
snmpconf Re: ipsec-cfg MIB


So four courses of action come to mind and there are probably 
Have all of them been discussed besides #3?

Choice 1: Use the universal type "octet string"
   Pro: Simple to understand, follows requirement of not
          making mgmt itself more difficult than technology being managed.
   Con: Any PDU carrying this object will exceed MTU, bad performance results
           Certificate size is implicitly bounded at 65535 bytes per RFC 2578 pg 6

Choice 2: Use a form of indirection, abstract the certs in the mib
   Pro: Follows the first bcp - use the "correct level of abstraction"
          Certificates are not artificially limited in size
   Con: Problem of actually getting the certificate transferred not solved.

Choice 3: Break Certificate into smaller chunks
     How done: A table could list the certs, and operations can move a cert 
     a distribution table that would then have major and minor index and some
     discussion on how to break apart/glue the certs into rows.
     Pro: Certificates are not artificially limited in size
     Con: Manipulating certificates becomes painful, and scaling to large 
             of certs will be difficult.

Choice 4: Punt and wait for bulk transfer to be resolved in some future SNMP wg
      Pro: A standard and non-painful way of transferring arbitrarily large objects exists
           won't be a problem to migrate to.
      Con: Certs handled in non-standard way until such a standard exists

Mike MacFaden

At 05:36 PM 8/13/2000 -0400, Jon Saperia wrote:
> > Now I'm getting what you are talking about.  Those 4K byte MIB
> > objects are intended to hold certificates which have an undetermined
> > maximum size. I think that you are proposing that overly large objects
> > with unclear maximum sizes like these be downloaded to the device as a
> > series of smaller blocks. I think the idea has merit. And I would be
> > interested in what folks in the SNMPCONF space have to say about a BCP
> > when sending down very large objects to devices. Therefore, I am cross
> > posting this to snmpconf@snmp.com
>
> I have now caught up on this thread. Beyond IPSec MIB Module questions and an
> IPSec Policy MIB Module, the question raised above is a general one. I have
> copied Mike MacFaden who is my co-author on the SNMPCONF BCP. This discussion
> points to a deficiency in the BCP in that we do not discuss the issue of
> single data elements that are potentially larger than a single PDU. We
> discuss in terms of MIB design and manager/agent interactions multi-PDU
> transactions - more work needs to be done here as well.
> Specific suggestions for how to best deal with this with the current
> architecture are welcome.
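
Choice 3 above (a listing table plus a distribution table with major and minor index), as an added sketch that is not code from this thread or from any MIB: the 1024-byte row size, the length and SHA-256 fields on the listing entry, and all function names are assumptions made for illustration. It shows the glue step refusing a transfer with missing rows or altered bytes, so a partially written certificate is never handed on.

```python
import hashlib

CHUNK_SIZE = 1024  # assumed per-row payload, picked to keep one row inside one PDU

def split_cert(cert_index, der, chunk_size=CHUNK_SIZE):
    """Break one certificate into rows keyed by (major, minor) index."""
    if not der:
        raise ValueError("empty certificate")
    rows = {}
    for minor, off in enumerate(range(0, len(der), chunk_size), start=1):
        rows[(cert_index, minor)] = der[off:off + chunk_size]
    # Hypothetical listing-table entry: total length and digest of the whole cert.
    listing = {"length": len(der), "sha256": hashlib.sha256(der).hexdigest()}
    return listing, rows

def reassemble(cert_index, listing, rows):
    """Glue the rows back together; refuse anything incomplete or altered."""
    minors = sorted(m for (major, m) in rows if major == cert_index)
    if not minors or minors != list(range(1, len(minors) + 1)):
        raise ValueError("chunk rows missing or not contiguous")
    der = b"".join(rows[(cert_index, m)] for m in minors)
    if len(der) != listing["length"]:
        raise ValueError("length mismatch: transfer incomplete")
    if hashlib.sha256(der).hexdigest() != listing["sha256"]:
        raise ValueError("digest mismatch: chunk altered")
    return der

def rejected(cert_index, listing, rows):
    """True when reassemble() refuses the given rows."""
    try:
        reassemble(cert_index, listing, rows)
    except ValueError:
        return True
    return False

# Constructed stand-in for a DER certificate larger than a 4K object.
SAMPLE = bytes(i % 251 for i in range(5000))

if __name__ == "__main__":
    listing, rows = split_cert(7, SAMPLE)
    print(len(rows), "rows;", "round trip ok:", reassemble(7, listing, rows) == SAMPLE)
    truncated = {k: v for k, v in rows.items() if k != (7, 5)}
    print("truncated transfer rejected:", rejected(7, listing, truncated))
```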