
An Introduction to SNMP & Versions of SNMP

By Dr. R. Lalitha, Professor, CSE, Sri Muthukumaran Institute of Technology, Chennai

Evolution of SNMP
- 1983 - TCP/IP replaces ARPANET at U.S. Dept. of Defense, effective birth of the Internet
- First model for net management - HEMS - High-Level Entity Management System
- 1987 - ISO OSI proposes CMIP - Common Management Information Protocol, and CMOT (CMIP over TCP) as the actual network management protocol for use on the Internet
- Nov. 1987 - SGMP - Simple Gateway Monitoring Protocol
- 1989 - Marshall T. Rose heads up the SNMP working group to create a common network management framework to be used by both SGMP and CMOT, to allow for a transition to CMOT

Evolution of SNMP
- Aug. 1989 - Internet-standard Network Management Framework was defined
- Apr. 1989 - SNMP promoted to recommended status as the de facto TCP/IP network management framework
- May 1990 - SNMP became a standard protocol with a recommended status
- Mar. 1991 - format of MIBs and traps defined; TCP/IP MIB definition revised to create SNMPv1

Functional Areas of Network Management
- Configuration Management - configuration provisioning
- Fault Management - reactive and proactive network fault management
- Performance Management - # of packets dropped, timeouts, collisions, CRC errors
- Security Management - SNMP doesn't provide much here
- Accounting Management - cost management and chargeback assessment
- Asset Management - statistics of equipment, facility, and administration personnel
- Planning Management - analysis of trends to help justify a network upgrade or bandwidth increase

SNMP Versions
Two major versions, SNMPv1 and SNMPv2:
1. SNMPv1 is the recommended standard
2. SNMPv2 is divided as:
   - SNMPv2u - SNMPv2 with user-based security
   - SNMPv2* - SNMPv2 with user-based security and additional features
   - SNMPv2c - SNMPv2 without security

Model of SNMP
SNMP is a client pull and server push model.
- The management system (client) pulls data from the agent (server)
- The agent (server) pushes out a trap message to a (client) management system

SNMP & OSI MODEL
Layer | OSI layer          | SNMP stack
7     | Application Layer  | Management & Agent APIs; SNMP
6     | Presentation Layer | ASN.1 & BER
5     | Session Layer      | RPC & NetBIOS
4     | Transport Layer    | TCP & UDP
3     | Network Layer      | IP & IPX
2     | Data Link Layer    | Ethernet, Token Ring & FDDI
1     | Physical Layer     | Ethernet, Token Ring & FDDI

Transport Mechanism
SNMP uses the User Datagram Protocol (UDP) as its transport mechanism to transmit messages:
- UDP Port 161 - SNMP Messages
- UDP Port 162 - SNMP Trap Messages

Traps
- Traps are messages that are asynchronously sent by an agent to a manager
- Traps are triggered by an event
- Defined traps include:
  - linkDown - event that an interface went down
  - coldStart - unexpected restart (i.e., system crash)
  - warmStart - soft reboot
  - linkUp - the opposite of linkDown
  - authenticationFailure (SNMP)

SNMP STRUCTURE
[Figure: Manager (Management Application) and Agent (MIB) exchange SNMP PDUs over the connectionless transport service provider, UDP.]

Simple Network Management Protocol
SNMP is a framework that provides facilities for managing and monitoring network resources on the Internet.
Components of SNMP:
- SNMP agents
- SNMP managers
- Management Information Bases (MIBs)
- The SNMP protocol itself

[Figure: Traditional SNMP Manager]

[Figure: Traditional SNMP Agent]

PRINCIPLE OPERATION
[Figure series: Manager and Agent (with MIB): SNMP between them; polling and trap; get, set and trap; table and variable access.]

Simple Network Management Protocol
- An SNMP agent is software that runs on a piece of network equipment (host, router, printer, or others) and that maintains information about its configuration and current state in a database
- Information in the database is described by Management Information Bases (MIBs)
- An SNMP manager is an application program that contacts an SNMP agent to query or modify the database at the agent
- The SNMP protocol is the application layer protocol used by SNMP agents and managers to send and receive data

[Figure: Protocol context of SNMP]

[Figure: Proxy Configuration]

MIBS
- A MIB specifies the managed objects
- A MIB is a text file that describes managed objects using the syntax of ASN.1 (Abstract Syntax Notation 1)
- ASN.1 is a formal language for describing data and its properties
- In Linux, MIB files are in the directory /usr/share/snmp/mibs
- Multiple MIB files exist; MIB-II (defined in RFC 1213) defines the managed objects of TCP/IP networks

Organization of managed objects
- Managed objects are organized in a tree-like hierarchy and the OIDs reflect the structure of the hierarchy
- Each OID represents a node in the tree
- Example: the OID 1.3.6.1.2.1 (iso.org.dod.internet.mgmt.mib-2)

Managed Objects
- Each managed object is assigned an object identifier (OID)
- The OID is specified in a MIB file
- An OID can be represented as a sequence of integers separated by decimal points or by a text string
  Example: 1.3.6.1.2.1.4.6 = iso.org.dod.internet.mgmt.mib-2.ip.ipForwDatagrams
- When an SNMP manager requests an object, it sends the OID to the SNMP agent

SNMP Protocol
- An SNMP manager and an SNMP agent communicate using the SNMP protocol
- Generally: the manager sends queries and the agent responds
- Exception: traps are initiated by the agent
[Figure: SNMP manager and SNMP agent. get-request, get-next-request and set-request are sent to the agent on port 161 and each is answered with a get-response; the trap is sent from the agent to the manager on port 162.]

SNMP Protocol
- Get-request: requests the values of one or more objects
- Get-next-request: requests the value of the next object, according to a lexicographical ordering of OIDs
- Set-request: a request to modify the value of one or more objects
- Get-response: sent by the SNMP agent in response to a get-request, get-next-request, or set-request message
- Trap: an SNMP trap is a notification sent by an SNMP agent to an SNMP manager, which is triggered by certain events at the agent

SNMP Versions
Three versions are in use today:
- SNMPv1 (1990)
- SNMPv2c (1996)
  - Adds GetBulk function and some new types
  - Adds RMON (remote monitoring) capability
- SNMPv3 (2002)
  - SNMPv3 started from SNMPv1 (and not SNMPv2c)
  - Addresses security
Many SNMP agents and managers support all three versions of the protocol.

Format of SNMP Packets
SNMPv1 Get/Set messages (fields called out in the figure):
- Cleartext string that is used as a password (the community string)
- PDU type, e.g.: 32: SNMPv1 Get, 64: SNMPv2 Get
- Unique ID to match requests with replies
- Sequence of name-value pairs
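The SNMPv1 message layout described above, as an added example that is not from the original slides: a minimal ASN.1 BER encoder builds a GetRequest for sysLocation.0, and a small decoder reads the community string straight back out of the datagram, which is what any packet inspector on the path can do. The community "public", the request ID and the target OID are constructed sample values.

```python
# Added example (not from the original slides): hand-encodes an SNMPv1
# GetRequest in ASN.1 BER and reads the community string back out of the
# bytes, showing that the "password" travels in cleartext on UDP/161.

def ber_len(n):
    # BER length: one byte below 128, otherwise 0x80|count followed by the length bytes.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    # Tag-Length-Value wrapper used for every BER element below.
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(v):
    # INTEGER (tag 0x02), minimal two's-complement encoding.
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def ber_oid(dotted):
    # OBJECT IDENTIFIER (tag 0x06): the first two arcs share one byte (40*a + b);
    # every further arc is base-128 with the high bit set on all but its last byte.
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return tlv(0x06, bytes(out))

def build_get_request(community, oid, request_id=1):
    # Message ::= SEQUENCE { version INTEGER (0 = SNMPv1), community OCTET STRING, PDU }
    # GetRequest-PDU (tag 0xA0) ::= request-id, error-status, error-index, varbind list.
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))          # OID with a NULL value
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)

def community_from_packet(pkt):
    # What an inspector on the path sees: skip the outer SEQUENCE header and the
    # version INTEGER, then read the OCTET STRING. Assumes short-form lengths (< 128 bytes).
    i = 2                          # outer SEQUENCE tag + one length byte
    i += 2 + pkt[i + 1]            # version INTEGER: tag, length, value
    if pkt[i] != 0x04:
        raise ValueError("expected OCTET STRING community")
    return pkt[i + 2:i + 2 + pkt[i + 1]].decode()

if __name__ == "__main__":
    # Constructed sample: community "public", sysLocation.0 (1.3.6.1.2.1.1.6.0).
    pkt = build_get_request("public", "1.3.6.1.2.1.1.6.0")
    print(pkt.hex())
    print("community visible on the wire:", community_from_packet(pkt))
```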

SNMP Commands
SNMP has 5 different functions referred to as Protocol Data Units (PDUs), which are:
(1) GetRequest, aka Get
(2) GetNextRequest, aka GetNext
(3) GetResponse, aka Response
(4) SetRequest, aka Set
(5) Trap

SNMP Commands [Get]
GetRequest [Get]
- Most common PDU.
- Used to ask the SNMP agent for the value of a particular MIB instance.
- NMS sends out 1 Get PDU for each instance, which is a unique OID string.

SNMP Commands [GetNext]
GetNextRequest [GetNext]
- NMS application uses GetNext to walk down a table within a MIB.
- Designed to ask for the OID and value of the MIB instance that comes after the one asked for.
- Once the agent responds, the NMS application can increment its count and generate a GetNext.
- This can continue until the NMS application detects that the OID has changed, i.e. it has reached the end of the table.
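The GetNext walk just described, as an added example that is not from the original slides: the agent side answers each GetNext with the lexicographically next OID, and the manager side stops as soon as the returned OID leaves the requested subtree. The agent database is constructed sample data (a few ifTable entries plus one object outside the table); note that OIDs must be ordered arc by arc as integers, since string ordering puts arc 10 before arc 2.

```python
# Added example (not from the original slides): simulates an NMS walking a MIB
# table with GetNext until the returned OID is no longer under the table's OID.

# Constructed agent database: OID -> value (ifIndex, ifDescr, ifInOctets rows,
# plus ipForwDatagrams, which lies outside ifTable and ends the walk).
AGENT_DB = {
    "1.3.6.1.2.1.2.2.1.1.1": 1,
    "1.3.6.1.2.1.2.2.1.1.2": 2,
    "1.3.6.1.2.1.2.2.1.2.1": "lo",
    "1.3.6.1.2.1.2.2.1.2.2": "eth0",
    "1.3.6.1.2.1.2.2.1.10.1": 1500,   # arc 10 sorts AFTER arc 2 numerically
    "1.3.6.1.2.1.4.6.0": 42,
}

def oid_key(oid):
    # Lexicographic order is over integer arcs, not over the dotted string.
    return tuple(int(a) for a in oid.split("."))

def get_next(oid):
    # Agent side: return the first OID strictly greater than the one asked for,
    # or (None, None) when nothing follows (the end of the MIB view).
    later = sorted((o for o in AGENT_DB if oid_key(o) > oid_key(oid)), key=oid_key)
    if not later:
        return None, None
    return later[0], AGENT_DB[later[0]]

def walk(subtree):
    # Manager side: start with the table OID itself and keep issuing GetNext
    # until the agent returns an OID outside `subtree` or runs out of objects.
    prefix = oid_key(subtree)
    rows, oid = [], subtree
    while True:
        oid, value = get_next(oid)
        if oid is None or oid_key(oid)[:len(prefix)] != prefix:
            return rows
        rows.append((oid, value))

if __name__ == "__main__":
    for oid, value in walk("1.3.6.1.2.1.2.2.1"):     # whole ifTable entry
        print(oid, "=", value)
```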

SNMP Commands [GetResponse]
GetResponse [Response]
- Simply a response to a Get, GetNext or Set.
- SNMP agent responds to all requests or commands via this PDU.

SNMP Commands [SetRequest]
SetRequest [Set]
- Issued by an NMS application to change a MIB instance to the variable within the Set PDU.
- For example, you could issue a GetRequest against a KDEG server asking for sysLocation.0 and may get ORI as the response.
- Then, if the server was moved, you could issue a Set against that KDEG server to change its location to INS.
- You must have the correct permissions when using the Set PDU.

SNMP Commands [Trap]
Trap
- Asynchronous notification.
- SNMP agents can be programmed to send a trap when a certain set of circumstances arise.
- Circumstances can be viewed as thresholds, i.e. a trap may be sent when the temperature of the core breaches a predefined level.

SNMP Security
SNMP Community Strings (like passwords)
- 3 kinds:
  - READ-ONLY: You can send out a Get & GetNext to the SNMP agent, and if the agent is using the same read-only string it will process the request.
  - READ-WRITE: Get, GetNext, and Set. If a MIB object has an ACCESS value of read-write, then a Set PDU can change the value of that object with the correct read-write community string.
  - TRAP: Allows administrators to cluster network entities into communities. Fairly redundant.

Advantages
- Standardized
- Universally supported
- Extendible
- Portable
- Allows distributed management access
- Lightweight protocol

SNMP v1 and v2
SNMPv1 is connectionless since it utilizes UDP (rather than TCP) as the transport layer protocol. SNMPv2 allows the use of TCP for reliable, connection-oriented service.

Comparison of SNMPv1 and SNMPv2
SNMPv1 PDU     | SNMPv2 PDU     | Direction                                       | Description
GetRequest     | GetRequest     | Manager to agent                                | Request value for each listed object
GetNextRequest | GetNextRequest | Manager to agent                                | Request next value for each listed object
-----          | GetBulkRequest | Manager to agent                                | Request multiple values
SetRequest     | SetRequest     | Manager to agent                                | Set value for each listed object
-----          | InformRequest  | Manager to manager                              | Transmit unsolicited information
GetResponse    | Response       | Agent to manager or manager to manager (SNMPv2) | Respond to manager request
Trap           | SNMPv2-Trap    | Agent to manager                                | Transmit unsolicited information

SNMPv1 Community Facility
An SNMP community is a relationship between an SNMP agent and SNMP managers. Three aspects of agent control:
- Authentication service
- Access policy
- Proxy service

[Figure: SNMPv1 Administrative Concepts]

SNMPV2
SNMPv2, a revised version of SNMPv1, includes improvements in the areas of performance, security, confidentiality, and manager-to-manager communications. It introduced GetBulkRequest, an alternative to iterative GetNextRequests for retrieving large amounts of management data in a single request.

SNMPv1 & V2 interoperability
SNMPv2 is incompatible with SNMPv1 in two key areas:
- Message formats: SNMPv2c messages use different header and protocol data unit (PDU) formats from SNMPv1 messages.
- Protocol operations: SNMPv2c also uses two protocol operations that are not specified in SNMPv1.

SNMPv2 Proxy Agent
An SNMPv2 agent can act as a proxy agent on behalf of SNMPv1 managed devices, as follows:
1. An SNMPv2 NMS issues a command intended for an SNMPv1 agent.
2. The NMS sends the SNMP message to the SNMPv2 proxy agent.
3. The proxy agent forwards Get, GetNext, and Set messages to the SNMPv1 agent unchanged.
4. GetBulk messages are converted by the proxy agent to GetNext messages and then forwarded to the SNMPv1 agent.
5. The proxy agent maps SNMPv1 trap messages to SNMPv2 trap messages and then forwards them to the NMS.

Bilingual SNMPv2
Bilingual SNMPv2 network-management systems support both SNMPv1 and SNMPv2. To support this dual-management environment, a management application in the bilingual NMS must contact an agent. The NMS then examines information stored in a local database to determine whether the agent supports SNMPv1 or SNMPv2. Based on the information in the database, the NMS communicates with the agent using the appropriate version of SNMP.

SNMPv2 Operations
[Figure: get, getnext and set from manager to agent (MIB), each answered with a response; trap from agent to manager; inform from manager to manager, answered with a response.]

Summary of SNMPv2
- Improved communication model
- Traps have the same format as other PDUs
- Get-bulk PDU
- Additional error codes for sets
- Two security models:
  - SNMPv2c: community based
  - SNMPv2u: user based
- Independence of underlying transport
- Additional data types
- Notifications

SNMPv3
SNMPv3 defines a security capability to be used in conjunction with SNMPv1 or v2.

[Figure: SNMPv3 Flow]

[Figure: SNMPv3 Message Format with User Security Model (USM)]

User Security Model (USM)
Designed to secure against:
- Modification of information
- Masquerade
- Message stream modification
- Disclosure
Not intended to secure against:
- Denial of Service (DoS attack)
- Traffic analysis

SNMPV3
- Command Generator
- Command Responder
- Notification Originator
- Notification Receiver
- The Proxy Forwarder

SNMP Security
- SNMPv1 uses community strings for authentication, sent as plain text without encryption
- SNMPv2 was supposed to fix security problems, but the effort derailed (the c in SNMPv2c stands for community)
- SNMPv3 has numerous security features:
  - Ensures that a packet has not been tampered with (integrity)
  - Ensures that a message is from a valid source (authentication)
  - Ensures that a message cannot be read by unauthorized parties (privacy)

SNMP Security
The security model of SNMPv3 has two components:
1. Instead of granting access rights to a community, SNMPv3 grants access to users.
2. Access can be restricted to sections of the MIB (Version-based Access Control Module (VACM)).
Access rights can be limited by specifying a range of valid IP addresses for a user or community, or by specifying the part of the MIB tree that can be accessed.

Security levels in SNMPv2
SNMP has three security levels:
- noAuthNoPriv: authentication by matching a user name
- authNoPriv: authentication with MD5 or SHA message digests
- authPriv: authentication with MD5 or SHA message digests, and encryption with DES

Thank You
