SNMP.ppt

7,149 views
7,007 views

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
7,149
On SlideShare
0
From Embeds
0
Number of Embeds
20
Actions
Shares
0
Downloads
324
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

SNMP.ppt

  1. 1. Chapter 8 – Network Management As we have learned thus far, computer networks are complex systems of numerous hardware and software components. As such, they are subject to operational problems involving outage , malfunction , mis-configuration , poor performance , and other issues. In this final chapter, we will briefly look at the architecture, protocols and tools available to identify and solve these problems. network data link physical application transport network data link physical network data link physical network data link physical network data link physical network data link physical network data link physical network data link physical network data link physical application transport network data link physical application transport network data link physical
  2. 2. Chapter 8: Network Management <ul><li>Chapter goals: </li></ul><ul><li>introduction to network management </li></ul><ul><ul><li>motivation </li></ul></ul><ul><ul><li>major components </li></ul></ul><ul><li>Internet network management framework </li></ul><ul><ul><li>MIB: management information base </li></ul></ul><ul><ul><li>SMI: data definition language </li></ul></ul><ul><ul><li>SNMP: protocol for network management </li></ul></ul><ul><ul><li>security and administration </li></ul></ul><ul><li>presentation services: ASN.1 </li></ul><ul><li>firewalls </li></ul>
  3. 3. Network management motivation <ul><li>networks are complex autonomous systems </li></ul><ul><ul><li>Consisting of 100s (or 1000s) of interacting hardware and software components </li></ul></ul>&quot; Network management includes the deployment, integration and coordination of the hardware , software , and human elements to monitor, test, poll, configure, analyze, evaluate, and control the network and element resources to meet the real-time, operational performance, and Quality of Service requirements at a reasonable cost.&quot; <ul><li>the network management infrastructure does NOT: </li></ul><ul><ul><li>dictate decision making policies </li></ul></ul><ul><ul><li>address resource provisioning/service management issues </li></ul></ul>
  4. 4. Motivation for network management – “stuff happens” managed device managed device managed device managed device performance problems device faults configuration issues security problems software bugs accounting/billing issues numerous potential issues/problems to deal with… For example: UTA ACS Abilene Net
  5. 5. Network management: 4 key goals <ul><li>Monitor… </li></ul><ul><ul><li>see what’s happening </li></ul></ul><ul><ul><li>host interfaces, traffic levels, service levels, security, performance, routing table changes, etc. </li></ul></ul><ul><li>Analyze… </li></ul><ul><ul><li>determine what it means </li></ul></ul><ul><li>Reactively control… </li></ul><ul><ul><li>take action based on what is happening </li></ul></ul><ul><li>Proactively manage… </li></ul><ul><ul><li>take action based on what current trends tell you to will happen </li></ul></ul>
  6. 6. Infrastructure for network management managed device managed device managed device managed device network management protocol definitions: managed devices contain managed objects whose data is gathered into a Management Information Base (MIB) managing entity * * AKA - Network Management Station (NMS) agent data agent data agent data agent data managing entity data
  7. 7. A typical Network Management Systems Network Management Console Network Management MIB Managed Devices SNMP Protocol (Commands, Replies,Traps)
  8. 8. Network Management standards <ul><li>OSI CMIP </li></ul><ul><li>Common Management Information Protocol </li></ul><ul><li>designed 1980’s: the unifying net management standard </li></ul><ul><li>too slowly standardized </li></ul><ul><li>SNMP: Simple Network Management Protocol </li></ul><ul><li>Internet roots (SGMP… ISMF) </li></ul><ul><li>started simple </li></ul><ul><li>deployed, adopted rapidly </li></ul><ul><li>growth: size, complexity </li></ul><ul><li>currently: SNMP V3 (released April 1999) </li></ul><ul><li>de facto network management standard </li></ul>
  9. 9. SNMP overview: 4 key parts of the Internet network management framework <ul><li>Management information base (MIB): </li></ul><ul><ul><li>distributed information store of network management data (MIB objects) </li></ul></ul><ul><li>Structure of Management Information (SMI): </li></ul><ul><ul><li>data definition language for MIB objects </li></ul></ul><ul><li>SNMP protocol </li></ul><ul><ul><li>convey manager<->managed object info, commands </li></ul></ul><ul><li>Security & administration capabilities </li></ul><ul><ul><li>major addition in SNMPv3 </li></ul></ul>
