© From Computer Networking, by Kurose&Ross Network Management 1-1
Managing and Securing Computer Networks
INFO-056 Prof. Guy Leduc
Université de Liège Institut Montefiore, B28
B-4000 Liège 1
Phone: 04 3662698 or 2696 (secretariat) Email: Guy.Leduc@uliege.be
URLs: http://progcours.ulg.ac.be/cocoon/cours/INFO0056-1.html http://www.montefiore.ulg.ac.be/~leduc/cours/GSRI.html
Reference Books
(Chapter 8 and sections 4.4, 5.5 and 5.7 of) Computer Networking: A Top-Down Approach, 7th edition. Jim Kurose, Keith Ross Addison-Wesley, April 2016.
Computer Networks and Internets, 6th Edition Douglas E. Comer Pearson Education, 2015 (Chapter 31)
Network Security: PRIVATE Communication in a PUBLIC World, 2nd edition. Charlie Kaufman, Radia Perlman, Mike Speciner Prentice Hall, 2002.
Course content
❒ Part 1: Network Management
❒ Part 2: Network Security
❒ One seminar:
❍ IPv6 security, by E. Vyncke, CISCO Systems
Evaluation
❒ Theory - Principles
❍ Oral exam
❍ Weight: 50%
❒ 2 projects
❍ Software-Defined Networks (SDN), start: Feb. 21, deadline: March 18
❍ Network security, includes a lab part, deadline: May
❒ Labs
❍ Feb 21: SDN (1/2 day) – preparation of project
❍ Feb 28: Network management with SNMP (2 hours)
❒ Labs and projects
❍ Groups of (up to) 2 students
❍ Weight: 50%
Chapter 1: Network Management
Chapter goals:
❒ Introduction to network management
❍ motivation
❍ major components
❒ Internet network management framework
❍ MIB: management information base
❍ SMI: data definition language
❍ SNMP: protocol for network management
❒ Presentation services: ASN.1
❒ Kurose & Ross (section 5.7) gives an overview
❒ Slides also cover some material from “SNMP, SNMPv2 and RMON” by William Stallings, Addison Wesley, 1996.
Chapter 1 outline
❒ What is network management? ❒ Internet-standard management framework
❍ Structure of Management Information: SMI ❍ Management Information Base: MIB ❍ SNMP Protocol Operations and Transport Mappings
❒ ASN.1
What is network management?
❒ autonomous systems (aka “network”): 100s or 1000s of interacting hardware/software components
❒ other complex systems requiring monitoring, control: ❍ jet airplane ❍ nuclear power plant ❍ others?
❒ scenarios where network management is useful: ❍ detecting failures of interface cards or links ❍ host monitoring ❍ monitoring traffic ❍ detecting route flapping ❍ monitoring Service Level Agreements (SLAs) ❍ intrusion detection
Management Functional Areas
❒ Performance management
❍ Monitoring: track activities on the network (response time, bottlenecks, …)
❍ Controlling: adjust to improve performance
❒ Fault management
❍ Detection, isolation, and correction of abnormal operation
❍ Fault ≠ Error
❒ Configuration and name management
❍ Initializing a network and gracefully shutting it down
❍ Maintaining, adding, and updating the relationships among components
❒ Accounting management
❍ Enable charges to be established for the use of resources
❒ Security management
❍ Managing information protection and access-control
❍ Generating, distributing, and storing encryption keys
What is network management? (2)
"Network management includes the deployment, integration and coordination of the hardware, software, and human elements to monitor, test, poll, configure, analyze, evaluate, and control the network and element resources to meet the real-time, operational performance, and Quality of Service requirements at a reasonable cost."
Infrastructure for network management
definitions:
❒ managing entity: the application running at the NOC (Network Operations Center) that manages the network
❒ managed devices contain managed objects whose data is gathered into a Management Information Base (MIB)
❒ agent: the process on each managed device that holds that device's data and talks to the managing entity
❒ network management protocol: runs between the managing entity and the agents
(figure: one managing entity at the NOC, connected through the network management protocol to the agent and data of each of several managed devices)
Origin of TCP/IP Network Management
❒ In early days, ICMP (Internet Control Message Protocol) was used to provide feedback about problems
❍ echo-reply with or without timestamps, source routing, record routes, …
❍ PING program (1983)
❍ Traceroute program (1987) by Van Jacobson
❒ The growth of the Internet, with separate management domains for its subparts, required a standardized protocol
❍ In 1987, SGMP: Simple Gateway Monitoring Protocol
❒ Need for a more general-purpose network management tool
Origin of SNMP
❒ In 1988, the Internet Architecture Board (IAB) approved SNMP (Simple Network Management Protocol), which had emerged as an enhancement of SGMP
❍ Was considered as just a short-term solution, though!
❒ Competitors were:
❍ HEMS (High-Level Entity Management System), a generalization of HMP (Host Management Protocol) which was the first network management protocol used in the Internet
• HEMS was more capable than SNMP, but the extra effort for a short-term solution seemed unwarranted
❍ ISO’s CMIP (Common Management Information Protocol)
• CMIP over TCP/IP, and then over OSI protocols, was considered as the long-range solution as it was felt that TCP/IP installations would transition to OSI-based protocols and services !!!
❒ Idea: SNMP and CMIP would use the same data base of managed objects (so-called MIB and SMI, see later) to facilitate the transition towards CMIP
The SNMP Evolution
❒ Binding the two protocols at the object level became impractical
❍ In OSI, managed objects are seen as sophisticated entities with attributes, associated procedures, and notification capabilities, and other more complex characteristics based on the object-oriented technology
❍ In SNMP, objects are not really objects at all from the point of view of object-oriented technology
• simply variables with a few basic characteristics, such as data type, read-only or read-write attributes, …
❒ IAB thus relaxed the condition on common SMI and MIB
❍ Progress on SNMP was rapid, and SNMP became widely available on vendor equipment
❍ SNMP became the network management protocol, just as TCP/IP became the protocol suite for data transfer
❍ Enhancements to SNMP have been pursued
• e.g. RMON (Remote Monitoring) to monitor LANs as a whole
Network Management standards
ISO’s CMIP: Common Management Information Protocol
❒ designed 1980’s: the unifying net management standard
❒ too slowly standardized
SNMP: Simple Network Management Protocol
❒ Internet roots (SGMP)
❒ started simple
❒ deployed, adopted rapidly
❒ growth: size, complexity
❒ currently: SNMP V3
❒ de facto network management standard
Chapter 1 outline
❒ What is network management? ❒ Internet-standard management framework
❍ Structure of Management Information: SMI ❍ Management Information Base: MIB ❍ SNMP Protocol Operations and Transport Mappings
❒ ASN.1
SNMP overview: 4 key parts
❒ Management Information Base (MIB):
❍ distributed information store of network management data
❒ Structure of Management Information (SMI):
❍ data definition language for MIB objects
❒ SNMP protocol
❍ convey manager <-> managed object info, commands
❒ security, administration capabilities
❍ major addition in SNMPv3
MIB: Management Information Base
❒ The foundation of a network management system is a database containing information about the elements to be managed
❒ Each system maintains a MIB that reflects the status of the managed resources at that system
❒ The MIB must meet two objectives:
❍ The object(s) used to represent a particular resource must be the same at each and every system
• Example: A MIB for TCP/IP specifies that the active and passive open counts be stored for connections, rather than the active ones and the total number
• This allows a simple protocol to be written to access the required information
❍ A common scheme (object identification and definition language) for representation must be used to support interoperability
• SMI
SMI: Structure of Management Information
❒ The SMI
❍ identifies the data types that can be used in the MIB
❍ specifies how resources within the MIB are represented and named
❒ For simplicity and extensibility within the MIB, the MIB can store only simple data types:
❍ Scalars, two-dimensional arrays
❒ Interoperability requires that the SMI provides standardized techniques for:
❍ defining the MIB structure
❍ defining individual objects, including the syntax and the value of each object
❍ encoding object values
Object Naming question: how to name every possible standard object
(protocol, data, more…) in every possible network standard?
answer: ISO Object Identifier tree: ❍ hierarchical naming of all objects ❍ each branchpoint has name, number
OSI Object Identifier Tree (figure not reproduced; check out www.alvestrand.no/objectid/top.html)
Object Naming question: object identifier of udpInDatagrams (= total # datagrams delivered at this node)?
answer: 1.3.6.1.2.1.7.1
❍ 1 = ISO, 3 = ISO-identified organization, 6 = US DoD, 1 = Internet, 2 = management, 1 = MIB-2, 7 = UDP, 1 = udpInDatagrams
SMI: data definition language
Purpose: syntax, semantics of management data well-defined, unambiguous
❒ Basic Data Types
❍ straightforward, boring
❒ OBJECT-TYPE
❍ data type, status, semantics of managed object
❒ MODULE-IDENTITY
❍ groups related objects into MIB module
Basic Data Types: INTEGER, Integer32, Unsigned32, OCTET STRING, OBJECT IDENTIFIER, IpAddress, Counter32, Counter64, Gauge32, TimeTicks, Opaque
Basic Data Types
❒ A subset of the ASN.1 notation is used to define:
❍ each individual object
❍ the entire MIB structure
❒ A subset of Universal types is used
❍ e.g. integer, octet string, object identifier, sequence
❒ Some application-wide types are defined, such as:
❍ IpAddress
❍ Counter32: nonnegative integer that can only be incremented, up to 2^32 - 1, and then wraps around to zero (roll-over counter); a manager therefore samples it twice and takes the difference modulo 2^32 to obtain a rate
❍ Gauge32: nonnegative integer that can be incremented up to 2^32 - 1 and decremented. If the value would increase beyond the maximum value, it does not roll over: it remains stuck (latches) at its maximum value
❍ TimeTicks: nonnegative integer that counts hundredths of a second since some identified event. It is thus a relative timer.
MIB
❒ objects specified via SMI OBJECT-TYPE construct
❒ MIB module specified via SMI MODULE-IDENTITY (100 standardized MIBs, more vendor-specific)
(figure: several OBJECT-TYPE definitions grouped into one MODULE)
SMI: Object, module examples
OBJECT-TYPE: ipInDelivers
ipInDelivers OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION “The total number of input datagrams successfully delivered to IP user-protocols (including ICMP)”
    ::= {ip 9}
i.e. 1.3.6.1.2.1.4.9, as ip is 1.3.6.1.2.1.4
MODULE-IDENTITY: ipMIB
ipMIB MODULE-IDENTITY
    LAST-UPDATED “9411010000Z”
    ORGANIZATION “IETF SNMPv2 Working Group”
    CONTACT-INFO “ Keith McCloghrie …”
    DESCRIPTION “The MIB module for managing IP and ICMP implementations, but excluding their management of IP routes.”
    REVISION “9103310000Z”
    ………
    ::= {mib-2 48}
Defining Objects - Syntax
❒ An object (e.g. tcpMaxConn) is an instance of OBJECT-TYPE with the following key components:
❍ Syntax: i.e. the abstract syntax of the object, defined in ASN.1
❍ Access: i.e. the way in which the objects may be accessed (e.g. read-only, read-write, write-only, not-accessible)
❍ Status: the implementation support required for this object (e.g. mandatory, optional, deprecated: mandatory but likely to be removed soon, obsolete: not needed any more)
❍ Description (optional): a textual description of the semantics
❍ Reference (optional): a textual cross-reference to an object defined in some other MIB
❍ Index: used in defining tables. It is present if the object type corresponds to a conceptual row of a table
❍ Default (optional): default value at object creation
❍ Value Notation: The name used to access this object via SNMP (e.g. {ip 9})
MIB example: UDP module
Object ID | Name | Type | Comments
1.3.6.1.2.1.7.1 | udpInDatagrams | Counter32 | total # datagrams delivered at this node
1.3.6.1.2.1.7.2 | udpNoPorts | Counter32 | # undeliverable datagrams, no app at port
1.3.6.1.2.1.7.3 | udpInErrors | Counter32 | # undeliverable datagrams, all other reasons
1.3.6.1.2.1.7.4 | udpOutDatagrams | Counter32 | # datagrams sent
1.3.6.1.2.1.7.5 | udpTable | SEQUENCE | one entry for each port in use by app, gives port # and IP address
Defining table objects
❒ SMI supports only one form of structuring of data:
❍ A simple two-dimensional table with scalar-valued entries
❍ The definition involves the SEQUENCE (OF) ASN.1 type and the IndexPart of the OBJECT-TYPE macro
❒ Example: tcpConnTable
tcpConnTable OBJECT-TYPE
    SYNTAX SEQUENCE OF TcpConnEntry
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "A table containing TCP connection-specific info"
    ::= {tcp 13}
i.e. 1.3.6.1.2.1.6.13, as tcp is 1.3.6.1.2.1.6
Defining table objects (2)
tcpConnEntry OBJECT-TYPE
    SYNTAX TcpConnEntry
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "Info about a particular TCP connection. An object of this type is transient, in that it ceases to exist when (or soon after) the connection makes the transition to the CLOSED state"
    INDEX {tcpConnLocalAddress, tcpConnLocalPort, tcpConnRemAddress, tcpConnRemPort}
    -- These 4 items are necessary and sufficient to distinguish a row
    ::= {tcpConnTable 1}
i.e. 1.3.6.1.2.1.6.13.1
TcpConnEntry ::= SEQUENCE {
    tcpConnState INTEGER,
    tcpConnLocalAddress IpAddress,
    tcpConnLocalPort INTEGER (0..65535),
    tcpConnRemAddress IpAddress,
    tcpConnRemPort INTEGER (0..65535)
}
-- Only these 5 are visible to network management
-- their object identifiers: 1.3.6.1.2.1.6.13.1.1, 1.3.6.1.2.1.6.13.1.2, …
Chapter 1 outline
❒ What is network management? ❒ Internet-standard management framework
❍ Structure of Management Information: SMI ❍ Management Information Base: MIB ❍ SNMP Protocol Operations and Transport Mappings
❒ ASN.1
SNMP Protocol
❒ Basic Concepts: ❍ SNMP in the protocol stack ❍ Operations supported by SNMP ❍ Communities and Community Names ❍ Instance Identification ❍ Lexicographical Ordering
SNMP in the protocol stack (figure)
❒ Management station: manager process (used by the network manager, holding the central MIB) over SNMP over UDP over IP over network-dependent protocols
❒ Host: agent process over SNMP over UDP, next to user processes (HTTP, …) over TCP; both over IP over network-dependent protocols
❒ Router: agent process over SNMP over UDP over IP over network-dependent protocols
SNMP Proxies (figure)
❒ Management station: manager process over SNMP over UDP over IP over network-dependent protocols
❒ Proxy: an agent process (SNMP over UDP over IP over network-dependent protocols, facing the management station) coupled by a mapping function to a management process that speaks the protocol architecture used by the proxied device
❒ Proxied device: the protocol architecture used by the proxied device, over its own network-dependent protocols
❒ The proxy thus sits between two networks: one toward the management station, one toward the proxied device
Operations supported by SNMP
Two ways to convey MIB info, commands:
❒ request/response mode: the managing entity sends a request to the agent of the managed device (UDP port 161), which returns a response
❒ trap mode: the agent of the managed device sends a trap msg on its own initiative to the managing entity (UDP port 162)
SNMP protocol: message types
Message type | Function
GetRequest, GetNextRequest, GetBulkRequest | Mgr-to-agent: “get me data” (instance, next in list, block)
InformRequest | Mgr-to-Mgr: here’s MIB value
SetRequest | Mgr-to-agent: set MIB value
Response | Agent-to-mgr: value, response to Request
Trap | Agent-to-mgr: inform manager of exceptional event
SNMP protocol: message formats
❒ Get/set PDU = get/set header, then variables to get/set
❍ header: PDU type (0-3), Request ID, Error Status (0-5), Error Index
❍ variables: list of (Name, Value) pairs
❒ Trap PDU = trap header, then trap info
❍ header: PDU type (4), Enterprise, Agent Addr, Trap Type (0-7), Specific code, Time stamp
❍ trap info: list of (Name, Value) pairs
SNMP PDU fields
❒ request-id: used to distinguish among outstanding requests by providing each request with a unique ID
❒ error-status: used to indicate that an error occurred while processing the request
❍ noError, noSuchName, badValue, readOnly, …
❒ error-index: when error-status is different from noError, it may provide additional information by indicating which variable in a list caused the exception
❒ variable-bindings: a list of names and corresponding values
❍ except for GetRequest where the values are null
❒ enterprise: type of object generating trap
❒ agent-addr: address of object generating trap
❒ trap type: generic trap type
❍ linkDown, linkUp, authenticationFailure, …
❒ time-stamp: time elapsed between the last (re)initialization of the network entity and the generation of the trap
Trap-directed polling
❒ Problem with a large number of agents
❒ In essence, the network is not made to carry management information that the manager does not need, and agents are not made to respond to frequent requests for uninteresting information
❒ The preferred strategy is:
❍ At initialization time (and perhaps at infrequent intervals), a management station can poll all of the agents it knows for some key information (e.g. interface characteristics, baseline performance statistics)
❍ Each agent is responsible for notifying the management station of any unusual event (e.g. agent has crashed and is rebooted, a link fails, an overload). Agents report these events by the trap message
❍ When alerted, a management station may choose to take some action. Typically to direct polls to the agent and perhaps some nearby agents in order to diagnose any problem
❒ This trap-directed polling can result in substantial savings of network capacity and agent processing time
Communities
❒ A management station usually manages several objects
❒ But an object may be managed by several management stations
❍ Each managed station must be able to control the use of its MIB by a number of distinct management stations
❍ There are two aspects in this control:
• Authentication service: authentication of manager
• Access policy: different privileges to different managers
❍ These aspects relate to security for which SNMP (v1 and v2) provides only a primitive and limited capacity, namely the concept of a community
Communities and Community Names
❒ An SNMP community is a relationship between an SNMP agent and a set of SNMP managers that defines authentication and access control characteristics
❒ The community concept is a local one defined at the managed system
❒ The managed system establishes one community for each desired combination of authentication and access control characteristics
❒ Each community is given a unique (within this agent) community name
❍ The same name may be used by different managed agents with different meanings
❒ The management stations are provided with and must employ the community name in all get and set operations
❍ A management station must keep track of the community name(s) associated with each of the agents that it wishes to access
SNMP message: Version | Community | SNMP PDU
Authentication service
❒ SNMP (v1 and v2) provides for only a trivial scheme for authentication
❒ Every message from a management station includes a community name
❍ It functions as a password
❍ It is carried in cleartext in every message, over UDP (whose source address is easily spoofed), so anyone who can observe the traffic learns it
❒ With this limited form of authentication, many network managers have been reluctant to allow anything other than network monitoring (get and trap)
❒ Network control is clearly a more sensitive area
Access Policy
❒ Two aspects
❍ SNMP MIB view: a subset of the objects within a MIB
• Different MIB views may be defined for each community
• The set of objects in a view need not belong to a single subtree of the MIB
❍ SNMP access mode: an element of the set {READ-ONLY, READ-WRITE}
• An access mode is defined for each community
❒ The combination of a MIB view and an access mode is called a community profile
❍ A community profile thus consists of a defined subset of the MIB at the agent, plus an access mode
❒ Recall also that each MIB object has its own ACCESS clause
❒ How can we reconcile these restrictions?
Relationship Between MIB ACCESS Category and SNMP ACCESS Mode
MIB ACCESS category | SNMP access mode READ-ONLY | SNMP access mode READ-WRITE
read-only | Available for get and trap operations | Available for get and trap operations
read-write | Available for get and trap operations | Available for get, set, and trap operations
write-only | Available for get and trap operations, but the value is implementation-specific | Available for get, set, and trap operations, but the value is implementation-specific for get and trap operations
not-accessible | Unavailable | Unavailable
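As an added example (not from the slides or from any agent implementation), the reconciliation in the table above, together with the MIB view and access mode of the preceding slide, written as the authorization check an agent would run before serving a get or set: the community name must be known, the instance must lie inside the community's MIB view (a list of subtrees, not necessarily one), the community's access mode must allow the operation, and the object's own ACCESS clause is applied on top. The community names, views and the choice of objects are constructed; the OIDs and ACCESS values are the real mib-2 ones.

```python
# Added example: authorization decision combining a community profile (MIB view + access mode)
# with each object's own MIB ACCESS clause.  Community names and views are constructed.

SYS_DESCR = (1, 3, 6, 1, 2, 1, 1, 1)          # system.sysDescr, read-only
SYS_CONTACT = (1, 3, 6, 1, 2, 1, 1, 4)        # system.sysContact, read-write
IF_TABLE = (1, 3, 6, 1, 2, 1, 2, 2)           # interfaces.ifTable, not-accessible
IF_ADMIN_STATUS = IF_TABLE + (1, 7)           # ifEntry.ifAdminStatus, read-write
UDP = (1, 3, 6, 1, 2, 1, 7)

# MIB ACCESS clause of each object type (values from RFC 1213).
MIB_ACCESS = {SYS_DESCR: "read-only", SYS_CONTACT: "read-write",
              IF_TABLE: "not-accessible", IF_ADMIN_STATUS: "read-write"}

# Constructed community profiles: community name -> (access mode, MIB view as a list of subtrees).
COMMUNITIES = {
    "public": ("READ-ONLY", [(1, 3, 6, 1, 2, 1, 1), UDP]),   # two disjoint subtrees: system and udp
    "private": ("READ-WRITE", [(1, 3, 6, 1, 2, 1)]),          # all of mib-2
}


def in_view(view, oid):
    """True if some subtree of the view is a prefix of the OID."""
    return any(oid[:len(subtree)] == subtree for subtree in view)


def object_type_of(instance):
    """Strip the instance suffix: the longest known object OID that prefixes the instance."""
    for n in range(len(instance), 0, -1):
        if instance[:n] in MIB_ACCESS:
            return instance[:n]
    return None


def authorize(community, operation, instance):
    """Return (allowed, reason) for a get/set on an instance OID presented with a community name."""
    if community not in COMMUNITIES:
        return False, "unknown community (authentication failure)"
    mode, view = COMMUNITIES[community]
    if not in_view(view, instance):
        return False, "outside the community's MIB view"
    obj = object_type_of(instance)
    if obj is None:
        return False, "no such object"
    access = MIB_ACCESS[obj]
    if access == "not-accessible":
        return False, "object is not-accessible (table or row object)"
    if operation == "get":
        # read-only, read-write and write-only are all readable (write-only: value implementation-specific)
        note = " (value implementation-specific)" if access == "write-only" else ""
        return True, "get allowed" + note
    if operation == "set":
        if mode != "READ-WRITE":
            return False, "community access mode is READ-ONLY"
        if access not in ("read-write", "write-only"):
            return False, "object ACCESS is %s" % access
        return True, "set allowed"
    return False, "unknown operation"
```

The view check comes before the object lookup on purpose: an agent should not reveal, through a different error code, whether an object exists outside the requester's view.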
Administrative concepts
❒ An SNMP community (identified by its community name) pairs an SNMP agent with a set of SNMP managers
❒ An SNMP community profile pairs an SNMP MIB view with an SNMP access mode
❒ The combination of an SNMP community and an SNMP community profile is an SNMP access policy
Object Instance Identification
❒ We know that every object in the MIB has a unique object identifier, which is defined by the position of the object in the tree-structured MIB
❒ However, when an access is made to a MIB, via SNMP or some other means, it is a specific instance of an object that is wanted, not an object type
❒ This distinction is essential for objects that appear in tables
❍ Called columnar objects
❍ For them the object identifier alone does not suffice to identify the instance
• There is one instance of each object for every row in the table
• Therefore we need some convention by which a specific instance of an object within a table may be identified
❒ Reference to object instances is protocol-specific
❍ It is not defined in the MIB
❍ We’ll consider SNMP specific instance identification
Instance Identification in SNMP
❒ Two techniques: ❍ Serial-access technique
• Based on a lexicographic ordering of objects – The lexicographical order is defined later
• Useful to access object instances sequentially – Get-next request
❍ Random-access technique • Direct access to object instance
Random Access
❒ An instance of a scalar object of a particular row of a table is the concatenation of
❍ the object type identifier of the table object
❍ the suffix that identifies a row object
❍ the suffix that identifies the scalar element in that row
❍ one set of values of the INDEX objects
Example: connection state
tcpConnEntry OBJECT-TYPE
    SYNTAX TcpConnEntry
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "Info about a particular TCP connection. An object of this type is transient, in that it ceases to exist when (or soon after) the connection makes the transition to the CLOSED state"
    INDEX {tcpConnLocalAddress, tcpConnLocalPort, tcpConnRemAddress, tcpConnRemPort}
    ::= {tcpConnTable 1}
i.e. 1.3.6.1.2.1.6.13.1
TcpConnEntry ::= SEQUENCE {
    tcpConnState INTEGER,
    tcpConnLocalAddress IpAddress,
    tcpConnLocalPort INTEGER (0..65535),
    tcpConnRemAddress IpAddress,
    tcpConnRemPort INTEGER (0..65535)
}
-- object identifiers of the columns: 1.3.6.1.2.1.6.13.1.1, 1.3.6.1.2.1.6.13.1.2, …
The connection state of the connection indexed by (10.0.0.99, 12, 9.1.2.3, 15) will be identified by 1.3.6.1.2.1.6.13.1.1.10.0.0.99.12.9.1.2.3.15
Random access to other objects
❒ For table and row objects, no instance identifier is defined
❍ They are not leaf objects
❍ Their ACCESS characteristic is listed as "not-accessible"
❒ For scalar objects, there is no ambiguity between the object type and an instance of that object (one-to-one relationship)
❍ For consistency with tabular objects, and to distinguish between an object type and an object instance, SNMP dictates that the instance identifier of a scalar object consists of its object identifier concatenated with 0
Lexicographical Ordering
❒ An object identifier is a sequence of integers that reflects a hierarchical or tree structure of the objects in the MIB
❒ Sequences of integers exhibit a lexicographical ordering
❒ That ordering corresponds to traversing the tree of object identifiers in depth-first mode with child nodes of a common parent depicted in ascending numerical order
❒ This ordering extends to object instance identifiers
❒ An ordering is important when the manager does not know the exact makeup of the MIB view that an agent presents to it
❍ By using the get-next operation, the SNMP management station can ask for the next object in that ordering
❍ It works even if the supplied identifier is not valid, i.e. does not exist in the MIB
• In that case, it is the next valid identifier that is returned
❍ Also useful to access tables row by row
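To make the instance-naming and ordering rules concrete, here is an added example (not from the slides or from any SNMP implementation) of a toy in-memory agent. It builds tcpConnTable instance identifiers from the INDEX clause of the table definition above (an IpAddress component contributes four sub-identifiers, a port one), names a scalar with the trailing 0, and answers get-next by lexicographic order over the instance identifiers it holds, including when the supplied identifier does not exist; `walk_rows` issues one get-next per column to retrieve the table row by row. The OIDs are the real mib-2 ones; the connections and the counter value are constructed sample data, and `Agent`, `walk_rows` and the other names are this example's own.

```python
from bisect import bisect_right

# Real mib-2 object identifiers (RFC 1213); everything stored under them below is sample data.
TCP = (1, 3, 6, 1, 2, 1, 6)                   # iso.org.dod.internet.mgmt.mib-2.tcp
TCP_CONN_ENTRY = TCP + (13, 1)                # tcpConnTable(13).tcpConnEntry(1)
TCP_CONN_COLUMNS = [TCP_CONN_ENTRY + (c,) for c in range(1, 6)]  # tcpConnState .. tcpConnRemPort
UDP_IN_DATAGRAMS = (1, 3, 6, 1, 2, 1, 7, 1)   # scalar udpInDatagrams


def parse_oid(text):
    return tuple(int(x) for x in text.split("."))


def fmt_oid(oid):
    return ".".join(str(x) for x in oid)


def ipaddress_index(addr):
    """An IpAddress INDEX component contributes four sub-identifiers, one per octet."""
    octets = tuple(int(o) for o in addr.split("."))
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("bad IpAddress index: %r" % addr)
    return octets


def tcp_conn_instance(column, local_addr, local_port, rem_addr, rem_port):
    """Instance OID of a columnar object: entry OID + column number + INDEX values."""
    for port in (local_port, rem_port):
        if not 0 <= port <= 65535:
            raise ValueError("port out of range: %d" % port)
    return (TCP_CONN_ENTRY + (column,)
            + ipaddress_index(local_addr) + (local_port,)
            + ipaddress_index(rem_addr) + (rem_port,))


def scalar_instance(oid):
    """A scalar has exactly one instance, named <object OID>.0."""
    return oid + (0,)


class Agent:
    """Toy agent: a sorted map from instance OID (tuple of ints) to value."""

    def __init__(self):
        self._values = {}
        self._order = []              # instance OIDs in lexicographic order

    def set(self, instance, value):
        self._values[instance] = value
        self._order = sorted(self._values)

    def get(self, instance):
        """Random access: exact instance OID, or None (noSuchName)."""
        return self._values.get(instance)

    def get_next(self, oid):
        """Serial access: first instance strictly after `oid`, whether or not `oid` itself exists."""
        i = bisect_right(self._order, oid)
        if i == len(self._order):
            return None               # end of MIB view
        nxt = self._order[i]
        return nxt, self._values[nxt]

    def next_row(self, column_oids, after_index=()):
        """One get-next per column, all sharing one index suffix: the manager's row-by-row walk."""
        row, index = [], None
        for col in column_oids:
            found = self.get_next(col + after_index)
            if found is None or found[0][:len(col)] != col:
                return None           # walked off the end of this column
            inst, value = found
            this_index = inst[len(col):]
            if index is None:
                index = this_index
            elif this_index != index:
                return None           # ragged table: columns disagree on the next row
            row.append(value)
        return index, row


def walk_rows(agent, column_oids):
    index = ()
    while True:
        found = agent.next_row(column_oids, index)
        if found is None:
            return
        index, row = found
        yield index, row


def sample_agent():
    """Constructed sample data: one scalar and two TCP connections (tcpConnState 5 = established, 8 = closeWait)."""
    agent = Agent()
    agent.set(scalar_instance(UDP_IN_DATAGRAMS), 4242)
    for la, lp, ra, rp, state in [("10.0.0.99", 12, "9.1.2.3", 15, 5),
                                  ("10.0.0.99", 80, "192.0.2.7", 40000, 8)]:
        for column, value in enumerate((state, la, lp, ra, rp), start=1):
            agent.set(tcp_conn_instance(column, la, lp, ra, rp), value)
    return agent


if __name__ == "__main__":
    agent = sample_agent()
    print(fmt_oid(tcp_conn_instance(1, "10.0.0.99", 12, "9.1.2.3", 15)))   # the slide's example
    print(agent.get_next(TCP_CONN_ENTRY + (1,)))                             # get-next on a non-instance
    for index, row in walk_rows(agent, TCP_CONN_COLUMNS):
        print(fmt_oid(index), row)
```

A plain get-next walk visits the table column by column (all tcpConnState instances, then all tcpConnLocalAddress instances, and so on), which is why a manager that wants whole rows sends one get-next request carrying one variable per column, as `next_row` does.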
SNMP security and administration
❒ View-based access control
❍ SNMP entity maintains database of access rights, policies for various users
❍ this database is itself accessible as managed object!
❒ In SNMP v3:
❍ community-based “security model” NOT used
❍ encryption: DES-encrypt SNMP message, needs shared secret key (DES was the original SNMPv3 cipher; AES was added later and DES should be treated as obsolete)
❍ authentication: compute, send MIC(m,k): compute hash (MIC = Message Integrity Code) over the concatenation of message (m) and secret shared key (k); in practice an HMAC over the whole message, truncated
❍ protection against playback: use nonce (in SNMPv3's user-based security model this role is played by the receiver's boot counter and uptime, carried in the message and accepted only within a 150 s window)
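What the last three bullets look like when written out, as an added example (not from the slides and not an SNMPv3 implementation): SNMPv3's User-based Security Model (RFC 3414) derives a per-engine key from the user's password, authenticates each message with HMAC-SHA-96 (the first 12 bytes of HMAC-SHA-1 over the whole message with the authentication field zeroed), and bounds replay with the authoritative engine's boot counter and engine time rather than a nonce: a message is accepted only if its boots value matches and its engine time is within 150 seconds of the receiver's. The key derivation follows RFC 3414 Appendix A (password stretched to 1 MiB, hashed, then localized with the engine ID); the message layout is a simplified length-prefixed stand-in for the BER-encoded security parameters, and the user, password, engine ID and times are constructed inputs.

```python
import hashlib
import hmac
import struct

AUTH_LEN = 12      # HMAC-SHA-96: HMAC-SHA-1 output truncated to 96 bits (RFC 3414)
WINDOW = 150       # seconds of engine-time skew tolerated (RFC 3414 timeliness window)


def password_to_key(password, engine_id):
    """RFC 3414 A.2.2: stretch the password to 1 MiB, hash it, then localize to one engine."""
    stretched = (password * (1048576 // len(password) + 1))[:1048576]
    ku = hashlib.sha1(stretched).digest()
    return hashlib.sha1(ku + engine_id + ku).digest()


def serialize(engine_id, boots, engine_time, user, auth_param, payload):
    """Simplified wire layout (stand-in for BER msgSecurityParameters): 2-byte length prefixes."""
    parts = [engine_id, struct.pack(">II", boots, engine_time), user, auth_param, payload]
    return b"".join(struct.pack(">H", len(p)) + p for p in parts)


def parse(message):
    fields, pos = [], 0
    while pos < len(message):
        n = struct.unpack(">H", message[pos:pos + 2])[0]
        fields.append(message[pos + 2:pos + 2 + n])
        pos += 2 + n
    engine_id, times, user, auth_param, payload = fields
    boots, engine_time = struct.unpack(">II", times)
    return engine_id, boots, engine_time, user, auth_param, payload


def mac(key, engine_id, boots, engine_time, user, payload):
    """HMAC over the whole message with the authentication parameter set to 12 zero octets."""
    zeroed = serialize(engine_id, boots, engine_time, user, b"\x00" * AUTH_LEN, payload)
    return hmac.new(key, zeroed, hashlib.sha1).digest()[:AUTH_LEN]


def build_message(key, engine_id, boots, engine_time, user, payload):
    tag = mac(key, engine_id, boots, engine_time, user, payload)
    return serialize(engine_id, boots, engine_time, user, tag, payload)


class AuthoritativeEngine:
    """The agent side: knows its own engine ID, boot counter and the localized key of each user."""

    def __init__(self, engine_id, boots, users):
        self.engine_id, self.boots = engine_id, boots
        self.keys = {user: password_to_key(pw, engine_id) for user, pw in users.items()}

    def verify(self, message, now):
        """Returns 'ok' or the USM error the agent would count; `now` is its current snmpEngineTime."""
        engine_id, boots, engine_time, user, tag, payload = parse(message)
        if engine_id != self.engine_id:
            return "unknownEngineID"
        if user not in self.keys:
            return "unknownUserName"
        expected = mac(self.keys[user], engine_id, boots, engine_time, user, payload)
        if not hmac.compare_digest(tag, expected):
            return "wrongDigest"                  # forged or modified message
        if boots != self.boots or abs(engine_time - now) > WINDOW:
            return "notInTimeWindow"              # stale, replayed, or from before a reboot
        return "ok"


# Constructed sample: the engine ID of the RFC 3414 A.3 test vector, user "alice", password "maplesyrup".
ENGINE_ID = bytes.fromhex("000000000000000000000002")
AGENT = AuthoritativeEngine(ENGINE_ID, boots=3, users={b"alice": b"maplesyrup"})
KEY = password_to_key(b"maplesyrup", ENGINE_ID)


def demo():
    msg = build_message(KEY, ENGINE_ID, 3, 1000, b"alice", b"GetRequest sysDescr.0")
    tampered = msg[:-1] + bytes([msg[-1] ^ 0x01])
    rebooted = AuthoritativeEngine(ENGINE_ID, boots=4, users={b"alice": b"maplesyrup"})
    return {
        "fresh": AGENT.verify(msg, now=1010),
        "tampered": AGENT.verify(tampered, now=1010),
        "replayed_later": AGENT.verify(msg, now=1000 + WINDOW + 1),
        "after_reboot": rebooted.verify(msg, now=5),
    }
```

The timeliness check only bounds replay: a captured message replayed within the 150 s window still verifies, so duplicate suppression within the window falls to request-id handling in the application. Because the key is localized with the engine ID, compromising one agent does not yield the key the same user shares with other agents.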
Chapter 1 outline
❒ What is network management? ❒ Internet-standard management framework
❍ Structure of Management Information: SMI ❍ Management Information Base: MIB ❍ SNMP Protocol Operations and Transport Mappings
❒ The presentation problem: ASN.1
The presentation problem
Q: does perfect memory-to-memory copy solve “the communication problem”?
A: not always!
problem: different data format, storage conventions
struct { char code; int x; } test;
test.x = 259; test.code = ‘a’
host 1 format: test.code = a, test.x = 00000001 00000011
host 2 format: test.code = a, test.x = 00000011 00000001
A real-life presentation problem (figure): an aging 60’s hippie says “Groovy!”; the 2018 teenager and the grandma both answer with “?”, since neither understands
Presentation problem: potential solutions
1. Sender learns receiver’s format. Sender translates into receiver’s format. Sender sends.
– real-world analogy? – pros and cons?
2. Sender sends. Receiver learns sender’s format. Receiver translate into receiver-local format
– real-world-analogy? – pros and cons?
3. Sender translates to host-independent format. Sends. Receiver translates to receiver-local format.
– real-world analogy? – pros and cons?
❍ Needs machine-independent, OS-independent, language-independent method for describing data types!
Solving the presentation problem
1. Translate local-host format to host-independent format
2. Transmit data in host-independent format
3. Translate host-independent format to remote-host format
(figure: the aging 60’s hippie’s “Groovy!” goes through a presentation service and becomes the host-independent “It is pleasing to me!”, which the receivers’ presentation services turn into the grandma’s “Cat’s pajamas!” and the 2018 teenager’s “Awesome, dude!”)
ASN.1: Abstract Syntax Notation 1
❒ ITU-T standard X.680 (also ISO/IEC 8824)
❍ used extensively in Internet
❍ like eating vegetables, knowing this “good for you”!
❒ defined data types, object constructors
❍ like SMI
❒ BER: Basic Encoding Rules
❍ specify how ASN.1-defined data objects are to be transmitted
❍ each transmitted object has Type, Length, Value (TLV) encoding
Abstract Syntax - Example
EmployeeRecord ::= [APPLICATION 0] SET {
    [0] name ISO646STRING,
    [1] address ISO646STRING,
    [2] idNumber EmployeeNoType }
EmployeeNoType ::= INTEGER
[APPLICATION 0], [0], [1], [2] are tags (see later)
ASN.1 Compilers ❒ ASN.1 compilers translate ASN.1 into classical
programming languages: C, C++, Java, … ❒ Packet formats and data types are specified in
ASN.1 ❍ MIB objects are also specified in ASN.1
❒ The ASN.1 compiler generates: ❍ One programming language type per ASN.1 type ❍ Encoding/decoding functions:
• Mapping local representation into a commonly agreed transfer syntax
• Applies the Basic Encoding Rules (BER)
Role of tags
❒ ASN.1 uses tags to remove ambiguities on type components
❍ Tags also used later by languages such as XML
❒ Example:
EmployeeRecord ::= SET {
    name ISO646STRING,
    address ISO646STRING,
    idNumber EmployeeNoType }
EmployeeNoType ::= INTEGER
❒ Without tags, it would be impossible to discriminate the name and address fields in an 'EmployeeRecord'
❒ All types get a tag
Classes of tags
❒ A tag is composed of two parts: its class and its number
❒ Classes of tags:
❍ UNIVERSAL class
• Universal types
• 1: BOOLEAN, 2: INTEGER, 3: BIT STRING, 4: OCTET STRING, 6: OBJECT IDENTIFIER, 9: REAL, 10: ENUMERATED, 16: SEQUENCE (OF), 17: SET (OF), 23: UTCTime, 24: GeneralizedTime
❍ APPLICATION class
• The numbers are assigned by the standards that describe the protocols
• Their semantics are local to an application
❍ CONTEXT(-SPECIFIC) class
• Used to remove ambiguities in the types
❍ PRIVATE class
Implicit tags
EmployeeRecord ::= [APPLICATION 0] IMPLICIT SET {
    [0] name ISO646STRING,
    [1] address ISO646STRING,
    [2] idNumber EmployeeNoType }
EmployeeNoType ::= INTEGER
([APPLICATION 0] is an APPLICATION tag; [0], [1], [2] are CONTEXT tags; SET and INTEGER carry (implicit) UNIVERSAL tags)
❒ APPLICATION 0 identifies the EmployeeRecord type and its constructor (SET)
❒ However this constructor (SET) has a (universal) tag too, which is now redundant
❒ To avoid the encoding of the two tags (APPLICATION 0 and SET), ASN.1 uses the keyword IMPLICIT
❍ Only the APPLICATION 0 tag will be part of the encoding
❒ For CONTEXT tags, the class is not explicitly written
❒ UNIVERSAL tags are implicit
TLV Encoding
Idea: transmitted data is self-identifying
❍ T: data type, one of ASN.1-defined types
• This actually means the tag
❍ L: length of data in bytes
• short form: one octet for lengths below 128; long form: an octet 0x80 + k followed by k octets giving the length
❍ V: value of data, encoded according to ASN.1 standard
• If T is structured, then V is a set of component types (all encoded recursively in the TLV style)
Tag octet layout (most to least significant bits):
• class (2 bits): 00: UNIVERSAL, 01: APPLICATION, 10: CONTEXT, 11: PRIVATE
• form (1 bit): 0: simple (primitive) type, 1: structured (constructed) type
• number (5 bits)
• If tag number ≥ 31, then the 5-bit number is set to 31 (all ones) and the following octets carry the actual tag number in base 128, high bit set on every octet but the last
TLV encoding: example
module of data type declarations written in ASN.1:
    lastname ::= OCTET STRING
    weight ::= INTEGER
instances of data type specified in module:
    {lastname, “smith”}
    {weight, 259}
Basic Encoding Rules (BER) give the transmitted byte stream:
    4 5 ‘s’ ‘m’ ‘i’ ‘t’ ‘h’ 2 2 1 3
❍ Type = 4 (octet string), Length = 5 bytes, Value = 5 octets (chars) “smith”
❍ Type = 2 (integer), Length = 2 bytes, Value = 259 (= 0x0103, i.e. the bytes 1 and 3)
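As an added example (not from the slides or from any SNMP library), the encoding rules above written out in code: an encoder for the universal types SNMP needs (INTEGER in minimal two's complement, OCTET STRING, NULL, OBJECT IDENTIFIER with the 40*x+y first octet and base-128 sub-identifiers, SEQUENCE), short and long length forms, and a decoder for the TLV layout. It reproduces the {lastname, "smith"} and {weight, 259} bytes above and the udpInDatagrams OID from the naming slide, then assembles a complete SNMPv1 GetRequest message (version, community, context-tagged PDU with request-id, error-status, error-index and variable bindings) as laid out on the message-format and community slides; the bytes show the community name travelling as a plain OCTET STRING. The community name, request-id and chosen OIDs are constructed inputs; the tag numbers and encoding rules are those of X.690 and RFC 1157.

```python
# Added example (not from the slides): BER TLV encoder/decoder and an SNMPv1 GetRequest built from it.
INTEGER, OCTET_STRING, NULL, OBJECT_IDENTIFIER, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
CONTEXT, CONSTRUCTED = 0x80, 0x20
GET_REQUEST_PDU = CONTEXT | CONSTRUCTED | 0      # GetRequest-PDU ::= [0] IMPLICIT SEQUENCE {...}: tag 0xA0

def encode_length(n):
    """Short form below 128; otherwise 0x80|k followed by k big-endian length octets."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + encode_length(len(value)) + value

def encode_integer(n):
    """Minimal-length two's complement, as BER requires (259 -> 02 02 01 03, 128 -> 02 02 00 80)."""
    length = 1
    while not -(1 << (8 * length - 1)) <= n < (1 << (8 * length - 1)):
        length += 1
    return tlv(INTEGER, n.to_bytes(length, "big", signed=True))

def encode_octet_string(data):
    return tlv(OCTET_STRING, data)

def encode_oid(oid):
    """First two arcs share one sub-identifier (40*x + y); each sub-identifier is base 128,
    high bit set on every octet but the last."""
    first, second, *rest = oid
    out = bytearray()
    for sub in [40 * first + second] + rest:
        octets = [sub & 0x7F]
        sub >>= 7
        while sub:
            octets.append(0x80 | (sub & 0x7F))
            sub >>= 7
        out += bytes(reversed(octets))
    return tlv(OBJECT_IDENTIFIER, bytes(out))

def encode_sequence(*items, tag=SEQUENCE):
    return tlv(tag, b"".join(items))

def decode_tlv(buf, pos=0):
    """Returns (tag, value, position after this TLV). High tag numbers (>= 31) are not handled."""
    tag, length = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("high tag number form not supported")
    pos += 2
    if length & 0x80:                      # long form
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_integer(value):
    return int.from_bytes(value, "big", signed=True)

def decode_oid(value):
    subids, cur = [], 0
    for b in value:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(cur)
            cur = 0
    x = 2 if subids[0] >= 80 else subids[0] // 40
    return (x, subids[0] - 40 * x) + tuple(subids[1:])

def snmpv1_get_request(community, oids, request_id):
    """Message ::= SEQUENCE { version INTEGER (0 = v1), community OCTET STRING, data GetRequest-PDU }
    GetRequest-PDU: request-id, error-status (0), error-index (0), SEQUENCE OF VarBind { name OID, value NULL }"""
    varbinds = [encode_sequence(encode_oid(o), tlv(NULL, b"")) for o in oids]
    pdu = encode_sequence(encode_integer(request_id), encode_integer(0), encode_integer(0),
                          encode_sequence(*varbinds), tag=GET_REQUEST_PDU)
    return encode_sequence(encode_integer(0), encode_octet_string(community), pdu)

def parse_snmpv1(message):
    """The receiving side: walk the nested TLVs and pull out version, community, request-id and OIDs."""
    _, body, _ = decode_tlv(message)
    _, version, pos = decode_tlv(body)
    _, community, pos = decode_tlv(body, pos)
    pdu_tag, pdu, _ = decode_tlv(body, pos)
    _, request_id, pos = decode_tlv(pdu)
    _, _, pos = decode_tlv(pdu, pos)        # error-status
    _, _, pos = decode_tlv(pdu, pos)        # error-index
    _, varbind_list, _ = decode_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbind_list):
        _, varbind, pos = decode_tlv(varbind_list, pos)
        _, oid_bytes, _ = decode_tlv(varbind)
        oids.append(decode_oid(oid_bytes))
    return {"version": decode_integer(version), "community": community,
            "pdu_type": pdu_tag & 0x1F, "request_id": decode_integer(request_id), "oids": oids}
```

`decode_tlv` slices rather than indexing past the buffer, but a production decoder must additionally check that each declared length fits inside its enclosing value: mismatched lengths in nested TLVs are a classic source of parser bugs in SNMP agents.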
Network Management: summary
❒ network management
❍ extremely important: 80% of network “cost”
❍ ASN.1 for data description
❍ SNMP protocol as a tool for conveying information
❒ Network management: more art than science
❍ what to measure/monitor?
❍ how to respond to failures?
❍ alarm correlation/filtering?