June 22, 2004
IPMI v2 Improves Server Manageability
A seemingly obscure technical announcement from the Intel Developer
Forum earlier this year is likely to have a significant impact on the
way servers are managed in the very near future. What's more, it could
also provide the spark needed to get some of your slow-moving customers
to finally upgrade their older systems. If that sounds surprising, then
you probably haven't been following IPMI very closely.
IPMI stands for the Intelligent Platform Management Interface, which
is a collection of tightly integrated hardware interfaces and network
protocols that cumulatively provide a variety of network-enabled system-management
hooks. As long as the target system's IPMI network interface is operational,
an administrator can connect to the management interface across a network,
redirect the server's console to a local management station, collect
sampling data and reboot the server, even if there is no operating system
loaded on the target server.
Although some of this functionality was previously available as vendor-specific
extensions, it has since been incorporated into the v2 specification
of IPMI as a central element, allowing for much better interoperability
across vendor lines. In addition, IPMI v2 adds several new security
controls, making remote management across public networks much more viable.
"IPMI support should be a checklist requirement for IT managers when
evaluating server infrastructure," maintains a recent Aberdeen Group
white paper. VARs should translate that directly into an expectation
for customer demand. Furthermore, organizations that are eager to take
advantage of the increased productivity returns available from the improved
remote-management features may also be eager to upgrade some of their
older systems.
According to Intel, more than 160 vendors have announced their intention
to offer compliant systems. The list of participating vendors includes
Intel, Dell, Hewlett-Packard and NEC (all of whom are sponsors of the
specification), dozens of other PC and component vendors, as well as
non-PC vendors such as Sun Microsystems and LANDesk. The list even includes
some companies that are looking to expand IPMI's reach into secondary
systems, such as SAN cabinets and infrastructure devices. The first generation
of IPMI v2 products was expected to arrive last month, and it appears
likely that the market for offerings will continue expanding for quite
some time.
Focus On Hardware
IPMI is somewhat different from most other monitoring and management
services in that it provides an inside view of the host hardware, rather
than a layered view of a complete system. For example, management services,
such as the Simple Network Management Protocol (SNMP), usually provide
information like the number of requests a particular application has
processed in a given period of time. IPMI is geared more toward monitoring
the historical temperature and voltage fluctuations of the system CPUs,
revolutions-per-minute of the on-board cooling fans and other hardware-level
data that is not typically provided over other channels.
At the heart of the IPMI model is an on-board management card called
the Baseboard Management Controller (BMC), which runs independently from
the other system components but monitors and interacts with those components
via in-band and out-of-band connections. In this arrangement, a BMC can
monitor the system hardware, report on the status of those components
and even affect the operation of some devices if needed (such as manually
deactivating a fan).
All of this can be done via local management software, but it can also
be done from a remote-management station by way of the IPMI management
protocol, which is part and parcel of the core specification. If the
BMC and its network interface are operational, a remote-management station
can connect to the BMC over the network, pull down historical logging
data, reconfigure the system BIOS, reboot the computer and monitor the
new configuration using off-the-shelf management software from any compliant
vendor.
Security Enhancements
The first version of IPMI was published in 1998, but provided only
a limited amount of management data and service over a local serial port.
Then came IPMI v1.5, which allowed management data to be published over
a local Ethernet connection. However, it did not provide much in the
way of security, limiting its potential usefulness to relatively secure
networks. The IPMI v2 specification mainly looks to address these concerns,
but also adds several new features and functions that address overall
consistency.
The principal security features in IPMI v2 are authentication and encryption
controls that work at the session layer. However, the spec also details
consistent support for VLAN-based tagging, a "firmware firewall" mechanism
and role-based logins, all of which allow different kinds of management
data and tasks to be restricted to specific networks and users. When
these features are combined with the improved access controls, it becomes
possible to perform such tasks as publishing read-only data to specific
agents on a public network, while limiting remote management to administrators
on a private management network. These capabilities also allow for scenarios
where one blade server in a rack has a management network and user base
that are entirely separate from those of the other blades in that same rack.
Layered Applications
The IPMI management protocol has also been enhanced in this latest
specification with the capability to carry multiple types of enhanced "payload" data.
In this model, vendor extensions to IPMI can be clearly tagged and identified
as a specific type of data, thereby allowing the security controls to
be applied to future types of management information.
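The payload tagging and session-layer flags described above can be read straight off the wire. The following is an added example, not code from the article or from any vendor: it parses the RMCP+ session header as laid out in the IPMI v2.0 specification (a detail the article does not cover) and reports in-session traffic sent without integrity or confidentiality. The function names, the findings wording and the sample datagrams are constructed for illustration.

```python
import struct

# Payload type numbers carried in bits 5:0 of the IPMI v2.0 payload-type byte.
PAYLOAD_TYPES = {0x00: "IPMI message", 0x01: "Serial over LAN", 0x02: "OEM explicit",
                 0x10: "Open Session Request", 0x11: "Open Session Response",
                 0x12: "RAKP 1", 0x13: "RAKP 2", 0x14: "RAKP 3", 0x15: "RAKP 4"}

def parse_rmcp_plus(datagram: bytes) -> dict:
    """Parse the RMCP header and IPMI v2.0 session header of one UDP payload."""
    if len(datagram) < 16:
        raise ValueError("too short for an RMCP+ session header")
    if datagram[0] != 0x06 or (datagram[3] & 0x1F) != 0x07:
        raise ValueError("not RMCP version 1.0, message class IPMI")
    if datagram[4] != 0x06:  # auth type/format 6 selects the v2.0 header layout
        raise ValueError("not an IPMI v2.0 session header")
    tag, offset = datagram[5], 6
    ptype = tag & 0x3F
    info = {"encrypted": bool(tag & 0x80), "authenticated": bool(tag & 0x40),
            "payload_type": ptype, "oem_iana": None, "oem_payload_id": None}
    if ptype == 0x02:  # OEM explicit: vendor IANA number and vendor payload ID follow
        if len(datagram) < 22:
            raise ValueError("truncated OEM explicit header")
        iana, info["oem_payload_id"] = struct.unpack_from("<IH", datagram, offset)
        info["oem_iana"] = iana & 0xFFFFFF  # fourth byte is reserved
        offset += 6
    session_id, seq, length = struct.unpack_from("<IIH", datagram, offset)
    payload = datagram[offset + 10: offset + 10 + length]  # any trailer is ignored
    if len(payload) != length:
        raise ValueError("payload length field exceeds datagram")
    name = f"OEM{ptype - 0x20}" if 0x20 <= ptype <= 0x27 else PAYLOAD_TYPES.get(ptype, "reserved")
    info.update(name=name, session_id=session_id, sequence=seq, payload=payload)
    return info

def findings(info: dict) -> list:
    """Flag in-session traffic that lacks the v2 session-layer protections."""
    out = []
    if info["session_id"] != 0:  # session ID 0 is used before a session exists
        if not info["authenticated"]:
            out.append("in-session payload without integrity protection")
        if not info["encrypted"]:
            out.append("in-session payload without confidentiality")
    return out

# Constructed datagrams (not captures): session setup, protected, OEM cleartext.
RMCP = bytes([0x06, 0x00, 0xFF, 0x07])
SETUP = RMCP + bytes([0x06, 0x10]) + struct.pack("<IIH", 0, 0, 4) + b"\x00" * 4
PROTECTED = RMCP + bytes([0x06, 0xC0]) + struct.pack("<IIH", 0x11223344, 5, 16) + b"\xAA" * 16
OEM = RMCP + bytes([0x06, 0x42]) + struct.pack("<IH", 12345, 1) + struct.pack("<IIH", 0x11223344, 6, 3) + b"abc"
```

Because the encrypted and authenticated bits sit beside the payload type in the same byte, the same check covers standard and vendor-defined payloads alike.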
IPMI v2, however, does not solve every management demand. Tasks such
as redirecting GUI screens across a network or reading application data
with SNMP still require additional technology. In this regard, IPMI should
mostly be considered as complementary to other management technologies,
rather than as a replacement.
Still, IPMI is also potentially useful for other kinds of tasks besides
systems management. For example, at least one vendor is promoting the
use of IPMI for monitoring the performance of cluster nodes for the purpose
of load-balancing. Since IPMI is hardware-based and independent of the
operating system, such a capability would theoretically allow for the
creation of mixed-platform clusters, with a load-balancer being able
to direct traffic to the least-stressed node via existing interfaces.
Written by Eric A. Hall.
Copyright © 2004 CMP Media, Inc. Used with permission.