Network Working Group J. Schoenwaelder
Request for Comments: 3430 TU Braunschweig
Category: Experimental December 2002
Network Working Group J. Schoenwaelder
Request for Comments: 3430 TU Braunschweig
Category: Experimental December 2002
Simple Network Management Protocol (SNMP) over Transmission Control Protocol (TCP) Transport Mapping
传输控制协议(TCP)上的简单网络管理协议(SNMP)传输映射
Status of this Memo
本备忘录的状况
This memo defines an Experimental Protocol for the Internet community. It does not specify an Internet standard of any kind. Discussion and suggestions for improvement are requested. Distribution of this memo is unlimited.
这份备忘录为互联网社区定义了一个实验性协议。它没有规定任何类型的互联网标准。要求进行讨论并提出改进建议。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (2002). All Rights Reserved.
版权所有(C)互联网协会(2002年)。版权所有。
Abstract
摘要
This memo defines a transport mapping for using the Simple Network Management Protocol (SNMP) over TCP. The transport mapping can be used with any version of SNMP. This document extends the transport mappings defined in STD 62, RFC 3417.
此备忘录定义了通过TCP使用简单网络管理协议(SNMP)的传输映射。传输映射可用于任何版本的SNMP。本文件扩展了STD 62、RFC 3417中定义的传输映射。
Table of Contents
目录
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. SNMP over TCP . . . . . . . . . . . . . . . . . . . . . . . . 2
2.1 Serialization . . . . . . . . . . . . . . . . . . . . . . . . 2
2.2 Well-Known Values . . . . . . . . . . . . . . . . . . . . . . 3
2.3 Connection Management . . . . . . . . . . . . . . . . . . . . 3
2.4 Reliable Transport versus Confirmed Operations . . . . . . . . 4
3. Security Considerations . . . . . . . . . . . . . . . . . . . 5
4. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 6
References . . . . . . . . . . . . . . . . . . . . . . . . . . 6
A. Connection Establishment Alternatives . . . . . . . . . . . . 8
Author's Address . . . . . . . . . . . . . . . . . . . . . . . 9
Full Copyright Statement . . . . . . . . . . . . . . . . . . . 10
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. SNMP over TCP . . . . . . . . . . . . . . . . . . . . . . . . 2
2.1 Serialization . . . . . . . . . . . . . . . . . . . . . . . . 2
2.2 Well-Known Values . . . . . . . . . . . . . . . . . . . . . . 3
2.3 Connection Management . . . . . . . . . . . . . . . . . . . . 3
2.4 Reliable Transport versus Confirmed Operations . . . . . . . . 4
3. Security Considerations . . . . . . . . . . . . . . . . . . . 5
4. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 6
References . . . . . . . . . . . . . . . . . . . . . . . . . . 6
A. Connection Establishment Alternatives . . . . . . . . . . . . 8
Author's Address . . . . . . . . . . . . . . . . . . . . . . . 9
Full Copyright Statement . . . . . . . . . . . . . . . . . . . 10
This memo defines a transport mapping for using the Simple Network Management Protocol (SNMP) [1] over TCP [2]. The transport mapping can be used with any version of SNMP. This document extends the transport mappings defined in STD 62, RFC 3417 [3].
此备忘录定义了通过TCP[2]使用简单网络管理协议(SNMP)[1]的传输映射。传输映射可用于任何版本的SNMP。本文件扩展了STD 62、RFC 3417[3]中定义的传输映射。
The SNMP over TCP transport mapping is an optional transport mapping. SNMP protocol engines that implement the SNMP over TCP transport mapping MUST also implement the SNMP over UDP transport mapping as defined in STD 62, RFC 3417 [3].
SNMP over TCP传输映射是可选的传输映射。实现SNMP over TCP传输映射的SNMP协议引擎还必须实现STD 62、RFC 3417[3]中定义的SNMP over UDP传输映射。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14, RFC 2119 [4].
