analysis of proposals
case@snmp.com Tue, 22 August 1995 22:19 UTC
Received: from ietf.nri.reston.va.us by IETF.CNRI.Reston.VA.US id aa22737; 22 Aug 95 18:19 EDT
Received: from CNRI.Reston.VA.US by IETF.CNRI.Reston.VA.US id aa22733; 22 Aug 95 18:19 EDT
Received: from neptune.tis.com by CNRI.Reston.VA.US id aa22299; 22 Aug 95 18:19 EDT
Received: from neptune.tis.com by neptune.TIS.COM id aa23030; 22 Aug 95 17:33 EDT
Received: from relay.tis.com by neptune.TIS.COM id aa23026; 22 Aug 95 17:16 EDT
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: case@snmp.com
MMDF-Warning: Parse error in original version of preceding line at neptune.TIS.COM
Received: from seymour4.snmp.com(192.147.142.4) by relay.tis.com via smap (g3.0.1) id xma011143; Tue, 22 Aug 95 17:07:04 -0400
Received: by seymour4 (5.61++/2.8s-SNMP ) id AA04847; Tue, 22 Aug 95 17:12:48 -0400
Date: Tue, 22 Aug 1995 17:12:48 -0400
Message-Id: <9508222112.AA04847@seymour4>
To: snmpv2@tis.com
Subject: analysis of proposals
several of us have been looking carefully at the various proposals the following document is a resulting analysis it is clear that every proposal had good ideas regrettably, every proposal also had architectural as well as technical defects, some severe as such, no proposal, on its own, is adequate or acceptable consequently, it looks like the working group must come up with a synthesis but it looks like such a synthesis is possible, and if done properly, can be better than the original snmpv2 design we welcome your comments to the list regards, jdc ---------------------------------------------------------------------------- Problems with the SNMPv2 Proposals Problems with the SNMPv2 Proposals Tue Aug 22 Jeffrey D. Case SNMP Research, Inc. case@snmp.com Dave Harrington Cabletron Systems, Inc. dbh@ctron.com David Levi SNMP Research, Inc. levi@snmp.com Brian J. O'Keefe Hewlett Packard Company bok@cnd.hp.com Jon Saperia BGS Systems, Inc. saperia@bgs.com Steve Waldbusser International Network Services waldbusser@ins.com 1. Introduction This document is an analysis of the proposals which have been submitted for consideration by the SNMPv2 working group in response to a call for alternate designs of an administrative model. It outlines some of the problems with regard to the current set of proposals. Rather than analyze each specific proposal, it concentrates on the problems to be resolved by synthesizing the proposals. [Page 1] Problems with the SNMPv2 Proposals The documents considered in this analysis are: draft-kzm-snmpv2-sec-alt-00.txt (usec) draft-kzm-snmpv2-adminv2-alt-00.txt (usec admin) draft-kzm-snmpv2-proto-alt-00.txt (proto) draft-kzm-snmpv2-mib-alt-00.txt (mib4v2) draft-kzm-snmpv2-usec-conf-alt-00.txt (configmib) draft-alten-snmp-sec-encap-00.txt (alten) draft-blumenthal-snmpv2a-community-00.txt (snmpv2a) draft-wijnen-snmpv2-snmpv2t-00.txt (snmpv2t) draft-kornegay-snmpv2-emf-00.txt (emf) draft-mahoney-snmpv2-features-00.txt (features) draft-mahoney-snmpv2-proto-alt-00.txt (mahoney protocol) draft-harrington-data-filter-mib-00.txt (datafilter) draft-harrington-control-mib-00.txt (controlmib) draft-romanov-simple-snmp-00.txt (simple) While this document makes occasional references to the 17 documents which describe the SNMPv2 Classic proposal and the 16 documents which describe the SNMPv2 Classic+ proposal, it does not review the problems which are particular to them. This does not imply that these two proposals are believed to be flawless. Indeed, both clearly have problems as well; they are merely outside the scope of this document. Regrettably, some of the documents considered in this analysis "borrow" from those two designs and have inherited one or more of their defects from flaws in the previous two designs. There are a number of problems with the proposals and the documents which present them. In the interest of brevity, this note introduces only some of them. The primary problems can be categorized into five broad areas: (1) Model Consistency (2) Transmission and Processing of Notifications (3) Proxy Operations and the Transparency Principle (4) Extensibility of Authentication and Privacy Mechanisms (5) Standards-Based Remote Configuration Ancillary issues and minor editorial items are not discussed herein. [Page 2] Problems with the SNMPv2 Proposals The problems identified herein are intended as examples and are not exhaustive. Since many of the proposals are complementary to the user-based security model for SNMPv2 (USEC), and the USEC documents are therefore important to the implementation of many of the proposals, the USEC documents will be used for most text examples. 2. Model Consistency The first type of problems relate to correctness and clarity issues with regard to consistent application of a model. These involve areas which are presently unworkable and which will negatively impact implementability and interoperability. The documents which describe the proposals are confusing as a result of multiple fundamental shifts in the underlying model which were not carefully carried through to completion. A synthesis of the proposals must reconcile these shifts and present a consistent, complete model. There are several areas of concern in this regard. Three are: (1) Context uniqueness (2) Roles and Informs (3) Notification Endpoints 2.1. Context Uniqueness The proposals are not consistent in requiring uniqueness of contexts. For example, the usec document says: Each SNMPv2 message contains a context selector which uniquely identifies an SNMPv2 context accessible by the SNMPv2 agent to which the message is directed. At the option of the administrator, a context selector may uniquely identify an SNMPv2 context among all SNMPv2 contexts within the administrative domain. That is, an