Scribd Logo
Upload

Welcome to Scribd!

  • 15 views

    Unit 7 (UandiStar - Org)

    Uploaded by

    Lakshmi V
    The document discusses the Simple Network Management Protocol (SNMP). It describes SNMP as defining a client/server relationship where an SNMP manager makes connections to SNMP agents residing on network devices. The agent serves status information to the manager from its Management Information Base (MIB). SNMP messages use the UDP protocol to request or send configuration, fault, performance, and other types of network management data. The document also covers SNMP traps, proxy/gateway agents, SNMP versions, and security features in SNMPv3.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd

    Unit 7 (UandiStar - Org)

    Uploaded by

    Lakshmi V
    15 views39 pages
    The document discusses the Simple Network Management Protocol (SNMP). It describes SNMP as defining a client/server relationship where an SNMP manager makes connections to SNMP agents residing on network devices. The agent serves status information to the manager from its Management Information Base (MIB). SNMP messages use the UDP protocol to request or send configuration, fault, performance, and other types of network management data. The document also covers SNMP traps, proxy/gateway agents, SNMP versions, and security features in SNMPv3.

    Original Title

    Unit 7 [UandiStar.org]

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    The document discusses the Simple Network Management Protocol (SNMP). It describes SNMP as defining a client/server relationship where an SNMP manager makes connections to SNMP agents residing on network devices. The agent serves status information to the manager from its Management Information Base (MIB). SNMP messages use the UDP protocol to request or send configuration, fault, performance, and other types of network management data. The document also covers SNMP traps, proxy/gateway agents, SNMP versions, and security features in SNMPv3.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    15 views39 pages

    Unit 7 (UandiStar - Org)

    Uploaded by

    Lakshmi V
    The document discusses the Simple Network Management Protocol (SNMP). It describes SNMP as defining a client/server relationship where an SNMP manager makes connections to SNMP agents residing on network devices. The agent serves status information to the manager from its Management Information Base (MIB). SNMP messages use the UDP protocol to request or send configuration, fault, performance, and other types of network management data. The document also covers SNMP traps, proxy/gateway agents, SNMP versions, and security features in SNMPv3.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    of 39

    (Unit-7) SNMP slides www.UandiStar.

    org

    Different steps in network management:


    Configuration Management - inventory, configuration, provisioning
    Fault Management - reactive and proactive network fault management
    Performance Management - # of packets dropped, timeouts, collisions, CRC
    errors

    Security Management - SNMP doesn’t provide much here


    Accounting Management - cost management and chargeback assessment
    Asset Management - statistics of equipment, facility, and administration personnel
    Planning Management - analysis of trends to help justify a network upgrade or
    bandwidth increase

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 1


    (Unit-7) SNMP slides www.UandiStar.org

    SNMP is a “client pull” model i.e., The management system (client) “pulls” data
    from the agent (server).
    SNMP is a “server push” model i.e., The agent (server) “pushes” out a trap message
    to a (client) management system
    Advantages of SNMP are: Standardized, universally supported, extendible,
    portable, allows distributed management access and lightweight protocol

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 2


    (Unit-7) SNMP slides www.UandiStar.org

    SNMP defines a client/server relationship. The client program (called the SNMP
    manager) makes connections to a server program (called the SNMP agent) which
    resides on a remote network device, and serves information to the network manager
    regarding the device‘s status. On an abstract level, SNMP can be seen as a service, a
    management application makes use of, to manage distributed objects.
    • The SNMP manager maintains a central database (called the SNMP Management
    Information Base or MIB) that is fed by means of queries to the SNMP agents
    distributed throughout the network. A MIB consists of a standard set of statistical and
    control values defined by various IETF RFCs and can be extended with values specific
    to a particular agent through the use of private or „vendor“ MIBs.

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 3


    (Unit-7) SNMP slides www.UandiStar.org

    SNMP is a simple tool for management. It defines a limited, easily implemented MIB
    of scalar variables and two-dimensional tables, and it defines a streamlined protocol
    to enable a manager to get and set MIB variables and to enable an agent to issue
    unsolicited notifications called traps.

