Simple Network Management Protocol (SNMP)


J. Won-Ki Hong
Dept. of Computer Science and Engineering, POSTECH
Tel: 054-279-2244
Email: jwkhong@postech.ac.kr

Table of Contents
- SNMP Operations
- Protocol Specification
- Transport-Level Support
- Limitations of SNMPv1

SNMP Operations
- Operations supported in SNMP are the inspection and modification of variables
  - GET operation retrieves management information (values of scalar objects)
  - SET operation updates management information (values of scalar objects)
  - TRAP operation sends unsolicited scalar object values to notify the NMS of problems

SNMP Operations (cont’d)
- Not possible to change the structure of a MIB
  - cannot add or delete object instances
- No explicit action is supported
- Access is provided only to leaf objects in the MIB tree
  - not possible to access an entire table or a row of a table with a single atomic action
- These simplify the implementation of SNMP but limit the capability of the NMS

SNMP Security Concepts
- Authentication service
  - agent may wish to limit access to the MIB to authorized managers
- Access policy
  - agent may wish to give different access privileges to different managers
- Proxy service
  - agent may act as a proxy to other managed devices
  - this may require authentication service and access policy for other managed devices on the proxy
- SNMP provides only a primitive and limited security capability via the concept of community

SNMP Community
- is a relationship between an agent and a set of managers that defines authentication, access control & proxy characteristics
- a community is locally defined by the agent
  - each community is given a unique community name
  - an agent may establish a number of communities
  - the community name is needed for all get and set operations
  - the same community name may be used by different agents
- SNMP authentication service
  - every SNMP message from a manager includes a community name (used as a password) --- very primitive
  - most agents only allow GET operations

SNMP Community (cont’d)
- SNMP Access Policy
  - an agent can provide different categories of MIB access using the following concepts: SNMP MIB View & Access Mode
- SNMP MIB View
  - a subset of objects within a MIB
  - different MIB views may be defined for each community
  - the set of objects in a view need not belong to a single subtree
- SNMP Access Mode
  - an access mode {READ-ONLY, READ-WRITE} is defined for each community
  - the access mode is applied uniformly to all objects in the MIB view
- SNMP Community Profile
  - a combination of a MIB view and an access mode

MIB ACCESS Category vs. SNMP Access Mode

SNMP Administrative Concepts
[Figure; labels: set of SNMP managers, SNMP Access Policy, SNMP community (community name), profile, SNMP agent, MIB view, access mode]

Object Instance Identification
- SNMP defines two techniques for identifying a specific object instance
  - Serial access technique (via lexicographic ordering of objects)
  - Random access technique
- objects in MIB tables are referred to as columnar objects
  - the object identifier is not sufficient to identify the instance
- SNMP convention
  - concatenate the scalar object identifier with the values of INDEX objects, listed in the order in which the INDEX objects are defined
  - see the example in Table 7.2 on page 169

Lexicographical Ordering
- is used for accessing MIB objects serially
- given the tree structure of a MIB, the OID for a particular object may be derived by tracing a path from the root to the object
- lexicographical ordering is also referred to as:
  - preorder traversal (root, left, right) of a tree
  - depth-first search
- useful for examining MIBs whose structure is not known to NMS

Lexicographical Ordering Example
[Figure: the tree below, with the lexicographic traversal marked from Start to End]
root
  1
    1.1
    1.2
      1.2.1
  2
    2.1
      2.1.1
        2.1.1.1
        2.1.1.2
        2.1.1.3
  3

Protocol Specification
- SNMP Message Formats
  - SNMP manager and agent exchange requests and management information using SNMP messages
  - SNMP message includes a version number (e.g., 0 for SNMPv1, 1 for SNMPv2), a community name and one of five types of protocol data units (PDUs)
  - PDU Types: GetRequest, GetNextRequest, SetRequest, GetResponse, Trap

SNMP Message Formats
(a) SNMP message: Version | Community | SNMP PDU
(b) GetRequest PDU, GetNextRequest PDU, and SetRequest PDU: PDU type | request id | variablebindings
(c) GetResponse PDU: PDU type | request id | error status | error index | variablebindings
(d) Trap PDU: PDU type | enterprise | agent addr | generic trap | specific trap | time stamp | variablebindings
(e) variablebindings: name1 | value1 | name2 | value2 | ... | nameN | valueN

SNMP Message Fields

SNMP Message Fields (cont’d)

Transmission of SNMP Message
1. The PDU is constructed using ASN.1
2. This PDU is passed to an authentication service together with a community name and the source & destination transport addresses
   - the authentication service performs any required transformations, such as encryption or the inclusion of an authentication code
3. The protocol entity then constructs a message, consisting of a version field, the community name, and the result from step 2
4. This new ASN.1 object is then encoded using BER and passed to the transport service
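The four transmission steps carried out for a GetRequest, as an added example that is not part of the original slides: a small BER encoder builds the SNMPv1 message from the format slide, assuming the trivial community-based authentication service that leaves the PDU unchanged. The community "public", request-id 1 and the OID are constructed sample values, and read_header is a hypothetical helper showing that the community name travels unencrypted in the encoded bytes.

```python
# Added example: BER encoding of an SNMPv1 GetRequest (RFC 1157 layout).
# Community, request-id and OID are constructed sample values.

def ber_len(n):
    """Definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content

def ber_int(value):
    """Non-negative INTEGER; the extra bit keeps the sign bit clear."""
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def ber_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])    # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:                         # base 128, high bit = more
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out += bytes(chunk)
    return tlv(0x06, bytes(out))

def get_request(community, request_id, oids):
    # variablebindings: SEQUENCE OF SEQUENCE { name OID, value NULL }
    binds = b"".join(tlv(0x30, ber_oid(o) + tlv(0x05, b"")) for o in oids)
    # error-status and error-index are present but zero in a request
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)
              + tlv(0x30, binds))                 # 0xA0 = GetRequest PDU type
    return tlv(0x30, ber_int(0)                   # version 0 = SNMPv1
               + tlv(0x04, community.encode()) + pdu)

def read_header(message):
    """Receiver's first checks on a short-form message: outer SEQUENCE,
    version INTEGER, community OCTET STRING. Returns (version, community)."""
    if message[0] != 0x30 or message[2:4] != b"\x02\x01" or message[5] != 0x04:
        raise ValueError("not a well-formed SNMP message")
    return message[4], message[7:7 + message[6]].decode()

SAMPLE = get_request("public", 1, ["1.3.6.1.2.1.1.1.0"])
```

Anyone who can observe the 40-byte SAMPLE datagram can read the community name from it, which is why the slides call this authentication trivial.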

Receipt of SNMP Message
1. The SNMP entity performs a basic syntax check of the message and discards it if it fails to parse
2. It verifies the version number and discards the message if there is a mismatch
3. It then passes the community name, the PDU portion of the message and the source/destination transport addresses to an authentication service
   - if authentication fails, the message is discarded
   - if authentication succeeds, the authentication service returns a PDU in the form of an ASN.1 object
4. If the PDU passes a basic syntax check, the appropriate SNMP access policy is selected and the PDU is processed accordingly
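A toy model of steps 2 to 4 of the receive path combined with the community profile (MIB view plus access mode) defined earlier, as an added example that is not part of the original slides. Messages are plain dicts standing in for decoded BER, so the step 1 syntax check is assumed to have passed; the community names, OIDs, values and the enterprise number 99999 are constructed.

```python
# Added example: SNMPv1 receive path with community profiles (toy model).
# Community names, OIDs and values are constructed; 99999 is a placeholder
# enterprise number. Messages are dicts, standing in for decoded BER.
MIB = {"1.3.6.1.2.1.1.1.0": "router-A", "1.3.6.1.2.1.1.5.0": "edge1",
       "1.3.6.1.4.1.99999.1.0": "cfg-v1"}

# community name -> community profile = (MIB view subtrees, access mode)
PROFILES = {"monitor-ro": (("1.3.6.1.2.1.1",), "READ-ONLY"),
            "admin-rw": (("1.3.6.1.2.1.1", "1.3.6.1.4.1.99999"), "READ-WRITE")}
TRAPS = []   # authenticationFailure(4) traps queued for the NMS

def in_view(oid, view):
    return any(oid == p or oid.startswith(p + ".") for p in view)

def receive(msg):
    """Return the GetResponse as a dict, or None if the message is discarded."""
    if msg.get("version") != 0:                      # step 2: version check
        return None
    profile = PROFILES.get(msg.get("community"))     # step 3: authentication
    if profile is None:
        TRAPS.append(("authenticationFailure", 4, msg.get("source")))
        return None
    view, mode = profile                             # step 4: access policy
    is_set = msg["pdu"] == "SetRequest"
    resp = {"request_id": msg["request_id"], "error_status": "noError",
            "error_index": 0, "varbinds": []}
    for i, (oid, value) in enumerate(msg["varbinds"], start=1):
        allowed = oid in MIB and in_view(oid, view)
        if is_set:
            allowed = allowed and mode == "READ-WRITE"
        if not allowed:
            # RFC 1157: an object outside the view is reported as noSuchName
            resp.update(error_status="noSuchName", error_index=i,
                        varbinds=list(msg["varbinds"]))
            return resp                              # atomic: nothing applied
        resp["varbinds"].append((oid, value if is_set else MIB[oid]))
    if is_set:
        MIB.update(resp["varbinds"])                 # commit only when all pass
    return resp
```

A message with an unknown community gets no reply at all, so the queued authenticationFailure trap is the only signal the NMS receives, and it is unacknowledged.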

SNMP PDU Sequences
[Figure: PDU exchanges between Manager and Agent]
(a) Get values: GetRequest PDU, GetResponse PDU
(b) Get next values: GetNextRequest PDU, GetResponse PDU
(c) Set values: SetRequest PDU, GetResponse PDU
(d) Send trap: Trap PDU

GetRequest PDU
- is issued by an SNMP manager on behalf of NMS to retrieve information from an agent
  - includes PDU type, request-id & variablebindings
- GetResponse PDU containing the same request-id is used for the reply
- operation is atomic (all values are returned or none is)
- possible error-status:
  - noSuchName: object instance cannot be found or it is an aggregate type
  - tooBig: the size of resulting values exceeds a local limitation
  - genErr: may not be able to supply a value for at least one of the objects for some other reason

GetNextRequest PDU
- is also issued by an SNMP manager on behalf of NMS to retrieve information from an agent
- the PDU is the same as GetRequest PDU except:
  - In the GetRequest PDU, each variable in the variablebindings list refers to an object instance whose value is to be returned
  - In the GetNextRequest PDU, for each variable in the variablebindings, the value of the object instance that is next in lexicographic order is returned
- allows NMS to discover the structure of a MIB view dynamically
- provides an efficient mechanism for searching a table whose entries are unknown
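GetNext run over the tree from the Lexicographical Ordering Example slide, as an added example that is not part of the original slides; it covers both the ordering rule and the GetNextRequest behaviour described above. The node labels come from the slide, while the leaf values and the assumption that the childless nodes are the object instances are constructed.

```python
# Added example: GetNext over the tree from the ordering slide.
# Node labels come from the slide; the leaf values are constructed.

def oid_key(oid):
    """Order OIDs arc by arc as integers; string order puts 1.10 before 1.9."""
    return tuple(int(arc) for arc in oid.split("."))

# Assumption: the slide's childless nodes are the object instances.
LEAVES = {"1.1": "a", "1.2.1": "b", "2.1.1.1": "c", "2.1.1.2": "d",
          "2.1.1.3": "e", "3": "f"}

def get_next(oid, view=LEAVES):
    """Return (oid, value) of the first instance after `oid`, else None.
    `oid` need not name an instance; an SNMPv1 agent reports the None
    case as error-status noSuchName."""
    later = [o for o in view if oid_key(o) > oid_key(oid)]
    if not later:
        return None
    nxt = min(later, key=oid_key)
    return nxt, view[nxt]

def walk(subtree, view=LEAVES):
    """List every instance under `subtree` using only GetNext, the way an
    NMS explores a MIB view whose structure it does not know."""
    root, found, cur = oid_key(subtree), [], subtree
    while (hit := get_next(cur, view)) is not None:
        if oid_key(hit[0])[:len(root)] != root:   # left the subtree: stop
            break
        found.append(hit[0])
        cur = hit[0]
    return found
```

Because get_next only returns instances inside the view it is given, a walk reveals exactly what the community's MIB view exposes, which makes it a quick way to audit a view definition.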

SetRequest PDU
- is issued by an SNMP manager on behalf of NMS to modify information in an agent
- the operation is also atomic
  - if any one of the values can’t be set, then the whole operation fails
- GetResponse PDU containing the same request-id is used for the reply
  - if the operation succeeds, a GetResponse PDU is returned with the same variablebindings as in the original SetRequest PDU
- possible error-status: noSuchName, tooBig, genErr plus
  - badValue: PDU contains at least one pair of variable name and value that is inconsistent

Trap PDU
- is issued by an SNMP agent to notify NMS of some significant event
- Trap PDU does not require a response and is not acknowledged → can get lost
- Generic Trap types:
  - coldStart (0): unexpected restart due to a crash or major fault
  - warmStart (1): routine restart
  - linkDown (2): a communication link is not operational
  - linkUp (3): the link is back in operation
  - authenticationFailure (4): received a message that failed authentication
  - egpNeighborLoss (5): EGP neighbor is down
  - enterpriseSpecific (6): some enterprise-specific event occurred

Transport-Level Support
- SNMP requires the use of a transport service for the delivery of SNMP messages
- SNMP makes no assumption about whether the underlying service is reliable or unreliable, connectionless or connection-oriented
- Most SNMP implementations use UDP
- It is possible to use CLTS
- UDP
  - Unreliable, connectionless transport service in Internet
- CLTS
  - Unreliable, connectionless transport service in the OSI architecture

Issues in using UDP
- Since UDP provides unreliable transport service, SNMP messages can get lost
- What happens if a GetRequest or GetNextRequest message is lost?
- What happens if a SetRequest message is lost?
- What happens if a Trap message is lost?

Limitations of SNMP
- SNMP may not be suitable for the management of truly large networks because of the performance limitations of polling
- SNMP is not well suited for retrieving large volumes of data, such as an entire routing table
- SNMP traps are unacknowledged & may not be delivered
- SNMP provides only trivial authentication
- SNMP does not support explicit actions
- SNMP MIB model is limited (does not support management queries based on object types or values)
- SNMP does not support manager-to-manager communications
- Many of these problems are addressed in SNMPv2!

READING
- Read Chapter 7 of Stallings