NMRG J. Schoenwaelder
Internet-Draft International University Bremen
Intended status: Informational January 25, 2007
Expires: July 29, 2007
SNMP Traffic Measurements and Trace Exchange Formats
draft-irtf-nmrg-snmp-measure-01.txt
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on July 29, 2007.
Copyright Notice
Copyright (C) The Internet Society (2007).
Schoenwaelder Expires July 29, 2007 [Page 1]
Internet-Draft SNMP Traffic Measurements January 2007
Abstract
The Simple Network Management Protocol (SNMP) is widely deployed to
monitor, control and configure network elements. Even though the
SNMP technology is well documented, it remains relatively unclear how
SNMP is used in practice and what typical SNMP usage patterns are.
This document proposes to carry out large scale SNMP traffic
measurements in order to develop a better understanding how SNMP is
used in real world production networks. It describes the motivation,
the measurement approach, and the tools and data formats needed to
carry out such a study.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Measurement Approach . . . . . . . . . . . . . . . . . . . . . 4
2.1. Capturing Traffic Traces . . . . . . . . . . . . . . . . . 4
2.2. Converting Traffic Traces . . . . . . . . . . . . . . . . 5
2.3. Filtering Traffic Traces . . . . . . . . . . . . . . . . . 6
2.4. Storing Traffic Traces . . . . . . . . . . . . . . . . . . 7
2.5. Processing Traffic Traces . . . . . . . . . . . . . . . . 7
3. Analysis of Traffic Traces . . . . . . . . . . . . . . . . . . 9
3.1. Basic Statistics . . . . . . . . . . . . . . . . . . . . . 9
3.2. Periodic vs. Aperiodic Traffic . . . . . . . . . . . . . . 9
3.3. Message Size and Latency Distributions . . . . . . . . . . 9
3.4. Concurrency Levels . . . . . . . . . . . . . . . . . . . . 9
3.5. Table Retrieval Approaches . . . . . . . . . . . . . . . . 10
3.6. Trap-Directed Polling - Myths or Reality? . . . . . . . . 10
3.7. Popular MIB Definitions . . . . . . . . . . . . . . . . . 10
3.8. Usage of Obsolete Objects . . . . . . . . . . . . . . . . 10
3.9. Encoding Length Distributions . . . . . . . . . . . . . . 11
3.10. Counters and Discontinuities . . . . . . . . . . . . . . . 11
3.11. Spin Locks . . . . . . . . . . . . . . . . . . . . . . . . 11
3.12. Row Creation . . . . . . . . . . . . . . . . . . . . . . . 11
4. Trace Exchange Formats . . . . . . . . . . . . . . . . . . . . 12
4.1. RELAX NG Schema Definition . . . . . . . . . . . . . . . . 12
4.2. CSV Format Definition . . . . . . . . . . . . . . . . . . 15
5. Security Considerations . . . . . . . . . . . . . . . . . . . 17
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 18
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19
7.1. Normative References . . . . . . . . . . . . . . . . . . . 19
7.2. Informative References . . . . . . . . . . . . . . . . . . 19
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 22
Intellectual Property and Copyright Statements . . . . . . . . . . 23
Schoenwaelder Expires July 29, 2007 [Page 2]
Internet-Draft SNMP Traffic Measurements January 2007
1. Introduction
The Simple Network Management Protocol (SNMP) was introduced in the
late 1980s [RFC1052] and has since then evolved to what is known
today as the SNMP version 3 Framework (SNMPv3) [RFC3410]. While SNMP
is widely deployed, it is not clear which features are being used,
how SNMP usage differs in different types of networks or
organizations, which information is frequently queried, and what
typical SNMP interactions patterns are in real world production
networks.
There have been several publications in the recent past dealing with
the performance of SNMP in general [SM99][Mal02][Pat01], the impact
of SNMPv3 security [DSR01][CT04], or the relative performance of SNMP
compared to Web Services [PDMQ04][PFGL04]. While these papers are
generally useful to better understand the impact of various design
decisions and technologies, some of these papers lack a strong
foundation because authors typically assume certain SNMP interaction
patterns without having experimental evidence that the assumptions
are correct. In fact, there are many speculations how SNMP is being
used in real world production networks and how it performs, but no
systematic measurements have been performed and published so far.
