
Re: ISMS working group and a clarification about Call Home

2005-09-12 01:12:27
Hi David,

Nelson, David wrote:
> Let's assume, for the sake of discussion, that SNMP must always work
> across Firewalls and NATs.  The original objection to the proposed
> charter was that it did not include support for "Call Home"
> functionality.

First, let's be clear that nobody is suggesting that all connections
should be turned, but that sufficient flexibility must be available to
maneuver through firewalls and NATs.  But let me take this opportunity
to more clearly state why it is that the functionality needs to work *both* ways.

A basic tenet of scalable fault management is something known as
trap-based polling.  That is, don't poll excessively (only a periodic
single heartbeat query) until some event happens and then query as
much as necessary to determine more information.  So for instance, every
five minutes or so a query is made of the device and sysUptime.  But
then at some point an RMON event is triggered indicating that a
particular ifOperStatus has changed to down.  At that point the
management station might query for additional error counts off of the
IF-MIB, perhaps a SONET or ETHERLIKE mib, and perhaps other related
functions, the idea being to isolate the problem (and this probably is
not limited to a single device).

The problem is this: if a non-participating firewall or a NAT is in
place anywhere between the management station and the device, the
management station will either receive the trap but be unable to query
or only be able to query and NOT receive the trap.

The reason CH fixes this problem is that one way or another prior to a
failure, one can be assured that the management station and agent are
able to communicate both because connection direction is the same for
both functions.


> I can see how Call Home would solve the NAT problem, at least on a
> sporadic basis.  The managed entity could initiate an "outgoing" NAT
> session to the management station, and the management station could use
> that connection as needed.  I don't see how this allows the management
> station to later initiate an "incoming" connection to the NAT'ed managed
> entity.  Nor do I see how it would enable firewalls to safely pass
> through only the desired SNMP traffic.

So, as described above, a management station would not initiate an
incoming connection to a managed entity but the other way around.  As to
your other question, this solution addresses the case where the firewall
is not capable of such functions.  This is the case for most commercial
firewalls today.

> Clarification would be helpful.  Thanks.

HTH,

Eliot

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
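The trap-based polling pattern Eliot describes (a slow sysUpTime heartbeat, then a burst of IF-MIB queries once a linkDown event arrives) and the Call Home argument (both the polling and the notification ride the same agent-initiated connection, so a NAT or firewall only ever sees one outbound session) can be shown together in a small simulation. The code below is an added example, not part of the thread and not an IETF or vendor implementation: it uses a constructed line-delimited JSON message format over loopback TCP instead of real SNMP encoding, and the object names, interface index, counter values and heartbeat interval are all made up for illustration.

```python
"""Added example (not part of the thread): trap-based polling carried over a
single agent-initiated ("call home") connection.

The managed device opens the only TCP connection, outbound to the management
station.  The station then uses that same connection to send its periodic
heartbeat queries, to receive an unsolicited notification, and to send the
follow-up queries the notification triggers.  A NAT or firewall in between
only ever sees one outbound session.  The line-delimited JSON messages, the
object names and the values are constructed for illustration; this is not a
real SNMP encoding.
"""
import json
import socket
import threading

# Constructed sample management data held by the simulated agent.
AGENT_MIB = {
    "sysUpTime": 0,
    "ifOperStatus.3": "up",
    "ifInErrors.3": 0,
    "ifOutErrors.3": 0,
}
ESCALATION_OIDS = ["ifInErrors.3", "ifOutErrors.3"]  # queried only after a trap
HEARTBEAT_ROUNDS = 4
TRAP_AFTER_ROUND = 2   # the agent simulates a link failure during this heartbeat
HEARTBEAT_SECONDS = 300  # constructed "five minutes or so" between heartbeats


def send_msg(sock, obj):
    sock.sendall((json.dumps(obj) + "\n").encode())


def agent(manager_host, manager_port):
    """Managed device: dials out once, then answers queries and pushes the
    trap over that same socket."""
    mib = dict(AGENT_MIB)
    with socket.create_connection((manager_host, manager_port)) as sock:
        reader = sock.makefile("r")
        for line in reader:
            req = json.loads(line)
            if req["type"] == "close":
                break
            if "sysUpTime" in req["oids"]:
                mib["sysUpTime"] += HEARTBEAT_SECONDS  # time passes between heartbeats
            if req["id"] == TRAP_AFTER_ROUND and mib["ifOperStatus.3"] == "up":
                mib["ifOperStatus.3"] = "down"
                mib["ifInErrors.3"] = 17
                # Unsolicited notification, sent on the connection the agent opened.
                send_msg(sock, {"type": "trap", "name": "linkDown", "ifOperStatus.3": "down"})
            values = {oid: mib.get(oid) for oid in req["oids"]}
            send_msg(sock, {"type": "response", "id": req["id"], "values": values})


def manager(listener):
    """Management station: accepts the call-home connection and runs
    trap-based polling over it.  Returns a log of what it observed."""
    log = []
    pending_traps = []
    conn, _ = listener.accept()
    with conn:
        reader = conn.makefile("r")

        def query(req_id, oids):
            send_msg(conn, {"type": "get", "id": req_id, "oids": oids})
            while True:  # a trap may arrive while we wait for our response
                msg = json.loads(reader.readline())
                if msg["type"] == "trap":
                    log.append(("trap", msg["name"]))
                    pending_traps.append(msg)
                elif msg["type"] == "response" and msg["id"] == req_id:
                    return msg["values"]

        next_id = 100  # ids for escalation queries, distinct from heartbeat ids
        for round_no in range(1, HEARTBEAT_ROUNDS + 1):
            values = query(round_no, ["sysUpTime"])
            log.append(("heartbeat", values["sysUpTime"]))
            while pending_traps:  # escalate: poll hard only after an event
                trap = pending_traps.pop(0)
                log.append(("escalate", trap["name"], query(next_id, ESCALATION_OIDS)))
                next_id += 1
        send_msg(conn, {"type": "close"})
    return log


def run_demo():
    """Start the manager listener and the agent thread on loopback; return the log."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=agent, args=("127.0.0.1", port))
    t.start()
    try:
        return manager(listener)
    finally:
        listener.close()
        t.join()


if __name__ == "__main__":
    for entry in run_demo():
        print(entry)
```

Running it prints four heartbeat entries, with a single trap and one escalation query wedged between the second and third, and every one of those messages travelled over the one socket the agent opened; the manager never dials the device. The design consequence for a deployment is that the station ends up accepting connections from the devices, so it has to authenticate whoever calls in, exactly as the device has to authenticate the station it is handing its management data to.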
