The Internet Activities Board is expected to endorse a new, secure version of the Simple Network Management Protocol over the next couple of weeks, and the decision may signal a period of upheaval for users and vendors alike since Secure SNMP is incompatible with the existing standard. Potential changes do not stop there, as a group of influential US Internet people is working on a further refinement to SNMP – dubbed simply the Simple Management Protocol – which is designed to cope with complex networks where multiple network management stations need to interact.
Outstripped
While SNMP has outstripped its Open Systems Interconnection competitor, the Common Management Information Protocol, in popularity, it has its problems. Chief among these is that it cannot authenticate the source of management messages, so anyone able to get a packet to a device can reconfigure it. As a defence, many vendors and users have chosen not to implement the SNMP ‘Set’ command at all, which cripples the management suite by reducing it to a monitoring facility.

Secure SNMP (S-SNMP) is the Internet Engineering Task Force’s answer: a system of shared keys that ensures only authorised management stations can make changes. The chosen method combines each management message with the sender’s secret key and a time-stamp and runs the result through a message-digest algorithm, MD5. The managed device, holding the same key, recomputes the digest over the message it received and compares it with the digest that was sent; the time-stamp lets it discard messages that are too old. A message that has been altered, forged with a different key, or replayed from an earlier exchange therefore fails the check. The price is that the header of a Secure SNMP packet differs from, and is fundamentally incompatible with, existing SNMP implementations.

Events have been watched with mixed feelings by the Network Management Forum, which over the past two years has dropped the letters ‘OSI’ from its name, partly in recognition of SNMP’s strength in the market. Bruce Murrill, the Forum’s Technical Director, says he is concerned that Secure SNMP appears to cover ground already covered by existing standards such as CMOL (CMIP over Logical Link Control). ‘We are fairly neutral at the moment, but since we are trying to reconcile a number of separate management systems at the moment my question is why do we need a fourth?’ ‘We are going to face a transition over the next 18 months to two years,’ agrees Chris Gahan, market development manager with 3Com Corp.
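The keyed-digest check described above, as an added illustration rather than code from the IETF drafts or any vendor: the management station hashes its key, a time-stamp and the message with MD5, and the agent recomputes the digest with its own copy of the key and compares. The wire layout (time-stamp, digest, payload), the 300-second acceptance window and the replay cache are assumptions made here.

```python
"""Keyed-digest authentication of the kind the article describes for Secure SNMP.
Added example, not the IETF drafts' or any vendor's code. Assumptions made here:
wire layout (4-byte time-stamp | 16-byte MD5 digest | payload), a 300-second
acceptance window, and a replay cache keyed on the digest."""
import hashlib
import hmac
import struct

WINDOW_SECONDS = 300  # assumed: how far a time-stamp may differ from the agent's clock


def keyed_digest(key: bytes, timestamp: int, payload: bytes) -> bytes:
    """MD5 over key || time-stamp || payload: the construction the article describes."""
    h = hashlib.md5()
    h.update(key)
    h.update(struct.pack(">I", timestamp))
    h.update(payload)
    return h.digest()


def build_message(key: bytes, timestamp: int, payload: bytes) -> bytes:
    """Management station side: prepend the time-stamp and digest to the payload."""
    return struct.pack(">I", timestamp) + keyed_digest(key, timestamp, payload) + payload


class Agent:
    """Managed-device side: shares the key and remembers digests it has accepted."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = set()  # digests accepted within the window (prune older ones in practice)

    def verify(self, message: bytes, now: int):
        """Return (accepted, payload-or-reason). The digest is checked first so that the
        time-stamp and replay cache are only consulted for holders of the key."""
        if len(message) < 20:
            return False, "truncated"
        timestamp = struct.unpack(">I", message[:4])[0]
        digest, payload = message[4:20], message[20:]
        expected = keyed_digest(self.key, timestamp, payload)
        if not hmac.compare_digest(digest, expected):
            return False, "bad digest"   # altered in transit, or forged without the key
        if abs(now - timestamp) > WINDOW_SECONDS:
            return False, "stale"        # too old (or too far in the future) to accept
        if digest in self.seen:
            return False, "replay"       # an identical message was already acted on
        self.seen.add(digest)
        return True, payload


def demo() -> dict:
    """Run the genuine, replayed, altered, forged and stale cases through one agent."""
    key = b"manager-secret"          # constructed shared secret
    agent = Agent(key)
    now = 700_000_000                # constructed clock value
    genuine = build_message(key, now, b"set sysContact=ops@example.test")
    results = {"genuine": agent.verify(genuine, now)[0]}
    results["replay"] = agent.verify(genuine, now + 5)[0]
    altered = genuine[:20] + b"set sysContact=attacker@example.test"
    results["altered"] = agent.verify(altered, now)[0]
    forged = build_message(b"guessed-key", now, b"set sysContact=attacker@example.test")
    results["forged"] = agent.verify(forged, now)[0]
    stale = build_message(key, now - 3600, b"set sysContact=ops@example.test")
    results["stale"] = agent.verify(stale, now)[0]
    return results


if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'replay': False, 'altered': False, 'forged': False, 'stale': False}
```

Two caveats a practitioner would attach to this construction today: a digest of key || data with the key as a plain prefix is open to length-extension, which is one reason SNMPv3's User-based Security Model (RFC 3414) authenticates with HMAC-MD5-96 or HMAC-SHA-96 instead, and the time-stamp alone only narrows the replay window; the agent must also remember what it has accepted inside that window, as the `seen` set does here.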
In general, he believes the change should not be too traumatic: although SNMP and S-SNMP are incompatible, they can co-exist on the same network, and as long as the network management station supports both, the agents on network devices can be swapped over as required. However, Gahan believes that writers of network management programs in general will have to come to grips with the new standard to make the most of it. As an illustration, 3Com’s own ISOview program supports five levels of security, ranging from the ability to monitor network statistics to the rights needed to reconfigure any device.

Meanwhile, work is going on to enhance SNMP yet further. Four Internet gurus, Jeffrey Case of SNMP Research, Keith McCloghrie of Hughes LAN Systems, Marshall Rose of Dover Beach Consulting and Steve Waldbusser of Carnegie Mellon University, have got together to propose the Simple Management Protocol. Their work, said Rose in a message posted to the Internet, is a response to calls from the Internet Activities Board for a better management framework. ‘Because the proposal is founded on the SNMP Security work, yet contains many other extensions, we chose the name SMP. We could not use a name containing SNMP, of course, because SNMP belongs to the community, not the four of us.’ At present the details are sketchy, but it is understood that one of the goals is a system that enables separate network management stations to interwork and share data, something currently outside the scope of SNMP. As for timescales, he says that basic interoperability testing should be completed by the end of the month, at which time documents will be issued, to be formally introduced to the Internet Engineering Task Force this month. In the meantime, the four have gone into purdah and are refusing to answer questions, other than to say that the new framework is being engineered to minimise its impact on existing systems.