Simple Network Management Protocol (SNMP)

Post on 23-Jan-2016


Page 1: Simple Network Management Protocol (SNMP)

1

POSTECH DP&NM Lab

Simple Network Management Protocol (SNMP)

J. Won-Ki Hong

Dept. of Computer Science and Engineering

POSTECH

Tel: 054-279-2244

Email: [email protected]

Page 2: Simple Network Management Protocol (SNMP)


Table of Contents

• SNMP Operations

• Protocol Specification

• Transport-Level Support

• Limitations of SNMPv1

Page 3: Simple Network Management Protocol (SNMP)


SNMP Operations

• Operations supported in SNMP are the inspection and modification of variables
• GET operation – retrieves management information (values of scalar objects)
• SET operation – updates management information (values of scalar objects)
• TRAP operation – sends unsolicited scalar object values to notify problems

Page 4: Simple Network Management Protocol (SNMP)


SNMP Operations (cont’d)

• Not possible to change the structure of a MIB
  – cannot add or delete object instances
• No explicit action is supported
• Access is provided only to leaf objects in the MIB tree
  – not possible to access an entire table or a row of a table with a single atomic action
• These simplify the implementation of SNMP but limit the capability of the NMS

Page 5: Simple Network Management Protocol (SNMP)


SNMP Security Concepts

• Authentication service
  – agent may wish to limit access to the MIB to authorized managers
• Access policy
  – agent may wish to give different access privileges to different managers
• Proxy service
  – agent may act as a proxy to other managed devices
  – this may require authentication service and access policy for other managed devices on the proxy
• SNMP provides only a primitive and limited security capability via the concept of community

Page 6: Simple Network Management Protocol (SNMP)


SNMP Community

• is a relationship between an agent and a set of managers that defines authentication, access control & proxy characteristics
• a community is locally defined by the agent
  – each community is given a unique community name
  – an agent may establish a number of communities
  – the community name is needed for all get and set operations
  – the same community name may be used by different agents
• SNMP authentication service
  – every SNMP message from a manager includes a community name (used as a password) --- very primitive
  – most agents only allow GET operations

Page 7: Simple Network Management Protocol (SNMP)


SNMP Community (cont’d)

• SNMP Access Policy
  – an agent can provide different categories of MIB access using the following concepts: SNMP MIB View & Access Mode
• SNMP MIB View
  – a subset of objects within a MIB
  – different MIB views may be defined for each community
  – the set of objects in a view need not belong to a single subtree
• SNMP Access Mode
  – an access mode {READ-ONLY, READ-WRITE} is defined for each community
  – the access mode is applied uniformly to all objects in the MIB view
• SNMP Community Profile
  – a combination of a MIB view and an access mode

Page 8: Simple Network Management Protocol (SNMP)


MIB ACCESS Category vs. SNMP Access Mode

MIB ACCESS category | SNMP access mode READ-ONLY | SNMP access mode READ-WRITE
read-only | Available for get and trap operations | Available for get and trap operations
read-write | Available for get and trap operations | Available for get, set, and trap operations
write-only | Available for get and trap operations, but the value is implementation-specific | Available for get, set, and trap operations, but the value is implementation-specific for get and trap operations
not accessible | Unavailable | Unavailable
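As an added example (not the lecture's own code), the decision an SNMPv1 agent makes once a message's community name has been looked up: the community profile (MIB view plus access mode) is combined with the MIB ACCESS category of the requested object, following the table above. The MIB entries, community names and the enterprise OIDs are constructed for illustration.

```python
# Added example (not from the slides): agent-side access policy check.
# Constructed MIB: instance OID -> (MIB ACCESS category, value)
MIB = {
    "1.3.6.1.2.1.1.1.0": ("read-only", "Example router"),   # sysDescr.0
    "1.3.6.1.2.1.1.5.0": ("read-write", "core-rtr-1"),      # sysName.0
    "1.3.6.1.4.1.99999.1.0": ("write-only", None),          # hypothetical enterprise object
    "1.3.6.1.4.1.99999.2.0": ("not-accessible", 42),        # hypothetical, e.g. a table index
}

# Constructed community profiles: community name -> (MIB view, access mode).
# A view is a list of subtree prefixes; its objects need not share one subtree.
PROFILES = {
    "public":  (["1.3.6.1.2.1.1"], "READ-ONLY"),
    "private": (["1.3.6.1.2.1.1", "1.3.6.1.4.1.99999"], "READ-WRITE"),
}

def in_view(oid, view):
    """True if oid equals or lies under one of the view's subtrees."""
    return any(oid == sub or oid.startswith(sub + ".") for sub in view)

def check_access(community, op, oid):
    """Decide whether a 'get' or 'set' on oid is allowed for this community.
    Returns (allowed, status); status is the SNMPv1 error-status name the
    agent would report, or 'ok'."""
    if community not in PROFILES:
        # Unknown community: the message is discarded; agents typically also
        # emit an authenticationFailure (4) trap so the NMS can see the attempt.
        return False, "authenticationFailure"
    view, mode = PROFILES[community]
    # An object outside the view is reported exactly like a missing object,
    # so a manager cannot distinguish a hidden object from a non-existent one.
    if oid not in MIB or not in_view(oid, view):
        return False, "noSuchName"
    category = MIB[oid][0]
    if category == "not-accessible":
        return False, "noSuchName"
    if op == "set":
        # A set needs both a READ-WRITE community and a writable object;
        # RFC 1157 reports a set on an object not available for set as noSuchName.
        if mode != "READ-WRITE" or category == "read-only":
            return False, "noSuchName"
        return True, "ok"
    if op == "get" and category == "write-only":
        return True, "ok (value is implementation-specific)"
    return True, "ok"
```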

Page 9: Simple Network Management Protocol (SNMP)


SNMP Administrative Concepts

[Figure: relationships among the administrative concepts. A set of SNMP managers and an SNMP agent are related by an SNMP community (identified by a community name); the community's SNMP access policy is expressed as an SNMP community profile, which combines an SNMP MIB view with an SNMP access mode.]

Page 10: Simple Network Management Protocol (SNMP)


Object Instance Identification

• SNMP defines two techniques for identifying a specific object instance
  – Serial access technique (via lexicographic ordering of objects)
  – Random access technique
• Random access technique
  – objects in MIB tables are referred to as columnar objects
  – the object identifier is not sufficient to identify the instance
  – SNMP convention
    • concatenate the scalar object identifier with the values of INDEX objects, listed in the order in which the INDEX objects are defined
    • see the example in Table 7.2 on page 169

Page 11: Simple Network Management Protocol (SNMP)


Lexicographical Ordering

• is used for accessing MIB objects serially
• given the tree structure of a MIB, the OID for a particular object may be derived by tracing a path from the root to the object
• lexicographical ordering is also referred to as:
  – preorder traversal (root, left, right) of a tree
  – depth-first search
• useful for examining MIBs whose structure is not known to NMS

Page 12: Simple Network Management Protocol (SNMP)


Lexicographical Ordering Example

[Figure: an OID tree and its lexicographic (preorder) traversal]

root
├── 1
│   ├── 1.1
│   └── 1.2
│       └── 1.2.1
└── 2
    └── 2.1
        └── 2.1.1
            ├── 2.1.1.1
            ├── 2.1.1.2
            └── 2.1.1.3

Traversal order from Start to End: 1, 1.1, 1.2, 1.2.1, 2, 2.1, 2.1.1, 2.1.1.1, 2.1.1.2, 2.1.1.3

Page 13: Simple Network Management Protocol (SNMP)


Protocol Specification: SNMP Message Formats

• SNMP manager and agent exchange requests and management information using SNMP messages
• SNMP message includes a version number (e.g., 0 for SNMPv1, 1 for SNMPv2), a community name and one of five types of protocol data units (PDUs)
• PDU Types: GetRequest, GetNextRequest, SetRequest, GetResponse, Trap

Page 14: Simple Network Management Protocol (SNMP)


SNMP Message Formats

(a) SNMP message:
    version | community | SNMP PDU
(b) GetRequest PDU, GetNextRequest PDU, and SetRequest PDU:
    PDU type | request-id | 0 | 0 | variablebindings
(c) GetResponse PDU:
    PDU type | request-id | error-status | error-index | variablebindings
(d) Trap PDU:
    PDU type | enterprise | agent-addr | generic-trap | specific-trap | timestamp | variablebindings
(e) variablebindings:
    name1 | value1 | name2 | value2 | ... | nameN | valueN

Page 15: Simple Network Management Protocol (SNMP)


SNMP Message Fields

Field | Description
version | SNMP version (RFC 1157 is version 1.)
community | A pairing of an SNMP agent with some arbitrary set of SNMP application entities (the community name acts as a password to authenticate the SNMP message)
request-id | Used to distinguish among outstanding requests by providing each request with a unique ID.
error-status | Used to indicate that an exception occurred while processing a request; values are noError (0), tooBig (1), noSuchName (2), badValue (3), readOnly (4), genErr (5)
error-index | When error-status is nonzero, may provide additional information by indicating which variable in a list caused the exception. (A variable is an instance of a managed object.)

Page 16: Simple Network Management Protocol (SNMP)


SNMP Message Fields (cont’d)

Field | Description
variablebindings | A list of variable names and corresponding values (In some cases, such as GetRequest PDU, the values are null.)
enterprise | Type of object generating trap; based on sysObjectID
agent-addr | Address of object generating trap
generic-trap | Generic trap type; values are coldStart (0), warmStart (1), linkDown (2), linkUp (3), authenticationFailure (4), egpNeighborLoss (5), enterpriseSpecific (6).
specific-trap | Specific trap code
time-stamp | Time elapsed between the last (re)initialization of the network entity and the generation of the trap; contains the value of sysUpTime.

Page 17: Simple Network Management Protocol (SNMP)


Transmission of SNMP Message

1. The PDU is constructed using ASN.1
2. This PDU is passed to an authentication service, together with the community name and the source & destination transport addresses
   – the authentication service performs any required transformations such as encryption or the inclusion of an authentication code
3. The protocol entity then constructs a message, consisting of a version field, the community name, and the result from step 2
4. This new ASN.1 object is then encoded using BER and passed to the transport service
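As an added example (not the lecture's code, and using no SNMP library so every byte is visible), the four transmission steps carried out by hand for a GetRequest: the PDU and the outer message are built as ASN.1 values and BER-encoded, laid out exactly as figures (a), (b) and (e) of the message format slide. The community name, OID and request-id are constructed sample values; the encoders assume SNMPv1 (version 0) only.

```python
# Added example (not from the slides): build and BER-encode an SNMPv1 GetRequest.
TAG_INT, TAG_OCTSTR, TAG_NULL, TAG_OID, TAG_SEQ = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GETREQUEST = 0xA0   # context-specific, constructed, PDU type 0

def tlv(tag, body):
    """BER tag-length-value with definite length (short form below 128 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:   # long form: 0x80 | count of length octets, then the length itself
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def ber_int(value):
    """INTEGER in the shortest two's-complement form."""
    nbytes = 1
    while not -(1 << (8 * nbytes - 1)) <= value < (1 << (8 * nbytes - 1)):
        nbytes += 1
    return tlv(TAG_INT, value.to_bytes(nbytes, "big", signed=True))

def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, later arcs in
    base-128 groups with the high bit set on every group but the last."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(groups))
    return tlv(TAG_OID, bytes(out))

def snmpv1_get_request(community, oids, request_id):
    """Step 1: the PDU (figure b) with error-status and error-index both 0 and
    NULL values in the variablebindings (figure e). Step 2: SNMPv1's
    community-based authentication service applies no transformation at all.
    Step 3: the message (figure a) = version 0, community, PDU. Step 4: BER.
    The community name travels as a plaintext OCTET STRING, readable by anyone
    on the path: this is the 'trivial authentication' the slides refer to."""
    varbinds = b"".join(tlv(TAG_SEQ, ber_oid(o) + tlv(TAG_NULL, b"")) for o in oids)
    pdu = tlv(TAG_GETREQUEST, ber_int(request_id) + ber_int(0) + ber_int(0)
              + tlv(TAG_SEQ, varbinds))
    return tlv(TAG_SEQ, ber_int(0) + tlv(TAG_OCTSTR, community.encode()) + pdu)
```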

Page 18: Simple Network Management Protocol (SNMP)


Receipt of SNMP Message

1. The SNMP entity performs a basic syntax check of the message and discards it if it fails to parse
2. It verifies the version number and discards the message if there is a mismatch
3. It then passes the community name, the PDU portion of the message and the source/destination transport address to an authentication service
   – if authentication fails, the message is discarded
   – if authentication succeeds, the authentication service returns a PDU in the form of an ASN.1 object
4. If the PDU passes a basic syntax check, the appropriate SNMP access policy is selected and the PDU is processed accordingly

Page 19: Simple Network Management Protocol (SNMP)


SNMP PDU Sequences

(a) Get values:      Manager --GetRequest PDU-->     Agent;  Manager <--GetResponse PDU-- Agent
(b) Get next values: Manager --GetNextRequest PDU--> Agent;  Manager <--GetResponse PDU-- Agent
(c) Set values:      Manager --SetRequest PDU-->     Agent;  Manager <--GetResponse PDU-- Agent
(d) Send trap:       Manager <--Trap PDU--           Agent   (no response)

Page 20: Simple Network Management Protocol (SNMP)


GetRequest PDU

• is issued by an SNMP manager on behalf of NMS to retrieve information from an agent
• includes PDU type, request-id & variablebindings
• GetResponse PDU containing the same request-id is used for the reply
• operation is atomic (all values are returned or none is)
• possible error-status:
  – noSuchName: object instance cannot be found or it is an aggregate type
  – tooBig: the size of resulting values exceeds a local limitation
  – genErr: may not be able to supply a value for at least one of the objects for some other reason

Page 21: Simple Network Management Protocol (SNMP)


GetNextRequest PDU

• is also issued by an SNMP manager on behalf of NMS to retrieve information from an agent
• the PDU is the same as GetRequest PDU except:
  – In the GetRequest PDU, each variable in the variablebindings list refers to an object instance whose value is to be returned
  – In the GetNextRequest PDU, for each variable in the variablebindings, the value of the object instance that is next in lexicographic order is returned
• allows NMS to discover the structure of a MIB view dynamically
• provides an efficient mechanism for searching a table whose entries are unknown
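As an added example (not from the lecture), the serial-access technique of the Object Instance Identification and Lexicographical Ordering slides driven by the GetNextRequest semantics described here. The MIB is constructed to follow the tree on the Lexicographical Ordering Example slide, with 2.1.1.1 to 2.1.1.3 treated as columns of a table indexed by a row number, and the walk discovers every instance without knowing that structure in advance.

```python
# Added example (not from the slides): lexicographic ordering, columnar
# instance naming and a GetNext walk over a constructed MIB.
# OIDs are tuples of ints; Python's tuple comparison is SNMP's lexicographic
# order (compare arc by arc, and a prefix sorts before anything extending it).

def oid(text):
    return tuple(int(arc) for arc in text.split("."))

def oid_str(name):
    return ".".join(str(arc) for arc in name)

def instance(column, *index):
    """Random access: columnar object id + INDEX values, in INDEX order."""
    return column + index

# Constructed MIB shaped like the example tree: 1.1 and 1.2.1 are scalars
# (instance .0); 2.1.1.1, 2.1.1.2, 2.1.1.3 are columns of a table whose rows
# are indexed 1 and 2 (interface name, MTU, operational status).
MIB = {
    oid("1.1.0"): "scalar a",
    oid("1.2.1.0"): "scalar b",
    instance(oid("2.1.1.1"), 1): "eth0", instance(oid("2.1.1.1"), 2): "eth1",
    instance(oid("2.1.1.2"), 1): 1500,   instance(oid("2.1.1.2"), 2): 9000,
    instance(oid("2.1.1.3"), 1): "up",   instance(oid("2.1.1.3"), 2): "down",
}

def get(mib, name):
    """GetRequest: exact instance only. A columnar (aggregate) OID has no
    value of its own, so it yields None (the agent answers noSuchName)."""
    return mib.get(name)

def get_next(mib, name):
    """GetNextRequest: the first instance strictly after `name` in
    lexicographic order; None means the end of the MIB (noSuchName)."""
    later = [o for o in mib if o > name]
    return min(later) if later else None

def walk(mib, subtree):
    """Serial access: repeat GetNext from a subtree root until the reply
    leaves the subtree or the MIB ends. This is how an NMS discovers a MIB
    view whose structure it does not know; a table comes back column by
    column, each column's rows in index order."""
    found, name = [], subtree
    while True:
        nxt = get_next(mib, name)
        if nxt is None or nxt[:len(subtree)] != subtree:
            return found
        found.append((oid_str(nxt), mib[nxt]))
        name = nxt
```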

Page 22: Simple Network Management Protocol (SNMP)


SetRequest PDU

• is issued by an SNMP manager on behalf of NMS to modify information in an agent
• the operation is also atomic
  – if any one of the values can’t be set, then the whole operation fails
• GetResponse PDU containing the same request-id is used for the reply
  – if the operation succeeds, a GetResponse PDU is returned with the same variablebindings as in the original SetRequest PDU
• possible error-status:
  – noSuchName, tooBig, genErr plus
  – badValue: PDU contains at least one pair of variable name and value that is inconsistent

Page 23: Simple Network Management Protocol (SNMP)


Trap PDU

• is issued by an SNMP agent to notify NMS of some significant event
• Trap PDU does not require a response and is not acknowledged, so it can get lost
• Generic Trap types:
  – coldStart (0): unexpected restart due to a crash or major fault
  – warmStart (1): routine restart
  – linkDown (2): a communication link is inoperational
  – linkUp (3): the link is back in operation
  – authenticationFailure (4): received authentication-failed message
  – egpNeighborLoss (5): EGP neighbor is down
  – enterpriseSpecific (6): some enterprise-specific event occurred

Page 24: Simple Network Management Protocol (SNMP)


Transport-Level Support

• SNMP requires the use of a transport service for the delivery of SNMP messages.
  – SNMP makes no assumption about whether the underlying service is reliable or unreliable, connectionless or connection-oriented
• Most SNMP implementations use UDP
• It is possible to use CLTS
• UDP
  – Unreliable, connectionless transport service in the Internet
• CLTS
  – Unreliable, connectionless transport service in the OSI architecture

Page 25: Simple Network Management Protocol (SNMP)


Issues in using UDP

• Since UDP provides unreliable transport service, SNMP messages can get lost
• What happens if a GetRequest or GetNextRequest message is lost?
• What happens if a SetRequest message is lost?
• What happens if a Trap message is lost?

Page 26: Simple Network Management Protocol (SNMP)


Limitations of SNMP

• SNMP may not be suitable for the mgmt of truly large networks because of the performance limitations of polling
• SNMP is not well suited for retrieving large volumes of data, such as an entire routing table
• SNMP traps are unacknowledged & may not be delivered
• SNMP provides only trivial authentication
• SNMP does not support explicit actions
• SNMP MIB model is limited (does not support mgmt queries based on object types or values)
• SNMP does not support manager-to-manager communications

Many of these problems are addressed in SNMPv2!