8/8/2019 sri_SNMP
1/64
Simple Network Management Protocol
By - Suparna Sri

Agenda
- Introduction
- Network Level Architecture
- Operation of Protocol
- Applications of Protocol
- Event flows
- Message Formats
- Extensions, Performance & Security Issue
- Conclusion
- References

Introduction
SNMP is an application layer protocol that facilitates the exchange of management information between network devices.
It is used for collecting information from, and configuring, network devices, such as servers, printers, hubs, switches, and routers on an Internet Protocol (IP) network.
SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth.

Basic Components of SNMP
- NMS (Network Management Station)
- Managed Devices
- Agents
- MIB (Management Information Base)

NMS executes applications that monitor and control managed devices. One or more NMSs must exist on any managed network.
An NMS is a general purpose computer running special software.

A managed device is a network node that contains an SNMP agent and that resides on a managed network.
Managed devices collect and store management information and make this information available to NMSs using SNMP.
Managed devices, sometimes called network elements, can be routers and access servers, switches and bridges, hubs, computer hosts, or printers.

An agent is a network-management software module that resides in a managed device.
An agent has local knowledge of management information and translates that information into a form compatible with SNMP.

Network Level Architecture

MIB Structure
Every management station or agent in an SNMP architecture maintains a local database holding information related to network management.
This virtual information store is called the MIB objects database.
An SNMP MIB contains definitions and information about the properties of managed resources and the services that the agents support. The manageable features of resources, as defined in an SNMP MIB, are called managed objects.

Management Information Base

MIB object identifiers
Each object in the MIB has an object identifier (OID). The management station uses the OID to request the object's value from the agent.
An OID is a sequence of integers that uniquely identifies a managed object by defining a path to that object through a tree-like structure called the OID tree or registration tree.
When an SNMP agent needs to access a specific managed object, it traverses the OID tree to find the object.

SNMP OID Hierarchy Format

Operation of Protocol
- Read: It is used by an NMS to monitor managed devices. The NMS examines different variables that are maintained by managed devices.
- Write: It is used by an NMS to control managed devices. The NMS changes the values of variables stored within managed devices.
- Trap: The trap command is used by managed devices to asynchronously report events to the NMS. When certain types of events occur, a managed device sends a trap to the NMS.

Operation of the Protocol
- Get
- Get next
- Get-bulk
- Set
- Set response
- Trap
- Notification
- Inform
- Report

get and get next Operation
The get request is initiated by the NMS, which sends the request to the agent. The agent receives the request and processes it to the best of its ability.
The get command is useful for retrieving a single MIB object at a time.
The get-next operation lets you issue a sequence of commands to retrieve a group of values from a MIB.

get Operation

get bulk operation
SNMPv2 defined the get-bulk operation, which allows a management application to retrieve a large section of a table at once.
The standard get operation can attempt to retrieve more than one MIB object at once, but message sizes are limited by the agent's capabilities. If the agent can't return all the requested responses, it returns an error message with no data.
The get-bulk command has two fields, non-repeaters and max-repetitions, which are set when issuing the command.
Non-repeaters tells the get-bulk command that the first N objects can be retrieved with a simple get-next operation. Max-repetitions tells the get-bulk command to attempt up to M get-next operations to retrieve the remaining objects.
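
The get, get-next and get-bulk behaviour described above, modelled against a small in-memory agent. This is an added example, not code from the original slides: the ToyAgent class, the sample MIB values and the max_varbinds limit (a stand-in for the agent's message size limit) are assumptions made for illustration.

```python
from bisect import bisect_right

END_OF_MIB = "endOfMibView"  # returned when get-next runs past the last object

# Constructed sample MIB for a hypothetical agent. OIDs are tuples of integers,
# so Python's tuple ordering matches the order of the OID tree.
SAMPLE_MIB = {
    (1, 3, 6, 1, 2, 1, 1, 3, 0): 123456,        # sysUpTime.0
    (1, 3, 6, 1, 2, 1, 1, 5, 0): "edge-sw1",    # sysName.0
    (1, 3, 6, 1, 2, 1, 1, 6, 0): "rack 4",      # sysLocation.0
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 2, 1): "eth0",  # ifDescr.1
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 2, 2): "eth1",  # ifDescr.2
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 8, 1): 1,       # ifOperStatus.1 (up)
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 8, 2): 2,       # ifOperStatus.2 (down)
}


class ToyAgent:
    """In-memory agent; max_varbinds stands in for the agent's message size limit."""

    def __init__(self, mib, max_varbinds=4):
        self.mib = dict(mib)
        self.oids = sorted(self.mib)
        self.max_varbinds = max_varbinds

    def get(self, oids):
        """Plain get: all or nothing. Too many objects gives an error and no data."""
        if len(oids) > self.max_varbinds:
            return "tooBig", []
        if any(tuple(oid) not in self.mib for oid in oids):
            return "noSuchName", []
        return "noError", [(tuple(oid), self.mib[tuple(oid)]) for oid in oids]

    def get_next(self, oid):
        """Return the first object that follows oid in OID-tree order."""
        oid = tuple(oid)
        i = bisect_right(self.oids, oid)
        if i == len(self.oids):
            return oid, END_OF_MIB
        nxt = self.oids[i]
        return nxt, self.mib[nxt]

    def walk(self, root):
        """Repeated get-next: collect every object underneath root."""
        root, found = tuple(root), []
        cursor = root
        while True:
            cursor, value = self.get_next(cursor)
            if value is END_OF_MIB or cursor[:len(root)] != root:
                return found
            found.append((cursor, value))

    def get_bulk(self, oids, non_repeaters, max_repetitions):
        """First N OIDs get one get-next each; the rest get up to M get-next rounds."""
        out = [self.get_next(oid) for oid in oids[:non_repeaters]]
        cursors = [tuple(oid) for oid in oids[non_repeaters:]]
        for _ in range(max_repetitions):
            if not cursors:
                break
            row = [self.get_next(cursor) for cursor in cursors]
            out.extend(row)
            if all(value is END_OF_MIB for _, value in row):
                break
            cursors = [oid for oid, _ in row]
        # Unlike get, get-bulk returns as much as fits instead of failing.
        return out[:self.max_varbinds]


if __name__ == "__main__":
    agent = ToyAgent(SAMPLE_MIB, max_varbinds=6)
    columns = [(1, 3, 6, 1, 2, 1, 1, 3),            # sysUpTime (non-repeater)
               (1, 3, 6, 1, 2, 1, 2, 2, 1, 2),      # ifDescr column
               (1, 3, 6, 1, 2, 1, 2, 2, 1, 8)]      # ifOperStatus column
    for oid, value in agent.get_bulk(columns, non_repeaters=1, max_repetitions=2):
        print(".".join(map(str, oid)), "=", value)
```

With one non-repeater and two repetitions over two columns, the response carries 1 + 2 x 2 = 5 variable bindings.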

get bulk Operation

set Operation
The set command is used to change the value of a managed object or to create a new row in a table. Objects that are defined in the MIB as read-write or write-only can be altered or created using this command. It is possible for an NMS to set more than one object at a time.

trap Operation
Trap: A trap is a way for an agent to tell the NMS that something bad has happened.
The trap originates from the agent and is sent to the trap destination, as configured within the agent itself. The trap destination is typically the IP address of the NMS.

Scenarios when trap occurs
- A network interface on the device (where the agent is running) has gone down.
- A network interface on the device (where the agent is running) has come back up.
- An incoming call to a modem rack was unable to establish a connection to a modem.
- The fan on a switch or router has failed.

Generic types of trap
- coldStart (0): Indicates that the agent has rebooted. All management variables will be reset; specifically, Counters and Gauges will be reset to zero (0). It can also be used to determine when new hardware is added to the network.
- warmStart (1): Indicates that the agent has reinitialized itself. None of the management variables will be reset.
- linkDown (2): Sent when an interface on a device goes down. The first variable binding identifies which interface went down.
- linkUp (3): Sent when an interface on a device comes back up.

Generic types of trap
- authenticationFailure (4): Indicates that someone has tried to query your agent with an incorrect community string; useful in determining if someone is trying to gain unauthorized access to one of your devices.
- egpNeighborLoss (5): Indicates that an Exterior Gateway Protocol (EGP) neighbor has gone down.
- enterpriseSpecific (6): Indicates that the trap is enterprise-specific. Enterprise-specific traps are defined under the private-enterprise branch of the SMI object tree.
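
How an NMS can act on the generic trap types listed above: flag bursts of authenticationFailure traps per agent and track which interfaces are still down. This is an added example, not code from the original slides. The record layout, receive timestamps, threshold and window are assumptions, the sample traps are constructed, and reading the interface from the first variable binding of linkUp as well as linkDown follows the SNMPv1 specification rather than the slides.

```python
from collections import defaultdict, deque

# Generic trap codes as listed on the slides.
LINK_DOWN, LINK_UP, AUTH_FAILURE = 2, 3, 4

# Constructed sample: already-decoded Trap-PDU fields plus the NMS receive time
# in seconds. Addresses come from the 192.0.2.0/24 documentation range.
IF_INDEX = "1.3.6.1.2.1.2.2.1.1"  # ifIndex column
SAMPLE_TRAPS = [
    {"received": 0, "agent_addr": "192.0.2.10", "generic_trap": LINK_DOWN,
     "varbinds": [(IF_INDEX + ".2", 2)]},
    {"received": 5, "agent_addr": "192.0.2.20", "generic_trap": AUTH_FAILURE, "varbinds": []},
    {"received": 12, "agent_addr": "192.0.2.20", "generic_trap": AUTH_FAILURE, "varbinds": []},
    {"received": 20, "agent_addr": "192.0.2.10", "generic_trap": LINK_DOWN,
     "varbinds": [(IF_INDEX + ".3", 3)]},
    {"received": 31, "agent_addr": "192.0.2.20", "generic_trap": AUTH_FAILURE, "varbinds": []},
    {"received": 40, "agent_addr": "192.0.2.10", "generic_trap": LINK_UP,
     "varbinds": [(IF_INDEX + ".2", 2)]},
    {"received": 300, "agent_addr": "192.0.2.30", "generic_trap": AUTH_FAILURE, "varbinds": []},
]


def auth_failure_bursts(traps, threshold=3, window=60):
    """Return (agent, first_seen, last_seen) for each agent that reports at least
    `threshold` authenticationFailure traps within `window` seconds."""
    recent = defaultdict(deque)
    alerts = []
    for trap in sorted(traps, key=lambda t: t["received"]):
        if trap["generic_trap"] != AUTH_FAILURE:
            continue
        seen = recent[trap["agent_addr"]]
        seen.append(trap["received"])
        # Drop failures that have aged out of the window.
        while trap["received"] - seen[0] > window:
            seen.popleft()
        if len(seen) >= threshold:
            alerts.append((trap["agent_addr"], seen[0], trap["received"]))
            seen.clear()  # a new alert needs a fresh burst
    return alerts


def interfaces_down(traps):
    """Replay linkDown/linkUp traps in order and return (agent, ifIndex) pairs
    whose most recent trap was linkDown."""
    is_down = {}
    for trap in sorted(traps, key=lambda t: t["received"]):
        if trap["generic_trap"] not in (LINK_DOWN, LINK_UP):
            continue
        if not trap["varbinds"]:
            continue  # malformed trap: no variable binding naming the interface
        _, if_index = trap["varbinds"][0]
        is_down[(trap["agent_addr"], if_index)] = trap["generic_trap"] == LINK_DOWN
    return sorted(key for key, down in is_down.items() if down)


if __name__ == "__main__":
    print("auth failure bursts:", auth_failure_bursts(SAMPLE_TRAPS))
    print("interfaces still down:", interfaces_down(SAMPLE_TRAPS))
```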

Other SNMP operations
- SNMP notification: As with the PDUs of SNMPv1, v2 and v3, notification-type is used as a means of notification for this.
- SNMP inform: The inform mechanism provides manager-to-manager communication.
- SNMP report: Allows the SNMP engines to communicate with each other, mainly to report problems with processing SNMP messages.

Message Sent Between an SNMP Manager and its Managed Devices

Event Flow of SNMP protocol
Represents interactions and timing of the SNMP protocol between the SNMP manager and the SNMP agent.
Traps are unsolicited messages sent from the agent to the manager.
There are four functions of SNMP: get request, trap, get next and set request.

Event Flow of SNMP operations

Network Management System

SNMPv3 Applications
Five types of application which can be associated with an SNMP engine are described in RFC 2273. These applications are:
- Command generators, which monitor and manipulate management data,
- Command responders, which provide access to management data,
- Notification originators, which initiate asynchronous messages,
- Notification receivers, which process asynchronous messages, and
- Proxy forwarders, which forward messages between entities.

Flow diagram of Command Generator and Command Responder

[Diagram slides: each slide shows the Applications, Dispatcher, Message Processing Subsystem, Security Subsystem and Access Control Subsystem, highlights one step of the flow, and repeats the same parameter list.]
Steps in slide order, with the subsystem labelled next to each step:
- sendPdu (Applications)
- prepareOutgoingMessage (Dispatcher)
- generateRequestMsg (Message Processing Subsystem)
- send / receive (Dispatcher)
- prepareDataElements (Dispatcher)
- processIncomingMsg (Message Processing Subsystem)
- processPdu (Dispatcher)
- isAccessAllowed (Applications)
- returnResponsePdu (Applications)
- prepareResponseMessage (Dispatcher)
- generateResponseMsg (Message Processing Subsystem)
- send / receive (Dispatcher)
- prepareDataElements (Dispatcher)
- processIncomingMsg (Message Processing Subsystem)
- processResponsePdu (Dispatcher)
Parameters listed on each slide: transportDomain, transportAddress, messageProcessingModel, securityModel, securityName, securityLevel, contextEngineID, contextName, pduVersion, PDU, expectResponse, maxSizeResponseScopedPDU, stateReference, statusInformation, sendPduHandle, destTransportDomain, destTransportAddress, outgoingMessage, outgoingMessageLength, wholeMsg, wholeMsgLength, pduType, viewType, variableName, globalData, maxMessageSize, securityEngineID, scopedPDU, securityParameters, securityStateReference.

Five areas of network management
- Performance management: to quantify, measure, report, analyze and control the performance of network components.
- Fault management: to detect, log, notify users of, and (to the extent possible) automatically fix network problems to keep the network running effectively.
- Configuration management: to monitor network and system configuration information so that the effects on network operation of various versions of hardware and software elements can be tracked and managed.
- Accounting management: to measure network utilization parameters so that individual or group uses on the network can be regulated appropriately.
- Security management: to control access to network resources according to local guidelines so that the network cannot be sabotaged and sensitive information cannot be accessed by those without appropriate authorization.

SNMP Message Format
SNMP uses two well-known ports to operate:
- UDP/TCP Port 161 - SNMP Request/Response Messages
- UDP/TCP Port 162 - SNMP Trap Messages
Encapsulation: Ethernet Frame | IP Packet | UDP Datagram | SNMP Message | CRC
SNMPv3 defines a security capability to be used in conjunction with SNMPv1 (runs over UDP) or SNMPv2 (also runs over TCP).

SNMP General Message Format
Table 211: SNMP Variable Binding Format
Subfield Name | Syntax | Size (bytes) | Description
Object Name | Sequence of Integer | Variable | Object Name: The numeric object identifier of the MIB object, specified as a sequence of integers. For example, the object sysLocation has the object identifier 1.3.6.1.2.1.1.6, so it would be specified as 1 3 6 1 2 1 1 6 using ASN.1.
Object Value | Variable | Variable | Object Value: In any type of get request, this subfield is a placeholder; it is structured using the appropriate syntax for the object but has no value (since the get request is asking for that value!). In a set request (SetRequest-PDU) or in a reply message carrying requested data (GetResponse-PDU or Response-PDU), the value of the object is placed here.

SNMP message: VERSION | COMMUNITY | SNMP PDU
SNMP PDU: PDU TYPE* | REQUEST ID | ERROR STATUS | ERROR INDEX | VARIABLE BINDINGS
variable bindings: NAME 1 | VALUE 1 | NAME 2 | VALUE 2 | ... | NAME n | VALUE n

SNMP V1 General Message Format
Table 212: SNMP Version 1 (SNMPv1) General Message Format
Field Name | Syntax | Size (bytes) | Description
Version | Integer | 4 | Version Number: Describes the SNMP version number of this message; used for ensuring compatibility between versions. For SNMPv1, this value is actually 0, not 1.
Community | Octet String | Variable | Community String: Identifies the SNMP community in which the sender and recipient of this message are located. This is used to implement the simple SNMP.
PDU | | Variable | Protocol Data Unit: The PDU being communicated as the body of the message.

SNMP v1 PDU Format
Table 213: SNMP Version 1 (SNMPv1) Common PDU Format
Field Name | Syntax | Size (bytes) | Description
PDU Type | Integer (Enumerated) | 4 |
Request ID | Integer | 4 | Request Identifier: A number used to match requests with replies. It is generated by the device that sends a request and copied into this field in a GetResponse-PDU by the responding SNMP entity.
Error Status | Integer (Enumerated) | 4 |
Error Index | Integer | 4 | Error Index: When Error Status is non-zero, this field contains a pointer that specifies which object generated the error. Always zero in a request.
Variable Bindings | Variable | Variable | Variable Bindings: A set of name-value pairs identifying the MIB objects in the PDU, and in the case of a SetRequest-PDU or GetResponse-PDU, containing their values.

SNMP V1 Trap-PDU Format
Table 214: SNMP Version 1 (SNMPv1) Trap-PDU Format
Field Name | Syntax | Size (bytes) | Description
PDU Type | Integer (Enumerated) | 4 | PDU Type: An integer value that indicates the PDU type, which is 4 for a Trap-PDU message.
Enterprise | Sequence of Integer | Variable | Enterprise: An object identifier for a group, which indicates the type of object that generated the trap.
Agent Addr | NetworkAddress | 4 | Agent Address: The IP address of the SNMP agent that generated the trap. This is of course also in the IP header at lower levels, but inclusion in the SNMP message format allows for easier trap logging within SNMP. Also, in the case of a multihomed host, this specifies the preferred address.
Generic Trap | Integer (Enumerated) | 4 | Generic Trap Code: A code value specifying one of a number of predefined generic trap types.
Specific Trap | Integer | 4 | Specific Trap Code: A code value indicating an implementation-specific trap type.
Time Stamp | TimeTicks | 4 | Time Stamp: The amount of time since the SNMP entity sending this message last initialized or reinitialized. Used to time stamp traps for logging purposes.
Variable Bindings | Variable | Variable | Variable Bindings: A set of name-value pairs identifying the MIB objects in the PDU.

SNMP v2 Message Format
[Figure: SNMPv2 Get, GetNext, Inform, Response, Set, and Trap PDUs Contain the Same Fields]
[Figure: The SNMPv2 GetBulk PDU]

SNMP v3 General Message Format
Table 221: SNMP Version 3 (SNMPv3) General Message Format
Field Name | Syntax | Size (bytes) | Description
Msg Version | Integer | 4 | Message Version Number: Describes the SNMP version number of this message; used for ensuring compatibility between versions. For SNMPv3, this value is 3.
Msg ID | Integer | 4 | Message Identifier: A number used to identify an SNMPv3 message and to match response messages to request messages. The use of this field is similar to that of the Request ID field in the PDU format, but they are not identical. This field was created to allow matching at the message processing level regardless of the contents of the PDU, to protect against certain security attacks. Thus, Msg ID and Request ID are used independently.
Msg Max Size | Integer | 4 | Maximum Message Size: The maximum size of message that the sender of this message can receive. Minimum value of this field is 484.
Msg Flags | Octet String | 1 |
Msg Security Model | Integer | 4 | Message Security Model: An integer value indicating which security model was used for this message. For the user-based security model (the default in SNMPv3) this value is 3.
Msg Security Parameters | | Variable | Message Security Parameters: A set of fields that contain parameters required to implement the particular security model used for this message. The contents of this field are specified in each document describing an SNMPv3 security model. For example, the parameters for the user-based model are in RFC 3414.
Scoped PDU | | Variable |

Security services
- Data Integrity is the provision of the property that data or data sequences have not been altered or destroyed in an unauthorized manner.
- Data Origin Authentication is the provision of the property that the claimed identity of the user on whose behalf received data was originated is corroborated.
- Data Confidentiality is the provision of the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
- Message timeliness and limited replay protection is the provision of the property that a message whose generation time is outside of a specified time window is not accepted.

Performance and Security Issues
- Modification of Information: The modification threat is the danger that some unauthorized entity may alter in-transit SNMP messages generated on behalf of an authorized principal in such a way as to effect unauthorized management operations, including falsifying the value of an object.
- Masquerade: The masquerade threat is the danger that management operations not authorized for some user may be attempted by assuming the identity of another user that has the appropriate authorizations.
- Disclosure: The disclosure threat is the danger of eavesdropping on the exchanges between managed agents and a management station. Protecting against this threat may be required as a matter of local policy.
- Message Stream Modification: The SNMP protocol is typically based upon a connection-less transport service which may operate over any sub-network service. The re-ordering, delay or replay of messages can and does occur through the natural operation of many such sub-network services. The message stream modification threat is the danger that messages may be altered in order to effect unauthorized management operations.

Extensions (SNMPv2 protocol)
Two new protocol operations have been added in SNMPv2. Get-bulk-request supports efficient transfer of large amounts of MIB data, and Inform-request enables a manager to inform another manager of significant events.
The main problems of SNMPv1 are the authentication of the message source, protecting these messages from disclosure, and placing access controls on the MIB database. Those problems are solved in SNMPv2 by changing the format of SNMP PDUs.
- In SNMPv1, traps had a different format than all of the other PDUs. SNMPv2 simplifies traps by giving them the same format as the get and set PDUs.
- In SNMPv1, if too much data is asked for in an ordinary get-request, you receive a "too big" error message without data. In SNMPv2, Get-bulk-request allows you to retrieve a lot of information, and you will receive as much data as possible in your response message.
- In SNMPv2, if one of multiple requested values in a get-request is not valid or does not exist, there will be answers for the other requests that have been handled successfully, whereas for SNMPv1 no response at all was given, only the error message.
- The SNMPv2 security framework deals with the problem of authenticating the message sender and its contents, and with the eavesdropping problem. It also supports the use of an authentication protocol to identify the source's reliability and to prevent message modification. It also supports the use of encryption to keep messages private. SNMPv1 does not have all these security features.

SNMP Security
Security in SNMP versions
SNMPv1 uses plain text community strings for authentication, without encryption.
SNMPv2 was supposed to fix security problems, but the effort derailed.
SNMPv3 has numerous security features:
- Ensures that a packet has not been tampered with (integrity),
- Ensures that a message is from a valid source (authentication),
- Ensures that a message cannot be read by unauthorized parties (privacy).
SNMP has three security levels for:
- Monitoring (no authentication / no privacy): Authentication with matching a user name
- Control (authentication / no privacy): Authentication with MD5 or SHA message digests.
- Downloading secrets (authentication / privacy): Authentication with MD5 or SHA message digests, and encryption with DES encryption.
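
The SNMPv1 layout from the General Message Format and Common PDU Format tables, decoded from raw bytes to show that the community string used for authentication is readable by anyone who can see the packet. This is an added example, not code from the original slides: the sample packet is constructed, the function names are illustrative, and the list of default community strings is an assumption about common factory settings.

```python
PDU_TYPES = {0: "GetRequest", 1: "GetNextRequest", 2: "GetResponse", 3: "SetRequest", 4: "Trap"}
DEFAULT_COMMUNITIES = {"public", "private"}  # assumption: common factory defaults, not from the slides


def tlv(tag, content):
    """Encode one short-form BER TLV; only used to build the sample packet."""
    if len(content) > 127:
        raise ValueError("short-form length only")
    return bytes([tag, len(content)]) + content


def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the BER TLV that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("TLV value runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length


def read_expected(buf, pos, wanted, what):
    tag, value, pos = read_tlv(buf, pos)
    if tag != wanted:
        raise ValueError(f"{what}: expected tag 0x{wanted:02x}, got 0x{tag:02x}")
    return value, pos


def decode_int(value):
    if not value:
        raise ValueError("empty INTEGER")
    return int.from_bytes(value, "big", signed=True)


def decode_oid(value):
    if not value or value[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    subids, current = [], 0
    for byte in value:  # base-128 digits, high bit set on all but the last
        current = (current << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subids.append(current)
            current = 0
    first = subids[0]  # the first sub-identifier packs the first two arcs
    head = (0, first) if first < 40 else (1, first - 40) if first < 80 else (2, first - 80)
    return ".".join(str(arc) for arc in (*head, *subids[1:]))


def decode_value(tag, value):
    if tag == 0x02:
        return decode_int(value)
    if tag == 0x04:
        return bytes(value)
    if tag == 0x05:
        return None  # NULL placeholder used in get requests
    if tag == 0x06:
        return decode_oid(value)
    return (tag, bytes(value))  # application types are left undecoded here


def decode_message(packet):
    """Decode VERSION | COMMUNITY | PDU and the common PDU fields."""
    body, _ = read_expected(packet, 0, 0x30, "message")
    version, pos = read_expected(body, 0, 0x02, "version")
    community, pos = read_expected(body, pos, 0x04, "community")
    pdu_tag, pdu, _ = read_tlv(body, pos)
    if pdu_tag & 0xE0 != 0xA0:
        raise ValueError("PDU tag is not context-specific constructed")
    pdu_type = pdu_tag & 0x1F
    if pdu_type == 4:
        raise ValueError("SNMPv1 Trap-PDU has a different field layout")
    numbers, pos = [], 0
    for name in ("request_id", "error_status", "error_index"):
        value, pos = read_expected(pdu, pos, 0x02, name)
        numbers.append(decode_int(value))
    bindings, _ = read_expected(pdu, pos, 0x30, "variable bindings")
    varbinds, pos = [], 0
    while pos < len(bindings):
        pair, pos = read_expected(bindings, pos, 0x30, "variable binding")
        name, inner = read_expected(pair, 0, 0x06, "object name")
        value_tag, value, _ = read_tlv(pair, inner)
        varbinds.append((decode_oid(name), decode_value(value_tag, value)))
    return {"version": decode_int(version),
            "community": community.decode("utf-8", "replace"),
            "pdu_type": PDU_TYPES.get(pdu_type, pdu_type),
            "request_id": numbers[0], "error_status": numbers[1],
            "error_index": numbers[2], "varbinds": varbinds}


def audit(msg):
    """Findings a defender would raise for one decoded message."""
    findings = []
    if msg["version"] in (0, 1):  # 0 = SNMPv1; 1 = SNMPv2c uses the same wrapper
        findings.append("cleartext-community")
    if msg["community"].lower() in DEFAULT_COMMUNITIES:
        findings.append("default-community")
    return findings


# Constructed sample: SNMPv1 GetRequest for sysLocation.0 (1.3.6.1.2.1.1.6.0).
SAMPLE = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, b"public") + tlv(0xA0,
    tlv(0x02, (12345).to_bytes(2, "big")) + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") +
    tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2b06010201010600")) + tlv(0x05, b"")))))

if __name__ == "__main__":
    decoded = decode_message(SAMPLE)
    print(decoded)
    print(audit(decoded))
```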

SNMP GUI OpenView Severity Levels
Severity | Color
Unknown | Blue
Normal | Green
Warning | Cyan
Minor | Yellow
Major | Orange
Critical | Red

Conclusions
- Standardized
- universally supported
- extendible
- portable
- allows distributed management access
- lightweight protocol

Review Questions
1. What are the components in network management architecture and define them? slide 5-7
2. What are MIBs, and how are they accessed? slide 9
3. What are the types of messages between SNMP manager and agent? slide 25