Ellison Software Consulting

The following articles were updated on Friday 6 March 2009 to the current snapshot of activities:

“Work-in-Progress: Current IETF activity related to SNMP”

“Work-in-Progress: Current IETF activity related to MIBs”

These updates are provided in anticipation of the 74th IETF meeting to be held in San Francisco, CA, USA, 22-27 March 2009.

In a world of commercial and open source software toolkits, how can we best identify and select the option lowering the cost of developing SNMP Agent and SNMP Manager applications?

The goal in selecting an SNMP developers’ toolkit is to find the most cost effective means to accelerate development and realize successful project completion.

During the process of SNMP toolkit evaluation, we need to consider factors from both the technical perspective and business perspective.

Some examples of business factors:

• What are the terms and obligations of the distribution license?
• What level of engineering expertise do we need on staff to effectively use the toolkit?
• What is the initial cost for the toolkit?
• Are there annual maintenance and support costs?
• Do we need to track and pay royalties on derivative works?

Some examples of technical factors:

• Does the toolkit include fully compliant implementations of SNMPv1, SNMPv2c and SNMPv3?
• How well does the toolkit scale when handling a heavy volume of encrypted SNMPv3 messages?
• Is the toolkit easily portable to a variety of hardware platforms and operating systems?
• What useful MIB implementations and utilities are included with the toolkit?
• How helpful is the developers documentation?
• Is the SNMP toolkit API concise or bloated?
• Is the SNMP and MIB terminology used in the toolkit consistent with IETF published RFCs?

• What level of technical support exists? Is there an active developer and user community?
• Does the SNMP toolkit integrate well with other technologies (e.g. Corba, WBEM, Syslog, XML, JMX, TL1)?

Based upon the relative significance of each factor we can identify and select the SNMP developers’ toolkit offering the best value and most cost effective means to accelerate development and realize successful project completion. The right SNMP developers’ toolkit is not necessarily the least expensive. Rather, the right SNMP developers’ toolkit is the one that is capable of providing substantial engineering efficiencies during development and facilitates the delivery of a less encumbered, more profitable product.

Open-source SNMP software was initially created as a reference implementation for interoperability testing with proprietary implementations of the SNMP protocol. Over time, the quality of open-source SNMP developers’ toolkits has improved to a point where there is a suitable match for a variety of OEM development efforts.

Commercial SNMP software often provide a much richer feature set than open-source developers’ toolkits. Also, commercial SNMP software offerings have adjusted to low-end market realities of quality open-source software to a point where there is a low cost or no cost binary commercial version that is often competitive with open-source alternatives.

In either case, open-source or commercial, it is important to have sufficient development expertise with SNMP and MIB technologies to make effective use of the selected SNMP developers’ toolkit. This is the core value provided to your project by the right choice of SNMP consultant.

The next step to gaining a better understanding of the alternatives and trade-offs when identifying and selecting the best choice of commercial or open-source SNMP developers’ toolkit is to contact me with your project requirements and questions.

Updated on Tuesday 10 March 2009

The Structure of Management Information version 2 (SMIv2) provides the standard for the definition of managed objects within Management Information Base (MIB) modules. The current specifications for SMIv2 as published in April of 1999 by the Internet Engineering Task Force (IETF) are freely available as IETF Standard 58, a set of three RFCs (2578-2580).

I am often asked what MIB modules are IETF working groups developing. MIB modules are defined within the relevant working group and reviewed by a small cadre of IETF MIB doctors prior to publication as an RFC. The following provides a brief outline of and links to the current work-in-progress.

Note that Internet-Drafts are works-in-progress and expire when a subsequent revision is available, or six months after initial publication, whichever occurs first.

I am happy to discuss the usefulness and applicability of the below works-in-progress to your project. Just contact me with your project parameters and ideas.