Many authors use the ifTable of the IF-MIB [RFC2863] or the
tcpConnTable of the TCP-MIB [RFC4022] as a starting point for their
analysis and comparison. Despite the fact that there is no evidence
that operations on these tables dominate SNMP traffic, it is even
more unclear how these tables are read and which optimizations are
done (or not done) by real world applications. It is also unclear
what the actual traffic trade-off between periodic polling and more
aperiodic bulk data retrieval is. Furthermore, we do not generally
understand how much traffic is devoted to standardized MIB objects
and how much traffic deals with proprietary MIB objects and whether
the operation mix differs between these object classes or between
different operational environments.
This document describes an effort to collect SNMP traffic traces in
order to find answers to some of these questions. It describes the
tools that have been developed to allow network operators to collect
traffic traces and to share them with research groups interested in
analyzing and modeling network management interactions.
Schoenwaelder Expires July 29, 2007 [Page 3]
Internet-Draft SNMP Traffic Measurements January 2007
2. Measurement Approach
This section outlines the process of doing SNMP traffic measurements
and analysis. The process consists of the following five basic
steps:
1. Capture raw SNMP traffic traces in pcap capture files.
2. Convert the raw traffic traces into a structured machine and
human readable format. A suitable XML schema has been developed
for this purpose which captures all SNMP message details. In
addition, another more compact comma separated values (CSV)
format has been developed which only keeps key information about
SNMP messages.
3. Filter the converted traffic traces to hide or anonymize
sensitive information. While the filtering is conceptually a
separate step, filtering may actually be implemented as part of
the previous data conversion step for efficiency reasons.
4. Submit the filtered traffic traces to a repository from where
they can be retrieved and analyzed. Such a repository may be
public, it may be under the control of a research group, or it
may be under the control of a network operator who commits to run
analysis scripts on the repository on behalf of researchers.
5. Analyze the traces by creating and executing analysis scripts
which extract and aggregate information.
Several of the steps listed above require the involvement of network
operators supporting the SNMP measurement projects. In many cases,
the filtered XML and CSV representation of the SNMP traces will be
the binding interface between the researchers writing analysis
scripts and the operators involved in the measurement activity. It
is therefore important to have a well defined specification of these
interfaces.
This section provides some advice and concrete hints how the steps
listed above can be carried out efficiently. Some special tools have
been developed to assist network operators and researchers so that
the time spent on supporting SNMP traffic measurement projects is
limited. The following sections describe the five steps and some
tools in more detail.
2.1. Capturing Traffic Traces
Capturing SNMP traffic traces can be done using packet sniffers such
as tcpdump [1], ethereal [2], or similar applications. Some care
Schoenwaelder Expires July 29, 2007 [Page 4]
Internet-Draft SNMP Traffic Measurements January 2007
must be taken to specify pcap filter expressions that match the SNMP
transport endpoints used to carry SNMP traffic (typically 'udp and
(port 161 or port 162)'). Furthermore, it is necessary to ensure
that full packets are captured, that is packets are not truncated
(tcpdump option -s 0). Finally, it is necessary to carefully select
the placement of the capturing probe within the network. Especially
on bridged LANs, it is important to ensure that all management
traffic is captured and that the probe has access to all virtual LANs
carrying management traffic. This usually requires to place the
probe(s) close to the management system(s) and to configure dedicated
monitoring ports on bridged networks.
It is recommended to capture at least a full week of data. Operators
are encouraged to capture traces over even longer periods of time.
Tools such as tcpslice [1] or pcapmerge [3] can be used to merge or
split pcap trace files as needed.
