snmpppt4694
TRANSCRIPT
-
8/11/2019 snmpppt4694
1/30
8: Network Management 1
Chapter 8: Network Management
As we have learned thus far, computer networks are complex systems of numerous hardware and software components.
As such, they are subject to operational problems involving outage, malfunction, misconfiguration, poor performance, and other issues. In this final chapter, we will briefly look at the architecture, protocols and tools available to identify and solve these problems.
[Figure: protocol stack layers; the end systems show application, transport, network, data link and physical, the intermediate nodes show network, data link and physical]
Chapter 8: Network Management
Chapter goals: introduction to network management
  motivation
  major components
Internet network management framework
  MIB: management information base
  SMI: data definition language
  SNMP: protocol for network management
  security and administration
presentation services: ASN.1
firewalls
Network management motivation
Networks are complex autonomous systems consisting of 100s (or 1000s) of interacting hardware and software components.
"Network management includes the deployment, integration and coordination of the hardware, software, and human elements to monitor, test, poll, configure, analyze, evaluate, and control the network and element resources to meet the real-time, operational performance, and Quality of Service requirements at a reasonable cost."
The network management infrastructure does NOT:
  dictate decision making policies
  address resource provisioning/service management issues
Motivation for network management: stuff happens
Numerous potential issues/problems to deal with on the managed devices:
  performance problems
  device faults
  configuration issues
  security problems
  software bugs
  accounting/billing issues
For example: UTA ACS (http://www2.uta.edu/userserv/UTAnet.htm) and Abilene Net (http://www.abilene.iu.edu/images/logical.pdf)
Network management: 4 key goals
Monitor: see what's happening (host interfaces, traffic levels, service levels, security, performance, routing table changes, etc.)
Analyze: determine what it means
Reactively control: take action based on what is happening
Proactively manage: take action based on what current trends tell you will happen
Infrastructure for network management
[Figure: a managing entity exchanges data with the agents on several managed devices using a network management protocol]
definitions:
managed devices contain managed objects whose data is gathered into a Management Information Base (MIB)
managing entity* (* AKA Network Management Station, NMS)
A typical Network Management System
[Figure: a network management console, the network management MIB and the managed devices, linked by the SNMP protocol (commands, replies, traps)]
Network Management standards
OSI CMIP: Common Management Information Protocol
  designed 1980s: the unifying net management standard
  too slowly standardized
SNMP: Simple Network Management Protocol
  Internet roots (SGMPISMF)
  started simple
  deployed, adopted rapidly
  growth: size, complexity
  currently: SNMP V3 (released April 1999)
  de facto network management standard
SNMP overview: 4 key parts of the Internet network management framework
Management information base (MIB): distributed information store of network management data (MIB objects)
Structure of Management Information (SMI): data definition language for MIB objects
SNMP protocol: conveys manager/managed object info and commands
Security & administration capabilities: major addition in SNMPv3
SMI: data definition language (RFC 2578)
Purpose: syntax, semantics of management data well-defined, unambiguous
base data types: straightforward, boring
OBJECT-TYPE: data type, status, semantics of managed object
MODULE-IDENTITY: groups related objects into MIB module
Basic Data Types:
  INTEGER
  Integer32
  Unsigned32
  OCTET STRING
  OBJECT IDENTIFIER
  IpAddress
  Counter32
  Counter64
  Gauge32
  TimeTicks
  Opaque
ftp://ftp.isi.edu/in-notes/std/std58.txt
SMI: Object, module examples
OBJECT-TYPE: ipInDelivers

  ipInDelivers OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
          "The total number of input datagrams successfully delivered to IP user-protocols (including ICMP)"
      ::= { ip 9 }

MODULE-IDENTITY: ipMIB

  ipMIB MODULE-IDENTITY
      LAST-UPDATED "941101000Z"
      ORGANIZATION "IETF SNMPv2 Working Group"
      CONTACT-INFO "Keith McCloghrie"
      DESCRIPTION
          "The MIB module for managing IP and ICMP implementations, but excluding their management of IP routes."
      REVISION     "019331000Z"
      ::= { mib-2 48 }

Note: RFC 2011 - IP MIB, RFC 2012 - TCP MIB, RFC 2013 - UDP MIB
ftp://ftp.isi.edu/in-notes/rfc2012.txt
SNMP Naming (OBJECT IDENTIFIER)
question: how to name every possible standard object (protocol, data, more..) in every possible network standard??
answer: ISO Object Identifier tree: hierarchical naming of all objects; each branch point has a name and a number
example: 1.3.6.1.2.1.7.1 = ISO (1) . ISO-identified organization (3) . US DoD (6) . Internet (1) . management (2) . MIB-2 (1) . UDP (7) . udpInDatagrams (1)
Check out the ISO Object Identifier Tree at http://www.alvestrand.no/harald/objectid/top.html
MIB example: UDP module

Object ID        Name             Type       Comments
1.3.6.1.2.1.7.1  udpInDatagrams   Counter32  # UDP datagrams delivered at this node
1.3.6.1.2.1.7.2  udpNoPorts       Counter32  # undeliverable datagrams, no application at port
1.3.6.1.2.1.7.3  udpInErrors      Counter32  # undeliverable datagrams, all other reasons
1.3.6.1.2.1.7.4  udpOutDatagrams  Counter32  # UDP datagrams sent
1.3.6.1.2.1.7.5  udpTable         SEQUENCE   one entry (UDP Entry) for each port in use by an app, gives port # and IP address
SNMP protocol
Two ways to convey MIB info, commands:
request/response mode: the managing entity sends a request to the agent on the managed device, and the agent answers with a response
trap mode: the agent on the managed device sends a trap message to the managing entity on its own initiative
SNMP protocol: message types

Message type                                            Function
GetRequest (0), GetNextRequest (1), GetBulkRequest (5)  Mgr-to-Agent: get me data (instance, next in list, block)
InformRequest (6)                                       Mgr-to-Mgr: here's MIB value
SetRequest (3)                                          Mgr-to-Agent: set MIB value
Response (2)                                            Agent-to-Mgr: value, response to Request
Trap (7)                                                Agent-to-Mgr: inform manager of exceptional event
SNMP protocol: message formats
[Figure: format of Get, Set, Inform and Response messages, and format of Trap messages]
SNMP security and administration
encryption: DES-encrypt SNMP message
authentication: compute, send MIC(m,k): compute hash (MIC) over message (m) and secret shared key (k)
protection against playback: use nonce
view-based access control: SNMP entity maintains database of access rights, policies for various users; database itself accessible as managed object!
MIC: Message Integrity Code (like a digital signature)
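The MIC(m,k) plus nonce idea from this slide, as an added Python example that is not from the deck and is not the SNMPv3 wire format; the message text, key and function names are constructed for illustration:

```python
import hashlib
import hmac
import secrets

# Hypothetical illustration of the slide's MIC(m,k) plus nonce idea, not the SNMPv3
# USM wire format: HMAC-SHA256 stands in for "hash over message and shared key",
# and a fresh nonce per message lets the receiver recognise a played-back copy.

def make_mic(message: bytes, key: bytes, nonce: bytes) -> bytes:
    """MIC(m, k): keyed hash over nonce || message."""
    return hmac.new(key, nonce + message, hashlib.sha256).digest()

def new_nonce() -> bytes:
    return secrets.token_bytes(16)   # 16 random bytes, never reused by an honest sender

class Receiver:
    """Receiving SNMP entity: checks the MIC, then refuses any nonce seen before."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.seen_nonces = set()

    def accept(self, message: bytes, nonce: bytes, mic: bytes) -> str:
        expected = make_mic(message, self.key, nonce)
        if not hmac.compare_digest(expected, mic):   # constant-time comparison
            return "rejected: bad MIC"               # forged, or modified in transit
        if nonce in self.seen_nonces:
            return "rejected: replay"                # playback of a captured message
        self.seen_nonces.add(nonce)
        return "accepted"

# Constructed sample exchange: a manager sends one SetRequest, then the same bytes
# are presented again, then an altered message arrives with the stale MIC.
SHARED_KEY = b"constructed-shared-secret-key"
SET_MSG = b"SetRequest sysContact.0 = ops@example.net"

def demo() -> list:
    agent = Receiver(SHARED_KEY)
    nonce = new_nonce()
    mic = make_mic(SET_MSG, SHARED_KEY, nonce)
    return [
        agent.accept(SET_MSG, nonce, mic),                       # genuine message
        agent.accept(SET_MSG, nonce, mic),                       # the same bytes again
        agent.accept(SET_MSG + b" ; extra", new_nonce(), mic),   # message altered, MIC stale
    ]
```

A real receiver has to bound the set of remembered nonces; SNMPv3 USM does this with engine boot and engine time counters rather than a list.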
The presentation problem
Q: does perfect memory-to-memory copy solve the communication problem?
A: not always!
problem: different data format, storage conventions (e.g. big-endian, little-endian)

    struct {
        char code;
        int x;
    } test;
    test.x = 259;
    test.code = 'a';

host 1 format          host 2 format
test.code  a           test.code  a
test.x     00000001    test.x     00000011
           00000011               00000001
Solving the presentation problem
1. Translate local-host format to host-independent format
2. Transmit data in host-independent format
3. Translate host-independent format to remote-host format
ASN.1: Abstract Syntax Notation 1
The language of standards writers.
ISO standard X.680, used extensively in Internet
defined data types, object constructors like SMI
BER: Basic Encoding Rules (ITU-T X.209, X.690)
specify how ASN.1-defined data objects are to be transmitted
each transmitted object has Type, Length, Value (TLV) encoding
http://www.itu.int/ITU-T/studygroups/com17/languages/X.680_1297.pdf
http://www.itu.int/ITU-T/studygroups/com17/languages/X.690_1297.pdf
ASN.1: Abstract Syntax Notation 1
Encoding Rules
BER - for management of the Internet, exchange of electronic mail, control of telephone/computer interactions
DER - specialized form of BER that is used in security-conscious applications
CER - another specialized form of BER that is meant for use with huge messages
PER - recent version with more efficient algorithms that result in faster and more compact encodings; used in applications that are bandwidth or CPU starved, such as air traffic control and audio-visual telecommunications
TLV Encoding
Idea: transmitted data is self-identifying
T: data type, one of ASN.1-defined types
L: length of data in bytes
V: value of data, encoded according to ASN.1 standard

Tag  Value Type
1    Boolean
2    Integer
3    Bit String
4    Octet string
5    Null
6    Object Identifier
9    Real
TLV encoding: example
octet string of 5 chars: Type = 4 (octet string), Length = 5 bytes, Value = the 5 octets (chars)
integer 259: Type = 2 (integer), Length = 2 bytes, Value = 259
TLV encoding - another example:
A Personnel Record:
  Name: John P Smith
  Date of Birth: 17 July 1959
  (other data)
The ASN.1 description of a personnel record (the standard) might be:

  PersonnelRecord ::= [APPLICATION 0] IMPLICIT SET {
      Name,
      title        [0] VisibleString,
      dateOfBirth  [1] Date,
      (other types defined) }

  Name ::= [APPLICATION 1] IMPLICIT SEQUENCE {
      givenName   VisibleString,
      initial     VisibleString,
      familyName  VisibleString }

The application maps the personnel data into the personnel record structure (ASN.1 data format), and then applies the Basic Encoding Rules (BER) to the ASN.1 data:

  PersonnelRecord  Length  Contents
  60               81 85
    Name           Length  Contents
    61             10
      VisibleString  Length  Contents
      1A             04      "John"
      VisibleString  Length  Contents
      1A             01      "P"
      VisibleString  Length  Contents
      1A             05      "Smith"

Finally, what gets transmitted (sent as application data to the layer below in the protocol stack) would be:
60 81 85 61 10 1A 04
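The encodings on this and the preceding TLV slides (integer 259, the OID tree, the APPLICATION-tagged Name record with its long-form length 81 85), and the host-independent format the presentation problem asks for, as an added Python example that is not part of the original deck; the function names are my own:

```python
# Added example, not code from the slides: a minimal BER (X.690) TLV encoder/decoder for the
# tags the deck discusses. Values go out big-endian inside a self-describing Type-Length-Value
# triple, so the host's own byte order (the presentation problem) never reaches the wire.
def ber_length(n: int) -> bytes:
    """Short form for n < 128; long form is 0x80|k followed by k big-endian length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(value)) + value

def ber_integer(x: int) -> bytes:
    """Tag 2: the fewest two's-complement octets that hold x, most significant first."""
    n = 1
    while not -(1 << (8 * n - 1)) <= x < (1 << (8 * n - 1)):
        n += 1
    return tlv(0x02, x.to_bytes(n, "big", signed=True))

def ber_oid(dotted: str) -> bytes:
    """Tag 6: first two arcs packed as 40*a+b, later arcs base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for v in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))  # high bit set on every octet but the last
            v >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def application_tag(number: int, constructed: bool = True) -> int:
    return 0x40 | (0x20 if constructed else 0) | number  # class APPLICATION, constructed bit, number
def visible_string(s: str) -> bytes:
    return tlv(0x1A, s.encode("ascii"))  # tag 0x1A = VisibleString
def personnel_name(given: str, initial: str, family: str) -> bytes:
    """Name ::= [APPLICATION 1] IMPLICIT SEQUENCE, i.e. tag 0x61 around three VisibleStrings."""
    return tlv(application_tag(1), visible_string(given) + visible_string(initial) + visible_string(family))

def decode_tlv(buf: bytes):
    """Parse one TLV from the front of buf and return (tag, value, rest)."""
    tag, first = buf[0], buf[1]
    if first == 0x80:
        raise ValueError("indefinite length not supported")
    k = first & 0x7F if first >= 0x80 else 0            # long form: k more length octets follow
    length = int.from_bytes(buf[2:2 + k], "big") if k else first
    if 2 + k + length > len(buf):
        raise ValueError("truncated TLV")               # length claims bytes that are not there
    return tag, buf[2 + k:2 + k + length], buf[2 + k + length:]
```

The truncation check in decode_tlv is the one a receiver must not skip: a length octet is attacker-controlled input, and trusting it blindly is how TLV parsers read past their buffers.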
Firewalls
firewall: isolates organization's internal net from larger Internet, allowing some packets to pass, blocking others.
Two firewall types:
  packet filter
  application gateway
To prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections. Attacked host allocates TCP buffers for bogus connections, none left for real connections.
To prevent illegal modification of internal data, e.g., attacker replaces CIA's homepage with something else.
To prevent intruders from obtaining secret info.
Packet Filtering
Internal network is typically connected to Internet through a router.
Router manufacturer provides options for filtering packets, based on (for example):
  source IP address
  destination IP address
  TCP/UDP source and destination port numbers
  ICMP message type
  TCP SYN and ACK bits
Example 1: block incoming and outgoing datagrams with IP protocol field = 17, and those with either source or destination port = 23. All incoming and outgoing UDP flows and telnet connections are blocked.
Example 2: Block inbound TCP segments with ACK bit = 0. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
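Example 1 and Example 2 applied as rules to a handful of constructed packets, as an added Python illustration that is not from the slides; the Packet fields, the traffic labels and the function names are my own:

```python
from dataclasses import dataclass

# Added example (not from the slides): the two filtering rules above, run over
# constructed packets so that both the blocked and the permitted cases are visible.
TCP, UDP, ICMP = 6, 17, 1   # values of the IP protocol field
TELNET = 23

@dataclass
class Packet:
    direction: str        # "in" (Internet -> internal net) or "out"
    proto: int            # IP protocol field
    src_port: int = 0     # 0 for ICMP, which carries no ports
    dst_port: int = 0
    syn: bool = False     # TCP flag bits; ignored for non-TCP
    ack: bool = False

def example1_blocks(p: Packet) -> bool:
    """Example 1: drop all UDP in either direction, and any telnet (port 23) in either direction."""
    return p.proto == UDP or TELNET in (p.src_port, p.dst_port)

def example2_blocks(p: Packet) -> bool:
    """Example 2: drop inbound TCP with ACK=0, the SYN that opens a connection from outside.
    Inbound segments with ACK=1 (replies to connections our own clients opened) still pass."""
    return p.direction == "in" and p.proto == TCP and not p.ack

def filter_packet(p: Packet) -> str:
    return "drop" if example1_blocks(p) or example2_blocks(p) else "forward"

# Constructed traffic sample, labelled by what it represents.
SAMPLE = [
    ("outside opens TCP to internal web server", Packet("in", TCP, 40000, 80, syn=True)),
    ("reply to a connection an internal client opened", Packet("in", TCP, 443, 50000, syn=True, ack=True)),
    ("internal client opens TCP to outside", Packet("out", TCP, 50000, 443, syn=True)),
    ("internal client telnets outside", Packet("out", TCP, 50001, TELNET, syn=True)),
    ("outbound DNS over UDP", Packet("out", UDP, 50002, 53)),
    ("inbound ICMP", Packet("in", ICMP)),
    ("inbound ACK-only segment to a port with no connection", Packet("in", TCP, 40001, 80, ack=True)),
]

def filter_all() -> dict:
    return {label: filter_packet(p) for label, p in SAMPLE}
```

The last sample shows the limit of the ACK-bit rule: it keeps no connection state, so an inbound segment with ACK=1 is forwarded whether or not an internal client ever opened that connection, and UDP gets the all-or-nothing treatment the limitations slide mentions.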
Application gateways
Filters packets on application data as well as on IP/TCP/UDP fields.
Example: allow select internal users to telnet outside.
[Figure: host-to-gateway telnet session, application gateway, gateway-to-remote-host telnet session, router and filter]
1. Require all telnet users to telnet through gateway.
2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections.
3. Router filter blocks all telnet connections not originating from gateway.
Limitations of firewalls and gateways
IP spoofing: router can't know if data really comes from claimed source
If multiple apps. need special treatment, each has own app. gateway.
Client software must know how to contact gateway, e.g., must set IP address of proxy in Web browser
Filters often use all or nothing policy for UDP.
Tradeoff: degree of communication with outside world, level of security
Many highly protected sites still suffer from attacks.