Operations and Management Area:

• Control And Provisioning of Wireless Access Points (capwap)
  • CAPWAP Protocol Base MIB
    draft-ietf-capwap-base-mib-04 - 28-Feb-09
  • CAPWAP Protocol Binding MIB for IEEE 802.11
    draft-ietf-capwap-802dot11-mib-03 - 3-Mar-09

• IP over Cable Data Network (ipcdn)
  • Management Event Management Information Base (MIB) for PacketCable- and IPCablecom-Compliant Devices
    draft-ietf-ipcdn-pktc-eventmess-14 - 17-Aug-08

• IP Flow Information Export (ipfix)
  • Definitions of Managed Objects for IP Flow Information Export
    draft-ietf-ipfix-mib-06 - 9-Mar-09

• Operations and Management Area Working Group (opsawg)
  • Definitions of Managed Objects for Mapping SYSLOG Messages to Simple Network Management Protocol (SNMP) Notifications
    draft-ietf-opsawg-syslog-msg-mib-02 - 9-Mar-09

Internet Area:

• Access Node Control Protocol (ancp)
  • Access Node Control Protocol (ANCP) MIB module for Access Nodes draft-ietf-ancp-mib-an-03 - 24-Jun-08

• Layer 2 Virtual Private Networks (l2vpn)
  • Virtual Private Lan Services (VPLS) Management Information Base draft-ietf-l2vpn-vpls-mib-02 - 15-Jul-08

• Multicast & Anycast Group Membership (magma)
  • Multicast Group Membership Discovery MIB
    draft-ietf-magma-mgmd-mib-15 - 9-Feb-09

• Mobility EXTensions for IPv6 (mext)
  • NEMO Management Information Base
    draft-ietf-mext-nemo-mib-06 - 1-Feb-09

• Mobility for IPv4 (mip4)
  • The Definitions of Managed Objects for Mobile IP UDP Tunneling
    draft-ietf-mip4-udptunnel-mib-02 - 23-Feb-09

• Network Time Protocol (ntp)
  • Definitions of Managed Objects for Network Time Protocol Version 4 (NTPv4)
    draft-ietf-ntp-ntpv4-mib-05 - 28-Aug-08

• Pseudowire Emulation Edge to Edge (pwe3)
  • Pseudowire (PW) Management Information Base (MIB)
    draft-ietf-pwe3-pw-mib-14 - 9-Jan-08
  • Pseudowire (PW) over MPLS PSN Management Information Base (MIB)
    draft-ietf-pwe3-pw-mpls-mib-14 - 9-Jan-08
  • Definitions of Textual Conventions for Pseudowires (PW) Management
    draft-ietf-pwe3-pw-tc-mib-15 - 23-Feb-09
  • SONET/SDH Circuit Emulation Service Over Packet (CEP) Management Information Base (MIB) Using SMIv2
    draft-ietf-pwe3-cep-mib-12 - 9-Jan-08
  • Ethernet Pseudowire (PW) Management Information Base (MIB)
    draft-ietf-pwe3-enet-mib-14 - 20-Feb-09
  • Managed Objects for ATM over Packet Switched Network (PSN)
    draft-ietf-pwe3-pw-atm-mib-06 - 21-Oct-08
  • Managed Objects for TDM over Packet Switched Network (PSN)
    draft-ietf-pwe3-tdm-mib-11 - 21-Oct-08

Security Area:

• Security Issues in Network Event Logging (syslog)
  • Textual Conventions for Syslog Management
    draft-ietf-syslog-tc-mib-08 - 22-May-08

Routing Area:

• Bidirectional Forwarding Detection (bfd)
  • BFD Management Information Base
    draft-ietf-bfd-mib-06 - 31-Oct-08

• Common Control and Measurement Plane (ccamp)
  • Traffic Engineering Database Management Information Base in support of MPLS-TE/GMPLS
    draft-ietf-ccamp-gmpls-ted-mib-05 - 30-Jan-09

• Forwarding and Control Element Separation (forces)
  • ForCES MIB draft-ietf-forces-mib-10 - 10-Sep-08

