Network Working Group J. Schoenwaelder
Internet-Draft TU Braunschweig
Expires: May 25, 2001 November 24, 2000
SNMP over TCP Transport Mapping
draft-irtf-nmrg-snmp-tcp-05.txt
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
To view the entire list of Internet-Draft Shadow Directories, see
http://www.ietf.org/shadow.html.
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/iid-abstracts.txt
This Internet-Draft will expire on May 25, 2001.
Copyright Notice
Copyright (C) The Internet Society (2000). All Rights Reserved.
Abstract
This memo defines a transport mapping for using the Simple Network
Management Protocol (SNMP) over TCP. The transport mapping can be
used with any version of SNMP. This document extends the transport
mappings defined in RFC 1906.
Schoenwaelder Expires May 25, 2001 [Page 1]
Internet-Draft SNMP over TCP Transport Mapping November 2000
Table of Contents
1. Introduction
2. Definitions
3. SNMP over TCP
3.1 Serialization
3.2 Well-Known Values
3.3 Connection Management
3.4 Reliable Transport versus Confirmed Operations
4. Security Considerations
5. Acknowledgments
References
Author's Address
A. OPEN ISSUES
Full Copyright Statement
1. Introduction
The SNMP Management Framework presently consists of five major
components:
o An overall architecture, described in RFC 2571 [2].
o Mechanisms for describing and naming objects and events for the
purpose of management. The first version of this Structure of
Management Information (SMI) is called SMIv1 and described in STD
16, RFC 1155 [3], STD 16, RFC 1212 [4] and RFC 1215 [5]. The
second version, called SMIv2, is described in STD 58, RFC 2578
[6], STD 58, RFC 2579 [7] and STD 58, RFC 2580 [8].
o Message protocols for transferring management information. The
first version of the SNMP message protocol is called SNMPv1 and
described in STD 15, RFC 1157 [9]. A second version of the SNMP
message protocol, which is not an Internet standards track
protocol, is called SNMPv2c and described in RFC 1901 [10] and
RFC 1906 [11]. The third version of the message protocol is
called SNMPv3 and described in RFC 1906 [11], RFC 2572 [12] and
RFC 2574 [13].
o Protocol operations for accessing management information. The
first set of protocol operations and associated PDU formats is
described in STD 15, RFC 1157 [9]. A second set of protocol
operations and associated PDU formats is described in RFC 1905
[14].
o A set of fundamental applications described in RFC 2573 [15] and
the view-based access control mechanism described in RFC 2575
[16].
A more detailed introduction to the current SNMP Management
Framework can be found in RFC 2570 [17].
Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. Objects in the MIB are
defined using the mechanisms defined in the SMI.
This memo defines a transport mapping for using the Simple Network
Management Protocol (SNMP) over TCP. The transport mapping can be
used with any version of SNMP. This document extends the transport
mappings defined in RFC 1906 [11].
The SNMP over TCP transport mapping is an optional transport
mapping. SNMP protocol engines that implement the SNMP over TCP
transport mapping MUST also implement the SNMP over UDP transport
mapping as defined in RFC 1906 [11].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [1].
2. Definitions
IRTF-NMRG-SNMP-TM DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-IDENTITY, experimental
        FROM SNMPv2-SMI
    TEXTUAL-CONVENTION
        FROM SNMPv2-TC;

nmrgSnmpDomains MODULE-IDENTITY
    LAST-UPDATED "200004031800Z"
    ORGANIZATION "IRTF Network Management Research Group"
    CONTACT-INFO
        "Juergen Schoenwaelder
         TU Braunschweig
         Bueltenweg 74/75
         38106 Braunschweig
         Germany

         Phone: +49 531 391-3283
         Email: schoenw@ibr.cs.tu-bs.de"
    DESCRIPTION
        "This MIB module defines the SNMP over TCP transport mapping."
    REVISION    "200004031800Z"
    DESCRIPTION
        "Initial version, published as RFC XXXX."
    ::= { experimental nmrg(91) 1 }

-- SNMP over TCP over IPv4

snmpTCPDomain OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
        "The SNMP over TCP over IPv4 transport domain. The
         corresponding transport address is of type SnmpTCPAddress."
    ::= { nmrgSnmpDomains 1 }

SnmpTCPAddress ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "1d.1d.1d.1d/2d"
    STATUS      current
    DESCRIPTION
        "Represents a TCP/IPv4 address:

           octets   contents     encoding
            1-4     IP-address   network-byte order
            5-6     TCP-port     network-byte order
        "
    SYNTAX      OCTET STRING (SIZE (6))

END
3. SNMP over TCP
SNMP over TCP is an experimental optional transport mapping. It is
primarily defined to support more efficient bulk transfer mechanisms
within the SNMP framework [20].
The originator of a request/response transaction chooses the
transport protocol for the entire transaction. The transport
protocol MUST NOT change during a transaction.
In general, originators of request/response transactions are free to
use the transport they assume is the best in a given situation.
However, since TCP has a larger footprint on resource usage than
UDP, engines using SNMP over TCP may choose to switch back to UDP by
refusing new TCP connections whenever necessary (e.g. too many open
TCP connections).
When selecting the transport, it is useful to consider how SNMP
interacts with TCP acknowledgements and timers. In particular,
infrequent SNMP interactions over TCP may lead to additional IP
packets carrying acknowledgements for SNMP responses if there is no
chance to piggyback them. Furthermore, it is recommended to
configure SNMP timers to fire later when using SNMP over TCP to
avoid application specific timeouts before the TCP timers have
expired.
3.1 Serialization
Each instance of a message is serialized into a single BER-encoded
message, using the algorithm specified in Section 8 of RFC 1906
[11]. The BER-encoded message is then sent over a TCP connection. An
SNMP engine MUST NOT interleave SNMP messages within the TCP byte
stream. All the bytes of one SNMP message must be sent before any
bytes of a different SNMP message.
It is possible to exchange multiple SNMP request/response pairs over
a single (persistent) TCP connection. TCP connections are by
default full-duplex and data can travel in both directions at
different speeds. It is therefore possible to send multiple SNMP
messages to a remote SNMP engine before receiving responses from the
same SNMP engine. Note that an SNMP engine is not required to return
responses in the same order as it received the requests.
It is possible that the underlying TCP implementation delivers byte
sequences that do not coincide with SNMP message boundaries. A
receiving SNMP engine MUST therefore use the length field in the
BER-encoded SNMP message to separate multiple requests sent over a
single TCP connection.
3.2 Well-Known Values
It is RECOMMENDED that administrators configure their SNMP entities
containing command responders to listen on TCP port 161 for incoming
connections. It is also RECOMMENDED that SNMP entities containing
notification receivers be configured to listen on TCP port 162 for
connection requests.
When an SNMP entity uses the TCP transport mapping, it MUST be
capable of accepting messages that are at least 8192 octets in size.
Implementation of larger values is encouraged whenever possible.
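The following is an added example, not part of the original draft or of any implementation it mentions. It shows one way a receiving engine can apply the length-field rule of Section 3.1 together with a message size limit as discussed in Section 3.2. The names FramingError, ber_frame_size, SnmpStreamFramer and the 8192-octet cap are assumptions of this example; it treats the indefinite-length form as an error, since such a message cannot be framed by its length field.

```python
# Added example: frame SNMP messages on a TCP byte stream by BER length.
MAX_MSG_SIZE = 8192  # assumption: accept only the minimum size the draft requires

class FramingError(Exception):
    """The stream is not acceptable SNMP; the caller should close the connection."""

def ber_frame_size(buf, max_size=MAX_MSG_SIZE):
    """Total octets (tag + length + content) of the message at the start of
    buf, or None if the length field has not fully arrived yet."""
    if not buf:
        return None
    if buf[0] != 0x30:  # every SNMP message is a BER SEQUENCE
        raise FramingError("unexpected tag 0x%02x" % buf[0])
    if len(buf) < 2:
        return None
    first = buf[1]
    if first < 0x80:  # short form: the octet is the length
        header, length = 2, first
    else:  # long form: low 7 bits give the number of length octets
        n = first & 0x7F
        if n == 0 or n > 4:  # 0x80 is the indefinite form; cap the field width
            raise FramingError("unsupported length encoding 0x%02x" % first)
        if len(buf) < 2 + n:
            return None
        header, length = 2 + n, int.from_bytes(buf[2:2 + n], "big")
    if header + length > max_size:  # reject before buffering the body
        raise FramingError("declared size %d exceeds limit" % (header + length))
    return header + length

class SnmpStreamFramer:
    """Reassembles whole messages from arbitrary TCP read chunks."""

    def __init__(self, max_size=MAX_MSG_SIZE):
        self.max_size = max_size
        self.buf = bytearray()

    def feed(self, data):
        self.buf += data
        messages = []
        while True:
            size = ber_frame_size(self.buf, self.max_size)
            if size is None or len(self.buf) < size:
                return messages
            messages.append(bytes(self.buf[:size]))
            del self.buf[:size]

# Constructed sample data: two BER SEQUENCEs (short-form and long-form length).
MSG_A = bytes.fromhex("3006020101040100")
MSG_B = b"\x30\x81\x80\x04\x7e" + b"A" * 126

def demo(chunk=5):
    """Feed three pipelined messages in 5-octet reads, as TCP might deliver them."""
    stream, framer, out = MSG_A + MSG_B + MSG_A, SnmpStreamFramer(), []
    for i in range(0, len(stream), chunk):
        out += framer.feed(stream[i:i + chunk])
    return out
```

Because the size check runs as soon as the length octets are present, a peer that declares a huge message is rejected before any of its body is buffered.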
3.3 Connection Management
The use of TCP connections introduces costs [18]. Connection
establishment and teardown cause additional network traffic.
Furthermore, maintaining open connections binds resources in the
network layer of the underlying operating system.
SNMP over TCP is intended to be used when the size of the
transferred data is large since TCP offers flow control and
efficient segmentation. The transport of large amounts of management
data via SNMP over UDP requires many request/response interactions
with small-sized SNMP over UDP messages, which causes latency to
increase excessively.
All SNMP entities (whether in an agent role or manager role) can
close TCP connections at any point in time. This ensures that SNMP
entities can control their resource usage and shut down TCP
connections that are not used. Note that SNMP engines MUST process
SNMP messages even if the incoming half of the TCP connection is
closed while the outgoing half remains open.
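The following is an added example, not part of the original draft. It sketches the half-close handling required above for an event-driven engine: once the peer has closed its sending half, the socket is dropped from the read list but kept in the write list until the queued responses are flushed. The function serve, the echoing responder and the one-octet-length framing are assumptions of this example, and a local socket pair stands in for the TCP connection.

```python
import select
import socket

def serve(conn, process, idle_timeout=5.0):
    """Serve one connection until the peer's FIN has been seen and every
    response has been written; then close our half as well."""
    conn.setblocking(False)
    inbuf, outbuf = bytearray(), bytearray()
    read_open = True
    while read_open or outbuf:
        rlist = [conn] if read_open else []   # after EOF: never poll for input again
        wlist = [conn] if outbuf else []      # stay in the write list while data is queued
        readable, writable, _ = select.select(rlist, wlist, [], idle_timeout)
        if not readable and not writable:
            break                             # idle peer: reclaim the connection
        if readable:
            chunk = conn.recv(4096)
            if chunk:
                inbuf += chunk
            else:
                read_open = False             # incoming half closed by the peer
            # Simplified framing (assumption): sample requests use one-octet
            # BER lengths, so a message is 2 + inbuf[1] octets long.
            while len(inbuf) >= 2 and len(inbuf) >= 2 + inbuf[1]:
                size = 2 + inbuf[1]
                outbuf += process(bytes(inbuf[:size]))
                del inbuf[:size]
        if writable:
            sent = conn.send(outbuf)
            del outbuf[:sent]
    conn.close()

# Constructed sample requests (BER SEQUENCEs with short-form lengths).
REQUESTS = [bytes.fromhex("3006020101040100"), bytes.fromhex("3003020107")]

def demo():
    manager, agent = socket.socketpair()      # stands in for a TCP connection
    manager.sendall(b"".join(REQUESTS))
    manager.shutdown(socket.SHUT_WR)          # manager half-closes after sending
    serve(agent, process=lambda msg: msg)     # hypothetical responder: echoes
    replies = bytearray()
    while True:
        chunk = manager.recv(4096)
        if not chunk:
            break
        replies += chunk
    manager.close()
    return bytes(replies)
```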
The processing of any outstanding SNMP requests when both halves of
the TCP connection have been closed is implementation dependent. The
sending SNMP entity SHOULD therefore not make assumptions about the
processing of outstanding SNMP requests once a TCP connection is
closed. A timeout error condition SHOULD be signalled for confirmed
requests if the TCP connection is closed before a response has been
received.
3.4 Reliable Transport versus Confirmed Operations
The transport of SNMP messages over TCP results in a reliable
exchange of SNMP messages between SNMP engines. In particular, TCP
guarantees (in the absence of security attacks) that the delivered
data is not damaged, lost, duplicated, or delivered out of order
[19].
The SNMP protocol has been designed to support confirmed as well as
unconfirmed operations [2]. The inform-request protocol operation is
an example of a confirmed operation while the snmpV2-trap operation
is an example of an unconfirmed operation.
There is an important difference between an unconfirmed protocol
operation sent over a reliable transport and a confirmed protocol
operation. A reliable transport such as TCP only guarantees that
delivered data is not damaged, lost, duplicated, or delivered out of
order. It does not guarantee that the delivered data was actually
processed in any way by the application process. Furthermore, even a
reliable transport such as TCP cannot guarantee that data sent to a
remote system is eventually delivered on the remote system. Even a
graceful close of the TCP connection does not guarantee that the
receiving TCP engine has actually delivered all the data to an
application process.
With a confirmed SNMP operation, the receiving SNMP engine
acknowledges that the data was actually received. Depending on the
SNMP protocol operation, a confirmation may indicate that further
processing was done. For example, the response to an inform-request
protocol operation also indicates to the notification originator
that the notification passed the security model and that it was
delivered to the notification receiver application. Similarly, the
response to a set-request indicates that the data passed the
transport, the authentication mechanism and that the write request
was actually processed by the command responder.
A reliable transport is thus only a poor approximation for confirmed
operations. Applications that need confirmation of delivery or
processing are encouraged to use the confirmed operations, such as
the inform-request, rather than using unconfirmed operations, such
as snmpV2-trap, over a reliable transport.
4. Security Considerations
It is recommended that implementors consider the security features
as provided by the SNMPv3 framework in order to provide SNMP
security. Specifically, the use of the User-based Security Model
RFC 2574 [13] and the View-based Access Control Model RFC 2575 [16]
is recommended.
It is then a customer/user responsibility to ensure that the SNMP
entity giving access to a MIB is properly configured to give access
to the objects only to those principals (users) that have legitimate
rights to indeed GET or SET (change) them.
The SNMP over TCP transport mapping does not have any impact on the
security mechanisms provided by SNMPv3. However, SNMP over TCP may
introduce new vulnerabilities to denial of service attacks (such as
TCP SYN flooding) that do not exist in this form in other transport
mappings.
5. Acknowledgments
This document is the result of discussions within the Network
Management Research Group (NMRG) of the Internet Research Task
Force[21] (IRTF). Special thanks to Luca Deri, Jean-Philippe
Martin-Flatin, Aiko Pras, Ron Sprenkels, and Bert Wijnen for their
comments and suggestions.
Additional useful comments have been made by Mike Ayers, Jeff Case,
Mike Daniele, David Harrington, Lauren Heintz, Keith McCloghrie, and
Dave Shield.
Luca Deri, Wes Hardaker, Bert Helthuis, and Erik Schoenfelder helped
to create prototype implementations. The SNMP over TCP transport
mapping is currently supported by the NET-SNMP package[22] and the
Linux CMU SNMP package[23].
References
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[2] Harrington, D., Presuhn, R. and B. Wijnen, "An Architecture for
Describing SNMP Management Frameworks", RFC 2571, April 1999.
[3] Rose, M. and K. McCloghrie, "Structure and Identification of
Management Information for TCP/IP-based Internets", STD 16, RFC
1155, May 1990.
[4] Rose, M. and K. McCloghrie, "Concise MIB Definitions", STD 16,
RFC 1212, March 1991.
[5] Rose, M., "A Convention for Defining Traps for use with the
SNMP", RFC 1215, March 1991.
[6] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose,
M. and S. Waldbusser, "Structure of Management Information
Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.
[7] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose,
M. and S. Waldbusser, "Textual Conventions for SMIv2", STD 58,
RFC 2579, April 1999.
[8] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose,
M. and S. Waldbusser, "Conformance Statements for SMIv2", STD
58, RFC 2580, April 1999.
[9] Case, J., Fedor, M., Schoffstall, M. and J. Davin, "A Simple
Network Management Protocol (SNMP)", STD 15, RFC 1157, May 1990.
[10] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser,
"Introduction to Community-based SNMPv2", RFC 1901, January
1996.
[11] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser,
"Transport Mappings for Version 2 of the Simple Network
Management Protocol (SNMPv2)", RFC 1906, January 1996.
[12] Case, J., Harrington, D., Presuhn, R. and B. Wijnen, "Message
Processing and Dispatching for the Simple Network Management
Protocol (SNMP)", RFC 2572, April 1999.
[13] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM)
for version 3 of the Simple Network Management Protocol
(SNMPv3)", RFC 2574, April 1999.
[14] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser,
"Protocol Operations for Version 2 of the Simple Network
Management Protocol (SNMPv2)", RFC 1905, January 1996.
[15] Levi, D., Meyer, P. and B. Stewart, "SNMP Applications", RFC
2573, April 1999.
[16] Wijnen, B., Presuhn, R. and K. McCloghrie, "View-based Access
Control Model (VACM) for the Simple Network Management
Protocol (SNMP)", RFC 2575, April 1999.
[17] Case, J., Mundy, R., Partain, D. and B. Stewart, "Introduction
to Version 3 of the Internet-standard Network Management
Framework", RFC 2570, April 1999.
[18] Kastenholz, F., "SNMP Communications Services", RFC 1270,
October 1991.
[19] Postel, J., "Transmission Control Protocol", STD 7, RFC 793,
September 1981.
[20] Sprenkels, R. and J.P. Martin-Flatin, "Bulk Transfers of MIB
Data", Simple Times 7(1), March 1999.
[21] http://www.irtf.org/
[22] http://net-snmp.sourceforge.net/
[23] http://www.gaertner.de/snmp/
Author's Address
Juergen Schoenwaelder
TU Braunschweig
Bueltenweg 74/75
38106 Braunschweig
Germany
Phone: +49 531 391-3289
EMail: schoenw@ibr.cs.tu-bs.de
Appendix A. OPEN ISSUES
1. The requirement to handle half-closed TCP connections causes
additional implementation complexity in event-driven
applications since a half-closed socket would need to be
excluded from poll/select lists input checking (since the
descriptor would always come up ready for read) but be
left in the write list until the application decides to
close the socket after writing the response. This may
turn out hard to implement consistently across platforms.
Perhaps it would be simpler to just disallow half-closed TCP
connections in order to enhance interoperability.
2. The text does not explicitly say when TCP connections are
opened and by whom. However, some people believe that only one
sensible interpretation is actually possible. The question is
how precise we have to be without interacting too deeply with
RFC 2573.
Full Copyright Statement
Copyright (C) The Internet Society (2000). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph
are included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.