Académique Documents
Professionnel Documents
Culture Documents
The Simple Network Management Protocol (SNMP) is an application layer protocol that facilitates the
exchange of management information between network devices. It is part of the Transmission Control
Protocol/Internet Protocol (TCP/IP) protocol suite. SNMP enables network administrators to manage
network performance, find and solve network problems, and plan for network growth. SNMPv1 is a
simple request/response protocol. In the SNMPv1 framework, the network-management system
installed a request, and managed devices return responses.
(A) SNMP Basic Components
An SNMP-managed network consists of three key components: managed devices, agents, and network
management systems (NMSs).
A managed device is a network node that contains an SNMP agent and that resides on a managed
network. Managed devices collect and store management information and make this information
available to NMSs using SNMP. Managed devices, sometimes called network elements, can be routers
and access servers, switches and bridges, hubs, computer hosts, or printers.
An agent is a network-management software module that resides in a managed device. An agent has
local knowledge of management information and translates that information into a form compatible
with SNMP.
An NMS executes applications that monitor and control managed devices. NMSs provide the bulk of
the processing and memory resources required for network management. One or more NMSs must
exist on any managed network. Figure 1.1 illustrates the relationships of these three components.
Figure 1.1 An SNMP-Managed Network Consists of Managed Devices, Agents, and NMSs
(B)SNMP Basic Commands
:
Managed devices are monitored and controlled using four basic SNMP commands: read, write, trap,
and traversal operations.
The read command is used by an NMS to monitor managed devices. The NMS examines different
variables that are maintained by managed devices.
The write command is used by an NMS to control managed devices. The NMS changes the values of
variables stored within managed devices.
The trap command is used by managed devices to asynchronously report events to the NMS. When
certain types of events occur, a managed device sends a trap to the NMS.
Traversal operations are used by the NMS to determine which variables a managed device supports
and to sequentially gather information in variable tables, such as a routing table.
(C)SNMP Architecture
The SNMP architecture is illustrated in the figure 1.2 below. The figure identifies two major roles
(Manager and Agent) and two communication channels (UDP port 161 and UDP port 162).
SNMP managers can be anything from monolithic GUI based management frameworks to
individual console applications that communicate over network using SNMPv1 protocol. There
are also specific trap listeners for logging and dispatching incoming trap event messages.
SNMP agents can either work alone or with sub-agents. When sub-agents are present, the agent
that listens for SNMPv1 requests from managers is called a master agent. The master agent
forwards a received request to corresponding sub-agents. This communication may be done
using a special sub-agent protocol. If the sub-agent does not respond directly to the requester,
then the master agent may be involved in converting the response into SNMPv1 and delivering
it to the manager. The master agent may be completely transparent to the manager.
"A master agent provides access to SNMP variables that may be provided by one or more
subagents. The master agent usually uses a subagent protocol (AgentX, DPI, SMUX,
EMANATE, ...) to interact with the subagents. One of the key features of such an extensible
agent is that it is complete transparent to the manager."
A SNMP proxy agent is an element capable of acting as gateway to the other management
agents. Proxies could be used to map different management protocols and to pass through an
application level firewall.
"The current definition of a proxy SNMP agent is an agent which acts like a gateway to other
SNMP agents. This can be useful in order to pass firewalls or to map SNMP protocol versions.
Such a proxy is however not transparent to the manager since the manager usually has to
select special parameters to address the target agent through the proxy."
Figure 1.5 The MIB Tree Illustrates the Various Hierarchies Assigned by Different Organizations
:
Figure 1.6 SNMPv1 Get, GetNext, Response, and Set PDUs Contain the Same Fields
PDU typeSpecifies the type of PDU transmitted.
Request IDAssociates SNMP requests with responses.
Error statusIndicates one of a number of errors and error types. Only the response operation sets
this field. Other operations set this field to zero.
Error indexAssociates an error with a particular object instance. Only the response operation sets
this field. Other operations set this field to zero.
Variable bindingsServes as the data field of the SNMPv1 PDU. Each variable binding associates a
particular object instance with its current value (with the exception of Get and GetNext requests, for
which the value is ignored).
Trap PDU Format
Figure 1.7 illustrates the fields of the SNMPv1 Trap PDU.
one, and many-to-many communication links between managers and agents, the basic authentication
scheme and the access policy have been specified in SNMP. Figure 1.8 shows the authentication
scheme, which is a filter module in the manager and in the agent.
an Internet model, but can be managed by a proxy agent and integrated into the overall management
system.