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 4


    (Unit-7) SNMP slides www.UandiStar.org

    Get and GetNext messages: Manager to request information for a specific


    variable.
    Agent issue a GetResponse message
    Set message: Manager request a change be made to the value of a specific variable
    Trap message: Agent to spontaneously inform the manager of an ‘important’ event.
    (Report alarm)

    SNMP messages are transported using the unreliable UDP protocol. This has the
    advantage that control connections will not hang indefinitely when an SNMP agent
    becomes temporarily unavailable or goes off-line altogether. On the negative side
    messages can get lost, especially in the critical case when networks become
    congested and management information is most needed.

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 5


    (Unit-7) SNMP slides www.UandiStar.org

    •Traps are unrequested event reports that are sent to a management system by an
    SNMP agent process
    •When a trappable event occurs, a trap message is generated by the agent and is
    sent to a trap destination (a specific, configured network address)
    •Many events can be configured to signal a trap, like a network cable fault, failing NIC
    or Hard Drive, a “General Protection Fault”, or a power supply failure
    •Traps can also be throttled -- You can limit the number of traps sent per second from
    the agent
    •Traps have a priority associated with them -- Critical, Major, Minor, Warning,
    Marginal, Informational, Normal, Unknown

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 6


    (Unit-7) SNMP slides www.UandiStar.org

    Proxy & Gateway Agents extend the capabilities of SNMP by allowing it to:
    •Manage a device that cannot support an SNMP agent
    •Manage a device that supports a non-SNMP management agent
    •Allow a non-SNMP management system to access an SNMP agent
    •Provide firewall-type security to other SNMP agents (UDP packet filtering)
    •Translate between different formats of SNMP messages (v1 and v2)
    •Consolidate multiple managed nodes into a single network address (also to provide
    a single trap destination)

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 7


    (Unit-7) SNMP slides www.UandiStar.org

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 8


    (Unit-7) SNMP slides www.UandiStar.org

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 9


    (Unit-7) SNMP slides www.UandiStar.org

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 10


    (Unit-7) SNMP slides www.UandiStar.org

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 11


    (Unit-7) SNMP slides www.UandiStar.org

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 12


    (Unit-7) SNMP slides www.UandiStar.org

    Inform command has the advantage that it can be used to construct a configuration
    in which multiple managers cooperate to share management responsibility in a large
    network.
    GetBulk command is designed for the transmission of entire tables with one
    command.
    For SNMPv1, the get command is rejected even if atleast one of the object does not
    exist at the agent, where as partial results may be returned for SNMPv2

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 13


    (Unit-7) SNMP slides www.UandiStar.org

    The manager “manages” a number of agents. Each agent controls its own local MIB
    and must be able to control the use of that MIB by a number of managers.
    Authentication service: The agent may wish to limit access to the MIB to authorized
    managers.
    . Access policy: The agent may wish to give different access privileges to different
    managers.
    . Proxy service: An agent may act as proxy to other agents. This may involve
    implementing the authentication service and/or access policy for the other agents on
    the proxy system.

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 14


    (Unit-7) SNMP slides www.UandiStar.org

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 15


    (Unit-7) SNMP slides www.UandiStar.org

    The combination of an MIB view and access mode is referred to as an SNMP


    community profile. Thus, a community profile consists of a defined subset of the MIB
    at the agent, plus an access mode for those objects. The SNMP access mode is
    applied uniformly to all of the objects in the MIB view. Thus, if the access mode
    READ-ONL Y is selected, it applies to all of the objects in the view and limits managers
    access of this view to read-only operations. A community profile is associated with
    each community defined by an agent; the combination of an SNMP community and
    an SNMP community profile is referred to as an SNMP access policy.

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 16


    (Unit-7) SNMP slides www.UandiStar.org

    In 1998, the IETF SNMPv3 working group produced a set of Proposed Internet
    standards, currently RFCs 2570 through 2576. This document set defines a framework
    for incorporating security features into an overall capability that includes either
    SNMPv1 or SNMPv2 functionality. In addition, the documents define a specific set of
    capabilities for network security and access control.
    RFC 2571 describes an architecture within which all current and future versions of
    SNMP fit. RFC 2575 describes an access control facility, which is intended to operate
    independently of the core SNMPv3 capability.