• Inter-Domain Routing (idr)
  • Definitions of Managed Objects for the Fourth Version of Border Gateway Protocol (BGP-4), Second Version
    draft-ietf-idr-bgp4-mibv2-09 - 18-Feb-09
  • Definitions of Textual Conventions for the Management of the Fourth Version of Border Gateway Protocol (BGP-4)
    draft-ietf-idr-bgp4-mibv2-tc-mib-00 - 18-Feb-09

• Mobile Ad-hoc Networks (manet)
  • Definition of Managed Objects for the DYMO Manet Routing Protocol
    draft-ietf-manet-dymo-mib-02 - 24-Feb-09

• Multiprotocol Label Switching (mpls)
  • Multiprotocol Label Switching (MPLS) Traffic Engineering Management Information Base for Fast Reroute
    draft-ietf-mpls-fastreroute-mib-11 - 24-Feb-09
  • Point-to-Multipoint Multiprotocol Label Switching (MPLS) Traffic Engineering (TE) Management Information Base (MIB) module
    draft-ietf-mpls-p2mp-te-mib-08 - 8-Mar-09

• Open Shortest Path First IGP (ospf)
  • Management Information Base for OSPFv3
    draft-ietf-ospf-ospfv3-mib-13 - 25-Nov-08
  • OSPF Version 2 MIB for Multi-Topology (MT) Routing
    draft-ietf-ospf-mt-mib-03 - 18-Nov-08

• Path Computation Element (pce)
  • Definitions of Managed Objects for Path Computation Element Discovery
    draft-ietf-pce-disc-mib-03 - 24-Oct-08
  • Definitions of Textual Conventions for Path Computation Element
    draft-ietf-pce-tc-mib-04 - 4-Mar-09
  • PCE communication protocol (PCEP) Management Information Base
    draft-ietf-pce-pcep-mib-00 - 21-Jan-09

Transport Area:

• Reliable Server Pooling (rserpool)
  • Reliable Server Pooling MIB Module Definition
    draft-ietf-rserpool-mib-12 - 9-Mar-09

Individual Submissions:

• various working groups
  • Diameter Base Protocol MIB
    draft-zorn-dime-diameter-base-protocol-mib-05 - 6-Mar-09
  • Diameter Credit Control Application MIB
    draft-zorn-dime-diameter-cc-appl-mib-05 - 6-Mar-09
  • The DVB-RCS MIB
    draft-combes-ipdvb-mib-rcs-04 - 4-Sep-08
  • Definitions of Managed Objects for the Fourth Version of Border Gateway Protocol (BGP-4), BGP Community Extension
    draft-jhaas-idr-bgp4-mibv2-community-02 - 2-Nov-08
  • Retriving MIB Information based on NGI
    draft-jinxiang-operations-and-management-ngi-01 - 8-Oct-08
  • Conversion of MIB to XSD for NETCONF
    draft-xiao-conversion-dm-01 - 24-Nov-08
  • Definition of Managed Objects for the Neighborhood Discovery Protocol
    draft-cole-manet-nhdp-mib-01 - 21-Feb-09
  • Proxy Mobile IPv6 Management Information Base
    draft-glenn-netlmm-pmipv6-mib-01 - 3-Nov-08
  • Definition of Managed Objects for the Manet Simplified Multicast Framework Relay Set Process
    draft-cole-manet-smf-mib-02 - 28-Feb-09
  • PANA (Protocol for Carrying Authentication for Network Access) Base Protocol MIB
    draft-fajardo-pana-pana-mib-00 - 23-Oct-08
  • Definition of Managed Objects for the MANET Optimized Link State RoutingProtocol version 2
    draft-cole-manet-olsrv2-mib-01 - 21-Feb-09
  • draft-kumar-mpls-fec-to-nhlfe-mib-00
    draft-kumar-mpls-fec-to-nhlfe-mib-00 - 19-Dec-08
  • Translation of SMIv2 MIB Modules to YANG Modules
    draft-schoenw-netmod-smi-yang-00 - 30-Jan-09
  • Definitions of Managed Objects for lock via network management protocols
    draft-meng-fan-lock-mib-00 -
    27-Feb-09

Updated on Tuesday 10 March 2009

The Simple Network Management Protocol version 3 (SNMPv3) is the Internet-Standard Management Framework. The current specifications for SNMPv3 as published in December of 2002 by the Internet Engineering Task Force (IETF) are freely available as IETF Standard 62, a set of eight RFCs (3411-3418).

