Policy-driven Management by xiaohuicaicai


                             Internet Network Management
                                    J. Won-Ki Hong
                                     DP&NM Lab.
                     Dept. of Computer Science and Engineering
                              POSTECH, Pohang Korea
                               Tel: +82-562-279-2244
                           Email: jwkhong@postech.ac.kr
                              http://dpnm.postech.ac.kr/

                                                                   POSTECH
Internet NM Tutorial                      (1)
                                                                   DP&NM Lab.
  Contents
 •   Overview of Network Management
 •   Internet Network Management Framework
 •   ASN.1 & BER
 •   CASE Diagrams
 •   SNMPv1, RMON, SNMPv2, SNMPv3
 •   Summary
 •   References




Overview of Network Management
  •   Today’s Networks
  •   Network Management Requirements
  •   Network Management Systems
  •   NMS Software Architecture
  •   Distributed Network Management
  •   Proxy Agent
  •   Standard Management Frameworks



  Today’s Networks
  [Figure: computer networks and telecom networks meeting over a shared core of transport technologies]
  Computer networks: World-Wide Web; Email, DNS, FTP; News, Telnet, IRC; RealAudio, RealVideo; MBone;
    Video Conferencing; Electronic Commerce; Internet Phone; Banking, Accounting; Distance Learning
  Core technologies: Ethernet, Fast Ethernet, Gigabit Ethernet, Token Ring, FDDI, ATM, WANs, SDH, SS#7,
    B-ISDN, IN/AIN, ISDN, PSDN, PSTN, Access Networks, PCS
  Telecom networks: Local, Long-distance, Oversea Phone service; 080, 070, collect-call; third-party IN
    service; cellular, C2, PCS, TRS; Video-on-Demand; Tele-conferencing; Video-conferencing; Internet Telephony

 NM Users’ Requirements
  • Controlling corporate strategic assets
        – effective control of network & computing resources
  • Controlling complexity
        – continued growth of devices, users, applications & protocols
  • Improving service
        – users expect better service with increased resources
  • Balancing various needs
        – must assign and control resources to balance various needs
  • Reducing downtime
        – more users and applications depend on availability
  • Controlling costs
        – effective resource utilization in order to control costs

 NM Functional Requirements
  • Fault Management
        – detection, isolation and correction of abnormal operations
  • Configuration Management
        – identify managed resources and their connectivity, discovery
  • Accounting Management
        – keep track of usage for charging
  • Performance Management
        – monitor and evaluate the behavior of managed resources
  • Security Management
        – allow only authorized access and control

  Fault Management
 • concerned with:
       – providing a reliable networking environment
        – ensuring that the system as a whole, and each essential
          component individually, is in proper working order
       – redundant components and routes can be used to increase fault
         tolerance
 • when a fault occurs, the manager should be able to:
       –   determine exactly where the fault (i.e., abnormal condition) is
       –   isolate the rest of the network from failure
       –   reconfigure or modify the network for continued operation
       –   repair or replace the failed components to restore the network

 Configuration Management
 • concerned with:
       – initializing & shutting down part or all of the network
       – maintaining, adding and updating the relationships among
         components
       – monitoring the status of components during network operation
 • the network manager should be able to:
       – startup and shutdown operations on a network
       – identify the components that comprise the network (discovery)
       – change the connectivity of the components (possibly as a result
         of network upgrade, fault recovery or security checks)
       – detect changes in the network configuration

  Accounting Management
• concerned with:
      – keeping track of the usage of network resources
      – charging the use of network resources
      – monitoring the end-user activities for possible abuse, for
        suggesting better usage to users and for network planning


• the manager should be able to:
      – specify the kinds of accounting information to be recorded at
        various nodes
      – specify the algorithms to be used in calculating the charging
      – generate accounting reports

 Performance Management
 • concerned with:
       – providing an efficient communication environment
       – monitoring and analyzing the performance of the components
       – making proper adjustments to improve network performance
 • the manager should be able to:
       – determine the capacity utilization, throughput, the average and
         worst-case response times
       – monitor and gather data on the activities of components
       – analyze the gathered data and assess performance levels
       – determine the sources of performance problems & fix them
       – use the performance stats for future network planning

  Security Management
 • concerned with:
       – providing a secure networking environment
       – preventing hacking, illegal and unauthorized access
       – managing information protection and access-control facilities
 • the manager should be able to:
       – generate, distribute and store encryption keys
       – maintain and distribute passwords and other authorization or
         access-control information
       – monitor and control access to networks
       – collect, store and examine audit records and security logs
       – enable & disable the logging facilities

 Network Management Systems
 • A network management system (NMS) is a collection
   of tools for network monitoring and control
 • based on the manager-agent paradigm
       – the manager sends mgmt requests to one or more agents
       – an agent performs requested operation and returns results
        – when agents detect faults, they report them to the manager
 • NMS typically provides a GUI through which most or
   all management tasks can be performed
 • Many commercial and freely available NMSs exist:
       – HP OpenView, IBM NetView, Sun Net Manager, etc.
       – research prototypes from CMU, MIT, UC Davis, U. of Twente
                           Management Platform
  [Figure: an Administrator Workstation collects, organizes and interprets Operational Data; it exchanges
   mgmt requests/replies with many Agents, which send event reports back and perform Observation & Control]




 Elements of a NMS
  [Figure: Network control host (manager) running NMA over NME, Appl, Comm, OS; connected over Networks to a
   Server (agent) and a Workstation (agent), each running NME, Appl, Comm, OS, and a Router (agent) running
   NME, Comm, OS]
                              NMA  = network management application
                              NME  = network management entity
                              Appl = application
                              Comm = communications software
                              OS   = operating system
 Network Management Entity (NME)
  • NME is a collection of software devoted to the network
    management tasks
   • is typically known as a “management agent”
  • Each NME performs the following tasks
        – collects statistics on network-related activities
        – stores statistics locally
        – responds to commands from the network manager, including
          commands to:
                 transmit collected stats to network manager
                 change an attribute value
                 provide status information
                 generate artificial traffic to perform a test
Network Mgmt Application (NMA)
 • NMA is a collection of software for performing network
   monitoring and control
 • is typically known as “network manager”
 • NMA provides an operator interface to allow an authorized user
   to manage the network
 • NMA responds to user commands by displaying information
   and/or issuing commands to NMEs
 • Standard protocols (e.g., SNMP, CMIP) are used to manage a
   multi-vendor network
 • there may be more than one NMA in a large network, which can
   lead to the need for a hierarchy of managers (e.g., top-level
   manager, middle-level managers, etc.)

NM Software Architecture
 • User Presentation Software
       – interfaces between user and NM software
       – a unified user interface desirable
       – includes graphical tools to display summarized NM information
 • Network Management Software
       – a set of NM applications (configuration, performance, etc.)
       – a set of application elements (alarm handling, logging, etc.)
       – NM data transport service
 • Communication and Database Support Software
       – local Management Information Base (MIB) access module
       – communications protocol stack (e.g., TCP/IP, OSI) to interact with remote
         agents and managers


 Architectural Model of NMS
  [Figure: layered model, top to bottom]
   Unified user interface
   Presentation of network management information to users
   Network management applications (one or more), each built from application elements
   Network management data transport service
   MIB access module (over the Management Information Base)  |  Communication protocol stack (over the Managed networks)
 Distributed Network Management
 • Resources to be managed are widely distributed
       – widespread use of departmental LANs
       – need for local control & optimization of distributed applications
 • Hierarchical NM architecture desirable
       – distributed NMSs are given limited access for network monitoring and
         control of departmental resources
        – top-level NMS has global access rights and the ability to manage all
          network resources
 • Benefits of Distributed NM
       – NM traffic overhead is minimized - traffic is localized
       – Dist. mgmt offers greater scalability
       – use of multiple NMSs eliminates the single point of failure


Typical Dist. Mgmt System Architecture
  [Figure: tiers, top to bottom, joined by Network layers]
   Management clients (PCs, workstations)
   Management servers, each running a Management application with its own MIB
   Element managers
   Network resources (servers, routers, hosts) with management agents
 Proxy Agents
  • Managed resources may have various mgmt interfaces
        – some with different mgmt protocols (e.g., OSI vs. SNMP)
        – some with proprietary mgmt interfaces (e.g., older systems)
        – small systems not capable of possessing NME (e.g., modems)
  • Proxy agents are used to manage these devices
        – managers use standard protocols to communicate with proxies
        – proxy agents use proprietary protocols to communicate with
          proprietary devices
        – proxy agents perform translations between managers and
          proprietary devices
        – an agent to the manager and a manager to proprietary devices
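An added example of the translation role described above (written for this page; it is not code from the tutorial or from any product): a proxy agent that offers a standard get(oid) interface toward the manager and speaks a constructed, line-oriented protocol toward a simulated legacy device that has no NME of its own. The device protocol, its register names and the enterprise OIDs under 1.3.6.1.4.1.99999 are all invented for illustration; the error-status values are the SNMPv1 ones.

```python
"""Added example, not from the tutorial: a proxy agent sitting between a standard
manager interface and a constructed 'proprietary' device protocol."""
from __future__ import annotations

# SNMPv1 error-status values the proxy reports back toward the manager
NO_ERROR, NO_SUCH_NAME, GEN_ERR = 0, 2, 5


class LegacyDevice:
    """Simulated proprietary device (constructed protocol): answers 'GET <REGISTER>'
    with '<REGISTER>=<value>' or 'ERR'. Stands in for a modem or similar small box."""
    def __init__(self, registers: dict[str, str]):
        self.registers = registers
        self.transcript: list[str] = []   # records both sides of the exchange

    def send(self, line: str) -> str:
        self.transcript.append(f">> {line}")
        cmd, _, reg = line.strip().partition(" ")
        reply = f"{reg}={self.registers[reg]}" if cmd == "GET" and reg in self.registers else "ERR"
        self.transcript.append(f"<< {reply}")
        return reply


class ProxyAgent:
    """Agent toward the manager, manager toward the device. The mapping table is the
    only route from an OID to a device command, so a manager request can never make
    the proxy emit a command that is not listed here."""
    # oid -> (device register, converter from the device's text to a management value)
    MAPPING = {
        "1.3.6.1.4.1.99999.1.1.0": ("SYSNAME", lambda s: s.encode()),   # constructed enterprise OIDs
        "1.3.6.1.4.1.99999.1.2.0": ("UPTIME_S", int),
        "1.3.6.1.4.1.99999.1.3.0": ("LINK", lambda s: {"UP": 1, "DOWN": 2}[s]),
    }

    def __init__(self, device: LegacyDevice):
        self.device = device

    def get(self, oid: str) -> tuple[int, object]:
        """Return (error-status, value) for one variable, as an agent would."""
        entry = self.MAPPING.get(oid)
        if entry is None:
            return NO_SUCH_NAME, None
        register, convert = entry
        reply = self.device.send(f"GET {register}")
        name, sep, raw = reply.partition("=")
        if not sep or name != register:
            return GEN_ERR, None          # device error or garbage: do not guess a value
        try:
            return NO_ERROR, convert(raw)
        except (ValueError, KeyError):
            return GEN_ERR, None          # unconvertible text is a device fault, not a value


def demo() -> dict[str, tuple[int, object]]:
    """Query every mapped OID plus one unmapped OID against a constructed device."""
    device = LegacyDevice({"SYSNAME": "modem-7", "UPTIME_S": "86400", "LINK": "UP"})
    proxy = ProxyAgent(device)
    oids = list(ProxyAgent.MAPPING) + ["1.3.6.1.4.1.99999.1.9.0"]   # last one is not mapped
    return {oid: proxy.get(oid) for oid in oids}


if __name__ == "__main__":
    for oid, result in demo().items():
        print(oid, result)
```

The mapping table is the whole surface of the translation: nothing the manager sends reaches the device except a register name the proxy itself chose, and anything the device returns that does not parse becomes genErr rather than a guessed value. When a real proxy fronts devices with proprietary interfaces, this is the place to review.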

 Proxy Agent Architecture
  [Figure: Management application (Client stub over Protocol stack) <- Standard operations and event reports ->
   Proxy Agent (Server stub and Client proxy stub, each over a Protocol stack) <- Proprietary operations and
   event reports -> Proprietary management interface (Server proxy stub over Protocol stack)]


Standard Mgmt Frameworks
 • Internet Network Management Framework (IETF)
       – SNMPv1, SNMPv2, SNMPv3


 • OSI Network Management Framework (ISO/ITU-T)
       – CMIP (X.700 Series)


 • Telecommunication Management Network (ITU-T)
       – TMN (M.3000 Series)


 • Distributed Management Task Force (DMTF)
       – DMI, CIM, WBEM
  Summary of NM Overview
 • Network Management Requirements
       – Users’ Requirements
       – Functional Requirements (FCAPS)
 • Network Management Systems
       – Network Management Entity (NME)
       – Network Management Application (NMA)
 •   NMS Software Architecture
 •   Distributed Network Management
 •   Proxy Agent
 •   Standard Management Frameworks
Intro to Internet Network Management
  • Background
        –   Origins of Internet
        –   Origins of Internet Network Management
        –   Evolution of SNMP
        –   SNMP Standards and RFCs


  • SNMP Basic Concepts
        – Network Management Architecture
        – SNMP Protocol Architecture
        – Proxies

   Internet Network Management
• Also referred to as SNMP-based Network Management
• Simple Network Management Protocol (SNMP) is often
  referred to as the Internet Network Management
  Framework which includes
      –   management architecture
      –   structure of management information
      –   management protocol
      –   plus related concepts...
• Most widely used in computer communication networks
• Internet Engineering Task Force (IETF) is responsible
  for SNMP standardization
   Origins of Internet
  • ARPANET (formed by US DoD, 1969) connecting
    four geographically separated computers in US
  • 23 computers in ARPANET (1971)
  • Computers in UK and Norway were connected (1973)
  • TCP/IP protocol suite as ARPANET’s standard
    protocol (late 70’s)
  • TCP/IP as NSFNET’s standard protocol (1984)
  • Continued growth throughout the 80’s, 90’s and 00’s
  • Need for the management of rapidly growing Internet!



  Origins of Internet NM
  • Internet Control Message Protocol (ICMP)
        – until late 70’s, e.g., Ping utility
  • Simple Gateway Monitoring Protocol (SGMP) - 1987
  • High-level Entity Management System (HEMS)
        – generalized version of Host Monitoring Protocol (HMP)
  • SNMP
        – enhanced version of SGMP
        – originally as an interim solution but it has found its place - very widely
          deployed
  • CMIP over TCP/IP (CMOT)
        – long-term solution
        – did not go very far

  Evolution of SNMP
   • SNMPv1
         – draft came out in 1988 and became full Internet standard in 1990
         – most workstations, bridges, routers, switches and hubs are now equipped
           with SNMP agent
         – many resource MIBs (e.g., systems & applications) have been defined
   • RMON (1995)
         – Remote Monitoring, extends the SNMPv1 MIB and functions
   • SNMPv2
         – attempted to improve the deficiencies of SNMPv1
         – several versions have appeared and became obsolete
         – some RFCs obtained full standard, others will not likely become obsolete
   • SNMPv3
         – internet drafts came out in Feb. 1998
         – currently Draft Standard (standardization still continues)
  IETF Standardization Process
   • IETF forms a working group (WG) for a specific task
         – WG generates one or more internet drafts (ID)
         – ID document can follow one of three tracks
                (1) standards track, (2) informational, (3) experimental
   •   Internet documents are published as RFCs
   •   Internet Proposed Standard
   •   Internet Draft Standard
   •   Internet Full Standard
   •   Other status:
      – Obsolete: a document that is replaced by an updated version
      – Historic: a document that is retired
   • The latest status on IETF NM RFCs can be found from
       http://wwwsnmp.cs.utwente.nl/ietf/rfc/rfcbystatus.shtml


    SNMP Protocol RFCs
   Description                            Published   RFC    Status
   SNMPv1 Protocol                        Aug. 1988   1067   Obsoleted by 1098
   SNMPv1 Protocol (republished)          Apr. 1989   1098   Obsoleted by 1157
   SNMPv1 Protocol (republished)          May 1990    1157   Full Standard
   Secure SNMP Protocol                   July 1992   1352   Historic
   SNMPv2 Protocol Operations             May 1993    1448   Obsoleted by 1905
   SNMPv2 Transport Mappings              May 1993    1449   Obsoleted by 1906
   SNMPv2 Protocol Operations (updated)   Jan. 1996   1905   Draft
   SNMPv2 Transport Mappings (updated)    Jan. 1996   1906   Draft

    SNMPv1 Standards
    Description                                                                          Published   RFC    Status
    Structure and Identification of Management Information for TCP/IP-based Internets (SMI)   May 1990    1155   Full Standard
    Simple Network Management Protocol (SNMP)                                            May 1990    1157   Full Standard
    Concise MIB Definitions                                                              Mar. 1991   1212   Full Standard
    Management Information Base for Network Management of TCP/IP-based Internet: MIB-II      Mar. 1991   1213   Full Standard

   SNMP NM Architecture
  • The manager resides in the Network Management Station (NMS) while
    the agent resides in the managed Network Node
  • The manager requests the agent to perform Set and Get operations on
    the variables in the Management Information Base (MIB)
  • By means of traps the agent occasionally notifies the manager
    about some events related to network operation
  [Figure: NMS (holding the MIB Specification and the Manager) exchanges SNMP with Agents, each with its own
   MIB, on two Networked Nodes]

  SNMP Protocol Architecture
  [Figure: protocol stacks of the SNMP entities, all joined by an Internetwork]
   NMS:            Network Admin -> Manager process -> SNMP (with Central MIB) -> UDP -> IP -> Network-dependent protocols
   Hosts (two):    Agent process -> SNMP -> UDP -> IP -> Network-dependent protocols;
                   User processes (FTP, etc) -> TCP -> IP -> Network-dependent protocols
   Router:         Agent process -> SNMP -> UDP -> IP -> Network-dependent protocols


  The Role of SNMP
  [Figure: SNMP NMS on the left and SNMP agent on the right, joined by a network or internet]
   NMS side:    Management application (manages objects) -> SNMP manager -> UDP -> IP -> Network-dependent protocols
   Agent side:  Management resources / SNMP managed objects <- SNMP agent <- UDP <- IP <- Network-dependent protocols
   A SetRequest issued by the management application is carried as SNMP messages from the SNMP manager to the
   SNMP agent, which applies it to the managed objects.


  SNMP Proxy Agent
  [Figure: Management station <-> Proxy agent <-> Proxied device]
   Management station:  Manager process -> SNMP -> UDP -> IP -> Network-dependent protocols
   Proxy agent:         Agent process -> SNMP -> UDP -> IP -> Network-dependent protocols, joined by a
                        Mapping function to the protocol architecture used by the proxied device ->
                        Network-dependent protocols
   Proxied device:      Management process -> protocol architecture used by proxied device -> Network-dependent protocols




  What will be covered next...
  •   Structure of Management Information
  •   Abstract Syntax Notation 1 (ASN.1)
  •   MIB Definitions
  •   Standard SNMP MIBs
  •   SNMP Operations
  •   Developing MIBs
  •   etc.



  ASN.1 & BER
 • Abstract Syntax Notation One (ASN.1)
       –   Overview
       –   Properties & Restrictions
       –   Type and Value Definitions
       –   ASN.1 Simple Types
       –   ASN.1 Structured Types
       –   ASN.1 Macro Definitions
 • Basic Encoding Rules (BER)
       – Overview
       – Tags, Lengths & Values
       – Encoding Examples
  Overview of ASN.1
  • a machine independent data description language
  • CCITT (X.208) and ISO (ISO 8824) standard
  • define abstract syntax of application data
  • define the structure of application and presentation
    protocol data units (PDUs)
  • define SNMP and OSI Management Information
    Base (MIB)




   ASN.1 Terminology
 • Abstract Syntax
       – describes the generic structure of data
       – allows data types and values to be defined
 • Data Type
       – a named set of values -- may be simple or structured
 • Encoding
       – sequence of octets used to represent a data value
 • Encoding Rules
       – specifies the mapping from one syntax to another
 • Transfer Syntax
       – describes how data are actually represented in terms of bit patterns
         while in transit

    Abstract & Transfer Syntaxes
   [Figure: two communicating systems. In each system: User <-> (user
    presentation mapping) <-> application component, which also reaches local
    storage (e.g., a MIB) through a local mapping. The two application
    components share an abstract syntax (e.g., ASN.1). Encoding rules map each
    application component onto its data transfer component (e.g., TCP, OSI
    session); the two data transfer components share a transfer syntax
    (e.g., BER).]
     ASN.1 Module Definition

      <modulename> DEFINITIONS ::=
      BEGIN
         EXPORTS
         IMPORTS
         AssignmentList
      END


    Lexical Conventions
 • Comments begin with two hyphens (“--”) and are terminated either
   by another pair of hyphens (“--”) or by the end-of-line character
 • Identifiers begin with a letter, and may contain letters, digits,
   and hyphens, but may not end with a hyphen or contain two
   consecutive hyphens
 • The type identifier must start with an uppercase letter
 • The value identifier must start with a lowercase letter
 • Reserved keywords are all uppercase
 • Multiple spaces and blank lines can be considered as a single
   space


   Categories of Data Types
 • Simple (Primitive)
       – atomic types, with no components
 • Structured
       – types with components
 • Tagged
       – types derived from other types
 • Other
       – CHOICE or ANY types

 Every ASN.1 data type, with the exception of CHOICE and ANY
   types, has an associated TAG
   Classes of TAG

 • UNIVERSAL
       – Built-in types, application independent types
 • APPLICATION
       – Application specific types
 • CONTEXT-SPECIFIC
       – limited to a context within an application
 • PRIVATE
       – defined by users and not covered by any standard


    ASN.1 Simple Types
   • INTEGER
         – the positive and negative whole numbers, including zero
   • OCTET STRING
         – a sequence of zero or more octets (8-bit bytes)
   • OBJECT IDENTIFIER
         – the set of values associated with information objects allocated by the
           standard
   • NULL
         – the single value NULL

   Other ASN.1 simple types include boolean, bit string, real,
     enumerated, PrintableString, etc.

    ASN.1 Structured Types
  • SET
        – a collection of one or more types
  • SET OF
        – a collection of zero or more occurrences of a given type
  • SEQUENCE
        – an ordered collection of one or more types
  • SEQUENCE OF
        – an ordered collection of zero or more occurrences of a given
          type
  • CHOICE
        – a list of alternatives

   ASN.1 Example
  Informal Description of Personnel Record
   Name:                 James W Hong
   Title:                      Associate Professor
   Employee Number:      20292
   Date of Hire:         May 26, 1995
   Name of Spouse:       In-Young B Hong
   Number of Children:   2

   Child Information
     Name:                       Suk D Hong
     Date of Birth:              29 March 1988
   Child Information
     Name:                       Myungdo M Hong
     Date of Birth:              10 August 1994
   ASN.1 Description of the Record Structure
 PersonnelRecord ::= [APPLICATION 0] IMPLICIT SET {
    Name,
    title        [0] VisibleString,
    number       EmployeeNo,
    dateOfHire   [1] Date,
    nameOfSpouse [2] Name,
    children     [3] IMPLICIT SEQUENCE OF ChildInfo DEFAULT {} }
 ChildInfo ::= SET {
    Name,
    dateOfBirth [0] Date }
 Name ::= [APPLICATION 1] IMPLICIT SEQUENCE {
    givenName  VisibleString,
    initial    VisibleString,
    familyName VisibleString }
 EmployeeNo ::= [APPLICATION 2] IMPLICIT INTEGER
 Date ::= [APPLICATION 3] IMPLICIT VisibleString

       ASN.1 Description of a Record Value
 { {givenName "James", initial "W", familyName "Hong"},
   title        "Associate Professor",
   number       20292,
   dateOfHire   "19950526",
   nameOfSpouse {givenName "In-Young", initial "B", familyName "Hong"},
   children
     { { {givenName "Suk", initial "D", familyName "Hong"},
         dateOfBirth "19880329" },
       { {givenName "Myungdo", initial "M", familyName "Hong"},
         dateOfBirth "19940810" } } }


   ASN.1 Macro Definitions
 • ASN.1 macro notation can be used to extend the
   syntax of ASN.1 to define new types and values
 • a macro definition is expressed in the macro notation
   and used to define a set of macro instances
 • a macro instance is generated from a macro definition
   by substituting values for variables
 • the macro is used to extend the ASN.1 syntax but does
   not extend the encoding



    Macro Definition Format
    <macroname> MACRO ::=
    BEGIN
      TYPE NOTATION ::= <new-type-syntax>
      VALUE NOTATION ::= <new-value-syntax>
      <supporting-productions>
    END




   Macro Definition Example
    OBJECT-TYPE MACRO ::=
    BEGIN
      TYPE NOTATION ::= "SYNTAX" type (TYPE ObjectSyntax)
                        "ACCESS" Access
                        "STATUS" Status
      VALUE NOTATION ::= value (VALUE ObjectName)
      Access ::= "read-only" | "read-write" | "write-only" | "not-accessible"
      Status ::= "mandatory" | "optional" | "obsolete"
    END


   Overview of BER
 • an encoding specification
 • CCITT (X.209) and ISO (ISO 8825) standard
 • describes a method for encoding values of each
   ASN.1 type as a string of octets
 • based on the use of a type-length-value (TLV)
   structure

                  +--------+--------+--------+
                  |  Type  | Length |  Value |
                  +--------+--------+--------+
               Fields of a BER encoded ASN.1 value
     BER Type Field
   [Figure: identifier octet, bit 8 (most significant) down to bit 1 (least
    significant): bits 8-7 = Class, bit 6 = Constructed, bits 5-1 = Tag number]

          CLASS              Bit 8   Bit 7   Description
          Universal            0       0     Built-in types
          Application          0       1     SNMP defined types
          Context-Specific     1       0     Used in context
          Private              1       1     Not used in the SNMP protocol


   Tag Values for SNMP Types
   Type                  ASN.1 Tag        Tag Number   Tag Value
   INTEGER/Integer32     UNIVERSAL 2      0x02         0x02
   OCTET STRING          UNIVERSAL 4      0x04         0x04
   NULL                  UNIVERSAL 5      0x05         0x05
   OBJECT IDENTIFIER     UNIVERSAL 6      0x06         0x06
   SEQUENCE              UNIVERSAL 16     0x10         0x30
   IpAddress             APPLICATION 0    0x00         0x40
   Counter/Counter32     APPLICATION 1    0x01         0x41
   Gauge/Gauge32         APPLICATION 2    0x02         0x42
   TimeTicks             APPLICATION 3    0x03         0x43
   Opaque                APPLICATION 4    0x04         0x44
   Counter64             APPLICATION 6    0x06         0x46


      BER Length Field
 • two forms of length field exist:
       – short form: specified in a single octet; bit 8 is the short/long
         form indicator (0), bits 7-1 carry the length value

             0 1 1 0 0 1 1 0   = 102

       – long form: specified in multiple octets; bit 8 of the first octet is
         the short/long form indicator (1), bits 7-1 of that octet give the
         length of the length (number of octets that follow), and the
         following octets carry the length value

             1 0 0 0 0 0 1 1   0 1 1 1 0 0 1 1   0 1 0 1 1 0 0 1   1 0 1 1 0 1 0 1   = 7559605
    BER Examples - Integers
      0 0 0 0 0 0 1 0     0 0 0 0 0 0 0 1
      Tag Universal 2     Length 1
      0 0 0 0 0 0 0 0     What value was encoded?
      Value 0

      0 0 0 0 0 0 1 0     0 0 0 0 0 0 1 0
      Tag Universal 2     Length 2
      1 0 0 1 0 1 1 0     1 0 1 1 0 1 0 1
      Value (1 of 2)      Value (2 of 2)
                          What value was encoded?
   BER Example - Octet String
      0 0 0 0 0 1 0 0     0 0 0 0 0 1 0 0
      Tag Universal 4     Length 4
      1 1 1 0 1 0 1 1     0 0 0 0 0 1 1 0
      1st octet           2nd octet
      1 0 0 1 1 0 0 1     0 0 1 1 0 1 1 1
      3rd octet           4th octet
                          Overall Length = 6

      Value of Octet String encoded is 'EB069937'


      BER Example - SEQUENCE
      Message ::= SEQUENCE {
          version   INTEGER { version-1(0) },
          community OCTET STRING
      }

      Given the above definition,
      what is the BER encoding of
      sampleMessage ::= { 0, 'EB069937'H } ?


   ... and its BER encoding is
      0 0 1 1 0 0 0 0              0 0 0 0 1 0 0 1
      Tag universal 16             Length 9
      0 0 0 0 0 0 1 0              0 0 0 0 0 0 0 1
      Value (1 of 9) integer       Value (2 of 9) integer
      0 0 0 0 0 0 0 0              0 0 0 0 0 1 0 0
      Value (3 of 9) integer       Value (4 of 9) OCTET STRING
      0 0 0 0 0 1 0 0              1 1 1 0 1 0 1 1
      Value (5 of 9) OCTET STRING  Value (6 of 9) OCTET STRING
      0 0 0 0 0 1 1 0              1 0 0 1 1 0 0 1
      Value (7 of 9) OCTET STRING  Value (8 of 9) OCTET STRING
      0 0 1 1 0 1 1 1
      Value (9 of 9) OCTET STRING
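The TLV encoding walked through on the last few slides (identifier octet, short and long form lengths, INTEGER, OCTET STRING and SEQUENCE), as an added Python example that is not part of the tutorial; the function names are this example's own, and the decoder rejects the malformed length fields that the slides do not discuss.

```python
"""Added example (not part of the tutorial): a minimal BER encoder/decoder for the
SNMP subset shown on the slides: identifier octet, short/long-form length,
INTEGER, OCTET STRING and SEQUENCE."""
from __future__ import annotations

# Tag classes: bits 8 and 7 of the identifier octet (see the BER Type Field table).
UNIVERSAL, APPLICATION, CONTEXT_SPECIFIC, PRIVATE = 0, 1, 2, 3


def tag_octet(cls: int, constructed: bool, number: int) -> int:
    """Identifier octet: bits 8-7 class, bit 6 constructed flag, bits 5-1 tag number."""
    if not 0 <= number < 31:
        raise ValueError("only the single-octet tag form (numbers 0..30) is handled")
    return (cls << 6) | (int(constructed) << 5) | number


def encode_length(n: int) -> bytes:
    """Short form (bit 8 = 0) for n < 128; otherwise long form: 0x80 | length-of-length
    followed by the length value as a minimal big-endian octet string."""
    if n < 0:
        raise ValueError("negative length")
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + encode_length(len(value)) + value


def encode_integer(v: int) -> bytes:
    """INTEGER (tag 0x02): two's complement in the minimal number of octets."""
    magnitude = v if v >= 0 else ~v            # bits needed below the sign bit
    n = magnitude.bit_length() // 8 + 1
    return encode_tlv(0x02, v.to_bytes(n, "big", signed=True))


def encode_octet_string(b: bytes) -> bytes:
    """OCTET STRING (tag 0x04): the octets are carried verbatim."""
    return encode_tlv(0x04, b)


def encode_sequence(*items: bytes) -> bytes:
    """SEQUENCE: constructed UNIVERSAL 16, so the identifier octet is 0x30."""
    return encode_tlv(tag_octet(UNIVERSAL, True, 16), b"".join(items))


def decode_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Return (length, index just after the length field). Indefinite, oversized and
    non-minimal long-form lengths are rejected; accepting them is a classic parser bug."""
    if pos >= len(buf):
        raise ValueError("missing length field")
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    k = first & 0x7F
    if k == 0 or k > 4:
        raise ValueError("indefinite or oversized length")
    body = buf[pos + 1 : pos + 1 + k]
    if len(body) != k:
        raise ValueError("truncated length field")
    n = int.from_bytes(body, "big")
    if n < 128 or body[0] == 0:
        raise ValueError("non-minimal length encoding")
    return n, pos + 1 + k


def decode(buf: bytes, pos: int = 0) -> tuple[int, object, int]:
    """Decode one TLV at buf[pos:]; returns (tag, value, index after the TLV).
    A SEQUENCE decodes to a list of (tag, value) pairs, recursively."""
    if pos >= len(buf):
        raise ValueError("unexpected end of data")
    tag = buf[pos]
    length, start = decode_length(buf, pos + 1)
    end = start + length
    if end > len(buf):
        raise ValueError("length field exceeds the available data")
    content = buf[start:end]
    if tag == 0x02:
        if not content:
            raise ValueError("INTEGER needs at least one content octet")
        value: object = int.from_bytes(content, "big", signed=True)
    elif tag == 0x04:
        value = content
    elif tag == 0x30:
        items, p = [], 0
        while p < len(content):
            t, v, p = decode(content, p)
            items.append((t, v))
        value = items
    else:
        raise ValueError(f"unsupported tag 0x{tag:02x}")
    return tag, value, end


def sample_message() -> bytes:
    """sampleMessage ::= { 0, 'EB069937'H } from the slide, as a BER-encoded Message."""
    return encode_sequence(encode_integer(0), encode_octet_string(bytes.fromhex("EB069937")))
```

Running `decode(sample_message())` reproduces the nine content octets of the slide above, and the two-octet integer from the earlier slide decodes as the negative two's complement value it represents.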

     Summary
 • We have covered a subset of ASN.1 and BER which are
   used in SNMP and OSI Management Frameworks
 • ASN.1 is widely used in defining application data and
   protocol data units
 • BER is widely used in defining transfer syntaxes
 • Reference:
       – Stallings, SNMP, SNMPv2, SNMPv3 and RMON 1 and 2, 3rd
         Edition, Addison-Wesley, Appendix B




  SNMP Management Information
  • Structure of Management Information
     – Overview
     – Meanings of MIB
     – SNMP MIB Structure
     – MIB Object Syntax
     – Defining MIB Objects
     – Defining MIB Tables



     Overview of SNMP SMI
 • Structure of Management Information (SMI)
       – RFC 1155 (Full Standard)
       – defines the general framework for defining SNMP MIBs
       – describes how the managed objects (MOs) can be defined
         in the MIB, data types and values MOs can have and how
         MOs are named
 • SNMP SMI uses a subset of ASN.1 & BER
 • SNMP MIB can store only simple data types
       – scalars
       – 2-dimensional arrays of scalars



    Meanings of MIB
  • a MIB - a single MO definition
  • the MIB - the union of all MO definitions
  • MIB - the actual values of management
    information in a system
   [Figure: the three meanings of "MIB". (1) a MIB document: a document
    containing definitions of management information; (2) a MIB module: a
    module written in a computer parsable form containing definitions;
    (3) the MIB, a system's MIB: the management information held by a
    managed system.]

    MIB Structure
 • all MOs are structured hierarchically
 • Leaf objects in the tree are real MOs
 • Each MO has an OBJECT IDENTIFIER (OID)
                                    root
              +---------------------+---------------------+
           ccitt(0)               iso(1)          joint-iso-ccitt(2)
                                    |
                                  org(3)
                                    |
                                  dod(6)
                                    |
                               internet(1)
            +---------------+---------------+---------------+
         mgmt(2)     experimental(3)     private(4)      snmpv2(6)
            |                                |
         mib-2(1)                      enterprises(1)
  Object Identifier (OID)
  • uniquely identifies an MO in the MIB
      internet OBJECT IDENTIFIER ::= { iso(1) org(3) dod(6) 1 }
   • can be written as { 1 3 6 1 } or 1.3.6.1
   • OID for tcpConnTable is 1.3.6.1.2.1.6.13
       iso  org  dod  internet  mgmt  mib-2  tcp  tcpConnTable
        1    3    6      1        2     1     6       13
  • What is the OID for the object ifInOctets? (Hint: see
     MIB-II interfaces group)
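How an OID such as 1.3.6.1.2.1.6.13 is carried on the wire and walked back to the names in the tree above, as an added Python example that is not part of the tutorial. The BER subidentifier rules (first two arcs merged as 40*a+b, base-128 octets with a continuation bit) are those of X.209; the name table is constructed from the slides, and the helper names are this example's own.

```python
"""Added example (not part of the tutorial): BER encoding of OBJECT IDENTIFIER
values and name resolution against the MIB tree shown on the slides."""
from __future__ import annotations

# Constructed from the MIB Structure / OID slides (RFC 1155 / RFC 1213 arc names).
MIB_TREE = {
    "1": "iso", "1.3": "org", "1.3.6": "dod", "1.3.6.1": "internet",
    "1.3.6.1.2": "mgmt", "1.3.6.1.2.1": "mib-2",
    "1.3.6.1.2.1.6": "tcp", "1.3.6.1.2.1.6.13": "tcpConnTable",
}


def encode_oid_content(oid: str) -> bytes:
    """Content octets of an OBJECT IDENTIFIER (X.209): the first two arcs are
    merged into 40*a+b, then every subidentifier is written base 128 with the
    high bit set on all octets but the last."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39) or min(arcs) < 0:
        raise ValueError("invalid OID prefix or negative arc")
    out = bytearray()
    for sub in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [sub & 0x7F]              # last octet: continuation bit clear
        sub >>= 7
        while sub:
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid_content(content: bytes) -> str:
    """Inverse of encode_oid_content; rejects a dangling continuation bit and
    subidentifiers above the 32-bit limit SNMP imposes on OID components."""
    if not content or content[-1] & 0x80:
        raise ValueError("truncated subidentifier")
    subids, acc = [], 0
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if acc > 0xFFFFFFFF:
            raise ValueError("subidentifier exceeds 32 bits")
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    first = subids[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])


def encode_oid(oid: str) -> bytes:
    """Full TLV: tag 0x06 (UNIVERSAL 6) plus a short-form length; real SNMP OIDs
    are far shorter than the 128-octet short-form limit."""
    content = encode_oid_content(oid)
    if len(content) >= 128:
        raise ValueError("long-form length not handled in this example")
    return bytes([0x06, len(content)]) + content


def oid_to_names(oid: str) -> str:
    """Walk the dotted OID from the root, naming each arc known in MIB_TREE and
    leaving unknown arcs numeric."""
    arcs = oid.split(".")
    names = [MIB_TREE.get(".".join(arcs[: i + 1]), arcs[i]) for i in range(len(arcs))]
    return ".".join(names)
```

`oid_to_names("1.3.6.1.2.1.6.13")` yields the same iso.org.dod.internet.mgmt.mib-2.tcp.tcpConnTable path as the slide, and `encode_oid` of that OID gives the 9-octet TLV 06 07 2B 06 01 02 01 06 0D.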
   Managed Object Syntax
 • ASN.1 notation is used to define MOs and the entire
   MIB structure

  • Universal Types
        –   INTEGER
        –   OCTET STRING
        –   NULL
        –   OBJECT IDENTIFIER
        –   SEQUENCE
        –   SEQUENCE OF
  • Application-wide Types
        –   NetworkAddress
        –   IpAddress
        –   Counter
        –   Gauge
        –   TimeTicks
        –   Opaque




  Defining Managed Objects
 • the macro definition used for SNMP MIBs was
   initially defined in RFC 1155 (SMI) and later expanded
   in RFC 1212 (Concise MIB Definition)
 • RFC 1155 is used for defining MOs in MIB-I
 • RFC 1212 is used for defining MOs in MIB-II which
   is implemented in most SNMP agents today
 • the OBJECT-TYPE macro definition is used to define
   MOs
       – see Figure 5.3 (Macro for Managed Objects - RFC 1212)
       – see Figure 5.4 (SMI - RFC 1155)


    Defining MO Tables
 • SNMP MIB structure is a simple 2-dimensional table
   with scalar-valued entries
 • A table typically consists of a SEQUENCE OF some
   entry
 • A table entry typically consists of a SEQUENCE that
   includes a number of scalar elements
 • See Figure 5.6 (MIB-II Specification of TCP
   Connection Table - RFC 1213)



CASE Diagrams & SNMP Standard MIB
  • Case Diagrams
  • MIB-II




    CASE Diagrams
 • a useful tool for developing MIBs
 • developed by Jeffrey Case in 1989
 • for many MIB groups, it is necessary to record the
   traffic pattern at a particular protocol layer
 • must make sure that every PDU received at a layer or
   issued from a layer is accounted for, including valid
   PDUs and PDUs with various types of errors
 • Case Diagrams can be used to describe the flow of
   packets within individual layers

   CASE Diagram Elements
 • a main path in each direction between the layer below
   and a layer above
 • a horizontal line cutting across a main path
   corresponds to a counter that counts all passing PDUs
 • an arrow leaving the main path indicates a counter
   for an error condition or flow that results in PDUs not
   continuing on the main path
 • an arrow into the main path indicates a counter for a
   point where additional PDUs are injected into the main
   path
    Case Diagram - Example
   [Figure: Case diagram between an upper layer and a lower layer. Counters on
    the inbound path: InReceives, InErrors, ReasmReqds, ReasmOKs, ReasmFails,
    ForwPDUs, InDelivers. Counters on the outbound path: OutRequests, ForwPDUs,
    FragOKs, FragCreates, OutSends. Legend: additive counters, subtractive
    counters, filter counters.]

 Case Diagram – Example Counters

   InReceives = InErrors + ReasmReqds + ForwPDUs - ReasmOKs + InDelivers

   OutSends   = OutRequests + ForwPDUs - FragOKs + FragCreates




    MIB-II
  • Internet Full Standard (RFC 1213)
  • a superset of MIB-I (RFC 1156)
  • the most important of the MIB specifications,
    covering a broad range of managed objects
  • consists of 10 groups of objects
  • all objects in MIB-II are mandatory but only
    groups applicable to managed devices need to be
    implemented
     – e.g., bridge or router need not implement the tcp
       group
     MIB-II
   [Figure: MIB-II (image-only slide)]
     MIB-II Groups
 Group        Description
 system       overall information about the system
 interfaces   information about the interfaces from the system to a network
 at           description of the address translation table for internet-to-subnet address mapping
 ip           information related to IP on this system
 icmp         information related to ICMP on this system
 tcp          information related to TCP on this system
 udp          information related to UDP on this system
 egp          information related to EGP on this system
 dot3         information about the transmission schemes and access protocols at each system interface
 snmp         information related to SNMP on this system
   MIB-II system Group
     system (mib-2 1)
       +-- sysDescr (1)
       +-- sysObjectID (2)
       +-- sysUpTime (3)
       +-- sysContact (4)
       +-- sysName (5)
       +-- sysLocation (6)
       +-- sysServices (7)

    system Group Objects
 Object       Syntax                         Access  Description
 sysDescr     DisplayString (SIZE (0..255))  RO      A description of the entity, such as hardware, operating system, etc.
 sysObjectID  OBJECT IDENTIFIER              RO      The vendor's authoritative identification of the network management subsystem contained in the entity.
 sysUpTime    TimeTicks                      RO      The time since the network management portion of the system was last reinitialized.
 sysContact   DisplayString (SIZE (0..255))  RW      The contact information of the contact person for this managed node.
 sysName      DisplayString (SIZE (0..255))  RW      An administratively assigned name for this managed node.
 sysLocation  DisplayString (SIZE (0..255))  RW      The physical location of this node.
 sysServices  INTEGER (0..127)               RO      A value that indicates the set of services this entity primarily offers.
      sysServices Meanings
          Service           Layer           Value
        Application            7             64
        Transport              4             8
        Network                3             4
        Data-link              2             2
        Physical               1             1

         Examples: repeater (physical device) = 1
                   bridge (data-link device) = 2
                   router (network device) = 2 + 4 = 6
                   W/S host = 64 + 8 = 72
                   PC = 64 + 8 + 4 = 76
                   printer = 64
 Case Diagram for MIB-II interfaces Group
   [Figure: Case diagram for the MIB-II interfaces group, between the upper
    layer and the network. Counter labels as drawn: ifInUcastPkts +
    ifInNUcastPkts (on both the inbound and the outbound main path),
    ifInDiscards, ifInUnKnownProtos, ifInErrors, ifOutErrors, ipOutDiscards.]

  MIB Compiler & Browser
  • MIB Compiler
  • MIB Browser




     What is “MIB Compiler”?
   • Allows a user to compile MIBs using a GUI
    • checks whether MIBs written in SMIv1 or SMIv2 are
      defined correctly
   • Some tools provide MIB editor as well
   • Example tools
         – MG Soft MIB Compiler
                available from http://www.mg-soft.com
         – SMIC (SNMP MIB Compiler)
                written by David Perkins
                Supported on MS-DOS, Windows95, NT, AIX, HP-UX, Linux,
                 Solaris platforms
                available from http://www.snmpinfo.com/sismic.htm
      What is “MIB Browser”?
     • Allows a user to browse MIBs using a GUI
     • Some browsers can function as an SNMP
       manager
           – send SNMP queries to SNMP agents
           – browse actual MIB in a system
     • Example tool
           – MG Soft MIB Browser
           – Supported on Windows95, NT
           – available from http://www.mg-soft.com/
  Snapshot of MG-SOFT MIB Compiler




    Snapshots of MG-SOFT MIB Browser




  Screenshot captions:
    – Remote SNMP Agent Discovery window on a given IP range, Community string
      and SNMP port number.
    – Info window monitoring (using the default OID set to monitor)
  Screenshot captions:
    – Setting value in a Remote SNMP Agent
    – Tringer-SNMP Trap Notification console.
   SNMPv1 (RFC 1157)
  •   SNMP Operations
  •   Protocol Specification
  •   Transport-Level Support
  •   Limitations of SNMPv1




   SNMP Operations
 • Operations supported in SNMP are the inspection
   and modification of variables
 • GET operation
       – retrieves management information (values of scalar objects)
 • SET operation
        – updates management information (values of scalar objects)
 • TRAP operation
       – sends unsolicited scalar object values to notify problems



   SNMP Operations (cont’d)
 • Not possible to change the structure of a MIB
       – cannot add or delete object instances
 • No explicit action is supported
 • Access is provided only to leaf objects in the
   MIB tree
       – not possible to access an entire table or a row of a
         table with a single atomic action
 • These simplify the implementation of SNMP
   but limit the capability of the NMS
   SNMP Security Concepts
 • Authentication service
       – agent may wish to limit access to the MIB to authorized managers
 • Access policy
       – agent may wish to give different access privileges to different managers
 • Proxy service
       – agent may act as a proxy to other managed devices
       – this may require authentication service and access policy for other
         managed devices on the proxy
 • SNMP provides only a primitive and limited
   security capability via the concept of community


   SNMP Community
• is a relationship between an agent and a set of
  managers that defines authentication, access control
  & proxy characteristics
• a community is locally defined by the agent
      –   each community is given a unique community name
      –   an agent may establish a number of communities
      –   the community name is needed for all get and set operations
      –   the same community name may be used by different agents
• SNMP authentication service
      – every SNMP message from a manager includes a community name (used
        as a password) --- very primitive
      – most agents only allow GET operations


  SNMP Community (cont’d)
 • SNMP Access Policy
       – an agent can provide different categories of MIB access
         using the following concepts: SNMP MIB View & Access
         Mode
       – SNMP MIB View
              a subset of objects within a MIB
              different MIB views may be defined for each community
              the set of objects in a view need not belong to a single subtree
       – SNMP Access Mode
              an access mode {READ-ONLY, READ-WRITE} is defined for each
               community
              the access mode is applied uniformly to all objects in the MIB view
       – SNMP Community Profile
              a combination of a MIB view and an access mode

   MIB ACCESS Category vs. SNMP Access Mode

    MIB ACCESS       SNMP Access Mode:                    SNMP Access Mode:
    Category         READ-ONLY                            READ-WRITE
    --------------   -----------------------------------  -------------------------------------
    read-only        Available for get and trap           Available for get and trap
                     operations                           operations
    read-write       Available for get and trap           Available for get, set, and trap
                     operations                           operations
    write-only       Available for get and trap           Available for get, set, and trap
                     operations, but the value is         operations, but the value is
                     implementation-specific              implementation-specific for get
                                                          and trap operations.
    not accessible   Unavailable                          Unavailable
   SNMP Administrative Concepts
     [Diagram: an SNMP access policy pairs an SNMP community (identified by its
      community name), which relates a set of SNMP managers to an SNMP agent,
      with an SNMP community profile, which combines an SNMP MIB view with an
      SNMP access mode]
   Object Instance Identification
 • SNMP defines two techniques for identifying a
   specific object instance
       – Serial access technique (via lexicographic ordering of objects)
       – Random access technique
 • Random access technique
       – objects in MIB tables are referred to as columnar objects
       – the object identifier is not sufficient to identify the instance
       – SNMP convention
               concatenate the columnar object identifier with the values of the INDEX
                objects, listed in the order in which the INDEX objects are defined
              see the example in Table 7.2 on page 169


    Lexicographical Ordering
   • is used for accessing MIB objects serially
   • given the tree structure of a MIB, the OID for a
     particular object may be derived by tracing a path from
     the root to the object
   • lexicographical ordering is also referred to as:
      – preorder traversal (root, left, right) of a tree
      – depth-first search
   • useful for examining MIBs whose structure is not
     known to NMS
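Random access by instance identifier and serial access by lexicographic (GetNext) order, as an added example for the two slides above; this is not code from the tutorial. The agent's MIB contents are constructed here, while the OIDs themselves are the MIB-II ones for ifTable and ipAddrTable. The test also checks the traversal order of the example tree on the next slide.

```python
"""Object-instance identification and lexicographic (GetNext) ordering.
Added example for this tutorial, not code from the slides; the agent's MIB
contents below are constructed, the OIDs are the real MIB-II ones."""
from __future__ import annotations

IF_ENTRY = "1.3.6.1.2.1.2.2.1"       # ifTable.ifEntry,         INDEX { ifIndex }
IP_AD_ENTRY = "1.3.6.1.2.1.4.20.1"   # ipAddrTable.ipAddrEntry, INDEX { ipAdEntAddr }


def arcs(oid: str) -> tuple[int, ...]:
    """Dotted OID string -> tuple of arcs. Tuples compare arc by arc, and a
    prefix sorts before anything beneath it, which is exactly the preorder
    (depth-first) traversal the slides call lexicographic ordering."""
    return tuple(int(a) for a in oid.strip(".").split("."))


def instance_oid(columnar_oid: str, *index_values: int | str) -> str:
    """Random access: columnar object identifier followed by the INDEX values
    in the order the INDEX clause lists them. An INTEGER index adds one arc,
    an IpAddress index adds its four octets."""
    out = list(arcs(columnar_oid))
    for v in index_values:
        out.extend([v] if isinstance(v, int) else arcs(v))
    return ".".join(map(str, out))


def get_next(mib: dict[str, object], oid: str) -> tuple[str, object] | None:
    """GetNextRequest: the instance strictly after `oid` in lexicographic
    order, or None when the MIB view is exhausted (noSuchName in SNMPv1)."""
    for name in sorted(mib, key=arcs):
        if arcs(name) > arcs(oid):
            return name, mib[name]
    return None


def walk(mib: dict[str, object], subtree: str) -> list[tuple[str, object]]:
    """Serial access: repeated GetNext from the subtree root until the reply
    leaves the subtree. This is how a manager reads a table whose rows it
    does not know; note the column-major order of the result."""
    prefix, out, cur = arcs(subtree), [], subtree
    while (nxt := get_next(mib, cur)) and arcs(nxt[0])[:len(prefix)] == prefix:
        out.append(nxt)
        cur = nxt[0]
    return out


# Constructed agent MIB view: one scalar, two ifEntry rows, one ipAddrEntry row
MIB: dict[str, object] = {
    "1.3.6.1.2.1.1.1.0": "constructed router",                     # sysDescr.0
    instance_oid(IF_ENTRY + ".1", 1): 1,                            # ifIndex.1
    instance_oid(IF_ENTRY + ".1", 2): 2,                            # ifIndex.2
    instance_oid(IF_ENTRY + ".2", 1): "lo0",                        # ifDescr.1
    instance_oid(IF_ENTRY + ".2", 2): "eth0",                       # ifDescr.2
    instance_oid(IF_ENTRY + ".3", 1): 24,                           # ifType.1 (softwareLoopback)
    instance_oid(IF_ENTRY + ".3", 2): 6,                            # ifType.2 (ethernetCsmacd)
    instance_oid(IP_AD_ENTRY + ".1", "10.0.0.1"): "10.0.0.1",       # ipAdEntAddr.10.0.0.1
    instance_oid(IP_AD_ENTRY + ".3", "10.0.0.1"): "255.255.255.0",  # ipAdEntNetMask.10.0.0.1
}

if __name__ == "__main__":
    print(MIB[instance_oid(IF_ENTRY + ".2", 2)])        # random access -> eth0
    for name, value in walk(MIB, IF_ENTRY):             # serial access, column-major
        print(name, value)
```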


    Lexicographical Ordering Example
      [Tree diagram: root with subtrees 1 and 2; nodes 1.1, 1.2 and 1.2.1 under 1,
       nodes 2.1, 2.1.1, 2.1.1.1, 2.1.1.2 and 2.1.1.3 under 2. The traversal runs
       from Start to End in the order
       1, 1.1, 1.2, 1.2.1, 2, 2.1, 2.1.1, 2.1.1.1, 2.1.1.2, 2.1.1.3]


    SNMP Protocol Specification
 • SNMP manager and agent exchange requests and
   management information using SNMP messages
 • SNMP message includes a version number (e.g., 0
   for SNMPv1, 1 for SNMPv2), a community name
   and one of five types of protocol data units (PDUs)
 • PDU Types: GetRequest, GetNextRequest,
   SetRequest, GetResponse, Trap




   SNMP Message Formats
   (a) SNMP message:
       version | community | SNMP PDU
   (b) GetRequest PDU, GetNextRequest PDU, and SetRequest PDU:
       PDU type | request-id | 0 | 0 | variablebindings
   (c) GetResponse PDU:
       PDU type | request-id | error-status | error-index | variablebindings
   (d) Trap PDU:
       PDU type | enterprise | agent-addr | generic-trap | specific-trap | time-stamp | variablebindings
   (e) variablebindings:
       name1 | value1 | name2 | value2 | ... | nameN | valueN
    SNMP Message Fields
    Field              Description
 version               SNMP version (RFC 1157 is version 1)
 community             A pairing of an SNMP agent with some arbitrary set of
                       SNMP application entities (the community name acts as
                       a password to authenticate the SNMP message)
 request-id            Used to distinguish among outstanding requests by providing
                       each request with a unique ID
 error-status          Used to indicate that an exception occurred while processing a
                       request; values are noError (0), tooBig (1), noSuchName (2),
                       badValue (3), readOnly (4), genErr (5)
 error-index           When error-status is nonzero, may provide additional information
                       by indicating which variable in a list caused the exception
                       (a variable is an instance of a managed object)
  SNMP Message Fields (cont’d)
      Field            Description
   variablebindings    A list of variable names and corresponding values (in
                       some cases, such as the GetRequest PDU, the values are null)
   enterprise          Type of object generating the trap; based on sysObjectID
   agent-addr          Address of the object generating the trap
   generic-trap        Generic trap type; values are coldStart (0), warmStart (1),
                       linkDown (2), linkUp (3), authenticationFailure (4),
                       egpNeighborLoss (5), enterpriseSpecific (6)
   specific-trap       Specific trap code
   time-stamp          Time elapsed between the last (re)initialization of the
                       network entity and the generation of the trap;
                       contains the value of sysUpTime
   Transmission of SNMP Message
 1. The PDU is constructed using ASN.1
 2. This PDU is passed to an authentication service together
    with the community name and the source and destination
    transport addresses
       – the authentication service performs any required transformations such as
         encryption or the inclusion of an authentication code
 3. The protocol entity then constructs a message,
    consisting of a version field, the community name,
    and the result from step 2
 4. This new ASN.1 object is then encoded using BER and
    passed to the transport service
   Receipt of SNMP Message
 1. The SNMP entity performs basic syntax-check of the
    message and discards it if it fails to parse
 2. It verifies the version number and discards it if there
    is a mismatch
 3. It then passes the community name, the PDU portion of
    the message and the source/destination transport
    address to an authentication service
       – if authentication fails, the message is discarded
       – if authentication succeeds, the authentication service returns a PDU
         in the form of an ASN.1 object
 4. If the PDU passes a basic syntax-check, the appropriate
    SNMP access policy is selected and the PDU is
    processed accordingly
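The message layout of slides (a), (b) and (e), the transmission steps and the four receipt steps, worked through as an added example (not code from the tutorial or from any SNMP library). The BER encoder and decoder are written from the rules earlier in the tutorial; the community profiles (MIB-view subtree plus access mode) passed to `receive` are constructed, and the agent's reaction to an out-of-view or unwritable object follows RFC 1157, which reports both as noSuchName.

```python
"""SNMPv1 (RFC 1157) message build and receipt: slides (a)-(e) plus the
transmission/receipt steps. Added example for this tutorial, not code from the
slides or any SNMP library; the community profiles in the tests are constructed."""
from __future__ import annotations

# Universal BER tags and the SNMPv1 context-specific PDU tags
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_NEXT_REQUEST, GET_RESPONSE, SET_REQUEST, TRAP = 0xA0, 0xA1, 0xA2, 0xA3, 0xA4
SNMPV1 = 0                                   # version field value for SNMPv1
NO_ERROR, TOO_BIG, NO_SUCH_NAME, BAD_VALUE, READ_ONLY, GEN_ERR = range(6)


def tlv(tag: int, body: bytes) -> bytes:
    """BER type-length-value: short length form below 128 bytes, long form above."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def enc_int(v: int) -> bytes:
    """INTEGER in minimal two's-complement form."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(INTEGER, v.to_bytes(n, "big", signed=True))

def enc_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    a = [int(x) for x in oid.strip(".").split(".")]
    body = bytearray([40 * a[0] + a[1]])
    for arc in a[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body += bytes(reversed(chunk))
    return tlv(OID, bytes(body))

def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Parse one TLV at pos -> (tag, body, next pos); ValueError if truncated."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + ln > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + ln], pos + ln

def dec_oid(body: bytes) -> str:
    a, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            a.append(val)
            val = 0
    return ".".join(map(str, a))

def encode_message(pdu_tag: int, community: str, request_id: int, oids: list[str]) -> bytes:
    """Slides (a), (b), (e): SEQUENCE { version, community, PDU { request-id,
    error-status 0, error-index 0, variablebindings } } with NULL values."""
    varbinds = b"".join(tlv(SEQUENCE, enc_oid(o) + tlv(NULL, b"")) for o in oids)
    pdu = tlv(pdu_tag, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(SEQUENCE, varbinds))
    return tlv(SEQUENCE, enc_int(SNMPV1) + tlv(OCTET_STRING, community.encode()) + pdu)

def receive(msg: bytes, communities: dict[str, tuple[str, str]]) -> dict:
    """Receipt steps 1-4. `communities` is the agent's locally defined set:
    community name -> (MIB-view subtree, access mode 'READ-ONLY'/'READ-WRITE')."""
    try:                                                     # 1. syntax check
        tag, body, end = read_tlv(msg, 0)
        if tag != SEQUENCE or end != len(msg):
            raise ValueError("not an SNMP message")
        _, ver, p = read_tlv(body, 0)
        _, com, p = read_tlv(body, p)
        pdu_tag, pdu, _ = read_tlv(body, p)
        _, rid, q = read_tlv(pdu, 0)
        q = read_tlv(pdu, read_tlv(pdu, q)[2])[2]            # skip error-status, error-index
        _, vbl, _ = read_tlv(pdu, q)
        oids, q = [], 0
        while q < len(vbl):
            _, vb, q = read_tlv(vbl, q)
            oids.append(dec_oid(read_tlv(vb, 0)[1]))
    except (IndexError, ValueError):
        return {"discard": "syntax"}
    if int.from_bytes(ver, "big", signed=True) != SNMPV1:    # 2. version check
        return {"discard": "version"}
    community = com.decode("latin-1")                        # 3. authentication: the
    if community not in communities:                         #    cleartext community name
        return {"discard": "authentication", "community": community}
    view, mode = communities[community]                      # 4. access policy
    status, index = NO_ERROR, 0
    for i, oid in enumerate(oids, 1):
        in_view = (oid + ".").startswith(view + ".")
        if not in_view or (pdu_tag == SET_REQUEST and mode != "READ-WRITE"):
            status, index = NO_SUCH_NAME, i                  # RFC 1157 reports both
            break                                            # cases as noSuchName
    return {"pdu_type": pdu_tag, "request_id": int.from_bytes(rid, "big", signed=True),
            "community": community, "error_status": status, "error_index": index,
            "oids": oids}
```

Decoding the community name needs nothing but the BER rules above, which is the slides' point that the community mechanism is a cleartext password rather than authentication.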
   SNMP PDU Sequences
     [Diagram of the four manager/agent exchanges:
      (a) Get values: manager sends GetRequest, agent replies with GetResponse
      (b) Get next values: manager sends GetNextRequest, agent replies with GetResponse
      (c) Set values: manager sends SetRequest, agent replies with GetResponse
      (d) Send trap: agent sends Trap to the manager, no reply]
     GetRequest PDU
 • is issued by an SNMP manager on behalf of NMS to
   retrieve information from an agent
 • includes PDU type, request-id & variablebindings
 • GetResponse PDU containing the same request-id is
   used for the reply
 • operation is atomic (all values are returned or none is)
 • possible error-status:
       – noSuchName: object instance cannot be found or it is an aggregate type
        – tooBig: the size of the resulting values exceeds a local limitation
       – genErr: may not be able to supply a value for at least one of the objects
         for some other reason

   GetNextRequest PDU
   • is also issued by an SNMP manager on behalf of
     NMS to retrieve information from an agent
   • the PDU is the same as GetRequest PDU except:
         – In the GetRequest PDU, each variable in the variablebindings list refers
           to an object instance whose value is to be returned
         – In the GetNextRequest PDU, for each variable in the
           variablebindings, the value of the object instance that is
           next in lexicographic order is returned
   • allows NMS to discover the structure of a MIB view
     dynamically
   • provides an efficient mechanism for searching a table
     whose entries are unknown

    SetRequest PDU
 • is issued by an SNMP manager on behalf of NMS to
   modify information in an agent
 • the operation is also atomic
       – if any one of the values can’t be set, then the whole operation fails
 • GetResponse PDU containing the same request-id is
   used for the reply
       – if the operation succeeds, a GetResponse PDU is returned with the same
         variablebindings as in the original SetRequest PDU
 • possible error-status:
       – noSuchName, tooBig, genErr plus
       – badValue: PDU contains at least one pair of variable name and value that
         is inconsistent
   Trap PDU
  • is issued by an SNMP agent to notify NMS of some
    significant event
  • Trap PDU does not require a response and is not
    acknowledged -- can get lost
  • Generic Trap types:
        –   coldStart (0): unexpected restart due to a crash or major fault
        –   warmStart (1): routine restart
         –   linkDown (2): a communication link is not operational
         –   linkUp (3): the link is back in operation
         –   authenticationFailure (4): received a message that failed authentication
        –   egpNeighborLoss (5): EGP neighbor is down
        –   enterpriseSpecific (6): some enterprise-specific event occurred
  Transport-Level Support
   • SNMP requires the use of a transport service for the
     delivery of SNMP messages.
         – SNMP makes no assumption about whether the underlying service is
           reliable or unreliable, connectionless or connection-oriented
   • Most SNMP implementations use UDP
   • It is possible to use CLTS
   • UDP
         – Unreliable, connectionless transport service in Internet
   • CLTS
         – Unreliable, connectionless transport service in the OSI architecture


    Issues in using UDP
 • since UDP provides unreliable transport service,
   SNMP messages can get lost
 • What happens if a GetRequest or
   GetNextRequest message is lost?
 • What happens if a SetRequest message is lost?
 • What happens if a Trap message is lost?



  Limitations of SNMPv1
  • SNMP may not be suitable for the mgmt of truly large networks
    because of the performance limitations of polling
  • SNMP is not well suited for retrieving large volumes of data,
    such as an entire routing table
  • SNMP traps are unacknowledged & may not be delivered
  • SNMP provides only trivial authentication
  • SNMP does not support explicit actions
  • SNMP MIB model is limited (does not support mgmt queries
    based on object types or values)
  • SNMP does not support manager-to-manager communications
        Many of these problems are addressed in SNMPv2!

Remote Network Monitoring (RMON)
  •   Basic Concepts
  •   RMON Goals
  •   RMON MIB Table Management
  •   RMON MIB Groups
  •   RMON2




       RMON Basic Concepts
 • Extends the SNMP functionality without changing the
   protocol
 • Allows the monitoring of remote networks
   (internetwork management)
 • MAC-layer (layer 2 in OSI) monitoring
 • Defines a Remote MONitoring (RMON) MIB that
   supplements MIB-II
       – with MIB-II, the manager can obtain information on individual devices
         only
       – with RMON MIB, the manager can obtain information on the LAN as a
         whole
 • Devices implementing the RMON MIB are called network monitors,
   analyzers or probes

      RMON RFCs
 RFC              Date         Title
 1513             Sept. 1993   Token Ring Extensions to the
                               Remote Network Monitoring MIB
 1757             Feb. 1995    Remote Network Monitoring
                               Management Information Base
                               (RMON MIB)

 2021             Jan. 1997    Remote Network Monitoring
                               Management Information Base
                               Version 2 using SMIv2 (RMON MIB2)

        RMON Goals
 • Monitoring subnetwork-wide behavior
 • Reducing the burden on agents and managers
 • Continuous off-line monitoring in the presence of
   failures (in network or manager)
 • Proactive monitoring
    – perform some of the manager functions (e.g.,
      diagnostics)
 • Problem detection and reporting
 • Provide value-added (analyzed) data
 • Support multiple managers
   Example Configuration for Remote Monitoring
     [Network diagram: a central-site Ethernet with a management console that
      has an RMON probe, connected through routers to an FDDI backbone (with a
      router with RMON probe and a local management console with RMON probe),
      to a bridged Ethernet with a PC with RMON probe, and to a Token Ring LAN
      with a PC with RMON probe]
Example of RMON with two interfaces
  [Diagram: one RMON probe with Interface 1 attached to Subnetwork X (agents a,
   b and c) and Interface 2 attached to Subnetwork Y (agents d and e)]
   Control of Remote Monitors
 • RMON MIB contains features that support extensive
   control from NMS
       – Configuration control
       – Action Invocation
 • RMON MIB is organized into a number of functional
   groups
 • Each group may contain one or more control tables
   and one or more data tables
 • Control table (typically read-write) contains
   parameters that describe the data in a data table
   (typically read-only)
   Configuration Control
 • At configuration time, NMS sets the appropriate
   control parameters to configure the remote monitor
   to collect the desired data
       – the parameters are set by adding a new row to the control table or by
         modifying an existing row
       – a control table may contain objects that specify the source of data to be
         collected, the type of data, the collection timing, etc.
 • To modify or disable a particular data collection
   function:
       – it is necessary first to invalidate the control row
       – this causes the deletion of that row and the deletion of all associated rows
         in data tables
       – NMS can create a new control row with the modified parameters
   RMON MIB Table Mgmt (1)
 • The RMON specification includes a set of textual
   conventions and procedural rules for row addition
   and deletion
 • Textual conventions
             OwnerString ::= DisplayString
             EntryStatus ::= INTEGER {
                                   valid (1),
                                   createRequest (2),
                                   underCreation (3),
                                   invalid (4)
                               }
   RMON MIB Table Mgmt (2)
• Row Addition
      – is achieved by using the SNMP SetRequest PDU
        which includes instance objects and their values
• Row Deletion
      – is achieved by setting the status object for that row
        to invalid
• Row Modification
      – is achieved by first invalidating the row and then
        adding the row with new object instance values
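The row-addition, deletion and modification rules above, together with the EntryStatus textual convention and the SetRequest atomicity described earlier, as an added example of the agent side (not code from the tutorial or from any RMON implementation). The control table and its column names are constructed; the index, parameter and owner values in the test are the ones from the example control table that follows.

```python
"""Agent-side EntryStatus row lifecycle for an RMON-style control table
(textual convention from RFC 1757: createRequest -> underCreation -> valid,
deletion via invalid), applied with SNMPv1 SetRequest atomicity. Added
example; the table and its columns are constructed, not the RMON MIB's."""
from __future__ import annotations
from enum import IntEnum

NO_ERROR, NO_SUCH_NAME, BAD_VALUE = 0, 2, 3     # SNMPv1 error-status values used here


class EntryStatus(IntEnum):
    valid = 1
    createRequest = 2
    underCreation = 3
    invalid = 4


class ControlTable:
    """Rows keyed by control index; each row is a dict of column -> value."""

    def __init__(self, columns: list[str]) -> None:
        self.columns = set(columns) | {"status"}
        self.rows: dict[int, dict] = {}

    def set_request(self, varbinds: list[tuple[int, str, object]]) -> tuple[int, int]:
        """Apply one SetRequest of (index, column, value) bindings atomically:
        every binding is checked first, and if any fails the table is untouched.
        Returns (error-status, error-index)."""
        creating = {i for i, c, v in varbinds if c == "status" and v == EntryStatus.createRequest}
        for n, (idx, col, val) in enumerate(varbinds, 1):
            err = self._check(idx, col, val, idx in creating)
            if err:
                return err, n
        # createRequest first, so parameters in the same PDU land in the new row;
        # valid/invalid last, so they act on the final parameter values
        rank = {EntryStatus.createRequest: 0}
        for idx, col, val in sorted(varbinds, key=lambda b: 1 if b[1] != "status" else rank.get(b[2], 2)):
            self._apply(idx, col, val)
        return NO_ERROR, 0

    def _check(self, idx: int, col: str, val: object, being_created: bool) -> int:
        if col not in self.columns:
            return NO_SUCH_NAME
        row = self.rows.get(idx)
        if col == "status":
            if val not in (EntryStatus.createRequest, EntryStatus.valid, EntryStatus.invalid):
                return BAD_VALUE                      # underCreation is set only by the agent
            if val == EntryStatus.createRequest:
                return BAD_VALUE if row is not None else NO_ERROR  # row already owned
            if row is None and not being_created:
                return NO_SUCH_NAME                   # nothing to validate or invalidate
        elif row is None and not being_created:
            return NO_SUCH_NAME                       # parameters need a row to live in
        elif row is not None and row["status"] == EntryStatus.valid:
            return BAD_VALUE                          # modify = invalidate, then re-add
        return NO_ERROR

    def _apply(self, idx: int, col: str, val: object) -> None:
        if col != "status":
            self.rows[idx][col] = val
        elif val == EntryStatus.createRequest:        # agent creates the row and moves
            self.rows[idx] = {"status": EntryStatus.underCreation}   # it to underCreation
        elif val == EntryStatus.valid:
            self.rows[idx]["status"] = EntryStatus.valid
        else:                                         # invalid: agent deletes the row (and,
            self.rows.pop(idx, None)                  # in RMON, its data-table rows)
```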

    Example Control & Data Tables

      rm1ControlTable
      rm1ControlIndex   rm1ControlParameter   rm1ControlOwner   rm1ControlStatus
      1                 5                     monitor           valid (1)
      2                 26                    manager alpha     valid (1)
      3                 19                    manager beta      valid (1)

      rm1DataTable
      rm1DataControlIndex   rm1DataIndex   rm1DataValue
      1                     1              46
      2                     1              96
      2                     2              85
      2                     3              77
      2                     4              27
      2                     5              92
      3                     1              86
      3                     2              26
Transitions of EntryStatus State
  [State diagram: nonExistent -> createRequest -> underCreation -> valid ->
   invalid -> nonExistent (row deleted); each transition is marked as either
   performed by the manager or performed by the agent]
      RMON MIB
        rmon (mib-2 16)
          statistics (1)
          history (2)
          alarm (3)
          host (4)
          hostTopN (5)
          matrix (6)
          filter (7)
          capture (8)
          event (9)
          tokenRing (10)
    RMON MIB Groups
 1. statistics: maintains MAC-level utilization and error stats
 2. history: records periodic statistical samples from the stats group
 3. alarm: allows NMS to set sampling interval & alarm threshold
 4. host: contains counters for traffic from hosts on the subnetwork
 5. hostTopN: contains sorted host stats that top a list based on
    some parameter in the host table
 6. matrix: shows utilization and error stats in matrix for host pairs
 7. filter: allows the monitor to observe packets that match a filter
 8. capture: specifies how data is sent to NMS
 9. event: specifies events to be generated by the RMON probe
 10. tokenRing: maintains stats & config info for token ring subnet
     RMON MIB2
 • RMON MIB monitors MAC-level subnet traffic
 • RMON MIB2 can monitor traffic of packets at
   layers 3 to 7 of the OSI Reference Model
 • Provides Network-layer Visibility
       – can distinguish between local LAN and remote LAN traffic
 • Provides Application-layer Visibility
       – can analyze traffic to and from hosts for particular applications
       – can determine which applications are putting the load on the net
 • RMON MIB2 is basically an extension of RMON
   MIB

     RMON MIB2
     rmon (mib-2 16)

        RMON 1                    RMON 2
        statistics (1)            protocolDir (11)
        history (2)               protocolDist (12)
        alarm (3)                 addressMap (13)
        host (4)                  nlHost (14)
        hostTopN (5)              nlMatrix (15)
        matrix (6)                alHost (16)
        filter (7)                alMatrix (17)
        capture (8)               usrHistory (18)
        event (9)                 probeConfig (19)
        tokenRing (10)

  RMON MIB2 Groups
 11. protocolDir: a master directory of all of the protocols that the
    probe can interpret
 12. protocolDist: aggregate stats on the amount of traffic generated
    by each protocol, per LAN segment
 13. addressMap: contains MAC and port addresses of the devices
 14. nlHost: network layer traffic stats per host
 15. nlMatrix: network layer traffic stats per pairs of hosts
 16. alHost: application layer traffic stats per host
 17. alMatrix: application layer traffic stats per pairs of hosts
 18. usrHistory: periodically samples and logs user-defined data
 19. probeConfig: defines standard configuration parameters for
    RMON probes

   Summary
 • RMON extends the SNMP functionality without
   changing the protocol
 • RMON can monitor information on a whole
   subnetwork
 • RMON is used extensively in analyzing network traffic
   for problem detection and network planning
 • RMON2 allows monitoring of traffic at layers 3 to 7
   in the OSI Model
 • RMON2 can be used to analyze network traffic more
   accurately even to the application level
  SNMPv2
  •   The Birth of SNMPv2
  •   SNMPv2 RFCs
  •   SNMPv2 Enhancements
  •   SNMPv2 Protocol Operations
  •   SNMPv2 Coexistence with SNMPv1




   The Birth of SNMPv2
 • a major problem with SNMP is the lack of security
 • secure SNMP was proposed (July 1992) to solve this
   problem in SNMP
 • Simple Management Protocol (SMP) was also
   proposed (July 1992) to extend the SNMP
   functionality
 • secure SNMP + SMP = SNMPv2 (March 1993)
 • a major security flaw was detected in this proposal and
   the security aspects were dropped and the result is
   community-based SNMPv2 (Jan. 1996)
   SNMPv2 RFCs
 • RFC 1901 (experimental)
       – Introduction to Community-based SNMPv2
 • RFC 1902 (draft)
       – Structure of Management Information for SNMPv2 (SMIv2)
 • RFC 1903 (draft)
       – Textual Conventions for SNMPv2
 • RFC 1904 (draft)
       – Conformance Statements for SNMPv2



  SNMPv2 RFCs (cont’d)
 • RFC 1905 (draft)
       – Protocol Operations for SNMPv2
 • RFC 1906 (draft)
       – Transport Mappings for SNMPv2
 • RFC 1907 (draft)
       – Management Information Base for SNMPv2
 • RFC 1908 (draft)
       – Coexistence between Version 1 and Version 2 of the
         Internet-standard Network Management Framework


   SNMPv2 Key Enhancements
   • SMIv2 (a superset of SMIv1)
         – provides more elaborate specification and documentation of managed
           objects and MIB modules
                  object type macros expanded (see Fig. 11.1, 11.2 & Table 11.2)
                  creating and deleting conceptual rows in a table (as used in RMON)
                  notification definitions
                  information modules
         – new SNMP MIB definitions are defined using SMIv2
   • Manager-to-Manager Capability
         – for managing large, distributed networks
   • Protocol Operations
         – bulk management information retrieval
         – manager-to-manager communication

   Comparison of Data Types
     Data Type            SNMPv1    SNMPv2
     INTEGER                X         X
     Unsigned32                       X
     Counter32              X         X
     Counter64                        X
     Gauge32                X         X
     TimeTicks              X         X
     OCTET STRING           X         X
     IpAddress              X         X
     OBJECT IDENTIFIER      X         X
     Opaque                 X         X


    Notification Type MACRO
      NOTIFICATION-TYPE MACRO ::= BEGIN

      TYPE NOTATION ::= ObjectsPart
                        "STATUS" Status
                        "DESCRIPTION" Text
                        ReferPart

      VALUE NOTATION ::= value (VALUE NotificationName)
      ObjectsPart ::= "OBJECTS" "{" Objects "}" | empty
      Objects ::= Object | Objects "," Object
      Object ::= value (Name ObjectName)
      Status ::= "current" | "deprecated" | "obsolete"
      ReferPart ::= "REFERENCE" Text | empty
      Text ::= """" string """"      -- """" is a literal double-quote character

      END
  Notification Type Example
 coldStart NOTIFICATION-TYPE
        STATUS current
        DESCRIPTION
           "A coldStart trap signifies that the
           SNMPv2 entity, acting in an agent role, is
           reinitializing itself and that its
           configuration may have been altered."
   ::= { snmpTraps 1 }

 -- From RFC 1907

  Module Identity MACRO
   MODULE-IDENTITY MACRO ::= BEGIN

   TYPE NOTATION ::= "LAST-UPDATED" value (Update UTCTime)
                     "ORGANIZATION" Text
                     "CONTACT-INFO" Text
                     "DESCRIPTION" Text
                     RevisionPart

   VALUE NOTATION ::= value (VALUE OBJECT IDENTIFIER)
   RevisionPart ::= Revisions | empty
   Revisions ::= Revision | Revisions Revision
   Revision ::= "REVISION" value (Update UTCTime)
                "DESCRIPTION" Text
   Text ::= """" string """"      -- """" is a literal double-quote character
   END
 Module Identity Example
   rmon MODULE-IDENTITY
     LAST-UPDATED "9605270000Z"
     ORGANIZATION "IETF RMON MIB Working Group"
     CONTACT-INFO
         "Steve Waldbusser (WG Editor)
         Postal: International Network Services
                 650 Castro Street, Suite 260
                 Mountain View, CA 94041
         Phone: +1 415 254 4251
         Email: waldbusser@ins.com"
     DESCRIPTION
         "The MIB module for managing remote monitoring
          device implementations. This MIB module augments
          the original RMON MIB as specified in RFC 1757."
     ::= { mib-2 16 }
  Object Identity MACRO
  OBJECT-IDENTITY MACRO ::= BEGIN

  TYPE NOTATION ::= "STATUS" Status
                    "DESCRIPTION" Text
                    ReferPart

  VALUE NOTATION ::= value (VALUE OBJECT IDENTIFIER)
  Status ::= "current" | "deprecated" | "obsolete"
  ReferPart ::= "REFERENCE" Text | empty
  Text ::= """" string """"      -- """" is a literal double-quote character

  END



  Object Identity Example
   snmpUDPDomain OBJECT-IDENTITY
     STATUS current
     DESCRIPTION
       "The SNMPv2 over UDP transport domain.
        The corresponding transport address
        is of type SnmpUDPAddress."
     ::= { snmpDomains 1 }

  -- from RFC 1906

    SNMPv2 MIB Access
     MIB ACCESS value         SNMPv2 access mode: READ-ONLY         SNMPv2 access mode: READ-WRITE
     read-only                Available for get and trap operations (both modes)
     read-write               Available for get and trap operations  Available for get, set and trap operations
     read-create              Available for get and trap operations  Available for get, set, trap and create operations
     accessible-for-notify    Available for trap operations (both modes)
     not-accessible           Unavailable (both modes)
    SNMPv2 Operations
   •   GetRequest - get the value for each listed object
   •   GetNextRequest - get next value for each listed object
   •   GetBulkRequest - get multiple values
   •   Response - respond to manager request
   •   SetRequest - set value for each listed object
   •   InformRequest - send unsolicited information from a
       manager to another
   • SNMPv2-Trap - send unsolicited information from an agent
       to a manager

   SNMPv2 PDU Formats
    SNMPv2 Message:
      | version (1) | community | PDU |

    (a) GetRequest-PDU, GetNextRequest-PDU, SetRequest-PDU, SNMPv2-Trap-PDU, InformRequest-PDU
      | PDU type | request-id | 0 | 0 | variable-bindings |

    (b) Response-PDU
      | PDU type | request-id | error-status | error-index | variable-bindings |

    (c) GetBulkRequest-PDU
      | PDU type | request-id | non-repeaters | max-repetitions | variable-bindings |

    (d) variable-bindings
      | name1 | value1 | name2 | value2 | ... | nameN | valueN |
      GetBulkRequest
• used to minimize the exchanges required to retrieve a
  large amount of information
• selection principle is the same as GetNextRequest
      – the next object instance in lexicographic order
• includes a list of (N + R) variable names in the variable-
  bindings list
      – the first N variables for retrieving single values
      – the next R variables for retrieving multiple values
• the non-repeaters and max-repetitions fields give the number
  of N variables and the number of values requested per R variable

  Interpretation of GetBulkRequest Fields

    name1  name2  ....  nameN  |  nameN+1  ....  nameN+R

    For the first N variables:             For the last R variables:
    provide one value each                 provide M values each
    (first lexicographic successor)        (first M lexicographic successors)

         L = number of names in the variable-bindings field
         N = MAX [ MIN (non-repeaters, L), 0 ]
         M = MAX [ max-repetitions, 0 ]
         R = L - N

  GetBulkRequest Example
   NMS (manager) --> Agent (e.g., router):
        GetBulkRequest (non-repeaters = 2, max-repetitions = 6, X, Y, TA, TB, TC)

   The manager issues a request listing five variable names; for the first two
   variables (non-repeaters = 2) a single value is requested; for the remaining
   three variables, six successive values (max-repetitions = 6) are requested.

   Agent MIB: scalars X and Y, and table a with columns TA, TB, TC.

   Agent --> NMS: the agent returns a single value for X and Y, and six rows of table a:
        Response [ X, Y, TA(1), TB(1), TC(1),
                         TA(2), TB(2), TC(2),
                         TA(3), TB(3), TC(3),
                         TA(4), TB(4), TC(4),
                         TA(5), TB(5), TC(5),
                         TA(6), TB(6), TC(6) ]
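Added worked example (not from the tutorial): a small model of an SNMPv2 agent that applies the N / M / R rules from the previous slide and the lexicographic-successor rule to the X, Y, TA, TB, TC request above. It goes beyond the slide in two ways a manager implementer must handle: a successor can run past the end of a column into the next one, and past the end of the MIB the agent returns the endOfMibView exception value (RFC 1905). The OIDs and the MIB contents are constructed.

```python
"""Hypothetical SNMPv2 agent model (not real SNMP code) used to walk through the
GetBulkRequest rules: N, M and R from the slide, lexicographic successors and the
endOfMibView exception value defined in RFC 1905."""
from typing import List, Optional, Tuple

Oid = Tuple[int, ...]                # an object identifier as a tuple of sub-identifiers
Binding = Tuple[Oid, object]         # one variable binding: (name, value)
END_OF_MIB_VIEW = "endOfMibView"     # exception value returned past the last object


def next_instance(mib: List[Binding], name: Oid) -> Optional[Binding]:
    """First instance whose OID lexicographically follows `name` (the GetNext rule)."""
    for oid, value in mib:           # `mib` is kept sorted in OID order
        if oid > name:               # tuple comparison is lexicographic, prefix first
            return oid, value
    return None


def get_bulk(mib: List[Binding], non_repeaters: int, max_repetitions: int,
             names: List[Oid]) -> List[Binding]:
    """Build the variable-bindings of the Response-PDU for a GetBulkRequest."""
    L = len(names)
    N = max(min(non_repeaters, L), 0)   # non-repeating names, clamped to [0, L]
    M = max(max_repetitions, 0)         # repetitions; a negative value acts as 0
    R = L - N                           # repeating names
    response: List[Binding] = []

    # First N names: exactly one successor each, as in GetNextRequest.
    for name in names[:N]:
        found = next_instance(mib, name)
        response.append(found if found else (name, END_OF_MIB_VIEW))

    # Last R names: up to M successors each, interleaved row by row, so the
    # response reads TA(1), TB(1), TC(1), TA(2), ... for a three-column table.
    cursors: List[Oid] = list(names[N:])
    for _ in range(M):
        row: List[Binding] = []
        for i, cur in enumerate(cursors):
            found = next_instance(mib, cur)
            if found is None:
                row.append((cur, END_OF_MIB_VIEW))   # cursor does not advance
            else:
                row.append(found)
                cursors[i] = found[0]
        response.extend(row)
        # RFC 1905 lets the agent stop once every repeater would only yield
        # endOfMibView; rows already appended are kept.
        if R and all(v == END_OF_MIB_VIEW for _, v in row):
            break
    return response


def in_column(column: Oid, binding: Binding) -> bool:
    """True if the binding still belongs to the requested column (prefix check).
    A manager must apply this check: a successor silently crosses into the next column."""
    return binding[0][:len(column)] == column


# --- constructed sample MIB reproducing the slide: scalars X, Y and table a ---
X, Y = (1, 1), (1, 2)
TA, TB, TC = (1, 3, 1, 1), (1, 3, 1, 2), (1, 3, 1, 3)


def build_mib(rows: int) -> List[Binding]:
    mib: List[Binding] = [(X + (0,), "x-value"), (Y + (0,), "y-value")]
    for col, label in ((TA, "TA"), (TB, "TB"), (TC, "TC")):
        for r in range(1, rows + 1):
            mib.append((col + (r,), f"{label}({r})"))
    return sorted(mib)


def slide_example() -> List[object]:
    """The slide's request: non-repeaters = 2, max-repetitions = 6, five names."""
    resp = get_bulk(build_mib(rows=8), 2, 6, [X, Y, TA, TB, TC])
    return [v for _, v in resp]


def short_table_example() -> List[object]:
    """Same request against a 4-row table: TA and TB run into the next column,
    TC runs off the end of the MIB and yields endOfMibView."""
    resp = get_bulk(build_mib(rows=4), 2, 6, [X, Y, TA, TB, TC])
    return [v for _, v in resp]


if __name__ == "__main__":
    for v in slide_example():
        print(v)
```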
  SNMPv2-Trap and InformRequest
 • SNMPv2-Trap
       – is sent from an agent to a manager when an unusual event
         occurs
       – no response is required
 • InformRequest
       – is sent from a manager for passing information to an
         application running in another manager
       – Response PDU is used to acknowledge the request
       – for hierarchical or distributed management where multiple
         managers are involved

  SNMPv2 PDU Sequences
   [Figure: PDU exchange sequences, five Manager <-> Agent panels and one
    Manager <-> Manager panel; the arrows are not preserved in the extracted text]
  PDU Comparisons
   SNMPv1           SNMPv2           Direction                                      Description
   GetRequest       GetRequest       Manager to agent                               Request value for each listed object
   GetNextRequest   GetNextRequest   Manager to agent                               Request next value for each listed object
   -----            GetBulkRequest   Manager to agent                               Request multiple values
   SetRequest       SetRequest       Manager to agent                               Set value for each listed object
   -----            InformRequest    Manager to manager                             Transmit unsolicited information
   GetResponse      Response         Agent to manager, or manager to manager (SNMPv2)   Response to manager request
   Trap             SNMPv2-Trap      Agent to manager                               Transmit unsolicited information
  Transport Mappings
  • RFC 1906 specifies the mapping of SNMPv2 onto the
    following transport protocols
        –   User Datagram Protocol (UDP)
        –   OSI Connectionless-Mode Network Service (CLNS)
        –   OSI Connection-Oriented Network Service (CONS)
        –   Novell Internetwork Packet Exchange (IPX)
        –   Appletalk

  • The SNMPv2 document states that UDP is the
    preferred mapping


  Coexistence by Means of Proxy Agent
   SNMPv2 manager  <-->  Proxy Agent  <-->  SNMPv1 agent

   SNMPv2 environment                      SNMPv1 environment
   SNMPv2 manager-to-agent PDUs   -->      SNMPv1 manager-to-agent PDUs
        GetRequest                              GetRequest
        GetNextRequest                          GetNextRequest
        SetRequest                              SetRequest
        GetBulkRequest                          GetNextRequest

   SNMPv2 agent-to-manager PDUs   <--      SNMPv1 agent-to-manager PDUs
        Response                                GetResponse
        SNMPv2-Trap                             Trap



  Coexistence - Bilingual Manager
   [Figure] Elements: SNMPv2 manager, SNMPv2 agent, bilingual manager (v1, v2), SNMPv1 agent.
   Bilingual manager --> SNMPv1 agent:  GetRequest, GetNextRequest, SetRequest
   SNMPv1 agent --> bilingual manager:  GetResponse, Trap




  SNMPv2 Summary
 • SNMPv2 is a natural extension of SNMPv1
 • Key enhancements in SNMPv2 are:
       – more elaborate MIB specification capability (SMIv2)
       – Manager-to-Manager communication
       – Bulk information transfer
 • SNMPv2 failed to improve on security
 • More powerful but more complex than SNMPv1
 • SNMPv3 work is currently underway, which promises
   to improve on security


  SNMPv3
  • The Birth of SNMPv3
  • SNMPv3 Security Models and Levels
  • Comparison with SNMPv1 & SNMPv2




 The Birth of SNMPv3
 • SNMPv1 & SNMPv2 both lack strong security features
 • Internet being open environment, how to provide secure
   access between manager and managed devices has been
   a big concern
    – SNMPv3 was born to solve this problem

 • Security features provided in SNMPv3
       – Authentication: determining a message is from a valid source
       – Encryption: scrambling the contents of a packet prevents it
         from being seen by an unauthorized source


 Recall Internet NM Framework
 • Basically, SNMPv3 is a natural extension of SNMPv1 &
   SNMPv2
 • Internet NM Framework consists of
       1. Manager-agent interaction model
       2. a data definition language
       3. definitions of management information (MIB)
       4. management protocol
       5. security and administration
 • SNMPv3 inherited 1, 2, 3 & 4 from SNMPv2 and added
   new set of documents for 5

SNMP Security Models & Levels (1)
• SNMPv3 provides for both security models & levels
      – Security model: an authentication strategy that is set up for a
        user and the group in which the user resides
      – Security level: the permitted level of security within a model
• Three security models available - SNMPv1, SNMPv2,
  SNMPv3
• Three security levels available - noauth, auth, priv
      – Authenticates a packet by using
         noauth: a string match of the user name
         auth: either the HMAC MD5 or SHA algorithms
         priv: either HMAC MD5 or SHA algorithms and encrypts
          the packet using the CBC-DES(DES-56) algorithm

SNMP Security Models & Levels (2)
   Model    Level          Authentication     Encryption   What Happens
   SNMPv1   noAuthNoPriv   Community string   No           Uses a community string match for authentication.
   SNMPv2   noAuthNoPriv   Community string   No           Uses a community string match for authentication.
   SNMPv3   noAuthNoPriv   Username           No           Uses a username match for authentication.
   SNMPv3   authNoPriv     MD5 or SHA         No           Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithm.
   SNMPv3   authPriv       MD5 or SHA         DES          Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithm.
                                                           Also provides DES 56-bit encryption based on the CBC-DES (DES-56) standard.

    DES: Data Encryption Standard
    MD5 & SHA-1: secure hash functions
    HMAC: keyed-hash Message Authentication Code
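Added example (not from the tutorial) of the authNoPriv path the two slides above describe: a user's password is turned into a localized key as specified in RFC 2574 appendix A.2, the message is authenticated with the first 12 bytes of HMAC-MD5 or HMAC-SHA (HMAC-96), and a receiver that recomputes the HMAC rejects a modified message or a wrong password. The message layout (one-byte lengths, no BER) and the user name, engine ID and payload are constructed stand-ins; RFC 2574's own "maplesyrup" key-derivation test vector is used to check the derivation.

```python
"""Illustrative SNMPv3 USM authentication (RFC 2574 style), written for this page.
Wire layout is a constructed placeholder, not SNMPv3 BER encoding."""
import hashlib
import hmac

MAC_LEN = 12           # HMAC-96: msgAuthenticationParameters is the first 12 HMAC bytes
STRETCH = 1024 * 1024  # RFC 2574 A.2: the password is repeated out to 1 MB before hashing


def password_to_key(password: bytes, engine_id: bytes, algo: str) -> bytes:
    """Derive the localized key Kul for an authoritative engine.
    Ku  = H(password repeated cyclically to 1,048,576 bytes)
    Kul = H(Ku || engineID || Ku)   -- ties the key to one engine"""
    if not password:
        raise ValueError("empty password")
    reps = STRETCH // len(password) + 1
    ku = hashlib.new(algo, (password * reps)[:STRETCH]).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_params(key: bytes, algo: str, message: bytes) -> bytes:
    """HMAC over the whole message with the auth-parameters field zeroed (RFC 2574 6.3.1)."""
    return hmac.new(key, message, algo).digest()[:MAC_LEN]


def wire(engine_id: bytes, user: bytes, params: bytes, payload: bytes) -> bytes:
    """Constructed message layout: len|engineID|len|user|12-byte auth params|payload."""
    return bytes([len(engine_id)]) + engine_id + bytes([len(user)]) + user + params + payload


def parse(message: bytes):
    n = message[0]
    engine_id, i = message[1:1 + n], 1 + n
    m = message[i]
    user, i = message[i + 1:i + 1 + m], i + 1 + m
    return engine_id, user, message[i:i + MAC_LEN], message[i + MAC_LEN:]


def sign_message(password: bytes, engine_id: bytes, user: bytes,
                 payload: bytes, algo: str) -> bytes:
    """Sender side: compute the HMAC over the message with zeroed params, then fill them in."""
    key = password_to_key(password, engine_id, algo)
    mac = auth_params(key, algo, wire(engine_id, user, bytes(MAC_LEN), payload))
    return wire(engine_id, user, mac, payload)


def verify_message(password: bytes, message: bytes, algo: str) -> bool:
    """Receiver side: recompute the HMAC from the locally held key and compare
    in constant time. A noAuthNoPriv (community or username only) message has
    no such check, which is the gap SNMPv3's auth level closes."""
    engine_id, user, mac, payload = parse(message)
    key = password_to_key(password, engine_id, algo)
    expected = auth_params(key, algo, wire(engine_id, user, bytes(MAC_LEN), payload))
    return hmac.compare_digest(mac, expected)


# Constructed sample values (engine ID is the one from RFC 2574's test vector).
ENGINE_ID = bytes.fromhex("000000000000000000000002")
PASSWORD = b"maplesyrup"

if __name__ == "__main__":
    msg = sign_message(PASSWORD, ENGINE_ID, b"monitor", b"GetRequest sysUpTime.0", "sha1")
    print("valid:", verify_message(PASSWORD, msg, "sha1"))
    tampered = msg[:-1] + bytes([msg[-1] ^ 0x01])
    print("tampered accepted:", verify_message(PASSWORD, tampered, "sha1"))
```

HMAC-MD5 and CBC-DES are shown because they are the options the slides list; the SHA-2 HMACs (RFC 7860) and AES privacy (RFC 3826) added later are what current deployments should select.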
  SNMPv1 vs. SNMPv3
              SNMP entities              Authentication service       Access control
   SNMPv1     - Application entities     - Community string           - SNMP MIB view
              - Protocol entities
   SNMPv3     - Applications             - Strong authentication      - Similar concept, called view-based
              - Engines                  - Privacy

 SNMPv2 vs. SNMPv3
 • RFCs 1902-1907 are incomplete in that they do not meet
   the original design goals of SNMPv2
 • The unmet goals include provision of “commercial
   grade” security
       – authentication: origin identification, message integrity, replay
         protection
       – privacy: confidentiality
       – authorization and access control
       – suitable remote configuration and administration capabilities
         for these features
 • SNMPv3 attempts to provide these

 SNMPv3 Documents
• RFC 2570 : "Introduction to version 3 of the Internet-standard Network
  Management Framework," provides an overview of SNMPv3.
• RFC 2571 : "An Architecture for Describing SNMP Management
  Frameworks," describes the overall architecture with special emphasis on the
  architecture for security and administration.
• RFC 2572 : "Message Processing and Dispatching for the Simple Network
  Management Protocol (SNMP)," describes the possibly multiple message
  processing models and the dispatcher portion that can be a part of an SNMP
  protocol engine.
• RFC 2573 : "SNMPv3 Applications," describes the five types of applications
  that can be associated with an SNMPv3 engine and their elements of procedure.
• RFC 2574 : "The User-Based Security Model for Version 3 of the Simple
  Network Management Protocol (SNMPv3)," describes the threats, mechanisms,
  protocols, and supporting data used to provide SNMP message-level security.
• RFC 2575 : "View-based Access Control Model (VACM) for the Simple
  Network Management Protocol (SNMP)," describes the VACM for use in the
  SNMP architecture.
  Overall Summary
    •   Overview of Network Management
    •   Internet Network Management Framework
    •   ASN.1 & BER
    •   CASE Diagrams
    •   SNMPv1, RMON, SNMPv2, SNMPv3
    •   Related to Internet Network Management
          – Web-based Network Management




  References (1)
  • Useful Web Sites for Internet Network Management
        –   http://wwwsnmp.cs.utwente.nl/
        –   http://dpnm.postech.ac.kr/mgmt
        –   http://www.snmp.com
        –   http://www.simple-times.org
        –   http://www.snmpinfo.com


  • SNMPv1
        – RFC 1155, “Structure and Identification of Management Information for
          TCP/IP-based Internets”
        – RFC 1157, “A Simple Network Management Protocol (SNMP)”
        – RFC 1212, “Concise MIB Definitions”
        – RFC 1213, “Management Information Base for Network Management of
          TCP/IP-based internets: MIB-II”
        – http://www.sei.cmu.edu/str/indexes/references/SNMPv1_Specs.html
  References (2)
  • SNMPv2
        – RFC 1901, “Introduction to Community-based SNMPv2”
        – RFC 1905, “Protocol Operations for Version 2 of the Simple Network
          Management Protocol (SNMPv2)”
        – RFC 1906, “Transport Mappings for Version 2 of the Simple Network
          Management Protocol (SNMPv2)”
        – RFC 1907, “Management Information Base for Version 2 of the Simple Network
          Management Protocol (SNMPv2)”
        – RFC 1908, “Coexistence between Version 1 and Version 2 of the Internet-
          standard Network Management Framework”
        – RFC 1909, “User-based Security Model for SNMPv2”
        – RFC 1910, “An Administrative Infrastructure for SNMPv2”
        – RFC 2098, “Mapping SNMPv2 onto SNMPv1 within a bi-lingual SNMP agent”
        – http://www.ietf.org/proceedings/95jul/charters/snmpv2-charter.html
        – http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/snmp.htm
        – http://www.sei.cmu.edu/str/indexes/references/SNMPv2_Specs.html


  References (3)
  • SNMPv3
        – RFC 2570, “Introduction to version 3 of the Internet-standard Network
          Management Framework”
        – RFC 2571, “An Architecture for Describing SNMP Management
          Frameworks”
        – RFC 2572, “Message Processing and Dispatching for the Simple Network
          Management Protocol (SNMP)”
        – RFC 2573, “SNMP Applications”
        – RFC 2574, “User-based Security Model (USM) for version 3 of the
          Simple Network Management Protocol (SNMPv3)”
        – RFC 2575, “View-based Access Control Model (VACM) for the Simple
          Network Management Protocol (SNMP)”
        – http://www.snmp.com/snmpv3/v3white.html
        – http://www.ibr.cs.tu-bs.de/ietf/snmpv3/
        – http://www.ietf.org/html.charters/snmpv3-charter.html

                       Q&A



