MIB-II (IP Group)

Common Management Protocol
W.lilakiatsakun
Topics
• SNMP (Widely used)
• Command Line Interface (CLI)
• Syslog
• Netflow and IP Flow Information Export (IPFIX)
• Netconf (Recently)
Simple Network Management Protocol (SNMP)
• SNMP v1 (RFC 1157)
• PDU size 4096 bytes (4 KB)
• UDP port 161
• Operations supported by SNMP
– Get: retrieves a scalar object value
– Set: updates a scalar object value
– Trap: sends an unsolicited scalar object value
Community (1)
• 3 aspects of control between SNMP managers and agents
– Authentication – limits access to the MIB to the authorized management stations
– Access control – the managed station may wish to give different access privileges to different management stations
– Proxy service – a managed station may act as a proxy for other managed stations
Community (2)
• The community concept is a local one, defined at the managed system (device)
• The agent may establish a number of communities with overlapping management station membership
• Each community is given a unique community name
– The management station must employ the community name in all get/set operations
Authentication Service
• RFC 1157 SNMP provides only a trivial scheme for authentication
• The community name is used as a password for get/set operations
• The SET operation is the sensitive area
• Improved in SNMP v3
Access Policy (1)
• The agent can provide different categories of MIB access to different management stations
– SNMP MIB view – a subset of the objects within a MIB; different MIB views may be defined for each community
– SNMP access mode – an element of the set {READ-ONLY, READ-WRITE}
• A community profile is the combination of a MIB view and an access mode
Access Policy (2)
Proxy service
• An SNMP agent can act on behalf of other devices
– Typically, the other devices are foreign (do not support TCP/IP and SNMP)
– In some cases, the proxied system may support SNMP but the proxy is used to minimize the interaction between the proxied device and the network management system
Administrative concepts
Lexicographical Ordering (1)
• The management station can access objects without specifying them by name
– It can supply an object instance identifier and ask for the next object in the ordering
• Preorder traversal
– Visit the root
– Traverse the subtrees from left to right
• Fig 7-8
Lexicographical Ordering (2)
Fig 7-2
• Table 7.5
Protocol specification – SNMP format
• Fig 7-3
• Table 7.6
Transmission of SNMP Message (1)
1 The PDU is constructed using the ASN.1 structure defined in RFC 1157
2 This PDU is then passed to an authentication service together with the source and destination transport addresses and a community name
– The service performs any required transformations (encryption or inclusion of an authentication code) and returns the result
Transmission of SNMP Message (2)
3 Construct the message consisting of a version field, the community name and the result from step 2
4 This object is then encoded using the Basic Encoding Rules (BER) and passed to the transport service
Receipt of an SNMP message
1 Basic syntax check of the message; discard the message if it fails
2 Verify the version number; discard the message if it does not match
3 Authentication check
– If it fails, generate a trap and discard the message
4 Syntax check of the PDU
– If it fails, discard the PDU
– If it passes, the SNMP access policy for the community is selected and the PDU is processed accordingly
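The four receipt steps above, as an added Python example that is not part of the slides: a minimal BER splitter and a receive() routine that discards on the syntax, version, community and PDU checks in that order. Helper names are hypothetical, and SAMPLE is a hand-encoded GetRequest for udpInDatagrams.0 with community "public", constructed for this example.

```python
# Added example, not from the slides: the four receipt steps over a constructed SNMPv1 message.
# SAMPLE is a hand-encoded GetRequest for udpInDatagrams.0 (1.3.6.1.2.1.7.1.0), community "public".
SNMP_V1, SEQUENCE, INTEGER, OCTET_STRING = 0, 0x30, 0x02, 0x04
PDU_TAGS = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA3: "SetRequest"}
SAMPLE = bytes.fromhex("3026020100040670" "75626c6963a01902" "0101020100020100"
                       "300e300c06082b06" "0102010701000500")

def read_seq(buf):
    # Split buf into its top-level BER TLVs [(tag, value), ...]; ValueError = "syntax check fails".
    out, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated header")
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:  # long-form length: the low 7 bits count the length octets that follow
            n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        if pos + n > len(buf):
            raise ValueError("length exceeds message")
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out

def receive(message, community):
    # Step 1 syntax, step 2 version, step 3 authentication (community name), step 4 PDU syntax;
    # each failure discards, and an authentication failure additionally raises a trap.
    try:
        [(tag, body)] = read_seq(message)
        (vt, vb), (ct, cb), (pt, pb) = read_seq(body)
        if tag != SEQUENCE or vt != INTEGER or ct != OCTET_STRING:
            raise ValueError("unexpected tags")
    except ValueError:
        return "discard: syntax"
    if int.from_bytes(vb, "big") != SNMP_V1:
        return "discard: version mismatch"
    if cb != community.encode():
        return "authenticationFailure trap, discard"  # the community name is the only credential
    try:
        (rt, _), (et, _), (it, _), (bt, _) = read_seq(pb)  # request-id, error-status, error-index, varbinds
        if pt not in PDU_TAGS or (rt, et, it, bt) != (INTEGER, INTEGER, INTEGER, SEQUENCE):
            raise ValueError("bad PDU")
    except ValueError:
        return "discard: PDU syntax"
    return f"accept {PDU_TAGS[pt]}: apply this community's MIB view and access mode"
```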
Variable Binding (1)
• Groups operations of the same type in a single message
– Gets more than one object instance within a single response
• The SNMP PDU includes a “variablebindings“ field
• This field consists of a sequence of references to object instances together with the values of those objects
Variable Binding (2)
SNMP PDU Sequences
• Fig 7.5
GetRequest (1)
• The response either returns all values or none
– If the responding entity can provide all values, they are included in the variablebindings field of the GetResponse PDU
– If not, no values are returned
– Changed to a non-atomic operation in SNMPv2
• The following error conditions can occur
– 1 If an object named in the variablebindings does not match, return an error-status of noSuchName and a value in the error-index
GetRequest (2)
• 2 If the resulting PDU exceeds a local limitation (484 octets), return an error-status of tooBig
• 3 If at least one of the objects cannot be supplied, return an error-status of genErr and a value in the error-index
GetRequest (3)
• Basically, SNMP does not allow an entire row of a table to be retrieved by referencing the entry object
• It can be done by using the variablebindings list
– GetRequest (ipRouteDest.9.1.2.3, ipRouteMetric1.9.1.2.3, ipRouteNextHop.9.1.2.3)
GetNextRequest (1)
• Same PDU exchange pattern and same format as the GetRequest PDU
• The only difference is that the returned value is the value of the next object in lexicographic order
GetNextRequest (2)
• Fig 8-1
Navigation (walk) of a MIB with GetNextRequest
GetNextRequest (3)
GetNextRequest (4)
• Example – to retrieve data from instances of scalar objects in the udp group
• GetRequest(udpInDatagrams.0, udpNoPorts.0, udpInErrors.0, udpOutDatagrams.0)
• GetResponse((udpInDatagrams.0=100), (udpNoPorts.0=1), (udpInErrors.0=2), (udpOutDatagrams.0=200))
GetNextRequest (5)
• GetNextRequest(udpInDatagrams, udpNoPorts, udpInErrors, udpOutDatagrams)
• The next instance of udpInDatagrams is udpInDatagrams.0, so
• GetResponse((udpInDatagrams.0=100), (udpNoPorts.0=1), (udpInErrors.0=2), (udpOutDatagrams.0=200))
GetNextRequest (6)
– Accessing table values
• GetNextRequest (ipRouteDest, ipRouteMetric1, ipRouteNextHop)
• GetResponse ((ipRouteDest.9.1.2.3=9.1.2.3), (ipRouteMetric1.9.1.2.3=3), (ipRouteNextHop.9.1.2.3=99.0.0.3))
GetNextRequest (7)
• Retrieve the second row
• GetNextRequest (ipRouteDest.9.1.2.3, ipRouteMetric1.9.1.2.3, ipRouteNextHop.9.1.2.3)
• GetResponse ((ipRouteDest.10.0.0.51=10.0.0.51), (ipRouteMetric1.10.0.0.51=5), (ipRouteNextHop.10.0.0.51=89.1.1.42))
Row-by-row navigation of a MIB with GET-NEXT
• Fig 8-2
SetRequest (1)
• The agent responds to a SetRequest PDU with a GetResponse PDU containing the same request-id
• Atomic operation, the same as GetRequest
– Do all or none
– Changed to a non-atomic operation in SNMPv2
SetRequest (2)
• Updating a table
– For an existing row
• SetRequest (ipRouteMetric1.9.1.2.3 = 9)
• GetResponse (ipRouteMetric1.9.1.2.3 = 9)
– Add a new row
• SetRequest (ipRouteDest.11.3.3.12=11.3.3.12, ipRouteMetric1.11.3.3.12=9, ipRouteNextHop.11.3.3.12=91.0.0.5)
SetRequest (3)
– Problems
• The value of ipRouteDest is an index value still unknown to the agent
• RFC 1212 indicates 3 ways to handle this
1 The agent could reject the operation and return an error-status of noSuchName
2 The agent could accept the operation but return an error-status of badValue
3 The agent could accept the operation and create a new row
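A small in-memory agent, as an added example that is not from the slides, covering two passages at once: the lexicographic GET-NEXT walk over the ipRouteTable rows from GetNextRequest (6) and (7), and the first RFC 1212 option above (reject a SetRequest whose row index the agent does not know). The column OIDs are the MIB-II ipRouteEntry columns; the Agent class and walk_table helper are hypothetical.

```python
from bisect import bisect_right

def oid(s):
    # Dotted text -> tuple of ints, so ordering is numeric arc by arc
    # (10.0.0.51 sorts after 9.1.2.3, which a plain string compare would get wrong).
    return tuple(int(a) for a in s.split("."))

# Constructed ipRouteTable fragment (MIB-II ipRouteEntry 1.3.6.1.2.1.4.21.1): columns ipRouteDest(1),
# ipRouteMetric1(3), ipRouteNextHop(7), indexed by the ipRouteDest value; rows taken from the slides.
ENTRY = "1.3.6.1.2.1.4.21.1"
COLUMNS = {"ipRouteDest": 1, "ipRouteMetric1": 3, "ipRouteNextHop": 7}
ROWS = [("9.1.2.3", 3, "99.0.0.3"), ("10.0.0.51", 5, "89.1.1.42")]

def build_objects():
    # instance OID = column OID + index; here the index is the row's ipRouteDest
    objs = {}
    for dest, metric, nexthop in ROWS:
        for col, value in zip(COLUMNS.values(), (dest, metric, nexthop)):
            objs[oid(f"{ENTRY}.{col}.{dest}")] = value
    return objs

class Agent:
    def __init__(self, objects):
        self.objects = objects
        self.keys = sorted(objects)  # the lexicographic (preorder) ordering of the MIB

    def get_next(self, name):
        # First object whose OID is strictly greater than name; past the end, v1 answers noSuchName
        i = bisect_right(self.keys, oid(name))
        if i == len(self.keys):
            return None, "noSuchName"
        key = self.keys[i]
        return ".".join(map(str, key)), self.objects[key]

    def set(self, name, value):
        # Unknown instance (e.g. a new row's index) -> reject with noSuchName, RFC 1212 option 1
        if oid(name) not in self.objects:
            return "noSuchName"
        self.objects[oid(name)] = value
        return value

def walk_table(agent, column_oids):
    # Row-by-row GET-NEXT as on the slides: start from the column OIDs, feed each response's OIDs
    # back in, and stop when any column's successor is no longer an instance of that column.
    rows, names = [], list(column_oids)
    while True:
        resp = [agent.get_next(n) for n in names]
        if any(n is None or not n.startswith(c + ".") for (n, _), c in zip(resp, column_oids)):
            return rows
        rows.append(tuple(v for _, v in resp))
        names = [n for n, _ in resp]
```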
SetRequest (3)
• Row deletion
– SetRequest (ipRouteType.7.3.5.3 = invalid)
– GetResponse (ipRouteType.7.3.5.3 = invalid)
• Performing an action – an object can be used to represent a command so that a specific action is taken if the object is set to a specific value
– Example: a reBoot object – the initial value is 0; if a management station sets the object value to 1, the agent system reboots and resets the object value to 0
– Ping/Traceroute/Lookup Operations MIB (RFC 2925)
SetRequest (4)
– Deleting/Nullifying rows in MIB-II tables
• Table 7.8
SetRequest (5)
• Fig 8-3
Ping MIB operation
SetRequest (5)
Ping object in MIB
TRAP (1)
• Used to provide the management station with notification of some significant event
• PDU fields
– PDU type: Trap PDU
– Enterprise: identifies the system that generated the trap (sysObjectID)
– Agent-addr: IP address of the object generating the trap
TRAP (2)
– Generic-trap: predefined trap types
– Specific-trap: identifies the nature of the trap more specifically
– Time-stamp: the time at which the trap was issued (sysUpTime when the trap is generated)
– Variablebindings: additional information relating to the trap (implementation-specific)
TRAP (3)
• Who is emitting the trap
– enterprise field: value is taken from sysObjectID
– agent-addr field: IP address
• What occurred
– generic-trap field / specific-trap field
• When it occurred
– time-stamp field: time between the last initialization and the generation of the trap
• Additional information
– variablebindings field
Trap (4)
• Generic-trap
– coldStart (0): unexpected restart due to a crash or major fault
– warmStart (1): routine restart
– linkDown (2): signals failure in one of the communication links of the agent (the first element in the variablebindings field is the name and value of the ifIndex instance for the referenced interface)
Trap (5)
• Generic-trap (cont’)
– linkUp (3): signals that one of the communication links of the agent has come up (the first element in the variablebindings field is the name and value of the ifIndex instance for the referenced interface)
– authenticationFailure (4): received a protocol message that has failed authentication
– egpNeighborLoss (5): an EGP neighbor has been marked down and the peer relationship no longer exists
– enterpriseSpecific (6): an enterprise-specific event
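An added Python example, not from the slides, serving two passages: the four steps of "Transmission of SNMP Message" (PDU, pass-through authentication, message wrapping, BER encoding) and the Trap PDU fields listed just above, with the linkDown/ifIndex convention in the variablebindings. Helper names are hypothetical; the udpInDatagrams.0 and ipRouteMetric1.9.1.2.3 values used in the test come from the earlier slides, while the agent address and the enterprise OID under 1.3.6.1.4.1 are constructed placeholders.

```python
# Added example with hypothetical helper names: BER encoding of SNMPv1 messages (RFC 1157).
SNMP_V1, GET_REQUEST, GET_NEXT_REQUEST, SET_REQUEST, TRAP = 0, 0xA0, 0xA1, 0xA3, 0xA4
SEQUENCE, INTEGER, OCTET_STRING, NULL, OBJECT_ID = 0x30, 0x02, 0x04, 0x05, 0x06
IP_ADDRESS, TIME_TICKS = 0x40, 0x43  # APPLICATION 0 and APPLICATION 3 tags from RFC 1155

def tlv(tag, body):
    # BER tag-length-value; long-form length (0x80 | octet count) once body >= 128 octets
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def encode_int(v, tag=INTEGER):
    # non-negative integer, shortest two's-complement form (a leading 0x00 keeps the sign bit clear)
    return tlv(tag, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def encode_oid(dotted):
    # first two arcs packed as 40*a1+a2, remaining arcs base-128 with the high bit meaning "more"
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return tlv(OBJECT_ID, bytes(out))

def encode_value(v):
    # NULL placeholder for Get/GetNext; INTEGER or OCTET STRING carries a Set or Trap value
    if v is None:
        return tlv(NULL, b"")
    return encode_int(v) if isinstance(v, int) else tlv(OCTET_STRING, v.encode())

def encode_varbinds(varbinds):  # variablebindings: SEQUENCE OF SEQUENCE { name, value }
    return tlv(SEQUENCE, b"".join(tlv(SEQUENCE, encode_oid(o) + encode_value(v)) for o, v in varbinds))

def wrap(community, pdu):
    # Steps 2-4: trivial authentication passes the PDU through; SEQUENCE { version, community, PDU } is already BER
    return tlv(SEQUENCE, encode_int(SNMP_V1) + tlv(OCTET_STRING, community.encode()) + pdu)

def build_request(community, pdu_type, varbinds, request_id=1):
    # Step 1: request PDU = request-id, error-status, error-index, variablebindings
    fields = encode_int(request_id) + encode_int(0) + encode_int(0) + encode_varbinds(varbinds)
    return wrap(community, tlv(pdu_type, fields))

def build_trap(community, enterprise, agent_ip, generic, specific, uptime, varbinds=()):
    # Trap PDU in slide order: enterprise, agent-addr, generic-trap, specific-trap, time-stamp, varbinds
    addr = tlv(IP_ADDRESS, bytes(int(b) for b in agent_ip.split(".")))
    fields = encode_oid(enterprise) + addr + encode_int(generic) + encode_int(specific)
    return wrap(community, tlv(TRAP, fields + encode_int(uptime, TIME_TICKS) + encode_varbinds(varbinds)))
```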
Transport level support
• Connectionless transport service
– UDP (TCP/IP) port 161
– CLTS (OSI)
• The management application has to deal with the loss of messages
– Time out
– Periodic query
* Loss of a Trap message is difficult to detect
Polling Frequency
• N <= T/∆
• N = number of agents
• T = desired polling interval
• ∆ = average time to perform a single poll
– Network delay
– Processing time
Limitation of SNMP(1)
• SNMP may not be suitable for a truly large network
– Results in large volumes of routine messages
• SNMP is not well suited to retrieving large volumes of data (limited by the size of the PDU)
• SNMP traps are unacknowledged, so a critical message cannot be confirmed to have arrived
• SNMP provides only trivial authentication, so it is better for monitoring than for control
Limitation of SNMP(2)
• SNMP does not support imperative commands; the agent can only be commanded indirectly through the SET operation
• SNMP does not readily support applications that query based on object values or types
• SNMP does not support manager-to-manager communication
* Many of these deficiencies are addressed in SNMP v2
SNMP Group (1)
• Under MIB-II Node
SNMP Group (2)
SNMP Group (3)