本文件中的关键词“必须”、“不得”、“要求”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照BCP 14、RFC 2119[4]中的描述进行解释。
SNMP over TCP is an optional transport mapping. It is primarily defined to support more efficient bulk transfer mechanisms within the SNMP framework [5].
TCP上的SNMP是可选的传输映射。它的主要定义是在SNMP框架内支持更高效的批量传输机制[5]。
The originator of a request-response transaction chooses the transport protocol for the entire transaction. The transport protocol MUST NOT change during a transaction.
请求-响应事务的发起人为整个事务选择传输协议。传输协议在事务期间不得更改。
In general, originators of request/response transactions are free to use the transport they assume is the best in a given situation. However, since TCP has a larger footprint on resource usage than UDP, engines using SNMP over TCP may choose to switch back to UDP by refusing new TCP connections whenever necessary (e.g. too many open TCP connections).
一般来说,请求/响应事务的发起人可以自由使用他们认为在给定情况下最好的传输。但是,由于TCP在资源使用方面的占用比UDP更大,因此使用SNMP over TCP的引擎可能会选择在必要时通过拒绝新的TCP连接(例如,打开的TCP连接太多)切换回UDP。
When selecting the transport, it is useful to consider how SNMP interacts with TCP acknowledgments and timers. In particular, infrequent SNMP interactions over TCP may lead to additional IP packets carrying acknowledgments for SNMP responses if there is no chance to piggyback them. Furthermore, it is recommended to configure SNMP retransmission timers to fire later when using SNMP over TCP to avoid application specific timeouts before the TCP timers have expired.
在选择传输时,考虑SNMP如何与TCP确认和计时器交互是有用的。特别是,TCP上不频繁的SNMP交互可能会导致额外的IP数据包携带SNMP响应的确认信息(如果没有机会携带它们)。此外,建议将SNMP重新传输计时器配置为在以后通过TCP使用SNMP时触发,以避免在TCP计时器过期之前出现特定于应用程序的超时。
Each instance of a message is serialized into a single BER-encoded message, using the algorithm specified in Section 8 of STD 62, RFC 3417 [3]. The BER-encoded message is then sent over a TCP
使用STD 62、RFC 3417[3]第8节规定的算法,将消息的每个实例序列化为单个BER编码消息。然后通过TCP发送BER编码的消息
connection. An SNMP engine MUST NOT interleave SNMP messages within the TCP byte stream.
联系SNMP引擎不得在TCP字节流中交错SNMP消息。
All the bytes of one SNMP message must be sent before any bytes of a different SNMP message.
一条SNMP消息的所有字节必须在另一条SNMP消息的任何字节之前发送。
It is possible to exchange multiple SNMP request/response pairs over a single (persistent) TCP connection. TCP connections are by default full-duplex and data can travel in both directions at different speeds. It is therefore possible to send multiple SNMP messages to a remote SNMP engine before receiving responses from the same SNMP engine. Note that an SNMP engine is not required to return responses in the same order as it received the requests.
可以通过单个(持久)TCP连接交换多个SNMP请求/响应对。TCP连接默认为全双工,数据可以以不同的速度在两个方向上传输。因此,在接收来自同一SNMP引擎的响应之前,可以向远程SNMP引擎发送多条SNMP消息。请注意,SNMP引擎不需要按照接收请求的顺序返回响应。
It is possible that the underlying TCP implementation delivers byte sequences that do not align with SNMP message boundaries. A receiving SNMP engine MUST therefore use the length field in the BER-encoded SNMP message to separate multiple requests sent over a single TCP connection (framing). An SNMP engine which looses framing (for example due to ASN.1 parse errors) SHOULD close the TCP connection. The connection initiator will then be responsible for establishing a new TCP connection.
