TSIN02 - Internetworking · 2007-03-19
© 2004 Image Coding Group, Linköpings Universitet
Lecture 11: SNMP and AAA
Literature:
● Forouzan, chapter 21
● Diameter next generation's AAA protocol by Håkan Ventura, sections 2-3.3.6
● RFC2881 (optional extra material)
● RFC2905 (optional extra material)
● RFC2903 (optional extra material)
Lecture 10: SNMP and AAA
Outline:
● SNMP
● AAA introduction
● AAA in Network Access Servers
● DIAMETER, an AAA compliant protocol
Network management framework
● Management Information Base (MIB)
● Structure of Management Information (SMI)
● SNMP
● Security and Administration
● ASN.1
Why network management?
Complex systems are difficult to manage. Too much happens in too many places. Information has to be pooled before an overview is possible.
● All large systems need to be managed systematically
– Industrial chemical processes
– Large organizations
– Electrical power systems
Network management
● Device Management
– Checking the state of a device
– Changing the configuration of a device
– Activating or turning off a device
– Monitoring software
● Network Management
– Properties of the network as a whole
Examples of managing tasks
– Shutting down a network interface on a router
– Checking the speed of an Ethernet interface
– Monitoring the temperature on a switch, and sending a warning if it gets too high
– Checking the state of a web server (the software)
– Collecting statistics about link usage
Infrastructure
Managed devices contain objects whose data is gathered into a Management Information Base.
[Figure: several managed devices, each running an Agent that holds its Data, connected to a Managing entity through the Network Management Protocol]
SNMP at a glance
● Introduced in 1988
– To meet the need for a standard for managing IP devices
● Replaced SGMP
– Simple Gateway Management Protocol was used for managing Internet routers
● Latest version is v3
SNMP parts
● SMI – Structure of Management Information
– The language for defining MIB objects
● MIB – Management Information Base
– Defines a set of objects, similar to a database
● SNMP
– Application program that allows the manager to retrieve and store object values in agents, and agents to send alarm messages to the manager
● Security
– The main addition from v2 to v3
SMI – Object Attributes
Figure from Forouzan
SMI Naming
– A tree structure is the basis for SNMP naming
– Each tree node is described by dot-separated numbers/names
[Figure: the SNMP naming tree]
Root → ccitt(0), iso(1), joint(2)
iso(1) → org(3) → dod(6) → internet(1)
internet(1) → directory(1), mgmt(2), experimental(3), private(4)
mgmt(2) → mib-2(1) = 1.3.6.1.2.1
mib-2(1) → sys(1), if(2), at(3), ip(4), icmp(5), tcp(6), udp(7), egp(8), trans(11), snmp(12)
udp(7) → udpInDatagrams(1), udpNoPorts(2), udpInErrors(3), udpOutDatagrams(4), udpTable(5)
SMI type and syntax
● Managed agents are heterogeneous and may represent data in many different ways
● There is a need for a well-defined and machine-independent syntax
● Solution: ASN.1
● Simple datatypes are offered (signed and unsigned integers, strings, etc.)
● Structured types can be built from simple types
Abstract Syntax Notation One (ASN.1)
● ISO standard, defines data types in a machine-independent way
● Intermediate format for data type definitions on different machines
[Figure: data in machine 1, in its internal representation → Encoder → data type description in abstract, machine-independent form → Decoder → data in machine 2, in its internal representation]
Data Types
Figure from Forouzan
SMI Encoding - BER
● ASN.1 is not enough for transmission, since it only makes an abstract definition of data types
● We need a standardized way of encoding data for transmission
● The solution for this is Basic Encoding Rules
● Tag-Length-Value
Encoding Format
Figure from Forouzan
Format bit: 0 – Simple, 1 – Structured
Tag class bits: 00 – ASN.1, 01 – SMI extensions, 10 – context-specific, 11 – private (vendor specific)
Length Format
Figure from Forouzan
Examples
Figure from Forouzan
Management Information Base (v2)
● Each agent has its own MIB
● The collection of objects that are managed
● The objects are sorted into the groups under 1.3.6.1.2.1 (mib-2)
● Only leaves in the tree are accessible
● The objects are accessed using SNMP operations
● Lots of standard objects, extended by vendor-specific ones
MIB-2
Figure from Forouzan
UDP Group
Figure from Forouzan
UDP Variables and Tables
Figure from Forouzan
Indexes for UDP Table
Figure from Forouzan
Lexicographic Ordering
Figure from Forouzan
SNMP Operations
Figure from Forouzan
SNMP PDU Format
Figure from Forouzan
SNMP Message Format
Figure from Forouzan
Example: GetRequest Message
Figure from Forouzan
Example: GetRequest Message
Figure from Forouzan
Example: GetRequest Message
Interpretation help: SNMP message types
Table from Forouzan
Example: GetRequest Message
Interpretation help: Data types
Table from Forouzan
Example: GetRequest Message
Interpretation help: MIB2 tree
Figure from Forouzan
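Worked example added here (not from the slides or from Forouzan): the BER Tag-Length-Value rules of the Encoding Format and Length Format slides, the OID encoding of the SMI naming tree, and the assembly of the GetRequest message these slides illustrate, for udpInDatagrams.0. The community string "public", request-id 1 and the instance suffix .0 are constructed sample values.

```python
# Added example, not from the slides: BER Tag-Length-Value encoding of an
# SNMPv1 GetRequest for udpInDatagrams.0 (OID 1.3.6.1.2.1.7.1.0, from the
# SMI naming tree). Community "public" and request-id 1 are constructed values.

# Universal tags used by SNMP: class bits 00 (ASN.1), format bit 0 (simple)
INTEGER, OCTET_STRING, NULL, OBJECT_ID = 0x02, 0x04, 0x05, 0x06
SEQUENCE = 0x30      # class 00, format 1 (structured), tag number 16
GET_REQUEST = 0xA0   # class 10 (context-specific), structured, tag number 0

def encode_length(n):
    """Short form below 128 is one byte; long form is 0x80|count, then the length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    """One Tag-Length-Value triple."""
    return bytes([tag]) + encode_length(len(value)) + value

def encode_integer(v):
    """Minimal-length two's-complement INTEGER (200 needs two bytes: 00 C8)."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(INTEGER, v.to_bytes(n, "big", signed=True))

def encode_oid(oid):
    """First two arcs share one byte (40*a + b); later arcs use base 128 with
    the high bit set on every byte but the last."""
    arcs = [int(x) for x in oid.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OBJECT_ID, bytes(out))

def decode_tag(byte):
    """Split a tag byte into class, format and number as on the Encoding Format slide."""
    cls = ("ASN.1", "SMI extensions", "context-specific", "private")[byte >> 6]
    fmt = "structured" if byte & 0x20 else "simple"
    return cls, fmt, byte & 0x1F

def get_request(community, oid, request_id):
    """SNMPv1 message: SEQUENCE { version, community, GetRequest-PDU }."""
    varbind = tlv(SEQUENCE, encode_oid(oid) + tlv(NULL, b""))   # value is NULL in a request
    pdu = tlv(GET_REQUEST, encode_integer(request_id) + encode_integer(0)   # error-status
              + encode_integer(0) + tlv(SEQUENCE, varbind))                # error-index, varbinds
    # version 0 = SNMPv1. The community string is the only "credential" and is
    # sent in clear text, which is why the slides list security as the main v3 addition.
    return tlv(SEQUENCE, encode_integer(0) + tlv(OCTET_STRING, community.encode()) + pdu)

if __name__ == "__main__":
    msg = get_request("public", "1.3.6.1.2.1.7.1.0", 1)
    print(msg.hex())            # 40 bytes, starting 30 26 02 01 00 04 06 ...
    print(decode_tag(msg[0]), decode_tag(GET_REQUEST))
```

Reading the output against the Encoding Format slide: 0x30 is class 00, structured, number 16 (SEQUENCE); 0xA0 is class 10 (context-specific), structured, number 0 (GetRequest).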
UDP Ports
Figure from Forouzan
AAA Introduction
● Authentication
– Validate user identity.
● Authorization
– Check which services the user is allowed access to.
● Accounting
– Store information about use of a service, e.g. for billing purposes.
Authentication
● Validate the identity of a user
● Used for
– Access control
– Authorization decisions
– Accounting records
Authentication techniques
● Providing some credential that proves a claimed identity
– ID
– Smart card
– SIM
– Certificate
– Biometrics
– Password
– Public – Secret Key pair
Authentication Basics
● Something you have
● Something you know
● Something you are
Authentication protocol
Example:
If A wants to contact B through the Internet, how can A prove his/her identity?
Authorization
● Policy
– Identity
– Current actions
– Outside state
● Allowing access to services to authenticated users
Accounting
● Tracking the usage of resources for
– Billing
– Management
– Planning
– Auditing
Protocols for AAA
● RADIUS
● TACACS
● COPS
● DIAMETER
Network Access Server
A Network Access Server (NAS) is often the initial entry point to a network.
A NAS is a gateway between the users and a network, supplying one or more ways to connect, e.g.:
– Dial-up
– Direct network access (e.g. through SLIP or PPP)
– Asynchronous terminal services (e.g. telnet)
– Tunneling
The NAS contacts an AAA server to see if the user is authorized to access the network. This communication needs a protocol!
DIAMETER
The Diameter Base Protocol is intended to provide an Authentication, Authorization and Accounting framework for applications such as network access and IP mobility.
DIAMETER Facilities
The Diameter Base Protocol provides the following facilities:
● Delivery of attribute value pairs (AVPs)
● Capabilities negotiation
● Error notification
● Extendability, through addition of new commands and AVPs
● Basic services necessary for applications, such as handling of user sessions or accounting
The Diameter Base Protocol provides the minimum requirements needed for an AAA-protocol, as defined in RFC2989
DIAMETER Features
All data delivered by the protocol is in the form of an AVP. These are used by the base protocol to support the following features:
● Transporting of user authentication information, for the purpose of enabling the Diameter server to authenticate the user.
● Transporting of service specific authorization information, between client and servers, allowing the peers to decide whether a user's access should be granted.
● Exchanging resource usage information, which may be used for accounting purposes, capacity planning etc.
● Relaying, proxying and redirecting of Diameter messages through a server hierarchy.
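Added example (not from the slides, and not the Diameter specification's own code) of how the "delivery of attribute value pairs" above is framed on the wire and how a receiver applies the mandatory flag. It goes beyond the slides in using the Diameter base protocol's AVP header layout (Code, Flags, Length, optional Vendor-ID, data padded to 4 bytes); User-Name (1) and Session-Id (263) are base-protocol AVP codes, while the values, the vendor AVP (code 4711, vendor 99999) and the receiver's known-AVP table are constructed.

```python
# Added example, not from the slides or the Diameter specification itself:
# framing Diameter AVPs (Code, Flags, Length, optional Vendor-ID, padded data)
# and applying the mandatory-bit rule on the receiving side. User-Name = 1 and
# Session-Id = 263 are base-protocol codes; the values and the vendor-specific
# AVP (code 4711, vendor 99999) are constructed sample data.
import struct

FLAG_V, FLAG_M, FLAG_P = 0x80, 0x40, 0x20   # Vendor-specific, Mandatory, Protected

# AVPs this (hypothetical) receiver understands, keyed by (vendor_id, code)
KNOWN_AVPS = {(None, 1): "User-Name", (None, 263): "Session-Id"}

def encode_avp(code, data, mandatory=True, vendor_id=None):
    """Build one AVP. The Length field covers header and data but not the padding."""
    flags = FLAG_M if mandatory else 0
    vendor = b""
    if vendor_id is not None:
        flags |= FLAG_V
        vendor = struct.pack("!I", vendor_id)
    length = 8 + len(vendor) + len(data)
    header = struct.pack("!I", code) + bytes([flags]) + length.to_bytes(3, "big")
    return header + vendor + data + b"\x00" * ((-len(data)) % 4)

def parse_avps(buf):
    """Yield (code, flags, vendor_id, data) for each AVP; reject truncated or
    self-inconsistent lengths instead of reading past the buffer."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 8:
            raise ValueError("truncated AVP header at offset %d" % pos)
        code = struct.unpack("!I", buf[pos:pos + 4])[0]
        flags = buf[pos + 4]
        length = int.from_bytes(buf[pos + 5:pos + 8], "big")
        hdr = 12 if flags & FLAG_V else 8
        if length < hdr or pos + length > len(buf):
            raise ValueError("bad AVP length %d at offset %d" % (length, pos))
        vendor_id = struct.unpack("!I", buf[pos + 8:pos + 12])[0] if flags & FLAG_V else None
        yield code, flags, vendor_id, buf[pos + hdr:pos + length]
        pos += length + (-length) % 4          # step over the padding

def unsupported_mandatory(buf, known=KNOWN_AVPS):
    """Codes of M-flagged AVPs the receiver does not recognise. The base protocol
    requires such a message to be rejected; an unknown AVP without M may be ignored."""
    return [code for code, flags, vendor_id, _ in parse_avps(buf)
            if flags & FLAG_M and (vendor_id, code) not in known]

if __name__ == "__main__":
    msg = encode_avp(1, b"alice") + encode_avp(263, b"nas1;1;1")
    print([(c, hex(f), v, d) for c, f, v, d in parse_avps(msg)])
    print(unsupported_mandatory(msg + encode_avp(4711, b"?", vendor_id=99999)))  # [4711]
```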