Presentation is loading. Please wait.

Presentation is loading. Please wait.

SNMP V2 & V3 W.lilakiatsakun. SNMP V2 Protocol RFC 3416 3 types of access to management information – Manager–agent request-response – Manager-Manager.

Published byAnthony Barker Modified over 9 years ago

Similar presentations

Presentation on theme: "SNMP V2 & V3 W.lilakiatsakun. SNMP V2 Protocol RFC 3416 3 types of access to management information – Manager–agent request-response – Manager-Manager."— Presentation transcript:

1 SNMP V2 & V3 W.lilakiatsakun

2 SNMP V2 Protocol RFC 3416 3 types of access to management information – Manager–agent request-response – Manager-Manager request-response : different from SNMPV1 – Agent-manager unconfirmed

3 SNMP V2 Message Structure

4 SNMPV2 PDU Formats

5 PDU Details (1) request-id :unique number to each outstanding request to the same agent error-status: a non-zero value indicates that an exception occurred error-index: When the error-status field is nonzero, the error-index value identifies the object that caused the error

6 PDU Details (2) variable-bindings: this field enables a single operation to be applied to a group of object instances – First element is an OID (Object Identifier) – Second element can be Value – Value associated with each object instances unSpecified – a NULL values is used in retrieval requests NoSuchObject – indicates agent does not implement the object refered this OID noSuchInstance – indicates that this object instance does not exist for this operation endOfMibView – indicates an attempt to reference an OID that is beyond the end of the MIB at the agent

7 SNMP V2 Operations

8 Comparison of SNMPv1 and SNMPv2 PDUs

9 Error Status Codes in response-PDU

10 Values in Variable Bindings

11 GetRequest PDU Same as SNMPv1, it is different only the way that responses are handled SNMP v1 operation is atomic SNMP v2 operation prepares variable binding according to following rules 1 OID not match – value is set to noSuchObject 2 Otherwise, but not accessible for operation – value is set to noSuchInstance 3 Otherwise, value is set to the value of variable

12 GetNextRequestPDU Same as SNMPv1, it is different only the way that responses are handled SNMP v1 operation is atomic SNMP v2 processes as many as possible by the following rule 1 the next instance can be retrieved, set the name and value in variable-bindings 2 if no lexicographic successor exists, set the value field to endOfMibView

13 GetBulkRequest PDU (1) Its purpose is to minimize the number of protocol exchanges required to retrieve a large amount of management information It uses the same selection principle as the GetNextRequest but multiple lexicographic successor can be selected 2 additional fields – Non-repeaters – the number of variables that single successor value to be returned – Max-repetitions – the number of successor value to be returned

14 GetBulkRequest PDU (2)

15 SetRequest PDU The structure is same as SNMPv1 SetRequest PDU for SNMPv1 and SNMPv2 is both atomic operation

16 SNMPv2-Trap PDU The format is different from SNMPv1 It uses the same format as GetRequestPDU Using variable bindings field to contain – sysUpTime.0 – snmpTrapOID.0 - If the OBJECT clause is present in the macro NOTIFICATION-TYPE, each variable and its value are copied to the variable-binding

17 InformRequest PDU New PDU type for SNMP Manager to Manager operation It uses the same format as GetRequestPDU Using variable bindings field to contain – sysUpTime.0 – snmpTrapOID.0 - If the OBJECT clause is present in the macro NOTIFICATION-TYPE, each variable and its value are copied to the variable-binding Response by using Response PDU

18 SNMPv2 MIB (1) System Group : include MIB for Object Resources – sysORlast change – sysORTable

19 SNMPv2 MIB (2) System Group of SNMPv2

20 SNMPv2 MIB (3)

21 Revised SNMP Group

22 SNMPv2 MIB (4) MIB Objects Group – snmpTrap snmpTrapOID : OID of trap or notification currently being sent snmpTrapEnterprise :OID of enterprise associated with the trap currently being sent

