
Re: The datamodel in Notification Draft



On Thu, May 18, 2006 at 01:59:58PM +0200, Balazs Lengyel wrote:
 
> JURGEN! Could you tell us how ISMS is solving the session based security?
> As I understand they also decided to have proper security you need to 
> maintain sessions.

ISMS is all about using existing security solutions for SNMP. It turns
out that the most widely deployed security solutions are somehow
session based and the most widely deployed ones are running over
TCP. Note that session based security is not the same as running over
TCP.

The statement "to have proper security you need to maintain sessions"
per se might not be correct. But to have security, you need to
maintain some state between the communicating endpoints and setting
this up involves some work, even in the case of SNMPv3/USM.

We will soon post some measurement data to the ISMS list which shows
the cost of the various transport and security options for SNMP. We
did the measurements on a perfect network but also under conditions of
packet loss. All I can say is that those who use a stock net-snmp
implementation really should not worry about a TCP transport in case
the network is in trouble. With other SNMP stacks you might be better
off - we did not measure them.

/js

PS: Also SNMPv3/USM has some overhead when you send the first
    notification and you have to synchronize clocks. You do not establish
    a session key which saves on round trip times, but also reduces
    the level of security you get if you are paranoid (or you have to
    do more frequent key changes). The point is that you have to look
    at the whole system and that it is misleading to separate out
    pieces of the picture and to look at it in isolation.

PPS: Even if you consider signed syslog messages over plain UDP, it might
     be instructive to figure out what the overall performance will be
     end-to-end including generation and verification of the
     signatures.

-- 
Juergen Schoenwaelder		    International University Bremen
<http://www.eecs.iu-bremen.de/>	    P.O. Box 750 561, 28725 Bremen, Germany
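
The "synchronize clocks" overhead mentioned in the PS refers to the USM timeliness check of RFC 3414: for a confirmed notification (Inform) the receiver is the authoritative engine, and a sender with an empty cache first gets a Report carrying the receiver's snmpEngineBoots/snmpEngineTime before its notification is accepted. The following toy model is an added example, not code from this thread or from any SNMP implementation; the engine values and the 150-second window constant are RFC 3414 values, everything else (class and function names, the constructed boots/time numbers) is an assumption made for illustration. It counts the messages on the wire for the first and second notification, and shows why the same window rejects a replayed message once the receiver's clock has moved on.

```python
"""Toy model of the SNMPv3/USM timeliness check (RFC 3414, section 3.2 step 7).

Added example for illustration; not an implementation of any SNMP stack.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

TIME_WINDOW = 150  # seconds; the RFC 3414 timeliness window


@dataclass
class AuthoritativeEngine:
    """Notification receiver (authoritative for Informs). Constructed values."""
    snmp_engine_boots: int
    snmp_engine_time: int

    def check_timeliness(self, msg_boots: int, msg_time: int) -> Optional[Tuple[int, int]]:
        """Return None if the message is inside the window, otherwise the
        (boots, time) pair that would be sent back in a Report PDU
        (usmStatsNotInTimeWindows)."""
        if (msg_boots == self.snmp_engine_boots
                and abs(self.snmp_engine_time - msg_time) <= TIME_WINDOW):
            return None
        return (self.snmp_engine_boots, self.snmp_engine_time)


@dataclass
class NotificationSender:
    """Non-authoritative engine; its cache for the receiver starts empty (0, 0).
    A real engine would also add locally elapsed time to cached_time; this
    hypothetical model keeps the receiver's clock frozen between messages."""
    cached_boots: int = 0
    cached_time: int = 0
    latest_received_time: int = 0

    def absorb_report(self, boots: int, time: int) -> None:
        """Update the cache only when the report moves boots/time forward,
        so a stale or replayed Report cannot roll the cache backwards."""
        if boots > self.cached_boots or (
                boots == self.cached_boots and time > self.latest_received_time):
            self.cached_boots, self.cached_time = boots, time
            self.latest_received_time = time


def send_notification(sender: NotificationSender, receiver: AuthoritativeEngine,
                      max_attempts: int = 3) -> Tuple[bool, int]:
    """Model one Inform exchange; return (accepted, messages_on_wire)."""
    messages = 0
    for _ in range(max_attempts):
        messages += 1  # the Inform itself
        report = receiver.check_timeliness(sender.cached_boots, sender.cached_time)
        if report is None:
            return True, messages
        messages += 1  # Report PDU carrying the receiver's boots/time
        sender.absorb_report(*report)
    return False, messages


if __name__ == "__main__":
    # Constructed scenario: receiver has rebooted 3 times and been up 1000 s.
    receiver = AuthoritativeEngine(snmp_engine_boots=3, snmp_engine_time=1000)
    sender = NotificationSender()
    print("first notification:", send_notification(sender, receiver))   # (True, 3)
    print("second notification:", send_notification(sender, receiver))  # (True, 1)
    # Replay of a message captured at time 1000 after the receiver's clock
    # has advanced past the window: rejected.
    receiver.snmp_engine_time = 1200
    print("replay accepted?", receiver.check_timeliness(3, 1000) is None)  # False
```

The first Inform costs three messages (Inform, Report, Inform) where every later one costs one; that is the extra round trip the PS weighs against the session setup of a TCP-based security solution. The same window is what limits replay, which is why the text notes that skipping a session key trades round trips for a weaker freshness guarantee.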

archive: <http://ops.ietf.org/lists/netconf/>