Simple Network Management Protocol (SNMP)

• SNMP v1 (RFC 1157) • UDP Port 161• Operation supported by SNMP– Get: retrieves a scalar object value – Set: updates a scalar object value– Trap: sends an unsolicited scalar object value

Aspects of SNMP

• 3 aspects to control between SNMP managers and agents– Authentication – limit access to the MIB to the

authorized managed stations– Access control – the managed station may wish to

give different access privileges to different management stations

– Proxy Service – a managed station may act as a proxy to other managed stations

Community (1)

• The community concept is a local one defined at the managed system (device)

• The agent may establish a number of communities with overlapping management station membership

• Each community is given a unique community name – The management station must employ the

community name in all get/set operation

Authentication Service

• RFC 1157 SNMP provides for only a trivial scheme for authentication

• Use community name as a password for get/set operation

• SET operation is sensitive area • Improved in SNMP v3

Access Policy (1)

• The agent can provide different categories of MIB access to different management stations.– SNMP MIB view – a subset of the objects within a

MIB ,different MIB views may be defined for each community

– SNMP access mode – an element of the set { READ-ONLY,READ-WRITE}

• Community profile is the combination of a MIB view and access mode

Access Policy (2)

Proxy service

• SNMP agent can act as on behalf of other devices – Typically, other devices are foreign (do not

support TCP/IP and SNMP)– In some case, the proxied system may support

SNMP but the proxy is used to minimize the interaction between the proxied device and network management system

Region #3 work as Proxy agent

Administrative concepts

Lexicographical Ordering (1)

• The management station can access objects without specifying them by name– It can supply object instance identifier and ask for

the next object in the ordering

• Preorder traversal– Visit the root– Traverse the subtrees from left to right

• Fig7-8

Lexicographical Ordering (2)

Fig 7-2

• Table 7.5

Protocol specification – SNMP format

• Fig7-3

• Table 7.6

Transmission of SNMP Message (1)

1 PDU is constructed using ASN.1 structure defined in RFC1157

2 This PDU is then passed to an authentication service together with the source and destination transport address and a community name– Perform any required transformations (encryption

or inclusion of an authentication code and returns the result)

Transmission of SNMP Message (2)

3 Construct the message consisting of a version field and community name and the result from step2

4 This object is then encoded using basic encoding rule (BER) and passed to the transport service

Receipt of an SNMP message

1 Basic syntax-check of the message and discards the message if fails

2 Verify the version number , discard if mismatch3 authentication check– If fails generate a trap and discard the message

4 syntax-check of PDU – If mismatch, discard the PDU– If match, SNMP access policy is selected and process

accordingly

Variable Binding (1)

• To group same type of operation in a single message – Get more than one instance of objects within a single

response

• SNMP PDU include a “variablebindings“ field • This field consists of a sequence of references to

object instances together with the value of those objects.

Variable Binding (2)

SNMP PDU Sequences

• Fig 7.5

GetRequest (1)

• The response is either all values are retrieved or none– If the responding entity can provide for all values, they are

included in variablebinding field in GetResponse PDU– If not, no value are returned– Change to be not atomic operation in SNMPv2

• The following error conditions can occur– 1 if object named in the variablebinding not match , return

error-status of noSuchName and a value in the error-index

GetRequest (2)

• 2 the resulting PDU exceed a local limitation (up to configrution), return error-status of tooBig

• 3 if cannot supply at least one of the objects ,return error-status of genErr and a value in the error-index

GetRequest (3)

• Basically, SNMP does not allow to retrieve entire row of the entry by referencing the entry object

• It can be done by using variablebindings list.– GetRequest (IpRouteDest.9.1.2.3,

IpRouteMetric1.9.1.2.3, IpRouteNexthop.9.1.2.3)

GetNextRequest (1)

• Same PDU exchange pattern and same format as GetRequest PDU

• Only difference is the returned value is the value of the next object in lexicographical order

GetNextRequest (2)

• Fig 8-1

Navigation (walk) of a MIB in GetNextNavigation (walk) of a MIB in GetNextRequest)Request)

GetNextRequest (3)

GetNextRequest (4)

• Example - to retrieve data from instance of scalar objects in udp group

• GetRequest(udpInDatagrams.0,udpNoPorts.0,udpInerrors.0,udpOutDatagrams.0)

• GetResponse((udpInDatagrams.0=100),(udpNoPorts.0=1),(udpInerrors.0=2),(udpOutDatagrams.0=200))

GetNextRequest (5)

• GetNextRequest(udpInDatagrams,udpNoPorts,udpInerrors,udpOutDatagrams)

• The next instance of udpInDatagrams is udpDatagrams.0 ,so

• GetResponse((udpInDatagrams.0=100),(udpNoPorts.0=1),(udpInerrors.0=2),

(udpOutDatagrams.0=200))

