wdiff draft-hamid-6lowpan-snmp-optimizations-02.txt draft-hamid-6lowpan-snmp-optimizations-03.txt

Network Working Group H. Mukhtar J. Schoenwaelder, Ed.
Internet-Draft S. Joo Jacobs University
Intended status: Informational ETRI H. Mukhtar
Expires: April 24, 2010 J. Schoenwaelder
Jacobs University Bremen 28, 2011 S. Joo
ETRI
K. Kim
Ajou University
October 21, 2009 25, 2010

SNMP optimizations Optimizations for 6LoWPAN
draft-hamid-6lowpan-snmp-optimizations-02.txt Constrained Devices
draft-hamid-6lowpan-snmp-optimizations-03.txt

Abstract

Simple Network Management Protocol (SNMP) is a widely deployed
application protocol for network management and in particular network
monitoring. This document describe the applicability of SNMP to
constrained devices, e.g., nodes in Low-power and Lossy Networks. We
discuss SNMP implementation techniques and we provide deployment
considerations. Our discussion also covers the applicability of MIB
modules to constrained devices.

Status of This Memo

This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. This document may contain material
from IETF Documents or IETF Contributions published or made publicly
available before November 10, 2008. The person(s) controlling the
copyright in some of this material may not have granted the IETF
Trust the right to allow modifications of such material outside the
IETF Standards Process. Without obtaining an adequate license from
the person(s) controlling the copyright in such materials, this
document may not be modified outside the IETF Standards Process, and
derivative works of it may not be created outside the IETF Standards
Process, except to format it for publication as an RFC or to
translate it into languages other than English.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

This Internet-Draft will expire on April 24, 2010. 28, 2011.

Copyright Notice
Copyright (c) 2009 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document (http://trustee.ietf.org/license-info). document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.

Abstract

Simple Network Management Protocol (SNMP) is a widely deployed
application protocol for network management and data retrieval. In Code Components extracted from this document we describe the applicability must
include Simplified BSD License text as described in Section 4.e of SNMP for 6LoWPANs. We
discuss
the implementation considerations of SNMP Agent Trust Legal Provisions and SNMP
Manager followed by are provided without warranty as
described in the deployment considerations BSD License.

This document may contain material from IETF Documents or IETF
Contributions published or made publicly available before November
10, 2008. The person(s) controlling the copyright in some of this
material may not have granted the SNMP
protocol. Our discussion also covers IETF Trust the applicability right to allow
modifications of MIB
modules for 6LoWPAN devices.

Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document are to may not be interpreted modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as described in an RFC 2119 [RFC2119]. or to translate it into languages other
than English.

Table of Contents

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Why
2. SNMP Features and Overhead Considerations . . . . . . . . . . 6
2.1. SNMP Contexts . . . . . . . . . . . . . . . 4
2. Little-known SNMP Features . . . . . . . 6
2.2. SNMP Proxies . . . . . . . . . . . 5
2.1. SNMP Contexts . . . . . . . . . . . . 6
2.3. SNMP Subagents . . . . . . . . . . 5
2.2. SNMP Proxies . . . . . . . . . . . . 6
2.4. Maximum Message Sizes . . . . . . . . . . . 5
2.3. Message Size Restrictions . . . . . . . 7
2.5. SNMP Message Formats . . . . . . . . . 5
3. SNMP Agent Implementation Considerations . . . . . . . . . . 7
2.6. SNMPv3 Security Overhead . 6
3.1. Access Control . . . . . . . . . . . . . . . . 7
3. SNMP Agent Implementation Considerations . . . . . . 6
3.2. Overhead of the Different SNMP Message Formats . . . . . 9
3.1. Access Control . 6
3.2.1. Overhead Difference of SNMPv3 Security . . . . . . . . 6
3.2.2. Minimum Message Size Calculation . . . . . . . . . . . 7 . . 9
4. SNMP Manager Implementation Considerations . . . . . . . . . . 7 11
4.1. Polling, Pushing, and Trap-directed Polling . . . . . . . 8 11
4.2. Support for SNMP Proxies . . . . . . . . . . . . . . . . . 8 11
5. SNMP Deployment Considerations . . . . . . . . . . . . . . . . 8 12
5.1. Naming Issues . . . . . . . . . . . . . . . . . . . . . . 9 12
5.2. SNMP Protocol Operations . . . . . . . . . . . . . . . . . 9 12
5.3. Timeouts and Retransmissions . . . . . . . . . . . . . . . 9 12
5.4. Polling Intervals . . . . . . . . . . . . . . . . . . . . 9 12
5.5. Caching Issues . . . . . . . . . . . . . . . . . . . . . . 10 13
6. Applicable MIB Modules . . . . . . . . . . . . . . . . . . . . 10 14
6.1. Applicable Standardized MIBs . . . . MIB Modules . . . . . . . . . . . 10 14
6.2. MIB Design Guidelines for Low Overhead . . . . . . . . . . 10 14
7. Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 10 15
8. IANA Consideration . . . . . . . . . . . . . . . . . . . . . . 10 16
9. Security Considerations . . . . . . . . . . . . . . . . . . . 10 17
10. Acknowledgments References . . . . . . . . . . . . . . . . . . . . . . . 11
11. . . . 18
10.1. Normative References . . . . . . . . . . . . . . . . . . . 18
10.2. Informative References . . . . . . . . . 11
11.1. Normative References . . . . . . . . . 19
Appendix A. Calculation of Minimum Message Sizes . . . . . . . . 21
A.1. SNMPv3/USM Minimum Message Size . . 11
11.2. Informative References . . . . . . . . . . . 22
A.2. SNMPv3/TSM Minimum Message Size . . . . . . . 12
Appendix A. Calculation of . . . . . . 22
A.3. SNMPv1/SNMPv2c Minimum packet size Message Size . . . . . . . . . 13 . . 23
Appendix B. Possible Implementation and Deployment Models for SNMP . . . . . . . . . 15 24
B.1. Lightweight SNMP End-to-End Model . . . . . . . . . . . . . . . . . . 15 24
B.2. SNMP Proxy Model . . . . . . . . . . . . . . . . . . . . . 24
B.3. SNMP Subagent Model . . 15
B.3. . . . . . . . . . . . . . . . . . 25
B.4. SNMP with Sub-Agent Protocols Data-Fusion Model . . . . . . . . . . . . . . 16 . . . . 25
Appendix C. Example: Contiki SNMP . . . . . . . . . . . . . . . . 27
Appendix D. Change Log . . . . . . . . . . . . . . . . . . . . . 16 28
D.1. Changes from -02 to -03 . . . . . . . . . . . . . . . . . 28
D.2. Changes from -01 to -02 . . . . . . . . . . . . . . . . . 28

