Simple Network Management Protocol (SNMP)
Sukiswo, sukiswok@yahoo.com
Manajemen Jaringan, Sukiswo ST, MT

Table of Contents
• SNMP Operations
• Protocol Specification
• Transport-Level Support
• Limitations of SNMPv1

SNMP Operations
• Operations supported in SNMP are the inspection and modification of variables
• GET operation – retrieves management information (values of scalar objects)
• SET operation – updates management information (values of scalar objects)
• TRAP operation – sends unsolicited scalar object values to notify of problems

SNMP Operations (cont'd)
• Not possible to change the structure of a MIB – cannot add or delete object instances
• No explicit action is supported
• Access is provided only to leaf objects in the MIB tree – not possible to access an entire table or a row of a table with a single atomic action
• These simplify the implementation of SNMP but limit the capability of the NMS

SNMP Security Concepts
• Authentication service – the agent may wish to limit access to the MIB to authorized managers
• Access policy – the agent may wish to give different access privileges to different managers
• Proxy service – the agent may act as a proxy to other managed devices – this may require an authentication service and access policy for the other managed devices behind the proxy
• SNMP provides only a primitive and limited security capability via the concept of community

SNMP Community
• is a relationship between an agent and a set of managers that defines authentication, access control and proxy characteristics
• a community is locally defined by the agent
  – each community is given a unique community name
  – an agent may establish a number of communities
  – the community name is needed for all get and set operations
  – the same community name may be used by different agents
• SNMP authentication service
  – every SNMP message from a manager includes a community name (used as a password) – very primitive
  – most agents only allow GET operations

SNMP Community (cont'd)
• SNMP Access Policy – an agent can provide different categories of MIB access using the following concepts: SNMP MIB View and SNMP Access Mode
• SNMP MIB View
  – a subset of objects within a MIB
  – different MIB views may be defined for each community
  – the set of objects in a view need not belong to a single subtree
• SNMP Access Mode
  – an access mode {READ-ONLY, READ-WRITE} is defined for each community
  – the access mode is applied uniformly to all objects in the MIB view
• SNMP Community Profile

MIB ACCESS Category vs. SNMP Access Mode

SNMP Administrative Concepts (diagram): SNMP access policy, SNMP community (community name), set of SNMP managers, SNMP agent, SNMP community profile, SNMP MIB view, SNMP access mode

Object Instance Identification
• SNMP defines two techniques for identifying a specific object instance
  – Serial access technique (via lexicographic ordering of objects)
  – Random access technique
• Random access technique
  – objects in MIB tables are referred to as columnar objects
  – the object identifier alone is not sufficient to identify the instance
  – SNMP convention
    ◦ concatenate the scalar object identifier with the values of the INDEX objects, listed in the order in which the INDEX objects are defined
    ◦ see the example in Table 7.2 on page 169

Lexicographical Ordering
• is used for accessing MIB objects serially
• given the tree structure of a MIB, the OID for a particular object may be derived by tracing a path from the root to the object
• lexicographical ordering is also referred to as:
  – preorder traversal (root, left, right) of a tree
  – depth-first search
• useful for examining MIBs whose structure is not known to the NMS

Lexicographical Ordering Example (tree diagram, traversed from Start at the root to End; the object identifiers shown in the tree, in lexicographic order, are 1, 1.2, 1.2.1, 2, 2.1, 2.1.1, 2.1.1.1, 2.1.1.2, 2.1.1.3)

Protocol Specification: SNMP Message Formats
• SNMP manager and agent exchange requests and management information using SNMP messages
• an SNMP message includes a version number (e.g., 0 for SNMPv1, 1 for SNMPv2), a community name and one of five types of protocol data units (PDUs)
• PDU types: GetRequest, GetNextRequest, SetRequest, GetResponse, Trap

SNMP Message Formats
(a) SNMP message: Version | Community | SNMP PDU
(b) GetRequest PDU, GetNextRequest PDU and SetRequest PDU: PDU type | request-id | 0 | 0 | variablebindings
(c) GetResponse PDU: PDU type | request-id | error-status | error-index | variablebindings
(d) Trap PDU: PDU type | enterprise | agent-addr | generic-trap | specific-trap | time-stamp | variablebindings
(e) variablebindings: name1 | value1 | name2 | value2 | ... | nameN | valueN

SNMP Message Fields

SNMP Message Fields (cont'd)

Transmission of an SNMP Message
1. The PDU is constructed using ASN.1
2. This PDU is passed to an authentication service together with the community name and the source and destination transport addresses – the authentication service performs any required transformations, such as encryption or the inclusion of an authentication code
3. The protocol entity then constructs a message consisting of a version field, the community name and the result from step 2
4. This new ASN.1 object is then encoded using BER and passed to the transport service

Receipt of an SNMP Message
1. The SNMP entity performs a basic syntax check of the message and discards it if it fails to parse
2. It verifies the version number and discards the message if there is a mismatch
3. It then passes the community name, the PDU portion of the message and the source/destination transport addresses to an authentication service
  – if authentication fails, the message is discarded
  – if authentication succeeds, the authentication service returns a PDU in the form of an ASN.1 object
4. If the PDU passes a basic syntax check, the appropriate SNMP access policy is selected and the PDU is processed accordingly
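The transmission and receipt procedures above, as an added Python example that is not part of the slides: a minimal BER encoder for an SNMPv1 message in formats (a)/(b), and an agent-side receive() that applies the four receipt steps, with the community-name check as the authentication service and the community's READ-ONLY/READ-WRITE access mode as the access policy applied to SetRequest PDUs. The community table, the OIDs and the sample messages are constructed for the example; the BER tag values are the standard ones.

```python
# Added example: minimal BER encoding of an SNMPv1 message + the four receipt steps.
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_NEXT_REQUEST, SET_REQUEST = 0xA0, 0xA1, 0xA3
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA3: "SetRequest"}
COMMUNITIES = {"public": "READ-ONLY", "private": "READ-WRITE"}  # constructed agent policy
def tlv(tag, body):   # BER tag-length-value, short-form length (body < 128 bytes)
    assert len(body) < 128
    return bytes([tag, len(body)]) + body
def encode_int(n):    # small non-negative INTEGERs are all this example needs
    return tlv(INTEGER, bytes([n]))
def encode_oid(oid):  # dotted OID whose sub-identifiers are all < 128
    parts = [int(p) for p in oid.split(".")]
    return tlv(OID, bytes([40 * parts[0] + parts[1]] + parts[2:]))
def encode_message(version, community, pdu_type, request_id, oids):
    # Transmission steps 3-4: version + community + PDU, BER encoded;
    # request bindings carry NULL values (message format (b) above).
    bindings = b"".join(tlv(SEQUENCE, encode_oid(o) + tlv(NULL, b"")) for o in oids)
    pdu = tlv(pdu_type, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(SEQUENCE, bindings))
    return tlv(SEQUENCE, encode_int(version)
               + tlv(OCTET_STRING, community.encode()) + pdu)

def parse_tlv(data, pos=0):  # -> (tag, value, next_pos); ValueError if malformed
    if pos + 2 > len(data):
        raise ValueError("truncated header")
    tag, length = data[pos], data[pos + 1]
    if length >= 128 or pos + 2 + length > len(data):
        raise ValueError("bad length")
    return tag, data[pos + 2:pos + 2 + length], pos + 2 + length

def receive(message, communities=COMMUNITIES, expected_version=0):
    try:                                                   # 1. syntax check
        tag, body, end = parse_tlv(message)
        vtag, ver, p = parse_tlv(body)
        ctag, comm, p = parse_tlv(body, p)
        pdu_tag, pdu, p = parse_tlv(body, p)
        if (tag, vtag, ctag) != (SEQUENCE, INTEGER, OCTET_STRING) \
                or end != len(message) or p != len(body):
            raise ValueError("not an SNMP message")
    except ValueError as e:
        return "discard", f"syntax: {e}"
    if int.from_bytes(ver, "big") != expected_version:     # 2. version check
        return "discard", "version mismatch"
    mode = communities.get(comm.decode(errors="replace"))  # 3. authentication
    if mode is None:
        return "discard", "authentication failure"
    if pdu_tag == SET_REQUEST and mode != "READ-WRITE":    # 4. access policy
        return "reject", "read-only community"
    return "accept", PDU_NAMES.get(pdu_tag, "other")
```

A truncated datagram, a wrong version, an unknown community and a SetRequest under a READ-ONLY community each stop at a different step, which is the order an agent should check them in.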

SNMP PDU Sequences (diagram)
(a) Get values: Manager sends a GetRequest PDU to the Agent; the Agent returns a GetResponse PDU
(b) Get next values: Manager sends a GetNextRequest PDU to the Agent; the Agent returns a GetResponse PDU
(c) Set values: Manager sends a SetRequest PDU to the Agent; the Agent returns a GetResponse PDU
(d) Send trap: Agent sends a Trap PDU to the Manager

GetRequest PDU
• is issued by an SNMP manager on behalf of the NMS to retrieve information from an agent
• includes PDU type, request-id and variablebindings
• a GetResponse PDU containing the same request-id is used for the reply
• the operation is atomic (all values are returned or none is)
• possible error-status:
  – noSuchName: the object instance cannot be found or it is an aggregate type
  – tooBig: the size of the resulting values exceeds a local limitation
  – genErr: a value cannot be supplied for at least one of the objects for some other reason

GetNextRequest PDU
• is also issued by an SNMP manager on behalf of the NMS to retrieve information from an agent
• the PDU is the same as the GetRequest PDU except:
  – in the GetRequest PDU, each variable in the variablebindings list refers to an object instance whose value is to be returned
  – in the GetNextRequest PDU, for each variable in the variablebindings, the value of the object instance that is next in lexicographic order is returned
• allows the NMS to discover the structure of a MIB view dynamically
• provides an efficient mechanism for searching a table whose entries are unknown
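The lexicographic ordering and object instance identification slides above, together with the GetNextRequest behaviour on this slide, as one added Python example that is not from the slides: numeric OID ordering, the INDEX-based naming convention for columnar objects, and a GetNext walk that discovers a MIB view serially. The MIB view is constructed for the example (sysName plus three ifTable columns; the OIDs are the standard MIB-II ones, the values are made up).

```python
# Added example (not from the slides): lexicographic OID ordering, the
# instance-naming convention for columnar objects, and a GetNext walk.
def oid_key(oid):
    # Compare sub-identifiers numerically: ".10" sorts after ".2", unlike a
    # plain string comparison, which would put "10" before "2".
    return tuple(int(p) for p in oid.split("."))

def instance_oid(columnar_oid, *index_values):
    # Random access: columnar object OID + INDEX values in definition order
    return ".".join([columnar_oid] + [str(v) for v in index_values])

def get_next(view, oid):
    # Serial access: the instance that follows `oid` in lexicographic order
    # within the MIB view; None when exhausted (the agent answers noSuchName)
    following = [o for o in view if oid_key(o) > oid_key(oid)]
    if not following:
        return None
    nxt = min(following, key=oid_key)
    return nxt, view[nxt]

def walk(view, subtree):
    # Repeated GetNext from `subtree` until a reply falls outside it; this is
    # how an NMS discovers a MIB view whose structure it does not know.
    prefix, cur, found = oid_key(subtree), subtree, []
    while (res := get_next(view, cur)) and oid_key(res[0])[:len(prefix)] == prefix:
        found.append(res)
        cur = res[0]
    return found

# Constructed MIB view of one agent: sysName plus three columns of ifTable,
# whose INDEX is ifIndex. The OIDs are the standard MIB-II ones.
IF_ENTRY = "1.3.6.1.2.1.2.2.1"
VIEW = {
    "1.3.6.1.2.1.1.5.0": "router1",              # sysName.0 (scalar instance)
    instance_oid(IF_ENTRY + ".1", 1): 1,          # ifIndex.1
    instance_oid(IF_ENTRY + ".1", 2): 2,          # ifIndex.2
    instance_oid(IF_ENTRY + ".2", 1): "eth0",     # ifDescr.1
    instance_oid(IF_ENTRY + ".2", 2): "eth1",     # ifDescr.2
    instance_oid(IF_ENTRY + ".10", 1): 4096,      # ifInOctets.1
    instance_oid(IF_ENTRY + ".10", 2): 0,         # ifInOctets.2
}

if __name__ == "__main__":
    for oid, value in walk(VIEW, IF_ENTRY):   # column by column, row by row
        print(oid, value)
```

The walk visits the table column by column (all ifIndex instances, then all ifDescr, then all ifInOctets), which is why a manager has to issue one GetNext per cell and cannot fetch a row atomically.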

SetRequest PDU
• is issued by an SNMP manager on behalf of the NMS to modify information in an agent
• the operation is also atomic – if any one of the values can't be set, the whole operation fails
• a GetResponse PDU containing the same request-id is used for the reply – if the operation succeeds, a GetResponse PDU is returned with the same variablebindings as in the original SetRequest PDU
• possible error-status:
  – noSuchName, tooBig, genErr, plus
  – badValue: the PDU contains at least one pair of variable name and value that is inconsistent

Trap PDU
• is issued by an SNMP agent to notify the NMS of some significant event
• a Trap PDU does not require a response and is not acknowledged – it can get lost
• generic trap types:
  – coldStart (0): unexpected restart due to a crash or major fault
  – warmStart (1): routine restart
  – linkDown (2): a communication link is not operational
  – linkUp (3): the link is back in operation
  – authenticationFailure (4): an authentication-failed message was received
  – egpNeighborLoss (5): an EGP neighbor is down
  – enterpriseSpecific (6): some enterprise-specific event occurred

Transport-Level Support
• SNMP requires the use of a transport service for the delivery of SNMP messages
  – SNMP makes no assumption about whether the underlying service is reliable or unreliable, connectionless or connection-oriented
• Most SNMP implementations use UDP
• It is possible to use CLTS
• UDP – unreliable, connectionless transport service in the Internet
• CLTS – unreliable, connectionless transport service in the OSI architecture

Issues in using UDP
• Since UDP provides an unreliable transport service, SNMP messages can get lost
• What happens if a GetRequest or GetNextRequest message is lost?
• What happens if a SetRequest message is lost?
• What happens if a Trap message is lost?

Limitations of SNMP
• SNMP may not be suitable for the management of truly large networks because of the performance limitations of polling
• SNMP is not well suited for retrieving large volumes of data, such as an entire routing table
• SNMP traps are unacknowledged and may not be delivered
• SNMP provides only trivial authentication
• SNMP does not support explicit actions
• the SNMP MIB model is limited (does not support management queries based on object types or values)
• SNMP does not support manager-to-manager communications
• Many of these problems are addressed in SNMPv2!

READING
• Read Chapter 7 of Stallings