Chapter 8 Network ManagementAs we have learned thus far, computer networks are complex systems of numerous hardware and software components. As such, they are subject to operational problems involving outage, malfunction, mis-configuration, poor performance, and other issues. In this final chapter, we will briefly look at the architecture, protocols and tools available to identify and solve these problems.

Chapter 8: Network ManagementChapter goals: introduction to network managementmotivationmajor componentsInternet network management frameworkMIB: management information baseSMI: data definition languageSNMP: protocol for network managementsecurity and administrationpresentation services: ASN.1firewalls

Network management motivationnetworks are complex autonomous systems

Consisting of 100s (or 1000s) of interacting hardware and software components"Network management includes the deployment, integration and coordination of the hardware, software, and human elements to monitor, test, poll, configure, analyze, evaluate, and control the network and element resources to meet the real-time, operational performance, and Quality of Service requirements at a reasonable cost." the network management infrastructure does NOT:dictate decision making policiesaddress resource provisioning/service management issues

Motivation for network management stuff happens

managed devicemanaged devicemanaged devicemanaged deviceperformance problems device faultsconfiguration issuessecurity problems software bugs accounting/billing issues numerous potential issues/problems to deal withFor example:UTA ACSAbilene Net

Network management: 4 key goalsMonitorsee whats happening host interfaces, traffic levels, service levels, security, performance, routing table changes, etc. Analyzedetermine what it meansReactively controltake action based on what is happeningProactively managetake action based on what current trends tell you to will happen

Infrastructure for network management

managed devicemanaged devicemanaged devicemanaged devicenetworkmanagementprotocoldefinitions:managed devices containmanaged objects whose data is gathered into aManagement InformationBase (MIB) managing entity** AKA - Network Management Station (NMS)

A typical Network Management Systems

NetworkManagementConsoleNetworkManagementMIBManagedDevices

Network Management standardsOSI CMIPCommon Management Information Protocoldesigned 1980s: the unifying net management standardtoo slowly standardized

SNMP: Simple Network Management ProtocolInternet roots (SGMP ISMF)started simpledeployed, adopted rapidlygrowth: size, complexitycurrently: SNMP V3 (released April 1999)de facto network management standard

SNMP overview: 4 key parts of the Internet network management frameworkManagement information base (MIB):distributed information store of network management data (MIB objects)Structure of Management Information (SMI):data definition language for MIB objectsSNMP protocolconvey managermanaged object info, commandsSecurity & administration capabilitiesmajor addition in SNMPv3

SMI: data definition language (RFC 2578) Purpose: syntax, semantics of management data well-defined, unambiguousbase data types: straightforward, boringOBJECT-TYPEdata type, status, semantics of managed objectMODULE-IDENTITYgroups related objects into MIB module

Basic Data TypesINTEGERInteger32Unsigned32OCTET STRINGOBJECT IDENTIFIERIPaddressCounter32Counter64Guage32Time TicksOpaque

SNMP MIB

OBJECT-TYPE:OBJECT-TYPE:OBJECT-TYPE:objects specified via SMIOBJECT-TYPE construct

MIB module specified via SMI MODULE-IDENTITY(100s of standardized MIBs, more vendor-specific)

SMI: Object, module examplesOBJECT-TYPE: ipInDeliversMODULE-IDENTITY: ipMIBipInDelivers OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION The total number of input datagrams successfully delivered to IP user- protocols (including ICMP)::= { ip 9}ipMIB MODULE-IDENTITY LAST-UPDATED 941101000Z ORGANZATION IETF SNPv2 Working Group CONTACT-INFO Keith McCloghrie DESCRIPTION The MIB module for managing IP and ICMP implementations, but excluding their management of IP routes. REVISION 019331000Z ::= {mib-2 48}Note: RFC 2011-IP MIB, RFC 2012-TCP MIB, RFC 2013-UDP MIB,

SNMP Naming (OBJECT IDENTIFIER)question: how to name every possible standard object (protocol, data, more..) in every possible network standard??answer: ISO Object Identifier tree: hierarchical naming of all objectseach branchpoint has name, number

1.3.6.1.2.1.7.1ISOISO-ident. Org.US DoDInternetudpInDatagramsUDPMIB2management

ISO Object Identifier TreeCheck out www.alvestrand.no/harald/objectid/top.html

MIB example: UDP moduleObject ID Name Type Comments1.3.6.1.2.1.7.1 UDPInDatagrams Counter32 # UDP datagrams delivered at this node1.3.6.1.2.1.7.2 UDPNoPorts Counter32 # undeliverable datagrams, no application at port1.3.6.1.2.1.7.3 UDInErrors Counter32 # undeliverable datagrams, all other reasons1.3.6.1.2.1.7.4 UDPOutDatagrams Counter32 # UDP datagrams sent1.3.6.1.2.1.7.5 udpTable SEQUENCE one entry for each port UDP Entry in use by app, gives port # and IP address

SNMP protocolTwo ways to convey MIB info, commands:

