Convergence of Network Management Protocols David Harrington IETF64 O&M Area Meeting Vancouver, BC

Duplicate Efforts for Secure NM A number of efforts occurring in the IETF are related to network management and security. Many of the options being considered are similar, but decisions are often made in isolation. Working together would be better resource management. Purpose of this presentation is to describe some efforts under way so people are aware of other work in a similar problem space Having a “balanced” security approach between NM protocols would provide a more secure NM environment.

Message Security WGs are striving to integrate Network Management protocols, including UDP-based, with existing security solutions Many security protocols run over TCP-based transport; few run over UDP-based transport A survey of NANOG operators showed the most popular for Network Management authentication: 66% local accounts 49% SSH

Message Security + Transport Protocol SNMP/ISMS Netconf Syslog Content MIBs TBD Not Standard Modeling Language SMIv2 XML Schema Structured ASCII Authorization RADIUS TBD Operations Get-*/SET GET/EDIT none NM Protocols are converging on common security solutions Netconf runs over SSH (mandatory), BEEP, and SOAP ISMS WG developing SSH security model for SNMP SSH chosen as first Transport-mapped security model to be developed Architected to permit additional secure transports, such as SASL/TLS Syslog discussing secure transports possibly SSH in common with Netconf and SNMP TLS or other protocol may better fit syslog requirements Message Security USM->SSH SSH SSH or TLS? Transport UDP->TCP TCP UDP->TCP?

Operations Protocol ISMS Netconf Syslog Content MIBs TBD Not Standard Modeling Language SMIv2 XML Schema Structured ASCII Authorization RADIUS TBD Operations GET*/Set/Notify GET/EDIT/Notify Log/Notify Operations for Netconf and SNMP are similar, but snmp currently offers finer granularity. Ultimately, the operations are read and write and notifications. We should discuss how operations can be shared and correlated. Message Security USM->SSH SSH SSH or TLS Transport UDP->TCP TCP UDP->TCP

Authorization Protocol ISMS Netconf Syslog Content MIBs TBD Not Standard Modeling Language SMIv2 XML Schema Structured ASCII Authorization RADIUS/VACM All-or-nothing All-or-nothing Operations GET-*/SET GET/EDIT none SNMPv3 uses statically-defined view-based access control Groups have access to assigned views for specific operation types Currently, Users are statically assigned to VACM Groups (role-based access control) The ISMS will support AAA to authenticate the principal and tie into SNMPv3’s VACM Netconf - TBD Message Security SSH SSH SSH or TLS? Transport UDP->TCP TCP UDP->TCP

AAA Authorization A survey of NANOG operators showed these as most popular for NM authorization: 40% RADIUS 29% TACACS+ ISMS WG is asking RADEXT WG to define RADIUS attributes that name policies for management access control for SNMP, Netconf, and other NM protocols draft-nelson-radius-management-authorization-02.txt The mapping of authenticated principal to administratively-named policies to be done by AAA server Approach to policy and the mapping of policy names to policy implementations should be left to specific management protocols

Data Modeling Protocol ISMS Netconf Syslog Content MIBs TBD, incl. MIBs Not Standard Modeling Language SMIv2 XML Schema Structured ASCII Authorization RADIUS TBD Operations GET-*/SET GET/EDIT SNMP MIB modules Wide deployment of SNMP MIB modules Large number of IETF standard MIB modules Large number of enterprise MIB modules Need to preserve the knowledge-base SNMP and XML Some SNMP tools and stacks support XML; NMRG has researched translating SNMP messages to XML format NMRG found SMIv2 a serious constraint to effective data modeling, and recommends utilizing XML without the SMIv2 constraints SMIv2 based on an adapted subset of ASN.1-1998 XML is more flexible, and is taught in schools XML being used by other SDO NM data models Message Security SSH SSH SSH or TLS Transport UDP->TCP TCP UDP->TCP

Data Modeling Languages Lots of data overlap between protocols SNMP and XML Some SNMP tools and stacks support XML and NMRG has researched translating SNMP messages to XML format. NMRG and SMING WG found SMIv2 a serious constraint to effective data modeling, XML more extensible than SMIv2

Possible Convergence Work Protocol SNMP/ISMS Netconf Syslog Content MIB models-- TBD, incl. MIBs <--Standardize Modeling Language SMIv2 XML Schema Structured ASCII Authorization RADIUS/AAA AAA Operations Get-*/SET GET/EDIT Develop loose “layered” architecture for IETF NM standards, ala Netconf or these slides Netconf and SNMP Develop Netconf <snmp-* > operations and an snmp varbind in XML so Netconf can access SNMP data (starter for migration purposes) Develop extended operations for accessing SNMP data (e.g. using XPath expressions) Develop common NM authorization in AAA for SNMP, Netconf, Syslog, and others Other Converge SIMPLE XML-based “patch” proposal with Netconf IPFIX and Syslog may be able to converge to a common TLS-secured transport maybe ISMS and Netconf should move to SASL/TLS as well Message Security SSH SSH SSH or TLS? Transport UDP->TCP TCP UDP->TCP?

Netconf and SNMP Multiple Approaches to Discuss Use same secure transport (i.e. SSH) Develop common NM authorization in AAA for SNMP, Netconf, Syslog, and others, as applicable Develop Netconf <snmp-* > operations and an snmp varbind in XML so Netconf can access SNMP data (i.e. have netconf actually do snmp, and ultimately replace snmp) Develop extended operations for accessing SNMP data to supplement snmp, e.g. using XPath expressions rather than getnext/bulk Create “snmp” dataset (Cf. running, candidate)