNMP-based Configuration Management: IETF SNMPCONF Working Group Goals
Show best practices regarding how to do it. Deliverable: BCP document
Make it easier to do it. Deliverable: Policy MIB Module
Provide a worked out example while addressing pressing immediate needs. DOTFWHAS: one example is worth two books. Provisioning of DiffServ QoS Policy

Page 64

SNMP-based Configuration Management: Policy MIB Module Challenges
Configure multiple parameters with many instances while, to the extent possible, being:
Vendor independent (unlike CLI)
Technology independent (ATM versus DiffServ)
Instance independent (at a higher level of abstraction)
Integration of configuration management with fault management, performance monitoring, etc

Page 65

SNMP-based Configuration Management: Policy MIB Module
The PM MIB uses structured scripts to do policy-based configuration of standard and vendor-specific MIB objects
A policy in the PM MIB is a pairing of a filter rule and an action (simple or complex)
The filter rule selects the applicable elements, i.e., if (an element has certain characteristics) then (apply operation to that element)
Alternately: if (policyFilter) then (policyAction)

Page 66

PolicyScript Language
The script language will look familiar to you if you use C, Perl, C++, Tcl, Python, or Javascript
A simple subset: no pointers, structures, typed variables, objects, classes, etc.
Does contain expressions, variables, looping

Page 67

The Policy-Based Management MIB
PM MIB policies can be applied to any type of manageable element:
Interfaces
Circuits
Queues
Processes
Software
others...

Page 68

A Conceptual Policy
[Diagram: a set of interfaces, each labelled with a role (Trunk or Access), a link type (Ethernet, ATM or Frame), a service class (Gold, Silver, Bronze or none) and a speed (100Mb, 45Mb, 10Mb, 512Kb or 128Kb). The filter “Trunk AND Ethernet AND 100Mb” selects the three Trunk/Ethernet/100Mb interfaces (Gold, Silver and unclassed); the action applied to each is “Autonegotiate Off”.]

Page 69

A Conceptual Policy
[Diagram: the same set of interfaces. The filter “Ethernet AND Access AND Gold” selects the four Access/Ethernet/Gold interfaces (three at 10Mb, one at 100Mb); the action applied to each is “DSCP = 5”.]

Page 70

PM MIB Goals
Leverage existing infrastructure, tools, and MIBs
Resulting simplicity will accelerate time to market
Don’t start from scratch in our data models
Flexibility for real-world policy
Simple or complex filters and simple or complex actions
Do not underestimate the power of configuring by reference versus by value: consider 5 configuration parameters for 500 interfaces, i.e. 2,500 operations. If these are common, then a single SET PDU could change them all simultaneously

Page 71

policyFilter Pseudocode

Pseudocode:
  (is an Ethernet AND is operational AND gets gold or silver service)

Scripted as:
  ((getvar("ifType.$*") == ethernet-csmacd) && (getvar("ifOperStatus.$*") == up) && (roleMatch("gold") || roleMatch("silver")))

Page 72

Execution Example

Filter:
  ((getvar("ifType.$*") == ethernet-csmacd) && (getvar("ifOperStatus.$*") == up) && (roleMatch("gold") || roleMatch("silver")))

Action:
  setvar("ifAdminStatus.$*", down(2), Integer)

Before:
  Index  Type      Roles   AdminStatus
  1      Ethernet  Gold    Up
  2      Frame     Gold    Up
  3      Ethernet          Up
  4      Ethernet  Silver  Up
  5      Ethernet  Silver  Up

After:
  Index  Type      Roles   AdminStatus
  1      Ethernet  Gold    Up
  2      Frame     Gold    Up
  3      Ethernet          Down
  4      Ethernet  Silver  Up
  5      Ethernet  Silver  Up
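The policyFilter and action from the two slides above, evaluated against a five-interface table, as an added example in Python (not part of the slides and not code from any PM MIB implementation). getvar, setvar and roleMatch are modelled on the names the slides use, "$*" is taken to mean the index of the element currently being evaluated, and the IANAifType values and the interface table are constructed for the example. Run as written, the filter selects the operational Ethernet interfaces that carry a gold or silver role (indexes 1, 4 and 5) and the action sets their ifAdminStatus to down(2); the role-less interface 3 and the Frame interface 2 are not selected.

```python
ETHERNET_CSMACD = 6   # IANAifType value for ethernet-csmacd (RFC 2863)
FRAME_RELAY = 32      # IANAifType value for frameRelay
UP, DOWN = 1, 2       # ifOperStatus / ifAdminStatus enumeration values

def iface(if_type, *roles):
    # One row of the constructed interface table; every row starts Up
    return {"ifType": if_type, "ifOperStatus": UP, "ifAdminStatus": UP, "roles": set(roles)}

def before_table():
    # Constructed "before" table mirroring the slide's five interfaces
    return {1: iface(ETHERNET_CSMACD, "gold"), 2: iface(FRAME_RELAY, "gold"),
            3: iface(ETHERNET_CSMACD), 4: iface(ETHERNET_CSMACD, "silver"),
            5: iface(ETHERNET_CSMACD, "silver")}

class Element:
    """Execution context for one element; "$*" resolves to this element's index."""
    def __init__(self, table, index):
        self.table, self.index = table, index
    def _column(self, oid):
        column, suffix = oid.split(".", 1)
        if suffix != "$*":
            raise ValueError(f"only $* indexing is modelled, got {oid!r}")
        return column
    def getvar(self, oid):
        return self.table[self.index][self._column(oid)]
    def setvar(self, oid, value, _type="Integer"):  # _type mirrors the slide's Integer argument
        self.table[self.index][self._column(oid)] = value
    def roleMatch(self, role):
        return role in self.table[self.index]["roles"]

def policy_filter(e):
    # The slide's filter: is Ethernet AND is operational AND gets gold or silver
    return ((e.getvar("ifType.$*") == ETHERNET_CSMACD)
            and (e.getvar("ifOperStatus.$*") == UP)
            and (e.roleMatch("gold") or e.roleMatch("silver")))

def policy_action(e):
    # The slide's action: setvar("ifAdminStatus.$*", down(2), Integer)
    e.setvar("ifAdminStatus.$*", DOWN, "Integer")

def run_policy(table):
    # Evaluate the filter on every element, run the action where it matches; return indexes acted on
    acted_on = []
    for index in sorted(table):
        e = Element(table, index)
        if policy_filter(e):
            policy_action(e)
            acted_on.append(index)
    return acted_on
```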

Page 73

Features of PM MIB

- Scripting
  - Very flexible and understandable way to express policy
  - IT personnel like the power of scripting
  - Much more flexible than string matching
- Policies based on operational status
  - Capabilities, status of interface, utilization, etc.
  - Allows much richer sets of policies than using human-input strings
- Scheduling
  - Business calendars: "M-F 9-5" or "Last Friday of every month"
  - Videoconference from 12PM to 1PM

Page 74

Features of PM MIB

- Conflict resolution
  - Uses a precedence tree to find the best policy in conflicts
  - Policies have precedence - pmPolicyPrecedence
- Error recovery
  - Helps meet service level goals by having backup policies on managed systems
  - Notifications if a policy encounters errors
- Operational aspects:
  - Ability to test a policy
  - Ability to disable a policy on an element so the operator can take back control ("limp-home mode") until the policy is fixed

Page 75

SNMP-based Configuration Management: Benefits of the PM MIB Module

- Configuration tied to fault and performance:
  - An interface that has been configured with DiffServ or IPsec fails
  - Statistics can be collected based on configuration - can selectively optimize data collection
- Built with existing infrastructure and tools
- Leverages existing MIBs
- A complete package, including operational aspects

Page 76

SNMP-based Configuration Management: Benefits of the PM MIB Module

- You will like how the Policy MIB module works to configure DiffServ via the DiffServ MIB and DiffServ Provisioning MIB modules
- The same approach can and will be used with other areas of configuration such as
  - The secure policy-based configuration of security policy
  - Routing
  - etc.

Page 77

Evolution of SNMP: IETF EOS Working Group

- The SNMP protocol portion of the Internet Standard Framework is in its 2nd generation
- The EOS Working Group is chartered to develop and propose a 3rd generation
- Performance enhancements under consideration / development
  - Efficiency through OID suppression and compression
  - Enhanced table manipulation
  - Improved row operations
  - Support for new data types

Page 78

Evolution of the Structure of Management Information: IETF SMIng Working Group

- The SMIng Working Group is developing a new proposal for a next generation data definition language
- Currently compiling and winnowing requirements
- Motivated to have a single protocol-independent data definition language to eliminate wasteful duplication between MIBs and PIBs
- Realistic requirements that can be supported by the SNMP and COPS-PR protocols

Page 79

Evolution of the Structure of Management Information: IETF SMIng Working Group

- Best hits album of SMIv2 and SPPI, plus (still being decided):
  - General cleanup / housekeeping
  - Additional data types
    - Signed and unsigned 64 bit integers
    - Floating point: Float32, Float64, and Float128 (# of bits)
    - Unions and discriminated unions
    - Arrays
    - Aggregate data types
  - New C-like grammar / syntax
  - Language extensibility

Page 80

Evolution of the Structure of Management Information: IETF SMIng Working Group …

- Object oriented design features
  - Classes
  - Inheritance
  - Containment
  - Methods
  - Procedures
  - Constraints: existence constraints, attribute transaction constraints, attribute value constraints, method constraints
  - Associations and association cardinalities
- Not all of the proposals will make the cut

Page 81

Distributed Management: IETF DISMAN Working Group

- With security, it is possible to have intelligent agents or mid-level managers doing distributed management
  - Intelligent agents require configuration
  - Configuration requires security
  or
  - Security enables configuration
  - Configuration enables intelligent agents
- Multiple proprietary MIB modules for years
- IETF DISMAN adding standardization

Page 82

Distributed Management: IETF DISMAN Working Group

- IETF DISMAN is chartered to define MIB specs for distributed network management applications
- Remotely configured as an SNMP agent, acts as a distributed SNMP manager application
- Off-load polling, keeping local polling local
- Proximity yields lower latency and shorter feedback loops
- Important for scalability

Page 83

Distributed Management: IETF DISMAN Working Group

Published work products:
- Schedule MIB (RFC 2591): time-driven execution
- Script MIB (RFC 2592): movement of scripts, not standardizing the language
- Remote Operations MIB (RFC 2925): ping, traceroute, DNS lookup
- Event MIB (RFC 2981): actions based upon thresholds
- Notification Log MIB (RFC 3014)

Works in progress:
- Alarm MIB, ITU Alarm MIB, SNMP Alarms

Page 84

MIB Definitions

- Multiple standards-track specifications
  - WWW MIB
  - Application MIB
  - System Application MIB
  - Network Services Monitoring MIB
  - Host Resources MIB
- You can use these to monitor your and your customers' mission-critical servers and services running on open systems: DNS, Web, e-commerce, etc.

Page 85

MIB Definitions

- Use of a single paradigm allows integrated and correlated data and operations
- Addresses the frustration of multiple, independent, incompatible databases

Page 86

Conclusions

Page 87

Conclusions: The SNMP-based Management Framework is Sturdy

- Originally "the short-term interim standard"
- According to the pundits, has been on its last legs since 1988
  - To be eclipsed by a succession of replacements
- SNMP-based management is still
  - growing
  - expanding scope
  - evolving
- While "replacements" come and go

Page 88

What ever happened to?

- Pre 1989: Proprietary, e.g. IBM NetView, DEC NMCC
- 1989: CMIP over TCP/IP (CMOT)
- 1990: DCE RPC-based management
- 1991: Open Software Foundation Distributed Management Environment (OSF DME)
- 1992: CMIP over LANs (CMOL)

Page 89

What ever happened to?

- 1993: DMTF's Distributed Management Interface (DMI) Management Information File (MIF)
- 1994: OMNIPoint
- 1995: CORBA
- 1996: Web-based device management, Web-enabled management
- 1997: DMTF's WBEM: HMMS, HMMP, HMOM, etc.

Page 90

What ever happened to?

- 1998: JMAPI over Java and DEN/LDAP
- 1999: JDMK over Java and CIM
- 2000: COPS/PIBs
- 2001: XML
- Beyond … more to come …

Page 91

Conclusions:

- The Internet-Standard Management Framework based on SNMP is
  - Evolved
  - Not just for networks
  - Secure
  - Sturdy
- But there is much more work to be done
  - Additional standards work
  - Better applications
  - Implementation
  - Deployment

Page 92

Conclusions:

- SNMP-based management is far from perfect, but it continues to be the best game in town
- The architecture and vision are fine
- We need to execute to completion
- You do not yet get to live that vision, in part because the vendors are not supplying complete and compliant products

Page 93

Conclusions:

- The vendors are not fully implementing and supplying products based on that vision, in part because you are not insisting that they do so
  - Some vendors claim they see little market demand for secure management
- There is an alternative to scripts and proprietary CLI over Telnet: the Internet Standard Management Framework

Page 94

Questions / Comments

Thank you for your participation