1. Introduction

The Simple Network Management Protocol (SNMP) is a UDP-based datagram-oriented
protocol operating in the application layer of the Internet Protocol Suite.
It protocol
suite. The underlying framework consists of four basic components: a components
[RFC3410]:

o several (typically many) managed node running nodes, each with an
agent; SNMP entity
which provides remote access to management instrumentation
(traditionally called an agent),

o at least one SNMP entity running with management applications (typically
called as a manager); manager),

o a management protocol used to convey management information
between the SNMP
entities; entities, and

o management information.

1.1. Why

The SNMP protocol is used to convey management information between
SNMP entities such as managers and agents. SNMP is datagram-oriented
and the implementations of SNMP can be very lightweight. It The
protocol is widely deployed for monitoring and troubleshooting
purposes and it may fit 6LoWPAN applications constrained devices very well. The following
features make SNMP suitable for this network.

- constrained devices on Low-power and
Lossy Networks (LLNs):

o Protocol Maturity: SNMPv3 is a full IETF standard having a high
degree of technical maturity with significant experiences in
implementation and operation.

o Data Naming: SNMP provides a hierarchical namespace utilizing
object identifiers (OIDs) for data naming purposes. The data
accessible via SNMP is described by Management Information Bases
(MIB modules). These MIB modules can either be standardized or
specific to certain enterprises.

o Network Management: According to [RFC4919] network management is
one of the goals for 6LoWPANs, wherein it is described that network
management functionality is critical for 6LoWPANs. SNMP is widely used for network management and
it is the Internet community's de facto network management and
monitoring protocol.

- As a consequence, it makes sense to utilize
SNMP also for the management and in particular monitoring of
resource constrained networks. Network management is also stated
as one of the goals in [RFC4919].

o Data Retrieval: SNMP employs a trap-directed polling scheme in
which data is being requested by a manager from the agents. In
addition, SNMP supports a push model in which data is sent from
agents to the managers without a prior request. Trap-directed
polling refers to a mode where polling is used with relatively
long polling intervals but agents can send notifications in order
to notify a manager of events that might require changes to the
polling strategy.

o Security: SNMPv3 can provide both message-level and transport-level transport-
level security. SNMPv3 defines User based Security model (USM)
[RFC3414] for message-driven security; and transport-based
security model (TSM) [RFC5591] for transport-driven security. TSM
makes it possible to use existing security protocols such as
Transport Layer Security (TLS) [RFC5246] and the Datagram
Transport Layer Security (DTLS) Protocol [RFC4347] with SNMPv3.
The modular design of SNMPv3 also allows new security and access
control protocols to be added to it.

o Access control: SNMP can provide access provides standard mechanisms to control of the information.
access to information [RFC3415].

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].

2. Little-known SNMP Features and Overhead Considerations

This section first explains some little-known less widely known SNMP concepts. concepts
before discussing message sizes.

2.1. SNMP Contexts

Each SNMP entity is composed of a single engine SNMP engine, which is
identified by an SNMP engine identifier. A context is a collection
of management information accessible by an SNMP entity and it is also
defined as a subset of a single SNMP entity. An SNMP
entity has access to one or more contexts where each context is
uniquely identified by its context names. name. In order to identify an
individual item of management information within the a management domain,
the SNMP entity's context is identified first (using the engine identifier
contextEngineID and context name) contextName) and this is followed by the object
type and instance. For further details, see [RFC3411].

2.2. SNMP Proxies

The term 'proxy' in SNMP has a restrictive meaning. A proxy refers
to a proxy forwarder application which forwards SNMP messages to
other SNMP engines and forwards the response to such previously
forwarded messages back to SNMP engine from which the original
message was received [RFC3413]. The forwarding decision is based on
contexts and it is irrespective taken irrespectively of the management objects
being accessed. Thus, an SNMP proxy can be used to forward messages
from one transport to another, or to translate SNMP messages from one
version to another version.

The SNMP proxy cannot be used for translation of SNMP requests into
operations of a non-SNMP management protocol and it cannot be used
for supporting aggregated objects. Proxies depend on context
information and the forwarding of messages is independent of the
objects being accessed. To support aggregated objects, where the
value of one object depends upon multiple other remote items, special
MIB modules and sub-agent protocols are used instead of proxies.

