IETF Logo Mail Archive

Re: ISMS working group and charter problems

Jim Thompson <jim@netgate.com> Thu, 08 September 2005 15:51 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EDOgT-0005VG-1w; Thu, 08 Sep 2005 11:51:29 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1ECn4z-0000PA-IJ; Tue, 06 Sep 2005 19:42:17 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA16240; Tue, 6 Sep 2005 19:42:14 -0400 (EDT)
Received: from mail.netgate.com ([64.62.194.115] helo=netgate.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1ECn81-0001dP-93; Tue, 06 Sep 2005 19:45:27 -0400
Received: by netgate.com (Postfix, from userid 45) id A2C48280044; Tue, 6 Sep 2005 16:42:06 -0700 (PDT)
Received: from [192.168.1.183] (rrcs-67-52-77-54.west.biz.rr.com [67.52.77.54]) by netgate.com (Postfix) with ESMTP id 4F82A28003A; Tue, 6 Sep 2005 16:42:03 -0700 (PDT)
In-Reply-To: <431DD59A.4000400@ofcourseimright.com>
References: <431DD59A.4000400@ofcourseimright.com>
Mime-Version: 1.0 (Apple Message framework v734)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <783E51A7-02A3-4E94-B6B0-495F2079ECD6@netgate.com>
Content-Transfer-Encoding: 7bit
From: Jim Thompson <jim@netgate.com>
Date: Tue, 06 Sep 2005 13:42:01 -1000
To: IETF Discussion <ietf@ietf.org>, iesg@ietf.org
X-Mailer: Apple Mail (2.734)
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on he-colo.netgate.com
X-Spam-Status: No, score=-2.6 required=3.0 tests=AWL,BAYES_00 autolearn=ham version=3.0.3
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 225414c974e0d6437992164e91287a51
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Thu, 08 Sep 2005 11:51:23 -0400
Cc: Eliot Lear <lear@ofcourseimright.com>
Subject: Re: ISMS working group and charter problems
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Sender: ietf-bounces@ietf.org
Errors-To: ietf-bounces@ietf.org

I agree with Eliot on this subject.