底层TCP实现可能提供与SNMP消息边界不一致的字节序列。因此,接收SNMP引擎必须使用BER编码的SNMP消息中的长度字段来分隔通过单个TCP连接(帧)发送的多个请求。如果SNMP引擎松动了框架(例如由于ASN.1解析错误),则应关闭TCP连接。然后,连接启动器将负责建立新的TCP连接。
It is RECOMMENDED that administrators configure their SNMP entities containing command responders to listen on TCP port 161 for incoming connections. It is also RECOMMENDED that SNMP entities containing notification receivers be configured to listen on TCP port 162 for connection requests.
建议管理员将其包含命令响应程序的SNMP实体配置为在TCP端口161上侦听传入连接。还建议将包含通知接收器的SNMP实体配置为在TCP端口162上侦听连接请求。
SNMP over TCP transport addresses are identified by using the generic TCP transport domain and address definitions provided by RFC 3419 [6], which cover TCP over IPv4 and IPv6.
TCP上的SNMP传输地址是通过使用RFC 3419[6]提供的通用TCP传输域和地址定义来标识的,该定义涵盖了IPv4和IPv6上的TCP。
When an SNMP entity uses the TCP transport mapping, it MUST be capable of accepting and generating messages that are at least 8192 octets in size. Implementation of larger values is encouraged whenever possible.
当SNMP实体使用TCP传输映射时,它必须能够接受和生成大小至少为8192个八位字节的消息。尽可能鼓励实施更大的价值观。
The use of TCP connections introduces costs [7]. Connection establishment and teardown cause additional network traffic. Furthermore, maintaining open connections binds resources in the network layer of the underlying operating system.
使用TCP连接会带来成本[7]。连接建立和断开会导致额外的网络流量。此外,维护开放连接会绑定底层操作系统的网络层中的资源。
SNMP over TCP is intended to be used when the size of the transferred data is large since TCP offers flow control and efficient segmentation. The transport of large amounts of management data via SNMP over UDP requires many request/response interactions with small-sized SNMP over UDP messages, which causes latency to increase excessively.
TCP上的SNMP旨在在传输数据的大小较大时使用,因为TCP提供了流量控制和有效的分段。通过SNMP over UDP传输大量管理数据需要与小型SNMP over UDP消息进行许多请求/响应交互,这会导致延迟过度增加。
TCP connections are established on behalf of the SNMP applications which initiate a transaction. In particular, command generator applications are responsible for opening TCP connections to command responder applications and notification originator applications are responsible for initiating TCP connections to notification receiver applications, which are selected as described in Section 3 of STD 62, RFC 3413 [8]. If the TCP connection cannot be established, then the transaction is aborted and reported to the application as a timeout error condition. Alternative connection establishment procedures are discussed in Appendix A but are not part of this specification.
TCP连接是代表启动事务的SNMP应用程序建立的。特别是,命令生成器应用程序负责打开与命令响应程序应用程序的TCP连接,而通知发起者应用程序负责启动与通知接收器应用程序的TCP连接,如STD 62、RFC 3413[8]第3节所述进行选择。如果无法建立TCP连接,则事务将中止并作为超时错误条件报告给应用程序。备选连接建立程序在附录A中讨论,但不属于本规范的一部分。
All SNMP entities (whether in an agent role or manager role) can close TCP connections at any point in time. This ensures that SNMP entities can control their resource usage and shut down TCP connections that are not used. Note that SNMP engines are not required to process SNMP messages if the incoming half of the TCP connection is closed while the outgoing half remains open.
所有SNMP实体(无论是代理角色还是管理角色)都可以在任何时间点关闭TCP连接。这确保了SNMP实体可以控制其资源使用并关闭未使用的TCP连接。请注意,如果TCP连接的传入部分关闭,而传出部分保持打开状态,则不需要SNMP引擎来处理SNMP消息。
The processing of any outstanding SNMP requests when both sides of the TCP connection have been closed is implementation dependent. The sending SNMP entity SHOULD therefore not make assumptions about the processing of outstanding SNMP requests once a TCP connection is closed. A timeout error condition SHOULD be signaled for confirmed operations if the TCP connection is closed before a response has been received.
