TSIN02 - Internetworking
© 2004 Image Coding Group, Linköpings Universitet
Lecture 10: SNMP and AAA
Literature:
● Forouzan, chapter 23
● RFC2881
● RFC2905
● RFC2903
● Diameter next generation's AAA protocol by Håkan Ventura (handouts)
Lecture 10: SNMP and AAA
Outline:
● SNMP
● AAA introduction
● AAA in Network Access Servers
● DIAMETER, an AAA compliant protocol
Network management framework?
● Management Information Base (MIB)
● Structure of Management Information (SMI)
● SNMP
● Security and Administration
● ASN.1
Why network management?
Complex systems are difficult to manage. Too much happens in too many places. Information has to be pooled to make an overview possible.
● All large systems need to be managed systematically
– Industrial chemical processes
– Large organisations
– Electrical power systems
Network management
● Device Management
– Checking the state of a device
– Changing the configuration of a device
– Activating or turning off a device
– Monitoring software
● Network Management
– Properties of the network as a whole
Examples of managing tasks
– Shutting down a network interface on a router
– Checking the speed of an Ethernet interface
– Monitoring the temperature on a switch, and sending a warning if it gets too high
– Checking the state of a webserver (the software)
– Collecting statistics about link usage
Infrastructure
Managed devices contain objects whose data is gathered into a Management Information Base.
Figure: a managing entity exchanges messages over a network management protocol with the agents running on the managed devices; each agent holds its own device's data.
SNMP at a glance
● Introduced in 1988
– To meet the need for a standard for managing IP devices.
● Replaced SGMP
– Simple Gateway Management Protocol was used for managing Internet routers
● Latest version is v3
SNMP parts
● SMI – Structure of Management Information
– The language for defining MIB objects
● MIB – Management Information Base
– Defines a set of objects, similar to a database
● SNMP
– Application program that allows the manager to retrieve and store object values in agents, and agents to send alarm messages to the manager
● Security
– The main addition from v2 to v3
SMI – Object Attributes
Figure from Forouzan
SMI Naming
– A tree structure is the basis for SNMP naming
– Each tree node is described by dot-separated numbers/names
Figure: the object identifier tree (indentation shows the parent/child relation)
Root
  ccitt(0)
  iso(1)
    org(3)
      dod(6)
        internet(1)
          directory(1)
          mgmt(2)
            mib-2(1) = 1.3.6.1.2.1
              sys(1), if(2), at(3), ip(4), icmp(5), tcp(6), udp(7), egp(8), trans(11), snmp(12)
              under udp(7): udpInDatagrams(1), udpNoPorts(2), udpInErrors(3), udpOutDatagrams(4), udpTable(5)
          experimental(3)
          private(4)
  joint(2)
SMI type and syntax
● Managed agents are heterogeneous and may represent data in many different ways
● There is a need for a well-defined and machine-independent syntax
● Solution: ASN.1
● Simple datatypes are offered (signed and unsigned integers, strings, etc.)
● Structured types can be built from simple types
Abstract Syntax Notation One (ASN.1)
● ISO standard, defines data types in a machine-independent way
● Intermediate format for communication between different machines
Figure: data in machine 1, in its internal representation → Encoder → transmission in abstract, machine-independent form → Decoder → data in machine 2, in its internal representation
Data Types
Figure from Forouzan
SMI Encoding - BER
● ASN.1 is not enough for transmission, since it makes an abstract definition of data types
● We need a standardized way of encoding data for transmission
● The solution for this is Basic Encoding Rules
● Tag-Length-Value
Encoding Format
Figure from Forouzan
Format bit: 0 – Simple, 1 – Structured
Tag class bits: 00 – ASN.1, 01 – SMI extensions, 10 – context-specific, 11 – private (vendor specific)
Length Format
Figure from Forouzan
Examples
Figure from Forouzan
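The Tag-Length-Value rules from the preceding slides, worked through as a decoder. This is an added example, not code from the lecture or from Forouzan: it splits the tag byte into class, format and number, handles both the short and the long length form, and refuses any length that points past the buffer, which is the check a robust SNMP agent needs. The sample bytes are constructed for the example.

```python
# Added example, not from the slides: a bounds-checked BER Tag-Length-Value decoder
# for the SMI types SNMP messages are built from. Sample bytes below are constructed.
def parse_tag(buf, pos):
    # Tag byte: bits 8-7 class (00 ASN.1, 01 SMI, 10 context, 11 private), bit 6 format (0 simple, 1 structured), bits 5-1 number
    if pos >= len(buf):
        raise ValueError("truncated tag")
    t = buf[pos]
    if t & 0x1F == 0x1F:                 # multi-byte tag numbers never occur in SNMP
        raise ValueError("high tag numbers unsupported")
    return t >> 6, bool(t & 0x20), t & 0x1F, pos + 1

def parse_length(buf, pos):
    # Short form: one byte below 128. Long form: 0x80|n, then n length bytes.
    if pos >= len(buf):
        raise ValueError("truncated length")
    first, pos = buf[pos], pos + 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 4 or pos + n > len(buf):   # 0x80 alone = indefinite form, not allowed in SNMP
        raise ValueError("bad length octets")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n

def decode_oid(data):
    # First byte packs the first two arcs as 40*X+Y; the rest are base-128, MSB = more follows.
    if not data:
        raise ValueError("empty OID")
    arcs, value, pending = [data[0] // 40, data[0] % 40], 0, False
    for b in data[1:]:
        value, pending = (value << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("unterminated OID arc")
    return ".".join(map(str, arcs))

def decode(buf, pos=0):
    cls, structured, num, pos = parse_tag(buf, pos)
    length, pos = parse_length(buf, pos)
    end = pos + length
    if end > len(buf):                   # a length field must never reach past the datagram
        raise ValueError("value truncated")
    if structured:                       # SEQUENCE etc.: decode the contents recursively
        items = []
        while pos < end:
            item, pos = decode(buf, pos)
            items.append(item)
        return items, end
    data = buf[pos:end]
    if (cls, num) == (0, 2):             # INTEGER, two's complement
        return int.from_bytes(data, "big", signed=True), end
    if (cls, num) == (0, 4):             # OCTET STRING
        return data, end
    if (cls, num) == (0, 6):             # OBJECT IDENTIFIER
        return decode_oid(data), end
    return ("tag", cls, num, data), end  # e.g. SMI Counter/Gauge (class 01) are left raw

# Constructed sample: SEQUENCE { OBJECT IDENTIFIER 1.3.6.1.2.1.7.1.0, INTEGER 42 }
SAMPLE = bytes.fromhex("300d" "06082b06010201070100" "02012a")
```

`decode(SAMPLE)` returns `(['1.3.6.1.2.1.7.1.0', 42], 15)`; the OID is udpInDatagrams.0 from the naming tree above.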
Management Information Base (v2)
● Each agent has its own MIB
● The collection of objects that are managed
● The objects are sorted into the groups under 1.3.6.1.2.1 (mib-2)
● Only leaves in the tree are accessible
● The objects are accessed using SNMP operations
● Lots of standard objects, extended by vendor-specific ones
MIB-2
Figure from Forouzan
UDP Group
Figure from Forouzan
UDP Variables and Tables
Figure from Forouzan
Indexes for UDP Table
Figure from Forouzan
Lexicographic Ordering
Figure from Forouzan
SNMP Operations
Figure from Forouzan
SNMP PDU Format
Figure from Forouzan
SNMP Message Format
Figure from Forouzan
UDP Ports
Figure from Forouzan
AAA Introduction
● Authentication
– Validate user identity.
● Authorization
– Check which services the user is allowed access to.
● Accounting
– Store information about use of a service, e.g. for billing purposes.
Authentication
● Validate the identity of a user
● Used for
– Access control
– Authorization decisions
– Account records
Authentication techniques
● Providing some credential that proves a claimed identity
– ID
– Smart card
– SIM
– Certificate
– Biometrics
– Password
– Public/secret key pair
Authentication protocol
Example:
If A wants to contact B through the Internet, how can A prove his/her identity?
Authorization
● Policy
– Identity
– Current actions
– Outside state
● Allowing access to services to authenticated users
Accounting
● Tracking the usage of resources for
– Billing
– Management
– Planning
– Auditing
Protocols for AAA
● RADIUS
● TACACS
● COPS
● DIAMETER
Network Access Server
A Network Access Server (NAS) is often the initial entry point to a network.
A NAS is a gateway between the users and a network, supplying one or more ways to connect, e.g.:
– Dial-up
– Direct network access (e.g. through SLIP or PPP)
– Asynchronous terminal services (e.g. telnet)
– Tunneling
DIAMETER
The Diameter Base Protocol is intended to provide an Authentication, Authorization and Accounting framework for applications such as network access and IP mobility.
DIAMETER Facilities
The Diameter Base Protocol provides the following facilities:
● Delivery of attribute value pairs (AVPs)
● Capabilities negotiation
● Error notification
● Extensibility, through addition of new commands and AVPs
● Basic services necessary for applications, such as handling of user sessions or accounting
The Diameter Base Protocol provides the minimum requirements needed for an AAA protocol, as defined in RFC2989.
DIAMETER Features
All data delivered by the protocol is in the form of an AVP. These are used by the base protocol to support the following features:
● Transporting of user authentication information, for the purpose of enabling the Diameter server to authenticate the user.
● Transporting of service-specific authorization information between client and servers, allowing the peers to decide whether a user's access should be granted.
● Exchanging resource usage information, which may be used for accounting purposes, capacity planning, etc.
● Relaying, proxying and redirecting of Diameter messages through a server hierarchy.
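The AVP delivery, extensibility and error-notification facilities listed on the two Diameter slides, as an added example that is not from the lecture. The AVP header layout, the AVP codes and the Result-Code values come from the Diameter base protocol specification (RFC 3588, now RFC 6733), which the slides do not reproduce; the vendor id and the sample AVP contents are constructed.

```python
# Added example, not from the slides: encoding and checking Diameter AVPs with the header
# layout of the Diameter base protocol specification (RFC 3588, now RFC 6733), which these
# slides do not reproduce: Code(32) | Flags(8: V M P r r r r r) | Length(24, header included)
# | Vendor-ID(32, only if V is set) | Data, padded to a 4-byte boundary. Samples are constructed.
import struct

FLAG_V, FLAG_M, FLAG_P = 0x80, 0x40, 0x20
DIAMETER_SUCCESS, DIAMETER_AVP_UNSUPPORTED = 2001, 5001
KNOWN_AVPS = {1: "User-Name", 263: "Session-Id", 268: "Result-Code"}   # a few base AVP codes

def encode_avp(code, data, mandatory=True, vendor_id=None):
    flags = (FLAG_M if mandatory else 0) | (FLAG_V if vendor_id is not None else 0)
    header_len = 12 if vendor_id is not None else 8
    out = struct.pack("!IB", code, flags) + (header_len + len(data)).to_bytes(3, "big")
    if vendor_id is not None:
        out += struct.pack("!I", vendor_id)
    return out + data + b"\x00" * (-len(data) % 4)          # pad to the 32-bit boundary

def parse_avps(buf):
    # Walk a run of AVPs; reject inconsistent lengths instead of guessing where the next one starts.
    pos, avps = 0, []
    while pos < len(buf):
        if len(buf) - pos < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, pos)
        length = int.from_bytes(buf[pos + 5:pos + 8], "big")
        header_len = 12 if flags & FLAG_V else 8
        if length < header_len or pos + length > len(buf):
            raise ValueError("bad AVP length")
        vendor_id = struct.unpack_from("!I", buf, pos + 8)[0] if flags & FLAG_V else None
        avps.append((code, vendor_id, flags, buf[pos + header_len:pos + length]))
        pos += length + (-length % 4)                          # skip the padding as well
    return avps

def check_mandatory(avps):
    # Extensibility rule: an unrecognised AVP is ignored unless its M bit is set, in which
    # case the receiver must reject the message with Result-Code DIAMETER_AVP_UNSUPPORTED.
    for code, vendor_id, flags, _ in avps:
        if vendor_id is None and code in KNOWN_AVPS:
            continue
        if flags & FLAG_M:
            return DIAMETER_AVP_UNSUPPORTED
    return DIAMETER_SUCCESS

# Constructed sample: a known Session-Id, an optional vendor AVP (vendor id 1234 is made up),
# then an unknown AVP flagged mandatory, which the receiver has to refuse.
SAMPLE = (encode_avp(263, b"nas1;1;1")
          + encode_avp(9999, b"\x01", mandatory=False, vendor_id=1234)
          + encode_avp(424242, b"x"))
```

`check_mandatory(parse_avps(SAMPLE))` returns 5001: the optional vendor AVP is skipped, but the unknown AVP with the M bit set makes the whole message unacceptable.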