SNMPv2 Network Management Spring 2014 Bahador Bakhshi CE & IT Department, Amirkabir University of...
-
Upload
aileen-davisson -
Category
Documents
-
view
215 -
download
1
Transcript of SNMPv2 Network Management Spring 2014 Bahador Bakhshi CE & IT Department, Amirkabir University of...
SNMPv2
Network Management
Spring 2014
Bahador Bakhshi
CE & IT Department, Amirkabir University of Technology
This presentation is based on the slides listed in references.
Outline
Introduction
SNMPv2 Architecture
SNMPv2 SMI
SNMPv2 MIB
SNMPv2 Protocol
Conclusion
2
Outline
Introduction
SNMPv2 Architecture
SNMPv2 SMI
SNMPv2 MIB
SNMPv2 Protocol
Conclusion
3
SNMPv1 Summary Organizational model
Manager – agent hierarchy Information model
MIB, SMI and basic encoding rules (BER) SMI uses a subset of ASN.1
Communication model Five message types
Request-and-response TRAP based notification – no confirmation
UDP based – no acknowledgement Security model
Very limited community based Works well only if there is not any attacker!!!
4
Why SNMPv2?
Limitations of SNMPv1 SNMPv2
Why so many limitations in SNMPv1? SNMPv1 was intended as an interim network
management protocol while waiting for OSI network management protocols to mature
CMOT which is CMIP over TCP/IP was created but did not do well
When the industry realized that CMOT would not overtake SNMP focus was on enhancing SNMPv1
5
Limitations of SNMPv1
Limited error codes & error handling genErr is a catch-all
Simple data types Only scalar types Table manipulation is tedious New data types can not be defined
Limited notification Unacknowledged Agent does not know if critical notifications
(traps) have reached the manager
6
Limitations of SNMPv1 (cont’d)Limited performance
GET only get one scalar at a time Not suitable for large network
Transport dependency UPD not reliable
Lack of hierarchies Only Manager-Agent, no Manager-Manager
Lack of security Minimum authentication & authorization
7
SNMPv2 Birth
Performance & Security problems of SNMPv1
Secure SNMP was proposed (July 1992) to solve this problem in SNMP
Simple Management Protocol (SMP) was also proposed (July 1992) to extend the SNMP functionality
secure SNMP + SMP = SNMPv2 (March 1993)
A major security flaw was detected in this proposal and the security aspects were dropped and the result is community-based SNMPv2c (Jan. 1996)
8
Key Changes in SNMPv2 Bulk data transfer & Better error handling
To improve performance
Manager-to-manager message For hierarchal network management
Textual conventions To define new data types
Conformance & Capability statements To formally specify agent capabilities
Row creation and deletion in table More complex information modeling
MIB enhancements New MIBs and drop unused complex MIBs
Transport mappings Transport protocols other than UDP
9
Outline
Introduction
SNMPv2 Architecture
SNMPv2 SMI
SNMPv2 MIB
SNMPv2 Protocol
Conclusion
10
SNMPv2 Architecture
Two key enhancements on SNMPv1 architecture
1) Eight messages instead of five, new msg.: Get-bulk-request Inform-request Report
2) Two manager applications communication Hierarchal and distributed network management
11
SNMPv2 Messages
inform-request (new) manager-to-manager with acknowledgement
get-bulk-request (new) Transfer of large data (e.g., multiple rows of a table)
report (new) Not used currently
response is the get-responseSNMPv2-Trap is the trap with modified PDUget-request, get-next-request, and set-request are the same as SNMPv1
12
SNMPv2 Architecture
13
SNMP ManagerApplication
resp
onse
get-
bulk
-req
uest
get-
next
-req
uest
set-
requ
est
snm
pV2-
trap
SNMP Manager
SNMP
UDP
IP
DLC
PHY
Physical Medium
get-
requ
est
info
rm-r
eque
st
SNMP AgentApplication
resp
onse
get-
bulk
-req
uest
get-
next
-req
uest
set-
requ
est
snm
pV2-
trap
SNMP Agent
SNMP
UDP
IP
DLC
PHY
get-
requ
est
SNMP ManagerApplication
resp
onse
get-
bulk
-req
uest
get-
next
-req
uest