2.3. Message Size Restrictions SNMP Subagents

In order to support modular systems, SNMP agents often do not
implement all MIB objects internally. Instead, the SNMP agent is
delegating the access to the instrumentation to other processes,
called subagents. A special purpose protocol is used between the
SNMP agent and its subagents. The Agent Extensibility Protocol
(AgentX) is a standard subagent access protocol [RFC2741]

2.4. Maximum Message Sizes

An SNMPv3 message contains a the msgMaxSize field field, which is used to
communicate the maximum message size at the a sender and the receiver side. The
maximum message size is able to receive.
The response to a request should not exceed the maximum message size
of a message that can be
accepted by the receiving requesting SNMP entity. The minimum required to implement maximum message
size to implement is transport model specific. For SNMP over UDP,
the size is 484 octets.

3. SNMP Agent Implementation Considerations

This section covers SNMP agent implementation considerations for
6LoWPAN.

3.1. Access Control

The Local Configuration Datastore (LCD), which contains access rights
and policies of an SNMP entity, need not be configured remotely. It
is recommended to have permanent access control tables on the nodes.
The implementers should keep the authorization tables as compact as
possible to reduce the memory and codesize overhead. Compact
permanent authorization tables on the nodes can for example provide
read-only and read-write access to the management instrumentation on
the node at almost zero processing cost since the SNMP agents may not
support instance level access control granularity to further reduce
performance cost.

3.2. Overhead of the Different

2.5. SNMP Message Formats

SNMPv1 [RFC1157] is the earliest first version of SNMP and it reached the IETF
full standard status. status in 1990. The protocol operation consisted of Get,
Get-Next,
Get and Trap Operations Get-Next, for data retrieval and retrieval, Trap for event notification,
the Set
operation for configuration. SNMPv1 security is based on uses clear-text community
string based authentication. authentication, which is easy to break. Access control is
provided with SNMP MIB views. SNMPv2c was is an experimental improvement over SNMPv1
which introduced new data retrieval and event notificaiton
operations, i.e., Get-Bulk and Inform,
and Inform. It also introduced improved
error handling. handling for Set operations. SNMPv2c could only reach the
experimental
Experimental status.

SNMPv3, Std 62 [RFC3411]-[RFC3418], STD 62, [RFC3411] [RFC3412] [RFC3413] [RFC3414] [RFC3415]
[RFC3416] [RFC3417] [RFC3418], supports all the aforementioned data
retrieval and configuration options of SNMPv1 and SNMPv2c. The
SNMPv3 framework is modular in order to enhance extensibility.
Moreover, SNMPv3 supports authentication and data integrity and an
additional privacy option for confidentiality. After SNMPv3 became a
full standard, SNMPv1 and SNMPv2c were declared Historic due to their
weak security features. However, SNMPv3 can coexist with the earlier
versions of SNMP [RFC3584].

3.2.1. Overhead Difference of

2.6. SNMPv3 Security Overhead

SNMP security can be supported by two different approaches, i.e.,
message-driven security and transport-driven security. With message-
driven security (the User-based Security Model, USM), security, SNMP provides its own security where the security
parameters are passed within each SNMP message. On the other hand,
transport-driven security enables operators to leverage existing
secure transport protocols (e.g., the
Transport protocols. Security Model, TSM). is provided at the transport
layer, usually establishling a security session.

The User-based Security Model [RFC3414] is a shared secret scheme scheme,
which uses provides message-driven security. Although it utilizes
existing mechanisms, it is designed independent of to not depend on other security
infrastructures. It As a consequence, it provides its own security
processing and has its own key management infrastructure. The
operator configures secrets (authentication and encryption keys) in
the SNMP engines used by management applications. These independent
authentication and encryption keys are used to secure communication. engines. Messages can be authenticated, or authenticated
and encrypted.

The Transport Security Model (TSM) [RFC5591] enables operators to
leverage existing security infrastructures and secure transport protocols. infrastructures. TSM allows security to
be provided by an external secure transport
protocol. TSM protocol and as such
enables the use of existing security mechanisms, such as Transport
Layer Security (TLS) [RFC5246], Datagram Transport Layer Security
(DTLS) Protocol [RFC4347], and the Secure Shell (SSH) Protocol
[RFC4251].

In transport-driven protocols protocols, DTLS, which is UDP based, can be
considered for 6LoWPAN. [I-D.draft-ietf-isms-dtls-tm] specifies constrained networks since it does not require TCP.
[RFC5953] details how DTLS can be used with SNMP. Transport Model for SNMPv3/TSM. The DTLS
transport protocol involves an initial handshake to establish a
session. Upon successful session establishment, the security related
session parameters are cached in the client and the server for the
duration of the session instead of being sent in all messages.

The session is
based on UDP source and destination address/port pairs. Therefore
for session de-multiplexing a different UDP source port is selected
for every new session to distinguish between multiple sessions from a
source to same port on the destination.

3.2.2. Minimum Message Size Calculation

The minimum message size for SNMPv3 with USM (SNMPv3/USM) is 67 bytes
octets whereas the minimum message size for SNMPv3 with TSM (SNMPv3/
TSM) utilizing DTLS is 46 bytes. octets (59 octets if the DTLS header is
included). The minimum message size for the historic SNMPv1 message
format is 20 byte. The details of the calculation can be found in
Appendix A. TSM may involve additional session establishment cost costs
consisting of the initial handshake and the caching of transport
parameters. The tradeoff between the message size and session
overhead should be kept in mind while designing applications.