TCP连接双方都已关闭时,任何未完成的SNMP请求的处理取决于实现。因此,一旦TCP连接关闭,发送SNMP实体不应假设处理未完成的SNMP请求。如果TCP连接在收到响应之前已关闭,则应为确认操作发出超时错误条件信号。
The transport of SNMP messages over TCP results in a reliable exchange of SNMP messages between SNMP engines. In particular, TCP guarantees (in the absence of security attacks) that the delivered data is not damaged, lost, duplicated, or delivered out of order [2].
通过TCP传输SNMP消息可以在SNMP引擎之间可靠地交换SNMP消息。特别是,TCP保证(在没有安全攻击的情况下)交付的数据不会损坏、丢失、复制或无序交付[2]。
The SNMP protocol has been designed to support confirmed as well as unconfirmed operations [9]. The inform-request protocol operation is an example for a confirmed operation while the snmpV2-trap operation is an example for an unconfirmed operation.
SNMP协议旨在支持已确认和未确认的操作[9]。通知请求协议操作是确认操作的示例,而snmpV2陷阱操作是未确认操作的示例。
There is an important difference between an unconfirmed protocol operation sent over a reliable transport and a confirmed protocol operation. A reliable transport such as TCP only guarantees that delivered data is not damaged, lost, duplicated, or delivered out of order. It does not guarantee that the delivered data was actually processed in any way by the application process. Furthermore, even a reliable transport such as TCP cannot guarantee that data sent to a remote system is eventually delivered on the remote system. Even a graceful close of the TCP connection does not guarantee that the receiving TCP engine has actually delivered all the data to an application process.
通过可靠传输发送的未确认协议操作与确认协议操作之间存在重要区别。可靠的传输(如TCP)只能保证传输的数据不会损坏、丢失、复制或无序传输。它不保证交付的数据实际上是由应用程序进程以任何方式处理的。此外,即使像TCP这样的可靠传输也不能保证发送到远程系统的数据最终在远程系统上传输。即使顺利关闭TCP连接也不能保证接收TCP引擎已将所有数据实际交付给应用程序进程。
With a confirmed SNMP operation, the receiving SNMP engine acknowledges that the data was actually received. Depending on the SNMP protocol operation, a confirmation may indicate that further processing was done. For example, the response to an inform-request protocol operation indicates to the notification originator that the notification passed the transport, the security model and that it was queued for delivery to the notification receiver application. Similarly, the response to a set-request indicates that the data passed the transport, the security model and that the write request was actually processed by the command responder.
通过确认的SNMP操作,接收SNMP引擎确认数据已实际接收。根据SNMP协议的操作,确认可能表示已完成进一步的处理。例如,对通知请求协议操作的响应向通知发起人指示通知已通过传输、安全模型,并且已排队等待传递到通知接收方应用程序。类似地,对set请求的响应表明数据通过了传输、安全模型,并且写请求实际上是由命令响应程序处理的。
A reliable transport is thus only a poor approximation for confirmed operations. Applications that need confirmation of delivery or processing are encouraged to use the confirmed operations, such as the inform-request, rather than using unconfirmed operations, such as snmpV2-trap, over a reliable transport.
因此,对于已确认的操作而言,可靠的传输只是一个很差的近似值。鼓励需要确认交付或处理的应用程序在可靠传输上使用确认的操作(如通知请求),而不是使用未确认的操作(如snmpV2陷阱)。
It is RECOMMENDED that implementors consider the security features as provided by the SNMPv3 framework in order to provide SNMP security. Specifically, the use of the User-based Security Model STD 62, RFC 3414 [10] and the View-based Access Control Model STD 62, RFC 3415 [11] is RECOMMENDED.
