[Isms] SNMP over (D)TLS implementation report

Alan Luchuk <luchuk@snmp.com> Fri, 23 July 2010 20:22 UTC

Hello,

My apologies for such a late submission.  Still, I hope it is helpful for
evaluating the SNMP over (D)TLS draft and moving it forward in the
standardization process.

Regards,
--Alan



Background
----------

Several of SNMP Research's customers have expressed interest in SNMP over
(D)TLS.  To respond to the customer demand, we are implementing SNMP over
(D)TLS.  Much of our development is based upon earlier drafts, but we are
implementing the latest available draft, draft-ietf-isms-dtls-tm-14.txt,
"Transport Layer Security (TLS) Transport Model for the Simple Network
Management Protocol (SNMP)."  We are also implementing related specifications
including RFC 5590, "Transport Security Model for the Simple Network
Management Protocol" and RFC 5343, "Simple Network Management Protocol
(SNMP) Context EngineID Discovery".


Implementation Status
---------------------

As of this writing, we have added SNMP over (D)TLS support to SNMP Research's
agent products and command-line utilities.  As the market demands, we
anticipate adding SNMP over (D)TLS support to SNMP Research's manager toolkits.
We anticipate that most of the code developed for the agents will be reusable
in the manager toolkits.

Architecturally, SNMP Research's implementation resembles the "Transport
Subsystem" described in RFC 5590, and shown graphically in Section 3.2.1 of
RFC 5590.  To preserve the agent's reliability, the Transport Subsystem was
integrated into the agent with the minimal required changes.  We have
implemented SNMP get/set operations and SNMP trap operations over (D)TLS.
All of these map between X.509 certificates and SNMP security names through
the MIB tables specified in the TLS Transport Model draft.


Testing
-------

We have tested communication between SNMP Research's agent products and
SNMP Research's command-line utilities.  We also have done preliminary
interoperability testing of SNMP get/set operations between SNMP Research's
implementation and the Net-SNMP open-source implementation.

We have successfully exchanged SNMP get, set, and trap messages with our
internal implementation.  We have successfully exchanged SNMP get messages
from the Net-SNMP command-line utilities to the SNMP Research agent, and
have successfully exchanged SNMP get messages from the SNMP Research
command-line utilities to the Net-SNMP agent.


Results
-------

During development we encountered and resolved problems testing SNMP
Research's agent with SNMP Research's command-line tools.  During our
limited interoperability testing, we encountered and resolved problems
that do NOT appear to be inherent flaws in the drafts or specifications.

Perhaps the single largest development slowdown occurred from using an
open-source (D)TLS implementation.  The slowdown was largely due to a
shortage of DTLS programming examples and documentation, and also due to
programming examples with a different programming model than that of
our agent and utilities.


Comments
--------

Had we implemented SNMP over (D)TLS earlier in the standardization process,
there are changes that we believe would have either improved the auditability
of the SNMP-TLS-TM-MIB, or simplified the use of SNMP over (D)TLS and its
MIBs.  However, we find the latest SNMP over (D)TLS draft to be complete,
clear, and implementable without changes.


Summary
-------

We know of market demand for SNMP over (D)TLS.  We are implementing SNMP
over (D)TLS as specified in draft-ietf-isms-dtls-tm-14.txt, have tested it
internally, and have done preliminary interoperability testing with the
Net-SNMP implementation.  We have found draft-ietf-isms-dtls-tm-14.txt to
be implementable and without obvious design flaws.  We believe
draft-ietf-isms-dtls-tm-14.txt can and should move forward in the
standardization process.



---
Alan Luchuk               SNMP Research, Inc             voice: +1 865 573 1434
Senior Software Engineer  3001 Kimberlin Heights Rd.     fax: +1 865 573 9197
luchuk at snmp.com        Knoxville, TN 37920-9716 USA   http://www.snmp.com