Simple Network
Management Protocol
Lecture 3
SNMPv1 (RFC 1157)
SNMPv2 (RFC1441-1452 )
(supplementary: Chapter 4 of tutorial slides)
2016/2/23
SNM NCHU
1
SNMPv1 Protocol
 Supported

get, set, trap
 Simplicity


vs. limitations
Not able to change the structure of MIB by adding
or deleting object instances
Access is provided only to leaf objects

2016/2/23
operations
Not able to access entire table or row in single action
SNM NCHU
2
SNMPv1 Operations Support
 Three
general-purpose operations may be
performed on scalar objects：



2016/2/23
Get：A management station retrieves a scalar
object value from a managed station.
Set：A management station updates a scalar
object value in a managed station.
Trap：A managed station sends an unsolicited
scalar object value to management station
SNM NCHU
3
SNMP Protocol –
management relationship
 In

management environment
The management station and managed agent



One-to-many relationship
One station may manage all or a subset of target
The managed system and management station


2016/2/23
One-to-may relationship
Each managed station controls its local MIB and
must be able to control the use of that MIB
SNM NCHU
4
Three Management Services
A
managed station controls its own local MIB
and must be able to control the MIB access
by a number of management stations

Authentication service: The managed station may
wish to limit access to the MIB to authorized
management stations.

Access policy: The managed station may wish to
give different access privileges to different
management stations.

Proxy service: A managed station may act as a
proxy to other managed stations.
2016/2/23
SNM NCHU
5
MIB Access and SNMP Access Mode
2016/2/23
SNM NCHU
6
SNMP Access Policy
2016/2/23
SNM NCHU
7
Concept of Community
 An

A relationship between an SNMP agent and a set
of SNMP managers that defines




2016/2/23
SNMP community is
Authentication, access control and proxy
The managed system establishes one community
for each combination of authentication, access
control and proxy
Each community has a unique “community name”
Management station uses certain community
name in all get and set operations
SNM NCHU
8
Authentication and Access Using
Community
 Authentication

The community name (password)
 Access

Community profile

SNMP MIB view


A subset of MIB objects
SNMP access mode

2016/2/23
policy
READ-ONLY, READ-WRITE
SNM NCHU
9
SNMPv1
 SNMP
Message
Version Identifier
Community Name
Protocol Data Unit



Message ::=
SEQUENCE {
version
INTEGER {version-1(0)},
community OCTET STRING,
data
ANY
}
 The
length of SNMP messages should not
exceed 484 octets.
Version
2016/2/23
Community
SNMP PDU
SNM NCHU
10
SNMP Authentication
 Community

Relationship between an Agent and Managers.
 Community



Name
Used to validate the SNMP messages.
SNMP Password.
Default ‘Get’ community name: “public”.
 Authentication

2016/2/23
Failure
Agent sends “Authentication Failure Trap” to
Manager.
SNM NCHU
11
SNMPv1 PDU
PDU
::= SEQUENCE {
 request-id
INTEGER,
 error-status INTEGER {
Five SNMP PDUs:

noError(0),
GetRquest : [0] PDU

tooBig(1),
GetNextRequest : [1] PDU

noSuchName(2),
GetResponse : [2] PDU

badValue(3),
SetRequest : [3] PDU

readOnly(4)
Trap : [4] Trap-PDU 
genErr(5)},
 error-index INTEGER,
 variable-bindings