Error status- Indicates one of a number of errors and error types. Only the response operation
sets this field. Other operations set this field to zero.
Error index- Associates an error with a particular object instance. Only the response operation
sets this field. Other operations set this field to zero.
Variable bindings- Serves as the data field of the SNMPv1 PDU. Each variable binding
associates a particular object instance with its current value (with the exception of Get and
GetNext requests, for which the value is ignored).
Generic trap type -- Field describing the event being reported. The following seven values are
defined:
Specific trap type -- Used to identify a non-generic trap when the Generic Trap Type is
enterprise specific.
Timestamp -- Value of the sysUpTime object, representing the amount of time elapsed
between the last (re-)initialization and the generation of that Trap.
of multiple network managers working together has appeared. SNMPv1 did not have provisions for
two network managers to exchange messages specifically between managers (instead, it provided
manager/agent messages). Figure 2.1 illustrates the new capability provided by SNMPv2, with two
managers sharing responsibility for managing the SNMP agent. Just as a manger can exchange
information with the agent (who is under the control of the manager), so also can a manager exchange
information with a partner manager to coordinate management of the agent. A new SNMP message
informrequest provides the means for one manager to request information from another manager, just
as the get-request provides the means for a manager to request information from an agent.
AnSNMPv2-trap event, known as trap in version 1, is generated and transmitted by agent process
when an exceptional situation occurs. The destination to which it is sent implementation-dependent.
The PDU structure has been modified to be consistent with other PDUs.
(C) SNMPv2 Structure of Management Information
There several changes to SMI in version 2, as well as enhancements to SMlv2 over of SMlvl. As stated
earlier, the SMIv2 [RFC 1902], is divided into three parts: module definitions, object definitions, and
notification definitions. The module definitions describe the semantics of an information module and
are formally defined by an ASN.1 macro, MODULE-ENTITY. Object definitions are used to describe
managed objects. The OBJECT-TYPE macro is used to define managed objects. Notification is
specified by an ASN.1 macro, NOTIFICATION-TYPE, and conveys both its syntax and semantics.
Basic Augmentation of Table
Figure 1a shows a table in SNMPv2. Column C1 contains the index specifying the row of the table. If
you want to read the information in the second row (say with index-1 = 127.128.129.130), you would
use the value of this index 127.128.129.130 rather than the numerical number of the row. Next, assume
(e.g., as manufacturer of the network element or as the manager of the system) that you want to add
additional information to (i.e., you want to augment) each of the rows in Figure 1a to have the 7
column table in Figure 1b. To make such changes, you would need to rewrite the definitions of this
table (respecifying the columns of the table entry) - and you do not want to do this. SNMPv2 provides
a means of augmenting the table with the "AUGMENT" construct. Figure 1c shows conceptually one
way to do this - illustrated visually with the new "Augment" column containing an arrow pointing to a
new column to add. We would call the new column Table 2. Conceptually, Figure 1d shows the
augmenting as an addition of a row with multiple elements within the rightmost column of Figure 1d.
This is intended to illustrate that the index for the first row remains index-1 for the new row of
instances extending Table 1 in Figure 1a. This would be done by defining a new table (Table 2) and,
when defining the row entries, adding a statement "AUGMENTS {Table 1}." Figure 1e shows the final
result, namely two tables sharing a common index to define the rows of each. Here, the work
"Augments" has been removed from the individual rows and shown only for the column labels,
reflecting the fact that the "AUGMENT" statement is associated with the general row definition, not
any specific row.
SNMPv2 message headers contain two fields: Version Number and Community Name.
Version numberspecifies the version of SNMP that is being used.
Community namedefines an access environment for a group of NMSs. NMSs within the
community are said to exist within the same administrative domain. Community names serve as a
weak form of authentication because devices that do not know the proper community name are
precluded from SNMP operations.
SNMPv2 Protocol Data Unit
SNMPv2 specifies two PDU formats, depending on the SNMP protocol operation. SNMPv2 PDU
fields are variable in length, as prescribed by Abstract Syntax Notation One (ASN.1).
Figure 2.3 illustrates the fields of the SNMPv2 Get, GetNext, Inform, Response, Set, and Trap PDUs.