SNMPv2 context may or may not be unique within an administrative domain; whereas the usec admin document says: Thus, in order to identify an individual item of management information within the management domain, its context must be identified in addition to its object type and its instance. Note [Page 3] Problems with the SNMPv2 Proposals that this requires each context to have a globally-unique identification within the management domain. However, it is quite clear from the recommendations in the Appendix of the USEC Security document that contextSelectors are most likely to be equal to the constant zero-length string, and not at all globally unique. It is expected that many contexts will be administratively assigned by agents using vendor-specific naming conventions, rather than by an administrator using a domain-consistent administrative naming convention. Therefore, context names cannot be expected to be unique within an administrative domain. To reconcile these requirements, contexts need not be unique but must always be coupled implicitly or explicitly with a unique identifier of the relevant node where that context "lives" and the combination is therefore always unique within the administrative domain. There is, of course, a distinction between a context being uniquely identified within an administrative domain and the need for contextSelector to be globally unique. Specifically, there is nothing wrong with defining the "fully distinguished name" of a context (global identification) to be the specified by the pair of AgentID and ContextSelector. It appears that this was the intention of the USEC document and its accompanying admin document; however they need to be more clear in this regard. Furthermore, the overloading of AgentID is problematic as described elsewhere in this document. It is crucial that the USEC documents be self-consistent, and the correct behavior in this case is for the document to be modified to require the uniqueness of contexts. This is one of the prerequisites to solving problems with transparent proxies, informs, informs through proxies, and to restore harmony with the transparency principle. 2.2. Roles and Informs Text describing the roles involved in an SNMPv2 transaction, and text describing the roles involved in an inform transaction are inconsistent. The USEC protocol document says: A SNMPv2 entity acts in an agent role when it performs SNMPv2 management operations in response to received SNMPv2 protocol messages (other than an inform notification) or when it sends trap [Page 4] Problems with the SNMPv2 Proposals notifications. A SNMPv2 entity acts in a manager role when it initiates SNMPv2 management operations by the generation of SNMPv2 protocol messages or when it performs SNMPv2 management operations in response to received trap or inform notifications. Hence, it indicates that inform notifications are initiated by an entity in a manager role and sent to another entity also acting in a manager role. This is the expected text, i.e., manager-to-manager inform notifications are conducted between managers. But in the usec document, it states It is that entity acting in an agent role which is authoritative with respect to these variables for the Inform-Request. Since the purpose of an Inform request is to transmit information from one manager to another, and it cannot be assumed that all managers will be dual-role entities, i.e., with an agent component, it cannot be assumed that all communications involve an agent. 2.3. Notification Endpoints The language used to refer to notification endpoints is inconsistent among the proposals and within the proposals. Common description of procedure for traps and informs often use terms which are accurate only for a trap or an inform, but are inaccurate when used to describe both operations. Some text assumes that all transactions will have an agent as one of the endpoints but this is specifically not the case for inform requests which are sent from one manager to another. For example, the usec document states Included in each message is an identifier unique to the SNMPv2 agent which is the sender or intended recipient of the message. and the mahoney protocol document states If the agent is able to determine the request-id field of the received PDU, then it uses that value for the request-id field of the report PDU. [Page 5] Problems with the SNMPv2 Proposals These assume that all transactions will have an agent as one of the endpoints but this is specifically not the case for inform requests which are sent from one manager to another. Text which assumes incorrectly that all transactions include an agent and a manager should be modified to reflect that all transactions include two SNMPv2 entities. 3. Traps and Informs The current proposals devote considerably more attention to get and set operations than to notifications. As a result, trap and inform operations have severe problems in the current proposals. There are problems with agent identification, clock synchronization, and use of the context selector. This section also describes how the overloading of AgentID within the USEC proposal is problematic because the value of AgentID is used to qualify, or scope, both the authentication information in the header as well as the payload information in the PDU but sometimes these two uses are in conflict with one another and a single value is insufficient for both uses. 3.1. Agent Identification The usec document says: Each SNMPv2 agent maintains three objects: - agentID ... - agentBoots ... - agentTime ... An SNMPv2 agent is always authoritative with respect to these variables. It is the responsibility of an SNMPv2 manager to synchronize with the agent, as appropriate. For a manager-to-manager