Several operating systems can offload some of the TCP/IP processing
such as the calculation of transport layer checksum to network
interface cards. Traces that include traffic to/from a capturing
interface which supports TCP/IP offloading can include incorrect
transport layer checksums. The simplest solution is of course to
turn checksum offloading off while capturing traces (if that is
feasible without loosing too many packets). The other solution is to
correct or ignore checksums during the subsequent analysis of the raw
pcap files.
It is important to note that the raw pcap files should be kept in
stable storage (e.g., compressed and encrypted on a CD ROM or DVD).
To verify measurements, it might be necessary to go back to the
original pcap files if for example bugs in the tools described below
have been detected and fixed.
For each captured trace, some meta data should be recorded and made
available. The meta data should include information such as where
the traces was collected, when it was collected, contact information,
the size of the trace, any known special events during the data
collection period and so on. It is also extremely useful to provide
a unique identification. There are special online services such as
DatCat [4] where meta data can be store and which provide unique
identifiers.
2.2. Converting Traffic Traces
Raw traces in pcap format must be converted into a format that is (a)
human readable and (b) machine readable for efficient post-
processing. Human readability makes it easy for an operator to
verify that no sensitive data is left in a trace while machine
Schoenwaelder Expires July 29, 2007 [Page 5]
Internet-Draft SNMP Traffic Measurements January 2007
readability is needed to efficiently extract relevant information.
The natural choice here is to use an XML format since XML is human as
well as machine readable and there are many tools and high-level
scripting language application programming interfaces (APIs) that can
be used to process XML documents and to extract meaningful
information. However, it should be noted that XML is also pretty
verbose which increases processing overhead. In particular, the
usage of XML streaming APIs is strongly suggested since APIs that
require an in memory representation of XML documents do not handle
large traces well.
Section 4.1 of this document defines a [OASISRNG] schema for
representing SNMP traffic traces in XML. The schema captures all
relevant details of an SNMP messages in the XML format. Note that
the XML format retains some information about the original ASN.1/BER
encoding to support message size analysis.
A lightweight alternative to the full blown XML representation based
on comma separated values (CSV) is defined in Section 4.2. The CSV
format only captures the most essential parts of SNMP messages and is
thus more compact and faster to process.
As explained in the previous sections, analysis programs which
process raw pcap files should have an option to ignore incorrect
checksums caused by TCP/IP offloading. In addition, analysis
programs which process raw pcap files should be able to perform IP
reassembly for SNMP messages that got fragmented at the IP layer.
The snmpdump [5] package has been developed to convert raw pcap files
into XML and CSV format. The snmpdump program reads either pcap
files or XML files as input and produces XML files or CSV files as
output. Specific elements can be filtered if that is required to
protect sensitive data.
2.3. Filtering Traffic Traces
Filtering sensitive data can be achieved by manipulating the XML
representation of an SNMP trace. Standard XSLT processors such as
xsltproc [6] can be used for this purpose. People familiar with Perl
might also be interested in using the XML::LibXML [7] Perl package to
manipulate XML documents from within Perl.
The snmpdump program can filter out sensitive information, e.g., by
deleting or clearing all XML elements whose name matches a regular
expression. Work is in progress to provide data type specific
anonymization transformations that maintain lexicographic ordering
for values that appear in instance identifiers [HS06].
Schoenwaelder Expires July 29, 2007 [Page 6]
Internet-Draft SNMP Traffic Measurements January 2007
2.4. Storing Traffic Traces
The pcap traces together with the XML / CSV formatted traces should
be stored in a stable archive or repository. Such an archive or
repository might either be maintained by research groups (e.g., the
NMRG) or by network operators. It is of key importance that captured
traces are not lost or modified as they may form the basis of future
research projects and may also be needed to verify published research
results. Access to the archive might be restricted to those who have
signed some sort of a non-disclosure agreement.
Lossless compression algorithms embodied in programs such as gzip or
bzip2 can be used to compress even large trace files down to a size
where they can be burned on DVDs for cheap longterm storage.
It must be stressed again that it is important to keep the original
pcap traces in addition to the XML / CSV formatted traces since the
pcap traces are the most authentic source of information.
Improvements in the tool chain may require to go back to the original
pcap traces and to rebuild all intermediate formats from them.