The following descriptions summarize the fields illustrated in Figure 2.3:
PDU typeIdentifies the type of PDU transmitted (Get, GetNext, Inform, Response, Set, or Trap).
Request IDAssociates SNMP requests with responses.
Error status Indicates one of a number of errors and error types. Only the response operation sets
this field. Other operations set this field to zero.
Error indexAssociates an error with a particular object instance. Only the response operation sets
this field. Other operations set this field to zero.
Variable bindingsServes as the data field of the SNMPv2 PDU. Each variable binding associates a
particular object instance with its current value (with the exception of Get and GetNext requests, for
which the value is ignored).
Figure 2.3 SNMPv2 Get, GetNext, Inform, Response, Set, and Trap PDUs Contain the Same
Fields
Figure 2.4 illustrates the fields of the SNMPv2 GetBulk PDU.
Variable bindingsServes as the data field of the SNMPv2 PDU. Each variable binding associates a
particular object instance with its current value (with the exception of Get and GetNext requests, for
which the value is ignored).
(E) SNMPv2 Protocol
The general formats for all SNMP versions are similar except the format of PDU (Protocol Data Unit).
The format of the PDU for SNMPv2 is displayed as follows:
For SNMPv2, Get, GetNext, Inform, Response, Set, and Trap PDUs have the following format:
PDU type Request ID Error status Error index Object 1, value 1
Object 2, value 2
...
PDU type- Identifies the type of PDU transmitted (Get, GetNext, Inform, Response, Set, or
Trap).
Request ID- Associates SNMP requests with responses.
Error status- Indicates one of a number of errors and error types. Only the response operation
sets this field. Other operations set this field to zero.
Error index- Associates an error with a particular object instance. Only the response operation
sets this field. Other operations set this field to zero.
Variable bindings- Serves as the data field (value 1, value 2) of the SNMPv2 PDU. Each
variable binding associates a particular object instance with its current value (with the
exception of Get and GetNext requests, for which the value is ignored).
Obj 1, Val 1
...
Non repeaters- Specifies the number of object instances in the variable bindings field that
should be retrieved no more than once from the beginning of the request. This field is used
when some of the instances are scalar objects with only one variable.
Max repetitions- Defines the maximum number of times that other variables beyond those
specified by the Non repeaters field should be retrieved.
Variable bindings- Serves as the data field (Obj 1, Obj 2 ) of the SNMPv2 PDU. Each
variable binding associates a particular object instance with its current value (with the
exception of Get and GetNext requests, for which the value is ignored).
Obj 1,Val 1
SNMPv1:
cold start
warm start
link down
link up
authetication failure
egp neighbor loss
SNMPv2:
MIBs may now include notification type macros
First two varbinds: sysuptime and snmptrapoid
Uses same format as other PDUs
EXAMPLE OF NOTIFICATION TYPE MACRO
:
linkUp NOTIFICATION-TYPE
OBJECTS {ifIndex}
STATUS current
DESCRIPTION "A linkUp trap signifies that the entity has detected that the ifOperStatus object has
changed to Up"
::= {snmpTraps 4}
It is confirmed trap. It is originally to inform a higher level manager It has same format as trap
PDU.Possible error: toobig
request for the port number for dpiPortForTCP.0. This request is issued to UDP 161 on the SNMP
agent, after which the SNMP agent responds to the DPI2 subagent with the port number for
dpiPortForTCP.0. After the port number is received, the DPI2 subagent establishes a connection with
the DPI2 agent using the port number given. The DPI2 subagent then registers its MIB subtrees with
the DPI2 agent.
SMUXpeers
A SNMP Multiplexing (SMUX) peer, such as gated, when started, will establish the connection to TCP
199 and will initialize the SMUX association.
A SNMP Multiplexing (SMUX) peer, such as gated, when started, will establish the connection
to TCP 199 and will initialize the SMUX association.
Following the initialization, the SMUX peer will register the MIB subtrees it is going to
manage.
After the registration, the SMUX peer is ready to accept any incoming request from the SMUX
server and send responses back. When the SMUX peer receives a request, it will process the
request and send a response back the SMUX server.
The SMUX peer can also send a trap to the SMUX server. If a trap is sent, the SNMP agent
will check the /etc/snmpdv3.conf file to determine the IP address or addresses to which the trap
must be forwarded, and it will send the trap to those addresses.