communication, it is possible that neither entity is associated with an agent and thereby may not have access to agentID, agentBoots, and agentTime. This information is critical to clock synchronization - if neither endpoint has access to these objects, it is impossible to synchronize [Page 6] Problems with the SNMPv2 Proposals clocks, and it is therefore impossible to authenticate messages. Since potentially neither entity involved in an inform transaction is associated with an agent, the proposed scheme is insufficient. There are three possible sources for clock synchronization information in an Inform request: the invoking manager, the responding manager, or some neutral third party. The use of a third party is disharmonious with SNMP design philosophies so it will not be discussed further. If one uses either the invoking manager or the responding manager, then there must be provisions for establishing clock synchronization in the absence of agent support. It is misleading to refer to the manager's identification objects as agentID, agentBoots, and agentTime, since the values do not necessarily identify an agent, and therefore the objects should be renamed to componentID, componentBoots, and componentTime [or snmpID, snmpBoots, and snmpTime]. 3.2. Synchronizing Inform Requests The usec and snmpv2d proposals use the combination of a unique identifier, a reboot count, and a timer to guard against replay attacks. According to the USEC document, An SNMPv2 manager achieves time synchronization with an agent by issuing a maintenance function to retrieve agentID.0, agentBoots.0, and, agentTime.0. It is recommended that after these values are retrieved, that the manager attempt an authenticated retrieval using the new values before updating its local configuration datastore. Since there is no agent involved in an Inform request, the manager must achieve time synchronization with a manager, not an agent. However, there is also the issue of which end is authoritative when sending Inform Requests. According to the USEC document: An SNMPv2 agent is always authoritative with respect to these variables. It is the responsibility of an SNMPv2 manager to synchronize with the agent, as appropriate. In the case of an SNMPv2 dual-role entity sending an Inform-Request, it is that [Page 7] Problems with the SNMPv2 Proposals entity acting in an agent role which is authoritative with respect to these variables for the Inform- Request. This choice of the inform sender as the authoritative node is extremely problematic for the following reasons: 1) The authoritative endpoint should be the endpoint that is most long-lived because it must be the non-volatile store of authentication information. The receiver of informs is long-lived because it must exist at a well-known address that is advertised to receive informs. In contrast, inform senders may be transient, especially in examples such as a user-initiated program that submits a trouble ticket in an Inform request. 2) The authoritative endpoint, by definition, always knows the correct secrets for any communication for which it is authoritative. In contrast, the non-authoritative endpoint may not have that information available, especially because it needs to have that information available for the many endpoints it may communicate with. Because of this, it is especially convenient if the non-authoritative endpoint is the end that is more often able to ask a human for the correct secrets. This is more convincing when one realizes that the inform sender is the endpoint that chooses whether or not to send an inform. It stands to reason that it can choose to send informs only to those managers it has information about. In contrast, the inform receiver does not choose who will send informs to it, so any sender can send it messages without regard to whether the receiver has been configured with the correct security information. If the receiver is authoritative, this is a much more stable situation - then senders will only send data after they have determined the correct information for the receiver, and the receiver will implicitly have the correct information at all times. 3) When an inform receiver receives an authenticated inform, it needs to pass the inform and the authenticated identity to an application which will base its trust of the information on that authenticated identity. It is easy for the receiver to know the trust level for a user who is authoritatively defined on the receiver. It is difficult for the receiver to know the trust level for a user who is defined on some other system. Therefore, the manager that receives informs must be authoritative for inform transactions. [Page 8] Problems with the SNMPv2 Proposals Upon receipt of the request by the receiving entity, the packet should be checked for authenticity and if the values of componentID, componentBoots, and componentTime are found to be problematic, then the receiving entity should send an appropriate Report-PDU. In this case, the receiving entity is a logically remote manager, acting in a manager role, and it must send a Report-PDU. This would require a change to the text in the usec document which states: A report PDU is never sent by an SNMPv2 entity acting in a manager role, ... When the Report-PDU is generated, the values of xxxID, xxxBoots, and xxxTime relevant to the receiving manager should be included so that the initiating manager can update its notions of the remote managers' notion of these values. This makes synchronization and resynchronization possible in the absence of agent support. However, when the authoritative endpoint is changed to the receiver of informs, the agentID in the inform must then point to the receiver, rather than the sender. Unfortunately, the agentID is identifying both the endpoint that is authoritative for the MIB data, as well as the endpoint that is authoritative for the authentication information. These two endpoints are the same for all get, set, and trap operations, while they must be different for inform operations. USEC currently only allows one of these two endpoints to be specified, and the model doesn't make it clear which endpoint is being specified. 