I am often asked what IETF working groups have work-in-progress on improving upon the current SNMPv3 standard. The following provides a brief outline of and links to the current work-in-progress.

Within the Security Area:

• Integrated Security Model for SNMP Working Group (isms)The goal of the ISMS working group is developing a new security model for SNMP that integrates with widely deployed user and key management systems, as a supplement to the USM security model.Current Internet-Drafts include:
  • Secure Shell Transport Model for SNMP
    draft-ietf-isms-secshell-15 - 9-Mar-09
  • Transport Subsystem for the Simple Network Management Protocol (SNMP)
    draft-ietf-isms-tmsm-16 - 25-Feb-09
  • Transport Security Model for SNMP
    draft-ietf-isms-transport-security-model-12 - 9-Mar-09
  • Remote Authentication Dial-In User Service (RADIUS) Usage for Simple Network Management Protocol (SNMP) Transport Models
    draft-ietf-isms-radius-usage-05 - 8-Mar-09

Within the Operations and Management Area:

• Network Configuration Working Group (netconf)The NETCONF Working Group is chartered to produce a protocol suitable for network configuration. The NETCONF protocol is using XML for data encoding purposes, because XML is a widely deployed standard which is supported by a large number of applications.Current Internet-Drafts include:
  • NETCONF Over Transport Layer Security (TLS)
    draft-ietf-netconf-tls-07 - 24-Feb-09
  • Partial Lock RPC for NETCONF
    draft-ietf-netconf-partial-lock-07 - 19-Feb-09
  • NETCONF Monitoring Schema
    draft-ietf-netconf-monitoring-04 - 9-Mar-09
  • With-defaults capability for NETCONF
    draft-ietf-netconf-with-defaults-00 - 18-Feb-09
  • NETCONF Configuration Protocol
    draft-ietf-netconf-4741bis-00 - 4-Mar-09

  Current RFCs include:

  • Experience of Implementing NETCONF over SOAP
    RFC5381 - October 2008, Informational
  • NETCONF Event Notifications
    RFC5277 - July 2008, Proposed Standard
  • Using the NETCONF Protocol over the Blocks Extensible Exchange Protocol (BEEP)
    RFC4744 - December 2006, Proposed Standard
  • Using NETCONF over the Simple Object Access Protocol (SOAP)
    RFC4743 - December 2006, Proposed Standard
  • Using the NETCONF Configuration Protocol over Secure Shell (SSH)
    RFC4742 - December 2006, Proposed Standard
  • NETCONF Configuration Protocol
    RFC4741 - December 2006, Proposed Standard

• NETCONF Data Modeling Language Working Group (netmod)The NETMOD Working Group will define a “human-friendly” modeling language defining the semantics of operational data, configuration data, notifications, and operations.Current Internet-Drafts include:
  • YANG - A data modeling language for NETCONF
    draft-ietf-netmod-yang-04 - 6-Mar-09
  • Common YANG Data Types
    draft-ietf-netmod-yang-types-02 - 9-Mar-09
  • Mapping YANG to Document Schema Definition Languages and Validating NETCONF Content
    draft-ietf-netmod-dsdl-map-01 - 8-Mar-09
  • An Architecture for Network Management
    draft-ietf-netmod-arch-00 - 3-Mar-09

