Published by Angela Imogen Smith. Modified over 9 years ago.
1
Simple Network Management Protocol By - Suparna Sri
2
Agenda
Introduction
Network Level Architecture
Operation of Protocol
Applications of Protocol
Event Flows
Message Formats
Extensions, Performance and Security Issues
Conclusion
References
3
Introduction SNMP is an application layer protocol that facilitates the exchange of management information between network devices. It is used for collecting information from, and configuring, network devices, such as servers, printers, hubs, switches, and routers on an Internet Protocol (IP) network. SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth.
4
Basic Components of SNMP
NMS (Network Management Station)
Managed Devices
Agents
MIB (Management Information Base)
5
NMS: The NMS executes applications that monitor and control managed devices. One or more NMSs must exist on any managed network. An NMS is a general-purpose computer running special management software.
6
Managed Device is a network node that contains an SNMP agent and that resides on a managed network. Managed devices collect and store management information and make this information available to NMSs using SNMP. Managed devices, sometimes called network elements, can be routers and access servers, switches and bridges, hubs, computer hosts, or printers.
7
Agent: An agent is a network-management software module that resides in a managed device. An agent has local knowledge of management information and translates that information into a form compatible with SNMP.
8
Network Level Architecture
9
MIB Structure
Every management station or agent in an SNMP architecture maintains a local database of network-management information. This virtual information store is called the MIB, the objects database. An SNMP MIB contains definitions of the properties of managed resources and of the services that the agent supports. The manageable features of a resource, as defined in an SNMP MIB, are called managed objects.
10
Management Information Base
11
MIB object identifiers
Each object in the MIB has an object identifier (OID). A management station uses the OID to request the object's value from the agent. An OID is a sequence of integers that uniquely identifies a managed object by defining a path to that object through a tree-like structure called the OID tree or registration tree. When an SNMP agent needs to access a specific managed object, it traverses the OID tree to find the object. A scalar object is always addressed with a trailing .0 instance suffix (for example sysName.0 is 1.3.6.1.2.1.1.5.0), and a table cell with the row index appended to the column OID.
12
SNMP OID Hierarchy Format
13
Operation of Protocol
Read: Used by an NMS to monitor managed devices. The NMS examines different variables that are maintained by managed devices.
Write: Used by an NMS to control managed devices. The NMS changes the values of variables stored within managed devices.
Trap: Used by managed devices to asynchronously report events to the NMS. When certain types of events occur, a managed device sends a trap to the NMS.
14
Operation of the Protocol
Get
Get-next
Get-bulk
Set
Response
Trap
Notification
Inform
Report
15
‘get’ and ‘getnext’ Operation
The get request is initiated by the NMS, which sends it to the agent. The agent receives the request and processes it to the best of its ability, returning the value of each requested object. The get command is useful for retrieving a single MIB object at a time; the OID must be known exactly, including the instance suffix. The get-next operation returns the object that lexicographically follows the given OID in the MIB, so a sequence of get-next commands, each starting from the OID just returned, walks through a group of values or an entire table without knowing the instances in advance.
16
‘get’ Operation
17
‘get bulk’ operation
SNMPv2 defined the get-bulk operation, which allows a management application to retrieve a large section of a table at once. The standard get operation can attempt to retrieve more than one MIB object at once, but message sizes are limited by the agent's capabilities: if the agent cannot fit all the requested values into one response, it returns a tooBig error with no data. A get-bulk request carries two extra fields, non-repeaters and max-repetitions, which are set when issuing the command. Non-repeaters tells the agent that the first N objects in the request are to be retrieved with a single get-next operation each. Max-repetitions tells the agent to attempt up to M successive get-next operations for each of the remaining objects. The agent may return fewer results if the response would otherwise exceed the message size, and it marks the end of the MIB with the endOfMibView value.
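As an added example (not part of the original slides), the following Python models how an agent serves get, get-next and get-bulk requests over the lexicographically ordered OID tree described on the previous slides. The OIDs are standard MIB-II ones (sysDescr, sysName, ifDescr, ifOperStatus), but the values, the class name ToyAgent and the in-memory layout are invented for illustration; a real agent does the same ordering over its own data sources.

```python
from typing import Dict, List, Optional, Tuple

OID = Tuple[int, ...]


def parse_oid(text: str) -> OID:
    """'1.3.6.1.2.1.1.5.0' -> (1, 3, 6, 1, 2, 1, 1, 5, 0)."""
    return tuple(int(arc) for arc in text.strip(".").split("."))


# Constructed sample MIB (hypothetical agent contents): two system-group
# scalars and two columns (ifDescr, ifOperStatus) of a two-row interface table.
SAMPLE_MIB: Dict[OID, object] = {
    parse_oid("1.3.6.1.2.1.1.1.0"): "Example router",   # sysDescr.0
    parse_oid("1.3.6.1.2.1.1.5.0"): "rtr1",             # sysName.0
    parse_oid("1.3.6.1.2.1.2.2.1.2.1"): "eth0",         # ifDescr.1
    parse_oid("1.3.6.1.2.1.2.2.1.2.2"): "eth1",         # ifDescr.2
    parse_oid("1.3.6.1.2.1.2.2.1.8.1"): 1,              # ifOperStatus.1 = up
    parse_oid("1.3.6.1.2.1.2.2.1.8.2"): 2,              # ifOperStatus.2 = down
}

END_OF_MIB_VIEW = "endOfMibView"


class ToyAgent:
    """In-memory agent exposing get / get-next / get-bulk over a MIB dict."""

    def __init__(self, mib: Dict[OID, object]) -> None:
        self.mib = dict(mib)
        # Lexicographic order of the OID tuples is exactly get-next order: a
        # longer OID sorts after its own prefix, so 1.3.6.1.2.1.1.1.0 > 1.3.6.1.2.1.1.
        self.ordered = sorted(self.mib)

    def get(self, oid: OID) -> Optional[object]:
        """Exact lookup; None models the v1 noSuchName / v2 noSuchInstance case."""
        return self.mib.get(oid)

    def get_next(self, oid: OID) -> Optional[Tuple[OID, object]]:
        """First object whose OID is lexicographically greater than `oid`,
        or None when `oid` is at or past the end of the MIB view."""
        for candidate in self.ordered:
            if candidate > oid:
                return candidate, self.mib[candidate]
        return None

    def get_bulk(self, oids: List[OID], non_repeaters: int,
                 max_repetitions: int) -> List[Tuple[OID, object]]:
        """GetBulk semantics: one get-next for each of the first `non_repeaters`
        OIDs, then up to `max_repetitions` successive get-next steps for every
        remaining OID, interleaved row by row."""
        result: List[Tuple[OID, object]] = []
        for oid in oids[:non_repeaters]:
            nxt = self.get_next(oid)
            result.append(nxt if nxt else (oid, END_OF_MIB_VIEW))
        cursors: List[Optional[OID]] = list(oids[non_repeaters:])
        for _ in range(max_repetitions):
            if all(c is None for c in cursors):
                break                    # every repeater already hit endOfMibView
            for i, cur in enumerate(cursors):
                if cur is None:
                    continue
                nxt = self.get_next(cur)
                if nxt is None:
                    result.append((cur, END_OF_MIB_VIEW))
                    cursors[i] = None
                else:
                    result.append(nxt)
                    cursors[i] = nxt[0]
        return result

    def walk(self, root: OID) -> List[Tuple[OID, object]]:
        """snmpwalk-style traversal: repeat get-next until the returned OID no
        longer starts with `root` (that prefix test is the only stop condition)."""
        out: List[Tuple[OID, object]] = []
        cur = root
        while True:
            nxt = self.get_next(cur)
            if nxt is None or nxt[0][:len(root)] != root:
                return out
            out.append(nxt)
            cur = nxt[0]


if __name__ == "__main__":
    agent = ToyAgent(SAMPLE_MIB)
    request = [parse_oid("1.3.6.1.2.1.1"),            # non-repeater: sysDescr.0
               parse_oid("1.3.6.1.2.1.2.2.1.2"),      # repeater: ifDescr column
               parse_oid("1.3.6.1.2.1.2.2.1.8")]      # repeater: ifOperStatus column
    for oid, value in agent.get_bulk(request, non_repeaters=1, max_repetitions=3):
        print(".".join(map(str, oid)), value)
```

Note what the bulk request returns with max-repetitions larger than the table: the ifDescr repeater runs off the end of its column into ifOperStatus.1 on the third repetition, and the ifOperStatus repeater reports endOfMibView. A manager must therefore check that each returned OID still lies under the column it asked for, exactly as walk() does, rather than trusting the row count.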
18
‘get bulk’ Operation
19
‘set’ Operation The set command is used to change the value of a managed object or to create a new row in a table. Objects that are defined in the MIB as read-write or write-only can be altered or created using this command. It is possible for an NMS to set more than one object at a time.
20
‘trap’ Operation
Trap: A trap is the way an agent tells the NMS that a noteworthy event has occurred. The trap originates from the agent and is sent to the trap destination, as configured within the agent itself. The trap destination is typically the IP address of the NMS. A trap is unacknowledged: if the UDP datagram is lost, the agent does not know and does not resend it.
21
Scenarios when ‘trap’ occurs
A network interface on the device (where the agent is running) has gone down.
A network interface on the device (where the agent is running) has come back up.
An incoming call to a modem rack was unable to establish a connection to a modem.
The fan on a switch or router has failed.
22
Generic types of ‘trap’
coldStart(0): Indicates that the agent has rebooted. All management variables will be reset; specifically, Counters and Gauges will be reset to zero (0). It can also be used to determine when new hardware is added to the network.
warmStart(1): Indicates that the agent has reinitialized itself. None of the management variables will be reset.
linkDown(2): Sent when an interface on a device goes down. The first variable binding identifies which interface went down.
linkUp(3): Sent when an interface on a device comes back up.
23
Generic types of ‘trap’
authenticationFailure(4): Indicates that someone has tried to query your agent with an incorrect community string; useful in determining whether someone is trying to gain unauthorized access to one of your devices, and worth forwarding to the SOC rather than discarding.
egpNeighborLoss(5): Indicates that an Exterior Gateway Protocol (EGP) neighbor has gone down.
enterpriseSpecific(6): Indicates that the trap is enterprise-specific. Vendors use this type to define their own traps under the private enterprises branch (1.3.6.1.4.1) of the SMI object tree; the specific-trap field then says which one.
24
Other SNMP operations
SNMP notification: In SNMPv2 and SNMPv3 the trap is carried in a notification PDU with the same layout as the other PDUs; notifications are defined in MIB modules with the NOTIFICATION-TYPE macro.
SNMP inform: The inform mechanism provides acknowledged manager-to-manager (or agent-to-manager) notification. The receiver answers with a Response PDU, so the sender knows the notification arrived and can retransmit if it did not.
SNMP report: Allows SNMPv3 engines to communicate with each other, mainly to report problems with processing SNMP messages, for example an unknown engine ID or a message outside the time window.
25
Message Sent Between an SNMP Manager and its Managed Devices
26
Event Flow of SNMP protocol
Represents the interactions and timing of the SNMP protocol between the SNMP manager and the SNMP agent. Get, get-next and set are request/response exchanges initiated by the manager; traps are unsolicited messages sent from the agent to the manager. The four basic SNMPv1 operations are get-request, get-next-request, set-request and trap.
27
Event Flow of SNMP operations
28
Network Management System
29
SNMPv3 Applications
Five types of application which can be associated with an SNMP engine are described in RFC 2273 (since revised as RFC 3413). These applications are:
- Command generators, which monitor and manipulate management data
- Command responders, which provide access to management data
- Notification originators, which initiate asynchronous messages
- Notification receivers, which process asynchronous messages
- Proxy forwarders, which forward messages between entities
30
Flow diagram of Command Generator and Command Responder
31
PRIMITIVES BETWEEN MODULES
32
sendPdu
33
prepareOutgoingMessage
34
generateRequestMsg
35
send / receive
36
prepareDataElements
37
processIncomingMsg
38
processPdu
39
isAccessAllowed
40
returnResponsePdu
41
prepareResponseMessage
42
generateResponseMsg
43
send / receive
44
prepareDataElements
45
processIncomingMsg
46
processResponsePdu
47
Five areas of network management
Performance management: to quantify, measure, report, analyze and control the performance of network components.
Fault management: to detect, log, notify users of, and (to the extent possible) automatically fix network problems to keep the network running effectively.
Configuration management: to monitor network and system configuration information so that the effects on network operation of various versions of hardware and software elements can be tracked and managed.
Accounting management: to measure network utilization parameters so that individual or group use of the network can be regulated appropriately.
Security management: to control access to network resources according to local guidelines so that the network cannot be sabotaged and sensitive information cannot be accessed by those without appropriate authorization.
48
SNMP Message Format
SNMP uses two well-known ports: UDP port 161 for request/response messages sent to the agent, and UDP port 162 for traps and notifications sent to the manager. On the wire the message is encapsulated as: Ethernet Frame > IP Packet > UDP Datagram > SNMP Message, followed by the frame CRC. SNMP is defined over UDP; a TCP transport mapping also exists (RFC 3430) but is rarely deployed. SNMPv3 does not add new operations: it defines a security capability (message processing and security models) used in conjunction with the existing SNMPv1/SNMPv2 PDU types.
49
SNMP General Message Format
Table 211: SNMP Variable Binding Format
Object Name (Sequence of Integer, variable size): The numeric object identifier of the MIB object, specified as a sequence of integers. For example, the object sysLocation has the object identifier 1.3.6.1.2.1.1.6, so it is encoded as the ASN.1 OBJECT IDENTIFIER "1 3 6 1 2 1 1 6".
Object Value (variable size): In any type of get request this subfield is a placeholder, encoded as ASN.1 NULL: it has the appropriate syntax for the object but carries no value, since the get request is asking for that value. In a set request (SetRequest-PDU) or in a reply carrying requested data (GetResponse-PDU or Response-PDU), the value of the object is placed here.
50
SNMP V1 General Message Format
Table 212: SNMP Version 1 (SNMPv1) General Message Format
Version (Integer, 4 bytes): Version Number: Describes the SNMP version number of this message; used for ensuring compatibility between versions. For SNMPv1 this value is actually 0, not 1.
Community (Octet String, variable): Community String: Identifies the SNMP community in which the sender and recipient of this message are located. This string is the whole of SNMPv1's simple authentication scheme, and it travels in clear text.
PDU (variable): Protocol Data Unit: The PDU being communicated as the body of the message.
Note: the sizes given for Integer fields in these tables are nominal. On the wire BER encodes each integer in the minimum number of bytes, so version 0 occupies a single byte.
51
SNMP v1 PDU Format
Table 213: SNMP Version 1 (SNMPv1) Common PDU Format
PDU Type (Integer, enumerated, 4 bytes): PDU Type: Identifies the PDU: 0 GetRequest, 1 GetNextRequest, 2 GetResponse, 3 SetRequest. Type 4 is the Trap-PDU, which has its own format (Table 214).
Request ID (Integer, 4 bytes): Request Identifier: A number used to match requests with replies. It is generated by the device that sends a request and copied into this field in a GetResponse-PDU by the responding SNMP entity.
Error Status (Integer, enumerated, 4 bytes): Error Status: 0 noError, 1 tooBig, 2 noSuchName, 3 badValue, 4 readOnly, 5 genErr. Always zero in a request.
Error Index (Integer, 4 bytes): Error Index: When Error Status is non-zero, the 1-based position in the variable bindings of the object that caused the error. Always zero in a request.
Variable Bindings (variable): Variable Bindings: A set of name-value pairs identifying the MIB objects in the PDU and, in the case of a SetRequest-PDU or GetResponse-PDU, containing their values.
52
SNMP V1 Trap-PDU Format
Table 214: SNMP Version 1 (SNMPv1) Trap-PDU Format
PDU Type (Integer, enumerated, 4 bytes): PDU Type: An integer value that indicates the PDU type, which is 4 for a Trap-PDU message.
Enterprise (Sequence of Integer, variable): Enterprise: An object identifier for a group, which indicates the type of object that generated the trap (typically the agent's sysObjectID).
Agent Addr (NetworkAddress, 4 bytes): Agent Address: The IP address of the SNMP agent that generated the trap. This is of course also in the IP header at lower levels, but inclusion in the SNMP message allows for easier trap logging within SNMP. Also, in the case of a multihomed host, this specifies the preferred address. The field is filled in by the sender and not verified, so it must not be used for access decisions.
Generic Trap (Integer, enumerated, 4 bytes): Generic Trap Code: One of the predefined generic trap types, 0 coldStart through 6 enterpriseSpecific (slides 22-23).
Specific Trap (Integer, 4 bytes): Specific Trap Code: A code value indicating an implementation-specific trap type; meaningful when Generic Trap is 6.
Time Stamp (TimeTicks, 4 bytes): Time Stamp: The amount of time (sysUpTime) since the SNMP entity sending this message last initialized or reinitialized. Used to time-stamp traps for logging purposes.
Variable Bindings (variable): Variable Bindings: A set of name-value pairs identifying the MIB objects in the PDU.
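The three tables above describe the byte layout informally; as an added example that is not part of the original slides, the following Python encodes and decodes SNMPv1 messages with the BER rules those tables imply (Table 212 message, Table 213 request/response PDU, Table 214 Trap-PDU). It supports only the types SNMPv1 needs and is not a general ASN.1 library; the community string, request id and OIDs used to exercise it are constructed sample values.

```python
INTEGER, OCTET_STRING, NULL, OBJECT_ID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
IP_ADDRESS, TIME_TICKS = 0x40, 0x43                        # SNMP application types
PDU_TAGS = {"GetRequest": 0xA0, "GetNextRequest": 0xA1, "GetResponse": 0xA2,
            "SetRequest": 0xA3, "Trap": 0xA4}                # context tags [0]..[4]
PDU_NAMES = {tag: name for name, tag in PDU_TAGS.items()}


def tlv(tag, body):
    """BER tag-length-value, definite length in short or long form."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def enc_int(n, tag=INTEGER):
    """Minimal two's-complement encoding: version 0 is one byte, not four."""
    size = 1
    while not -(1 << (8 * size - 1)) <= n < (1 << (8 * size - 1)):
        size += 1
    return tlv(tag, n.to_bytes(size, "big", signed=True))


def enc_oid(text):
    arcs = [int(a) for a in text.strip(".").split(".")]
    out = [40 * arcs[0] + arcs[1]]                   # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                         # base 128, high bit = more follows
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(OBJECT_ID, bytes(out))


def enc_str(s): return tlv(OCTET_STRING, s)
def enc_null(): return tlv(NULL, b"")             # the "placeholder" of Table 211


def build_v1(community, pdu_type, request_id, varbinds, error_status=0, error_index=0):
    """Message ::= SEQUENCE { version INTEGER (0), community OCTET STRING, PDU }
    for the four request/response PDUs of Table 213 (the Trap-PDU differs)."""
    vbl = b"".join(tlv(SEQUENCE, enc_oid(oid) + value) for oid, value in varbinds)
    pdu = (enc_int(request_id) + enc_int(error_status) + enc_int(error_index)
           + tlv(SEQUENCE, vbl))
    return tlv(SEQUENCE, enc_int(0) + enc_str(community) + tlv(PDU_TAGS[pdu_type], pdu))


def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long form
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")            # never trust a length field
    return tag, buf[pos:pos + length], pos + length


def seq_items(body):
    items, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        items.append((tag, value))
    return items


def dec_int(body): return int.from_bytes(body, "big", signed=True)


def dec_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def dec_value(tag, body):
    """Decode a varbind value; NULL is the placeholder of a get request."""
    if tag == NULL: return None
    if tag in (INTEGER, TIME_TICKS): return dec_int(body)
    if tag == OCTET_STRING: return body.decode("utf-8", "replace")
    if tag == OBJECT_ID: return dec_oid(body)
    if tag == IP_ADDRESS: return ".".join(map(str, body))
    return body                                      # unknown type: raw bytes


def parse_v1(msg):
    tag, body, end = read_tlv(msg, 0)
    if tag != SEQUENCE or end != len(msg):
        raise ValueError("not a single SNMP message")
    (_, ver), (_, comm), (pdu_tag, pdu) = seq_items(body)
    fields = seq_items(pdu)
    out = {"version": dec_int(ver), "community": comm, "pdu": PDU_NAMES[pdu_tag]}
    if pdu_tag == PDU_TAGS["Trap"]:                  # Table 214 layout
        (_, ent), (_, addr), (_, gen), (_, spec), (_, ts), (_, vbl) = fields
        out.update(enterprise=dec_oid(ent), agent_addr=".".join(map(str, addr)),
                   generic_trap=dec_int(gen), specific_trap=dec_int(spec),
                   timestamp=dec_int(ts))
    else:                                            # Table 213 layout
        (_, rid), (_, est), (_, eidx), (_, vbl) = fields
        out.update(request_id=dec_int(rid), error_status=dec_int(est),
                   error_index=dec_int(eidx))
    out["varbinds"] = [(dec_oid(o), dec_value(t, v))
                       for (_, o), (t, v) in (seq_items(vb) for _, vb in seq_items(vbl))]
    return out
```

build_v1(b"public", "GetRequest", 0x1234, [("1.3.6.1.2.1.1.1.0", enc_null())]) produces the 41-byte datagram that snmpget sends for sysDescr.0; the community string "public" is visible in it as plain ASCII, which is the whole of the SNMPv1 security problem. The parser checks every length against the buffer before slicing, since agents and trap receivers parse untrusted input on port 161/162.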
53
SNMP v2 Message Format
SNMPv2 Get, GetNext, Inform, Response, Set and Trap PDUs contain the same fields.
The SNMPv2 GetBulk PDU replaces error-status and error-index with non-repeaters and max-repetitions.
54
SNMP v3 General Message Format
55
Table 221: SNMP Version 3 (SNMPv3) General Message Format
Msg Version (Integer, 4 bytes): Message Version Number: Describes the SNMP version number of this message; used for ensuring compatibility between versions. For SNMPv3 this value is 3.
Msg ID (Integer, 4 bytes): Message Identifier: A number used to identify an SNMPv3 message and to match response messages to request messages. Its use is similar to that of the Request ID field in the PDU format, but they are not identical. This field was created to allow matching at the message-processing level regardless of the contents of the PDU, which may be encrypted, to protect against certain security attacks. Thus Msg ID and Request ID are used independently.
Msg Max Size (Integer, 4 bytes): Maximum Message Size: The maximum size of message that the sender of this message can receive. The minimum value of this field is 484.
Msg Flags (Octet String, 1 byte): Message Flags: bit 0 authFlag (the message is authenticated), bit 1 privFlag (the scoped PDU is encrypted), bit 2 reportableFlag (a Report PDU may be returned on error). privFlag set without authFlag is not a valid combination.
Msg Security Model (Integer, 4 bytes): Message Security Model: An integer value indicating which security model was used for this message. For the User-based Security Model (the default in SNMPv3) this value is 3.
Msg Security Parameters (variable): Message Security Parameters: A set of fields that contain the parameters required to implement the particular security model used for this message. The contents of this field are specified in each document describing an SNMPv3 security model. For example, the parameters for the user-based model (engine ID, engine boots and time, user name, authentication and privacy parameters) are in RFC 3414.
Scoped PDU (variable): Scoped PDU: The context engine ID, context name and the PDU itself. When the privFlag is set, this whole field is encrypted.
56
Security services
Data Integrity is the provision of the property that data or data sequences have not been altered or destroyed in an unauthorized manner.
Data Origin Authentication is the provision of the property that the claimed identity of the user on whose behalf received data was originated is corroborated.
Data Confidentiality is the provision of the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
Message timeliness and limited replay protection is the provision of the property that a message whose generation time is outside of a specified time window is not accepted.
57
Performance and Security Issues
Modification of Information: The modification threat is the danger that some unauthorized entity may alter in-transit SNMP messages generated on behalf of an authorized principal in such a way as to effect unauthorized management operations, including falsifying the value of an object.
Masquerade: The masquerade threat is the danger that management operations not authorized for some user may be attempted by assuming the identity of another user that has the appropriate authorizations.
Disclosure: The disclosure threat is the danger of eavesdropping on the exchanges between managed agents and a management station. Protecting against this threat may be required as a matter of local policy.
Message Stream Modification: SNMP is typically based upon a connectionless transport service which may operate over any sub-network service. The re-ordering, delay or replay of messages can and does occur through the natural operation of many such sub-network services. The message stream modification threat is the danger that messages may be deliberately re-ordered, delayed or replayed in order to effect unauthorized management operations.
58
Extensions (SNMPv2 protocol)
New operations: Two new protocol operations were added in SNMPv2. Get-bulk-request supports efficient transfer of large amounts of MIB data, and Inform-request enables a manager to inform another manager of significant events.
Security: The main problems of SNMPv1 are authentication of the message source, protecting messages from disclosure, and placing access controls on the MIB database. The SNMPv2 security framework (the party-based SNMPv2p) tried to solve these by changing the SNMP message format, but the variant that was actually deployed, community-based SNMPv2c, kept the SNMPv1 community string; these problems were only solved in SNMPv3.
Traps: In SNMPv1, traps had a different format from all the other PDUs. SNMPv2 simplifies traps by giving them the same format as the get and set PDUs.
Bulk retrieval: In SNMPv1, if too much data is asked for in an ordinary get-request, you receive a "tooBig" error message with no data. In SNMPv2, Get-bulk-request lets you retrieve a lot of information and returns as much data as fits in the response message.
Partial results: In SNMPv2, if one of several values requested in a get-request is invalid or does not exist, the other requests are still answered and the missing one is marked in its own variable binding (noSuchObject or noSuchInstance). In SNMPv1, no data was returned at all, only the error message.
Security framework: The SNMPv2p security framework deals with authentication of the message sender and its contents and with the eavesdropping problem. It supports an authentication protocol to identify the source reliably and to prevent message modification, and the use of encryption to keep messages private. SNMPv1 has none of these security features.
59
SNMP Security
Security in SNMP versions:
SNMPv1 uses plain-text community strings for authentication, sent without encryption.
SNMPv2 was supposed to fix the security problems, but the effort derailed; the widely deployed SNMPv2c kept community strings.
SNMPv3 has numerous security features: it ensures that a packet has not been tampered with (integrity), that a message is from a valid source (authentication), and that a message cannot be read by unauthorized parties (privacy).
SNMPv3 has three security levels:
noAuthNoPriv (no authentication / no privacy), e.g. for monitoring: only the user name is matched, nothing is verified.
authNoPriv (authentication / no privacy), e.g. for control operations: HMAC with MD5 or SHA message digests.
authPriv (authentication / privacy), e.g. for downloading secrets: HMAC with MD5 or SHA message digests, plus encryption with DES.
Caveat: MD5, SHA-1 and DES are the original RFC 3414 algorithms. Current deployments should use the SHA-2 based authentication protocols of RFC 7860 and AES privacy (RFC 3826), and should disable SNMPv1/v2c altogether where the devices allow it.
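The authentication behind the authNoPriv and authPriv levels is the User-based Security Model of RFC 3414. As an added example that is not part of the original slides, the following Python implements its password-to-key and key-localization algorithm (RFC 3414 appendix A.2) and the HMAC-96 message authentication check, and shows a tampered message failing verification. The password "maplesyrup" and the engine ID are the RFC's own test vectors; the message bytes and the hypothetical make_message() header layout are constructed for illustration (a real SNMPv3 header is BER-encoded as in Table 221).

```python
import hashlib
import hmac
from typing import Tuple

AUTH_PARAMS_LEN = 12       # HMAC-MD5-96 and HMAC-SHA-96 truncate the MAC to 12 bytes
ONE_MEBIBYTE = 1048576


def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku (RFC 3414 A.2): hash the password repeated to fill exactly 1 MiB.
    The repetition is a deliberate slow-down against offline guessing."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (ONE_MEBIBYTE // len(password) + 1))[:ONE_MEBIBYTE]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key an agent actually stores is bound
    to its own engine ID, so a key recovered from one device is useless on another."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_params(kul: bytes, msg: bytes, params_offset: int, algo: str) -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message with the 12-byte
    field (at `params_offset`) set to zeros, truncated to 12 bytes."""
    zeroed = (msg[:params_offset] + b"\x00" * AUTH_PARAMS_LEN
              + msg[params_offset + AUTH_PARAMS_LEN:])
    return hmac.new(kul, zeroed, algo).digest()[:AUTH_PARAMS_LEN]


def sign(kul: bytes, msg: bytes, params_offset: int, algo: str) -> bytes:
    """Sender side: fill the authentication field of an outgoing message."""
    tag = auth_params(kul, msg, params_offset, algo)
    return msg[:params_offset] + tag + msg[params_offset + AUTH_PARAMS_LEN:]


def verify(kul: bytes, msg: bytes, params_offset: int, algo: str) -> bool:
    """Receiver side: recompute and compare in constant time."""
    received = msg[params_offset:params_offset + AUTH_PARAMS_LEN]
    return hmac.compare_digest(received, auth_params(kul, msg, params_offset, algo))


def make_message(scoped_pdu: bytes) -> Tuple[bytes, int]:
    """Constructed stand-in for an SNMPv3 message: a fixed hypothetical header, the
    zeroed 12-byte authentication field, then the scoped PDU. Returns the message
    and the offset of the authentication field."""
    header = b"\x30HDR-v3-usm-"   # hypothetical; not a real BER header
    return header + b"\x00" * AUTH_PARAMS_LEN + scoped_pdu, len(header)


if __name__ == "__main__":
    engine_id = bytes(11) + b"\x02"                        # RFC 3414 A.3 test engine
    kul = localize_key(password_to_key(b"maplesyrup", "md5"), engine_id, "md5")
    msg, off = make_message(b"scoped-pdu: get sysName.0")
    signed = sign(kul, msg, off, "md5")
    print("valid:", verify(kul, signed, off, "md5"))
    tampered = signed[:-1] + bytes([signed[-1] ^ 0x01])    # flip one bit of the PDU
    print("tampered valid:", verify(kul, tampered, off, "md5"))
```

The same localized key is also the input for the privacy (DES/AES) key, which is why a weak USM password undermines authPriv as well as authNoPriv: password_to_key() slows guessing but does not stop it. Note too that localization uses the agent's engine ID, so a manager must learn the correct engine ID (normally through the Report exchange) before it can derive the key it needs.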
60
SNMP GUI
OpenView Severity Levels
Severity   Color
Unknown    Blue
Normal     Green
Warning    Cyan
Minor      Yellow
Major      Orange
Critical   Red
61
Conclusions
Standardized
Universally supported
Extensible
Portable
Allows distributed management access
Lightweight protocol
62
Review Questions
1. What are the components in a network management architecture, and how is each defined? (slides 5-7)
2. What are MIBs, and how are they accessed? (slide 9)
3. What are the types of messages between an SNMP manager and agent? (slide 25)
63
References
http://www.faqs.org/rfcs/
http://www.ietf.org/rfcs/
http://www.icg.isy.liu.se/courses/tsin02-ici/slides/11_Snmp-v3.pdf
http://www.dpstele.com/layers/l2/snmp_l2_tut_part1.html
http://www.cisco.com/warp/public/535/3.html
64
THANK YOU