2.5. Processing Traffic Traces
Scripts that analyze traffic traces must be verified for correctness.
Ideally, all scripts used to analyze traffic traces would be
publically accessible so that third parties can verify them.
Furthermore, sharing scripts will enable other parties to repeat an
analysis on other traffic traces and to extend such analysis scripts.
A common versioned repository for analysis scripts might be useful to
establish.
Due to the availability of XML parsers and the simplicity of the CSV
format, trace files can be processed with tools written in almost any
programming language. However, in order to facilitate a common
vocabulary and to allow operators to easily read scripts they execute
on trace files, it is suggested that analysis scripts are written in
the Perl programming language using the XML::LibXML [7] Perl package
to read the XML format of the trace files. Using a scripting
language such as Perl instead of system programming languages such as
C or C++ has the advantage to reduce development time and to make
scripts more accessible to operators who may want to verify scripts
before running them on trace files which potentially contain
sensitive data.
It should be noted here that the snmpdump tool provides an API to
process SNMP messages in C/C++. While the coding of trace analysis
programs in C/C++ should in general be avoided for code readability,
verifiability and portability reasons, using C/C++ might be the only
Schoenwaelder Expires July 29, 2007 [Page 7]
Internet-Draft SNMP Traffic Measurements January 2007
option to deal with very large traces efficiently.
Schoenwaelder Expires July 29, 2007 [Page 8]
Internet-Draft SNMP Traffic Measurements January 2007
3. Analysis of Traffic Traces
This section discusses several questions that can be answered by
analyzing SNMP traffic traces. The questions raised in the following
subsections are meant to be illustrative and no attempt has been made
to provide a complete list.
3.1. Basic Statistics
Basic statistics cover things such as the SNMP protocol versions used
or the protocol operations used in a traffic trace. In addition, a
rough classification of the data manipulated into 'standardized',
'proprietary', and 'experimental' data can be done. Finally, general
trace characteristics such as message size distributions or the
periodicity of traces can be analyzed.
3.2. Periodic vs. Aperiodic Traffic
SNMP is used to periodically poll devices as well as to retrieve
information on request of an operator or application. The periodic
polling leads to periodic traffic patterns while the on demand
information retrieval causes more aperiodic traffic patterns. It is
worthwhile to understand what the relationship is between the amount
of periodic and aperiodic traffic. In addition, it will be
interesting to research whether there are multiple levels of
periodicity at different time scales.
3.3. Message Size and Latency Distributions
SNMP messages are size constrained by the transport mappings used and
the buffers provided by the SNMP engines. For the further evolution
of the SNMP framework, it would be useful to know what the actual
message size distributions are. In addition, it would be useful to
understand the latency distributions, especially the distribution of
the processing times by SNMP command responders. Some SNMP
implementations approximate networking delays by measuring request-
response times and it would be useful to understand to what extent
this is a viable approach.
3.4. Concurrency Levels
SNMP allows management stations to retrieve information from multiple
agents concurrently. It will be interesting to identify what the
typical concurrency level is that can be observed on production
networks or whether management applications prefer more sequential
ways of retrieving data.
Schoenwaelder Expires July 29, 2007 [Page 9]
Internet-Draft SNMP Traffic Measurements January 2007
3.5. Table Retrieval Approaches
Tables can be read in several different ways. The simplest and most
inefficient approach is to retrieve tables cell-by-cell in column-by-
column order. More advanced approaches try to read tables row-by-row
or even multiple-rows-by-multiple-rows. In addition, the retrieval
of index elements can be suppressed in most cases. It will be useful
to know which of these approaches are actually used on production
networks.
3.6. Trap-Directed Polling - Myths or Reality?
SNMP is built around a concept called trap-directed polling.
Management applications are responsible to periodically poll SNMP
agents to determine their status. SNMP agents can in addition send
traps to notify SNMP managers about events so that SNMP managers can
adopt their polling strategy and basically react faster than normal
polling would allow to do.
