Simple Network Management Protocol Lecture 3 SNMPv1 (RFC 1157) SNMPv2 (RFC1441-1452 ) (supplementary: Chapter 4 of tutorial slides) 2016/2/23 SNM NCHU 1 SNMPv1 Protocol Supported get, set, trap Simplicity vs. limitations Not able to change the structure of MIB by adding or deleting object instances Access is provided only to leaf objects 2016/2/23 operations Not able to access entire table or row in single action SNM NCHU 2 SNMPv1 Operations Support Three general-purpose operations may be performed on scalar objects: 2016/2/23 Get:A management station retrieves a scalar object value from a managed station. Set:A management station updates a scalar object value in a managed station. Trap:A managed station sends an unsolicited scalar object value to management station SNM NCHU 3 SNMP Protocol – management relationship In management environment The management station and managed agent One-to-many relationship One station may manage all or a subset of target The managed system and management station 2016/2/23 One-to-may relationship Each managed station controls its local MIB and must be able to control the use of that MIB SNM NCHU 4 Three Management Services A managed station controls its own local MIB and must be able to control the MIB access by a number of management stations Authentication service: The managed station may wish to limit access to the MIB to authorized management stations. Access policy: The managed station may wish to give different access privileges to different management stations. Proxy service: A managed station may act as a proxy to other managed stations. 2016/2/23 SNM NCHU 5 MIB Access and SNMP Access Mode 2016/2/23 SNM NCHU 6 SNMP Access Policy 2016/2/23 SNM NCHU 7 Concept of Community An A relationship between an SNMP agent and a set of SNMP managers that defines 2016/2/23 SNMP community is Authentication, access control and proxy The managed system establishes one community for each combination of authentication, access control and proxy Each community has a unique “community name” Management station uses certain community name in all get and set operations SNM NCHU 8 Authentication and Access Using Community Authentication The community name (password) Access Community profile SNMP MIB view A subset of MIB objects SNMP access mode 2016/2/23 policy READ-ONLY, READ-WRITE SNM NCHU 9 SNMPv1 SNMP Message Version Identifier Community Name Protocol Data Unit Message ::= SEQUENCE { version INTEGER {version-1(0)}, community OCTET STRING, data ANY } The length of SNMP messages should not exceed 484 octets. Version 2016/2/23 Community SNMP PDU SNM NCHU 10 SNMP Authentication Community Relationship between an Agent and Managers. Community Name Used to validate the SNMP messages. SNMP Password. Default ‘Get’ community name: “public”. Authentication 2016/2/23 Failure Agent sends “Authentication Failure Trap” to Manager. SNM NCHU 11 SNMPv1 PDU PDU ::= SEQUENCE { request-id INTEGER, error-status INTEGER { Five SNMP PDUs: noError(0), GetRquest : [0] PDU tooBig(1), GetNextRequest : [1] PDU noSuchName(2), GetResponse : [2] PDU badValue(3), SetRequest : [3] PDU readOnly(4) Trap : [4] Trap-PDU genErr(5)}, error-index INTEGER, variable-bindings SEQUENCE OF { name ObjectName, value ObjectSyntax } 2016/2/23 SNM NCHU 12 PDU: Protocol Data Unit } SNMPv1 PDU (cont.) GetRequest, GetNextRequest, SetRequest PDU type request-id 0 0 GetResponse PDU type request-id error-status error-index variable-bindings variable-bindings variable-bindings name 2016/2/23 value name value SNM NCHU ... name value 13 Trap-PDU Enterprise: Type of Object generating trap. Agent Address: Address of object generating trap. Generic Trap: Generic trap type. Specific Trap: Enterprise specific trap. Time Stamp: Time elapsed between the last initialization of the network entity and the generation of the trap. Variable Bindings “Interesting” information Trap-PDU ::= [4] IMPLICIT SEQUENCE { enterprise OBJECT IDENTIFIER, agent-addr NetworkAddress, generic-trap INTEGER { coldStart(0), warmStart(1), linkDown(2), linkUp(3), authenticationFailure(4), egpNeighborLoss(5), enterpriseSpecific(6)}, specific-trap INTEGER, time-stamp TimeTicks, variable-bindings VarBindList } PDU type enterprise agent-addr generic-trapspecific-traptime-stamp