3.3. Contexts in Trap and Inform Messages Some text assumes that all SNMPv2 messages are directed to agents, and the text states that the context provided in the message refers to a context local to the receiving entity. The usec document states: An SNMPv2 context is a collection of management information accessible (locally or via proxy) by an SNMPv2 agent. An SNMPv2 agent potentially has access to many contexts. Each SNMPv2 message contains a context selector which uniquely identifies an SNMPv2 context accessible by the SNMPv2 agent to which the message is directed. Traps and informs are sent to managers, for whom the context will not be local to the receiver, but to the sender. The message should therefore contain a context local to the sender rather than the receiver. [Page 9] Problems with the SNMPv2 Proposals Messages should have the context selector related to the information in the PDU. 4. Proxy The elements of procedure in some proposals do not provide descriptions of the data elements to be examined in the Local Configuration Datastore (LCD) for proxy operations. The lack of specifics makes it virtually impossible to determine what must be supported in a compliant implementation, in order to construct independent interoperable implementations. For example, in the usec proposal, the manipulations of context identifiers as they pass through proxies is unclear. The defined transparency principle implies that the context identifiers remain constant as traffic passes through proxies. However, the authentication mechanism implies that the context must change as traffic passes through proxies. An implementer cannot determine if a compliant implementation must, may, or shall not allow a configuration which allows, requires, or prohibits the remapping of context identifiers as traffic passes through proxies. 4.1. SNMPv2 to SNMPv1 Proxies Although the usec coexistence document presents SNMPv2 to SNMPv1 proxies as one of the viable coexistence and transition strategies, the elements of procedure and the MIB design obviate this possibility. 4.2. Notification Forwarding Through Proxies The problems with regard to notifications and problems with regard to proxies renders the analysis of notifications through proxies impossible. 5. Extensibility Mechanisms There are several architectural issues with extensibility mechanisms in the proposals. Since the USEC proposals are the basis for other proposals, the architectural problems of USEC are critical. Areas of concern: (1) Proliferation of Authentication and Privacy Extensibility Mechanisms [Page 10] Problems with the SNMPv2 Proposals (2) Implementation Costs of Extensibility (3) Mapping Mechanisms to Users 5.1. Proliferation The administrative frameworks described in the proposals are extensible to allow for future security models. This was intended to be a feature, and in some ways, it is, but it is also a weakness. It is almost certain that extensibility will be required during the useful life of the SNMPv2 specification. New authentication and privacy mechanisms may be needed for a number of reasons: - to enable new features - to improve ease-of-use - to replace mechanisms that are found to be unsound - to enable public key authentication once relevant patents expire - to enable delegated certification for addressing problems associated with management across administrative domains - to allow privacy mechanisms less encumbered by export controls Providing for extensibility within the framework to accommodate each of these possibilities is a GOOD THING. SNMPv2 classic allowed for multiple authentication and privacy protocols within a consistent naming scheme. However, some proposals allow for unbridled change. The proposed administrative frameworks allow models to specify virtually any naming scheme. New models can make changes to key elements such as the way contexts are named, mechanisms for accessing views, and redefinition of access control. These key areas need stability. A single, consistent naming scheme needs to be identified and adopted as a part of a single unchanging model but with that model allowing constrained change to accommodate changing needs, requirements, capabilities, and perceived threats. The constrained change needs to be within a consistent naming scheme in order to preserve investments and encourage reuse of stable code. [Page 11] Problems with the SNMPv2 Proposals 5.2. Implementation Costs As a result of unbounded extensibility, the cost of including future models is unnecessarily high. The cost within an agent application of a change in the administrative framework is normally concentrated in the core agent engine, configuration store (configuration files on open systems or NV-RAM on embedded systems), console interfaces, a remote configuration MIB, and remote configuration applications which effect configuration through the MIB. However, the cost of change is not limited to the core agent engine and configuration- related aspects but also includes method routines. This may affect not only the method routines for remote configuration of an entity, but ALL method routines. The investment in method routines is by far the most significant cost in implementing and deploying the management portion of an SNMP-manageable product, and there necessarily is a strong wish in