
Page 1: TSIN02 - Internetworking · 2007-03-19 · TSIN02 - Internetworking 8 SNMP at a glance Introduced in 1988 – To meet the need for a standard for managing IP devices. Replaced SGMP

TSIN02 - Internetworking

© 2004 Image Coding Group, Linköpings Universitet

Lecture 11: SNMP and AAA

Literature:
● Forouzan, chapter 21
● Diameter next generation's AAA protocol by Håkan Ventura, sections 2-3.3.6
● RFC2881 (optional extra material)
● RFC2905 (optional extra material)
● RFC2903 (optional extra material)

Page 2

Lecture 10: SNMP and AAA

Outline:

● SNMP

● AAA introduction

● AAA in Network Access Servers

● DIAMETER, an AAA compliant protocol

Page 3

Network management framework

● Management Information Base (MIB)
● Structure of Management Information (SMI)
● SNMP
● Security and Administration
● ASN.1

Page 4

Why network management?

Complex systems are difficult to manage: too much happens in too many places. Information has to be pooled before anyone can get an overview of it.

● All large systems need to be managed systematically
– Industrial chemical processes
– Large organizations
– Electrical power systems

Page 5

Network management

● Device Management
– Checking the state of a device
– Changing the configuration of a device
– Activating or turning off a device
– Monitoring software

● Network Management
– Properties of the network as a whole

Page 6

Examples of managing tasks
– Shutting down a network interface on a router
– Checking the speed of an Ethernet interface
– Monitoring the temperature on a switch, and sending a warning if it gets too high
– Checking the state of a web server (the software)
– Collecting statistics about link usage

Page 7

Infrastructure

Managed devices contain objects whose data is gathered into a Management Information Base.

[Figure: a managing entity talks over a network management protocol to an agent on each managed device; each agent holds that device's data.]

Page 8

SNMP at a glance

● Introduced in 1988
– To meet the need for a standard for managing IP devices
● Replaced SGMP
– Simple Gateway Management Protocol was used for managing Internet routers
● Latest version is v3

Page 9

SNMP parts

● SMI – Structure of Management Information
– The language for defining MIB objects
● MIB – Management Information Base
– Defines a set of objects, similar to a database
● SNMP
– Application-layer protocol that allows the manager to retrieve and store object values in agents, and agents to send alarm messages (traps) to the manager
● Security
– The main addition from v2 to v3

Page 10

SMI – Object Attributes

Figure from Forouzan

Page 11

SMI Naming
– A tree structure is the basis for SNMP naming
– Each tree node is described by dot-separated numbers/names

Root
  ccitt(0)
  iso(1)
    org(3)
      dod(6)
        internet(1)                       1.3.6.1
          directory(1)
          mgmt(2)
            mib-2(1)                      1.3.6.1.2.1
              sys(1) if(2) at(3) ip(4) icmp(5) tcp(6) udp(7) egp(8) trans(10) snmp(11)
              udp(7): udpInDatagrams(1) udpNoPorts(2) udpInErrors(3) udpOutDatagrams(4) udpTable(5)
          experimental(3)
          private(4)
  joint(2)

(The mib-2 group numbers follow RFC 1213: transmission is 10 and snmp is 11.)

Page 12

SMI type and syntax

● Managed agents are heterogeneous and may represent data in many different ways
● There is a need for a well-defined and machine-independent syntax
● Solution: ASN.1
● Simple datatypes are offered (signed and unsigned integers, strings, etc.)
● Structured types can be built from simple types

Page 13

Abstract Syntax Notation One (ASN.1)

● ISO standard, defines data types in a machine independent way
● Intermediate format for data type definitions on different machines

[Figure: data in machine 1, in its internal representation, goes through an encoder into the abstract, machine-independent data type description, and through a decoder into machine 2's internal representation.]

Page 14

Data Types

Figure from Forouzan

Page 15

SMI Encoding - BER

● ASN.1 is not enough for transmission, since it only makes an abstract definition of data types
● We need a standardized way of encoding data for transmission
● The solution for this is Basic Encoding Rules (BER)
● Tag-Length-Value

Page 16

Encoding Format

Figure from Forouzan

Tag octet (first byte of each TLV):

Class (2 bits)
00 – universal (ASN.1 types)
01 – application-wide (SMI extensions)
10 – context-specific (e.g. the SNMP PDU types)
11 – private (vendor specific)

Format (1 bit)
0 – simple (primitive)
1 – structured (constructed)

Number (5 bits): the type number within the class

Page 17

Length Format

Figure from Forouzan

Page 18

Examples

Figure from Forouzan

Page 19

Management Information Base (v2)

● Each agent has its own MIB
● The collection of objects that are managed
● The objects are sorted into the groups under 1.3.6.1.2.1 (mib-2)
● Only leaves in the tree are accessible
● The objects are accessed using SNMP operations
● Lots of standard objects; extended by vendor specific ones

Page 20

MIB-2

Figure from Forouzan

Page 21

UDP Group

Figure from Forouzan

Page 22

UDP Variables and Tables

Figure from Forouzan

Page 23

Indexes for UDP Table

Figure from Forouzan

Page 24

Lexicographic Ordering

Figure from Forouzan
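The UDP table, its indexes and the lexicographic ordering of the last few slides are what make the GetNextRequest walk work: the manager asks for the leaf lexicographically after the one it has, and keeps going until the reply falls outside the subtree. The following is an added example, not code from the lecture or from Forouzan. The agent state is a constructed toy (a few udp scalars and a udpTable with two rows); the only things taken from the standard are the mib-2 object numbers and the rule, from RFC 1213, that a udpTable row is indexed by its udpLocalAddress followed by its udpLocalPort.

```python
# Added example (not from the lecture slides): lexicographic OID ordering and
# the GetNextRequest walk built on it. AGENT_MIB is a constructed toy agent.
from typing import Optional, Tuple

def parse_oid(text: str) -> Tuple[int, ...]:
    """'1.3.6.1.2.1.7.1.0' -> (1, 3, 6, 1, 2, 1, 7, 1, 0)."""
    return tuple(int(x) for x in text.strip(".").split("."))

def fmt_oid(oid: Tuple[int, ...]) -> str:
    return ".".join(str(x) for x in oid)

UDP = (1, 3, 6, 1, 2, 1, 7)            # mib-2.udp

# Constructed agent state. Scalars use instance .0; udpTable cells are
# udpEntry.<column>.<udpLocalAddress (4 sub-ids)>.<udpLocalPort>, so a row
# listening on 0.0.0.0:161 appears under ...7.5.1.<col>.0.0.0.0.161.
AGENT_MIB = {
    UDP + (1, 0): 1200,                                   # udpInDatagrams.0
    UDP + (2, 0): 5,                                      # udpNoPorts.0
    UDP + (3, 0): 0,                                      # udpInErrors.0
    UDP + (4, 0): 980,                                    # udpOutDatagrams.0
    UDP + (5, 1, 1, 0, 0, 0, 0, 161): "0.0.0.0",          # udpLocalAddress, row 0.0.0.0:161
    UDP + (5, 1, 1, 192, 168, 1, 10, 5000): "192.168.1.10",
    UDP + (5, 1, 2, 0, 0, 0, 0, 161): 161,                # udpLocalPort
    UDP + (5, 1, 2, 192, 168, 1, 10, 5000): 5000,
}

def get_next(mib: dict, oid: Tuple[int, ...]) -> Optional[Tuple[Tuple[int, ...], object]]:
    """GetNextRequest semantics: the first leaf strictly greater than `oid`
    in lexicographic order. Python compares tuples lexicographically and a
    prefix sorts before its extensions, so (..7,1) < (..7,1,0) as SNMP requires.
    Returns None at the end of the MIB view."""
    for leaf in sorted(mib):
        if leaf > oid:
            return leaf, mib[leaf]
    return None

def walk(mib: dict, subtree: Tuple[int, ...]) -> list:
    """Repeated GetNext from the subtree root until the reply leaves the
    subtree (the way snmpwalk enumerates an agent, one column at a time)."""
    out, cur = [], subtree
    while True:
        nxt = get_next(mib, cur)
        if nxt is None or nxt[0][:len(subtree)] != subtree:
            return out
        out.append(nxt)
        cur = nxt[0]

if __name__ == "__main__":
    for oid, value in walk(AGENT_MIB, UDP + (5, 1, 2)):   # walk the udpLocalPort column
        print(fmt_oid(oid), "=", value)
```

Walking the udpLocalPort column is also the reconnaissance value of a readable agent: whoever holds a read community can list every UDP port the host listens on without a port scan.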

Page 25

SNMP Operations

Figure from Forouzan

Page 26

SNMP PDU Format

Figure from Forouzan

Page 27

SNMP Message Format

Figure from Forouzan

Page 28

Example: GetRequest Message

Figure from Forouzan

Page 29

Example: GetRequest Message

Figure from Forouzan

Page 30

Example: GetRequest Message

Interpretation help: SNMP message types

Table from Forouzan

Page 31

Example: GetRequest Message

Interpretation help: Data types

Table from Forouzan

Page 32

Example: GetRequest Message

Interpretation help: MIB2 tree

Figure from Forouzan
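The BER encoding slides (tag, length, value), the PDU and message format slides and the GetRequest example all describe the same byte layout. As an added example that is not code from the lecture or from Forouzan, here is a minimal BER encoder and decoder that builds an SNMPv1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0) and takes it apart again. The community string "public" and request id 1 are constructed values; the tag numbers are the standard ones (universal class for INTEGER, OCTET STRING, NULL, OBJECT IDENTIFIER and SEQUENCE; context-specific, constructed class 0xA0 for GetRequest).

```python
# Added example (not from the lecture or Forouzan): BER TLV encoding of an
# SNMPv1 GetRequest and a decoder for the result. Only the types SNMP uses.
from typing import List

INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_NEXT_REQUEST, GET_RESPONSE = 0xA0, 0xA1, 0xA2   # class 10, constructed

def ber_length(n: int) -> bytes:
    """Short form (< 128) is one byte; long form is 0x80|count, then count big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(value)) + value

def enc_int(v: int) -> bytes:
    """Two's complement in the minimal number of octets (X.690 8.3)."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(INTEGER, v.to_bytes(n, "big", signed=True))

def enc_oid(oid: str) -> bytes:
    ids = [int(x) for x in oid.strip(".").split(".")]
    out = bytearray([40 * ids[0] + ids[1]])          # first two sub-ids share one byte
    for sub in ids[2:]:                               # base 128, high bit set on all but the last
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))

def get_request(community: str, oid: str, request_id: int) -> bytes:
    """Message ::= SEQUENCE { version INTEGER (0 = v1), community OCTET STRING, PDU }
    PDU ::= [0] { request-id, error-status, error-index, SEQUENCE OF VarBind }"""
    varbind = tlv(SEQUENCE, enc_oid(oid) + tlv(NULL, b""))
    pdu = tlv(GET_REQUEST, enc_int(request_id) + enc_int(0) + enc_int(0)
              + tlv(SEQUENCE, varbind))
    return tlv(SEQUENCE, enc_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)

def decode(buf: bytes) -> list:
    """Parse BER into nested (tag, value) pairs. Constructed types (format bit
    0x20 set) are recursed into; primitives are returned as raw bytes. Lengths
    that overrun the buffer are rejected rather than silently truncated."""
    items, i = [], 0
    while i < len(buf):
        if i + 1 >= len(buf):
            raise ValueError("truncated TLV header")
        tag, ln = buf[i], buf[i + 1]
        i += 2
        if ln & 0x80:                                 # long-form length
            cnt = ln & 0x7F
            ln = int.from_bytes(buf[i:i + cnt], "big")
            i += cnt
        val = buf[i:i + ln]
        if len(val) != ln:
            raise ValueError("TLV length overruns buffer")
        i += ln
        items.append((tag, decode(val) if tag & 0x20 else val))
    return items

def dec_oid(raw: bytes) -> str:
    ids, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            ids.append(acc)
            acc = 0
    return ".".join(map(str, ids))

def community_of(msg: bytes) -> str:
    """v1/v2c carry the community in the clear: anyone who can sniff UDP/161 reads it."""
    return decode(msg)[0][1][1][1].decode()

def request_oids(msg: bytes) -> List[str]:
    """OIDs named in the message's PDU (Get/GetNext/Response share the layout)."""
    pdu = decode(msg)[0][1][2][1]
    return [dec_oid(vb[1][0][1]) for vb in pdu[3][1]]

if __name__ == "__main__":
    msg = get_request("public", "1.3.6.1.2.1.1.1.0", 1)
    print(msg.hex())
    print(community_of(msg), request_oids(msg))
```

The first two bytes of the output, 30 26, are the message SEQUENCE with a 38-byte body; the PDU tag a0 shows class 10 (context-specific) with the constructed bit set, which is why the decoder recurses into it. The plaintext community and the absence of any integrity field are exactly what the v3 security slide earlier refers to.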

Page 33

UDP Ports

Figure from Forouzan

Page 34

AAA Introduction

● Authentication
– Validate user identity.
● Authorization
– Check which services the user is allowed access to.
● Accounting
– Store information about use of a service, e.g. for billing purposes.

Page 35

Authentication

● Validate the identity of a user
● Used for
– Access control
– Authorization decisions
– Accounting records

Page 36

Authentication techniques

● Providing some credential that proves a claimed identity
– ID
– Smart card
– SIM
– Certificate
– Biometrics
– Password
– Public/secret key pair

Page 37

Authentication Basics

● Something you have
● Something you know
● Something you are

Page 38

Authentication protocol

Example:

If A wants to contact B through the Internet, how can A prove his/her identity?
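One answer to the question above, built on "something you know", is a challenge-response exchange: B sends a fresh random nonce, A returns a keyed hash of it computed with a secret both sides share, and B checks the value. The secret itself never crosses the network, and because each nonce is accepted once, a captured reply is useless later. This is an added example and not the protocol the lecture has in mind or code from the lecture; the principal names, the secret, the HMAC-SHA256 construction and the nonce bookkeeping are all my own choices for illustration.

```python
# Added example (not from the lecture): challenge-response authentication of
# A to B over a shared secret, with single-use nonces to block replay.
import hashlib
import hmac
import os
from typing import Dict, Set

def prove(secret: bytes, identity: str, nonce: bytes) -> bytes:
    """A's side: only a holder of `secret` can compute this for B's nonce.
    The identity is bound into the MAC so a response cannot be reused for another user."""
    return hmac.new(secret, identity.encode() + b"\x00" + nonce, hashlib.sha256).digest()

class Verifier:
    """B's side: knows each principal's secret and remembers the nonces it issued."""
    def __init__(self, secrets: Dict[str, bytes]):
        self._secrets = secrets
        self._outstanding: Set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = os.urandom(16)                  # fresh per attempt, never reused
        self._outstanding.add(nonce)
        return nonce

    def verify(self, identity: str, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._outstanding:      # unknown or already consumed nonce
            return False
        self._outstanding.discard(nonce)        # single use: a replayed reply fails here
        secret = self._secrets.get(identity)
        if secret is None:
            return False
        expected = prove(secret, identity, nonce)
        return hmac.compare_digest(expected, response)   # constant-time comparison

def run_login(verifier: Verifier, identity: str, secret: bytes) -> bool:
    """The full exchange: B -> A: nonce; A -> B: identity, HMAC(secret, identity || nonce)."""
    nonce = verifier.challenge()
    response = prove(secret, identity, nonce)
    return verifier.verify(identity, nonce, response)

if __name__ == "__main__":
    # Constructed credential database for the demonstration.
    b = Verifier({"alice": b"correct horse battery staple"})
    print(run_login(b, "alice", b"correct horse battery staple"))   # True
    print(run_login(b, "alice", b"wrong secret"))                   # False
```

Two caveats a practitioner would add: this authenticates A to B only (B proves nothing to A), and it gives the parties no session key afterwards, so it protects the login but not the traffic that follows. Both gaps are what the certificate and public/secret key pair entries in the credential list address.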

Page 39

Authorization

● Policy
– Identity
– Current actions
– Outside state

● Allowing access to services to authenticated users

Page 40

Accounting

● Tracking the usage of resources for
– Billing
– Management
– Planning
– Auditing

Page 41

Protocols for AAA

● RADIUS

● TACACS

● COPS

● DIAMETER

Page 42

Network Access Server

A Network Access Server (NAS) is often the initial entry point to a network.

A NAS is a gateway between the users and a network, supplying one or more ways to connect, e.g.:
– Dial-up
– Direct network access (e.g. through SLIP or PPP)
– Asynchronous terminal services (e.g. telnet)
– Tunneling

The NAS contacts an AAA server to see if the user is authorized to access the network. This communication needs a protocol!

Page 43

DIAMETER

The Diameter Base Protocol is intended to provide an Authentication, Authorization and Accounting framework for applications such as network access and IP mobility.

Page 44

DIAMETER Facilities

The Diameter Base Protocol provides the following facilities:
● Delivery of attribute value pairs (AVPs)
● Capabilities negotiation
● Error notification
● Extensibility, through addition of new commands and AVPs
● Basic services necessary for applications, such as handling of user sessions or accounting

The Diameter Base Protocol provides the minimum requirements needed for an AAA protocol, as defined in RFC2989

Page 45

DIAMETER Features

All data delivered by the protocol is in the form of an AVP. These are used by the base protocol to support the following features:
● Transporting of user authentication information, for the purpose of enabling the Diameter server to authenticate the user.
● Transporting of service specific authorization information, between client and servers, allowing the peers to decide whether a user's access should be granted.
● Exchanging resource usage information, which may be used for accounting purposes, capacity planning etc.
● Relaying, proxying and redirecting of Diameter messages through a server hierarchy.
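Since every piece of Diameter data travels as an AVP, the two things a relay, proxy or server must get right are parsing the AVP framing safely and honouring the M (mandatory) flag. The following is an added example, not code from the lecture, Ventura's paper or any Diameter implementation. The AVP layout is the one defined in RFC 3588 (and unchanged in RFC 6733): a 32-bit AVP Code, one flags octet (V = vendor-specific, M = mandatory, P = protected), a 24-bit AVP Length that counts the header and data but not the padding, an optional 32-bit Vendor-ID when V is set, and data padded with zeros to a multiple of four octets. The AVP codes for User-Name, Session-Id and Origin-Host are the standard ones; AVP code 9999 and its Vendor-ID are constructed for the demonstration.

```python
# Added example (not from the lecture or the Diameter RFCs' own text):
# Diameter AVP encoding, a bounds-checked parser, and the mandatory-bit rule.
import struct
from typing import List, Optional, Tuple

FLAG_V, FLAG_M, FLAG_P = 0x80, 0x40, 0x20
USER_NAME, SESSION_ID, ORIGIN_HOST = 1, 263, 264      # base-protocol AVP codes
KNOWN_CODES = {USER_NAME, SESSION_ID, ORIGIN_HOST}    # what this toy receiver understands

AVP = Tuple[int, int, Optional[int], bytes]           # (code, flags, vendor_id, data)

def encode_avp(code: int, data: bytes, mandatory: bool = True,
               vendor_id: Optional[int] = None) -> bytes:
    flags = (FLAG_M if mandatory else 0) | (FLAG_V if vendor_id is not None else 0)
    vendor = struct.pack("!I", vendor_id) if vendor_id is not None else b""
    length = 8 + len(vendor) + len(data)              # header + data, padding excluded
    header = struct.pack("!I", code) + bytes([flags]) + length.to_bytes(3, "big")
    return header + vendor + data + b"\x00" * ((-len(data)) % 4)

def decode_avps(buf: bytes) -> List[AVP]:
    """Split a message body into AVPs. Every length is checked against the
    buffer before it is used, so a forged AVP Length cannot read past the end."""
    out, i = [], 0
    while i < len(buf):
        if len(buf) - i < 8:
            raise ValueError("short AVP header")
        code = struct.unpack_from("!I", buf, i)[0]
        flags = buf[i + 4]
        length = int.from_bytes(buf[i + 5:i + 8], "big")
        hdr = 12 if flags & FLAG_V else 8
        if length < hdr or i + length > len(buf):
            raise ValueError("bad AVP length")
        vendor = struct.unpack_from("!I", buf, i + 8)[0] if flags & FLAG_V else None
        data = buf[i + hdr:i + length]
        out.append((code, flags, vendor, data))
        i += length + (-length) % 4                   # step over the padding to the next AVP
    return out

def unsupported_mandatory(avps: List[AVP], known=KNOWN_CODES) -> List[int]:
    """RFC 3588: an AVP carrying the M bit that the receiver does not recognise
    must cause the message to be rejected (DIAMETER_AVP_UNSUPPORTED). An
    unknown AVP without the M bit may simply be ignored. Returns the offenders."""
    return [code for code, flags, _, _ in avps if flags & FLAG_M and code not in known]

if __name__ == "__main__":
    body = (encode_avp(SESSION_ID, b"nas1.example.net;1;1")            # constructed values
            + encode_avp(USER_NAME, b"alice@example.net")
            + encode_avp(9999, b"\x01", mandatory=False, vendor_id=10415))
    for avp in decode_avps(body):
        print(avp)
    print("reject:", unsupported_mandatory(decode_avps(body)))
```

The test below also feeds the parser an AVP whose declared length exceeds the buffer, which is the input a sloppy parser reads out of bounds on; here it raises instead.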