SEQUENCE OF {

name ObjectName,

value ObjectSyntax
}
2016/2/23
SNM 
NCHU
12
PDU: Protocol Data Unit
 }
SNMPv1 PDU (cont.)
GetRequest, GetNextRequest, SetRequest
PDU type request-id
0
0
GetResponse
PDU type request-id error-status error-index
variable-bindings
variable-bindings
variable-bindings
name
2016/2/23
value
name
value
SNM NCHU
...
name
value
13
Trap-PDU
Enterprise:
Type of Object generating trap.
Agent Address:
Address of object generating trap.
Generic Trap:
Generic trap type.
Specific Trap:
Enterprise specific trap.
Time Stamp:
Time elapsed between the last
initialization of the network entity and
the generation of the trap.
Variable Bindings
“Interesting” information
Trap-PDU ::= [4]
IMPLICIT SEQUENCE {
enterprise
OBJECT IDENTIFIER,
agent-addr
NetworkAddress,
generic-trap INTEGER {
coldStart(0),
warmStart(1),
linkDown(2),
linkUp(3),
authenticationFailure(4),
egpNeighborLoss(5),
enterpriseSpecific(6)},
specific-trap INTEGER,
time-stamp TimeTicks,
variable-bindings VarBindList
}
PDU type enterprise agent-addr generic-trapspecific-traptime-stamp variable-bindings
2016/2/23
SNM NCHU
14
How does a Manager do?
NM
Application
NM
Application
Translates Internal
Data to
ASN.1 Format
Sends Request
PDU to Agent
Translates ASN.1
Package to Internal
Data Format
Received Response
PDU from Agent
Agent
Agent
Manager
2016/2/23
SNM NCHU
15
How does an Agent do?
From
Manager
To
Manager
Received SNMP
Request PDU
from Manager
Translates ASN.1
Structure to
Internal Data
Maps MIB
Variables to
Internal Variables
Sends SNMP
Response PDU
to Manager
Translates Response
PDU to ASN.1
Format
Implement SNMP
Request to Set or
Get MIB Value
Agent
2016/2/23
SNM NCHU
16
Main Loop of Agent (1/2)






Agent waits for an incoming datagram in Port 161
Reads the datagram from UDP and notes the
transport address of the sending entity.
Increments the QUANTUM to keep track of the
logical request-id being processed by agent
De-serializes the datagram into an ASN.1 structure. If
error occurs, log error and discard packet.
The ASN.1 structure is translated into SNMP
message. If error occurs, log error and discard packet.
Check on VERSION-NUMBER field. If error occurs,
log error and discard packet.
2016/2/23
SNM NCHU
17
Main Loop of Agent (2/2)
 Community


name is looked up.
If community is unknown to agent, agent send
authentication trap to Manager station in Port 162; log
error and discard packet.
Agent loops through list of variables in the request.



If no protocol type is found, return a get-response with
error noSuchName and discard package.
Once protocol type is found, operation is checked against
community profile. If mismatch, return get-response with
error noSuchName or readOnly and discard package.
Otherwise, agent invokes access routine to perform the
desired operation.
2016/2/23
SNM NCHU
18
Transmission of an SNMP Message
 Actions




2016/2/23
taken by a Transmitter:
The PDU is constructed, using the ASN.1
structure defined in RFC 1157.
This PDU is then passed to an authentication
service. The authentication service then performs
any required transformation for this exchange.
The protocol entity then constructs a message,
consisting of a version field, the community name,
and the results from the last step.
This new ASN.1 object is then encoded using the
BER and passed to the transport service.
SNM NCHU
19
Receipt of an SNMP Message
 Actions



taken by a Receiver:
It does a basic syntax-check of the message and discards
the message if it fails to parse.
It verifies the version number and discards the message if
there is a mismatch.
The protocol entity then passes the user name, the PDU
portion of the message and the source and destination
transport addresses to an authentication service.


