Network Working Group D. Raz
Request for Comments: 2962 Lucent Technologies
Category: Informational J. Schoenwaelder
TU Braunschweig
B. Sugla
ISPSoft Inc.
October 2000
An SNMP Application Level Gateway for Payload Address Translation
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2000). All Rights Reserved.
IESG Note
This document describes an SNMP application layer gateway (ALG),
which may be useful in certain environments. The document also
lists the issues and problems that can arise when it is used as a
generic SNMP ALG. Specifically, when using SNMPv3's authentication
and privacy mechanisms this approach may be very problematic and
jeopardize SNMP security. The reader is urged to carefully consider
these issues before deciding to deploy this type of SNMP ALG.
Abstract
This document describes the ALG (Application Level Gateway) for the
SNMP (Simple Network Management Protocol) by which IP (Internet
Protocol) addresses in the payload of SNMP packets are statically
mapped from one group to another. The SNMP ALG is a specific case of
an Application Level Gateway as described in [15].
An SNMP ALG allows network management stations to manage multiple
networks that use conflicting IP addresses. This can be important in
environments where there is a need to use SNMP with NAT (Network
Address Translator) in order to manage several potentially
overlapping addressing realms.
Raz, et al. Informational [Page 1]
RFC 2962 SNMP Payload Address Translation October 2000
This document includes a detailed description of the requirements and
limitations for an implementation of an SNMP Application Level
Gateway. It also discusses other approaches to exchange SNMP packets
across conflicting addressing realms.
Table of Contents
1. Introduction ..................................................2
2. Terminology and Concepts Used ................................5
3. Problem Scope and Requirements ................................5
3.1 IP Addresses in SNMP Messages ................................6
3.2 Requirements ..................................................7
4. Translating IP Addresses in SNMP Packets ......................7
4.1 Basic SNMP Application Level Gateway ..........................8
4.2 Advanced SNMP Application Level Gateway ......................8
4.3 Packet Size and UDP Checksum ..................................9
5. Limitations and Alternate Solutions .........................10
6. Security Considerations .....................................12
7. Summary and Recommendations .................................13
8. Current Implementations .....................................14
9. Acknowledgments .............................................14
10. References ...................................................14
11. Authors' Addresses ...........................................16
12. Description of the Encoding of SNMP Packets .................17
13. Full Copyright Statement .....................................20
1. Introduction
The need for IP address translation arises when a network's internal
IP addresses cannot be used outside the network. Using basic network
address translation allows local hosts on such private networks
(addressing realms) to transparently access the external global
Internet and enables access to selective local hosts from the
outside. In particular, it is not unlikely to have several addressing
realms within the same organization that use the same private IPv4
address space.
In many of these cases, there is a need to manage the local
addressing realm from a manager site outside the domain. However,
managing such a network presents unique problems and challenges.
Most available management applications use SNMP (Simple Network
Management Protocol) to retrieve information from the network
elements. For example, a router may be queried by the management
application about the addresses of its neighboring elements. This
information is then sent by the router back to the management
station as part of the payload of an SNMP packet. In order to retain
consistency in the view as seen by the management station we need to
be able to locate and translate IP address related information in the
payload of such packets.
The SNMP Application Level Gateway for Payload Address Translation,
or SNMP ALG, is a technique in which the payload of SNMP packets
(PDUs) is scanned and IP address related information is translated if
needed. In this context, an SNMP ALG can be an additional component
in a NAT implementation, or it can be a separate entity that resides
in the same gateway or even on a separate node. Note that in our
network-management context all devices in the network are assumed to
have a fixed IP address. Thus, an SNMP ALG should only be combined
with a NAT that uses static address assignment for all the devices in
the network.
A typical scenario where an SNMP ALG is deployed as part of NAT is
presented in Figure 1. A manager device is managing a remote stub
with translated IP addresses.
                \ | /                        .
          +---------------+       WAN        .   +------------------------------+
          |Regional Router|---------------------|Stub Router w/NAT and SNMP ALG|
          +---------------+                  .   +------------------------------+
                  |                          .                  |
                  |                          .                  |  LAN
            +----------+                     .          ---------------
            | Manager  |                Stub border     Managed network
            +----------+

                  Figure 1: SNMP ALG in a NAT configuration
A similar scenario occurs when several subnetworks with private (and
possibly conflicting) IP addresses are to be managed by the same
management station. This scenario is presented in Figure 2.
                  +---------------+     +-----------------+
                  |   SNMP ALG    |-----|Management device|
                  +---------------+     +-----------------+
                T1 |              | T1
                   |              |
     Stub A .......|....     .....|............ Stub B
                   |              |
           +---------------+   +---------------+
           |Bi-directional |   |Bi-directional |
           |NAT Router w/  |   |NAT Router w/  |
           |static address |   |static address |
           |mapping        |   |mapping        |
           +---------------+   +---------------+
                   |                   |
                   | LAN           LAN |
           -------------         -------------
            192.10.x.y |         | 192.10.x.y
              /____\               /____\

        Figure 2: Using external SNMP ALG to manage two private networks
Since the devices in the managed network are monitored by the manager
device, they must have a fixed IP address. Therefore, the NAT used in
this case must be a basic NAT with a static one-to-one mapping.
An SNMP ALG is required to scan the whole payload of SNMP packets, to
detect IP address related data, and to translate this data if needed.
This is a much more computationally involved process than
bi-directional NAT; however, they both use the same translation
tables. In many cases the router may be unable to handle the SNMP ALG
and retain acceptable performance. In these cases it may be better to
locate the SNMP ALG outside the router, as shown in Figure 2.
2. Terminology and Concepts Used
In general we adopt the terminology defined in [15]. Our main
concern is SNMP messages exchanged between SNMP engines. This
document only discusses SNMP messages that are sent over UDP, which
is the preferred transport mapping for SNMP messages [5]. SNMP
messages sent over other transports can be handled in a similar way.
Thus, the term SNMP packet is used throughout this document to refer
to an SNMP message contained in a UDP packet.
SNMP messages contain SNMP PDUs (Protocol Data Units). An SNMP PDU
defines the parameters for a specific SNMP protocol operation. The
notion of flow is less relevant in this case, and hence we will focus
on the information contained in a single SNMP packet.
There are currently three versions of SNMP. SNMP version 1 (SNMPv1)
protocol is defined in STD 15, RFC 1157 [2]. The SNMP version 2c
(SNMPv2c) protocol is defined in RFC 1901 [3], RFC 1905 [4] and RFC
1906 [5]. Finally, the SNMP version 3 (SNMPv3) protocol is defined
in RFC 1905 [4], RFC 1906 [5], RFC 2572 [10] and RFC 2574 [12]. See RFC
2570 [9] for a more detailed overview over the SNMP standards. In
the following, unless otherwise mentioned, we use the term SNMP in
statements that are applicable to all three SNMP versions.
SNMP uses ASN.1 [13] to define the abstract syntax of the messages.
The actual encoding of the messages is done by using the Basic
Encoding Rules (BER) [14], which provide the transfer syntax.
We refer to packets that go from a management station to the network
elements as "outgoing", and packets that go from the network elements
to the management station as "incoming".
A basic SNMP ALG is an SNMP ALG implementation in which only IP
address values encoded in the IpAddress type are translated. A basic
SNMP ALG therefore does not need to be MIB aware.
An advanced SNMP ALG is an SNMP ALG implementation which is capable
of handling and replacing IP address values encoded in well known IP
address data types and instance identifiers derived from those data
types. This implies that an advanced SNMP ALG is MIB aware.
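The following is an added illustration of the basic SNMP ALG just defined; it is example code written for this edit, not code from RFC 2962 or from any implementation the RFC cites. It walks the BER encoding of an SNMPv1/v2c message, rewrites every value of the IpAddress type (tag 0x40, always four octets, so no length field and no packet size changes) through a static one-to-one table, and refuses SNMPv3 messages for the reason given in the IESG note. The address map and the sample Response message are constructed for the example. The sample deliberately uses an ipAdEntAddr row whose instance identifier embeds the same address as its value: the basic ALG translates the value but not the OID, which is exactly the gap the advanced, MIB-aware ALG is meant to close.

```python
# Basic SNMP ALG (RFC 2962, section 2): walk the BER encoding of an SNMPv1/v2c
# message and rewrite every IpAddress value through a static one-to-one map.
# Added example for this edit, not code from the RFC; all sample data is constructed.
import ipaddress

IPADDRESS_TAG = 0x40    # IpAddress ::= [APPLICATION 0] IMPLICIT OCTET STRING (SIZE (4))
CONSTRUCTED_BIT = 0x20  # set on SEQUENCE (0x30) and on every PDU tag (0xA0..0xA8)

# Constructed static mapping, stub-side address -> address the manager sees.
STATIC_MAP = {"192.10.1.1": "10.99.1.1", "192.10.1.2": "10.99.1.2"}

def read_length(buf, i):
    """Decode the BER definite length at buf[i]; return (length, first content index)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0:
        raise ValueError("indefinite length is not permitted in SNMP")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def snmp_version(msg):
    """Return the version INTEGER from the message header (0 = v1, 1 = v2c, 3 = v3)."""
    if msg[0] != 0x30:
        raise ValueError("not an SNMP message")
    _, content = read_length(msg, 1)
    if msg[content] != 0x02:
        raise ValueError("missing version INTEGER")
    vlen, vstart = read_length(msg, content + 1)
    return int.from_bytes(msg[vstart:vstart + vlen], "big", signed=True)

def translate_ipaddresses(msg, addr_map):
    """Return (rewritten message, count of values replaced).  Only IpAddress values
    are touched; OIDs and OCTET STRINGs that carry an address stay as they are, which
    is the basic ALG's limit.  IpAddress is fixed at 4 octets, so no length changes."""
    if snmp_version(msg) == 3:
        # scopedPDU may be encrypted, and any rewrite breaks the auth digest (IESG note).
        raise ValueError("refusing to rewrite an SNMPv3 message")
    out = bytearray(msg)
    replaced = 0

    def walk(start, end):
        nonlocal replaced
        i = start
        while i < end:
            tag = out[i]                      # SNMP uses single-octet tags only
            length, content = read_length(out, i + 1)
            nxt = content + length
            if nxt > end:
                raise ValueError("TLV overruns its enclosing element")
            if tag & CONSTRUCTED_BIT:
                walk(content, nxt)            # descend into SEQUENCE / PDU
            elif tag == IPADDRESS_TAG:
                if length != 4:
                    raise ValueError("IpAddress must be exactly 4 octets")
                old = str(ipaddress.IPv4Address(bytes(out[content:nxt])))
                new = addr_map.get(old)
                if new is not None:
                    out[content:nxt] = ipaddress.IPv4Address(new).packed
                    replaced += 1
            i = nxt

    walk(0, len(out))
    return bytes(out), replaced

def tlv(tag, content):
    """Encode one BER TLV with a definite length (used only to build sample input)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(oid):
    """BER-encode a dotted OID: first two arcs combined, then base-128 arcs."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body.extend(reversed(chunk))
    return bytes(body)

def build_sample_response():
    """Constructed SNMPv2c Response: ipAdEntAddr.192.10.1.1 = IpAddress 192.10.1.1,
    so the instance identifier embeds the same address as the value."""
    oid = encode_oid("1.3.6.1.2.1.4.20.1.1.192.10.1.1")
    varbind = tlv(0x30, tlv(0x06, oid) + tlv(IPADDRESS_TAG, ipaddress.IPv4Address("192.10.1.1").packed))
    # request-id 1, error-status noError, error-index 0, VarBindList
    pdu = tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + tlv(0x30, varbind)
    # version INTEGER 1 == SNMPv2c, community, Response-PDU [CONTEXT 2]
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, b"public") + tlv(0xA2, pdu))
```

An "incoming" packet (element to manager) is passed through `translate_ipaddresses` with the stub-to-manager map; an "outgoing" packet (manager to element) uses the inverted map, and the two passes are exact inverses because the table is one-to-one. After translation the IpAddress value reads 10.99.1.1 while the OID still ends in 192.10.1.1, so a manager walking ipAddrTable would see inconsistent data; resolving that requires the MIB-aware handling of instance identifiers described for the advanced ALG.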
3. Problem Scope and Requirements
As mentioned before, in many cases there is a need to manage a local
addressing realm that is using NAT from a manager site outside the
realm. A particularly important example is the case of network
management service providers who provide network management services
from a remote site. Such providers may have many customers, each