Simple Network Management Protocol SNMP

1
Simple Network Management Protocol(SNMP)

• J. Won-Ki Hong
• Dept. of Computer Science and Engineering
• POSTECH
• Tel 054-279-2244
• Email jwkhong_at_postech.ac.kr

2
Table of Contents

• SNMP Operations
• Protocol Specification
• Transport-Level Support
• Limitations of SNMPv1

3
SNMP Operations

• Operations supported in SNMP are the inspection
  and modification of variables
• GET operation
• retrieves management information (values of
  scalar objects)
• SET operation
• updates management information (values on scalar
  objects)
• TRAP operation
• sends unsolicited scalar object values to notify
  problems

4
SNMP Operations (contd)

• Not possible to change the structure of a MIB
• cannot add or delete object instances
• No explicit action is supported
• Access is provided only to leaf objects in the
  MIB tree
• not possible to access an entire table or a row
  of a table with a single atomic action
• These simplify the implementation of SNMP but
  limit the capability of the NMS

5
SNMP Security Concepts

• Authentication service
• agent may wish to limit access to the MIB to
  authorized managers
• Access policy
• agent may wish to give different access
  privileges to different managers
• Proxy service
• agent may act as a proxy to other managed devices
• this may require authentication service and
  access policy for other managed devices on the
  proxy
• SNMP provides only a primitive and limited
  security capability via the concept of community

6
SNMP Community

• is a relationship between an agent and a set of
  managers that defines authentication, access
  control proxy characteristics
• a community is locally defined by the agent
• each community is given a unique community name
• an agent may establish a number of communities
• the community name is needed for all get and set
  operations
• the same community name may be used by different
  agents
• SNMP authentication service
• every SNMP message from a manager includes a
  community name (used as a password) --- very
  primitive
• most agents only allow GET operations

7
SNMP Community (contd)

• SNMP Access Policy
• an agent can provide different categories of MIB
  access using the following concepts SNMP MIB
  View Access Mode
• SNMP MIB View
• a subset of objects within a MIB
• different MIB views may be defined for each
  community
• the set of objects in a view need not belong to a
  single subtree
• SNMP Access Mode
• an access mode READ-ONLY, READ-WRITE is defined
  for each community
• the access mode is applied uniformly to all
  objects in the MIB view
• SNMP Community Profile
• a combination of a MIB view and an access mode

8
MIB ACCESS Category vs. SNMP Access Mode
9
SNMP Administrative Concepts
10
Object Instance Identification

• SNMP defines two techniques for identifying a
  specific object instance
• Serial access technique (via lexicographic
  ordering of objects)
• Random access technique
• Random access technique
• objects in MIB tables are referred to as columnar
  objects
• the object identifier is not sufficient to
  identify the instance
• SNMP convention
• concatenate the scalar object identifier with the
  values of INDEX objects, listed in the order
  which the INDEX objects are defined
• see the example in Table 7.2 on page 169

11
Lexicographical Ordering

• is used for accessing MIB objects serially
• given the tree structure of a MIB, the OID for a
  particular object may be derived by tracing a
  path from the root to the object
• lexicographical ordering is also referred to as
• preorder traversal (root, left, right) of a tree
• depth-first search
• useful for examining MIBs whose structure is not
  known to NMS

12
Lexicographical OrderingExample
13
Protocol SpecificationSNMP Message Formats

• SNMP manager and agent exchange requests and
  management information using SNMP messages
• SNMP message includes a version number (e.g., 0
  for SNMPv1, 1 for SNMPv2), a community name and
  one of five types of protocol data units (PDUs)
• PDU Types GetRequest, GetNext-Request,
  SetRequest, GetResponse, Trap

14
SNMP Message Formats
SNMP PDU
Version
Community
(a) SNMP message
variablebindings
0
0
request id
PDU type
(b) GetRequest PDU, GetNextRequest PDU, and
SetRequest PDU
variablebindings
error index
error status
request id
PDU type
(c) GetResponse PDU
variablebindings
time stamp
specific trap
generic trap
agent addr
enter- prise
PDU type
(d) Trap PDU
valueN
nameN
. . .
value2
name2
value1
name1
(e) variablebindings
15
SNMP Message Fields
16
SNMP Message Fields (contd)
17
Transmission of SNMP Message

