SNMP V2 & V3
W.lilakiatsakun
2010079141616 Yn

SNMP V2 Protocol
• RFC 3416
• 3 types of access to management information
  – Manager–agent request-response
  – Manager–manager request-response: new in SNMPv2, not available in SNMPv1
  – Agent–manager unconfirmed (trap)

SNMP V2 Message Structure (figure)

SNMPv2 PDU Formats (figure)

PDU Details (1)
• request-id: a unique number assigned to each outstanding request to the same agent, so that responses can be matched to requests
• error-status: a non-zero value indicates that an exception occurred
• error-index: when error-status is non-zero, error-index identifies which variable binding (counted from 1) caused the error

PDU Details (2)
• variable-bindings: this field enables a single operation to be applied to a group of object instances
  – The first element of each binding is an OID (Object Identifier)
  – The second element can be
    • Value – the value associated with the object instance
    • unSpecified – a NULL value, used in retrieval requests
    • noSuchObject – indicates that the agent does not implement the object referred to by this OID
    • noSuchInstance – indicates that this object instance does not exist for this operation
    • endOfMibView – indicates an attempt to reference an OID that is beyond the end of the MIB at the agent

SNMP V2 Operations (figure)

Comparison of SNMPv1 and SNMPv2 PDUs (figure)

Error Status Codes in the Response PDU (figure)

Values in Variable Bindings (figure)

GetRequest PDU
• Same as SNMPv1; it differs only in the way that responses are handled
• The SNMPv1 operation is atomic: if any variable cannot be retrieved, the whole request fails
• SNMPv2 prepares each variable binding according to the following rules
  1. The OID matches no object the agent implements – value is set to noSuchObject
  2. Otherwise, the object exists but this instance does not or is not accessible for the operation – value is set to noSuchInstance
  3. Otherwise, value is set to the value of the variable

GetNextRequest PDU
• Same as SNMPv1; it differs only in the way that responses are handled
• The SNMPv1 operation is atomic
• SNMPv2 processes as many variable bindings as possible, by the following rule
  1. If a lexicographic successor of the requested OID exists, set its name and value in the variable binding
  2. If no lexicographic successor exists, set the value field to endOfMibView

GetBulkRequest PDU (1)
• Its purpose is to minimize the number of protocol exchanges required to retrieve a large amount of management information
• It uses the same selection principle as GetNextRequest, but multiple lexicographic successors can be selected in one request
• 2 additional fields (they take the place of error-status and error-index in the request)
  – non-repeaters: the number of leading variables for which a single successor value is to be returned
  – max-repetitions: the maximum number of successor values to be returned for each of the remaining variables

GetBulkRequest PDU (2) (figure)
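Worked example of the GetRequest, GetNextRequest and GetBulkRequest rules from the preceding slides, added here as an illustration; it is not code from the original slides. It runs against a constructed in-memory MIB with a few system and interface objects: OIDs are Python tuples, whose ordering is exactly the lexicographic order SNMP uses, and the three exception values are plain strings. The bulk_walk helper shows how a manager typically consumes GetBulk responses and is an assumption about manager behaviour, not something RFC 3416 prescribes.

```python
from bisect import bisect_right

# Constructed toy MIB for the example (not a real agent). Keys are OID tuples; Python
# compares tuples element by element, which is exactly SNMP's lexicographic OID order.
OBJECT_TYPES = {                       # object types the agent implements (no instance suffix)
    (1, 3, 6, 1, 2, 1, 1, 1),          # sysDescr
    (1, 3, 6, 1, 2, 1, 1, 3),          # sysUpTime
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 2),    # ifDescr
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 8),    # ifOperStatus
}
MIB = {                                # object instances and their values
    (1, 3, 6, 1, 2, 1, 1, 1, 0): b"toy agent",   # sysDescr.0
    (1, 3, 6, 1, 2, 1, 1, 3, 0): 12345,          # sysUpTime.0
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 2, 1): b"eth0",  # ifDescr.1
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 2, 2): b"eth1",  # ifDescr.2
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 8, 1): 1,        # ifOperStatus.1 (up)
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 8, 2): 2,        # ifOperStatus.2 (down)
}
SORTED_OIDS = sorted(MIB)

# SNMPv2 exception values; on the wire they are context-specific tags [0], [1], [2] in the value slot.
NO_SUCH_OBJECT, NO_SUCH_INSTANCE, END_OF_MIB_VIEW = "noSuchObject", "noSuchInstance", "endOfMibView"


def get(oid):
    """GetRequest rule for one binding: value, noSuchInstance or noSuchObject (never a PDU-level error)."""
    if oid in MIB:
        return MIB[oid]
    if any(oid[:len(obj)] == obj for obj in OBJECT_TYPES):
        return NO_SUCH_INSTANCE      # the object type exists, this instance does not
    return NO_SUCH_OBJECT            # no implemented object has this OID as a prefix


def get_next(oid):
    """GetNextRequest rule: (name, value) of the lexicographic successor, or endOfMibView."""
    i = bisect_right(SORTED_OIDS, oid)
    if i < len(SORTED_OIDS):
        return SORTED_OIDS[i], MIB[SORTED_OIDS[i]]
    return oid, END_OF_MIB_VIEW      # RFC 3416: name is left as requested, value flags the end


def get_bulk(oids, non_repeaters, max_repetitions):
    """GetBulkRequest: the first N bindings get one successor each; the remaining R bindings get up
    to M successors each, interleaved per repetition, i.e. at most N + M*R bindings in the Response."""
    n = min(max(non_repeaters, 0), len(oids))
    out = [get_next(oid) for oid in oids[:n]]
    current = list(oids[n:])
    for _ in range(max(max_repetitions, 0)):
        if not current:
            break
        step = [get_next(oid) for oid in current]
        out.extend(step)
        current = [name for name, _ in step]
        if all(value == END_OF_MIB_VIEW for _, value in step):
            break                    # RFC 3416 lets the agent stop early once every column is exhausted
    return out


def bulk_walk(subtree, max_repetitions=10):
    """Manager side: walk one subtree with GetBulk, stopping at endOfMibView or when the
    returned names leave the subtree (GetBulk happily runs past the end of a column)."""
    result, current = [], subtree
    while True:
        bindings = get_bulk([current], 0, max_repetitions)
        for name, value in bindings:
            if value == END_OF_MIB_VIEW or name[:len(subtree)] != subtree:
                return result
            result.append((name, value))
        if not bindings or bindings[-1][0] <= current:
            return result            # guard: a broken agent that does not advance would loop forever
        current = bindings[-1][0]
```

The interleaving matters when reading the result: with one non-repeater and two repeating columns, the Response lays out the non-repeater, then row 1 of both columns, then row 2, and so on, and the last repetitions may already be past the table or endOfMibView. A manager has to check both conditions, which is what bulk_walk does.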

SetRequest PDU
• The structure is the same as in SNMPv1
• The SetRequest operation is atomic in both SNMPv1 and SNMPv2: either all variable bindings are updated or none is

SNMPv2-Trap PDU
• The format is different from the SNMPv1 Trap PDU
• It uses the same format as the GetRequest PDU
• The variable-bindings field carries
  – sysUpTime.0
  – snmpTrapOID.0
  – if the OBJECTS clause is present in the NOTIFICATION-TYPE macro, each listed variable and its value are copied into the variable bindings

InformRequest PDU
• New PDU type in SNMPv2
• Manager-to-manager operation (in RFC 3416 terms, sent by a notification originator to a notification receiver)
• Acknowledged by the receiver with a Response PDU, unlike a trap

SNMPv2 MIB (1)
• System Group: includes MIB objects for Object Resources
  – sysORLastChange
  – sysORTable

SNMPv2 MIB (2)
System Group of SNMPv2 (figure)

SNMPv2 MIB (3) (figure)

Revised SNMP Group (figure)

SNMPv2 MIB (4)
• MIB Objects Group
  – snmpTrap
    • snmpTrapOID: OID of the trap or notification currently being sent
    • snmpTrapEnterprise: OID of the enterprise associated with the trap currently being sent

SNMPv2 MIB (5)
  – snmpSet
    • snmpSerialNo: TestAndIncr (INTEGER 0..2147483647)
    • If the agent receives a set operation for this object with a value equal to its current value K, the set succeeds and the value becomes (K+1) mod 2^31
    • If the agent receives a set operation for this object with a value not equal to K, the operation fails with an error of inconsistentValue
    • Purpose: to coordinate multiple managers using the same agent; a manager includes snmpSerialNo in its SetRequest so that a stale update racing with another manager is rejected
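Added example (not from the slides) of the two properties just described: the atomic SetRequest of the previous slide and the snmpSerialNo TestAndIncr check, in a toy Python command responder with three constructed objects. The error-status codes are the RFC 3416 values; the ToyAgent class, its MIB contents and the two-manager scenario are assumptions made for the demonstration.

```python
# RFC 3416 error-status values used below
NO_ERROR, INCONSISTENT_VALUE, NOT_WRITABLE = 0, 12, 17

# Constructed objects for the toy agent
SNMP_SERIAL_NO = (1, 3, 6, 1, 6, 3, 1, 1, 6, 1, 0)  # snmpSet group: snmpSerialNo.0 (TestAndIncr)
SYS_CONTACT = (1, 3, 6, 1, 2, 1, 1, 4, 0)            # sysContact.0, read-write
SYS_UPTIME = (1, 3, 6, 1, 2, 1, 1, 3, 0)             # sysUpTime.0, read-only


class ToyAgent:
    """Minimal command responder: just enough to show atomic Set and TestAndIncr semantics."""

    def __init__(self):
        self.mib = {SNMP_SERIAL_NO: 0, SYS_CONTACT: b"", SYS_UPTIME: 4242}
        self.writable = {SNMP_SERIAL_NO, SYS_CONTACT}

    def get(self, oid):
        return self.mib[oid]

    def set(self, varbinds):
        """Process a SetRequest atomically: validate every binding first, commit only if all pass.
        Returns (error-status, error-index); error-index counts bindings from 1, as in the PDU."""
        for index, (oid, value) in enumerate(varbinds, start=1):
            if oid not in self.writable:
                return NOT_WRITABLE, index
            if oid == SNMP_SERIAL_NO and value != self.mib[oid]:
                return INCONSISTENT_VALUE, index   # TestAndIncr: the supplied K must equal the current value
        for oid, value in varbinds:                # commit phase: nothing above failed
            if oid == SNMP_SERIAL_NO:
                self.mib[oid] = (value + 1) % 2 ** 31   # becomes K+1 mod 2^31
            else:
                self.mib[oid] = value
        return NO_ERROR, 0


def two_managers_race(agent):
    """Both managers read snmpSerialNo = K, then both try to set sysContact guarded by K.
    Returns the two (error-status, error-index) results and the surviving sysContact value."""
    k = agent.get(SNMP_SERIAL_NO)                  # manager 1 and manager 2 both read K
    first = agent.set([(SNMP_SERIAL_NO, k), (SYS_CONTACT, b"noc@manager1")])
    second = agent.set([(SNMP_SERIAL_NO, k), (SYS_CONTACT, b"noc@manager2")])  # stale K
    return first, second, agent.get(SYS_CONTACT)
```

Without the snmpSerialNo binding the second manager's write would silently overwrite the first; with it, the agent rejects the stale Set with inconsistentValue at error-index 1 and, because Set is atomic, leaves sysContact untouched. A Set that also touches a read-only object (sysUpTime.0 here) fails with notWritable and nothing in the request is applied, not even the bindings that were valid.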

SNMPv2 MIB (6)
• Interfaces Group in RFC 1573: extension of the interfaces group in MIB-II
  – ifXTable (Extension Table)
  – ifStackTable (Stack Table)
  – ifTestTable (Test Table)
  – ifRcvAddressTable (Receive Address Table)

SNMPv2 MIB (7)
• ifXTable
  – This table contains objects that have been added to the Interfaces MIB as a result of the Interface Evolution effort, or replacements for objects of the original MIB-II ifTable that were deprecated because the semantics of those objects have significantly changed.

SNMPv2 MIB (8)
• ifStackTable
  – This table contains objects that define the relationships among the sub-layers of an interface.
• ifTestTable
  – This table contains objects that are used to perform tests on interfaces.
  – This table is a generic table. The designers of media-specific MIBs must define exactly how this table applies to their specific MIB.

SNMPv2 MIB (9)
• ifRcvAddressTable
  – This table contains objects that are used to define the media-level addresses which this interface will receive.
  – This table is a generic table. The designers of media-specific MIBs must define exactly how this table applies to their specific MIB.

SNMP V3
W.lilakiatsakun

SNMP v3 Goals (1)
• Use existing materials as much as possible.
  – It is heavily based on previous work, informally known as SNMPv2u and SNMPv2*, based in turn on SNMPv2p.
• Address the need for secure SET support, which is considered the most important deficiency in SNMPv1 and SNMPv2c.
• Make it possible to move portions of the architecture forward in the standards track, even if consensus has not been reached on all pieces.
• Define an architecture that allows for longevity of the SNMP Frameworks that have been and will be defined.

SNMP v3 Goals (2)
• Keep SNMP as simple as possible.
• Make it relatively inexpensive to deploy a minimal conforming implementation.
• Make it possible to upgrade portions of SNMP as new approaches become available, without disrupting an entire SNMP framework.
• Make it possible to support features required in large networks, but make the expense of supporting a feature directly related to the support of the feature.

Security Requirements (1)
• Modification of Information
  – Some unauthorized entity may alter in-transit SNMP messages generated on behalf of an authorized principal in such a way as to effect unauthorized management operations, including falsifying the value of an object.
• Masquerade
  – Management operations not authorized for some principal may be attempted by assuming the identity of another principal that has the appropriate authorizations.

Security Requirements (2)
• Message Stream Modification
  – Messages may be maliciously re-ordered, delayed or replayed to an extent which is greater than can occur through the natural operation of a subnetwork service, in order to effect unauthorized management operations.
• Disclosure
  – Eavesdropping on the exchanges between SNMP engines.
  – Protecting against this threat may be required as a matter of local policy.

Not in the Security Requirements
• Denial of Service
  – Indeed, such denial of service attacks are in many cases indistinguishable from the type of network failures with which any viable management protocol must cope as a matter of course.
• Traffic Analysis
  – Many traffic patterns are predictable: entities may be managed on a regular basis by a relatively small number of management stations, and therefore there is no significant advantage afforded by protecting against traffic analysis.

SNMP Entity (figure)

SNMP engine
• An SNMP engine provides services for sending and receiving messages, authenticating and encrypting messages, and controlling access to managed objects. It consists of
  – a Dispatcher
  – a Message Processing Subsystem
  – a Security Subsystem
  – an Access Control Subsystem

Dispatcher
• It allows for concurrent support of multiple versions of SNMP messages in the SNMP engine.
• It does so by:
  – sending and receiving SNMP messages to/from the network,
  – determining the version of an SNMP message and interacting with the corresponding Message Processing Model,
  – providing an abstract interface to SNMP applications for delivery of a PDU to an application,
  – providing an abstract interface for SNMP applications that allows them to send a PDU to a remote SNMP entity.

Message Processing Subsystem
• The Message Processing Subsystem is responsible for preparing messages for sending, and extracting data from received messages.

Security Subsystem
• The Security Subsystem provides security services such as the authentication and privacy of messages and potentially contains multiple Security Models (*)
  * User-based Security Model (RFC 3414)

Access Control Subsystem
• The Access Control Subsystem provides authorization services by means of one or more (*) Access Control Models.
  * View-based Access Control Model (RFC 3415)

Application
• There are several types of applications, including:
  – Command generators, which monitor and manipulate management data
  – Command responders, which provide access to management data
  – Notification originators, which initiate asynchronous messages
  – Notification receivers, which process asynchronous messages, and
  – Proxy forwarders, which forward messages between entities.

SNMP Manager
• An SNMP entity containing one or more command generator and/or notification receiver applications (along with their associated SNMP engine) has traditionally been called an SNMP manager

SNMP Traditional Manager (figure)

SNMP Agent
• An SNMP entity containing one or more command responder and/or notification originator applications (along with their associated SNMP engine) has traditionally been called an SNMP agent

SNMP Traditional Agent (figure)

SNMP Process (figure)

SNMP Security Function (1)
• User-based Security Model (RFC 3414)
  – Encryption: DES (Data Encryption Standard) in CBC (Cipher Block Chaining) mode, keyed from the user's localized privacy key. DES is no longer considered strong; RFC 3826 later added AES-128 (CFB mode) to USM, and that is what should be deployed today.
  – Authentication: combine the use of a hash function with a secret key to provide both authentication and protection against tampering: HMAC (keyed-Hash Message Authentication Code) [RFC 2104], used as HMAC-MD5-96 or HMAC-SHA-96. The MAC is computed over the whole message and truncated to 12 bytes, which are carried in msgAuthenticationParameters.
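Added example (not code from the slides) of the USM authentication mechanics on this slide, together with the engineBoots/engineTime timeliness check that the next slide describes as a nonce. It implements RFC 3414's password-to-key and key localization steps, the truncated HMAC over a message whose msgAuthenticationParameters field has been zeroed, and the 150-second acceptance window. The message bytes are constructed stand-ins for a BER-encoded SNMPv3 message; the password "maplesyrup" and the 12-byte engine ID are the RFC 3414 Appendix A test inputs.

```python
import hashlib
import hmac

TAG_LEN = 12            # HMAC-MD5-96 / HMAC-SHA-96 carry the first 12 bytes of the MAC
TIME_WINDOW = 150       # seconds; RFC 3414 section 3.2 step 7
MAX_BOOTS = 2147483647  # an engine at this value must refuse to operate until reconfigured


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: digest 1,048,576 bytes of the password repeated cyclically -> Ku."""
    repeated = (password * (1048576 // len(password) + 1))[:1048576]
    return hashlib.new(hash_name, repeated).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the same password gives every agent a different key,
    so a key recovered from one compromised agent does not work against the others."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_tag(kul: bytes, whole_msg_zeroed: bytes, hash_name: str) -> bytes:
    """MAC over the entire message with msgAuthenticationParameters set to 12 zero bytes."""
    return hmac.new(kul, whole_msg_zeroed, hash_name).digest()[:TAG_LEN]


def sign_message(kul: bytes, before: bytes, after: bytes, hash_name: str) -> bytes:
    """Sender: compute the tag over the zero-filled placeholder, then splice it into the message."""
    tag = auth_tag(kul, before + bytes(TAG_LEN) + after, hash_name)
    return before + tag + after


def verify_message(kul: bytes, msg: bytes, tag_offset: int, hash_name: str) -> bool:
    """Receiver: pull the tag out, zero the field, recompute, compare in constant time."""
    received = msg[tag_offset:tag_offset + TAG_LEN]
    zeroed = msg[:tag_offset] + bytes(TAG_LEN) + msg[tag_offset + TAG_LEN:]
    return hmac.compare_digest(auth_tag(kul, zeroed, hash_name), received)


def is_timely(local_boots: int, local_time: int, msg_boots: int, msg_time: int) -> bool:
    """Authoritative receiver's replay check: same boot count and within the 150 s window.
    A replayed message fails once the window has passed; a message captured before a
    reboot fails because snmpEngineBoots has moved on."""
    if local_boots == MAX_BOOTS:
        return False
    return msg_boots == local_boots and abs(local_time - msg_time) <= TIME_WINDOW


# RFC 3414 Appendix A inputs: password "maplesyrup", snmpEngineID 00 00 00 00 00 00 00 00 00 00 00 02
PASSWORD = b"maplesyrup"
ENGINE_ID = bytes(11) + b"\x02"

# Constructed stand-in for a BER-encoded SNMPv3 message, split around msgAuthenticationParameters
MSG_BEFORE = b"\x30\x81\x00 msgVersion=3 msgGlobalData usmSecurityParameters:"
MSG_AFTER = b":msgPrivacyParameters scopedPDU{ contextEngineID contextName GetRequest }"


def demo():
    """Sign, verify, detect a one-bit tamper, and apply the timeliness check."""
    kul = localize_key(password_to_key(PASSWORD, "sha1"), ENGINE_ID, "sha1")
    msg = sign_message(kul, MSG_BEFORE, MSG_AFTER, "sha1")
    tampered = bytearray(msg)
    tampered[-1] ^= 0x01                       # flip one bit inside the scoped PDU
    return {
        "kul_hex": kul.hex(),
        "ok": verify_message(kul, msg, len(MSG_BEFORE), "sha1"),
        "tampered_ok": verify_message(kul, bytes(tampered), len(MSG_BEFORE), "sha1"),
        "fresh": is_timely(7, 1000, 7, 1100),
        "stale": is_timely(7, 1000, 7, 700),
        "before_reboot": is_timely(8, 20, 7, 99999),
    }
```

Two details here are where implementations go wrong: the MAC must be computed with the authentication parameters field zeroed (the tag cannot cover itself), and the comparison must be constant-time, which is why hmac.compare_digest is used rather than ==. The key localization is also why an attacker who captures SNMPv3 traffic has to brute-force the password against one specific engine ID at a time.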

SNMP Security Function (2)
• Protection against playback (replay)
  – The receiver requires that the sender include in each message two values from the authoritative engine's clock (for requests, the agent): snmpEngineBoots, a reboot counter, and snmpEngineTime, seconds since the last boot
  – These values function as a nonce: the receiver accepts the message only if the boots value matches its own and the time value is within a 150-second window of its own clock; a non-authoritative sender learns the current values through the discovery/time-synchronization exchange
  – RFC 3414 for details
• Access Control: VACM (View-based Access Control Model) [RFC 3415]
  – It controls which network management information can be queried and/or set by which users (more precisely, by which securityName and group, at which security level)
  – An SNMP entity retains information about access rights and policies in a Local Configuration Datastore (LCD)
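Added example (not from the slides) of how a VACM check against the LCD proceeds, following the RFC 3415 isAccessAllowed steps: securityName to group, group and security level to an access entry, read or write view, then the view-tree family match with its longest-subtree-wins rule and wildcard masks. The tables, users and views below are constructed for the demonstration; a real LCD also carries context names, the notify view and the match-exact/prefix flag, which this toy omits.

```python
# Security levels as RFC 3411 numbers them
NO_AUTH_NO_PRIV, AUTH_NO_PRIV, AUTH_PRIV = 1, 2, 3

# Constructed LCD contents (RFC 3415 tables flattened into dicts)
SECURITY_TO_GROUP = {                      # vacmSecurityToGroupTable: (model, securityName) -> group
    ("usm", "monitor"): "readers",
    ("usm", "netops"): "operators",
}
ACCESS = {                                 # vacmAccessTable: (group, minimum securityLevel) -> (readView, writeView)
    ("readers", AUTH_NO_PRIV): ("sysView", None),
    ("operators", AUTH_PRIV): ("allView", "ifRow2View"),
}
VIEWS = {                                  # vacmViewTreeFamilyTable: view -> [(subtree, mask, included)]
    "sysView": [((1, 3, 6, 1, 2, 1, 1), b"", True)],                         # system group only
    "allView": [((1, 3, 6, 1), b"", True),                                   # everything under internet ...
                ((1, 3, 6, 1, 6, 3, 15), b"", False)],                       # ... except usmMIB (user/key tables)
    "ifRow2View": [((1, 3, 6, 1, 2, 1, 2, 2, 1, 0, 2), b"\xff\xbf", True)],  # ifEntry row 2, any column (mask bit 9 = 0)
}


def mask_bit(mask: bytes, i: int) -> bool:
    """Bit i of the family mask, most significant bit first; bits past the end of the mask count as 1."""
    return i >= len(mask) * 8 or bool(mask[i // 8] >> (7 - i % 8) & 1)


def oid_in_view(families, oid) -> bool:
    """RFC 3415 4.2: among all matching families the one with the longest subtree wins
    (ties: lexicographically greatest subtree); the OID is in the view iff that family is 'included'."""
    best = None
    for subtree, mask, included in families:
        if len(oid) < len(subtree):
            continue
        if all(oid[i] == subtree[i] for i in range(len(subtree)) if mask_bit(mask, i)):
            rank = (len(subtree), subtree)
            if best is None or rank > best[0]:
                best = (rank, included)
    return best is not None and best[1]


def is_access_allowed(model, security_name, security_level, operation, oid) -> str:
    """Returns the RFC 3415 status name: accessAllowed, noGroupName, noAccessEntry, noSuchView or notInView."""
    group = SECURITY_TO_GROUP.get((model, security_name))
    if group is None:
        return "noGroupName"
    # candidate access entries: same group, minimum level not above the level the message was received at
    candidates = [(level, views) for (g, level), views in ACCESS.items()
                  if g == group and level <= security_level]
    if not candidates:
        return "noAccessEntry"
    read_view, write_view = max(candidates, key=lambda c: c[0])[1]   # most demanding entry satisfied
    view = read_view if operation == "read" else write_view
    if view is None:
        return "noSuchView"
    return "accessAllowed" if oid_in_view(VIEWS[view], oid) else "notInView"
```

Two points worth noticing when reviewing a real VACM configuration: an unauthenticated request never reaches an access entry that requires authNoPriv or authPriv, so noAccessEntry rather than the view decides the outcome; and an exclusion inside a broad include (here usmMIB under internet) only works because the longer subtree wins, so the order of the entries in the table does not matter but their lengths do.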