Re: [dhcwg] RE: draft-bakke-dhc-snmp-trap-00.txt
Mark Bakke <mbakke@cisco.com> Mon, 23 September 2002 21:25 UTC
Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA25661 for <dhcwg-archive@odin.ietf.org>; Mon, 23 Sep 2002 17:25:15 -0400 (EDT)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id g8NLQfQ07203 for dhcwg-archive@odin.ietf.org; Mon, 23 Sep 2002 17:26:41 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id g8NLQfv07200 for <dhcwg-web-archive@optimus.ietf.org>; Mon, 23 Sep 2002 17:26:41 -0400
Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA25644 for <dhcwg-web-archive@ietf.org>; Mon, 23 Sep 2002 17:24:45 -0400 (EDT)
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id g8NLKXv06919; Mon, 23 Sep 2002 17:20:33 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id g8NLJ5v06859 for <dhcwg@optimus.ietf.org>; Mon, 23 Sep 2002 17:19:05 -0400
Received: from sj-msg-core-3.cisco.com (sj-msg-core-3.cisco.com [171.70.157.152]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA25370 for <dhcwg@ietf.org>; Mon, 23 Sep 2002 17:17:08 -0400 (EDT)
Received: from sj-msg-av-2.cisco.com (sj-msg-av-2.cisco.com [171.69.24.12]) by sj-msg-core-3.cisco.com (8.12.2/8.12.2) with ESMTP id g8NLIN3x028404; Mon, 23 Sep 2002 14:18:23 -0700 (PDT)
Received: from nisser.cisco.com (localhost [127.0.0.1]) by sj-msg-av-2.cisco.com (8.12.2/8.12.2) with ESMTP id g8NLISc8000718; Mon, 23 Sep 2002 14:18:28 -0700 (PDT)
Received: from cisco.com (mbakke-lnx2.cisco.com [64.101.211.59]) by nisser.cisco.com (8.8.6 (PHNE_14041)/CISCO.SERVER.1.2) with ESMTP id OAA23285; Mon, 23 Sep 2002 14:18:16 -0700 (PDT)
Message-ID: <3D8F8518.ACAF702C@cisco.com>
Date: Mon, 23 Sep 2002 16:18:16 -0500
From: Mark Bakke <mbakke@cisco.com>
X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.4.9-34.cisco.2 i686)
X-Accept-Language: en, de
MIME-Version: 1.0
To: "Wijnen, Bert (Bert)" <bwijnen@lucent.com>
CC: "'dhcwg@ietf.org'" <dhcwg@ietf.org>, "snmpv3@lists. tislabs. com (E-mail)" <snmpv3@lists.tislabs.com>, mibs@ops.ietf.org
Subject: Re: [dhcwg] RE: draft-bakke-dhc-snmp-trap-00.txt
References: <A451D5E6F15FD211BABC0008C7FAD7BC0EFFDEFF@nl0006exch003u.nl.lucent.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Sender: dhcwg-admin@ietf.org
Errors-To: dhcwg-admin@ietf.org
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Id: <dhcwg.ietf.org>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
"Wijnen, Bert (Bert)" wrote: > > So it seems you did not think about it in detail. > What I hate to see is a partial solution to jsut the trap > handling. That is what the IPCDN (cable modem folk) seemed > to be doing too... and I pushed back on that (partial) > solution too. I do not have a answer ready... > > First question would be: is it a generic problem that people face? Yes. There are increasingly more solutions that allow hosts, racks of servers, embedded devices, etc. to be booted from the network. When this fails, the host's normal configuration info (particularly the SNMP notification list) is not available, so there's no good way to tell a management station about it. I assume that most networks would want to use SNMP for this, but syslog would work as well. > > Second question: what is the complete scope of the problem? My personal complete scope is to set a notification list for SNMPv1 and v2c hosts, with v3 a possibility in the future. Since this is used only for notifications, I assume that supporting v3 authentication would be a good idea (so notifications are not spoofed) but that privacy is probably not that much of an issue (but again, may need to be there for completeness). > Third question: what would be a good/feasable/workable