Analysis of SNMP traffic traces can identity whether trap-directed
polling is actually deployed. In particular, the question that
should be addressed is whether SNMP notifications lead to changes in
the short-term polling behavior of management stations. In
particular, it should be investigated to what extent SNMP managers
use automated procedures to track down the meaning of the event
conveyed by an SNMP notification.
3.7. Popular MIB Definitions
An analysis of object identifier prefixes can identify the most
popular MIB modules and the most important object types or
notification types defined by these modules. Such information would
be very valuable for the further maintenance and development of these
and related MIB modules.
3.8. Usage of Obsolete Objects
Several objects from the early days have been obsoleted because they
cannot properly represent today's networks. A typical example is the
ipRouteTable which was obsoleted because it was not able to represent
classless routing, introduced and deployed on the Internet in 1993.
Some of these obsolete objects are still mentioned in popular
publications as well as research papers. It will be interesting to
find out whether they are also still used by management applications
or whether management applications have been updated to use the
replacement objects.
Schoenwaelder Expires July 29, 2007 [Page 10]
Internet-Draft SNMP Traffic Measurements January 2007
3.9. Encoding Length Distributions
It will be useful to understand the encoding length distributions for
various data types. Assumption about encoding length distributions
are sometimes used to estimate SNMP message sizes in order to meet
transport and buffer size constraints.
3.10. Counters and Discontinuities
Counters can experience discontinuities [RFC2578]. The default
discontinuity indicator is the sysUpTime scalar of the SNMPv2-MIB
[RFC3418], which can also be used to detect counter roll-overs. Some
MIB modules introduce more specific discontinuity indicators, e.g.,
the ifCounterDiscontinuityTime of the IF-MIB [RFC2863]. It will be
interesting to study to what extent these objects are actually used
by management applications to handle discontinuity events.
3.11. Spin Locks
Cooperating command generators can use advisory locks to coordinate
their usage of SNMP write operations. The snmpSetSerialNo scalar of
the SNMPv2-MIB [RFC3418] is the default course-grain coordination
object. It will be interesting to find out whether there are command
generators which coordinate themselves using these spin locks.
3.12. Row Creation
Row creation is an operation not natively supported by the protocol
operations. Instead, conceptual tables supporting row creation
typically provide a control column which uses the RowStatus textual
convention defined in the SNMPv2-TC module. The RowStatus itself
supports different row creation modes, namely createAndWait (dribble-
mode) and createAndGo (one-shot mode). In addition, different
approaches can be used to derive the instance identifier if it does
not have special semantics associated. It will be useful to study
which of the various row creation approaches are actually used by
management applications on production networks.
Schoenwaelder Expires July 29, 2007 [Page 11]
Internet-Draft SNMP Traffic Measurements January 2007
4. Trace Exchange Formats
4.1. RELAX NG Schema Definition
The XML format has been designed to keep all information associated
with SNMP messages. The format is specified in RELAX NG compact
notation [OASISRNC]. Freely available tools such as trang [8] can be
used to convert RELAX NG compact syntax to other XML schema
notations.