• Operations and Management Area Working Group (opsawg)The Operations and Management Area receives occasional proposals for the development and publication of RFCs dealing with operational and management topics that are not in scope of an existing working group and do not justify the formation of a new working group.Current Internet-Drafts include:
  • Guidelines for Considering Operations and Management of New Protocols
    draft-ietf-opsawg-operations-and-management-06 - 9-Mar-09
  • Expressing SNMP SMI Datatypes in XML Schema Definition Language
    draft-ietf-opsawg-smi-datatypes-in-xsd-04 - 28-Oct-08
  • Alarms in SYSLOG
    draft-ietf-opsawg-syslog-alarm-01 - 2-Nov-08
  • Definitions of Managed Objects for Mapping SYSLOG Messages to Simple Network Management Protocol (SNMP) Notifications
    draft-ietf-opsawg-syslog-msg-mib-01 - 16-Feb-09
  • Mapping Simple Network Management Protocol (SNMP) Notifications to SYSLOG Messages
    draft-ietf-opsawg-syslog-snmp-01 - 9-Mar-09
  • Survey of IETF Network Management Standards
    draft-ietf-opsawg-survey-management-00 - 2-Mar-09

  Current RFCs include:

  • Simple Network Management Protocol (SNMP) Traffic Measurements and Trace Exchange Formats
    RFC5345 - October 2008, Informational
  • Simple Network Management Protocol (SNMP) Context EngineID Discovery
    RFC5343 - September 2008, Proposed Standard (Updates RFC3411 )

Individual Submissions:

• various working groups
  • Mapping Simple Network Management Protocol (SNMP) Notifications to SYSLOG Messages
    draft-marinov-syslog-snmp-02 - 1-Oct-08
  • Definitions of Managed Objects for Mapping SYSLOG Messages to Simple Network Management Protocol (SNMP) Notifications
    draft-schoenw-syslog-msg-mib-02 - 9-Feb-09
  • Simplified View-based Access Control Model (SVACM) for the Simple NetworkManagement Protocol (SNMP)
    draft-li-isms-svacm-01 - 18-Nov-08
  • Datagram Transport Layer Security Transport Model for SNMP
    draft-hardaker-isms-dtls-tm-02 - 9-Mar-09
  • SNMP optimizations for 6LoWPAN
    draft-hamid-6lowpan-snmp-optimizations-00 - 4-Mar-09
  • Conversion of MIB to XSD for NETCONF
    draft-xiao-conversion-dm-01 - 24-Nov-08
  • NETCONF DSDL and Yang Mapping
    draft-lhotka-yang-dsdl-map-01 - 3-Nov-08
  • Robust Configuration Management within NETCONF
    draft-cole-netconf-robust-config-00 - 26-Feb-09
  • The Extension of Subtree Filtering of NETCONF
    draft-zhang-netconf-subtree-00 - 28-Feb-09
  • Modular RELAX NG Schema of NETCONF RPC and Protocol Operations
    draft-lhotka-netconf-relaxng-00 - 2-Mar-09
  • A YANG Module for the NETCONF Protocol
    draft-bierman-netmod-netconf-module-00 - 19-Jan-09
  • Guidelines for Authors and Reviewers of YANG Data Model Documents
    draft-bierman-netmod-yang-usage-00 - 23-Jan-09
  • Translation of SMIv2 MIB Modules to YANG Modules
    draft-schoenw-netmod-smi-yang-00 - 30-Jan-09

Management Information Base (MIB) modules are designed within the applicable protocol working group and is the topic of another article.

I am happy to discuss the usefulness and applicability of the above works-in-progress to your project. Just contact me with your project parameters and ideas.

Versions of the SNMP prior to third version (SNMPv3) did not include adequate security. Any sufficiently motivated individual with physical access to a shared network link and a protocol sniffer had the ability to capture clear text messages exchanged between a manager application and its agents. Once captured, it was simply a matter of extracting community strings and agent addresses of interest in order to usurp the role of the manager application, possibly hijacking and re-configuring network devices along the way.