建议实现者考虑SNMPv3框架提供的安全特性,以便提供SNMP安全性。具体而言,建议使用基于用户的安全模型STD 62、RFC 3414[10]和基于视图的访问控制模型STD 62、RFC 3415[11]。
It is then a customer/user responsibility to ensure that the SNMP entity giving access to a MIB is properly configured to give access to the objects only to those principals (users) that have legitimate rights to indeed GET or SET (change) them.
然后,客户/用户有责任确保对访问MIB的SNMP实体进行了正确配置,以便仅向那些拥有确实获取或设置(更改)对象的合法权限的主体(用户)授予对象访问权限。
The SNMP over TCP transport mapping does not have any impact on the security mechanisms provided by SNMPv3. However, SNMP over TCP may introduce new vulnerabilities to denial of service attacks (such as TCP syn flooding) that do not exist in this form in other transport mappings.
SNMP over TCP传输映射对SNMPv3提供的安全机制没有任何影响。但是,TCP上的SNMP可能会为拒绝服务攻击(如TCP syn洪泛)引入新的漏洞,这些漏洞在其他传输映射中不以这种形式存在。
This document is the result of discussions within the Network Management Research Group (NMRG) of the Internet Research Task Force[12] (IRTF). Special thanks to Luca Deri, Jean-Philippe Martin-Flatin, Aiko Pras, Ron Sprenkels, and Bert Wijnen for their comments and suggestions.
本文件是互联网研究工作组[12](IRTF)网络管理研究组(NMRG)内部讨论的结果。特别感谢Luca Deri、Jean-Philippe Martin Flatin、Aiko Pras、Ron Sprenkels和Bert Wijnen的评论和建议。
Additional useful comments have been made by Mike Ayers, Jeff Case, Mike Daniele, David Harrington, Lauren Heintz, Keith McCloghrie, Olivier Miakinen, and Dave Shield.
迈克·艾尔斯、杰夫·凯斯、迈克·达涅利、大卫·哈林顿、劳伦·海因茨、基思·麦克洛赫里、奥利维尔·米亚基宁和戴夫·希尔德发表了其他有用的评论。
Luca Deri, Wes Hardaker, Bert Helthuis, and Erik Schoenfelder helped to create prototype implementations. The SNMP over TCP transport mapping is currently supported by the NET-SNMP package[13] and the Linux CMU SNMP package[14].
Luca Deri、Wes Hardaker、Bert Helthuis和Erik Schoenfelder帮助创建了原型实现。NET-SNMP包[13]和Linux CMU SNMP包[14]当前支持SNMP over TCP传输映射。
References
工具书类
[1] Case, J., Mundy, R., Partain, D. and B. Stewart, "Introduction and Applicability Statements for Internet-Standard Management Framework", RFC 3410, December 2002.
[1] Case,J.,Mundy,R.,Partain,D.和B.Stewart,“互联网标准管理框架的介绍和适用性声明”,RFC 3410,2002年12月。
[2] Postel, J., "Transmission Control Protocol", STD 7, RFC 793, September 1981.
[2] 《传输控制协议》,标准7,RFC 793,1981年9月。
[3] Presuhn, R., Ed., "Transport Mappings for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3417, December 2002.
[3] Presohn,R.,Ed.“简单网络管理协议(SNMP)的传输映射”,STD 62,RFC 34172002年12月。
[4] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[4] Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[5] Sprenkels, R. and J. Martin-Flatin, "Bulk Transfers of MIB Data", Simple Times 7(1), March 1999.
[5] Sprenkels,R.和J.Martin Flatin,“MIB数据的批量传输”,《简单时代》第7(1)期,1999年3月。
[6] Daniele, M. and J. Schoenwaelder, "Textual Conventions for Transport Addresses", RFC 3419, December 2002.
[6] Daniele,M.和J.Schoenwaeld,“运输地址的文本约定”,RFC 3419,2002年12月。
[7] Kastenholz, F., "SNMP Communications Services", RFC 1270, October 1991.
