Contents

1. NMS Overview
2. SMI, or how a MIB is written
3. MIB II
4. SNMP Operations: Get, GetNext, Set..
5. SNMPv3

Version 1.0

Overview of Network Management Systems

NMS - Overview

- Communication networks vary in nature, complexity and size.
- In addition, each equipment vendor brings in its own proprietary implementations.
- Effective network management is thus a critical component for network operators and service providers to run their business.
- Service providers face a huge challenge in managing the network and ensuring the availability of services.

NMS - Overview

- The IETF is the standards body for IP networks, which use SNMP.
- Standardization for telecom networks is driven by the ITU, which uses TMN.
- Network management proxies converge the different network management standardizations.

NMS - Overview
Manager Agent Model

Manager: The entity that performs the management functions by communicating with the agent.

Agent: The entity that represents the part of the network being managed. The agent provides communication with the manager and executes the instructions received.

Preferred architecture: hierarchical Manager Agent Model.

Workbook 1

Workbook 1 (contd.)
Look at the pictures in the previous slide. Which of them will have agents and which can have managers? Group these devices into categories and arrange them in a network management hierarchy. You can have as many copies of each device as you like.

Network Management Style


POLLING
- Request and get information
- Overall picture available
- Non-real-time information
- Higher bandwidth need

TRAPS
- Real-time information
- Exceptions reported
- Interrupt-driven process
- Lower bandwidth

Preferred solution: trap-directed polling.

Workbook 2

Workbook 2
Look at the diagram in the previous slide. What parameters will you poll, and what traps and alarms will you capture?

NMS Functional Overview

Network Management consists of:

- Fault Management
- Configuration Management
- Accounting Management
- Performance Management
- Security Management

Fault Management

Fault Management covers:
- Alarm handling
- Trouble detection
- Trouble correction
- Test and acceptance
- Network recovery

Alarms
Alarms should contain the following information:
1. Originating resource (network element, facilities, element management system, performance monitoring, etc.)
2. Trouble explanation (e.g., a defined alarm code)
3. Severity code
4. Date and time the alarm condition occurred
5. Duration of the alarm condition
6. Status of the alarm (e.g., active, cleared, acknowledged, etc.)

Configuration Management
Configuration Management covers:
- System boot-up function
- Network provisioning
- Auto discovery
- Backup and restore
- Database handling

Accounting Management
Accounting Management consists of:
- Tracking service usage
- Billing for usage

Performance Management
Performance Management entails:
- Data collection
- Report generation
- Data analysis

Security Management
Security Management involves:
- Controlling device access
- Enabling device functions
- Access logs
- Authentication
- Authorization
- Encryption

Some Network Management Protocols


- SNMP - SIMPLE NETWORK MANAGEMENT PROTOCOL
  - v1: first version
  - v2: enhanced, supports large data handling
  - v3: enhanced security and access control
- TL1 - TRANSACTION LANGUAGE 1
- CMIP - COMMON MANAGEMENT INFORMATION PROTOCOL (TMN specified)

Functional View of NMS

(Diagram.) The NMS is layered top-down as:
- Business Management Layer
- Service Management Layer
- Network Management Layer
- Element Management Layer
- Adaptation Layer

Below the adaptation layer sit the external interfaces to the network: PBX, switches, ATM, broadband, access nodes, transmission nodes, Frame Relay. Alongside are the OSS interfaces: call control and billing modules.

NMS - Overview

In a nutshell, Network Management is:
- the monitoring of managed resources
- the controlling of managed resources

NMS - Overview
What is a Managed Resource?

A component in your network. It may be a physical device:
- workstation
- network element
- circuit pack
- ...
or a logical entity:
- session
- connection
- software
- ...

Introduction to SMI

Introduction To SNMP

- SNMP stands for Simple Network Management Protocol.
- It makes use of the UDP/IP protocol stack for communication.
- SNMP models each device for the purpose of managing it.

SNMP Components
- SNMP Protocol: defines the format of messages exchanged by management systems and agents. Specifies the Get, GetNext, Set and Trap operations.
- Structure of Management Information (SMI): rules specifying the format used to define the objects managed on the network that the SNMP protocol accesses. Uses Abstract Syntax Notation One (ASN.1).
- Management Information Base (MIB): a collection of information organized hierarchically.

SNMP Object Modelling

- In order to manage a network it is essential to model the network.
- One way (the best way) to model the network is by making use of object-oriented methodology.
- SNMP also defines objects (not really objects, but attributes, by making use of ASN.1 macros).

SMI, SNMP & MIB

- In order to define objects in a uniform and consistent fashion, a framework is defined. The framework is referred to as SMI (Structure of Management Information).
- SMIv1 is defined by the IETF in RFC 1155; SNMPv1 in RFC 1157.
- MIB-II is defined in RFC 1213.
- The SNMPv2c RFCs are RFC 1902-1908.
- The SNMPv3 RFCs are RFC 3411-3418.

SNMP SMI

- Managed objects (network components) are accessed through a virtual information store called the Management Information Base (MIB).
- Each object type has a name, a syntax and an encoding:
  - The name of the object is represented by an OBJECT IDENTIFIER (an ASN.1 type).
  - The syntax of the object defines its abstract data structure, represented as an ASN.1 data type.
  - The encoding of the object is done with a standard encoding technique: BER (Basic Encoding Rules).

SNMP Object Naming

- The Object Identifier is a sequence of numbers that traverses a tree structure.
- Typically a label (textual name) is associated with each number. Example: ccitt (0), iso (1).

    internet      OBJECT IDENTIFIER ::= { iso org(3) dod(6) 1 }
    directory     OBJECT IDENTIFIER ::= { internet 1 }
    mgmt          OBJECT IDENTIFIER ::= { internet 2 }
    experimental  OBJECT IDENTIFIER ::= { internet 3 }
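As an added example (not part of the slide deck), the following Python resolves symbolic OBJECT IDENTIFIER assignments of the form shown above into dotted numeric OIDs and maps numeric OIDs back to the longest known label plus instance suffix. The input text is constructed from the assignments on this slide plus the MIB-II arcs down to sysUpTime; sysUpTime is really an OBJECT-TYPE in RFC 1213 and is written here as a plain OBJECT IDENTIFIER assignment only for brevity.

```python
import re
from typing import Dict, Tuple

OID = Tuple[int, ...]

# The three roots of the tree; everything else is derived from assignments.
ROOTS: Dict[str, OID] = {"ccitt": (0,), "iso": (1,), "joint-iso-ccitt": (2,)}

# Constructed input: the slide's assignments plus the MIB-II arcs needed to
# reach sysUpTime (an OBJECT-TYPE in RFC 1213, written as an OID assignment here).
ASSIGNMENTS = """
internet     OBJECT IDENTIFIER ::= { iso org(3) dod(6) 1 }
directory    OBJECT IDENTIFIER ::= { internet 1 }
mgmt         OBJECT IDENTIFIER ::= { internet 2 }
experimental OBJECT IDENTIFIER ::= { internet 3 }
private      OBJECT IDENTIFIER ::= { internet 4 }
enterprises  OBJECT IDENTIFIER ::= { private 1 }
mib-2        OBJECT IDENTIFIER ::= { mgmt 1 }
system       OBJECT IDENTIFIER ::= { mib-2 1 }
sysUpTime    OBJECT IDENTIFIER ::= { system 3 }
"""

ASSIGN_RE = re.compile(r"^\s*([\w-]+)\s+OBJECT IDENTIFIER\s*::=\s*\{([^}]*)\}\s*$")
LABELLED_RE = re.compile(r"^([\w-]+)\((\d+)\)$")   # a labelled arc such as org(3)


def parse_assignments(text: str) -> Dict[str, OID]:
    """Build name -> OID. Each definition may only refer to names defined before it."""
    table = dict(ROOTS)
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        name, body = m.groups()
        arcs: list = []
        for i, comp in enumerate(body.split()):
            labelled = LABELLED_RE.match(comp)
            if labelled:                       # org(3): append the number and learn the label
                arcs.append(int(labelled.group(2)))
                table.setdefault(labelled.group(1), tuple(arcs))
            elif comp.isdigit():               # bare sub-identifier
                arcs.append(int(comp))
            elif i == 0 and comp in table:     # leading label must already be known
                arcs.extend(table[comp])
            else:
                raise ValueError(f"{name}: unresolved component {comp!r}")
        table[name] = tuple(arcs)
    return table


TABLE = parse_assignments(ASSIGNMENTS)


def to_dotted(symbolic: str) -> str:
    """'sysUpTime.0' -> '1.3.6.1.2.1.1.3.0'; anything after the label is an instance suffix."""
    head, *suffix = symbolic.split(".")
    return ".".join(str(a) for a in TABLE[head] + tuple(int(s) for s in suffix))


def to_symbolic(dotted: str) -> str:
    """Longest known prefix wins: '1.3.6.1.4.1.5000.10' -> 'enterprises.5000.10'."""
    arcs = tuple(int(a) for a in dotted.split("."))
    best = max((n for n, o in TABLE.items() if arcs[:len(o)] == o), key=lambda n: len(TABLE[n]))
    rest = arcs[len(TABLE[best]):]
    return ".".join([best, *map(str, rest)])
```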

ISO OID Tree


root
|-- ccitt (0)
|-- iso (1)
|   |-- stnd (0)
|   |-- reg-auth (1)
|   |-- mb (2)
|   `-- org (3)
|       `-- dod (6)
|           `-- internet (1)
|               |-- directory (1)
|               |-- mgmt (2)
|               |   `-- mib-2 (1)
|               |-- experimental (3)
|               |-- private (4)
|               |   `-- enterprises (1)
|               |-- security (5)
|               `-- snmpV2 (6)
|                   |-- snmpDomains (1)
|                   |-- snmpProxys (2)
|                   `-- snmpModules (3)
`-- joint-iso-ccitt (2)

Workbook 3: MIB tree

Workbook 3 (contd.)
Open the AdventNet MIB Browser as shown in the previous slide. Load the RFC 1213 MIB. Examine the tree from the root of the ISO OID tree. What do you observe?

Primitive ASN.1 Data Types


The 4 built-in or primitive ASN.1 data types are:
1. INTEGER
2. OCTET STRING
3. OBJECT IDENTIFIER
4. NULL

SMIv1 - Object Types

Apart from the ASN.1 data types, SMIv1 defines application-wide data types such as:

- NetworkAddress: a CHOICE type for selecting from a family of addresses
- IpAddress: an OCTET STRING of length 4
- Counter: a non-negative integer that increases to a maximum value and then resets to zero
- Gauge: an integer value that can increase or decrease, but latches at its maximum (minimum) value
- Opaque: a container type (OCTET STRING) for any ASN.1 type
- TimeTicks: an integer, each unit representing 1/100th of a second

Quick Quiz
- An IpAddress type object will be found in ...
- A Counter type object will be found in ...
- A Gauge type object example is ...
- A table type object example is ...
- An OCTET STRING example is ...
- A NULL object example is ...
- An OPAQUE object example is ...
- A TimeTicks object is found in ...

SMIv1 and SMIv2 Data Types


                         SMIv1                SMIv2
Simple types:            INTEGER              INTEGER
                         OCTET STRING         OCTET STRING
                         OBJECT IDENTIFIER    OBJECT IDENTIFIER
                                              Integer32
Application-wide types:  Gauge                Unsigned32
                         Counter              Gauge32
                         TimeTicks            Counter32
                         IpAddress            Counter64
                         Opaque               TimeTicks
                         NetworkAddress       IpAddress
                                              Opaque
Pseudo types:            -                    BITS

OBJECT-TYPE Definition
OBJECT-TYPE clauses and their permitted values:

SYNTAX        INTEGER, OCTET STRING, OBJECT IDENTIFIER, BITS, IpAddress, Integer32, Counter32, Counter64, Gauge32, TimeTicks, Opaque, or a newly defined type
MAX-ACCESS    read-only, read-write, read-create, accessible-for-notify, not-accessible
STATUS        current, deprecated, obsolete
DESCRIPTION   "..." (a quoted text string)

OBJECT-TYPE Scalar Definition Example


Definition of address:

    address OBJECT-TYPE
        SYNTAX      IpAddress
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION "The Internet address of this system"
        ::= { NEW-MIB 1 }

Workbook 4
Examine the RFC 1213 MIB file and locate an OBJECT-TYPE definition for a scalar. Locate OBJECT IDENTIFIER definitions and look at how they are written.

Definition of Non Leaf Objects


    info OBJECT IDENTIFIER ::= { NEW-MIB 2 }

Alternative construct: OBJECT-IDENTITY. Example:

    info OBJECT-IDENTITY
        STATUS      current
        DESCRIPTION "The node under which future scalar objects should be registered"
        ::= { NEW-MIB 2 }

Definition of a MIB
    NEW-MIB DEFINITIONS ::= BEGIN
        import statement(s)
        module identity definition
        definition of all node and leaf objects
        definition of implementation requirements
    END

MODULE IDENTITY Example


    newMibModule MODULE-IDENTITY
        LAST-UPDATED "200104041200Z"
        ORGANIZATION "UT-TMG"
        CONTACT-INFO "University of Twente
                      The Netherlands
                      Email: simpleweb@simpleweb.org"
        DESCRIPTION  "Experimental MIB for demo purposes"
        ::= { enterprises ut(785) 7 }

Imports Statement Example


    IMPORTS
        MODULE-IDENTITY, OBJECT-TYPE, TimeTicks, enterprises
            FROM SNMPv2-SMI;

An Example MIB
    WIN-MIB DEFINITIONS ::= BEGIN

    IMPORTS
        RowStatus, DisplayString
            FROM SNMPv2-TC
        OBJECT-TYPE, MODULE-IDENTITY, enterprises, Integer32
            FROM SNMPv2-SMI;

    winSystem MODULE-IDENTITY
        LAST-UPDATED "200210110900Z"
        ORGANIZATION "jay Inc."
        CONTACT-INFO "jay Inc.
                      Web site: www.wipro.com
                      Email: jaya.venu@wipro.com"
        DESCRIPTION  "The MIB module for managing winsys Info"
        ::= { enterprises jay(5000) 10 }

MIB example (contd.)

    mySysObjects OBJECT IDENTIFIER ::= { winSystem 1 }

    mySystemName OBJECT-TYPE
        SYNTAX      DisplayString
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION "System name"
        ::= { mySysObjects 1 }

    mySystemDir OBJECT-TYPE
        SYNTAX      DisplayString
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION "System directory"
        ::= { mySysObjects 2 }

    END

Workbook 5
Locate a MIB file with a MIB module definition that has IMPORTS and MODULE-IDENTITY. Can you follow how the module is organized? What do you think is the advantage of this approach?

IndexPart in Object Definition


The INDEX clause is a comma-separated list of object identifiers: one for a simple index, several for a composite index.

    IndexSyntax ::= CHOICE {
        number     INTEGER (0..MAX),
        string     OCTET STRING,
        object     OBJECT IDENTIFIER,
        ipAddress  IpAddress
    }

SNMP MIB Example Scalar

    udpInDatagrams OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION "The total number of UDP datagrams delivered to UDP users"
        ::= { udp 1 }

SNMP MIB Example Table Definition

    tcpConnTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF TcpConnEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION "A table containing TCP connection-specific information"
        ::= { tcp 13 }

    tcpConnEntry OBJECT-TYPE
        SYNTAX      TcpConnEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION "Information about a particular TCP connection"
        INDEX       { tcpConnLocalAddress, tcpConnLocalPort, tcpConnRemAddress, tcpConnRemPort }
        ::= { tcpConnTable 1 }

MIB Example Table Definition


    TcpConnEntry ::= SEQUENCE {
        tcpConnState         INTEGER,
        tcpConnLocalAddress  IpAddress,
        tcpConnLocalPort     INTEGER (0..65535),
        tcpConnRemAddress    IpAddress,
        tcpConnRemPort       INTEGER (0..65535)
    }

Workbook 6
Look at the table definition of any table object in the RFC 1213 MIB, such as ipRouteTable. What are the various components of a table definition?

Examples of Indexes in MIB-II


In MIB-II, the following INDEX clauses are used:

Object        INDEX
ifEntry       { ifIndex }
ipRouteEntry  { ipRouteDest }
tcpConnEntry  { tcpConnLocalAddress, tcpConnLocalPort, tcpConnRemAddress, tcpConnRemPort }
udpEntry      { udpLocalAddress, udpLocalPort }

Workbook 7: Writing a MIB


- Pick your problem for MIB generation.
- Link your own organization subtree into the MIB tree under enterprises.
- Write scalars and tables describing your organization and products.
- Use a MODULE-IDENTITY definition for your MIB, including the scalar and table objects.
- Load your MIB and debug all errors until it loads successfully.

MIB II

SNMP Some Object Groups

System group: provides general information about the managed system.

system
- sysDescr
- sysObjectID
- sysUpTime
- sysContact
- sysName
- sysLocation


SNMP Interface Object Groups

Interfaces group: contains information about the physical interfaces of the entity, including configuration and statistics of events occurring on each interface.

interfaces
- ifNumber
- ifTable
  - ifIndex
  - ifDescr
  - ifType
  - ifSpeed
  - ifMtu

Management Information Base


The MIB is a standard that specifies the data items that a host or gateway must keep and the operations allowed on each.

MIB category    Includes information about
system          the host/gateway operating system
interfaces      individual network interfaces
ip              Internet Protocol software
icmp            Internet Control Message Protocol
tcp, udp, egp   transport and routing
snmp            SNMP-related objects

MIB-II Interfaces Group

MIB-II IP Group

MIB-II TCP Group

SNMP Operations

SNMP Communication Model


(Diagram.) Host A runs the SNMP MANAGER and Host B runs the SNMP AGENT. On each host the protocol stack is SNMP over UDP/IP, over Data Link, over Physical.

SNMP Protocol

- The network devices are managed by the management station.
- Devices run agent software; the management station runs manager software.
- The manager learns about the network device through the agent.
- Hence both the agent and the manager need to share the same information model to work together.
- The agent interacts with the device (back end) to retrieve values.

SNMP Protocol

- The management station and the network device use the lightweight UDP protocol to send and receive messages.
- The management station does not instantiate the MIB; it retrieves the instances from the agent.
- The manager and the agent use a simple interaction: the manager sends a request message when it wants to retrieve objects, and the agent replies.
- On its own, the agent reports any trouble it notices on the device to the manager by sending TRAPs.

How SNMPv1 Messages Function

SNMP Message Format


    | version | community | SNMP PDU |

- version: specifies the SNMP version number
- community: an OCTET STRING that serves as the password for retrieving/modifying data
- SNMP PDU: specifies the operation

SNMP Protocol Interaction Get Operation


- The manager sends a GET request to retrieve objects from the agent. In order to get the objects, the manager needs to specify the object names.
- The agent responds to the GET request by sending the manager a GET-RESPONSE message with the list of requested objects (names) and their values, known as the variable binding (varbind) list.
- In case of error, the error index indicates the object which caused the error.

SNMP Protocol Interaction Get Operation

- In order to retrieve a scalar object from the agent, the manager has to send the object name suffixed with the instance value ZERO, e.g. sysUpTime.0.
- In order to retrieve values from a table, the object name is suffixed with the index value.
- If the agent does not find an object with the name supplied by the manager, it returns noSuchObject, or noSuchInstance if no instance of the object is found, in the value field of the variable (SNMPv2).

Protocol Operation - GET

(Diagram.) The Management Process on the Management Station sends a GetRequest (PDU Type, Request id, 0, 0, Variable Bindings carrying names only) to the Agent Process on the Device. The agent reads the MIB and returns a Response with no error (PDU Type, Request id, 0, 0, Name 1 / Variable 1 ... Name n / Variable n).

PDU format for GetRequest/Response:

    | PDU Type | Request id | Error Status | Error Index | Variable Bindings |

Protocol Operation GET (toobig error)

(Diagram.) The Management Station sends a GetRequest (PDU Type, Request id, 0, 0, Variable Bindings carrying names). The Agent Process returns a Response with Error Status tooBig and NULL variable bindings: the message size exceeds the maximum size.

PDU format for GetRequest/Response:

    | PDU Type | Request id | Error Status | Error Index | Variable Bindings |

Protocol Operation GET (generror error)

(Diagram.) The Management Station sends a GetRequest (PDU Type, Request id, 0, 0, Variable Bindings carrying names). The Agent Process returns a Response with Error Status genErr, Error Index pointing at the problem object, and the variable bindings (names) echoed back: processing of that variable name failed.

PDU format for GetRequest/Response:

    | PDU Type | Request id | Error Status | Error Index | Variable Bindings |

Error Status for SNMPv1


Values for error status are:

- noError (0): the request was successfully processed.
- tooBig (1): the agent could not fit the results of the request into a single SNMP message. Minimum size: 484 bytes. Maximum size: 1500 bytes for Ethernet networks.

Error Status
- noSuchName (2): an object was specified which the agent did not know, based on the specified community. The most common source is reading objects that do not exist.
- badValue (3): a set operation tried to modify an object with an invalid or inconsistent value.
- readOnly (4): defined in v1 to indicate that a set operation tried to modify a variable that, according to the community profile, cannot be written. In reality this isn't used: if you try to set a read-only object, the noSuchName error status is returned.
- genErr (5): any other error.

SNMPv2 to SNMPv1 Error Mapping


SNMPv2 Error Status    SNMPv1 Error Status
noError                noError
tooBig                 tooBig
noSuchName             noSuchName
badValue               badValue
readOnly               readOnly
genErr                 genErr
wrongValue             badValue
wrongEncoding          badValue
wrongType              badValue
wrongLength            badValue
inconsistentValue      badValue
noAccess               noSuchName
notWritable            noSuchName
noCreation             noSuchName

SNMPv2 Exceptions
- For SNMP GET requests we can get back the noSuchObject and noSuchInstance exceptions.
- For SNMP GETNEXT requests we can get back endOfMibView.
- For SNMP SET requests we cannot get back any exceptions.
- For SNMP GETBULK requests we can get back endOfMibView.

SNMP Protocol Interaction SNMP Table

- The SNMP table is represented as an ASN.1 SEQUENCE OF type. Each table has an Entry, which is of SEQUENCE type.
- Each column in the table entry is identified by its object identifier.
- Each row is identified by the index value.
- In order to retrieve values from a table, the object name is suffixed with the index value.
- The agent needs to create the rows in the table either during start-up or when the manager sends a SET request to the agent.

SNMP Protocol Interaction Get Next Operation

- The Get Next operation is similar to the Get request. However, Get Next retrieves the next lexicographically ordered object.
- Get Next allows the manager to search through a table without having to know the index values.

Get Request
Consider the following MIB table, a subset of ifTable:

Instance  ifIndex  ifDescr   ifType
1         1        ethernet  6
2         2        ethernet  6
3         3        serial    22
4         4        ppp       23
5         5        ethernet  6
6         6        ethernet  6

Get Request Illustration


If a management station issues:

    GetRequest(sysUpTime.0, ifIndex.1, ifDescr.2, ifType.4)

the agent will typically respond with:

    sysUpTime.0  287231
    ifIndex.1    1
    ifDescr.2    ethernet
    ifType.4     23

A GetRequest can query scalars and objects from different rows in a single request.

Get Next Request


Consider this table:

ifIndex  ifInOctets  ifInUcastPkts  ifInNUcastPkts
1        200123      560            912
2        4587213     8876           1780
3        755943      8761           1020
4        8837722     110211         4390
5        398765321   301392159      3259
6        983141      65211          3251

GetNextRequest Illustration
Issue a GetNextRequest(ifInOctets, ifInUcastPkts, ifInNUcastPkts). The response will be:

    ifInOctets.1      200123
    ifInUcastPkts.1   560
    ifInNUcastPkts.1  912

GetNextRequest automatically returns the queried columns of the first row. The response also carries the index of the first row instance, i.e. 1 in this example.

GetNextRequest Illustration
Issue a GetNextRequest(ifInOctets.1, ifInUcastPkts.1, ifInNUcastPkts.1) using the index of the first row. The response will be the fields of the next row:

    ifInOctets.2      4587213
    ifInUcastPkts.2   8876
    ifInNUcastPkts.2  1780

Protocol Operation Getbulk

(Diagram.) The Management Process sends a GetBulkRequest (PDU Type, Request id, Non-repeaters, Max-repetitions, Variable Bindings) to the Agent Process, which reads the MIB and responds.

PDU format for GetBulk:

    | PDU Type | Request id | non-repeaters | max-repetitions | Variable Bindings |

GetBulkRequest
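Added example (not part of the deck) covering the GetNext walk illustrated on the preceding slides and the GetBulk PDU above: an agent instance store built from the six ifTable rows, GetNext using lexicographic OID order, GetBulk with non-repeaters and max-repetitions, and a manager-side column walk that stops when GetNext leaves the column subtree. The column sub-identifiers are the real MIB-II ifEntry columns; the row values and sysUpTime are the slide's.

```python
from typing import Dict, List, Tuple

OID = Tuple[int, ...]
END_OF_MIB_VIEW = "endOfMibView"


def parse_oid(s: str) -> OID:
    return tuple(int(a) for a in s.split("."))


def fmt_oid(o: OID) -> str:
    return ".".join(map(str, o))


# Constructed instance store. Column sub-ids are the real MIB-II ifEntry columns;
# the row values are the six rows from the slide.
IF_ENTRY = "1.3.6.1.2.1.2.2.1"
COLUMNS = {"ifIndex": 1, "ifInOctets": 10, "ifInUcastPkts": 11, "ifInNUcastPkts": 12}
ROWS = [(1, 200123, 560, 912), (2, 4587213, 8876, 1780), (3, 755943, 8761, 1020),
        (4, 8837722, 110211, 4390), (5, 398765321, 301392159, 3259), (6, 983141, 65211, 3251)]


def build_store() -> Dict[OID, int]:
    store = {parse_oid("1.3.6.1.2.1.1.3.0"): 287231}   # sysUpTime.0 from the GetRequest slide
    for row in ROWS:
        for col, value in zip(COLUMNS.values(), row):
            store[parse_oid(f"{IF_ENTRY}.{col}.{row[0]}")] = value   # column OID + row index
    return store


class Agent:
    def __init__(self, store: Dict[OID, int]) -> None:
        self.store = store
        self.order = sorted(store)   # tuple ordering is exactly lexicographic OID ordering

    def get_next(self, name: str) -> Tuple[str, object]:
        """First instance whose OID is strictly greater than `name`; `name` itself need not exist."""
        oid = parse_oid(name)
        for candidate in self.order:
            if candidate > oid:
                return fmt_oid(candidate), self.store[candidate]
        return name, END_OF_MIB_VIEW

    def get_bulk(self, non_repeaters: int, max_repetitions: int,
                 names: List[str]) -> List[Tuple[str, object]]:
        """One GetNext for each of the first `non_repeaters` names, then up to
        `max_repetitions` successive GetNexts for each remaining name."""
        result = [self.get_next(n) for n in names[:non_repeaters]]
        cursors = list(names[non_repeaters:])
        for _ in range(max_repetitions):
            for i, cur in enumerate(cursors):
                nxt = self.get_next(cur)
                result.append(nxt)
                cursors[i] = nxt[0]   # at endOfMibView the cursor stays put, so it keeps repeating
        return result


def walk_column(agent: Agent, column: str) -> List[Tuple[str, object]]:
    """Manager-side table walk: keep asking GetNext until the reply leaves the column subtree."""
    prefix, rows, cur = parse_oid(column), [], column
    while True:
        name, value = agent.get_next(cur)
        if value == END_OF_MIB_VIEW or parse_oid(name)[:len(prefix)] != prefix:
            return rows
        rows.append((name, value))
        cur = name


AGENT = Agent(build_store())
```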

SNMP Protocol Interaction SET Operation

- The manager sends a Set request to set the values of objects. In order to set object values, the manager needs to specify both the object name and the value.
- The agent responds to the SET request with the same PDU as the GET-RESPONSE PDU.

Protocol Operation - SET

(Diagram.) The Management Process sends a SetRequest (PDU Type, Request id, 0, 0, Name 1 / Variable 1 ... Name n / Variable n) to the Agent Process. Phase 1: if there is no validation error, Phase 2: if there is no update error, the values are set in the MIB and a Response (PDU Type, Request id, 0, 0, Name 1 / Variable 1 ... Name n / Variable n) is returned.

PDU format for SetRequest/Response:

    | PDU Type | Request id | Error Status | Error Index | Variable Bindings |

Protocol Operation Trapv2

(Diagram.) On an unusual event, the Agent Process generates a Trap PDU (PDU Type, Request id, 0, 0, Variable Bind List) and sends it to the Management Process on the Management Station.

PDU format for Trap:

    | PDU Type | Request id | Error Status | Error Index | Variable Bindings |

Trap PDU
Format of the SNMPv2 Trap PDU:

    | 0xA7 | reqid | 0 | 0 | variable bindings |

- The PDU format is identical to Get, GetNext or Set; information about the trap is embedded in the variable bindings.
- The first variable provides the agent's value of sysUpTime when the trap was generated.
- The next variable is snmpTrapOID.0, which identifies what type of trap it is.

NOTIFICATION-TYPE
SNMPv2 traps are defined by this macro:

    linkDown NOTIFICATION-TYPE
        OBJECTS     { ifIndex, ifAdminStatus, ifOperStatus }
        STATUS      current
        DESCRIPTION "A linkDown trap."
        ::= { snmpTraps 3 }

SNMPv1 Trap PDU


A Trap message is sent by the agent to the manager at UDP port 162, whereas GetRequest and GetResponse go to UDP port 161. Format of the SNMPv1 Trap PDU:

    | 0xA4 | ent. | addr | gen. | spec. | ts | var bind |

Generic Traps
Six generic traps are defined:
- coldStart (0)
- warmStart (1)
- linkDown (2)
- linkUp (3)
- authenticationFailure (4)
- egpNeighborLoss (5)

Informs
Informs are like SNMPv2 traps, but they are acknowledged. The InformRequest PDU is:

    | 0xA6 | reqid | 0 | 0 | variable bindings |

The type value 0xA6 indicates that it is an Inform message. Informs can also be sent from one manager to another.

Workbook 8
- Explore the AdventNet Manager, access the agent on the Linux machine and see how the manager and agent interact.
- Capture the exchange between manager and agent in Ethereal; note the port numbers used by manager and agent and the various fields in the SNMP message.
- Use snmpget, snmpgetnext and snmpbulkget to access MIB objects, both scalars and table objects.
- Use snmptrap to generate traps, which can be seen in the AdventNet Trap Viewer.

SNMP Message BER Encoding Example

SNMP Message BER Encoding Example..
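The two BER slides are image-only in this copy, so here is an added Python example (not from the original deck) that hand-encodes the SNMPv1 message format shown earlier, a GetRequest for sysUpTime.0 with a constructed community string and request id, and decodes it again. Tag values and length rules are those of ASN.1 BER. The community string is visible as plain bytes in the encoded datagram, which is the weakness the SNMPv3 security model addresses.

```python
from typing import Dict, List, Tuple

# ASN.1 universal tags used by SNMP, and the context-specific GetRequest PDU tag
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GET_REQUEST = 0xA0

def ber_len(n: int) -> bytes:
    """Length octets: one byte below 128, otherwise 0x80|count followed by the length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def enc_int(v: int) -> bytes:
    """Two's-complement INTEGER in the fewest octets that still carry the sign bit."""
    mag = v if v >= 0 else -v - 1
    return tlv(TAG_INTEGER, v.to_bytes((mag.bit_length() + 8) // 8, "big", signed=True))

def enc_oid(oid: str) -> bytes:
    """First two arcs share one octet (40*x + y); later arcs are base-128 with continuation bits."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(out))

def encode_get_request(community: str, request_id: int, oids: List[str]) -> bytes:
    varbinds = b"".join(tlv(TAG_SEQUENCE, enc_oid(o) + tlv(TAG_NULL, b"")) for o in oids)
    pdu = enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(TAG_SEQUENCE, varbinds)
    # version 0 means SNMPv1; the community string travels as a plain OCTET STRING
    return tlv(TAG_SEQUENCE, enc_int(0) + tlv(TAG_OCTET_STRING, community.encode())
               + tlv(TAG_GET_REQUEST, pdu))

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element); understands both length forms."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dec_int(v: bytes) -> int:
    return int.from_bytes(v, "big", signed=True)

def dec_oid(v: bytes) -> str:
    arcs, acc = [v[0] // 40, v[0] % 40], 0
    for b in v[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:          # last octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_message(buf: bytes) -> Dict[str, object]:
    tag, msg, _ = read_tlv(buf, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("SNMP message must be a SEQUENCE")
    _, version, p = read_tlv(msg, 0)
    _, community, p = read_tlv(msg, p)
    pdu_tag, pdu, _ = read_tlv(msg, p)
    _, rid, p = read_tlv(pdu, 0)
    _, err, p = read_tlv(pdu, p)
    _, idx, p = read_tlv(pdu, p)
    _, vbl, _ = read_tlv(pdu, p)
    binds, p = [], 0
    while p < len(vbl):
        _, vb, p = read_tlv(vbl, p)
        _, name, q = read_tlv(vb, 0)
        vtag, val, _ = read_tlv(vb, q)
        binds.append((dec_oid(name), None if vtag == TAG_NULL else val))
    return {"version": dec_int(version), "community": community.decode(), "pdu_type": pdu_tag,
            "request_id": dec_int(rid), "error_status": dec_int(err),
            "error_index": dec_int(idx), "varbinds": binds}
```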

Workbook 9
Make an SNMP request to the agent from your manager and trace the SNMP request and response byte by byte in Ethereal.

Introduction to SNMP v3

SNMPv3 Architecture

SNMP Entity, Applications and Engine


- SNMP Entity
  - SNMP Applications
  - SNMP Engine: implements the functions that provide services to the applications

SNMPv3 Agent Architecture

Functions of SNMP Engine


1. Accepts outgoing PDUs and does the following: encryption; insertion of the authentication code; encapsulation of PDUs in messages.
2. Accepts incoming messages and does the following: authentication; decryption; extraction of PDUs from messages.

SNMP v3 Message Structure


Field                   Value / used by
msgVersion              snmpv3
msgID                   } used by the message processing subsystem
msgMaxSize              }
msgFlags                } reportable, priv, auth
msgSecurityModel        } 1, 2, 3
msgSecurityParameters   used by the security subsystem
contextEngineID         } used by access control
contextName             }
PDU

Functions of Access Control Subsystem


1. Authorization services to control access to MIBs for reading and setting managed objects. Operates on SNMP PDUs.
2. So far the only defined model is the View-based Access Control Model (VACM).

Security subsystem: privacy and authentication; works on SNMP messages.
Access control subsystem: authorized access; works on PDUs.

SNMPv3 Access Control

A MIB View

VACM

(Diagram.) The VACM lookup chains three tables:
- security name + security model -> vacmSecurityToGroupTable -> groupName
- groupName + context name + security model + security level -> vacmAccessTable -> MIB view for the message type (read, write, notify)
- MIB view + OID -> vacmViewTreeFamilyTable -> access allowed or denied
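Added Python example (not from the deck) of the VACM lookup sketched above: the three tables as dictionaries and an isAccessAllowed decision, including view family masks and the longest-subtree rule of RFC 3415. The security names, groups, views and table contents are constructed; the access-entry selection is simplified to exact context and model matching.

```python
from typing import Optional, Tuple

OID = Tuple[int, ...]

def parse_oid(s: str) -> OID:
    return tuple(int(a) for a in s.split("."))

# Constructed configuration. securityModel: 1 = SNMPv1, 2 = SNMPv2c, 3 = USM.
# securityLevel: 1 = noAuthNoPriv, 2 = authNoPriv, 3 = authPriv.

# vacmSecurityToGroupTable: (securityModel, securityName) -> groupName
SEC_TO_GROUP = {(2, "public"): "readers", (3, "ops-ro"): "readers", (3, "netadmin"): "admins"}

# vacmAccessTable: (groupName, contextName, securityModel, securityLevel) -> (readView, writeView, notifyView)
ACCESS = {
    ("readers", "", 2, 1): ("mib2-view", "", ""),
    ("readers", "", 3, 2): ("mib2-view", "", "mib2-view"),
    ("admins", "", 3, 3): ("all", "if-row2-write", "all"),
}

# vacmViewTreeFamilyTable: viewName -> [(subtree, mask, included)]
# A mask bit of 1 (or a mask shorter than the subtree) means "this arc must match";
# a 0 bit makes that arc a wildcard, used below to cover every column of ifEntry row 2.
VIEWS = {
    "all": [("1", b"", True)],
    "mib2-view": [("1.3.6.1.2.1", b"", True), ("1.3.6.1.2.1.4.21", b"", False)],   # hides ipRouteTable
    "if-row2-write": [("1.3.6.1.2.1.2.2.1.1.2", b"\xff\xa0", True)],               # arc 9 (column) wild
}

def in_family(oid: OID, subtree: OID, mask: bytes) -> bool:
    if len(oid) < len(subtree):
        return False
    for i, arc in enumerate(subtree):
        byte, bit = divmod(i, 8)
        significant = byte >= len(mask) or (mask[byte] >> (7 - bit)) & 1
        if significant and oid[i] != arc:
            return False
    return True

def in_view(view_name: str, oid: OID) -> bool:
    """RFC 3415: among matching families the longest subtree wins (ties: lexicographically
    greatest); the OID is in the view only if that winning family is 'included'."""
    best: Optional[Tuple[OID, bool]] = None
    for subtree_s, mask, included in VIEWS.get(view_name, []):
        subtree = parse_oid(subtree_s)
        if in_family(oid, subtree, mask) and (best is None or (len(subtree), subtree) > (len(best[0]), best[0])):
            best = (subtree, included)
    return best is not None and best[1]

def is_access_allowed(model: int, name: str, level: int, context: str, view_type: str, oid_s: str) -> str:
    group = SEC_TO_GROUP.get((model, name))
    if group is None:
        return "noGroupName"
    # Simplified vacmAccessTable selection: exact context and model; the entry's level must not
    # exceed the level the message was actually sent with; the highest qualifying level wins.
    candidates = [(lvl, views) for (g, ctx, m, lvl), views in ACCESS.items()
                  if g == group and ctx == context and m == model and lvl <= level]
    if not candidates:
        return "noAccessEntry"
    view = max(candidates)[1][("read", "write", "notify").index(view_type)]
    if not view:
        return "noSuchView"
    return "accessAllowed" if in_view(view, parse_oid(oid_s)) else "notInView"
```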

SNMP v3 Message Structure

USM Message Structure

USM Message Parameters


1. msgAuthoritativeEngineID: the snmpEngineID of the source for a Trap, Response or Report, and of the destination for a Get, GetNext, GetBulk, Set or Inform.
2. msgAuthoritativeEngineBoots: the snmpEngineBoots value, which represents the number of times the SNMP engine has re-initialized itself since its initial configuration.
3. msgAuthoritativeEngineTime: the snmpEngineTime value, which represents the number of seconds since the SNMP engine last incremented the snmpEngineBoots object.
4. msgUserName: the user on whose behalf the message is exchanged.
5. msgAuthenticationParameters: the HMAC message authentication code.
6. msgPrivacyParameters: the initial value (IV) for the DES CBC algorithm.

Authentication
There are three goals in authentication: (1) to verify that the user is really who he says he is; (2) to verify that the user's message was not changed during transport; (3) to verify that the message is not being replayed (copied and played back again in the future). Authentication is optional in SNMPv3. There may be situations where the users are trusted and/or the data is not sensitive; in these cases the organization may not want to incur the overhead of using authentication. This is referred to as noAuth/noPriv.

Authentication
Sending an authenticated SNMPv3 packet:
1. The entire packet is created. The authentication flag is turned on in msgFlags, and msgAuthenticationParameters is zeroed out.
2. A message digest is computed over the packet using the secret authentication key of the user specified in msgUserName. The algorithm used, HMAC (MD5 or SHA), is determined by the authentication protocol specified for the user.
3. The computed message digest is inserted into the message.
4. The packet is sent.
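Added Python example (not from the deck) of steps 1 to 3 above together with the receiver's side: RFC 3414 password-to-key localization, HMAC-SHA-96 over the message with msgAuthenticationParameters zeroed, a constant-time comparison, and the engineBoots/engineTime replay window. The message layout is a constructed length-prefixed encoding rather than real BER, so the authentication field has a known position; the user name, PDU bytes and time values are constructed, while the password and engine ID are the RFC 3414 Appendix A test inputs.

```python
import hashlib
import hmac
from typing import Any, Dict, Tuple

AUTH_PARAM_LEN = 12   # HMAC-MD5-96 and HMAC-SHA-96 truncate the MAC to 96 bits
TIME_WINDOW = 150     # RFC 3414: accept only messages within 150 s of the engine's clock

def password_to_key(password: bytes, engine_id: bytes, alg: str = "sha1") -> bytes:
    """RFC 3414 key localization: stretch the password to 1 MiB and hash it (Ku), then
    hash Ku || engineID || Ku so the resulting key is specific to one authoritative engine."""
    reps, rem = divmod(1_048_576, len(password))
    ku = hashlib.new(alg, password * reps + password[:rem]).digest()
    return hashlib.new(alg, ku + engine_id + ku).digest()

def serialize(fields: Dict[str, Any], auth_params: bytes) -> bytes:
    """Constructed wire layout (length-prefixed fields, not real BER) so that the
    msgAuthenticationParameters slot sits at a fixed, findable position."""
    parts = [fields["engine_id"], fields["boots"].to_bytes(4, "big"), fields["time"].to_bytes(4, "big"),
             fields["user"].encode(), auth_params, fields["scoped_pdu"]]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)

def parse(wire: bytes) -> Tuple[Dict[str, Any], bytes]:
    vals, pos = [], 0
    while pos < len(wire):
        n = int.from_bytes(wire[pos:pos + 2], "big")
        vals.append(wire[pos + 2:pos + 2 + n])
        pos += 2 + n
    eid, boots, time, user, auth, pdu = vals
    fields = {"engine_id": eid, "boots": int.from_bytes(boots, "big"),
              "time": int.from_bytes(time, "big"), "user": user.decode(), "scoped_pdu": pdu}
    return fields, auth

def authenticate(fields: Dict[str, Any], key: bytes, alg: str = "sha1") -> bytes:
    """Sender, steps 1-3 of the slide: zero the auth field, MAC the whole message, insert the MAC."""
    zeroed = serialize(fields, bytes(AUTH_PARAM_LEN))
    mac = hmac.new(key, zeroed, alg).digest()[:AUTH_PARAM_LEN]
    return serialize(fields, mac)

def verify(wire: bytes, key: bytes, local_boots: int, local_time: int, alg: str = "sha1") -> str:
    """Receiver: recompute the MAC over the message with the auth field zeroed, compare in
    constant time, then apply the engineBoots/engineTime check that defeats replay."""
    fields, received = parse(wire)
    expected = hmac.new(key, serialize(fields, bytes(AUTH_PARAM_LEN)), alg).digest()[:AUTH_PARAM_LEN]
    if not hmac.compare_digest(received, expected):
        return "authenticationFailure"
    if fields["boots"] != local_boots or abs(fields["time"] - local_time) > TIME_WINDOW:
        return "notInTimeWindow"
    return "ok"

# RFC 3414 Appendix A inputs; everything else in SAMPLE is constructed
ENGINE_ID = bytes.fromhex("000000000000000000000002")
KEY = password_to_key(b"maplesyrup", ENGINE_ID)
SAMPLE = {"engine_id": ENGINE_ID, "boots": 3, "time": 1200, "user": "ops-ro",
          "scoped_pdu": b"GetRequest sysUpTime.0"}   # placeholder bytes, not an encoded PDU
```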

Privacy with DES


The SNMPv3 USM privacy facility enables managers and agents to encrypt messages to prevent eavesdropping by third parties. Manager entity and agent entity must share a secret key. When privacy is invoked between a principal and a remote engine, all traffic between them is encrypted using the Data Encryption Standard (DES). The cipher-block-chaining (CBC) mode of DES is used by USM.

Workbook 10
Observe the demo for configuring an SNMPv3 Agent. Implement View Based Access Control on the v3 Agent in your system and test it out.

SNMP V1 and V2 Comparison

SNMP V1                                     SNMP V2
The Trap PDU was defined independently.     The Trap PDU was redefined to be the same as that of GetRequest.
The Get Bulk operation was never defined.   The Get Bulk operation was defined.
Inform Request was not defined.             The Inform Request PDU was defined for an acknowledged trap and to exchange information between management stations.