  10. 10. SMI: data definition language (RFC 2578) <ul><li>Purpose: syntax, semantics of management data well-defined, unambiguous </li></ul><ul><li>base data types: </li></ul><ul><ul><li>straightforward, boring </li></ul></ul><ul><li>OBJECT-TYPE </li></ul><ul><ul><li>data type, status, semantics of managed object </li></ul></ul><ul><li>MODULE-IDENTITY </li></ul><ul><ul><li>groups related objects into MIB module </li></ul></ul>Basic Data Types INTEGER Integer32 Unsigned32 OCTET STRING OBJECT IDENTIFIER IPaddress Counter32 Counter64 Guage32 Time Ticks Opaque
  11. 11. SNMP MIB OBJECT-TYPE: OBJECT-TYPE: OBJECT-TYPE: objects specified via SMI OBJECT-TYPE construct MIB module specified via SMI MODULE-IDENTITY (100’s of standardized MIBs, more vendor-specific) MODULE
  12. 12. SMI: Object, module examples <ul><li>OBJECT-TYPE: ipInDelivers </li></ul><ul><li>MODULE-IDENTITY: ipMIB </li></ul>ipInDelivers OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION “ The total number of input datagrams successfully delivered to IP user- protocols (including ICMP)” ::= { ip 9} ipMIB MODULE-IDENTITY LAST-UPDATED “941101000Z” ORGANZATION “IETF SNPv2 Working Group” CONTACT-INFO “ Keith McCloghrie ……” DESCRIPTION “ The MIB module for managing IP and ICMP implementations, but excluding their management of IP routes.” REVISION “019331000Z” ……… ::= {mib-2 48} Note: RFC 2011-IP MIB, RFC 2012-TCP MIB , RFC 2013-UDP MIB, …
  13. 13. SNMP Naming (OBJECT IDENTIFIER) <ul><li>question: how to name every possible standard object (protocol, data, more..) in every possible network standard ?? </li></ul><ul><li>answer: ISO Object Identifier tree: </li></ul><ul><ul><li>hierarchical naming of all objects </li></ul></ul><ul><ul><li>each branchpoint has name, number </li></ul></ul>1.3.6.1.2.1.7.1 ISO ISO-ident. Org. US DoD Internet udpInDatagrams UDP MIB2 management
  14. 14. ISO Object Identifier Tree Check out www. alvestrand .no/ harald / objectid /top.html
  15. 15. MIB example: UDP module Object ID Name Type Comments 1.3.6.1.2.1.7.1 UDPInDatagrams Counter32 # UDP datagrams delivered at this node 1.3.6.1.2.1.7.2 UDPNoPorts Counter32 # undeliverable datagrams, no application at port 1.3.6.1.2.1.7.3 UDInErrors Counter32 # undeliverable datagrams, all other reasons 1.3.6.1.2.1.7.4 UDPOutDatagrams Counter32 # UDP datagrams sent 1.3.6.1.2.1.7.5 udpTable SEQUENCE one entry for each port UDP Entry in use by app, gives port # and IP address
  16. 16. SNMP protocol <ul><li>Two ways to convey MIB info, commands: </li></ul>Managed device response Managed device trap msg. request/response mode trap mode agent data managing entity agent data managing entity request
  17. 17. SNMP protocol: message types GetRequest (0) GetNextRequest (1) GetBulkRequest (5) Mgr-to-Agent: “get me data” (instance,next in list, block) Message type Function InformRequest (6) Mgr-to-Mgr: here’s MIB value SetRequest (3) Mgr-to-Agent: set MIB value Response (2) Agent-to-Mgr: value, response to Request Trap (7) Agent-to-Mgr: inform manager of exceptional event
  18. 18. SNMP protocol: message formats Trap messages Get…, Set, Inform, Response messages
  19. 19. SNMP security and administration <ul><li>encryption: DES-encrypt SNMP message </li></ul><ul><li>authentication: compute, send MIC(m,k): compute hash (MIC) over message (m), secret shared key (k) </li></ul><ul><li>protection against playback: use nonce </li></ul><ul><li>view-based access control </li></ul><ul><ul><li>SNMP entity maintains database of access rights, policies for various users </li></ul></ul><ul><ul><li>database itself accessible as managed object! </li></ul></ul>MIC: Message Integrity Code (like a digital signature)
  20. 20. The presentation problem <ul><li>Q: does perfect memory-to-memory copy solve “the communication problem”? </li></ul><ul><li>A: not always! </li></ul>problem: different data format, storage conventions (e.g. big-endian, little-endian) struct { char code; int x; } test; test.x = 259; test.code=‘a’ test.code test.x test.code test.x host 1 format host 2 format a 00000001 00000011 a 00000011 00000001
  21. 21. Solving the presentation problem <ul><li>1. Translate local-host format to host-independent format </li></ul><ul><li>2. Transmit data in host-independent format </li></ul><ul><li>3. Translate host-independent format to remote-host format </li></ul>
  22. 22. ASN.1: Abstract Syntax Notation 1 <ul><li>“The language of standards writers.” </li></ul><ul><li>ISO standard X.680 </li></ul><ul><ul><li>used extensively in Internet </li></ul></ul><ul><li>defined data types , object constructors </li></ul><ul><ul><li>like SMI </li></ul></ul><ul><li>BER: Basic Encoding Rules (ITU-T X.209, X.690 ) </li></ul><ul><ul><li>specify how ASN.1-defined data objects to be transmitted </li></ul></ul><ul><ul><li>each transmitted object has Type, Length, Value (TLV) encoding </li></ul></ul>
