Hi David, Nelson,

David wrote:

> Let's assume, for the sake of discussion, that SNMP must always work
> across Firewalls and NATs. The original objection to the proposed
> charter was that it did not include support for "Call Home"
> functionality.

First, let's be clear that nobody is suggesting that all connections should be turned, but that sufficient flexibility must be available to maneuver through firewalls and NATs. But let me take this opportunity to state more clearly why the functionality needs to work *both* ways.

A basic tenet of scalable fault management is something known as trap-based polling. That is, don't poll excessively (only a periodic single heartbeat query) until some event happens, and then query as much as necessary to determine more information. So for instance, every five minutes or so a query is made of the device and sysUpTime. But then at some point an RMON event is triggered indicating that a particular ifOperStatus has changed to down. At that point the management station might query for additional error counts off of the IF-MIB, perhaps a SONET or ETHERLIKE MIB, and perhaps other related functions, the idea being to isolate the problem (and this probably is not limited to a single device).

The problem is this: if a non-participating firewall or a NAT is in place anywhere between the management station and the device, the management station will either receive the trap but be unable to query, or only be able to query and NOT receive the trap. The reason CH fixes this problem is that, one way or another, prior to a failure one can be assured that the management station and agent are able to communicate, because the connection direction is the same for both functions.

> I can see how Call Home would solve the NAT problem, at least on a
> sporadic basis. The managed entity could initiate an "outgoing" NAT
> session to the management station, and the management station could use
> that connection as needed. I don't see how this allows the management
> station to later initiate an "incoming" connection to the NAT'ed managed
> entity. Nor do I see how it would enable firewalls to safely pass
> through only the desired SNMP traffic.

So, as described above, a management station would not initiate an incoming connection to a managed entity but the other way around. As to your other question, this solution addresses the case where the firewall is not capable of such functions. This is the case for most commercial firewalls today.

> Clarification would be helpful. Thanks.

HTH,

Eliot
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
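Added example, not part of Eliot's message or of anything else in the thread: a small Python model of the trap-based polling pattern described above, showing why its two flows (manager polling UDP/161, agent trapping to UDP/162) fail independently behind a NAT, followed by a toy manager/agent exchange in which the agent initiates the connection (call home) and the heartbeat poll, the linkDown notification and the follow-up isolation queries all travel over that one session. The `StatefulGateway` class, the line-delimited JSON framing, the `get`/`response`/`notify`/`close` operations and the fault injected on interface 2 are all constructed for illustration and are not real SNMP; only the object names (sysUpTime, ifOperStatus, ifInErrors, ifOutErrors) are the standard MIB-II / IF-MIB names.

```python
"""Trap-based polling behind a NAT, classic versus call-home (constructed
example).  The gateway model and the JSON framing are stand-ins, not SNMP."""
import json
import socket
import threading


class StatefulGateway:
    """Minimal NAT / stateful-firewall model: a packet from outside crosses only
    if it belongs to a flow the inside host already opened."""

    def __init__(self, inside):
        self.inside = inside
        self.flows = set()

    def pass_packet(self, sender, flow):
        if sender == self.inside:
            self.flows.add(flow)  # inside-initiated: create/refresh the flow
            return True
        return flow in self.flows  # unsolicited inbound is dropped


def classic_snmp_through_nat():
    """Manager polls UDP/161, agent traps to UDP/162: two distinct flows,
    and the NAT in front of the agent only ever lets the outbound one through."""
    gw = StatefulGateway(inside="agent")
    query_ok = gw.pass_packet("manager", ("manager", "agent", "udp/161"))
    trap_ok = gw.pass_packet("agent", ("agent", "manager", "udp/162"))
    return {"query_ok": query_ok, "trap_ok": trap_ok}


def call_home_through_nat():
    """One agent-initiated flow carries both the traps and the manager's queries."""
    gw = StatefulGateway(inside="agent")
    flow = ("agent", "manager", "tcp/callhome")
    gw.pass_packet("agent", flow)  # agent opens the session outbound
    query_ok = gw.pass_packet("manager", flow)
    trap_ok = gw.pass_packet("agent", flow)
    return {"query_ok": query_ok, "trap_ok": trap_ok}


def send_msg(sock, msg):
    sock.sendall((json.dumps(msg) + "\n").encode())


def agent(manager_addr):
    """Agent: calls home, answers GETs, and raises linkDown after the first poll."""
    mib = {"sysUpTime.0": 123456, "ifOperStatus.2": 1,  # up(1); constructed values
           "ifInErrors.2": 0, "ifOutErrors.2": 0}
    with socket.create_connection(manager_addr) as s, s.makefile("r") as rd:
        polls = 0
        for line in rd:
            req = json.loads(line)
            if req["op"] == "close":
                return
            send_msg(s, {"op": "response",
                         "values": {oid: mib[oid] for oid in req["oids"]}})
            polls += 1
            if polls == 1:  # constructed fault: interface 2 goes down(2)
                mib.update({"ifOperStatus.2": 2, "ifInErrors.2": 17})
                send_msg(s, {"op": "notify", "trap": "linkDown", "ifIndex": 2})


def run_call_home_session():
    """Manager side: accept the agent's call, heartbeat, wait for the event,
    then isolate.  Returns what the manager observed."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    t = threading.Thread(target=agent, args=(srv.getsockname(),), daemon=True)
    t.start()
    conn, _ = srv.accept()  # the agent came to us; its NAT saw only outbound
    log = {}
    with conn, conn.makefile("r") as rd:
        def recv():
            return json.loads(rd.readline())
        send_msg(conn, {"op": "get", "oids": ["sysUpTime.0"]})  # heartbeat
        log["heartbeat"] = recv()["values"]["sysUpTime.0"]
        event = recv()  # no further polling until the agent reports an event
        log["trap"] = event["trap"]
        idx = event["ifIndex"]
        send_msg(conn, {"op": "get", "oids": [f"ifOperStatus.{idx}",
                                               f"ifInErrors.{idx}",
                                               f"ifOutErrors.{idx}"]})
        log["isolation"] = recv()["values"]
        send_msg(conn, {"op": "close"})
    t.join(timeout=2)
    srv.close()
    return log


if __name__ == "__main__":
    print(classic_snmp_through_nat(), call_home_through_nat())
    print(run_call_home_session())
```

The gateway model is what the message calls a "non-participating" firewall or NAT: it tracks flows by who opened them and knows nothing about SNMP, so the classic pattern loses exactly one of its two directions depending on which side the gateway sits on. With call home, the manager's side still has to admit the inbound connection to its listening port, but that is a single static rule rather than a per-device one, and anything that can reach that port can claim to be a device, so in a real deployment the call-home session must authenticate the agent before its notifications are believed.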