set-
requ
est
snm
pV2-
trap
SNMP Manager
SNMP
UDP
IP
DLC
PHY
get-
requ
est
info
rm-r
eque
st
SNMP PDU
ApplicationPDU
Physical Medium
ApplicationPDU
SNMP PDU
Outline
Introduction
SNMPv2 Architecture
SNMPv2 SMI
SNMPv2 MIB
SNMPv2 Protocol
Conclusion
14
SNMPv2 SMI (SMIv2)
Major changes in SMIv2 are
1) New object definition macros New macros replaced SNMPv1 macros
We have discussed in SNMPv1
2) Textual convention
3) Table modification
4) Conformance and Agent capabilities
15
SMIv2: Textual Convention
Enables defining new data types Creates new data types using existing ones and
applies restrictions to them
Makes semantics of data types consistent and human readable
Using the TEXTUAL-CONVENTION macro
Some textual conventions in SNMPv2 MacAddress, TimeStamp, DateandTime, and RowStatus
16
Textual Convention Example
17
DisplayString ::= TEXTUAL-CONVENTION DISPLAY-HINT "255a" STATUS current
DESCRIPTION "Represents textual information taken from the NVT ASCII character set, as defined in pages 4, 10-11 of RFC 854"
SYNTAX OCTET STRING (SIZE (0..255) )
SMIv2: Tables
Static Tables Table structure is defined in MIB development time Access is read-only and read-write Useful when the number of rows corresponds to a fixed
attribute (e.g., # physical interfaces) or a quantity controlled only by agent
Vendors can add new columns to existence columns (new)
Dynamic Table Allows row creation/deletion by a manager
At run/operation time Access includes read, write and create/delete privileges
18
Why Table Modification?
Application 1 Standard MIBs define a set of parameters for NIC (e.g.,
type, MTU, MAC) Vendor needs additional parameters (e.g., Serial #, Power
Consumption) In SNMPv1, the vendors should define a separated new
table for the parameters Two tables (different set of OIDs) to manage NICs
In SNMPv2, these new parameters can be added to the existence table Single table for NIC parameters (much easier)
Table Augmentation
19
Why Table Modification?
Application 2 Firewall rules (typically) are specified as a table
(src IP, dst IP, src port, dst port, proto, action)
Rules are not fixed; are changed over the time Manager want to manage the firewall using SNMP SNMPv1 cannot be used
It is not possible to create or delete rows SNMPv2 dynamic tables is the solution
Rules can be added/deleted Existing rules can be modified
20
Changing Columns: Table Augmentation
Adding new columnar objects (augmented table) to an existing table (base table) Old base table is compiled & running in agent The MIB of the new table is defined The MIB is compiled & added to the agent The agent treats both tables as a single table
Using the following assumptions One to one correspondence between rows of tables
Number of rows is not affected INDEX of the second table is the same as the first table
21
Table Augmentation (cont’d)
22
T1.E1.C1.1
table1(T1)
table1Entry(E1)
T1.E1.C2.1 T1.E1.C3.1
T1.E1.C1.2 T1.E1.C2.2 T1.E1.C3.2
T1.E1.C1.3 T1.E1.C2.3 T1.E1.C3.3
T1.E1.C1.4 T1.E1.C2.4 T.E1.C3.4
table 2(T2)
table2Entry(E2)
T2.E2.C4.1 T2.E2.C5.1
T2.E2.C4.2 T2.E2.C5.2
T2.E2.C4.3 T2.E2.C5.3
T2.E2.C4.4 T2.E2.C5.4
Index: First columnar object in Table 1
Table 1 Table 2Base table Dependent table
Table Augmentation (cont’d)
23
table1 OBJECT-TYPE SYNTAX SEQUENCE OF table1Entry MAX-ACCESS not-accessible STATUS current DESCRIPTION “Table 1 under T” ::= {table 1} table1Entry OBJECT-TYPE SYNTAX Table1Entry MAX-ACCESS not-accessible STATUS current DESCRIPTION “An entry (conceptual row) in Table 1” INDEX {T1.E1.C1} ::= {table1 1}
table2 OBJECT-TYPE SYNTAX SEQUENCE OF table2Entry MAX-ACCESS not-accessible STATUS current DESCRIPTION “Table 2 under T” ::= {table 2} table2Entry OBJECT-TYPE SYNTAX Table2Entry MAX-ACCESS not-accessible STATUS current DESCRIPTION “An entry (conceptual row) in Table 2” AUGMENTS {table1Entry} ::= {table2 1}
