Thursday, June 7, 2012

GIST NOTES 22 - SNMP


[DISCLAIMER: This is solely for non-commercial use. I don't claim ownership of this content. This is a crux of all my readings, studies and analysis. Some of them are excerpts from famous books/sources on the subject. Some of them are my contemplation upon experiments with direct hand coded code samples using IDE or notepad.

I've created this mainly to reduce an entire book into few pages of critical content that we should never forget. Even after years, you don't need to read the entire book again to get back its philosophy. I hope these notes will help you to replay the entire book in your mind once again.]


>SNMP uses MIBs
>MIBs use the notation defined by ASN.1 (Abstract Syntax Notation One)

BER
---
>BER (Basic Encoding Rules) of ASN.1 is used
>BER encodes every value in TLV (Type-Length-Value) form
>Type - 8 bits

Type
The type field is an octet specifying the characteristics of the value field.

Type identifier octet (bit 8 is the most significant bit):
  bits 8-7  Class
  bit 6     P/C
  bits 5-1  Tag Number

If Class is set to Universal, the value is of a type native to ASN.1 (e.g. INTEGER). The Application class is only valid for one specific application. Context-specific depends on the context (such as within a sequence, set or choice) and private can be defined in private specifications.

Class bits in a Type identifier octet:
  Class             bit 8  bit 7
  Universal           0      0
  Application         0      1
  Context-specific    1      0
  Private             1      1

P/C is the primitive/constructed bit; it specifies whether the value is primitive, like an INTEGER, or constructed, which means it again holds TLV values like a SET.
  P/C           bit 6
  Primitive       0
  Constructed     1

Tag Number – specifies the standard (known) data type
>Length - 2 or more bytes (big endian encoded)

Big Endian / Little Endian
--------------------------
>Byte order in a word at hardware level
>BigEndian - stores most significant byte first
>LittleEndian - stores the least significant byte first
>MixedEndian/MiddleEndian - both big and little endians mixed in larger words
>Endianness in networking - based on which byte is sent first; IP uses big endian
------------x-------------
>SNMP agent receives request on UDP port 161
>Manager receives notifications on port 162 (Trap and InformRequest)
>When used with Transport Layer Security or Datagram Transport Layer Security, requests are received on port 10161 and traps are sent to port 10162.[3]
>SNMPv1 introduced 5 PDUs
>SNMPv2 added two more(GetBulkRequest and InformRequest)
>SNMPv3 added no new PDUs
All SNMP PDUs are constructed as follows:
IP header | UDP header | version | community | PDU-type | request-id | error-status | error-index | variable bindings

The seven SNMP protocol data units (PDUs) are as follows:

GetRequest
A manager-to-agent request to retrieve the value of a variable or list of variables. Desired variables are specified in variable bindings (values are not used). Retrieval of the specified variable values is to be done as an atomic operation by the agent. A Response with current values is returned.

SetRequest
A manager-to-agent request to change the value of a variable or list of variables. Variable bindings are specified in the body of the request. Changes to all specified variables are to be made as an atomic operation by the agent. A Response with (current) new values for the variables is returned.

GetNextRequest
A manager-to-agent request to discover available variables and their values. Returns a Response with variable binding for the lexicographically next variable in the MIB. The entire MIB of an agent can be walked by iterative application of GetNextRequest starting at OID 0. Rows of a table can be read by specifying column OIDs in the variable bindings of the request.

GetBulkRequest
Optimized version of GetNextRequest. A manager-to-agent request for multiple iterations of GetNextRequest. Returns a Response with multiple variable bindings walked from the variable binding or bindings in the request. PDU specific non-repeaters and max-repetitions fields are used to control response behavior. GetBulkRequest was introduced in SNMPv2.

Response
Returns variable bindings and acknowledgement from agent to manager for GetRequest, SetRequest, GetNextRequest, GetBulkRequest and InformRequest. Error reporting is provided by error-status and error-index fields. Although it was used as a response to both gets and sets, this PDU was called GetResponse in SNMPv1.

Trap
Asynchronous notification from agent to manager. Includes current sysUpTime value, an OID identifying the type of trap and optional variable bindings. Destination addressing for traps is determined in an application-specific manner typically through trap configuration variables in the MIB. The format of the trap message was changed in SNMPv2 and the PDU was renamed SNMPv2-Trap.

InformRequest
Acknowledged asynchronous notification manager to manager[4] or agent to manager. Manager-to-manager notifications were already possible in SNMPv1 (using a Trap), but as SNMP commonly runs over UDP where delivery is not assured and dropped packets are not reported, delivery of a Trap was not guaranteed. InformRequest fixes this by sending back an acknowledgement on receipt. Receiver replies with Response parroting all information in the InformRequest. This PDU was introduced in SNMPv2.[5]

>SNMPv2 added party-based security to v1, but it was not widely agreed upon; instead the community-based variant, SNMPv2c, became the de facto standard

>SNMPv2 and SNMPv1 are not compatible with each other, due to the PDU format change and the two additional requests in SNMPv2

Interoperability between different versions of SNMP -> http://tools.ietf.org/html/rfc3584
Proxy Agent: Translates between SNMPv1 and SNMPv2
Bilingual NMS: Talks both SNMPv1 and SNMPv2 as per the device capability. Identifies the agent version by examining certain basic info from the local database or device.

SNMPv3: Makes no changes to the protocol except for the addition of cryptographic security; it adds security and remote configuration enhancements to SNMP, namely encryption (confidentiality), message integrity and authentication (source validation).
Resource Indexing: Certain devices might change the indices of their resources in the MIB entries between reboots; for such devices the NMS should re-poll the data upon receiving a coldStart trap from the agent

Security Implications:
1. SNMPv1 and SNMPv2 send the community string in clear text, so it can be captured with a packet sniffer
2. All versions of SNMP are subject to brute force and dictionary attacks for guessing the community strings, authentication strings, authentication keys, encryption strings, or encryption keys, because they do not implement a challenge-response handshake.
3. Although SNMP works over TCP and other protocols, it is most commonly used over UDP, which is connectionless and vulnerable to IP spoofing attacks. Thus, all versions are subject to bypassing device access lists that might have been implemented to restrict SNMP access, though SNMPv3's other security mechanisms should prevent a successful attack.
4. Auto Discovery – trying to discover local network devices by broadcasting community strings might pose a security threat in shared data centers or commercial networks

SMIv1 – used by SNMPv1
SMIv2 – used by SNMPv2 and SNMPv3

>SNMP is an internet standard protocol

>SGMP(Simple Gateway Management Protocol) is the predecessor to SNMP
>Host Resources MIB covers disk space, running processes and similar host information on Windows or Linux systems

>An agent usually implements multiple MIBs; from standard MIBs to proprietary MIBs

>MIB-II defines standard management information and interface details for a typical device

>RMON – Remote Monitoring; data collector for a network without NMS; NMS can later poll the RMON probe data collector to retrieve complete management polled data for the remote network; RMON probe can also send traps to NMS upon certain critical condition on monitored network

>Some standard MIBs: ATM MIB, Frame Relay DTE Interface Type MIB, BGP MIB, RDBMS MIB, Radius Auth Server MIB, Mail Monitoring MIB, DNS Server MIB

>SMI(Structure of Management Information) tells how to define managed objects and properties

>MIB is a definition of management data for a device using SMI notations

>Network Management mainly focuses on FCAPS(defined by ISO)

>FCAPS: Fault, Configuration, Accounting, Performance, Security

Fault Management: detect, log and report faults in the devices and networks; 1) isolate the problem; 2) resolve the problem; 3) record the process used to detect and resolve the problems

Configuration Management: Monitor and Change certain information in devices that would change the behavior of the device in some way.

Accounting Management: Tracking network resource utilization by all groups and individuals to ensure fair usage and capacity sharing

Performance Management: 1. Performance data is gathered, 2. Baseline levels are established based on data gathered, 3. Performance thresholds are established, and when the thresholds are exceeded, alert is raised to indicate the problems.

Security Management: 1. Control access to resources such as devices, services and networks, 2. Detect and prevent attacks that can compromise networks and hosts. Not only network security but also physical security; today's security tools and systems are: 1. Firewalls, 2. Intrusion Detection Systems (IDS), 3. Intrusion Prevention Systems (IPS), 4. Antivirus Systems, 5. Policy Management and Enforcement Systems.

Most of today’s network security systems can integrate with NMS through SNMP.

Alarm Correlation or RCA(Root Cause Analysis): Alarm correlation deals with narrowing down many alerts and events into a single alert or several events that depict the real problem.



Getting More Information
Getting a handle on SNMP may seem like a daunting task. The RFCs provide the official definition of the protocol, but they were written for software developers, not network administrators, so it can be difficult to extract the information you need from them. Fortunately, many online resources are available. A good place to look is is another good site for information. The Simple Times, an online publication devoted to SNMP and network management, is also useful. You can find all the issues ever published* at http://www.simple-times.org. SNMP Research is a commercial SNMP vendor. Aside from selling advanced SNMP solutions, its web site contains a good amount of free information about SNMP. The company’s web site is
* At this writing, the current issue is quite old, published in December 2002.
This is the Title of the Book, eMatter Edition
Copyright © 2008 O’Reilly & Associates, Inc. All rights reserved.
18 | Chapter 1: Introduction to SNMP and Network Management
Another great resource is Usenet news. The newsgroup most people frequent is comp.dcom.net-management. Another good newsgroup is comp.protocols.snmp. Groups such as these promote a community of information sharing, allowing seasoned professionals to interact with individuals who are not as knowledgeable about SNMP or network management. Google has a great interface for searching Usenet news groups at http://groups.google.com.
There is an SNMP FAQ, available in two parts at http://www.faqs.org/faqs/snmp-faq/part1/ and http://www.faqs.org/faqs/snmp-faq/part2/.
Cisco has some very good papers on network management, including “Network Management Basics” (http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/nmbasics.htm) and “Change Management,” from which Figure 1-2 and Figure 1-3 were drawn. Also, Douglas W. Stevenson’s article, “Network Management: What It Is and What It Isn’t,” available at http://www.itmweb.com/essay516.htm, provides important background material for all students of network management.

>SNMP uses UDP
>UDP is defined in RFC 768
>UDP was chosen over TCP (Transmission Control Protocol) because it is connectionless.
>Hence, an NMS should resend the datagram after a timeout, assuming it was lost in transit. The number of retries is configurable
>SNMP is an application layer protocol
>Because UDP is unreliable, an NMS may sometimes miss traps from agents, if the trap datagram is lost along the way
>At the same time, unreliable UDP puts less load on the network
>SNMP has been implemented over TCP, but this is more for special-case situations in which someone is developing an agent for a proprietary piece of equipment. In a heavily congested and managed network, SNMP over TCP is a bad idea. It’s also worth realizing that TCP isn’t magic and that SNMP is designed for working with networks that are in trouble—if your network never failed, you wouldn’t need to monitor it. When a network is failing, a protocol that tries to get the data through but gives up if it can’t is almost certainly a better design choice than a protocol that floods the network with retransmissions in its attempt to achieve reliability.

>>SNMP community modes: read-only, read-write and trap communities
>Among other things, authentication-failure traps can be very useful in determining when an intruder might be trying to gain access to your network.

>The definition of managed objects can be broken down into three attributes:

Name
The name, or object identifier (OID), uniquely defines a managed object. Names commonly appear in two forms: numeric and “human readable.” In either case, the names are long and inconvenient. In SNMP applications, a lot of work goes into helping you navigate through the namespace conveniently.

Type and syntax
A managed object’s datatype is defined using a subset of Abstract Syntax Notation One (ASN.1). ASN.1 is a way of specifying how data is represented and transmitted between managers and agents, within the context of SNMP. The nice thing about ASN.1 is that the notation is machine independent. This means that a PC running Windows 2000 can communicate with a Sun SPARC machine and not have to worry about things such as byte ordering.

Encoding
A single instance of a managed object is encoded into a string of octets using the Basic Encoding Rules (BER). BER defines how the objects are encoded and decoded so that they can be transmitted over a transport medium such as Ethernet.

>1.3.6.1 – internet OID

>Private enterprise space, e.g. iso.org.dod.internet.private.enterprises.cisco, or 1.3.6.1.4.1.9

OID and data types
-------------------------
>IpAddress represents a 32-bit value (neither SMIv1 nor SMIv2 addresses IPv6)
>Gauge moves between a minimum and a maximum value but never exceeds the maximum (e.g. interface speed)
>Counter – ever-increasing count tracker; can wrap around and start over from 0
>OBJECT IDENTIFIER represents a MIB object
>TimeTicks – represents time to 0.01 s precision
>Opaque allows any other ASN.1 encoding to be stuffed into an OCTET STRING.
>SEQUENCE defines lists that contain zero or more other ASN.1 datatypes.
>SEQUENCE OF defines a managed object that is made up of a SEQUENCE of ASN.1 types.

>MIB is a logical grouping of managed objects as they pertain to a specific management task, vendor, etc. The MIB can be thought of as a specification that defines the managed objects a vendor or device supports.
>After the OIDs are defined, we get to the actual object definitions. Every object definition has the following format (items in angle brackets are placeholders):
<name> OBJECT-TYPE
    SYNTAX <datatype>
    ACCESS <read-only, read-write, write-only or not-accessible>
    STATUS <mandatory, optional or obsolete>
    DESCRIPTION
        "Textual description describing this particular managed object."
    ::= { <unique OID that defines this object> }


The first managed object in our subset of the MIB-II definition is ifTable, which represents a table of network interfaces on a managed device (note that object names are defined using mixed case, with the first letter in lowercase). Here is its definition using ASN.1 notation:
ifTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IfEntry
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION
        "A list of interface entries. The number of entries is given by
        the value of ifNumber."
    ::= { interfaces 2 }


The SYNTAX of ifTable is SEQUENCE OF IfEntry. This means that ifTable is a table containing the columns defined in IfEntry. The object is not-accessible, which means that there is no way to query an agent for this object’s value. Its status is mandatory, which means an agent must implement this object in order to comply with the MIB-II specification. The DESCRIPTION describes exactly what this object is. The unique OID is 1.3.6.1.2.1.2.2, or iso.org.dod.internet.mgmt.mib-2.interfaces.2.
Let’s now look at the SEQUENCE definition from the MIB file earlier in this section, which is used with the SEQUENCE OF type in the ifTable definition:


IfEntry ::=
    SEQUENCE {
        ifIndex      INTEGER,
        ifDescr      DisplayString,
        ifType       INTEGER,
        ifMtu        INTEGER,
        ...
        ifSpecific   OBJECT IDENTIFIER
    }




Table 2-2. New datatypes for SMIv2
------------------------------------------------
Datatype    Description
Integer32   Same as an INTEGER.
Counter32   Same as a Counter.
Gauge32     Same as a Gauge.
Unsigned32  Represents decimal values in the range of 0 to 2^32 - 1, inclusive.
Counter64   Similar to Counter32, but its maximum value is 18,446,744,073,709,551,615. Counter64 is ideal for situations in which a Counter32 may wrap back to 0 in a short amount of time.
BITS        An enumeration of nonnegative named bits.

Table 2-5. Brief description of the MIB-II groups
------------------------------------------------
Subtree name  OID            Description
system        1.3.6.1.2.1.1  Defines a list of objects that pertain to system operation, such as the system uptime, system contact, and system name.
interfaces    1.3.6.1.2.1.2  Keeps track of the status of each interface on a managed entity. The interfaces group monitors which interfaces are up or down and tracks such things as octets sent and received, errors and discards, etc.
at            1.3.6.1.2.1.3  The address translation (at) group is deprecated and is provided only for backward compatibility.
ip            1.3.6.1.2.1.4  Keeps track of many aspects of IP, including IP routing.
icmp          1.3.6.1.2.1.5  Tracks things such as ICMP errors, discards, etc.
tcp           1.3.6.1.2.1.6  Tracks, among other things, the state of the TCP connection (e.g., closed, listen, synSent, etc.).
udp           1.3.6.1.2.1.7  Tracks UDP statistics, datagrams in and out, etc.
SMI object tree down to the MIB-II groups (from the book's figure):
Root-Node
  ccitt(0)
  iso(1)
    org(3)
      dod(6)
        internet(1)
          directory(1)
          mgmt(2)
            mib-2(1)
              system(1) interfaces(2) at(3) ip(4) icmp(5) tcp(6) udp(7) egp(8) transmission(10) snmp(11)
          experimental(3)
          private(4)
  joint(2)
>snmpwalk is nothing but a form of snmpgetnext command
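An added example (not from these notes or the book they summarize) of the GetNextRequest, snmpwalk and GetBulkRequest semantics described above, in Python over a constructed in-memory MIB: get_next returns the lexicographically next object, walk repeats it until the reply leaves the requested subtree, and get_bulk applies the non-repeaters and max-repetitions fields. The MIB contents, the Agent class and the helper names are assumptions made for the example; the ordering check shows why OIDs must be compared arc by arc as integers rather than as strings.

```python
"""GetNext, walk and GetBulk semantics over an in-memory MIB with numeric OID ordering."""


def oid_key(oid: str) -> tuple:
    """Order OIDs arc by arc as integers; plain string order would put ...2.10 before ...2.2."""
    return tuple(int(arc) for arc in oid.split("."))


END_OF_MIB = "endOfMibView"   # SNMPv2 exception value returned past the last object

# Constructed sample MIB (not from a device): a few mib-2 scalars and a two-row ifTable slice.
SAMPLE_MIB = {
    "1.3.6.1.2.1.1.1.0": "router-1",   # sysDescr.0
    "1.3.6.1.2.1.1.3.0": 123456,       # sysUpTime.0
    "1.3.6.1.2.1.2.1.0": 2,            # ifNumber.0
    "1.3.6.1.2.1.2.2.1.1.1": 1,        # ifIndex.1
    "1.3.6.1.2.1.2.2.1.1.2": 2,        # ifIndex.2
    "1.3.6.1.2.1.2.2.1.2.1": "eth0",   # ifDescr.1
    "1.3.6.1.2.1.2.2.1.2.2": "eth1",   # ifDescr.2
    "1.3.6.1.2.1.2.2.1.10.1": 5000,    # ifInOctets.1
    "1.3.6.1.2.1.2.2.1.10.2": 7000,    # ifInOctets.2
}


class Agent:
    """Minimal command responder: answers GetNext and GetBulk against one MIB dict."""

    def __init__(self, mib: dict):
        self.mib = mib
        self.oids = sorted(mib, key=oid_key)   # lexicographic by numeric arcs, not by string

    def get_next(self, oid: str) -> tuple:
        """Return (oid, value) of the first object strictly after oid, else (None, endOfMibView)."""
        key = oid_key(oid)
        for candidate in self.oids:
            if oid_key(candidate) > key:
                return candidate, self.mib[candidate]
        return None, END_OF_MIB

    def walk(self, root: str) -> list:
        """snmpwalk: repeat get_next from root and stop once the reply leaves root's subtree."""
        prefix, rows, current = oid_key(root), [], root
        while True:
            nxt, value = self.get_next(current)
            if nxt is None or oid_key(nxt)[:len(prefix)] != prefix:
                return rows
            rows.append((nxt, value))
            current = nxt

    def get_bulk(self, oids: list, non_repeaters: int, max_repetitions: int) -> list:
        """GetBulk: one get_next for each of the first non_repeaters OIDs, then up to
        max_repetitions successive get_next steps for every remaining (repeater) OID."""
        varbinds = [self.get_next(oid) for oid in oids[:non_repeaters]]
        repeaters = list(oids[non_repeaters:])
        for _ in range(max_repetitions):
            if all(oid is None for oid in repeaters):
                break   # every repeater already reached endOfMibView; nothing more to add
            for i, oid in enumerate(repeaters):
                nxt, value = (None, END_OF_MIB) if oid is None else self.get_next(oid)
                varbinds.append((nxt, value))
                repeaters[i] = nxt
        return varbinds


def string_order_is_wrong(mib: dict) -> bool:
    """True when naive string sorting disagrees with numeric OID order (it does here)."""
    return sorted(mib) != sorted(mib, key=oid_key)
```

Walking one column OID (ifDescr) returns the table's rows one by one, and a GetBulk with the column OIDs as repeaters fetches several rows in one request, which is what the notes mean by reading rows by specifying column OIDs.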


Table 2-8. Generic traps
------------------------------------------------
Generic trap name and number    Definition

coldStart (0)    Indicates that the agent has rebooted. All management variables will be reset; specifically, Counters and Gauges will be reset to zero (0). One nice thing about the coldStart trap is that it can be used to determine when new hardware is added to the network. When a device is powered on, it sends this trap to its trap destination. If the trap destination is set correctly (i.e., to the IP address of your NMS), the NMS can receive the trap and determine whether it needs to manage the device.

warmStart (1)    Indicates that the agent has reinitialized itself. None of the management variables will be reset.

linkDown (2)    Sent when an interface on a device goes down. The first variable binding identifies the index in the interfaces table for the interface that went down.

linkUp (3)    Sent when an interface on a device comes back up. The first variable binding identifies which interface came back up.

authenticationFailure (4)    Indicates that someone has tried to query your agent with an incorrect community string; useful in determining if someone is trying to gain unauthorized access to one of your devices.

egpNeighborLoss (5)    Indicates that an EGP neighbor has gone down.

enterpriseSpecific (6)    Indicates that the trap is enterprise-specific. SNMP vendors and users define their own traps under the private-enterprise branch of the SMI object tree. To process this trap properly, the NMS has to decode the specific trap number that is part of the SNMP message.
--
An example from the RDBMS MIB. One of the traps defined by this MIB is rdbmsOutOfSpace:
rdbmsOutOfSpace TRAP-TYPE
    ENTERPRISE rdbmsTraps
    VARIABLES { rdbmsSrvInfoDiskOutOfSpaces }
    DESCRIPTION
        "An rdbmsOutOfSpace trap signifies that one of the database
        servers managed by this agent has been unable to allocate
        space for one of the databases managed by this agent. Care
        should be taken to avoid flooding the network with these traps."
    ::= 2
--

The most important change is that Version 3 abandons the notion of managers and agents. Both managers and agents are now called SNMP entities. Each entity consists of an SNMP engine and one or more SNMP applications, which are discussed in the following sections. These new concepts are important because they define an architecture rather than simply a set of messages; the architecture helps to separate different pieces of the SNMP system in a way that makes a secure implementation possible.
--


The SNMPv3 Engine
The engine is composed of four pieces: the Dispatcher, the Message Processing Subsystem, the Security Subsystem, and the Access Control Subsystem. The Dispatcher’s job is to send and receive messages. It tries to determine the version of each received message (i.e., v1, v2, or v3) and, if the version is supported, hands the message off to the Message Processing Subsystem. The Dispatcher also sends SNMP messages to other entities.

The Message Processing Subsystem prepares messages to be sent and extracts data from received messages. A Message Processing Subsystem can contain multiple message processing modules. For example, a subsystem can have modules for processing SNMPv1, SNMPv2, and SNMPv3 requests. It may also contain a module for other processing models that are yet to be defined.

The Security Subsystem provides authentication and privacy services. Authentication uses either community strings (SNMP v1 and v2) or SNMPv3 user-based authentication. User-based authentication uses the MD5 or SHA algorithms to authenticate users without sending a password in the clear. The privacy service uses the DES algorithm to encrypt and decrypt SNMP messages. Currently, DES is the only algorithm used, though others may be added in the future.

The Access Control Subsystem is responsible for controlling access to MIB objects. You can control what objects a user can access as well as what operations she is allowed to perform on those objects. For example, you might want to limit a user’s read-write access to certain parts of the mib-2 tree while allowing read-only access to the entire tree.


SNMPv3 Applications
Version 3 divides most of what we have come to think of as SNMP into a number of applications:

Command generator
Generates get, getnext, getbulk, and set requests and processes the responses. This application is implemented by an NMS, so it can issue queries and set requests against entities on routers, switches, Unix hosts, etc.

Command responder
Responds to get, getnext, getbulk, and set requests. This application is implemented by an entity on a Cisco router or Unix host. (For versions 1 and 2, the command responder is implemented by the SNMP agent.)

Notification originator
Generates SNMP traps and notifications. This application is implemented by an entity on a router or Unix host. (For versions 1 and 2, the notification originator is part of an SNMP agent. Freestanding utilities for generating traps are also available.)

Notification receiver
Receives traps and inform messages. This application is implemented by an NMS.

Proxy forwarder
Facilitates message passing between entities.




SNMPv3 Textual Conventions
SNMPv3 defines a number of additional textual conventions, outlined in Table 3-2.

The next two sections will look at the USM and VACM in a little more detail.

Figure 3-1. SNMPv3 entity

Table 3-2. SNMPv3 textual conventions
------------------------------------------------
Textual convention    Description

snmpEngineID    An administratively unique identifier for an SNMP engine. Objects of this type are for identification, not for addressing, even though an address can be used in the generation of a specific value. RFC 3411 provides a detailed discussion of how snmpEngineIDs are created.

snmpSecurityModel    An SNMP securityModel (SNMPv1, SNMPv2, or USM). USM stands for User-based Security Model, which is the security method used in SNMPv3.

snmpMessageProcessingModel    A message processing model used by the Message Processing Subsystem.

snmpSecurityLevel    The level of security at which SNMP messages can be sent, or the level of security at which operations are being processed. Possible values are noAuthNoPriv (without authentication and without privacy), authNoPriv (with authentication but without privacy), and authPriv (with authentication and with privacy). These three values are ordered such that noAuthNoPriv is less than authNoPriv and authNoPriv is less than authPriv.

snmpAdminString    An octet string containing administrative information, preferably in human-readable form. The string can be up to 255 bytes long.

snmpTagValue    An octet string containing a tag value. Tag values are preferably in human-readable form. According to RFC 3413, valid example tags include acme, router, and host.

snmpTagList    An octet string containing a list of tag values. Tag values are preferably in human-readable form. According to RFC 3413, valid examples of a tag list are the empty string, acme router, and host managerStation.

KeyChange    An object used to change authentication and privacy keys.

------------------x---------------x--------------

Network Technology

Network nodes:  switches, bridges, routers or gateways

Network Links: Local Area Network(LAN), Wide Area Network(WAN), Access Networks, Customer
Premises Equipment(CPE)/Home Networks

Fiber Distributed Data Interface (FDDI) – Token Ring based architecture in a fiber optic environment

VLAN – virtual LAN

WLAN – wireless LAN

DTE – Data Terminal Equipment

LAN configured in: bus, ring, star topologies

Hub – a pseudo topology that combines a star topology with either of the other two
Star topology is used for hub implementations or for a WLAN using an access point (AP)

DTE – each device that is connected in a LAN

WAN – uses either mesh or tree topology

Mesh topology – is most common form for Internet routing
Tree topology is employed using brouters.

Brouters – bridged routers that do the routing function at OSI layer 2(also known as spanning tree configuration)

Ethernet is specified by IEEE 802.3 standard.

IBM uses Token-Ring.

Token-Ring: Whoever holds the token can transmit data. When done with the token, it passes it to the downstream neighbor, creating a round-robin arrangement. Hence Token Ring is bandwidth efficient

Flooding – a node receiving the same packet multiple times

Looping – a packet going around nodes in a loop

Mesh topology is implemented using switches and routers.

>>SNMPv1 get/set PDU

PDUType|RequestID|ErrorStatus|ErrorIndex|Varbind1 Name|Varbind1 Value|…..|Varbindn Name|Varbindn Value|

>>SNMPv1 Trap PDU

PDUType|enterprise|agent IP|Specific Trap Type|Generic Trap Type|TimeStamp|Varbinds…..
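An added example (not from these notes or the book they summarize) that ties together the BER TLV notes, the message layout (version | community | PDU) and the SNMPv1 Trap PDU fields: a small Python BER decoder walked over a constructed SNMPv1 Trap message, reporting the generic trap by name so that an authenticationFailure (generic trap 4 in the generic traps table) can be picked out on the receiving side. It decodes the Trap-PDU in the RFC 1157 field order (generic-trap precedes specific-trap); the sample bytes, community string and addresses are constructed, not captured, and the function and constant names are assumptions made for the example.

```python
"""BER (TLV) decoder walked over a constructed SNMPv1 Trap message."""
from collections import namedtuple

# PDU type octets: class bits 10 (context-specific), P/C bit set, tag number 0..7.
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest",
             0xA6: "InformRequest", 0xA7: "SNMPv2-Trap"}
# Generic trap numbers 0..6 from the generic-traps table (RFC 1157).
GENERIC_TRAPS = ["coldStart", "warmStart", "linkDown", "linkUp",
                 "authenticationFailure", "egpNeighborLoss", "enterpriseSpecific"]

# cls = bits 8-7 (0 universal, 1 application, 2 context-specific, 3 private); constructed = bit 6; tag = bits 5-1
TLV = namedtuple("TLV", "type_octet cls constructed tag value")

def decode_tlv(buf: bytes, pos: int = 0) -> tuple:
    """Decode one TLV starting at buf[pos]; return (TLV, offset just past it)."""
    t = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:          # long form: bit 8 set, low 7 bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")   # big-endian length
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV length runs past the end of the buffer")
    return TLV(t, t >> 6, bool(t & 0x20), t & 0x1F, buf[pos:pos + length]), pos + length

def decode_sequence(value: bytes) -> list:
    """Split the value of a constructed TLV into its child TLVs."""
    items, pos = [], 0
    while pos < len(value):
        tlv, pos = decode_tlv(value, pos)
        items.append(tlv)
    return items

def decode_oid(value: bytes) -> str:
    """First octet packs arcs 1 and 2 as 40*x+y; later arcs are base-128, high bit = more."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def parse_snmpv1_trap(msg: bytes) -> dict:
    """Walk Message ::= SEQUENCE { version INTEGER, community OCTET STRING, Trap-PDU }."""
    outer, end = decode_tlv(msg)
    if end != len(msg) or outer.type_octet != 0x30:
        raise ValueError("message must be exactly one SEQUENCE")
    version, community, pdu = decode_sequence(outer.value)
    if pdu.type_octet != 0xA4:
        raise ValueError("not a Trap-PDU: " + PDU_NAMES.get(pdu.type_octet, hex(pdu.type_octet)))
    # RFC 1157 Trap-PDU field order: enterprise, agent-addr, generic-trap, specific-trap, time-stamp, varbinds
    enterprise, agent, generic, specific, ticks, varbinds = decode_sequence(pdu.value)
    return {
        "version": int.from_bytes(version.value, "big", signed=True),
        "community": community.value.decode("ascii"),
        "pdu": PDU_NAMES[pdu.type_octet],
        "enterprise": decode_oid(enterprise.value),
        "agent_addr": ".".join(map(str, agent.value)),    # IpAddress = [APPLICATION 0], 4 octets
        "generic_trap": GENERIC_TRAPS[int.from_bytes(generic.value, "big", signed=True)],
        "specific_trap": int.from_bytes(specific.value, "big", signed=True),
        "timestamp": int.from_bytes(ticks.value, "big"),  # TimeTicks = [APPLICATION 3], unsigned
        "varbinds": [(decode_oid(name.value), val.value)
                     for name, val in (decode_sequence(vb.value)
                                       for vb in decode_sequence(varbinds.value))],
    }

# Constructed sample, not a capture: authenticationFailure trap from agent 192.0.2.10,
# community "public", enterprise 1.3.6.1.4.1.9, sysUpTime 123456 ticks, no varbinds.
SAMPLE_TRAP = bytes.fromhex(
    "30 28"                  # SEQUENCE, length 40
    "02 01 00"               # INTEGER version = 0 (SNMPv1)
    "04 06 7075626c6963"     # OCTET STRING "public"
    "a4 1b"                  # [4] Trap-PDU: context-specific, constructed, length 27
    "06 06 2b0601040109"     # OBJECT IDENTIFIER 1.3.6.1.4.1.9
    "40 04 c000020a"         # IpAddress 192.0.2.10
    "02 01 04  02 01 00"     # generic-trap = 4 (authenticationFailure), specific-trap = 0
    "43 03 01e240"           # TimeTicks 123456
    "30 00"                  # empty variable-bindings SEQUENCE
)
```

The community string and every field are readable straight off the wire, which is the SNMPv1/v2 clear-text weakness listed under Security Implications; a trap receiver can key alerting on the generic_trap name.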

>>SNMPv2 doesn’t have a separate PDU for traps. It unified all PDUs into one format except for the GetBulk request, which is also a new PDU introduced in SNMPv2

>>SNMPv2 get/set/trap/inform/getnext/getresponse PDU format(for trap PDU, varbind1 has
sysUpTime and varbind2 has snmpTrapOID)

PDUType|RequestID|ErrorStatus|ErrorIndex|varbinds…..

>>SNMPv2 GetBulk PDU format

PDUType|RequestID|NonRepeaters|MaxRepetitions|varbinds…

>>ErrorIndex – tells you which varbind caused the error
