Convergence of Network Management Protocols


1 Convergence of Network Management Protocols
David Harrington, IETF 64 O&M Area Meeting, Vancouver, BC

2 Duplicate Efforts for Secure NM
- A number of efforts occurring in the IETF are related to network management and security
- Many of the options being considered are similar, but decisions are often made in isolation
- Working together would be better resource management
- Purpose of this presentation is to describe some efforts under way so people are aware of other work in a similar problem space
- Having a "balanced" security approach between NM protocols would provide a more secure NM environment

3 Message Security
- WGs are striving to integrate Network Management protocols, including UDP-based ones, with existing security solutions
- Many security protocols run over TCP-based transport; few run over UDP-based transport
- A survey of NANOG operators showed the most popular mechanisms for Network Management authentication:
  - 66% local accounts
  - 49% SSH

4 Message Security + Transport
Protocol           SNMP/ISMS    Netconf      Syslog
Content            MIBs         TBD          Not Standard
Modeling Language  SMIv2        XML Schema   Structured ASCII
Authorization      RADIUS       TBD
Operations         Get-*/SET    GET/EDIT     none
Message Security   USM->SSH     SSH          SSH or TLS?
Transport          UDP->TCP     TCP          UDP->TCP?

- NM protocols are converging on common security solutions
- Netconf runs over SSH (mandatory), BEEP, and SOAP
- ISMS WG developing an SSH security model for SNMP
  - SSH chosen as the first transport-mapped security model to be developed
  - Architected to permit additional secure transports, such as SASL/TLS
- Syslog discussing secure transports
  - possibly SSH, in common with Netconf and SNMP
  - TLS or another protocol may better fit syslog requirements
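Added example (not from the slides or from any WG draft) of what the Netconf-over-SSH session start looks like on the wire, per RFC 4742: after SSH user authentication the client requests the "netconf" subsystem, both sides send a <hello> listing their capabilities, and every message is terminated by ]]>]]>. The ISMS SSH transport model that was later published as RFC 5592 runs SNMP over an SSH subsystem ("snmp") in the same way. No SSH connection is opened here; both sides' messages are built in-process. The base capability URI is the standard one, the candidate capability is standard but chosen here as filler, and negotiate() with its session id is this example's own construction.

```python
"""Added example: Netconf-over-SSH hello exchange and ]]>]]> framing (RFC 4741/4742 style).

Both directions are simulated in-process; nothing here opens a real SSH channel.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
BASE_CAP = "urn:ietf:params:netconf:base:1.0"
EOM = b"]]>]]>"  # base:1.0 end-of-message delimiter on the SSH channel


def hello(capabilities: List[str], session_id: Optional[int] = None) -> bytes:
    """Build a <hello>; only the server side includes <session-id>."""
    root = ET.Element("hello", xmlns=NS)
    caps = ET.SubElement(root, "capabilities")
    for c in capabilities:
        ET.SubElement(caps, "capability").text = c
    if session_id is not None:
        ET.SubElement(root, "session-id").text = str(session_id)
    return ET.tostring(root, encoding="utf-8")


def frame(msg: bytes) -> bytes:
    """What actually goes onto the 'netconf' subsystem channel."""
    return msg + EOM


def unframe(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Split bytes read from the channel into complete messages plus the unread remainder."""
    msgs: List[bytes] = []
    while EOM in buf:
        m, buf = buf.split(EOM, 1)
        msgs.append(m.strip())
    return msgs, buf


def parse_hello(msg: bytes) -> Tuple[List[str], Optional[int]]:
    root = ET.fromstring(msg)
    caps = [e.text for e in root.iter(f"{{{NS}}}capability")]
    sid = root.findtext(f"{{{NS}}}session-id")
    return caps, (int(sid) if sid else None)


def negotiate(client_caps: List[str], server_caps: List[str], session_id: int):
    """Simulate both directions; a side without the base capability cannot talk Netconf."""
    wire_c2s = frame(hello(client_caps))            # client -> server
    wire_s2c = frame(hello(server_caps, session_id))  # server -> client
    (c_msg,), _ = unframe(wire_c2s)
    (s_msg,), _ = unframe(wire_s2c)
    ccaps, _ = parse_hello(c_msg)
    scaps, sid = parse_hello(s_msg)
    if BASE_CAP not in ccaps or BASE_CAP not in scaps:
        return None
    return sid, sorted(set(ccaps) & set(scaps))


if __name__ == "__main__":
    print(negotiate([BASE_CAP], [BASE_CAP, "urn:ietf:params:netconf:capability:candidate:1.0"], 42))
```

The ]]>]]> delimiter is the base:1.0 framing; because that byte sequence can legally occur inside XML content, RFC 6242 later replaced it with chunked framing for base:1.1, so an implementation should pick its framer from the peer's advertised capabilities rather than hard-coding the delimiter.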

5 Operations
Protocol           ISMS              Netconf           Syslog
Content            MIBs              TBD               Not Standard
Modeling Language  SMIv2             XML Schema        Structured ASCII
Authorization      RADIUS            TBD
Operations         GET*/Set/Notify   GET/EDIT/Notify   Log/Notify
Message Security   USM->SSH          SSH               SSH or TLS
Transport          UDP->TCP          TCP               UDP->TCP

- Operations for Netconf and SNMP are similar, but SNMP currently offers finer granularity
- Ultimately, the operations are read, write, and notifications
- We should discuss how operations can be shared and correlated

6 Authorization
Protocol           ISMS          Netconf          Syslog
Content            MIBs          TBD              Not Standard
Modeling Language  SMIv2         XML Schema       Structured ASCII
Authorization      RADIUS/VACM   All-or-nothing   All-or-nothing
Operations         GET-*/SET     GET/EDIT         none
Message Security   SSH           SSH              SSH or TLS?
Transport          UDP->TCP      TCP              UDP->TCP

- SNMPv3 uses statically-defined view-based access control (VACM)
  - Groups have access to assigned views for specific operation types
  - Currently, users are statically assigned to VACM groups (role-based access control)
- The ISMS will support AAA to authenticate the principal and tie into SNMPv3's VACM
- Netconf: TBD

7 AAA Authorization
- A survey of NANOG operators showed these as most popular for NM authorization:
  - 40% RADIUS
  - 29% TACACS+
- ISMS WG is asking RADEXT WG to define RADIUS attributes that name policies for management access control for SNMP, Netconf, and other NM protocols
  - draft-nelson-radius-management-authorization-02.txt
- The mapping of the authenticated principal to administratively-named policies is to be done by the AAA server
- The approach to policy, and the mapping of policy names to policy implementations, should be left to the specific management protocols
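Added example (not from the slides or from the draft) of the split that slides 6 and 7 describe: the AAA server answers with an administratively named policy for the authenticated principal, and the SNMP engine alone maps that name to a VACM group and evaluates the group's views, using RFC 3415 view-tree family matching including the family mask. The principal table, policy names, groups and views are constructed sample data. The draft was later standardized as RFC 5607, which carries the policy name in a Management-Policy-Id attribute; this code models only the returned name, not the RADIUS encoding.

```python
"""Added example: AAA policy name -> VACM group -> view check (RFC 3415 semantics, simplified).

All tables below are constructed sample data, not a real agent's configuration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NO_AUTH_NO_PRIV, AUTH_NO_PRIV, AUTH_PRIV = 1, 2, 3


def oid(s: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in s.strip(".").split("."))


# Constructed AAA answer: principal -> policy name (the AAA server's job per slide 7).
AAA_POLICY: Dict[str, str] = {"alice": "snmp-admin", "bob": "snmp-monitor", "carol": "snmp-helpdesk"}

# Agent side: policy name -> VACM group (the management protocol's job per slide 7).
POLICY_TO_GROUP: Dict[str, str] = {"snmp-admin": "admins", "snmp-monitor": "monitors", "snmp-helpdesk": "helpdesk"}


@dataclass(frozen=True)
class Family:
    subtree: Tuple[int, ...]
    mask: bytes       # bit i (MSB first) covers subtree[i]; 1 = must match; bits past the end are 1
    included: bool


# vacmViewTreeFamilyTable
VIEWS: Dict[str, List[Family]] = {
    "internet": [Family(oid("1.3.6.1"), b"", True)],
    "monitor": [
        Family(oid("1.3.6.1.2.1"), b"", True),       # mib-2 included
        Family(oid("1.3.6.1.6.3.15"), b"", False),   # snmpUsmMIB excluded (no reading user table)
    ],
    # a single ifTable row: ifEntry.<column>.3, with the column sub-identifier (bit 9) wildcarded
    "if-row-3": [Family(oid("1.3.6.1.2.1.2.2.1.1.3"), b"\xff\xa0", True)],
}


@dataclass(frozen=True)
class Access:
    min_level: int
    read: Optional[str]
    write: Optional[str]
    notify: Optional[str]


# vacmAccessTable (context name and security model collapsed for brevity)
ACCESS: Dict[str, Access] = {
    "admins": Access(AUTH_PRIV, "internet", "internet", "internet"),
    "monitors": Access(AUTH_NO_PRIV, "monitor", None, "monitor"),
    "helpdesk": Access(AUTH_NO_PRIV, "if-row-3", None, None),
}


def mask_bit(mask: bytes, i: int) -> int:
    if i // 8 >= len(mask):
        return 1
    return (mask[i // 8] >> (7 - i % 8)) & 1


def family_matches(fam: Family, target: Tuple[int, ...]) -> bool:
    if len(target) < len(fam.subtree):
        return False
    return all(mask_bit(fam.mask, i) == 0 or target[i] == fam.subtree[i]
               for i in range(len(fam.subtree)))


def oid_in_view(view: str, target: Tuple[int, ...]) -> bool:
    matches = [f for f in VIEWS.get(view, []) if family_matches(f, target)]
    if not matches:
        return False
    # RFC 3415: the longest matching subtree decides; ties go to the lexicographically greatest
    best = max(matches, key=lambda f: (len(f.subtree), f.subtree))
    return best.included


def is_access_allowed(principal: str, level: int, view_type: str, target: Tuple[int, ...]) -> bool:
    """view_type is 'read', 'write' or 'notify'. Unknown principal or policy name denies."""
    policy = AAA_POLICY.get(principal)
    group = POLICY_TO_GROUP.get(policy) if policy else None
    acc = ACCESS.get(group) if group else None
    if acc is None or level < acc.min_level:
        return False
    view = getattr(acc, view_type)
    return view is not None and oid_in_view(view, target)
```

Two details carry the security weight: a policy name the agent does not know maps to no group and therefore denies, and the minimum security level is enforced before any view is consulted, so a principal arriving over an unauthenticated path never reaches the view check.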

8 Data Modeling
Protocol           ISMS        Netconf           Syslog
Content            MIBs        TBD, incl. MIBs   Not Standard
Modeling Language  SMIv2       XML Schema        Structured ASCII
Authorization      RADIUS      TBD
Operations         GET-*/SET   GET/EDIT
Message Security   SSH         SSH               SSH or TLS
Transport          UDP->TCP    TCP               UDP->TCP

- SNMP MIB modules
  - Wide deployment of SNMP MIB modules
  - Large number of IETF standard MIB modules
  - Large number of enterprise MIB modules
  - Need to preserve the knowledge base
- SNMP and XML
  - Some SNMP tools and stacks support XML; NMRG has researched translating SNMP messages to XML format
  - NMRG found SMIv2 a serious constraint to effective data modeling, and recommends utilizing XML without the SMIv2 constraints
  - SMIv2 is based on an adapted subset of ASN.1
  - XML is more flexible, and is taught in schools
  - XML is being used by other SDOs' NM data models

9 Data Modeling Languages
- Lots of data overlap between protocols
- SNMP and XML
  - Some SNMP tools and stacks support XML, and NMRG has researched translating SNMP messages to XML format
  - NMRG and the SMING WG found SMIv2 a serious constraint to effective data modeling; XML is more extensible than SMIv2

10 Possible Convergence Work
Protocol           SNMP/ISMS      Netconf           Syslog
Content            MIB models --  TBD, incl. MIBs   <-- Standardize
Modeling Language  SMIv2          XML Schema        Structured ASCII
Authorization      RADIUS/AAA     AAA
Operations         Get-*/SET      GET/EDIT
Message Security   SSH            SSH               SSH or TLS?
Transport          UDP->TCP       TCP               UDP->TCP?

- Develop a loose "layered" architecture for IETF NM standards, a la Netconf or these slides
- Netconf and SNMP
  - Develop Netconf <snmp-*> operations and an SNMP varbind in XML so Netconf can access SNMP data (starter for migration purposes)
  - Develop extended operations for accessing SNMP data (e.g. using XPath expressions)
  - Develop common NM authorization in AAA for SNMP, Netconf, Syslog, and others
- Other
  - Converge SIMPLE's XML-based "patch" proposal with Netconf
  - IPFIX and Syslog may be able to converge on a common TLS-secured transport
  - Maybe ISMS and Netconf should move to SASL/TLS as well

11 Netconf and SNMP: Multiple Approaches to Discuss
- Use the same secure transport (i.e. SSH)
- Develop common NM authorization in AAA for SNMP, Netconf, Syslog, and others, as applicable
- Develop Netconf <snmp-*> operations and an SNMP varbind in XML so Netconf can access SNMP data (i.e. have Netconf actually do SNMP, and ultimately replace SNMP)
- Develop extended operations for accessing SNMP data to supplement SNMP, e.g. using XPath expressions rather than getnext/bulk
- Create an "snmp" dataset (cf. running, candidate)
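Added example (not from the slides) for the two Netconf/SNMP approaches in slides 10 and 11: a constructed ifTable instance is read the SNMP way with a getnext walk, one round trip per varbind, then rendered as XML with a hypothetical element mapping so the same rows can be selected in one XPath expression. The element names and the COLUMNS mapping are this example's own, not a standard SNMP-to-XML schema, and the agent data is made up.

```python
"""Added example: SNMP getnext walk versus XPath selection over an XML rendering of the same data.

The ifTable rows below are constructed; the XML element names are a hypothetical mapping.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

OID = Tuple[int, ...]


def oid(s: str) -> OID:
    return tuple(int(x) for x in s.strip(".").split("."))


IF_ENTRY = oid("1.3.6.1.2.1.2.2.1")                      # ifEntry; columns are IF_ENTRY.<col>.<ifIndex>
COLUMNS = {1: "ifIndex", 2: "ifDescr", 8: "ifOperStatus", 10: "ifInOctets"}  # hypothetical mapping

# constructed agent instance data, kept in lexicographic OID order as a real agent would
AGENT: List[Tuple[OID, object]] = sorted([
    (IF_ENTRY + (1, 1), 1), (IF_ENTRY + (2, 1), "lo0"), (IF_ENTRY + (8, 1), 1), (IF_ENTRY + (10, 1), 4096),
    (IF_ENTRY + (1, 3), 3), (IF_ENTRY + (2, 3), "eth0"), (IF_ENTRY + (8, 3), 1), (IF_ENTRY + (10, 3), 987654),
    (IF_ENTRY + (1, 4), 4), (IF_ENTRY + (2, 4), "eth1"), (IF_ENTRY + (8, 4), 2), (IF_ENTRY + (10, 4), 0),
])


def get_next(name: OID) -> Optional[Tuple[OID, object]]:
    """SNMP GetNext: the first varbind whose OID is lexicographically greater than `name`."""
    for o, v in AGENT:
        if o > name:
            return o, v
    return None


def walk(subtree: OID) -> List[Tuple[OID, object]]:
    """Repeated GetNext until the reply leaves the subtree (one request per varbind)."""
    out: List[Tuple[OID, object]] = []
    cur = subtree
    while True:
        nxt = get_next(cur)
        if nxt is None or nxt[0][:len(subtree)] != subtree:
            return out
        out.append(nxt)
        cur = nxt[0]


def to_xml() -> ET.Element:
    """Render the walked table as <ifTable><ifEntry><ifIndex/>...</ifEntry>... (hypothetical schema)."""
    rows: Dict[int, Dict[str, object]] = {}
    for o, v in walk(IF_ENTRY):
        col, idx = o[len(IF_ENTRY)], o[len(IF_ENTRY) + 1]
        rows.setdefault(idx, {})[COLUMNS[col]] = v
    table = ET.Element("ifTable")
    for idx in sorted(rows):
        entry = ET.SubElement(table, "ifEntry")
        for name, v in rows[idx].items():
            ET.SubElement(entry, name).text = str(v)
    return table


def xpath_select(expr: str) -> List[str]:
    """Answer a query in one shot with ElementTree's XPath subset, e.g. .//ifEntry[ifIndex='3']/ifDescr."""
    return [e.text for e in to_xml().findall(expr)]


if __name__ == "__main__":
    print(len(walk(IF_ENTRY + (2,))), "getnext round trips for ifDescr")
    print(xpath_select(".//ifEntry[ifOperStatus='1']/ifDescr"))
```

The walk shows why the slide calls SNMP's granularity finer but its retrieval coarse: selecting "descriptions of interfaces that are up" costs a full column walk plus client-side filtering, whereas the XPath form expresses the filter in the request, which is the point of the proposed extended operations.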

