P04-Management-en - LUSY · 11/14/12 6 basic data types: INTEGER, Integer32,Unsigned32, OCTET...
11/14/12
Network control and management
Network management
What is network management? Why is it needed?
Mani Subramanian, Network Management: An Introduction to Principles and Practice, Addison Wesley Longman, 2000
Network management
The growth of the internet and of local networks caused small networks to connect into one LARGE infrastructure. With it, the need for SYSTEMATIC management of the hardware and software components of this system increased. Frequent questions:
Which resources are available in the network?
How much traffic is travelling through a certain piece of network equipment?
Who is using network connections in a way that causes their director to receive his email too slowly?
Why can't I send data to a certain computer?
Definition: Managing a network involves the deployment, integration and coordination of hardware, software and human resources for the purpose of observing, testing, configuring, analysing and controlling network resources, for which we want to provide operation in real time (or operation with appropriate quality, QoS) at an affordable price.
Examples of management activities
1. detection of errors on a computer or router interface: the administrator can be notified by the software that the interface has a problem (even before it fails!),
2. controlling computer operation and network analysis,
3. controlling network traffic: the administrator can observe frequent communications and their direction, finding bottlenecks,
4. detection of rapid changes in routing tables: this phenomenon may indicate problems with routing or an error in the router,
5. controlling the level of service provision: network service providers are able to guarantee availability, latency and a certain service throughput; the administrator can measure and verify this,
6. intrusion detection: the administrator can be notified if certain traffic arrives from suspicious sources; he can also detect a particular type of traffic (e.g., a set of SYN packets intended for one single interface).
Examples of activities
controlling computer operation and network analysis (detection of network topology)
Examples of activities
controlling network traffic (profiling)
Examples of activities
controlling the level of service provision (data flow)
Examples of activities
controlling computer operation and network analysis (list of IP addresses)
Examples of activities
controlling computer operation and network analysis (diagnostics and fault detection)
Areas of management
Fault management
Configuration management
Accounting management (logging of accesses)
Security management
MANAGEMENT
Management software
CLI (Command Line Interface):
+ precise control, possibility of using command lines in batches,
– problem of syntax knowledge, difficulty of storing configurations, less general (specific to a particular piece of network equipment).
GUI (Graphical User Interface) applications:
+ visually beautiful, provides an overview of the whole system/network, uses its own (concise) protocol to communicate with a device (speed),
– we lose the ability to store configurations in readable form (binary); it can mask configuration options.
Management infrastructure
Figure: an operator with its data communicates over the management protocol with several controlled devices; each controlled device holds an agent and the agent's data.
Management system components:
operator = entity (application + human), the BOSS,
controlled device (contains an NMA agent and controlled OBJECTS containing controlled PARAMETERS),
management protocol (e.g., SNMP).
History: management protocols
OSI CMIP, Common Management Information Protocol, ITU-T X.700 standard created in 1980: the first management standard; standardized too slowly, never implemented in practice.
SNMP, Simple Network Management Protocol, IETF standard: very simple first version, rapid deployment and expansion in practice; currently SNMPv3 (added security!), the de facto standard for network management.
Management data
For each type of controlled device we have its own MIB (Management Information Base), where information regarding the managed OBJECTS and their PARAMETERS is stored.
The operator has its own MDB (Management Database), where it stores concrete values of MIB objects/parameters for each managed device.
A language that defines how OBJECTS and PARAMETERS are written is needed: SMI (Structure of Management Information).
SMI: language for defining objects in the MIB
basic data types: INTEGER, Integer32, Unsigned32, OCTET STRING, OBJECT IDENTIFIER, IpAddress, Counter32, Counter64, Gauge32, TimeTicks, Opaque
structured data types: OBJECT-TYPE, MODULE-IDENTITY
SMI: object definition
object definition: it contains the data type, the status, and a description of the meaning

    ipSystemStatsInDelivers OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of input datagrams successfully delivered to IP user-protocols (including ICMP)"
        ::= { ip 9 }

SMI: grouping objects into modules
MODULE: a content-related group of objects

    ipMIB MODULE-IDENTITY
        LAST-UPDATED "941101000Z"
        ORGANIZATION "IETF SNMPv2 Working Group"
        CONTACT-INFO "Keith McCloghrie ……"
        DESCRIPTION
            "The MIB module for managing IP and ICMP implementations, but excluding their management of IP routes."
        REVISION "019331000Z"
        ::= { mib-2 48 }

Figure: one MODULE groups several OBJECT-TYPE definitions.
MIB modules: standardization
MODULES: "standardized", vendor-specific
The IETF (Internet Engineering Task Force) is responsible for the standardization of MIB modules for routers, interfaces and other network equipment -> naming (labelling) of standard components is required! The ISO ASN.1 (Abstract Syntax Notation 1) designation is used:
hierarchical arrangement of objects with tree identifiers,
each object has a name consisting of a sequence of number identifiers from the tree root to a leaf; example: 1.3.6.1.2.1.7 means the UDP protocol.
challenge: what is on the second and third level of the tree identifiers?
MIB modules: standardization (figure: the identifier tree with its standardization branch and its company branches, leading down to the controlled objects/parameters)
MIB: naming, example
Example: 1.3.6.1.2.1.7 identifies the UDP protocol; 1.3.6.1.2.1.7.* identifies the observed parameters of the UDP protocol.
Figure: the path of 1.3.6.1.2.1.7.1 through the tree: ISO (1) -> ISO-identified organization (3) -> US DoD (6) -> Internet (1) -> management (2) -> MIB-2 (1) -> UDP (7) -> udpInDatagrams (1)
MIB: naming, example
Object ID          Name              Type       Comments
1.3.6.1.2.1.7.1    udpInDatagrams    Counter32  total # datagrams delivered at this node
1.3.6.1.2.1.7.2    udpNoPorts        Counter32  # undeliverable datagrams, no app at port
1.3.6.1.2.1.7.3    udpInErrors       Counter32  # undeliverable datagrams, all other reasons
1.3.6.1.2.1.7.4    udpOutDatagrams   Counter32  # datagrams sent
1.3.6.1.2.1.7.5    udpTable          SEQUENCE   one entry for each port in use by an app; gives port # and IP address
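As an added example (not code from the slides), the following Python models the UDP group above as a small name table and implements the lexicographic "next object" lookup that a GetNextRequest, and therefore a MIB walk, relies on. The object names and OIDs are the ones in the table; the ".0" instance suffix for scalar objects and the counter values in the agent state are constructed assumptions of this example.

```python
# Constructed name table for the slide's UDP group (MIB-2 names): OID -> (name, type).
UDP_GROUP = {
    "1.3.6.1.2.1.7":   ("udp", "group"),
    "1.3.6.1.2.1.7.1": ("udpInDatagrams", "Counter32"),
    "1.3.6.1.2.1.7.2": ("udpNoPorts", "Counter32"),
    "1.3.6.1.2.1.7.3": ("udpInErrors", "Counter32"),
    "1.3.6.1.2.1.7.4": ("udpOutDatagrams", "Counter32"),
    "1.3.6.1.2.1.7.5": ("udpTable", "SEQUENCE"),
}

# Constructed agent state: scalar instances carry the usual ".0" instance suffix
# (an assumption of this example); the counter values are made up.
AGENT_VALUES = {
    "1.3.6.1.2.1.7.1.0": 1234,
    "1.3.6.1.2.1.7.2.0": 5,
    "1.3.6.1.2.1.7.3.0": 0,
    "1.3.6.1.2.1.7.4.0": 999,
}


def parse_oid(text):
    """'1.3.6.1.2.1.7.1' -> (1, 3, 6, 1, 2, 1, 7, 1); rejects malformed identifiers."""
    arcs = tuple(int(a) for a in text.strip(".").split("."))
    if len(arcs) < 2 or arcs[0] > 2 or any(a < 0 for a in arcs):
        raise ValueError("not a valid OBJECT IDENTIFIER: %r" % text)
    return arcs


def resolve_name(oid_text):
    """Longest-prefix match against the name table.
    Returns (name, type, instance suffix) or None when the OID is outside the table."""
    arcs = parse_oid(oid_text)
    for cut in range(len(arcs), 0, -1):
        prefix = ".".join(map(str, arcs[:cut]))
        if prefix in UDP_GROUP:
            name, typ = UDP_GROUP[prefix]
            return name, typ, ".".join(map(str, arcs[cut:]))
    return None


def get_next(oid_text, values=AGENT_VALUES):
    """What an agent answers to GetNextRequest: the lexicographically smallest
    instance OID strictly greater than the requested one; None == end of MIB view."""
    wanted = parse_oid(oid_text)
    for cand in sorted(parse_oid(o) for o in values):
        if cand > wanted:            # tuple comparison == lexicographic OID order
            return ".".join(map(str, cand))
    return None


def walk(start_oid, values=AGENT_VALUES):
    """A MIB walk: repeated GetNext until the answer leaves the requested subtree.
    Returns a list of (instance OID, object name, value)."""
    prefix = parse_oid(start_oid)
    out, cur = [], start_oid
    while True:
        nxt = get_next(cur, values)
        if nxt is None or parse_oid(nxt)[:len(prefix)] != prefix:
            return out
        out.append((nxt, resolve_name(nxt)[0], values[nxt]))
        cur = nxt


if __name__ == "__main__":
    for row in walk("1.3.6.1.2.1.7"):
        print("%-20s %-16s %d" % row)
```

The walk stops as soon as the next OID no longer starts with the requested prefix, which is how a manager knows it has left the UDP group rather than having reached the end of the whole MIB.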
SNMP protocol
Simple Network Management Protocol: a protocol for exchanging control information between the operator and the monitored objects. Information about the controlled objects is transferred between the controlled equipment and the operator in accordance with the MIB definition.
Two operating modes:
request-response: reading and setting values,
trap message: the device informs the operator about an event.
SNMP protocol
Figure: the two operating modes.
SNMP: message types
Message                                      Direction             Meaning
GetRequest, GetNextRequest, GetBulkRequest   operator -> agent     "give me information" (a value, the next value in the list, a block of data such as a table)
InformRequest                                operator -> operator  mutual transmission of values from the MIB
SetRequest                                   operator -> agent     set the value in the MIB
Response                                     agent -> operator     "here is the value", response to a Request
Trap                                         agent -> operator     notification to the operator about an incident
SNMP protocol
challenge: find the RFC documents about SNMP and find the differences between them
SNMP uses the UDP transport protocol:
port 161: the "general" SNMP port, where devices listen for SNMP requests,
port 162: the notifications port (traps), usually where the systems for network control and management listen.
An SNMP implementation must address the following problems:
packet size: SNMP packets can contain extensive information about objects in the MIB; UDP, on the other hand, has an upper limit on the size of a segment (TCP doesn't),
resending: since UDP is used, delivery and confirmation are not guaranteed. Delivery control should therefore be addressed at a higher OSI level,
problem of lost notifications: if a notification is lost during transfer, the sender doesn't know anything about it; the recipient also doesn't receive it.
challenge: how does SNMPv3 address these problems?
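As an added example (not from the slides), the following Python simulates the two UDP problems just listed, missing delivery confirmation and lost notifications, together with the usual application-level answers: the manager retransmits a request carrying the same request-id until a Response with a matching request-id arrives, and an InformRequest (unlike a Trap) is retransmitted by the agent until the manager's Response acknowledges it. The channel, its loss pattern and the message dictionaries are constructed for the example; no sockets are used.

```python
from collections import deque


class LossyChannel:
    """Constructed in-memory 'UDP': drops the n-th datagram for every n in `drop`,
    delivers everything else in order. Both sides share the same channel."""

    def __init__(self, drop=()):
        self.drop, self.sent, self.queue = set(drop), 0, deque()

    def send(self, msg):
        self.sent += 1
        if self.sent not in self.drop:
            self.queue.append(msg)

    def recv(self):
        # None models a receive timeout: nothing arrived.
        return self.queue.popleft() if self.queue else None


def agent_answer(request):
    """Agent side of request-response: the Response copies the request-id so the
    manager can relate it to the right outstanding request."""
    return {"type": "Response", "request_id": request["request_id"], "value": 42}


def manager_get(channel, oid, request_id, max_retries=3):
    """Send a GetRequest, retransmit on timeout, accept only the Response whose
    request-id matches. Returns (value, attempts) or raises after max_retries."""
    for attempt in range(1, max_retries + 1):
        channel.send({"type": "GetRequest", "request_id": request_id, "oid": oid})
        req = channel.recv()                 # None: the request itself was lost
        if req is not None:
            channel.send(agent_answer(req))
        resp = channel.recv()                # None: the Response was lost (timeout)
        if resp is not None and resp["request_id"] == request_id:
            return resp["value"], attempt
    raise TimeoutError("no Response for request-id %d" % request_id)


def agent_notify(channel, kind, request_id, max_retries=3):
    """Trap: fire and forget, the agent never learns whether it arrived.
    InformRequest: the manager answers with a Response and the agent retransmits
    until it sees one. Returns (delivered, attempts)."""
    for attempt in range(1, max_retries + 1):
        channel.send({"type": kind, "request_id": request_id})
        got = channel.recv()
        if kind == "Trap":
            # Only the simulation knows whether the datagram survived; a real
            # agent has no feedback at all, which is the lost-notification problem.
            return got is not None, attempt
        if got is not None:
            channel.send({"type": "Response", "request_id": request_id})
            ack = channel.recv()
            if ack is not None and ack["request_id"] == request_id:
                return True, attempt
    return False, max_retries


if __name__ == "__main__":
    print(manager_get(LossyChannel(drop=[1]), "1.3.6.1.2.1.7.1.0", 7))
    print(agent_notify(LossyChannel(drop=[1]), "Trap", 1))
    print(agent_notify(LossyChannel(drop=[1]), "InformRequest", 2))
```

Dropping the first datagram makes the difference visible: the Trap is simply gone, while the InformRequest is delivered on the second attempt because the agent keeps resending until it is acknowledged.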
SNMP: message form
Version           SNMP protocol version
DestinationParty  Recipient identifier
SourceParty       Sender identifier
Context           Defines the set of MIB objects that the entity can obtain
PDU               Main content of the message, data from the MIB
Figure: the message consists of a header (the fields above) followed by the PDU (protocol data unit).
SNMP: request-response message type
RequestID         Integer     Number that relates a request with its response. The answering device copies it into the Response packet. It is also used for application-level control of received packets (SNMP uses the UDP transport protocol, which doesn't provide this!).
ErrorStatus       Integer     Error code which the agent returns in a Response packet. Value 0 means that there was no error; any other value defines a specific error.
challenge: look at the different types of errors
ErrorIndex        Integer     If there was an error, this value is the index of the object that caused the error.
VariableBindings  Variable    Name-value pairs that define objects and their values.
SNMP: notification message type
PDUType           Integer             Value that defines the type of message. Value 4/7 means notification (trap message).
Enterprise        Sequence of Integer Group identifier.
AgentAddress      NetworkAddress      IP address of the agent that generated the notification.
GenericTrapCode   Integer             General error code, from a predefined coding.
SpecificTrapCode  Integer             Specific error code (depends on the equipment manufacturer).
TimeStamp         TimeTicks           Time since the device was last initialized. Used for recording.
VariableBindings  Variable            Name-value pairs that define objects and their values.
SNMP versions
SNMPv1: defined in the late 80s; turned out to be too weak to implement all the necessary requirements (limited in the composition of the PDU).
SNMPv2: improved SNMPv1 in speed (added GetBulkRequest), security (but too complex an implementation) and communication between operators; RFC 1901, RFC 2578; uses SMIv2 (improved standard for structuring information).
SNMPv3: improved SNMPv2, added security mechanisms; enables cryptography, assures security, integrity and authentication; also uses SMIv2.
Security
Why is it important? SetRequest adjusts controlled devices. Can a request be sent at any time?
challenge: find 3 more examples of other possible SNMP abuses.
Security elements were only introduced in SNMPv3; the previous versions did not have them. SNMPv3 has built-in security based on user names.
challenge: read RFC 3414 and find information about which kinds of intrusion SNMPv3 provides protection against. How about Denial of Service attacks and eavesdropping on traffic?
SNMP: security mechanisms
1. encryption of packet content (PDU): DES is used (an exchange of keys is required prior to use),
2. integrity: a keyed hash of the message is used, with a key known to both sender and recipient. By checking the received hash value we have control over active message counterfeiting (forgery),
SNMP: security mechanisms
3. protection against repetition of already completed communication (replay attack): use of one-time tokens (nonces): the sender must encode the message according to the nonce defined by the receiver (this is usually the number of system start-ups and the time passed since the last start-up),
4. access control: access control based on user names. The user rights specify which users can read/change which information. User data is stored in the Local Configuration Datastore database, which also contains the SNMP controlled objects!
challenge: examine RFC 3415. What is the View-based Access Control Model Configuration MIB?
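As an added example (not from the slides), the following Python shows mechanisms 2 and 3 above as the SNMPv3 User-based Security Model specifies them in RFC 3414: the password-to-key derivation that localizes a user's key to one engine, the HMAC-96 integrity check computed with the authentication field zeroed, and the timeliness check on the engine boots/time pair that makes a replayed message worthless. The engine ID and passphrase are the inputs of the RFC 3414 Appendix A test vectors; the message bytes are constructed for the example, and encryption (mechanism 1) is left out.

```python
import hashlib
import hmac

TIME_WINDOW = 150  # RFC 3414 section 2.2.3: largest accepted clock difference, in seconds


def password_to_key(password: bytes, engine_id: bytes, hashname: str = "md5") -> bytes:
    """RFC 3414 A.2 password-to-key: repeat the passphrase to fill 1 MiB and hash
    it (Ku), then localize with the authoritative engine ID (Kul), so that a key
    recovered from one agent is not the key in use at another."""
    stretched = (password * (1048576 // len(password) + 1))[:1048576]
    ku = hashlib.new(hashname, stretched).digest()
    return hashlib.new(hashname, ku + engine_id + ku).digest()


def auth_param(localized_key: bytes, msg_with_zeroed_param: bytes, hashname: str = "md5") -> bytes:
    """HMAC-96 (RFC 3414 sections 6.3 and 7.3): HMAC over the whole message while
    the 12-byte msgAuthenticationParameters field holds zeros, truncated to 12 bytes."""
    return hmac.new(localized_key, msg_with_zeroed_param, hashname).digest()[:12]


def verify_auth(localized_key: bytes, msg: bytes, param_offset: int, hashname: str = "md5") -> bool:
    """Receiver side: zero the field in a copy, recompute, compare in constant time."""
    received = msg[param_offset:param_offset + 12]
    zeroed = msg[:param_offset] + bytes(12) + msg[param_offset + 12:]
    return hmac.compare_digest(received, auth_param(localized_key, zeroed, hashname))


def timely(auth_boots: int, auth_time: int, msg_boots: int, msg_time: int) -> bool:
    """Timeliness check at the authoritative engine (RFC 3414 section 3.2 step 7):
    the message's snmpEngineBoots must equal ours, the boots counter must not be
    exhausted, and snmpEngineTime must lie within TIME_WINDOW seconds of ours.
    A captured message therefore stops validating after a reboot or once the
    window has passed (the replay protection of mechanism 3)."""
    if auth_boots == 2147483647:
        return False
    if msg_boots != auth_boots:
        return False
    return abs(auth_time - msg_time) <= TIME_WINDOW


# RFC 3414 Appendix A test-vector inputs; the message bytes below are constructed.
ENGINE_ID = bytes.fromhex("000000000000000000000002")
PASSPHRASE = b"maplesyrup"


def demo() -> dict:
    key = password_to_key(PASSPHRASE, ENGINE_ID)
    header = b"<constructed SNMPv3 header bytes>"
    pdu = b"<constructed scoped PDU bytes>"
    unsigned = header + bytes(12) + pdu            # field zeroed while the tag is computed
    signed = header + auth_param(key, unsigned) + pdu
    forged = signed[:-1] + b"!"                    # one PDU byte changed in transit
    return {
        "localized_key": key.hex(),
        "auth_ok": verify_auth(key, signed, len(header)),
        "forgery_rejected": not verify_auth(key, forged, len(header)),
        "fresh_accepted": timely(5, 1000, 5, 900),
        "stale_time_rejected": not timely(5, 1000, 5, 800),
        "old_boots_rejected": not timely(6, 10, 5, 1000),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The localized key for the RFC's inputs ("maplesyrup", engine ID 00…02) is the published Appendix A value, which is a convenient self-check for any USM implementation; note that the hash is computed over the whole message, so the header fields carrying boots and time are covered by the integrity tag as well.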
Encoding PDU content
How to encode packet content so that it is understood on all platforms (different data types are of different lengths, big/little endian)?
We need a uniform encoding, or some presentation layer for this data. The ASN.1 standard, in addition to data types, also defines encoding standards. We will see that TLV notation is used for the presentation of this data.
    test.x = 256; test.code = 'a'
How to make this transfer?
Encoding PDU content
Figure (a similar problem): a teenager tells grandma "This is absolutely groovy!" and both react "Hmmm???". With a presentation service in between ("Pleasant!" on one side, "Straightforward, sweet!" and "Cool! This rocks!" on the other) both react "Aha!!!".
Presentation service: possible solutions
1. The sender takes into account the data form used by the recipient: it converts the data into the correct form for the recipient and only then sends it.
2. The sender sends data in its own form; the recipient converts it into its own form.
3. The sender converts into an independent form and then sends. The recipient transforms the independent form into its own.
challenge: what are the advantages and disadvantages of these three approaches?
ASN.1 uses the third solution (3), the independent form. BER rules are used when writing types (Basic Encoding Rules; the slide expands the acronym as Binary Encoding Rules). They define the recording of data according to the TLV principle (Type, Length, Value).
Example of BER encoding according to the TLV principle
Basic ASN.1 data types
Type               No.  Use
BOOLEAN            1    Model logical, two-state variable values
INTEGER            2    Model integer variable values
BIT STRING         3    Model binary data of arbitrary length
OCTET STRING       4    Model binary data whose length is a multiple of eight
NULL               5    Indicate effective absence of a sequence element
OBJECT IDENTIFIER  6    Name information objects
REAL               9    Model real variable values
ENUMERATED         10   Model values of variables with at least three states
CHARACTER STRING   *    Models values that are strings of characters from a specified character set
SNMP packet capture (figure)
SNMP program structure (figure)
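The following Python is an added example (not code from the slides) that applies the table above: it implements BER encoding and decoding in TLV form for INTEGER, OCTET STRING, NULL, OBJECT IDENTIFIER and SEQUENCE, encodes the earlier slide's record test.x = 256; test.code = 'a' as one SEQUENCE, and then builds and parses a complete SNMPv1 GetRequest message for udpInDatagrams, i.e. the message form and request-response fields described on the preceding pages. The tag numbers come from the table (SEQUENCE is 0x30, constructed); the PDU tag 0xA0 for GetRequest is the standard SNMPv1 value; the community string "public", the request-id and the ".0" instance suffix are constructed for the example.

```python
def encode_length(n: int) -> bytes:
    """Short form below 128; otherwise 0x80 | number of length octets, then the length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + encode_length(len(value)) + value


def encode_integer(i: int) -> bytes:
    """Two's complement in the fewest octets that hold the value: 256 -> 02 02 01 00."""
    n = 1
    while not -(1 << (8 * n - 1)) <= i < (1 << (8 * n - 1)):
        n += 1
    return tlv(0x02, i.to_bytes(n, "big", signed=True))


def encode_octet_string(b: bytes) -> bytes:
    return tlv(0x04, b)


def encode_null() -> bytes:
    return tlv(0x05, b"")


def encode_oid(text: str) -> bytes:
    """First two arcs packed as 40*a+b, the rest base-128 with a continuation bit."""
    arcs = [int(a) for a in text.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def encode_sequence(*items: bytes, tag: int = 0x30) -> bytes:
    return tlv(tag, b"".join(items))


def encode_test_record() -> bytes:
    """The slide's record test.x = 256; test.code = 'a' as SEQUENCE { INTEGER, OCTET STRING }."""
    return encode_sequence(encode_integer(256), encode_octet_string(b"a"))


def encode_get_request(community: bytes, oid: str, request_id: int) -> bytes:
    """SNMPv1 message: SEQUENCE { version INTEGER 0, community OCTET STRING, GetRequest-PDU }.
    The PDU carries request-id, error-status, error-index and the variable bindings."""
    pdu = encode_sequence(
        encode_integer(request_id),
        encode_integer(0),                                        # error-status: noError
        encode_integer(0),                                        # error-index
        encode_sequence(encode_sequence(encode_oid(oid), encode_null())),  # VarBindList
        tag=0xA0)                                                 # context tag 0 = GetRequest
    return encode_sequence(encode_integer(0), encode_octet_string(community), pdu)


def decode_tlv(buf: bytes, pos: int = 0):
    """Returns (tag, value bytes, position after this element); handles both length forms."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_integer(value: bytes) -> int:
    return int.from_bytes(value, "big", signed=True)


def decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_get_request(msg: bytes):
    """Walks the nesting back out: returns (version, community, request-id, first OID)."""
    _, body, _ = decode_tlv(msg)                  # outer SEQUENCE
    _, ver, p = decode_tlv(body)
    _, comm, p = decode_tlv(body, p)
    tag, pdu, _ = decode_tlv(body, p)
    if tag != 0xA0:
        raise ValueError("not a GetRequest PDU, tag 0x%02x" % tag)
    _, rid, q = decode_tlv(pdu)
    _, _, q = decode_tlv(pdu, q)                  # error-status
    _, _, q = decode_tlv(pdu, q)                  # error-index
    _, vbl, _ = decode_tlv(pdu, q)
    _, vb, _ = decode_tlv(vbl)
    _, oid, _ = decode_tlv(vb)
    return decode_integer(ver), comm.decode(), decode_integer(rid), decode_oid(oid)


if __name__ == "__main__":
    print(encode_test_record().hex())             # 30 07 02 02 01 00 04 01 61
    msg = encode_get_request(b"public", "1.3.6.1.2.1.7.1.0", 1)
    print(msg.hex(), parse_get_request(msg))
```

The record from the slide becomes 30 07 02 02 01 00 04 01 61: a SEQUENCE of seven content octets holding the two-octet INTEGER 256 and the one-octet OCTET STRING 'a', which any platform can decode regardless of its own integer width or byte order.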
Alternative boutique solutions
1. XML & SOAP (application level): XML enables a graphic and hierarchical way of encoding the data which represents the elements and content of controlled objects in the network. SOAP is a simple protocol that enables the exchange of XML documents in the network.
+ easy reading and understanding of the content on the receiver side,
– large overhead compared to binary data encoding.
2. CORBA (Common Object Request Broker Architecture) (application level): an architecture that defines the interoperability of objects written in different programming languages and running on different architectures.
Figure: a combination of protocols!
Event-driven monitoring
RMON (Remote Monitoring) (additional mechanism): classical SNMP controls the network from a control station. RMON collects and analyses measurements locally and sends the results to a remote control station. It has its own MIB with extensions for different media types.
+ every RMON agent is responsible for local control; sending already completed analyses reduces SNMP traffic between sub-networks; it isn't necessary that agents are always visible from the central control system's side,
– a longer establishment and installation time of the system is required.
Homework
Assignment for additional points with the homework:
Read RFC 789, which describes a well-known ARPAnet network failure that happened in 1980. How could the network failure have been avoided, or its recovery time improved, if the network administrators had had today's tools for network management and control at their disposal?
Next time we are moving on!
traffic for applications in real time!