23 SNMPv2 MIB (5) – snmpSet snmpSerialNo : TestAndIncr (INTEGER 0..2147483647) If the agent receive a set operation for this object with value K then the value is incremented to K+1 mod 2 31 If the agent receive a set operation for this object with value not equal to K then the operation fails with an error of inconsistentValue To solve multiple managers using an agent

24 SNMPv2 MIB (6) Interfaces Group in RFC1573 : extension of interface Group in MIB-II – ifXTable (Extension Table) – ifStackTable (Stack Table) – ifTestTable (Test Table) – IfRcvAddressTable (Receive Address Table)

25 SNMPv2 MIB (7) ifXTable – This table contains objects that have been added to the Interface MIB as a result of the Interface Evolution effort, or replacements for objects of the original, MIB-II, ifTable that were deprecated because the semantics of said objects have significantly changed.

26 SNMPv2 MIB (8) ifStackTable – This table contains objects that define the relationships among the sub-layers of an interface. ifTestTable – This table contains objects that are used to perform tests on interfaces. – This table is a generic table. – The designers of media-specific MIBs must define exactly how this table applies to their specific MIB.

27 SNMPv2 MIB (9) ifRcvAddressTable – This table contains objects that are used to define the media-level addresses which this interface will receive. – This table is a generic table. – The designers of media- specific MIBs must define exactly how this table applies to their specific MIB.

28

29 SNMP V3 W.lilakiatsakun

30 Related RFC RFC 3411 — An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks RFC 3411 RFC 3412 — Message Processing and Dispatching for the Simple Network Management Protocol (SNMP) RFC 3412 RFC 3413 — Simple Network Management Protocol (SNMP) Applications RFC 3413 RFC 3414 — User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3) RFC 3414 RFC 3415 — View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP) RFC 3415

31 SNMP v3 Goals (1) Use existing materials as much as possible. – It is heavily based on previous work, informally known as SNMPv2u and SNMPv2*, based in turn on SNMPv2p. Address the need for secure SET support, which is considered the most important deficiency in SNMPv1 and SNMPv2c. Make it possible to move portions of the architecture forward in the standards track, even if consensus has not been reached on all pieces. Define an architecture that allows for longevity of the SNMP Frameworks that have been and will be defined.

32 SNMP v3 Goals (2) Keep SNMP as simple as possible. Make it relatively inexpensive to deploy a minimal conforming implementation. Make it possible to upgrade portions of SNMP as new approaches become available, without disrupting an entire SNMP framework. Make it possible to support features required in large networks, but make the expense of supporting a feature directly related to the support of the feature.

33 Security Requirement (1) Modification of Information – Some unauthorized entity may alter in-transit SNMP messages generated on behalf of an authorized principal in such a way as to effect unauthorized management operations, including falsifying the value of an object. Masquerade – Management operations not authorized for some principal may be attempted by assuming the identity of another principal that has the appropriate authorizations.

34 Security Requirement (2) Message Stream Modification – Messages may be maliciously re-ordered, delayed or replayed to an extent which is greater than can occur through the natural operation of a subnetwork service, in order to effect unauthorized management operations. Disclosure – Eavesdropping on the exchanges between SNMP engines. – Protecting against this threat may be required as a matter of local policy.

35 Not in Security requirement Denial of Service – Indeed, such denial-of-service attacks are in many cases indistinguishable from the type of network failures with which any viable management protocol must cope as a matter of course. Traffic Analysis – Many traffic patterns are predictable - entities may be managed on a regular basis by a relatively small number of management stations - and therefore there is no significant advantage afforded by protecting against traffic analysis.

36 SNMP Entity

37 SNMP engine An SNMP engine provides services for sending and receiving messages, authenticating and encrypting messages, and controlling access to managed objects. – a Dispatcher – a Message Processing Subsystem – a Security Subsystem – an Access Control Subsystem.

38 Dispatcher It allows for concurrent support of multiple versions of SNMP messages in the SNMP engine. It does so by: – sending and receiving SNMP messages to/from the network, – determining the version of an SNMP message and interacting with the corresponding Message Processing Model – providing an abstract interface to SNMP applications for delivery of a PDU to an application. – providing an abstract interface for SNMP applications that allows them to send a PDU to a remote SNMP entity.