• 1. The PDU is constructed using ASN.1
• 2. This PDU is passed to an authentication
  service with a community name and source
  destination transport addresses passed
• the authentication service performs any required
  transformations such as encryption or the
  inclusion of an authentication code
• 3. The protocol entity then constructs a message,
  consisting of a version field, the community
  name, and the result from step 2
• 4. This new ASN.1 object is then encoded using
  BER and passed to the transport service

18
Receipt of SNMP Message

• 1. The SNMP entity performs basic syntax-check of
  the message and discards it if it fails to parse
• 2. It verifies the version number and discards it
  if there is a mismatch
• 3. It then passes the community name, the PDU
  portion of the message and the source/destination
  transport address to an authentication service
• if authentication fails, the message is discarded
• if authentication succeeds, the authentication
  service returns a PDU in the form of an ASN.1
  object
• 4. If the PDU passes a basic syntax-check, the
  appropriate SNMP access policy is selected and
  the PDU is processed accordingly

19
SNMP PDU Sequences
20
GetRequest PDU

• is issued by an SNMP manager on behalf of NMS to
  retrieve information from an agent
• includes PDU type, request-id variablebindings
• GetResponse PDU containing the same request-id is
  used for the reply
• operation is atomic (all values are returned or
  none is)
• possible error-status
• noSuchName object instance cannot be found or it
  is an aggregate type
• tooBig the size of resulting values exceed a
  local limitation
• genErr may not be able to supply a value for at
  least one of the objects for some other reason

21
GetNextRequest PDU

• is also issued by an SNMP manager on behalf of
  NMS to retrieve information from an agent
• the PDU is the same as GetRequest PDU except
• In the GetRequest PDU, each variable in the
  variablebindings list refers to an object
  instance whose value is to be returned
• In the GetNextRequest PDU, for each variable in
  the variablebindings, the value of the object
  instance that is next in lexicographic order is
  returned
• allows NMS to discover the structure of a MIB
  view dynamically
• provides an efficient mechanism for searching a
  table whose entries are unknown

22
SetRequest PDU

• is issued by an SNMP manager on behalf of NMS to
  modify information in an agent
• the operation is also atomic
• if any one of the values cant be set, then the
  whole operation fails
• GetResponse PDU containing the same request-id is
  used for the reply
• if the operation succeeds, a GetResponse PDU is
  returned with the same variablebindings as in the
  original SetRequest PDU
• possible error-status
• noSuchName, tooBig, genErr plus
• badValue PDU contains at least one pair of
  variable name and value that is inconsistent

23
Trap PDU

• is issued by an SNMP agent to notify NMS of some
  significant event
• Trap PDU does not require a response and is not
  acknowledged ? can get lost
• Generic Trap types
• coldStart (0) unexpected restart due to a crash
  or major fault
• warmStart (1) routine restart
• linkDown (2) a communication link is
  inoperational
• linkUp (3) the link is back in operation
• authenticationFailure (4) received
  authentication-failed message
• egpNeighborLoss (5) EGP neighbor is down
• enterpriseSpecific (6) some enterprise-specific
  event occurred

24
Transport-Level Support

• SNMP requires the use of a transport service for
  the delivery of SNMP messages.
• SNMP makes no assumption about whether the
  underlying service is reliable or unreliable,
  connectionless or connection-oriented
• Most SNMP implementations use UDP
• It is possible to use CLTS
• UDP
• Unreliable, connectionless transport service in
  Internet
• CLTS
• Unreliable, connectionless transport service in
  the OSI architecture

25
Issues in using UDP

• Since UDP provides unreliable transport service,
  SNMP messages can get lost
• What happens if a GetRequest or GetNextRequest
  message is lost?
• What happens if a SetRequest message is lost?
• What happens if a Trap message is lost?

26
Limitations of SNMP

• SNMP may not be suitable for the mgmt of truly
  large networks because of the performance
  limitations of polling
• SNMP is not well suited for retrieving large
  volumes of data, such as an entire routing table
• SNMP traps are unacknowledged may not be
  delivered
• SNMP provides only trivial authentication
• SNMP does not support explict actions
• SNMP MIB model is limited (does not support mgmt
  queries based on object types or values)
• SNMP does not support manager-to-manager
  communications
• Many of these problems are addressed in SNMPv2!

27
READING

• Read Chapter 7 of Stallings