Network Working Group                                    J. Schoenwaelder
Internet-Draft                                            TU Braunschweig
Expires April 2000                                       22. October 1999

              SNMP Protocol Operations for Invoking Operations

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC 2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   Distribution of this document is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1999).  All Rights Reserved.

Abstract

   This document defines additional protocol operations for the Simple
   Network Management Protocol (SNMP) that support more efficient
   configuration management via SNMP.  The CallRequest and CallResponse
   PDUs add an RPC style operation invocation mechanism to SNMP.  The
   CompoundRequest and CompoundResponse PDUs add a mechanism to send
   multiple SNMP operations in a single SNMP message.

Warning

   This document has not been written in order to specify a solution.
   Instead, this document has been written to stimulate (controversial)
   discussions within the NMRG (and elsewhere).

Schoenwaelder                                                   [Page 1]

Internet-Draft   SNMP Protocol Operations for Operations    October 1999

Table of Contents

   1  Introduction
   2  Definitions
   3  PDU Processing
   4  Usage Examples
   5  Open Issues
   6  Security Considerations
   7  Authors' Address
   8  References
   9  Full Copyright Statement

1. Introduction

   The Simple Network Management Protocol (SNMP) is successfully used
   for tasks such as statistics gathering, status monitoring, topology
   discovery or event generation/distribution.  All these application
   areas have in common that they mainly require read access to network
   elements.  SNMP has been less successful as a network control
   protocol that is actually used to configure and exercise control over
   network elements.

   One often cited reason for the limited usage as a network
   configuration or control protocol is the lack of security mechanisms
   in the widely deployed SNMP protocol version 1 (SNMPv1).  Recent work
   on SNMP version 3 (SNMPv3) adds strong message security and access
   control mechanisms to SNMP.  Work on SNMPv3 also adds remote
   administration MIBs that allow the configuration parameters
   associated with an SNMP engine to be configured.

   Another reason for the limited success of SNMP as a network
   configuration or control protocol is the set of properties of the
   SNMP SetRequest protocol operation:

   (1)  The SetRequest operation allows a command generator to build
        arbitrarily complex operations that are hard to handle
        correctly on a command responder.

   (2)  The SetRequest operation does not impose an ordering on the
        varbind list, nor does it impose an ordering on the processing
        of the varbind list.

   (3)  The SetRequest operation does not return result values upon
        successful completion of the operation.

   (4)  The SetRequest operation does not return set request specific
        error codes.
   (5)  It is generally hard to implement complex operations as side
        effects of write operations on variables of simple types.

   (6)  The message size constraints of the underlying transports for
        SNMP messages have led to MIBs where complex write operations
        may be realized by a sequence of less complex write operations
        (dribble mode).

   (7)  The dribble mode adds complexity since SNMP allows concurrent
        access to a command responder from multiple SNMP command
        generators.  This leads to additional complexity (e.g. spin
        locks) in order to serialize concurrent attempts to perform
        complex write operations.

   This document defines two new protocol operations (CallRequest and
   CallResponse) that add an RPC style operation invocation mechanism
   to SNMP.  Operations are formally defined using an SMIv2 extension
   and identified by an object identifier [SMIv2OPS].  Operations take
   a sequence of arguments and return either a sequence of results, an
   operation specific error code or a generic protocol error code.

   Two additional protocol operations (CompoundRequest and
   CompoundResponse) can be used to bind multiple SNMP operations
   together and to process them in a single SNMP message.  This can be
   used to bind several related operations into a single transaction
   and reduces the overall message and security processing overhead.

2. Definitions

   SNMP-OPS-PDU DEFINITIONS ::= BEGIN

   IMPORTS
       ObjectSyntax
           FROM SNMPv2-SMI
       GetRequest-PDU, GetNextRequest-PDU, GetBulkRequest-PDU,
       Response-PDU, SetRequest-PDU, InformRequest-PDU,
       SNMPv2-Trap-PDU, Report-PDU, max-bindings
           FROM SNMPv2-PDU;

   max-pdus INTEGER ::= 2147483647

   PDUs ::= CHOICE {
       get-request        GetRequest-PDU,
       get-next-request   GetNextRequest-PDU,
       get-bulk-request   GetBulkRequest-PDU,
       response           Response-PDU,
       set-request        SetRequest-PDU,
       inform-request     InformRequest-PDU,
       snmpV2-trap        SNMPv2-Trap-PDU,
       report             Report-PDU,
       call-request       CallRequest-PDU,
       call-response      CallResponse-PDU
   }

   CallRequest-PDU      ::= [42] IMPLICIT OPS-PDU
   CallResponse-PDU     ::= [43] IMPLICIT OPS-PDU
   CompoundRequest-PDU  ::= [44] IMPLICIT COMP-PDU
   CompoundResponse-PDU ::= [45] IMPLICIT COMP-PDU

   OPS-PDU ::= SEQUENCE {
       request-id   INTEGER (-2147483648..2147483647),
       error-status INTEGER {
           noError(0),
           tooBig(1),
           noSuchName(2),          -- for proxy compatibility
           badValue(3),            -- for proxy compatibility
           readOnly(4),            -- for proxy compatibility
           genErr(5),
           noAccess(6),
           wrongType(7),
           wrongLength(8),
           wrongEncoding(9),
           wrongValue(10),
           noCreation(11),
           inconsistentValue(12),
           resourceUnavailable(13),
           commitFailed(14),
           undoFailed(15),
           authorizationError(16),
           notWritable(17),
           inconsistentName(18),
           noErrorMoreFollows(19)
       },
       error-index  INTEGER (0..max-bindings),   -- or sequence number
       values       ValueList
   }

   ValueList ::= SEQUENCE (SIZE (0..max-bindings)) OF ObjectSyntax

   COMP-PDU ::= SEQUENCE {
       request-id   INTEGER (-2147483648..2147483647),
       error-status INTEGER {
           noError(0),
           tooBig(1),
           noSuchName(2),          -- for proxy compatibility
           badValue(3),            -- for proxy compatibility
           readOnly(4),            -- for proxy compatibility
           genErr(5),
           noAccess(6),
           wrongType(7),
           wrongLength(8),
           wrongEncoding(9),
           wrongValue(10),
           noCreation(11),
           inconsistentValue(12),
           resourceUnavailable(13),
           commitFailed(14),
           undoFailed(15),
           authorizationError(16),
           notWritable(17),
           inconsistentName(18),
           noErrorMoreFollows(19)
       },
       error-index  INTEGER (0..max-pdus),       -- or sequence number
       pdus         PduList
   }

   PduList ::= SEQUENCE (SIZE (0..max-pdus)) OF PDUs

   END

3. PDU Processing

   TBD

4. Usage Examples

5. Open Issues

   1.  need to support linked Return-PDUs, similar to linked
       Response-PDUs: where to allocate the missing bit?

   2.  error-status indicates whether values in response contain
       results, exceptions or arguments

   3.  error-status and error-index are most likely not used in a
       COMP-PDU (other than having a sequence number in there).

   4.  where to encode the operation name (OID)?

   5.  what to do about access control? for which objects do you call
       isAccessAllowed()?

   6.  allow a compound PDU within a compound PDU?

   7.  what about a GetConfig-PDU?

6. Security Considerations

   This document defines new SNMP protocol operations to invoke
   operations on collections of MIB objects and to combine multiple
   SNMP operations into a single SNMP message.

   Message security is not affected by these new protocol operations.
   Message security therefore depends on the security model used by the
   message format.

   Compound SNMP operations are processed as if they were sent in a
   sequence of separate messages.  Thus, access control is still
   subject to the access control processing of the protocol operations
   contained in a compound SNMP operation.  Operations that invoke
   operations on collections of MIB objects rely on the access control
   for the MIB objects.  (TBD)

7. Authors' Address

   Juergen Schoenwaelder
   TU Braunschweig
   Bueltenweg 74/75
   38106 Braunschweig
   Germany

   Phone: +49 531 391-3283
   EMail: schoenw@ibr.cs.tu-bs.de

8. References

   [ASN1]      Information processing systems - Open Systems
               Interconnection - Specification of Abstract Syntax
               Notation One (ASN.1), International Organization for
               Standardization, International Standard 8824, December
               1987.

   [RFC1905]   Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
               "Protocol Operations for Version 2 of the Simple Network
               Management Protocol (SNMPv2)", RFC 1905, January 1996.

   [SMIv2OPS]  Schoenwaelder, J., "Operation-Types for SMIv2",
               October 1999.

9. Full Copyright Statement

   Copyright (C) The Internet Society (1999).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
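Added illustration of the Section 2 definitions and the Section 6 processing model (editor's example, not part of the draft and not the author's code): a minimal BER encoder and decoder for OPS-PDU and COMP-PDU. The tag numbers 42..45 are the draft's; that the ValueList holds only INTEGER and OCTET STRING values, that tag numbers stay below 128, and that a compound PDU nested in another is refused (open issue 6 leaves this undecided) are assumptions made here. Because 42..45 exceed 30, the [N] IMPLICIT tags take BER's two-octet long form (0xBF followed by the tag number), which a decoder written for the single-octet SNMPv2 PDU tags must be extended to accept.

```python
# Added example (not the draft's code): BER encode/decode for the OPS-PDU [42]/[43] and
# COMP-PDU [44]/[45] of Section 2. Assumed: values are INTEGER/OCTET STRING only, tags < 128.
CALL_REQ, CALL_RESP, COMP_REQ, COMP_RESP = (0xA0, 42), (0xA0, 43), (0xA0, 44), (0xA0, 45)
INTEGER, OCTET_STRING, SEQUENCE = (0x00, 2), (0x00, 4), (0x20, 16)  # (class|constructed, number)
def _tlv(tag, body):                    # BER TLV; tag numbers >= 31 need the long-form tag
    cls, num = tag
    head = bytes([cls | num]) if num < 31 else bytes([cls | 0x1F, num])
    if len(body) < 128:
        return head + bytes([len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return head + bytes([0x80 | len(ln)]) + ln + body

def _int(v):                            # minimal two's-complement INTEGER (X.690 8.3.2)
    n = (v.bit_length() if v >= 0 else (v + 1).bit_length()) // 8 + 1
    return _tlv(INTEGER, v.to_bytes(n, "big", signed=True))

def _read(buf, pos):                    # -> ((class|constructed, number), contents, next offset)
    cls, num, pos = buf[pos] & 0xE0, buf[pos] & 0x1F, pos + 1
    if num == 0x1F:                     # long-form tag number, as for [42]..[45] (0xBF 0x2A..)
        num, pos = buf[pos] & 0x7F, pos + 1
    n, pos = buf[pos], pos + 1
    if n & 0x80:                        # long-form length
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return (cls, num), buf[pos:pos + n], pos + n

def encode_pdu(tag, request_id, error_status, error_index, items):
    inner = b"".join(items if tag in (COMP_REQ, COMP_RESP) else          # PduList: encoded PDUs
                     (_int(i) if isinstance(i, int) else _tlv(OCTET_STRING, i) for i in items))
    body = _int(request_id) + _int(error_status) + _int(error_index) + _tlv(SEQUENCE, inner)
    return _tlv(tag, body)              # [N] IMPLICIT replaces the SEQUENCE tag

def decode_pdu(buf):                    # -> (tag, request_id, error_status, error_index, items)
    tag, body, _ = _read(buf, 0)
    hdr, pos = [], 0
    for _ in range(3):                  # request-id, error-status, error-index
        t, v, pos = _read(body, pos)
        hdr.append(int.from_bytes(v, "big", signed=True))
    t, inner, _ = _read(body, pos)
    if tag[0] != 0xA0 or t != SEQUENCE:
        raise ValueError("not a [N] IMPLICIT PDU with a ValueList/PduList")
    # COMP-PDU: contained PDUs are returned raw, each to be processed as if sent alone (Section 6)
    is_comp, items, p = tag in (COMP_REQ, COMP_RESP), [], 0
    while p < len(inner):
        t, v, end = _read(inner, p)
        if is_comp and t in (COMP_REQ, COMP_RESP):    # nesting: refused here (open issue 6)
            raise ValueError("nested compound PDU refused")
        items.append(inner[p:end] if is_comp else
                     int.from_bytes(v, "big", signed=True) if t == INTEGER else v)
        p = end
    return tag, hdr[0], hdr[1], hdr[2], items
```

A command responder would hand each raw PDU returned for a COMP-PDU to its ordinary per-PDU dispatch, so the access control of the contained operations applies unchanged.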