39 Message Processing Subsystem The Message Processing Subsystem is responsible for preparing messages for sending, and extracting data from received messages.

40 Security Subsytem The Security Subsystem provides security services such as the authentication and privacy of messages and potentially contains multiple Security Models * User-Based Security (RFC 3414)

41 Security Model A Security Model specifies the threats against which it protects, the goals of its services, and the security protocols used to provide security services such as authentication and privacy. A Security Protocol specifies the mechanisms, procedures, and MIB objects used to provide a security service such as authentication or privacy.

42 Access Control Subsytem The Access Control Subsystem provides authorization services by means of one or more (*) Access Control Models. * View-Based Access Control (RFC 3415)

43 Application There are several types of applications, including: – Command generators, which monitor and manipulate management data – Command responders, which provide access to management data – Notification originators, which initiate asynchronous messages – Notification receivers, which process asynchronous messages, and – Proxy forwarders, which forward messages between entities.

44 SNMP Manager An SNMP entity containing one or more command generator and/or notification receiver applications (along with their associated SNMP engine) has traditionally been called an SNMP manager

45 SNMP Traditional Manager

46 SNMP Agent An SNMP entity containing one or more command responder and/or notification originator applications (along with their associated SNMP engine) has traditionally been called an SNMP agent

47 SNMP Traditional Agent

48 SNMP Process

49 SNMP Security Function (1) User-based security (RFC3414) – Encryption : DES (Data Encryption Standard) in CBC (Cipher Block Chaining) mode – Authentication :Combine the use of a hash function with a secret key to provide both authentication and protection against tampering :HMAC (Hashed Message Authentication Codes) [RFC2104] the HMAC-MD5-96 authentication protocol. the HMAC-SHA-96 authentication protocol.

50 SNMP Security Function (2) Protection against playback – The receiver requires that the sender include a value in each message that is based on a counter in the receiver. – This counter which functions as a nonce – RFC3414 for details Access Control : VBAC (View-Based Access Control) [RFC3415] – It Controls which network management information can be queried and/or set by which users. – An SNMP entity retains information about access rights and policies in a Local Configuration Datastore (LCD)

51 VBAC (View-Based Access Control) Access ‘s right will be given by – The read-view represents the set of object instances authorized for the group when reading objects. – The write-view represents the set of object instances authorized for the group when writing objects. – The notify-view represents the set of object instances authorized for the group when sending objects in a notification, such as when sending a notification

52 VBAC (View-Based Access Control)

Download ppt "SNMP V2 & V3 W.lilakiatsakun. SNMP V2 Protocol RFC 3416 3 types of access to management information – Manager–agent request-response – Manager-Manager."

Similar presentations

Chapter 6 SNMPv2 6-1 Network Management: Principles and Practice

Chapter 6 SNMPv2 6-1 Network Management: Principles and Practice
Chapter 19: Network Management Business Data Communications, 5e.

Chapter 19: Network Management Business Data Communications, 5e.
CIS 203 17 : Network Management. Introduction Network, associated resources and distributed applications indispensable Complex systems —More things can.

CIS : Network Management. Introduction Network, associated resources and distributed applications indispensable Complex systems —More things can.
Chapter 19: Network Management Business Data Communications, 4e.

Chapter 19: Network Management Business Data Communications, 4e.
Manajemen Jaringan dan Network Security Pertemuan 26 Matakuliah: H0484/Jaringan Komputer Tahun: 2007.

Manajemen Jaringan dan Network Security Pertemuan 26 Matakuliah: H0484/Jaringan Komputer Tahun: 2007.
1 ITC242 – Introduction to Data Communications Week 12 Topic 18 Chapter 19 Network Management.