solution? However, it may not be possible to configure enough of the security stuff securely (did I say that right) using DHCP to actually make use of v3 security. If that's the case, there could be a compromise: - Configure the list of v1, v2c, and v3 notification targets as I had proposed, with only the security name (and not the keys) in the v3 target strings. - During boot, if a notification needs to be sent, and the v3 security parameters are not yet known for a target, skip that target, but still send to the others in the list (such as the v1 and v2c targets). - Once the host has booted far enough so the security parameters are known (through its normal configuration), include the v3 targets in any notifications. This means two scenarios can happen: 1. A host, during boot, only sends v1 and/or v2c notifications without security. Once it's up and running, notifications include v3 targets, too. 2. A host has v3 username-to-security-parameter settings in its non-volatile configuration. These are available during boot, and can be associated with a notification target from DHCP by its security-name. This might be the best direction to go for the future; have security keys in the machines, and the actual targets for notification controlled centrally via DHCP. I think this would be a reasonable solution, given that it's probably not practical to configure the security keys for a host using DHCP. Does this help? -- Mark > > Thanks, > Bert > > > -----Original Message----- > > From: Mark Bakke [mailto:mbakke@cisco.com] > > Sent: maandag 23 september 2002 15:55 > > To: Wijnen, Bert (Bert) > > Cc: 'dhcwg@ietf.org'; snmpv3@lists. tislabs. com (E-mail); > > mibs@ops.ietf.org > > Subject: Re: draft-bakke-dhc-snmp-trap-00.txt > > > > > > I assumed that, when we get to configuring SNMPv3 security, > > that the names "joe" and "bob" would be separately associated > > with their keys. I wanted to keep this particular DHCP > > option scope to include the notification list, and the names > > would reference keys configured somewhere else (perhaps another > > DHCP option, but since I haven't seen encrypted DHCP, this > > might not work). In other words, I don't know, but I think > > that if it was DHCP, it would be better as a separate option. > > > > Any ideas? > > > > "Wijnen, Bert (Bert)" wrote: > > > > > > So in your new proposal, how did/do users Joe and Bob get > > > defined with their secret keys etc at the agent side? > > > > > > Thanks, > > > Bert > > > > -- > > Mark A. Bakke > > Cisco Systems > > mbakke@cisco.com > > 763.398.1054 > > > _______________________________________________ > dhcwg mailing list > dhcwg@ietf.org > https://www1.ietf.org/mailman/listinfo/dhcwg -- Mark A. Bakke Cisco Systems mbakke@cisco.com 763.398.1054 _______________________________________________ dhcwg mailing list dhcwg@ietf.org https://www1.ietf.org/mailman/listinfo/dhcwg
- [dhcwg] Re: draft-bakke-dhc-snmp-trap-00.txt Mark Bakke
- [dhcwg] draft-bakke-dhc-snmp-trap-00.txt Harrington, David
- [dhcwg] Re: draft-bakke-dhc-snmp-trap-00.txt Mark Bakke
- [dhcwg] RE: draft-bakke-dhc-snmp-trap-00.txt Harrington, David
- [dhcwg] RE: draft-bakke-dhc-snmp-trap-00.txt Wijnen, Bert (Bert)
- Re: [dhcwg] RE: draft-bakke-dhc-snmp-trap-00.txt Mark Bakke
- [dhcwg] Re: draft-bakke-dhc-snmp-trap-00.txt Mark Bakke
- [dhcwg] RE: draft-bakke-dhc-snmp-trap-00.txt Wijnen, Bert (Bert)
- Re: [dhcwg] RE: draft-bakke-dhc-snmp-trap-00.txt Mark Bakke
- RE: [dhcwg] RE: draft-bakke-dhc-snmp-trap-00.txt Wijnen, Bert (Bert)
- RE: [dhcwg] RE: draft-bakke-dhc-snmp-trap-00.txt Randy Presuhn
- RE: [dhcwg] RE: draft-bakke-dhc-snmp-trap-00.txt Andrea Westerinen