  23. 23. ASN.1: Abstract Syntax Notation 1 <ul><li>Encoding Rules </li></ul><ul><li>BER - for management of the Internet, exchange of electronic mail, control of telephone/computer interactions </li></ul><ul><li>DER - specialized form of BER that is used in security-conscious applications </li></ul><ul><li>CER – another specialized form of BER that is meant for use with huge messages </li></ul><ul><li>PER - recent version with more efficient algorithms that result in faster and more compact encodings; used in applications that are bandwidth or CPU starved, such as air traffic control and audio-visual telecommunications </li></ul>
  24. 24. TLV Encoding <ul><li>Idea: transmitted data is self-identifying </li></ul><ul><ul><li>T : data type, one of ASN.1-defined types </li></ul></ul><ul><ul><li>L : length of data in bytes </li></ul></ul><ul><ul><li>V : value of data, encoded according to ASN.1 standard </li></ul></ul>1 2 3 4 5 6 9 Boolean Integer Bit String Octet string Null Object Identifier Real Tag Value Type
  25. 25. TLV encoding: example V alue, 5 octets (chars) L ength, 5 bytes T ype=4, octet string V alue, 259 L ength, 2 bytes T ype=2, integer
  26. 26. TLV encoding - another example: A Personnel Record: Name: John P Smith Date of Birth: 17 July 1959 (other data) The ASN.1 description of a personnel record (the standard) might be: PersonnelRecord ::= [APPLICATION 0] IMPLICIT SET { Name, title [0] VisibleString, dateOfBirth [1] Date, (other types defined) } Name ::= [APPLICATION 1] IMPLICIT SEQUENCE { givenName VisibleString, initial VisibleString, familyName VisibleString } The application maps the personnel data into the personnel record structure (ASN.1 data format), and then applies the Basic Encoding Rules (BER) to the ASN.1 data : Personnel Record Length Contents 60 8185 Name Length Contents 61 10 VisibleString Length Contents 1A 04 &quot;John&quot; VisibleString Length Contents 1A 01 &quot;P&quot; VisibleString Length Contents 1A 05 &quot;Smith&quot; DateofBirth Length Contents A0 0A Date Length Contents 43 08 &quot;19590717&quot; Finally, what gets transmitted (sent as application data to the layer below in the protocol stack)would be: 60 81 85 61 10 1A 04 ……………
  27. 27. Firewalls <ul><li>Two firewall types: </li></ul><ul><ul><li>packet filter </li></ul></ul><ul><ul><li>application gateway </li></ul></ul><ul><li>To prevent denial of service attacks: </li></ul><ul><ul><li>SYN flooding: attacker establishes many bogus TCP connections. Attacked host allocates TCP buffers for bogus connections, none left for “real” connections . </li></ul></ul><ul><li>To prevent illegal modification of internal data. </li></ul><ul><ul><li>e.g., attacker replaces CIA’s homepage with something else </li></ul></ul><ul><li>To prevent intruders from obtaining secret info. </li></ul>isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others. firewall
  28. 28. Packet Filtering <ul><li>Internal network is typically connected to Internet through a router. </li></ul><ul><li>Router manufacturer provides options for filtering packets, based on (for example): </li></ul><ul><ul><li>source IP address </li></ul></ul><ul><ul><li>destination IP address </li></ul></ul><ul><ul><li>TCP/UDP source and destination port numbers </li></ul></ul><ul><ul><li>ICMP message type </li></ul></ul><ul><ul><li>TCP SYN and ACK bits </li></ul></ul><ul><li>Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or destination port = 23. </li></ul><ul><ul><li>All incoming and outgoing UDP flows and telnet connections are blocked. </li></ul></ul><ul><li>Example 2: Block inbound TCP segments with ACK bit=0. </li></ul><ul><ul><li>Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside. </li></ul></ul>
  29. 29. Application gateways <ul><li>Filters packets on application data as well as on IP/TCP/UDP fields. </li></ul><ul><li>Example: allow select internal users to telnet outside. </li></ul>1. Require all telnet users to telnet through gateway. 2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections 3. Router filter blocks all telnet connections not originating from gateway. host-to-gateway telnet session gateway-to-remote host telnet session application gateway router and filter
  30. 30. Limitations of firewalls and gateways <ul><li>IP spoofing: router can’t know if data “really” comes from claimed source </li></ul><ul><li>If multiple app’s. need special treatment, each has own app. gateway. </li></ul><ul><li>Client software must know how to contact gateway. </li></ul><ul><ul><li>e.g., must set IP address of proxy in Web browser </li></ul></ul><ul><li>Filters often use all or nothing policy for UDP. </li></ul><ul><li>Tradeoff: degree of communication with outside world, level of security </li></ul><ul><li>Many highly protected sites still suffer from attacks. </li></ul>

×