draft-ietf-disman-framework-00.txt | draft-ietf-disman-framework-01.txt
Distributed Management Framework
<draft-ietf-disman-framework-00.txt>, December 27, 1996 | <draft-ietf-disman-framework-01.txt>, December 15, 1996
Authors:
Andy Bierman, Cisco Systems, abierman@cisco.com
Maria Greene, Ascom Nexion, greene@nexen.com
skipping to change at page 3, line 20 skipping to change at page 3, line 20
management, this function is desired and has been implemented management, this function is desired and has been implemented
and deployed in the internet using proprietary architectures. and deployed in the internet using proprietary architectures.
It is desired that there be a standard upon which to promote It is desired that there be a standard upon which to promote
interoperability, as well as a common framework upon which interoperability, as well as a common framework upon which
various systems can be built. various systems can be built.
The goals of distributed management are: The goals of distributed management are:
o Scalability through Distribution o Scalability through Distribution
In order to build network management systems that have the In order to build network management systems that have the
power to manage very large networks, it is important that power to manage very large networks, it is important to
a system not have a single bottleneck point. Therefore, reduce bottlenecks in the management system. Therefore, a
large network management systems must be built as distributed systems approach is often helpful when
distributed systems. building large management systems. A distributed approach
is often very effective at reducing load on the central
management station, and may be effective at reducing the
load that the central management station places on
backbone networks. However, a distributed approach usually
has no benefit in reducing load on remote networks and has
no benefit in reducing load on management agents. Further,
in a distributed data collection architecture, if all data
collected is eventually forwarded to the central
management station (without aggregation or compression),
then no benefit in backbone load or central management
station load should be expected (except perhaps to time-
shift this load to a time of excess capacity, at the
expense of a lack of timeliness of data.
o Disconnected or Low-Bandwidth Operation o Disconnected or Low-Bandwidth Operation
There are sometimes conditions when a management station There are sometimes conditions when a management station
will not be in constant contact with all portions of the will not be in constant contact with all portions of the
managed network. This is sometimes by design in an attempt managed network. This is sometimes by design in an attempt
to lower communications costs (especially when to lower communications costs (especially when
communicating over a WAN or dialup link), or by accident communicating over a WAN or dialup link), or by accident
as network failures affect the communications between the as network failures affect the communications between the
management station and portions of the managed network. management station and portions of the managed network.
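Review bot: in the rewritten Scalability paragraph the parenthesis opened at "(except perhaps to time-shift this load" is never closed; the sentence should end "... at the expense of a lack of timeliness of data)." The new wording also drops the old claim that a system "not have a single bottleneck point" in favour of "reduce bottlenecks", which reads as intended, but the qualifying clause about forwarding without aggregation or compression is long enough that it would be clearer as its own sentence.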
skipping to change at page 4, line 11 skipping to change at page 4, line 24
Business organizations are typically set up in a Business organizations are typically set up in a
hierarchical fashion. Multiple people in the hierarchy hierarchical fashion. Multiple people in the hierarchy
have different roles, responsibilites, and authority. The have different roles, responsibilites, and authority. The
network management system often has to be configured to network management system often has to be configured to
match this organization. Distributed network managers can match this organization. Distributed network managers can
be set up in a hierarchy that matches the roles of various be set up in a hierarchy that matches the roles of various
people in the organization. people in the organization.
o Promotes a modular system architecture o Promotes a modular system architecture
A modular system architecture allows flexibility and re- A modular system architecture allows flexibility and re-
usability of network management components. A distributed usability of network management components. This also
network management system with well-defined interfaces enables a multi-vendor approach to building management
creates this modular scheme. systems. A distributed network management system with
well-defined interfaces creates this modular scheme.
This document defines an architectural framework for This document defines an architectural framework for
standards-based distributed management standards-based distributed management
4. The Network Management Framework 4. The Network Management Framework
A distributed network management station is a management A distributed network management station is a management
station that receives requests from another manager and station that receives requests from another manager and
executes those requests by performing management operations on executes those requests by performing management operations on
agents or other managers. Note that these requests may take a agents or other managers. Note that these requests may take a
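Review bot: "responsibilites" in the hierarchy paragraph should be "responsibilities", and the sentence "This document defines an architectural framework for standards-based distributed management" lacks a terminating period. The added sentence on a multi-vendor approach is fine as is.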
skipping to change at page 7, line 27 skipping to change at page 7, line 43
The purpose of this service is to direct management operations The purpose of this service is to direct management operations
to be performance only on those systems where that operation to be performance only on those systems where that operation
would make sense. Because this is described as a filter, there would make sense. Because this is described as a filter, there
are no static configuration requirements that would be are no static configuration requirements that would be
unacceptable in a dynamically changing network environment. unacceptable in a dynamically changing network environment.
An example of a management operation target list is the subset An example of a management operation target list is the subset
of all known routers on the engineering LAN. of all known routers on the engineering LAN.
5.4. Delegation Control 5.4. Credential Delegation
The Credential Delegation Service allows credentials of a
network management user to be delegated to a distributed
management application so that it can perform secure
operations on behalf of that user.
Fundamental to this distributed management architecture is the
notion that distributed management operations must not run
with the credentials of the distributed manager. To do so
would require that the authorization of these credentials (or
subsets of this authorization) would need to be apportioned to
users of that distributed manager in a pre-defined and secure
way. This would require the creation of a access control
architecture mirroring the SNMP View-Based Access Control
architecture that would control what subsets of authority are
available to what users. The existing View-Based Access
Control mechanism was not designed for this task and is not
appropriate. Further, it would require that the distributed
manager be configured in a way that was consistent with the
access control policy embodied in the managed systems. This
would be extremely problematic because:
1. This would require a massive amount of configuration
to be replicated on the distribute manager
2. If any part of this configuration on the distribute
manager is inconsistent with that on the managed systems,
a security hole could be exposed.
Because it is assumed that the distributed manager adds no
credentials to management operations, when a manager wishes to
configure a distributed manager to perform secure transactions
on its behalf, it must download to the distributed manager the
appropriate credentials to be placed in secure SNMP messages,
identifying them as the manager. A credential contains at
least the securityModel, securityName, securityLevel,
authentication and privacy keys, and an indication of which
management targets the credential should be used for.
5.4.1. Definitions
----------- --------------- --------------
| | | | | |
| Manager |---------->| Distributed |------------->| Management |
| | Disman | Manager | Target | Target |
| | User | | User | |
| | | | Identity | |
| | | | | |
----------- --------------- --------------
1. Disman User - The user whose credentials are used to
configure the distribute manager for an operation and to
download credentials for that operation. There is no
relationship implied between the disman user and the
user(s) who's credentials are installed (in other words,
"joe" can install credentials for "ops-center-east" as
well as "joe").
2. Target User Identity - The user identity used in SNMP
messages between the distributed manager and management
targets.
3. Credential - The set of secrets that are transferred
to the distributed manager giving it the authority to act
as an identity.
4. Owner - The disman user who sets up a distributed
management function, including the credentials for the
function.
5. Invoker - The user who invokes a previously setup
distributed management function. The owner may choose to
allow others to invoke a function, potentially allowing
that function to operate with the owner's credentials (of
course the owner would want to tightly constrain what the
function was configured to perform).
6. Invokation Identity - The identity of the credentials
a function is operating with. These may be of the owner,
of the invoker, or possibly the union of both
credentials.
Because multiple Disman Users will have access to a
Distributed Manager, the Credential Delegation Service will be
responsible for ensuring that credentials are only used by
authorized users. The Credential Delegation Service will
include:
1. Credential Store - a MIB in which to transfer and
store credentials
2. MIB prototype - a prototype MIB fragment that will be
added to disman functions that wish to use the Credential
Store
3. Access Control Policy - a policy for configuration of
the VACM MIB for use with the Credential Delegation
Service. This will limit access to the credential store.
5.5. Delegation Control
The Delegation Control Service provides functions that limit The Delegation Control Service provides functions that limit
the resource usage of a distributed management application the resource usage of a distributed management application
that has had control delegated to it. that has had control delegated to it.
Network management applications are often responsible for Network management applications are often responsible for
adding stress on the network and causing problems. Examples adding stress on the network and causing problems. Examples
are excessive polling load on slow-speed networks or on router are excessive polling load on slow-speed networks or on router
CPUs. This problem will become even more dangerous when CPUs. This problem will become even more dangerous when
network management functions are delegated to distributed network management functions are delegated to distributed
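Review bot: the new Credential Delegation section has the distributed manager hold a user's authentication and privacy keys in a MIB (the Credential Store), but the only protection named for them is a VACM configuration policy that "will limit access to the credential store". The draft should additionally require that the key-bearing objects not be retrievable at all (not-accessible, or write-only in effect, in the MIB definition) so that a VACM misconfiguration cannot expose delegated secrets, and it should state that credentials are only ever downloaded to the distributed manager under authentication and privacy. The definition of Invocation Identity should also settle whether a function runs with the owner's, the invoker's, or "possibly the union of both" credentials: the union case lets an invoker exercise the owner's authority, which the Invoker definition acknowledges but does not bound. Smaller points in the same hunk: "performance only" should be "performed only"; "a access control" should be "an access control"; "distribute manager" appears three times for "distributed manager"; "who's credentials" should be "whose credentials"; "Invokation" should be "Invocation".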
skipping to change at page 8, line 5 skipping to change at page 10, line 32
Policies need to be configured that limit average and burst Policies need to be configured that limit average and burst
polling, notification, and broadcast rates. These rates may polling, notification, and broadcast rates. These rates may
be defined for the sending system as a whole, per end node, or be defined for the sending system as a whole, per end node, or
per management application on the sending system. per management application on the sending system.
It is also important to have a "Deadman's switch" so that It is also important to have a "Deadman's switch" so that
delegated applications will not continue indefinitely if their delegated applications will not continue indefinitely if their
"sponsor" has forgotten about them. "sponsor" has forgotten about them.
5.5. Scheduling 5.6. Scheduling
The Scheduling Service allows the execution of distributed The Scheduling Service allows the execution of distributed
management applications to be controlled so that they run at a management applications to be controlled so that they run at a
particular time, periodically, or based on the occurance of particular time, periodically, or based on the occurance of
another event. another event.
5.6. Reliable Notification 5.7. Reliable Notification
The Reliable Notification Service provides services that The Reliable Notification Service provides services that
ensure that notifications are received correctly. ensure that notifications are received correctly.
For example, all the information that describes an event may For example, all the information that describes an event may
not fit within a single PDU, so an eventID varbind is defined not fit within a single PDU, so an eventID varbind is defined
that associates multiple PDU's as describing the same event. that associates multiple PDU's as describing the same event.
It is also necessary to know if the entire notification has It is also necessary to know if the entire notification has
been received or if more PDU's are still outstanding. been received or if more PDU's are still outstanding.
Further, a receiving management station must be given more Further, a receiving management station must be given more
information so that it can distinguish duplicated inform PDU's information so that it can distinguish duplicated inform PDU's
because events are not idempotent. No rule makes it mandatory because events are not idempotent. No rule makes it mandatory
for the requestID to be unique for all PDUs sent from a for the requestID to be unique for all PDUs sent from a
system. system.
In addition, a logging mechanism provides for retrieval of In addition, a logging mechanism provides for retrieval of
notifications after a communications failure. notifications after a communications failure.
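Review bot: "occurance" in the Scheduling paragraph should be "occurrence". In the reliable-notification paragraph, the text says a receiver "must be given more information" to distinguish duplicated inform PDUs because requestID is not required to be unique, but it does not say what that information is; if the eventID varbind defined in the preceding paragraph is meant to serve that purpose as well, the paragraph should say so.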
skipping to change at page 8, line 32 skipping to change at page 11, line 16
Further, a receiving management station must be given more Further, a receiving management station must be given more
information so that it can distinguish duplicated inform PDU's information so that it can distinguish duplicated inform PDU's
because events are not idempotent. No rule makes it mandatory because events are not idempotent. No rule makes it mandatory
for the requestID to be unique for all PDUs sent from a for the requestID to be unique for all PDUs sent from a
system. system.
In addition, a logging mechanism provides for retrieval of In addition, a logging mechanism provides for retrieval of
notifications after a communications failure. notifications after a communications failure.
5.7. Notification Destinations 5.8. Notification Destinations
The Notification Destination Service provides services for The Notification Destination Service provides services for
configuring destinations for notifications. configuring destinations for notifications.
When management functions are delegated and MLMs are given the When management functions are delegated and MLMs are given the
autonomy to generate notifications, they need to be configured autonomy to generate notifications, they need to be configured
as to where the notifications should be sent. Additionally, as to where the notifications should be sent. Additionally,
retry counts and numbers need to be configured. Average and retry counts and numbers need to be configured. Average and
burst notification rates need to be defined. burst notification rates need to be defined.
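Review bot: "retry counts and numbers need to be configured" leaves "numbers" unexplained; the sentence should say which parameters are meant or drop the word. The plural "PDU's" is written with an apostrophe in the repeated context lines above, while the same paragraph writes "for all PDUs sent"; "PDUs" should be used throughout.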
skipping to change at page 24, line 13 skipping to change at page 26, line 13
International, Menlo Park, California, (March, 1991). International, Menlo Park, California, (March, 1991).
Table of Contents Table of Contents
1 Status of this Memo ................................... 1 1 Status of this Memo ................................... 1
2 Abstract .............................................. 2 2 Abstract .............................................. 2
3 Overview .............................................. 3 3 Overview .............................................. 3
4 The Network Management Framework ...................... 4 4 The Network Management Framework ...................... 4
5 Distributed Management Framework ...................... 5 5 Distributed Management Framework ...................... 5
5.1 Known Systems ....................................... 6 5.1 Known Systems ....................................... 6
5.2 Management Domains .................................. 6 5.2 Management Domains .................................. 7
5.3 Management Operations Targets ....................... 7 5.3 Management Operations Targets ....................... 7
5.4 Delegation Control .................................. 7 5.4 Credential Delegation ............................... 7
5.5 Scheduling .......................................... 8 5.4.1 Definitions ....................................... 8
5.6 Reliable Notification ............................... 8 5.5 Delegation Control .................................. 10
5.7 Notification Destinations ........................... 8 5.6 Scheduling .......................................... 10
6 Acknowledgments ....................................... 21 5.7 Reliable Notification ............................... 10
7 References ............................................ 21 5.8 Notification Destinations ........................... 11
6 Acknowledgments ....................................... 24
7 References ............................................ 24
End of changes.

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/