1 / 38

Management Architecture and Standards II

Management Architecture and Standards II. IACT 418 IACT 918 Corporate Network Planning Gene Awyzio Spring 2001. SNMP - the Management Protocol Used for TCP/IP.  SNMP includes the following key capabilities: Get Set Trap The standards do not specify The number of management stations

kato-cook
Download Presentation

Management Architecture and Standards II

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Management Architecture and Standards II IACT 418 IACT 918Corporate Network Planning Gene Awyzio Spring 2001

  2. SNMP - the Management Protocol Used for TCP/IP •  SNMP includes the following key capabilities: • Get • Set • Trap • The standards do not specify • The number of management stations • The ratio of management stations to agents

  3. SNMP - the Management Protocol Used for TCP/IP • In general, it is prudent to have at least two systems capable of performing the management station functions • As SNMP is simple it can handle many agents • SNMP is designed to be an application-level protocol that is part of the TCP/IP protocol suite which operates over the user datagram protocol (UDP)

  4. SNMP - the Management Protocol Used for TCP/IP

  5. SNMP - the Management Protocol Used for TCP/IP

  6. SNMP - the Management Protocol Used for TCP/IP • From a management station, three types of SNMP messages are issued on behalf of a management application: • GetRequest • GetNextRequest • SetRequest

  7. SNMP - the Management Protocol Used for TCP/IP • The first two are two variations of the get function • All three messages are acknowledged by the agent in the form of a GetResponse message, which is passed up to the management application

  8. SNMP - the Management Protocol Used for TCP/IP • An agent may issue a trap message in response to an event that affects the MIB and the underlying managed resources - this is received by the manager • SNMP relies on UDP, which is connectionless so SNMP is itself connectionless ie each exchange is a separate transaction between a management station and an agent

  9. Trap - Directed Polling • Preferred strategy is: • A management station can poll all of the agents it knows for some key information • Once the baseline is established, the management station refrains from polling • Each agent is responsible for notifying the management station of any unusual event

  10. Trap - Directed Polling • These events are communicated in SNMP messages known as traps • Once a management station is alerted to an exception condition, it chooses to take the appropriate action

  11. Trap - Directed Polling • Trap-directed polling can result in substantial savings of • Network capacity • Agent processing time • Reduces unnecessary polling of agents by managers thus reducing management induced network traffic

  12. Limitations of SNMP • SNMP may not be suitable for the management of very large networks • Each agent needs to be polled and generates trap traffic • SNMP is not suited to retrieving large volumes of data such as a entire routing table • SNMP traps are unacknowledged meaning the agent generating the trap does not know if the manager received it

  13. Limitations of SNMP • Basic SNMP standard only provides trivial authentication • SNMP does not directly support imperative commands with parameters, conditions, status and results

  14. Limitations of SNMP • SNMP MIB model is limited not supporting sophisticated management queries based on object values or types • SNMP does not support manager to manager communications ie no mechanism for one manager to find out about another network managers, managed network elements

  15. SNMPv2 :1991/1992 • Networks grow larger and larger • SNMPv1 became more and more inadequate • OSI implementations and standardization were still not ready • Network managers recognised this, so the call went out for an extension to SNMP • in the mean time till OSI’s CMIP became available

  16. SNMPv2 :1991/1992 • One major flaw • SNMPv1 did not have any security facilities • For this reason SNMPv1 network human managers often disabled the ‘set’ PDU crippling the network management facility

  17. Adding Security • To address this problem a set of RFC’s called ‘secure SNMP’ was issued as proposed in July 1992 • secure SNMP did not address other deficiencies related to performance and functionality of SNMPv1 • SMP was also issued in July 1992 as a set of 8 documents, they were not RFC’s • They constituted a private proposal to the internet community to upgrade SNMPv1

  18. SMP • The proposed extensions defined in SMP fell into three categories • Scope • Size, speed, and efficiency • Security and privacy

