[Isms] SNMP over (D)TLS implementation report
Alan Luchuk <luchuk@snmp.com> Fri, 23 July 2010 20:22 UTC
Hello,

My apology for such a late submission. Still, I hope it is helpful for evaluating the SNMP over (D)TLS draft and moving it forward in the standardization process.

Regards,
--Alan

Background
----------

Several of SNMP Research's customers have expressed interest in SNMP over (D)TLS. To respond to the customer demand, we are implementing SNMP over (D)TLS. Much of our development is based upon earlier drafts, but we are implementing the latest available draft, draft-ietf-isms-dtls-tm-14.txt, "Transport Layer Security (TLS) Transport Model for the Simple Network Management Protocol (SNMP)." We are also implementing related specifications including RFC 5590, "Transport Security Model for the Simple Network Management Protocol" and RFC 5343, "Simple Network Management Protocol (SNMP) Context EngineID Discovery".

Implementation Status
---------------------

As of this writing, we have added SNMP over (D)TLS support to SNMP Research's agent products and command-line utilities. As the market demands, we anticipate adding SNMP over (D)TLS support to SNMP Research's manager toolkits. We anticipate that most of the code developed for the agents will be reusable in the manager toolkits.

Architecturally, SNMP Research's implementation resembles the "Transport Subsystem" described in RFC 5590, and shown graphically in Section 3.2.1 of RFC 5590. To preserve the agent's reliability, the Transport Subsystem was integrated into the agent with the minimal required changes.

We have implemented SNMP get/set operations and SNMP trap operations over (D)TLS. All of these map between X.509 certificates and SNMP security names through the MIB tables specified in the TLS Transport Model draft.

Testing
-------

We have tested communication between SNMP Research's agent products and SNMP Research's command-line utilities. We also have done preliminary interoperability testing of SNMP get/set operations between SNMP Research's implementation and the Net-SNMP open-source implementation.

We have successfully exchanged SNMP get, set, and trap messages with our internal implementation. We have successfully exchanged SNMP get messages from the Net-SNMP command-line utilities to the SNMP Research agent, and have successfully exchanged SNMP get messages from the SNMP Research command-line utilities to the Net-SNMP agent.

Results
-------

During development we encountered and resolved problems testing SNMP Research's agent with SNMP Research's command-line tools. During our limited interoperability testing, we encountered and resolved problems that do NOT appear to be inherent flaws in the drafts or specifications.

Perhaps the single largest development slowdown occurred from using an open-source (D)TLS implementation. The slowdown was largely due to a shortage of DTLS programming examples and documentation, and also due to programming examples with a different programming model than that of our agent and utilities.

Comments
--------

Had we implemented SNMP over (D)TLS earlier in the standardization process, there are changes that we believe would have either improved the auditability of the SNMP-TLS-TM-MIB, or simplified the use of SNMP over (D)TLS and its MIBs. However, we find the latest SNMP over (D)TLS draft to be complete, clear, and implementable without changes.

Summary
-------

We know of market demand for SNMP over (D)TLS. We are implementing SNMP over (D)TLS as specified in draft-ietf-isms-dtls-tm-14.txt, have tested it internally, and have done preliminary interoperability testing with the Net-SNMP implementation. We have found draft-ietf-isms-dtls-tm-14.txt to be implementable and without obvious design flaws. We believe draft-ietf-isms-dtls-tm-14.txt can and should move forward in the standardization process.

---
Alan Luchuk                 SNMP Research, Inc             voice: +1 865 573 1434
Senior Software Engineer    3001 Kimberlin Heights Rd.     fax:   +1 865 573 9197
luchuk at snmp.com          Knoxville, TN 37920-9716 USA   http://www.snmp.com
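The certificate-to-securityName mapping the report refers to, shown as an added example that is not SNMP Research's or Net-SNMP's code: a stdlib-only Python model of the tlstmCertToTSNTable lookup from the TLS Transport Model (the draft later became RFC 6353). Certificates are modelled as a dataclass rather than parsed from DER, the DER byte strings and table rows are constructed sample data, the symbolic map-type names stand in for the MIB's OBJECT IDENTITYs, and falling through to the next row when a matching row yields no usable name is this example's own choice. The fingerprint's leading hash-algorithm octet follows the IANA TLS HashAlgorithm registry (4 = SHA-256) and the 32-octet limit is vacmSecurityName's SIZE(1..32).

```python
"""Model of the SNMP-TLS-TM-MIB tlstmCertToTSNTable lookup: which tmSecurityName
an agent assigns to a peer from the X.509 chain it presented. Added example;
the Cert dataclass and sample data are constructed, not parsed certificates."""
import hashlib
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# tlstmCertToTSNMapType values are OBJECT IDENTITYs in the MIB; symbolic names here.
CERT_SPECIFIED = "tlstmCertSpecified"
CERT_SAN_RFC822 = "tlstmCertSANRFC822Name"
CERT_SAN_DNS = "tlstmCertSANDNSName"
CERT_SAN_IP = "tlstmCertSANIpAddress"
CERT_SAN_ANY = "tlstmCertSANAny"
CERT_COMMON_NAME = "tlstmCertCommonName"

HASH_ALGS = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
MAX_SECURITY_NAME = 32  # vacmSecurityName is SnmpAdminString (SIZE(1..32))


@dataclass
class Cert:
    der: bytes                       # the bytes the peer presented (constructed here)
    common_name: Optional[str] = None
    san_rfc822: list = field(default_factory=list)
    san_dns: list = field(default_factory=list)
    san_ip: list = field(default_factory=list)  # raw 4- or 16-octet addresses


def fingerprint(cert: Cert, alg: int = 4) -> bytes:
    """SnmpTLSFingerprint: one hash-algorithm octet followed by the digest of the DER."""
    return bytes([alg]) + hashlib.new(HASH_ALGS[alg], cert.der).digest()


@dataclass
class Row:
    """One tlstmCertToTSNTable row (RowStatus and StorageType omitted)."""
    id: int             # tlstmCertToTSNID: rows are consulted in ascending order
    fingerprint: bytes  # tlstmCertToTSNFingerprint: end-entity or CA certificate
    map_type: str       # tlstmCertToTSNMapType
    data: str = ""      # tlstmCertToTSNData, used only by tlstmCertSpecified


def name_from_cert(cert: Cert, map_type: str, data: str) -> Optional[str]:
    """Derive the tmSecurityName from the end-entity certificate per map type."""
    if map_type == CERT_SPECIFIED:
        return data or None
    if map_type == CERT_SAN_RFC822:
        if not cert.san_rfc822:
            return None
        local, _, host = cert.san_rfc822[0].rpartition("@")
        return f"{local}@{host.lower()}"  # local part kept, host part lowercased
    if map_type == CERT_SAN_DNS:
        return cert.san_dns[0].lower() if cert.san_dns else None
    if map_type == CERT_SAN_IP:
        return str(ipaddress.ip_address(cert.san_ip[0])) if cert.san_ip else None
    if map_type == CERT_SAN_ANY:
        for sub in (CERT_SAN_RFC822, CERT_SAN_DNS, CERT_SAN_IP):
            name = name_from_cert(cert, sub, data)
            if name is not None:
                return name
        return None
    if map_type == CERT_COMMON_NAME:
        return cert.common_name
    raise ValueError(f"unknown tlstmCertToTSNMapType {map_type}")


def map_chain_to_tsn(chain: list, table: list) -> Optional[str]:
    """Walk the table in index order. A row applies when its fingerprint matches
    the end-entity certificate or any CA certificate in the presented chain; the
    name is always derived from the end-entity certificate (chain[0]). A None
    result means the session must not be established; there is no default identity.
    Trying the next row when a matching row yields no usable name is this
    example's own choice."""
    end_entity = chain[0]
    for row in sorted(table, key=lambda r: r.id):
        alg = row.fingerprint[0]
        if alg not in HASH_ALGS:
            continue
        if not any(fingerprint(c, alg) == row.fingerprint for c in chain):
            continue
        name = name_from_cert(end_entity, row.map_type, row.data)
        # Reject, never truncate, an over-long name: truncation could make two
        # distinct principals collide on one VACM securityName.
        if name and len(name.encode("utf-8")) <= MAX_SECURITY_NAME:
            return name
    return None


# --- constructed sample data (not real certificates) --------------------------
CA = Cert(der=b"constructed-ca-der", common_name="Example NMS CA")
ADMIN = Cert(der=b"constructed-admin-der", common_name="nms01",
             san_dns=["NMS01.Example.NET"], san_ip=[bytes([192, 0, 2, 10])])
AGENT_TABLE = [
    # id 10: any certificate issued by CA is named by its lowercased dNSName
    Row(10, fingerprint(CA), CERT_SAN_DNS),
    # id 5: this one manager certificate gets an explicit name; lower id wins
    Row(5, fingerprint(ADMIN), CERT_SPECIFIED, "nms-admin"),
]


def demo():
    """Names assigned to the admin chain, another CA-issued chain, and a chain
    from an unknown CA (which must be refused)."""
    other = Cert(der=b"constructed-other-der", san_dns=["collector.example.net"])
    stranger = Cert(der=b"constructed-stranger-der", san_dns=["evil.example.org"])
    unknown_ca = Cert(der=b"constructed-unknown-ca-der")
    return (map_chain_to_tsn([ADMIN, CA], AGENT_TABLE),
            map_chain_to_tsn([other, CA], AGENT_TABLE),
            map_chain_to_tsn([stranger, unknown_ca], AGENT_TABLE))


if __name__ == "__main__":
    print(demo())
```

The two checks worth carrying into a real implementation are the ones this model makes explicit: the peer's identity comes from a fingerprint the operator configured (of the peer's own certificate or of a CA it chains to), never from the certificate's self-asserted names alone, and a chain that matches no row yields no securityName at all rather than some fallback.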