SNMP manager
The SNMP manager runs clsnmp, which is compatible with SNMPv1, SNMPv2c, and SNMPv3. The
SNMP manager runs clsnmp, which is compatible with SNMPv1, SNMPv2c, and SNMPv3. Use the
clsnmp command to issue a request, such as a get, get-next, get-bulk, or set request. The request is sent
to UDP 161 on the SNMP agent, after which it waits for the response from the SNMP agent.
MIB variables
Information on MIB variables can be found in the following locations:
Information on MIB variables can be found in the following locations.
For information on MIB variables.
If you want to configure your own DPI2 subagent or smux peer.
(B) SNMPv3 Applications
It is the purpose of RFC 3413, "SNMPv3 Applications" to describe the five types of applications that
can be associated with an SNMP engine. The applications are: Command Generators, Command
Responders, Notification Originators, Notification Receivers, and Proxy Forwarders. The document
also defines MIB modules for specifying targets of management operations (including notifications),
for notification filtering, and for proxy forwarding.
(C) SNMPv2 Management Information Base
MIB modules usually contain object definitions, may contain definitions of notifications, and
sometimes include compliance statements specified in terms of appropriate object groups. As such,
MIB modules define the management information 1) maintained by the instrumentation in managed
nodes, 2) made remotely accessible by management agents, 3) conveyed by the management protocol,
and 4) manipulated by management applications.
MIB modules are defined according to the rules defined in the documents that specify the data
definition language, principally the SMI as supplemented by the related specifications. There is a large
and growing number of standards-based MIB modules as defined in the periodically updated list of
standard protocols (RFC 2400). As of this writing, there are about 100 standards-based MIB modules
with a total number of defined objects of approximately 10,000. In addition, there is an even larger and
:
growing number of enterprise-specific MIB modules defined unilaterally by various vendors, research
groups, consortia, and the like resulting in an unknown and virtually uncountable number of defined
objects.
In general, management information defined in any MIB module, regardless of the version of the data
definition language used, can be used with any version of the protocol. For example, MIB modules
defined in terms of the SNMPv1 SMI are compatible with the SNMPv3 Management Framework and
can be conveyed by the protocols specified therein. Conversely, with one notable exception, MIB
modules defined using the SNMPv2 SMI are compatible with the SNMPv1 protocol operations. The
exception is the new Counter64 data type introduced in the SNMPv2 SMI: an SNMPv1 protocol
engine is unable to convey data of this type.
(D) SNMPv2 Message Format
data: contains the SNMPv3 PDU, which must be one of the PDUs specified in RFC 1905:
GetRequest, GetNextRequest, Response, SetRequest, GetBulkRequest, InformRequest, SNMPv2-Trap
or Report.
(E) SNMPv3 Protocol
Msg Size -- Maximum size of a message in octets supported by the sender of the message
Msg Flags --An octet string containing three flags in the least significant three bits:
reportableFlag, privFlag, authFlag.
Security Model --An identifier to indicate which security model was used by the sender and
therefore which security model must be used by the receiver to process this message.
User Name --The user (principal) on whose behalf the message is being exchanged.
PrivacyParameters -- Null if privacy is not being used for this exchange. Otherwise, this is a
privacy parameter.
PDU (Protocol Data Unit)-- The PDU types for SNMPv3 are the same as the SNMPv2.
Engine is an engine which receives SNMP messages which need a response. This is always the
agent that a manager communicates with.
USM Security Parameters
The USM uses the msgSecurityParameters to hold five values. These values are used by the
authentication module to ensure data integrity and origin authentication, by the timeliness module to
protect against message delay or replay, and by the privacy module to protect against message payload
disclosure.
msgAuthoritativeEngineID
The snmpEngineID of the authoritative engine is always put in this field no matter which side
the packet originates from.
msgAuthoritativeEngineBoots
The snmpEngineBoots of the authoritative engine.
msgAuthoritativeEngineTime
The snmpEngineTime of the authoritative engine.
msgUserName
The name of the user whose secret keys were used to possibly authenticate and encrypt the
packet.
msgAuthenticationParameters
If the packet has been authenticated, then this field contains the computed HMAC-MD5 or
HMAC-SHA message digest for the packet.
msgPrivacyParameters
If the scopedPDU of the packet has been encrypted, then this field contains the salt (i.e. random
variant) that was used as input to the DES algorithm.