# Relax NG grammar for the XML SNMP trace format.
#
# Published as part of RFC XXXX.
#
# Note that we do not use the IANA namespace registry since RFC 3688
# seems to restrict it to IETF documents (and this specification is
# originating from the IRTF).
#
# $Id: snmptrace.rnc 2155 2007-01-25 22:30:16Z schoenw $
default namespace = "http://www.nosuchname.net/nmrg/snmptrace"
start =
element snmptrace {
packet.elem*
}
packet.elem =
element packet {
element time-sec { xsd:unsignedInt },
element time-usec { xsd:unsignedInt },
element src-ip { ipaddress.type },
element src-port { xsd:unsignedInt },
element dst-ip { ipaddress.type },
element dst-port { xsd:unsignedInt },
snmp.elem
}
snmp.elem =
element snmp {
length.attrs?,
message.elem
}
message.elem =
element version { length.attrs, xsd:int },
element community { length.attrs, xsd:hexBinary },
pdu.elem
Schoenwaelder Expires July 29, 2007 [Page 12]
Internet-Draft SNMP Traffic Measurements January 2007
message.elem |=
element version { length.attrs, xsd:int },
element message {
length.attrs,
element msg-id { length.attrs, xsd:unsignedInt },
element max-size { length.attrs, xsd:unsignedInt },
element flags { length.attrs, xsd:hexBinary },
element security-model { length.attrs, xsd:unsignedInt }
},
usm.elem?,
element scoped-pdu {
length.attrs,
element context-engine-id { length.attrs, xsd:hexBinary },
element context-name { length.attrs, xsd:string },
pdu.elem
}
usm.elem =
element usm {
length.attrs,
element auth-engine-id { length.attrs, xsd:hexBinary },
element auth-engine-boots { length.attrs, xsd:unsignedInt },
element auth-engine-time { length.attrs, xsd:unsignedInt },
element user { length.attrs, xsd:hexBinary },
element auth-params { length.attrs, xsd:hexBinary },
element priv-params { length.attrs, xsd:hexBinary }
}
pdu.elem =
element trap {
length.attrs,
element enterprise { length.attrs, oid.type },
element agent-addr { length.attrs, ipv4address.type },
element generic-trap { length.attrs, xsd:int },
element specific-trap { length.attrs, xsd:int },
element time-stamp { length.attrs, xsd:int },
element variable-bindings { length.attrs, varbind.elem* }
}
pdu.elem |=
element (get-request | get-next-request | get-bulk-request |
set-request | inform | trap2 | response | report) {
length.attrs,
element request-id { length.attrs, xsd:int },
element error-status { length.attrs, xsd:int },
element error-index { length.attrs, xsd:int },
element variable-bindings { length.attrs, varbind.elem* }
}
Schoenwaelder Expires July 29, 2007 [Page 13]
Internet-Draft SNMP Traffic Measurements January 2007
varbind.elem =
element varbind { length.attrs, name.elem, value.elem }
name.elem =
element name { length.attrs, oid.type }
value.elem =
element null { length.attrs, empty } |
element integer32 { length.attrs, xsd:int } |
element unsigned32 { length.attrs, xsd:unsignedInt } |
element unsigned64 { length.attrs, xsd:unsignedLong } |
element ipaddress { length.attrs, ipv4address.type } |
element octet-string { length.attrs, xsd:hexBinary } |
element object-identifier { length.attrs, oid.type } |
element opaque { length.attrs, xsd:hexBinary } |
element no-such-object { length.attrs, empty } |
element no-such-instance { length.attrs, empty } |
element end-of-mib-view { length.attrs, empty }
# The blen attribute indicates the number of bytes used by the BER
# encoded tag / length / value triple. The vlen attribute indicates
# the number of bytes used by the BER encoded value alone.
length.attrs =
( attribute blen { xsd:unsignedShort },
attribute vlen { xsd:unsignedShort } )?
oid.type =
xsd:string {
pattern =
"""[0-2](\.[0-9]+)+"""
}
# The types below are for IP addresses. Note that SNMP's buildin
# IpAddress type only supports IPv4 addresses; IPv6 addresses are only
# introduced to cover SNMP over IPv6 endpoints.
ipv4address.type =
xsd:string {
pattern =
"""[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*"""
}
ipv6address.type =
xsd:string {
pattern =
"""(([0-9a-fA-F]+:){7}[0-9a-fA-F]+)|(([0-9a-fA-F]+:)*[0-9a-fA-F]+)?::(([0-9a-fA-F]+:)*[0-9a-fA-F]+)?"""
}
Schoenwaelder Expires July 29, 2007 [Page 14]
Internet-Draft SNMP Traffic Measurements January 2007
ipaddress.type = ipv4address.type | ipv6address.type
4.2. CSV Format Definition
The comma separated values (CSV) format has been design to capture
only the most relevant information about an SNMP message. The CSV
format uses the following fields:
1. Time-stamp in the format seconds.microseconds since 1970, for
example "1137764769.425484".