3. SNMP Agent Implementation Considerations

This section covers SNMP agent implementation considerations for
constrained devices.

3.1. Access Control

The Local Configuration Datastore (LCD), which contains access rights
and policies of an SNMP entity, need not be configured remotely. It
is recommended to have permanent access control tables on the nodes.
The implementers should keep the authorization tables as compact as
possible to reduce the memory and code size overhead. Compact
permanent authorization tables on the nodes can, for example, provide
read-only and read-write access to the management instrumentation on
the node at almost zero processing cost since the SNMP agents may not
support instance level access control granularity to further reduce
performance cost.

A minimal View-based Access Control Model (VACM) implementation only
provides a static view granting access to all MIB objects. The
access rights are statically configured to either grant full read
access or full read and write access. There is only support for the
default context. Such a simplified implementation processes the
isAccessAllowed() ASI [RFC3415] as follows:

1) If the viewType is "write", the securityName is "w" (for any
securityModel and any securityLevel), and the contextName is "",
then grant access to the requested variable.

2) Otherwise, if the viewType is either "read" or "notifiy", the
securityName is "r" (for any securityModel and any
securityLevel), and the contextName is "", then grant access to
the requested variable.

3) Otherwise, return an errorIndication (noAccessEntry) to the
calling module.

An implementation should provide the following MIB objects (note that
all values are permanent):

vacmContextName."" = ""

vacmGroupName.0."r" = "r"
vacmGroupName.0."w" = "w"
vacmSecurityToGroupStorageType.0."r" = 5 (readOnly)
vacmSecurityToGroupStorageType.0."w" = 5 (readOnly)
vacmSecurityToGroupStatus.0."r" = 1 (active)
vacmSecurityToGroupStatus.0."w" = 1 (active)

vacmAccessContextMatch."r"."".0.1 = 1 (exact)
vacmAccessContextMatch."w"."".0.1 = 1 (exact)
vacmAccessReadViewName."r"."".0.1 = "a"
vacmAccessReadViewName."w"."".0.1 = "a"
vacmAccessWriteViewName."r"."".0.1 = "a"
vacmAccessWriteViewName."w"."".0.1 = "a"
vacmAccessNotifyViewName."r"."".0.1 = "a"
vacmAccessNotifyViewName."w"."".0.1 = "a"
vacmAccessStorageType."r"."".0.1 = 5 (readOnly)
vacmAccessStorageType."w"."".0.1 = 5 (readOnly)
vacmAccessStatus."r"."".0.1 = 1 (active)
vacmAccessStatus."w"."".0.1 = 1 (active)

vacmViewTreeFamilyMask."a".2.1.3 = ""
vacmViewTreeFamilyType."a".2.1.3 = 1 (included)
vacmViewTreeFamilyStorageType."a".2.1.3 = 5 (readOnly)
vacmViewTreeFamilyStatus."a".2.1.3 = 1 (active)

4. SNMP Manager Implementation Considerations

This section covers SNMP manager implementation considerations for
6LoWPAN.

4.1. Polling, Pushing, and Trap-directed Polling

In Sensor networks, polling can be reactive or proactive. Data
gathering or event reporting sensors may 'push' their information
towards the managers or they may wait for a manager to 'pull' the
information through a request.

When the demand for data is relatively high, push mechanisms are
deployed in order to save energy cost where the data flows from
managed entities towards the managers. SNMP notifications are a
realization the push based model in which data is sent to the manager
without a prior request. Data can be reported periodically from the
SNMP agent to the manager through SNMP notifications and the
notifications can take the advantage of SNMP security and access
control features to ensure the access to legitimate users along with
confidentiality and integrity of the data. The SNMP Inform PDU
requires a response back from the receiving manager and it can be
used in applications in which reliability is important.

The use of notifications is recommended for data flows from sensors
to the manager and also for the scenarios where multiple nodes
generate the same information.

4.2. Support for SNMP Proxies

The SNMP proxy forwarder application resides on an intermediate SNMP
entity (e.g. an SNMP entity on a management server or an edge router
in case of 6LoWPAN). The proxy forwarder registers each context to
which it wishes to forward messages. After the remote context is
registered, the managers send messages to the proxy forwarder's
engine with the context information of the remote host. The proxy
forwarder forwards the message to the remote context. Upon reception
of a response from the remote host, it forwards the response back to
the manager.

In 6LoWPAN networks proxies may be used to change message encoding,
or they may be used to translate between SNMP versions, or they may
be used to change the security domain at the 6LoWPAN side of the
network.

5. SNMP Deployment Considerations

Following are a list of considerations for deployment of SNMP in
6LoWPANs.

5.1. Naming Issues

In order to reduce the message overhead, the managers are advised to
use short values for Engine Identifiers. The minimum length for an
Engine Identifier is 5 octets. The managers may generate and assign
the Engine identifiers using the 16-bit short address or the 64-bit
IEEE EUI-64 addresses of a node. Context name is an administratively
assigned octet string that names a context. In order to reduce the
message size overhead the length of the string should be kept short.
The default context is identified by a a zero-length context name.

