From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc6632.txt | 4763 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 4763 insertions(+) create mode 100644 doc/rfc/rfc6632.txt (limited to 'doc/rfc/rfc6632.txt') diff --git a/doc/rfc/rfc6632.txt b/doc/rfc/rfc6632.txt new file mode 100644 index 0000000..8c5ddf2 --- /dev/null +++ b/doc/rfc/rfc6632.txt @@ -0,0 +1,4763 @@ + + + + + + +Internet Engineering Task Force (IETF) M. Ersue, Ed. +Request for Comments: 6632 Nokia Siemens Networks +Category: Informational B. Claise +ISSN: 2070-1721 Cisco Systems, Inc. + June 2012 + + + An Overview of the IETF Network Management Standards + +Abstract + + This document gives an overview of the IETF network management + standards and summarizes existing and ongoing development of IETF + Standards Track network management protocols and data models. The + document refers to other overview documents, where they exist and + classifies the standards for easy orientation. The purpose of this + document is, on the one hand, to help system developers and users to + select appropriate standard management protocols and data models to + address relevant management needs. On the other hand, the document + can be used as an overview and guideline by other Standard + Development Organizations or bodies planning to use IETF management + technologies and data models. This document does not cover + Operations, Administration, and Maintenance (OAM) technologies on the + data-path, e.g., OAM of tunnels, MPLS Transport Profile (MPLS-TP) + OAM, and pseudowire as well as the corresponding management models. + +Status of This Memo + + This document is not an Internet Standards Track specification; it is + published for informational purposes. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Not all documents + approved by the IESG are a candidate for any level of Internet + Standard; see Section 2 of RFC 5741. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + http://www.rfc-editor.org/info/rfc6632. + + + + + + + + + + +Ersue & Claise Informational [Page 1] + +RFC 6632 IETF Management Standards June 2012 + + +Copyright Notice + + Copyright (c) 2012 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + +Table of Contents + + 1. Introduction ....................................................4 + 1.1. Scope and Target Audience ..................................4 + 1.2. Related Work ...............................................5 + 1.3. Terminology ................................................6 + 2. Core Network Management Protocols ...............................8 + 2.1. Simple Network Management Protocol (SNMP) ..................8 + 2.1.1. Architectural Principles of SNMP ....................8 + 2.1.2. SNMP and Its Versions ...............................9 + 2.1.3. Structure of Managed Information (SMI) .............11 + 2.1.4. SNMP Security and Access Control Models ............12 + 2.1.4.1. Security Requirements on the SNMP + Management Framework ......................12 + 2.1.4.2. User-Based Security Model (USM) ...........12 + 2.1.4.3. View-Based Access Control Model (VACM) ....13 + 2.1.5. SNMP Transport Subsystem and Transport Models ......13 + 2.1.5.1. SNMP Transport Security Model .............14 + 2.2. Syslog Protocol ...........................................15 + 2.3. IP Flow Information eXport (IPFIX) and Packet + SAMPling (PSAMP) Protocols ................................16 + 2.4. Network Configuration .....................................19 + 2.4.1. Network Configuration Protocol (NETCONF) ...........19 + 2.4.2. YANG - NETCONF Data Modeling Language ..............21 + 3. Network Management Protocols and Mechanisms with + Specific Focus .................................................23 + 3.1. IP Address Management .....................................23 + 3.1.1. Dynamic Host Configuration Protocol (DHCP) .........23 + 3.1.2. Ad Hoc Network Autoconfiguration ...................24 + 3.2. IPv6 Network Operations ...................................25 + 3.3. Policy-Based Management ...................................26 + 3.3.1. IETF Policy Framework ..............................26 + + + + +Ersue & Claise Informational [Page 2] + +RFC 6632 IETF Management Standards June 2012 + + + 3.3.2. Use of Common Open Policy Service (COPS) + for Policy Provisioning (COPS-PR) ..................26 + 3.4. IP Performance Metrics (IPPM) .............................27 + 3.5. Remote Authentication Dial-In User Service (RADIUS) .......29 + 3.6. Diameter Base Protocol (Diameter) .........................31 + 3.7. Control and Provisioning of Wireless Access Points + (CAPWAP) ..................................................35 + 3.8. Access Node Control Protocol (ANCP) .......................36 + 3.9. Application Configuration Access Protocol (ACAP) ..........36 + 3.10. XML Configuration Access Protocol (XCAP) .................37 + 4. Network Management Data Models .................................38 + 4.1. IETF Network Management Data Models .......................39 + 4.1.1. Generic Infrastructure Data Models .................39 + 4.1.2. Link-Layer Data Models .............................40 + 4.1.3. Network-Layer Data Models ..........................40 + 4.1.4. Transport-Layer Data Models ........................40 + 4.1.5. Application-Layer Data Models ......................41 + 4.1.6. Network Management Infrastructure Data Models ......41 + 4.2. Network Management Data Models - FCAPS View ...............41 + 4.2.1. Fault Management ...................................42 + 4.2.2. Configuration Management ...........................44 + 4.2.3. Accounting Management ..............................45 + 4.2.4. Performance Management .............................46 + 4.2.5. Security Management ................................48 + 5. Security Considerations ........................................49 + 6. Contributors ...................................................51 + 7. Acknowledgements ...............................................52 + 8. Informative References .........................................52 + Appendix A. High-Level Classification of Management Protocols + and Data Models .......................................77 + A.1. Protocols Classified by Standards Maturity in the IETF .....77 + A.2. Protocols Matched to Management Tasks ......................79 + A.3. Push versus Pull Mechanism .................................80 + A.4. Passive versus Active Monitoring ...........................80 + A.5. Supported Data Model Types and Their Extensibility ........81 + Appendix B. New Work Related to IETF Management Standards .........83 + B.1. Energy Management (EMAN) ...................................83 + + + + + + + + + + + + + + +Ersue & Claise Informational [Page 3] + +RFC 6632 IETF Management Standards June 2012 + + +1. Introduction + +1.1. Scope and Target Audience + + This document gives an overview of the IETF network management + standards and summarizes existing and ongoing development of IETF + Standards Track network management protocols and data models. The + document refers to other overview documents where they exist and + classifies the standards for easy orientation. + + The target audience of the document is, on the one hand, IETF working + groups, which aim to select appropriate standard management protocols + and data models to address their needs concerning network management. + On the other hand, the document can be used as an overview and + guideline by non-IETF Standards Development Organizations (SDOs) + planning to use IETF management technologies and data models for the + realization of management applications. The document can also be + used to initiate a discussion between the bodies with the goal to + gather new requirements and to detect possible gaps. Finally, this + document is directed to all interested parties that seek to get an + overview of the current set of the IETF network management protocols + such as network administrators or newcomers to the IETF. + + Section 2 gives an overview of the IETF core network management + standards with a special focus on Simple Network Management Protocol + (SNMP), syslog, IP Flow Information eXport / Packet SAMPling (IPFIX/ + PSAMP), and Network Configuration (NETCONF). Section 3 discusses + IETF management protocols and mechanisms with a specific focus, e.g., + IP address management or IP performance management. Section 4 + discusses IETF data models, such as MIB modules, IPFIX Information + Elements, Syslog Structured Data Elements, and YANG modules designed + to address a specific set of management issues and provides two + complementary overviews for the network management data models + standardized within the IETF. Section 4.1 focuses on a broader view + of models classified into categories such as generic and + infrastructure data models as well as data models matched to + different layers. Whereas Section 4.2 structures the data models + following the management application view and maps them to the + network management tasks fault, configuration, accounting, + performance, and security management. + + Appendix A guides the reader for the high-level selection of + management standards. For this, the section classifies the protocols + according to high-level criteria, such as push versus pull + mechanisms, passive versus active monitoring, as well as categorizes + the protocols concerning the network management task they address and + their data model extensibility. If the reader is interested only in + a subset of the IETF network management protocols and data models + + + +Ersue & Claise Informational [Page 4] + +RFC 6632 IETF Management Standards June 2012 + + + described in this document, Appendix A can be used as a dispatcher to + the corresponding chapter. Appendix B gives an overview of the new + work on Energy Management in the IETF. + + This document mainly refers to Proposed, Draft, or Internet Standard + documents from the IETF (see [RFCSEARCH]). Whenever valuable, Best + Current Practice (BCP) documents are referenced. In exceptional + cases, and if the document provides substantial guideline for + standard usage or fills an essential gap, Experimental and + Informational RFCs are noticed and ongoing work is mentioned. + + Information on active and concluded IETF working groups (e.g., their + charters, published or currently active documents, and mail archives) + can be found at [IETF-WGS]). + + Note that this document does not cover OAM technologies on the data- + path including MPLS forwarding plane and control plane protocols + (e.g., OAM of tunnels, MPLS-TP OAM, and pseudowire) as well as the + corresponding management models and MIB modules. For a list of + related work, see Section 1.2. + +1.2. Related Work + + "Internet Protocols for the Smart Grid" [RFC6272] gives an overview + and guidance on the key protocols of the Internet Protocol Suite. In + analogy to [RFC6272], this document gives an overview of the IETF + network management standards and their usage scenarios. + + "Overview of the 2002 IAB Network Management Workshop" [RFC3535] + documented strengths and weaknesses of some IETF management + protocols. In choosing existing protocol solutions to meet the + management requirements, it is recommended that these strengths and + weaknesses be considered, even though some of the recommendations + from the 2002 IAB workshop have become outdated, some have been + standardized, and some are being worked on within the IETF. + + "Guidelines for Considering Operations and Management of New + Protocols and Extensions" [RFC5706] recommends working groups + consider operations and management needs and then select appropriate + management protocols and data models. This document can be used to + ease surveying the IETF Standards Track network management protocols + and management data models. + + "Multiprotocol Label Switching (MPLS) Management Overview" [RFC4221] + describes the management architecture for MPLS and indicates the + interrelationships between the different MIB modules used for MPLS + + + + + +Ersue & Claise Informational [Page 5] + +RFC 6632 IETF Management Standards June 2012 + + + network management, where "Operations, Administration, and + Maintenance Framework for MPLS-Based Transport Networks" [RFC6371] + describes the OAM Framework for MPLS-based Transport Networks. + + "An Overview of Operations, Administration, and Maintenance (OAM) + Mechanisms" [OAM-OVERVIEW] gives an overview of the OAM toolset for + detecting and reporting connection failures or measuring connection + performance parameters. + + "An Overview of the OAM Tool Set for MPLS-based Transport Networks" + [OAM-ANALYSIS] provides an overview of the OAM toolset for MPLS-based + Transport Networks including a brief summary of MPLS-TP OAM + requirements and functions and of generic mechanisms created in the + MPLS data plane to allow the OAM packets run in-band and share their + fate with data packets. The protocol definitions for each MPLS-TP + OAM tool are listed in separate documents, which are referenced. + + "MPLS-TP MIB-based Management Overview" [MPLSTP-MIB] describes the + MIB-based architecture for MPLS-TP, and indicates the + interrelationships between different existing MIB modules that can be + leveraged for MPLS-TP network management and identifies areas where + additional MIB modules are required. + + Note that so far, the IETF has not developed specific technologies + for the management of sensor networks. IP-based sensors or + constrained devices in such an environment, i.e., with very limited + memory and CPU resources, can use, e.g., application-layer protocols + to do simple resource management and monitoring. + +1.3. Terminology + + This document does not describe standard requirements. Therefore, + key words from RFC 2119 [RFC2119] are not used in the document. + + o 3GPP: 3rd Generation Partnership Project, a collaboration between + groups of telecommunications associations, to prepare the third- + generation (3G) mobile phone system specification. + + o Agent: A software module that performs the network management + functions requested by network management stations. An agent may + be implemented in any network element that is to be managed, such + as a host, bridge, or router. The 'management server' in NETCONF + terminology. + + o BCP: An IETF Best Current Practice document. + + o CLI: Command Line Interface. A management interface that system + administrators can use to interact with networking equipment. + + + +Ersue & Claise Informational [Page 6] + +RFC 6632 IETF Management Standards June 2012 + + + o Data model: A mapping of the contents of an information model into + a form that is specific to a particular type of datastore or + repository (see [RFC3444]). + + o Event: An occurrence of something in the "real world". Events can + be indicated to managers through an event message or notification. + + o IAB: Internet Architecture Board + + o IANA: Internet Assigned Numbers Authority, an organization that + oversees global IP address allocation, autonomous system number + allocation, media types, and other IP-related code point + allocations. + + o Information model: An abstraction and representation of entities + in a managed environment, their properties, attributes, + operations, and the way they relate to each other, independent of + any specific repository, protocol, or platform (see [RFC3444]). + + o ITU-T: International Telecommunication Union - Telecommunication + Standardization Sector + + o Managed object: A management abstraction of a resource; a piece of + management information in a MIB module. In the context of SNMP, a + structured set of data variables that represent some resource to + be managed or other aspect of a managed device. + + o Manager: An entity that acts in a manager role, either a user or + an application. The counterpart to an agent. A 'management + client' in NETCONF terminology. + + o Management Information Base (MIB): An information repository with + a collection of related objects that represent the resources to be + managed. + + o MIB module: MIB modules usually contain object definitions, may + contain definitions of event notifications, and sometimes include + compliance statements in terms of appropriate object and event + notification groups. A MIB that is provided by a management agent + is typically composed of multiple instantiated MIB modules. + + o Modeling language: A modeling language is any artificial language + that can be used to express information or knowledge or systems in + a structure that is defined by a consistent set of rules. + Examples are Structure of Management Information Version 2 (SMIv2) + [STD58], XML Schema Definition (XSD) [XSD-1], and YANG [RFC6020]. + + + + + +Ersue & Claise Informational [Page 7] + +RFC 6632 IETF Management Standards June 2012 + + + o Notification: An unsolicited message sent by an agent to a + management station to notify it of an unusual event. + + o OAM: Operations, Administration, and Maintenance + + o PDU: Protocol Data Unit, a unit of data, which is specified in a + protocol of a given layer consisting protocol-control information + and possibly layer-specific data. + + o Principal: An application, an individual, or a set of individuals + acting in a particular role, on whose behalf access to a service + or MIB is allowed. + + o RELAX NG: REgular LAnguage for XML Next Generation, a schema + language for XML [RELAX-NG]. + + o SDO: Standards Development Organization + + o SMI: Structure of Managed Information, the notation and grammar + for the managed information definition used to define MIB modules + [STD58]. + + o STDnn: An Internet Standard published at IETF, also referred as + Standard, e.g., [STD62]. + + o URI: Uniform Resource Identifier, a string of characters used to + identify a name or a resource on the Internet [STD66]. Can be + classified as locators (URLs), as names (URNs), or as both. + + o XPATH: XML Path Language, a query language for selecting nodes + from an XML document [XPATH]. + +2. Core Network Management Protocols + +2.1. Simple Network Management Protocol (SNMP) + +2.1.1. Architectural Principles of SNMP + + The SNMPv3 Framework [RFC3410], builds upon both the original SNMPv1 + and SNMPv2 Frameworks. The basic structure and components for the + SNMP Framework did not change between its versions and comprises the + following components: + + o managed nodes, each with an SNMP entity providing remote access to + management instrumentation (the agent), + + o at least one SNMP entity with management applications (the + manager), and + + + +Ersue & Claise Informational [Page 8] + +RFC 6632 IETF Management Standards June 2012 + + + o a management protocol used to convey management information + between the SNMP entities and management information. + + During its evolution, the fundamental architecture of the SNMP + Management Framework remained consistent based on a modular + architecture, which consists of: + + o a generic protocol definition independent of the data it is + carrying, + + o a protocol-independent data definition language, + + o an information repository containing a data set of management + information definitions (the Management Information Base, or MIB), + and + + o security and administration. + + As such, the following standards build up the basis of the current + SNMP Management Framework: + + o the SNMPv3 protocol [STD62], + + o the modeling language SMIv2 [STD58], and + + o the MIB modules for different management issues. + + The SNMPv3 Framework extends the architectural principles of SNMPv1 + and SNMPv2 by: + + o building on these three basic architectural components, in some + cases, incorporating them from the SNMPv2 Framework by reference, + and + + o by using the same layering principles in the definition of new + capabilities in the security and administration portion of the + architecture. + +2.1.2. SNMP and Its Versions + + SNMP is based on three conceptual entities: Manager, Agent, and the + Management Information Base (MIB). In any configuration, at least + one manager node runs SNMP management software. Typically, network + devices, such as bridges, routers, and servers, are equipped with an + agent. The agent is responsible for providing access to a local MIB + of objects that reflects the resources and activity at its node. + + + + + +Ersue & Claise Informational [Page 9] + +RFC 6632 IETF Management Standards June 2012 + + + Following the manager-agent paradigm, an agent can generate + notifications and send them as unsolicited messages to the management + application. + + SNMPv2 enhances this basic functionality with an Inform PDU, a bulk + transfer capability and other functional extensions like an + administrative model for access control, security extensions, and + Manager-to-Manager communication. SNMPv2 entities can have a dual + role as manager and agent. However, neither SNMPv1 nor SNMPv2 offers + sufficient security features. To address the security deficiencies + of SNMPv1/v2, SNMPv3 [STD62] has been issued. + + "Coexistence between Version 1, Version 2, and Version 3 of the + Internet-standard Network Management Framework" [BCP074] gives an + overview of the relevant Standard documents on the three SNMP + versions. The BCP document furthermore describes how to convert MIB + modules from SMIv1 to SMIv2 format and how to translate notification + parameters. It also describes the mapping between the message + processing and security models. + + SNMP utilizes the MIB, a virtual information store of modules of + managed objects. Generally, standard MIB modules support common + functionality in a device. Operators often define additional MIB + modules for their enterprise or use the Command Line Interface (CLI) + to configure non-standard data in managed devices and their + interfaces. + + SNMPv2 Trap and Inform PDUs can alert an operator or an application + when some aspects of a protocol fail or encounter an error condition, + and the contents of a notification can be used to guide subsequent + SNMP polling to gather additional information about an event. + + SNMP is widely used for the monitoring of fault and performance data + and with its stateless nature, SNMP also works well for status + polling and determining the operational state of specific + functionality. The widespread use of counters in standard MIB + modules permits the interoperable comparison of statistics across + devices from different vendors. Counters have been especially useful + in monitoring bytes and packets going in and out over various + protocol interfaces. SNMP is often used to poll a basic parameter of + a device (e.g., sysUpTime, which reports the time since the last re- + initialization of the network management portion of the device) to + check for operational liveliness and to detect discontinuities in + counters. Some operators