SNMP versions 2 and 3: Skip the sequels

In Internet time, anything that happened way back in the 1980s is considered ancient history. However, while a lot of network technologies from that era are, in fact, obsolete today, that isn't necessarily the case for network management.

The RFC set that spawned the Simple Network Management Protocol was finalized in 1988. Even the authors -- who included such flamboyant characters as Marshall Rose and Jeff Case -- didn't anticipate how big a hit SNMP would be. Within a few years, vendors had implemented an SNMP agent within every network device that could be managed. This meant that such devices could be interrogated via IP from any SNMP-based management software.

The overnight success of SNMP was due to four factors:

  • SNMP was, well, simple, and easy for vendors to implement. The sum total of all the main RFC documents (numbers 1155, 1157, 1212, and 1213) amounted to only 143 pages. By contrast, specifications for other protocols can be thousands of pages long. After a short while, early interoperability issues were eliminated.

  • SNMP was an open IETF standard, published in freely available RFCs -- there was no fee to license the technology or to implement it.

  • An agent implementation consumed minimal resources, so an SNMP-managed router wouldn't bog down when responding to SNMP management queries.

  • The protocol was easily extensible, which meant that vendors could tailor some aspects of the way their products were managed and address new and unique product attributes.

SNMP was a tough act to follow. However, the original protocol's lax security -- its only access control is a community string that travels in cleartext and can be neither authenticated nor kept confidential -- prompted various IETF groups over the years to try to revamp the protocol. So far, those rewrite attempts -- including the latest, SNMP version 3 -- have ended up as dismal failures.

Many enterprise network managers are dutifully including in their RFPs the requirement that SNMP versions 2 and 3 be supported in any new network gear their departments procure. In doing so, however, they unknowingly -- and unnecessarily -- limit their choices.

The SNMP version 2 effort set out to develop bulletproof security for SNMP, but its party-based security model never won consensus and was dropped. What survived was a set of minor tweaks to the protocol: a few new error codes, 64-bit counters, and a more efficient bulk-retrieval operation (GetBulk) in place of walking a table one GetNext at a time. This community-based variant, SNMP v2c, kept the original cleartext community string and was published only as an Experimental RFC rather than an IETF standard, and few vendors figured it was worth overhauling their SNMP agents to add its enhancements. It is nice, and perhaps even useful, if a managed device supports SNMP v2c; a couple of leading SNMP management platforms -- including Hewlett-Packard's OpenView -- do support it. But enterprise network managers are ill-advised to make it mandatory.

Now, after years of effort, there is an SNMP version 3, and it is crawling along on the IETF's standards track. But you should wait before mandating this in RFPs.

Most of SNMP version 3 has been documented and available for some time now, but I've yet to see network products that embrace or implement it. Vendors I've talked to are in general agreement that SNMP version 3 can, if everything goes okay, add a substantial layer of security to a network. But they all lament that the specifications are too voluminous and complex to consider implementing.

SNMP version 3 has too many pieces to it. It lacks backward compatibility with the tried and true original SNMP. There's been no real progress at documenting interoperability between different vendors' implementations. And except for the few specialized software vendors who, along with several academics, actually created the mountain of new SNMP version 3 specifications, few vendors have bothered to implement it. HP does not support SNMP version 3 in OpenView.

Today, network managers are better off looking at other ways to secure their network management communications. Consider out-of-band SNMP access to your routers and the judicious use of VPN products as two viable alternatives. Whichever you choose, the practical rule is the same: because an SNMP version 1 community string is readable by anyone on the path, keep SNMP traffic off untrusted networks, configure agents to answer only the addresses of your management stations, and hand out read-only communities wherever write access is not genuinely needed.

SNMP version 1, like the proverbial Timex watch, just keeps on ticking. It's interesting to note that, even with the trend towards Web- and Java-based management software, the most successful and effective Java-based network management packages that I've seen use SNMP version 1 implemented as Java applets as the underlying management protocol.

In Hollywood, the sequels seldom outperform the original. And so it is with SNMP.
