
COMP4690, by Dr Xiaowen Chu, HKBU

Network Management

Chapter 3

SNMP and MIB

Outline

- SNMPv1: Simple Network Management Protocol
- SMI: Structure of Management Information
- MIB: Management Information Base
- SNMPv3

SNMPv1 Packet

An SNMPv1 packet has the form:

  Version | Community Name | Protocol Data Unit (PDU)

- Version: the version of SNMP; SNMPv1 is “0” in the version field
- Community name: acts like a password
  - The agent can control who can access what
  - Sent as plaintext, so not secure
  - Improved by SNMPv3

SNMPv1 PDU

SNMP has different types of packets, each with a different format. The PDU for Get-Request, Get-Next-Request and Set-Request has the fields:

  Request ID | Error Status | Error Index | VarBindList

- Request ID: an integer, like a sequence number
- Error status: the error code returned in the Get-Response
- Error index: an integer identifying the first variable in the VarBindList that caused the error

SNMPv1 PDU

Error status values:

- 0 = noError
- 1 = tooBig (PDU has too many bytes)
- 2 = noSuchName (no object with the requested name)
- 3 = badValue (invalid value for the PDU type)
- 4 = readOnly (incorrect implementation of SNMP)
- 5 = genErr (any other error)

SNMPv1 PDU

VarBindList: a list of (Variable ID, Variable Value) pairs:

  Variable ID | Variable Value

- Variable ID: Object Identifier of the variable, as defined in the SMI specification
- Variable Value: the actual value, which could be an integer, an IP address, etc.

SNMP Commands

SNMPv1 commands (numbered 0 thru 4):

- Get-Request: request value(s) from the agent's MIB
- Get-Next-Request: request the next MIB element (based on object identifier) in lexicographic order; can use this to “walk” the MIB tree
- Get-Response: response from the agent
- Set-Request: write a value in the agent's MIB
- Trap: unsolicited message from the agent, to inform the managing entity of exceptional events

SNMPv2 has two more commands:

- Get-Bulk-Request: get values in a large block of data
- Inform-Request: used by a managing entity to notify another managing entity of MIB information
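As an added example (not from the slides), the following Python models a toy agent so the lexicographic Get-Next order, the MIB walk and the noSuchName status can be exercised; the MIB contents are constructed sample values under the MIB-2 system, tcp and udp groups, and end-of-MIB is reported the SNMPv1 way, as noSuchName.

```python
# Constructed sample MIB for a toy agent: OID (tuple of integer arcs) -> value.
# Instances come from the MIB-2 system/tcp/udp groups; the values are made up.
MIB = {
    (1, 3, 6, 1, 2, 1, 1, 1, 0): "Lab router",   # sysDescr.0
    (1, 3, 6, 1, 2, 1, 1, 5, 0): "rtr-1",        # sysName.0
    (1, 3, 6, 1, 2, 1, 6, 1, 0): 2,              # tcpRtoAlgorithm.0
    (1, 3, 6, 1, 2, 1, 6, 9, 0): 3,              # tcpCurrEstab.0
    (1, 3, 6, 1, 2, 1, 6, 10, 0): 1234,          # tcpInSegs.0
    (1, 3, 6, 1, 2, 1, 7, 1, 0): 500,            # udpInDatagrams.0
}

NO_ERROR, NO_SUCH_NAME = 0, 2   # SNMPv1 error-status values from the slides

def parse_oid(text):
    return tuple(int(arc) for arc in text.split("."))

def fmt_oid(arcs):
    return ".".join(str(arc) for arc in arcs)

def get_request(oid):
    """Get-Request: exact lookup; a group node such as 1.3.6.1.2.1.6 has no value."""
    arcs = parse_oid(oid)
    if arcs in MIB:
        return NO_ERROR, oid, MIB[arcs]
    return NO_SUCH_NAME, oid, None

def get_next_request(oid):
    """Get-Next-Request: first object whose OID is lexicographically greater.
    Comparing tuples of integer arcs gives the right order (6.9.0 < 6.10.0);
    comparing dotted strings would wrongly put "6.10.0" before "6.9.0"."""
    arcs = parse_oid(oid)
    nxt = min((k for k in MIB if k > arcs), default=None)
    if nxt is None:                     # SNMPv1 signals end of MIB with noSuchName
        return NO_SUCH_NAME, oid, None
    return NO_ERROR, fmt_oid(nxt), MIB[nxt]

def walk(subtree):
    """Walk a subtree with repeated Get-Next-Requests, stopping when the
    returned OID leaves the subtree or the agent reports an error."""
    root = parse_oid(subtree)
    results, current = [], root
    while True:
        status, name, value = get_next_request(fmt_oid(current))
        current = parse_oid(name)
        if status != NO_ERROR or current[:len(root)] != root:
            return results
        results.append((name, value))
```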

SNMP Trap

The Trap PDU is of the form:

  Enterprise | Agent Address | Generic Trap Number | Specific Trap Number | Time Stamp | VarBindList

- Enterprise: Object Identifier of the device that created the trap message
- Agent address: IP address of the device
- Generic trap number: 7 categories
- Specific trap number: code number
- Time stamp: time since the device initialized
- VarBindList: same as defined previously

SMI & MIB

- The agent needs to find the “Variable Value” based on the “Variable ID”.
- It's better to define a data structure: an Object Identifier mapped to a value stored on a subsystem.
  - E.g., a NIC is a subsystem; its MAC address could be the desired value.

SMI & MIB

- Each object in the MIB has a name; groups of related objects are also defined
- Each object has a type, for example “integer”
- Types can be:
  - Simple: a single value
  - Constructed: multiple objects of simple type
- SMI: Structure of Management Information (RFC 1155), the language used to define MIBs

SMI

- The SMI specification uses a subset of Abstract Syntax Notation One (ASN.1) for the formal specification of MIB objects
- ASN.1 is used to specify:
  - Name of the object
  - Type of the object
  - Access: read, read-write, or not accessible
  - Brief description of the object

Data types of SMI (RFC 2578)

INTEGER, Integer32, Unsigned32, OCTET STRING, IpAddress, Counter32, Counter64, etc.

Higher-Level Constructs

OBJECT-TYPE: specifies the data type, status, and semantics of a managed object. Four clauses:

- SYNTAX: specifies the basic data type
- MAX-ACCESS: whether the object can be read, written, created, etc.
- STATUS: valid, obsolete, or deprecated
- DESCRIPTION: human-readable textual definition

Higher-Level Constructs

MODULE-IDENTITY: allows related objects to be grouped together within a “module”

- E.g., RFC 2012 defines the MIB module for TCP, RFC 2013 defines the MIB module for UDP, and RFC 2021 defines the MIB module for RMON

MIB: Management Information Base

- A virtual information store, holding managed objects whose values collectively reflect the current “state” of the network.
- The values may be queried and/or set by a managing entity using SNMP messages.
- Managed objects are specified using the OBJECT-TYPE SMI construct, and gathered into MIB modules using the MODULE-IDENTITY construct.

Object Identifier Tree

- 0 is the root
- Example: the Object ID of tcp is 1.3.6.1.2.1.6
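Added example, not from the slides: a minimal BER encoder in Python that produces the bytes an SNMPv1 Get-Request for tcpCurrEstab.0 (1.3.6.1.2.1.6.9.0, an instance under the tcp node above) puts on the wire, showing how the OID, version 0, community name and the PDU fields from the earlier slides are serialised; the community name and request id are constructed values, and the helper names are my own.

```python
def ber_length(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + ber_length(len(content)) + content

def encode_int(value):
    """INTEGER (tag 0x02): minimal two's-complement encoding."""
    size = 1
    while not -(1 << (8 * size - 1)) <= value < (1 << (8 * size - 1)):
        size += 1
    return tlv(0x02, value.to_bytes(size, "big", signed=True))

def encode_oid(dotted):
    """OBJECT IDENTIFIER (tag 0x06): the first two arcs merge into 40*x+y, and
    every arc is base-128 with the high bit set on all but its last octet."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        octets = [arc & 0x7F]
        arc >>= 7
        while arc:
            octets.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(octets))
    return tlv(0x06, bytes(body))

def decode_oid(data):
    """Inverse of encode_oid for one OID TLV with a short-form length."""
    assert data[0] == 0x06 and data[1] < 0x80
    arcs, acc = [], 0
    for octet in data[2:2 + data[1]]:
        acc = (acc << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(acc)
            acc = 0
    first = [2, arcs[0] - 80] if arcs[0] >= 80 else list(divmod(arcs[0], 40))
    return ".".join(str(a) for a in first + arcs[1:])

def build_get_request(community, oid, request_id):
    """SNMPv1 message: SEQUENCE { version 0, community, GetRequest-PDU [0xA0] }.
    The PDU holds request-id, error-status 0, error-index 0 and a VarBindList
    with one (OID, NULL) pair; the agent supplies the value in its response."""
    varbind_list = tlv(0x30, tlv(0x30, encode_oid(oid) + b"\x05\x00"))
    pdu = tlv(0xA0, encode_int(request_id) + encode_int(0) + encode_int(0) + varbind_list)
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)
```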

Object Identifier Tree

- MIB objects are identified as on the previous slide
- The tree can be arbitrarily deep
- MIB-2 is defined with 10 groups: system, interfaces, address translation, IP, ICMP, TCP, UDP, EGP, transmission, SNMP
- 13 more groups (extensions) were added later
- A group can contain many objects, and these objects can be of “constructed” type

Proprietary MIBs and RMON

- If there are not enough groups in MIB-2, one can create a proprietary MIB
- Proprietary MIBs are listed under enterprise; enterprise is a sub-node of private (4)
- RMON: Remote Monitoring Standard
  - An extension of MIB-2
  - Deals with traffic on a network segment

Security

- We mentioned previously the SNMP method of authentication: a community name acts like a password, and more than one management station may have access
- Authorization is also a concern: assuming that you have access, what are you allowed to do?

Security

SNMP security features:

  Authentication: Community Name
  Authorization (Rights): SNMP Access Mode (Read-Only / Read-Write)
  MIB Access: read-only, read-write, write-only, not-accessible
  MIB View: Object 1, Object 2, ..., Object N

SNMP community profile:

- Access mode specifies the type of access
- MIB view specifies access or not
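Added example, not from the slides: a Python model of the community profile above, combining the community's access mode, its MIB view and each object's MAX-ACCESS to decide whether a Get or Set is permitted; the community names, profiles and object table are constructed, and the helper names are my own.

```python
from dataclasses import dataclass

NO_ERROR, NO_SUCH_NAME = "noError (0)", "noSuchName (2)"

# MAX-ACCESS of each object instance, as declared in its OBJECT-TYPE definition.
# Constructed table; the OIDs are MIB-2 system and tcp group instances.
OBJECT_ACCESS = {
    "1.3.6.1.2.1.1.1.0": "read-only",     # sysDescr.0
    "1.3.6.1.2.1.1.5.0": "read-write",    # sysName.0
    "1.3.6.1.2.1.6.9.0": "read-only",     # tcpCurrEstab.0
}

@dataclass(frozen=True)
class CommunityProfile:
    access_mode: str        # SNMP access mode: "read-only" or "read-write"
    mib_view: tuple         # subtrees (dotted OID prefixes) this community may see

# Constructed profiles: a read-only community limited to the system group, and a
# read-write community that can also see the tcp group.
PROFILES = {
    "public": CommunityProfile("read-only", ("1.3.6.1.2.1.1",)),
    "netops": CommunityProfile("read-write", ("1.3.6.1.2.1.1", "1.3.6.1.2.1.6")),
}

def in_view(oid, view):
    # The trailing "." keeps 1.3.6.1.2.1.10 from matching the prefix 1.3.6.1.2.1.1
    return any(oid == sub or oid.startswith(sub + ".") for sub in view)

def authorize(profiles, community, operation, oid):
    """Decide whether a Get ('get') or Set ('set') on oid is permitted.
    Returns (allowed, outcome): the SNMPv1 error status the agent would answer
    with, or a note that the message is discarded without any response."""
    profile = profiles.get(community)
    if profile is None:            # authentication: unknown community name
        return False, "authentication failed, message discarded"
    if not in_view(oid, profile.mib_view):
        return False, NO_SUCH_NAME + ": object outside the MIB view"
    max_access = OBJECT_ACCESS.get(oid, "not-accessible")
    if operation == "get":
        if max_access in ("read-only", "read-write"):
            return True, NO_ERROR
        return False, NO_SUCH_NAME + ": object is " + max_access
    if operation == "set":
        if profile.access_mode != "read-write":
            return False, NO_SUCH_NAME + ": community access mode is read-only"
        if max_access in ("read-write", "write-only"):
            return True, NO_ERROR
        return False, NO_SUCH_NAME + ": object MAX-ACCESS is " + max_access
    raise ValueError("operation must be 'get' or 'set'")
```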

SNMPv3

- SNMPv3 can be thought of as SNMPv2 with additional security and administration capabilities.
- SNMP applications:
  - Command generator: generates GetRequest, GetNextRequest, SetRequest, etc.
  - Notification generator: generates Traps
  - Proxy forwarder: forwards requests, notifications, and responses

SNMPv3

- A PDU sent by an SNMP application next passes through the SNMP Engine.
- A security module is provided by SNMPv3:
  - User-based security (RFC 3414): encryption, authentication, and protection against playback attacks
  - Access control (RFC 3415)
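Added example, not from the slides: the three user-based security pieces named above as RFC 3414 defines them, in Python: password-to-key localisation (Appendix A.2), HMAC-96 message authentication (section 6), and the timeliness window that rejects replayed messages (section 2.2.3). The password "maplesyrup" and engine ID are the test values from the RFC's Appendix A.3; the helper names are my own.

```python
import hashlib
import hmac

def localize_key(password: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated to fill 1 MiB), then
    Kul = H(Ku || snmpEngineID || Ku). Localisation means each agent holds a
    different key, so one agent's key does not reveal the shared password's
    key for another agent."""
    one_mib = 1_048_576
    stream = (password * (one_mib // len(password) + 1))[:one_mib]
    ku = hashlib.new(algo, stream).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()

def auth_params(kul: bytes, whole_msg: bytes, algo: str = "md5") -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: the first 12 octets of the HMAC over the
    whole message (with msgAuthenticationParameters zeroed by the caller)."""
    return hmac.new(kul, whole_msg, algo).digest()[:12]

def verify_auth(kul: bytes, whole_msg: bytes, received: bytes, algo: str = "md5") -> bool:
    return hmac.compare_digest(auth_params(kul, whole_msg, algo), received)

TIME_WINDOW = 150   # seconds, RFC 3414 section 2.2.3

def is_timely(msg_boots: int, msg_time: int, engine_boots: int, engine_time: int) -> bool:
    """Authoritative-engine check (RFC 3414 3.2, step 7): accept only a message
    carrying the current snmpEngineBoots and a time within 150 s of
    snmpEngineTime; anything else is treated as a possible replay."""
    if engine_boots == 2**31 - 1:     # boots counter latched: nothing is timely
        return False
    return msg_boots == engine_boots and abs(msg_time - engine_time) <= TIME_WINDOW

# RFC 3414 Appendix A.3 test inputs
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
```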


SNMPv3