Internet DRAFT - draft-schoenw-opsawg-nm-srv
draft-schoenw-opsawg-nm-srv
Internet Engineering Task Force J. Schoenwaelder
Internet-Draft Jacobs University Bremen
Intended status: Informational T. Tsou
Expires: September 13, 2012 C. Zhou
Huawei Technologies
March 12, 2012
DNS SRV Resource Records for Network Management Protocols
draft-schoenw-opsawg-nm-srv-03
Abstract
This document specifies how to use Domain Name Service (DNS) SRV
Resource Records (RRs) to locate network management services.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 13, 2012.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Schoenwaelder, et al. Expires September 13, 2012 [Page 1]
Internet-Draft Network Management SRV Records March 2012
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Service Names . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. SYSLOG . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2. SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.3. NETCONF . . . . . . . . . . . . . . . . . . . . . . . . . 6
3. Security Considerations . . . . . . . . . . . . . . . . . . . 7
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
5. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8
5.1. Normative References . . . . . . . . . . . . . . . . . . . 8
5.2. Informative References . . . . . . . . . . . . . . . . . . 9
Appendix A. Open Issues . . . . . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10
Schoenwaelder, et al. Expires September 13, 2012 [Page 2]
Internet-Draft Network Management SRV Records March 2012
1. Introduction
This document specifies how to use Domain Name Service (DNS) SRV
Resource Records (RRs) [RFC2782] to locate network management
services. The use of SRV RRs can be useful in network bootstrapping
scenarios or in zero-configuration network scenarios (e.g., home
networks).
The network management DNS SRV RRs defined in this memo may be used
for different purposes:
o Manageable devices announce their management interfaces using a
multicast DNS service [I-D.cheshire-dnsext-multicastdns]. A
management system discovers the devices and initiates management
interactions with them.
o Devices discover destinations for event notifications or logging
services by looking up (statically) configured SRV RRs in the DNS.
The DNS SRV RRs defined in this memo address some gaps identified for
the automated configuration of large IP networks
[I-D.ietf-opsawg-automated-network-configuration].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
2. Service Names
IANA maintains the registry for service names and port numbers
[RFC6335]. The service names maintained in this registry can be used
with DNS SRV records. In addition, these service names can be used
for dynamic service discovery as defined in
[I-D.cheshire-dnsext-dns-sd].
2.1. SYSLOG
The Reliable Delivery of syslog specification [RFC3195] already
mentions the usage of DNS SRV RRs to locate SYSLOG collectors. The
more recent SYSLOG protocol specification [RFC5424] and the
associated transport mappings ([RFC5425], [RFC5426], [RFC6012]) do
not discuss the usage of SRV RRs to locate SYSLOG collectors. This
specification takes the service label definition from [RFC3195] and
makes it applicable to structured SYSLOG as defined in [RFC5424]:
Schoenwaelder, et al. Expires September 13, 2012 [Page 3]
Internet-Draft Network Management SRV Records March 2012
_syslog Identifies a SYSLOG collector. This SRV RR is primarily
for discovery of SYSLOG collectors by SYSLOG originators
or relays.
Example: service records
_syslog._tcp SRV 0 1 6514 syslog.example.com.
_syslog._udp SRV 0 1 514 syslog.example.com.
A SYSLOG originator may need additional information to send SYSLOG
messages to a SYSLOG collector. How this information is derived is
not specified and implementation dependent.
Note that the IANA service names and port number registry defines the
following service names and default port numbers:
+-------------+------+-------+-------------------------+-----------+
| Name | Port | Proto | Description | Reference |
+-------------+------+-------+-------------------------+-----------+
| syslog | 514 | udp | Syslog over UDP | [RFC5426] |
| syslog-conn | 601 | tcp | Reliable Syslog Service | [RFC3195] |
| syslog-conn | 601 | udp | Reliable Syslog Service | [RFC3195] |
| syslog-tls | 6514 | tcp | Syslog over TLS | [RFC5425] |
| syslog-tls | 6514 | udp | Syslog over DTLS | [RFC5425] |
| syslog-tls | 6514 | dccp | Syslog over DTLS | [RFC5425] |
+-------------+------+-------+-------------------------+-----------+
Table 1: SYSLOG Service Names and Port Numbers
[[SYSLOG-Q1: Shall we suggest that implementations MUST or SHOULD use
only the syslog service name for discovery? This way, it is not
necessary to start a discovery for multiple service names. Of
course, we also loose some context information (e.g., that TLS is to
be used, which might matter if non-default port numbers are used).
--JS]]
[[SYSLOG-Q2: What is the future of Reliable Syslog? Can we expect
this to be retired so that we can choose to ignore it? --JS]]
[[SYSLOG-Q3: What to do with SYSLOG over DTLS/DCCP? Section 7 of the
multicast service discovery document suggests that applications using
transport protocols different from UDP and TCP should all use the
_udp protocol label. Its unclear whether this is generally accepted
common practice for SRV records or only a specific recommendation for
service discovery. --JS]]
[[SYSLOG-Q4: SYSLOG over plain TCP is forthcoming. At the time of
this writing, the specification is with the IESG. --JS]]
Schoenwaelder, et al. Expires September 13, 2012 [Page 4]
Internet-Draft Network Management SRV Records March 2012
2.2. SNMP
The Simple Network Management Protocol (SNMP) [RFC3410] distinguishes
between SNMP entities containing command responder and notification
originator applications (traditionally called agents) and SNMP
entities containing command generator and/or notification receiver
applications (traditionally called managers) [RFC3411]. This
specification defines two new SRV service labels for SNMP:
_snmp Identifies an SNMP entity containing a command responder
application. This record is primarily for discovery of
SNMP agents that announce their presence using multicast
DNS protocols.
