Sie sind auf Seite 1von 39

(Unit-7) SNMP slides

Different steps in network management:


Configuration Management - inventory, configuration, provisioning
Fault Management - reactive and proactive network fault management
Performance Management - # of packets dropped, timeouts, collisions, CRC
errors

Security Management - SNMP doesn’t provide much here


Accounting Management - cost management and chargeback assessment
Asset Management - statistics of equipment, facility, and administration personnel
Planning Management - analysis of trends to help justify a network upgrade or
bandwidth increase

Mukesh Chinta,Asst Prof, VNRVJIET 1


(Unit-7) SNMP slides

SNMP is a “client pull” model i.e., The management system (client) “pulls” data
from the agent (server).
SNMP is a “server push” model i.e., The agent (server) “pushes” out a trap message
to a (client) management system
Advantages of SNMP are: Standardized, universally supported, extendible,
portable, allows distributed management access and lightweight protocol

Mukesh Chinta,Asst Prof, VNRVJIET 2


(Unit-7) SNMP slides

SNMP defines a client/server relationship. The client program (called the SNMP
manager) makes connections to a server program (called the SNMP agent) which
resides on a remote network device, and serves information to the network manager
regarding the device‘s status. On an abstract level, SNMP can be seen as a service, a
management application makes use of, to manage distributed objects.
• The SNMP manager maintains a central database (called the SNMP Management
Information Base or MIB) that is fed by means of queries to the SNMP agents
distributed throughout the network. A MIB consists of a standard set of statistical and
control values defined by various IETF RFCs and can be extended with values specific
to a particular agent through the use of private or „vendor“ MIBs.

Mukesh Chinta,Asst Prof, VNRVJIET 3


(Unit-7) SNMP slides

SNMP is a simple tool for management. It defines a limited, easily implemented MIB
of scalar variables and two-dimensional tables, and it defines a streamlined protocol
to enable a manager to get and set MIB variables and to enable an agent to issue
unsolicited notifications called traps.

Mukesh Chinta,Asst Prof, VNRVJIET 4


(Unit-7) SNMP slides

Get and GetNext messages: Manager to request information for a specific


variable.
Agent issue a GetResponse message
Set message: Manager request a change be made to the value of a specific variable
Trap message: Agent to spontaneously inform the manager of an ‘important’ event.
(Report alarm)

SNMP messages are transported using the unreliable UDP protocol. This has the
advantage that control connections will not hang indefinitely when an SNMP agent
becomes temporarily unavailable or goes off-line altogether. On the negative side
messages can get lost, especially in the critical case when networks become
congested and management information is most needed.

Mukesh Chinta,Asst Prof, VNRVJIET 5


(Unit-7) SNMP slides

•Traps are unrequested event reports that are sent to a management system by an
SNMP agent process
•When a trappable event occurs, a trap message is generated by the agent and is
sent to a trap destination (a specific, configured network address)
•Many events can be configured to signal a trap, like a network cable fault, failing NIC
or Hard Drive, a “General Protection Fault”, or a power supply failure
•Traps can also be throttled -- You can limit the number of traps sent per second from
the agent
•Traps have a priority associated with them -- Critical, Major, Minor, Warning,
Marginal, Informational, Normal, Unknown

Mukesh Chinta,Asst Prof, VNRVJIET 6


(Unit-7) SNMP slides

Proxy & Gateway Agents extend the capabilities of SNMP by allowing it to:
•Manage a device that cannot support an SNMP agent
•Manage a device that supports a non-SNMP management agent
•Allow a non-SNMP management system to access an SNMP agent
•Provide firewall-type security to other SNMP agents (UDP packet filtering)
•Translate between different formats of SNMP messages (v1 and v2)
•Consolidate multiple managed nodes into a single network address (also to provide
a single trap destination)

Mukesh Chinta,Asst Prof, VNRVJIET 7


(Unit-7) SNMP slides

Mukesh Chinta,Asst Prof, VNRVJIET 8


(Unit-7) SNMP slides

Mukesh Chinta,Asst Prof, VNRVJIET 9


(Unit-7) SNMP slides

Mukesh Chinta,Asst Prof, VNRVJIET 10


(Unit-7) SNMP slides

Mukesh Chinta,Asst Prof, VNRVJIET 11


(Unit-7) SNMP slides

Mukesh Chinta,Asst Prof, VNRVJIET 12


(Unit-7) SNMP slides

Inform command has the advantage that it can be used to construct a configuration
in which multiple managers cooperate to share management responsibility in a large
network.
GetBulk command is designed for the transmission of entire tables with one
command.
For SNMPv1, the get command is rejected even if atleast one of the object does not
exist at the agent, where as partial results may be returned for SNMPv2

Mukesh Chinta,Asst Prof, VNRVJIET 13


(Unit-7) SNMP slides

The manager “manages” a number of agents. Each agent controls its own local MIB
and must be able to control the use of that MIB by a number of managers.
Authentication service: The agent may wish to limit access to the MIB to authorized
managers.
. Access policy: The agent may wish to give different access privileges to different
managers.
. Proxy service: An agent may act as proxy to other agents. This may involve
implementing the authentication service and/or access policy for the other agents on
the proxy system.

