Simple Network Management Protocol Chu-Sing Yang Department of Electrical Engineering National Cheng Kung University
Outline
- Basic Concepts
- Protocol Specification
- Transport-Level Support
- SNMP Group
- Practical Issues
Operations Supported by SNMP (RFC 1157, May 1990)
- Alteration and inspection of variables only: get, set, and trap
- It is not possible to change the structure of a MIB by adding or deleting object instances
- Access is provided only to leaf objects (object instances)
- No single operation addresses an entire table or a row of a table as one atomic unit
- These restrictions simplify the implementation of SNMP, but limit the capability of the NMS
Operations Supported by SNMP
- Get: a management station retrieves a scalar object value from a managed station
- Set: a management station updates a scalar object value in a managed station
- Trap: a managed station sends an unsolicited scalar object value to a management station
Network Management
- A distributed application: a number of application entities (management station and agent applications) supported by an application protocol
- A one-to-many relationship between a management station and a set of managed stations
- A one-to-many relationship between a managed station and a set of management stations
  - Each managed station controls its own local MIB
  - It must be able to control the use of that MIB by a number of management stations
  - This requires an authentication service, an access policy, and a proxy service
Communities and Community Names
- An SNMP community is a relationship between an SNMP agent and a set of SNMP managers that defines authentication, access control, and proxy characteristics
- It is defined locally at the managed system
- Each community is given a unique name in the agent, but the same name may be used by different agents
- The managed system establishes one community for each desired combination of authentication, access control, and proxy characteristics
- The agent may establish a number of communities, with overlapping management station membership
Authentication Service
- Assures that a received message is from the source it claims to be from
- SNMP provides only a trivial scheme: the community name is included in each message from a management station to an agent and functions as a password
- Because the name travels in the clear in every message, many network managers will be reluctant to allow anything other than network monitoring
- The community name could instead be used to trigger a stronger authentication procedure, with the name functioning simply as an initial password-screening device
Access Policy
- Managers belonging to different communities have different categories of MIB access
- Two aspects of access control:
  - SNMP MIB view: a subset of the objects within a MIB; different MIB views may be defined for each community, and the objects in a view need not belong to a single subtree of the MIB
  - SNMP access mode: READ-ONLY or READ-WRITE; an access mode is defined for each community
Access Policy (cont.)
- SNMP community profile = MIB view + access mode: a defined subset of the MIB at the agent plus an access mode for those objects
- SNMP community = SNMP agent + set of SNMP managers
- SNMP access policy = SNMP community + SNMP community profile
Proxy Service
- A proxy is an SNMP agent that acts on behalf of other devices:
  - Devices that do not support TCP/IP and SNMP
  - Devices that do support SNMP, where the proxy is used to minimize the interaction between the proxied device and the NMS
Instance Identification - Columnar Objects
- Every object in a MIB has a unique OID
- Columnar objects are the objects that appear in tables; each row contains the same set of scalar object types, or columnar objects
- SNMP defines two techniques for identifying a specific object instance:
  - Serial access, based on a lexicographic ordering of the objects in the MIB structure
  - Random access
Instance Identification - Columnar Objects (cont.)
- Random access
  - Each columnar object has a unique object identifier that is the same in each row
  - Object ID of the columnar object + one set of values of the INDEX objects = a particular scalar object in a particular row of the table
  - The instance identifier is formed by concatenating the columnar object's OID with the encoded values of the INDEX objects
Instance Identifiers for MIB-II Table Entries
Instance Identification - Conversion
How the value of an INDEX object is converted into one or more subidentifiers:
- Integer-valued: a single subidentifier
- String-valued, fixed-length: n subidentifiers (one per octet)
- String-valued, variable-length: n+1 subidentifiers (the length, then one per octet)
- Object-identifier-valued: n+1 subidentifiers (the number of subidentifiers, then the subidentifiers themselves)
- IpAddress-valued: 4 subidentifiers
Instance Identification - Ambiguous Row References
- Two or more rows may have the same values of the INDEX objects
  - Primary row: append subidentifier 1
  - Secondary row: append subidentifier 2
- Avoid defining tables that cannot be unambiguously referenced
Instance Identification - Conceptual Tables and Scalar Objects
- Table and row objects have no instance identifier; they are not accessible objects in SNMP
- Scalar (nontabular) objects have only one instance per object type: instance identifier = OID + .0
Lexicographic Ordering
- Object identifiers are ordered lexicographically, subidentifier by subidentifier, with a prefix preceding any OID that extends it
- A manager can therefore traverse the structure of a MIB and ask for the object instance that occurs next in the ordering
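The conversion rules and the ordering above, as an added example (not part of the lecture): a Python function that builds instance identifiers for columnar and scalar objects with the RFC 1212 rules, and a sort key giving the lexicographic order a GetNext walk follows. The object OIDs are the real MIB-II ones; the index values are constructed sample data.

```python
"""SNMPv1 instance identifiers from INDEX values, and lexicographic order.

Added example (not from the lecture): builds instance identifiers for
columnar and scalar objects with the RFC 1212 conversion rules and sorts
OIDs in the order a GetNext walk follows. The object OIDs are the real
MIB-II ones; the index values are constructed sample data.
"""

IP_ROUTE_DEST = "1.3.6.1.2.1.4.21.1.1"        # ipRouteDest, INDEX { ipRouteDest }
TCP_CONN_STATE = "1.3.6.1.2.1.6.13.1.1"       # tcpConnState, 4-part INDEX
UDP_IN_DATAGRAMS = "1.3.6.1.2.1.7.1"          # scalar object


def index_subids(value, kind, fixed_len=None):
    """Encode one INDEX value as sub-identifiers (RFC 1212 section 4.1.6).

    kind: 'int' | 'string' | 'oid' | 'ipaddr'. A string is fixed-length when
    fixed_len is given (n sub-ids) and variable-length otherwise (n+1: the
    length first, then one sub-id per octet).
    """
    if kind == "int":
        if value < 0:
            raise ValueError("INDEX integers must be non-negative")
        return [value]
    if kind == "string":
        octets = value.encode() if isinstance(value, str) else bytes(value)
        if fixed_len is not None:
            if len(octets) != fixed_len:
                raise ValueError("fixed-length string has the wrong length")
            return list(octets)
        return [len(octets)] + list(octets)
    if kind == "oid":
        subids = [int(s) for s in value.strip(".").split(".")]
        return [len(subids)] + subids          # n+1: the count, then the sub-ids
    if kind == "ipaddr":
        parts = [int(p) for p in value.split(".")]
        if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
            raise ValueError("malformed IpAddress")
        return parts                            # always exactly 4 sub-ids
    raise ValueError(f"unknown INDEX kind {kind!r}")


def instance_oid(object_oid, index=()):
    """Columnar object OID + encoded INDEX values -> instance identifier.

    index is a sequence of (value, kind) or (value, kind, fixed_len) tuples,
    one per entry of the INDEX clause, in order. No index means a scalar
    object, whose single instance is <OID>.0.
    """
    subids = [int(s) for s in object_oid.strip(".").split(".")]
    if not index:
        subids.append(0)
    for entry in index:
        subids.extend(index_subids(*entry))
    return ".".join(map(str, subids))


def oid_key(oid):
    """Sort key for lexicographic OID order: numeric, sub-id by sub-id; a
    proper prefix sorts before every OID that extends it."""
    return tuple(int(s) for s in oid.strip(".").split("."))


def lexicographic_order(oids):
    """The order in which successive GetNextRequests visit these instances."""
    return sorted(oids, key=oid_key)
```

Note that the order is numeric per subidentifier: ipRouteDest.9.1.2.3 precedes ipRouteDest.10.0.0.51, whereas a plain string sort of the dotted OIDs would put 10.0.0.51 first; a manager that sorts OIDs as strings will mis-order a table walk.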
SNMP Formats
- 5 types of PDUs: GetRequest, GetNextRequest, GetResponse, SetRequest, Trap
- Transmission of an SNMP message: construct the PDU according to RFC 1157, pass it with the source and destination transport addresses and the community name through the authentication service, wrap it in an SNMP message, encode the message using the Basic Encoding Rules (BER) and pass it to the transport service
ASN.1 Data Items
BER encodes each ASN.1 data item as a Type-Length-Value triple:
- Type: identifies the ASN.1 type and specifies whether the item is simple (primitive) or constructed
- Length: the number of octets in the Value field
- Value: the contents of the item
SNMP formats (RFC 1157)
Transmission of an SNMP Message
1. Construct the PDU using the ASN.1 structure defined in RFC 1157
2. Pass the PDU to an authentication service, together with the source and destination transport addresses and a community name
3. Construct a message consisting of a version field, the community name, and the result of step 2
4. Encode the new ASN.1 object using BER and pass it to the transport service
Receipt of an SNMP Message
1. Check the basic syntax of the SNMP message; discard it if malformed
2. Verify the version number; discard the message on a mismatch
3. Pass the community name, the PDU portion of the message, and the source and destination transport addresses to the authentication service
   - On failure, note the failure, (possibly) generate an authenticationFailure trap, and discard the message
   - On success, the service returns the PDU
4. Check the basic syntax of the PDU, then apply the SNMP access policy selected by the community name
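The transmission and receipt procedures above, as an added example (not part of the lecture): a Python encoder that builds an SNMPv1 message as SEQUENCE { version, community, PDU } with BER, a decoder for the same, and a receive function that applies the syntax, version and community checks in order. Only the ASN.1 types SNMPv1 uses are implemented; the community strings and OIDs are constructed sample values.

```python
"""Building and receiving an SNMPv1 message with BER (RFC 1157 section 4.1).

Added example, not from the lecture. Encodes Message ::= SEQUENCE {
version, community, PDU }, decodes it again, and runs the receipt checks
(message syntax, version, community-name authentication). Only the ASN.1
types SNMPv1 uses are implemented; community strings and OIDs are
constructed sample values.
"""

TAG_INT, TAG_OCTETS, TAG_NULL, TAG_OID, TAG_SEQ = 0x02, 0x04, 0x05, 0x06, 0x30
PDU_TAGS = {"GetRequest": 0xA0, "GetNextRequest": 0xA1, "GetResponse": 0xA2,
            "SetRequest": 0xA3, "Trap": 0xA4}          # context-specific, constructed
PDU_NAMES = {tag: name for name, tag in PDU_TAGS.items()}
SNMP_V1 = 0                                             # version-1(0)


def ber_len(n):
    """Length octets: short form below 128, long form (0x80|N, then N octets)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    """One Type-Length-Value triple."""
    return bytes([tag]) + ber_len(len(value)) + value


def enc_int(v):
    """Two's-complement INTEGER, minimal length for non-negative values."""
    return tlv(TAG_INT, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def enc_oid(oid):
    """OBJECT IDENTIFIER: first two sub-ids share one octet, the rest are base-128."""
    subids = [int(s) for s in oid.strip(".").split(".")]
    out = bytearray([40 * subids[0] + subids[1]])
    for s in subids[2:]:
        chunk = [s & 0x7F]
        s >>= 7
        while s:
            chunk.append(0x80 | (s & 0x7F))   # continuation bit on all but the last octet
            s >>= 7
        out += bytes(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def enc_message(community, pdu_type, request_id, varbinds, error_status=0, error_index=0):
    """varbinds: [(oid, encoded value or None)]; None becomes NULL, as in a request."""
    vbl = b"".join(tlv(TAG_SEQ, enc_oid(oid) + (val if val is not None else tlv(TAG_NULL, b"")))
                   for oid, val in varbinds)
    pdu = tlv(PDU_TAGS[pdu_type], enc_int(request_id) + enc_int(error_status)
              + enc_int(error_index) + tlv(TAG_SEQ, vbl))
    return tlv(TAG_SEQ, enc_int(SNMP_V1) + tlv(TAG_OCTETS, community.encode()) + pdu)


def read_tlv(buf, pos):
    """Return (tag, value, position after the TLV); raises if truncated."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length


def dec_int(value):
    return int.from_bytes(value, "big", signed=True)


def dec_oid(value):
    subids, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    return ".".join(map(str, subids))


def parse_message(buf):
    """Syntax check of message and PDU; raises ValueError/IndexError if malformed."""
    tag, body, end = read_tlv(buf, 0)
    if tag != TAG_SEQ or end != len(buf):
        raise ValueError("message is not a single SEQUENCE")
    vtag, ver, pos = read_tlv(body, 0)
    ctag, comm, pos = read_tlv(body, pos)
    ptag, pdu, pos = read_tlv(body, pos)
    if vtag != TAG_INT or ctag != TAG_OCTETS or ptag not in PDU_NAMES or ptag == PDU_TAGS["Trap"]:
        raise ValueError("bad version, community or PDU tag")
    header, p = [], 0
    for _ in range(3):                                  # request-id, error-status, error-index
        t, v, p = read_tlv(pdu, p)
        if t != TAG_INT:
            raise ValueError("PDU header field is not an INTEGER")
        header.append(dec_int(v))
    t, vbl, p = read_tlv(pdu, p)
    if t != TAG_SEQ or p != len(pdu):
        raise ValueError("bad VarBindList")
    varbinds, q = [], 0
    while q < len(vbl):
        _, vb, q = read_tlv(vbl, q)
        otag, oid, r = read_tlv(vb, 0)
        xtag, val, _ = read_tlv(vb, r)
        if otag != TAG_OID:
            raise ValueError("VarBind name is not an OID")
        varbinds.append((dec_oid(oid), dec_int(val) if xtag == TAG_INT else None))
    return {"version": dec_int(ver), "community": comm.decode(), "pdu": PDU_NAMES[ptag],
            "request_id": header[0], "error_status": header[1], "error_index": header[2],
            "varbinds": varbinds}


def receive(buf, accepted_communities):
    """Receipt procedure: syntax, version, then the trivial authentication step.
    Returns (message, 'accept') or (None, reason); the authentication failure
    is where an agent would raise an authenticationFailure trap."""
    try:
        msg = parse_message(buf)
    except (ValueError, IndexError):
        return None, "discard: malformed message"
    if msg["version"] != SNMP_V1:
        return None, "discard: unsupported version"
    if msg["community"] not in accepted_communities:
        return None, "discard: authentication failed (trap)"
    return msg, "accept"
```

The order of the receipt checks matters for an agent exposed to untrusted packets: the message is fully parsed before the community name is compared, so the parser is the part that runs on unauthenticated input and must reject truncated lengths (read_tlv does) rather than read past the buffer.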
Variable Bindings
- Group a number of operations of the same type (get, set, trap) into a single message
- This allows multiple-object exchanges in one PDU
GetRequest PDU
- Fields: PDU type, request-id, variable-bindings (error-status and error-index are also present but set to 0 in a request)
- request-id: a number assigned by the sending entity so that each outstanding request to the same agent is uniquely identified
  - Lets the SNMP application correlate incoming responses with outstanding requests
  - Lets it identify duplicated PDUs
- Atomic: either all requested values are returned or none is
- Error conditions: noSuchName, tooBig, genErr
GetRequest PDU (cont.)
- An entire row of a table can be retrieved at a time simply by including each object instance of the row in the variable-bindings list:
  GetRequest (ipRouteDest.9.1.2.3, ipRouteMetric1.9.1.2.3, ipRouteNextHop.9.1.2.3)
- Tradeoff: the number of variables in one GetRequest PDU (fewer exchanges versus larger messages and a greater chance of a tooBig response)
GetNextRequest PDU
- For each variable, the respondent returns the value of the object instance that is next in lexicographic order, not just the next object
- Atomic: either all requested values are returned or none is
- Allows a network management station to discover the structure of a MIB view dynamically
- Makes it possible to search a table whose entries are unknown
GetNextRequest PDU - Retrieving a Simple Object Value
GetRequest (udpInDatagrams.0, udpNoPorts.0, udpInErrors.0, udpOutDatagrams.0)
GetResponse ((udpInDatagrams.0 = 100), (udpNoPorts.0 = 1), (udpInErrors.0 = 2), (udpOutDatagrams.0 = 200))
GetNextRequest (udpInDatagrams, udpNoPorts, udpInErrors, udpOutDatagrams)
GetResponse ((udpInDatagrams.0 = 100), (udpNoPorts.0 = 1), (udpInErrors.0 = 2), (udpOutDatagrams.0 = 200))
If the agent does not support udpNoPorts, the same GetNextRequest returns instead:
GetResponse ((udpInDatagrams.0 = 100), (udpInErrors.0 = 2), (udpInErrors.0 = 2), (udpOutDatagrams.0 = 200))
GetNextRequest PDU - Retrieving a Simple Object Value (cont.)
- For an unavailable object, the value of the next object instance in order is returned, so the request still succeeds
- As a way to retrieve a set of object values when some might be missing, GetNextRequest is therefore better than GetRequest, which would fail with noSuchName
GetNextRequest PDU - Retrieving Unknown Objects
GetNextRequest (udpInDatagrams.2)
GetResponse (udpNoPorts.0 = 1)
- Agents do not check the validity of the supplied identifier; they simply return the next instance in lexicographic order
- A management station can use the GetNextRequest PDU to probe a MIB view and discover its structure
GetNextRequest PDU - Accessing Table Values
GetNextRequest (ipRouteDest, ipRouteMetric1, ipRouteNextHop)
GetResponse ((ipRouteDest.9.1.2.3 = 9.1.2.3), (ipRouteMetric1.9.1.2.3 = 3), (ipRouteNextHop.9.1.2.3 = 99.0.0.3))
GetNextRequest (ipRouteDest.9.1.2.3, ipRouteMetric1.9.1.2.3, ipRouteNextHop.9.1.2.3)
GetResponse ((ipRouteDest.10.0.0.51 = 10.0.0.51), (ipRouteMetric1.10.0.0.51 = 5), (ipRouteNextHop.10.0.0.51 = 89.1.1.42))
GetNextRequest PDU - Accessing Table Values (cont.)
GetNextRequest (ipRouteDest.10.0.0.51, ipRouteMetric1.10.0.0.51, ipRouteNextHop.10.0.0.51)
GetResponse ((ipRouteDest.10.0.0.99 = 10.0.0.99), (ipRouteMetric1.10.0.0.99 = 5), (ipRouteNextHop.10.0.0.99 = 89.1.1.42))
GetNextRequest (ipRouteDest.10.0.0.99, ipRouteMetric1.10.0.0.99, ipRouteNextHop.10.0.0.99)
GetResponse ((ipRouteMetric1.9.1.2.3 = 3), (ipRouteNextHop.9.1.2.3 = 99.0.0.3), (ipNetToMediaIfIndex.1.3 = 1))
- The last request reaches the end of the routing table: each variable rolls over into the first row of the next column, and the last column into the next table, which is how the manager detects the end of the table
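The GetNext walks above, as an added example (not part of the lecture): a toy Python agent holding a small MIB view and answering Get and GetNext in lexicographic order, plus the manager-side loop that walks a table and stops when the first variable leaves its column. The object identifiers are the real MIB-II ones; the routing-table contents and counter values are the lecture's sample numbers (constructed data), and ipNetToMediaIfIndex.1.3 is kept as the lecture's abbreviated name for the object that follows the routing table.

```python
"""Get and GetNext against a small in-memory MIB view.

Added example, not from the lecture: a toy agent that stores object
instances and answers GetRequest and GetNextRequest as the walks describe,
including the roll-over from the last row of one column into the first row
of the next column. Object identifiers are the real MIB-II ones; the table
contents and counter values are constructed sample data.
"""

IPROUTEDEST, IPROUTEMETRIC1, IPROUTENEXTHOP = (
    "1.3.6.1.2.1.4.21.1.1", "1.3.6.1.2.1.4.21.1.3", "1.3.6.1.2.1.4.21.1.4")
UDPINDATAGRAMS, UDPNOPORTS, UDPINERRORS, UDPOUTDATAGRAMS = (
    "1.3.6.1.2.1.7.1", "1.3.6.1.2.1.7.2", "1.3.6.1.2.1.7.3", "1.3.6.1.2.1.7.4")
IPNETTOMEDIAIFINDEX = "1.3.6.1.2.1.4.22.1.1"
NO_SUCH_NAME = 2                      # error-status noSuchName(2)


def oid_key(oid):
    """Lexicographic order: numeric comparison, sub-identifier by sub-identifier."""
    return tuple(int(s) for s in oid.split("."))


class Agent:
    def __init__(self, instances):
        self.mib = dict(instances)                        # {instance_oid: value}
        self.order = sorted(self.mib, key=oid_key)        # the GetNext walk order

    def get(self, *oids):
        """All-or-nothing: one unknown instance fails the whole request."""
        for i, oid in enumerate(oids, start=1):
            if oid not in self.mib:
                return {"error_status": NO_SUCH_NAME, "error_index": i}
        return {"error_status": 0, "varbinds": [(o, self.mib[o]) for o in oids]}

    def get_next(self, *oids):
        """For each name, the first instance lexicographically greater than it.
        The name itself need not exist: the agent does not check it."""
        out = []
        for i, oid in enumerate(oids, start=1):
            key = oid_key(oid)
            nxt = next((o for o in self.order if oid_key(o) > key), None)
            if nxt is None:                               # ran off the end of the view
                return {"error_status": NO_SUCH_NAME, "error_index": i}
            out.append((nxt, self.mib[nxt]))
        return {"error_status": 0, "varbinds": out}


def walk_table(agent, *columns):
    """Manager side: GetNext on the column OIDs, then on each returned
    instance, until the first variable leaves its column (end of table)."""
    rows, names = [], list(columns)
    while True:
        resp = agent.get_next(*names)
        if resp["error_status"]:
            break
        names = [oid for oid, _ in resp["varbinds"]]
        if not names[0].startswith(columns[0] + "."):
            break                                         # rolled into the next column
        rows.append([value for _, value in resp["varbinds"]])
    return rows


def sample_agent():
    """The lecture's example MIB contents (constructed)."""
    inst = {UDPINDATAGRAMS + ".0": 100, UDPNOPORTS + ".0": 1,
            UDPINERRORS + ".0": 2, UDPOUTDATAGRAMS + ".0": 200,
            IPNETTOMEDIAIFINDEX + ".1.3": 1}   # lecture's abbreviated instance name
    routes = {"9.1.2.3": (3, "99.0.0.3"), "10.0.0.51": (5, "89.1.1.42"),
              "10.0.0.99": (5, "89.1.1.42")}
    for dest, (metric, next_hop) in routes.items():
        inst[IPROUTEDEST + "." + dest] = dest
        inst[IPROUTEMETRIC1 + "." + dest] = metric
        inst[IPROUTENEXTHOP + "." + dest] = next_hop
    return Agent(inst)
```

The end-of-table test in walk_table compares against the column OID followed by a dot; without the dot, column .1 would also match instances of column .10 and the walk would wander into another column's rows.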
SetRequest PDU
- The receiving SNMP entity responds to a SetRequest PDU with a GetResponse PDU containing the same request-id
- Atomic: either all of the variables are updated or none is
- Error conditions: noSuchName, tooBig, genErr, and badValue
  - badValue: the type, length, or actual value of the supplied value is inconsistent with the object
SetRequest PDU - Updating a Table
SetRequest (ipRouteMetric1.9.1.2.3 = 9)
GetResponse (ipRouteMetric1.9.1.2.3 = 9)
Adding a new row to the table:
SetRequest ((ipRouteDest.11.3.3.12 = 11.3.3.12), (ipRouteMetric1.11.3.3.12 = 9), (ipRouteNextHop.11.3.3.12 = 91.0.0.5))
- The index value ipRouteDest.11.3.3.12 is currently unknown to the agent
- Three ways the agent may handle the request:
  - Reject the operation and return noSuchName
  - Attempt to accept the operation and, if it cannot, return badValue
  - Accept the operation and create the row
SetRequest PDU - Updating a Table (cont.)
SetRequest (ipRouteDest.11.3.3.12 = 11.3.3.12)
- The agent may add a new row and supply default values for the columnar objects not listed in the SetRequest
- Or it may reject the operation
- Which action is taken is a policy and implementation matter, not defined by the standard
SetRequest PDU - Row Deletion
- The Set command can be used to logically delete a row of a table by setting its type column to invalid:
SetRequest (ipRouteType.7.3.5.3 = invalid)
GetResponse (ipRouteType.7.3.5.3 = invalid)
- Whether the row is physically deleted from the agent's MIB or simply marked as invalid is implementation-specific
- Likewise, a row of ipNetToMediaTable is deleted by setting ipNetToMediaType = invalid
SetRequest PDU - Performing an Action
- The set capability can be used to issue a command: an object represents the command, and a specific action is taken when the object is set to a specific value
- Example: a reboot object, where setting it to the agreed value triggers the reboot action and the stored object value itself carries no other meaning
SetRequest PDU - The Curious Case of readOnly
- One of the error-status values that may be returned in the GetResponse to a SetRequest is readOnly
- RFC 1157 says it applies if a Set operation is attempted against a read-only object, but the practice is:
  - If the object is not in the MIB view of the manager, return noSuchName
  - If the object is in the MIB view of the manager but is read-only, also return noSuchName
- A manager therefore cannot tell from the error code whether the object is missing or merely read-only
SetRequest PDU - The Curious Case of readOnly (cont.)
- The explanation for the use of the readOnly error code was omitted from RFC 1157
- Do not use the readOnly error code; returning noSuchName keeps the agent compliant with the standard
- SNMPv2 defines a new error code, notWritable, for this case
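The Set semantics of the last several slides and the access policy (MIB view plus access mode) defined earlier, as an added example (not part of the lecture): a toy Python agent that applies a community profile to a SetRequest over ipRouteTable, enforces the all-or-nothing rule, follows the lecture's reading of RFC 1157 (noSuchName for an object outside the view and for a read-only object, badValue for a wrong type, readOnly never sent), accepts a new row only when the same request supplies ipRouteDest, fills unlisted columns with defaults, and treats ipRouteType = invalid(2) as a logical row deletion. The community names, profiles, defaults and row contents are constructed; the column OIDs are the real MIB-II ones.

```python
"""SetRequest handling under an SNMPv1 access policy.

Added example, not from the lecture: a toy agent applying a community
profile (MIB view + access mode) to a SetRequest over ipRouteTable with
all-or-nothing commit. Community names, profiles, defaults and row contents
are constructed; the column OIDs are the real MIB-II ones.
"""

NO_SUCH_NAME, BAD_VALUE = 2, 3                 # RFC 1157 error-status codes
IPROUTEDEST, IPROUTEMETRIC1, IPROUTETYPE, IPROUTEPROTO = (
    "1.3.6.1.2.1.4.21.1.1", "1.3.6.1.2.1.4.21.1.3",
    "1.3.6.1.2.1.4.21.1.8", "1.3.6.1.2.1.4.21.1.9")
ROUTE_TYPE_INVALID = 2                          # ipRouteType invalid(2)
SYNTAX = {IPROUTEDEST: str, IPROUTEMETRIC1: int, IPROUTETYPE: int, IPROUTEPROTO: int}
ACCESS = {IPROUTEDEST: "read-write", IPROUTEMETRIC1: "read-write",
          IPROUTETYPE: "read-write", IPROUTEPROTO: "read-only"}
DEFAULTS = {IPROUTEMETRIC1: -1, IPROUTETYPE: 3, IPROUTEPROTO: 2}   # constructed policy


def split_instance(oid):
    """ipRouteTable instances end in a 4-sub-id IpAddress index."""
    parts = oid.split(".")
    return ".".join(parts[:-4]), ".".join(parts[-4:])


class Agent:
    def __init__(self, rows, communities):
        # rows: {index: {column_oid: value}} -> flat {instance_oid: value}
        self.mib = {f"{col}.{idx}": v for idx, cols in rows.items() for col, v in cols.items()}
        self.communities = communities      # name -> (view: set of column OIDs, access mode)

    def row(self, idx):
        return {c: self.mib[f"{c}.{idx}"] for c in SYNTAX if f"{c}.{idx}" in self.mib}

    def set(self, community, varbinds):
        """Validate every binding first, then commit all of them or none."""
        profile = self.communities.get(community)
        if profile is None:
            return None                       # authentication failed: discard, trap, no response
        view, mode = profile
        requested = dict(varbinds)
        for i, (oid, value) in enumerate(varbinds, start=1):
            col, idx = split_instance(oid)
            # Outside the view, read-only object, or read-only community all
            # look the same to the manager: noSuchName, never readOnly
            if col not in view or ACCESS[col] != "read-write" or mode != "READ-WRITE":
                return {"error_status": NO_SUCH_NAME, "error_index": i}
            if type(value) is not SYNTAX[col]:
                return {"error_status": BAD_VALUE, "error_index": i}
            # Row-creation policy: an unknown row is accepted only when the
            # same request also supplies its ipRouteDest (the INDEX column)
            if oid not in self.mib and f"{IPROUTEDEST}.{idx}" not in requested:
                return {"error_status": NO_SUCH_NAME, "error_index": i}
        new_rows = {split_instance(oid)[1] for oid in requested
                    if f"{IPROUTEDEST}.{split_instance(oid)[1]}" not in self.mib}
        for idx in new_rows:                  # fill the columns the request left out
            for col, default in DEFAULTS.items():
                self.mib[f"{col}.{idx}"] = default
        self.mib.update(requested)            # the actual commit
        for oid, value in varbinds:           # logical deletion
            col, idx = split_instance(oid)
            if col == IPROUTETYPE and value == ROUTE_TYPE_INVALID:
                for c in SYNTAX:
                    self.mib.pop(f"{c}.{idx}", None)
        return {"error_status": 0, "varbinds": list(varbinds)}


def sample_agent():
    """Two routes and three community profiles (constructed)."""
    full_view = set(SYNTAX)
    rows = {"9.1.2.3": {IPROUTEDEST: "9.1.2.3", IPROUTEMETRIC1: 3, IPROUTETYPE: 4, IPROUTEPROTO: 2},
            "7.3.5.3": {IPROUTEDEST: "7.3.5.3", IPROUTEMETRIC1: 2, IPROUTETYPE: 4, IPROUTEPROTO: 2}}
    communities = {"public": (full_view, "READ-ONLY"),         # monitoring only
                   "netops": (full_view, "READ-WRITE"),
                   "limited": ({IPROUTEDEST}, "READ-WRITE")}   # narrow MIB view
    return Agent(rows, communities)
```

Validation is completed over every binding before anything is written, which is what makes the response honest: a badValue at error-index 2 guarantees that the binding at index 1 was not applied either.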
Trap PDU
- Asynchronous notification of significant events
- Fields:
  - PDU type: indicates a Trap PDU
  - enterprise: identifies the network management subsystem that generated the trap; taken from sysObjectID in the system group
  - agent-addr: IP address of the agent generating the trap
  - generic-trap: one of the predefined trap types
  - specific-trap: indicates more specifically the nature of the trap
  - time-stamp: the time between the last (re)initialization of the agent and the generation of the trap
  - variable-bindings: additional information relating to the trap
Trap PDU (cont.) - generic-trap values
- coldStart (0)
- warmStart (1)
- linkDown (2)
- linkUp (3)
- authenticationFailure (4)
- egpNeighborLoss (5)
- enterpriseSpecific (6)
Transport-Level Support
- SNMP requires only that the transport service deliver SNMP messages
- The protocol makes no assumptions about whether the underlying service is connectionless or connection-oriented
Connectionless Transport Service
- User Datagram Protocol (UDP)
  - Port 161: agents listen for incoming GetRequest, GetNextRequest, and SetRequest
  - Port 162: management stations listen for incoming Trap
- ISO Connectionless Transport Service (CLTS), per RFC 1283
  - Transport Service Access Point (TSAP) address = network-layer address + TSAP identifier (selector)
  - TSAP selector "snmp": like port 161
  - TSAP selector "snmp-trap": like port 162
Connectionless Transport Service (cont.)
- Loss of a PDU
  - The burden of coping with a lost PDU is on the application that is using SNMP
  - The recovery actions are not covered by the standard
- GetRequest, GetNextRequest, GetResponse
  - Loss: timeout and retransmission
  - Duplication: detected by request-id
- SetRequest: verify the effect by testing the object with a GetRequest
- Trap
  - No acknowledgment is provided
  - Provides only an early warning of a significant event; the manager should still periodically poll the agent for the relevant status
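The application-level recovery described above, as an added example (not part of the lecture): a Python manager-side request loop over a simulated UDP channel that drops chosen request datagrams and delivers every response twice, showing timeout and retransmission, rejection of duplicate or stale responses by request-id, and verification of a SetRequest with a follow-up GetRequest. The channel, the toy agent and its sysName value are constructed; no real network traffic is involved.

```python
"""Loss and duplication handled by the application, not by SNMP.

Added example, not from the lecture: a manager request loop over a
simulated UDP channel that drops chosen datagrams and duplicates responses.
Lost requests are recovered by timeout and retransmission, stray responses
are rejected by request-id, and a Set is confirmed by a Get. The channel,
the agent and its sysName value are constructed; nothing touches a network.
"""
import itertools


class ToyAgent:
    def __init__(self, mib):
        self.mib = dict(mib)                  # {instance_oid: value}

    def handle(self, req):
        if req["pdu"] == "SetRequest":
            self.mib.update(req["varbinds"])
        return {"pdu": "GetResponse", "request_id": req["request_id"],
                "varbinds": [(oid, self.mib.get(oid)) for oid, _ in req["varbinds"]]}


class LossyChannel:
    """drops: 1-based attempt numbers whose request datagram is lost;
    duplicate: deliver every response twice, as a flaky path might."""
    def __init__(self, agent, drops=(), duplicate=False):
        self.agent, self.drops, self.duplicate = agent, set(drops), duplicate
        self.attempts, self.inbox = 0, []

    def send(self, req):
        self.attempts += 1
        if self.attempts in self.drops:
            return                            # datagram never arrives
        resp = self.agent.handle(req)
        self.inbox.extend([resp, resp] if self.duplicate else [resp])

    def recv(self):
        """One datagram, or None when the manager's timer would expire."""
        return self.inbox.pop(0) if self.inbox else None


class Manager:
    def __init__(self, channel, max_retries=3):
        self.channel, self.max_retries = channel, max_retries
        self.next_id = itertools.count(1)
        self.stats = {"retransmits": 0, "ignored": 0}

    def request(self, pdu, varbinds):
        rid = next(self.next_id)              # unique per outstanding request
        req = {"pdu": pdu, "request_id": rid, "varbinds": varbinds}
        for attempt in range(self.max_retries + 1):
            if attempt:
                self.stats["retransmits"] += 1
            self.channel.send(req)
            while (resp := self.channel.recv()) is not None:
                if resp["request_id"] == rid:
                    return resp["varbinds"]
                self.stats["ignored"] += 1    # duplicate or stale: wrong request-id
            # timeout: fall through and retransmit the same request-id
        raise TimeoutError(f"no response to request-id {rid}")

    def get(self, *oids):
        return self.request("GetRequest", [(oid, None) for oid in oids])

    def set_verified(self, oid, value):
        """Set, then read back: the GetResponse to a Set echoes the request
        and by itself does not prove the agent applied the value."""
        self.request("SetRequest", [(oid, value)])
        return self.get(oid) == [(oid, value)]
```

A retransmission reuses the original request-id, so a late response to the first copy and the response to the retransmitted copy are indistinguishable and either satisfies the request; the surplus one is dropped when the next request sees a request-id that is not its own.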
Connection-Oriented Transport Service
- No provision has been made for the use of SNMP over TCP
- RFC 1283 prescribes conventions for SNMP over the ISO connection-oriented transport service (COTS)
  - Supported over the five ISO transport protocol classes
  - Class 0 and Class 1: over X.25
  - Class 2 through Class 4: the same TSAP selectors used for CLTS are used for COTS
SNMP Group
- All of the objects in the snmp group are read-only counters except the last object, snmpEnableAuthenTraps, which is read-write and controls whether the agent generates authenticationFailure traps
Differences in SNMP Support
- Community name "public"
  - Conventionally gives unrestricted access to the entire MIB: the MIB view consists of the entire agent MIB
  - Being a default known to everyone, it should not be left in place on a production agent
- Trap-directed polling vs. scheduled polling
  - For example, whether a coldStart trap is relied on to detect a restart
- Objects not supported
  - An implementation that claims support for a group should support all of the objects in that group
  - Returning zero for a counter the agent does not actually maintain is ambiguous (is the count really zero?); noSuchName should be returned instead
Selection of a Network Management Station
- Conformance to standards
- Extended MIB support
- Intuitive interface
- Automatic discovery
- Programmable events
- Advanced network control
- Object-oriented management
- Custom icons
Polling Frequency
- Assume the manager can handle only one agent at a time; then N <= T / delta, where
  - N = number of agents
  - T = desired polling interval
  - delta = average time required to poll one agent, which is the sum of:
    - processing time to generate a request at the management station
    - network delay from manager to agent
    - processing time at the agent to interpret the request
    - processing time at the agent to generate the response
    - network delay from agent to manager
    - processing time at the manager to receive and interpret the response
  - multiplied by the number of request/response exchanges needed to obtain all the information
Polling Frequency (cont.)
- The quantities that interact: the number of agents, the processing time for a request or a response, the network delay, the polling interval, and the load the polling traffic imposes on the network
Limitations of SNMP
- Not suitable for managing a truly large network
- Not well suited to retrieving large volumes of data, such as an entire table
- SNMP traps are unacknowledged
- Provides only trivial authentication (the clear-text community name)
- Does not directly support imperative commands
- The SNMP model is limited and does not support applications that make sophisticated management queries
- Does not support manager-to-manager communication