
Re: snmpconf Re: ANNOUNCEMENT: WG last call on draft-ietf-snmpconf-bcp-06.txt (fwd)

John, below is a note I meant to send, but which apparently never got to the
snmpconf list. It was in response to some of your questions. Since that
time, I see that you and Wayne have discussed one of the points, so keep
in mind this was written prior to that discussion.

One more item: while I am happy to provide these comments, I was also hoping
other members of the group would make comments as well.  In any case,
here is what I had meant to send:

John, we will have to let users speak up, but there are a number of IETF
standards that most would agree are widely deployed and use
configuration management via SNMP. Examples include the various RMON MIB
Modules. They are widely implemented and used in production networks and
are non-trivial. RFC 1850, which is for OSPF, is also in use. I have
worked at companies that have implemented the configuration aspects of
this MIB Module as well. Beyond that, there are 'private' MIB Modules
used for configuration. Sitara is one that I know of. Not only do they
have full configurability of QoS via a MIB Module, they also have a
policy management application that uses the MIB objects for
configuration. Others on this list might have other examples as well.

> >>
> >> Network devices are configured using many mechanisms, however two 
> >> methods remain the most common: SNMP and Command Line Interface (CLI).
> An issue which was framed more crisply in the Policy Framework WG, but
> still applies here because policy configuration is advocated, is the need
> to control which persons can modify (possibly even read) which 
> configuration items. It is well known that different persons or teams
> are responsible for different configuration parameters on production
> networks. It is not clear from the relevant section how different users'
> access is controlled to different items. For example, where is the
> control information stored?

In section 6.2 of the document it is stated: 

   "SNMPv3 provides authentication and privacy protection and is
   recommended for all devices that support SNMP-based configuration."

As you know, v3 provides for role-based access control. The v3 documents
contain quite a lot of detail about these questions. 

> >> 6.4.  Sensitive Information Handling
> >>
> >> Some MIB modules contain objects that may contain data for keys, 
> >> passwords and other such sensitive information and hence must be 
> >> protected from unauthorized access.
> How can the "new SNMPCONF technology" be the subject of "best practice"
> without distorting the very idea that technology has been already found
> effective in practice?

If there is a question here, it is not clear. Can you rephrase it?

> >>
> >> A common practice used to move large amounts of data that some vendors
> >> employ involves using SNMP as a control channel in combination with
> >> other protocols defined for transporting bulk data. This approach is
> >> sub-optimal since it raises a number of security and other concerns.
> >> Transferring large amounts of configuration data via SNMP can be 
> >> efficiently performed with several of the techniques described earlier 
> >> in this document. This policy section shows how even greater efficiency 
> >> can be achieved using the new SNMPCONF technology. 
> Please do not simply repeat the refrain that these fundamental problems
> have been addressed already, or that they are (surprisingly) appearing
> only at the last-call stage of discussion. It appears they have not yet
> been actually resolved.

If you have additional specific questions, please pose them. With regard
to the 'goodness' of describing how one could use SNMPCONF in this
context, that discussion has been on the mailing list. See:



------- Forwarded Message

Date:    Mon, 10 Sep 2001 16:57:17 -0400
From:    John Schnizlein <jschnizl@cisco.com>
To:      snmpconf@snmp.com
Subject: Re: snmpconf Re: ANNOUNCEMENT: WG last call on draft-ietf-snmpconf-bcp


Yes, fixing 3.3.5 and the beginning of 7., 
but leaving the example in 7.1 would work.

I have not seen Jon's response to the other concerns. 
Would you please forward that message?


At 03:52 PM 9/10/2001, Wayne F. Tackabury wrote:

>At 05:47 PM 9/6/2001 -0400, John Schnizlein wrote:
>>How can the "new SNMPCONF technology" be the subject of "best practice"
>>without distorting the very idea that technology has been already found
>>effective in practice?
>In principle, I agree with you...
>One is in sec. 3.3.5, and as I look at it now, does look a bit out of place
>here.  ...
>I'd definitely be game for changing this section to reflect this more
>generic sense, and remove any direct reference to snmpconf here.
>Another mention is at the beginning of section 7.  That's really mostly an
>oversight given how this section was reformatted.  I'm very game for
>shooting that penultimate sentence of section 7.
>Last is the final sentence of section 7.1.  It clearly defines snmpconf as
>a latest example of a system supporting policy abstraction directly using
>SNMP, and the bibliographic reference is to a work-in-progress.  I'd vote
>that this isn't dictating anything or outlining a highly current practice,
>but merely being illustrative as to new developments in the practice, and
>hence, is appropriately framed for your concerns.
>Let me know if, with these mods, the essence of your concern is addressed.
>You had two other significant concerns, which I think Jon addressed (feel
>free to repost if you have concerns that what he pointed out needs
>amplification).  Thanks for your time and attention in looking at the
>document.

------- End of Forwarded Message
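
The role-based access control the reply above points to for section 6.2 is SNMPv3's View-based Access Control Model (VACM, RFC 3415), and it answers John's "where is the control information stored?" question concretely: in three tables held by the agent, vacmSecurityToGroupTable (principal to group), vacmAccessTable (group plus security level to view names) and vacmViewTreeFamilyTable (view name to included/excluded OID subtrees with masks). The following Python is an added example written for this archive page; it is not code from the draft, from net-snmp, or from anyone on this thread. It models those three tables and the agent's isAccessAllowed decision. Every user, group and view name and every table row is constructed for illustration; the OIDs are the standard system group, ifEntry and usmUserTable prefixes.

```python
# Added example: a minimal model of SNMPv3 VACM (RFC 3415) access decisions.
# Table contents, user names, group names and view names are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OID = Tuple[int, ...]

def parse_oid(text: str) -> OID:
    """'.1.3.6.1.2.1.1' -> (1, 3, 6, 1, 2, 1, 1)"""
    return tuple(int(part) for part in text.strip(".").split("."))

@dataclass(frozen=True)
class ViewEntry:
    """Row of vacmViewTreeFamilyTable: subtree, mask, include/exclude flag."""
    subtree: OID
    mask: Tuple[int, ...]   # 1 = sub-identifier must match, 0 = wildcard; missing bits count as 1
    included: bool

@dataclass(frozen=True)
class AccessEntry:
    """Row of vacmAccessTable: the views a group gets at a minimum security level."""
    group: str
    context_prefix: str
    model: str          # "usm" or "any"
    level: str          # "noAuthNoPriv" | "authNoPriv" | "authPriv"
    match: str          # "exact" | "prefix" (applied to the context name)
    read_view: str
    write_view: str
    notify_view: str

LEVEL_RANK = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}

def view_includes(view: List[ViewEntry], oid: OID) -> bool:
    """RFC 3415 3.2 step 6: among entries whose masked subtree matches the OID,
    the one with the longest subtree wins and its included flag decides."""
    best: Optional[ViewEntry] = None
    for entry in view:
        if len(entry.subtree) > len(oid):
            continue
        matches = True
        for idx, sub in enumerate(entry.subtree):
            must_match = entry.mask[idx] if idx < len(entry.mask) else 1
            if must_match and oid[idx] != sub:
                matches = False
                break
        if matches and (best is None or
                        (len(entry.subtree), entry.subtree) > (len(best.subtree), best.subtree)):
            best = entry
    return best is not None and best.included

def is_access_allowed(groups: Dict[Tuple[str, str], str], access: List[AccessEntry],
                      views: Dict[str, List[ViewEntry]], model: str, user: str,
                      level: str, context: str, oid: OID, operation: str) -> Tuple[bool, str]:
    """Simplified isAccessAllowed() from RFC 3415 3.2. Returns (allowed, reason)."""
    group = groups.get((model, user))            # vacmSecurityToGroupTable lookup
    if group is None:
        return False, "noGroupName"
    candidates = [
        a for a in access
        if a.group == group
        and a.model in (model, "any")
        and LEVEL_RANK[a.level] <= LEVEL_RANK[level]   # requester must meet the entry's minimum level
        and (context == a.context_prefix if a.match == "exact"
             else context.startswith(a.context_prefix))
    ]
    if not candidates:
        return False, "noAccessEntry"
    # Step 4 preference: exact context match, specific model, higher level, longer prefix.
    best = max(candidates, key=lambda a: (a.match == "exact", a.model == model,
                                          LEVEL_RANK[a.level], len(a.context_prefix)))
    view_name = {"read": best.read_view, "write": best.write_view,
                 "notify": best.notify_view}[operation]
    if not view_name or view_name not in views:
        return False, "noSuchView"
    if not view_includes(views[view_name], oid):
        return False, "notInView"
    return True, "accessAllowed"

# --- Constructed control tables (hypothetical users, groups and views) ---
SECURITY_TO_GROUP = {("usm", "monitor"): "operators", ("usm", "netadmin"): "admins"}

VIEWS = {
    # Operators: the system group, plus every ifEntry column but only for ifIndex 3
    # (the 0 bit in the mask wildcards the column sub-identifier).
    "ops-view": [
        ViewEntry(parse_oid(".1.3.6.1.2.1.1"), (), True),
        ViewEntry(parse_oid(".1.3.6.1.2.1.2.2.1.0.3"), (1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1), True),
    ],
    # Admins: everything except usmUserTable, which carries key material (draft section 6.4).
    "no-secrets": [
        ViewEntry(parse_oid(".1.3.6.1"), (), True),
        ViewEntry(parse_oid(".1.3.6.1.6.3.15.1.2"), (), False),
    ],
}

ACCESS = [
    AccessEntry("operators", "", "usm", "authNoPriv", "exact", "ops-view", "", ""),
    AccessEntry("admins", "", "usm", "authPriv", "exact", "no-secrets", "no-secrets", ""),
]

def check(user: str, level: str, oid: str, operation: str) -> Tuple[bool, str]:
    """Convenience wrapper over the constructed tables, default context."""
    return is_access_allowed(SECURITY_TO_GROUP, ACCESS, VIEWS, "usm", user, level,
                             "", parse_oid(oid), operation)

if __name__ == "__main__":
    for args in [("monitor", "authNoPriv", ".1.3.6.1.2.1.1.5.0", "read"),
                 ("monitor", "authNoPriv", ".1.3.6.1.2.1.2.2.1.10.4", "read"),
                 ("monitor", "authNoPriv", ".1.3.6.1.2.1.1.5.0", "write"),
                 ("netadmin", "authNoPriv", ".1.3.6.1.2.1.1.5.0", "write"),
                 ("netadmin", "authPriv", ".1.3.6.1.6.3.15.1.2.2.1.3", "read")]:
        print(args, check(*args))
```

Two of the cases are the ones a reviewer of section 6.x should care about: a netadmin presenting only authNoPriv gets noAccessEntry because the admins row demands authPriv, so a policy that requires privacy for writes is enforced by the table rather than by convention, and even a fully privileged read of the usmUserTable is refused because the more specific excluded subtree wins over the broad include, which is how the "sensitive information" concern of section 6.4 is expressed in VACM terms.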