[7] Kastenholz,F.,“SNMP通信服务”,RFC 1270,1991年10月。
[8] Levi, D., Meyer, P. and B. Stewart, "Simple Network Management Protocol (SNMP) Applications", STD 62, RFC 3413, December 2002.
[8] Levi,D.,Meyer,P.和B.Stewart,“简单网络管理协议(SNMP)应用”,STD 62,RFC 3413,2002年12月。
[9] Harrington, D., Presuhn, R. and B. Wijnen, "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, December 2002.
[9] Harrington,D.,Presohn,R.和B.Wijnen,“描述简单网络管理协议(SNMP)管理框架的体系结构”,STD 62,RFC 3411,2002年12月。
[10] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.
[10] Blumenthal,U.和B.Wijnen,“简单网络管理协议(SNMPv3)第3版的基于用户的安全模型(USM)”,STD 62,RFC 3414,2002年12月。
[11] Wijnen, B., Presuhn, R. and K. McCloghrie, "View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3415, December 2002.
[11] Wijnen,B.,Presohn,R.和K.McCloghrie,“用于简单网络管理协议(SNMP)的基于视图的访问控制模型(VACM)”,STD 62,RFC 3415,2002年12月。
[12] <http://www.irtf.org/>
[12] <http://www.irtf.org/>
[13] <http://net-snmp.sourceforge.net/>
[13] <http://net-snmp.sourceforge.net/>
[14] <http://www.gaertner.de/snmp/>
[14] <http://www.gaertner.de/snmp/>
This memo defines a simple connection establishment scheme where the notification originator or command generator application is responsible for establishing TCP connections to notification receiver or command responder applications. The purpose of this section is to document variations or alternatives of this scheme which have been discussed during the development of this specification. The discussion below focuses on notification originator applications since this is case where people seem to have diverging viewpoints. The discussion below also assumes that the reader is familiar with the SNMPv3 notification forwarding model as defined in STD 62, RFC 3413 [8].
此备忘录定义了一个简单的连接建立方案,其中通知发起人或命令生成器应用程序负责建立到通知接收方或命令响应者应用程序的TCP连接。本节旨在记录本规范制定过程中讨论过的本方案的变更或替代方案。下面的讨论集中在通知发起人应用程序上,因为在这种情况下,人们似乎有不同的观点。下面的讨论还假设读者熟悉STD 62、RFC 3413[8]中定义的SNMPv3通知转发模型。
The variations that have been discussed are basically driven by the idea of providing fallback mechanisms in cases where TCP connection establishment from the notification originator to the notification receiver fails. The approach specified in this memo simply drops notifications if the TCP connection cannot be established. This implies that notification originators which need reliable notification delivery must implement a local notification log in order to keep a history of notifications that could not be delivered.
所讨论的变化基本上是由在从通知发起人到通知接收方的TCP连接建立失败的情况下提供回退机制的想法驱动的。如果无法建立TCP连接,则此备忘录中指定的方法只会删除通知。这意味着需要可靠通知传递的通知发起人必须实现本地通知日志,以便保留无法传递的通知的历史记录。
Another option is to deliver notifications via UDP in case TCP connection establishment fails. This might require augmenting the snmpTargetTable with columns that provide information about the alternate UDP transport domain and address. In general, this approach only helps to deliver notifications in cases where the notification receiver is unable to accept more TCP connections. In other fault scenarios (e.g. routing problems in the network), the UDP packet would have no or only marginally better chances to reach the notification receiver. This implies that notification originators which need reliable notification delivery still need to implement a local notification log in order to keep a history of notifications in case the UDP packets do not reach the destination.