variable-bindings 2016/2/23 SNM NCHU 14 How does a Manager do? NM Application NM Application Translates Internal Data to ASN.1 Format Sends Request PDU to Agent Translates ASN.1 Package to Internal Data Format Received Response PDU from Agent Agent Agent Manager 2016/2/23 SNM NCHU 15 How does an Agent do? From Manager To Manager Received SNMP Request PDU from Manager Translates ASN.1 Structure to Internal Data Maps MIB Variables to Internal Variables Sends SNMP Response PDU to Manager Translates Response PDU to ASN.1 Format Implement SNMP Request to Set or Get MIB Value Agent 2016/2/23 SNM NCHU 16 Main Loop of Agent (1/2) Agent waits for an incoming datagram in Port 161 Reads the datagram from UDP and notes the transport address of the sending entity. Increments the QUANTUM to keep track of the logical request-id being processed by agent De-serializes the datagram into an ASN.1 structure. If error occurs, log error and discard packet. The ASN.1 structure is translated into SNMP message. If error occurs, log error and discard packet. Check on VERSION-NUMBER field. If error occurs, log error and discard packet. 2016/2/23 SNM NCHU 17 Main Loop of Agent (2/2) Community name is looked up. If community is unknown to agent, agent send authentication trap to Manager station in Port 162; log error and discard packet. Agent loops through list of variables in the request. If no protocol type is found, return a get-response with error noSuchName and discard package. Once protocol type is found, operation is checked against community profile. If mismatch, return get-response with error noSuchName or readOnly and discard package. Otherwise, agent invokes access routine to perform the desired operation. 2016/2/23 SNM NCHU 18 Transmission of an SNMP Message Actions 2016/2/23 taken by a Transmitter: The PDU is constructed, using the ASN.1 structure defined in RFC 1157. This PDU is then passed to an authentication service. The authentication service then performs any required transformation for this exchange. The protocol entity then constructs a message, consisting of a version field, the community name, and the results from the last step. This new ASN.1 object is then encoded using the BER and passed to the transport service. SNM NCHU 19 Receipt of an SNMP Message Actions taken by a Receiver: It does a basic syntax-check of the message and discards the message if it fails to parse. It verifies the version number and discards the message if there is a mismatch. The protocol entity then passes the user name, the PDU portion of the message and the source and destination transport addresses to an authentication service. If authentication fails, the authentication service signals the SNMP protocol entity, witch generates a trap and discards the message. If authentication succeeds, the authentication service returns a PDU in the form of an ASN.1 object. The protocol entity does a basic syntax-check of the PDU and using the named community, the appropriate SNMP access policy is selectedSNM and the PDU is processed. 2016/2/23 NCHU 20 What's New in SNMPv2 No more Trap PDU, 3 New PDUs: getBulkReq, InformReq, SNMPv2-Trap Added Security 18 Error Status Values (versus 6 in SNMPv1) SNMPv2 SMI / SNMPv2 MIB M-to-M Communications Enhanced Table Operations ... (details until we talk about SNMPv3) 2016/2/23 SNM NCHU 21 SNMPv2 macro for object definition (1/2) OBJECT-TYPE MACRO ::= BEGIN TYPE NOTATION ::= "SYNTAX" Syntax UnitsPart "MAX-ACCESS" Access "STATUS" Status "DESCRIPTION" Text ReferPart IndexPart DefValPart VALUE NOTATION ::= value(VALUE ObjectName) Syntax ::= -- Must be one of the following: -- a base type (or its refinement), -- a textual convention (or its refinement), or -- a BITS pseudo-type type (ObjectSyntax) | "BITS" "{" NamedBits "}“ NamedBits ::= NamedBit | NamedBits "," NamedBit NamedBit ::= identifier "(" number ")" -- number is nonnegative UnitsPart ::= "UNITS" Text | empty 2016/2/23 SNM NCHU 22 SNMPv2 macro for object definition (2/2) Access ::= "not-accessible“ | "accessible-for-notify“ | "read-only“ | "read-write“ | "read-create“ Status ::= "current“ | "deprecated“ | "obsolete“ ReferPart ::= "REFERENCE" Text | empty IndexPart ::= "INDEX" "{" IndexTypes "}“ | "AUGMENTS" "{" Entry "}“ | empty IndexTypes ::= IndexType | IndexTypes "," IndexType IndexType ::= "IMPLIED" Index | Index Index ::= -- use the SYNTAX value of the -- correspondent OBJECT-TYPE invocation value(ObjectName) Entry ::= -- use the INDEX value of the -- correspondent OBJECT-TYPE invocation value(ObjectName) DefValPart ::= "DEFVAL" "{" Defvalue "}“ | empty Defvalue ::= -- must be valid for the type specified in -- SYNTAX clause of same OBJECT-TYPE macro value(ObjectSyntax) | "{" BitsValue "}“ BitsValue ::= BitNames | empty BitNames ::= BitName | BitNames "," BitName BitName ::= identifier Text ::= value(IA5String) END 2016/2/23 SNM NCHU 23 ObjectName and ObjectSyntax (1/3) ObjectName ::= OBJECT IDENTIFIER NotificationName ::= OBJECT IDENTIFIER -- syntax of objects -- the "base types" defined here are: -- 3 built-in ASN.1 types: INTEGER, OCTET STRING, OBJECT IDENTIFIER -- 8 application-defined types: Integer32, IpAddress, Counter32, -- Gauge32, Unsigned32, TimeTicks, Opaque, and Counter64 ObjectSyntax ::= CHOICE { simple SimpleSyntax, -- note that SEQUENCEs for conceptual tables and -- rows are not mentioned here... application-wide ApplicationSyntax } -- built-in ASN.1 types SimpleSyntax ::= CHOICE { -- INTEGERs with a more restrictive range -- may also be used integer-value -- includes Integer32 INTEGER (-2147483648..2147483647), -- OCTET STRINGs with a more restrictive size -- may also be used string-value OCTET STRING (SIZE (0..65535)), objectID-value OBJECT IDENTIFIER } 2016/2/23 SNM NCHU 24 ObjectName and ObjectSyntax (2/3) -- indistinguishable from INTEGER, but never needs more than -- 32-bits for a two's complement representation Integer32 ::= INTEGER (-2147483648..2147483647) -- application-wide types ApplicationSyntax ::= CHOICE { ipAddress-value IpAddress, counter-value Counter32, timeticks-value TimeTicks, arbitrary-value Opaque, big-counter-value Counter64, unsigned-integer-value -- includes Gauge32 Unsigned32 } -- in network-byte order -- (this is a tagged type for historical reasons) IpAddress ::= [APPLICATION 0] IMPLICIT OCTET STRING (SIZE (4)) -- this wraps Counter32 ::= [APPLICATION 1] IMPLICIT INTEGER (0..4294967295) -- this doesn't wrap Gauge32 ::= [APPLICATION 2] IMPLICIT INTEGER (0..4294967295) 2016/2/23 SNM NCHU 25 SNMP v2 Messages and Operations (Please refer to the lecture 6 and supplementary materials) 2016/2/23 SNM NCHU 26 ObjectName and ObjectSyntax (3/3) -- an unsigned 32-bit quantity -- indistinguishable from Gauge32 Unsigned32 ::= [APPLICATION 2] IMPLICIT INTEGER (0..4294967295) -- hundredths of seconds since an epoch TimeTicks ::= [APPLICATION 3] IMPLICIT INTEGER (0..4294967295) -- for backward-compatibility only Opaque ::= [APPLICATION 4] IMPLICIT OCTET STRING -- for counters that wrap in less than one hour with only 32 bits Counter64 ::= [APPLICATION 6] IMPLICIT INTEGER (0..18446744073709551615) 2016/2/23 SNM NCHU 27 APPENDIX: Abstract Syntax Notation One (ASN.1) ASN.1: Abstract Syntax: Use a syntax to define data/data structure independent of machine-oriented structures and restrictions. Use in SNMP 2016/2/23 ISO/ITU-T Standards: ISO 8824/ITU-T X.208 Define SNMP PDU format Define management information (MIB) SNM NCHU 28 What are defined using ASN.1 Types: Values: 2016/2/23 data structures e.g. Counter, Gauge, IpAddess, ... instances (variables) of a type e.g. sysContact, ifTable, ifSpeed, ... Macros: used to change the actual grammar of ASN.1 e.g. OBJECT-TYPE, ACCESS, ... SNM NCHU 29 Modules Module: A collection of ASN.1 descriptions Module Structure <module name> DEFINITION ::= BEGIN <module body> END Example 2016/2/23 EmptyModule DEFINITION ::= BEGIN … END SNM NCHU 30 Tags and Types (1) Tags Every type defined in ASN.1 is assigned a tag Tag = Class + P/C + Number Class: 2016/2/23 (Bit 8,7 in BER tag) Universal Application Context-specific Private 0 0 1 1 0 1 0 1 P/C: primitive or constructed ASN.1 type Number: non-negative Integer SNM NCHU BER: Basic Encoding Rules 31 Tags and Types (2) Universal Tag 1 2 3 4 5 6 7 8 9 10 12-15 16 17 2016/2/23 Universal Tag ASN.1 Type 18 BOOLEAN 19 INTEGER 20 BIT STRING 21 OCTET STRING 22 NULL 23 OBJECT IDENTIFIER 24 ObjectDescriptor 25 EXTERNAL 26 REAL 27 ENUMERATED 28 Reserved SEQUENCE, SEQUENCE OF 29-... SET, SET OF SNM NCHU ASN.1 Type NumericString PrintableString TeletexString VediotextString IA5String UTCTime GeneralizeTime GraphicString VisssibleString GeneralString CharacterString Reserved 32 Tags and Types (3) An ASN.1 type is either primitive or constructed If it is a primitive type, it may be sent either in a primitive form (encoded in a single collection of octets) or in a constructed form (a resulting octet-encoding is sent). If it is a constructed type, it is always sent in a constructed form. In most cases, SEQUENCE and SEQUENCE OF are two typical constructed types. 