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 17


    (Unit-7) SNMP slides www.UandiStar.org

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 18


    (Unit-7) SNMP slides www.UandiStar.org

    Both the SNMP engine and the applications it supports are defined as a collection of
    discrete modules. An SNMP engine implements functions for sending and receiving
    messages, authenticating and encrypting/decrypting messages, and controlling
    access to managed objects. These functions are provided as services to one or more
    applications that are configured with the SNMP engine to form an SNMP entity.

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 19


    (Unit-7) SNMP slides www.UandiStar.org

    A traditional SNMP manager interacts with SNMP agents by issuing commands (get,
    set) and by receiving trap messages; the manager may also
    interact with other managers by issuing Inform Request PDUs, which provide alerts,
    and by receiving Inform Response PDUs, which acknowledge Inform Requests.

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 20


    (Unit-7) SNMP slides www.UandiStar.org

    The Command Generator Applications monitor and manipulate management data at


    remote agents; they make use of SNMPv1 and/or SNMPv2
    PDUs, including Get, GetNext, GetBulk, and Set. A Notification Originator Application
    initiates asynchronous messages; in the case of a traditional manager, the
    InformRequest PDU is used for this application. A Notification Receiver Application
    processes incoming asynchronous messages; these include InformRequest, SNMPv2-
    Trap, and SNMPv1 Trap PDUs. In the case of an incoming InformRequest PDU, the
    Notification Receiver Application will respond with a Response PDU.

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 21


    (Unit-7) SNMP slides www.UandiStar.org

    For incoming PDU’s, the Dispatcher accepts PDUs from applications and passes it onto
    appropriate message processing module in the message processing subsystem, which returns
    a message containing the PDU with appropriate message headers. Then the dispatcher
    passes this message to the transport layer for transmission. For incoming messages, the
    Dispatcher accepts messages from the transport layer and routes each message to the
    appropriate message processing module. Subsequently, the Message Processing Subsystem
    returns the PDU contained in the message which is then passed to the appropriate
    application. The Message Processing Subsystem accepts outgoing PDUs from the Dispatcher
    and prepares these for transmission by wrapping them in the appropriate message header
    and returning them to the Dispatcher. The Message Processing Subsystem also accepts
    incoming messages from the Dispatcher, processes each message header, and returns the
    enclosed PDU to the Dispatcher. An implementation of the Message Processing Subsystem
    may support a single message format corresponding to a single version of SNMP (SNMPv1,
    SNMPv2c, SNMPv3), or it may contain a number of modules, each supporting a different
    version of SNMP. The Security subsystem performs authentication and encryption functions.
    Each outgoing message is passed to the Security Subsystem from the Message Processing
    Subsystem. Depending on the services required, the Security Subsystem may encrypt the
    enclosed PDU and possibly some fields in the message header, and it may generate an
    authentication code and insert it into the message header. The processed message is then
    returned to the Message Processing Subsystem. Similarly, each incoming message is passed
    to the Security Subsystem from the Message Processing Subsystem. If required, the Security
    Subsystem checks the authentication code and performs decryption. It then returns the
    processed message to the Message Processing Subsystem. An implementation of the
    Security Subsystem may support one or more distinct security models. So far, the only
    defined security model is the User-Based Security Model (USM) for SNMPv3, specified in RFC
    2574.

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 22


    (Unit-7) SNMP slides www.UandiStar.org

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 23


    (Unit-7) SNMP slides www.UandiStar.org

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 24


    (Unit-7) SNMP slides www.UandiStar.org

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 25


    (Unit-7) SNMP slides www.UandiStar.org

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 26


    (Unit-7) SNMP slides www.UandiStar.org

    Message processing involves a general-purpose message processing model and a


    specific security model. The first five fields are generated by the message processing
    model on outgoing messages and processed by the message processing model on
    incoming messages. The next six fields show security parameters used by USM.
    Finally, the PDU, together with the contextEngineID and contextName, constitutes a
    scoped PDU, used for PDU processing.