  19. SMP and Secure SNMP • The ‘Internet community’ came to the consensus that there should be a second generation SNMP that would • include both security and functional enhancements • enable users and vendors to make a smooth transition from SNMPv1 to what becomes known as SNMPv2

  20. Adding Security • Two working groups were formed: • one for security aspects • one for all other aspects such as protocol and management information • Work began in October 1992 to be completed March 1993, but was completed by end of 1992

  21. Adding Security • The work of the two groups was combined and published as proposed internet standards in March 1993 • SNMPv2 was revised in 1996 by an IETF task Force • New RFC’s contained no security! • The rest of the standard experienced minor changes

  22. Community • The standard SNMPv2 makes use of the SNMPv1 message wrapper, with its use of the community concept • This “administrative framework” for SNMPv2 is termed “community based snmpv2” or SNMPv2c

  23. Community • In SNMPv1 an SNMP community is a relationship between • A SNMP agent • A set of SNMP managers • That defines authentication, access control, and proxy characteristics

  24. Community • In SNMPv1 • Communities are defined locally within the agent • Each community is given a unique (within the agent) community name • The management station must keep track of and store all the community names of each of its managed agents • The management stations within the community are provided with and must use this community name in all set and get operations with this agent • There is no reason why the same name may not be used by different agents - as the agent uses this name locally

  25. Community • The SNMPv2 message is wrapped with a PDU in a SNMPv1 format • including a version number • A community name

  26. What Happened to the Security? • Little enthusiasm among vendors and users for the way in which security was specified in the 1993 documents • When the work began on the 1996 documents, it was hoped that some minor tune-ups to the security portion would suffice • As the effort was nearing completion it was shown that the security portion of snmpv2 was fatally flawed!

  27. What Happened to the Security? • To make a long story short, there was an extension of the deadline for completing the new snmpv2 documents to allow time for a new consensus to develop on a new security specification • Deadlock occurred • No consensus reached • Time ran out • Then the plug was pulled on the process and the new snmpv2 was issued without security enhancements

  28. What Happened to the Security? • This decision had the advantage of solidifying the specification of the many functional enhancements found in snmpv2, but leads onto the need for another version of SNMP (version 3)

  29. Standards

  30. SNMPv2 Enhancements • An overall change implemented in SNMPv2 is that it can support either a highly centralized network management strategy or a distributed one • For distributed some systems can operate as both a manager and a agent

  31. SNMPv2 Enhancements • For a system acting in dual modes of agent and manager it: • accepts commands from a superior management system • it can also issue trap messages to the superior manager

  32. SNMPv2 Enhancements • The key enhancements to SNMP that are provided in SNMPv2 fall into the following categories: • Structure of management information (SMI) • Manager-to-manager capability • Protocol operations

  33. SNMPv2 Protocol operations enhancements (over SNMPv1) • The most noticeable change in protocol operations is the inclusion of two new PDUs: • GetBulkRequest PDU : enables the manager to retrieve large blocks of data efficiently --- it is well suited to retrieving multiple rows in a table eg routing table. • InformRequest PDU : enables one manager to send trap type of information to another manager.

  34. SNMPv1 and SNMPv2 coexistence • SNMPv2 was designed to co-exist with SNMPv1 • This involved two areas of the standards: • management information • protocol operations • protocol operations • Two approaches are described in the standard: • use of proxy agents • use of bilingual managers

  35. For the proxy agent:

  36. For the proxy agent: • The main point here is that GetBulkRequest is converted to a GetNextRequest with only the first “row” of the table or variables being accessible (but the device is SNMPv1 enabled so its expecting that this is the norm)

  37. For the bilingual manager:

  38. For the bilingual manager: • This setup requires the manager to be able to handle both protocols and manager SNMPv1 and SNMPv2 agents • While SNMPv2 provided enhancements in functionality, especially in the manager to manager functions, the lack of security still inhibits the secure use of SNMP on managed networks.

More Related