5.2. SNMP Protocol Operations

SNMP supports four basic data retrieval operations i.e. GetRequest-
PDU, GetNextRequest-PDU, GetBulkRequest-PDU [RFC3416]. The
GetRequest-PDU is useful for retrieving well known scalar data,
whereas the GetNextRequest-PDU and GetBulkRequest-PDU operations are
particularly advantageous for retrieving dynamically changing tabular
data. The SNMPv2-Trap-PDU and InformRequest-PDU can be used for
push-based data retrieval, in which periodic or event-based
notifications are sent to the managers.

During the processing of a GetBulkRequest-PDU operation, the agent
can decide the number of objects to include in response. For
requesting objects the manager has to consider the underlying packet
size constraints. Also, the number of objects in the variable-
binding in request messages and max-repeaters field of GetBulk
operation should be selected keeping the constraint in mind.

5.3. Timeouts and Retransmissions

In 6LoWPANs, the SNMP message may be fragmented or may encounter more
latency because of underlying wireless link. The value of timeouts
should be adjusted on the manager side by considering the link
characteristics so that SNMP does not timeout between queries. In
some cases the number of retries may also be adjusted to cater for
link characteristics.

5.4. Polling Intervals

Similarly, in order to reduce the amount of polling, the polling
interval should be increased for less time critical data. 6LoWPANs
are energy constrained networks and excessive polling is not
recommended.

5.5. Caching Issues

Caching the important information can save the transmission cost e.g.
caching the snmpEngineID would save the traffic overhead of EngineID
discovery mechanisms. It is recommended that the EngineID should be
cached in order to reduce the transmission cost. In case of TSM,
caching the transport parameters can reduce the message sizes.

6. Applicable MIB Modules

This section describes some MIB modules relevant for constrained
devices and it provides guidelines for authors of MIB modules which that
can be used efficiently in
6LoWPAN. constrained networks.

6.1. Applicable Standardized MIBs MIB Modules

Below is a list of MIB modules that may be applicable to a
constrained device:

o The SNMPv2-MIB [RFC3418] MUST be implemented as it provides basic
information about the SNMP agent and crucial objects that allow to
detect continuities.

o The IF-MIB [RFC2863] SHOULD be implemented in order to provide
basic statistics about the network interfaces of the constrained
device. [TODO: Define what is really essential from the IF-MIB.]

o Devices supporting IPv4 or IPv6 SHOULD implement the IP-MIB
[RFC4293]. [TODO: Define what is really essential from the IP-
MIB.]

o Devices supporting UDP SHOULD implement the UDP-MIB [RFC2013].
[TODO: Define what is really essential from the UDP-MIB.]

o Devices supporting IPv6 over 802.15.4 (6LoWPAN) SHOULD implement
the LOWPAN-MIB. [TODO: There is no LOWPAN-MIB yet.]

o Devices supporting the RPL routing protocol SHOULD implement the
RPL-MIB. [TODO: There is no RPL-MIB yet.]

o Devices supporting sensors MAY implement the ENTITY-SENSOR-MIB [RFC3433]
[RFC3433], which defines objects for information that is
associated with reading physical sensors (e.g.
(e.g., the current value of the sensor, the operational status, and status of
a sensor, or the data units precision associated with the a sensor). It can be reused for 6LoWPANs. Other applicable
MIB modules are TBD.
The ENTITY-SENSOR-MIB depends on the ENTITY-MIB [RFC4133]. [TODO:
Define what is really essential from the ENTITY-MIB.]

6.2. MIB Design Guidelines for Low Overhead

When defining MIB modules, the MIB designers should avoid using long
OIDs by avoiding unnecessary data hierarchies. Moreover, complex
indexing schemes should be avoided in order to keep the overhead
resulting from instance identifiers as low small as possible.

7. Conclusion

SNMP can be very useful protocol for 6LoWPANs due to its constrained devices with
significant implementation and operational experiences. The SNMP
standards allow for memory and CPU efficient implementations. The
utilization of secure transports such as DTLS can reduce the overhead
of message-based security mechanisms. This document explored the applicability of
SNMP for its use in 6LoWPAN.

8. IANA Consideration

TBD.

TBD

9. Security Considerations

TBD.

TBD

10. Acknowledgments

TBD.

11. References

11.1.

10.1. Normative References

[RFC1157] Case, J., Fedor, M., Schoffstall, M., and J. Davin,
"Simple Network Management Protocol (SNMP)", STD 15,
RFC 1157, May 1990.

[RFC2013] McCloghrie, K., "SNMPv2 Management Information Base for
the User Datagram Protocol using SMIv2", RFC 2013,
November 1996.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2863] McCloghrie, K. and F. Kastenholz, "The Interfaces Group
MIB", RFC 2863, June 2000.

[RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
Architecture for Describing Simple Network Management
Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
December 2002.

[RFC3412] Case, J., Harrington, D., Presuhn, R., and B. Wijnen,
"Message Processing and Dispatching for the Simple Network
Management Protocol (SNMP)", STD 62, RFC 3412,
December 2002.

[RFC3413] Levi, D., Meyer, P., and B. Stewart, "Simple Network
Management Protocol (SNMP) Applications", STD 62,
RFC 3413, December 2002.

[RFC3414] Blumenthal, U. and B. Wijnen, "User-
based "User-based Security Model
(USM) for version 3 of the Simple Network Management
Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.

[RFC3415] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
Access Control Model (VACM) for the Simple Network
Management Protocol (SNMP)", STD 62, RFC 3415,
December 2002.

