Chapter6-SNMP-V3_V2_V1 Network Management
Transcript of Chapter6-SNMP-V3_V2_V1 Network Management
-
7/22/2019 Chapter6-SNMP-V3_V2_V1 Network Management
SNMP Update
Please see www.snmp.com/jdctutorial.ppt for slides
-
Topics:
Introduction
Differences between SNMPv1, SNMPv2c, and SNMPv3
Advantages of SNMPv3 over SNMPv1 and SNMPv2c
Disadvantages of SNMPv3
-
Protocol Versions: Summary Picture
[Figure: family tree of the SNMP protocol versions, with the labels Simple-Based Management; SNMPv1; Party-based SNMPv2; Common SNMPv2; SNMPv2c; SNMPv2u; SNMPv2*; SNMPv3]
Management Information Definitions (MIB Documents):
  RFC 1155 format
  RFC 1212/1215 format
  RFC 1442-4 format
  RFC 1902-4 format
  RFC 2578-80 format
-
New Features of SNMPv2c
Expanded data types: 64-bit counters
Improved efficiency and performance: get-bulk operator
Confirmed event notifications: inform operator
Richer error handling: errors and exceptions
Improved sets: especially row creation/deletion
Transport independence: IP, AppleTalk, IPX, ...
Etc.
-
New Features of SNMPv3
New features inherited from SNMPv2c, plus Security and Administration
-
New Features of SNMPv3 Inherited from SNMPv2c
The list we just saw:
  Expanded data types: 64-bit counters
  Improved efficiency and performance: get-bulk operator
  Confirmed event notifications: inform operator
  Richer error handling: errors and exceptions
  Improved sets: especially row creation/deletion
  Transport independence: IP, AppleTalk, IPX, ...
  Etc.
Plus ...
-
Features of SNMPv3: Security and Administrative Framework
Security
  authentication
  privacy
Administration
  Authorization and view-based access control
  Logical contexts
  Naming of entities, identities, and information
  People and policies
  Usernames and key management
  Notification destinations and proxy relationships
  Remotely configurable via SNMP operations
-
Security Threats and Mechanisms
Threats protected against by SNMPv3:
1. Masquerade / data origin authentication: interloper assumes the identity of a sender to gain its privileges.
2. Modification of information / data integrity: alteration of in-transit messages.
3. Message stream modification: messages are re-ordered, delayed, or replayed.
4. Disclosure / data confidentiality: privileged information is obtained via eavesdropping on messages.
-
Security Mechanisms
SNMPv3 uses MD5 and DES as symmetric, i.e., private key mechanisms
(MD5 = Message Digest Algorithm 5, RFC 1321)
(DES = Data Encryption Standard)
-
SNMPv3 User-based Authentication Mechanism
Based on: MD5 message digest algorithm in HMAC
  indirectly provides data origin authentication
  directly defends against data modification attacks
  uses private key known by both sender and receiver
  16 byte key
  128 bit digest (truncated to 96 bits)
  SHA an optional alternative algorithm
Loosely synchronized monotonically increasing time indicator values
  defends against certain message stream modification attacks
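The mechanism on this slide, as an added example that is not part of the slides or of any SNMP implementation: the RFC 3414 password-to-key localization, the HMAC-MD5-96 / HMAC-SHA-96 tag computed over the whole message with the parameter field zeroed, the receiver-side verification, and the engineBoots/engineTime timeliness check that limits replay. The key-derivation inputs are RFC 3414's published sample (password "maplesyrup", engine ID 00 00 00 00 00 00 00 00 00 00 00 02); the message bytes, offsets and time values are constructed, and the timeliness check is the simplified form of the RFC's rule.

```python
import hashlib
import hmac

# Added example, not from the slides: User-based Security Model primitives
# (RFC 3414) behind the "MD5 in HMAC" authentication described above.
# Message bytes below are constructed, not a real BER-encoded SNMP message.

ONE_MIB = 1048576          # RFC 3414 A.2: hash 1 MiB of the repeated password
AUTH_PARAMS_LEN = 12       # HMAC-MD5-96 / HMAC-SHA-96: tag truncated to 96 bits
TIME_WINDOW = 150          # seconds; RFC 3414 section 2.2.3


def password_to_key(password: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Derive the localized key Kul for one engine.
    Ku  = H(password repeated cyclically to exactly 1 MiB)
    Kul = H(Ku || snmpEngineID || Ku)
    The same password therefore yields a different key on every engine,
    so compromising one agent's key does not expose the others."""
    stream = (password * (ONE_MIB // len(password) + 1))[:ONE_MIB]
    ku = hashlib.new(algo, stream).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_params(kul: bytes, whole_msg: bytes, algo: str = "md5") -> bytes:
    """msgAuthenticationParameters: HMAC over the entire message, computed
    while the 12-byte parameter field holds zeros, truncated to 96 bits."""
    return hmac.new(kul, whole_msg, algo).digest()[:AUTH_PARAMS_LEN]


def build_authenticated(kul: bytes, head: bytes, tail: bytes, algo: str = "md5") -> bytes:
    """Sender: lay out head || 12 zero bytes || tail, compute the tag over
    that, then splice the tag into the zeroed slot."""
    zeroed = head + bytes(AUTH_PARAMS_LEN) + tail
    return head + auth_params(kul, zeroed, algo) + tail


def verify(kul: bytes, msg: bytes, offset: int, algo: str = "md5") -> bool:
    """Receiver: take the tag out of the slot, zero the slot, recompute and
    compare in constant time. Any changed byte anywhere in the message,
    or a key localized for a different engine, fails the check."""
    received = msg[offset:offset + AUTH_PARAMS_LEN]
    zeroed = msg[:offset] + bytes(AUTH_PARAMS_LEN) + msg[offset + AUTH_PARAMS_LEN:]
    return hmac.compare_digest(auth_params(kul, zeroed, algo), received)


def in_time_window(auth_boots: int, auth_time: int, msg_boots: int, msg_time: int) -> bool:
    """Simplified timeliness check (RFC 3414 3.2 step 7): engineBoots in the
    message must match the authoritative engine's, and engineTime must lie
    within +/- 150 s. A captured packet replayed later fails here even
    though its HMAC is still valid."""
    return auth_boots == msg_boots and abs(auth_time - msg_time) <= TIME_WINDOW


if __name__ == "__main__":
    engine_id = bytes(11) + b"\x02"            # RFC 3414 A.3 sample engine ID
    kul = password_to_key(b"maplesyrup", engine_id)
    head, tail = b"msgGlobalData|usm:", b"|scopedPDU"   # constructed placeholders
    msg = build_authenticated(kul, head, tail)
    print("localized key:", kul.hex())
    print("authentic:", verify(kul, msg, len(head)))
    print("after tamper:", verify(kul, msg[:-1] + b"?", len(head)))
```

Running the block prints the RFC 3414 sample localized key (52 6f 5e ed ...), then True for the untouched message and False once a single byte of the scoped PDU changes; passing `algo="sha1"` switches to the optional SHA variant on the slide.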
-
SNMPv3 User-based Privacy Mechanism
Based on: Symmetric encryption used
  Data Encryption Standard (DES) Cipher Block Chaining (CBC) mode
  provides privacy / protection against disclosure
  uses encryption subject to export and use restrictions in many jurisdictions
  16 byte key (8 bytes DES key, 8 byte DES initialization vector)
  Multiple levels of compliance with respect to DES due to problems associated with international use
-
Advantages of SNMPv3
So What?
Who Cares?
-
Good Things Operators and Administrators will like in SNMPv3
Able to practice safe sets
  Configuration / Control / Provisioning
  No longer mere monitoring
  Able to augment or replace proprietary CLI over Telnet
    Via standards-based solutions providing
      Commercial-grade industrial strength security
      Authentication and Privacy
-
Good Things Operators and Administrators will like in SNMPv3 (Contd)
Now able to distribute management out to intelligent agents and mid-level managers
  Important for scalability
  Keep local management traffic local
  Shorter feedback loops with lower latency
-
Good Things Operators and Administrators will like in SNMPv3 (Contd)
Better Notifications:
  Traps
    Spray and pray
    The only option in SNMPv1
  Informs
    Send, wait for acknowledgement
    Retry count and retry interval
    Added in SNMPv2c but with problems
    Problems fixed in SNMPv3
      Standard MIB objects to configure
      Source-side notification suppression
-
Good Things Operators and Administrators will like in SNMPv3 (Contd)
Source Side Notification Suppression
  Too many resources spent on uninteresting notification messages, e.g., unwanted traps and informs
    Notification generation
    Notification transmission and delivery
    Notification logging
    Notification filtering
  SNMPv3 allows you to use a standard MIB and standards-based tools to turn unwanted notifications off at the source
  You will really like this
-
Good Things Operators and Administrators will like in SNMPv3 (Contd)
Better performance
  The Awesome getBulk operator works better with SNMPv3
    Less latency and lower overhead through a smaller number of larger packets
    One to three orders of magnitude faster than SNMPv1 getNext operator (typically two)
    Negotiates maximum message size correctly
  Counter64
    No need to poll as often
  New features eliminate need for gross hacks
    e.g., logical contexts
-
Good Things Operators and Administrators will like in SNMPv3 (Contd)
Better error handling:
  In a Get Request with 10 items requested and one is unavailable:
    In SNMPv1, returns in an error with no partial results
    In SNMPv2/3, results in 9/10 good values and one exception
  In a Set Request, if something fails:
    In SNMPv1, results in a No
    In SNMPv2/3, results in a No-because
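The getBulk point from the performance slide and the Get-request point from the error-handling slide above, as one added example that is not part of the original slides: a toy in-memory agent with constructed OIDs (an ifTable-style table of 20 interfaces followed by one scalar) counts round trips for a getNext walk against a getBulk walk, and returns the SNMPv1 noSuchName error beside the SNMPv2/v3 response for the same 10-item Get with one missing instance. The agent class, the OID set and the PDU helpers are assumptions made for the demonstration, not any real agent's code.

```python
import bisect

# Added example, not from the slides: a toy in-memory agent used to count
# round trips for a getNext walk versus a getBulk walk, and to contrast
# SNMPv1 noSuchName errors with SNMPv2/v3 per-varbind exceptions.
# All OIDs and values below are constructed for the demonstration.

END_OF_MIB_VIEW = "endOfMibView"      # SNMPv2 exceptions travel inside the
NO_SUCH_INSTANCE = "noSuchInstance"   # varbind instead of as an error-status

IF_TABLE = (1, 3, 6, 1, 2, 1, 2, 2, 1)       # ifEntry; (column, index) appended
IP_FORWARDING = (1, 3, 6, 1, 2, 1, 4, 1, 0)  # first object after the table


def build_mib(n_ifaces):
    mib = {}
    for i in range(1, n_ifaces + 1):
        mib[IF_TABLE + (1, i)] = i                    # ifIndex
        mib[IF_TABLE + (2, i)] = "eth%d" % (i - 1)    # ifDescr
        mib[IF_TABLE + (8, i)] = 1                    # ifOperStatus = up
    mib[IP_FORWARDING] = 1
    return mib


class ToyAgent:
    def __init__(self, mib):
        self.mib = dict(mib)
        self.oids = sorted(self.mib)   # lexicographic OID order, as in a real agent
        self.requests = 0              # every PDU handled counts as one round trip

    def _next(self, oid):
        i = bisect.bisect_right(self.oids, oid)
        if i == len(self.oids):
            return oid, END_OF_MIB_VIEW
        return self.oids[i], self.mib[self.oids[i]]

    def get_next(self, oid):
        self.requests += 1
        return self._next(oid)

    def get_bulk(self, oid, max_repetitions):
        """non-repeaters = 0: up to max_repetitions successors in one response."""
        self.requests += 1
        out, cur = [], oid
        for _ in range(max_repetitions):
            cur, val = self._next(cur)
            out.append((cur, val))
            if val is END_OF_MIB_VIEW:
                break
        return out

    def get_v1(self, oids):
        """SNMPv1: one missing instance fails the whole request, no partial data."""
        self.requests += 1
        for idx, oid in enumerate(oids, start=1):
            if oid not in self.mib:
                return {"error-status": "noSuchName", "error-index": idx, "varbinds": []}
        return {"error-status": "noError", "error-index": 0,
                "varbinds": [(o, self.mib[o]) for o in oids]}

    def get_v2(self, oids):
        """SNMPv2/v3: good values come back; the bad varbind carries an exception."""
        self.requests += 1
        return {"error-status": "noError", "error-index": 0,
                "varbinds": [(o, self.mib.get(o, NO_SUCH_INSTANCE)) for o in oids]}


def in_subtree(oid, subtree):
    return oid[:len(subtree)] == subtree


def walk_getnext(agent, subtree):
    rows, cur = [], subtree
    while True:                         # one round trip per object
        cur, val = agent.get_next(cur)
        if val is END_OF_MIB_VIEW or not in_subtree(cur, subtree):
            return rows
        rows.append((cur, val))


def walk_getbulk(agent, subtree, max_rep):
    rows, cur = [], subtree
    while True:                         # one round trip per max_rep objects
        batch = agent.get_bulk(cur, max_rep)
        for cur, val in batch:
            if val is END_OF_MIB_VIEW or not in_subtree(cur, subtree):
                return rows
            rows.append((cur, val))


def compare_walks(n_ifaces=20, max_rep=25):
    """Return (getNext round trips, getBulk round trips, same rows retrieved?)."""
    a = ToyAgent(build_mib(n_ifaces))
    b = ToyAgent(build_mib(n_ifaces))
    rows_next = walk_getnext(a, IF_TABLE)
    rows_bulk = walk_getbulk(b, IF_TABLE, max_rep)
    return a.requests, b.requests, rows_next == rows_bulk


def error_handling_demo():
    """Same 10-varbind Get (ifDescr.1..10, but .4 replaced by a missing row)
    answered with v1 and with v2/v3 semantics."""
    agent = ToyAgent(build_mib(10))
    oids = [IF_TABLE + (2, i) for i in range(1, 11)]
    oids[3] = IF_TABLE + (2, 99)        # fourth varbind names a non-existent row
    return agent.get_v1(oids), agent.get_v2(oids)


if __name__ == "__main__":
    print("getNext vs getBulk round trips:", compare_walks())
    v1, v2 = error_handling_demo()
    print("v1:", v1)
    print("v2/v3 values returned:", sum(v is not NO_SUCH_INSTANCE for _, v in v2["varbinds"]))
```

For 20 interfaces with three columns (60 objects) the getNext walk costs 61 round trips and the getBulk walk with max-repetitions 25 costs 3, for identical rows; the v1 Get returns only `noSuchName` with error-index 4, while the v2/v3 Get returns the nine good ifDescr values and one `noSuchInstance` in the fourth varbind.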
-
Disadvantages of SNMPv3
Security is expensive
  More to configure and administer
  Unlocked doors are more convenient to use
  Community strings were relatively easy to administer
  Off-the-shelf tools help
More overhead
  Message headers longer and more complex
  Cryptographic calculations can increase CPU load approximately 20-ish percent
  It will run slower, it will run much slower if software-based DES is used, especially if implemented in Java
  Some machines do not have the hardware assets, but almost all do: NO EXCUSES
-
Disadvantages of SNMPv3 (Contd)
Export and international usage considerations
Incomplete product support
  Some vendors claim customers (i.e., you) don't care about security
  Agents better than manager stations and applications
  SNMPv3 code often less mature and shaken out
-
Conclusion: What is SNMPv3?
Newest version of the Internet-standard Management Framework
What SNMPv2 should have been - builds on the good
Compatible with the SMI and MIB you use now
Important enabling technology for configuration and control: adds security and administration for safe sets
  Security: authentication and privacy
  Administration: logical contexts, view-based access control, remote configuration
Available now