1 ITC242 – Introduction to Data Communications Week 12 Topic 18 Chapter 19 Network Management.
TCP/IP Protocol Suite 1 Chapter 21 Upon completion you will be able to: Network Management: SNMP Understand the SNMP manager and the SNMP agent Understand.

TCP/IP Protocol Suite 1 Chapter 21 Upon completion you will be able to: Network Management: SNMP Understand the SNMP manager and the SNMP agent Understand.
SNMPv2 OVERVIEW: LIMITATIONS OF SNMPv1 HISTORY OF SNMPv2 HIERARCHIES SECURITY SNMPv2 PROTOCOL OPERATIONS TRANSPORT INDEPENDENCE RFCs Copyright © 2001 by.

SNMPv2 OVERVIEW: LIMITATIONS OF SNMPv1 HISTORY OF SNMPv2 HIERARCHIES SECURITY SNMPv2 PROTOCOL OPERATIONS TRANSPORT INDEPENDENCE RFCs Copyright © 2001 by.
MJ08-A/07041 Session 08 SNMP V3 Adapted from Network Management: Principles and Practice © Mani Subramanian 2000 and solely used for Network Management.

MJ08-A/07041 Session 08 SNMP V3 Adapted from Network Management: Principles and Practice © Mani Subramanian 2000 and solely used for Network Management.
Management Architecture and Standards II IACT 418 IACT 918 Corporate Network Planning Gene Awyzio Spring 2001.

Management Architecture and Standards II IACT 418 IACT 918 Corporate Network Planning Gene Awyzio Spring 2001.
CSEE W4140 Networking Laboratory Lecture 11: SNMP Jong Yul Kim 04.19.2010.

CSEE W4140 Networking Laboratory Lecture 11: SNMP Jong Yul Kim
Pertemuan 10 Perbedaan antar versi SNMP

Pertemuan 10 Perbedaan antar versi SNMP
NS-H0503-02/11041 SNMP. NS-H0503-02/11042 Outline Basic Concepts of SNMP SNMPv1 Community Facility SNMPv3 Recommended Reading and WEB Sites.

NS-H /11041 SNMP. NS-H /11042 Outline Basic Concepts of SNMP SNMPv1 Community Facility SNMPv3 Recommended Reading and WEB Sites.
1 SNMP Simple Network Management Protocol. 2 SNMP Overview Define mechanism for remote management of network devices (routers, bridges, etc.) Fundamental.

1 SNMP Simple Network Management Protocol. 2 SNMP Overview Define mechanism for remote management of network devices (routers, bridges, etc.) Fundamental.
1 Pertemuan 26 Manajemen Jaringan dan Network Security Matakuliah: H0174/Jaringan Komputer Tahun: 2006 Versi: 1/0.

1 Pertemuan 26 Manajemen Jaringan dan Network Security Matakuliah: H0174/Jaringan Komputer Tahun: 2006 Versi: 1/0.
This presentation is based on the slides listed in references.

This presentation is based on the slides listed in references.
EE579T/10 #1 Spring 2005 © 2000-2005, Richard A. Stanley EE579T Network Security 10: An Overview of SNMP Prof. Richard A. Stanley.

EE579T/10 #1 Spring 2005 © , Richard A. Stanley EE579T Network Security 10: An Overview of SNMP Prof. Richard A. Stanley.
COMP4690, by Dr Xiaowen Chu, HKBU

COMP4690, by Dr Xiaowen Chu, HKBU
EE579T/9 #1 Spring 2003 © 2000-2003, Richard A. Stanley EE579T Network Security 9: An Overview of SNMP Prof. Richard A. Stanley.

EE579T/9 #1 Spring 2003 © , Richard A. Stanley EE579T Network Security 9: An Overview of SNMP Prof. Richard A. Stanley.
1 Network Management and SNMP  What is Network Management?  ISO Network Management Model (FCAPS)  Network Management Architecture  SNMPv1 and SNMPv2.

1 Network Management and SNMP  What is Network Management?  ISO Network Management Model (FCAPS)  Network Management Architecture  SNMPv1 and SNMPv2.

Similar presentations

Ads by Google