[RFC3416] Presuhn, R., "Version 2 of the Protocol Operations for the
Simple Network Management Protocol (SNMP)", STD 62,
RFC 3416, December 2002.

[RFC3417] Presuhn, R., "Transport Mappings for the Simple Network
Management Protocol (SNMP)", STD 62, RFC 3417,
December 2002.

[RFC3418] Presuhn, R., "Management Information Base (MIB) for the
Simple Network Management Protocol (SNMP)", STD 62,
RFC 3418, December 2002.

[RFC4944] Montenegro, G., Kushalnagar, N., Hui,
J.,

[RFC3433] Bierman, A., Romascanu, D., and D. Culler, "Transmission of
IPv6 Packets over IEEE 802.15.4
Networks", K. Norseth, "Entity Sensor
Management Information Base", RFC 4944, September 2007.

[RFC5590] Harrington, D. 3433, December 2002.

[RFC4133] Bierman, A. and J. Schoenwaelder,
"Transport Subsystem K. McCloghrie, "Entity MIB (Version 3)",
RFC 4133, August 2005.

[RFC4293] Routhier, S., "Management Information Base for the Simple
Network Management
Internet Protocol (SNMP)", (IP)", RFC 5590, June 2009. 4293, April 2006.

[RFC5591] Harrington, D. and W. Hardaker, "Transport Security Model
for the Simple Network Management Protocol (SNMP)",
RFC 5591, June 2009.

[RFC3433] Bierman, A., Romascanu, D., and K.
Norseth, "Entity Sensor Management
Information Base", RFC 3433,
December 2002.

[RFC1157] Case, J., Fedor, M., Schoffstall, M.,
and J. Davin, "Simple Network
Management Protocol (SNMP)", STD 15,
RFC 1157, May 1990.

[I-D.draft-ietf-isms-dtls-tm]

[RFC5953] Hardaker, W., "Transport Layer Security (TLS) Transport
Model for SNMP",
September 2009.

11.2. the Simple Network Management Protocol (SNMP)",
RFC 5953, August 2010.

10.2. Informative References

[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
"Introduction and Applicability Statements for Internet-
Standard Management Framework", RFC 3410, December 2002.

[RFC2741] Daniele, M., Wijnen, B., Ellison, M., and D. Francisco,
"Agent Extensibility (AgentX) Protocol Version 1",
RFC 2741, January 2000.

[RFC3584] Frye, R., Levi, D., Routhier, S., and B. Wijnen,
"Coexistence between Version 1, Version 2, and Version 3
of the Internet-standard Network Management Framework",
BCP 74, RFC 3584, August 2003.

[RFC4919] Kushalnagar, N., Montenegro, G., and C. Schumacher, "IPv6
over Low-Power Wireless Personal Area Networks (6LoWPANs):
Overview, Assumptions, Problem Statement, and Goals",
RFC 4919, August 2007.

[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008.

[RFC4347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security", RFC 4347, April 2006.

[RFC4251] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
Protocol Architecture", RFC 4251, January 2006.

[RFC4789] Schoenwaelder, J. and T. Jeffree,
"Simple Network Management Protocol
(SNMP) over IEEE 802 Networks",
RFC 4789, November 2006.

Appendix A. Calculation of Minimum packet size Message Sizes

A very rough simple way to estimate the size needed by a varbind that is
essentially a number (in octets) of an SNMP variable
binding is the following formula:

varbind-size formula (where |OID| denotes the number of
subidentifier of an OID):

sizeof(VarBind) = 6 (2 + |OID|) + number-of-OID-subidentifier

That (2 + 2)

The assumption here is that every OID subidentifier encodes into a
single octet. An additional octet is needed for sysUpTime (1.3.6.1.2.1.1.3), we get 14 bytes the OID tag and thus the
SNMPv1 message is 34 bytes, SNMPv3/TSM is 60 bytes,
OID length. Since most values are 32-bit numbers, we calculate one
octet for the value tag, one octet for the value length, and 2 octets
on average for the SNMPv3/
USM message is 81 bytes. TSM may imply security overhead at value itself. While the
transport layer e.g. BER encoding of 32-bit
unsigned numbers may require 5 octets, in case general small numbers tend
to dominate due to their usage in enumerations or many error counters
staying close to zero. For sysUpTime.0 (1.3.6.1.2.1.1.3.0), we
calculate 15 octets as the typical varbind encoding size of DTLS
sysUpTime.0.

For the transport layer framing
overhead is PDU sequence [RFC3416], we calculate the following:

PDU 2 octets
request-id 3 octets
error-status 3 octets
error-index 3 octets
variable-bindings 2 octets
---------
13 bytes (compressed DTLS may further reduce octets

A PDU carrying a sysUpTime.0 varbind thus requires about 13+15 = 28
octets.

For the
application payload length). The details of ScopedPDU sequence used by SNMPv3 [RFC3412], we calculate the calculation in
section 3.2.2 are as follows:

*
following:

ScopedPDU 2 octets
contextEngineID 7 octets
contextName 2 octets
PDU 13 octets
---------
24 octets

A scoped PDU carrying a sysUpTime.0 varbind thus requires about 24+15
= 39 octets.

