
Re: Call for consensus on path forward

I have gone through the latest version of all 4 drafts and I think
it is time we heard more voices - from developers and operators - and
some more analysis.

As I see it, the Aggregate MIB proposal and the extended capability
negotiation proposal of Dave Shield do not imply and/or require any
extension of the present SNMP protocol. (These DO NOT belong to the
same category as the GetCols or OOPS proposals.) These are sort of
lateral extensions that add flexibility to applications and address
performance problems.

The Aggregate MIB works perfectly within the present framework. And,
it will work with ANY of the new extensions too. It solves a
performance problem that management applications face when polling
agents repeatedly. This does not overlap with any of the present
So the question is, why do we need Aggregate MIBs?
Well, if you are not polling your devices regularly you DO NOT
need it. My bet is that a major part of the SNMP traffic in the
Internet and in the Intranets is routine polling. A majority of SNMP
applications are doing just polling. Same set of MOs are polled again
and again day in and day out. [MRTG, RRD, NetGrapher... ]

So the next question is: if these polling applications are already
there why do we need these Aggregate MIBs?
The answer is to solve the performance problem. There are not many
traffic graphs which show traffic at 1 sec intervals. (Try getting
a few hundred MOs at 1 second intervals and the performance problem
that operators and developers face will begin to manifest itself.)

But then why do we need to look at traffic at 1 second intervals?
If we are managing a reasonably fast network, and doing serious
management - then we probably need to look at traffic at even
smaller intervals. I will cite just two of the instances that we
have actually encountered.
a. Traffic graphs for a Gigabit network polled at, say, 1 minute
    intervals are USELESS. What we end up seeing is the traffic
    averaged over a minute! One never sees the real traffic
    characteristics from these graphs. [Isn't there anyone out there
    monitoring a high speed network? I would be interested to know
    how you do it.]
b. Our security applications need high resolution traffic monitoring.
    There can be a sustained stealth DoS attack that is disrupting the
    network and seriously degrading its performance (with short and
    sharp bursts of traffic) yet not a flicker shows on the traffic graphs
    to tell about the attack i.e. if you are monitoring at 5 minutes,
    1 minute or even several second intervals!

I would love to hear your comments.
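
The averaging effect described in points (a) and (b) above, as an added example that is not part of the original message: a cumulative octet counter is read at different polling intervals and the peak rate a poller would see is computed for each. The link speed, baseline rate, burst rate and burst spacing are all constructed values, and the function names are hypothetical.

```python
# Added illustration: every traffic figure below is constructed, not measured.
LINK_BPS = 1_000_000_000     # gigabit link
BASE_BPS = 50_000_000        # assumed steady background load
BURST_BPS = 950_000_000      # assumed one-second burst rate
BURST_PERIOD_S = 15          # assumed: one burst every 15 seconds
DURATION_S = 300


def octet_counter(duration_s=DURATION_S):
    """Cumulative octet counter; index t holds the value at second t."""
    counter = [0]
    for t in range(duration_s):
        bps = BURST_BPS if t % BURST_PERIOD_S == 7 else BASE_BPS
        counter.append(counter[-1] + bps // 8)
    return counter


def polled_rates(counter, interval_s):
    """Rates in bit/s seen by a poller reading the counter every interval_s."""
    samples = counter[::interval_s]
    return [(b - a) * 8 // interval_s for a, b in zip(samples, samples[1:])]


def intervals_over(counter, interval_s, utilization):
    """Number of polling intervals whose rate exceeds the given link share."""
    limit = LINK_BPS * utilization
    return sum(1 for rate in polled_rates(counter, interval_s) if rate > limit)


if __name__ == "__main__":
    c = octet_counter()
    for interval in (1, 5, 60, 300):
        peak = max(polled_rates(c, interval))
        hits = intervals_over(c, interval, 0.8)
        print(f"{interval:>3}s polling: peak {peak / 1e6:6.0f} Mbit/s, "
              f"{hits} intervals above 80% utilization")
```

With these constructed numbers the twenty bursts cross an 80% utilization threshold only at 1-second polling; at 5 seconds and above they are absorbed into the average.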