sri_SNMP


  • 8/8/2019 sri_SNMP

    1/64

    Simple Network Management Protocol

    By - Suparna

    Sri

    Agenda

    - Introduction
    - Network Level Architecture
    - Operation of Protocol
    - Applications of Protocol
    - Event flows
    - Message Formats
    - Extensions, Performance & Security Issue
    - Conclusion
    - References

    Introduction

    SNMP is an application layer protocol that facilitates the exchange of management information between network devices.

    It is used for collecting information from, and configuring, network devices, such as servers, printers, hubs, switches, and routers on an Internet Protocol (IP) network.

    SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth.

    Basic Components of SNMP

    NMS (Network Management Station)

    Managed Devices

    Agents

    MIB (Management Information Base)

    NMS executes applications that monitor and control managed devices. One or more NMSs must exist on any managed network.

    NMS is a general purpose computer running special software.

    Managed Device is a network node that contains an SNMP agent and that resides on a managed network.

    Managed devices collect and store management information and make this information available to NMSs using SNMP.

    Managed devices, sometimes called network elements, can be routers and access servers, switches and bridges, hubs, computer hosts, or printers.

    An agent is a network-management software module that resides in a managed device. An agent has local knowledge of management information and translates that information into a form compatible with SNMP.

    Network Level Architecture

    MIB Structure

    Every management station or agent in an SNMP architecture maintains a local database holding information related to network management.

    This virtual information store is called the MIB objects database.

    An SNMP MIB contains definitions and information about the properties of managed resources and the services that the agents support. The manageable features of resources, as defined in an SNMP MIB, are called managed objects.

    Management Information Base

    MIB object identifiers

    Each object in the MIB has an object identifier (OID). The management station uses the OID to request the object's value from the agent.

    An OID is a sequence of integers that uniquely identifies a managed object by defining a path to that object through a tree-like structure called the OID tree or registration tree.

    When an SNMP agent needs to access a specific managed object, it traverses the OID tree to find the object.

    SNMP OID Hierarchy Format

    Operation of Protocol

    Read: It is used by an NMS to monitor managed devices. The NMS examines different variables that are maintained by managed devices.

    Write: It is used by an NMS to control managed devices. The NMS changes the values of variables stored within managed devices.

    Trap: The trap command is used by managed devices to asynchronously report events to the NMS. When certain types of events occur, a managed device sends a trap to the NMS.

    Operation of the Protocol

    - Get
    - Get next
    - Get-bulk
    - Set
    - Set response
    - Trap
    - Notification
    - Inform
    - Report

    get and get next Operation

    The get request is initiated by the NMS, which sends the request to the agent. The agent receives the request and processes it to the best of its ability.

    The get command is useful for retrieving a single MIB object at a time.

    The get-next operation lets you issue a sequence of commands to retrieve a group of values from a MIB.

    get Operation

    get bulk operation

    SNMPv2 defined the get-bulk operation, which allows a management application to retrieve a large section of a table at once.

    The standard get operation can attempt to retrieve more than one MIB object at once, but message sizes are limited by the agent's capabilities. If the agent can't return all the requested responses, it returns an error message with no data.

    The get-bulk command has two fields, non-repeaters and max-repetitions, which are set when issuing a get-bulk command.

    Non-repeaters tells the get-bulk command that the first N objects can be retrieved with a simple get-next operation. Max-repetitions tells the get-bulk command to attempt up to M get-next operations to retrieve the remaining objects.
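    The non-repeaters / max-repetitions behaviour described above, simulated over a small constructed MIB. This is an added example, not code from the slides; the sample objects, the `get_bulk` helper and its `max_varbinds` cap (standing in for the agent's message-size limit) are assumptions.

```python
from bisect import bisect_right

# Constructed agent MIB (sample data): OID tuple -> value.
MIB = {
    (1, 3, 6, 1, 2, 1, 1, 5, 0): "core-sw1",    # sysName.0
    (1, 3, 6, 1, 2, 1, 1, 6, 0): "rack 12",     # sysLocation.0
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 2, 1): "eth0",  # ifDescr.1
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 2, 2): "eth1",  # ifDescr.2
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 2, 3): "eth2",  # ifDescr.3
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 8, 1): 1,       # ifOperStatus.1 (up)
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 8, 2): 2,       # ifOperStatus.2 (down)
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 8, 3): 1,       # ifOperStatus.3 (up)
}
SORTED_OIDS = sorted(MIB)          # tuple order equals lexicographic OID order
END_OF_MIB_VIEW = "endOfMibView"   # marker returned when nothing follows

SYS_NAME = (1, 3, 6, 1, 2, 1, 1, 5)
IF_DESCR = (1, 3, 6, 1, 2, 1, 2, 2, 1, 2)
IF_OPER_STATUS = (1, 3, 6, 1, 2, 1, 2, 2, 1, 8)


def get_next(oid):
    """Return (oid, value) of the first object strictly after `oid`."""
    i = bisect_right(SORTED_OIDS, tuple(oid))
    if i == len(SORTED_OIDS):
        return tuple(oid), END_OF_MIB_VIEW
    return SORTED_OIDS[i], MIB[SORTED_OIDS[i]]


def get_bulk(oids, non_repeaters, max_repetitions, max_varbinds=32):
    """Answer a get-bulk request as a list of (oid, value) variable bindings.

    The first N = non_repeaters OIDs get a single get-next each. Every
    remaining OID is advanced with get-next up to M = max_repetitions times,
    one row of results per repetition. The response is cut off at
    max_varbinds instead of failing, which is how the agent keeps the reply
    within its message-size limit.
    """
    n = max(0, min(non_repeaters, len(oids)))
    result = [get_next(oid) for oid in oids[:n]]
    cursors = [tuple(oid) for oid in oids[n:]]
    for _ in range(max(0, max_repetitions)):
        if not cursors or len(result) >= max_varbinds:
            break
        row = [get_next(oid) for oid in cursors]
        result.extend(row)
        if all(value == END_OF_MIB_VIEW for _, value in row):
            break                    # every repeater has run off the MIB
        cursors = [oid for oid, _ in row]
    return result[:max_varbinds]


def values(varbinds):
    """Drop the OIDs and keep only the returned values."""
    return [value for _, value in varbinds]


if __name__ == "__main__":
    # One scalar (non-repeater) plus two table columns, two rows each.
    for oid, value in get_bulk([SYS_NAME, IF_DESCR, IF_OPER_STATUS], 1, 2):
        print(".".join(map(str, oid)), "=", value)
```

    Asking for more repetitions than a column has rows makes the walk continue into the next column, so a manager has to check the returned OIDs against the prefix it asked for.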

    get bulk Operation

    set Operation

    The set command is used to change the value of a managed object or to create a new row in a table. Objects that are defined in the MIB as read-write or write-only can be altered or created using this command. It is possible for an NMS to set more than one object at a time.

    trap Operation

    Trap: A trap is a way for an agent to tell the NMS that something bad has happened.

    The trap originates from the agent and is sent to the trap destination, as configured within the agent itself. The trap destination is typically the IP address of the NMS.

    Scenarios when trap occurs

    - A network interface on the device (where the agent is running) has gone down.
    - A network interface on the device (where the agent is running) has come back up.
    - An incoming call to a modem rack was unable to establish a connection to a modem.
    - The fan on a switch or router has failed.

    Generic types of trap

    Coldstart (0): Indicates that the agent has rebooted. All management variables will be reset; specifically, Counters and Gauges will be reset to zero (0). It can also be used to determine when new hardware is added to the network.

    Warmstart (1): Indicates that the agent has reinitialized itself. None of the management variables will be reset.

    Linkdown (2): Sent when an interface on a device goes down. The first variable binding identifies which interface went down.

    Linkup (3): Sent when an interface on a device comes back up.

    Generic types of trap

    authenticationFailure (4): Indicates that someone has tried to query your agent with an incorrect community string; useful in determining if someone is trying to gain unauthorized access to one of your devices.

    egpNeighborLoss (5): Indicates that an Exterior Gateway Protocol (EGP) neighbor has gone down.

    enterpriseSpecific (6): Indicates that the trap is enterprise-specific; these are used by SNMP to define their own traps under the private-enterprise branch of the SMI object tree.

    Other SNMP operations

    SNMP notification: As the PDUs of SNMPv1, v2 and v3, notification-type is used as a means of notification for this.

    SNMP inform: The inform mechanism provides communication between manager and manager.

    SNMP report: Allows the SNMP engines to communicate with each other, mainly to report problems with processing SNMP messages.


    Message Sent Between an SNMP Manager and its Managed Devices

    Event Flow of SNMP protocol

    Represents interactions and timing of the SNMP protocol between the SNMP manager and the SNMP agent.

    Traps are unsolicited messages sent from the agent to the manager.

    There are four functions of SNMP: get request, trap, get next and set request.

    Event Flow of SNMP operations


    Network Management System

    SNMPv3 Applications

    Five types of application which can be associated with an SNMP engine are described in RFC 2273. These applications are:

    - Command generators, which monitor and manipulate management data,
    - Command responders, which provide access to management data,
    - Notification originators, which initiate asynchronous messages,
    - Notification receivers, which process asynchronous messages, and
    - Proxy forwarders, which forward messages between entities.

    Flow diagram of Command Generator and Command Responder

    [Figures, slides 31-46: the same block diagram is repeated on each slide. It shows two SNMP entities, each made up of Applications, Dispatcher, Message Processing Subsystem, Security Subsystem and Access Control Subsystem, together with a Parameters list. Each slide is titled with one primitive and paired with one component label; in slide order:]

    - sendPdu (Applications)
    - prepareOutgoingMessage (Dispatcher)
    - generateRequestMsg (Message Processing Subsystem)
    - send / receive (Dispatcher)
    - prepareDataElements (Dispatcher)
    - processIncomingMsg (Message Processing Subsystem)
    - processPdu (Dispatcher)
    - isAccessAllowed (Applications)
    - returnResponsePdu (Applications)
    - prepareResponseMessage (Dispatcher)
    - generateResponseMsg (Message Processing Subsystem)
    - send / receive (Dispatcher)
    - prepareDataElements (Dispatcher)
    - processIncomingMsg (Message Processing Subsystem)
    - processResponsePdu (Dispatcher)

    Parameters (listed on every slide): transportDomain, transportAddress, messageProcessingModel, securityModel, securityName, securityLevel, contextEngineID, contextName, pduVersion, PDU, expectResponse, maxSizeResponseScopedPDU, stateReference, statusInformation, sendPduHandle, destTransportDomain, destTransportAddress, outgoingMessage, outgoingMessageLength, wholeMsg, wholeMsgLength, pduType, viewType, variableName, globalData, maxMessageSize, securityEngineID, scopedPDU, securityParameters, securityStateReference

    Five areas of network management

    - Performance management: to quantify, measure, report, analyze and control the performance of network components.
    - Fault management: to detect, log, notify users of, and (to the extent possible) automatically fix network problems to keep the network running effectively.
    - Configuration management: to monitor network and system configuration information so that the effects on network operation of various versions of hardware and software elements can be tracked and managed.
    - Accounting management: to measure network utilization parameters so that individual or group uses on the network can be regulated appropriately.
    - Security management: to control access to network resources according to local guidelines so that the network cannot be sabotaged and sensitive information cannot be accessed by those without appropriate authorization.

    SNMP Message Format

    SNMP uses two well-known ports to operate:

    - UDP/TCP Port 161 - SNMP Request/Response Messages
    - UDP/TCP Port 162 - SNMP Trap Messages

    [Figure: encapsulation of an SNMP message. Labels: Ethernet Frame, IP Packet, UDP Datagram, SNMP Message, CRC]

    SNMPv3 defines a security capability to be used in conjunction with SNMPv1 (runs over UDP) or SNMPv2 (also runs over TCP).

    SNMP General Message Format

    Table 211: SNMP Variable Binding Format

    Subfield Name | Syntax | Size (bytes) | Description
    Object Name | Sequence of Integer | Variable | Object Name: The numeric object identifier of the MIB object, specified as a sequence of integers. For example, the object sysLocation has the object identifier 1.3.6.1.2.1.1.6, so it would be specified as 1 3 6 1 2 1 1 6 using ASN.1.
    Object Value | Variable | Variable | Object Value: In any type of get request, this subfield is a placeholder; it is structured using the appropriate syntax for the object but has no value (since the get request is asking for that value!). In a set request (SetRequest-PDU) or in a reply message carrying requested data (GetResponse-PDU or Response-PDU), the value of the object is placed here.

    [Figure: nesting of the message fields]

    SNMP message: VERSION | COMMUNITY | SNMP PDU
    SNMP PDU: PDU TYPE* | REQUEST ID | ERROR STATUS | ERROR INDEX | VARIABLE BINDINGS
    variable bindings: NAME 1 | VALUE 1 | NAME 2 | VALUE 2 | ... | NAME n | VALUE n

    SNMP V1 General Message Format

    Table 212: SNMP Version 1 (SNMPv1) General Message Format

    Field Name | Syntax | Size (bytes) | Description
    Version | Integer | 4 | Version Number: Describes the SNMP version number of this message; used for ensuring compatibility between versions. For SNMPv1, this value is actually 0, not 1.
    Community | Octet String | Variable | Community String: Identifies the SNMP community in which the sender and recipient of this message are located. This is used to implement the simple SNMP.
    PDU | Variable | | Protocol Data Unit: The PDU being communicated as the body of the message.

    SNMP v1 PDU Format

    Table 213: SNMP Version 1 (SNMPv1) Common PDU Format

    Field Name | Syntax | Size (bytes) | Description
    PDU Type | Integer (Enumerated) | 4 |
    Request ID | Integer | 4 | Request Identifier: A number used to match requests with replies. It is generated by the device that sends a request and copied into this field in a GetResponse-PDU by the responding SNMP entity.
    Error Status | Integer (Enumerated) | 4 |
    Error Index | Integer | 4 | Error Index: When Error Status is non-zero, this field contains a pointer that specifies which object generated the error. Always zero in a request.
    Variable Bindings | Variable | Variable | Variable Bindings: A set of name-value pairs identifying the MIB objects in the PDU, and in the case of a SetRequest-PDU or GetResponse-PDU, containing their values.
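    The SNMPv1 message, PDU and variable-binding layout from Tables 211 to 213, decoded from raw bytes; it shows the version value 0 and the community string sitting unencrypted in the message. This is an added example, not code from the slides: the sample bytes are constructed, and the `.0` instance suffix, the community `public` and the request-id are assumptions.

```python
# Constructed sample: SNMPv1 GetRequest for sysLocation.0.
SAMPLE_GET = bytes.fromhex(
    "3027"                  # SEQUENCE, 39 bytes: the SNMP message
    "020100"                # INTEGER 0     -> version (SNMPv1 is 0, not 1)
    "04067075626c6963"      # OCTET STRING  -> community "public", cleartext
    "a01a"                  # [0] GetRequest-PDU, 26 bytes
    "02023039"              # request-id 12345
    "020100" "020100"       # error-status 0, error-index 0
    "300e" "300c"           # variable bindings holding one name/value pair
    "06082b06010201010600"  # name: OID 1.3.6.1.2.1.1.6.0
    "0500"                  # value: NULL placeholder in a get request
)

# Context tags 0xA0 + PDU type; the Trap-PDU (type 4) has its own layout.
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest"}


def read_tlv(buf, pos):
    """Read one BER tag-length-value; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: next n bytes hold length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):          # never trust a length field blindly
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def expect(buf, pos, want):
    """Read a TLV and insist on its tag; return (value, next_pos)."""
    tag, value, pos = read_tlv(buf, pos)
    if tag != want:
        raise ValueError(f"expected tag 0x{want:02x}, got 0x{tag:02x}")
    return value, pos


def decode_int(value):
    return int.from_bytes(value, "big", signed=True)


def decode_oid(data):
    """Decode base-128 sub-identifiers; the first one packs two arcs."""
    if not data or data[-1] & 0x80:
        raise ValueError("malformed OID")
    subids, acc = [], 0
    for byte in data:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subids.append(acc)
            acc = 0
    first = min(subids[0] // 40, 2)
    return ".".join(str(a) for a in [first, subids[0] - 40 * first] + subids[1:])


def decode_value(tag, value):
    if tag == 0x02:
        return decode_int(value)
    if tag == 0x04:
        return bytes(value)
    if tag == 0x05:
        return None                      # NULL placeholder
    if tag == 0x06:
        return decode_oid(value)
    return (tag, bytes(value))           # other types are left undecoded


def parse_v1_message(buf):
    """Parse version, community and a common-format PDU into a dict."""
    body, end = expect(buf, 0, 0x30)
    if end != len(buf):
        raise ValueError("trailing bytes after SNMP message")
    version, pos = expect(body, 0, 0x02)
    community, pos = expect(body, pos, 0x04)
    pdu_tag, pdu, pos = read_tlv(body, pos)
    if pdu_tag not in PDU_TYPES:
        raise ValueError(f"unsupported PDU tag 0x{pdu_tag:02x}")
    ints, p = [], 0
    for _ in range(3):                   # request-id, error-status, error-index
        raw, p = expect(pdu, p, 0x02)
        ints.append(decode_int(raw))
    varbinds, p = expect(pdu, p, 0x30)
    bindings, q = [], 0
    while q < len(varbinds):
        pair, q = expect(varbinds, q, 0x30)
        name, r = expect(pair, 0, 0x06)
        vtag, value, r = read_tlv(pair, r)
        bindings.append((decode_oid(name), decode_value(vtag, value)))
    return {"version": decode_int(version),
            "community": community.decode("latin-1"),
            "pdu_type": PDU_TYPES[pdu_tag], "request_id": ints[0],
            "error_status": ints[1], "error_index": ints[2],
            "bindings": bindings}
```

    Every field carries its own length on the wire, so the decoder checks each length against the remaining buffer before slicing.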

    SNMP V1 Trap-PDU Format

    Table 214: SNMP Version 1 (SNMPv1) Trap-PDU Format

    Field Name | Syntax | Size (bytes) | Description
    PDU Type | Integer (Enumerated) | 4 | PDU Type: An integer value that indicates the PDU type, which is 4 for a Trap-PDU message.
    Enterprise | Sequence of Integer | Variable | Enterprise: An object identifier for a group, which indicates the type of object that generated the trap.
    Agent Addr | NetworkAddress | 4 | Agent Address: The IP address of the SNMP agent that generated the trap. This is of course also in the IP header at lower levels but inclusion in the SNMP message format allows for easier trap logging within SNMP. Also, in the case of a multihomed host, this specifies the preferred address.
    Generic Trap | Integer (Enumerated) | 4 | Generic Trap Code: A code value specifying one of a number of predefined generic trap types.
    Specific Trap | Integer | 4 | Specific Trap Code: A code value indicating an implementation-specific trap type.
    Time Stamp | TimeTicks | 4 | Time Stamp: The amount of time since the SNMP entity sending this message last initialized or reinitialized. Used to time stamp traps for logging purposes.
    Variable Bindings | Variable | Variable | Variable Bindings: A set of name-value pairs identifying the MIB objects in the PDU.

    SNMP v2 Message Format

    SNMPv2 Get, GetNext, Inform, Response, Set, and Trap PDUs Contain the Same Fields

    The SNMPv2 GetBulk PDU

    SNMP v3 General Message Format

    SNMP v3 General Message Format

    Table 221: SNMP Version 3 (SNMPv3) General Message Format

    Field Name | Syntax | Size (bytes) | Description
    Msg Version | Integer | 4 | Message Version Number: Describes the SNMP version number of this message; used for ensuring compatibility between versions. For SNMPv3, this value is 3.
    Msg ID | Integer | 4 | Message Identifier: A number used to identify an SNMPv3 message and to match response messages to request messages. The use of this field is similar to that of the Request ID field in the PDU format, but they are not identical. This field was created to allow matching at the message processing level regardless of the contents of the PDU, to protect against certain security attacks. Thus, Msg ID and Request ID are used independently.
    Msg Max Size | Integer | 4 | Maximum Message Size: The maximum size of message that the sender of this message can receive. Minimum value of this field is 484.
    Msg Flags | Octet String | 1 |
    Msg Security Model | Integer | 4 | Message Security Model: An integer value indicating which security model was used for this message. For the user-based security model (the default in SNMPv3) this value is 3.
    Msg Security Parameters | Variable | | Message Security Parameters: A set of fields that contain parameters required to implement the particular security model used for this message. The contents of this field are specified in each document describing an SNMPv3 security model. For example, the parameters for the user-based model are in RFC 3414.
    Scoped PDU | Variable | |

    Security services

    Data Integrity is the provision of the property that data or data sequences have not been altered or destroyed in an unauthorized manner.

    Data Origin Authentication is the provision of the property that the claimed identity of the user on whose behalf received data was originated is corroborated.

    Data Confidentiality is the provision of the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

    Message timeliness and limited replay protection is the provision of the property that a message whose generation time is outside of a specified time window is not accepted.


    Performance and Security Issues

    Modification of Information
    The modification threat is the danger that some unauthorized entity may alter in-transit SNMP messages generated on behalf of an authorized principal in such a way as to effect unauthorized management operations, including falsifying the value of an object.

    Masquerade
    The masquerade threat is the danger that management operations not authorized for some user may be attempted by assuming the identity of another user that has the appropriate authorizations.

    Disclosure
    The disclosure threat is the danger of eavesdropping on the exchanges between managed agents and a management station. Protecting against this threat may be required as a matter of local policy.

    Message Stream Modification
    The SNMP protocol is typically based upon a connection-less transport service which may operate over any sub-network service. The re-ordering, delay or replay of messages can and does occur through the natural operation of many such sub-network services. The message stream modification threat is the danger that messages may be altered, in order to effect unauthorized management operations.


    Extensions (SNMPv2 protocol)

    Two new protocol operations have been added in SNMPv2. Get-bulk-request supports efficient transfer of large amounts of MIB data, and Inform-request enables a manager to inform another manager of significant events.
    The main problems of SNMPv1 are the authentication of the message source, protecting these messages from disclosure, and placing access controls on the MIB database. Those problems are solved in SNMPv2 by changing the format of SNMP PDUs.

    In SNMPv1, traps had a different format than all of the other PDUs. SNMPv2 simplifies traps by giving them the same format as the get and set PDUs.
    In SNMPv1, if too much data is requested in an ordinary get-request, you receive a "too big" error message without data. In SNMPv2, Get-bulk-request allows you to retrieve a lot of information, and you will receive as much data as possible in the response message.
    In SNMPv2, if one of multiple requested values in a get-request is not valid or does not exist, answers are still returned for the other requested values that were handled successfully. In SNMPv1, by contrast, no response at all was given, only the error message.
    The SNMPv2 security framework deals with the problems of authenticating the message sender and its contents, and of eavesdropping. It also supports the use of an authentication protocol to verify the reliability of the source and to prevent message modification.

    It also supports the use of encryption to keep messages private. SNMPv1 doesn't have any of these security features.


    SNMP Security
    Security in SNMP versions

    SNMPv1 uses community strings for authentication, sent as plain text without encryption.
    SNMPv2 was supposed to fix security problems, but the effort was derailed.
    SNMPv3 has numerous security features:

    Ensures that a packet has not been tampered with (integrity).
    Ensures that a message is from a valid source (authentication).
    Ensures that a message cannot be read by unauthorized parties (privacy).

    SNMP has three security levels, for:
    Monitoring (no authentication / no privacy): Authentication by matching a user name.
    Control (authentication / no privacy): Authentication with MD5 or SHA message digests.
    Downloading secrets (authentication / privacy): Authentication with MD5 or SHA message digests, and encryption with DES.
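How the authentication level detects a modified message, as an added example that is not from the slides: key localization and the 96-bit truncated HMAC follow RFC 3414, while the message bytes, the fixed digest offset and the function names are constructed assumptions (a real implementation finds the digest field by decoding the security parameters).

```python
import hashlib
import hmac

AUTH_LEN = 12  # HMAC-MD5-96 and HMAC-SHA-96 keep the first 96 bits of the HMAC

def password_to_key(password: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """RFC 3414 A.2: hash the password repeated to 1 MiB, then localize to one engine."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(1048576, len(password))
    ku = hashlib.new(algo, password * reps + password[:rem]).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()

def sign(message: bytes, offset: int, key: bytes, algo: str = "sha1") -> bytes:
    """Replace the 12 zero octets at `offset` with the truncated HMAC of the message."""
    if message[offset:offset + AUTH_LEN] != bytes(AUTH_LEN):
        raise ValueError("digest field must be zero-filled before signing")
    mac = hmac.new(key, message, algo).digest()[:AUTH_LEN]
    return message[:offset] + mac + message[offset + AUTH_LEN:]

def verify(message: bytes, offset: int, key: bytes, algo: str = "sha1") -> bool:
    """Recompute the HMAC over the message with the digest field zeroed again."""
    received = message[offset:offset + AUTH_LEN]
    zeroed = message[:offset] + bytes(AUTH_LEN) + message[offset + AUTH_LEN:]
    expected = hmac.new(key, zeroed, algo).digest()[:AUTH_LEN]
    return hmac.compare_digest(received, expected)  # constant-time comparison

# Constructed stand-in for a serialized message: prefix, digest placeholder, payload.
PREFIX = b"constructed-header|"
UNSIGNED = PREFIX + bytes(AUTH_LEN) + b"|set sysContact.0=noc@example.net"
ENGINE_ID = bytes.fromhex("000000000000000000000002")  # engine ID from the RFC 3414 samples
KEY = password_to_key(b"maplesyrup", ENGINE_ID)         # password from the RFC 3414 samples
SIGNED = sign(UNSIGNED, len(PREFIX), KEY)
TAMPERED = SIGNED.replace(b"noc@", b"bad@")             # in-transit modification
```

`verify(SIGNED, len(PREFIX), KEY)` returns True and `verify(TAMPERED, len(PREFIX), KEY)` returns False; the same check fails for a sender that does not hold the localized key.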


    SNMP GUI OpenView Severity Levels

    Severity    Color
    -------------------
    Unknown     Blue
    Normal      Green
    Warning     Cyan
    Minor       Yellow
    Major       Orange
    Critical    Red


    Conclusions

    Standardized
    Universally supported
    Extendible
    Portable
    Allows distributed management access
    Lightweight protocol


    Review Questions

    1. What are the components in network management architecture and define them? slide 5-7

    2. What are MIBs, and how are they accessed? slide 9

    3. What are the types of messages between SNMP manager and agent? slide 25


    THANK YOU