For the HeaderData sequence used by SNMPv3 [RFC3412], we calculate
the following:

HeaderData 2 octets
msgID 3 octets
msgMaxSize 4 octets
msgFlags 3 octets
msgSecurityModel 3 octets
---------
15 octets

A.1. SNMPv3/USM Minimum Message Size

The minimum message size calculation of an SNMPv3/USM message can be calculated as
follows:

SNMPv3Message (USM) 2 byte octets
msgVersion 3 byte octets
msgGlobalData (HeaderData) 15 byte octets
msgSecurityParameters 23 byte 24 octets (UsmSecurityParameters)
msgData (ScopedPDU) 24 byte
------- octets
---------
67 byte octets

UsmSecurityParameters 2 octets
msgAuthoritativeEngineID 7 octets
msgAuthoritativeEngineBoots 3 octets
msgAuthoritativeEngineTime 3 octets
msgUserName 3 octets
msgAuthenticationParameters 2 octets
msgPrivacyParameters 2 octets
---------
22 octets

A complete SNMPv3/USM message to retrieve sysUpTime.0 therefore
requires 67+15 = 82 octets.

A.2. SNMPv3/TSM Minimum Message Size

The minimum size of an SNMPv3/TSM message can be calculated as
follows:

SNMPv3Message (TSM) 2 byte octets
msgVersion 3 byte octets
msgGlobalData (HeaderData) 15 byte octets
msgSecurityParameters 2 byte octets (TsmSecurityParameters)
msgData (ScopedPDU) 24 byte
------- octets
---------
46 byte

UsmSecurityParameters 2 byte
msgAuthoritativeEngineID 7 byte
msgAuthoritativeEngineBoots 3 byte
msgAuthoritativeEngineTime 3 byte
msgUserName 2 byte
msgAuthenticationParameters 2 byte
msgPrivacyParameters 2 byte
-------
21 byte octets

TsmSecurityParameters 2 byte
------- octets
---------
2 byte

HeaderData octets

A complete SNMPv3/TSM message to retrieve sysUpTime.0 therefore
requires 46+15 = 61 octets. If the secure transport used by SNMPv3/
TSM is DTLS, then the encoded message is wrapped in a DTLS record,
which adds the following number of octets:

type 1 octets
version 2 byte
msgID 3 byte
msgMaxSize 4 byte
msgFlags 3 byte
msgSecurityModel 3 byte
-------
15 byte

ScopedPDU octets
epoch 2 byte
contextEngineID 7 byte
contextName octets
sequence_number 6 octets
length 2 byte
PDU octets
---------
13 byte
-------
24 byte

PDU 2 byte
request-id 3 byte
error-status 3 byte
error-index 3 byte
variable-bindings 2 byte
------- octets

The size of the resulting DTLS record is 61 + 13 byte

* SNMPv1 / SNMPv2c = 74 octets.

A.3. SNMPv1/SNMPv2c Minimum Message Size

The minimum mesage size calculation of an SNMPv3/TSM message can be calculated as
follows (assuming a one character community string):

SNMPv1Message 2 byte octets
version 3 byte octets
community 2 byte 3 octets
data (PDU) 13 byte
-------
20 byte

The details of the calculation octets
---------
21 octets

A complete SNMPv3/TSM message to retrieve sysUpTime.0 therefore
requires 21+15 = 36 octets. Note, however, that SNMPv1/SNMPv2c does
not provide security nor does it provide direct support for DTLS framing as follows:

Type 1 byte
Version 2 byte
Epoch 2 byte
Sequence_number 6 byte
Length 2 byte proxying.

Appendix B. Possible Implementation and Deployment Models for SNMP

There can be three fundamental are four fundamentally different implementation / deployment
models for SNMPv3 in constrained networks.

B.1. Lightweight SNMP End-to-End Model

The SNMP manager talks SNMPv3 end-to-end to the 6LoWPAN nodes. In
this way model, existing management tools can be reused and only a few
adaptations may be needed by specifying suitable deployment
parameters through an
Applicability Statement as covered by this draft. applicability statement.

Manager <-------------------------------------> <-----------------------------------------> 6LoWPAN nodes
SNMPv3 nodes

The characteristics of this solution can be summarized as follows:

+ Straightforward access to individual 6LoWPAN nodes

+ Reuse of existing deployed SNMP-based tools

o End-to-end security and end-to-end key management

- Message size and potential fragmentation issues

- 6LoWPAN nodes must run an SNMP engine

- Trap-directed polling nature of SNMP has high energy costs

B.2. SNMP Proxy Model

The SNMP manager talks SNMPv3 to an SNMP proxy residing on the
6LoWPAN Gateway (or a proxy server) as explained in this document. 6LoWPAN
edge router (ER). Existing management tools (as long as they are
proxy aware, which is not generally true) can be reused.

Manager <--------> SNMP Proxy <--------------> <-----------------> 6LoWPAN nodes
SNMPv3 (6LoWPAN ER) SNMPv3 nodes

The characteristics of this solution can be summarized as follows:

+ Alternate transport encoding can reduce message sizes

o Indirect access to individual 6LoWPAN nodes

o Reuse of existing SNMP-based tools supporting proxies
o Two security domains, different key management schemes

- 6LoWPAN nodes must run an SNMP engine

- Trap-directed polling nature of SNMP has high energy costs

B.3. SNMP with Sub-Agent Protocols Subagent Model

The SNMP manager talks SNMPv3 to an extensible SNMP agent residing on
the 6LoWPAN router which edge router. This agent uses a subagent protocol (e.g. a 6LoWPAN
enhanced version of AgentX, [RFC2741]) to populate its MIB. However,
the (e.g.,
AgentX [RFC2741]). The current standard subagent protocol is not
necessarily suitable for 6LoWPAN networks since it assumes a reliable
stream-oriented transport and an adaptation of an existing a subagent protocol
may be required. Thus, this model
is not recommended for 6LoWPANs.