> From: Eliot Lear <lear@cisco.com>
> Date: September 6, 2005 7:37:01 AM HST
> To: IETF Discussion <ietf@ietf.org>,  nanog@merit.edu,  iesg@ietf.org
> Subject: ISMS working group and charter problems
>
>
> Dear Communities,
>
> I need your help to correct for an impending mistake by the ISMS
> working group in the IETF.
>
> Short Version
>
> The ISMS working group is chartered to find a way for SNMP to make use
> of existing authentication mechanisms.  The current proposed
> approaches will make use of TCP.
>
> I seek a change to the proposed ISMS charter that requests the working
> group pay attention to firewall and NAT concerns.  The current
> envisioned approach will not work through firewalls and NATs.  I
> specifically request that the working group be directed to consider
> "Call Home" functionality as a non-exclusive alternative, where the
> managed device contacts the manager much the same way as your PC
> contacts Microsoft, Apple, etc for updates.
>
> The addition of call home functionality won't represent a major
> architectural change to SNMP.  The major architectural change (if  
> there
> is one) will be the use of SSH at all and the use of TCP.
>
> If you agree with me, I ask that you respond to this note including
> the ietf@ietf.org and iesg@ietf.org so indicating.
>
> Reasoning
>
> Long gone are the days when the IETF can simply ignore firewalls, as
> this working group is currently planning.  An approach that
> demonstrates robustness in the face of firewalls is required.
>
> Long Version
>
> SNMP version 3 has a unique authentication mechanism that does not
> easily integrate with other AAA systems such as radius or kerberos.
> After many years of complaints and lack of deployment of SNMPv3, a
> working group called ISMS was chartered last year to address this
> problem.  At IETF 63 the working group decided to move forward with an
> approach based on SSH.
>
> As you all know, SSH is TCP-based.  This represents a substantial
> change for SNMP.  It also represents a substantial opportunity to
> extend manageability through firewalls.  Currently, if you want to
> manage devices with SNMP through firewalls you must either have the
> firewall run an application layer gateway or you must poke a hole in
> the firewall based on UDP ports.  If you do not control the network
> element, the network manager, AND the firewall, you assuredly have no
> hope of getting SNMP through.  Even if you DO control the firewall,
> configuration of authorized address mappings may make it prohibitively
> difficult to allow management protocols through, especially in the
> face of dynamic address assignment mechanisms such as DHCP and PPP.
> Because we now are considering a TCP-based approach we have the
> opportunity to fix this huge problem.
>
> Why is this important?
>
> Firewalls exist today throughout our infrastructure.  There's a good
> chance you have a simple one at home.  Indeed firewalls exist between
> departments within enterprises.  As companies add services and
> functions onto the Internet their ability to manage these services
> with SNMP deteriorates, requiring the need for expensive custom
> solutions and out of band management.
>
> Furthermore, many telcos today offer managed services, where they
> manage enterprise and consumer devices (routers, switches, etc).  The
> whole concept of an enterprise network has, if you will, become
> virtualized.  Today SNMP does not offer any joy to those who want to
> build a unified management system.
>
> More and more voice over ip (VoIP) has gained acceptance in the market
> place.  However, the ability to debug end points real time is limited.
> Wouldn't it be nice for a manager to query a phone to determine how
> many data packets it thinks it has sent to a far end and then follow
> that stream to determine who is dropping?  In order to accomplish this
> task, the manager has to have access to a phone which, if remote, may
> well be sitting behind a firewall such as the one you have at home.
> Furthermore, if the phone wants to send a notification to a  
> manager, it
> too is likely to reside behind a firewall.
>
> Networks are certainly not the only functions to be managed.  One
> could easily imagine power management services making use of standard
> MIBs as well as enterprise MIBs to handle capacity planning as well as
> dispatch in the face of live problems.
>
> What is currently envisioned by ISMS?
>
> What is currently being discussed is the traditional model, where if
> you want to request information you open up an SSH connection and make
> an SNMP query on top of it once you've authenticated.  If the managed
> device resides behind a firewall, you lose.
>
> Worse, the currently envisioned solution calls for a separate
> connection to be opened to send notifications (traps).  This time, if
> the network management station resides behind you lose again.
>
> What this means is that if there exists a firewall anywhere between
> the firewall and the management station, the currently proposed
> solution will fail.  The astute will note that this approach looks a
> lot like old fashion FTP and will break just in just the same way.
>
> What is needed?
>
> I propose a flexible standard mechanism where either the device or the
> manager can be configured to initiate a connection, and that
> notifications occur either across the same TCP stream, when it
> exists.  For instance, if in the classic case of a manager  
> connecting to
> the element the manager requests the "snmp-request" ssh service, we  
> also
> simply allow for the device to also initiate a connection but instead
> ask for the "snmp-turn" service (with all due credit to the authors of
> SMTP who first anticipated this problem over 20 years ago!).  The same
> for notifications.  This "-turn" approach is sometimes referred to as
> "Call Home" (CH) functionality.
>
> CH has an added advantage as well.  Many devices come and go from the
> network, and it is not reasonable, scalable, or cost effective to poll
> such devices if they are not there.  CH provides a natural discovery
> mechanism for such devices because they initiate request for  
> management.
>
> This proposal does NOT represent a dramatic architectural change to
> SNMP.  The dramatic architectural change will be the use of SSH at  
> all,
> and not who initiates the connection.
>
> What I'm asking you to do
>
> The good news here is that all you have to do is drop the IETF and the
> IESG a note, saying you want to a solution.  This is one of those
> times when you don't even need to fix it yourself.
>
> Please reply to this message, CCing the iesg@ietf.org and
> ietf@ietf.org indicating that you agree that ISMS should not miss the
> opportunity now take into account firewalls.
>
> If you do nothing, the problem will probably be ignored by ISMS.  SNMP
> will continue to serve the needs it serves today, but likely no more.
> Proprietary and competing standards approaches will continue to be
> developed.  Multiple standards in this space would be a waste of
> effort on the part of implementors and operators alike.  Don't let
> this happen!
>
> Eliot
>
>
>
>


_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

v2.23.0 | Report a Bug | By Email