SNMP
Evolution of SNMP
1983 - TCP/IP replaces ARPANET at U.S. Dept. of Defense, effective birth of the Internet
First model for network management: HEMS (High-Level Entity Management System)
1987 - ISO OSI proposes CMIP (Common Management Information Protocol) and CMOT (CMIP over TCP) as the actual network management protocol for use on the Internet
Nov. 1987 - SGMP (Simple Gateway Monitoring Protocol)
1989 - Marshall T. Rose heads up the SNMP working group to create a common network management framework to be used by both SGMP and CMOT, allowing for a transition to CMOT
Evolution of SNMP
Aug. 1989 - Internet-standard Network Management Framework was defined
Apr. 1989 - SNMP promoted to recommended status as the de facto TCP/IP network management framework
May 1990 - SNMP became a standard protocol with a recommended status
Mar. 1991 - Format of MIBs and traps defined; TCP/IP MIB definition revised to create SNMPv1
SNMP Versions
Two major versions, SNMPv1 and SNMPv2:
1. SNMPv1 is the recommended standard
2. SNMPv2 is divided as:
   SNMPv2u - SNMPv2 with user-based security
   SNMPv2* - SNMPv2 with user-based security and additional features
   SNMPv2c - SNMPv2 without security
Model of SNMP
SNMP is a client pull and server push model.
The management system (client) pulls data from the agent (server).
The agent (server) pushes out a trap message to the management system (client).
Transport Mechanism
SNMP uses the User Datagram Protocol (UDP) as the transport mechanism to transmit messages.
UDP Port 161 - SNMP messages
UDP Port 162 - SNMP trap messages
Traps
Traps are messages that are asynchronously sent by an agent to a manager. Traps are triggered by an event.
Defined traps include:
linkDown - event that an interface went down
coldStart - unexpected restart (i.e., system crash)
warmStart - soft reboot
linkUp - the opposite of linkDown
authenticationFailure (SNMP)
SNMP Structure
[Figure: manager side (management application) and agent side (MIB), exchanging SNMP PDUs.]
Principle Operation
[Figures: manager-agent exchanges showing polling and traps, get/set requests and traps, and table variable retrieval.]
Proxy Configuration
[Figure: proxy configuration.]
MIBs
A MIB specifies the managed objects.
A MIB is a text file that describes managed objects using the syntax of ASN.1 (Abstract Syntax Notation 1).
ASN.1 is a formal language for describing data and its properties.
In Linux, MIB files are in the directory /usr/share/snmp/mibs.
There are multiple MIB files; MIB-II (defined in RFC 1213) defines the managed objects of TCP/IP networks.
Managed Objects
Each managed object is assigned an object identifier (OID). The OID is specified in a MIB file.
An OID can be represented as a sequence of integers separated by decimal points or by a text string. Example:
1.3.6.1.2.1.4.6
iso.org.dod.internet.mgmt.mib-2.ip.ipForwDatagrams
When an SNMP manager requests an object, it sends the OID to the SNMP agent.
SNMP Protocol
An SNMP manager and an SNMP agent communicate using the SNMP protocol.
Generally, the manager sends queries and the agent responds. Exception: traps are initiated by the agent.
[Figure: get-request from the SNMP manager to the SNMP agent on port 161, get-response back, and a trap from the agent to the manager.]
SNMP Protocol
Get-request: requests the values of one or more objects.
Get-next-request: requests the value of the next object, according to a lexicographical ordering of OIDs.
Set-request: a request to modify the value of one or more objects.
Get-response: sent by the SNMP agent in response to a get-request, get-next-request, or set-request message.
Trap: a notification sent by an SNMP agent to an SNMP manager, triggered by certain events at the agent.
SNMP Versions
Three versions are in use today:
SNMPv1 (1990)
SNMPv2c (1996) - adds the GetBulk function and some new types; adds RMON (remote monitoring) capability
SNMPv3 (2002) - started from SNMPv1 (and not SNMPv2c); addresses security
Many SNMP agents and managers support all three versions of the protocol.
[Figure: SNMP message format. Field annotations: cleartext string that is used as a password (the community string); PDU type, e.g. 32: SNMPv1 Get, 64: SNMPv2 Get; unique ID to match requests with replies; sequence of name-value pairs.]
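The message format shown above, worked as an added example that is not from the slides: a minimal decoder for the BER-encoded fields of an SNMPv1/v2c message (version, community, PDU type, request ID, variable bindings), run on a constructed GetRequest packet. It also converts BER OID bytes into the dotted integer form from the Managed Objects slide; because the community travels in cleartext, these same few lines are what a traffic monitor uses to spot default or unexpected community strings.

```python
# Added example (not from the slides): decode the BER fields of an SNMPv1/v2c
# message; the constructed packet is a v1 GetRequest with community "public".

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV that starts at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """BER OID bytes -> dotted form; the first byte packs the first two arcs."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)                 # 7 bits per byte, high bit = more
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def parse_snmp(packet):
    """Parse a v1/v2c request/response message (v1 Trap-PDU has another layout)."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    _, version, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)          # 0xA0 GetRequest, 0xA1 GetNext,
    _, req_id, pos = read_tlv(pdu, 0)             # 0xA2 Response, 0xA3 SetRequest
    _, err_status, pos = read_tlv(pdu, pos)
    _, err_index, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    bindings, pos = [], 0
    while pos < len(varbinds):                    # SEQUENCE OF VarBind (name, value)
        _, vb, pos = read_tlv(varbinds, pos)
        _, oid, p = read_tlv(vb, 0)
        vtag, val, _ = read_tlv(vb, p)
        bindings.append((decode_oid(oid), vtag, val))
    return {"version": int.from_bytes(version, "big"), "pdu_type": pdu_tag,
            "community": community.decode("ascii", "replace"),
            "request_id": int.from_bytes(req_id, "big", signed=True),
            "bindings": bindings}

# Constructed packet: SNMPv1 GetRequest, community "public", request-id 1,
# one varbind for 1.3.6.1.2.1.1.1.0 (sysDescr.0) with a NULL value.
SAMPLE_GET = bytes.fromhex(
    "30260201000406" "7075626c6963" "a019020101020100020100"
    "300e300c06082b060102010101000500")
```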
SNMP Commands
SNMP has 5 different functions, referred to as Protocol Data Units (PDUs):
(1) GetRequest, aka Get
(2) GetNextRequest, aka GetNext
(3) GetResponse, aka Response
(4) SetRequest, aka Set
(5) Trap
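The PDU semantics above (get, get-next with lexicographic OID ordering from the SNMP Protocol slide, and the SNMPv2c GetBulk from the SNMP Versions slide), as an added example that is not from the slides: a toy in-memory agent over a handful of constructed MIB-II instances, with a MIB walk built from repeated get-next.

```python
# Added example (not from the slides): a toy agent table showing how get,
# get-next (lexicographic OID order) and SNMPv2c get-bulk select objects.

def oid_key(oid):
    """Order OIDs arc by arc as integers, not as strings ('.10' sorts after '.2')."""
    return tuple(int(arc) for arc in oid.split("."))

class ToyAgent:
    def __init__(self, objects):
        self.objects = dict(objects)
        self.order = sorted(self.objects, key=oid_key)   # lexicographic OID order
    def get(self, oid):
        """get-request: exact OID only; None models a noSuchName error."""
        return self.objects.get(oid)
    def get_next(self, oid):
        """get-next-request: first object whose OID sorts after the one given."""
        key = oid_key(oid)
        for candidate in self.order:
            if oid_key(candidate) > key:
                return candidate, self.objects[candidate]
        return None   # end of MIB
    def get_bulk(self, oid, max_repetitions):
        """get-bulk: up to max_repetitions successive get-next results in one reply."""
        results = []
        while len(results) < max_repetitions:
            nxt = self.get_next(results[-1][0] if results else oid)
            if nxt is None:
                return results          # end of MIB reached early
            results.append(nxt)
        return results

def walk(agent, subtree):
    """What a MIB walk does: repeat get-next until the OID leaves the subtree."""
    prefix, out, current = oid_key(subtree), [], subtree
    while True:
        nxt = agent.get_next(current)
        if nxt is None or oid_key(nxt[0])[:len(prefix)] != prefix:
            return out
        out.append(nxt)
        current = nxt[0]

SAMPLE_MIB = [                                  # constructed sample objects/values
    ("1.3.6.1.2.1.1.1.0", "Linux router"),      # sysDescr.0
    ("1.3.6.1.2.1.1.3.0", 123456),              # sysUpTime.0
    ("1.3.6.1.2.1.2.2.1.2.2", "eth0"),          # ifDescr.2
    ("1.3.6.1.2.1.2.2.1.2.10", "eth9"),         # ifDescr.10 follows .2 numerically
    ("1.3.6.1.2.1.4.6.0", 42),                  # ipForwDatagrams.0 (the slides' OID)
]
AGENT = ToyAgent(SAMPLE_MIB)
```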
SNMP Security
SNMP Community Strings (like passwords) - 3 kinds:
- READ-ONLY: You can send a Get or GetNext to the SNMP agent, and if the agent is using the same read-only string it will process the request.
- READ-WRITE: Get, GetNext, and Set. If a MIB object has an ACCESS value of read-write, then a Set PDU can change the value of that object with the correct read-write community string.
- TRAP: Allows administrators to cluster network entities into communities. Fairly redundant.
Advantages
Standardized
Universally supported
Extendible
Portable
Allows distributed management access
Lightweight protocol
SNMP v1 and v2
SNMPv1 is connectionless since it utilizes UDP (rather than TCP) as the transport layer protocol. SNMPv2 allows the use of TCP for reliable, connection-oriented service.
SNMPv2 PDU        Direction                                        Description
GetRequest        Manager to agent                                 Request value for each listed object
GetNextRequest    Manager to agent                                 Request next value for each listed object
GetBulkRequest    Manager to agent                                 Request multiple values
SetRequest        Manager to agent                                 Set value for each listed object
InformRequest     Manager to manager                               Transmit unsolicited information
Response          Agent to manager or manager to manager (SNMPv2)  Respond to manager request
Trap (SNMPv2-Trap) Agent to manager                                Transmit unsolicited information
SNMPV2
SNMPv2, a revised version of SNMPv1, includes improvements in the areas of performance, security, confidentiality, and manager-to-manager communications. It introduced GetBulkRequest, an alternative to iterative GetNextRequests for retrieving large amounts of management data in a single request.
Bilingual SNMPv2
Bilingual SNMPv2 network-management systems support both SNMPv1 and SNMPv2. To support this dual-management environment, a management application in the bilingual NMS must contact an agent. The NMS then examines information stored in a local database to determine whether the agent supports SNMPv1 or SNMPv2. Based on the information in the database, the NMS communicates with the agent using the appropriate version of SNMP.
SNMPv2 Operations
[Figures: SNMPv2 operations between manager and agent, each agent holding a MIB - get, set and get-next requests answered by a response; a trap from agent to manager; an inform request from manager to manager answered by a response.]
Summary of SNMPv2
Improved communication model
Traps have the same format as other PDUs
Get-bulk PDU
Additional error codes for sets
Two security models: SNMPv2c (community based) and SNMPv2u (user based)
Independence of underlying transport
Additional data types
Notifications
SNMPv3
SNMPv3 defines a security capability to be used in conjunction with SNMPv1 or v2
SNMPv3 Flow
[Figure: SNMPv3 message flow between the following entities.]
Command Generator
Command Responder
Notification Originator
Notification Receiver
Proxy Forwarder
SNMP Security
SNMPv1 uses plain text community strings for authentication, sent without encryption.
SNMPv2 was supposed to fix the security problems, but the effort derailed (the c in SNMPv2c stands for community).
SNMPv3 has numerous security features:
Ensures that a packet has not been tampered with (integrity)
Ensures that a message is from a valid source (authentication)
Ensures that a message cannot be read by unauthorized parties (privacy)
SNMP Security
The security model of SNMPv3 has two components:
1. Instead of granting access rights to a community, SNMPv3 grants access to users.
2. Access can be restricted to sections of the MIB (View-based Access Control Model, VACM).
Access rights can be limited by specifying a range of valid IP addresses for a user or community, or by specifying the part of the MIB tree that can be accessed.
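The user-based authentication described on the two SNMP Security slides, as an added example that is not from the slides: the RFC 3414 User-based Security Model key derivation (password to Ku, then localization to Kul with the agent's snmpEngineID) and the HMAC-96 tag that provides integrity and authentication. The password and engine ID are the RFC's own test vector; the message bytes are a constructed stand-in for a real SNMPv3 message.

```python
# Added example (not from the slides): the SNMPv3 User-based Security Model
# key handling from RFC 3414, and the HMAC-96 authentication tag built on it.
import hashlib
import hmac

def password_to_key(password: bytes, algo: str = "sha1") -> bytes:
    """Ku = H(password repeated and truncated to exactly 1,048,576 bytes)."""
    reps, rem = divmod(1_048_576, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()

def localize_key(ku: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): one password, a distinct key per agent,
    so a key recovered from one agent does not authenticate to another."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def user_key(password: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    return localize_key(password_to_key(password, algo), engine_id, algo)

def auth_tag(kul: bytes, message: bytes, algo: str = "sha1") -> bytes:
    """msgAuthenticationParameters: first 12 bytes of HMAC(Kul, message); in a
    real message the 12-byte parameter field is zeroed before hashing."""
    return hmac.new(kul, message, algo).digest()[:12]

def verify_tag(kul: bytes, message: bytes, tag: bytes, algo: str = "sha1") -> bool:
    """Receiver side: recompute and compare in constant time (integrity + origin)."""
    return hmac.compare_digest(auth_tag(kul, message, algo), tag)

# RFC 3414 Appendix A.3 test vector inputs: password "maplesyrup", engine ID 00..02
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes(11) + b"\x02"

if __name__ == "__main__":
    kul = user_key(RFC_PASSWORD, RFC_ENGINE_ID)
    other = user_key(RFC_PASSWORD, bytes(11) + b"\x03")      # constructed 2nd agent
    print("Kul for RFC engine:", kul.hex())
    print("same password, other engine:", other.hex())
    msg = b"constructed SNMPv3 message bytes"                # stand-in for a message
    tag = auth_tag(kul, msg)
    print("valid:", verify_tag(kul, msg, tag), "tampered:", verify_tag(kul, msg + b"!", tag))
```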