
SNMPv3

Video Links
› https://www.youtube.com/watch?v=YZ5gBrA0B0U
(Courtesy: CBT Nuggets)
› https://www.youtube.com/watch?v=hP5yA3hJlAc
(Courtesy: CBT Nuggets)
› https://www.youtube.com/watch?v=L2taU_x_gzc
(Courtesy: FLAMINGO Project)
OUTLINES
› Key Features
› Documentation Architecture
› Architecture
› Application – SNMPv3
› MIB – SNMPv3
› Security
› User Based Security Model
› Access Control
Key Features
SNMPv3 – Key Features
› Modularization
– Modularization of architecture and documentation
– Integrates the SNMPv1 and SNMPv2 specifications with SNMPv3
› SNMP Engine
– Includes explicit subsystems such as the dispatcher and the message
processing function
– Application services and primitives have been explicitly defined
› Security
– Can be configured remotely over secure communication or encryption
schemes, and is also protected against malicious attacks
› VACM (View based Access Control Model)
– Specifies whether a given type of access (read, write, create, notify)
is allowed on a particular object or not
Document Architecture
Document Architecture – SNMPv1 (figure)
Document Architecture – SNMPv3 (figure)
Architecture
Architecture
› The network consists of several nodes, each containing an SNMP entity
› The entities interact with each other to monitor and manage the
network and its resources
› An SNMP entity is defined by
– the elements of the entity
– the names associated with them
› Three kinds of naming are used:
1. naming of entities
2. naming of identifiers
3. naming of management information
Architecture – Elements of Entity
(figure) Elements of architecture associated with an SNMP entity:
SNMP engine (snmpEngineID) consists of
– Dispatcher
– Message Processing sub-system
– Security sub-system
– Access Control sub-system
Architecture - Element of Entity – SNMP Engine
› An SNMP entity has one SNMP engine, uniquely identified by its
snmpEngineID
› snmpEngineID is a variable-length octet string
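The slide leaves the octet string opaque, but its layout is fixed by the SnmpEngineID textual convention of RFC 3411: a 4-octet enterprise number, a format octet, and identifying data. The parser below is an added example (not code from the slides or from any SNMP implementation) that splits an engine ID into those parts; every engine ID it is run on is a constructed sample value, not one captured from a device.

```python
# Added example, not from the lecture slides: split an snmpEngineID into the
# parts defined by the SnmpEngineID textual convention of RFC 3411. All sample
# engine IDs used with it are constructed values, not captured from a device.
import ipaddress

# Format codes carried in the 5th octet of an RFC 3411 style engine ID
ENGINE_ID_FORMATS = {1: "IPv4", 2: "IPv6", 3: "MAC", 4: "text", 5: "octets"}
# Address-based formats have a fixed number of data octets
FIXED_DATA_LENGTH = {1: 4, 2: 16, 3: 6}


def parse_engine_id(engine_id: bytes) -> dict:
    """Return the enterprise number, format and identifying data of an engine ID."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("snmpEngineID must be 5..32 octets long")
    first_word = int.from_bytes(engine_id[:4], "big")

    if not first_word & 0x80000000:
        # High bit clear: the older RFC 1910 layout, always exactly 12 octets,
        # enterprise number followed by 8 enterprise-defined octets
        if len(engine_id) != 12:
            raise ValueError("RFC 1910 style snmpEngineID must be 12 octets")
        return {"scheme": "rfc1910", "enterprise": first_word,
                "format": "enterprise-specific", "data": engine_id[4:].hex()}

    # High bit set: RFC 3411 layout, enterprise number in the low 31 bits,
    # format code in octet 5, identifying data in the remaining octets
    fmt, data = engine_id[4], engine_id[5:]
    if fmt in ENGINE_ID_FORMATS:
        name = ENGINE_ID_FORMATS[fmt]
    elif fmt >= 128:
        name = "enterprise-specific"
    else:
        name = "reserved"

    expected = FIXED_DATA_LENGTH.get(fmt)
    if expected is not None and len(data) != expected:
        raise ValueError(f"{name} engine ID needs {expected} data octets, got {len(data)}")

    if fmt == 1:
        rendered = str(ipaddress.IPv4Address(data))
    elif fmt == 2:
        rendered = str(ipaddress.IPv6Address(data))
    elif fmt == 3:
        rendered = ":".join(f"{b:02x}" for b in data)
    elif fmt == 4:
        rendered = data.decode("ascii", "replace")
    else:
        rendered = data.hex()
    return {"scheme": "rfc3411", "enterprise": first_word & 0x7FFFFFFF,
            "format": name, "data": rendered}


# Constructed samples: enterprise 9 with a MAC-based tail, and enterprise 8072
# (the net-snmp enterprise number) with an enterprise-specific tail
SAMPLE_MAC_ENGINE_ID = bytes.fromhex("80000009" "03" "001122334455")
SAMPLE_ENTERPRISE_ENGINE_ID = bytes.fromhex("80001f88" "80" "59dc486145a26322")

if __name__ == "__main__":
    for eid in (SAMPLE_MAC_ENGINE_ID, SAMPLE_ENTERPRISE_ENGINE_ID):
        print(eid.hex(), "->", parse_engine_id(eid))
```

The engine ID is not a secret: peers learn it in cleartext during SNMPv3 discovery. It matters for security anyway, because the User Based Security Model derives the per-engine localized keys from it, so two devices that share an engine ID (for example cloned virtual machine images) share localized keys. Running a parser like this over an inventory of engine IDs is a cheap way to check that they are well-formed and unique.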
Architecture - Element of Entity - SNMP Engine - Dispatcher (1)
› There is one dispatcher in an SNMP engine; it handles multiple
versions of SNMP messages.
› It has three modules to perform its functions
› Transport Mapper
– Sends messages to and receives messages from the network
– Delivers the message over the appropriate transport protocol of the
network
› Message Dispatcher
– Determines the version of the message and hands it to the
corresponding module
– Routes outgoing and incoming messages to the appropriate
module of the message processor
Architecture - Element of Entity - SNMP Engine - Dispatcher (2)
› PDU Dispatcher
– Provides an abstract interface to SNMP applications for delivering an
incoming PDU to the local application
– and for sending a PDU from the local application to a remote entity
– Handles the routing of PDUs between the applications and the
Message Processing Model
Architecture - Element of Entity
› Message Processing Subsystem
– Interacts with the dispatcher to handle version-specific SNMP messages
– Contains one or more MPMs (Message Processing Modules)
– The version is identified by the version field in the message header
› Security and Access Control Subsystems
– The security sub-system provides security services at the message level,
in terms of authentication and privacy protection
– The access control sub-system provides the authorization service
› Application Module
– This module is made up of one or more applications such as the
notification receiver, proxy forwarder etc.
Architecture - Names - Identity
› SNMPv3 specifies three kinds of names: the name of an entity, of an
identity, and of management information
› The name of an entity is its snmpEngineID
› Two names are associated with an identity:
– Principal: "who" is requesting the service (a person or an application)
– SecurityName: a human-readable string representing a principal
Architecture – Names – Management Entity
› A management entity may be responsible for more than one managed
object
› Each such object is termed a context and has a contextID and a
contextName.
› When there is a one-to-one relationship between the management
entity and the managed object, the contextID is the snmpEngineID
› A scopedPDU is a block of data containing a contextID, a
contextName and a PDU
› For example
– When an SNMP agent in a hub is accessed to manage the interfaces of the
hub, each interface has its own contextID and the agent is identified by
its snmpEngineID
– If each interface is managed individually, then each interface's contextID
is the same as its snmpEngineID
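Two of the slides above describe wire-level behaviour that is easier to see on real bytes: the Message Dispatcher reading only the version field before choosing a message processing model, and the scopedPDU carrying contextID (the contextEngineID field in RFC 3412), contextName and PDU. The following is an added example, not code from the slides or from any SNMP implementation: a minimal BER reader and encoder in Python. Tag values follow RFC 3412 and RFC 3416; the message it builds, the engine ID and the OID are constructed sample data, and the USM security parameters are a placeholder that the example does not interpret.

```python
# Added example, not from the lecture slides: a minimal BER reader showing how the
# Message Dispatcher peeks only at the version field of an incoming message to pick
# the message processing model, and how an SNMPv3 ScopedPDU (contextEngineID,
# contextName, PDU) is laid out. Tags follow RFC 3412/3416; all bytes are constructed.
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest", 0xA6: "InformRequest",
             0xA7: "SNMPv2-Trap", 0xA8: "Report"}
VERSION_MPM = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}   # version field -> MPM

def encode_tlv(tag: int, content: bytes) -> bytes:
    """Encode one BER TLV with a definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:                                    # long form: 0x80 | count, then the count bytes
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + content

def encode_int(value: int) -> bytes:
    """BER INTEGER, two's complement with the sign bit respected."""
    return encode_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def read_seq(content: bytes):
    """Split the content of a constructed type into (tag, content, raw_tlv) children."""
    items, pos = [], 0
    while pos < len(content):
        tag, body, nxt = read_tlv(content, pos)
        items.append((tag, body, content[pos:nxt]))
        pos = nxt
    return items

def dispatch_version(message: bytes) -> str:
    """Message Dispatcher step: read just the version INTEGER and name the MPM."""
    tag, body, _ = read_tlv(message)
    vtag, vbody, _ = read_tlv(body)
    if tag != 0x30 or vtag != 0x02:
        raise ValueError("expected SEQUENCE { version INTEGER, ... }")
    version = int.from_bytes(vbody, "big", signed=True)
    if version not in VERSION_MPM:
        raise ValueError(f"no message processing model for version {version}")
    return VERSION_MPM[version]

def parse_scoped_pdu(scoped: bytes) -> dict:
    """ScopedPDU ::= SEQUENCE { contextEngineID, contextName, data PDU } (RFC 3412)."""
    tag, body, _ = read_tlv(scoped)
    if tag != 0x30:
        raise ValueError("ScopedPDU must be a SEQUENCE")
    (etag, engine_id, _), (ntag, ctx_name, _), (ptag, pdu_body, _) = read_seq(body)
    if etag != 0x04 or ntag != 0x04:
        raise ValueError("contextEngineID and contextName must be OCTET STRINGs")
    request_id = read_seq(pdu_body)[0][1]    # first field of every PDU type is request-id
    return {"contextEngineID": engine_id.hex(), "contextName": ctx_name.decode("ascii", "replace"),
            "pduType": PDU_TYPES.get(ptag, f"unknown({ptag:#x})"),
            "requestID": int.from_bytes(request_id, "big", signed=True)}

def parse_v3_message(message: bytes) -> dict:
    """SNMPv3 MPM step: header flags and security model, then the ScopedPDU."""
    _, body, _ = read_tlv(message)
    version, global_data, _sec_params, msg_data = read_seq(body)
    msg_id, _max_size, flags, sec_model = read_seq(global_data[1])
    msg_flags = flags[1][0]
    info = {"version": int.from_bytes(version[1], "big"), "msgID": int.from_bytes(msg_id[1], "big"),
            "auth": bool(msg_flags & 0x01), "priv": bool(msg_flags & 0x02),
            "reportable": bool(msg_flags & 0x04), "securityModel": int.from_bytes(sec_model[1], "big")}
    # privFlag set: msgData is an OCTET STRING with the encrypted ScopedPDU; only USM can open it
    info["scopedPDU"] = None if info["priv"] else parse_scoped_pdu(msg_data[2])
    return info

def build_sample_v3_get(context_engine_id: bytes, oid: bytes, request_id: int = 1) -> bytes:
    """Construct a noAuthNoPriv SNMPv3 GetRequest for one OID (sample data only)."""
    varbind = encode_tlv(0x30, encode_tlv(0x06, oid) + encode_tlv(0x05, b""))
    pdu = encode_tlv(0xA0, encode_int(request_id) + encode_int(0) + encode_int(0)
                     + encode_tlv(0x30, varbind))
    scoped = encode_tlv(0x30, encode_tlv(0x04, context_engine_id) + encode_tlv(0x04, b"") + pdu)
    header = encode_tlv(0x30, encode_int(42) + encode_int(65507)
                        + encode_tlv(0x04, b"\x04") + encode_int(3))   # reportable, noAuthNoPriv; USM
    usm_params = encode_tlv(0x04, encode_tlv(0x30, b""))               # placeholder, not parsed here
    return encode_tlv(0x30, encode_int(3) + header + usm_params + scoped)

SAMPLE_ENGINE_ID = bytes.fromhex("80000009" "03" "001122334455")     # constructed MAC-based engine ID
SYSDESCR_0 = bytes.fromhex("2b06010201010100")                        # OID 1.3.6.1.2.1.1.1.0

if __name__ == "__main__":
    msg = build_sample_v3_get(SAMPLE_ENGINE_ID, SYSDESCR_0)
    print("dispatcher hands the message to:", dispatch_version(msg))
    print(parse_v3_message(msg))
```

The split between dispatch_version and parse_v3_message mirrors the layering on the slides: the dispatcher needs nothing beyond the version INTEGER, while header flags, security model and the scopedPDU belong to the SNMPv3 message processing model. When the privacy flag is set the scopedPDU arrives encrypted inside an OCTET STRING, so a parser at this layer must stop and leave decryption to the security subsystem; treating those bytes as a plaintext SEQUENCE is a common source of bogus parse errors in monitoring tooling.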
Abstract Service Interfaces (1)
› The subsystems in an SNMP entity communicate with each other
across interfaces, each either providing a service or using a
service
› When an interface between two subsystems is defined so that it is
generic and independent of any specific implementation, it
becomes a conceptual interface termed an abstract service
interface
› These abstract services are defined by the set of primitives
that define the service
Abstract Service Interfaces (2)
› Subsystem A sends a request for service to subsystem B using the
primitive "primitiveAB".
› "primitiveAB" is associated with the receiving subsystem B,
which provides the service
› For example
– A primitive has IN and OUT operands or parameters, which are data
values, represented as a1, a2 and b1, b2 respectively
– a1 and a2 are the input values passed to the called subsystem by the
calling subsystem that requests the service (Get-Request)
– b1 and b2 are the responses expected from the called subsystem
by the calling subsystem (Get-Response)
Abstract Service Interfaces (3)
› When the calling subsystem expects a response from the
called subsystem, the message is directed and a bi-directional
arrow is used.
SNMPv3 Applications
Application Types
› Formally, five application types are defined
– Command Generator: generates get-request, get-next-request,
get-bulk and set-request messages
– Command Responder: performs the appropriate get or set action
on the network element, prepares a get-response message, and
sends it to the remote entity that made the request
– Notification Originator: generates either a trap or an inform
message
– Notification Receiver: receives SNMP notification messages
– Proxy Forwarder: an application that forwards SNMP requests,
notifications and responses without regard to what managed objects
they contain
(figures) Command Generator Application; Command Responder Application
Notification Originator
› Generates a trap or inform message
› Its operation is similar to that of the command responder, except that
it must also determine the following
– Where to send the message
– What SNMP version to use
– Security parameters
– contextID
– Name of the context
› This information can be found using the MIBs newly created in
SNMPv3
SNMP Receiver & Proxy Forwarder
› SNMP Receiver
– Receives SNMP notification messages
– Must be registered with the snmpEngine to receive get or set messages
› Proxy Forwarder
– Forwards SNMP requests, notifications and responses without regard
to what managed objects they contain
– Uses the translation tables in the proxy group MIB created for this purpose
SNMPv3 - MIB
SNMPv3 - MIB
The numbers are the node identifiers of the SNMPv3 MIB modules under
snmpModules (1.3.6.1.6.3):
› 10: Describes the SNMP management architecture
› 11: Identifies objects in the MPM and the dispatching module
› 12: Remote configuration of the parameters
› 13: MIB objects and notification generation
› 14: Concerned with objects in the proxy forwarding application
› 15 & 16: Security and access control