2. Source IP address in dotted quad notation (IPv4), for example
"127.0.0.1", or compact hexadecimal notation (IPv6), for example
"::1".
3. Source port number represented as a decimal number, for example
"4242".
4. Destination IP address in dotted quad notation (IPv4), for
example "127.0.0.1", or compact hexadecimal notation (IPv6), for
example "::1".
5. Destination port number represented as a decimal number, for
example "161".
6. Size of the SNMP message (a decimal number) counted in bytes,
for example "123". The size excludes all transport, network,
and link-layer headers.
7. SNMP message version represented as a decimal number. The
version 0 stands for SNMPv1, 1 for SNMPv2c, and 3 for SNMPv3,
for example "3".
8. SNMP protocol operation indicated by one of the keywords get-
request, get-next-request, get-bulk-request, set-request, trap,
trap2, inform, response, report.
9. SNMP request-id in decimal notation, for example "1511411010".
10. SNMP error-status in decimal notation, for example "0".
11. SNMP error-index in decimal notation, for example "0".
12. Number of variable-bindings contained in the varbind-list in
decimal notation, for example "5".
Schoenwaelder Expires July 29, 2007 [Page 15]
Internet-Draft SNMP Traffic Measurements January 2007
13. For each varbind in the varbind list, three output elements are
generated
1. Object names given as object identifiers in dotted decimal
notation, for example "1.3.6.1.2.1.1.3.0". Object names are
separated by commas.
2. Object base type name or exception names, that is one of the
following: null, integer32, unsigned32, unsigned64,
ipaddress, octet-string, object-identifier, no-such-object,
no-such-instance, and end-of-mib-view.
3. Object values are printed as numbers if the underlying base
type is numeric. IPv4 addresses are printed in the usual
decimal notation and IPv6 addresses in the usual hexadecimal
notation. Octet string values are printed in hexadecimal
format while object identifiers are printed in dotted
decimal notation. Exceptions are encoded by their name,
that is no-such-object, no-such-instance, and end-of-mib-
view.
Note that the format does not preserve the information needed to
understand SNMPv1 traps. It is therefore recommended that
implementations are able convert the old SNMPv1 trap format into the
new trap format used by SNMPv2c and SNMPv3, according to the rules
defined in [RFC3584]. The activation of trap format conversion
should be the user's choice.
Schoenwaelder Expires July 29, 2007 [Page 16]
Internet-Draft SNMP Traffic Measurements January 2007
5. Security Considerations
SNMP traffic traces usually contain sensitive information. It is
therefore necessary to (a) remove unneeded information and (b) to
anonymize the remaining necessary information before traces are made
available for analysis.
Implementations that generate XML traces from raw pcap files should
have an option to suppress values. Note that instance identifiers of
tables also include values and it might therefore be necessary to
suppress (parts of) the instance identifiers. Similarly, the packet
and message headers typically contain sensitive information about the
source and destination of SNMP messages as well as authentication
information (community strings or user names).
Anonymization techniques can be applied to keep more information in
traces which could reveal sensitive information. When using
anonymization, values should only be added when the underlying data
type is known and an appropriate anonymization transformation is
available (filter-in principle). For values appearing in instance
identifiers, it is usually desirable to maintain the lexicographic
order. Special anonymization transformations which preserve this
property have been developed, although their anonymization strength
is usually reduced compared to transformations that do not preserve
lexicographic ordering [HS06].
Schoenwaelder Expires July 29, 2007 [Page 17]
Internet-Draft SNMP Traffic Measurements January 2007
6. Acknowledgements
This document was influenced by discussions within the Network
Management Research Group (NMRG). Special thanks to Remco van de
Meent for writing the initial Perl script that lead to the
development of the snmpdump software package and Matus Harvan for his
work on lexicographic order preserving anonymization transformations.
Aiko Pras contributed ideas to Section 3 while David Harrington
helped to improve the readability of this document.
Part of this work was funded by the European Commission under grant
FP6-2004-IST-4-EMANICS-026854-NOE.