Manager <-------> <--------> SNMP Agent <-----------------> 6LoWPAN nodes
SNMPv3 (6LoWPAN ER) SubAgent Protocol nodes

The characteristics of this solution can be summarized as follows:

+ Alternate transport encoding can reduce message sizes

o Indirect access to individual 6LoWPAN nodes

o Reuse of existing SNMP-based tools supporting proxies

o Two security domains, different key management schemes

+ 6LoWPAN nodes must run an SNMP subagent

- Trap-directed polling nature of SNMP has high energy costs

B.4. SNMP Data-Fusion Model

The SNMP manager talks SNMPv3 to an SNMP agent residing on the
6LoWPAN edge router. This agent uses a different protocol (e.g., a
protocol such as CoAP) to retrieve information from the 6LoWPAN
network. In the ideal case, the protocol supports caching and in
network data aggregation.

Manager <--------> SNMP Agent <-----------------> 6LoWPAN
SNMPv3 (6LoWPAN ER) CoAP Data Fusion nodes

The characteristics of this solution can be summarized as follows:

+ Indirect access to individual 6LoWPAN nodes

+ Leveraging a cache-aware data fusion protocol

+ SNMP agent acting as a cache, no expensive polling

o Reuse of existing SNMP-based tools supporting contexts

o Two security domains, different key management schemes

Appendix C. Example: Contiki SNMP

Contiki-SNMP is an SNMP implementation for the Contiki operating
system, designed to run on Atmel Raven boards (8-bit microcontroller
running at 20 MHz with 16K of RAM and 128K of Flash). Contiki-SNMP
supports SNMP messages up to 484 octets length. The currently
supported message types are Get, GetNext, and Set. The currently
supported message versions are SNMPv1 and SNMPv3/USM. The
implementation provides an API to define and configure managed
objects (MIB variables). The USM implementation supports HMAC-MD5-96
and CFB128-AES-128.

If both SNMPv1 and SNMPv3 are enabled, the code uses 31220 octets of
ROM (around 24% of the available ROM) plus 235 octets of statically
allocated RAM. With only SNMPv1 enabled, the code uses 8860 octets
of ROM (around 7% of the available ROM) plus 43 bytes of statically
allocated RAM. Leveraging the AES hardware support of the 802.15.4
transceiver will significantly reduce the footprint of the SNMPv3
option.

The heap usage is not more than 910 octets for processing an SNMPv1
message. About 16 octets are used for each managed object
implemented. If a managed object is of a string-based type,
additional heap storage space is used to store the value.

The maximum observed stack usage is show in Table 1.

Table 1: Maximum observed stack usage

For SNMPv3/USM noAuthNoPriv messages and SNMPv1 messages, the round-
trip latency is dominated by the data transfer tim of the 802.15.4
radio. For SNMPv3/USM authPriv messages, the processing time is
almost the same as the data transmission delay. The authNoPriv
security level is slightly faster.

Appendix D. Change Log

D.1. Changes from -02 to -03

Broadened the scope of the document to discuss SNMP on constrained
devices, not limited to 6LoWPAN networks.

1. Added a data fusion protocol scenario.

2. Reorganization of the text.

3. Reorganization of Section 2.4.

4. Addition of Appendix C.

5. Added details about minimal VACM implementation.

6. Started a discussion of relevant MIB modules.

D.2. Changes from -01 to -02: -02

The draft now covers applicability of SNMPv3 for 6LoWPANs. The focus
of the draft is shifted towards supporting SNMPv3 'as is' in
6LoWPANs.

1. Added SNMP Agent Implentation Implementation Considerations for 6LoWPANs.

2. Added SNMP Manager Implentation Implementation Considerations for 6LoWPANs.

3. Added the Deployment Considerations for 6LoWPANs.

4. Added the Applicable MIB modules for 6LoWPANs.

5. Moved SNMP Deployment Models to Appendix.

6. Removed the section on Packet Compression.

Authors' Addresses

Juergen Schoenwaelder (editor)
Jacobs University Bremen
Campus Ring 1
Bremen 28725
Germany

Phone: +49 421 200-3587
EMail: j.schoenwaelder@jacobs-university.de

Hamid Mukhtar (editor)
ETRI
USN Research Division, ETRI, 161 Gajeong-dong, Yuseong-gu, Yuseong-gu
Daejeon 305-350
KOREA

Phone: +82 42 860 5435
EMail: hamid@etri.re.kr

Seong-Soon Joo
ETRI
USN Research Division, ETRI, 161 Gajeong-dong, Yuseong-gu, Yuseong-gu
Daejeon 305-350
KOREA

Phone: +82 42 860 6333
EMail: ssjoo@etri.re.kr

Juergen Schoenwaelder
Jacobs University Bremen
Campus Ring 1
Bremen 28725
Germany

Phone: +49 421 200-3587
EMail: j.schoenwaelder@jacobs-university.de

Kim, Ki Hyung
Ajou University
San 5 Wonchun-dong, Yeongtong-gu
Suwon-si, Gyeonggi-do 442-749
KOREA

Phone: +82 31 219 2433
EMail: kkim86@ajou.ac.kr