the community to preserve investments in method routines. Method routines are impacted because implementation of certain classes of MIB objects require knowledge of context information and/or knowledge of the remote entity requesting a particular operation. Examples include customer network management (CNM) with multiple virtual agents being implemented within method routines for certain MIB objects. Other examples include per-varbind (foreign) proxies. Method routines which support these classes of MIB objects typically need to have access to these data which are a part of the administrative framework. These data are often available today in SNMPv1 agents and are required of SNMPv2 agents if they are to displace the installed base and transition to SNMPv2. The need for these data directly leads to a need for stability in the naming of these data, including their number, type, and size. The cost of transitioning from SNMPv2 to the usec proposal is illustrative. While some vendors are willing to re-engineer their existing method routine interfaces to transition from party-party- context naming to a new naming scheme, they are not willing to do this each and every time a new model is developed, especially considering the probability that multiple additional models will be proposed and adopted. The extensibility mechanism must be bounded by a consistent naming scheme. [Page 12] Problems with the SNMPv2 Proposals 5.3. Mapping Mechanisms to Users The usec proposal introduces the concept of quality of service, or qoS. However, the proposed use of qoS limits a user to at most one (non-null) authentication protocol and at most one (non-null) privacy protocol. Since qoS is defined as an ordered set, it is not easily extended to support multiple authentication and privacy technologies which might demand a different ordering. The way qoS is defined makes it unnecessarily difficult to deploy multiple authentication and privacy schemes within an administrative domain because any given user is limited to exactly one of each and additional pseudo-users would need to be defined to use these alternatives, with the attendant additional administrative burden. The qoS mechanism must be modified to better match the extensibility of the admin and security models. 6. Standards-based Remote Administrative Configuration The architectural decision to exclude remote configuration from the basic administrative framework does not adequately address market requirements. The timely inclusion of standards-based remote configuration of the administrative framework is absolutely essential to enterprise management and the success of SNMPv2. The administrative description documents provided with the usec, snmpv2d, and snmpv2emf proposals state that it is the role of a security model to describe the details of the MIB for the remote configuration of security. However, there are several instances where this is not sufficient. For example, the usec design retains virtually every concept from the original SNMPv2; however, wherever the old model contained details as to how something related to a party, instead the new model explains that it is the role of a security model to describe these details. o The original design allows a logically remote manager to configure the LCD of an agent o The original design allows a logically remote manager to configure a proxy agent [Page 13] Problems with the SNMPv2 Proposals o The original design allows a logically remote manager to configure the LCD of a mid-level manager o The original design allows a logically remote manager to configure the LCD of another logically remote manager o The original design allows a logically remote manager to configure an agent for trap destinations o The original design allows a logically remote manager to configure an agent for trap filtering o The original design allows non-privileged users to alter their secret keys o The original design accommodates the configuration requirements of the SNMPv1 portion of bilingual entities (albeit imperfectly) The proposed usec design has no such capabilities or their equivalent. The needs for remote configuration require a standards-based solution because proliferation of private MIB-based solutions in this space would be especially problematic and would stunt the growth and ultimate success of SNMPv2. These needs must be addressed in a timely fashion, contemporaneous with the other portions of the specification, because failure to do so will: (1) make it impossible to be sufficiently specific in the elements of procedure to have an unambiguous specification; (2) result in the unnecessary and harmful proliferation of private MIB-based solutions; (3) cause otherwise avoidable confusion about what constitutes a compliant SNMPv2 implementation; and (4) delay implementations. Each of these problems can and must be avoided. [Page 14] Problems with the SNMPv2 Proposals 7. Conclusion There is much work to be done if the proposals are to be synthesized into a viable composite. If the work is done to satisfactorily address the problems identified in this document and elsewhere, then the resultant proposal can become a positive step and a useful replacement for the original SNMPv2 administrative framework and related documents. [Page 15]
- analysis of proposals case
- re: analysis of proposals glenn (g.) waters
- Re: analysis of proposals Brian O'Keefe
- Re: analysis of proposals Brian O'Keefe
- Re: analysis of proposals Brian O'Keefe
- Re: analysis of proposals romanov
- Re: analysis of proposals Peter Houck
- Re: analysis of proposals David Levi
- Re: analysis of proposals Alex Alten
- Re: analysis of proposals Brian O'Keefe
- Re: analysis of proposals David Levi
- Re: analysis of proposals Brian O'Keefe