The design of SNMPv3 included authentication and privacy (encryption) mechanisms for the protocol. By incorporating these mechanisms, SNMPv3 became self sufficient with no need of any other network services for the secure transmission of SNMP messages. After all, network operators need their network management protocol to be functional even when major portions of the network and its services are impaired.

Three security levels are defined for SNMPv3, in increasing degree of security as follow:

• noAuthNoPriv - essentially clear text messages providing backwards compatibility with earlier versions of the SNMP
• authNoPriv - authenticated messages (SHA1 or MD5 hash), but messages are still transmitted in clear text
• authPriv - authenticated messages with the scoped PDU portion of message encrypted (DES or AES)

For manager applications that only require their agents to verify the authenticity of SNMP message exchanges, the authNoPriv security level is sufficient. This security level offers adequate protection for SNMP message exchanges that do not include sensitive data.

For manager applications that require their agents to both verify the authenticity of SNMP message exchanges and to provide privacy (encryption) of sensitive data contained within the scoped PDU portion of the SNMP message, the authPriv security level must be used. Since the DES encryption cipher is considered cracked, an AES encryption cipher of sufficient length should be used.

However, it is important to avoid using weak authentication or privacy pass phrases. Even when an SNMP manager application uses the authPriv security level with the AES cipher, you can jeopardize secure SNMPv3 message transmissions. In better deployments, the SNMP configuration and applications work together with the proper ciphers and strong pass phrases to ensure secure SNMPv3 message transmission and I am happy to show you just how easy it is to get this right.

In highly secure environments snmpEngineID values should also be protected by using a discovery mechanism together with a security model that avoids exchanging cleartext SNMP messages on network links.

The next step towards using SNMPv3 for secure transmission of SNMP messages is to contact me with your project requirements and questions.

In our current business economy development schedules are short and project budgets constrained.

When a software project involves the design of Enterprise MIB modules, there is a tried and true approach to reducing associated cost and risk factors. This valuable design approach leverages the practical wisdom and lessons-learned from the development of more than 250 IETF standards-track MIB modules.

The IETF Operations And Management (OAM) Area directorate collected and posted helpful information related to MIB design on the following topics:

• A boilerplate for MIB documents
• Suggested guidelines for MIB security sections
• A list of generic and common textual conventions
• Readily available MIB review and validation tools

These topics and others are published as a “Best Current Practice” in RFC 4181, “Guidelines for MIB Documents”. RFC 4181 describe a better approach towards the design of MIB modules, but does not address the single largest cause of rework and redesign. This critical step, is the creation of an Information Model, as cited by the Network Management Research Group (NMRG).

Within each IETF standards-track MIB module there exists a tacit, de-facto Information Model. This NMRG view describes how Information Models can represent different abstraction levels and provides a set of reverse-engineered Information models for IETF published MIB modules. This NMRG point of view is described in RFC 3444, “On the Difference between Information Models and Data Models”. Since publication of RFC 3444, IETF working groups now define an Information Model before designing their MIB modules.

My consulting clients who choose to first define an Information Model regard this initial step as a great value for reasons that include the following:

• Efficient knowledge transfer from domain subject experts
• Easy to understand graphic format
• Identifies major system components, their relationships and multiplicity
• Effectively specifies the SNMP INDEX for each system component
• Provides a means to express and analysis use cases

And the best value yielded by the small amount of time and effort spent on first defining an Information Model is the significant reduction in latter development stage risk involving re-design of portions of their Enterprise MIB modules.

It is simply easier to identify and correct logic on a single page or screen image than it is to modify definitions and descriptive text across the hundreds of pages comprising a set of enterprise MIB modules. The simple fact that the need for re-design is often first detected during the latter phases of implementing MIB modules in an SNMP Agent or SNMP Manager application serves to compound the value provided by the initial definition of an Information Model.

Certainly the design approach of information modeling before Enterprise MIB design reduces cost and reduces risk that can adversely impact project budget and schedule.

The next step in taking advantage of this valuable design approach is to contact me with your project requirements and questions.