also use SNMP for configuration management + in their environment (e.g., for systems based on Data Over Cable + Service Interface Specification (DOCSIS) such as cable modems). + + + + + +Ersue & Claise Informational [Page 10] + +RFC 6632 IETF Management Standards June 2012 + + + SNMPv1 [RFC1157] has been declared Historic and its use is not + recommended due to its lack of security features. "Introduction to + Community-based SNMPv2" [RFC1901] is an Experimental RFC, which has + been declared Historic, and its use is not recommended due to its + lack of security features. + + Use of SNMPv3 [STD62] is recommended due to its security features, + including support for authentication, encryption, message timeliness + and integrity checking, and fine-grained data access controls. An + overview of the SNMPv3 document set is in [RFC3410]. + + Standards exist to use SNMP over diverse transport and link-layer + protocols, including Transmission Control Protocol (TCP) [STD07], + User Datagram Protocol (UDP) [STD06], Ethernet [RFC4789], and others + (see Section 2.1.5.1). + +2.1.3. Structure of Managed Information (SMI) + + SNMP MIB modules are defined with the notation and grammar specified + as the Structure of Managed Information (SMI). The SMI uses an + adapted subset of Abstract Syntax Notation One (ASN.1) [ITU-X680]. + + The SMI is divided into three parts: module definitions, object + definitions, and notification definitions. + + o Module definitions are used when describing information modules. + An ASN.1 macro, MODULE-IDENTITY, is used to concisely convey the + semantics of an information module. + + o Object definitions are used when describing managed objects. An + ASN.1 macro, OBJECT-TYPE, is used to concisely convey the syntax + and semantics of a managed object. + + o Notification definitions are used when describing unsolicited + transmissions of management information. An ASN.1 macro, + NOTIFICATION-TYPE, is used to concisely convey the syntax and + semantics of a notification. + + SMIv1 is specified in "Structure and Identification of Management + Information for TCP/IP-based Internets" [RFC1155] and "Concise MIB + Definitions" [RFC1212], both part of [STD16]. [RFC1215] specifies + conventions for defining SNMP traps. Note that SMIv1 is outdated and + its use is not recommended. + + SMIv2 is the new notation for managed information definitions and + should be used to define MIB modules. SMIv2 is specified in the + following RFCs. With the exception of BCP 74, they are all part of + [STD58]: + + + +Ersue & Claise Informational [Page 11] + +RFC 6632 IETF Management Standards June 2012 + + + o [RFC2578] defines Version 2 of the Structure of Management + Information (SMIv2), + + o [RFC2579] defines the textual conventions macro for defining new + types and it provides a core set of generally useful textual + convention definitions, + + o [RFC2580] defines conformance statements and requirements for + defining agent and manager capabilities, and + + o [BCP074] defines the mapping rules for and the conversion of MIB + modules between SMIv1 and SMIv2 formats. + +2.1.4. SNMP Security and Access Control Models + +2.1.4.1. Security Requirements on the SNMP Management Framework + + Several of the classical threats to network protocols are applicable + to management problem space and therefore are applicable to any + security model used in an SNMP Management Framework. This section + lists primary and secondary threats, and threats that are of lesser + importance (see [RFC3411] for the detailed description of the + security threats). + + The primary threats against which SNMP Security Models can provide + protection are, "modification of information" by an unauthorized + entity, and "masquerade", i.e., the danger that management operations + not authorized for some principal may be attempted by assuming the + identity of another principal. + + Secondary threats against which SNMP Security Models can provide + protection are "message stream modification", e.g., reordering, + delay, or replay of messages, and "disclosure", i.e., the danger of + eavesdropping on the exchanges between SNMP engines. + + There are two threats against which the SNMP Security Model does not + protect, since they are deemed to be of lesser importance in this + context: Denial of Service and Traffic Analysis (see [RFC3411]). + +2.1.4.2. User-Based Security Model (USM) + + SNMPv3 [STD62] introduced the User-based Security Model (USM). USM + is specified in [RFC3414] and provides authentication and privacy + services for SNMP. Specifically, USM is designed to secure against + the primary and secondary threats discussed in Section 2.1.4.1. USM + does not secure against Denial of Service and attacks based on + Traffic Analysis. + + + + +Ersue & Claise Informational [Page 12] + +RFC 6632 IETF Management Standards June 2012 + + + The USM supports following security services: + + o Data integrity is the provision of the property that data has not + been altered or destroyed in an unauthorized manner, nor have data + sequences been altered to an extent greater than can occur non- + maliciously. + + o Data origin authentication is the provision of the property that + the claimed identity of the user on whose behalf received data was + originated is supported. + + o Data confidentiality is the provision of the property that + information is not made available or disclosed to unauthorized + individuals, entities, or processes. + + o Message timeliness and limited replay protection is the provision + of the property that a message whose generation time is outside of + a specified time window is not accepted. + + See [RFC3414] for a detailed description of SNMPv3 USM. + +2.1.4.3. View-Based Access Control Model (VACM) + + SNMPv3 [STD62] introduced the View-based Access Control (VACM) + facility. The VACM is defined in [RFC3415] and enables the + configuration of agents to provide different levels of access to the + agent's MIB. An agent entity can restrict access to a certain + portion of its MIB, e.g., restrict some principals to view only + performance-related statistics or disallow other principals to read + those performance-related statistics. An agent entity can also + restrict the access to monitoring (read-only) as opposed to + monitoring and configuration (read-write) of a certain portion of its + MIB, e.g., allowing only a single designated principal to update + configuration parameters. + + VACM defines five elements that make up the Access Control Model: + groups, security level, contexts, MIB views, and access policy. + Access to a MIB module is controlled by means of a MIB view. + + See [RFC3415] for a detailed description of SNMPv3 VACM. + +2.1.5. SNMP Transport Subsystem and Transport Models + + The User-based Security Model (USM) was designed to be independent of + other existing security infrastructures to ensure it could function + when third-party authentication services were not available. As a + result, USM utilizes a separate user and key-management + + + + +Ersue & Claise Informational [Page 13] + +RFC 6632 IETF Management Standards June 2012 + + + infrastructure. Operators have reported that the deployment of a + separate user and key-management infrastructure in order to use + SNMPv3 is costly and hinders the deployment of SNMPv3. + + SNMP Transport Subsystem [RFC5590] extends the original SNMP + architecture and Transport Model and enables the use of transport + protocols to provide message security unifying the administrative + security management for SNMP and other management interfaces. + + Transport Models are tied into the SNMP Framework through the + Transport Subsystem. The Transport Security Model [RFC5591] has been + designed to work on top of lower-layer, secure Transport Models. + + The SNMP Transport Model defines an alternative to existing standard + transport mappings described in [RFC3417], e.g., for SNMP over UDP, + in [RFC4789] for SNMP over IEEE 802 networks, and in the Experimental + RFC [RFC3430] defining SNMP over TCP. + +2.1.5.1. SNMP Transport Security Model + + The SNMP Transport Security Model [RFC5591] is an alternative to the + existing SNMPv1 and SNMPv2 Community-based Security Models [BCP074], + and the User-based Security Model [RFC3414], part of [STD62]. + + The Transport Security Model utilizes one or more lower-layer + security mechanisms to provide message-oriented security services. + These include authentication of the sender, encryption, timeliness + checking, and data integrity checking. + + A secure Transport Model sets up an authenticated and possibly + encrypted session between the Transport Models of two SNMP engines. + After a transport-layer session is established, SNMP messages can be + sent through this session from one SNMP engine to the other. The new + Transport Model supports the sending of multiple SNMP messages + through the same session to amortize the costs of establishing a + security association. + + The Secure Shell (SSH) Transport Model [RFC5592] and the Transport + Layer Security (TLS) Transport Model [RFC6353] are current examples + of Transport Security Models. + + The SSH Transport Model makes use of the commonly deployed SSH + security and key-management infrastructure. Furthermore, [RFC5592] + defines MIB objects for monitoring and managing the SSH Transport + Model for SNMP. + + + + + + +Ersue & Claise Informational [Page 14] + +RFC 6632 IETF Management Standards June 2012 + + + The Transport Layer Security (TLS) Transport Model [RFC6353] uses + either the TLS protocol [RFC5246] or the Datagram Transport Layer + Security (DTLS) protocol [RFC6347]. The TLS and DTLS protocols + provide authentication and privacy services for SNMP applications. + The TLS Transport Model supports the sending of SNMP messages over + TLS and TCP and over DTLS and UDP. Furthermore, [RFC6353] defines + MIB objects for managing the TLS Transport Model for SNMP. + + [RFC5608] describes the use of a Remote Authentication Dial-In User + Service (RADIUS) service by SNMP secure Transport Models for + authentication of users and authorization of services. Access + control authorization, i.e., how RADIUS attributes and messages are + applied to the specific application area of SNMP Access Control + Models, and VACM in particular has been specified in [RFC6065]. + +2.2. Syslog Protocol + + Syslog is a mechanism for distribution of logging information + initially used on Unix systems (see [RFC3164] for BSD syslog). The + IETF Syslog Protocol [RFC5424] introduces a layered architecture + allowing the use of any number of transport protocols, including + reliable and secure transports, for transmission of syslog messages. + + The Syslog protocol enables a machine to send system log messages + across networks to event message collectors. The protocol is simply + designed to transport and distribute these event messages. By + default, no acknowledgements of the receipt are made, except the + reliable delivery extensions specified in [RFC3195] are used. The + Syslog protocol and process does not require a stringent coordination + between the transport sender and the receiver. Indeed, the + transmission of syslog messages may be started on a device without a + receiver being configured, or even actually physically present. + Conversely, many devices will most likely be able to receive messages + without explicit configuration or definitions. + + BSD syslog had little uniformity for the message format and the + content of syslog messages. The body of a BSD syslog message has + traditionally been unstructured text. This content is human + friendly, but difficult to parse for applications. With the Syslog + Protocol [RFC5424], the IETF has standardized a new message header + format, including timestamp, hostname, application, and message ID, + to improve filtering, interoperability, and correlation between + compliant implementations. + + The Syslog protocol [RFC5424] also introduces a mechanism for + defining Structured Data Elements (SDEs). The SDEs allow vendors to + define their own structured data elements to supplement standardized + elements. [RFC5675] defines a mapping from SNMP notifications to + + + +Ersue & Claise Informational [Page 15] + +RFC 6632 IETF Management Standards June 2012 + + + syslog messages. [RFC5676] defines an SNMP MIB module to represent + syslog messages for the purpose of sending those syslog messages as + notifications to SNMP notification receivers. [RFC5674] defines the + way alarms are sent in syslog, which includes the mapping of ITU- + perceived severities onto syslog message fields and a number of + alarm-specific definitions from ITU-T X.733 [ITU-X733] and the IETF + Alarm MIB [RFC3877]. + + "Signed Syslog Messages" [RFC5848] defines a mechanism to add origin + authentication, message integrity, replay resistance, message + sequencing, and detection of missing messages to the transmitted + syslog messages to be used in conjunction with the Syslog protocol. + + The Syslog protocol's layered architecture provides support for a + number of transport mappings. For interoperability purposes and + especially in managed networks, where the network path has been + explicitly provisioned for UDP syslog traffic, the Syslog protocol + can be used over UDP [RFC5426]. However, to support congestion + control and reliability, [RFC5426] strongly recommends the use of the + TLS transport. + + Furthermore, the IETF defined the TLS Transport Mapping for syslog in + [RFC5425], which provides a secure connection for the transport of + syslog messages. [RFC5425] describes the security threats to syslog + and how TLS can be used to counter such threats. [RFC6012] defines + the Datagram Transport Layer Security (DTLS) Transport Mapping for + syslog, which can be used if a connectionless transport is desired. + + For information on MIB modules related to syslog, see Section 4.2.1. + +2.3. IP Flow Information eXport (IPFIX) and Packet SAMPling (PSAMP) + Protocols + + "Specification of the IP Flow Information Export (IPFIX) Protocol for + the Exchange of IP Traffic Flow Information" (the IPFIX Protocol) + [RFC5101] defines a push-based data export mechanism for transferring + IP flow information in a compact binary format from an Exporter to a + Collector. + + "Architecture for IP Flow Information Export" (the IPFIX + Architecture) [RFC5470] defines the components involved in IP flow + measurement and reporting of information on IP flows, particularly, a + Metering Process generating Flow Records, an Exporting Process that + sends metered flow information using the IPFIX protocol, and a + Collecting Process that receives flow information as IPFIX Data + Records. + + + + + +Ersue & Claise Informational [Page 16] + +RFC 6632 IETF Management Standards June 2012 + + + After listing the IPFIX requirements in [RFC3917], NetFlow Version 9 + [RFC3954] was taken as the basis for the IPFIX protocol and the IPFIX + architecture. + + IPFIX can run over different transport protocols. The IPFIX Protocol + [RFC5101] specifies Stream Control Transmission Protocol (SCTP) + [RFC4960] as the mandatory transport protocol to implement. Optional + alternatives are TCP [STD07] and UDP [STD06]. + + SCTP is used with its Partial Reliability extension (PR-SCTP) + specified in [RFC3758]. [RFC6526] specifies an extension to + [RFC5101], when using the PR-SCTP [RFC3758]. The extension offers + several advantages over IPFIX export, e.g., the ability to calculate + Data Record losses for PR-SCTP, immediate reuse of Template IDs + within an SCTP stream, reduced likelihood of Data Record loss, and + reduced demands on the Collecting Process. + + IPFIX transmits IP flow information in Data Records containing IPFIX + Information Elements (IEs) defined by the IPFIX Information Model + [RFC5102]. IPFIX IEs are quantities with unit and semantics defined + by the Information Model. When transmitted over the IPFIX protocol, + only their values need to be carried in Data Records. This compact + encoding allows efficient transport of large numbers of measured flow + values. Remaining redundancy in Data Records can be further reduced + by the methods described in [RFC5473] (for further discussion on + IPFIX IEs, see Section 4). + + The IPFIX Information Model is extensible. New IEs can be registered + at IANA (see "IPFIX Information Elements" in [IANA-PROT]). IPFIX + also supports the use of proprietary, i.e., enterprise-specific IEs. + + The PSAMP protocol [RFC5476] extends the IPFIX protocol by means of + transferring information on individual packets. [RFC5475] specifies + a set of sampling and filtering techniques for IP packet selection, + based on the PSAMP Framework [RFC5474]. The PSAMP Information Model + [RFC5477] provides a set of basic IEs for reporting packet + information with the IPFIX/PSAMP protocol. + + The IPFIX model of an IP traffic flow is unidirectional. [RFC5103] + adds means of reporting bidirectional flows to IPFIX, for example, + both directions of packet flows of a TCP connection. + + When enterprise-specific IEs are transmitted with IPFIX, a Collector + receiving Data Records may not know the type of received data and + cannot choose the right format for storing the contained information. + [RFC5610] provides a means of exporting extended type information for + enterprise-specific Information Elements from an Exporter to a + Collector. + + + +Ersue & Claise Informational [Page 17] + +RFC 6632 IETF Management Standards June 2012 + + + Collectors may store received flow information in files. The IPFIX + file format [RFC5655] can be used for storing IP flow information in + a way that facilitates exchange of traffic flow information between + different systems and applications. + + In terms of IPFIX and PSAMP configurations, the Metering and + Exporting Processes are configured out of band. As the IPFIX + protocol is a push mechanism only, IPFIX cannot configure the + Exporter. The actual configuration of selection processes, caches, + Exporting Processes, and Collecting Processes of IPFIX- and PSAMP- + compliant monitoring devices is executed using the NETCONF protocol + [RFC6241] (see Section 2.4.1). The "Configuration Data Model for + IPFIX and PSAMP" (the IPFIX Configuration Data Model) [CONF-MODEL] + has been specified using Unified Modeling Language (UML) class + diagrams. The data model is formally defined using the YANG modeling + language [RFC6020] (see Section 2.4.2). + + At the time of this writing, a framework for IPFIX flow mediation is + in preparation, which addresses the need for mediation of flow + information in IPFIX applications in large operator networks, e.g., + for aggregating huge amounts of flow data and for anonymization of + flow information (see the problem statement in [RFC5982]). + + The IPFIX Mediation Framework [RFC6183] defines the intermediate + device between Exporters and Collectors, which provides an IPFIX + mediation by receiving a record stream from, e.g., a Collecting + Process, hosting one or more Intermediate Processes to transform this + stream, and exporting the transformed record stream into IPFIX + messages via an Exporting Process. + + Examples for mediation functions are flow aggregation, flow + selection, and anonymization of traffic information (see [RFC6235]). + + Privacy, integrity, and authentication of the Exporter and Collector + are important security requirements for IPFIX [RFC3917]. + Confidentiality, integrity, and authenticity of IPFIX data + transferred from an Exporting Process to a Collecting Process must be + ensured. The IPFIX and PSAMP protocols do not define any new + security mechanisms and rely on the security mechanism of the + underlying transport protocol, such as TLS [RFC5246] and DTLS + [RFC6347]. + + The primary goal of IPFIX is the reporting of the flow accounting for + flexible flow definitions and usage-based accounting. As described + in the IPFIX Applicability Statement [RFC5472], there are also other + applications such as traffic profiling, traffic engineering, + intrusion detection, and QoS monitoring, that require flow-based + traffic measurements and can be realized using IPFIX. Furthermore, + + + +Ersue & Claise Informational [Page 18] + +RFC 6632 IETF Management Standards June 2012 + + + the IPFIX Applicability Statement explains the relation of IPFIX to + other framework and protocols such as PSAMP, RMON (Remote Network + Monitoring MIB, Section 4.2.1), and IPPM (IP Performance Metrics, + Section 3.4)). Similar flow information could be also used for + security monitoring. The addition of Performance Metrics in the + IPFIX IANA registry [IANA-IPFIX], will extend the IPFIX use case to + performance management. + + Note that even if the initial IPFIX focus has been around IP flow + information exchange, non-IP-related IEs are now specified in the + IPFIX IANA registration (e.g., MAC (Media Access Control) address, + MPLS (Multiprotocol Label Switching) labels, etc.). At the time of + this writing, there are requests to widen the focus of IPFIX and to + export non-IP related IEs (such as SIP monitoring IEs). + + The IPFIX structured data [RFC6313] is an extension to the IPFIX + protocol, which supports hierarchical structured data and lists + (sequences) of Information Elements in Data Records. This extension + allows the definition of complex data structures such as variable- + length lists and specification of hierarchical containment + relationships between templates. Furthermore, the extension provides + the semantics to express the relationship among multiple list + elements in a structured Data Record. + + For information on data models related to the management of the IPFIX + and PSAMP protocols, see Sections 4.2.1 and 4.2.2. For information + on IPFIX/PSAMP IEs, see Section 4.2.3. + +2.4. Network Configuration + +2.4.1. Network Configuration Protocol (NETCONF) + + The IAB workshop on Network Management [RFC3535] determined advanced + requirements for configuration management: + + o robustness: Minimizing disruptions and maximizing stability, + + o a task-oriented view, + + o extensibility for new operations, + + o standardized error handling, + + o clear distinction between configuration data and operational + state, + + o distribution of configurations to devices under transactional + constraints, + + + +Ersue & Claise Informational [Page 19] + +RFC 6632 IETF Management Standards June 2012 + + + o single- and multi-system transactions and scalability in the + number of transactions and managed devices, + + o operations on selected subsets of management data, + + o dumping and reloading a device configuration in a textual format + in a standard manner across multiple vendors and device types, + + o a human interface and a programmatic interface, + + o a data modeling language with a human-friendly syntax, + + o easy conflict detection and