Network Management, Chapter 3: SNMP and MIB
COMP 4690, by Dr Xiaowen Chu, HKBU

Outline
- SNMPv1: Simple Network Management Protocol
- SMI: Structure of Management Information
- MIB: Management Information Base
- SNMPv3

SNMPv1 Packet
- An SNMPv1 packet has the form:
  - Version: the version of SNMP
    - SNMPv1 is "0" in the version field
  - Community name: like a password
    - The agent can control who can access what
    - Sent as plaintext, so not secure
    - Improved by SNMPv3

SNMPv1 PDU
- SNMP has different types of packets, each with a different format.
- The PDU for Get-Request, Get-Next-Request and Set-Request has the fields:
  - Request ID: an integer, like a sequence number
  - Error status: the error reported in a Get-Response
  - Error index: an integer which identifies the first variable in the VarBindList that caused the error

SNMPv1 PDU
- Error status
  - 0 = noError
  - 1 = tooBig (PDU has too many bytes)
  - 2 = noSuchName (no object with the requested name)
  - 3 = badValue (invalid value for the PDU type)
  - 4 = readOnly (incorrect implementation of SNMP)
  - 5 = genErr (any other error)

SNMPv1 PDU
- VarBindList: a list of (Variable ID, Variable Value) pairs
  - Variable ID: Object Identifier of the variable, defined in the SMI specification
  - Variable Value: the actual value, which could be an integer, IP address, etc.

SNMP Commands
- SNMPv1 commands (numbered 0 through 4)
  - Get-Request: request value(s) from the agent MIB
  - Get-Next-Request: request the next MIB element (based on object identifier) in lexicographic order
    - Can use this to "walk" the MIB tree
  - Get-Response: response from the agent
  - Set-Request: write a value in the agent's MIB
  - Trap: unsolicited message from the agent, to inform the managing entity of exceptional events
- SNMPv2 has two more commands:
  - Get-Bulk-Request: get values in a large block of data
  - Inform-Request: used by a managing entity to notify another managing entity of MIB information

SNMP Trap
- The Trap PDU is of the form:
  - Enterprise: Object Identifier for the device that created the trap message
  - Agent address: IP address of the device
  - Generic trap number: 7 categories
  - Specific trap number: code number
  - Time stamp: time since the device initialized
  - VarBindList: same as defined previously

SMI & MIB
- The agent needs to find the "Variable Value" based on the "Variable ID".
- It's better to define a data structure.
- Object Identifier mapped to a value stored on a subsystem
  - E.g., a NIC is a subsystem; its MAC address could be the desired value

SMI & MIB
- Each object in the MIB has a name
- Each object has a type
  - For example, "integer"
  - Types can be
    - Simple: a single value
    - Constructed: multiple objects of simple type
- Groups of related objects are also defined
- SMI: Structure of Management Information
  - RFC 1155
  - The language used to define MIBs

SMI
- The SMI specification uses a subset of Abstract Syntax Notation One (ASN.1)
  - Formal specification of MIB objects
- ASN.1 is used to specify
  - Name of the object
  - Type of the object
  - Read, read-write, or not accessible
  - Brief description of the object

Data types of SMI (RFC 2578)
- INTEGER
- Integer32
- Unsigned32
- OCTET STRING
- IpAddress
- Counter32
- Counter64
- Etc.

Higher-Level Constructs
- OBJECT-TYPE
  - Specifies the data type, status, and semantics of a managed object
  - Four clauses
    - SYNTAX: specifies the basic data type
    - MAX-ACCESS: whether the object can be read & written, created, etc.
    - STATUS: valid, obsolete, or deprecated
    - DESCRIPTION: human-readable textual definition

Higher-Level Constructs
- MODULE-IDENTITY
  - Allows related objects to be grouped together within a "module"
  - E.g., RFC 2012 defines the MIB module for TCP, RFC 2013 defines the MIB module for UDP, RFC 2021 defines the MIB module for RMON

MIB: Management Information Base
- A virtual information store, holding managed objects whose values collectively reflect the current "state" of the network.
- The values may be queried and/or set by a managing entity through SNMP messages.
- Managed objects are specified using the OBJECT-TYPE SMI construct, and gathered into MIB modules using the MODULE-IDENTITY construct.

Object Identifier Tree
- 0 is the root
- Example: the Object ID of tcp is 1.3.6.1.2.1.6

Object Identifier Tree
- MIB objects are identified as on the previous slide
- The tree can be arbitrarily deep
- MIB-2 was defined with 10 groups
  - System, interfaces, address translation, IP, ICMP, TCP, UDP, EGP, transmission, SNMP
  - 13 more groups (extensions) were added later
- A group can contain many objects, and these objects can be of "constructed" type

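The Get-Next-Request command from the SNMP Commands slide and the OID tree fit together as follows; this is an added example, not from the lecture notes, with a constructed MIB of a few MIB-2 instances under system (1), tcp (6) and udp (7), showing the agent's lexicographic "next" and the manager's walk of the tcp group (1.3.6.1.2.1.6):

```python
# Added example (not from the lecture notes): an agent answering Get-Next-Request by
# lexicographic order on the OID tree, and a manager using it to "walk" a subtree.
# The MIB is a constructed subset of MIB-2 instances under system (1), tcp (6) and udp (7).
MIB = {
    "1.3.6.1.2.1.1.1.0": "Linux router",                # sysDescr.0
    "1.3.6.1.2.1.1.3.0": 123456,                        # sysUpTime.0
    "1.3.6.1.2.1.6.9.0": 2,                             # tcpCurrEstab.0
    "1.3.6.1.2.1.6.13.1.1.10.0.0.1.22.0.0.0.0.0": 2,    # tcpConnState, row indexed by addresses and ports
    "1.3.6.1.2.1.6.13.1.1.10.0.0.1.80.0.0.0.0.0": 2,
    "1.3.6.1.2.1.7.1.0": 99,                            # udpInDatagrams.0
}

def arcs(oid):
    """Compare OIDs arc by arc as integers: ...6.9 precedes ...6.13, unlike plain string order."""
    return tuple(int(a) for a in oid.split("."))

def get_next(mib, oid):
    """Agent side: the first instance whose OID is lexicographically greater than `oid`.
    The request OID need not exist, so a walk can start at a group node such as 1.3.6.1.2.1.6.
    Returns None past the end of the MIB view (an SNMPv1 agent would answer noSuchName)."""
    later = [k for k in mib if arcs(k) > arcs(oid)]
    return min(later, key=arcs) if later else None

def walk(mib, subtree):
    """Manager side: repeat Get-Next from the subtree OID until the answer leaves the subtree."""
    prefix, current, rows = arcs(subtree), subtree, []
    while True:
        current = get_next(mib, current)
        if current is None or arcs(current)[:len(prefix)] != prefix:
            return rows
        rows.append((current, mib[current]))

if __name__ == "__main__":
    for oid, value in walk(MIB, "1.3.6.1.2.1.6"):      # walk the tcp group
        print(oid, "=", value)
```

The walk must use the agent's numeric ordering, not string ordering, or the tcpConnTable rows (arc 13) would appear before tcpCurrEstab (arc 9) and a manager could mis-handle the end of a table.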
Proprietary MIBs and RMON
- If there are not enough groups in MIB-2…
  - …one can create a proprietary MIB
- Proprietary MIBs are listed under enterprise
  - Enterprise is a sub-node of private (4)
- RMON
  - Remote Monitoring Standard
  - An extension of MIB-2
  - Deals with traffic on a network segment

Security
- We mentioned previously the SNMP method of authentication
  - A community name acts like a password
  - More than one management station may have access
- Authorization is also a concern
  - Assuming that you have access…
  - …then what are you allowed to do?

Security
- SNMP security features
  - SNMP community profile
    - Access mode: specifies the type of access
    - MIB view: specifies which objects may be accessed

SNMPv3
- SNMPv3 can be thought of as SNMPv2 with additional security and administration capabilities.
- SNMP applications
  - Command generator: generates GetRequest, GetNextRequest, SetRequest, etc.
  - Notification generator: generates Traps
  - Proxy forwarder: forwards requests, notifications, and responses

SNMPv3
- A PDU sent by an SNMP application next passes through the SNMP Engine.
- A security module is provided by SNMPv3
  - User-based security: RFC 3414
    - Encryption
    - Authentication
    - Protection against playback (replay) attacks: RFC 3414
  - Access control: RFC 3415

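The user-based security model of RFC 3414 replaces the plaintext community name with a per-agent key and a message authentication code; the following is an added example, not from the lecture notes, of its password-to-key, key localization, HMAC-96 and timeliness steps. It uses the password and snmpEngineID from the RFC 3414 appendix and a constructed toy message whose 12-octet authentication field sits at a fixed offset (real messages are BER-encoded).

```python
# Added example (not from the lecture notes): the RFC 3414 USM steps that replace the
# plaintext community string: password-to-key, localization to the agent's snmpEngineID,
# HMAC-96 authentication, and the timeliness window used against replayed messages.
import hashlib
import hmac

def password_to_key(password: bytes, algo: str = "sha1") -> bytes:
    """Ku: digest of a 1 MiB stream made by repeating the password (RFC 3414 A.2)."""
    stream = (password * (1048576 // len(password) + 1))[:1048576]
    return hashlib.new(algo, stream).digest()

def localize_key(ku: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): one password yields a distinct key per agent."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def sign(kul: bytes, msg: bytes, offset: int, algo: str = "sha1") -> bytes:
    """HMAC-96: msgAuthenticationParameters (12 octets at offset) is zeroed, the HMAC is
    computed over the whole message, and its first 12 octets are written back in place."""
    zeroed = msg[:offset] + bytes(12) + msg[offset + 12:]
    mac = hmac.new(kul, zeroed, algo).digest()[:12]
    return zeroed[:offset] + mac + zeroed[offset + 12:]

def verify(kul: bytes, msg: bytes, offset: int, algo: str = "sha1") -> bool:
    """Receiver side: re-derive the MAC over the zeroed message and compare in constant time."""
    received = msg[offset:offset + 12]
    expected = sign(kul, msg, offset, algo)[offset:offset + 12]
    return hmac.compare_digest(received, expected)

def timely(msg_boots: int, msg_time: int, local_boots: int, local_time: int) -> bool:
    """RFC 3414 section 3.2: accept only if snmpEngineBoots matches and the engine time is
    within 150 seconds; a replayed message eventually falls outside this window."""
    return msg_boots == local_boots and abs(msg_time - local_time) <= 150

# Constructed values: the RFC 3414 appendix password and engineID, and a toy message whose
# 12-octet authentication field sits at OFFSET (a real message is BER-encoded).
ENGINE_ID = bytes.fromhex("000000000000000000000002")
KUL = localize_key(password_to_key(b"maplesyrup"), ENGINE_ID)
OFFSET = 8
MESSAGE = b"hdr+usm:" + bytes(12) + b"scopedPDU(get sysUpTime.0)"

if __name__ == "__main__":
    signed = sign(KUL, MESSAGE, OFFSET)
    tampered = signed[:-1] + b"!"
    print(KUL.hex(), verify(KUL, signed, OFFSET), verify(KUL, tampered, OFFSET))
```

Only a party holding the localized key for this engineID can produce a valid field, so a message captured on the wire reveals neither a reusable password nor, thanks to the timeliness check, a PDU that can be replayed later.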