Authentication
The USM specifies the use of the Message Digest 5 (MD5) and Secure Hash Algorithm 1 (SHA-1)
algorithms for authenticating SNMPv3 packets. These algorithms are used to create unique fixed sized
message digests, also called digital signatures or fingerprints, of a variable length message. MD5
creates a digest of 128 bits (16 bytes) and SHA-1 creates a digest of 160 bits (20 bytes). Both MD5 and
SHA-1 cannot be used directly as a message authentication code because they do not use secret keys as
input to derivate the computed message digest. This is why the Keyed Hashing for Message
Authentication (HMAC) algorithm in combination with MD5 and SHA-1 is used for computing
message digests. The HMAC algorithm defines a procedure for appending a secret key to the data and
then computing the MD5 or SHA-1 message digest. This guarantees that parties who wish to compute
identical message digests for the same block of data must share a common secret key. Here are the
steps that are taken for sending and receiving an authenticated SNMPv3 packet:
Sending an authenticated SNMPv3 packet:
1. The entire packet is created. The authentication flag is turned on in the msgFlags, and the
msgAuthenticationParameters is zeroed out.
2. A message digest is computed of the packet using the secret authentication key for the user
specified in msgUserName. The algorithm used (i.e. HMAC-MD5 or HMAC-SHA) is
determined by the authentication protocol specified for the user in the User Table.
3. The computed message digest is inserted in the msgAuthenticationParameters.
4. The packet is sent.
Receiving an authenticated SNMPv3 packet:
1. The packet is received.
2. If the authentication flag is turned on in the msgFlags, then continue with the authentication
process at step 3. If the packet was not authenticated by the sender, authentication is skipped.
:
authenticated and if so, which authentication protocol to use. The current values for this field
are: usmNoAuthProtocol, usmHMACMD5AuthProtocol, and usmHMACSHAAuthProtocol.
Authentication Key
The localized secret key used by the authentication protocol for authenticating messages.
Privacy Protocol
An indication of whether or not messages sent or received on behalf of this user can be
encrypted and if so, which privacy protocol to use. The current values for this field are:
usmNoPrivProtocol and usmDESPrivProtocol.
Privacy Key
The localized secret key used by the privacy protocol for encrypting and decrypting messages.
The User Table has a spin lock associated with it named usmUserSpinLock. A spin lock is an advisory
lock which is used to allow several SNMP managers to coordinate their attempts in modifying a MIB
table. The concept is simple. Whenever a change is going to be made to the User Table on an agent, the
value of the usmUserSpinLock must be retrieved via a GET command by the manager. Then the
manager sends a SET command to the agent which contains a PDU to set the usmUserSpinLock and
whatever variables in the User Table that need to be modified. The value of the usmUserSpinLock in
the SET command must be the value that was retrieved in the previous GET command. Once the agent
receives the message containing the SET command, the usmUserSpinLock is immediately processed.
If the current value of the usmUserSpinLock is not the same as the value specified in the SET
command, the SET operation has failed and an error is returned. If the two values are the same, then
the User Table variables specified in the PDU of the SET command are set. When the agent has
finished processing the entire PDU, the usmUserSpinLock value is incremented by one. As you can
see, if the value of the usmUserSpinLock is different when it is being set, then the User Table has been
modified since the initial retrieval of the usmUserSpinLock value.
Localized Keys
A localized key is a concept that allows the use of the same password for a user on many different
agents. It would be very cumbersome to be forced to remember a different password for each agent the
user exists. The localized key is computed using a one way hash function (e.g. MD5 or SHA-1) against
a secret password and the snmpEngineID of the agent where the user exists. This results in secret keys
that, although use the same password, are completely different for each agent.
Changing Keys
The USM introduces the KeyChange type which describes a convention for using secret keys. The
KeyChange definition provides a secure means of sending localized keys across networks which
allows users to change their keys. The following steps will occur when a user changes their key:
Manager:
1. The user enters in a new password.
2. The localized key is computed using the new password and the snmpEngineID of the agent
where the key is going to be changed.
3. A one-way function is used to produce a value from the old key.
4. This value is exclusively or'ed (XOR) with the new key.
5. The final KeyChange value is sent to the agent in a SET operation.
Agent: (after receiving the KeyChange SET operation)
1. The same one-way function that the manager used to produce a value from the old key is
performed.
2. This value is exclusively or'ed (XOR) with the received KeyChange to produce the new key.
3. The new key for the user is set in the User Table.
: