[Isms] Questions on TLSTM/TSM and RFC 5343
Frank Fock <fock@agentpp.com> Sun, 16 January 2011 10:25 UTC
Return-Path: <fock@agentpp.com>
X-Original-To: isms@core3.amsl.com
Delivered-To: isms@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 442B93A6E4A for <isms@core3.amsl.com>; Sun, 16 Jan 2011 02:25:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.949
X-Spam-Level:
X-Spam-Status: No, score=-1.949 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_41=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id diABxUK6h23A for <isms@core3.amsl.com>; Sun, 16 Jan 2011 02:25:02 -0800 (PST)
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.171]) by core3.amsl.com (Postfix) with ESMTP id A75713A6C9D for <isms@ietf.org>; Sun, 16 Jan 2011 02:25:00 -0800 (PST)
Received: from [127.0.0.1] (p5B204BFA.dip.t-dialin.net [91.32.75.250]) by mrelayeu.kundenserver.de (node=mrbap2) with ESMTP (Nemesis) id 0MBr6d-1PWU1F3YFL-00AArs; Sun, 16 Jan 2011 11:27:30 +0100
Message-ID: <4D32C788.5060604@agentpp.com>
Date: Sun, 16 Jan 2011 11:25:12 +0100
From: Frank Fock <fock@agentpp.com>
Organization: AGENT++
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7
MIME-Version: 1.0
To: isms@ietf.org
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Provags-ID: V02:K0:R3zBp2uljJoZoNzdUc/TmEFstxcmQjsR/45uqus0vM3 FES6KVLB7iz5HtEZE0iFg1egsuLVY10iSA/1ykDWiRXUEDDDix GRFjDyEs93jIDKzrsCkNyIkjYuPUQljnH1he9LvuogLw93AKxb aER9kXfGjyt0xbT2R1rTfsjOnaCEB2fofoCn/DCbEBEo6DpFSm s2fFxOJB5L0rr77aQ2au8uP1VKkNyQuws5qnunwXX8=
Subject: [Isms] Questions on TLSTM/TSM and RFC 5343
X-BeenThere: isms@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Mailing list for the ISMS working group <isms.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/isms>
List-Post: <mailto:isms@ietf.org>
List-Help: <mailto:isms-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Jan 2011 10:25:06 -0000
Hi, I am currently implementing RFC 5590, 5591 (TSM), 5953 (TLSTM), and 5343 (Context EngineID Discovery) for SNMP4J 2.0 (snmp4j.org). Next to the above, I also want to implement RFC 5592 (SSHTM). I have not performed any interoperability tests with other implementations yet, because my implementation of the SNMP-TLS-TM-MIB is not ready. Within the next two weeks, I will start interoperability testing with the NET-SNMP implementation. Nevertheless, I would like to give an early feedback and to use the opportunity to ask some questions. While the implementation of TSM and TLSTM was straightforward, RFC 5343 imposed some architectural difficulties: 1. The contextEngineID discovery mechanism of RFC 5343 cannot be implemented within the SNMPv3 message processing model (MPv3) because the MPs are not designed to be able to send messages themselves. The ASIs do not define a callback to the Dispatcher for sending PDUs on behalf of the MPs. Since timeout and retry values are also not available for the MPs, sending discovery PDUs has to be done by the Dispatcher. The Dispatcher however, needs to know if discovery is needed or not. In order to be able to decide that, the Dispatcher needs information of the used Security Model. Unfortunately, RFC 5343 requires that the USM discovery has precedence over RFC 5343 contextEngineID discovery. Whether USM discovery is executed can be decided within the MPv3/USM only, because the local engine ID cache needs to be checked therefore. It was unsatisfying to implement aspects of the contextEngineID discovery in two or three different components of the model. I have not thought about a better solution yet, but may be my second issue/question would provide an alternative? 2. The reasoning for the contextEngineID discovery is not clear to me. If the TSM would replace the defined magic local engine ID ’8000000006’H (put in the scopedPDU by the sender) by the local engine ID of the SNMP entity receiving the scopedPDU before handing it over to the Dispatcher, then discovery would not be needed and the effect would be the same, wouldn't it? (The receiver would replace the local engine ID in any responses of the TSM with the magic local engine ID too.) 3. RFC 5591 §5.2.1 should be clarified. Is the "local engine ID" the magic engine ID ’8000000006’H or the engine ID of the SNMP entity processing the incoming message? All in all, the RFCs seem to be implementable as they are, however especially the discovery mechanism increases the implementation complexity. Implementations need to be able to send different PDUs on behalf of a single application level PDU and support REPORT processing for USM engine ID and time discovery at the same time as "steeling" regular RESPONSE PDUs from the incoming PDUs if they are responses on contextEngineId discovery requests. May be someone on the list can explain to me, why my suggestion (2) above, is not a feasible replacement of the contextEngineId discovery? The current (alpha) implementation of TLSTM and TSM for SNMP4J can be downloaded from: https://server.oosnmp.net/dist/snapshot/org/snmp4j/snmp4j/2.0-SNAPSHOT/ https://server.oosnmp.net/dist/snapshot/org/snmp4j/snmp4j-agent/2.0-SNAPSHOT/ Regards, Frank Fock
- Re: [Isms] Questions on TLSTM/TSM and RFC 5343 t.petch
- [Isms] Questions on TLSTM/TSM and RFC 5343 Frank Fock
- Re: [Isms] IsmsQuestions on TLSTM/TSM and RFC 5343 Wes Hardaker
- Re: [Isms] Questions on TLSTM/TSM and RFC 5343 Juergen Schoenwaelder
- Re: [Isms] IsmsQuestions on TLSTM/TSM and RFC 5343 Frank Fock
- Re: [Isms] IsmsQuestions on TLSTM/TSM and RFC 5343 Wes Hardaker
- Re: [Isms] IsmsQuestions on TLSTM/TSM and RFC 5343 t.petch
- Re: [Isms] IsmsQuestions on TLSTM/TSM and RFC 5343 David Harrington
- Re: [Isms] IsmsQuestions on TLSTM/TSM and RFC 5343 Frank Fock