nanog mailing list archives
Re: Writable SNMP
From: Keegan Holley <keegan.holley () sungard com>
Date: Tue, 6 Dec 2011 11:49:05 -0500
2011/12/6 Christopher Morrow <morrowc.lists () gmail com>
On Tue, Dec 6, 2011 at 11:16 AM, Jared Mauch <jared () puck nether net> wrote:On Dec 6, 2011, at 11:07 AM, Keegan Holley wrote:For a few years now I been wondering why more networks do not usewritableSNMP. Most automation solutions actually script a login to the various equipment. This comes with extra code for different vendors, different prompts and any quirk that the developer is aware of and constantpatchesas new ones come up. Writable SNMP seems like an easier way to dealwithscripted configuration changes as well as information gathering. Admittedly, you will have to deal with proprietary mibs and reformat the data once it's returned. Most people consider it insecure, but inrealityit's no worse than any other management protocol. Yes I know netconf is better, but in most circles I'd have problems explaining what netconfis,why it's better and that I'm not making it up. So I'll take what I canget.Some of the problems is the bulk nature of some config changes (ortransactionalnature on those that support atomic operations) have been harder toautomate.Anyone that has spent any quantity of time with ASN.1 generally wouldagree.I recall some bay networks gear you could only program with the properOIDas the cli was basically a SNMP-SET operation on the device.yea... same with cascade devices... icky things (both bay and cascade!)The errors/feedback tends to be very poor over SNMP as well as you mayneedto walk/revisit a large number of elements to make things happenproperly. fun story/fact, you can send an snmp write to the broadcast address of a network of NT (at least, probably also post-nt versions of the OS) machines, and set their default-ttl to some arbitrary number. "Your network is too chatty... not anymore! now your internet is 5 hops across!"
Let's leave the legacy boxes out of this. Remember that SNMP bug that could keel over a cisco router? I forget the details other than the guy who wrote c code at black hat to kill routers after cisco refused to patch.
Have you had a good experience with using SNMP-Write? I have not.long ago, in a network far away (not on the interwebs) we used snmp write to trigger a tftp config load. It worked nicely... I'm fairly certain I'd not do this on an internet connected network today though.
I can see the other comments about interactive commands and bulk read/writes, but what's the harm of doing it on internet connected boxes vs. non-internet boxes. Just about everyone uses snmp reads in the interwebs and as such filters it at their edges and hopefully on each platform. You'd secure it the same way you'd secure readable SNMP I assume.
Also, who tests snmp WRITE in their code? at scale? for daily operations tasks?
lol, that could be a problem.
... (didn't the snmp incident in 2002 teach us something?) Please elaborate.
-chris
Current thread:
- Writable SNMP Keegan Holley (Dec 06)
- Re: Writable SNMP Jared Mauch (Dec 06)
- Re: Writable SNMP Christopher Morrow (Dec 06)
- Re: Writable SNMP Keegan Holley (Dec 06)
- Re: Writable SNMP Christopher Morrow (Dec 06)
- Re: Writable SNMP Keegan Holley (Dec 07)
- Re: Writable SNMP Christopher Morrow (Dec 07)
- Re: Writable SNMP Keegan Holley (Dec 09)
- Re: Writable SNMP Christopher Morrow (Dec 06)
- Re: Writable SNMP Jared Mauch (Dec 06)
- Re: Writable SNMP Jared Mauch (Dec 06)
- Re: Writable SNMP Dorian Kim (Dec 06)
- Re: Writable SNMP Christopher Morrow (Dec 06)
- Re: Writable SNMP Wes Hardaker (Dec 06)
- Re: Writable SNMP Christopher Morrow (Dec 06)
- Re: Writable SNMP Keegan Holley (Dec 07)