If authentication fails, the authentication service signals the
SNMP protocol entity, witch generates a trap and discards the
message.
If authentication succeeds, the authentication service returns a
PDU in the form of an ASN.1 object.
The protocol entity does a basic syntax-check of the PDU
and using the named community, the appropriate SNMP
access policy is selectedSNM
and
the PDU is processed.
2016/2/23
NCHU

20
What's New in SNMPv2

No more Trap PDU, 3 New PDUs:
 getBulkReq, InformReq, SNMPv2-Trap
Added Security
 18 Error Status Values (versus 6 in SNMPv1)
 SNMPv2 SMI / SNMPv2 MIB
 M-to-M Communications
 Enhanced Table Operations
 ...
(details until we talk about SNMPv3)

2016/2/23
SNM NCHU
21
SNMPv2 macro for object definition (1/2)
OBJECT-TYPE MACRO ::= BEGIN
TYPE NOTATION ::=
"SYNTAX" Syntax
UnitsPart
"MAX-ACCESS" Access
"STATUS" Status
"DESCRIPTION" Text
ReferPart
IndexPart
DefValPart
VALUE NOTATION ::= value(VALUE ObjectName)
Syntax ::= -- Must be one of the following:
-- a base type (or its refinement),
-- a textual convention (or its refinement), or
-- a BITS pseudo-type
type (ObjectSyntax) | "BITS" "{" NamedBits "}“
NamedBits ::= NamedBit | NamedBits "," NamedBit
NamedBit ::= identifier "(" number ")" -- number is
nonnegative
UnitsPart ::= "UNITS" Text | empty
2016/2/23
SNM NCHU
22
SNMPv2 macro for object definition (2/2)
Access ::= "not-accessible“ | "accessible-for-notify“ | "read-only“ | "read-write“ |
"read-create“
Status ::= "current“ | "deprecated“ | "obsolete“
ReferPart ::= "REFERENCE" Text | empty
IndexPart ::= "INDEX" "{" IndexTypes "}“ | "AUGMENTS" "{" Entry "}“ | empty
IndexTypes ::= IndexType | IndexTypes "," IndexType
IndexType ::= "IMPLIED" Index | Index
Index ::= -- use the SYNTAX value of the
-- correspondent OBJECT-TYPE invocation
value(ObjectName)
Entry ::= -- use the INDEX value of the
-- correspondent OBJECT-TYPE invocation
value(ObjectName)
DefValPart ::= "DEFVAL" "{" Defvalue "}“ | empty
Defvalue ::= -- must be valid for the type specified in
-- SYNTAX clause of same OBJECT-TYPE macro
value(ObjectSyntax) | "{" BitsValue "}“
BitsValue ::= BitNames | empty
BitNames ::= BitName | BitNames "," BitName
BitName ::= identifier
Text ::= value(IA5String)
END
2016/2/23
SNM NCHU
23
ObjectName and ObjectSyntax (1/3)
ObjectName ::= OBJECT IDENTIFIER
NotificationName ::= OBJECT IDENTIFIER
-- syntax of objects
-- the "base types" defined here are:
-- 3 built-in ASN.1 types: INTEGER, OCTET STRING, OBJECT IDENTIFIER
-- 8 application-defined types: Integer32, IpAddress, Counter32,
-- Gauge32, Unsigned32, TimeTicks, Opaque, and Counter64
ObjectSyntax ::= CHOICE {
simple SimpleSyntax,
-- note that SEQUENCEs for conceptual tables and
-- rows are not mentioned here...
application-wide ApplicationSyntax }
-- built-in ASN.1 types
SimpleSyntax ::= CHOICE {
-- INTEGERs with a more restrictive range
-- may also be used
integer-value
-- includes Integer32
INTEGER (-2147483648..2147483647),
-- OCTET STRINGs with a more restrictive size
-- may also be used
string-value OCTET STRING (SIZE (0..65535)),
objectID-value OBJECT IDENTIFIER }
2016/2/23
SNM NCHU
24
ObjectName and ObjectSyntax (2/3)
-- indistinguishable from INTEGER, but never needs more than
-- 32-bits for a two's complement representation
Integer32 ::= INTEGER (-2147483648..2147483647)
-- application-wide types
ApplicationSyntax ::= CHOICE {
ipAddress-value IpAddress,
counter-value Counter32,
timeticks-value TimeTicks,
arbitrary-value Opaque,
big-counter-value Counter64,
unsigned-integer-value -- includes Gauge32 Unsigned32 }
-- in network-byte order
-- (this is a tagged type for historical reasons)
IpAddress ::= [APPLICATION 0] IMPLICIT OCTET STRING (SIZE (4))
-- this wraps
Counter32 ::= [APPLICATION 1] IMPLICIT INTEGER (0..4294967295)
-- this doesn't wrap
Gauge32 ::= [APPLICATION 2] IMPLICIT INTEGER (0..4294967295)
2016/2/23
SNM NCHU
25
SNMP v2 Messages and Operations
(Please refer to the lecture 6 and supplementary materials)
2016/2/23
SNM NCHU
26
ObjectName and ObjectSyntax (3/3)
-- an unsigned 32-bit quantity
-- indistinguishable from Gauge32
Unsigned32 ::=
[APPLICATION 2] IMPLICIT INTEGER (0..4294967295)
-- hundredths of seconds since an epoch
TimeTicks ::=
[APPLICATION 3] IMPLICIT INTEGER (0..4294967295)
-- for backward-compatibility only
Opaque ::=
[APPLICATION 4] IMPLICIT OCTET STRING
-- for counters that wrap in less than one hour with only 32 bits
Counter64 ::=
[APPLICATION 6] IMPLICIT INTEGER (0..18446744073709551615)
2016/2/23
SNM NCHU
27
APPENDIX:
Abstract Syntax Notation One (ASN.1)