Mukesh Chinta,Asst Prof, VNRVJIET 14


(Unit-7) SNMP slides

Mukesh Chinta,Asst Prof, VNRVJIET 15


(Unit-7) SNMP slides

The combination of an MIB view and access mode is referred to as an SNMP


community profile. Thus, a community profile consists of a defined subset of the MIB
at the agent, plus an access mode for those objects. The SNMP access mode is
applied uniformly to all of the objects in the MIB view. Thus, if the access mode
READ-ONL Y is selected, it applies to all of the objects in the view and limits managers
access of this view to read-only operations. A community profile is associated with
each community defined by an agent; the combination of an SNMP community and
an SNMP community profile is referred to as an SNMP access policy.

Mukesh Chinta,Asst Prof, VNRVJIET 16


(Unit-7) SNMP slides

In 1998, the IETF SNMPv3 working group produced a set of Proposed Internet
standards, currently RFCs 2570 through 2576. This document set defines a framework
for incorporating security features into an overall capability that includes either
SNMPv1 or SNMPv2 functionality. In addition, the documents define a specific set of
capabilities for network security and access control.
RFC 2571 describes an architecture within which all current and future versions of
SNMP fit. RFC 2575 describes an access control facility, which is intended to operate
independently of the core SNMPv3 capability.

Mukesh Chinta,Asst Prof, VNRVJIET 17


(Unit-7) SNMP slides

Mukesh Chinta,Asst Prof, VNRVJIET 18


(Unit-7) SNMP slides

Both the SNMP engine and the applications it supports are defined as a collection of
discrete modules. An SNMP engine implements functions for sending and receiving
messages, authenticating and encrypting/decrypting messages, and controlling
access to managed objects. These functions are provided as services to one or more
applications that are configured with the SNMP engine to form an SNMP entity.

Mukesh Chinta,Asst Prof, VNRVJIET 19


(Unit-7) SNMP slides

A traditional SNMP manager interacts with SNMP agents by issuing commands (get,
set) and by receiving trap messages; the manager may also
interact with other managers by issuing Inform Request PDUs, which provide alerts,
and by receiving Inform Response PDUs, which acknowledge Inform Requests.

Mukesh Chinta,Asst Prof, VNRVJIET 20


(Unit-7) SNMP slides

The Command Generator Applications monitor and manipulate management data at


remote agents; they make use of SNMPv1 and/or SNMPv2
PDUs, including Get, GetNext, GetBulk, and Set. A Notification Originator Application
initiates asynchronous messages; in the case of a traditional manager, the
InformRequest PDU is used for this application. A Notification Receiver Application
processes incoming asynchronous messages; these include InformRequest, SNMPv2-
Trap, and SNMPv1 Trap PDUs. In the case of an incoming InformRequest PDU, the
Notification Receiver Application will respond with a Response PDU.

Mukesh Chinta,Asst Prof, VNRVJIET 21


(Unit-7) SNMP slides

For incoming PDU’s, the Dispatcher accepts PDUs from applications and passes it onto
appropriate message processing module in the message processing subsystem, which returns
a message containing the PDU with appropriate message headers. Then the dispatcher
passes this message to the transport layer for transmission. For incoming messages, the
Dispatcher accepts messages from the transport layer and routes each message to the
appropriate message processing module. Subsequently, the Message Processing Subsystem
returns the PDU contained in the message which is then passed to the appropriate
application. The Message Processing Subsystem accepts outgoing PDUs from the Dispatcher
and prepares these for transmission by wrapping them in the appropriate message header
and returning them to the Dispatcher. The Message Processing Subsystem also accepts
incoming messages from the Dispatcher, processes each message header, and returns the
enclosed PDU to the Dispatcher. An implementation of the Message Processing Subsystem
may support a single message format corresponding to a single version of SNMP (SNMPv1,
SNMPv2c, SNMPv3), or it may contain a number of modules, each supporting a different
version of SNMP. The Security subsystem performs authentication and encryption functions.
Each outgoing message is passed to the Security Subsystem from the Message Processing
Subsystem. Depending on the services required, the Security Subsystem may encrypt the
enclosed PDU and possibly some fields in the message header, and it may generate an
authentication code and insert it into the message header. The processed message is then
returned to the Message Processing Subsystem. Similarly, each incoming message is passed
to the Security Subsystem from the Message Processing Subsystem. If required, the Security
Subsystem checks the authentication code and performs decryption. It then returns the
processed message to the Message Processing Subsystem. An implementation of the
Security Subsystem may support one or more distinct security models. So far, the only
defined security model is the User-Based Security Model (USM) for SNMPv3, specified in RFC
2574.

