2 SNMP: A Management Protocol and Framework
Rolf Stadler
School of Electrical Engineering
KTH Royal Institute of Technology
stadler@ee.kth.se
September 2008

Outline of the SNMP Framework

[Figure: a management station runs a management program (the manager), which talks over the management protocol to agents on network elements (router, bridge, ...), networked devices (IP phone, printer, ...) and servers (database server, web server, ...).]

The framework clarifies:
- The functional components (manager, agent)
- The operations the manager offers
- The protocol between manager and agent
- The information model
Content
2.1 Characterization of SNMP
2.2 SNMP Management Information
2.3 SNMP Operations
2.4 The SNMP Protocol
2.5 Assessment of SNMP
2.6 Newer Versions of SNMP
2.7 Network Monitoring using RMON
2.8 Other Network Management Protocols
2.9 Assignments

What is SNMP?

SNMP (Simple Network Management Protocol) is a standard produced by working groups within the IETF (Internet Engineering Task Force). It is published as a set of RFCs.
SNMP is more than a protocol: it is a management framework, including an architecture, an information model, management operations, etc.
SNMP is the most widely used management framework today, but many other frameworks exist. Virtually all networked devices support SNMP.
This presentation refers to SNMP version 1 unless stated otherwise. We will discuss the key extensions in versions 2 and 3.
SNMP Management Information

Management information is modeled as (managed) objects and relationships among them.
A MIB (Management Information Base) is a collection of objects, grouped for a specific management purpose.
All objects are organized in the global MIB tree. Each MIB represents a subtree of this global MIB tree.
The leaf objects of the tree contain object instances with the state and control variables of the managed system.
MIB-II is the most popular MIB. It is implemented in most SNMP-managed devices.
Device manufacturers often define their own device-specific MIBs.

The Global MIB Tree

[Figure: iso - org - dod - internet; below internet, the mgt branch contains mib-2 (MIB II, RFC 1213) and the private - enterprises branch contains vendor1, the device-specific MIB of vendor 1.]
[Stallings], Figure 5.1: object types and their numeric (sub)identifiers on the MIB tree.

The Structure of SNMP Management Information (SMI)

SMI, the SNMP management information model, provides guidelines for defining MIBs, object types and object identifiers. These definitions are written in the language ASN.1 (Abstract Syntax Notation One). ASN.1 also includes rules on how the management information is encoded, i.e., mapped into octet strings.
SNMP Object Types

Several scalar types: integer, string, IpAddress, counter, gauge, ...
  Example: tcpConnLocalAddress
One complex type, the table: a table of scalar objects, constructed as a sequence of records (rows).
  Example: tcpConnTable

Object type definition from RFC 1213 (MIB-II). The SYNTAX clause gives the data type; the last line names the object type of the parent and the numeric (sub)identifier of this object:

    tcpConnLocalAddress OBJECT-TYPE
        SYNTAX  IpAddress
        ACCESS  read-only
        STATUS  mandatory
        DESCRIPTION
            "The local IP address for this TCP connection. In
            the case of a connection in the listen state which
            is willing to accept connections for any IP
            interface associated with the node, the value
            0.0.0.0 is used."
        ::= { tcpConnEntry 2 }
Table definition from RFC 1213 (MIB-II):

    -- the TCP Connection table

    -- The TCP connection table contains information about this
    -- entity's existing TCP connections.

    tcpConnTable OBJECT-TYPE
        SYNTAX  SEQUENCE OF TcpConnEntry
        ACCESS  not-accessible
        STATUS  mandatory
        DESCRIPTION
            "A table containing TCP connection-specific
            information."
        ::= { tcp 13 }

    tcpConnEntry OBJECT-TYPE
        SYNTAX  TcpConnEntry
        ACCESS  not-accessible
        STATUS  mandatory
        DESCRIPTION
            "Information about a particular current TCP
            connection. An object of this type is transient,
            in that it ceases to exist when (or soon after)
            the connection makes the transition to the CLOSED
            state."
        INDEX   { tcpConnLocalAddress,
                  tcpConnLocalPort,
                  tcpConnRemAddress,
                  tcpConnRemPort }
        ::= { tcpConnTable 1 }

    TcpConnEntry ::=
        SEQUENCE {
            tcpConnState
                INTEGER,
            tcpConnLocalAddress
                IpAddress,
            tcpConnLocalPort
                INTEGER (0..65535),
            tcpConnRemAddress
                IpAddress,
            tcpConnRemPort
                INTEGER (0..65535)
        }

    tcpConnState OBJECT-TYPE
        SYNTAX  INTEGER {
                    closed(1),
                    listen(2),
                    synSent(3),
                    synReceived(4),
                    established(5),
                    finWait1(6),
                    finWait2(7),
                    closeWait(8),
                    lastAck(9),
                    closing(10),
                    timeWait(11),
                    deleteTCB(12)
                }
        ACCESS  read-write
        STATUS  mandatory
        DESCRIPTION
            "The state of this TCP connection."
        ::= { tcpConnEntry 1 }
SNMP Object Identifiers (OIDs)

An object identifier (OID) uniquely identifies an object on the MIB tree. An OID consists of a sequence of integers, called sub identifiers, which define the position of the object in the MIB tree by labeling the arcs on the path from the root to the object type. The mapping between the sequence of integers and a sequence of symbolic strings is defined in the object definitions of the MIB.

Example: OID of the object type TCP connection table:
    1.3.6.1.2.1.6.13
    iso.org.dod.internet.mgt.mib-2.tcp.tcpConnTable
OIDs of Object Instances

The OID of an instance of a scalar object type with OID X is denoted by X.0.
The OID of a table element in table X is denoted by X.1.column.(i1).(i2)...(in), where
- X is the identifier of the table object type,
- column is the column number,
- (i1)...(in) is the table index.
This index concept is the same as accessing a row in a table in relational databases. Table elements cannot be accessed as X.1.column.row.

Representing a Table Object on the MIB Tree

[Figure: tcpConnTable (13) has the single child tcpConnEntry (1), whose children are the columns tcpConnState (1), tcpConnLocalAddress (2), tcpConnLocalPort (3), tcpConnRemAddress (4) and tcpConnRemPort (5); below each column sit the instances for the index values i1 ... in. Drawn as a table, the rows are the index values and the columns are the five column objects.]
SNMP Operations

Operations:
- get X: get the instance of the object with OID X (X must be a leaf)
- get-next Y: get the next* instance of object Y
- set X a: set the instance of object X to a (X must be a leaf)
- trap: send an event to the management station

Remarks:
- *Object instances are ordered based on the lexicographical ordering of OIDs. get-next allows listing the elements of a table or the leaf objects of a MIB.
- Set is rarely used in SNMP version 1, due to the weak security of version 1.
- Although SNMP has tabular objects, operations are defined only for scalar objects. Operations on tables are performed as operations on elements.
- The syntax above is simplified. E.g., operations support a list of OIDs.

Lexicographical Ordering of MIB Elements

[Stallings], Figure 7.8: depth-first traversal of the MIB tree; each node is labeled with its sub identifier and its OID, and the OIDs of the leaf nodes give the order in which get-next visits the object instances.]
Reading an SNMP Table using get-next

The function read_table() runs on an SNMP manager. It reads from an agent an SNMP table with OID table_oid. Its outputs are the table (table) and its dimensions (row_max, column_max). We assume that the SNMP table is well-built and not empty. An OID is of the form [s1.s2.s3...], where the si are sub identifiers. The SNMP table is traversed column by column, starting with row 1, column 1.

    table_element table[1..n][1..m];
    OID table_oid;
    int row_max, column_max;

    read_table(table_oid, table, &row_max, &column_max) {
        OID oid;
        int row = 1, column = 1;
        (oid, value) = get_next(table_oid);          /* first element: row 1, column 1 */
        while (oid is of form [table_oid.1.*]) {      /* still inside the table */
            if (oid is of form [table_oid.1.column+1.*]) {   /* first element of the next column */
                column++;
                row = 1;
            }
            table[row][column] = value;
            row++;
            (oid, value) = get_next(oid);             /* lexicographic successor */
        }
        row_max = row - 1;        /* rows seen in the last column; every column has the same number */
        column_max = column;
    }

SNMP in the Internet Protocol Architecture

SNMP defines message formats (PDUs) and how this data is exchanged between an SNMP agent and a manager, e.g., a management station. SNMP is an application protocol in the Internet protocol architecture ([Stallings], Figure 4.2). It runs on top of UDP, a connectionless transport protocol that does not provide reliable transmission.
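As an added example (not the lecture's own code), the read_table algorithm above and the lexicographic get-next ordering of object instances from the SNMP Operations slide, run in Python against a constructed in-memory agent that holds two rows of tcpConnTable and one scalar just past it; the Agent class, OIDs as integer tuples and the sample rows are assumptions made here.

```python
from typing import Dict, List, Optional, Tuple

OID = Tuple[int, ...]
TCP_CONN_TABLE: OID = (1, 3, 6, 1, 2, 1, 6, 13)   # tcpConnTable, MIB-II (RFC 1213)

def parse_oid(text: str) -> OID:
    return tuple(int(s) for s in text.split("."))

def build_sample_agent() -> Dict[OID, object]:
    """Constructed sample MIB: two tcpConnTable rows plus one scalar just past the table."""
    # Index is tcpConnLocalAddress.tcpConnLocalPort.tcpConnRemAddress.tcpConnRemPort (INDEX clause)
    rows = [("10.0.0.1", 22, "10.0.0.9", 51000, 5),   # established(5)
            ("0.0.0.0", 80, "0.0.0.0", 0, 2)]         # listen(2)
    mib: Dict[OID, object] = {}
    for la, lp, ra, rp, state in rows:
        index = parse_oid(la) + (lp,) + parse_oid(ra) + (rp,)
        for column, value in enumerate([state, la, lp, ra, rp], start=1):
            mib[TCP_CONN_TABLE + (1, column) + index] = value   # X.1.column.index
    mib[(1, 3, 6, 1, 2, 1, 6, 14, 0)] = 0   # tcpInErrs.0: scalar instance X.0, after the table
    return mib

class Agent:
    """Object instances keyed by OID; get_next returns the lexicographic successor."""
    def __init__(self, mib: Dict[OID, object]) -> None:
        self.mib, self.ops = mib, 0
    def get_next(self, oid: OID) -> Optional[Tuple[OID, object]]:
        self.ops += 1
        for cand in sorted(self.mib):           # tuple order == lexicographic OID order
            if cand > oid:
                return cand, self.mib[cand]
        return None                             # end of the MIB view

def read_table(agent: Agent, table_oid: OID) -> List[List[object]]:
    """The lecture's read_table: one get-next per element, column by column.
    Returns table[column-1][row-1]; assumes a well-built, non-empty table."""
    entry = table_oid + (1,)
    table: List[List[object]] = []
    column = 0
    nxt = agent.get_next(table_oid)
    while nxt is not None and nxt[0][:len(entry)] == entry:   # still inside X.1.*
        oid, value = nxt
        if oid[len(entry)] == column + 1:   # first instance of the next column
            column += 1
            table.append([])
        table[-1].append(value)
        nxt = agent.get_next(oid)
    return table

def rows_of(table: List[List[object]]) -> List[List[object]]:
    return [list(r) for r in zip(*table)]   # rows in lexicographic order of their index
```

Note that the 0.0.0.0 listener sorts before the 10.0.0.1 connection because the index sub identifiers, not the row insertion order, determine the get-next sequence, and that n rows by m columns cost n*m + 1 get-next operations.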
[Stallings], Figure 4.2: SNMP in the Internet protocol architecture.

SNMP PDU Sequences

[Stallings], Figure 7.5: model of interaction. (a), (b), (c): polling; (d): event reporting.
SNMP PDU Formats

[Stallings], Figure 7.3: SNMP PDU formats.

Strong Points of SNMP

- Simplicity: simple data model; only four operations; simple interaction model; connectionless transport.
- Low complexity on the agent side: SNMP agents are low in complexity and can run on small devices.
- Ubiquity: (almost) every networked device has an SNMP agent.
- Experience: SNMP version 1 (ca. 1990) and many SNMP implementations have been well tested.
Limitations of SNMP (Version 1)

- Limited expressiveness: management commands have to be expressed as reading and writing single (scalar) object values.
- Limited scalability: in large networks, the polling model of interaction can lead to high load on the management station, high management traffic and long execution times.
- Weak security model: authentication in version 1 is based on an unencrypted password (the community string). As a result, SNMP is primarily used for monitoring, even today.

Key Extensions to SNMP Version 1

Support for requesting large data sets in SNMP version 2 (ca. 1996):
- GetBulkRequest X m gives the values of the m lexicographical successors of X. This allows, for instance, reading a table by sending a single request.

Stronger security model in SNMP version 3 (ca. 1999):
- Support for origin authentication, data integrity and data confidentiality.
- Support for view-based access control. Views are subtrees or partial trees of a MIB, for which read and write privileges can be defined.
Network Monitoring using RMON

RMON (Remote Network Monitoring) is an SNMP-based standard for LAN monitoring. Its main component is the RMON MIB. It contains objects such as:
- hosts on a subnet; traffic statistics on the MAC layer (RMON1) and on higher layers (RMON2);
- control parameters and filters for collecting traffic statistics, capturing packets or generating alarms.
An agent with an RMON MIB is called an RMON probe. It typically runs on a PC.

Other Network Management Protocols

CLI (command-line interface)
- command-line interface for networking devices
- used by network administrators for provisioning and configuration
- not standardized; each vendor supports its own language

Syslog
- similar to print statements in a program
- supports event-based monitoring
- is being standardized by the IETF

Netconf
- designed for configuration management
- configurations are written in XML
- IETF standard

Netflow/IPFIX
- allow for flow monitoring and accounting
- Netflow is a Cisco-proprietary protocol, IPFIX the IETF standard version; both are similar.
Assignment 2.1

Read [Stallings], chapters 4-7. The text explains SNMP from the point of view of the various RFCs that make up the SNMP standard. It complements the perspective given in the lectures, which focuses more on concepts than on details of the standard. Specifically, study the MIB-II ipRouteTable object. You will work with this table in the SNMP project.

Assignment 2.2: Reading an SNMP table from a manager

1. Write a function that reads an SNMP table column by column, one column at a time (use get-bulk).
2. Write a function that reads an SNMP table row by row, one row at a time (use get-next).
3. Write a function that reads an SNMP table with a minimum number of SNMP operations.
4. Evaluate your functions by giving the number of SNMP operations used and the number and sizes of the SNMP messages exchanged between manager and agent (assume an SNMP response fits into a single PDU).
5. Perform the same evaluation for the function presented in class (reading a table column by column, one element at a time) and compare with your solutions.