_snmp-trap Identifies an SNMP entity containing a notification
receiver application. This SRV RR is primarily for
discovery of SNMP notification sinks by SNMP notification
generator applications.
Example: service records
_snmp._udp SRV 0 1 161 device.example.com.
_snmp-trap._udp SRV 0 1 162 nms.example.com.
An SNMP engine containing a command generator application needs
additional information to send SNMP messages to a SNMP engine
containing a command responder application. How this information is
derived is not specified and implementation dependent. Similarily,
an SNMP engine containing a notification originator application needs
additional information to send SNMP messages to a SNMP engine
containing a notification receiver application. How this information
is derived is not specified and implementation dependent.
Note that the IANA service names and port number registry defines the
following service names and default port numbers:
Schoenwaelder, et al. Expires September 13, 2012 [Page 5]
Internet-Draft Network Management SRV Records March 2012
+--------------+-------+-------+----------------------+-----------+
| Name | Port | Proto | Description | Reference |
+--------------+-------+-------+----------------------+-----------+
| snmp | 161 | udp | SNMP over UDP | [RFC3430] |
| snmp | 161 | tcp | SNMP over TCP | [RFC3417] |
| snmp-trap | 162 | udp | SNMP traps over UDP | [RFC3430] |
| snmp-trap | 162 | tcp | SNMP traps over TCP | [RFC3417] |
| snmpssh | 5161 | tcp | SNMP over SSH | [RFC5592] |
| snmpssh-trap | 5162 | tcp | SNMP traps over SSH | [RFC5592] |
| snmptls | 10161 | tcp | SNMP over TLS | [RFC6353] |
| snmpdtls | 10161 | udp | SNMP over DTLS | [RFC6353] |
| snmptls-trap | 10162 | tcp | SNMP traps over TLS | [RFC6353] |
| snmptls-trap | 10162 | udp | SNMP traps over DTLS | [RFC6353] |
+--------------+-------+-------+----------------------+-----------+
Table 2: SNMP Service Names and Port Numbers
[[SNMP-Q1: Shall we suggest that implementations MUST or SHOULD use
only the snmp and snmp-trap service names for discovery? This way,
it is not necessary to start a discovery for multiple service names.
Of course, we also loose some context information (e.g., that TLS is
to be used, which might matter if non-default port numbers are used).
--JS]]
2.3. NETCONF
The NECONF protocol [RFC6241] provides mechanisms to install,
manipulate, and delete the configuration of network devices. The
mandatory to implement transport uses the Secure Shell (SSH) protocol
[RFC6242]. SSH sessions are initiated by the NETCONF client. This
specification adds a new SRV service label for NETCONF:
_netconf Identifies a NETCONF server. This record is primarily
for discovery of NETCONF servers that announce their
presence using multicast DNS protocols.
Example: service records
_netconf._tcp SRV 0 1 830 device.example.com.
A NETCONF client needs additional information in order to establish a
session with a NETCONF server. How this information is derived is
not specified and implementation dependent.
Note that the IANA service names and port number registry defines the
following service names and default port numbers:
Schoenwaelder, et al. Expires September 13, 2012 [Page 6]
Internet-Draft Network Management SRV Records March 2012
+-----------------+------+-------+----------------------+-----------+
| Name | Port | Proto | Description | Reference |
+-----------------+------+-------+----------------------+-----------+
| netconf-ssh | 830 | tcp | NETCONF over SSH | [RFC6242] |
| netconf-beep | 831 | tcp | NETCONF over BEEP | [RFC4744] |
| netconfsoaphttp | 832 | tcp | NETCONF over | [RFC4743] |
| | | | SOAP/HTTP | |
| netconfsoapbeep | 833 | tcp | NETCONF over | [RFC4743] |
| | | | SOAP/BEEP | |
| netconf-tls | 6513 | tcp | NETCONF over TLS | [RFC5539] |
+-----------------+------+-------+----------------------+-----------+
Table 3: NETCONF Service Names and Port Numbers
[[NETCONF-Q1: Shall we suggest that implementations MUST or SHOULD
use only the netconf service name for discovery? This way, it is not
necessary to start a discovery for multiple service names. Of
course, we also loose some context information (e.g., that TLS or SSH
is to be used, which might matter if non-default port numbers are
used). --JS]]
[[NETCONF-Q2: There is discussion to retire NETCONF over SOAP and
NETCONF over BEEP which may simplify this a bit. --JS]]
3. Security Considerations
The security considerations spelled out in the DNS SRV specification
[RFC2782] apply. In general, the usage of DNSSEC [RFC4033] is
recommended in environments where DNS cannot be trusted.