Schoenwaelder Expires July 29, 2007 [Page 18]
Internet-Draft SNMP Traffic Measurements January 2007
7. References
7.1. Normative References
[RFC2578] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
"Structure of Management Information Version 2 (SMIv2)",
STD 58, RFC 2578, April 1999.
[RFC3418] Presuhn, R., Case, J., McCloghrie, K., Rose, M., and S.
Waldbusser, "Management Information Base (MIB) for the
Simple Network Management Protocol (SNMP)", STD 62,
RFC 3418, December 2002.
[OASISRNG]
Clark, J. and M. Makoto, "RELAX NG Specification",
OASIS Committee Specification, December 2001.
[OASISRNC]
Clark, J., "RELAX NG Compact Syntax", OASIS Committee
Specification, November 2002.
[RFC3584] Frye, R., Levi, D., Routhier, S., and B. Wijnen,
"Coexistence between Version 1, Version 2, and Version 3
of the Internet-standard Network Management Framework",
RFC 3584, August 2003.
7.2. Informative References
[RFC1052] Cerf, V., "IAB Recommendations for the Development of
Internet Network Management Standards", RFC 1052,
April 1998.
[RFC2863] McCloghrie, K. and F. Kastenholz, "The Interfaces Group
MIB", RFC 2863, June 2000.
[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
"Introduction and Applicability Statements for Internet
Standard Management Framework", RFC 3410, December 2002.
[RFC4022] Raghunarayan, R., "Management Information Base for the
Transmission Control Protocol (TCP)", RFC 4022,
March 2005.
[PDMQ04] Pras, A., Drevers, T., van de Meent, R., and D. Quartel,
"Comparing the Performance of SNMP and Web Services based
Management", IEEE electronic Transactions on Network and
Service Management 1(2), November 2004.
Schoenwaelder Expires July 29, 2007 [Page 19]
Internet-Draft SNMP Traffic Measurements January 2007
[Pat01] Pattinson, C., "A Study of the Behaviour of the Simple
Network Management Protocol", Proc. 12th IFIP/IEEE
Workshop on Distributed Systems: Operations and
Management , October 2001.
[DSR01] Du, X., Shayman, M., and M. Rozenblit, "Implementation and
Performance Analysis of SNMP on a TLS/TCP Base", Proc. 7th
IFIP/IEEE International Symposium on Integrated Network
Management , May 2001.
[CT04] Corrente, A. and L. Tura, "Security Performance Analysis
of SNMPv3 with Respect to SNMPv2c", Proc. 2004 IEEE/IFIP
Network Operations and Management Symposium , April 2004.
[PFGL04] Pavlou, G., Flegkas, P., Gouveris, S., and A. Liotta, "On
Management Technologies and the Potential of Web
Services", IEEE Communications Magazine 42(7), July 2004.
[SM99] Sprenkels, R. and J. Martin-Flatin, "Bulk Transfers of MIB
Data", Simple Times 7(1), March 1999.
[Mal02] Malowidzki, M., "GetBulk Worth Fixing", Simple
Times 10(1), December 2002.
[HS06] Harvan, M. and J. Schoenwaelder, "Prefix- and
Lexicographical-order-preserving IP Address
Anonymization", IEEE/IFIP Network Operations and
Management Symposium NOMS 2006, April 2006.
Schoenwaelder Expires July 29, 2007 [Page 20]
Internet-Draft SNMP Traffic Measurements January 2007
URIs
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
Schoenwaelder Expires July 29, 2007 [Page 21]
Internet-Draft SNMP Traffic Measurements January 2007
Author's Address
Juergen Schoenwaelder
International University Bremen
Campus Ring 1
28725 Bremen
Germany
Phone: +49 421 200-3587
Email: j.schoenwaelder@iu-bremen.de
Schoenwaelder Expires July 29, 2007 [Page 22]
Internet-Draft SNMP Traffic Measurements January 2007
Full Copyright Statement
Copyright (C) The Internet Society (2007).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgment
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Schoenwaelder Expires July 29, 2007 [Page 23]