IETF Logo Mail Archive

[Isms] Questions on TLSTM/TSM and RFC 5343

Frank Fock <fock@agentpp.com> Sun, 16 January 2011 10:25 UTC

Return-Path: <fock@agentpp.com>
X-Original-To: isms@core3.amsl.com
Delivered-To: isms@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 442B93A6E4A for <isms@core3.amsl.com>; Sun, 16 Jan 2011 02:25:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.949
X-Spam-Level:
X-Spam-Status: No, score=-1.949 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_41=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id diABxUK6h23A for <isms@core3.amsl.com>; Sun, 16 Jan 2011 02:25:02 -0800 (PST)
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.171]) by core3.amsl.com (Postfix) with ESMTP id A75713A6C9D for <isms@ietf.org>; Sun, 16 Jan 2011 02:25:00 -0800 (PST)
Received: from [127.0.0.1] (p5B204BFA.dip.t-dialin.net [91.32.75.250]) by mrelayeu.kundenserver.de (node=mrbap2) with ESMTP (Nemesis) id 0MBr6d-1PWU1F3YFL-00AArs; Sun, 16 Jan 2011 11:27:30 +0100
Message-ID: <4D32C788.5060604@agentpp.com>
Date: Sun, 16 Jan 2011 11:25:12 +0100
From: Frank Fock <fock@agentpp.com>
Organization: AGENT++
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7
MIME-Version: 1.0
To: isms@ietf.org
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Provags-ID: V02:K0:R3zBp2uljJoZoNzdUc/TmEFstxcmQjsR/45uqus0vM3 FES6KVLB7iz5HtEZE0iFg1egsuLVY10iSA/1ykDWiRXUEDDDix GRFjDyEs93jIDKzrsCkNyIkjYuPUQljnH1he9LvuogLw93AKxb aER9kXfGjyt0xbT2R1rTfsjOnaCEB2fofoCn/DCbEBEo6DpFSm s2fFxOJB5L0rr77aQ2au8uP1VKkNyQuws5qnunwXX8=
Subject: [Isms] Questions on TLSTM/TSM and RFC 5343
X-BeenThere: isms@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Mailing list for the ISMS working group <isms.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/isms>
List-Post: <mailto:isms@ietf.org>
List-Help: <mailto:isms-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Jan 2011 10:25:06 -0000

Hi,

I am currently implementing RFC 5590, 5591 (TSM),
5953 (TLSTM), and 5343 (Context EngineID Discovery)
for SNMP4J 2.0 (snmp4j.org).

Next to the above, I also want to implement RFC 5592
(SSHTM).

I have not performed any interoperability tests with
other implementations yet, because my implementation
of the SNMP-TLS-TM-MIB is not ready. Within the
next two weeks, I will start interoperability
testing with the NET-SNMP implementation.

Nevertheless, I would like to give an early feedback
and to use the opportunity to ask some questions.

While the implementation of TSM and TLSTM was
straightforward, RFC 5343 imposed some
architectural difficulties:

1. The contextEngineID discovery mechanism of
RFC 5343 cannot be implemented within the SNMPv3
message processing model (MPv3) because the
MPs are not designed to be able to send messages
themselves.
The ASIs do not define a callback to the
Dispatcher for sending PDUs on behalf of the MPs.
Since timeout and retry values are also
not available for the MPs, sending discovery
PDUs has to be done by the Dispatcher.

The Dispatcher however, needs to know if
discovery is needed or not. In order to
be able to decide that, the Dispatcher needs
information of the used Security Model.
Unfortunately, RFC 5343 requires that the
USM discovery has precedence over RFC 5343
contextEngineID discovery. Whether USM
discovery is executed can be decided within
the MPv3/USM only, because the local engine
ID cache needs to be checked therefore.

It was unsatisfying to implement aspects
of the contextEngineID discovery in two
or three different components of the model.

I have not thought about a better solution
yet, but may be my second issue/question
would provide an alternative?

2. The reasoning for the contextEngineID
discovery is not clear to me. If the
TSM would replace the defined magic
local engine ID ’8000000006’H (put in
the scopedPDU by the sender) by the
local engine ID of the SNMP entity
receiving the scopedPDU before handing
it over to the Dispatcher, then discovery
would not be needed and the effect
would be the same, wouldn't it?

(The receiver would replace the local
engine ID in any responses of the TSM
with the magic local engine ID too.)

3. RFC 5591 §5.2.1 should be clarified.
Is the "local engine ID" the magic
engine ID ’8000000006’H or the engine
ID of the SNMP entity processing the
incoming message?

All in all, the RFCs seem to be implementable
as they are, however especially the discovery
mechanism increases the implementation complexity.
Implementations need to be able to send different
PDUs on behalf of a single application level PDU
and support REPORT processing for USM engine ID
and time discovery at the same time as "steeling"
regular RESPONSE PDUs from the incoming PDUs if
they are responses on contextEngineId discovery
requests.

May be someone on the list can explain to me,
why my suggestion (2) above, is not a feasible
replacement of the contextEngineId discovery?

The current (alpha) implementation of TLSTM
and TSM for SNMP4J can be downloaded from:

https://server.oosnmp.net/dist/snapshot/org/snmp4j/snmp4j/2.0-SNAPSHOT/
https://server.oosnmp.net/dist/snapshot/org/snmp4j/snmp4j-agent/2.0-SNAPSHOT/

Regards,
Frank Fock

v2.23.0 | Report a Bug | By Email