configuration validation, and + + o secure transport, authentication, and robust access control. + + The NETCONF protocol [RFC6241] provides mechanisms to install, + manipulate, and delete the configuration of network devices and aims + to address the configuration management requirements pointed out in + the IAB workshop. It uses an XML-based data encoding for the + configuration data as well as the protocol messages. The NETCONF + protocol operations are realized on top of a simple and reliable + Remote Procedure Call (RPC) layer. A key aspect of NETCONF is that + it allows the functionality of the management protocol to closely + mirror the native command-line interface of the device. + + The NETCONF working group developed the NETCONF Event Notifications + Mechanism as an optional capability, which provides an asynchronous + message notification delivery service for NETCONF [RFC5277]. The + NETCONF notification mechanism enables using general purpose + notification streams, where the originator of the notification stream + can be any managed device (e.g., SNMP notifications). + + The NETCONF Partial Locking specification introduces fine-grained + locking of the configuration datastore to enhance NETCONF for fine- + grained transactions on parts of the datastore [RFC5717]. + + The NETCONF working group also defined the necessary data model to + monitor the NETCONF protocol [RFC6022], by using the modeling + language YANG [RFC6020] (see Section 2.4.2). The monitoring data + model includes information about NETCONF datastores, sessions, locks, + and statistics, which facilitate the management of a NETCONF server. + + NETCONF connections are required to provide authentication, data + integrity, confidentiality, and replay protection. NETCONF depends + on the underlying transport protocol for this capability. For + example, connections can be encrypted in TLS or SSH, depending on the + underlying protocol. + + + +Ersue & Claise Informational [Page 20] + +RFC 6632 IETF Management Standards June 2012 + + + The NETCONF working group defined the SSH transport protocol as the + mandatory transport binding [RFC6242]. Other optional transport + bindings are TLS [RFC5539], Blocks Extensible Exchange Protocol + (BEEP) over TLS [RFC4744], and Simple Object Access Protocol (SOAP) + over HTTP over TLS [RFC4743]. + + The NETCONF Access Control Model (NACM) [RFC6536] provides standard + mechanisms to restrict protocol access to particular users with a + pre-configured subset of operations and content. + +2.4.2. YANG - NETCONF Data Modeling Language + + Following the guidelines of the IAB management workshop [RFC3535], + the NETMOD working group developed a data modeling language defining + the semantics of operational and configuration data, notifications, + and operations [RFC6020]. The new data modeling language, called + YANG, maps directly to XML-encoded content (on the wire) and will + serve as the normative description of NETCONF data models. + + YANG has the following properties addressing specific requirements on + a modeling language for configuration management: + + o YANG provides the means to define hierarchical data models. It + supports reusable data types and groupings, i.e., a set of schema + nodes that can be reused across module boundaries. + + o YANG supports the distinction between configuration and state + data. In addition, it provides support for modeling event + notifications and the specification of operations that extend the + base NETCONF operations. + + o YANG allows the expression of constraints on data models by means + of type restrictions and XML Path Language (XPATH) 1.0 [XPATH] + expressions. XPATH expressions can also be used to make certain + portions of a data model conditional. + + o YANG supports the integration of standard- and vendor-defined data + models. YANG's augmentation mechanism allows the seamless + augmentation of standard data models with proprietary extensions. + + o YANG data models can be partitioned into collections of features, + allowing low-end devices only to implement the core features of a + data model while high-end devices may choose to support all + features. The supported features are announced via the NETCONF + capability exchange to management applications. + + + + + + +Ersue & Claise Informational [Page 21] + +RFC 6632 IETF Management Standards June 2012 + + + o The syntax of the YANG language is compact and optimized for human + readers. An associated XML-based syntax called the YANG + Independent Notation (YIN) [RFC6020] is available to allow the + processing of YANG data models with XML-based tools. The mapping + rules for the translation of YANG data models into Document Schema + Definition Languages (DSDL), of which RELAX NG is a major + component, are defined in [RFC6110]. + + o Devices implementing standard data models can document deviations + from the data model in separate YANG modules. Applications + capable of discovering deviations can make allowances that would + otherwise not be possible. + + A collection of common data types for IETF-related standards is + provided in [RFC6021]. This standard data type library has been + derived to a large extend from common SMIv2 data types, generalizing + them to a less-constrained NETCONF Framework. + + The document "An Architecture for Network Management using NETCONF + and YANG" describes how NETCONF and YANG can be used to build network + management applications that meet the needs of network operators + [RFC6244]. + + The Experimental RFC [RFC6095] specifies extensions for YANG, + introducing language abstractions such as class inheritance and + recursive data structures. + + [RFC6087] gives guidelines for the use of YANG within the IETF and + other standardization organizations. + + Work is underway to standardize a translation of SMIv2 data models + into YANG data models preserving investments into SNMP MIB modules, + which are widely available for monitoring purposes [SMI-YANG]. + + Several independent and open source implementations of the YANG data + modeling language and associated tools are available. + + While YANG is a relatively recent data modeling language, some data + models have already been produced. The specification of the base + NETCONF protocol operations has been revised and uses YANG as the + normative modeling language to specify its operations [RFC6241]. The + IPFIX working group prepared the normative model for configuring and + monitoring IPFIX- and PSAMP-compliant monitoring devices using the + YANG modeling language [CONF-MODEL]. + + + + + + + +Ersue & Claise Informational [Page 22] + +RFC 6632 IETF Management Standards June 2012 + + + At the time of this writing, the NETMOD working group is developing + core system and interface data models. Following the example of the + IPFIX configuration model, IETF working groups will prepare models + for their specific needs. + + For information on data models developed using the YANG modeling + language, see Sections 4.2.1 and 4.2.2. + +3. Network Management Protocols and Mechanisms with Specific Focus + + This section reviews additional protocols the IETF offers for + management and discusses for which applications they were designed + and/or have already been successfully deployed. These are protocols + that have mostly reached Proposed Standard status or higher within + the IETF. + +3.1. IP Address Management + +3.1.1. Dynamic Host Configuration Protocol (DHCP) + + Dynamic Host Configuration Protocol (DHCP) [RFC2131] provides a + framework for passing configuration information to hosts on a TCP/IP + network and, as such, enables autoconfiguration in IP networks. In + addition to IP address management, DHCP can also provide other + configuration information, such as default routers, the IP addresses + of recursive DNS servers, and the IP addresses of NTP servers. As + described in [RFC6272], DHCP can be used for IPv4 and IPv6 Address + Allocation and Assignment as well as for Service Discovery. + + There are two versions of DHCP: one for IPv4 (DHCPv4) [RFC2131] and + one for IPv6 (DHCPv6) [RFC3315]. DHCPv4 was defined as an extension + to BOOTP (Bootstrap Protocol) [RFC0951]. DHCPv6 was subsequently + defined to accommodate new functions required by IPv6 such as + assignment of multiple addresses to an interface and to address + limitations in the design of DHCPv4 resulting from its origins in + BOOTP. While both versions bear the same name and perform the same + functionality, the details of DHCPv4 and DHCPv6 are sufficiently + different that they can be considered separate protocols. + + In addition to the assignment of IP addresses and other configuration + information, DHCP options like the Relay Agent Information option + (DHCPv4) [RFC3046] and, the Interface-Id Option (DHCPv6) [RFC3315] + are widely used by ISPs. + + DHCPv6 includes Prefix Delegation [RFC3633], which is used to + provision a router with an IPv6 prefix for use in the subnetwork + supported by the router. + + + + +Ersue & Claise Informational [Page 23] + +RFC 6632 IETF Management Standards June 2012 + + + The following are examples of DHCP options that provide configuration + information or access to specific servers. A complete list of DHCP + options is available at [IANA-PROT]. + + o "DNS Configuration options for Dynamic Host Configuration Protocol + for IPV6 (DHCPv6)" [RFC3646] describes DHCPv6 options for passing + a list of available DNS recursive name servers and a domain search + list to a client. + + o "DHCP Options for Service Location Protocol" [RFC2610] describes + DHCPv4 options and methods through which entities using the + Service Location Protocol can find out the address of Directory + Agents in order to transact messages and how the assignment of + scope for configuration of Service Location Protocol (SLP) User + and Service Agents can be achieved. + + o "Dynamic Host Configuration Protocol (DHCPv6) Options for Session + Initiation Protocol (SIP) Servers" [RFC3319] specifies DHCPv6 + options that allow SIP clients to locate a local SIP server that + is to be used for all outbound SIP requests, a so-called "outbound + proxy server". + + o "Dynamic Host Configuration Protocol (DHCP) Options for Broadcast + and Multicast Control Servers" [RFC4280] defines DHCPv6 options to + discover the Broadcast and Multicast Service (BCMCS) controller in + an IP network. + + Built directly on UDP and IP, DHCP itself has no security provisions. + There are two different classes of potential security issues related + to DHCP: unauthorized DHCP Servers and unauthorized DHCP Clients. + The recommended solutions to these risks generally involve providing + security at lower layers, e.g., careful control over physical access + to the network, security techniques implemented at Layer 2 but also + IPsec at Layer 3 can be used to provide authentication. + +3.1.2. Ad Hoc Network Autoconfiguration + + Ad hoc nodes need to configure their network interfaces with locally + unique addresses as well as globally routable IPv6 addresses, in + order to communicate with devices on the Internet. The IETF AUTOCONF + working group developed [RFC5889], which describes the addressing + model for ad hoc networks and how nodes in these networks configure + their addresses. + + The ad hoc nodes under consideration are expected to be able to + support multi-hop communication by running MANET (Mobile Ad Hoc + Network) routing protocols as developed by the IETF MANET working + group. + + + +Ersue & Claise Informational [Page 24] + +RFC 6632 IETF Management Standards June 2012 + + + From the IP layer perspective, an ad hoc network presents itself as a + Layer 3 multi-hop network formed over a collection of links. The + addressing model aims to avoid problems for parts of the system that + are ad hoc unaware, such as standard applications running on an ad + hoc node or regular Internet nodes attached to the ad hoc nodes. + +3.2. IPv6 Network Operations + + The IPv6 Operations (V6OPS) working group develops guidelines for the + operation of a shared IPv4/IPv6 Internet and provides operational + guidance on how to deploy IPv6 into existing IPv4-only networks, as + well as into new network installations. + + o "Basic Transition Mechanisms for IPv6 Hosts and Routers" [RFC4213] + specifies IPv4 compatibility mechanisms for dual-stack and + configured tunneling that can be implemented by IPv6 hosts and + routers. "Dual stack" implies providing complete implementations + of both IPv4 and IPv6, and configured tunneling provides a means + to carry IPv6 packets over unmodified IPv4 routing + infrastructures. + + o "Transition Scenarios for 3GPP Networks" [RFC3574] lists different + scenarios in 3GPP defined packet network that would need IPv6 and + IPv4 transition, where "Analysis on IPv6 Transition in Third + Generation Partnership Project (3GPP) Networks" [RFC4215] does a + more detailed analysis of the transition scenarios that may come + up in the deployment phase of IPv6 in 3GPP packet networks. + + o "Scenarios and Analysis for Introducing IPv6 into ISP Networks" + [RFC4029] describes and analyzes different scenarios for the + introduction of IPv6 into an ISP's existing IPv4 network. "IPv6 + Deployment Scenarios in 802.16 Networks" [RFC5181] provides a + detailed description of IPv6 deployment, integration methods, and + scenarios in wireless broadband access networks (802.16) in + coexistence with deployed IPv4 services. [RFC4057] describes the + scenarios for IPv6 deployment within enterprise networks. + + o "Application Aspects of IPv6 Transition" [RFC4038] specifies + scenarios and application aspects of IPv6 transition considering + how to enable IPv6 support in applications running on IPv6 hosts, + and giving guidance for the development of IP-version-independent + applications. + + o "IANA-Reserved IPv4 Prefix for Shared Address Space" [RFC6598] + updates RFC 5735 and requested the allocation of an IPv4/10 + address block to be used as "Shared Carrier-Grade Network Address + + + + + +Ersue & Claise Informational [Page 25] + +RFC 6632 IETF Management Standards June 2012 + + + Translation (CGN) Space" by Service Providers to number the + interfaces that connect CGN devices to Customer Premises Equipment + (CPE). + +3.3. Policy-Based Management + +3.3.1. IETF Policy Framework + + The IETF specified a general policy framework [RFC2753] for managing, + sharing, and reusing policies in a vendor-independent, interoperable, + and scalable manner. [RFC3460] specifies the Policy Core Information + Model (PCIM) as an object-oriented information model for representing + policy information. PCIM has been developed jointly in the IETF + Policy Framework (POLICY) working group and the Common Information + Model (CIM) activity in the Distributed Management Task Force (DMTF). + PCIM has been published as extensions to CIM [DMTF-CIM]. + + The IETF Policy Framework is based on a policy-based admission + control specifying two main architectural elements: the Policy + Enforcement Point (PEP) and the Policy Decision Point (PDP). For the + purpose of network management, policies allow an operator to specify + how the network is to be configured and monitored by using a + descriptive language. Furthermore, it allows the automation of a + number of management tasks, according to the requirements set out in + the policy module. + + The IETF Policy Framework has been accepted by the industry as a + standard-based policy management approach and has been adopted by + different SDOs, e.g., for 3GGP charging standards. + +3.3.2. Use of Common Open Policy Service (COPS) for Policy Provisioning + (COPS-PR) + + [RFC3159] defines the Structure of Policy Provisioning Information + (SPPI), an extension to the SMIv2 modeling language used to write + Policy Information Base (PIB) modules. COPS-PR [RFC3084] uses the + Common Open Policy Service (COPS) protocol [RFC2748] for the + provisioning of policy information. COPS provides a simple client/ + server model for supporting policy control over QoS signaling + protocols. The COPS-PR specification is independent of the type of + policy being provisioned (QoS, security, etc.) but focuses on the + mechanisms and conventions used to communicate provisioned + information between policy-decision-points (PDPs) and policy + enforcement points (PEPs). Policy data is modeled using PIB modules. + + COPS-PR has not been widely deployed, and operators have stated that + its use of binary encoding for management data makes it difficult to + develop automated scripts for simple configuration management tasks + + + +Ersue & Claise Informational [Page 26] + +RFC 6632 IETF Management Standards June 2012 + + + in most text-based scripting languages. In the IAB Workshop on + Network Management [RFC3535], the consensus of operators and protocol + developers indicated a lack of interest in PIB modules for use with + COPS-PR. + + As a result, even if COPS-PR and the Structure of Policy Provisioning + Information (SPPI) were initially approved as Proposed Standards, the + IESG has not approved any PIB modules as Proposed Standard, and the + use of COPS-PR is not recommended. + +3.4. IP Performance Metrics (IPPM) + + The IPPM working group has defined metrics for accurately measuring + and reporting the quality, performance, and reliability of Internet + data delivery. The metrics include connectivity, one-way delay and + loss, round-trip delay and loss, delay variation, loss patterns, + packet reordering, bulk transport capacity, and link bandwidth + capacity. + + These metrics are designed for use by network operators and their + customers, and they provide unbiased quantitative measures of + performance. The IPPM metrics have been developed inside an active + measurement context, that is, the devices used to measure the metrics + produce their own traffic. However, most of the metrics can be used + inside a passive context as well. At the time of this writing, there + is no work planned in the area of passive measurement. + + As a property, individual IPPM performance and reliability metrics + need to be well defined and concrete: thus, implementable. + Furthermore, the methodology used to implement a metric needs to be + repeatable with consistent measurements. + + IPPMs have been adopted by different organizations, e.g., the Metro + Ethernet Forum. + + Note that this document does not aim to cover OAM technologies on the + data-path and, as such, the discussion of IPPM-based active versus + passive monitoring as well as the data plane measurement and its + diagnostics is rather incomplete. For a detailed overview and + discussion of IETF OAM standards and IPPM measurement mechanisms, the + reader is referred to the documents listed at the end of Section 1.2 + ("Related Work") but especially to [OAM-OVERVIEW]. + + + + + + + + + +Ersue & Claise Informational [Page 27] + +RFC 6632 IETF Management Standards June 2012 + + + The following are essential IPPM documents: + + o "Framework for IP Performance Metrics" [RFC2330] defines a general + framework for particular metrics developed by the IPPM working + group, and it defines the fundamental concepts of 'metric' and + 'measurement methodology'. It also discusses the issue of + measurement uncertainties and errors as well as introduces the + notion of empirically defined metrics and how metrics can be + composed. + + o "A One-way Delay Metric for IPPM" [RFC2679] defines a metric for + the one-way delay of packets across Internet paths. It builds on + notions introduced in the IPPM Framework document. + + o "A Round-trip Delay Metric for IPPM" [RFC2681] defines a metric + for the round-trip delay of packets across network paths and + closely follows the corresponding metric for one-way delay. + + o "IP Packet Delay Variation Metric for IP Performance Metrics + (IPPM)" [RFC3393] refers to a metric for variation in the delay of + packets across network paths and is based on the difference in the + one-way-delay of selected packets called "IP Packet Delay + Variation (ipdv)". + + o "A One-way Packet Loss Metric for IPPM" [RFC2680] defines a metric + for one-way packet loss across Internet paths. + + o "A One-Way Packet Duplication Metric" [RFC5560] defines a metric + for the case where multiple copies of a packet are received, and + it discusses methods to summarize the results of streams. + + o "Packet Reordering Metrics" [RFC4737] defines metrics to evaluate + whether a network has maintained packet order on a packet-by- + packet basis and discusses the measurement issues, including the + context information required for all metrics. + + o "IPPM Metrics for Measuring Connectivity" [RFC2678] defines a + series of metrics for connectivity between a pair of Internet + hosts. + + o "Framework for Metric Composition" [RFC5835] describes a detailed + framework for composing and aggregating metrics. + + o "Guidelines for Considering New Performance Metric Development" + [BCP170] describes the framework and process for developing + Performance Metrics of protocols and applications transported over + IETF-specified protocols. + + + + +Ersue & Claise Informational [Page 28] + +RFC 6632 IETF Management Standards June 2012 + + + To measure these metrics, two protocols and a sampling method have + been standardized: + + o "A One-way Active Measurement Protocol (OWAMP)" [RFC4656] measures + unidirectional characteristics such as one-way delay and one-way + loss between network devices and enables the interoperability of + these measurements. OWAMP is discussed in more detail in + [OAM-OVERVIEW]. + + o "A Two-Way Active Measurement Protocol (TWAMP)" [RFC5357] adds + round-trip or two-way measurement capabilities to OWAMP. TWAMP is + discussed in more detail in [OAM-OVERVIEW]. + + o "Network performance measurement with periodic streams" [RFC3432] + describes a periodic sampling method and relevant metrics for + assessing the performance of IP networks, as an alternative to the + Poisson sampling method described in [RFC2330]. + + For information on MIB modules related to IP Performance Metrics see + Section 4.2.4. + +3.5. Remote Authentication Dial-In User Service (RADIUS) + + "Remote Authentication Dial In User Service (RADIUS)" [RFC2865] + describes a client/server protocol for carrying authentication, + authorization, and configuration information between a Network Access + Server (NAS), which desires to authenticate its links, and a shared + authentication server. The companion document "Radius Accounting" + [RFC2866] describes a protocol for carrying accounting information + between a NAS and a shared accounting server. [RFC2867] adds + required new RADIUS accounting attributes and new values designed to + support the provision of tunneling in dial-up networks. + + The RADIUS protocol is widely used in environments like enterprise + networks, where a single administrative authority manages