2016/2/23 SNM NCHU 33 Tags and Types (4) If the length of the encoding is known, it is termed the definite form. Primitive encoding always uses definite form for primitive types. If the length isn’t known ahead of time and that the receiving process should look for a special sequence of octets, end-of-contents, to detect the end of value, it is in indefinite form. 2nd way to calculate the length is to make two passes through the data, which could be inefficient. If the value is less than 128, one octet is used to encode the length. If the length is longer, the msb of the first octet is set to 1, and remaining 7 bits indicates how many octets follow in the length field. 2016/2/23 SNM NCHU 34 Values in ASN.1 General format of a value assignment <valuereference> <type> ::= <value> Examples: BOOLEAN INTEGER 2016/2/23 Married ::= BOOLEAN currentStatus Married ::= FALSE Color ::= INTEGER{red (0), blue (1), yellow (2)} defaultColor Color ::= 1 defaultColor Color ::= blue SNM NCHU 35 Basic Encode Rules (BER) An ASN.1 encoding rule ISO/ITU-T Standards: ISO 8825/ITU-T X.209 Values from any abstract syntax defined using ASN.1 can be encoded with BER BER uses Tag, Length, Value (TLV) encoding Tag: “identifier”, Length: length of content, Value: “contents” Each value may itself be made up of one or more TLV-encoded values T L T L V T L V V 2016/2/23 SNM NCHU 36 BER Numeric and Tag Representations Integer 2’s complement for positive & negative The first 9 bits can’t be all 0- or all 1- filled. Unsigned presentation for non-negative integers Representations The first 9 bits can’t be all 0- or all 1- filled. There are four classes of tags in ASN.1: universal tags, application tags, context-specific tags, and private-use tags If an ASN.1 type is primitive, it may be sent either in primitive form or in constructed form. If the ASN.1 type is constructed, then it is always sent in constructed form. 37 BER Tag and Length Representations Tag Encoding 2 bits for class field 1 bit for primitive or constructed type 0 for primitive and 1 for constructed (SEQUENCE, SEQUENCE OF) 5 bits for non-negative tag number (0,0) for universal, (0,1) for application-wide, (1,0) for context-specific, (1,1) for private-use If the number is less than 31, then it is simply encoded If it is larger than 31, then the 5 bits are set to all ones, 7 bits are used in the rest octets. The most significant bit 0 indicates the last octet. Length Encoding If the length is less than 128, then one octet is used. If the length is longer, then more than one octet is used, and the first octet has the high-order bit set to 1, and the following 7 bits for length. Two-pass length determination The first to calculate the length, and the second to do the actual encoding (Or, backward calculation of length field) 38 BER Value Representations (1/2) Simple Types INTEGER BIT STRING The first octet indicates how many bits are unused in the final content octet. If no bits are presented in the BIT STRING value, then the single octet is encoded with value 0. OCTET STRING NULL Using 2’s complement in primitive form A zero contents octet is encoded. OBJECT IDENTIFIER 40*x + y is the first sub-identifier, for example, 1.0.8571.5.1 is encoded with 40, 8571, 5, and 1. Except the first two ids, all others are treated as unsigned int. 39 BER Value Representations (2/2) Constructed Types SEQUENCE SEQUENCE OF 00-1-16 for the initial tag octet 00-1-16 for the initial tag octet Tagged Types For example, SomeType :: = [APPLICATION 7] OtherType is encoded as 01-1-7 in the first tag octet 40 Basic Encode Rules --- Example BER deficiencies Problem of processing efficiency Increase the load of managed node Example 1 (from simple book) Example 2 (from W. Stallings) (Refer the simple book, p.310) 41