A clause used to increase the number of columns in a table w/out rewriting the table definition
The resulting table is therefore treated the same way as if it was defined in a single table definition
Table Augmentation (cont’d)
What happen if
1) New table row # > Base table row # Dense dependent table is added to base table
2) New table row # < Base table row # Sparse dependent table
More details in the text book
24
Dynamic Tables
Table rows can be modified at the run-time using set-requests to create or delete rows No new MIB is defined & compiled & installed
25
State / Command
Enumeration
Description
active 1 Row exists and is operationalnotInService 2 Operation on the row is suspended
notReady 3 Row does not have all the columnar objects neededcreateAndGo 4 This is a one-step process of creation of a row;
immediately goes into active statecreateAndWait 5 Row is under creation and should not be
commissioned into servicedestroy 6 Same as Invalid in EntryStatus. Row should be deleted
Row Creation and Deletion Example
26
Row to be created / deleted
entry1
status.1
table1
index.1 data.1
status.2
status.3
index.2
index.3
data.2
data.3
Column Object for row modification, Syntax is RowStatus
Create-and-Go Row Creation
Manager initiates a SetRequest-PDU to create a new row status = 4, i.e., create and go
Agent interacts with the management entity and successfully create an instance; subsequently a response is transmitted to the manager status = 1, indicates that the row is active
27
SetRequest ( status.3 = 4, index.3 = 3,data.3 = DefData)
Response ( status.3 = 1,index.3 = 3,data.3 = DefData)
ManagerProcess
AgentProcess
ManagedEntity
Create Instance
Instance Created
Create-and-Wait Row Creation
28
ManagerProcess
AgentProcess
SetRequest (status.3 = 5,index.3 = 3 ) Create and wait, no default
data specifiedResponse (status.3 = 3,index.3 = 3)
Agent responds with “notReady”(no default value)
GetRequest (data.3 )
Get the data for the row
Response (data.3 = noSuchInstance)Data value is missing
SetRequest (data.3 = DefData) Value of data is sent
Response (status.3 = 2data.3 = DefData)
Agent responds with notInServcie
SetRequest (status.3 = 1) Manager requests to activate
the rowResponse (status.3 = 1)Row activated
Row Deletion
29
SetRequest (status.3 = 6 )
Response ( status.3 = 6 )
ManagerProcess
AgentProcess
ManagedEntity
Delete Instance
Instance Deleted
SMIv2: Conformance & Capability
Recent NM protocols provide mechanisms To specify what agent implements
To allow manager to know what agent can do
SNMP provide two mechanisms: Similar to each other Use similar facilities
1) Module compliance MIB developer specifies what should be implemented
2) Agent capabilities Agent developer specifies what it implements
30
Object GroupsOBJECT-GROUP macro
Specifies objects in a MIB that are part of the conformance group compliance
NOTIFICATION-GROUP macro Identifies a group of notifications required for conformance
purposes
MANDATORY-GROUPS The required object and notification groups that must be
implemented by agent to comply the standard
GROUP Optional object and notification groups that my be
implemented by agent
31
Conformance Module
MODULE-COMPLIANCE macro Defines compliance requirement for an agent in
terms of MIB modules
AGENT-CAPABILITIES macro Defines the capabilities of the agent
33
Outline
Introduction
SNMPv2 Architecture
SNMPv2 SMI
SNMPv2 MIB
SNMPv2 Protocol
Conclusion
34
SNMPv2 Internet Group
Additional SNMPv2 group added Security group is a placeholder
Objects added to System groupExtensive modification of the SNMP group
35
mgmt(2)
directory(1)
experimental(3)
private(4)
Internet{1 3 6 1}
security(5)
snmpv2(6)
SNMPv2
SNMPv2 MIB
36
mgmt(2)
directory(1)
experimental(3)
private(4)
Internet{1 3 6 1}
security(5)
snmpv2(6)
snmpModules(3)
snmpMIB(1)
mib-2(1)
system(1)
snmp(11)
snmpMIBConformance(2)
snmpMIBObjects(1)
SNMPv2 MIB-2
New protocols and technologies
37
mgmt(2)