the network + and protects the privacy of user information. RADIUS is deployed in + the networks of fixed broadband access provider as well as cellular + broadband operators. + + RADIUS uses attributes to carry the specific authentication, + authorization, information, and configuration details. RADIUS is + extensible with a known limitation of a maximum of 255 attribute + codes and 253 octets as attribute content length. RADIUS has Vendor- + Specific Attributes (VSAs), which have been used both for vendor- + specific purposes (as an addition to standardized attributes) as well + as to extend the limited attribute code space. + + + + + +Ersue & Claise Informational [Page 29] + +RFC 6632 IETF Management Standards June 2012 + + + The RADIUS protocol uses a shared secret along with the MD5 hash + algorithm to secure passwords [RFC1321]. Based on the known threads, + additional protection like IPsec tunnels [RFC4301] are used to + further protect the RADIUS traffic. However, building and + administering large IPsec-protected networks may become a management + burden, especially when the IPsec-protected RADIUS infrastructure + should provide inter-provider connectivity. Moving towards TLS-based + security solutions [RFC5246] and establishing dynamic trust + relationships between RADIUS servers has become a trend. Since the + introduction of TCP transport for RADIUS [RFC6613], it became natural + to have TLS support for RADIUS. An ongoing work is "Transport Layer + Security (TLS) encryption for RADIUS" [RFC6614]. + + "RADIUS Attributes for Tunnel Protocol Support" [RFC2868] defines a + number of RADIUS attributes designed to support the compulsory + provision of tunneling in dial-up network access. Some applications + involve compulsory tunneling, i.e., the tunnel is created without any + action from the user and without allowing the user any choice in the + matter. In order to provide this functionality, specific RADIUS + attributes are needed to carry the tunneling information from the + RADIUS server to the tunnel end points. "Signalling Connection + Control Part User Adaptation Layer (SUA)" [RFC3868] defines the + necessary attributes, attribute values, and the required IANA + registries. + + "RADIUS and IPv6" [RFC3162] specifies the operation of RADIUS over + IPv6 and the RADIUS attributes used to support the IPv6 network + access. "RADIUS Delegated-IPv6-Prefix Attribute" [RFC4818] describes + how to transport delegated IPv6 prefix information over RADIUS. + + "RADIUS Attributes for Virtual LAN and Priority Support" [RFC4675] + defines additional attributes for dynamic Virtual LAN assignment and + prioritization, for use in provisioning of access to IEEE 802 local + area networks usable with RADIUS and diameter. + + "Common Remote Authentication Dial In User Service (RADIUS) + Implementation Issues and Suggested Fixes" [RFC5080] describes common + issues seen in RADIUS implementations and suggests some fixes. Where + applicable, unclear statements and errors in previous RADIUS + specifications are clarified. People designing extensions to RADIUS + protocol for various deployment cases should get familiar with + "RADIUS Design Guidelines" [RFC6158] in order to avoid, e.g., known + interoperability challenges. + + "RADIUS Extension for Digest Authentication" [RFC5090] defines an + extension to the RADIUS protocol to enable support of Digest + Authentication, for use with HTTP-style protocols like the Session + Initiation Protocol (SIP) and HTTP. + + + +Ersue & Claise Informational [Page 30] + +RFC 6632 IETF Management Standards June 2012 + + + "Carrying Location Objects in RADIUS and DIAMETER" [RFC5580] + describes procedures for conveying access-network ownership and + location information based on civic and geospatial location formats + in RADIUS and diameter. + + "Remote Authentication Dial-In User Service (RADIUS) Authorization + for Network Access Server (NAS) Management" [RFC5607] specifies + required RADIUS attributes and their values for authorizing a + management access to a NAS. Both local and remote management are + supported, with access rights and management privileges. Specific + provisions are made for remote management via Framed Management + protocols, such as SNMP and NETCONF, and for management access over a + secure transport protocol. + + "RADIUS (Remote Authentication Dial In User Service) Support For + Extensible Authentication Protocol (EAP)" [RFC3579] describes how to + use RADIUS to convey an EAP [RFC3748] payload between the + authenticator and the EAP server using RADIUS. RFC 3579 is widely + implemented, for example, in WLAN and 802.1 X environments. "IEEE + 802.1X Remote Authentication Dial In User Service (RADIUS) Usage + Guidelines" [RFC3580] describes how to use RADIUS with IEEE 802.1X + authenticators. In the context of 802.1X and EAP-based + authentication, the VSAs described in [RFC2458] have been widely + accepted by the industry. "RADIUS Extensions" [RFC2869] is another + important RFC related to EAP use. RFC 2869 describes additional + attributes for carrying AAA information between a NAS and a shared + accounting server using RADIUS. It also defines attributes to + encapsulate EAP message payload. + + There are different MIB modules defined for multiple purposes to use + with RADIUS (see Sections 4.2.3 and 4.2.5). + +3.6. Diameter Base Protocol (Diameter) + + Diameter [RFC3588] provides an Authentication, Authorization, and + Accounting (AAA) framework for applications such as network access or + IP mobility. Diameter is also intended to work in local AAA and in + roaming scenarios. Diameter provides an upgrade path for RADIUS but + is not directly backwards compatible. + + Diameter is designed to resolve a number of known problems with + RADIUS. Diameter supports server failover, reliable transport over + TCP and SCTP, well-documented functions for proxy, redirect and relay + agent functions, server-initiated messages, auditability, and + capability negotiation. Diameter also provides a larger attribute + space for Attribute-Value Pairs (AVPs) and identifiers than RADIUS. + Diameter features make it especially appropriate for environments, + + + + +Ersue & Claise Informational [Page 31] + +RFC 6632 IETF Management Standards June 2012 + + + where the providers of services are in different administrative + domains than the maintainer (protector) of confidential user + information. + + Other notable differences to RADIUS are as follows: + + o Network and Transport Layer Security (IPsec or TLS), + + o Stateful and stateless models, + + o Dynamic discovery of peers (using DNS Service Record (SRV) and + Naming Authority Pointer (NAPTR)), + + o Concept of an application that describes how a specific set of + commands and Attribute-Value Pairs (AVPs) are treated by diameter + nodes. Each application has an IANA-assigned unique identifier, + + o Support of application layer acknowledgements, failover methods + and state machines, + + o Basic support for user-sessions and accounting, + + o Better roaming support, + + o Error notification, and + + o Easy extensibility. + + The Diameter protocol is designed to be extensible to support, e.g., + proxies, brokers, mobility and roaming, Network Access Servers + (NASREQ), and Accounting and Resource Management. Diameter + applications extend the Diameter base protocol by adding new commands + and/or attributes. Each application is defined by a unique IANA- + assigned application identifier and can add new command codes and/or + new mandatory AVPs. + + The Diameter application identifier space has been divided into + Standards Track and 'First Come First Served' vendor-specific + applications. The following are examples of Diameter applications + published at IETF: + + o Diameter Base Protocol Application [RFC3588]: Required support + from all Diameter implementations. + + o Diameter Base Accounting Application [RFC3588]: A Diameter + application using an accounting protocol based on a server- + directed model with capabilities for real-time delivery of + accounting information. + + + +Ersue & Claise Informational [Page 32] + +RFC 6632 IETF Management Standards June 2012 + + + o Diameter Mobile IPv4 Application [RFC4004]: A Diameter application + that allows a Diameter server to authenticate, authorize, and + collect accounting information for Mobile IPv4 services rendered + to a mobile node. + + o Diameter Network Access Server Application (NASREQ, [RFC4005]): A + Diameter application used for AAA services in the NAS environment. + + o Diameter Extensible Authentication Protocol Application [RFC4072]: + A Diameter application that carries EAP packets between a NAS and + a back-end authentication server. + + o Diameter Credit-Control Application [RFC4006]: A Diameter + application that can be used to implement real-time credit-control + for a variety of end-user services such as network access, Session + Initiation Protocol (SIP) services, messaging services, and + download services. + + o Diameter Session Initiation Protocol Application [RFC4740]: A + Diameter application designed to be used in conjunction with SIP + and provides a Diameter client co-located with a SIP server, with + the ability to request the authentication of users and + authorization of SIP resources usage from a Diameter server. + + o Diameter Quality-of-Service Application [RFC5866]: A Diameter + application allowing network elements to interact with Diameter + servers when allocating QoS resources in the network. + + o Diameter Mobile IPv6 IKE (MIP6I) Application [RFC5778]: A Diameter + application that enables the interaction between a Mobile IP home + agent and a Diameter server and is used when the mobile node is + authenticated and authorized using IKEv2 [RFC5996]. + + o Diameter Mobile IPv6 Auth (MIP6A) Application [RFC5778]: A + Diameter application that enables the interaction between a Mobile + IP home agent and a Diameter server and is used when the mobile + node is authenticated and authorized using the Mobile IPv6 + Authentication Protocol [RFC4285]. + + The large majority of Diameter applications are vendor-specific and + mainly used in various SDOs outside the IETF. One example SDO using + diameter extensively is 3GPP (e.g., 3GPP 'IP Multimedia Subsystem' + (IMS) uses diameter-based interfaces (e.g., Cx) [3GPPIMS]). + Recently, during the standardization of the '3GPP Evolved Packet + Core' [3GPPEPC], diameter was chosen as the only AAA signaling + protocol. + + + + + +Ersue & Claise Informational [Page 33] + +RFC 6632 IETF Management Standards June 2012 + + + One part of diameter's extensibility mechanism is an easy and + consistent way of creating new commands for the need of applications. + RFC 3588 proposed to define diameter command code allocations with a + new RFC. This policy decision caused undesired use and redefinition + of existing command codes within SDOs. Diverse RFCs have been + published as simple command code allocations for other SDO purposes + (see [RFC3589], [RFC5224], [RFC5431], and [RFC5516]). [RFC5719] + changed the command code policy and added a range for vendor-specific + command codes to be allocated on a 'First Come First Served' basis by + IANA. + + The implementation and deployment experience of diameter has led to + the ongoing development of an update of the base protocol [DIAMETER], + which introduces TLS as the preferred security mechanism and + deprecates the in-band security negotiation for TLS. + + Some Diameter protocol enhancements and clarifications that logically + fit better into [DIAMETER], are also needed on the existing + deployments based on RFC 3588. Therefore, protocol extensions + specifically usable in large inter-provider roaming network scenarios + are made available for RFC 3588. Two currently existing + specifications are mentioned below: + + o "Clarifications on the Routing of Diameter Requests Based on the + Username and the Realm" [RFC5729] defines the behavior required + for Diameter agents to route requests when the User-Name AVP + contains a NAI formatted with multiple realms. These multi-realm + Network Access Identifiers are used in order to force the routing + of request messages through a predefined list of mediating realms. + + o "Diameter Straightforward-Naming Authority Pointer (S-NAPTR) + Usage" [RFC6408] describes an improved DNS-based dynamic Diameter + agent discovery mechanism without having to do diameter capability + exchange beforehand with a number of agents. + + There have been a growing number of Diameter Framework documents from + the IETF that basically are just a collection of AVPs for a specific + purpose or a system architecture with semantic AVP descriptions and a + logic for "imaginary" applications. From a standardization point of + view, this practice allows the development of larger system + architecture documents that do not need to reference AVPs or + application logic outside the IETF. Below are examples of a few + recent AVP and Framework documents: + + + + + + + + +Ersue & Claise Informational [Page 34] + +RFC 6632 IETF Management Standards June 2012 + + + o "Diameter Mobile IPv6: Support for Network Access Server to + Diameter Server Interaction" [RFC5447] describes the bootstrapping + of the Mobile IPv6 framework and the support of interworking with + existing AAA infrastructures by using the diameter NAS-to-home-AAA + server interface. + + o "Traffic Classification and Quality of Service (QoS) Attributes + for Diameter" [RFC5777] defines a number of Diameter AVPs for + traffic classification with actions for filtering and QoS + treatment. + + o "Diameter Proxy Mobile IPv6: Mobile Access Gateway and Local + Mobility Anchor Interaction with Diameter Server" [RFC5779] + defines AAA interactions between Proxy Mobile IPv6 (PMIPv6) + entities (MAG and LMA) and a AAA server within a PMIPv6 Domain. + + For information on MIB modules related to diameter, see + Section 4.2.5. + +3.7. Control and Provisioning of Wireless Access Points (CAPWAP) + + Wireless LAN (WLAN) product architectures have evolved from single + autonomous Access Points to systems consisting of a centralized + Access Controller (AC) and Wireless Termination Points (WTPs). The + general goal of centralized control architectures is to move access + control, including user authentication and authorization, mobility + management, and radio management from the single access point to a + centralized controller, where an Access Point pulls the information + from the AC. + + Based on "Architecture Taxonomy for Control and Provisioning of + Wireless Access Points (CAPWAP)" [RFC4118], the CAPWAP working group + developed the CAPWAP protocol [RFC5415] to facilitate control, + management, and provisioning of WTPs specifying the services, + functions, and resources relating to 802.11 WLAN Termination Points + in order to allow for interoperable implementations of WTPs and ACs. + The protocol defines the CAPWAP control plane, including the + primitives to control data access. The protocol document also + specifies how configuration management of WTPs can be done and + defines CAPWAP operations responsible for debugging, gathering + statistics, logging, and managing firmware as well as discusses + operational and transport considerations. + + The CAPWAP protocol is prepared to be independent of Layer 2 + technologies, and meets the objectives in "Objectives for Control and + Provisioning of Wireless Access Points (CAPWAP)" [RFC4564]. Separate + + + + + +Ersue & Claise Informational [Page 35] + +RFC 6632 IETF Management Standards June 2012 + + + binding extensions enable the use with additional wireless + technologies. [RFC5416] defines the CAPWAP Protocol Binding for IEEE + 802.11. + + CAPWAP Control messages, and optionally CAPWAP Data messages, are + secured using DTLS [RFC6347]. DTLS is used as a tightly integrated, + secure wrapper for the CAPWAP protocol. + + For information on MIB modules related to CAPWAP, see Section 4.2.2. + +3.8. Access Node Control Protocol (ANCP) + + The Access Node Control Protocol (ANCP) [RFC6320] realizes a control + plane between a service-oriented Layer 3 edge device, the NAS and a + Layer 2 Access Node (AN), e.g., Digital Subscriber Line Access Module + (DSLAM). As such, ANCP operates in a multi-service reference + architecture and communicates QoS-, service-, and subscriber-related + configuration and operation information between a NAS and an AN. + + The main goal of this protocol is to configure and manage access + equipment and allow them to report information to the NAS in order to + enable and optimize configuration. + + The framework and requirements for an AN control mechanism and the + use cases for ANCP are documented in [RFC5851]. + + ANCP offers authentication and authorization between AN and NAS nodes + and provides replay protection and data-origin authentication. The + ANCP solution is also robust against Denial-of-Service (DoS) attacks. + Furthermore, the ANCP solution is recommended to offer + confidentiality protection. Security Threats and Security + Requirements for ANCP are discussed in [RFC5713]. + +3.9. Application Configuration Access Protocol (ACAP) + + The Application Configuration Access Protocol (ACAP) [RFC2244] is + designed to support remote storage and access of program option, + configuration, and preference information. The datastore model is + designed to allow a client relatively simple access to interesting + data, to allow new information to be easily added without server + reconfiguration, and to promote the use of both standardized data and + custom or proprietary data. Key features include "inheritance", + which can be used to manage default values for configuration settings + and access control lists that allow interesting personal information + to be shared and group information to be restricted. + + + + + + +Ersue & Claise Informational [Page 36] + +RFC 6632 IETF Management Standards June 2012 + + + ACAP's primary purpose is to allow applications access to their + configuration data from multiple network-connected computers. Users + can then use any network-connected computer, run any ACAP-enabled + application, and have access to their own configuration data. To + enable wide usage client simplicity has been preferred to server or + protocol simplicity whenever reasonable. + + The ACAP 'authenticate' command uses Simple Authentication and + Security Layer (SASL) [RFC4422] to provide basic authentication, + authorization, integrity, and privacy services. All ACAP + implementations are required to implement the CRAM-MD5 (Challenge- + Response Authentication Mechanism) [RFC2195] for authentication, + which can be disabled based on the site security policy. + +3.10. XML Configuration Access Protocol (XCAP) + + The Extensible Markup Language (XML) Configuration Access Protocol + (XCAP) [RFC4825] has been designed for and is commonly used with SIP- + based solutions, in particular, for instant messages, presence, and + SIP conferences. XCAP is a protocol that allows a client to read, + write, and modify application configuration data stored in XML format + on a server, where the main functionality is provided by so-called + "XCAP Application Usages". + + XCAP is a protocol that can be used to manipulate per-user data. + XCAP is a set of conventions for mapping XML documents and document + components into HTTP URIs, rules for how the modification of one + resource affects another, data validation constraints, and + authorization policies associated with access to those resources. + Because of this structure, normal HTTP primitives can be used to + manipulate the data. Like ACAP, XCAP supports the configuration + needs for a multiplicity of applications. + + All XCAP servers are required to implement HTTP Digest Authentication + [RFC2617]. Furthermore, XCAP servers are required to implement HTTP + over TLS (HTTPS) [RFC2818]. It is recommended that administrators + use an HTTPS URI as the XCAP root URI, so that the digest client + authentication occurs over TLS. + + The following list summarizes important XCAP application usages: + + o XCAP server capabilities [RFC4825] can be read by clients to + determine which extensions, application usages, or namespaces a + server supports. + + o A resource lists application is any application that needs access + to a list of resources, identified by a URI, to which operations, + such as subscriptions, can be applied [RFC4826]. + + + +Ersue & Claise Informational [Page 37] + +RFC 6632 IETF Management Standards June 2012 + + + o A Resource List Server (RLS) Services application is a SIP + application, where a server receives SIP SUBSCRIBE requests for + resources and generates subscriptions towards the resource list + [RFC4826]. + + o A Presence Rules application uses authorization policies, also + known as authorization rules, to specify what presence information + can be given to which watchers, and when [RFC4827]. + + o A 'pidf-manipulation' application defines how XCAP is used to + manipulate the contents of PIDF-based presence documents + [RFC4827]. + +4. Network Management Data Models + + This section provides two complementary overviews for the network + management data models standardized at IETF. The first subsection + focuses on a broader view of models classified into categories such + as generic and infrastructure data models as well as data models + matched to different layers. The second subsection is structured + following the management application view and focuses mainly on the + data models for the network management tasks fault, configuration, + accounting, performance, and security management (see [FCAPS]). + + Note that the IETF does not use the FCAPS view as an organizing + principle for its data models. However, the FCAPS view is used + widely outside of the IETF for the realization of management tasks + and applications. Section 4.2 aims to address the FCAPS view to + enable people outside of the IETF to understand the relevant data + models in the IETF. + + The different data models covered in this section are MIB modules, + IPFIX Information Elements, Syslog Structured Data Elements, and YANG + modules. There are many technology-specific IETF data models, such + as transmission and protocol MIBs, which are not mentioned in this + document and can be found at [RFCSEARCH]. + + This section gives an overview of management data models that have + reached Draft or Proposed Standard status at the IETF. In + exceptional cases, important Informational RFCs are referenced. The + advancement process for management data models beyond Proposed + Standard status, has been defined in [BCP027] with a more pragmatic + approach and special considerations on data model specification + interoperability. However, most IETF management data models never + advanced beyond Proposed Standard. + + + + + + +Ersue & Claise Informational [Page 38] + +RFC 6632 IETF Management Standards June 2012 + + +4.1. IETF Network Management Data Models + + The data models defined by the IETF can be broadly classified into + the following categories depicted in Figure 1. + + +-----------+ +-------------------------------+ +-----------+ + | | | application-layer data models | | network | + | generic | +-------------------------------+ | management| + | infra- | | transport-layer data models | | infra- | + | structure | +-------------------------------+ | structure | + | data | | network-layer data models | | data | + | models | +-------------------------------+ | models | + | | | link-layer data models | | | + +-----------+ +-------------------------------+ +-----------+ + + Figure 1: Categories of Network Management Data Models + + Each of the categories is briefly described below. Note that the + classification used here is intended to provide orientation and + reflects how most data models have been developed in the IETF by the + various working groups. This classification does not aim to classify + correctly all data models that have been defined by the IETF so far. + The network layering model in the middle of Figure 1 follows the + four-layer model of the Internet as defined in [RFC1021]. + + The network management object identifiers for use with IETF MIB + modules defined in the IETF can be found under the IANA registry at + [SMI-NUMBERS]. + +4.1.1. Generic Infrastructure Data Models + + Generic infrastructure data models provide core abstractions that + many other data models are built upon. The most important example is + the interfaces data model defined in the IF-MIB [RFC2863]. It + provides the basic notion of network interfaces and allows expressing + stacking/layering relationships between interfaces. The interfaces + data model also provides basic monitoring objects that are widely + used for performance and fault management. + + The second important infrastructure data model is defined in the + Entity MIB [RFC4133]. It exports the containment hierarchy of the + physical entities (slots, modules, ports) that make up a networking + device and, as such, it is a key data model for inventory management. + Physical entities can have pointers to other data models that provide + more specific information about them (e.g., physical ports usually + point to the related network interface). Entity MIB extensions exist + for physical sensors such as temperature sensors embedded on line + cards or sensors that report fan rotation speeds [RFC3433]. The + + + +Ersue & Claise Informational [Page 39] + +RFC 6632 IETF Management Standards June 2012 + + + Entity State MIB [RFC4268] models states and alarms of physical + entities. Some vendors have extended the basic Entity MIB with + several proprietary data models. + +4.1.2. Link-Layer Data Models + + A number of data models exist in the form of MIB modules covering the + link layers IP runs over, such as Asymmetric Bit-Rate DSL (ADSL) + [RFC4706], Very high bit-rate Digital Subscriber Line (VDSL) + [RFC5650], GMPLS [RFC4803], ISDN [RFC2127], ATM [RFC2515] [RFC3606], + Cable Modems [RFC4546], or Ethernet [RFC4188] [RFC4318] [RFC4363]. + These so-called transmission data models typically extend the generic + network interfaces data model with interface type specific + information. Most of the link-layer data models focus on monitoring + capabilities that can be used for performance and fault management + functions and, to some lesser extent, for accounting and security + management functions. Meanwhile, the IEEE has taken over the + responsibility to maintain and further develop data models for the + IEEE 802 family of protocols [RFC4663]. The cable modem industry + consortium DOCSIS is working with the IETF to publish data models for + cable modem networks as IETF Standards Track specifications. + +4.1.3. Network-Layer Data Models + + There are data models in the form of MIB modules covering IP/ICMP + [RFC4293] [RFC4292] network protocols and their extensions (e.g., + Mobile IP), the core protocols of the Internet. In addition, there + are data models covering popular unicast routing protocols (OSPF + [RFC4750], IS-IS [RFC4444], BGP-4 [RFC4273]) and multicast routing + protocols (PIM [RFC5060]). + + Detailed models also exist for performance measurements in the form + of IP Performance Metrics [RFC2330] (see Section 3.4). + + The necessary data model infrastructure for configuration data models + covering network layers are currently being defined using NETCONF + [RFC6242] and YANG [RFC6020]. + +4.1.4. Transport-Layer Data Models + + There are data models for the transport protocols TCP [RFC4022], UDP + [RFC4113], and SCTP [RFC3873]. For TCP, a data model providing + extended statistics is defined in [RFC4898]. + + + + + + + + +Ersue & Claise Informational [Page 40] + +RFC 6632 IETF Management Standards June 2012 + + +4.1.5. Application-Layer Data Models + + Some data models have been developed for specific application + protocols (e.g., SIP [RFC4780]). In addition, there are data models + that provide a generic infrastructure for instrumenting applications + in order to obtain data useful primarily for performance management + and fault management [RFC2287] [RFC2564]. In general, however, + generic application MIB modules have been less successful in gaining + widespread deployment. + +4.1.6. Network Management Infrastructure Data Models + + A number of data models are concerned with the network management + system itself. This includes, in addition to a set of SNMP MIB + modules for monitoring and configuring SNMP itself [RFC3410], some + MIB modules providing generic functions such as the calculation of + expressions over MIB objects, generic functions for thresholding and + event generation, event notification logging functions, and data + models to represent alarms [RFC2981] [RFC2982] [RFC3014] [RFC3877]. + + In addition, there are data models that allow the execution of basic + reachability and path discovery tests [RFC4560]. Another collection + of MIB modules provides remote monitoring functions, ranging from the + data link layer up to the application layer. This is known as the + "RMON family of MIB modules" [RFC3577]. + + The IPFIX Protocol [RFC5101] (Section 2.3) is used to export + information about network flows collected at so-called Observation + Points (typically, a network interface). The IEs [RFC5102] carried + in IPFIX cover the majority of the network and transport layer header + fields and a few link-layer-specific fields. Work is underway to + further extend the standardized information that can be carried in + IPFIX. + + The Syslog Protocol document [RFC5424] (Section 2.2) defines an + initial set of Structured Data Elements (SDEs) that relate to content + time quality, content origin, and meta-information about the message, + such as language. Proprietary SDEs can be used to supplement the + IETF-defined SDEs. + +4.2. Network Management Data Models - FCAPS View + + This subsection follows the management application view and aims to + match the data models to network management tasks for fault, + configuration, accounting, performance, and security management + ([FCAPS]). As OAM is a general term that refers to a toolset, which + can be used for fault detection, isolation, and performance + measurement, aspects of FCAPS in the context of the data path, such + + + +Ersue & Claise Informational [Page 41] + +RFC 6632 IETF Management Standards June 2012 + + + as fault and performance management, are also discussed in "An + Overview of Operations, Administration, and Maintenance (OAM) + Mechanisms" [OAM-OVERVIEW]. + + Some of the data models do not fit into one single FCAPS category per + design but span multiple areas. For example, there are many + technology-specific IETF data models, such as transmission and + protocol MIBs, which cover multiple FCAPS categories, and therefore + are not mentioned in this subsection and can be found at [RFCSEARCH]. + +4.2.1. Fault Management + + Fault management encloses a set of functions to detect, isolate, + notify, and correct faults encountered in a network as well as to + maintain and examine error logs. The data models below can be + utilized to realize a fault management application. + + [RFC3418], part of SNMPv3 standard [STD62], is a MIB module + containing objects in the system group that are often polled to + determine if a device is still operating, and sysUpTime can be used + to detect if the network management portion of the system has + restarted and counters have been re-initialized. + + [RFC3413], part of SNMPv3 standard [STD62], is a MIB module including + objects designed for managing notifications, including tables for + addressing, retry parameters, security, lists of targets for + notifications, and user customization filters. + + The Interfaces Group MIB [RFC2863] builds on the old standard for MIB + II [STD17] and is used as a primary MIB module for managing and + monitoring the status of network interfaces. The Interfaces Group + MIB defines a generic set of managed objects for network interfaces, + and it provides the infrastructure for additional managed objects + specific to particular types of network interfaces, such as Ethernet. + + [RFC4560] defines a MIB module for performing ping, traceroute, and + lookup operations at a host. For troubleshooting purposes, it is + useful to be able to initiate and retrieve the results of ping or + traceroute operations when they are performed at a remote host. + + The RMON (Remote Network Monitoring) MIB [STD59] can be configured to + recognize conditions on existing MIB variables (most notably error + conditions) and continuously check for them. When one of these + conditions occurs, the event may be logged, and management stations + may be notified in a number of ways (for further discussion on RMON, + see Section 4.2.4). + + + + + +Ersue & Claise Informational [Page 42] + +RFC 6632 IETF Management Standards June 2012 + + + DISMAN-EVENT-MIB in [RFC2981] and DISMAN-EXPRESSION-MIB in [RFC2982] + provide a superset of the capabilities of the RMON alarm and event + groups. These modules provide mechanisms for thresholding and + reporting anomalous events to management applications. + + The Alarm MIB in [RFC3877] and the Alarm Reporting Control MIB in + [RFC3878] specify mechanisms for expressing state transition models + for persistent problem states. Alarm MIB defines the following: + + o a mechanism for expressing state transition models for persistent + problem states, + + o a mechanism to correlate a notification with subsequent state + transition notifications about the same entity/object, and + + o a generic alarm reporting mechanism (extends ITU-T work on X.733 + [ITU-X733]). + + In particular, [RFC3878] defines objects for controlling the + reporting of alarm conditions and extends ITU-T work on M.3100 + Amendment 3 [ITU-M3100]. + + Other MIB modules that may be applied to fault management with SNMP + include: + + o NOTIFICATION-LOG-MIB [RFC3014] describes managed objects used for + logging SNMP Notifications. + + o ENTITY-STATE-MIB [RFC4268] describes extensions to the Entity MIB + to provide information about the state of physical entities. + + o ENTITY-SENSOR-MIB [RFC3433] describes managed objects for + extending the Entity MIB to provide generalized access to + information related to physical sensors, which are often found in + networking equipment (such as chassis temperature, fan RPM, power + supply voltage). + + The Syslog protocol document [RFC5424] defines an initial set of SDEs + that relate to content time quality, content origin, and meta- + information about the message, such as language. Proprietary SDEs + can be used to supplement the IETF-defined SDEs. + + The IETF has standardized MIB Textual-Conventions for facility and + severity labels and codes to encourage consistency between syslog and + MIB representations of these event properties [RFC5427]. The intent + is that these textual conventions will be imported and used in MIB + modules that would otherwise define their own representations. + + + + +Ersue & Claise Informational [Page 43] + +RFC 6632 IETF Management Standards June 2012 + + + An IPFIX MIB module [RFC5815] has been defined for monitoring IPFIX + Meters, Exporters, and Collectors (see Section 2.3). The ongoing + work on the PSAMP MIB module extends the IPFIX MIB modules by managed + objects for monitoring PSAMP implementations [PSAMP-MIB]. + + The NETCONF working group defined the data model necessary to monitor + the NETCONF protocol [RFC6022] with the modeling language YANG. The + monitoring data model includes information about NETCONF datastores, + sessions, locks, and statistics, which facilitate the management of a + NETCONF server. The NETCONF monitoring document also defines methods + for NETCONF clients to discover the data models supported by a + NETCONF server and defines the operation to retrieve + them. + +4.2.2. Configuration Management + + Configuration management focuses on establishing and maintaining + consistency of a system and defines the functionality to configure + its functional and physical attributes as well as operational + information throughout its life. Configuration management includes + configuration of network devices, inventory management, and software + management. The data models below can be used to utilize + configuration management. + + MIB modules for monitoring of network configuration (e.g., for + physical and logical network topologies) already exist and provide + some of the desired capabilities. New MIB modules might be developed + for the target functionality to allow operators to monitor and modify + the operational parameters, such as timer granularity, event + reporting thresholds, target addresses, etc. + + [RFC3418], part of [STD62], contains objects in the system group + useful, e.g., for identifying the type of device and the location of + the device, the person responsible for the device. The SNMPv3 + standard [STD62] furthermore includes objects designed for + configuring principals, access control rules, notification + destinations, and for configuring proxy-forwarding SNMP agents, which + can be used to forward messages through firewalls and NAT devices. + + The Entity MIB [RFC4133] supports mainly inventory management and is + used for managing multiple logical and physical entities matched to a + single SNMP agent. This module provides a useful mechanism for + identifying the entities comprising a system and defines event + notifications for configuration changes that may be useful to + management applications. + + [RFC3165] defines a set of managed objects that enable the delegation + of management scripts to distributed managers. + + + +Ersue & Claise Informational [Page 44] + +RFC 6632 IETF Management Standards June 2012 + + + For configuring IPFIX and PSAMP devices, the IPFIX working group + developed the IPFIX Configuration Data Model [CONF-MODEL], by using + the YANG modeling language and in close collaboration with the NETMOD + working group (see Section 2.4.2). The model specifies the necessary + data for configuring and monitoring Selection Processes, caches, + Exporting Processes, and Collecting Processes of IPFIX- and PSAMP- + compliant monitoring devices. + + At the time of this writing, the NETMOD working group is developing + core system and interface models in YANG. + + The CAPWAP protocol exchanges message elements using the Type-Length- + Value (TLV) format. The base TLVs are specified in [RFC5415], while + the TLVs for IEEE 802.11 are specified in [RFC5416]. The CAPWAP Base + MIB [RFC5833] specifies managed objects for the modeling the CAPWAP + protocol and provides configuration and WTP status-monitoring aspects + of CAPWAP, where the CAPWAP Binding MIB [RFC5834] defines managed + objects for the modeling of the CAPWAP protocol for IEEE 802.11 + wireless binding. + Note: RFC 5833 and RFC 5834 have been published as Informational RFCs + to provide the basis for future work on a SNMP management of the + CAPWAP protocol. + +4.2.3. Accounting Management + + Accounting management collects usage information of network + resources. Note that the IETF does not define any mechanisms related + to billing and charging. Many technology-specific MIBs (link layer, + network layer, transport layer, or application layer) contain + counters but are not primarily targeted for accounting and, + therefore, are not included in this section. + + "RADIUS Accounting Client MIB for IPv6" [RFC4670] defines RADIUS + Accounting Client MIB objects that support version-neutral IP + addressing formats. + + "RADIUS Accounting Server MIB for IPv6" [RFC4671] defines RADIUS + Accounting Server MIB objects that support version-neutral IP + addressing formats. + + IPFIX/PSAMP Information Elements: + + As expressed in Section 2.3, the IPFIX Architecture [RFC5470] defines + components involved in IP flow measurement and reporting of + information on IP flows. As such, IPFIX records provide fine-grained + measurement data for flexible and detailed usage reporting and enable + usage-based accounting. + + + + +Ersue & Claise Informational [Page 45] + +RFC 6632 IETF Management Standards June 2012 + + + The IPFIX Information Elements (IEs) have been initially defined in + the IPFIX Information Model [RFC5102] and registered with IANA + [IANA-IPFIX]. The IPFIX IEs are composed of two types: + + o IEs related to identification of IP flows such as header + information, derived packet properties, IGP and BGP next-hop IP + address, BGP AS, etc., and + + o IEs related to counter and timestamps, such as per-flow counters + (e.g., octet count, packet count), flow start times, flow end + times, and flow duration, etc. + + The Information Elements specified in the IPFIX Information Model + [RFC5102] are used by the PSAMP protocol where applicable. PSAMP + Parameters defined in the PSAMP protocol specification are registered + at [IANA-PSAMP]. An additional set of PSAMP Information Elements for + reporting packet information with the IPFIX/PSAMP protocol such as + Sampling-related IEs are specified in the PSAMP Information Model + [RFC5477]. These IEs fulfill the requirements on reporting of + different sampling and filtering techniques specified in [RFC5475]. + +4.2.4. Performance Management + + Performance management covers a set of functions that evaluate and + report the performance of network elements and the network, with the + goal to maintain the overall network performance at a defined level. + Performance management functionality includes monitoring and + measurement of network performance parameters, gathering statistical + information, maintaining and examining activity logs. The data + models below can be used for performance management tasks. + + The RMON (Remote Network Monitoring) MIB [STD59] defines objects for + collecting data related to network performance and traffic from + remote monitoring devices. An organization may employ many remote + monitoring probes, one per network segment, to monitor its network. + These devices may be used by a network service provider to access a + (distant) client network. Most of the objects in the RMON MIB module + are suitable for the monitoring of any type of network, while some of + them are specific to the monitoring of Ethernet networks. + + RMON allows a probe to be configured to perform diagnostics and to + collect network statistics continuously, even when communication with + the management station may not be possible or efficient. The alarm + group periodically takes statistical samples from variables in the + probe and compares them to previously configured thresholds. If the + monitored variable crosses a threshold, an event is generated. + + + + + +Ersue & Claise Informational [Page 46] + +RFC 6632 IETF Management Standards June 2012 + + + "Introduction to the Remote Monitoring (RMON) Family of MIB Modules" + [RFC3577] describes the documents associated with the RMON Framework + and how they relate to each other. + + The RMON-2 MIB [RFC4502] extends RMON by providing RMON analysis up + to the application layer and defines performance data to monitor. + The SMON MIB [RFC2613] extends RMON by providing RMON analysis for + switched networks. + + "Remote Monitoring MIB Extensions for High Capacity Alarms" [RFC3434] + describes managed objects for extending the alarm thresholding + capabilities found in the RMON MIB and provides similar threshold + monitoring of objects based on the Counter64 data type. + + "Remote Network Monitoring Management Information Base for High + Capacity Networks" [RFC3273] defines objects for managing RMON + devices for use on high-speed networks. + + "Remote Monitoring MIB Extensions for Interface Parameters + Monitoring" [RFC3144] describes an extension to the RMON MIB with a + method of sorting the interfaces of a monitored device according to + values of parameters specific to this interface. + + [RFC4710] describes Real-Time Application Quality of Service + Monitoring (RAQMON), which is part of the RMON protocol family. + RAQMON supports end-to-end QoS monitoring for multiple concurrent + applications and does not relate to a specific application transport. + RAQMON is scalable and works well with encrypted payload and + signaling. RAQMON uses TCP to transport RAQMON PDUs. + + [RFC4711] proposes an extension to the Remote Monitoring MIB [STD59] + and describes managed objects used for RAQMON. [RFC4712] specifies + two transport mappings for the RAQMON information model using TCP as + a native transport and SNMP to carry the RAQMON information from a + RAQMON Data Source (RDS) to a RAQMON Report Collector (RRC). + + "Application Performance Measurement MIB" [RFC3729] uses the + architecture created in the RMON MIB and defines objects by providing + measurement and analysis of the application performance as + experienced by end-users. [RFC3729] enables the measurement of the + quality of service delivered to end-users by applications. + + "Transport Performance Metrics MIB" [RFC4150] describes managed + objects used for monitoring selectable Performance Metrics and + statistics derived from the monitoring of network packets and sub- + application level transactions. The metrics can be defined through + reference to existing IETF, ITU, and other SDOs' documents. + + + + +Ersue & Claise Informational [Page 47] + +RFC 6632 IETF Management Standards June 2012 + + + The IPPM working group has defined "IP Performance Metrics (IPPM) + Metrics Registry" [RFC4148]. Note that with the publication of + [RFC6248], [RFC4148] and the corresponding IANA registry for IPPM + metrics have been declared Obsolete and shouldn't be used. + + The IPPM working group defined the "Information Model and XML Data + Model for Traceroute Measurements" [RFC5388], which defines a common + information model dividing the IEs into two semantically separated + groups (configuration elements and results elements) with an + additional element to relate configuration elements and results + elements by means of a common unique identifier. Based on the + information model, an XML data model is provided to store the results + of traceroute measurements. + + "Session Initiation Protocol Event Package for Voice Quality + Reporting" [RFC6035] defines a SIP event package that enables the + collection and reporting of metrics that measure the quality for + Voice over Internet Protocol (VoIP) sessions. + +4.2.5. Security Management + + Security management provides the set of functions to protect the + network and system from unauthorized access and includes functions + such as creating, deleting, and controlling security services and + mechanisms, key management, reporting security-relevant events, and + authorizing user access and privileges. Based on their support for + authentication and authorization, RADIUS and diameter are seen as + security management protocols. The data models below can be used to + utilize security management. + + [RFC3414], part of [STD62], specifies the procedures for providing + SNMPv3 message-level security and includes a MIB module for remotely + monitoring and managing the configuration parameters for the USM. + + [RFC3415], part of [STD62], describes the procedures for controlling + access to management information in the SNMPv3 architecture and + includes a MIB module, which defines managed objects to access + portions of an SNMP engine's Local Configuration Datastore (LCD). As + such, this MIB module enables remote management of the configuration + parameters of the VACM. + + The NETCONF Access Control Model (NACM) [RFC6536] addresses the need + for access control mechanisms for the operation and content layers of + NETCONF, as defined in [RFC6241]. As such, the NACM proposes + standard mechanisms to restrict NETCONF protocol access for + particular users to a pre-configured subset of all available NETCONF + protocol operations and content within a particular server. + + + + +Ersue & Claise Informational [Page 48] + +RFC 6632 IETF Management Standards June 2012 + + + There are numerous MIB modules defined for multiple purposes to use + with RADIUS: + + o "RADIUS Authentication Client MIB for IPv6" [RFC4668] defines + RADIUS Authentication Client MIB objects that support version- + neutral IP addressing formats and defines a set of extensions for + RADIUS authentication client functions. + + o "RADIUS Authentication Server MIB for IPv6" [RFC4669] defines + RADIUS Authentication Server MIB objects that support version- + neutral IP addressing formats and defines a set of extensions for + RADIUS authentication server functions. + + o "RADIUS Dynamic Authorization Client MIB" [RFC4672] defines the + MIB module for entities implementing the client side of the + Dynamic Authorization Extensions to RADIUS [RFC5176]. + + o "RADIUS Dynamic Authorization Server MIB" [RFC4673] defines the + MIB module for entities implementing the server side of the + Dynamic Authorization Extensions to RADIUS [RFC5176]. + + The MIB Module definitions in [RFC4668], [RFC4669], [RFC4672], + [RFC4673] are intended to be used only for RADIUS over UDP and do not + support RADIUS over TCP. There is also a recommendation that RADIUS + clients and servers implementing RADIUS over TCP should not reuse + earlier listed MIB modules to perform statistics counting for RADIUS- + over-TCP connections. + + Currently, there are no standardized MIB modules for diameter + applications, which can be considered as a lack on the management + side of diameter nodes. + +5. Security Considerations + + This document gives an overview of IETF network management standards + and summarizes existing and ongoing development of IETF Standards + Track network management protocols and data models. As such, it does + not have any security implications in or of itself. + + For each specific technology discussed in the document a summary of + its security usage has been given in corresponding chapters. In a + few cases, e.g., for SNMP, a detailed description of developed + security mechanisms has been provided. + + The attention of the reader is particularly drawn to the security + discussion in following document sections: + + o SNMP Security and Access Control Models in Section 2.1.4.1, + + + +Ersue & Claise Informational [Page 49] + +RFC 6632 IETF Management Standards June 2012 + + + o User-based Security Model (USM) in Section 2.1.4.2, + + o View-based Access Control Model (VACM) in Section 2.1.4.3, + + o SNMP Transport Security Model in Section 2.1.5.1, + + o Secure syslog message delivery in Section 2.2, + + o Use of secure NETCONF message transport and the NETCONF Access + Control Model (NACM) in Section 2.4.1, + + o Message authentication for Dynamic Host Configuration Protocol + (DHCP) in Section 3.1.1, + + o Security for Remote Authentication Dial-In User Service (RADIUS) + in conjunction with EAP and IEEE 802.1X authenticators in + Section 3.5, + + o Built-in and transport security for the Diameter Base Protocol in + Section 3.6, + + o Transport security for Control And Provisioning of Wireless Access + Points (CAPWAP) in Section 3.7, + + o Built-in security for Access Node Control Protocol (ANCP) in + Section 3.8, + + o Security for Application Configuration Access Protocol (ACAP) in + Section 3.9, + + o Security for XML Configuration Access Protocol (XCAP) in + Section 3.10, and + + o Data models for Security Management in Section 4.2.5. + + The authors would also like to refer to detailed security + consideration sections for specific management standards described in + this document, which contain comprehensive discussion of security + implications of the particular management protocols and mechanisms. + Among others, security consideration sections of following documents + should be carefully read before implementing the technology. + + o For SNMP security in general, subsequent security consideration + sections in [STD62], which includes RFCs 3411-3418, + + o Security considerations section in Section 8 of [BCP074] for the + coexistence of SNMP versions 1, 2, and 3, + + + + +Ersue & Claise Informational [Page 50] + +RFC 6632 IETF Management Standards June 2012 + + + o Security considerations for the SNMP Transport Security Model in + Section 8 of [RFC5591], + + o Security considerations for the Secure Shell Transport Model for + SNMP in Section 9 of [RFC5592], + + o Security considerations for the TLS Transport Model for SNMP in + Section 9 of [RFC6353], + + o Security considerations for the TLS Transport Mapping for syslog + in Section 6 of [RFC5425], + + o Security considerations for the IPFIX Protocol Specification in + Section 11 of [RFC5101], + + o Security considerations for the NETCONF protocol in Section 9 of + [RFC6241] and the SSH transport in Section 6 of [RFC6242], + + o Security considerations for the NETCONF Access Control Model + (NACM) in Section 3.7 of [RFC6536], + + o Security considerations for DHCPv4 and DHCPv6 in Section 7 of + [RFC2131] and Section 23. of [RFC3315], + + o Security considerations for RADIUS in Section 8 of [RFC2865], + + o Security considerations for diameter in Section 13 of [RFC3588], + + o Security considerations for the CAPWAP protocol in Section 12 of + [RFC5415], + + o Security considerations for the ANCP protocol in Section 11 of + [RFC6320], and + + o Security considerations for the XCAP protocol in Section 14 of + [RFC4825]. + +6. Contributors + + Following persons made significant contributions to and reviewed this + document: + + o Ralph Droms (Cisco) - revised the section on IP Address Management + and DHCP. + + o Jouni Korhonen (Nokia Siemens Networks) - contributed the sections + on RADIUS and diameter. + + + + +Ersue & Claise Informational [Page 51] + +RFC 6632 IETF Management Standards June 2012 + + + o Al Morton (AT&T) - contributed to the section on IP Performance + Metrics. + + o Juergen Quittek (NEC) - contributed the section on IPFIX/PSAMP. + + o Juergen Schoenwaelder (Jacobs University Bremen) - contributed the + sections on IETF Network Management Data Models and YANG. + +7. Acknowledgements + + The editor would like to thank Fred Baker, Alex Clemm, Miguel A. + Garcia, Simon Leinen, Christopher Liljenstolpe, Tom Petch, Randy + Presuhn, Dan Romascanu, Juergen Schoenwaelder, Tina Tsou, and Henk + Uijterwaal for their valuable suggestions and comments in the OPSAWG + sessions and on the mailing list. + + The editor would like to especially thank Dave Harrington, who + created the document "Survey of IETF Network Management Standards" a + few years ago, which has been used as a starting point and enhanced + with a special focus on the description of the IETF network + management standards and management data models. + +8. Informative References + + [3GPPEPC] 3GPP, "Access to the 3GPP Evolved Packet Core (EPC) + via non-3GPP access networks", December 2010, + . + + [3GPPIMS] 3GPP, "Release 10, IP Multimedia Subsystem (IMS); + Stage 2", September 2010, + . + + [BCP027] O'Dell, M., Alvestrand, H., Wijnen, B., and S. + Bradner, "Advancement of MIB specifications on the + IETF Standards Track", BCP 27, RFC 2438, + October 1998. + + [BCP074] Frye, R., Levi, D., Routhier, S., and B. Wijnen, + "Coexistence between Version 1, Version 2, and + Version 3 of the Internet-standard Network Management + Framework", BCP 74, RFC 3584, August 2003. + + [BCP170] Clark, A. and B. Claise, "Guidelines for Considering + New Performance Metric Development", BCP 170, + RFC 6390, October 2011. + + + + + + +Ersue & Claise Informational [Page 52] + +RFC 6632 IETF Management Standards June 2012 + + + [CONF-MODEL] Muenz, G., Claise, B., and P. Aitken, "Configuration + Data Model for IPFIX and PSAMP", Work in Progress, + July 2011. + + [DIAMETER] Fajardo, V., Arkko, J., Loughney, J., and G. Zorn, + "Diameter Base Protocol", Work in Progress, + April 2012. + + [DMTF-CIM] DMTF, "Common Information Model Schema, Version + 2.27.0", November 2010, + . + + [EMAN-WG] IETF, "EMAN Working Group", + . + + [FCAPS] International Telecommunication Union, "X.700: + Management Framework For Open Systems Interconnection + (OSI) For CCITT Applications", September 1992, + . + + [IANA-AAA] Internet Assigned Numbers Authority, "Authentication, + Authorization, and Accounting (AAA) Parameters", + February 2012, + . + + [IANA-IPFIX] Internet Assigned Numbers Authority, "IP Flow + Information Export (IPFIX) Entities", May 2012, + . + + [IANA-PROT] Internet Assigned Numbers Authority, "Protocol + Registries", . + + [IANA-PSAMP] Internet Assigned Numbers Authority, "Packet Sampling + (PSAMP) Parameters", April 2009, + . + + [IETF-WGS] IETF, "IETF Working Groups", + . + + [ITU-M3100] International Telecommunication Union, "M.3100: + Generic network information model", January 2006, + . + + [ITU-X680] International Telecommunication Union, "X.680: + Abstract Syntax Notation One (ASN.1): Specification + of basic notation", July 2002, . + + + + +Ersue & Claise Informational [Page 53] + +RFC 6632 IETF Management Standards June 2012 + + + [ITU-X733] International Telecommunication Union, "X.733: + Systems Management: Alarm Reporting Function", + October 1992, + . + + [MPLSTP-MIB] King, D. and V. Mahalingam, "Multiprotocol Label + Switching Transport Profile (MPLS-TP) MIB-based + Management Overview", Work in Progress, April 2012. + + [OAM-ANALYSIS] Sprecher, N. and L. Fang, "An Overview of the OAM + Tool Set for MPLS based Transport Networks", Work + in Progress, April 2012. + + [OAM-OVERVIEW] Mizrahi, T., Sprecher, N., Bellagamba, E., and Y. + Weingarten, "An Overview of Operations, + Administration, and Maintenance (OAM) Mechanisms", + Work in Progress, March 2012. + + [PSAMP-MIB] Dietz, T., Claise, B., and J. Quittek, "Definitions + of Managed Objects for Packet Sampling", Work + in Progress, October 2011. + + [RELAX-NG] OASIS, "RELAX NG Specification, Committee + Specification 3 December 2001", December 2001, . + + [RFC0951] Croft, B. and J. Gilmore, "Bootstrap Protocol", + RFC 951, September 1985. + + [RFC1021] Partridge, C. and G. Trewitt, "High-level Entity + Management System (HEMS)", RFC 1021, October 1987. + + [RFC1155] Rose, M. and K. McCloghrie, "Structure and + identification of management information for TCP/ + IP-based internets", STD 16, RFC 1155, May 1990. + + [RFC1157] Case, J., Fedor, M., Schoffstall, M., and J. Davin, + "Simple Network Management Protocol (SNMP)", STD 15, + RFC 1157, May 1990. + + [RFC1212] Rose, M. and K. McCloghrie, "Concise MIB + definitions", STD 16, RFC 1212, March 1991. + + [RFC1215] Rose, M., "Convention for defining traps for use with + the SNMP", RFC 1215, March 1991. + + + + + +Ersue & Claise Informational [Page 54] + +RFC 6632 IETF Management Standards June 2012 + + + [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", + RFC 1321, April 1992. + + [RFC1470] Enger, R. and J. Reynolds, "FYI on a Network + Management Tool Catalog: Tools for Monitoring and + Debugging TCP/IP Internets and Interconnected + Devices", RFC 1470, June 1993. + + [RFC1901] Case, J., McCloghrie, K., McCloghrie, K., Rose, M., + and S. Waldbusser, "Introduction to Community-based + SNMPv2", RFC 1901, January 1996. + + [RFC2026] Bradner, S., "The Internet Standards Process -- + Revision 3", BCP 9, RFC 2026, October 1996. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC2127] Roeck, G., "ISDN Management Information Base using + SMIv2", RFC 2127, March 1997. + + [RFC2131] Droms, R., "Dynamic Host Configuration Protocol", + RFC 2131, March 1997. + + [RFC2195] Klensin, J., Catoe, R., and P. Krumviede, "IMAP/POP + AUTHorize Extension for Simple Challenge/Response", + RFC 2195, September 1997. + + [RFC2244] Newman, C. and J. Myers, "ACAP -- Application + Configuration Access Protocol", RFC 2244, + November 1997. + + [RFC2287] Krupczak, C. and J. Saperia, "Definitions of System- + Level Managed Objects for Applications", RFC 2287, + February 1998. + + [RFC2330] Paxson, V., Almes, G., Mahdavi, J., and M. Mathis, + "Framework for IP Performance Metrics", RFC 2330, + May 1998. + + [RFC2458] Lu, H., Krishnaswamy, M., Conroy, L., Bellovin, S., + Burg, F., DeSimone, A., Tewani, K., Davidson, P., + Schulzrinne, H., and K. Vishwanathan, "Toward the + PSTN/Internet Inter-Networking --Pre-PINT + Implementations", RFC 2458, November 1998. + + [RFC2515] Tesink, K., "Definitions of Managed Objects for ATM + Management", RFC 2515, February 1999. + + + +Ersue & Claise Informational [Page 55] + +RFC 6632 IETF Management Standards June 2012 + + + [RFC2564] Kalbfleisch, C., Krupczak, C., Presuhn, R., and J. + Saperia, "Application Management MIB", RFC 2564, + May 1999. + + [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. + Schoenwaelder, Ed., "Structure of Management + Information Version 2 (SMIv2)", STD 58, RFC 2578, + April 1999. + + [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. + Schoenwaelder, Ed., "Textual Conventions for SMIv2", + STD 58, RFC 2579, April 1999. + + [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, + "Conformance Statements for SMIv2", STD 58, RFC 2580, + April 1999. + + [RFC2610] Perkins, C. and E. Guttman, "DHCP Options for Service + Location Protocol", RFC 2610, June 1999. + + [RFC2613] Waterman, R., Lahaye, B., Romascanu, D., and S. + Waldbusser, "Remote Network Monitoring MIB Extensions + for Switched Networks Version 1.0", RFC 2613, + June 1999. + + [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., + Lawrence, S., Leach, P., Luotonen, A., and L. + Stewart, "HTTP Authentication: Basic and Digest + Access Authentication", RFC 2617, June 1999. + + [RFC2678] Mahdavi, J. and V. Paxson, "IPPM Metrics for + Measuring Connectivity", RFC 2678, September 1999. + + [RFC2679] Almes, G., Kalidindi, S., and M. Zekauskas, "A One- + way Delay Metric for IPPM", RFC 2679, September 1999. + + [RFC2680] Almes, G., Kalidindi, S., and M. Zekauskas, "A One- + way Packet Loss Metric for IPPM", RFC 2680, + September 1999. + + [RFC2681] Almes, G., Kalidindi, S., and M. Zekauskas, "A Round- + trip Delay Metric for IPPM", RFC 2681, + September 1999. + + [RFC2748] Durham, D., Boyle, J., Cohen, R., Herzog, S., Rajan, + R., and A. Sastry, "The COPS (Common Open Policy + Service) Protocol", RFC 2748, January 2000. + + + + +Ersue & Claise Informational [Page 56] + +RFC 6632 IETF Management Standards June 2012 + + + [RFC2753] Yavatkar, R., Pendarakis, D., and R. Guerin, "A + Framework for Policy-based Admission Control", + RFC 2753, January 2000. + + [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000. + + [RFC2863] McCloghrie, K. and F. Kastenholz, "The Interfaces + Group MIB", RFC 2863, June 2000. + + [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, + "Remote Authentication Dial In User Service + (RADIUS)", RFC 2865, June 2000. + + [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. + + [RFC2867] Zorn, G., Aboba, B., and D. Mitton, "RADIUS + Accounting Modifications for Tunnel Protocol + Support", RFC 2867, June 2000. + + [RFC2868] Zorn, G., Leifer, D., Rubens, A., Shriver, J., + Holdrege, M., and I. Goyret, "RADIUS Attributes for + Tunnel Protocol Support", RFC 2868, June 2000. + + [RFC2869] Rigney, C., Willats, W., and P. Calhoun, "RADIUS + Extensions", RFC 2869, June 2000. + + [RFC2981] Kavasseri, R., "Event MIB", RFC 2981, October 2000. + + [RFC2982] Kavasseri, R., "Distributed Management Expression + MIB", RFC 2982, October 2000. + + [RFC3014] Kavasseri, R., "Notification Log MIB", RFC 3014, + November 2000. + + [RFC3046] Patrick, M., "DHCP Relay Agent Information Option", + RFC 3046, January 2001. + + [RFC3084] Chan, K., Seligson, J., Durham, D., Gai, S., + McCloghrie, K., Herzog, S., Reichmeyer, F., Yavatkar, + R., and A. Smith, "COPS Usage for Policy Provisioning + (COPS-PR)", RFC 3084, March 2001. + + [RFC3144] Romascanu, D., "Remote Monitoring MIB Extensions for + Interface Parameters Monitoring", RFC 3144, + August 2001. + + + + + + +Ersue & Claise Informational [Page 57] + +RFC 6632 IETF Management Standards June 2012 + + + [RFC3159] McCloghrie, K., Fine, M., Seligson, J., Chan, K., + Hahn, S., Sahita, R., Smith, A., and F. Reichmeyer, + "Structure of Policy Provisioning Information + (SPPI)", RFC 3159, August 2001. + + [RFC3162] Aboba, B., Zorn, G., and D. Mitton, "RADIUS and + IPv6", RFC 3162, August 2001. + + [RFC3164] Lonvick, C., "The BSD Syslog Protocol", RFC 3164, + August 2001. + + [RFC3165] Levi, D. and J. Schoenwaelder, "Definitions of + Managed Objects for the Delegation of Management + Scripts", RFC 3165, August 2001. + + [RFC3195] New, D. and M. Rose, "Reliable Delivery for syslog", + RFC 3195, November 2001. + + [RFC3273] Waldbusser, S., "Remote Network Monitoring Management + Information Base for High Capacity Networks", + RFC 3273, July 2002. + + [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, + C., and M. Carney, "Dynamic Host Configuration + Protocol for IPv6 (DHCPv6)", RFC 3315, July 2003. + + [RFC3319] Schulzrinne, H. and B. Volz, "Dynamic Host + Configuration Protocol (DHCPv6) Options for Session + Initiation Protocol (SIP) Servers", RFC 3319, + July 2003. + + [RFC3393] Demichelis, C. and P. Chimento, "IP Packet Delay + Variation Metric for IP Performance Metrics (IPPM)", + RFC 3393, November 2002. + + [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, + "Introduction and Applicability Statements for + Internet-Standard Management Framework", RFC 3410, + December 2002. + + [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An + Architecture for Describing Simple Network Management + Protocol (SNMP) Management Frameworks", STD 62, + RFC 3411, December 2002. + + [RFC3413] Levi, D., Meyer, P., and B. Stewart, "Simple Network + Management Protocol (SNMP) Applications", STD 62, + RFC 3413, December 2002. + + + +Ersue & Claise Informational [Page 58] + +RFC 6632 IETF Management Standards June 2012 + + + [RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security + Model (USM) for version 3 of the Simple Network + Management Protocol (SNMPv3)", STD 62, RFC 3414, + December 2002. + + [RFC3415] Wijnen, B., Presuhn, R., and K. McCloghrie, "View- + based Access Control Model (VACM) for the Simple + Network Management Protocol (SNMP)", STD 62, + RFC 3415, December 2002. + + [RFC3417] Presuhn, R., "Transport Mappings for the Simple + Network Management Protocol (SNMP)", STD 62, + RFC 3417, December 2002. + + [RFC3418] Presuhn, R., "Management Information Base (MIB) for + the Simple Network Management Protocol (SNMP)", + STD 62, RFC 3418, December 2002. + + [RFC3430] Schoenwaelder, J., "Simple Network Management + Protocol Over Transmission Control Protocol Transport + Mapping", RFC 3430, December 2002. + + [RFC3432] Raisanen, V., Grotefeld, G., and A. Morton, "Network + performance measurement with periodic streams", + RFC 3432, November 2002. + + [RFC3433] Bierman, A., Romascanu, D., and K. Norseth, "Entity + Sensor Management Information Base", RFC 3433, + December 2002. + + [RFC3434] Bierman, A. and K. McCloghrie, "Remote Monitoring MIB + Extensions for High Capacity Alarms", RFC 3434, + December 2002. + + [RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference + between Information Models and Data Models", + RFC 3444, January 2003. + + [RFC3460] Moore, B., "Policy Core Information Model (PCIM) + Extensions", RFC 3460, January 2003. + + [RFC3535] Schoenwaelder, J., "Overview of the 2002 IAB Network + Management Workshop", RFC 3535, May 2003. + + [RFC3574] Soininen, J., "Transition Scenarios for 3GPP + Networks", RFC 3574, August 2003. + + + + + +Ersue & Claise Informational [Page 59] + +RFC 6632 IETF Management Standards June 2012 + + + [RFC3577] Waldbusser, S., Cole, R., Kalbfleisch, C., and D. + Romascanu, "Introduction to the Remote Monitoring + (RMON) Family of MIB Modules", RFC 3577, August 2003. + + [RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote + Authentication Dial In User Service) Support For + Extensible Authentication Protocol (EAP)", RFC 3579, + September 2003. + + [RFC3580] Congdon, P., Aboba, B., Smith, A., Zorn, G., and J. + Roese, "IEEE 802.1X Remote Authentication Dial In + User Service (RADIUS) Usage Guidelines", RFC 3580, + September 2003. + + [RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and + J. Arkko, "Diameter Base Protocol", RFC 3588, + September 2003. + + [RFC3589] Loughney, J., "Diameter Command Codes for Third + Generation Partnership Project (3GPP) Release 5", + RFC 3589, September 2003. + + [RFC3606] Ly, F., Noto, M., Smith, A., Spiegel, E., and K. + Tesink, "Definitions of Supplemental Managed Objects + for ATM Interface", RFC 3606, November 2003. + + [RFC3633] Troan, O. and R. Droms, "IPv6 Prefix Options for + Dynamic Host Configuration Protocol (DHCP) version + 6", RFC 3633, December 2003. + + [RFC3646] Droms, R., "DNS