Network Working Group                                              D. Raz
Request for Comments: 2962                            Lucent Technologies
Category: Informational                                  J. Schoenwaelder
                                                          TU Braunschweig
                                                                 B. Sugla
                                                             ISPSoft Inc.
                                                             October 2000


   An SNMP Application Level Gateway for Payload Address Translation

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2000).  All Rights Reserved.

IESG Note

   This document describes an SNMP application layer gateway (ALG),
   which may be useful in certain environments.  The document does also
   list the issues and problems that can arise when used as a generic
   SNMP ALG.  Specifically, when using SNMPv3's authentication and
   privacy mechanisms this approach may be very problematic and
   jeopardize the SNMP security.  The reader is urged to carefully
   consider these issues before deciding to deploy this type of SNMP
   ALG.

Abstract

   This document describes the ALG (Application Level Gateway) for the
   SNMP (Simple Network Management Protocol) by which IP (Internet
   Protocol) addresses in the payload of SNMP packets are statically
   mapped from one group to another.  The SNMP ALG is a specific case of
   an Application Level Gateway as described in [15].

   An SNMP ALG allows network management stations to manage multiple
   networks that use conflicting IP addresses.  This can be important in
   environments where there is a need to use SNMP with NAT (Network
   Address Translator) in order to manage several potentially
   overlapping addressing realms.

Raz, et al.                  Informational                      [Page 1]

RFC 2962            SNMP Payload Address Translation        October 2000

   This document includes a detailed description of the requirements and
   limitations for an implementation of an SNMP Application Level
   Gateway.  It also discusses other approaches to exchange SNMP packets
   across conflicting addressing realms.

Table of Contents

   1.  Introduction
   2.  Terminology and Concepts Used
   3.  Problem Scope and Requirements
   3.1 IP Addresses in SNMP Messages
   3.2 Requirements
   4.  Translating IP Addresses in SNMP Packets
   4.1 Basic SNMP Application Level Gateway
   4.2 Advanced SNMP Application Level Gateway
   4.3 Packet Size and UDP Checksum
   5.  Limitations and Alternate Solutions
   6.  Security Considerations
   7.  Summary and Recommendations
   8.  Current Implementations
   9.  Acknowledgments
   10. References
   11. Authors' Addresses
   12. Description of the Encoding of SNMP Packets
   13. Full Copyright Statement

1. Introduction

   The need for IP address translation arises when a network's internal
   IP addresses cannot be used outside the network.
   Using basic network address translation allows local hosts on such
   private networks (addressing realms) to transparently access the
   external global Internet and enables access to selective local hosts
   from the outside.  In particular it is not unlikely to have several
   addressing realms that are using the same private IPv4 address space
   within the same organization.

   In many of these cases, there is a need to manage the local
   addressing realm from a manager site outside the domain.  However,
   managing such a network presents unique problems and challenges.

   Most available management applications use SNMP (Simple Network
   Management Protocol) to retrieve information from the network
   elements.  For example, a router may be queried by the management
   application about the addresses of its neighboring elements.  This
   information is then sent by the router back to the management
   station as part of the payload of an SNMP packet.  In order to retain
   consistency in the view as seen by the management station we need to
   be able to locate and translate IP address related information in the
   payload of such packets.

   The SNMP Application Level Gateway for Payload Address Translation,
   or SNMP ALG, is a technique in which the payload of SNMP packets
   (PDUs) is scanned and IP address related information is translated if
   needed.  In this context, an SNMP ALG can be an additional component
   in a NAT implementation, or it can be a separate entity, that may
   reside in the same gateway or even on a separate node.  Note that in
   our context of management application all devices in the network are
   assumed to have a fixed IP address.  Thus, SNMP ALG should only be
   combined with NAT that uses static address assignment for all the
   devices in the network.

   A typical scenario where SNMP ALG is deployed as part of NAT is
   presented in Figure 1.  A manager device is managing a remote
   stub, with translated IP addresses.

         \ | /              .
   +---------------+  WAN   .        +------------------------------+
   |Regional Router|-----------------|Stub Router w/NAT and SNMP ALG|
   +---------------+        .        +------------------------------+
           |                .                   |
           |                .                   |  LAN
      +----------+          .            ---------------
      | Manager  |    Stub border         Managed network
      +----------+

               Figure 1: SNMP ALG in a NAT configuration

   A similar scenario occurs when several subnetworks with private (and
   possibly conflicting) IP addresses are to be managed by the same
   management station.  This scenario is presented in Figure 2.

                         +---------------+     +-----------------+
                         | SNMP ALG      |-----|Management device|
                         +---------------+     +-----------------+
                       T1  |           | T1
                           |           |
       Stub A .............|....   ....|............ Stub B
                           |           |
                 +---------------+   +---------------+
                 |Bi-directional |   |Bi-directional |
                 |NAT Router w/  |   |NAT Router w/  |
                 |static address |   |static address |
                 |mapping        |   |mapping        |
                 +---------------+   +---------------+
                   |                         |
                   |  LAN               LAN  |
           -------------             -------------
        192.10.x.y   |                 |  192.10.x.y
                   /____\           /____\

     Figure 2: Using external SNMP ALG to manage two private networks

   Since the devices in the managed network are monitored by the manager
   device they must obtain a fixed IP address.  Therefore, the NAT used
   in this case must be a basic NAT with a static one to one mapping.

   An SNMP ALG is required to scan all the payload of SNMP packets, to
   detect IP address related data, and to translate this data if needed.
   This is a much more computationally involved process than the
   bi-directional NAT, however they both use the same translation
   tables.  In many cases the router may be unable to handle SNMP ALG
   and retain acceptable performance.  In these cases it may be better
   to locate the SNMP ALG outside the router, as described in Figure 2.

2. Terminology and Concepts Used

   In general we adapt the terminology defined in [15].  Our main
   concern is SNMP messages exchanged between SNMP engines.  This
   document only discusses SNMP messages that are sent over UDP, which
   is the preferred transport mapping for SNMP messages [5].  SNMP
   messages sent over other transports can be handled in a similar way.
   Thus, the term SNMP packet is used throughout this document to refer
   to an SNMP message contained in a UDP packet.

   SNMP messages contain SNMP PDUs (Protocol Data Units).  An SNMP PDU
   defines the parameters for a specific SNMP protocol operation.  The
   notion of flow is less relevant in this case, and hence we will focus
   on the information contained in a single SNMP packet.

   There are currently three versions of SNMP.  SNMP version 1 (SNMPv1)
   protocol is defined in STD 15, RFC 1157 [2].  The SNMP version 2c
   (SNMPv2c) protocol is defined in RFC 1901 [3], RFC 1905 [4] and RFC
   1906 [5].  Finally, the SNMP version 3 (SNMPv3) protocol is defined
   in RFC 1905 [4], 1906 [5], RFC 2572 [10] and RFC 2574 [12].  See RFC
   2570 [9] for a more detailed overview of the SNMP standards.  In
   the following, unless otherwise mentioned, we use the term SNMP in
   statements that are applicable to all three SNMP versions.

   SNMP uses ASN.1 [13] to define the abstract syntax of the messages.
   The actual encoding of the messages is done by using the Basic
   Encoding Rules (BER) [14], which provide the transfer syntax.

   We refer to packets that go from a management station to the network
   elements as "outgoing", and packets that go from the network elements
   to the management station as "incoming".

   A basic SNMP ALG is an SNMP ALG implementation in which only IP
   address values encoded in the IpAddress type are translated.  A basic
   SNMP ALG therefore does not need to be MIB aware.

   An advanced SNMP ALG is an SNMP ALG implementation which is capable
   of handling and replacing IP address values encoded in well known IP
   address data types and instance identifiers derived from those data
   types.  This implies that an advanced SNMP ALG is MIB aware.

3. Problem Scope and Requirements

   As mentioned before, in many cases, there is a need to manage a local
   addressing realm that is using NAT, from a manager site outside the
   realm.
   A particularly important example is the case of network management
   service providers who provide network management services from a
   remote site.  Such providers may have many customers, each
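
The basic SNMP ALG defined in section 2, as an added example that is
not part of RFC 2962: a MIB-unaware BER walk that rewrites only values
tagged as IpAddress, using a static one-to-one table. The function
names, the sample packet and the 10.1.1.5 mapping are constructed for
illustration.

```python
import ipaddress

IPADDRESS_TAG = 0x40  # SMI IpAddress: [APPLICATION 0], always 4 content octets
# Constructed sample: SNMPv2c response, community "public", one varbind
# ipAdEntAddr.192.10.1.5 = IpAddress 192.10.1.5
SAMPLE = bytes.fromhex(
    "3030" "020101" "04067075626c6963" "a223" "020101" "020100" "020100"
    "3018" "3016" "060e2b060102010414010181400a0105" "4004c00a0105")

def read_tlv(buf, pos, end):
    """Return (tag, content_start, content_end) of the BER TLV at pos."""
    if pos + 2 > end:
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    if (tag & 0x1F) == 0x1F:
        raise ValueError("multi-octet tag, not expected in SNMP")
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or pos + n > end:
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > end:
        raise ValueError("TLV content runs past its container")
    return tag, pos, pos + length

def translate(buf, mapping, pos=0, end=None):
    """Rewrite mapped IpAddress values in place; return the number changed."""
    end = len(buf) if end is None else end
    changed = 0
    while pos < end:
        tag, start, stop = read_tlv(buf, pos, end)
        if tag & 0x20:  # constructed: message, PDU, varbind list, varbind
            changed += translate(buf, mapping, start, stop)
        elif tag == IPADDRESS_TAG and stop - start == 4:
            new = mapping.get(bytes(buf[start:stop]))
            if new is not None:
                buf[start:stop] = new  # still 4 octets: no length field changes
                changed += 1
        pos = stop
    return changed

def basic_alg(packet, table):
    """table: static one-to-one map of dotted-quad strings (assumed format)."""
    mapping = {ipaddress.IPv4Address(a).packed: ipaddress.IPv4Address(b).packed
               for a, b in table.items()}
    buf = bytearray(packet)
    changed = translate(buf, mapping)
    return bytes(buf), changed
```

On the sample, only the value octets change; the instance identifier
ipAdEntAddr.192.10.1.5 in the varbind name still carries the private
address, which is the case the advanced, MIB-aware ALG is defined for.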