Internet{1 3 6 1}
mib-2(1)
system(1)
inerfaces(2)
addr trans(3)
ip(4)
icmp(5)
tcp(6)
udp(7)
egp(8)
oim(9)
character(19)
decnet(18)
bridge(17)
rmon(16)
bgp(15)
ospf(14)
appletalk(13)
genericIF(12)
snmp(11)
transmission(10)
SNMPv2 System Group Table sysORTable
List of resources that the agent controls
38
sysORLastChange (8)
sysServices (7)
sysDescr (1)
system(mib-2 1)
sysObjectId (2)
sysUpTime (3) sysLocation (6)
sysContact (4) sysName (5)
sysORTable (9)
sysOREntry (1)
sysORIndex (1) sysORUpTime (4)
sysORID (2) sysORDescr (3)
SNMPv1 SNMP MIB
SNMP MIB was very complex in SNMPv1 Some object are very rarely used
39
snmp(mib-2 11)
snmpInPkts(1)
snmpOutPkts (2) snmpInBadVersions (3)
snmpInCommunityNames (4) snmpInBadCommunityUses (5)
snmpInASNParseErrors (6) -- not used (7)
snmpInTooBigs (8) snmpInNoSuchNames (9)
snmpInBadValues (10) snmpInReadOnlys (11)
snmpEnableAuthenTraps (30)
snmpOutTraps (29) snmpOutGetResponses (28)
snmpOutSetRequests (27) snmpOutGetNexts (26)
snmpOutGetRequests (25) snmpOutGenErrs (24)
-- not used (23) snmpOutBadValues (22)
snmpOutNoSuchNames (21) snmpOutTooBigs (20)
snmpInGenErrs (12) snmpInTotalReqVars (13)
snmpInTotalSetVars (14) snmpInGetRequests (15)
snmpInTraps (19) snmpInGetResponses
(18) snmpInSetRequests (17)
snmpInGetNexts (16)
SNMPv2 SNMP MIB (cont’d)
SNMP MIB in SNMPv2 is simplified
40
snmp(mib-2 11)
snmpInPkts(1)
snmpInBadVersions (3) snmpInBadCommunityNames (4)
snmpInBadCommunityUses (5)
snmpProxyDrops (32)
snmpSilentDrops (31)
snmpEnableAuthenTraps (30)
snmpInASNParseErrors (6)
Outline
Introduction
SNMPv2 Architecture
SNMPv2 SMI
SNMPv2 MIB
SNMPv2 Protocol
Conclusion
42
SNMPv2 Protocol Overall, 8 messages with almost common message format
To improve the efficiency and performance Significant improvement is that trap message has the same format
43
variable-bindings00requestid
PDU type
(a) GetRequest, GetNextRequest, SetRequest, SNMPv2-Trap, InformRequest
variable-bindingserrorindex
errorstatus
requestid
PDU type
(b) Response-PDU
variable-bindingsmax-
repetitionsnon-
repeatersrequest
idPDU type
(c) GetBulkRequest-PDU
PDUcommunityversion
Better Error Handling
SNMPv1 error codes (error-status) are very limited More specific (informational) codes in SNMPv2
SNMPv2 Error Status
44
noError tooBig noSuchName badValue readOnly genErr wrongType wrongLength wrongEncoding
wrongValue noCreation inconsistentValue resourceUnavailable commitFailed undoFailed authorizationError notWritable inconsistentName
Better Error Handling (cont’d)
SNMPv1 operations are atomic: Either all values are returned or none!
error-status = 0 All are valid error-status ≠ 0 None is valid
SNMPv2 can handle up to one error If one variable is failed
Error-status and error-index are set, this index is ignored, others are valid
If multiple variables are failed Only error-status is set (error-index is not set), all variables are
ignored (we don’t know the failed one)
45
Better Error Handling: Exceptions Besides errors, SNMPv2 defines three exceptions
noSuchObject OID is not found noSuchInstance OID is valid but is not accessible endOfMibView No next OID exists
Used in GetNext & GetBulk
Exceptions do not raise error They are encoded in variable binding
Better performance, for example 10 OID is requested 2 OID is wrong SNMPv1 Whole operation fails with error-status = noSuchName SNMPv2 8 valid values are returned, wrong OID’s value =
noSuchObject
46
SNMPv2 GetBulkRequest PDU
Enables the retrieval of data in bulk, both A variable binding list (similar to GetNextRequest) Given # of successive objects of OIDs (another variable
binding list) Series of GetNexRequest (new)
Error status field replaced by Non-repeaters The number of scalar field values requested
Error index field replaced by Max repetitions The maximum number of table rows requested
47
PDUType
RequestIDNon-
RepeatersMax
RepetitionsVarBind 1
nameVarBind 1
value...
