Re: [midcom] MIDCOM MIB design question

[Tom Taylor <taylor@nortelnetworks.com>]

I know you can use views to separate out what one user sees vs. another, 
but I figured separation by module was cleaner.  Juergen is talking 
about separating what the administrator is interested in from what the 
MIDCOM agent is interested in.  Agreed that they both address the same 
underlying data structures, but I would think security setup would be 
simpler if you could specify access by module rather than having to do 
it object by object.

Harrington, David wrote:

> Hi Juergen,
>
> SNMP is a protocol that manipulates sets of data on remote devices. The
> set of data is typically used by many users. You separate mib data sets
> by the functionality they contain, not by which "user" will use it. 
>
> It would be really helpful if you were more explicit about the
> requirements and the separate objects you think are needed in each mib.
> Objects that "serve management purposes" means nothing to me. It depends
> on the manager.
>
> I might have one network manager or application whose job is to monitor
> performance, and he/it might use ifInOctets in its calculations. I might
> have a second application whose job is to isolate faulty interfaces, and
> it might use ifInOctets. I might have an intruder detection system that
> watches for anomalies and it might use ifInOctets. I wouldn't want three
> duplicate ifInOctet objects to rpvoide this information just because I
> happen to have three different managers/users looking at the datum for
> different purposes.
>
> You did list three things as management:
> 1)  the priority with which requested pinholes are configured in the
> firewall,
> 2) a table showing the mapping of MIDCOM pinholes to firewall resources
> or of MIDCOM NAT sessions/bindings to NAT resources,
> 3) a protocol statistics table listing the set of active MIDCOM
> sessions, protocol errors, etc.
>
> I'm not quite sure what type of priority you are referring to in 1).
> Priority relative to what? To other pinholes? To other firewall rules?
> To other MIDCOM rules within a group? To other MIDCOM groups? The
> priority of the operator performing the opeation? The priority of the
> operation versus other tasks the device needs to perform? 
>
> The MIDCOM MIB manipulates the mappings of MIDCOM pinholes to resources,
> so the map available to monitor this mapping belongs in the same mib, in
> my opinion. You don't need to duplicate the information just so another
> user can read it.
>
> Statistics are about the MIDCOM sessions and whatnot being configured in
> this mib. You don't need to separate which mib this is in.
>
> It is generally better to keep the status related to a functionality in
> the same mib as the configuration of the functionality. Statistics are
> part of status, and so are the configuration settings.
>
> dbh
>
>
> > -----Original Message-----
> > From: Tom Taylor [mailto:taylor@nortelnetworks.com] 
> > Sent: Wednesday, December 10, 2003 1:13 PM
> > To: Juergen Quittek
> > Cc: mibs@ops.ietf.org; midcom@ietf.org
> > Subject: Re: [midcom] MIDCOM MIB design question
> >
> >
> > I'd say they should be in separate modules because they are 
> > likely to be 
> > implemented on separate boxes on the SNMP client side.
> >
> > Juergen Quittek wrote:
> >
> >
> > > Dear all,
> > >
> > > In the MIDCOM working group we are developing a protocol 
> >
> > for dynamically
> >
> > > requesting pinholes in firewalls and bindings/sessions on NATs.
> > >
> > > The working group decided to use SNMP as basic protocol and 
> >
> > now we are
> >
> > > defining a MIDCOM MIB module.  While doing this, we found 
> >
> > that we are
> >
> > > defining two separate groups of objects:  Objects 
> >
> > implementing the MIDCOM
> >
> > > protocol (for which we already have a protocol semantics 
> >
> > document, see
> >
> > > draft-ietf-midcom-semantics-06.txt) and objects serving management 
> > > purposes.
> > > Management purposes include for example configurations, such as
> > > - the priority with which requested pinholes are configured in the 
> > > firewall,
> > > - a table showing the mapping of MIDCOM pinholes to 
> >
> > firewall resources
> >
> > >   or of MIDCOM NAT sessions/bindings to NAT resources
> > > - a protocol statistics table listing the set of active 
> >
> > MIDCOM sessions,
> >
> > >   protocol errors, etc.
> > >
> > > For these two groups of objects there are also two separate 
> >
> > groups of 
> >
> > > users:
> > > - middlebox controllers sending requests for dynamic 
> >
> > pinholes and NAT
> >
> > >   sessions/bindings
> > > - network managers configuring the middlebox (firewall or NAT) and
> > >   monitoring its operation
> > >
> > > The middlebox controllers only need access to the objects 
> >
> > implementing
> >
> > > the MIDCOM protocol.
> > >
> > > The network managers would rather use the objects serving 
> >
> > management 
> >
> > > purposes
> > > although in some cases they might need to access the other 
> >
> > group also.
> >
> > > Now, we have a draft defining these objects and the 
> >
> > following question:
> >
> > > Does someone have an opinion about whether these two groups 
> >
> > of objects
> >
> > > should be contained in a single MIB module or in two separate ones?
> > >
> > > Usually, this problem does not occur, because most control protocol,
> > > say GSMP are not defined on top of SNMP.  Therefore in GSMP there is
> > > a clear separation between the protocol and the MIB with 
> >
> > objects serving
> >
> > > network management purposes.  But in our case, SNMP is used for both
> > > purposes.
> > >
> > > Thanks,
> > >
> > >  Juergen
> >
> >
> > _______________________________________________
> > midcom mailing list
> > midcom@ietf.org
> > https://www1.ietf.org/mailman/listinfo/midcom