
SNMP
Simple Network Management Protocol
Jerry Martin

SNMP
• Application layer protocol
• Runs over UDP (port 161 for requests, 162 for traps); mappings also exist for CLNS, DDP and IPX
• Basic Components:
  – Managed devices
  – Agents
  – Network-management systems (NMS)

Basic Components
• Managed Device
  – Network node containing an SNMP agent
  – Routers, servers, bridges, hubs, computer hosts, printers
• Agent
  – Software module running on the managed device
  – Has knowledge of local management information and translates it into SNMP form
• Network-management system (NMS)
  – Does the bulk of the work
  – Sends and receives network information from multiple managed devices on the network

An SNMP Managed Network
(figure: an NMS exchanging SNMP messages with several managed devices; image not reproduced)

Basic SNMP Commands
• Read
  – NMS retrieves variables in managed devices
• Write
  – NMS changes the value of variables in managed devices
• Trap
  – Managed devices asynchronously report events to the NMS
• Traversal operations
  – NMS determines what operations a device supports and gathers information from device tables

Management Information Base (MIB)
• Information hierarchy: a tree of managed objects, each named by an object identifier (OID)
• Contains scalar and tabular object instances
Protocol Operations
• Get
• GetNext
• Set
• Trap
• GetBulk
• Inform
  – An NMS sends trap information to another NMS and then receives a Response (an acknowledged trap)

SNMPv2 Messages
• Message Header:
  – Version Number
  – Community name (sent in clear text; it is the only "authentication" in v1 and v2c)
• PDU

SNMPv2 PDU
• PDU Type
• Request ID
• Error Status
• Error Index
• Variable bindings

SNMP – Version 3
• Three services:
  – Authentication
  – Privacy
  – Access Control
• Introduced principal
  – Entity on whose behalf services are rendered
  – Can be an individual, a set of individuals in a certain role, or applications
  – Issues SNMP commands to the agent system
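The message and PDU layouts on the two slides above, as an added worked example that is not part of the original deck: a minimal BER encoder and decoder for v1/v2c messages written in Python for this page. The OIDs, request ID and community string used in the demo are constructed sample values.

```python
# Added example for this page: minimal BER encoder/decoder for SNMPv1/v2c
# messages (version + community + PDU). Not code from the slides.
# Only the ASN.1 types SNMP actually uses are handled.

INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
PDU_TYPES = {"GetRequest": 0xA0, "GetNextRequest": 0xA1, "Response": 0xA2,
             "SetRequest": 0xA3, "GetBulkRequest": 0xA5, "InformRequest": 0xA6,
             "SNMPv2-Trap": 0xA7}
PDU_NAMES = {v: k for k, v in PDU_TYPES.items()}
VERSIONS = {"v1": 0, "v2c": 1}


def _tlv(tag, body):
    """Tag-Length-Value with a definite-form BER length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:                                   # long form: 0x8N followed by N length bytes
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def enc_int(v):
    # two's-complement, shortest form for non-negative values (request ID, error fields)
    return _tlv(INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def enc_oid(dotted):
    ids = [int(x) for x in dotted.strip(".").split(".")]
    out = bytearray([40 * ids[0] + ids[1]])         # first two arcs share one byte
    for sub in ids[2:]:
        chunk = bytearray([sub & 0x7F])             # base-128, high bit = "more follows"
        sub >>= 7
        while sub:
            chunk.insert(0, 0x80 | (sub & 0x7F))
            sub >>= 7
        out += chunk
    return _tlv(OID, bytes(out))


def _enc_value(v):
    if v is None:
        return _tlv(NULL, b"")                      # Get requests carry NULL values
    if isinstance(v, int):
        return enc_int(v)
    if isinstance(v, bytes):
        return _tlv(OCTET_STRING, v)
    raise TypeError("unsupported varbind value")


def build_message(version, community, pdu_type, request_id, varbinds,
                  error_status=0, error_index=0):
    """varbinds: list of (dotted OID, value); value None for a Get."""
    vbl = b"".join(_tlv(SEQUENCE, enc_oid(o) + _enc_value(v)) for o, v in varbinds)
    pdu = _tlv(PDU_TYPES[pdu_type], enc_int(request_id) + enc_int(error_status)
               + enc_int(error_index) + _tlv(SEQUENCE, vbl))
    return _tlv(SEQUENCE, enc_int(VERSIONS[version])
                + _tlv(OCTET_STRING, community.encode()) + pdu)


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def dec_oid(body):
    ids, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            ids.append(val)
            val = 0
    return ".".join(map(str, ids))


def _dec_value(tag, body):
    if tag == NULL:
        return None
    if tag == INTEGER:
        return int.from_bytes(body, "big", signed=True)
    if tag == OID:
        return dec_oid(body)
    return bytes(body)                              # OCTET STRING and anything else: raw


def parse_message(data):
    """Decode a v1/v2c message into a dict: header fields, PDU fields, varbinds."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, ver, p = _read_tlv(msg, 0)
    _, community, p = _read_tlv(msg, p)
    pdu_tag, pdu, _ = _read_tlv(msg, p)
    _, rid, p = _read_tlv(pdu, 0)
    _, status, p = _read_tlv(pdu, p)
    _, index, p = _read_tlv(pdu, p)
    _, vbl, _ = _read_tlv(pdu, p)
    varbinds, q = [], 0
    while q < len(vbl):
        _, vb, q = _read_tlv(vbl, q)
        _, oid, r = _read_tlv(vb, 0)
        vtag, vval, _ = _read_tlv(vb, r)
        varbinds.append((dec_oid(oid), _dec_value(vtag, vval)))
    return {"version": int.from_bytes(ver, "big"), "community": bytes(community),
            "pdu_type": PDU_NAMES.get(pdu_tag, pdu_tag),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": int.from_bytes(status, "big"),
            "error_index": int.from_bytes(index, "big"), "varbinds": varbinds}


if __name__ == "__main__":
    # constructed sample: GetRequest for sysName.0 with the default community
    req = build_message("v2c", "public", "GetRequest", 42, [("1.3.6.1.2.1.1.5.0", None)])
    print(req.hex())
    print(parse_message(req))
```

The hex output makes the security point the slides only imply: version, community name and every variable binding are in the clear, so anyone who can observe the datagram can read the community string and replay or forge requests. That is why v1/v2c community strings should be treated as shared passwords and why SNMPv3 with USM replaces them.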

SNMPv3 Engine
• Unique ID for each engine on the network
• Each managed device/NMS has its own engine
• Engine handles message passing, encryption, access control, etc.

SNMPv3 Messages
• Composed of 3 parts:
  – Message header
    • Contains Version, ID, Size, Flags
  – Security Parameters
    • Defined by the User-based Security Model (USM)
  – Scoped PDU

SNMPv3 Message msgFlags
• reportableFlag
  – If set to 1, a Report PDU must be returned when the message cannot be processed
  – Set to 1 in PDUs that expect a response (Get, GetNext, GetBulk, Set, Inform); 0 in Trap, Response and Report
  – Only consulted when the PDU cannot be decoded: the receiver sends back a Report describing the error
• privFlag
  – Apply encryption if 1
• authFlag
  – Apply authentication if 1 (the flag selects message authentication, not authorization; authorization is handled by VACM)

Authoritative Engine
• When the message expects a response, the receiver is authoritative
  – Get, GetNext, GetBulk, Set or Inform PDU
• When the message does not expect a response, the sender is authoritative
  – Trap, Response, or Report PDU

Why have authoritative engines?
• Allows the Boot and Time parameters to be set
• Timeliness
  – Determined with respect to the clock maintained by the authoritative engine

Authentication
• Secret-Key Authentication
  – Two communicating entities share an authentication key (derived from the user's password and localized to the authoritative engine's ID)
  – Uses the msgAuthenticationParameters field
  – The authentication code is a keyed hash (HMAC, truncated to 96 bits) over the whole message, which carries the authoritative engine ID, the user name and the engine boots/time of transmission
• Timeliness Verification
  – Protects against replay attacks
  – Uses the snmpEngineBoots and snmpEngineTime fields
  – If the boot values match and the time values are within 150 seconds, the message is timely
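Key localization, message authentication and the timeliness checks from the two slides above, as an added example that is not from the deck. It is written for this page in Python against RFC 3414: the password "maplesyrup" and engine ID 00…02 are the RFC's own test vector, while the message bytes are a constructed stand-in (the real header and scoped PDU are not BER-encoded here), so only the offset of the 12-octet msgAuthenticationParameters field matters.

```python
# Added example for this page: RFC 3414 USM helpers (not code from the slides).
import hashlib
import hmac

MAX_ENGINE_BOOTS = 2147483647   # once reached, the engine must refuse authenticated traffic
TIME_WINDOW = 150               # seconds, RFC 3414 section 2.2.3
MAC_LEN = 12                    # HMAC-MD5-96 / HMAC-SHA-96 truncate the tag to 12 octets


def password_to_key(password, engine_id, hash_name="md5"):
    """RFC 3414 A.2: stretch the password to 1 MiB and hash it (Ku), then
    localize it to one engine: Kul = H(Ku || snmpEngineID || Ku)."""
    pw = password.encode()
    stream = (pw * (1048576 // len(pw) + 1))[:1048576]
    ku = hashlib.new(hash_name, stream).digest()
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def _zeroed(whole_msg, off):
    # the MAC is computed with msgAuthenticationParameters set to 12 zero octets
    return whole_msg[:off] + b"\x00" * MAC_LEN + whole_msg[off + MAC_LEN:]


def authenticate(whole_msg, off, kul, hash_name="md5"):
    """Fill msgAuthenticationParameters (at offset `off`) with the truncated HMAC."""
    mac = hmac.new(kul, _zeroed(whole_msg, off), hash_name).digest()[:MAC_LEN]
    return whole_msg[:off] + mac + whole_msg[off + MAC_LEN:]


def verify(whole_msg, off, kul, hash_name="md5"):
    expected = hmac.new(kul, _zeroed(whole_msg, off), hash_name).digest()[:MAC_LEN]
    return hmac.compare_digest(whole_msg[off:off + MAC_LEN], expected)


def timely_at_authoritative(local_boots, local_time, msg_boots, msg_time):
    """Receiver is authoritative (Get/GetNext/GetBulk/Set/Inform): RFC 3414 3.2 step 7b.
    Boots must match exactly and the time must be within +/- 150 s of the local clock."""
    if local_boots == MAX_ENGINE_BOOTS:
        return False
    return msg_boots == local_boots and abs(msg_time - local_time) <= TIME_WINDOW


def timely_at_nonauthoritative(cached_boots, cached_time, msg_boots, msg_time):
    """Receiver is not authoritative (Response/Trap/Report): RFC 3414 3.2 step 7a.
    Compared against the boots/time last learned from that engine; a message may
    not go backwards in boots, nor more than 150 s behind the latest time seen."""
    if cached_boots == MAX_ENGINE_BOOTS or msg_boots < cached_boots:
        return False
    return msg_boots > cached_boots or msg_time >= cached_time - TIME_WINDOW


ENGINE_ID = bytes.fromhex("000000000000000000000002")   # RFC 3414 A.3 test engine ID


def demo_message():
    """Constructed stand-in for a v3 message: the bytes around the 12-octet
    msgAuthenticationParameters field are placeholders, not real BER."""
    head = b"<v3 header + USM params up to msgAuthenticationParameters>"
    tail = b"<msgPrivacyParameters><scoped PDU>"
    return head + b"\x00" * MAC_LEN + tail, len(head)


if __name__ == "__main__":
    kul = password_to_key("maplesyrup", ENGINE_ID)
    msg, off = demo_message()
    signed = authenticate(msg, off, kul)
    print("Kul (MD5):", kul.hex())
    print("verifies:", verify(signed, off, kul))
    print("timely:", timely_at_authoritative(7, 1000, 7, 1149))
```

Two practical points follow from the code. Because the key is localized with the engine ID, a password that leaks from one device's configuration does not directly yield a valid key for another engine, but the 1 MiB stretch is cheap enough that dictionary attacks on captured traffic remain feasible, so the password itself still has to be strong. HMAC-MD5-96 and HMAC-SHA-96 are the RFC 3414 algorithms this deck describes; current deployments should use the SHA-2 variants of RFC 7860, which localize keys the same way.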

Privacy
• Both parties share an encryption key
• The PDU part of the message (the scoped PDU) is encrypted
• Cipher-block-chaining is used
  – The salt from which the initialization vector is derived is stored in msgPrivacyParameters

Access Control
• View-based Access Control Model (VACM)
• Provides different levels of access to different managers
  – Restrict portions of agent MIBs
  – Limit the operations a principal can use
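How VACM reaches an access decision, as an added example that is not part of the original slides: a Python evaluator, written for this page, of the RFC 3415 lookup chain (securityName to group, group to access entry by security model and level, access entry to view, view to subtree/mask match) over a hypothetical configuration. The user names, group names, view names and tables below are invented for the illustration; the OIDs are the standard system and interfaces groups.

```python
# Added example for this page: a small VACM (RFC 3415) evaluator.
# Configuration at the bottom is hypothetical.
from dataclasses import dataclass


def oid(s):
    return tuple(int(x) for x in s.strip(".").split("."))


@dataclass
class ViewTreeFamily:
    view: str
    subtree: tuple
    mask: tuple = ()        # 1 = arc must match, 0 = wildcard; missing bits count as 1
    included: bool = True   # False = excluded subtree


@dataclass
class AccessEntry:
    group: str
    sec_model: str          # "usm", "v2c", ... or "any"
    sec_level: str          # minimum level: noAuthNoPriv / authNoPriv / authPriv
    read_view: str = ""     # "" means no view, i.e. the operation is refused
    write_view: str = ""
    notify_view: str = ""


LEVEL = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}


def oid_in_view(target, view_name, families):
    """RFC 3415 4.2: among matching entries the longest subtree wins
    (ties broken by the greatest mask); the target is in the view if
    that winning entry is 'included'."""
    best, best_key = None, None
    for fam in families:
        if fam.view != view_name or len(target) < len(fam.subtree):
            continue
        mask = fam.mask + (1,) * (len(fam.subtree) - len(fam.mask))
        if all(m == 0 or t == s for t, s, m in zip(target, fam.subtree, mask)):
            key = (len(fam.subtree), mask)
            if best_key is None or key > best_key:
                best, best_key = fam, key
    return best is not None and best.included


def is_access_allowed(sec_model, sec_name, sec_level, view_type, target,
                      security_to_group, access_table, families):
    """Returns (allowed, reason); reasons follow the RFC 3415 4.1 status names."""
    group = security_to_group.get((sec_model, sec_name))
    if group is None:
        return False, "noGroupName"
    candidates = [a for a in access_table
                  if a.group == group and a.sec_model in (sec_model, "any")
                  and LEVEL[a.sec_level] <= LEVEL[sec_level]]
    if not candidates:
        return False, "noAccessEntry"
    # an exact security model beats "any"; then the entry with the highest minimum level
    entry = max(candidates, key=lambda a: (a.sec_model != "any", LEVEL[a.sec_level]))
    view = {"read": entry.read_view, "write": entry.write_view,
            "notify": entry.notify_view}[view_type]
    if not view:
        return False, "noSuchView"
    if not oid_in_view(target, view, families):
        return False, "notInView"
    return True, "accessAllowed"


# --- hypothetical configuration -------------------------------------------
SECURITY_TO_GROUP = {("usm", "monitor"): "ro-ops", ("usm", "netadmin"): "admins"}

ACCESS = [
    AccessEntry("ro-ops", "usm", "authNoPriv", read_view="sysonly"),
    AccessEntry("admins", "usm", "authPriv", read_view="all", write_view="all"),
]

VIEWS = [
    ViewTreeFamily("all", oid("1.3.6.1")),
    ViewTreeFamily("sysonly", oid("1.3.6.1.2.1.1")),                    # system group...
    ViewTreeFamily("sysonly", oid("1.3.6.1.2.1.1.6"), included=False),  # ...minus sysLocation
    # ifEntry row 2 only: the 10th arc (the column) is wildcarded by the mask
    ViewTreeFamily("sysonly", oid("1.3.6.1.2.1.2.2.1.0.2"),
                   mask=(1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1)),
]


def check(sec_name, sec_level, view_type, target):
    """Decision for a USM user against the hypothetical tables above."""
    return is_access_allowed("usm", sec_name, sec_level, view_type, oid(target),
                             SECURITY_TO_GROUP, ACCESS, VIEWS)


if __name__ == "__main__":
    print(check("monitor", "authNoPriv", "read", "1.3.6.1.2.1.1.5.0"))    # sysName.0
    print(check("monitor", "authNoPriv", "read", "1.3.6.1.2.1.2.2.1.2.1"))  # ifDescr.1
    print(check("netadmin", "authNoPriv", "write", "1.3.6.1.2.1.1.5.0"))
```

The masked entry is the part worth studying: it grants every column of one row of ifTable without exposing the rest of the table, which is how VACM expresses least privilege over tabular objects. The "admins" entry also shows that the minimum security level is enforced before any view is consulted, so a write by a user who authenticated but did not encrypt is refused with noAccessEntry even though the user is in the right group.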

