RMON (alarms and filtering)


RMON2
• RFC 4502 (obsoletes RFC 2021)
• Remote monitors are often called “monitors” or “probes”
• Decodes packets at layers 3 through 7 of the OSI model
– An RMON probe can monitor traffic on the basis of network-layer protocol
– The probe can record traffic to and from hosts for particular applications
Network layer Visibility
• The network manager can answer these questions:
– If there is excessive load on the LAN due to incoming router traffic, what networks or hosts account for the bulk of incoming traffic?
– If a router is overloaded because of a high amount of outgoing traffic, what networks or hosts account for the bulk of outgoing traffic, or to what destination networks or hosts is that traffic directed?
– If there is a high load of pass-through traffic (arriving via one router and departing via another router), what networks or hosts are responsible for the bulk of this traffic?
Application Level Visibility
• An RMON2 probe is capable of seeing above the IP layer by reading the enclosed higher-level headers, such as TCP/UDP, and viewing the headers at the application protocol level
• This information is useful in controlling load and maintaining performance
– An NMS can be implemented that generates charts and graphs depicting traffic percentage by protocol or by application
RMON MIB (1&2)
RMON2 MIB (1)
• protocol directory – a master directory of all protocols that the probe can interpret
• protocol distribution – aggregate statistics on the amount of traffic generated by each protocol per LAN segment
• address map – matches each network address to a specific MAC-level address and port on an attached device and the physical address on this subnetwork
• network-layer host – statistics on the amount of traffic into and out of hosts on the basis of network-layer address
RMON2 MIB (2)
• network-layer matrix – statistics on the amount of traffic between pairs of hosts on the basis of network-layer address
• application-layer host – statistics on the amount of traffic into and out of hosts on the basis of application-level address
• application-layer matrix – statistics on the amount of traffic between pairs of hosts on the basis of application-level address
RMON2 MIB (3)
• User history collection – periodically samples user-specified variables and logs that data based on user-defined parameters
– Ex. Collect data on a router-to-router connection
• Probe configuration – defines standard configuration parameters for RMON probes
– To solve interoperability problems
New features in RMON2 (1)
• Indexing with external objects
– Reduces the number of control index objects carried in a data table
– Accessing an instance of a data entry in RMON1 vs. RMON2:
• RMON1: Rm1datavalue.Rm1controlindex.Rm1dataindex
– Rm1datavalue.2.89
– 2 – Rm1controlindex / 89 – Rm1dataindex
• RMON2: Rm2datavalue.X.Rm2dataindex
– X – the value of an index object defined outside the data table (an external object) that selects the set of data rows belonging to the Xth control row
– Rm2datavalue.2.89
– 2 – external object / 89 – Rm2dataindex
New features in RMON2 (2)
• Time filtering indexing
– Typically, a network management application periodically polls all probes for the values of objects
– It is desirable to have the probe return values only for those objects whose values have changed since the last poll
– There is no direct way to do this in SNMP, but RMON2 has a mechanism
Example of time filtering
fooTable (1)
  fooEntry (1)
    fooTimeMark (1)
    fooIndex (2)
    fooCount (3)
EX1. Time filtering (1)
• Suppose fooTable has two values of fooIndex: 1 and 2
– Without fooTimeMark, a management station can see only the two counters
– With fooTimeMark, it is possible to request the values of these counters only if they have been updated since a given time
EX1. Time filtering (2)
• For example, the current values are:
– The counter associated with fooIndex=1 is 5 and was most recently updated at time 6
– The counter associated with fooIndex=2 is 9 and was most recently updated at time 8
– Then, at time 10, a manager issues the request
• GetRequest(fooCounts.7.1, fooCounts.7.2)
• to get the values updated since time 7
• The agent responds with only fooCounts.7.2=9; fooCounts.7.1 is omitted because its counter was last updated at time 6, before the filter time
EX2. Time Filtering (1)
EX2. Time Filtering (2)
• Assume that basic row 1 (fooIndex=1) was updated as follows:
sysUpTime   fooCount.*.1 value
500         1
900         2
2300        3
EX2. Time Filtering (3)
• Assume that basic row 2 (fooIndex=2) was updated as follows:
sysUpTime   fooCount.*.2 value
1100        1
1400        2
EX2. Time Filtering (4)
• A manager station polls a probe every 15 seconds (the NMS clock, nms, records time in hundredths of a second)
1. At nms=1000, the manager does the baseline poll to get everything since the last agent restart (TimeFilter=0)
GetRequest(sysUpTime.0, fooCounts.0.1, fooCounts.0.2)
Response(sysUpTime.0=600, fooCounts.0.1=1, fooCounts.0.2=0)
2. At nms=2500 (15 seconds later), the manager gets an update on all changes since the last report (agent time=600)
GetRequest(sysUpTime.0, fooCounts.600.1, fooCounts.600.2)
Response(sysUpTime.0=2100, fooCounts.600.1=2, fooCounts.600.2=2)
EX2. Time Filtering (5)
The agent received the request at a local time of 2100; counter 1 was incremented at time 900 and counter 2 was incremented at 1100 and 1400
3. At nms=4000, the manager gets an update on all changes since the last report (agent time=2100)
GetRequest(sysUpTime.0, fooCounts.2100.1, fooCounts.2100.2)
Response(sysUpTime.0=3600, fooCounts.2100.1=3)
Counter 1 was incremented at time 2300; counter 2 has not changed since 2100, so no value is returned for it
EX2. Time Filtering (6)
4. At nms=5500, the manager gets an update on all changes since the last report (agent time=3600)
GetRequest(sysUpTime.0, fooCounts.3600.1, fooCounts.3600.2)
Response(sysUpTime.0=5500)
Neither counter has been updated since time 3600, so no value is returned
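The TimeFilter behaviour worked through in EX1 and EX2 above, as an added Python model that is not part of the slides or of RFC 4502. The agent clock offset (agent sysUpTime = nms - 400) is a constructed assumption chosen to reproduce the 600/2100/3600 values; the row update history is the one from the EX2 tables.

```python
# Added example: a minimal model of RMON2 TimeFilter indexing.  An agent keeps
# per-row counters plus the sysUpTime of each row's last update, and a GET on
# fooCounts.<TimeFilter>.<fooIndex> returns only rows updated at or after the
# filter time.  Times are in hundredths of a second, as in the slides.
from dataclasses import dataclass


@dataclass
class FooRow:
    """One basic row of fooTable: a counter and the sysUpTime of its last update."""
    foo_index: int
    foo_counts: int = 0
    last_update: int = 0  # a row counts as updated at agent restart (time 0)

    def increment(self, now: int) -> None:
        self.foo_counts += 1
        self.last_update = now


class FooAgent:
    """Agent side: the rows plus a sysUpTime clock; answers TimeFilter GETs."""

    def __init__(self, rows):
        self.rows = {r.foo_index: r for r in rows}
        self.sys_uptime = 0

    def advance_to(self, t: int, updates) -> None:
        """Move the clock to t, applying the (time, fooIndex) increments that fall in between."""
        for when, idx in sorted(updates):
            if self.sys_uptime < when <= t:
                self.rows[idx].increment(when)
        self.sys_uptime = t

    def get(self, time_filter: int, indices):
        """GetRequest(sysUpTime.0, fooCounts.<time_filter>.<i> ...).

        Returns the agent clock and only the instances whose row was updated
        at or after time_filter; unchanged rows are simply omitted, which is
        how the agent signals 'nothing new' without returning a value.
        """
        changed = {
            f"fooCounts.{time_filter}.{i}": self.rows[i].foo_counts
            for i in indices
            if self.rows[i].last_update >= time_filter
        }
        return self.sys_uptime, changed


# Update history from the EX2 tables: (sysUpTime, fooIndex)
UPDATES = [(500, 1), (900, 1), (2300, 1), (1100, 2), (1400, 2)]


def run_ex2_polls():
    """Replay the four manager polls of EX2; returns one (sysUpTime, values) pair per poll."""
    agent = FooAgent([FooRow(1), FooRow(2)])
    responses = []
    time_filter = 0  # baseline poll: everything since the agent restarted
    for nms in (1000, 2500, 4000, 5500):
        agent.advance_to(nms - 400, UPDATES)  # constructed clock offset (assumption)
        sys_uptime, values = agent.get(time_filter, (1, 2))
        responses.append((sys_uptime, values))
        time_filter = sys_uptime  # next poll asks only for changes since this report
    return responses
```

With the constructed clock the fourth poll answers sysUpTime.0=5100 and no counters, the same "nothing changed" outcome the slide shows.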
Protocol Directory Group
• It provides a single central point for storing information about the types of protocols
• One entry in the table for each protocol for which the probe can decode and count protocol data units (PDUs)
• One scalar object
– protocolDirLastChange, which contains the time of the last table change
• One columnar object (table)
– protocolDirTable
– The table covers MAC, network and higher-layer protocols
protocolDirTable
• Fig 10.5
Protocol identification
• The protocolDirID object contains a unique octet string for a specific protocol.
• Octet string identifiers for protocols are arranged in a tree-structured hierarchy.
– Each layer is identified by a 32-bit value encoded in dotted decimal format [a.b.c.d]
– Ex. Ethernet is hexadecimal 1, encoded as [0.0.0.1] and referred to symbolically as ether2
Protocol Assignments
• Each layer is identified by a 32-bit number (four octets)
• For MAC-level protocols
– ether2 = 1 [0.0.0.1]
– llc = 2 [0.0.0.2]
– snap = 3 [0.0.0.3]
– vsnap = 4 [0.0.0.4]
– ianaAssigned = 5 [0.0.0.5]
• Identification at higher layers
– network layer: use the type field of the Ethernet frame (IP = 0x0800 = 0.0.8.0)
– transport layer: use the protocol field of the IP header (UDP = 17 = 0.0.0.17)
– application layer: use the port field of the UDP/TCP header (SNMP = 161 = 0.0.0.161)
Entry in protocolDirEntry (1)
• Ex. Identification of SNMP running over UDP/IP on Ethernet
– 16.0.0.0.1.0.0.8.0.0.0.0.17.0.0.0.161
– 16: the number of octets to follow
• So, for the previous example, the probe is capable of
– interpreting all incoming Ethernet frames
– looking past the Ethernet header and trailer and interpreting the encapsulated IP datagram
– looking past the IP header and interpreting the encapsulated UDP segment
– looking past the UDP header and interpreting the encapsulated SNMP PDU
Entry in protocolDirEntry (2)
• A separate entry is needed for each protocol that the probe can interpret and count
• So four entries (protocolDirEntry rows) are needed, and their protocolDirID values would be
– ether2 (4.0.0.0.1)
– ether2.ip (8.0.0.0.1.0.0.8.0)
– ether2.ip.udp (12.0.0.0.1.0.0.8.0.0.0.0.17)
– ether2.ip.udp.snmp (16.0.0.0.1.0.0.8.0.0.0.0.17.0.0.0.161)
Format of index values for protocolDirTable
Protocol parameter (1)
• The second index object for protocolDirTable is protocolDirParameters
• This object instance contains information about the probe's capability with respect to a particular protocol
• The value is structured as a one-octet count field followed by N parameter octets, one for each protocol layer in protocolDirID
• Each bit in a parameter octet is encoded separately to define a particular capability
Protocol parameter (2)
• The 2 least significant bits are reserved for all protocols
– countsFragments (bit 0): higher-layer protocols encapsulated within this protocol will be counted correctly even if this protocol fragments the upper-layer PDUs into multiple fragments
– tracksSessions (bit 1): correctly attributes all packets of a port-mapped protocol, that is, a protocol that starts a session on a well-known port or socket and then transfers it to dynamically assigned ports or sockets for the duration of the session
• Example of such a protocol: TFTP (Trivial File Transfer Protocol)
Protocol parameter (3)
• For SNMP running over UDP/IP/Ethernet, with countsFragments set on the ip layer (protocols above IP are counted correctly even when IP fragments them), the encoding of the two index objects (protocolDirID, protocolDirParameters) is
16.0.0.0.1.0.0.8.0.0.0.0.17.0.0.0.161.4.0.1.0.0
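An encoder and a checking decoder for the protocolDirID and protocolDirParameters index values described above, added here as an example (not code from the slides or from RFC 4502). The layer numbers are the ones the slides give (ether2 = 1, IP ethertype 0x0800, UDP protocol 17, SNMP port 161); the function names are my own.

```python
# Added example: build and parse protocolDirTable index values.  Each layer is
# a 32-bit number rendered as four dotted-decimal octets; the protocolDirID
# index is the octet count followed by the octets, and protocolDirParameters
# is a count followed by one parameter octet per layer.

LAYER_IDS = {"ether2": 1, "ip": 0x0800, "udp": 17, "snmp": 161}

# protocolDirParameters bits reserved for every protocol
COUNTS_FRAGMENTS = 1 << 0
TRACKS_SESSIONS = 1 << 1


def layer_octets(value: int) -> list[int]:
    """Split a 32-bit layer identifier into four big-endian octets, e.g. 0x0800 -> [0, 0, 8, 0]."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"layer id out of range: {value}")
    return [(value >> shift) & 0xFF for shift in (24, 16, 8, 0)]


def encode_protocol_dir_id(layers: list[str]) -> str:
    """protocolDirID index for a protocol stack such as ['ether2', 'ip', 'udp', 'snmp']."""
    octets = [o for name in layers for o in layer_octets(LAYER_IDS[name])]
    return ".".join(str(x) for x in [len(octets), *octets])


def encode_protocol_dir_params(params: list[int]) -> str:
    """protocolDirParameters index: one-octet count, then one parameter octet per layer."""
    if any(not 0 <= p <= 0xFF for p in params):
        raise ValueError("parameter octets must fit in one byte")
    return ".".join(str(x) for x in [len(params), *params])


def encode_index(layers: list[str], params: list[int]) -> str:
    """Both index objects concatenated as they appear in an OID instance."""
    if len(params) != len(layers):
        raise ValueError("one parameter octet is required per protocol layer")
    return encode_protocol_dir_id(layers) + "." + encode_protocol_dir_params(params)


def decode_protocol_dir_id(index: str) -> list[int]:
    """Parse a protocolDirID index back into layer identifiers, checking the length prefix."""
    parts = [int(p) for p in index.split(".")]
    count, octets = parts[0], parts[1:]
    if count != len(octets):
        raise ValueError(f"length prefix {count} does not match {len(octets)} octets")
    if count % 4:
        raise ValueError("protocolDirID must hold whole 32-bit layer identifiers")
    return [int.from_bytes(bytes(octets[i:i + 4]), "big") for i in range(0, count, 4)]


def is_valid_protocol_dir_id(index: str) -> bool:
    """True when the index parses cleanly; a length/octet mismatch (a common hand-typing slip) fails."""
    try:
        decode_protocol_dir_id(index)
        return True
    except ValueError:
        return False


def decode_index(index: str) -> tuple[list[int], list[int]]:
    """Split a combined (protocolDirID, protocolDirParameters) instance into both parts."""
    parts = [int(p) for p in index.split(".")]
    id_len = parts[0]
    id_part, rest = parts[:id_len + 1], parts[id_len + 1:]
    if not rest or rest[0] != len(rest) - 1:
        raise ValueError("malformed protocolDirParameters after protocolDirID")
    return decode_protocol_dir_id(".".join(map(str, id_part))), rest[1:]
```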
Protocol Directory Table (1)
• protocolDirType: this object describes 2 attributes of this protocol directory entry.
• SYNTAX – BITS {extensible(0), addressRecognitionCapable(1)}
Protocol Directory Table (2)
• protocolDirType
– extensible(0): if set, the agent or manager may extend this table by creating entries that are children of this protocol
• An example of an entry that will often allow extensibility is 'ip.udp'. The probe may automatically populate some children of this node, such as 'ip.udp.snmp' and 'ip.udp.dns'.
– addressRecognitionCapable(1): if this bit is set, the agent will recognize network-layer addresses for this protocol and populate the network- and application-layer host and matrix tables with these protocols.
Protocol Directory Table (3)
• protocolDirAddressMapConfig
• SYNTAX – INTEGER {notSupported(1), supportedOff(2), supportedOn(3)}
• This object describes and configures the probe's support for address mapping for this protocol.
– notSupported(1): the probe is not capable of performing address mapping for this protocol
– If capable, the value may be set to supportedOff(2) or supportedOn(3)
Protocol Directory Table (4)
• protocolDirHostConfig
• SYNTAX – INTEGER {notSupported(1), supportedOff(2), supportedOn(3)}
• This object describes and configures the probe's support for the network-layer and application-layer host tables for this protocol.
– If the value of this object is notSupported(1), the probe will not track the nlHostTable or alHostTable for this protocol
– If the value of this object is supportedOn(3), the probe supports tracking of the nlHostTable and alHostTable for this protocol and is configured to track both tables for this protocol for all control entries and all interfaces.
Protocol Directory Table (5)
• protocolDirMatrixConfig
• SYNTAX – INTEGER {notSupported(1), supportedOff(2), supportedOn(3)}
• This object describes and configures the probe's support for the network-layer and application-layer matrix tables for this protocol.
– If the value of this object is notSupported(1), the probe will not track either of the nlMatrixTables or the alMatrixTables
– If the value of this object is supportedOn(3), the probe supports tracking of both of the nlMatrixTables and (if implemented) both of the alMatrixTables for this protocol and is configured to track these tables for this protocol for all control entries and all interfaces.
Protocol Distribution Group (1)
• It summarizes how many octets and packets have been sent from each of the supported protocols
• protocolDistControlTable – controls collection of basic statistics for all supported protocols
• protocolDistStatsTable – records the data
Protocol Distribution Group (2)
• Each row in protocolDistControlTable refers to a unique network interface for this probe and controls a number of rows of protocolDistStatsTable, one for each protocol recognized on that interface
Protocol Distribution Group (3)
• protocolDistControlTable consists of
– protocolDistControlIndex: an integer that uniquely identifies a row in the protocolDistControlTable
– protocolDistControlDataSource: identifies the interface that is the source of the data for this row
– protocolDistControlDroppedFrames: total number of received frames for this interface that the probe chose not to count (out of resources)
– protocolDistControlCreateTime: the value of sysUpTime when this control entry was activated
Protocol Distribution Group (4)
• The protocolDistStatsTable includes one row for each protocol in protocolDirTable for which at least one packet has been seen
• It is indexed by protocolDistControlIndex and by protocolDirLocalIndex
Protocol Distribution Group (5)
• protocolDistStatsTable consists of
– protocolDistStatsPkts: the number of packets received for this protocol
– protocolDistStatsOctets: the number of octets in packets received for this protocol
Address Map Group (1)
• It matches each network address to a specific MAC-level address
• It is helpful in node discovery and network topology applications for pinpointing the specific path of the network traffic
• 3 scalar objects, one control table (addressMapControlTable) and one data table (addressMapTable)
Address Map Group (1)
• The 3 scalar objects are
– addressMapInserts: the number of times an address-mapping entry has been inserted into the data table
– addressMapDeletes: the number of times an address-mapping entry has been deleted from the data table
– addressMapMaxDesiredEntries: the desired maximum number of entries in addressMapTable (if this value is set to -1, the probe may create any number of entries in addressMapTable)
Current data table size = addressMapInserts - addressMapDeletes
Address Map Group (2)
• The addressMapControlTable consists of
– addressMapControlIndex: an integer that uniquely identifies a row in the addressMapControlTable
– addressMapControlDataSource: identifies the interface that is the source of the data for this row and that this row is configured to analyze
– addressMapControlDroppedFrames: total number of received frames for this interface that the probe chose not to count (out of resources)
Address Map Group (3)
• The addressMapTable collects address mappings based on the source MAC and network addresses seen in error-free MAC frames
• The table will create entries for all protocols in the protocol directory table whose value of protocolDirAddressMapConfig is equal to supportedOn(3)
Address Map Group (4)
• The addressMapTable consists of
– addressMapTimeMark: a time filter for this entry
– addressMapNetworkAddress: the network address for this entry
– addressMapSource: the interface on which the associated network address was last seen
– addressMapPhysicalAddress: the last source MAC address with which the associated network address was seen
– addressMapLastChange: the value of sysUpTime at the time this entry was most recently updated
Network-layer Host Group (1)
• The nlHost group enables users to decode packets based on their network-layer address
• This group consists of 2 tables
– nlHostControlTable: control table
– nlHostTable: data table
Network-layer Host Group (2)
• Each row in the control table refers to a unique interface of the monitor
• nlHostControlTable
– nlHostControlIndex: an integer that uniquely identifies a row in the nlHostControlTable
– nlHostControlDataSource: identifies the interface that is the source of the data for the data table entries defined by this row
– nlHostControlNlDroppedFrames: total number of received frames for this interface that the probe chose not to count for the associated nlHost entries
Network-layer Host Group (3)
– nlHostControlNlInserts: the number of times an nlHost entry has been inserted into the nlHostTable data table
– nlHostControlNlDeletes: the number of times an nlHost entry has been deleted from the nlHostTable data table
– nlHostControlNlMaxDesiredEntries: the desired maximum number of entries in nlHostTable
Network-layer Host Group (4)
– nlHostControlAlDroppedFrames: total number of received frames for this interface that the probe chose not to count for the associated alHost entries
– nlHostControlAlInserts: the number of times an alHost entry has been inserted into the alHostTable data table
– nlHostControlAlDeletes: the number of times an alHost entry has been deleted from the alHostTable data table
– nlHostControlAlMaxDesiredEntries: the desired maximum number of entries in alHostTable
Network-layer Host Group (5)
• nlHostTable will create entries for all network-layer protocols in the protocol directory table whose value of protocolDirHostConfig is equal to supportedOn(3)
• nlHostTable
– nlHostTimeMark: a time filter for this entry
– nlHostAddress: the network address for this entry
– nlHostInPackets: the number of error-free packets transmitted to this address since it was added to the table
Network-layer Host Group (6)
– nlHostOutPackets: the number of error-free packets transmitted from this address since it was added to the table
– nlHostInOctets: the number of octets (in error-free packets) transmitted to this address since it was added to the table
– nlHostOutOctets: the number of octets (in error-free packets) transmitted from this address since it was added to the table
Network-layer Host Group (7)
– nlHostCreateTime: the value of sysUpTime when this control entry was activated
– nlHostOutMacNonUnicastPkts: the number of packets transmitted by this address that were directed to the MAC broadcast address or to any MAC multicast address since this entry was added to the table
Network-layer Host Group (7)
• nlHostTable is indexed by four objects:
– nlHostControlIndex: defines the interface
– nlHostTimeMark: a time filter
– protocolDirLocalIndex: the identity of the protocol
– nlHostAddress: the network address
Application-Layer Host Group (1)
• The nlHostControlTable also controls alHostTable
• alHostTable is the only table in the application-layer host group
• alHostTable will create entries for all application-level protocols in the protocol directory table whose value of protocolDirHostConfig is equal to supportedOn(3)
Application-Layer Host Group (2)
• alHostTable
– alHostTimeMark: a time filter for this entry
– alHostInPackets: the number of error-free packets of this protocol type transmitted to this address since it was added to the table
– alHostOutPackets: the number of error-free packets of this protocol type transmitted from this address since it was added to the table
Application-Layer Host Group (3)
– alHostInOctets: the number of octets (in error-free packets) of this protocol type transmitted to this address since it was added to the table
– alHostOutOctets: the number of octets (in error-free packets) of this protocol type transmitted from this address since it was added to the table
– alHostCreateTime: the value of sysUpTime when this control entry was activated
Application-Layer Host Group (4)
• alHostTable is indexed by five objects:
– nlHostControlIndex: defines the interface
– alHostTimeMark: a time filter
– protocolDirLocalIndex: the identity of the network-layer protocol
– nlHostAddress: the network address
– protocolDirLocalIndex: the identity of the application-layer protocol
Network Layer Matrix Group (1)
• It gathers statistics based on source and destination network-layer address
• The network-layer statistics consist of one control table and 2 data tables
– nlMatrixControlTable: control table for both the network-layer matrix group and the application-layer matrix group
– nlMatrixSDTable: stores statistics on traffic from a particular source network-layer address to a number of destinations
– nlMatrixDSTable: stores statistics on traffic to a particular destination network-layer address from a number of sources
Network Layer Matrix Group (2)
• The nlMatrixSDTable is indexed by
– the row of nlMatrixControlTable that controls it, then
– a time filter: nlMatrixSDTimeMark, then
– the network-layer protocol: protocolDirLocalIndex, then
– the network-layer source address: nlMatrixSDSourceAddress, then
– the network-layer destination address: nlMatrixSDDestAddress
Network Layer Matrix Group (3)
• The nlMatrixDSTable is indexed by
– the row of nlMatrixControlTable that controls it, then
– a time filter: nlMatrixDSTimeMark, then
– the network-layer protocol: protocolDirLocalIndex, then
– the network-layer destination address: nlMatrixDSDestAddress, then
– the network-layer source address: nlMatrixDSSourceAddress
Network-Layer TopN Statistics (1)
• To determine which pairs of hosts rank in the top N according to some metric
• One control table and one data table
– nlMatrixTopNControlTable
– nlMatrixTopNTable
Network-Layer TopN Statistics (2)
• nlMatrixTopNControlTable
– nlMatrixTopNRateBase: specifies one of two variables (nlMatrixTopNPackets(1) / nlMatrixTopNOctets(2))
– nlMatrixTopNRequestedSize: the maximum number of matrix entries requested for the topN table
Network-Layer TopN Statistics (3)
• nlMatrixTopNTable
– nlMatrixTopNPktRate – the number of packets seen from source host to destination host during this sampling interval
– nlMatrixTopNReversePktRate – same as above (but destination to source)
– nlMatrixTopNOctetRate – the number of octets seen from source host to destination host during this sampling interval
– nlMatrixTopNReverseOctetRate – same as above (but destination to source)
Network-Layer TopN Statistics (4)
• The nlMatrixTopNTable is indexed by
– nlMatrixTopNControlIndex
– nlMatrixTopNIndex
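An added Python example (not from the slides or RFC 4502) that builds nlMatrixSDTable/nlMatrixDSTable style counters from constructed packet records and derives a TopN report the way the nlMatrixTopN tables above describe it: ranked by the rate base from the control row and cut to the requested size, with forward and reverse packet and octet counts per pair. The addresses, packet sizes, the protocolDirLocalIndex for ip (2) and the control index (1) are all made-up assumptions, and the whole record list is treated as one sampling interval.

```python
# Added example: network-layer matrix and TopN bookkeeping over constructed traffic.
IP_PROTO_LOCAL_INDEX = 2   # assumed protocolDirLocalIndex for ip
CONTROL_INDEX = 1          # assumed nlMatrixControlIndex (one monitored interface)

# Constructed traffic records: (sysUpTime, source address, destination address, octets)
PACKETS = [
    (100, "10.0.0.1", "10.0.0.2", 1500),
    (120, "10.0.0.2", "10.0.0.1", 60),
    (150, "10.0.0.1", "10.0.0.3", 500),
    (200, "10.0.0.3", "10.0.0.1", 500),
    (210, "10.0.0.1", "10.0.0.2", 1500),
    (300, "10.0.0.4", "10.0.0.2", 64),
    (310, "10.0.0.4", "10.0.0.2", 64),
    (320, "10.0.0.4", "10.0.0.2", 64),
]


def build_matrix_tables(packets):
    """Return (sd, ds) dicts mirroring nlMatrixSDTable and nlMatrixDSTable.

    sd is keyed (controlIndex, protocol, src, dst); ds is keyed with dst before
    src, which is the index order the slides give.  Each row carries pkts,
    octets and a timeMark (sysUpTime of the last update) so a TimeFilter poll
    can skip rows that did not change.
    """
    sd, ds = {}, {}
    for when, src, dst, octets in packets:
        sd_key = (CONTROL_INDEX, IP_PROTO_LOCAL_INDEX, src, dst)
        ds_key = (CONTROL_INDEX, IP_PROTO_LOCAL_INDEX, dst, src)
        for table, key in ((sd, sd_key), (ds, ds_key)):
            row = table.setdefault(key, {"pkts": 0, "octets": 0, "timeMark": 0})
            row["pkts"] += 1
            row["octets"] += octets
            row["timeMark"] = when
    return sd, ds


def top_n(sd, rate_base="nlMatrixTopNOctets", requested_size=2):
    """Rank source/destination pairs like nlMatrixTopNTable.

    rate_base plays the role of nlMatrixTopNRateBase and requested_size of
    nlMatrixTopNRequestedSize.  Each report row carries the four rate objects
    from the slides; the reverse values come from the mirror-image sd row.
    """
    if rate_base not in ("nlMatrixTopNPackets", "nlMatrixTopNOctets"):
        raise ValueError(f"unknown nlMatrixTopNRateBase: {rate_base}")
    rows = []
    for (ctl, proto, src, dst), fwd in sd.items():
        rev = sd.get((ctl, proto, dst, src), {"pkts": 0, "octets": 0})
        rows.append({
            "src": src, "dst": dst,
            "nlMatrixTopNPktRate": fwd["pkts"],
            "nlMatrixTopNReversePktRate": rev["pkts"],
            "nlMatrixTopNOctetRate": fwd["octets"],
            "nlMatrixTopNReverseOctetRate": rev["octets"],
        })
    key = "nlMatrixTopNPktRate" if rate_base == "nlMatrixTopNPackets" else "nlMatrixTopNOctetRate"
    rows.sort(key=lambda r: (-r[key], r["src"], r["dst"]))  # deterministic tie-break
    # nlMatrixTopNIndex numbers the report rows from 1 in rank order
    return [dict(r, nlMatrixTopNIndex=i + 1) for i, r in enumerate(rows[:requested_size])]
```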
Application-Layer Matrix Group (1)
• Statistical collection of information based on source and destination application address (port number)
• This group consists of 3 data tables and 1 control table
– alMatrixSDTable
– alMatrixDSTable
– alMatrixTopNControlTable
– alMatrixTopNTable
alMatrix Group (2)
• Fig 10.15
Application-Layer Matrix Group (2)
• The alMatrixSDTable (alMatrixDSTable) is indexed by
– nlMatrixControlIndex: identifies a unique subnetwork
– nlMatrixSDTimeMark: time filter
– protocolDirLocalIndex: the network-layer protocol
– nlMatrixSDSourceAddress: the network-layer source address
– nlMatrixSDDestAddress: the network-layer destination address
– protocolDirLocalIndex: the application-layer protocol
Application-Layer Matrix Group (3)
• alMatrixTopNControlTable has the same structure as the nlMatrixTopNControlTable
• The only difference is the definition of the rate base object, alMatrixTopNRateBase:
– alMatrixTopNTerminalsPkts(1): count only packets of this protocol (no child protocols)
– alMatrixTopNTerminalsOctets(2): count only octets of this protocol (no child protocols)
– alMatrixTopNAllPkts(3): count packets of this protocol including child protocols
– alMatrixTopNAllOctets(4): count octets of this protocol including child protocols
Application-Layer Matrix Group (4)
• alMatrixTopNTable
– alMatrixTopNPktRate – the number of packets seen from source host to destination host during this sampling interval
– alMatrixTopNReversePktRate – same as above (destination to source)
User history collection group (1)
• User history collection group
• Collects particular statistics and variables, then logs that data based on user-defined parameters
• The user history collection group consists of usrHistoryControlTable, usrHistoryObjectTable and usrHistoryTable
User history collection group (2)
User history collection group (3)
• usrHistoryControlTable
– usrHistoryControlIndex
– usrHistoryControlObjects
– usrHistoryControlBucketsRequested
– usrHistoryControlBucketsGranted
– usrHistoryControlInterval
– usrHistoryControlOwner
– usrHistoryControlStatus
User history collection group (4)
• usrHistoryObjectTable
– usrHistoryObjectIndex
– usrHistoryObjectVariable: identifies the variable to be collected
– usrHistoryObjectSampleType: absolute or delta value
User history collection group (5)
• usrHistoryTable
– usrHistorySampleIndex
– usrHistoryIntervalStart
– usrHistoryIntervalEnd
– usrHistoryAbsValue
– usrHistoryValStatus
Probe configuration group
• Probe configuration group
– To solve interoperability problems among RMON probes and managers
Security Consideration (1)
• The usrHistoryGroup periodically samples the
values of user-specified variables on the probe
and stores them in another table.
– The agent MUST ensure that
usrHistoryObjectVariable is not writable in MIB
views that don't already have read access to the
entire agent. Because the access control
configuration can change over time, information
could later be deemed sensitive that would still be
accessible to this function.
Security Consideration (2)
• A probe implementing this MIB is likely to also
implement RMON [RFC2819], which includes
functions for returning the contents of
captured packets, potentially including
sensitive user data or passwords.
– It is recommended that SNMP access to these
functions be restricted
Security Consideration (3)
• There are a number of management objects
defined in this MIB that have a MAX-ACCESS
clause of read-write and/or read-create.
– Such objects may be considered sensitive or
vulnerable in some network environments.
– The support for SET operations in a non-secure
environment without proper protection can have
a negative effect on network operations.
Security Consideration (4)
• Some of the readable objects in this MIB
module (i.e., objects with a MAX-ACCESS
other than not-accessible) may be considered
sensitive or vulnerable in some network
environments.
– It is thus important to control even GET and/or
NOTIFY access to these objects and possibly to
even encrypt the values of these objects when
sending them over the network via SNMP.
Security Consideration (5)
• SNMP versions prior to SNMPv3 did not include
adequate security.
• Even if the network itself is secure (for example by
using IPSec), even then, there is no control as to
who on the secure network is allowed to access
and GET/SET (read/change/create/delete) the
objects in this MIB module.
• It is RECOMMENDED that implementers consider
the security features as provided by the SNMPv3
framework (see [RFC3410], section 8), including
full support for the SNMPv3 cryptographic
mechanisms (for authentication and privacy).
Security Consideration (6)
• Deployment of SNMP versions prior to SNMPv3 is
NOT RECOMMENDED.
• Instead, it is RECOMMENDED to deploy SNMPv3
and to enable cryptographic security. It is then a
customer/operator responsibility to ensure that
the SNMP entity giving access to an instance of
this MIB module is properly configured to give
access to the objects only to those principals
(users) that have legitimate rights to indeed GET
or SET (change/create/delete) them.
Practical Issues