Mukesh Chinta,Asst Prof, VNRVJIET 22


(Unit-7) SNMP slides

Mukesh Chinta,Asst Prof, VNRVJIET 23


(Unit-7) SNMP slides

Mukesh Chinta,Asst Prof, VNRVJIET 24


(Unit-7) SNMP slides

Mukesh Chinta,Asst Prof, VNRVJIET 25


(Unit-7) SNMP slides

Mukesh Chinta,Asst Prof, VNRVJIET 26


(Unit-7) SNMP slides

Message processing involves a general-purpose message processing model and a


specific security model. The first five fields are generated by the message processing
model on outgoing messages and processed by the message processing model on
incoming messages. The next six fields show security parameters used by USM.
Finally, the PDU, together with the contextEngineID and contextName, constitutes a
scoped PDU, used for PDU processing.

Mukesh Chinta,Asst Prof, VNRVJIET 27


(Unit-7) SNMP slides

Mukesh Chinta,Asst Prof, VNRVJIET 28


(Unit-7) SNMP slides

For HMAC-MD5-96, HMAC is used with MD5 as the underlying hash function. A 16-
octet (128-bit) authKey is used as input to the HMAC algorithm. The algorithm
produces a 128-bit output, which is truncated to 12 octets (96 bits). For HMACSHA-
96, the underling hash function is SHA-l. The authKey is 20 octets in length. The
algorithm produces a 20-octet output, which is again truncated to 12 octets. USM
uses the cipher block chaining (CBC) mode of the Data Encryption Standard (DES) for
encryption. A 16-octet privKey is provided as input to the encryption protocol. The
first 8 octets (64 bits) of this privKey are used as a DES key. Because DES only requires
a 56-bit key, the least significant bit of each octet
is ignored. For CBC mode, a 64-bit initialization vector (IV) is required. The last 8
octets of the privKey contain a value that is used to generate this IV.

Mukesh Chinta,Asst Prof, VNRVJIET 29


(Unit-7) SNMP slides

Timeliness:- When an authoritative engine sends a message (Trap, Response, Report),


it contains the current value of its clock, so that the
nonauthoritative recipient can synchronize on that clock. When a nonauthoritative
engine sends a message (Get, GetNext, GetBulk, Set, Inform), it includes its current
estimate of the time value at the destination, allowing the destination to assess the
message's timeliness.
Key Localization:-A key localization process, enables a single principal to own. keys
stored in multiple engines; these keys are localized to the authoritative engine in such
a way that the principal is responsible for a single key but avoids the security risk of
storing multiple copies of the same key in a distributed network.
It makes sense to designate the receiver of Command Generator and
Inform PDUs as the authoritative engine, and therefore responsible for checking
message timeliness. If a response or trap is delayed or replayed, little harm should
occur. However, Command Generator and, to some extent, Inform PDUs result in
management operations, such as reading or setting MIE objects. Thus, it is important
to guarantee
that such PDUs are not delayed or replayed, which could cause undesired effects.

Mukesh Chinta,Asst Prof, VNRVJIET 30


(Unit-7) SNMP slides

Mukesh Chinta,Asst Prof, VNRVJIET 31


(Unit-7) SNMP slides

For message transmission, encryption is performed first, if needed. The scoped PDU
is encrypted and placed in the message payload, and the msgPrivacyParameters value
is set to the value needed to generate the IV. Then authentication is performed, if
needed. The entire message, including the scoped PDU is input to HMAC, and the
resulting authentication code is placed in msgAuthenticationParameters. For
incoming messages, authentication is performed first if needed. USM first checks the
incoming MAC against a MAC that it ca1culated; if the two values match, then the
message is assumed to be authentic (comes from the alleged source and has not
been altered in transmission). Then USM checks whether the message is within a
valid time window. If the message is not timely, it is discarded as not authentic.
Finally, if the scoped PDU has been encrypted, USM performs a decryption and
returns the plaintext.

Mukesh Chinta,Asst Prof, VNRVJIET 32


(Unit-7) SNMP slides

Mukesh Chinta,Asst Prof, VNRVJIET 33


(Unit-7) SNMP slides

Mukesh Chinta,Asst Prof, VNRVJIET 34


(Unit-7) SNMP slides

Mukesh Chinta,Asst Prof, VNRVJIET 35


(Unit-7) SNMP slides

Mukesh Chinta,Asst Prof, VNRVJIET 36


(Unit-7) SNMP slides

A group is defined as a set of zero or more <securityModel, securityName> tuples


on whose behalf SNMP management objects can be accessed. A securityName refers
to a principal, and access rights for aH principals in a given group are identical. A
unique groupName is associated with each group. The group concept is a useful tool
for categorizing managers with respect to access rights. Any given combination of
securityModel and securityName can belong to at most one group.

Access determination depends on the following factors: principal, security level,


security model, MIB context, object instance and type of access.

Mukesh Chinta,Asst Prof, VNRVJIET 37


(Unit-7) SNMP slides

Mukesh Chinta,Asst Prof, VNRVJIET 38


(Unit-7) SNMP slides

Mukesh Chinta,Asst Prof, VNRVJIET 39