ASN.1:


Abstract Syntax:


Use a syntax to define data/data structure
independent of machine-oriented
structures and restrictions.
Use in SNMP


2016/2/23
ISO/ITU-T Standards: ISO 8824/ITU-T X.208
Define SNMP PDU format
Define management information (MIB)
SNM NCHU
28
What are defined using ASN.1

Types:



Values:



2016/2/23
data structures
e.g. Counter, Gauge, IpAddess, ...
instances (variables) of a type
e.g. sysContact, ifTable, ifSpeed, ...
Macros:

used to change the actual grammar of ASN.1

e.g. OBJECT-TYPE, ACCESS, ...
SNM NCHU
29
Modules


Module: A collection of ASN.1 descriptions
Module Structure


<module name> DEFINITION ::=
BEGIN
<module body>
END
Example

2016/2/23
EmptyModule DEFINITION ::=
BEGIN
…
END
SNM NCHU
30
Tags and Types (1)
 Tags


Every type defined in ASN.1 is assigned a tag
Tag = Class + P/C + Number

Class:






2016/2/23
(Bit 8,7 in BER tag)
Universal
Application
Context-specific
Private
0
0
1
1
0
1
0
1
P/C: primitive or constructed ASN.1 type
Number: non-negative Integer
SNM NCHU
BER: Basic Encoding Rules
31
Tags and Types (2)
Universal Tag
1
2
3
4
5
6
7
8
9
10
12-15
16
17
2016/2/23
 Universal Tag
ASN.1 Type
18
BOOLEAN
19
INTEGER
20
BIT STRING
21
OCTET STRING
22
NULL
23
OBJECT IDENTIFIER
24
ObjectDescriptor
25
EXTERNAL
26
REAL
27
ENUMERATED
28
Reserved
SEQUENCE, SEQUENCE OF 29-...
SET, SET OF
SNM NCHU
ASN.1 Type
NumericString
PrintableString
TeletexString
VediotextString
IA5String
UTCTime
GeneralizeTime
GraphicString
VisssibleString
GeneralString
CharacterString
Reserved
32
Tags and Types (3)
An ASN.1 type is either primitive or constructed
 If it is a primitive type, it may be sent either in a
primitive form (encoded in a single collection of octets)
or in a constructed form (a resulting octet-encoding is
sent).
 If it is a constructed type, it is always sent in a
constructed form. In most cases, SEQUENCE and
SEQUENCE OF are two typical constructed types.

