
8.IoT System Management - SNMP - NETCONF

The document outlines IoT System Management, emphasizing the need for effective management due to the complexity of IoT systems comprising various components. It discusses protocols such as SNMP and NETCONF, highlighting their functionalities and limitations, particularly in configuration management. The document also introduces YANG as a data modeling language and details the steps for managing IoT devices using NETCONF and YANG.


M. Jeya Pandian
Assistant Professor,
Department of Computer Science and Engineering,
Srinivasa Ramanujan Centre, SASTRA Deemed University, Kumbakonam

M. Jeya Pandian Unit - 2 IoT System Management


IoT System Management

• Need for IoT System Management

• SNMP

• Network Operator Requirements

• NETCONF

• YANG

• IoT System Management with NETCONF-YANG



Need for IoT Systems Management
IoT System
• IoT systems can have complex software, hardware and deployment designs including
• Sensors
• Actuators
• Software
• Network resources
• Data collections
• Analytical component
• User Interface
• IoT System has distributed deployments consisting of a number of IoT devices
• Devices collect data from sensors and perform actuation



Need for IoT Systems Management

1. Automating Configuration

2. Monitoring Operational & Statistical Data

3. Improved Reliability

4. System Wide Configurations

5. Multiple System Configurations

6. Retrieving & Reusing Configurations



SNMP – Simple Network Management Protocol
• Well-known and widely used network protocol that allows monitoring and configuring network devices
• Routers and Switches
• Servers and Printers
• Firewalls, Load balancers, CCTV cameras, and Wireless devices
• SNMP components include
• Network Management Station (NMS)
• Managed Device
• SNMP Agent that runs on the device
• Management Information Base (MIB)



SNMP – Architecture



Limitations of SNMP

• SNMP is stateless in nature

• Each SNMP request contains all the information to process the request

• Application needs to be intelligent to manage the device

• SNMP is a connectionless protocol which uses UDP as the transport protocol, making it unreliable as there is no support for acknowledgement of requests

• MIBs often lack writable objects, without which device configuration is not possible using SNMP



Limitations of SNMP

• An SNMP vulnerability is a weakness in the handling of Simple Network Management Protocol (SNMP) requests that attackers can exploit to gain unauthorized access to network devices, steal sensitive data, or launch denial-of-service (DoS) attacks.
• It is difficult to differentiate between configuration and state data in MIBs
• Retrieving the current configuration from a device can be difficult with SNMP
• Earlier versions of SNMP did not have strong security features
• It is too simple and does not scale well.
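
An added example (not part of the original slides) of checking an agent configuration for the weak-security points listed above: it flags SNMPv1/v2c community strings and SNMPv3 users that run without encryption. The net-snmp `snmpd.conf` directive syntax and the sample file are assumptions, since the slides name no specific agent.

```python
# Constructed sample configuration in net-snmp snmpd.conf syntax (assumed agent).
SAMPLE_SNMPD_CONF = """\
# legacy v1/v2c access
rocommunity public
rwcommunity fleet-write 10.0.0.0/24
rocommunity s3nsor-ro-7f2a 10.0.5.10
# SNMPv3 (USM) users
rouser monitor auth
rwuser provisioner priv
"""

DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_DIRECTIVES = {"rocommunity": False, "rwcommunity": True}  # value: writable?
USER_DIRECTIVES = {"rouser", "rwuser"}


def audit_snmpd_conf(text):
    """Return findings as (line_number, severity, message) tuples."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) < 2:
            continue
        directive, args = fields[0], fields[1:]
        if directive in COMMUNITY_DIRECTIVES:
            # v1/v2c: the community string is the only credential and is sent in cleartext
            community, restricted = args[0], len(args) > 1
            if community in DEFAULT_COMMUNITIES:
                findings.append((number, "high", "default community string"))
            elif COMMUNITY_DIRECTIVES[directive]:
                findings.append((number, "high", "write access over SNMPv1/v2c"))
            elif not restricted:
                findings.append((number, "high", "community not limited to a source"))
            else:
                findings.append((number, "medium", "cleartext v1/v2c community"))
        elif directive in USER_DIRECTIVES:
            # net-snmp treats a missing level as "auth": authenticated, not encrypted
            level = args[1] if len(args) > 1 else "auth"
            if level != "priv":
                findings.append(
                    (number, "medium", f"SNMPv3 user without privacy ({level})"))
    return findings
```

The `-s SECMODEL` form of `rouser`/`rwuser` is not handled by this sketch.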



Network Operator Requirements
• Need to address the limitations of the existing network
• Need to plan the future work on network management
• Workshop on network management held in 2002
• Internet Architecture Board (IAB)
• Internet Engineering Task Force (IETF)
• Network operators
• Protocol developers



Network Operator Requirements
Overview of operator requirements
• Ease of use
• key requirement for any network technology
• Distinction between configuration and state data
• Configuration data
• Set of writable data that is required to transform system from its initial state to its current state
• State data
• Operational data which is collected by system runtime
• System performance
• Fetch configuration and state data separately
• Fetch the data separately from the managed device



Network Operator Requirements
• Configuration of the network as a whole
• Configure the network as whole rather than individual devices
• Use case: Configure multiple devices within one network
• Configuration transactions across devices
• Configuration transactions across devices should be supported
• Configuration deltas
• Generate the operations necessary for going from one configuration state to another
• Devices should support configuration details with minimum state changes
• Dump and restore configurations
• Configuration validation



Network Operator Requirements
• Configuration database schemas
• Standardized configuration database schemas or data models
• Comparing configurations
• Use text processing tool such as diff to compare configurations
• Role-based access control
• User is given the minimum access necessary to perform a required task
• Consistency of access control lists
• Multiple configuration sets
• Support for both data-oriented and task oriented access control
• SNMP
• CLI



Network Configuration Protocol (NETCONF)
&
YANG



NETCONF
• Network Configuration Protocol (NETCONF)
• Session based network management protocol
• Allows retrieving state or configuration data and manipulating configuration data on network devices



NETCONF
• Defines one or more configurations
• Configuration store contains all the configuration information needed to bring the device from its initial state to operational state
• <running> configuration
• <startup> and <candidate>
• Connection oriented protocol
• Protocol operations
• For authentication, data integrity and confidentiality, NETCONF depends on the transport protocol
• SSH
• TLS
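
An added example, not from the original slides, of the session exchange described above: it builds framed `<get-config>` and `<get>` requests against the named datastores and matches a reply to its request by `message-id`. The `urn:example:sensor` namespace and both replies are constructed; `]]>]]>` is the base:1.0 end-of-message marker used when NETCONF runs over SSH.

```python
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:netconf:base:1.0"  # NETCONF base namespace (RFC 6241)
EOM = "]]>]]>"  # end-of-message marker of the base:1.0 framing (RFC 6242)
DATASTORES = ("running", "startup", "candidate")


def build_rpc(message_id, operation, source=None):
    """Build a framed <get> (config + state) or <get-config> (config only) request."""
    rpc = ET.Element(f"{{{NS}}}rpc", {"message-id": str(message_id)})
    op = ET.SubElement(rpc, f"{{{NS}}}{operation}")
    if operation == "get-config":
        if source not in DATASTORES:
            raise ValueError(f"unknown datastore: {source!r}")
        ET.SubElement(ET.SubElement(op, f"{{{NS}}}source"), f"{{{NS}}}{source}")
    elif operation != "get":
        raise ValueError(f"unsupported operation: {operation!r}")
    return ET.tostring(rpc, encoding="unicode") + EOM


def parse_reply(framed, expected_id):
    """Return (data element or None, list of error-tags) for one framed reply."""
    if not framed.endswith(EOM):
        raise ValueError("incomplete message: end-of-message marker missing")
    reply = ET.fromstring(framed[: -len(EOM)])
    if reply.tag != f"{{{NS}}}rpc-reply":
        raise ValueError("not an rpc-reply")
    if reply.get("message-id") != str(expected_id):
        raise ValueError("reply does not match the outstanding request")
    errors = [e.findtext(f"{{{NS}}}error-tag")
              for e in reply.iter(f"{{{NS}}}rpc-error")]
    return reply.find(f"{{{NS}}}data"), errors


# Constructed replies from a hypothetical sensor node (namespace urn:example:sensor).
CONFIG_REPLY = (
    f'<rpc-reply message-id="101" xmlns="{NS}"><data>'
    '<sensor xmlns="urn:example:sensor"><sample-interval>30</sample-interval></sensor>'
    f"</data></rpc-reply>{EOM}"
)
DENIED_REPLY = (
    f'<rpc-reply message-id="102" xmlns="{NS}"><rpc-error>'
    "<error-type>protocol</error-type><error-tag>access-denied</error-tag>"
    f"<error-severity>error</error-severity></rpc-error></rpc-reply>{EOM}"
)
```

The framing carries no protection of its own; authentication, integrity and confidentiality come from the SSH or TLS session the messages travel in.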



SNMP vs NETCONF
• SNMP cannot distinguish between configuration data and operational data, whereas NETCONF can.
• SNMP can collect device status but cannot make configuration changes, whereas NETCONF can make configuration changes.
• SNMP uses JSON to encode data, whereas NETCONF uses XML.



YANG
• Data modeling language
• Model configuration and state data manipulated by the NETCONF
• YANG modules
• Definitions of configuration data
• State data
• RPC calls
• Defines the data exchanged between the NETCONF client and server
• Tree structure
• Import definition from other modules
• YANG defines four types of nodes



YANG RPC methods



YANG node types



Visual Representation of the Toaster YANG Module



IoT System Management with NETCONF-YANG



YANG Components
• Management System
• Operator uses management system to send NETCONF messages to configure the IoT device, and receives state information and notifications from the device as NETCONF messages
• Management API
• Allows applications to start NETCONF sessions, read and write configuration data, read state data, retrieve configurations and invoke RPCs
• Transaction Manager
• Executes all the NETCONF transactions and ensures the ACID properties
• Atomicity, Consistency, Isolation, Durability



YANG Components

• Atomicity – Ensures that a transaction is executed either completely or not at all

• Consistency – Ensures the transaction brings the device configuration from one valid state to another

• Isolation – Ensures that concurrent execution of transactions results in the same device configuration as if transactions were executed serially in order

• Durability – Ensures that a transaction once committed will persist



YANG Components
• Rollback Manager
• Responsible for generating all the transactions necessary to roll back a current configuration to its original state
• Data Model Manager
• Keeps track of all the YANG data models and the corresponding managed objects
• Keeps track of the applications which provide data for each part of a data model
• Configuration Validator
• Checks if the resulting configuration after applying a transaction would be a valid configuration
• Configuration Database
• Contains both the configuration and operational data



YANG Components
• Configuration API
• Applications on the IoT device can read configuration data from the configuration data store and write operational data to the operational data store
• Data Provider API
• Applications on the IoT device can register for callbacks for various events using the Data Provider API
• Applications can report statistics and operational data
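
An added toy model, not Libnetconf or Netopeer code, of how the Transaction Manager, Configuration Validator and Rollback Manager described above interact: edits go to a candidate copy, the validator gates the commit, and a rejected commit leaves the running configuration untouched. The dictionary layout and the validation rules are hypothetical.

```python
import copy


class ConfigStore:
    """Toy <running>/<candidate> pair with validation, atomic commit and rollback."""

    def __init__(self, running, validator):
        self.running = copy.deepcopy(running)
        self.candidate = copy.deepcopy(running)
        self.validator = validator  # plays the Configuration Validator
        self.history = []           # previous configurations, for the Rollback Manager

    def edit(self, path, value):
        """Change only the candidate; <running> stays as it is."""
        node = self.candidate
        for key in path[:-1]:
            node = node.setdefault(key, {})
        node[path[-1]] = value

    def commit(self):
        """Apply the whole candidate or nothing (atomicity and consistency)."""
        problems = self.validator(self.candidate)
        if problems:
            self.candidate = copy.deepcopy(self.running)  # discard the rejected edits
            return problems
        self.history.append(self.running)
        self.running = copy.deepcopy(self.candidate)
        return []

    def rollback(self):
        """Restore the configuration that was running before the last commit."""
        if not self.history:
            raise RuntimeError("nothing to roll back")
        self.running = self.history.pop()
        self.candidate = copy.deepcopy(self.running)


def validate_sensor(cfg):
    """Constructed rule set for a hypothetical sensor node."""
    problems = []
    if not 1 <= cfg["sensor"]["sample-interval"] <= 3600:
        problems.append("sample-interval out of range 1..3600")
    if cfg["mgmt"]["transport"] not in ("ssh", "tls"):
        problems.append("management transport must be ssh or tls")
    return problems
```

A transaction that mixes one valid edit with one invalid edit is rejected as a whole, so the device never runs a half-applied configuration.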



NETOPEER

• Open source NETCONF tools built on the Libnetconf library



NETOPEER
NETOPEER-server:
• NETCONF protocol server that runs on the managed device
• Provides an environment for configuring the device using NETCONF RPC operations and retrieving the state data from the device
NETOPEER-agent:
• NETCONF protocol agent running as an SSH/TLS subsystem
• Accepts incoming NETCONF connections and passes the NETCONF RPC operations received from the NETCONF client to the NETOPEER-server



NETOPEER
NETOPEER-cli:
• NETCONF client that provides a command line interface for interacting with the device running NETOPEER-server
• Operator can use the NETOPEER-cli from the gateway management system to send NETCONF RPC operations for configuring the device and retrieving the state information
NETOPEER-Manager:
• NETOPEER-manager allows managing the YANG and Libnetconf Transaction API (TransAPI) modules on the server
• With NETOPEER-manager, modules can be loaded or removed from the server
NETOPEER-Configurator:
• NETOPEER-configurator is a tool that can be used to configure the NETOPEER-server



Steps for IoT device management with NETCONF-YANG

1) Create a YANG model of the system that defines the configuration and state data of the system
2) Complete the YANG model with the 'lnctool' which comes with Libnetconf
• Libnetconf provides a framework called Transaction API (TransAPI)
• It provides a mechanism for reflecting the changes in the configuration file in the actual device
• 'lnctool' generates a TransAPI module
• Whenever a change is made in the configuration file using the NETCONF operations, the corresponding callback function is called
3) Fill in the IoT device management code in the TransAPI module
4) Build the callbacks C file to generate the library file (.so)



Steps for IoT device management with NETCONF-YANG

5) Load the YANG module and the TransAPI module into the NETOPEER server using the NETOPEER manager tool
6) Operator can now connect from the management system to the NETOPEER server using the NETOPEER cli
7) Operator can issue NETCONF commands from the NETCONF cli
• Commands can be issued to change the configuration data, get operational data or execute an RPC on the IoT device
