Re: [Isms] Questions on TLSTM/TSM and RFC 5343
"t.petch" <ietfc@btconnect.com> Tue, 18 January 2011 17:28 UTC
Return-Path: <ietfc@btconnect.com>
X-Original-To: isms@core3.amsl.com
Delivered-To: isms@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C93D73A6F6C for <isms@core3.amsl.com>; Tue, 18 Jan 2011 09:28:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.039
X-Spam-Level:
X-Spam-Status: No, score=-2.039 tagged_above=-999 required=5 tests=[AWL=-0.040, BAYES_00=-2.599, J_CHICKENPOX_41=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jHz9CjkUXt-c for <isms@core3.amsl.com>; Tue, 18 Jan 2011 09:28:20 -0800 (PST)
Received: from mail.btconnect.com (c2beaomr07.btconnect.com [213.123.26.185]) by core3.amsl.com (Postfix) with ESMTP id 23BFD3A6BA3 for <isms@ietf.org>; Tue, 18 Jan 2011 09:28:19 -0800 (PST)
Received: from host86-134-205-117.range86-134.btcentralplus.com (HELO pc6) ([86.134.205.117]) by c2beaomr07.btconnect.com with SMTP id BLC21277; Tue, 18 Jan 2011 17:30:51 +0000 (GMT)
Message-ID: <000901cbb72c$950d1e20$4001a8c0@gateway.2wire.net>
From: "t.petch" <ietfc@btconnect.com>
To: Frank Fock <fock@agentpp.com>, isms@ietf.org
References: <4D32C788.5060604@agentpp.com>
Date: Tue, 18 Jan 2011 17:27:10 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Mirapoint-IP-Reputation: reputation=Fair-1, source=Queried, refid=tid=0001.0A0B0301.4D35CE46.01A5, actions=tag
X-Junkmail-Status: score=10/50, host=c2beaomr07.btconnect.com
X-Junkmail-Signature-Raw: score=unknown, refid=str=0001.0A0B0204.4D35CE4F.02A1, ss=1, fgs=0, ip=0.0.0.0, so=2010-07-22 22:03:31, dmn=2009-09-10 00:05:08, mode=single engine
X-Junkmail-IWF: false
Subject: Re: [Isms] Questions on TLSTM/TSM and RFC 5343
X-BeenThere: isms@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Mailing list for the ISMS working group <isms.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/isms>
List-Post: <mailto:isms@ietf.org>
List-Help: <mailto:isms-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Jan 2011 17:28:21 -0000
<inline> ----- Original Message ----- From: "Frank Fock" <fock@agentpp.com> To: <isms@ietf.org> Sent: Sunday, January 16, 2011 11:25 AM I am currently implementing RFC 5590, 5591 (TSM), 5953 (TLSTM), and 5343 (Context EngineID Discovery) for SNMP4J 2.0 (snmp4j.org). Next to the above, I also want to implement RFC 5592 (SSHTM). I have not performed any interoperability tests with other implementations yet, because my implementation of the SNMP-TLS-TM-MIB is not ready. Within the next two weeks, I will start interoperability testing with the NET-SNMP implementation. Nevertheless, I would like to give an early feedback and to use the opportunity to ask some questions. While the implementation of TSM and TLSTM was straightforward, RFC 5343 imposed some architectural difficulties: 1. The contextEngineID discovery mechanism of RFC 5343 cannot be implemented within the SNMPv3 message processing model (MPv3) because the MPs are not designed to be able to send messages themselves. The ASIs do not define a callback to the Dispatcher for sending PDUs on behalf of the MPs. Since timeout and retry values are also not available for the MPs, sending discovery PDUs has to be done by the Dispatcher. The Dispatcher however, needs to know if discovery is needed or not. In order to be able to decide that, the Dispatcher needs information of the used Security Model. Unfortunately, RFC 5343 requires that the USM discovery has precedence over RFC 5343 contextEngineID discovery. Whether USM discovery is executed can be decided within the MPv3/USM only, because the local engine ID cache needs to be checked therefore. It was unsatisfying to implement aspects of the contextEngineID discovery in two or three different components of the model. I have not thought about a better solution yet, but may be my second issue/question would provide an alternative? <tp> The MPP cannot send a message but does not need to. The Dispatcher is called by the application, and so knows the Security Model and whether or not the contextEngineID is known, so the dispatcher knows all that it needs to in order to know whether or not to invoke the discovery. I am unclear where the problem lies. </tp> 2. The reasoning for the contextEngineID discovery is not clear to me. If the TSM would replace the defined magic local engine ID ’8000000006’H (put in the scopedPDU by the sender) by the local engine ID of the SNMP entity receiving the scopedPDU before handing it over to the Dispatcher, then discovery would not be needed and the effect would be the same, wouldn't it? (The receiver would replace the local engine ID in any responses of the TSM with the magic local engine ID too.) <tp> engineID uniquely identifies an engine in a domain, making object values that would otherwise have the same identifiers unique. A Command Generator needs to know the engineId of the Command Responder. Originally, USM performed the discovery so no more was needed. With TSM, and perhaps with others, the Security Model does not perform discovery so another mechanism is needed; hence RFC5343 I would expect the well-known local value that all engines implementing this to have to only be used for discovery, not for any other PDU. </tp> 3. RFC 5591 §5.2.1 should be clarified. Is the "local engine ID" the magic engine ID ’8000000006’H or the engine ID of the SNMP entity processing the incoming message? <tp> Indeed it should, perhaps you should raise an erratum. RFC5591 existed as an I-D for many years before RFC5343 so when the I-D was written, local engineID could only mean the one that uniquely identified the local engine within the domain. RFC5343 introduced an ambiguity that those of us reviewing RFC5591 did not pick up. I am sure that many on this list will be very interested in your further experience and especially in your interoperability tests. Tom Petch </tp> All in all, the RFCs seem to be implementable as they are, however especially the discovery mechanism increases the implementation complexity. Implementations need to be able to send different PDUs on behalf of a single application level PDU and support REPORT processing for USM engine ID and time discovery at the same time as "steeling" regular RESPONSE PDUs from the incoming PDUs if they are responses on contextEngineId discovery requests. May be someone on the list can explain to me, why my suggestion (2) above, is not a feasible replacement of the contextEngineId discovery? The current (alpha) implementation of TLSTM and TSM for SNMP4J can be downloaded from: https://server.oosnmp.net/dist/snapshot/org/snmp4j/snmp4j/2.0-SNAPSHOT/ https://server.oosnmp.net/dist/snapshot/org/snmp4j/snmp4j-agent/2.0-SNAPSHOT/ Regards, Frank Fock
- Re: [Isms] Questions on TLSTM/TSM and RFC 5343 t.petch
- [Isms] Questions on TLSTM/TSM and RFC 5343 Frank Fock
- Re: [Isms] IsmsQuestions on TLSTM/TSM and RFC 5343 Wes Hardaker
- Re: [Isms] Questions on TLSTM/TSM and RFC 5343 Juergen Schoenwaelder
- Re: [Isms] IsmsQuestions on TLSTM/TSM and RFC 5343 Frank Fock
- Re: [Isms] IsmsQuestions on TLSTM/TSM and RFC 5343 Wes Hardaker
- Re: [Isms] IsmsQuestions on TLSTM/TSM and RFC 5343 t.petch
- Re: [Isms] IsmsQuestions on TLSTM/TSM and RFC 5343 David Harrington
- Re: [Isms] IsmsQuestions on TLSTM/TSM and RFC 5343 Frank Fock