The usage of multicast DNS protocols to discover network management
services potentially introduces new security risks since such
protocols usually assume cooperating participants. In an environment
where antagonistic participants exists, it is necessary to deploy
additional security mechanism such as DNSSEC to securely discover
network management services.
4. IANA Considerations
TBD
5. References
Schoenwaelder, et al. Expires September 13, 2012 [Page 7]
Internet-Draft Network Management SRV Records March 2012
5.1. Normative References
[I-D.cheshire-dnsext-dns-sd]
Cheshire, S. and M. Krochmal, "DNS-Based Service
Discovery", draft-cheshire-dnsext-dns-sd-11 (work in
progress), December 2011.
[I-D.cheshire-dnsext-multicastdns]
Cheshire, S. and M. Krochmal, "Multicast DNS",
draft-cheshire-dnsext-multicastdns-15 (work in progress),
December 2011.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782,
February 2000.
[RFC3195] New, D. and M. Rose, "Reliable Delivery for syslog",
RFC 3195, November 2001.
[RFC3417] Presuhn, R., "Transport Mappings for the Simple Network
Management Protocol (SNMP)", STD 62, RFC 3417,
December 2002.
[RFC3430] Schoenwaelder, J., "Simple Network Management Protocol
Over Transmission Control Protocol Transport Mapping",
RFC 3430, December 2002.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements",
RFC 4033, March 2005.
[RFC4743] Goddard, T., "Using NETCONF over the Simple Object Access
Protocol (SOAP)", RFC 4743, December 2006.
[RFC4744] Lear, E. and K. Crozier, "Using the NETCONF Protocol over
the Blocks Extensible Exchange Protocol (BEEP)", RFC 4744,
December 2006.
[RFC5424] Gerhards, R., "The Syslog Protocol", RFC 5424, March 2009.
[RFC5425] Miao, F., Ma, Y., and J. Salowey, "Transport Layer
Security (TLS) Transport Mapping for Syslog", RFC 5425,
March 2009.
[RFC5426] Okmianski, A., "Transmission of Syslog Messages over UDP",
Schoenwaelder, et al. Expires September 13, 2012 [Page 8]
Internet-Draft Network Management SRV Records March 2012
RFC 5426, March 2009.
[RFC5539] Badra, M., "NETCONF over Transport Layer Security (TLS)",
RFC 5539, May 2009.
[RFC5592] Harrington, D., Salowey, J., and W. Hardaker, "Secure
Shell Transport Model for the Simple Network Management
Protocol (SNMP)", RFC 5592, June 2009.
[RFC6012] Salowey, J., Petch, T., Gerhards, R., and H. Feng,
"Datagram Transport Layer Security (DTLS) Transport
Mapping for Syslog", RFC 6012, October 2010.
[RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., and A.
Bierman, "Network Configuration Protocol (NETCONF)",
RFC 6241, June 2011.
[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure
Shell (SSH)", RFC 6242, June 2011.
[RFC6335] Cotton, M., Eggert, L., Touch, J., Westerlund, M., and S.
Cheshire, "Internet Assigned Numbers Authority (IANA)
Procedures for the Management of the Service Name and
Transport Protocol Port Number Registry", BCP 165,
RFC 6335, August 2011.
[RFC6353] Hardaker, W., "Transport Layer Security (TLS) Transport
Model for the Simple Network Management Protocol (SNMP)",
RFC 6353, July 2011.
5.2. Informative References
[I-D.ietf-opsawg-automated-network-configuration]
Tsou, T., Schoenwaelder, J., Shi, Y., Taylor, T., and G.
Yang, "Problem Statement for the Automated Configuration
of Large IP Networks",
draft-ietf-opsawg-automated-network-configuration-03 (work
in progress), March 2012.
[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
"Introduction and Applicability Statements for Internet-
Standard Management Framework", RFC 3410, December 2002.
[RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
Architecture for Describing Simple Network Management
Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
December 2002.
Schoenwaelder, et al. Expires September 13, 2012 [Page 9]
Internet-Draft Network Management SRV Records March 2012
Appendix A. Open Issues
1. draft-hallambaker-esrv-01 proposes a RRs to store additional
information in so called General Service Description (GSRV) and
Extended Service Description (ESRV) records (e.g., which security
protocol to use). This is traditionally done using TXT records.
2. draft-kwatsen-reverse-ssh-00 proposes a mechanism which allows an
SSH server to establish the TCP connection to an SSH client; if
this moves forward NETCONF servers may want to discover NETCONF
clients.
Authors' Addresses
Juergen Schoenwaelder
Jacobs University Bremen
Campus Ring 1
Bremen 28759
Germany
Email: j.schoenwaelder@jacobs-university.de
Tina Tsou
Huawei Technologies
Bantian, Longgang District
Shenzhen 518129
P.R. China
Email: tena@huawei.com
Cathy Zhou
Huawei Technologies
Bantian, Longgang District
Shenzhen 518129
P.R. China
Email: cathyzhou@huawei.com
Schoenwaelder, et al. Expires September 13, 2012 [Page 10]