chapter6-snmp-v3_v2_v1 network management

Upload: 94aku

Post on 09-Feb-2018


7/22/2019 Chapter6-SNMP-V3_V2_V1 Network Management

  • SNMP Update

    Please see www.snmp.com/jdctutorial.ppt for slides

  • Topics

    Introduction

    Differences between SNMPv1, SNMPv2c, and SNMPv3

    Advantages of SNMPv3 over SNMPv1 and SNMPv2c

    Disadvantages of SNMPv3

  • Protocol Versions: Summary Picture

    [Figure: lineage of the protocol versions. Labels as extracted: Simple-Based Management; SNMPv1; Party-based SNMPv2; SNMPv2u; SNMPv2*; SNMPv2c; Common; SNMPv2; SNMPv3.]

    Management Information Definitions (MIB Documents), formats: RFC1155, RFC1212/1215, RFC1442-4, RFC1902-4, RFC2578-80

  • New Features of SNMPv2c

    Expanded data types: 64-bit counters

    Improved efficiency and performance: get-bulk operator

    Confirmed event notifications: inform operator

    Richer error handling: errors and exceptions

    Improved sets: especially row creation/deletion

    Transport independence: IP, AppleTalk, IPX, ...

    Etc.

  • New Features of SNMPv3

    New features inherited from SNMPv2c, plus Security and Administration

  • New Features of SNMPv3 Inherited from SNMPv2c

    The list we just saw:

    Expanded data types: 64-bit counters

    Improved efficiency and performance: get-bulk operator

    Confirmed event notifications: inform operator

    Richer error handling: errors and exceptions

    Improved sets: especially row creation/deletion

    Transport independence: IP, AppleTalk, IPX, ...

    Etc.

    Plus ...

  • Features of SNMPv3: Security and Administrative Framework

    Security: authentication, privacy

    Administration:

    Authorization and view-based access control

    Logical contexts

    Naming of entities, identities, and information

    People and policies

    Usernames and key management

    Notification destinations and proxy relationships

    Remotely configurable via SNMP operations

  • Security Threats and Mechanisms

    Threats protected against by SNMPv3:

    1. Masquerade / data origin authentication: an interloper assumes the identity of a sender to gain its privileges.

    2. Modification of information / data integrity: alteration of in-transit messages.

    3. Message stream modification: messages are re-ordered, delayed, or replayed.

    4. Disclosure / data confidentiality: privileged information is obtained via eavesdropping on messages.

  • Security Mechanisms

    SNMPv3 uses MD5 and DES as symmetric, i.e., private key mechanisms

    (MD5 = Message Digest Algorithm 5, RFC 1321)

    (DES = Data Encryption Standard)

  • SNMPv3 User-based Authentication Mechanism

    Based on: MD5 message digest algorithm in HMAC

    indirectly provides data origin authentication

    directly defends against data modification attacks

    uses private key known by both sender and receiver: 16 byte key

    128 bit digest (truncated to 96 bits)

    SHA an optional alternative algorithm

    Loosely synchronized monotonically increasing time indicator values

    defends against certain message stream modification attacks
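The slide above describes HMAC-MD5 with a 16-byte key, a digest truncated to 96 bits, SHA as an alternative, and loosely synchronized time indicators. The Python below is an added example, not code from the slides or from any SNMP library: it models the sender/receiver MAC computation over a constructed message (the header and payload are placeholder byte strings, not real BER-encoded SNMPv3 fields) and the authoritative engine's timeliness check, assuming the 150-second window that RFC 3414 specifies.

```python
import hmac
import hashlib
from dataclasses import dataclass

# RFC 3414 (USM) timeliness rule: a message is fresh only if the authoritative
# engine's boot counter matches and the time stamps differ by at most 150 s.
AUTH_WINDOW_SECONDS = 150
MAC_LEN = 12  # 96-bit truncated digest carried in msgAuthenticationParameters


def hmac_md5_96(auth_key: bytes, message: bytes) -> bytes:
    """HMAC-MD5 over the whole message, truncated to 96 bits (16-byte key)."""
    if len(auth_key) != 16:
        raise ValueError("HMAC-MD5-96 uses a 16-byte localized key")
    return hmac.new(auth_key, message, hashlib.md5).digest()[:MAC_LEN]


def hmac_sha_96(auth_key: bytes, message: bytes) -> bytes:
    """The optional SHA-1 alternative: 20-byte key, also truncated to 96 bits."""
    if len(auth_key) != 20:
        raise ValueError("HMAC-SHA-96 uses a 20-byte localized key")
    return hmac.new(auth_key, message, hashlib.sha1).digest()[:MAC_LEN]


def authenticate_outgoing(auth_key: bytes, header: bytes, payload: bytes) -> bytes:
    """Sender: compute the MAC with the 12-byte MAC field zeroed, then fill it in.
    Returns the wire image header || MAC || payload (constructed layout)."""
    mac = hmac_md5_96(auth_key, header + bytes(MAC_LEN) + payload)
    return header + mac + payload


def verify_incoming(auth_key: bytes, wire: bytes, header_len: int) -> bool:
    """Receiver: zero the MAC field, recompute, compare in constant time.
    A forged sender (wrong key) or a modified message fails here."""
    header = wire[:header_len]
    mac = wire[header_len:header_len + MAC_LEN]
    payload = wire[header_len + MAC_LEN:]
    expected = hmac_md5_96(auth_key, header + bytes(MAC_LEN) + payload)
    return hmac.compare_digest(mac, expected)


@dataclass
class EngineClock:
    boots: int  # snmpEngineBoots: incremented on every restart of the engine
    time: int   # snmpEngineTime: seconds since the last boot


def is_timely(local: EngineClock, msg_boots: int, msg_time: int) -> bool:
    """Authoritative engine's check against replayed or badly delayed messages."""
    return msg_boots == local.boots and abs(local.time - msg_time) <= AUTH_WINDOW_SECONDS
```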

  • SNMPv3 User-based Privacy Mechanism

    Based on: Symmetric encryption used

    Data Encryption Standard (DES), Cipher Block Chaining (CBC) mode

    provides privacy / protection against disclosure

    uses encryption subject to export and use restrictions in many jurisdictions

    16 byte key (8 bytes DES key, 8 byte DES initialization vector)

    Multiple levels of compliance with respect to DES due to problems associated with international use

  • Advantages of SNMPv3

    So What?

    Who Cares?

  • Good Things Operators and Administrators will like in SNMPv3

    Able to practice safe sets: Configuration / Control / Provisioning

    No longer mere monitoring

    Able to augment or replace proprietary CLI over Telnet

    Via standards-based solutions providing commercial-grade industrial strength security: Authentication and Privacy

  • Good Things Operators and Administrators will like in SNMPv3 (Contd)

    Now able to distribute management out to intelligent agents and mid-level managers

    Important for scalability

    Keep local management traffic local

    Shorter feedback loops with lower latency

  • Good Things Operators and Administrators will like in SNMPv3 (Contd)

    Better Notifications:

    Traps: Spray and pray

    The only option in SNMPv1

    Informs: Send, wait for acknowledgement

    Retry count and retry interval

    Added in SNMPv2c but with problems

    Problems fixed in SNMPv3

    Standard MIB objects to configure

    Source-side notification suppression

  • Good Things Operators and Administrators will like in SNMPv3 (Contd)

    Source Side Notification Suppression

    Too many resources spent on uninteresting notification messages, e.g., unwanted traps and informs

    Notification generation

    Notification transmission and delivery

    Notification logging

    Notification filtering

    SNMPv3 allows you to use a standard MIB and standards-based tools to turn unwanted notifications off at the source

    You will really like this

  • Good Things Operators and Administrators will like in SNMPv3 (Contd)

    Better performance: The Awesome getBulk operator works better with SNMPv3

    Less latency and lower overhead through a smaller number of larger packets

    One to three orders of magnitude faster than SNMPv1 getNext operator (typically two)

    Negotiates maximum message size correctly

    Counter64

    No need to poll as often

    New features eliminate need for gross hacks, e.g., logical contexts

  • Good Things Operators and Administrators will like in SNMPv3 (Contd)

    Better error handling:

    In a Get Request with 10 items requested and one is unavailable:

    In SNMPv1, returns an error with no partial results

    In SNMPv2/3, results in 9/10 good values and one exception

    In a Set Request, if something fails:

    In SNMPv1, results in a "No"

    In SNMPv2/3, results in a "No, because ..."

  • Disadvantages of SNMPv3

    Security is expensive: More to configure and administer

    Unlocked doors are more convenient to use

    Community strings were relatively easy to administer

    Off-the-shelf tools help

    More overhead: Message headers longer and more complex

    Cryptographic calculations can increase CPU load approximately 20-ish percent

    It will run slower; it will run much slower if software-based DES is used, especially if implemented in Java

    Some machines do not have the hardware assets, but almost all do: NO EXCUSES

  • Disadvantages of SNMPv3 (Contd)

    Export and international usage considerations

    Incomplete product support

    Some vendors claim customers (i.e., you) don't care about security

    Agents better than manager stations and applications

    SNMPv3 code often less mature and shaken out

  • Conclusion: What is SNMPv3?

    Newest version of the Internet-standard Management Framework

    What SNMPv2 should have been - builds on the good

    Compatible with the SMI and MIB you use now

    Important enabling technology for configuration and control: adds security and administration for safe sets

    Security: authentication and privacy

    Administration: logical contexts, view-based access control, remote configuration

    Available now