Management Architecture and Standards

Download Report

Transcript Management Architecture and Standards

Management Architecture and Standards II IACT 418 IACT 918 Corporate Network Planning Gene Awyzio Spring 2001

SNMP - the Management Protocol Used for TCP/IP SNMP includes the following key capabilities:  Get   Set Trap The standards do not specify  The number of management stations  The ratio of management stations to agents

SNMP - the Management Protocol Used for TCP/IP In general, it is prudent to have at least two systems capable of performing the management station functions As SNMP is simple it can handle many agents SNMP is designed to be an application-level protocol that is part of the TCP/IP protocol suite which operates over the user datagram protocol (UDP)

SNMP - the Management Protocol Used for TCP/IP

SNMP - the Management Protocol Used for TCP/IP

SNMP - the Management Protocol Used for TCP/IP From a management station, three types of SNMP messages are issued on behalf of a management application:    GetRequest GetNextRequest SetRequest

SNMP - the Management Protocol Used for TCP/IP The first two are two variations of the get function All three messages are acknowledged by the agent in the form of a GetResponse message, which is passed up to the management application

SNMP - the Management Protocol Used for TCP/IP An agent may issue a trap message in response to an event that affects the MIB and the underlying managed resources - this is received by the manager SNMP relies on UDP, which is connectionless so SNMP is itself connectionless ie each exchange is a separate transaction between a management station and an agent

Trap - Directed Polling Preferred strategy is:    A management station can poll all of the agents it knows for some key information Once the baseline is established, the management station refrains from polling Each agent is responsible for notifying the management station of any unusual event

Trap - Directed Polling These events are communicated in SNMP messages known as traps Once a management station is alerted to an exception condition, it chooses to take the appropriate action

Trap - Directed Polling Trap-directed polling can result in substantial savings of   Network capacity Agent processing time Reduces unnecessary polling of agents by managers thus reducing management induced network traffic

Limitations of SNMP SNMP may not be suitable for the management of very large networks  Each agent needs to be polled and generates trap traffic  SNMP is not suited to retrieving large volumes of data such as a entire routing table SNMP traps are unacknowledged meaning the agent generating the trap does not know if the manager received it

Limitations of SNMP Basic SNMP standard only provides trivial authentication SNMP does not directly support imperative commands with parameters, conditions, status and results

Limitations of SNMP SNMP MIB model is limited not supporting sophisticated management queries based on object values or types SNMP does not support manager to manager communications ie no mechanism for one manager to find out about another network managers, managed network elements

SNMPv2 :1991/1992 Networks grow larger and larger  SNMPv1 became more and more inadequate  OSI implementations and standardization were still not ready Network managers recognised this, so the call went out for an extension to SNMP  in the mean time till OSI’s CMIP became available

SNMPv2 :1991/1992 One major flaw  SNMPv1 did not have any security facilities For this reason SNMPv1 network human managers often disabled the ‘set’ PDU crippling the network management facility

Adding Security To address this problem a set of RFC’s called ‘secure SNMP’ was issued as proposed in July 1992  secure SNMP did not address other deficiencies related to performance and functionality of SNMPv1 SMP was also issued in July 1992 as a set of 8 documents, they were not RFC’s  They constituted a private proposal to the internet community to upgrade SNMPv1

SMP The proposed extensions defined in SMP fell into three categories    Scope Size, speed, and efficiency Security and privacy

SMP and Secure SNMP The ‘Internet community’ came to the consensus that there should be a second generation SNMP that would   include both security and functional enhancements enable users and vendors to make a smooth transition from SNMPv1 to what becomes known as SNMPv2

Adding Security Two working groups were formed:   one for security aspects one for all other aspects such as protocol and management information Work began in October 1992 to be completed March 1993, but was completed by end of 1992

Adding Security The work of the two groups was combined and published as proposed internet standards in March 1993 SNMPv2 was revised in 1996 by an IETF task Force  New RFC’s contained no security!

The rest of the standard experienced minor changes

Community The standard SNMPv2 makes use of the SNMPv1 message wrapper, with its use of the community concept  This “administrative framework” for SNMPv2 is termed “community based snmpv2” or SNMPv2c

Community In SNMPv1 an SNMP community is a relationship between   A SNMP agent A set of SNMP managers That defines authentication, access control, and proxy characteristics

Community In SNMPv1  Communities are defined locally within the agent  Each community is given a unique (within the agent) community name   The management station must keep track of and store all the community names of each of its managed agents  The management stations within the community are provided with and must use this community name in all set and get operations with this agent There is no reason why the same name may not be used by different agents - as the agent uses this name locally

Community The SNMPv2 message is wrapped with a PDU in a SNMPv1 format   including a version number A community name

What Happened to the Security? Little enthusiasm among vendors and users for the way in which security was specified in the 1993 documents When the work began on the 1996 documents, it was hoped that some minor tune-ups to the security portion would suffice As the effort was nearing completion it was shown that the security portion of snmpv2 was fatally flawed!

What Happened to the Security? To make a long story short, there was an extension of the deadline for completing the new snmpv2 documents to allow time for a new consensus to develop on a new security specification  Deadlock occurred    No consensus reached Time ran out Then the plug was pulled on the process and the new snmpv2 was issued without security enhancements

What Happened to the Security? This decision had the advantage of solidifying the specification of the many functional enhancements found in snmpv2, but leads onto the need for another version of SNMP (version 3)

Standards

RFC 1901 1902 1903 1904 1905 1906 1907 1908 Title

Introduction to community-based SNMPv2 Structure of management information for SNMPv2 Textual conventions for SNMPv2 Conformance statements for SNMPv2 Protocol operations for SNMPv2 Transport mappings for SNMPv2 Management information base for SNMPv2 Coexistence between version 1 and version 2 of the internet-standard network management framework

SNMPv2 Enhancements An overall change implemented in SNMPv2 is that it can support either a highly centralized network management strategy or a distributed one For distributed some systems can operate as both a manager and a agent

SNMPv2 Enhancements For a system acting in dual modes of agent and manager it:   accepts commands from a superior management system it can also issue trap messages to the superior manager

SNMPv2 Enhancements The key enhancements to SNMP that are provided in SNMPv2 fall into the following categories:    Structure of management information (SMI) Manager-to-manager capability Protocol operations

SNMPv2 Protocol operations enhancements (over SNMPv1) The most noticeable change in protocol operations is the inclusion of two new PDUs:  GetBulkRequest PDU : enables the manager to retrieve large blocks of data efficiently --- it is well suited to retrieving multiple rows in a table eg routing table.

 InformRequest PDU : enables one manager to send trap type of information to another manager.

SNMPv1 and SNMPv2 coexistence SNMPv2 was designed to co-exist with SNMPv1 This involved two areas of the standards:  management information  protocol operations protocol operations  Two approaches are described in the standard:   use of proxy agents use of bilingual managers

For the proxy agent:

For the proxy agent: The main point here is that GetBulkRequest is converted to a GetNextRequest with only the first “row” of the table or variables being accessible (but the device is SNMPv1 enabled so its expecting that this is the norm)

For the bilingual manager:

For the bilingual manager: This setup requires the manager to be able to handle both protocols and manager SNMPv1 and SNMPv2 agents While SNMPv2 provided enhancements in functionality, especially in the manager to manager functions, the lack of security still inhibits the secure use of SNMP on managed networks.