VarBind nname
VarBind nvalue
GetBulkRequest Selection principle is the same as GetNextRequest
the next object instance in lexicographic order
Includes a list of (N + R) variable names in the variable-bindings list the first N variables for retrieving single values the next R variables for retrieving multiple values
non-repeaters = N Next objects of N given object are asked
max-repetition = M At most M successive (next lexicographical) object instances of each R repetitive objects are asked
48
Get-Bulk-Request Example
49
T ZA B
1.1
E
1.2
1.3
1.4
2.1
2.2
2.3
2.4
3.1
3.2
3.3
3.4
Get-Next-Request Operation
50
T.E.1.1 T.E.2.1 T.E.3.1
T.E.1.2 T.E.2.2 T.E.3.2
E
T
Z
A
B
T.E.1.3 T.E.2.3 T.E.3.3
T.E.1.4 T.E.2.4 T.E.3.4
GetRequest ( A,B )
GetNextRequest (T.E.1.T.E.2,T.E.3)
GetResponse (T.E.1.1,T.E.2.1,T.E.3.1)
GetNextRequest (T.E.1.1,T.E.2.1,T.E.3.1)
GetResponse (T.E.1.2,T.E.2.2,T.E.3.2)
GetResponse (T.E.1.3,T.E.2.3,T.E.3.3)
GetNextRequest (T.E.1.3,T.E.2.3,T.E.3.3)
GetResponse (T.E.1.4,T.E.2.4,T.E.3.4)
GetResponse (T.E.2.1,T.E.3.1,Z)
ManagerProcess
AgentProcessGetResponse (A,B)
GetNextRequest (T.E.1.4,T.E.2.4,T.E.3.4)
GetNextRequest (T.E.1.2,T.E.2.2,T.E.3.2)
51
Get-Bulk-Request Operation
T.E.1.1 T.E.2.1 T.E.3.1
T.E.1.2 T.E.2.2 T.E.3.2
E
T
Z
A
B
GetBulkRequest (1, 3,A,T.E.1, T.E.2, T.E.3 )
Response (B,T.E.1.1, T.E.2.1, T.E.3.1T.E.1.2, T.E.2.2, T.E.3.2
T.E.1.3, T.E.2.3, T.E.3.3 )
GetBulkRequest ( 0,3,T.E.1.3, T.E.2.3, T.E.3.3 )
Response (T.E.1.4, T.E.2.1, T.E.2.2T.E.2.4, T.E.3.1, T.E.3.2,T.E.3.4, Z , "endOfMibView")
T.E.1.3 T.E.2.3 T.E.3.3
T.E.1.4 T.E.2.4 T.E.3.4
ManagerProcess
AgentProcess
SNMPv2-trap & Inform-request
Both use the same PDU
Positions 1 and 2 in VarBindList are sysUpTime and snmpTrapOID, respectively
Both packets are used to send unsolicited messages
Trap for agent-to-manage, but Inform for manager-to-manger messages
No acknowledge for trap, but response for inform
52
PDUType
RequestIDError
StatusErrorIndex
VarBind 1sysUpTime
VarBind 1value
...
VarBind 2snmpTrapOID
VarBind 2value
SNMPv2 PDU Sequences
53
getNext
response
MIB
manager agent
set
response
MIB
manager agent
get
response
MIB
manager agent
getBulk
response
MIB
manager agent
trap
MIB
manager agent
response
inform
MIB
manager "agent"
SNMPv2 Summary
Key enhancements in SNMPv2 New messages
Manager-to-Manager communication Bulk information transfer TRAPS have same format as other PDUs
Better error handling including exceptions Table modification, Textual conventions & Conformance MIB improvements
More powerful but more complex than SNMPv1
SNMPv2 failed to improve on security
55
References Reading Assignment: Chapter 6 of “Mani Subramanian,
‘Network Management: Principles and Practice’, Pearson Education, 2012”
R. Dssouli, “Advanced Network Management,” Concordia Institute for Information Systems Engineering, http://users.encs.concordia.ca/~dssouli/INSE 7120.html
Nhut Nguyen, “Telecommunications Network Management,” University of Texas at Dallas, www.utdallas.edu/~nhutnn/cs6368/
J. Won-Ki Hong, “Network Management System,” PosTech University, dpnm.postech.ac.kr/cs607/
56