Managed deviceresponse

Managed devicetrap msg.request/response modetrap mode

SNMP protocol: message types

GetRequest (0)GetNextRequest (1)GetBulkRequest (5)Mgr-to-Agent: get me data(instance,next in list, block)Message typeFunctionInformRequest (6)Mgr-to-Mgr: heres MIB valueSetRequest (3)Mgr-to-Agent: set MIB valueResponse (2)Agent-to-Mgr: value, response to RequestTrap (7)Agent-to-Mgr: inform managerof exceptional event

SNMP protocol: message formats

TrapmessagesGet,Set,Inform,Responsemessages

SNMP security and administrationencryption: DES-encrypt SNMP message authentication: compute, send MIC(m,k): compute hash (MIC) over message (m), secret shared key (k)protection against playback: use nonceview-based access controlSNMP entity maintains database of access rights, policies for various usersdatabase itself accessible as managed object!

MIC: Message Integrity Code (like a digital signature)

The presentation problemQ: does perfect memory-to-memory copy solve the communication problem?A: not always!problem: different data format, storage conventions (e.g. big-endian, little-endian)struct { char code; int x; } test;test.x = 259;test.code=atest.codetest.xtest.code

test.xhost 1 formathost 2 format

Solving the presentation problem1. Translate local-host format to host-independent format2. Transmit data in host-independent format3. Translate host-independent format to remote-host format

ASN.1: Abstract Syntax Notation 1The language of standards writers.ISO standard X.680used extensively in Internetdefined data types, object constructors like SMIBER: Basic Encoding Rules (ITU-T X.209, X.690)specify how ASN.1-defined data objects to be transmittedeach transmitted object has Type, Length, Value (TLV) encoding

ASN.1: Abstract Syntax Notation 1Encoding RulesBER - for management of the Internet, exchange of electronic mail, control of telephone/computer interactions DER - specialized form of BER that is used in security-conscious applications CER another specialized form of BER that is meant for use with huge messagesPER - recent version with more efficient algorithms that result in faster and more compact encodings; used in applications that are bandwidth or CPU starved, such as air traffic control and audio-visual telecommunications

TLV EncodingIdea: transmitted data is self-identifyingT: data type, one of ASN.1-defined typesL: length of data in bytesV: value of data, encoded according to ASN.1 standard

1234569BooleanIntegerBit StringOctet stringNullObject IdentifierReal Tag Value Type

TLV encoding: exampleValue, 5 octets (chars)Length, 5 bytesType=4, octet stringValue, 259Length, 2 bytesType=2, integer

TLV encoding - another example:A Personnel Record:

Name: John P Smith Date of Birth: 17 July 1959 (other data) The ASN.1 description of a personnel record (the standard) might be:

PersonnelRecord ::= [APPLICATION 0] IMPLICIT SET { Name, title [0] VisibleString, dateOfBirth [1] Date, (other types defined) }

Name ::= [APPLICATION 1] IMPLICIT SEQUENCE { givenName VisibleString, initial VisibleString, familyName VisibleString } The application maps the personnel data into the personnel record structure (ASN.1 data format), and then applies the Basic Encoding Rules (BER) to the ASN.1 data:

Personnel Record Length Contents 60 8185 Name Length Contents 61 10 VisibleString Length Contents 1A 04 "John" VisibleString Length Contents 1A 01 "P" VisibleString Length Contents 1A 05 "Smith" DateofBirth Length Contents A0 0A Date Length Contents 43 08 "19590717" Finally, what gets transmitted (sent as application data to the layer below in the protocol stack)would be:

60 81 85 61 10 1A 04

Firewalls

Two firewall types:packet filterapplication gateway

To prevent denial of service attacks:SYN flooding: attacker establishes many bogus TCP connections. Attacked host allocates TCP buffers for bogus connections, none left for real connections.

To prevent illegal modification of internal data.e.g., attacker replaces CIAs homepage with something else

To prevent intruders from obtaining secret info.isolates organizations internal net from larger Internet, allowing some packets to pass, blocking others.

Packet FilteringInternal network is typically connected to Internet through a router.Router manufacturer provides options for filtering packets, based on (for example):source IP addressdestination IP addressTCP/UDP source and destination port numbersICMP message typeTCP SYN and ACK bits

Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or destination port = 23.All incoming and outgoing UDP flows and telnet connections are blocked.Example 2: Block inbound TCP segments with ACK bit=0.Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.

Application gatewaysFilters packets on application data as well as on IP/TCP/UDP fields.Example: allow select internal users to telnet outside.

1. Require all telnet users to telnet through gateway.2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections3. Router filter blocks all telnet connections not originating from gateway.

Limitations of firewalls and gatewaysIP spoofing: router cant know if data really comes from claimed sourceIf multiple apps. need special treatment, each has own app. gateway.Client software must know how to contact gateway.e.g., must set IP address of proxy in Web browser

Filters often use all or nothing policy for UDP.Tradeoff: degree of communication with outside world, level of securityMany highly protected sites still suffer from attacks.