Configuration options for Dynamic + Host Configuration Protocol for IPv6 (DHCPv6)", + RFC 3646, December 2003. + + [RFC3729] Waldbusser, S., "Application Performance Measurement + MIB", RFC 3729, March 2004. + + [RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., + and H. Levkowetz, "Extensible Authentication Protocol + (EAP)", RFC 3748, June 2004. + + [RFC3758] Stewart, R., Ramalho, M., Xie, Q., Tuexen, M., and P. + Conrad, "Stream Control Transmission Protocol (SCTP) + Partial Reliability Extension", RFC 3758, May 2004. + + + + + + + +Ersue & Claise Informational [Page 60] + +RFC 6632 IETF Management Standards June 2012 + + + [RFC3868] Loughney, J., Sidebottom, G., Coene, L., Verwimp, G., + Keller, J., and B. Bidulock, "Signalling Connection + Control Part User Adaptation Layer (SUA)", RFC 3868, + October 2004. + + [RFC3873] Pastor, J. and M. Belinchon, "Stream Control + Transmission Protocol (SCTP) Management Information + Base (MIB)", RFC 3873, September 2004. + + [RFC3877] Chisholm, S. and D. Romascanu, "Alarm Management + Information Base (MIB)", RFC 3877, September 2004. + + [RFC3878] Lam, H., Huynh, A., and D. Perkins, "Alarm Reporting + Control Management Information Base (MIB)", RFC 3878, + September 2004. + + [RFC3917] Quittek, J., Zseby, T., Claise, B., and S. Zander, + "Requirements for IP Flow Information Export + (IPFIX)", RFC 3917, October 2004. + + [RFC3954] Claise, B., "Cisco Systems NetFlow Services Export + Version 9", RFC 3954, October 2004. + + [RFC4004] Calhoun, P., Johansson, T., Perkins, C., Hiller, T., + and P. McCann, "Diameter Mobile IPv4 Application", + RFC 4004, August 2005. + + [RFC4005] Calhoun, P., Zorn, G., Spence, D., and D. Mitton, + "Diameter Network Access Server Application", + RFC 4005, August 2005. + + [RFC4006] Hakala, H., Mattila, L., Koskinen, J-P., Stura, M., + and J. Loughney, "Diameter Credit-Control + Application", RFC 4006, August 2005. + + [RFC4022] Raghunarayan, R., "Management Information Base for + the Transmission Control Protocol (TCP)", RFC 4022, + March 2005. + + [RFC4029] Lind, M., Ksinant, V., Park, S., Baudot, A., and P. + Savola, "Scenarios and Analysis for Introducing IPv6 + into ISP Networks", RFC 4029, March 2005. + + [RFC4038] Shin, M-K., Hong, Y-G., Hagino, J., Savola, P., and + E. Castro, "Application Aspects of IPv6 Transition", + RFC 4038, March 2005. + + + + + +Ersue & Claise Informational [Page 61] + +RFC 6632 IETF Management Standards June 2012 + + + [RFC4057] Bound, J., "IPv6 Enterprise Network Scenarios", + RFC 4057, June 2005. + + [RFC4072] Eronen, P., Hiller, T., and G. Zorn, "Diameter + Extensible Authentication Protocol (EAP) + Application", RFC 4072, August 2005. + + [RFC4113] Fenner, B. and J. Flick, "Management Information Base + for the User Datagram Protocol (UDP)", RFC 4113, + June 2005. + + [RFC4118] Yang, L., Zerfos, P., and E. Sadot, "Architecture + Taxonomy for Control and Provisioning of Wireless + Access Points (CAPWAP)", RFC 4118, June 2005. + + [RFC4133] Bierman, A. and K. McCloghrie, "Entity MIB (Version + 3)", RFC 4133, August 2005. + + [RFC4148] Stephan, E., "IP Performance Metrics (IPPM) Metrics + Registry", BCP 108, RFC 4148, August 2005. + + [RFC4150] Dietz, R. and R. Cole, "Transport Performance Metrics + MIB", RFC 4150, August 2005. + + [RFC4188] Norseth, K. and E. Bell, "Definitions of Managed + Objects for Bridges", RFC 4188, September 2005. + + [RFC4213] Nordmark, E. and R. Gilligan, "Basic Transition + Mechanisms for IPv6 Hosts and Routers", RFC 4213, + October 2005. + + [RFC4215] Wiljakka, J., "Analysis on IPv6 Transition in Third + Generation Partnership Project (3GPP) Networks", + RFC 4215, October 2005. + + [RFC4221] Nadeau, T., Srinivasan, C., and A. Farrel, + "Multiprotocol Label Switching (MPLS) Management + Overview", RFC 4221, November 2005. + + [RFC4268] Chisholm, S. and D. Perkins, "Entity State MIB", + RFC 4268, November 2005. + + [RFC4273] Haas, J. and S. Hares, "Definitions of Managed + Objects for BGP-4", RFC 4273, January 2006. + + + + + + + +Ersue & Claise Informational [Page 62] + +RFC 6632 IETF Management Standards June 2012 + + + [RFC4280] Chowdhury, K., Yegani, P., and L. Madour, "Dynamic + Host Configuration Protocol (DHCP) Options for + Broadcast and Multicast Control Servers", RFC 4280, + November 2005. + + [RFC4285] Patel, A., Leung, K., Khalil, M., Akhtar, H., and K. + Chowdhury, "Authentication Protocol for Mobile IPv6", + RFC 4285, January 2006. + + [RFC4292] Haberman, B., "IP Forwarding Table MIB", RFC 4292, + April 2006. + + [RFC4293] Routhier, S., "Management Information Base for the + Internet Protocol (IP)", RFC 4293, April 2006. + + [RFC4301] Kent, S. and K. Seo, "Security Architecture for the + Internet Protocol", RFC 4301, December 2005. + + [RFC4318] Levi, D. and D. Harrington, "Definitions of Managed + Objects for Bridges with Rapid Spanning Tree + Protocol", RFC 4318, December 2005. + + [RFC4363] Levi, D. and D. Harrington, "Definitions of Managed + Objects for Bridges with Traffic Classes, Multicast + Filtering, and Virtual LAN Extensions", RFC 4363, + January 2006. + + [RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication + and Security Layer (SASL)", RFC 4422, June 2006. + + [RFC4444] Parker, J., "Management Information Base for + Intermediate System to Intermediate System (IS-IS)", + RFC 4444, April 2006. + + [RFC4502] Waldbusser, S., "Remote Network Monitoring Management + Information Base Version 2", RFC 4502, May 2006. + + [RFC4546] Raftus, D. and E. Cardona, "Radio Frequency (RF) + Interface Management Information Base for Data over + Cable Service Interface Specifications (DOCSIS) 2.0 + Compliant RF Interfaces", RFC 4546, June 2006. + + [RFC4560] Quittek, J. and K. White, "Definitions of Managed + Objects for Remote Ping, Traceroute, and Lookup + Operations", RFC 4560, June 2006. + + + + + + +Ersue & Claise Informational [Page 63] + +RFC 6632 IETF Management Standards June 2012 + + + [RFC4564] Govindan, S., Cheng, H., Yao, ZH., Zhou, WH., and L. + Yang, "Objectives for Control and Provisioning of + Wireless Access Points (CAPWAP)", RFC 4564, + July 2006. + + [RFC4656] Shalunov, S., Teitelbaum, B., Karp, A., Boote, J., + and M. Zekauskas, "A One-way Active Measurement + Protocol (OWAMP)", RFC 4656, September 2006. + + [RFC4663] Harrington, D., "Transferring MIB Work from IETF + Bridge MIB WG to IEEE 802.1 WG", RFC 4663, + September 2006. + + [RFC4668] Nelson, D., "RADIUS Authentication Client MIB for + IPv6", RFC 4668, August 2006. + + [RFC4669] Nelson, D., "RADIUS Authentication Server MIB for + IPv6", RFC 4669, August 2006. + + [RFC4670] Nelson, D., "RADIUS Accounting Client MIB for IPv6", + RFC 4670, August 2006. + + [RFC4671] Nelson, D., "RADIUS Accounting Server MIB for IPv6", + RFC 4671, August 2006. + + [RFC4672] De Cnodder, S., Jonnala, N., and M. Chiba, "RADIUS + Dynamic Authorization Client MIB", RFC 4672, + September 2006. + + [RFC4673] De Cnodder, S., Jonnala, N., and M. Chiba, "RADIUS + Dynamic Authorization Server MIB", RFC 4673, + September 2006. + + [RFC4675] Congdon, P., Sanchez, M., and B. Aboba, "RADIUS + Attributes for Virtual LAN and Priority Support", + RFC 4675, September 2006. + + [RFC4706] Morgenstern, M., Dodge, M., Baillie, S., and U. + Bonollo, "Definitions of Managed Objects for + Asymmetric Digital Subscriber Line 2 (ADSL2)", + RFC 4706, November 2006. + + [RFC4710] Siddiqui, A., Romascanu, D., and E. Golovinsky, + "Real-time Application Quality-of-Service Monitoring + (RAQMON) Framework", RFC 4710, October 2006. + + + + + + +Ersue & Claise Informational [Page 64] + +RFC 6632 IETF Management Standards June 2012 + + + [RFC4711] Siddiqui, A., Romascanu, D., and E. Golovinsky, + "Real-time Application Quality-of-Service Monitoring + (RAQMON) MIB", RFC 4711, October 2006. + + [RFC4712] Siddiqui, A., Romascanu, D., Golovinsky, E., Rahman, + M., and Y. Kim, "Transport Mappings for Real-time + Application Quality-of-Service Monitoring (RAQMON) + Protocol Data Unit (PDU)", RFC 4712, October 2006. + + [RFC4737] Morton, A., Ciavattone, L., Ramachandran, G., + Shalunov, S., and J. Perser, "Packet Reordering + Metrics", RFC 4737, November 2006. + + [RFC4740] Garcia-Martin, M., Belinchon, M., Pallares-Lopez, M., + Canales-Valenzuela, C., and K. Tammi, "Diameter + Session Initiation Protocol (SIP) Application", + RFC 4740, November 2006. + + [RFC4743] Goddard, T., "Using NETCONF over the Simple Object + Access Protocol (SOAP)", RFC 4743, December 2006. + + [RFC4744] Lear, E. and K. Crozier, "Using the NETCONF Protocol + over the Blocks Extensible Exchange Protocol (BEEP)", + RFC 4744, December 2006. + + [RFC4750] Joyal, D., Galecki, P., Giacalone, S., Coltun, R., + and F. Baker, "OSPF Version 2 Management Information + Base", RFC 4750, December 2006. + + [RFC4780] Lingle, K., Mule, J-F., Maeng, J., and D. Walker, + "Management Information Base for the Session + Initiation Protocol (SIP)", RFC 4780, April 2007. + + [RFC4789] Schoenwaelder, J. and T. Jeffree, "Simple Network + Management Protocol (SNMP) over IEEE 802 Networks", + RFC 4789, November 2006. + + [RFC4803] Nadeau, T. and A. Farrel, "Generalized Multiprotocol + Label Switching (GMPLS) Label Switching Router (LSR) + Management Information Base", RFC 4803, + February 2007. + + [RFC4818] Salowey, J. and R. Droms, "RADIUS Delegated-IPv6- + Prefix Attribute", RFC 4818, April 2007. + + [RFC4825] Rosenberg, J., "The Extensible Markup Language (XML) + Configuration Access Protocol (XCAP)", RFC 4825, + May 2007. + + + +Ersue & Claise Informational [Page 65] + +RFC 6632 IETF Management Standards June 2012 + + + [RFC4826] Rosenberg, J., "Extensible Markup Language (XML) + Formats for Representing Resource Lists", RFC 4826, + May 2007. + + [RFC4827] Isomaki, M. and E. Leppanen, "An Extensible Markup + Language (XML) Configuration Access Protocol (XCAP) + Usage for Manipulating Presence Document Contents", + RFC 4827, May 2007. + + [RFC4898] Mathis, M., Heffner, J., and R. Raghunarayan, "TCP + Extended Statistics MIB", RFC 4898, May 2007. + + [RFC4960] Stewart, R., "Stream Control Transmission Protocol", + RFC 4960, September 2007. + + [RFC5060] Sivaramu, R., Lingard, J., McWalter, D., Joshi, B., + and A. Kessler, "Protocol Independent Multicast MIB", + RFC 5060, January 2008. + + [RFC5080] Nelson, D. and A. DeKok, "Common Remote + Authentication Dial In User Service (RADIUS) + Implementation Issues and Suggested Fixes", RFC 5080, + December 2007. + + [RFC5085] Nadeau, T. and C. Pignataro, "Pseudowire Virtual + Circuit Connectivity Verification (VCCV): A Control + Channel for Pseudowires", RFC 5085, December 2007. + + [RFC5090] Sterman, B., Sadolevsky, D., Schwartz, D., Williams, + D., and W. Beck, "RADIUS Extension for Digest + Authentication", RFC 5090, February 2008. + + [RFC5101] Claise, B., "Specification of the IP Flow Information + Export (IPFIX) Protocol for the Exchange of IP + Traffic Flow Information", RFC 5101, January 2008. + + [RFC5102] Quittek, J., Bryant, S., Claise, B., Aitken, P., and + J. Meyer, "Information Model for IP Flow Information + Export", RFC 5102, January 2008. + + [RFC5103] Trammell, B. and E. Boschi, "Bidirectional Flow + Export Using IP Flow Information Export (IPFIX)", + RFC 5103, January 2008. + + [RFC5176] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and + B. Aboba, "Dynamic Authorization Extensions to Remote + Authentication Dial In User Service (RADIUS)", + RFC 5176, January 2008. + + + +Ersue & Claise Informational [Page 66] + +RFC 6632 IETF Management Standards June 2012 + + + [RFC5181] Shin, M-K., Han, Y-H., Kim, S-E., and D. Premec, + "IPv6 Deployment Scenarios in 802.16 Networks", + RFC 5181, May 2008. + + [RFC5224] Brenner, M., "Diameter Policy Processing + Application", RFC 5224, March 2008. + + [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer + Security (TLS) Protocol Version 1.2", RFC 5246, + August 2008. + + [RFC5277] Chisholm, S. and H. Trevino, "NETCONF Event + Notifications", RFC 5277, July 2008. + + [RFC5357] Hedayat, K., Krzanowski, R., Morton, A., Yum, K., and + J. Babiarz, "A Two-Way Active Measurement Protocol + (TWAMP)", RFC 5357, October 2008. + + [RFC5388] Niccolini, S., Tartarelli, S., Quittek, J., Dietz, + T., and M. Swany, "Information Model and XML Data + Model for Traceroute Measurements", RFC 5388, + December 2008. + + [RFC5415] Calhoun, P., Montemurro, M., and D. Stanley, "Control + And Provisioning of Wireless Access Points (CAPWAP) + Protocol Specification", RFC 5415, March 2009. + + [RFC5416] Calhoun, P., Montemurro, M., and D. Stanley, "Control + and Provisioning of Wireless Access Points (CAPWAP) + Protocol Binding for IEEE 802.11", RFC 5416, + March 2009. + + [RFC5424] Gerhards, R., "The Syslog Protocol", RFC 5424, + March 2009. + + [RFC5425] Miao, F., Ma, Y., and J. Salowey, "Transport Layer + Security (TLS) Transport Mapping for Syslog", + RFC 5425, March 2009. + + [RFC5426] Okmianski, A., "Transmission of Syslog Messages over + UDP", RFC 5426, March 2009. + + [RFC5427] Keeni, G., "Textual Conventions for Syslog + Management", RFC 5427, March 2009. + + [RFC5431] Sun, D., "Diameter ITU-T Rw Policy Enforcement + Interface Application", RFC 5431, March 2009. + + + + +Ersue & Claise Informational [Page 67] + +RFC 6632 IETF Management Standards June 2012 + + + [RFC5447] Korhonen, J., Bournelle, J., Tschofenig, H., Perkins, + C., and K. Chowdhury, "Diameter Mobile IPv6: Support + for Network Access Server to Diameter Server + Interaction", RFC 5447, February 2009. + + [RFC5470] Sadasivan, G., Brownlee, N., Claise, B., and J. + Quittek, "Architecture for IP Flow Information + Export", RFC 5470, March 2009. + + [RFC5472] Zseby, T., Boschi, E., Brownlee, N., and B. Claise, + "IP Flow Information Export (IPFIX) Applicability", + RFC 5472, March 2009. + + [RFC5473] Boschi, E., Mark, L., and B. Claise, "Reducing + Redundancy in IP Flow Information Export (IPFIX) and + Packet Sampling (PSAMP) Reports", RFC 5473, + March 2009. + + [RFC5474] Duffield, N., Chiou, D., Claise, B., Greenberg, A., + Grossglauser, M., and J. Rexford, "A Framework for + Packet Selection and Reporting", RFC 5474, + March 2009. + + [RFC5475] Zseby, T., Molina, M., Duffield, N., Niccolini, S., + and F. Raspall, "Sampling and Filtering Techniques + for IP Packet Selection", RFC 5475, March 2009. + + [RFC5476] Claise, B., Johnson, A., and J. Quittek, "Packet + Sampling (PSAMP) Protocol Specifications", RFC 5476, + March 2009. + + [RFC5477] Dietz, T., Claise, B., Aitken, P., Dressler, F., and + G. Carle, "Information Model for Packet Sampling + Exports", RFC 5477, March 2009. + + [RFC5516] Jones, M. and L. Morand, "Diameter Command Code + Registration for the Third Generation Partnership + Project (3GPP) Evolved Packet System (EPS)", + RFC 5516, April 2009. + + [RFC5539] Badra, M., "NETCONF over Transport Layer Security + (TLS)", RFC 5539, May 2009. + + [RFC5560] Uijterwaal, H., "A One-Way Packet Duplication + Metric", RFC 5560, May 2009. + + + + + + +Ersue & Claise Informational [Page 68] + +RFC 6632 IETF Management Standards June 2012 + + + [RFC5580] Tschofenig, H., Adrangi, F., Jones, M., Lior, A., and + B. Aboba, "Carrying Location Objects in RADIUS and + Diameter", RFC 5580, August 2009. + + [RFC5590] Harrington, D. and J. Schoenwaelder, "Transport + Subsystem for the Simple Network Management Protocol + (SNMP)", RFC 5590, June 2009. + + [RFC5591] Harrington, D. and W. Hardaker, "Transport Security + Model for the Simple Network Management Protocol + (SNMP)", RFC 5591, June 2009. + + [RFC5592] Harrington, D., Salowey, J., and W. Hardaker, "Secure + Shell Transport Model for the Simple Network + Management Protocol (SNMP)", RFC 5592, June 2009. + + [RFC5607] Nelson, D. and G. Weber, "Remote Authentication + Dial-In User Service (RADIUS) Authorization for + Network Access Server (NAS) Management", RFC 5607, + July 2009. + + [RFC5608] Narayan, K. and D. Nelson, "Remote Authentication + Dial-In User Service (RADIUS) Usage for Simple + Network Management Protocol (SNMP) Transport Models", + RFC 5608, August 2009. + + [RFC5610] Boschi, E., Trammell, B., Mark, L., and T. Zseby, + "Exporting Type Information for IP Flow Information + Export (IPFIX) Information Elements", RFC 5610, + July 2009. + + [RFC5650] Morgenstern, M., Baillie, S., and U. Bonollo, + "Definitions of Managed Objects for Very High Speed + Digital Subscriber Line 2 (VDSL2)", RFC 5650, + September 2009. + + [RFC5655] Trammell, B., Boschi, E., Mark, L., Zseby, T., and A. + Wagner, "Specification of the IP Flow Information + Export (IPFIX) File Format", RFC 5655, October 2009. + + [RFC5674] Chisholm, S. and R. Gerhards, "Alarms in Syslog", + RFC 5674, October 2009. + + [RFC5675] Marinov, V. and J. Schoenwaelder, "Mapping Simple + Network Management Protocol (SNMP) Notifications to + SYSLOG Messages", RFC 5675, October 2009. + + + + + +Ersue & Claise Informational [Page 69] + +RFC 6632 IETF Management Standards June 2012 + + + [RFC5676] Schoenwaelder, J., Clemm, A., and A. Karmakar, + "Definitions of Managed Objects for Mapping SYSLOG + Messages to Simple Network Management Protocol (SNMP) + Notifications", RFC 5676, October 2009. + + [RFC5706] Harrington, D., "Guidelines for Considering + Operations and Management of New Protocols and + Protocol Extensions", RFC 5706, November 2009. + + [RFC5713] Moustafa, H., Tschofenig, H., and S. De Cnodder, + "Security Threats and Security Requirements for the + Access Node Control Protocol (ANCP)", RFC 5713, + January 2010. + + [RFC5717] Lengyel, B. and M. Bjorklund, "Partial Lock Remote + Procedure Call (RPC) for NETCONF", RFC 5717, + December 2009. + + [RFC5719] Romascanu, D. and H. Tschofenig, "Updated IANA + Considerations for Diameter Command Code + Allocations", RFC 5719, January 2010. + + [RFC5729] Korhonen, J., Jones, M., Morand, L., and T. Tsou, + "Clarifications on the Routing of Diameter Requests + Based on the Username and the Realm", RFC 5729, + December 2009. + + [RFC5777] Korhonen, J., Tschofenig, H., Arumaithurai, M., + Jones, M., and A. Lior, "Traffic Classification and + Quality of Service (QoS) Attributes for Diameter", + RFC 5777, February 2010. + + [RFC5778] Korhonen, J., Tschofenig, H., Bournelle, J., + Giaretta, G., and M. Nakhjiri, "Diameter Mobile IPv6: + Support for Home Agent to Diameter Server + Interaction", RFC 5778, February 2010. + + [RFC5779] Korhonen, J., Bournelle, J., Chowdhury, K., Muhanna, + A., and U. Meyer, "Diameter Proxy Mobile IPv6: Mobile + Access Gateway and Local Mobility Anchor Interaction + with Diameter Server", RFC 5779, February 2010. + + [RFC5815] Dietz, T., Kobayashi, A., Claise, B., and G. Muenz, + "Definitions of Managed Objects for IP Flow + Information Export", RFC 5815, April 2010. + + + + + + +Ersue & Claise Informational [Page 70] + +RFC 6632 IETF Management Standards June 2012 + + + [RFC5833] Shi, Y., Perkins, D., Elliott, C., and Y. Zhang, + "Control and Provisioning of Wireless Access Points + (CAPWAP) Protocol Base MIB", RFC 5833, May 2010. + + [RFC5834] Shi, Y., Perkins, D., Elliott, C., and Y. Zhang, + "Control and Provisioning of Wireless Access Points + (CAPWAP) Protocol Binding MIB for IEEE 802.11", + RFC 5834, May 2010. + + [RFC5835] Morton, A. and S. Van den Berghe, "Framework for + Metric Composition", RFC 5835, April 2010. + + [RFC5848] Kelsey, J., Callas, J., and A. Clemm, "Signed Syslog + Messages", RFC 5848, May 2010. + + [RFC5851] Ooghe, S., Voigt, N., Platnic, M., Haag, T., and S. + Wadhwa, "Framework and Requirements for an Access + Node Control Mechanism in Broadband Multi-Service + Networks", RFC 5851, May 2010. + + [RFC5866] Sun, D., McCann, P., Tschofenig, H., Tsou, T., Doria, + A., and G. Zorn, "Diameter Quality-of-Service + Application", RFC 5866, May 2010. + + [RFC5880] Katz, D. and D. Ward, "Bidirectional Forwarding + Detection (BFD)", RFC 5880, June 2010. + + [RFC5889] Baccelli, E. and M. Townsley, "IP Addressing Model in + Ad Hoc Networks", RFC 5889, September 2010. + + [RFC5982] Kobayashi, A. and B. Claise, "IP Flow Information + Export (IPFIX) Mediation: Problem Statement", + RFC 5982, August 2010. + + [RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen, + "Internet Key Exchange Protocol Version 2 (IKEv2)", + RFC 5996, September 2010. + + [RFC6012] Salowey, J., Petch, T., Gerhards, R., and H. Feng, + "Datagram Transport Layer Security (DTLS) Transport + Mapping for Syslog", RFC 6012, October 2010. + + [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for + the Network Configuration Protocol (NETCONF)", + RFC 6020, October 2010. + + [RFC6021] Schoenwaelder, J., "Common YANG Data Types", + RFC 6021, October 2010. + + + +Ersue & Claise Informational [Page 71] + +RFC 6632 IETF Management Standards June 2012 + + + [RFC6022] Scott, M. and M. Bjorklund, "YANG Module for NETCONF + Monitoring", RFC 6022, October 2010. + + [RFC6035] Pendleton, A., Clark, A., Johnston, A., and H. + Sinnreich, "Session Initiation Protocol Event Package + for Voice Quality Reporting", RFC 6035, + November 2010. + + [RFC6065] Narayan, K., Nelson, D., and R. Presuhn, "Using + Authentication, Authorization, and Accounting + Services to Dynamically Provision View-Based Access + Control Model User-to-Group Mappings", RFC 6065, + December 2010. + + [RFC6087] Bierman, A., "Guidelines for Authors and Reviewers of + YANG Data Model Documents", RFC 6087, January 2011. + + [RFC6095] Linowski, B., Ersue, M., and S. Kuryla, "Extending + YANG with Language Abstractions", RFC 6095, + March 2011. + + [RFC6110] Lhotka, L., "Mapping YANG to Document Schema + Definition Languages and Validating NETCONF Content", + RFC 6110, February 2011. + + [RFC6158] DeKok, A. and G. Weber, "RADIUS Design Guidelines", + BCP 158, RFC 6158, March 2011. + + [RFC6183] Kobayashi, A., Claise, B., Muenz, G., and K. + Ishibashi, "IP Flow Information Export (IPFIX) + Mediation: Framework", RFC 6183, April 2011. + + [RFC6235] Boschi, E. and B. Trammell, "IP Flow Anonymization + Support", RFC 6235, May 2011. + + [RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., and A. + Bierman, "Network Configuration Protocol (NETCONF)", + RFC 6241, June 2011. + + [RFC6242] Wasserman, M., "Using the NETCONF Protocol over + Secure Shell (SSH)", RFC 6242, June 2011. + + [RFC6244] Shafer, P., "An Architecture for Network Management + Using NETCONF and YANG", RFC 6244, June 2011. + + [RFC6248] Morton, A., "RFC 4148 and the IP Performance Metrics + (IPPM) Registry of Metrics Are Obsolete", RFC 6248, + April 2011. + + + +Ersue & Claise Informational [Page 72] + +RFC 6632 IETF Management Standards June 2012 + + + [RFC6272] Baker, F. and D. Meyer, "Internet Protocols for the + Smart Grid", RFC 6272, June 2011. + + [RFC6313] Claise, B., Dhandapani, G., Aitken, P., and S. Yates, + "Export of Structured Data in IP Flow Information + Export (IPFIX)", RFC 6313, July 2011. + + [RFC6320] Wadhwa, S., Moisand, J., Haag, T., Voigt, N., and T. + Taylor, "Protocol