Network Management - Department of Computer Science, HKBU


Network Management
Chapter 3
SNMP and MIB
COMP4690, by Dr Xiaowen Chu, HKBU
Outline

- SNMPv1: Simple Network Management Protocol
- SMI: Structure of Management Information
- MIB: Management Information Base
- SNMPv3

SNMPv1 Packet

SNMPv1 packet has the form:

  Version | Community Name | Protocol Data Unit (PDU)

- Version: the version of SNMP; SNMPv1 carries "0" in the version field
- Community name: like a password
  - The agent uses it to control who can access what
  - Sent as plaintext, so anyone who can capture the traffic learns it; not secure
  - Improved by SNMPv3

SNMPv1 PDU

SNMP has different types of packets, each with a different format.

The PDU for Get-Request, Get-Next-Request and Set-Request (and the matching Get-Response) has the fields:

  Request ID | Error Status | Error Index | VarBindList

- Request ID: an integer, like a sequence number, used to match a Get-Response to its request
- Error status: error code reported in the Get-Response (0 in requests)
- Error index: an integer which identifies the first variable in the VarBindList that caused the error

SNMPv1 PDU

Error status values:

- 0 = noError
- 1 = tooBig (the response would not fit in a single message)
- 2 = noSuchName (no object with the requested name in the community's MIB view)
- 3 = badValue (the value in a Set-Request has the wrong type, length or range)
- 4 = readOnly (a historical code that a correct implementation does not generate; SNMPv1 reports a Set on a read-only object as noSuchName)
- 5 = genErr (any other error)

SNMPv1 PDU

VarBindList: a list of (Variable ID, Variable Value) pairs:

  Variable ID | Variable Value

- Variable ID: Object Identifier of the variable, as defined in the SMI specification
- Variable Value: actual value, which could be an integer, IP address, etc.

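To make the packet layout on the last three slides concrete, here is a small SNMPv1 message encoder and decoder in plain BER. This is an added example written for this page, not code from the course or from any SNMP library; it uses only the Python standard library, and the sample request (sysDescr.0 under community "public", request ID 1234) is a constructed value. Note how the community string sits in the clear between the version and the PDU.

```python
# Added example (not from the slides): SNMPv1 message in BER, built and parsed
# by hand so the fields on the slides are visible byte by byte.

# Error-status codes carried in a Get-Response PDU (RFC 1157).
ERROR_STATUS = {0: "noError", 1: "tooBig", 2: "noSuchName",
                3: "badValue", 4: "readOnly", 5: "genErr"}

# BER tags; PDU tags are context-specific (0xA0 + PDU type number).
TAG_INT, TAG_OCTETS, TAG_NULL, TAG_OID, TAG_SEQ = 0x02, 0x04, 0x05, 0x06, 0x30
PDU_TAGS = {0xA0: "Get-Request", 0xA1: "Get-Next-Request",
            0xA2: "Get-Response", 0xA3: "Set-Request"}

def ber_len(n: int) -> bytes:
    """BER length: one byte if < 128, else 0x80|k followed by k length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def enc_int(v: int) -> bytes:
    """Two's-complement INTEGER, wide enough that the sign bit is present."""
    return tlv(TAG_INT, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def enc_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two sub-ids packed as 40*a+b, the rest base-128
    with the high bit set on every byte except the last of each sub-id."""
    ids = [int(x) for x in oid.split(".")]
    body = bytearray([40 * ids[0] + ids[1]])
    for sid in ids[2:]:
        chunk = [sid & 0x7F]
        sid >>= 7
        while sid:
            chunk.append(0x80 | (sid & 0x7F))
            sid >>= 7
        body += bytes(reversed(chunk))
    return tlv(TAG_OID, bytes(body))

def build_message(community: str, pdu_tag: int, request_id: int,
                  varbinds, error_status: int = 0, error_index: int = 0) -> bytes:
    """Message ::= SEQUENCE { version INTEGER (0), community OCTET STRING, PDU }.
    varbinds: list of (oid, encoded value); requests carry NULL values."""
    vbl = b"".join(tlv(TAG_SEQ, enc_oid(o) + val) for o, val in varbinds)
    pdu = tlv(pdu_tag, enc_int(request_id) + enc_int(error_status)
              + enc_int(error_index) + tlv(TAG_SEQ, vbl))
    return tlv(TAG_SEQ, enc_int(0) + tlv(TAG_OCTETS, community.encode()) + pdu)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, payload, position just after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + length], pos + length

def dec_int(body: bytes) -> int:
    return int.from_bytes(body, "big", signed=True)

def dec_oid(body: bytes) -> str:
    ids, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            ids.append(val)
            val = 0
    return ".".join(map(str, ids))

def parse_message(buf: bytes) -> dict:
    """Parse an SNMPv1 message. The community is read straight off the wire:
    whoever captures one packet can reuse it."""
    tag, msg, _ = read_tlv(buf, 0)
    if tag != TAG_SEQ:
        raise ValueError("not a BER SEQUENCE")
    _, ver, pos = read_tlv(msg, 0)
    _, comm, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    fields, p = [], 0
    for _ in range(4):        # request-id, error-status, error-index, varbindlist
        _, body, p = read_tlv(pdu, p)
        fields.append(body)
    varbinds, q = [], 0
    while q < len(fields[3]):
        _, vb, q = read_tlv(fields[3], q)
        _, oid, r = read_tlv(vb, 0)
        vtag, val, _ = read_tlv(vb, r)
        varbinds.append((dec_oid(oid), vtag, val))
    return {"version": dec_int(ver), "community": comm.decode(),
            "pdu_type": PDU_TAGS.get(pdu_tag, hex(pdu_tag)),
            "request_id": dec_int(fields[0]),
            "error_status": ERROR_STATUS.get(dec_int(fields[1]), "unknown"),
            "error_index": dec_int(fields[2]), "varbinds": varbinds}

if __name__ == "__main__":
    # Constructed sample: Get-Request for sysDescr.0 under community "public".
    req = build_message("public", 0xA0, 1234, [("1.3.6.1.2.1.1.1.0", tlv(TAG_NULL, b""))])
    print(req.hex(" "))
    print(parse_message(req))
```

The sample request is 41 bytes; the bytes `04 06 70 75 62 6c 69 63` right after the version are the community "public", which is all an on-path observer needs to issue their own Get- or Set-Requests.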
SNMP Commands

SNMPv1 commands (PDU types numbered 0 thru 4):

- Get-Request (0): request value(s) from the agent's MIB
- Get-Next-Request (1): request the next MIB element (based on object identifier) in lexicographic order
  - Can use this to "walk" the MIB tree
- Get-Response (2): response from the agent
- Set-Request (3): write a value into the agent's MIB
- Trap (4): unsolicited message from the agent, to inform the managing entity of exceptional events

SNMPv2 adds two more commands:

- Get-Bulk-Request: get values in a large block of data (many Get-Next steps in one round trip)
- Inform-Request: used by a managing entity to notify another managing entity of MIB information; unlike a Trap, it is acknowledged

SNMP Trap

Trap PDU is of the form:

  Enterprise | Agent Address | Generic Trap Number | Specific Trap Number | Time Stamp | VarBindList

- Enterprise: Object Identifier of the device (its sysObjectID) that created the trap message
- Agent address: IP address of the device
- Generic trap number: 7 categories (coldStart, warmStart, linkDown, linkUp, authenticationFailure, egpNeighborLoss, enterpriseSpecific)
  - authenticationFailure is sent when a message arrives with a bad community name, so it is worth collecting
- Specific trap number: code number, meaningful when the generic trap is enterpriseSpecific
- Time stamp: time since the device initialized (sysUpTime)
- VarBindList: same as defined previously

SMI & MIB

- The agent needs to find the "Variable Value" based on the "Variable ID"
- It's better to define a data structure
- Object Identifier mapped to a value stored on a subsystem
  - E.g., a NIC is a subsystem, and its MAC address could be the desired value

SMI & MIB

- Each object in the MIB has a name
- Each object has a type
  - For example, "integer"
- Types can be
  - Simple: a single value
  - Constructed: multiple objects of simple type
- Groups of related objects are also defined

SMI: Structure of Management Information

- RFC 1155
- The language used to define MIBs

SMI

- SMI specification uses a subset of Abstract Syntax Notation One (ASN.1)
  - Formal specification of MIB objects
- ASN.1 used to specify
  - Name of object
  - Type of object
  - Access: read-only, read-write, or not-accessible
  - Brief description of object

Data types of SMI (RFC 2578)

- INTEGER
- Integer32
- Unsigned32
- OCTET STRING
- IpAddress
- Counter32
- Counter64
- Etc.

Higher-Level Constructs

OBJECT-TYPE

- To specify the data type, status, and semantics of a managed object
- Four main clauses
  - SYNTAX: specify the basic data type
  - MAX-ACCESS: whether the object can be read & written, created, etc.
  - STATUS: current, deprecated, or obsolete
  - DESCRIPTION: human-readable textual definition

Higher-Level Constructs

MODULE-IDENTITY

- Allows related objects to be grouped together within a "module"
- E.g., RFC 2012 defines the MIB module for TCP, RFC 2013 defines the MIB module for UDP, RFC 2021 defines the MIB module for RMON

MIB: Management Information Base

- A virtual information store, holding managed objects whose values collectively reflect the current "state" of the network.
- The values may be queried and/or set by a managing entity using SNMP messages.
- Managed objects are specified using the OBJECT-TYPE SMI construct, and gathered into MIB modules using the MODULE-IDENTITY construct.

Object Identifier Tree

- The root of the tree is unnamed; its children are ccitt(0), iso(1) and joint-iso-ccitt(2), and everything SNMP uses hangs under iso(1)
- Example: the Object ID of tcp is 1.3.6.1.2.1.6, i.e. iso(1).org(3).dod(6).internet(1).mgmt(2).mib-2(1).tcp(6)

Object Identifier Tree

- MIB objects are identified as on the previous slide
- Tree can be arbitrarily deep
- MIB-2 defined with 10 groups
  - System, interfaces, address translation, IP, ICMP, TCP, UDP, EGP, transmission, SNMP
- Later added 13 more groups (extensions)
- A group can contain many objects, and these objects can be of "constructed" type

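The lexicographic order that Get-Next relies on (SNMP Commands slide) and that walks the tree described on the two Object Identifier Tree slides is numeric per sub-identifier, not text order: 1.3.6.1.2.1.2.2.1.2 (ifDescr) comes before 1.3.6.1.2.1.2.2.1.10 (ifInOctets) even though "10" sorts before "2" as a string. The toy agent below is an added example written for this page, not course code; its MIB contents are constructed, using real MIB-2 object identifiers. It serves Get and Get-Next and walks a subtree until the returned OID leaves it, returning noSuchName (error status 2) when a walk runs off the end of the MIB.

```python
# Added example (not from the slides): a toy agent MIB with Get-Next and a walk.
from bisect import bisect_right

# Constructed instance table, OID string -> value, keyed by real MIB-2 OIDs.
SAMPLE_MIB = {
    "1.3.6.1.2.1.1.1.0": "Constructed router sysDescr",   # system.sysDescr.0
    "1.3.6.1.2.1.1.3.0": 123456,                           # system.sysUpTime.0
    "1.3.6.1.2.1.2.1.0": 2,                                # interfaces.ifNumber.0
    "1.3.6.1.2.1.2.2.1.2.1": "eth0",                       # ifDescr.1
    "1.3.6.1.2.1.2.2.1.2.2": "eth1",                       # ifDescr.2
    "1.3.6.1.2.1.2.2.1.10.1": 9000,                        # ifInOctets.1
    "1.3.6.1.2.1.2.2.1.10.2": 12000,                       # ifInOctets.2
    "1.3.6.1.2.1.6.4.0": 5,                                # tcp.tcpMaxConn.0
}
NO_ERROR, NO_SUCH_NAME = 0, 2   # SNMPv1 error-status codes

def oid_key(oid: str) -> tuple:
    """Tuple of ints: Python compares tuples element-wise, which is exactly
    the SNMP lexicographic order (a prefix sorts before its extensions)."""
    return tuple(int(x) for x in oid.split("."))

class ToyAgent:
    def __init__(self, mib: dict):
        self.objects = sorted(mib, key=oid_key)          # numeric order, not str order
        self.keys = [oid_key(o) for o in self.objects]
        self.values = dict(mib)

    def get(self, oid: str):
        """Get-Request: exact instance only."""
        if oid not in self.values:
            return NO_SUCH_NAME, None, None
        return NO_ERROR, oid, self.values[oid]

    def get_next(self, oid: str):
        """Get-Next-Request: smallest instance strictly greater than oid.
        oid itself need not exist; a walk usually starts at a subtree root."""
        i = bisect_right(self.keys, oid_key(oid))
        if i == len(self.keys):
            return NO_SUCH_NAME, None, None          # ran off the end of the MIB
        nxt = self.objects[i]
        return NO_ERROR, nxt, self.values[nxt]

def walk(agent: ToyAgent, root: str) -> list:
    """Repeat Get-Next until the error status is set or the returned OID is
    no longer under root; that is what 'snmpwalk' does on the wire."""
    out, cur, prefix = [], root, oid_key(root)
    while True:
        status, oid, val = agent.get_next(cur)
        if status != NO_ERROR or oid_key(oid)[:len(prefix)] != prefix:
            return out
        out.append((oid, val))
        cur = oid

if __name__ == "__main__":
    agent = ToyAgent(SAMPLE_MIB)
    for oid, val in walk(agent, "1.3.6.1.2.1.2.2.1"):   # ifTable entries
        print(oid, "=", val)
    print("string order would give:", sorted(SAMPLE_MIB)[3])
```

Walking the ifTable root yields ifDescr.1, ifDescr.2, ifInOctets.1, ifInOctets.2 in that order; a manager that sorted OIDs as strings would visit ifInOctets first and terminate the walk early.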
Proprietary MIBs and RMON

- If there are not enough groups in MIB-2, a vendor can create a proprietary MIB
  - Proprietary MIBs are listed under enterprises
  - enterprises(1) is a sub-node of private(4), so vendor trees start at 1.3.6.1.4.1.<vendor number>
- RMON
  - Remote Monitoring standard
  - An extension of MIB-2
  - Deals with traffic on a network segment

Security

- We mentioned previously the SNMP method of authentication
  - A community name acts like a password
  - More than one management station may have access
- Authorization is also a concern
  - Assuming that you have access...
  - ...then what are you allowed to do?

Security

SNMP security features:

- Authentication
  - Community name
- Authorization (rights)
  - SNMP access mode: read-only or read-write
  - MIB view: the subset of objects (Object 1, Object 2, ..., Object N) the community may see
  - MIB access, per object from its definition: read-only, read-write, write-only, not-accessible

SNMP community profile = access mode + MIB view

- Access mode specifies the type of access
- MIB view specifies whether an object can be accessed at all

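The community profile above, as the check an agent runs on each request. This is an added example written for this page, not course code: the two community profiles and the per-object access table are constructed, using a few real MIB-2 objects. It shows the two layers combining: the community's access mode and MIB view, then the object's own MAX-ACCESS. In SNMPv1 every denial comes back as noSuchName (error status 2), whether the object is outside the view or simply not writable, and a message with an unknown community gets no response at all (only an authenticationFailure trap, if the agent sends one).

```python
# Added example (not from the slides): SNMPv1 community-profile authorization.

# Per-object access from the MIB definitions (MAX-ACCESS); constructed subset.
OBJECT_ACCESS = {
    "1.3.6.1.2.1.1.1.0": "read-only",       # sysDescr.0
    "1.3.6.1.2.1.1.5.0": "read-write",      # sysName.0
    "1.3.6.1.2.1.1.6.0": "read-write",      # sysLocation.0
    "1.3.6.1.2.1.2.2.1.7.1": "read-write",  # ifAdminStatus.1
    "1.3.6.1.2.1.2.2.1.10.1": "read-only",  # ifInOctets.1
}

# Community profiles: access mode plus MIB view (a list of subtree roots).
# Constructed; "public"/"private" are only the conventional default names.
COMMUNITIES = {
    "public":  {"mode": "read-only",  "view": ["1.3.6.1.2.1.1"]},
    "private": {"mode": "read-write", "view": ["1.3.6.1.2.1.1", "1.3.6.1.2.1.2"]},
}
NO_ERROR, NO_SUCH_NAME = 0, 2

def in_view(oid: str, view: list) -> bool:
    """An OID is in the view if some view root is a prefix of it (by sub-id)."""
    parts = oid.split(".")
    return any(parts[:len(r.split("."))] == r.split(".") for r in view)

def authorize(community: str, op: str, oid: str):
    """Return the SNMPv1 error-status for a 'get' or 'set' on oid, or None
    when the community is unknown and the message must be dropped silently."""
    profile = COMMUNITIES.get(community)
    if profile is None:
        return None                                   # authentication failed
    if not in_view(oid, profile["view"]) or oid not in OBJECT_ACCESS:
        return NO_SUCH_NAME                           # outside the MIB view
    access = OBJECT_ACCESS[oid]
    if op == "get":
        return NO_ERROR if access in ("read-only", "read-write") else NO_SUCH_NAME
    if op == "set":
        if profile["mode"] != "read-write":           # community may not write
            return NO_SUCH_NAME
        if access not in ("read-write", "write-only"):  # object is not writable
            return NO_SUCH_NAME
        return NO_ERROR
    raise ValueError("unknown operation: " + op)

if __name__ == "__main__":
    checks = [("public", "get", "1.3.6.1.2.1.1.1.0"),
              ("public", "set", "1.3.6.1.2.1.1.5.0"),
              ("private", "set", "1.3.6.1.2.1.1.5.0"),
              ("private", "set", "1.3.6.1.2.1.1.1.0"),
              ("public", "get", "1.3.6.1.2.1.2.2.1.10.1"),
              ("guess", "get", "1.3.6.1.2.1.1.1.0")]
    for community, op, oid in checks:
        print(community, op, oid, "->", authorize(community, op, oid))
```

A practical consequence of the single noSuchName code: a Set-Request that "fails with noSuchName" may mean the object does not exist, is outside the view, or the community is read-only, so an agent's response alone does not reveal which check blocked it.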
SNMPv3

- SNMPv3 can be thought of as SNMPv2 with additional security and administration capabilities.
- SNMP applications
  - Command generator: generates GetRequest, GetNextRequest, SetRequest, etc.
  - Notification generator: generates Traps
  - Proxy forwarder: forwards requests, notifications, and responses

SNMPv3

- A PDU sent by an SNMP application next passes through the SNMP engine.
- A security module is provided by SNMPv3
  - User-based Security Model (USM): RFC 3414
    - Encryption (privacy)
    - Authentication (HMAC over the whole message with a key localized to the agent's engine ID)
    - Protection against replay attacks (engine boots / engine time window): RFC 3414
  - Access control: View-based Access Control Model (VACM), RFC 3415

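The USM pieces the slide lists, as working code: the RFC 3414 password-to-key stretching, key localization to the authoritative engine, HMAC-96 authentication, and the timeliness check that defeats replay. This is an added example written for this page, not course code or any SNMP library's implementation. The password "maplesyrup" and engine ID 000000000000000000000002 (hex) are the test vector from the RFC 3414 appendix; the message bytes and clock values are constructed (the "message" is not real BER), and the timeliness check is the simplified receiver-side rule (matching engine boots, time within 150 seconds).

```python
# Added example (not from the slides): RFC 3414 USM key derivation, HMAC-96
# authentication and replay protection, using only the standard library.
import hashlib
import hmac

ONE_MEGABYTE = 1048576
TIME_WINDOW = 150            # seconds of allowed skew, RFC 3414 section 2.2.3
AUTH_PARAM_LEN = 12          # HMAC-96 truncation for both the MD5 and SHA-1 variants

def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Ku: hash of the password repeated until exactly 1,048,576 bytes are
    consumed. The stretching is what slows dictionary attacks on captured packets."""
    stream = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    return hashlib.new(hash_name, stream).digest()

def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): one password, a different key per agent,
    so a key recovered from one device does not work against the others."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def auth_param(kul: bytes, msg_with_zeroed_param: bytes, hash_name: str) -> bytes:
    """HMAC-96: first 12 bytes of the HMAC over the whole message, computed with
    the msgAuthenticationParameters field set to 12 zero bytes."""
    return hmac.new(kul, msg_with_zeroed_param, hash_name).digest()[:AUTH_PARAM_LEN]

def sign(kul: bytes, head: bytes, tail: bytes, hash_name: str) -> bytes:
    """Assemble head | authParam | tail, where head and tail are the message
    bytes before and after the 12-byte parameter field."""
    param = auth_param(kul, head + bytes(AUTH_PARAM_LEN) + tail, hash_name)
    return head + param + tail

def verify(kul: bytes, msg: bytes, param_offset: int, hash_name: str) -> bool:
    """Zero the field at param_offset, recompute, and compare in constant time."""
    received = msg[param_offset:param_offset + AUTH_PARAM_LEN]
    zeroed = msg[:param_offset] + bytes(AUTH_PARAM_LEN) + msg[param_offset + AUTH_PARAM_LEN:]
    return hmac.compare_digest(auth_param(kul, zeroed, hash_name), received)

def timely(engine_boots: int, engine_time: int, msg_boots: int, msg_time: int) -> bool:
    """Simplified receiver rule: the message must carry the authoritative engine's
    current boot count and a time within 150 s of its clock. A packet replayed
    minutes later is rejected even though its HMAC is still valid."""
    return engine_boots == msg_boots and abs(engine_time - msg_time) <= TIME_WINDOW

if __name__ == "__main__":
    engine_id = bytes.fromhex("000000000000000000000002")   # RFC 3414 A.3 vector
    ku = password_to_key(b"maplesyrup", "md5")
    kul = localize_key(ku, engine_id, "md5")
    print("Ku ", ku.hex())
    print("Kul", kul.hex())
    head, tail = b"constructed-v3-header:", b":constructed-scopedPDU"  # not real BER
    msg = sign(kul, head, tail, "md5")
    print("verify ok      ", verify(kul, msg, len(head), "md5"))
    print("verify tampered", verify(kul, msg[:-1] + b"X", len(head), "md5"))
    print("replay rejected", not timely(7, 5000, 7, 4000))
```

Two things worth noticing when running it: Ku is the same on every device that shares the password, but Kul differs per engine ID, which is why USM stores only localized keys on agents; and the HMAC covers the engine boots and time fields, so an attacker cannot simply patch a fresh timestamp into a captured packet.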