另一种选择是在TCP连接建立失败时通过UDP发送通知。这可能需要使用提供有关备用UDP传输域和地址的信息的列来扩充snmpTargetTable。通常,这种方法仅在通知接收方无法接受更多TCP连接的情况下才有助于发送通知。在其他故障情况下(例如,网络中的路由问题),UDP数据包到达通知接收器的机会将不会或只是稍微好一点。这意味着需要可靠通知传递的通知发起人仍然需要实现本地通知日志,以便在UDP数据包未到达目的地的情况下保留通知的历史记录。
A generalization of this approach leads to the idea of a sparse augmentation of the snmpTargetTable which lists alternate fallback transport endpoints of arbitrary transport domains. Multiple fallbacks may be possible by using a tag list approach. This provides a generic transport independent fallback mechanism which is independent of the TCP transport mapping defined in this memo.
这种方法的推广导致了snmpTargetTable的稀疏扩充,它列出了任意传输域的备用回退传输端点。使用标记列表方法可能会出现多个回退。这提供了一种通用的独立于传输的回退机制,该机制独立于本备忘录中定义的TCP传输映射。
Another alternative is to make the notification originator responsible for retrying connection establishment. This could be accomplished by augmenting the snmpTargetTable with additional columns that specify retry counts and timeouts or by adapting the existing snmpTargetAddrTimeout and snmpTargetAddrRetryCount columns in the snmpTargetTable. But even this approach requires a local notification log in order to handle situations where all retries have failed.
另一种选择是让通知发起人负责重试连接建立。这可以通过使用指定重试计数和超时的附加列来扩充snmpTargetTable来实现,或者通过调整snmpTargetTable中现有的snmpTargetAddrTimeout和snmpTargetAddrRetryCount列来实现。但即使是这种方法也需要一个本地通知日志来处理所有重试都失败的情况。
A fundamentally different approach is to make the notification receiver responsible for establishing the TCP connection to the notification originator. This approach has the advantage that the notification originator does not necessarily need a list of pre-configured notification receiver transport addresses. The current notification forwarding model however relies on the snmpTargetTable to identify notification targets. So the question comes up whether (a) new entries are added to the snmpTargetTable when a connection is established or whether (b) connections are only accepted if they match pre-configured snmpTargetTable entries. Note that the target selection logic relies on a tag list which can not be reasonably populated when a connection is accepted. So only option (b) seems to be compliant with the current notification forwarding logic. Another issue to consider is the vulnerability to denial of service attacks. A notification originator can be easily attacked by syn-flooding attacks if it listens for incoming TCP connections. Finally, in order to let notification originator and notification receiver applications coexist easily on a single system, it would be necessary to assign new default port numbers on which notification originators listen for incoming TCP connections.
一种根本不同的方法是让通知接收方负责建立与通知发起人的TCP连接。这种方法的优点是通知发起人不一定需要预先配置的通知接收方传输地址列表。然而,当前的通知转发模型依赖snmpTargetTable来识别通知目标。因此,问题出现了:(a)在建立连接时是否将新条目添加到snmpTargetTable,或者(b)连接是否仅在匹配预配置的snmpTargetTable条目时才被接受。请注意,目标选择逻辑依赖于标记列表,当接受连接时,无法合理填充该列表。因此,只有选项(b)似乎符合当前的通知转发逻辑。另一个要考虑的问题是拒绝服务攻击的脆弱性。如果通知发起人侦听传入的TCP连接,则它很容易受到syn泛洪攻击。最后,为了让通知发起者和通知接收者应用程序在单个系统上轻松共存,有必要分配新的默认端口号,通知发起者将在其上侦听传入的TCP连接。
Author's Address
作者地址
Juergen Schoenwaelder TU Braunschweig Bueltenweg 74/75 38106 Braunschweig Germany Phone: +49 531 391-3283 EMail: schoenw@ibr.cs.tu-bs.de
Juergen Schoenwaelder TU Braunchweig Bueltenweg 74/75 38106 Braunchweig Germany电话:+49 531 391-3283电子邮件:schoenw@ibr.cs.tu-理学士
Full Copyright Statement
完整版权声明
Copyright (C) The Internet Society (2002). All Rights Reserved.
版权所有(C)互联网协会(2002年)。版权所有。
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。