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 27


    (Unit-7) SNMP slides www.UandiStar.org

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 28


    (Unit-7) SNMP slides www.UandiStar.org

    For HMAC-MD5-96, HMAC is used with MD5 as the underlying hash function. A 16-
    octet (128-bit) authKey is used as input to the HMAC algorithm. The algorithm
    produces a 128-bit output, which is truncated to 12 octets (96 bits). For HMACSHA-
    96, the underling hash function is SHA-l. The authKey is 20 octets in length. The
    algorithm produces a 20-octet output, which is again truncated to 12 octets. USM
    uses the cipher block chaining (CBC) mode of the Data Encryption Standard (DES) for
    encryption. A 16-octet privKey is provided as input to the encryption protocol. The
    first 8 octets (64 bits) of this privKey are used as a DES key. Because DES only requires
    a 56-bit key, the least significant bit of each octet
    is ignored. For CBC mode, a 64-bit initialization vector (IV) is required. The last 8
    octets of the privKey contain a value that is used to generate this IV.

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 29


    (Unit-7) SNMP slides www.UandiStar.org

    Timeliness:- When an authoritative engine sends a message (Trap, Response, Report),


    it contains the current value of its clock, so that the
    nonauthoritative recipient can synchronize on that clock. When a nonauthoritative
    engine sends a message (Get, GetNext, GetBulk, Set, Inform), it includes its current
    estimate of the time value at the destination, allowing the destination to assess the
    message's timeliness.
    Key Localization:-A key localization process, enables a single principal to own. keys
    stored in multiple engines; these keys are localized to the authoritative engine in such
    a way that the principal is responsible for a single key but avoids the security risk of
    storing multiple copies of the same key in a distributed network.
    It makes sense to designate the receiver of Command Generator and
    Inform PDUs as the authoritative engine, and therefore responsible for checking
    message timeliness. If a response or trap is delayed or replayed, little harm should
    occur. However, Command Generator and, to some extent, Inform PDUs result in
    management operations, such as reading or setting MIE objects. Thus, it is important
    to guarantee
    that such PDUs are not delayed or replayed, which could cause undesired effects.

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 30


    (Unit-7) SNMP slides www.UandiStar.org

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 31


    (Unit-7) SNMP slides www.UandiStar.org

    For message transmission, encryption is performed first, if needed. The scoped PDU
    is encrypted and placed in the message payload, and the msgPrivacyParameters value
    is set to the value needed to generate the IV. Then authentication is performed, if
    needed. The entire message, including the scoped PDU is input to HMAC, and the
    resulting authentication code is placed in msgAuthenticationParameters. For
    incoming messages, authentication is performed first if needed. USM first checks the
    incoming MAC against a MAC that it ca1culated; if the two values match, then the
    message is assumed to be authentic (comes from the alleged source and has not
    been altered in transmission). Then USM checks whether the message is within a
    valid time window. If the message is not timely, it is discarded as not authentic.
    Finally, if the scoped PDU has been encrypted, USM performs a decryption and
    returns the plaintext.

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 32


    (Unit-7) SNMP slides www.UandiStar.org

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 33


    (Unit-7) SNMP slides www.UandiStar.org

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 34


    (Unit-7) SNMP slides www.UandiStar.org

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 35


    (Unit-7) SNMP slides www.UandiStar.org

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 36


    (Unit-7) SNMP slides www.UandiStar.org

    A group is defined as a set of zero or more <securityModel, securityName> tuples


    on whose behalf SNMP management objects can be accessed. A securityName refers
    to a principal, and access rights for aH principals in a given group are identical. A
    unique groupName is associated with each group. The group concept is a useful tool
    for categorizing managers with respect to access rights. Any given combination of
    securityModel and securityName can belong to at most one group.

    Access determination depends on the following factors: principal, security level,


    security model, MIB context, object instance and type of access.

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 37


    (Unit-7) SNMP slides www.UandiStar.org

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 38


    (Unit-7) SNMP slides www.UandiStar.org

    Mukesh Chinta,Asst Prof, VNRVJIET www.UandiStar.org 39

    You might also like