[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
snmpconf Re: ipsec-cfg MIB
So four courses of action come to mind and there are probably
Have all of them been discussed besides #3?
Choice 1: Use the universal type "octet string"
Pro: Simple to understand, follows requirement of not
making mgmt itself more difficult than technology being managed.
Con: Any PDU carrying this object will exceed MTU, bad performance results
Certificate size is implicitly bounded at 65535 bytes per rfc
2578 pg 6
Choice 2: Use a form of indirection, abstract the certs in the mib
Pro: Follows the first bcp - use the "correct level of abstraction"
Certificates are not artificially limited in size
Con: Problem of actually getting the certificate transferred not solved.
Choice 3: Break Certificate into smaller chunks
How done: A table could list the certs, and operations can move a cert
a distribution table that would then have major and minor index and some
discussion on how to break apart/glue the certs into rows.
Pro: Certificates are not artificially limited in size
Con: Manipulating certificates becomes painful, and scaling to large
of certs will be difficult.
Choice 4: Punt and wait for bulk transfer to be resolved in some future SNMP wg
pro: A standard and non painful way of transferring arbitrarily
large objects exists
won't be a problem to migrate to.
con: Certs handled in non-standard way until such a standard exists
At 05:36 PM 8/13/2000 -0400, Jon Saperia wrote:
>Now I'm getting what you are talking about. Those 4K byte MIB
> > objects are intended to hold certificates which have an undetermined
> > maximum size. I think that you are proposing that overly large objects
> > with unclear maximum sizes like these be downloaded to the device as a
> > series of smaller blocks. I think the idea has merit. And I would be
> > intersted in what folks in the SNMPCONF space have to say about a BCP
> > when sending down very large objects to divices. Therefore, I am cross
> > posting this to email@example.com
>I have now caught up on this thread. Beyond IPSec MIB Module questions and a
>IPSec Policy MIB Module, the question raised above is a general one. I have
>copied Mike MacFaden who is my co-author on the SNMCONF BCP. This discussion
>points to a deficiency in the BCP in that we do not discuss the issue of
>single data elements that are potentially larger than a single PDU. We
>discuss in terms of MIB design and manager/agent interactions multi-PDU
>transactions - more work needs to be done here as well.
>Specific suggestions for how to best deal with this with the current
>architecture are welcome.