Convergence of Network Management Protocols - PowerPoint PPT Presentation

Provided by: DBH2
Learn more at: https://www.ietf.org
Transcript and Presenter's Notes

1
Convergence of Network Management Protocols
  • David Harrington
  • IETF64 OM Area Meeting
  • Vancouver, BC

2
Duplicate Efforts for Secure NM
  • A number of efforts occurring in the IETF are
    related to network management and security.
  • Many of the options being considered are similar,
    but decisions are often made in isolation.
    Working together would be better resource
    management.
  • Purpose of this presentation is to describe some
    efforts under way so people are aware of other
    work in a similar problem space
  • Having a balanced security approach between NM
    protocols would provide a more secure NM
    environment.

3
Message Security
  • WGs are striving to integrate Network Management
    protocols, including UDP-based, with existing
    security solutions
  • Many security protocols run over TCP-based
    transport; few run over UDP-based transport
  • A survey of NANOG operators showed the most
    popular for Network Management authentication
  • 66 local accounts
  • 49 SSH

4
Message Security Transport

Protocol           SNMP/ISMS        Netconf          Syslog
Content            MIBs             TBD              Not Standard
Modeling Language  SMIv2            XML Schema       Structured ASCII
Authorization      RADIUS           TBD
Operations         Get-/SET         GET/EDIT         none
Message Security   USM->SSH         SSH              SSH or TLS?
Transport          UDP->TCP         TCP              UDP->TCP?

5
Operations

Protocol           ISMS             Netconf          Syslog
Content            MIBs             TBD              Not Standard
Modeling Language  SMIv2            XML Schema       Structured ASCII
Authorization      RADIUS           TBD
Operations         GET/Set/Notify   GET/EDIT/Notify  Log/Notify
Message Security   USM->SSH         SSH              SSH or TLS
Transport          UDP->TCP         TCP              UDP->TCP

6
Authorization

Protocol           ISMS             Netconf          Syslog
Content            MIBs             TBD              Not Standard
Modeling Language  SMIv2            XML Schema       Structured ASCII
Authorization      RADIUS/VACM      All-or-nothing   All-or-nothing
Operations         GET-/SET         GET/EDIT         none
Message Security   SSH              SSH              SSH or TLS?
Transport          UDP->TCP         TCP              UDP->TCP

7
AAA Authorization
  • A survey of NANOG operators showed these as most
    popular for NM authorization
  • 40 RADIUS
  • 29 TACACS
  • ISMS WG is asking RADEXT WG to define RADIUS
    attributes that name policies for management
    access control for SNMP, Netconf, and other NM
    protocols
  • draft-nelson-radius-management-authorization-02.txt
  • The mapping of authenticated principal to
    administratively-named policies to be done by AAA
    server
  • Approach to policy and the mapping of policy
    names to policy implementations should be left to
    specific management protocols
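
The two-stage mapping described on this slide, sketched as an added example (not from the presentation or from any IETF draft): the AAA server maps an authenticated principal to a policy name, and each management protocol maps that name to its own enforcement. All principals, policy names, OID views and operation sets below are hypothetical.

```python
# Added illustration: every principal, policy name, OID view and operation set
# here is hypothetical and not taken from the slides or any IETF draft.

# Stage 1 (AAA server): authenticated principal -> administratively named policy.
AAA_POLICY_BY_PRINCIPAL = {
    "alice@noc.example": "noc-operator",
    "bob@noc.example": "read-only-monitor",
}

# Stage 2 (each management protocol): policy name -> local implementation.
# SNMP side: a VACM-style view expressed as readable/writable OID subtrees.
SNMP_VIEWS = {
    "noc-operator": {"read": ["1.3.6.1.2.1"], "write": ["1.3.6.1.2.1.2"]},
    "read-only-monitor": {"read": ["1.3.6.1.2.1.1", "1.3.6.1.2.1.2"], "write": []},
}
# Netconf side: the same policy names mapped to permitted operations.
NETCONF_OPS = {
    "noc-operator": {"get", "get-config", "edit-config"},
    "read-only-monitor": {"get", "get-config"},
}


def policy_for(principal):
    """Policy name the AAA server returns after authentication (None if unknown)."""
    return AAA_POLICY_BY_PRINCIPAL.get(principal)


def _in_subtree(oid, root):
    # Compare whole arcs so 1.3.6.1.2.1.1 does not match 1.3.6.1.2.1.11.
    o, r = oid.split("."), root.split(".")
    return o[:len(r)] == r


def snmp_allowed(principal, access, oid):
    """access is 'read' or 'write'; an unknown principal or policy is denied."""
    view = SNMP_VIEWS.get(policy_for(principal))
    if view is None:
        return False
    return any(_in_subtree(oid, root) for root in view.get(access, []))


def netconf_allowed(principal, operation):
    """Deny by default when the policy name has no local mapping."""
    return operation in NETCONF_OPS.get(policy_for(principal), set())
```

Because both protocols key off the same policy name, a change on the AAA server takes effect for SNMP and Netconf together, while a name with no local mapping fails closed.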

8
Data Modeling

Protocol           ISMS             Netconf          Syslog
Content            MIBs             TBD, incl. MIBs  Not Standard
Modeling Language  SMIv2            XML Schema       Structured ASCII
Authorization      RADIUS           TBD
Operations         GET-/SET         GET/EDIT
Message Security   SSH              SSH              SSH or TLS
Transport          UDP->TCP         TCP              UDP->TCP

9
Data Modeling Languages
  • Lots of data overlap between protocols
  • SNMP and XML
  • Some SNMP tools and stacks support XML and NMRG
    has researched translating SNMP messages to XML
    format.
  • NMRG and SMING WG found SMIv2 a serious
    constraint to effective data modeling
  • XML more extensible than SMIv2

10
Possible Convergence Work

Protocol           SNMP/ISMS        Netconf          Syslog
Content            MIB models--?    TBD, incl. MIBs  <--Standardize
Modeling Language  SMIv2            XML Schema       Structured ASCII
Authorization      RADIUS/AAA       AAA
Operations         Get-/SET?        GET/EDIT
Message Security   SSH              SSH              SSH or TLS?
Transport          UDP->TCP         TCP              UDP->TCP?

11
Netconf and SNMP
  • Multiple Approaches to Discuss
  • Use same secure transport (i.e. SSH)
  • Develop common NM authorization in AAA for SNMP,
    Netconf, Syslog, and others, as applicable
  • Develop Netconf <snmp- > operations and an snmp
    varbind in XML so Netconf can access SNMP data
    (i.e. have netconf actually do snmp, and
    ultimately replace snmp)
  • Develop extended operations for accessing SNMP
    data to supplement snmp, e.g. using XPath
    expressions rather than getnext/bulk
  • Create snmp dataset (Cf. running, candidate)
