
SNMP Update

Please see www.snmp.com/jdctutorial.ppt for slides

Topics:
- Introduction
- Differences between SNMPv1, SNMPv2c, and SNMPv3
- Advantages of SNMPv3 over SNMPv1 and SNMPv2c
- Disadvantages of SNMPv3

Protocol Versions: Summary Picture

[Figure: protocol version lineage. Labels shown: Simple-Based Management SNMPv1; Party-based SNMPv2; SNMPv2*; SNMPv2u; Common SNMPv2 (SNMPv2c); SNMPv3]

Management Information Definitions (MIB Documents)
- RFC 1155 format
- RFC 1212/1215 format
- RFC 1442-4 format
- RFC 1902-4 format
- RFC 2578-80 format

New Features of SNMPv2c
- Expanded data types: 64-bit counters
- Improved efficiency and performance: get-bulk operator
- Confirmed event notifications: inform operator
- Richer error handling: errors and exceptions
- Improved sets: especially row creation/deletion
- Transport independence: IP, AppleTalk, IPX, ...
- Etc.

New Features of SNMPv3
- New features inherited from SNMPv2c, plus
- Security and Administration

New Features of SNMPv3 Inherited from SNMPv2c

The list we just saw:
- Expanded data types: 64-bit counters
- Improved efficiency and performance: get-bulk operator
- Confirmed event notifications: inform operator
- Richer error handling: errors and exceptions
- Improved sets: especially row creation/deletion
- Transport independence: IP, AppleTalk, IPX, ...
- Etc.

Plus ...

Features of SNMPv3: Security and Administrative Framework

Security
- Authentication
- Privacy

Administration
- Authorization and view-based access control
- Logical contexts
- Naming of entities, identities, and information
- People and policies
- Usernames and key management
- Notification destinations and proxy relationships
- Remotely configurable via SNMP operations

Security Threats and Mechanisms

Threats protected against by SNMPv3:
1. Masquerade / data origin authentication: interloper assumes the identity of a sender to gain its privileges.
2. Modification of information / data integrity: alteration of in-transit messages.
3. Message stream modification: messages are reordered, delayed, or replayed.
4. Disclosure / data confidentiality: privileged information is obtained via eavesdropping on messages.

Security Mechanisms
- SNMPv3 uses MD5 and DES as symmetric, i.e., private key mechanisms
  (MD5 = Message Digest Algorithm 5, RFC 1321)
  (DES = Data Encryption Standard)

SNMPv3 User-based Authentication Mechanism

Based on:
- MD5 message digest algorithm in HMAC
  - indirectly provides data origin authentication
  - directly defends against data modification attacks
  - uses private key known by both sender and receiver
  - 16 byte key
  - 128 bit digest (truncated to 96 bits)
- SHA an optional alternative algorithm
- Loosely synchronized monotonically increasing time indicator values
  - defends against certain message stream modification attacks
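The authentication slide above in working code. This is an added example written for this page, not code from the tutorial or from any SNMP implementation: it computes HMAC-MD5 with the slide's 16-byte key, truncates the 128-bit digest to 96 bits, verifies it in constant time on the receiving side, and applies the loosely synchronized time check. The 150-second window is RFC 3414's value and is an assumption here (the slide gives no number); the key, message and clock values are constructed samples.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/subtle"
	"fmt"
)

// Sizes from the slide: a 16-byte authentication key and a 128-bit HMAC-MD5
// digest truncated to 96 bits (12 bytes) before it is sent.
const (
	AuthKeyLen = 16
	MACLen     = 12
)

// AuthMAC computes HMAC-MD5 over msg and keeps only the first 12 bytes.
// SNMPv3 authenticates the whole message with the 12-byte
// msgAuthenticationParameters field zero-filled; msg is passed in that form.
func AuthMAC(key, msg []byte) ([]byte, error) {
	if len(key) != AuthKeyLen {
		return nil, fmt.Errorf("authentication key must be %d bytes, got %d", AuthKeyLen, len(key))
	}
	mac := hmac.New(md5.New, key)
	mac.Write(msg)
	return mac.Sum(nil)[:MACLen], nil
}

// VerifyAuth recomputes the tag on the receiver and compares it in constant
// time, so a forged or altered message is rejected without leaking how many
// tag bytes matched.
func VerifyAuth(key, msg, received []byte) bool {
	if len(received) != MACLen {
		return false
	}
	expected, err := AuthMAC(key, msg)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(expected, received) == 1
}

// TimelinessWindow is RFC 3414's 150-second window (assumption; the slide only
// says "loosely synchronized ... time indicator values").
const TimelinessWindow = 150

// IsTimely is the loosely synchronized clock check: the message's engine boots
// counter must equal ours and its engine time must fall inside the window.
// This is what rejects a replayed copy of an older, correctly authenticated message.
func IsTimely(localBoots, localTime, msgBoots, msgTime int64) bool {
	if localBoots != msgBoots {
		return false
	}
	diff := localTime - msgTime
	if diff < 0 {
		diff = -diff
	}
	return diff <= TimelinessWindow
}

func main() {
	// Constructed sample values, not real keys or captured traffic.
	key := []byte("0123456789abcdef") // 16 bytes
	msg := append([]byte("hdr|"), make([]byte, MACLen)...) // zero-filled tag field
	msg = append(msg, []byte("|scopedPDU")...)
	tag, _ := AuthMAC(key, msg)
	fmt.Printf("tag: %x (%d bytes)\n", tag, len(tag))
	fmt.Println("genuine verifies:", VerifyAuth(key, msg, tag))
	tampered := append([]byte{}, msg...)
	tampered[len(tampered)-1] ^= 0x01
	fmt.Println("tampered verifies:", VerifyAuth(key, tampered, tag))
	fmt.Println("10-minute-old message timely:", IsTimely(3, 1000, 3, 400))
}
```

Key derivation from a password (and the SHA alternative the slide mentions) is left out; the point here is the truncation and the two checks a receiver runs before it trusts a message.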

SNMPv3 User-based Privacy Mechanism

Based on:
- Symmetric encryption used
  - Data Encryption Standard (DES)
  - Cipher Block Chaining (CBC) mode
  - provides privacy / protection against disclosure
  - uses encryption subject to export and use restrictions in many jurisdictions
- 16 byte key (8 bytes DES key, 8 byte DES initialization vector)
- Multiple levels of compliance with respect to DES due to problems associated with international use
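The privacy slide above in working code. This is an added example written for this page, not code from the tutorial or from any SNMP stack: it splits the 16-byte privacy key into the 8-byte DES key and the 8-byte IV material the slide describes, then encrypts and decrypts a scoped PDU with DES-CBC. Two details are assumptions beyond the slide: the per-message IV is formed as pre-IV XOR salt with the salt built from engineBoots and a counter (the RFC 3414 construction), and PKCS#7-style padding is used so the round trip is exact (the protocol itself recovers the plaintext length from the BER encoding). Key and PDU are constructed samples.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/binary"
	"fmt"
)

// PrivKeyLen is the slide's 16-byte privacy key: 8 bytes DES key + 8 bytes pre-IV.
const PrivKeyLen = 16

// SplitPrivKey separates the DES key from the pre-IV.
func SplitPrivKey(privKey []byte) (desKey, preIV []byte, err error) {
	if len(privKey) != PrivKeyLen {
		return nil, nil, fmt.Errorf("privacy key must be %d bytes, got %d", PrivKeyLen, len(privKey))
	}
	return privKey[:8], privKey[8:], nil
}

// MakeIV derives the per-message IV as pre-IV XOR salt, where the 8-byte salt is
// engineBoots followed by a sender counter (RFC 3414 construction; assumption).
// A counter that changes per message keeps identical PDUs from encrypting alike.
func MakeIV(preIV []byte, engineBoots, counter uint32) []byte {
	salt := make([]byte, des.BlockSize)
	binary.BigEndian.PutUint32(salt[:4], engineBoots)
	binary.BigEndian.PutUint32(salt[4:], counter)
	iv := make([]byte, des.BlockSize)
	for i := range iv {
		iv[i] = preIV[i] ^ salt[i]
	}
	return iv
}

// pad/unpad: PKCS#7-style padding chosen for this example (see lead-in).
func pad(p []byte) []byte {
	n := des.BlockSize - len(p)%des.BlockSize
	return append(append([]byte{}, p...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(p []byte) ([]byte, error) {
	if len(p) == 0 || len(p)%des.BlockSize != 0 {
		return nil, fmt.Errorf("length %d is not a multiple of %d", len(p), des.BlockSize)
	}
	n := int(p[len(p)-1])
	if n == 0 || n > des.BlockSize {
		return nil, fmt.Errorf("bad padding")
	}
	return p[:len(p)-n], nil
}

func newDES(privKey []byte) (cipher.Block, []byte, error) {
	desKey, preIV, err := SplitPrivKey(privKey)
	if err != nil {
		return nil, nil, err
	}
	block, err := des.NewCipher(desKey)
	return block, preIV, err
}

// EncryptPDU encrypts a scoped PDU with DES-CBC under the derived IV.
func EncryptPDU(privKey, pdu []byte, engineBoots, counter uint32) ([]byte, error) {
	block, preIV, err := newDES(privKey)
	if err != nil {
		return nil, err
	}
	padded := pad(pdu)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, MakeIV(preIV, engineBoots, counter)).CryptBlocks(out, padded)
	return out, nil
}

// DecryptPDU reverses EncryptPDU; on the wire the receiver reads boots and
// counter from msgPrivacyParameters, here they are passed in directly.
func DecryptPDU(privKey, ct []byte, engineBoots, counter uint32) ([]byte, error) {
	block, preIV, err := newDES(privKey)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%des.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext length %d is not a multiple of %d", len(ct), des.BlockSize)
	}
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, MakeIV(preIV, engineBoots, counter)).CryptBlocks(out, ct)
	return unpad(out)
}

func main() {
	privKey := []byte("constructedkey01") // 16 bytes, constructed sample
	pdu := []byte("scopedPDU: get sysDescr.0")
	ct, err := EncryptPDU(privKey, pdu, 7, 1)
	if err != nil {
		panic(err)
	}
	pt, err := DecryptPDU(privKey, ct, 7, 1)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext %x\nplaintext  %s\n", ct, pt)
}
```

Single DES with a 56-bit effective key is what the slide's export discussion is about; the structure shown (key split, salted IV, CBC) is the part that carried over to the later privacy protocols, so it is worth understanding even where DES itself is no longer acceptable.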

Advantages of SNMPv3
So What? Who Cares?

Good Things Operators and Administrators will like in SNMPv3
- Able to practice safe sets
  - Configuration / Control / Provisioning
  - No longer mere monitoring
  - Able to augment or replace proprietary CLI over Telnet
  - Via standards-based solutions providing commercial-grade industrial strength security
  - Authentication and Privacy

Good Things Operators and Administrators will like in SNMPv3 (Cont'd)
- Now able to distribute management out to intelligent agents and mid-level managers
  - Important for scalability
  - Keep local management traffic local
  - Shorter feedback loops with lower latency

Good Things Operators and Administrators will like in SNMPv3 (Cont'd)
- Better Notifications:
  - Traps
    - Spray and pray
    - The only option in SNMPv1
  - Informs
    - Send, wait for acknowledgement
    - Retry count and retry interval
    - Added in SNMPv2c but with problems
    - Problems fixed in SNMPv3
  - Standard MIB objects to configure
  - Source-side notification suppression

Good Things Operators and Administrators will like in SNMPv3 (Cont'd)
- Source Side Notification Suppression
  - Too many resources spent on uninteresting notification messages, e.g., unwanted traps and informs:
    - Notification generation
    - Notification transmission and delivery
    - Notification logging
    - Notification filtering
  - SNMPv3 allows you to use a standard MIB and standards-based tools to turn unwanted notifications off at the source
  - You will really like this

Good Things Operators and Administrators will like in SNMPv3 (Cont'd)
- Better performance
  - The Awesome getBulk operator works better with SNMPv3
    - Less latency and lower overhead through a smaller number of larger packets
    - One to three orders of magnitude faster than SNMPv1 getNext operator (typically two)
    - Negotiates maximum message size correctly
  - Counter64
    - No need to poll as often
- New features eliminate need for gross hacks
  - e.g., logical contexts
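To make the getBulk claim above concrete, here is the operator's retrieval rule implemented over a small in-memory agent. This is an added example written for this page, not code from the tutorial or from any SNMP implementation. It shows why one getBulk request replaces a chain of getNext round trips: the first non-repeaters OIDs get a single getNext each, the remaining OIDs are walked max-repetitions times in one response, and the walk stops with the endOfMibView exception. It also compares OIDs numerically per sub-identifier, the ordering mistake a string sort would make. The OIDs are standard MIB-II/IF-MIB ones; the values are constructed samples.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// OID is a list of sub-identifiers. MIB order is numeric per sub-identifier,
// so ...2.2.1.2 sorts before ...2.2.1.10 (a string sort would get this wrong).
type OID []uint32

// ParseOID converts dotted notation such as "1.3.6.1.2.1.1.3.0" into an OID.
func ParseOID(s string) (OID, error) {
	parts := strings.Split(strings.TrimPrefix(s, "."), ".")
	oid := make(OID, 0, len(parts))
	for _, p := range parts {
		n, err := strconv.ParseUint(p, 10, 32)
		if err != nil {
			return nil, fmt.Errorf("bad OID %q: %v", s, err)
		}
		oid = append(oid, uint32(n))
	}
	return oid, nil
}

func (o OID) String() string {
	parts := make([]string, len(o))
	for i, n := range o {
		parts[i] = strconv.FormatUint(uint64(n), 10)
	}
	return strings.Join(parts, ".")
}

// Compare returns -1, 0 or 1 in MIB lexicographic order; a prefix sorts first.
func (o OID) Compare(p OID) int {
	for i := 0; i < len(o) && i < len(p); i++ {
		if o[i] < p[i] {
			return -1
		}
		if o[i] > p[i] {
			return 1
		}
	}
	if len(o) < len(p) {
		return -1
	}
	if len(o) > len(p) {
		return 1
	}
	return 0
}

// VarBind pairs an OID with a value; "endOfMibView" is the exception value.
type VarBind struct {
	OID   OID
	Value string
}

// Agent keeps its instances sorted in MIB order, like a real agent's view.
type Agent struct{ table []VarBind }

func NewAgent(entries map[string]string) (*Agent, error) {
	a := &Agent{}
	for k, v := range entries {
		oid, err := ParseOID(k)
		if err != nil {
			return nil, err
		}
		a.table = append(a.table, VarBind{oid, v})
	}
	sort.Slice(a.table, func(i, j int) bool { return a.table[i].OID.Compare(a.table[j].OID) < 0 })
	return a, nil
}

// GetNext returns the first instance strictly after oid, or endOfMibView.
func (a *Agent) GetNext(oid OID) VarBind {
	for _, vb := range a.table {
		if vb.OID.Compare(oid) > 0 {
			return vb
		}
	}
	return VarBind{OID: oid, Value: "endOfMibView"}
}

// GetBulk: one GetNext for each of the first nonRepeaters OIDs, then up to
// maxRepetitions GetNext rounds over the remaining OIDs, all in one response.
// The walk ends early once every repeater column has reached endOfMibView.
func (a *Agent) GetBulk(nonRepeaters, maxRepetitions int, oids []OID) []VarBind {
	if nonRepeaters < 0 {
		nonRepeaters = 0
	}
	if nonRepeaters > len(oids) {
		nonRepeaters = len(oids)
	}
	var out []VarBind
	for _, oid := range oids[:nonRepeaters] {
		out = append(out, a.GetNext(oid))
	}
	cur := append([]OID(nil), oids[nonRepeaters:]...)
	for r := 0; r < maxRepetitions && len(cur) > 0; r++ {
		exhausted := true
		for i, oid := range cur {
			vb := a.GetNext(oid)
			out = append(out, vb)
			cur[i] = vb.OID
			exhausted = exhausted && vb.Value == "endOfMibView"
		}
		if exhausted {
			break
		}
	}
	return out
}

func main() {
	// Constructed instances: sysUpTime.0, ifDescr.1-2, ifInOctets.1-2.
	a, err := NewAgent(map[string]string{
		"1.3.6.1.2.1.1.3.0":      "1234500",
		"1.3.6.1.2.1.2.2.1.2.1":  "eth0",
		"1.3.6.1.2.1.2.2.1.2.2":  "eth1",
		"1.3.6.1.2.1.2.2.1.10.1": "9001",
		"1.3.6.1.2.1.2.2.1.10.2": "42",
	})
	if err != nil {
		panic(err)
	}
	up, _ := ParseOID("1.3.6.1.2.1.1.3")
	ifDescr, _ := ParseOID("1.3.6.1.2.1.2.2.1.2")
	// sysUpTime once, then three rows of the interface table in a single reply.
	for _, vb := range a.GetBulk(1, 3, []OID{up, ifDescr}) {
		fmt.Printf("%s = %s\n", vb.OID, vb.Value)
	}
}
```

The "negotiates maximum message size correctly" bullet is the part this model omits: a real agent also trims the response to fit the requester's announced maximum message size, which is why an oversized max-repetitions is safe in SNMPv3 but was a problem in early SNMPv2c code.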

Good Things Operators and Administrators will like in SNMPv3 (Cont'd)
- Better error handling:
  - In a Get Request with 10 items requested and one is unavailable:
    - In SNMPv1, results in an error with no partial results
    - In SNMPv2/3, results in 9/10 good values and one exception
  - In a Set Request, if something fails:
    - In SNMPv1, results in a No
    - In SNMPv2/3, results in a No-because
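The Get half of the error-handling slide above, modelled in code. This is an added example written for this page, not code from the tutorial or from any SNMP implementation. A constructed agent answers the same ten-item Get under SNMPv1 rules (first missing object fails the whole PDU with an error-status and error-index, no partial data) and under SNMPv2/v3 rules (every varbind is answered, the missing one carries a per-varbind exception and the PDU-level error status stays noError). The ifDescr and ifSpeed object identifiers are the standard IF-MIB ones; the enterprise OID under 99999 is a constructed placeholder, and the Set case is not modelled.

```go
package main

import (
	"fmt"
	"strings"
)

// VarBind is one OID/value pair in a request or response.
type VarBind struct {
	OID   string
	Value string
}

// Response holds the PDU fields whose use differs between the versions.
type Response struct {
	ErrorStatus string    // v1: "noSuchName" fails the whole request
	ErrorIndex  int       // 1-based position of the failing varbind, 0 if none
	VarBinds    []VarBind // v2/v3: exceptions travel here, per varbind
}

// Agent is a constructed instance store plus the object types it implements.
type Agent struct {
	Instances map[string]string // instance OID -> value
	Objects   map[string]bool   // object-type OIDs (instance OID minus last sub-id)
}

func objectOf(instance string) string {
	if i := strings.LastIndex(instance, "."); i >= 0 {
		return instance[:i]
	}
	return instance
}

// GetV1: the first unavailable varbind aborts the PDU; no partial results.
func (a *Agent) GetV1(oids []string) Response {
	var out []VarBind
	for i, oid := range oids {
		v, ok := a.Instances[oid]
		if !ok {
			return Response{ErrorStatus: "noSuchName", ErrorIndex: i + 1}
		}
		out = append(out, VarBind{oid, v})
	}
	return Response{ErrorStatus: "noError", VarBinds: out}
}

// GetV2 (SNMPv2c/v3): every varbind is answered. A missing one carries
// noSuchInstance when the object type exists but the instance does not, or
// noSuchObject when the object type itself is not implemented.
func (a *Agent) GetV2(oids []string) Response {
	out := make([]VarBind, 0, len(oids))
	for _, oid := range oids {
		if v, ok := a.Instances[oid]; ok {
			out = append(out, VarBind{oid, v})
		} else if a.Objects[objectOf(oid)] {
			out = append(out, VarBind{oid, "noSuchInstance"})
		} else {
			out = append(out, VarBind{oid, "noSuchObject"})
		}
	}
	return Response{ErrorStatus: "noError", VarBinds: out}
}

// GoodValues counts usable values in a response, skipping exception values.
func GoodValues(r Response) int {
	n := 0
	for _, vb := range r.VarBinds {
		if vb.Value != "noSuchObject" && vb.Value != "noSuchInstance" {
			n++
		}
	}
	return n
}

const (
	ifDescr = "1.3.6.1.2.1.2.2.1.2" // IF-MIB ifDescr object type
	ifSpeed = "1.3.6.1.2.1.2.2.1.5" // IF-MIB ifSpeed object type
)

// NewDemoAgent implements ifDescr.1..9 and declares ifSpeed as an implemented
// object type with no instances (constructed, so one lookup can fail).
func NewDemoAgent() *Agent {
	a := &Agent{Instances: map[string]string{}, Objects: map[string]bool{ifDescr: true, ifSpeed: true}}
	for i := 1; i <= 9; i++ {
		a.Instances[fmt.Sprintf("%s.%d", ifDescr, i)] = fmt.Sprintf("eth%d", i-1)
	}
	return a
}

// DemoRequest is the slide's ten-item Get: nine present ifDescr instances and
// ifSpeed.3, the one unavailable item, in position 7.
func DemoRequest() []string {
	var oids []string
	for i := 1; i <= 6; i++ {
		oids = append(oids, fmt.Sprintf("%s.%d", ifDescr, i))
	}
	oids = append(oids, ifSpeed+".3")
	for i := 7; i <= 9; i++ {
		oids = append(oids, fmt.Sprintf("%s.%d", ifDescr, i))
	}
	return oids
}

func main() {
	a := NewDemoAgent()
	req := DemoRequest()
	v1 := a.GetV1(req)
	fmt.Printf("v1: status=%s index=%d values=%d\n", v1.ErrorStatus, v1.ErrorIndex, len(v1.VarBinds))
	v2 := a.GetV2(req)
	fmt.Printf("v2/v3: status=%s values=%d good=%d\n", v2.ErrorStatus, len(v2.VarBinds), GoodValues(v2))
}
```

For a manager this is the difference between retrying a ten-item poll piecemeal to find the culprit and reading the answer off the one varbind that carries an exception.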

Disadvantages of SNMPv3
- Security is expensive
  - More to configure and administer
    - Unlocked doors are more convenient to use
    - Community strings were relatively easy to administer
    - Off-the-shelf tools help
  - More overhead
    - Message headers longer and more complex
    - Cryptographic calculations can increase CPU load approximately 20-ish percent
    - It will run slower; it will run much slower if software-based DES is used, especially if implemented in Java
  - Some machines do not have the hardware assets, but almost all do: NO EXCUSES

Disadvantages of SNMPv3 (Cont'd)
- Export and international usage considerations
- Incomplete product support
  - Some vendors claim customers (i.e., you) don't care about security
  - Agents better than manager stations and applications
  - SNMPv3 code often less mature and shaken out

Conclusion: What is SNMPv3?
- Newest version of the Internet-standard Management Framework
- What SNMPv2 should have been - builds on the good
- Compatible with the SMI and MIB you use now
- Important enabling technology for configuration and control: adds security and administration for safe sets
  - Security: authentication and privacy
  - Administration: logical contexts, view-based access control, remote configuration
- Available now