for Access Node Control Mechanism + in Broadband Networks", RFC 6320, October 2011. + + [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport + Layer Security Version 1.2", RFC 6347, January 2012. + + [RFC6353] Hardaker, W., "Transport Layer Security (TLS) + Transport Model for the Simple Network Management + Protocol (SNMP)", RFC 6353, July 2011. + + [RFC6371] Busi, I. and D. Allan, "Operations, Administration, + and Maintenance Framework for MPLS-Based Transport + Networks", RFC 6371, September 2011. + + [RFC6408] Jones, M., Korhonen, J., and L. Morand, "Diameter + Straightforward-Naming Authority Pointer (S-NAPTR) + Usage", RFC 6408, November 2011. + + [RFC6410] Housley, R., Crocker, D., and E. Burger, "Reducing + the Standards Track to Two Maturity Levels", BCP 9, + RFC 6410, October 2011. + + [RFC6526] Claise, B., Aitken, P., Johnson, A., and G. Muenz, + "IP Flow Information Export (IPFIX) Per Stream + Control Transmission Protocol (SCTP) Stream", + RFC 6526, March 2012. + + [RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration + Protocol (NETCONF) Access Control Model", RFC 6536, + March 2012. + + [RFC6598] Weil, J., Kuarsingh, V., Donley, C., Liljenstolpe, + C., and M. Azinger, "IANA-Reserved IPv4 Prefix for + Shared Address Space", BCP 153, RFC 6598, April 2012. + + [RFC6613] DeKok, A., "RADIUS over TCP", RFC 6613, May 2012. + + [RFC6614] Winter, S., McCauley, M., Venaas, S., and K. + Wierenga, "Transport Layer Security (TLS) Encryption + for RADIUS", RFC 6614, May 2012. + + + +Ersue & Claise Informational [Page 73] + +RFC 6632 IETF Management Standards June 2012 + + + [RFCSEARCH] RFC Editor, "RFC Index Search Engine", + . + + [SMI-NUMBERS] IANA, "Network Management Parameters - SMI OID List", + May 2012, + . + + [SMI-YANG] Schoenwaelder, J., "Translation of SMIv2 MIB Modules + to YANG Modules", Work in Progress, April 2012. + + [STD06] Postel, J., "User Datagram Protocol", STD 6, RFC 768, + August 1980. + + [STD07] Postel, J., "Transmission Control Protocol", STD 7, + RFC 793, September 1981. + + [STD16] Rose, M. and K. McCloghrie, "Structure and + identification of management information for TCP/ + IP-based internets", STD 16, RFC 1155, May 1990. + + Rose, M. and K. McCloghrie, "Concise MIB + definitions", STD 16, RFC 1212, March 1991. + + [STD17] McCloghrie, K. and M. Rose, "Management Information + Base for Network Management of TCP/IP-based + internets:MIB-II", STD 17, RFC 1213, March 1991. + + [STD58] McCloghrie, K., Ed., Perkins, D., Ed., and J. + Schoenwaelder, Ed., "Structure of Management + Information Version 2 (SMIv2)", STD 58, RFC 2578, + April 1999. + + McCloghrie, K., Ed., Perkins, D., Ed., and J. + Schoenwaelder, Ed., "Textual Conventions for SMIv2", + STD 58, RFC 2579, April 1999. + + McCloghrie, K., Ed., Perkins, D., Ed., and J. + Schoenwaelder, Ed., "Conformance Statements for + SMIv2", STD 58, RFC 2580, April 1999. + + [STD59] Waldbusser, S., "Remote Network Monitoring Management + Information Base", STD 59, RFC 2819, May 2000. + + + + + + + + + +Ersue & Claise Informational [Page 74] + +RFC 6632 IETF Management Standards June 2012 + + + [STD62] Harrington, D., Presuhn, R., and B. Wijnen, "An + Architecture for Describing Simple Network Management + Protocol (SNMP) Management Frameworks", STD 62, + RFC 3411, December 2002. + + Case, J., Harrington, D., Presuhn, R., and B. Wijnen, + "Message Processing and Dispatching for the Simple + Network Management Protocol (SNMP)", STD 62, RFC + 3412, December 2002. + + Levi, D., Meyer, P., and B. Stewart, "Simple Network + Management Protocol (SNMP) Applications", STD 62, RFC + 3413, December 2002. + + Blumenthal, U. and B. Wijnen, "User-based Security + Model (USM) for version 3 of the Simple Network + Management Protocol (SNMPv3)", STD 62, RFC 3414, + December 2002. + + Wijnen, B., Presuhn, R., and K. McCloghrie, "View- + based Access Control Model (VACM) for the Simple + Network Management Protocol (SNMP)", STD 62, RFC + 3415, December 2002. + + Presuhn, R., Ed., "Version 2 of the Protocol + Operations for the Simple Network Management Protocol + (SNMP)", STD 62, RFC 3416, December 2002. + + Presuhn, R., Ed., "Transport Mappings for the Simple + Network Management Protocol (SNMP)", STD 62, RFC + 3417, December 2002. + + Presuhn, R., Ed., "Management Information Base (MIB) + for the Simple Network Management Protocol (SNMP)", + STD 62, RFC 3418, December 2002. + + [STD66] Berners-Lee, T., Fielding, R., and L. Masinter, + "Uniform Resource Identifier (URI): Generic Syntax", + STD 66, RFC 3986, January 2005. + + [XPATH] World Wide Web Consortium, "XML Path Language (XPath) + Version 1.0", November 1999, + . + + + + + + + + +Ersue & Claise Informational [Page 75] + +RFC 6632 IETF Management Standards June 2012 + + + [XSD-1] Beech, D., Thompson, H., Maloney, M., Mendelsohn, N., + and World Wide Web Consortium Recommendation REC- + xmlschema-1-20041028, "XML Schema Part 1: Structures + Second Edition", October 2004, + . + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Ersue & Claise Informational [Page 76] + +RFC 6632 IETF Management Standards June 2012 + + +Appendix A. High-Level Classification of Management Protocols and Data + Models + + The following subsections aim to guide the reader for the fast + selection of the management standard in interest and can be used as a + dispatcher to forward to the appropriate chapter. The subsections + below classify the protocols on one hand according to high-level + criteria such as push versus pull mechanism, and passive versus + active monitoring. On the other hand, the protocols are categorized + concerning the network management task they address or the data model + extensibility they provide. Based on the reader's requirements, a + reduced set of standard protocols and associated data models can be + selected for further reading. + + As an example, someone outside of IETF typically would look for the + TWAMP protocol in the Operations and Management Area working groups + as it addresses performance management. However, the protocol TWAMP + has been developed by the IPPM working group in the Transport Area. + + Note that not all protocols have been listed in all classification + sections. Some of the protocols, especially the protocols with + specific focus in Section 3 cannot be clearly classified. Note also + that COPS and COPS-PR are not listed in the tables, as COPS-PR is not + recommended to use (see Section 3.3). + +A.1. Protocols Classified by Standards Maturity in the IETF + + This section classifies the management protocols according their + standard maturity in the IETF. The IETF standard maturity levels + Proposed, Draft, or Internet Standard, are defined in [RFC2026] (as + amended by [RFC6410]). An Internet Standard is characterized by a + high degree of technical maturity and by a generally held belief that + the specified protocol or service provides significant benefit to the + Internet community. + + The table below covers the standard maturity of the different + protocols listed in this document. Note that only the main protocols + (and not their extensions) are noted. An RFC search tool listing the + current document status is available at [RFCSEARCH]. + + + + + + + + + + + + +Ersue & Claise Informational [Page 77] + +RFC 6632 IETF Management Standards June 2012 + + + +---------------------------------------------+---------------------+ + | Protocol | Maturity Level | + +---------------------------------------------+---------------------+ + | SNMP [STD62][RFC3411] (Section 2.1) | Internet Standard | + | | | + | Syslog [RFC5424] (Section 2.2) | Proposed Standard | + | | | + | IPFIX [RFC5101] (Section 2.3) | Proposed Standard | + | | | + | PSAMP [RFC5476] (Section 2.3) | Proposed Standard | + | | | + | NETCONF [RFC6241] (Section 2.4.1) | Proposed Standard | + | | | + | DHCP for IPv4 [RFC2131] (Section 3.1.1) | Draft Standard | + | | | + | DHCP for IPv6 [RFC3315] (Section 3.1.1) | Proposed Standard | + | | | + | OWAMP [RFC4656] (Section 3.4) | Proposed Standard | + | | | + | TWAMP [RFC5357] (Section 3.4) | Proposed Standard | + | | | + | RADIUS [RFC2865] (Section 3.5) | Draft Standard | + | | | + | Diameter [RFC3588] (Section 3.6) | Proposed Standard | + | | | + | CAPWAP [RFC5416] (Section 3.7) | Proposed Standard | + | | | + | ANCP [RFC6320] (Section 3.8) | Proposed Standard | + | | | + | Ad hoc network configuration [RFC5889] | Informational | + | (Section 3.1.2) | | + | | | + | ACAP [RFC2244] (Section 3.9) | Proposed Standard | + | | | + | XCAP [RFC4825] (Section 3.10) | Proposed Standard | + +---------------------------------------------+---------------------+ + + Table 1: Protocols Classified by Standard Maturity in the IETF + + + + + + + + + + + + + +Ersue & Claise Informational [Page 78] + +RFC 6632 IETF Management Standards June 2012 + + +A.2. Protocols Matched to Management Tasks + + This subsection classifies the management protocols matching to the + management tasks for fault, configuration, accounting, performance, + and security management. + + +------------+------------+-------------+--------------+------------+ + | Fault Mgmt | Config. | Accounting | Performance | Security | + | | Mgmt | Mgmt | Mgmt | Mgmt | + +------------+------------+-------------+--------------+------------+ + | SNMP | SNMP | SNMP | SNMP | | + | notif. | config. | monitoring | monitoring | | + | with trap | with set | with get | with get | | + | operation | operation | operation | operation | | + | (S. 2.1.1) | (S. 2.1.1) | (S. 2.1.1) | (S. 2.1.1) | | + | | | | | | + | IPFIX | CAPWAP | IPFIX | IPFIX | | + | (S. 2.3) | (S. 3.7) | (S. 2.3) | (S. 2.3) | | + | | | | | | + | PSAMP | NETCONF | PSAMP | PSAMP | | + | (S. 2.3) | (S. 2.4.1) | (S. 2.3) | (S. 2.3) | | + | | | | | | + | Syslog | ANCP | RADIUS | | RADIUS | + | (S. 2.2) | (S. 3.8) | Accounting | | Authent.& | + | | | (S. 3.5) | | Authoriz. | + | | | | | (S. 3.5) | + | | | | | | + | | AUTOCONF | Diameter | | Diameter | + | | (S. 3.1.2) | Accounting | | Authent.& | + | | | (S. 3.6) | | Authoriz. | + | | | | | (S. 3.6) | + | | | | | | + | | ACAP | | | | + | | (S. 3.9) | | | | + | | | | | | + | | XCAP | | | | + | | (S. 3.10) | | | | + | | | | | | + | | DHCP | | | | + | | (S. 3.1.1) | | | | + +------------+------------+-------------+--------------+------------+ + + Table 2: Protocols Matched to Management Tasks + + Note: Corresponding section numbers are given in parentheses. + + + + + + +Ersue & Claise Informational [Page 79] + +RFC 6632 IETF Management Standards June 2012 + + +A.3. Push versus Pull Mechanism + + A pull mechanism is characterized by the Network Management System + (NMS) pulling the management information out of network elements, + when needed. A push mechanism is characterized by the network + elements pushing the management information to the NMS, either when + the information is available or on a regular basis. + + Client/Server protocols, such as DHCP, ANCP, ACAP, and XCAP are not + listed in Table 3. + + +---------------------------------+---------------------------------+ + | Protocols supporting the Pull | Protocols supporting the Push | + | mechanism | mechanism | + +---------------------------------+---------------------------------+ + | SNMP (except notifications) | SNMP notifications | + | (Section 2.1) | (Section 2.1) | + | NETCONF (except notifications) | NETCONF notifications | + | (Section 2.4.1) | (Section 2.4.1) | + | CAPWAP (Section 3.7) | Syslog (Section 2.2) | + | | IPFIX (Section 2.3) | + | | PSAMP (Section 2.3) | + | | RADIUS accounting | + | | (Section 3.5) | + | | Diameter accounting | + | | (Section 3.6) | + +---------------------------------+---------------------------------+ + + Table 3: Protocol Classification by Push versus Pull Mechanism + +A.4. Passive versus Active Monitoring + + Monitoring can be divided into two categories: passive and active + monitoring. Passive monitoring can perform the network traffic + monitoring, monitoring of a device, or the accounting of network + resource consumption by users. Active monitoring, as used in this + document, focuses mainly on active network monitoring and relies on + the injection of specific traffic (also called "synthetic traffic"), + which is then monitored. The monitoring focus is indicated in the + table below as "network", "device", or "accounting". + + This classification excludes non-monitoring protocols, such as + configuration protocols: Ad hoc network autoconfiguration, ANCP, and + XCAP. Note that some of the active monitoring protocols, in the + context of the data path, e.g., ICMP Ping and Traceroute [RFC1470], + Bidirectional Forwarding Detection (BFD) [RFC5880], and PWE3 Virtual + Circuit Connectivity Verification (VCCV) [RFC5085] are covered in + [OAM-OVERVIEW]. + + + +Ersue & Claise Informational [Page 80] + +RFC 6632 IETF Management Standards June 2012 + + + +---------------------------------+---------------------------------+ + | Protocols supporting passive | Protocols supporting active | + | monitoring | monitoring | + +---------------------------------+---------------------------------+ + | IPFIX (network) (Section 2.3) | OWAMP (network) (Section 3.4) | + | PSAMP (network) (Section 2.3) | TWAMP (network) (Section 3.4) | + | SNMP (network and device) | | + | (Section 2.1) | | + | NETCONF (device) | | + | (Section 2.4.1) | | + | RADIUS (accounting) | | + | (Section 3.5) | | + | Diameter (accounting) | | + | (Section 3.6) | | + | CAPWAP (device) (Section 3.7) | | + +---------------------------------+---------------------------------+ + + Table 4: Protocols for Passive and Active Monitoring and Their + Monitoring Focus + + The application of SNMP to passive traffic monitoring (e.g., with + RMON-MIB) or active monitoring (with IPPM MIB) depends on the MIB + modules used. However, the SNMP protocol itself does not have + operations, which support active monitoring. NETCONF can be used for + passive monitoring, e.g., with the NETCONF Monitoring YANG module + [RFC6022] for the monitoring of the NETCONF protocol. CAPWAP + monitors the status of a Wireless Termination Point. + + RADIUS and diameter are considered passive monitoring protocols as + they perform accounting, i.e., counting the number of packets/bytes + for a specific user. + +A.5. Supported Data Model Types and Their Extensibility + + The following table matches the protocols to the associated data + model types. Furthermore, the table indicates how the data model can + be extended based on the available content today and whether the + protocol contains a built-in mechanism for proprietary extensions of + the data model. + + + + + + + + + + + + +Ersue & Claise Informational [Page 81] + +RFC 6632 IETF Management Standards June 2012 + + + +-------------+---------------+------------------+------------------+ + | Protocol | Data Modeling | Data Model | Proprietary Data | + | | | Extensions | Modeling | + | | | | Extensions | + +-------------+---------------+------------------+------------------+ + | SNMP | MIB modules | New MIB modules | Enterprise- | + | (S. 2.1) | defined with | specified in new | specific MIB | + | | SMI | RFCs | modules | + | | (S. 2.1.3) | | | + | | | | | + | Syslog | Structured | With the | Enterprise- | + | (S. 2.2) | Data Elements | procedure to add | specific SDEs | + | | (SDEs) | Structured Data | | + | | (S. 4.2.1) | ID in [RFC5424] | | + | | | | | + | IPFIX | IPFIX | With the | Enterprise- | + | (S. 2.3) | Information | procedure to add | specific | + | | Elements, | Information | Information | + | | IPFIX IANA | Elements | Elements | + | | registry at | specified in | [RFC5101] | + | | [IANA-IPFIX] | [RFC5102] | | + | | (S. 2.3) | | | + | | | | | + | PSAMP | PSAMP | With the | Enterprise- | + | (S. 2.3) | Information | procedure to add | specific | + | | Elements, as | Information | Information | + | | an extension | Elements | Elements | + | | to IPFIX | specified in | [RFC5101] | + | | [IANA-IPFIX], | [RFC5102] | | + | | and PSAMP | | | + | | IANA registry | | | + | | at | | | + | | [IANA-PSAMP] | | | + | | (S. 2.3) | | | + | | | | | + | NETCONF | YANG modules | New YANG modules | Enterprise- | + | (S. 2.4.1) | (S. 2.4.2) | specified in new | specific YANG | + | | | RFCs following | modules | + | | | the guideline in | | + | | | [RFC6087] | | + | | | | | + | IPPM OWAMP/ | IPPM metrics | New IPPM metrics | Not applicable | + | TWAMP | (*) (S. 3.4) | (S. 3.4) | | + | (S. 3.4) | | | | + + + + + + + +Ersue & Claise Informational [Page 82] + +RFC 6632 IETF Management Standards June 2012 + + + | | | | | + | RADIUS | TLVs | RADIUS-related | Vendor-Specific | + | (S. 3.5) | | registries at | Attributes | + | | | [IANA-AAA] and | [RFC2865] | + | | | [IANA-PROT] | | + | | | | | + | Diameter | AVPs | Diameter-related | Vendor-Specific | + | (S. 3.6) | | registry at | Attributes | + | | | [IANA-AAA] | [RFC2865] | + | | | | | + | CAPWAP | TLVs | New bindings | Vendor-specific | + | (S. 3.7) | | specified in new | TLVs | + | | | RFCs | | + +-------------+---------------+------------------+------------------+ + + Table 5: Data Models and Their Extensibility + + (*): With the publication of [RFC6248], the latest IANA registry for + IPFIX metrics has been declared Obsolete. + +Appendix B. New Work Related to IETF Management Standards + +B.1. Energy Management (EMAN) + + Energy management is becoming an additional requirement for network + management systems due to several factors including the rising and + fluctuating energy costs, the increased awareness of the ecological + impact of operating networks and devices, and government regulation + on energy consumption and production. + + The basic objective of energy management is operating communication + networks and other equipment with a minimal amount of energy while + still providing sufficient performance to meet service-level + objectives. Today, most networking and network-attached devices + neither monitor nor allow controlled energy usage as they are mainly + instrumented for functions such as fault, configuration, accounting, + performance, and security management. These devices are not + instrumented to be aware of energy consumption. There are very few + means specified in IETF documents for energy management, which + includes the areas of power monitoring, energy monitoring, and power + state control. + + A particular difference between energy management and other + management tasks is that in some cases energy consumption of a device + is not measured at the device itself but reported by a different + place. For example, at a Power over Ethernet (PoE) sourcing device + or at a smart power strip, where one device is effectively metering + another remote device. This requires a clear definition of the + + + +Ersue & Claise Informational [Page 83] + +RFC 6632 IETF Management Standards June 2012 + + + relationship between the reporting devices and identification of + remote devices for which monitoring information is provided. Similar + considerations will apply to power state control of remote devices, + for example, at a PoE sourcing device that switches on and off power + at its ports. Another example scenario for energy management is a + gateway to low resourced and lossy network devices in wireless a + building network. Here the energy management system talks directly + to the gateway but not necessarily to other devices in the building + network. + + At the time of this writing, the EMAN working group is working on the + management of energy-aware devices, covered by the following items: + + o The requirements for energy management, specifying energy + management properties that will allow networks and devices to + become energy aware. In addition to energy awareness + requirements, the need for control functions will be discussed. + Specifically, the need to monitor and control properties of + devices that are remote to the reporting device should be + discussed. + + o The energy management framework, which will describe extensions to + the current management framework, required for energy management. + This includes: power and energy monitoring, power states, power + state control, and potential power state transitions. The + framework will focus on energy management for IP-based network + equipment (routers, switches, PCs, IP cameras, phones and the + like). Particularly, the relationships between reporting devices, + remote devices, and monitoring probes (such as might be used in + low-power and lossy networks) need to be elaborated. For the case + of a device reporting on behalf of other devices and controlling + those devices, the framework will address the issues of discovery + and identification of remote devices. + + o The Energy-aware Networks and Devices MIB document, for monitoring + energy-aware networks and devices, will address devices + identification, context information, and potential relationship + between reporting devices, remote devices, and monitoring probes. + + o The Power and Energy Monitoring MIB document will document + defining managed objects for the monitoring of power states and + energy consumption/production. The monitoring of power states + includes the following: retrieving power states, properties of + power states, current power state, power state transitions, and + power state statistics. The managed objects will provide means of + reporting detailed properties of the actual energy rate (power) + and of accumulated energy. Further, they will provide information + on electrical power quality. + + + +Ersue & Claise Informational [Page 84] + +RFC 6632 IETF Management Standards June 2012 + + + o The Battery MIB document will define managed objects for battery + monitoring, which will provide means of reporting detailed + properties of the actual charge, age, and state of a battery and + of battery statistics. + + o The applicability statement will describe the variety of + applications that can use the energy framework and associated MIB + modules. Potential examples are building networks, home energy + gateway, etc. Finally, the document will also discuss + relationships of the framework to other architectures and + frameworks (such as Smart Grid). The applicability statement will + explain the relationship between the work in this WG and other + existing standards, e.g., from the IEC, ANSI, DMTF, etc. Note + that the EMAN WG will be looking into existing standards such as + those from the IEC, ANSI, DMTF and others, and reuse existing work + as much as possible. + + The documents of the EMAN working group can be found at [EMAN-WG]. + +Authors' Addresses + + Mehmet Ersue (editor) + Nokia Siemens Networks + St.-Martin-Strasse 53 + Munich 81541 + Germany + + EMail: mehmet.ersue@nsn.com + + + Benoit Claise + Cisco Systems, Inc. + De Kleetlaan 6a b1 + Diegem 1831 + Belgium + + EMail: bclaise@cisco.com + + + + + + + + + + + + + + +Ersue & Claise Informational [Page 85] + -- cgit v1.2.3