2016/2/23
SNM NCHU
33
Tags and Types (4)




If the length of the encoding is known, it is termed the
definite form. Primitive encoding always uses definite
form for primitive types.
If the length isn’t known ahead of time and that the
receiving process should look for a special sequence of
octets, end-of-contents, to detect the end of value, it is
in indefinite form.
2nd way to calculate the length is to make two passes
through the data, which could be inefficient.
If the value is less than 128, one octet is used to encode
the length. If the length is longer, the msb of the first
octet is set to 1, and remaining 7 bits indicates how
many octets follow in the length field.
2016/2/23
SNM NCHU
34
Values in ASN.1

General format of a value assignment


<valuereference> <type> ::= <value>
Examples:

BOOLEAN



INTEGER



2016/2/23
Married ::= BOOLEAN
currentStatus Married ::= FALSE
Color ::= INTEGER{red (0), blue (1), yellow (2)}
defaultColor Color ::= 1
defaultColor Color ::= blue
SNM NCHU
35
Basic Encode Rules (BER)
An ASN.1 encoding rule
ISO/ITU-T Standards: ISO 8825/ITU-T X.209
Values from any abstract syntax defined using
ASN.1 can be encoded with BER
BER uses Tag, Length, Value (TLV) encoding





Tag: “identifier”, Length: length of content, Value:
“contents”
Each value may itself be made up of one or
more TLV-encoded values

T
L
T
L
V
T
L
V
V
2016/2/23
SNM NCHU
36
BER Numeric and Tag Representations
 Integer

2’s complement for positive & negative


The first 9 bits can’t be all 0- or all 1- filled.
Unsigned presentation for non-negative
integers


Representations
The first 9 bits can’t be all 0- or all 1- filled.
There are four classes of tags in ASN.1:



universal tags, application tags, context-specific
tags, and private-use tags
If an ASN.1 type is primitive, it may be sent either
in primitive form or in constructed form.
If the ASN.1 type is constructed, then it is always
sent in constructed form.
37
BER Tag and Length Representations

Tag Encoding

2 bits for class field


1 bit for primitive or constructed type


0 for primitive and 1 for constructed (SEQUENCE, SEQUENCE OF)
5 bits for non-negative tag number



(0,0) for universal, (0,1) for application-wide, (1,0) for context-specific,
(1,1) for private-use
If the number is less than 31, then it is simply encoded
If it is larger than 31, then the 5 bits are set to all ones, 7 bits are
used in the rest octets. The most significant bit 0 indicates the last
octet.
Length Encoding



If the length is less than 128, then one octet is used.
If the length is longer, then more than one octet is used, and
the first octet has the high-order bit set to 1, and the following
7 bits for length.
Two-pass length determination

The first to calculate the length, and the second to do the actual
encoding (Or, backward calculation of length field)
38
BER Value Representations (1/2)

Simple Types

INTEGER


BIT STRING




The first octet indicates how many bits are unused in the
final content octet.
If no bits are presented in the BIT STRING value, then the
single octet is encoded with value 0.
OCTET STRING
NULL


Using 2’s complement in primitive form
A zero contents octet is encoded.
OBJECT IDENTIFIER

40*x + y is the first sub-identifier, for example, 1.0.8571.5.1
is encoded with 40, 8571, 5, and 1. Except the first two ids,
all others are treated as unsigned int.
39
BER Value Representations (2/2)

Constructed Types

SEQUENCE


SEQUENCE OF


00-1-16 for the initial tag octet
00-1-16 for the initial tag octet
Tagged Types

For example, SomeType :: = [APPLICATION 7] OtherType
is encoded as
01-1-7 in the first tag octet
40
Basic Encode Rules --- Example
 BER


deficiencies
Problem of processing efficiency
Increase the load of managed node
 Example
1 (from simple book)
Example 2 (from W. Stallings)
(Refer the simple book, p.310)
41