GetNextRequest (6)- Accessing Table Values

• GetNextRequest (ipRouteDest,ipRouteMetric1,ipRouteNextHop)

• GetResponse ((ipRouteDest.9.1.2.3=9.1.2.3),(ipRouteMetric1.9.1.2.3=3),(ipRouteNextHop.9.1.2.3=99.0.0.3))

GetNextRequest (7)

• Retrieve the second row• GetNextRequest

(ipRouteDest.9.1.2.3,ipRouteMetric1.9.1.2.3,ipRouteNextHop.9.1.2.3)

• GetResponse ((ipRouteDest.10.0.0.51=10.0.0.51),(ipRouteMetric10.0.0.51=5),(ipRouteNextHop.10.0.0.51=89.1.1.42))

Row-by row navigation of a MIB with GET-NEXT

• Fig 8-2

SetRequest (1)

• Agent responds to SetRequest PDU with a GetResponse PDU containing the same request-id

• Atomic operation as same as GetRequest– Do all or none– Change to be not atomic operation in SNMPv2

SetRequest (2)

• Updating table– For the existing table• SetRequest (ipRouteMetric1.9.1.2.3 = 9)• GetResponse (ipRouteMetric1.9.1.2.3 =9)

– Add new row• SetRequest

(ipRouteDest.11.3.3.12=11.3.3.12,ipRouteMetric1.11.3.3.12=9,ipRouteNextHop.11.3.3.12=91.0.0.5)

SetRequest (3) - Problems

• The value of ipRouteDest is the index value still unknown to the agent

• RFC1212 indicate 3 ways to handle1 the agent could reject operation and return error-

status of noSuchName2 the agent could accept operation but return error-

status of badValue3 the agent could accept the operation and create a

new row

SetRequest (3)

• Row deletion– SetRequest (ipRouteType.7.3.5.3 = invalid)– GetResponse (ipRouteDest.7.3.5.3 = invalid)

• Performing an Action – an object can be used to represent a command so that a specific action is taken if the object is set to a specific value– Example : a reBoot obect – initial value is 0 if a

management station set the object value to 1 the agent system reboots and resets th object value to 0

– Ping/Trace Route/Look up Operation MIB (RFC2925)

SetRequest (4)-Deleting/Nullifying Row in MIB-2 Tables

• table7.8

SetRequest (5)

• Fig 8-3

Ping MIB operationPing MIB operation

SetRequest (5)

Ping object in MIB Ping object in MIB

TRAP (1)

• It is used to provide management station with notification of some significant events

• PDU fields– PDU Type : Trap PDU– Enterprise: identifiy the system that generated the

trap (sysObjectID)– Agent-addr: IP address of the object generating the

trap

TRAP (2)

– Generic-trap: predefined trap types– Specific-trap: more specifically the nature of the

trap– Time-stamp: the time that issued the trap

(sysUptime when the trap is generated)– Variablebindings : addition information relating to

the trap (implementation-specific)

TRAP (3)• Who is emitting the trap– enterprise field: value is taken from sysObjectID– address field: IP address

• What occurred– Generic–trap field/Specific-trap field:

• When it occurred– time-stamp field: time between the last initialization and

he generation of the trap• Additional information– variablebindings field:

Trap (4)

• Generic-trap– coldStart (0): unexpected restart due to a crash or

major fault– warmStart(1): routine restart– linkDown(2): signal failure in one of communication

links of the agent (the first element in the variablebindings field is the name and value of the ifIndex instance for the referenced interface)

Trap (5)

• Generic-trap (cont’)– linkUp(3): signal that one of the communication links of

the agent has come up (the first element in the variablebindings field is the name and value of the ifIndex instance for the referenced interface)

– authenticationFailure (4): receive a protocol message that has failed authentication

– egpNeighborLoss(5): EGP neighbor has been mark downed and the peer relationship no longer exists

– enterpriseSpecific(6): specific for enterprise

Transport level support

• Connectionless Transport Service– UDP(TCP/IP) Port 161– CLTS (OSI)

• The management application has to deal with the loss of message– Time out– Periodic query * Loss of Trap message is difficult to detect

Polling Frequency

• N <= T/∆• N = number of agents• T = desired polling interval• ∆ = average time to perform a single poll– Network delay – Processing time

Limitation of SNMP(1)

• SNMP may not be suitable for the truly large network– Results in large volumes of routine messages

• SNMP is not well suited for retrieving large volume of data (limited by size of PDU)

• SNMP traps are unacknowledged, so the critical message can not be sure that it arrive

• SNMP provide only trivial authentication, better for monitoring than control

Limitation of SNMP(2)

• SNMP does not support imperative command, indirect way to command the agent through SET operation

• SNMP does not readily support application to query based on object values or types

• SNMP does not support manager-to manager communication

* Many of these deficiencies are addressed in SNMP v2

SNMP Group (1)

• Under MIB-II Node

SNMP Group (2)

SNMP Group (3)