I. Overall understanding
1. Four components of TCP/IP-based network management
(1) Management Information Base (MIB): the collection of managed objects, i.e. every parameter of the managed device that a management process may read or modify through the agent.
(2) Structure of Management Information (SMI): management information is the set of managed objects, and the SMI is the rule set that says how a managed object is named (its object identifier) and encoded.
(3) The SNMP protocol, used for communication between the management process (manager) and the agent process. SNMP is an application-layer protocol, normally carried over UDP: the agent listens on port 161, and the management process receives traps on port 162.
(4) Security mechanism: in SNMPv1 it is extremely weak; v2 and v3 improved it, though substantively only in v3.
2. Management Information Base and Structure of Management Information
(1) The SMI is to the MIB roughly what a schema is to a database: the SMI defines what an object may look like, and the MIB says what each object actually is.
(2) Managed variables come in two kinds: scalars and tables. A scalar is a leaf of the MIB tree and is identified by appending ".0" to its object identifier; a table cell is identified by appending the values of the row's index objects to the column's object identifier (for example ifInOctets.1 for the interface with ifIndex 1).
3. SNMP protocol and security mechanism
(1) SNMPv1 defines five PDU types: GetRequest, GetNextRequest, SetRequest, GetResponse and Trap. The first three are sent by the management process, the last two by the agent. (SNMPv2 adds GetBulkRequest, InformRequest and Report.)
(2) Security mechanism: SNMPv1 uses the "community" field of the message as the password shared by the management process and the agent; the agent accepts a request only if it carries a community name it recognizes. The name travels in plaintext in every message, so anyone who can observe the traffic can read it and then forge or replay requests. SNMPv2c keeps the same scheme, so its security is not essentially better. SNMPv3 introduces a new security mechanism (the User-based Security Model, with per-user authentication and encryption) together with a dedicated access control model (VACM).
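To make the plaintext-community point concrete, here is an added example (not code from the original notes) that hand-encodes the SNMPv1 GetRequest a manager sends for sysDescr.0 and then pulls the community string back out of the bytes, which is all a passive observer on the path has to do. The host name in the usage call is a placeholder; the UDP sending function is included for completeness and is not exercised offline.

```python
"""SNMPv1 GetRequest on the wire: RFC 1157 message framing, BER encoded.
Added example, not code from the original notes."""
import socket

SNMP_V1 = 0                                 # message version field: 0 = SNMPv1, 1 = SNMPv2c
GET_REQUEST, GET_NEXT, GET_RESPONSE, SET_REQUEST, TRAP = 0xA0, 0xA1, 0xA2, 0xA3, 0xA4


def ber_length(n: int) -> bytes:
    """Definite-length form: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(payload)) + payload


def encode_int(v: int) -> bytes:
    """INTEGER, minimal two's-complement encoding."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs share a byte, the rest are base-128 with a continuation bit."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(community: str, dotted_oid: str, request_id: int = 1) -> bytes:
    """Message ::= SEQUENCE { version, community OCTET STRING, GetRequest-PDU }."""
    varbind = tlv(0x30, encode_oid(dotted_oid) + tlv(0x05, b""))       # name + NULL value
    pdu = tlv(GET_REQUEST, encode_int(request_id) + encode_int(0)       # error-status = noError
              + encode_int(0) + tlv(0x30, varbind))                     # error-index, VarBindList
    return tlv(0x30, encode_int(SNMP_V1) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value bytes, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def sniff_community(msg: bytes):
    """What any v1/v2c message gives away: (version, community, PDU tag). No key needed."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, vbody, p = read_tlv(body)
    _, cbody, p = read_tlv(body, p)
    pdu_tag, _, _ = read_tlv(body, p)
    return int.from_bytes(vbody, "big", signed=True), cbody.decode(), pdu_tag


def query(host: str, community: str, dotted_oid: str, timeout: float = 2.0) -> bytes:
    """Send the request to the agent on UDP/161 and return the raw GetResponse bytes."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community, dotted_oid), (host, 161))
        reply, _ = s.recvfrom(65535)
    return reply


if __name__ == "__main__":
    msg = build_get_request("public", "1.3.6.1.2.1.1.1.0")     # sysDescr.0
    print(msg.hex())
    print(sniff_community(msg))                                  # (0, 'public', 160)
    # print(query("agent.example.net", "public", "1.3.6.1.2.1.1.1.0").hex())
```

The same framing is used by SNMPv2c (version field 1); only SNMPv3 wraps the PDU in a header carrying securityParameters, and only with authPriv does the community-style secret stop being readable on the wire.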
II. SNMP network management tools (the net-snmp command-line utilities)
1. snmpget
Used by a management process to retrieve the value of one or more objects from an agent.
Example: snmpget -c public localhost system.sysDescr.0
system.sysDescr.0 = unknown
-c gives the community string (lower-case; upper-case -C selects application options). Current net-snmp releases also require the protocol version, e.g. -v 1 or -v 2c, unless a default is configured in snmp.conf.
2. snmpgetnext
Retrieves the object that follows the given OID in MIB order, which is how a table is traversed without knowing its indexes in advance.
3. snmpset
Modifies the value of an object; requires a community (or SNMPv3 user) with write access.
4. snmptrap
Sends a trap (or, with -Ci, an inform) to a notification receiver, normally UDP port 162.
5. snmpwalk
Issues repeated GetNext requests (snmpbulkwalk uses GetBulk) to retrieve an entire subtree.
6. snmptranslate
Converts OIDs between numeric and symbolic forms and displays MIB definitions.
III. SNMP architecture
1. Kinds of SNMP entity the architecture supports
(1) SNMP entities with only command responder and notification originator applications (the traditional agent);
(2) SNMP entities with a proxy forwarder application (the traditional SNMP proxy agent);
(3) command-line driven SNMP entities with command generator and/or notification receiver applications (the traditional command-line manager);
(4) SNMP entities with command generator and notification receiver applications plus command responder and notification originator applications (the traditional SNMP mid-level manager, or dual-role entity);
(5) SNMP entities with command generator and notification receiver applications, and possibly other kinds of application, used to manage a potentially very large number of managed nodes (the traditional network management station).
2. Goals of the architecture
(1) Reuse existing specifications and work as much as possible;
(2) improved support for security mechanisms;
(3)
3. Security threats (three classes)
(1) Principal threats, which the architecture must counter: modification of information (tampering with messages in transit) and masquerade;
(2) secondary threats: message stream modification (reordering, delay, replay) and disclosure;
(3) threats the architecture does not attempt to counter: denial of service and traffic analysis.
4. Document overview
Figure 1 shows how the set of documents that define the SNMP framework fit together.
5. SNMPv3 Architecture
One goal of SNMPv3 is an extensible, modular architecture that unifies the agents and managers of earlier versions under a single notion of an SNMP entity. An SNMP entity consists of an SNMP engine and one or more SNMP applications (Figure 2).
SNMP engine. Each engine is identified by an snmpEngineID that is unique within an administrative domain; engines and entities correspond one to one. An engine contains four subsystems.
- Dispatcher: there is exactly one dispatcher per engine, and it is what lets a single engine support several SNMP message versions concurrently. Main functions:
1) sending SNMP messages to, and receiving them from, the network;
2) determining the version of each message and handing it to the matching message processing model;
3) providing an abstract interface over which SNMP applications send and receive PDUs.
- Message Processing Subsystem: prepares messages for sending and extracts data from received messages. It contains one or more message processing models (RFC 3411 shows four: SNMPv1, SNMPv2c, SNMPv3 and "other"), one per message format; each model builds outgoing messages in its version's format and parses incoming messages of that version.
- Security Subsystem: contains the security models, for example the User-based Security Model (USM) and the community-based model used by v1/v2c. It provides authentication and encryption/decryption services. A security model specifies the threats it protects against and the security protocols that provide the services; a security protocol defines the mechanisms and procedures for the service and the MIB objects it needs for key management, authentication and privacy.
- Access Control Subsystem: contains one or more access control models, for example the View-based Access Control Model (VACM). An access control model provides the authorization service: it decides whether a given principal may access a given managed object, and specifies the access decision in enough detail that it can be evaluated for every request.
Applications
Five kinds of SNMP application are defined:
- command generators: issue Get, GetNext, GetBulk and Set requests to read or modify management data;
- command responders: receive such requests and provide access to management data;
- notification originators: generate Trap or Inform messages;
- notification receivers: receive and process Trap or Inform messages;
- proxy forwarders: forward messages between SNMP entities.
Applications use the services provided by the SNMP engine.
An SNMP entity containing command generator, notification originator and notification receiver applications is the traditional SNMP management station (Figure 3).
An SNMP entity containing one or more command responder, notification originator and proxy forwarder applications is the traditional SNMP agent (Figure 4).
6. Abstract service interfaces
Abstract service interfaces describe the conceptual interfaces between the subsystems of an SNMP entity. They are meant to describe an entity's externally visible behaviour, not to constrain the structure or organization of an implementation, so an abstract service interface is not an API. Each is defined as a set of primitives that name the service provided and the abstract data elements passed in and out.
(1) Dispatcher primitives
The dispatcher typically provides its services to SNMP applications through the PDU dispatcher.
- Generate outgoing requests or notifications
The PDU dispatcher provides the following primitive for an application to send an SNMP request or notification to another SNMP entity:
  statusInformation =              -- sendPduHandle if success
                                   -- errorIndication if failure
    sendPdu(
    IN   transportDomain           -- transport domain to be used
    IN   transportAddress          -- transport address to be used
    IN   messageProcessingModel    -- typically, SNMP version
    IN   securityModel             -- Security Model to use
    IN   securityName              -- on behalf of this principal
    IN   securityLevel             -- Level of Security requested
    IN   contextEngineID           -- data from/at this entity
    IN   contextName               -- data from/in this context
    IN   pduVersion                -- the version of the PDU
    IN   PDU                       -- SNMP Protocol Data Unit
    IN   expectResponse            -- TRUE or FALSE
    )
- Process incoming request or notification PDUs
The PDU dispatcher uses the following primitive to deliver an SNMP PDU to an application:
    processPdu(                    -- process Request/Notification PDU
    IN   messageProcessingModel    -- typically, SNMP version
    IN   securityModel             -- Security Model in use
    IN   securityName              -- on behalf of this principal
    IN   securityLevel             -- Level of Security
    IN   contextEngineID           -- data from/at this SNMP entity
    IN   contextName               -- data from/in this context
    IN   pduVersion                -- the version of the PDU
    IN   PDU                       -- SNMP Protocol Data Unit
    IN   maxSizeResponseScopedPDU  -- maximum size of the Response PDU
    IN   stateReference            -- reference to state information
    )                              -- needed when sending a response
- Generate an outgoing response
The PDU dispatcher provides the following primitive for an application to return an SNMP response:
  result =                         -- SUCCESS or FAILURE
    returnResponsePdu(
    IN   messageProcessingModel    -- typically, SNMP version
    IN   securityModel             -- Security Model in use
    IN   securityName              -- on behalf of this principal
    IN   securityLevel             -- same as on incoming request
    IN   contextEngineID           -- data from/at this SNMP entity
    IN   contextName               -- data from/in this context
    IN   pduVersion                -- the version of the PDU
    IN   PDU                       -- SNMP Protocol Data Unit
    IN   maxSizeResponseScopedPDU  -- maximum size sender can accept
    IN   stateReference            -- reference to state information
                                   -- as presented with the request
    IN   statusInformation         -- success or errorIndication
    )                              -- error counter OID/value if error
- Process an incoming response PDU
The PDU dispatcher uses the following primitive to deliver an incoming SNMP response PDU to an application:
    processResponsePdu(            -- process Response PDU
    IN   messageProcessingModel    -- typically, SNMP version
    IN   securityModel             -- Security Model in use
    IN   securityName              -- on behalf of this principal
    IN   securityLevel             -- Level of Security
    IN   contextEngineID           -- data from/at this SNMP entity
    IN   contextName               -- data from/in this context
    IN   pduVersion                -- the version of the PDU
    IN   PDU                       -- SNMP Protocol Data Unit
    IN   statusInformation         -- success or errorIndication
    IN   sendPduHandle             -- handle from sendPdu
    )
- Registering responsibility for handling SNMP PDUs
An application can register or unregister responsibility for a specific contextEngineID and specific pduTypes through the PDU dispatcher. The list of pduTypes that can be registered is determined by the message processing model:
  statusInformation =              -- success or errorIndication
    registerContextEngineID(
    IN   contextEngineID           -- take responsibility for this one
    IN   pduType                   -- the pduType(s) to be registered
    )
    unregisterContextEngineID(
    IN   contextEngineID           -- give up responsibility for this one
    IN   pduType                   -- the pduType(s) to be unregistered
    )
Note: an implementation of the registerContextEngineID and unregisterContextEngineID abstract service interfaces must provide a concrete mechanism by which applications can register responsibility for any valid combination of contextEngineID and pduType values.
(2) Message Processing Subsystem primitives
The dispatcher interacts with the message processing subsystem to process SNMP messages of a particular version.
- Prepare an outgoing SNMP request or notification message
The message processing subsystem provides this service primitive for preparing an outgoing SNMP request or notification message:
  statusInformation =              -- success or errorIndication
    prepareOutgoingMessage(
    IN   transportDomain           -- transport domain to be used
    IN   transportAddress          -- transport address to be used
    IN   messageProcessingModel    -- typically, SNMP version
    IN   securityModel             -- Security Model to use
    IN   securityName              -- on behalf of this principal
    IN   securityLevel             -- Level of Security requested
    IN   contextEngineID           -- data from/at this entity
    IN   contextName               -- data from/in this context
    IN   pduVersion                -- the version of the PDU
    IN   PDU                       -- SNMP Protocol Data Unit
    IN   expectResponse            -- TRUE or FALSE
    IN   sendPduHandle             -- the handle for matching
                                   -- incoming responses
    OUT  destTransportDomain       -- destination transport domain
    OUT  destTransportAddress      -- destination transport address
    OUT  outgoingMessage           -- the message to send
    OUT  outgoingMessageLength     -- its length
    )
- Prepare an outgoing SNMP response message
The message processing subsystem provides this service primitive for preparing an outgoing SNMP response message:
  result =                         -- SUCCESS or FAILURE
    prepareResponseMessage(
    IN   messageProcessingModel    -- typically, SNMP version
    IN   securityModel             -- same as on incoming request
    IN   securityName              -- same as on incoming request
    IN   securityLevel             -- same as on incoming request
    IN   contextEngineID           -- data from/at this SNMP entity
    IN   contextName               -- data from/in this context
    IN   pduVersion                -- the version of the PDU
    IN   PDU                       -- SNMP Protocol Data Unit
    IN   maxSizeResponseScopedPDU  -- maximum size able to accept
    IN   stateReference            -- reference to state information
                                   -- as presented with the request
    IN   statusInformation         -- success or errorIndication
                                   -- error counter OID/value if error
    OUT  destTransportDomain       -- destination transport domain
    OUT  destTransportAddress      -- destination transport address
    OUT  outgoingMessage           -- the message to send
    OUT  outgoingMessageLength     -- its length
    )
- Extract data elements from an incoming SNMP message
The message processing subsystem provides this service primitive for extracting the abstract data elements from an incoming SNMP message:
  result =                         -- SUCCESS or errorIndication
    prepareDataElements(
    IN   transportDomain           -- origin transport domain
    IN   transportAddress          -- origin transport address
    IN   wholeMsg                  -- as received from the network
    IN   wholeMsgLength            -- as received from the network
    OUT  messageProcessingModel    -- typically, SNMP version
    OUT  securityModel             -- Security Model to use
    OUT  securityName              -- on behalf of this principal
    OUT  securityLevel             -- Level of Security requested
    OUT  contextEngineID           -- data from/at this entity
    OUT  contextName               -- data from/in this context
    OUT  pduVersion                -- the version of the PDU
    OUT  PDU                       -- SNMP Protocol Data Unit
    OUT  pduType                   -- SNMP PDU type
    OUT  sendPduHandle             -- handle for matched request
    OUT  maxSizeResponseScopedPDU  -- maximum size sender can accept
    OUT  statusInformation         -- success or errorIndication
                                   -- error counter OID/value if error
    OUT  stateReference            -- reference to state information
                                   -- to be used for possible Response
    )
(3) Access Control Subsystem primitives
Relative to the access control subsystem, an application is the typical client. The access control subsystem checks whether a request is authorized through the following primitive:
  statusInformation =              -- success or errorIndication
    isAccessAllowed(
    IN   securityModel             -- Security Model in use
    IN   securityName              -- principal who wants to access
    IN   securityLevel             -- Level of Security
    IN   viewType                  -- read, write, or notify view
    IN   contextName               -- context containing variableName
    IN   variableName              -- OID for the managed object
    )
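The isAccessAllowed primitive above, and the view-based access control model described under the Access Control Subsystem, implemented as an added example (not code from the original notes) following the decision procedure of RFC 3415 section 3.2. The groups, access rows and views are a constructed configuration, not any real device's; the status strings are the RFC's own result names.

```python
"""Model of the VACM isAccessAllowed decision (RFC 3415 section 3.2).
Added example; the tables below are a constructed configuration."""
from typing import Dict, List, Tuple

NO_AUTH_NO_PRIV, AUTH_NO_PRIV, AUTH_PRIV = 1, 2, 3    # SnmpSecurityLevel values
MODEL_V2C, MODEL_USM, ANY_MODEL = 2, 3, 0             # SnmpSecurityModel values; 0 = wildcard row

Oid = Tuple[int, ...]


def oid(dotted: str) -> Oid:
    return tuple(int(x) for x in dotted.split("."))


CONTEXTS = {""}                                       # vacmContextTable: only the default context
# vacmSecurityToGroupTable: (securityModel, securityName) -> groupName
GROUPS = {(MODEL_V2C, "public"): "ro-group", (MODEL_USM, "monitor"): "ro-group",
          (MODEL_USM, "netops"): "rw-group", (MODEL_USM, "ifmon"): "if1-group"}
# vacmAccessTable rows:
# (groupName, contextPrefix, securityModel, minSecurityLevel, exactContextMatch, readView, writeView, notifyView)
ACCESS = [
    ("ro-group",  "", ANY_MODEL, NO_AUTH_NO_PRIV, False, "system-only", "",            "system-only"),
    ("rw-group",  "", MODEL_USM, AUTH_PRIV,       True,  "all-but-usm", "all-but-usm", "all-but-usm"),
    ("if1-group", "", MODEL_USM, AUTH_NO_PRIV,    True,  "if1-only",    "",            "if1-only"),
]
# vacmViewTreeFamilyTable: viewName -> [(subtree, mask, included)]
# mask bits: 1 = sub-identifier must match, 0 = wildcard; bits beyond the mask count as 1
VIEWS: Dict[str, List[Tuple[Oid, Tuple[int, ...], bool]]] = {
    "system-only": [(oid("1.3.6.1.2.1.1"), (), True)],
    "all-but-usm": [(oid("1.3.6.1"), (), True),
                    (oid("1.3.6.1.6.3.15"), (), False)],             # hide SNMP-USER-BASED-SM-MIB
    # ifEntry.<any column>.1: the mask wildcards the column arc, so every column of row 1 is visible
    "if1-only":    [(oid("1.3.6.1.2.1.2.2.1.0.1"), (1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1), True)],
}


def in_view(view_name: str, variable: Oid) -> str:
    """Step 5: among matching families, the one with the most sub-identifiers wins
    (ties: lexicographically greatest subtree); its included/excluded flag decides."""
    families = VIEWS.get(view_name)
    if families is None:
        return "noSuchView"
    best = None
    for subtree, mask, included in families:
        if len(variable) < len(subtree):
            continue
        full_mask = mask + (1,) * (len(subtree) - len(mask))
        if all(m == 0 or v == s for v, s, m in zip(variable, subtree, full_mask)):
            key = (len(subtree), subtree)
            if best is None or key > best[0]:
                best = (key, included)
    return "accessAllowed" if best is not None and best[1] else "notInView"


def is_access_allowed(security_model: int, security_name: str, security_level: int,
                      view_type: str, context_name: str, variable_name: str) -> str:
    """The six inputs of the isAccessAllowed primitive; returns an RFC 3415 status name."""
    if context_name not in CONTEXTS:
        return "noSuchContext"
    group = GROUPS.get((security_model, security_name))
    if group is None:
        return "noGroupName"
    candidates = []
    for g, prefix, model, min_level, exact, rv, wv, nv in ACCESS:
        if g != group or model not in (ANY_MODEL, security_model) or security_level < min_level:
            continue
        if (context_name != prefix) if exact else (not context_name.startswith(prefix)):
            continue
        # step 4 preference: exact context match, specific model, higher level, longer prefix
        rank = (exact, model != ANY_MODEL, min_level, len(prefix))
        candidates.append((rank, {"read": rv, "write": wv, "notify": nv}))
    if not candidates:
        return "noAccessEntry"
    view_name = max(candidates, key=lambda c: c[0])[1][view_type]
    if not view_name:
        return "noSuchView"                           # empty view name = no access of this type
    return in_view(view_name, oid(variable_name))


if __name__ == "__main__":
    print(is_access_allowed(MODEL_V2C, "public", NO_AUTH_NO_PRIV, "read", "", "1.3.6.1.2.1.1.1.0"))
    print(is_access_allowed(MODEL_USM, "netops", AUTH_NO_PRIV, "write", "", "1.3.6.1.2.1.1.5.0"))
```

Two things worth noticing when reading the result: the rw-group row demands authPriv, so a correctly authenticated but unencrypted request from netops is refused with noAccessEntry rather than failing later, and the excluded USM subtree wins over the broader included family because the longer subtree is chosen, which is how a view hides the user table from the very users it grants wide read access to.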
(4) Security Subsystem primitives
Relative to the security subsystem, the message processing subsystem is the typical client.
- Generate a request or notification message
The security subsystem generates a request or notification message through the following primitive:
  statusInformation =
    generateRequestMsg(
    IN   messageProcessingModel    -- typically, SNMP version
    IN   globalData                -- message header, admin data
    IN   maxMessageSize            -- of the sending SNMP entity
    IN   securityModel             -- for the outgoing message
    IN   securityEngineID          -- authoritative SNMP entity
    IN   securityName              -- on behalf of this principal
    IN   securityLevel             -- Level of Security requested
    IN   scopedPDU                 -- message (plaintext) payload
    OUT  securityParameters        -- filled in by Security Module
    OUT  wholeMsg                  -- complete generated message
    OUT  wholeMsgLength            -- length of the generated message
    )
- Process an incoming message
The security subsystem processes an incoming message through the following primitive:
  statusInformation =              -- errorIndication or success
                                   -- error counter OID/value if error
    processIncomingMsg(
    IN   messageProcessingModel    -- typically, SNMP version
    IN   maxMessageSize            -- of the sending SNMP entity
    IN   securityParameters        -- for the received message
    IN   securityModel             -- for the received message
    IN   securityLevel             -- Level of Security
    IN   wholeMsg                  -- as received on the wire
    IN   wholeMsgLength            -- length as received on the wire
    OUT  securityEngineID          -- authoritative SNMP entity
    OUT  securityName              -- identification of the principal
    OUT  scopedPDU,                -- message (plaintext) payload
    OUT  maxSizeResponseScopedPDU  -- maximum size sender can handle
    OUT  securityStateReference    -- reference to security state
    )                              -- information, needed for response
- Generate a response message
The security subsystem generates a response message through the following primitive:
  statusInformation =
    generateResponseMsg(
    IN   messageProcessingModel    -- typically, SNMP version
    IN   globalData                -- message header, admin data
    IN   maxMessageSize            -- of the sending SNMP entity
    IN   securityModel             -- for the outgoing message
    IN   securityEngineID          -- authoritative SNMP entity
    IN   securityName              -- on behalf of this principal
    IN   securityLevel             -- for the outgoing message
    IN   scopedPDU                 -- message (plaintext) payload
    IN   securityStateReference    -- reference to security state
                                   -- information from original request
    OUT  securityParameters        -- filled in by Security Module
    OUT  wholeMsg                  -- complete generated message
    OUT  wholeMsgLength            -- length of the generated message
    )
(5) Common primitives
The following primitive is common to several subsystems.
- Release state reference information
Every subsystem that hands out state reference information also provides a primitive for releasing it, so that the memory behind the reference can be freed:
    stateRelease(
    IN   stateReference            -- handle of reference to be released
    )
(6) Scenario diagrams
- Command generator or notification originator application
This diagram shows how a command generator or notification originator application makes a request, how the PDU is sent, and how the response is returned to the application.
- Command responder application
This diagram shows how a command responder or notification receiver application registers for the pduTypes it handles, how a PDU is dispatched to the application after an SNMP message is received, and how the response is sent back onto the network.
7. Definitions of managed objects in the SNMP management framework (SNMP-FRAMEWORK-MIB)
(1) Textual conventions used in the SNMP management framework
- SnmpEngineID: the unique, unambiguous identifier of an SNMP engine. It is used only for identification, never for addressing, even when an address is embedded in it. Its value must not be all zeros, all ones or empty (the textual convention limits it to 5..32 octets). The initial value can be configured from the console, but generating it algorithmically from the enterprise number plus a local address or MAC is recommended.
- SnmpSecurityModel: identifies a security model within the SNMP management framework. 0 identifies no particular model ("any"); 1..255 (255 included) are reserved and managed by IANA (1 = SNMPv1, 2 = SNMPv2c, 3 = USM); values above 255 are allocated to enterprise-specific security models.
- SnmpMessageProcessingModel: uniquely identifies a message processing model within the framework. 0..255 (255 included) are reserved and managed by IANA (0 = SNMPv1, 1 = SNMPv2c, 3 = SNMPv3); values above 255 are allocated to enterprise-specific message processing models.
- SnmpSecurityLevel: the level of security at which an SNMP message is sent or processed: noAuthNoPriv, authNoPriv or authPriv.
- SnmpAdminString: an octet string of up to 255 bytes, UTF-8 encoded, holding administrative information intended to be read by people.
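The SnmpEngineID rules above as an added example (not code from the original notes): it builds an engine ID in the RFC 3411 "new" layout (high bit set, 4-byte enterprise number, one format byte, then the address or text the format implies), applies the not-all-zeros / not-all-ones / size checks, and decodes an ID back into its parts. The enterprise number 8072 is net-snmp's and is used only as an illustration; the addresses are documentation-range values.

```python
"""Build, validate and decode an SnmpEngineID (RFC 3411 textual convention).
Added example; enterprise 8072 and the addresses are illustrative only."""
import ipaddress

FORMAT_IPV4, FORMAT_IPV6, FORMAT_MAC, FORMAT_TEXT, FORMAT_OCTETS = 1, 2, 3, 4, 5
_FIXED_LEN = {FORMAT_IPV4: 4, FORMAT_IPV6: 16, FORMAT_MAC: 6}


def validate_engine_id(eid: bytes) -> None:
    """The rules the notes state, plus the size bounds from the TC."""
    if not 5 <= len(eid) <= 32:
        raise ValueError("snmpEngineID must be 5..32 octets")
    if eid == bytes(len(eid)) or eid == b"\xff" * len(eid):
        raise ValueError("snmpEngineID must not be all zeros or all ones")
    if not eid[0] & 0x80 and len(eid) != 12:
        raise ValueError("old-layout snmpEngineID must be exactly 12 octets")


def make_engine_id(enterprise: int, fmt: int, data: bytes) -> bytes:
    """New layout: bit 0 set, 31-bit enterprise number, format byte, format-specific data."""
    if not 0 <= enterprise < 2 ** 31:
        raise ValueError("enterprise number must fit in 31 bits")
    if fmt in _FIXED_LEN:
        if len(data) != _FIXED_LEN[fmt]:
            raise ValueError(f"format {fmt} needs {_FIXED_LEN[fmt]} data bytes")
    elif fmt in (FORMAT_TEXT, FORMAT_OCTETS):
        if not 1 <= len(data) <= 27:
            raise ValueError("text/octets data must be 1..27 bytes")
    elif not 128 <= fmt <= 255:
        raise ValueError("formats 6..127 are reserved")
    eid = (0x80000000 | enterprise).to_bytes(4, "big") + bytes([fmt]) + data
    validate_engine_id(eid)
    return eid


def decode_engine_id(eid: bytes) -> dict:
    """Split an engine ID into layout, enterprise, format and (where known) a readable address."""
    validate_engine_id(eid)
    if not eid[0] & 0x80:
        return {"layout": "old", "enterprise": int.from_bytes(eid[:4], "big"), "data": eid[4:]}
    enterprise = int.from_bytes(eid[:4], "big") & 0x7FFFFFFF
    fmt, data = eid[4], eid[5:]
    out = {"layout": "new", "enterprise": enterprise, "format": fmt, "data": data}
    if fmt == FORMAT_IPV4 and len(data) == 4:
        out["address"] = str(ipaddress.IPv4Address(data))
    elif fmt == FORMAT_IPV6 and len(data) == 16:
        out["address"] = str(ipaddress.IPv6Address(data))
    elif fmt == FORMAT_MAC and len(data) == 6:
        out["address"] = data.hex(":")
    elif fmt == FORMAT_TEXT:
        out["text"] = data.decode("utf-8", "replace")
    return out


if __name__ == "__main__":
    eid = make_engine_id(8072, FORMAT_IPV4, bytes([192, 0, 2, 10]))
    print(eid.hex())                 # 80001f8801c000020a
    print(decode_engine_id(eid))
```

Because USM keys are localized with the authoritative engine's snmpEngineID, two devices that are cloned with the same ID also share localized keys, so a generated, per-device ID is not only a naming convention but part of the key separation.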
(2) Administrative assignments
- snmpFrameworkAdmin
- snmpFrameworkMIBObjects
- snmpFrameworkMIBConformance
(3) The snmpEngine group
- snmpEngine
- snmpEngineID: this engine's identifier
- snmpEngineBoots: the number of times the engine has (re)initialized since its snmpEngineID was last configured
- snmpEngineTime: the number of seconds since the engine last booted
- snmpEngineMaxMessageSize: the largest message, in octets, the engine can send or receive
USM uses the authoritative engine's snmpEngineBoots and snmpEngineTime for its timeliness check, which is what limits replay of captured authenticated messages; a manager learns them through the engine discovery exchange before it can send an authenticated request.
(4) Registration points for authentication and privacy protocols
- snmpAuthProtocols
- snmpPrivProtocols
(5) Conformance information
- snmpFrameworkMIBCompliances
- snmpFrameworkMIBGroups