Computer Network Management (《计算机网络管理》). Lecturer: Wang Jilong (王继龙), Information Network Engineering Research Center, Tsinghua University (清华大学信息网络工程研究中心). Lecture transcript.
This lecture: SNMP Overview (cont.); preparation for next lecture's discussion; status of the first assignment.
SNMP applications
- Configuration management: topology discovery; obtaining network partition information; obtaining node device type, distribution and configuration information
- Fault management (邹焕英): link fault monitoring; node fault monitoring; protocol fault monitoring
- Performance management (宋驰, 菅骁翔): traffic monitoring; protocol monitoring; diagnostic monitoring; user behaviour monitoring
- Accounting management (陈鹏宇, 钟华强): user data collection
SNMP Overview
Architecture (figure): Agent/Server, Client/Application and Protocol; MIB definition and MIB implementation, with standard MIBs and private MIBs in the protocol stack; the SNMP commands GET, SET and Trap carried over UDP.
SNMP Overview
- Definition of management information: MIB
- Collection and provision of management information: Agent/Server
- Transport of management information: the SNMP protocol
- Collection and use of management information: Client/Application
SNMP Name Structure (OID tree)
1 - iso
  3 - org
    6 - dod
      1 - Internet
        1 - directory
        2 - mgmt
          1 - mib
            1 - system
              1 - sysDescr
              2 - sysObjectID
            2 - interfaces
              1 - ifTable
                1 - ifEntry
                  1 - ifIndex
                  2 - ifDescr
                  3 - ifType
                  ........
                  10 - ifInOctets
        3 - expt
        4 - private
          1 - Enterprise
            9 - cisco
Client/Application
- Implements the SNMP commands (compare: the ftp protocol versus the ftp command). Example: snmpwalk -v 1 166.111.0.1 public 1.3.6.1.2.1.1.1
- The initiator of SNMP requests. An Agent may also send SNMP requests to other Agents, in which case its role is that of a Client; for example, a Linux host that implements an SNMP Agent and also has a network management system installed.
- A Client may also answer SNMP requests, in which case its role is that of an Agent, as in the example above.
Transport of management information: the Protocol
- SNMP data requests: GET, GET NEXT
- SNMP data operations: SET
- SNMP replies: Response
- Event occurrence (unsolicited messages): Trap
LIMITATIONS OF SNMPv1
- LIMITED ERROR CODES
- LIMITED DATA TYPES
- LIMITED NOTIFICATIONS
- LIMITED PERFORMANCE
- TRANSPORT DEPENDENCE
- LACK OF HIERARCHIES
- LACK OF SECURITY
New Features
- IMPROVED COMMUNICATION MODEL: TRAPS HAVE SAME FORMAT AS OTHER PDUs; GET-BULK PDU; ADDITIONAL ERROR CODES FOR SETS
- TWO SECURITY MODELS: SNMPv2C (COMMUNITY BASED); SNMPv2U (USER BASED)
- INDEPENDENCE OF UNDERLYING TRANSPORT
- MIB-II SPLIT INTO MODULES
- IMPROVED INFORMATION MODEL (SMIv2): ADDITIONAL DATA TYPES; TEXTUAL CONVENTIONS (E.G. RowStatus); NOTIFICATIONS
HISTORY OF SNMPv2 (timeline figure covering 1990 to 2000; only its labels survive)
- SNMP/SMI v1
- SMP, then SNMPv2 with party-based security, and SMIv2
- community (SNMPv2C), V2U (sec), V2* ...
- SNMPv3
- DISMAN (distributed management)
- Status labels on the figure: proposed standard, draft standard, full standard
HIERARCHIES: ORIGINAL IDEA (figure): a top-level manager M commands and polls intermediate managers M, which poll the agents A and send inform messages back up the hierarchy. WORK HAS MOVED TO A SEPARATE DISTRIBUTED MANAGEMENT GROUP (DISMAN).
SNMPv2 SECURITY: WHAT HAPPENED?
- APRIL 1993: PROPOSED STANDARD; FOUR EDITORS; SECURITY BASED ON PARTIES; FIRST PROTOTYPES APPEARED SOON
- JUNE 1995: PROPOSED STANDARD REJECTED BY TWO OF THE ORIGINAL EDITORS!
- AUGUST 1995: GENERAL AGREEMENT THAT PARTY BASED MODEL WAS TOO COMPLEX! MANY NEW PROPOSALS APPEARED
- 1997: NEW SNMPv3 WORKING GROUP WAS FORMED, WITH NEW EDITORS
SNMPv2 PROTOCOL OPERATIONS (figure): get, getNext, getBulk and set are sent by the manager to the agent's MIB and answered with a response; trap is sent by the agent to the manager without a response; inform is sent by a manager to another manager (acting as the "agent") and answered with a response.
GET
- SIMILAR TO SNMPv1, EXCEPT FOR "EXCEPTIONS"
- POSSIBLE EXCEPTIONS: noSuchObject, noSuchInstance
- EXCEPTIONS ARE CODED WITHIN THE VARBINDS
- EXCEPTIONS DO NOT RAISE ERROR STATUS AND INDEX
GET-NEXT
- SIMILAR TO SNMPv1, EXCEPT FOR "EXCEPTIONS"
- POSSIBLE EXCEPTIONS: endOfMibView
- EXAMPLE: getNext(1.4.0) -> response(error-status => noError, 1.4.0 => endOfMibView)
GET-BULK
- NEW IN SNMPv2
- TO RETRIEVE A LARGE NUMBER OF VARBINDS
- IMPROVES PERFORMANCE!
GET-BULK
getBulk REQUEST HAS TWO ADDITIONAL PARAMETERS: non-repeaters AND max-repetitions.
- THE FIRST N ELEMENTS (non-repeaters) OF THE VARBIND LIST ARE TREATED AS IF THE OPERATION WAS A NORMAL getNext OPERATION (N TIMES).
- THE NEXT ELEMENTS OF THE VARBIND LIST ARE TREATED AS IF THE OPERATION CONSISTED OF A NUMBER (max-repetitions) OF REPEATED getNext OPERATIONS (M TIMES).

GET-BULK-REQUEST(non-repeaters = N; max-repetitions = M;
  VariableBinding-1; ... ; VariableBinding-N; VariableBinding-(N+1); ... ; VariableBinding-(N+R))
RESPONSE(
  VariableBinding-1; ... ; VariableBinding-N;             (N TIMES: one successor each)
  VariableBinding-(N+1); ... ; VariableBinding-(N+R);     (1st LEXICOGRAPHICAL SUCCESSOR)
  VariableBinding-(N+1); ... ; VariableBinding-(N+R);     (2nd LEXICOGRAPHICAL SUCCESSOR)
  VariableBinding-(N+1); ... ; VariableBinding-(N+R);     (3rd LEXICOGRAPHICAL SUCCESSOR)
  ...
  VariableBinding-(N+1); ... ; VariableBinding-(N+R))     (Mth LEXICOGRAPHICAL SUCCESSOR; M TIMES)
GET-BULK EXAMPLE
getBulk(max-repetitions = 4; 1.1)
response(1.1.0 => 130.89.16.21; 1.2.1.0 => printer-1; 1.2.2.0 => 123456; 1.3.1.1.2.1 => 2)

getBulk(max-repetitions = 3; 1.3.1.1; 1.3.1.2; 1.3.1.3)
response(1.3.1.1.2.1 => 2; 1.3.1.2.2.1 => 1; 1.3.1.3.2.1 => 2;
         1.3.1.1.3.1 => 3; 1.3.1.2.3.1 => 1; 1.3.1.3.3.1 => 3;
         1.3.1.1.5.1 => 5; 1.3.1.2.5.1 => 1; 1.3.1.3.5.1 => 2)
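The getNext and getBulk semantics above (N single successors, then M rounds over the remaining varbinds, with the endOfMibView exception carried inside the varbind), implemented as an added example over the MIB instances of the slide; this is illustrative code written for this page, not code from the lecture. The `MibTable`, `get_next` and `get_bulk` names are assumptions, and OID order is plain tuple comparison, which is exactly the lexicographic order SNMP requires.

```python
"""Toy SNMPv2 agent: lexicographic getNext and getBulk over a sorted MIB."""

END_OF_MIB_VIEW = "endOfMibView"


def parse_oid(text):
    """'1.3.1.1' -> (1, 3, 1, 1); tuples compare lexicographically, as OIDs must."""
    return tuple(int(part) for part in text.split("."))


def fmt_oid(oid):
    return ".".join(str(part) for part in oid)


class MibTable:
    def __init__(self, objects):
        # Sorted list of (oid tuple, value): the agent's lexicographic MIB order.
        self.items = sorted((parse_oid(name), value) for name, value in objects.items())

    def get_next(self, oid):
        """First instance strictly after oid, or the endOfMibView exception.

        The exception travels inside the varbind (keeping the requested name)
        and does not raise error-status/error-index, as SNMPv2 specifies.
        """
        for name, value in self.items:
            if name > oid:
                return name, value
        return oid, END_OF_MIB_VIEW

    def get_bulk(self, non_repeaters, max_repetitions, names):
        """getBulk semantics: N single getNexts, then M rounds over the rest."""
        oids = [parse_oid(n) for n in names]
        out = []
        for oid in oids[:non_repeaters]:          # N-TIMES: plain getNext
            out.append(self.get_next(oid))
        cursors = oids[non_repeaters:]
        for _ in range(max_repetitions):          # M-TIMES: one successor per column
            nxt = [self.get_next(c) for c in cursors]
            out.extend(nxt)
            # Continue each column from the successor just returned; a column
            # that hit endOfMibView keeps returning endOfMibView (RFC 1905).
            cursors = [n for n, _ in nxt]
        return [(fmt_oid(n), v) for n, v in out]


# Constructed MIB holding exactly the instances shown in the slide's example.
SLIDE_MIB = MibTable({
    "1.1.0": "130.89.16.21", "1.2.1.0": "printer-1", "1.2.2.0": 123456,
    "1.3.1.1.2.1": 2, "1.3.1.2.2.1": 1, "1.3.1.3.2.1": 2,
    "1.3.1.1.3.1": 3, "1.3.1.2.3.1": 1, "1.3.1.3.3.1": 3,
    "1.3.1.1.5.1": 5, "1.3.1.2.5.1": 1, "1.3.1.3.5.1": 2,
})


def slide_examples():
    """Reproduce the two getBulk calls and the getNext(1.4.0) case from the slides."""
    first = SLIDE_MIB.get_bulk(0, 4, ["1.1"])
    second = SLIDE_MIB.get_bulk(0, 3, ["1.3.1.1", "1.3.1.2", "1.3.1.3"])
    past_end = SLIDE_MIB.get_next(parse_oid("1.4.0"))
    return first, second, (fmt_oid(past_end[0]), past_end[1])


if __name__ == "__main__":
    for step in slide_examples():
        print(step)
```

The snmpwalk command shown earlier is nothing more than this get_next loop driven until endOfMibView (or until the walk leaves the requested subtree).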
SET
- SIMILAR TO SNMPv1
- CONCEPTUAL TWO PHASE COMMIT: PHASE 1: PERFORM VARIOUS CHECKS; PHASE 2: PERFORM THE ACTUAL SET
- MANY NEW ERROR CODES ARE DEFINED
NEW ERROR CODES FOR SETS (SNMPv2 code -> SNMPv1 equivalent)
PHASE 1:
  wrongValue          -> badValue
  wrongEncoding       -> badValue
  wrongType           -> badValue
  wrongLength         -> badValue
  inconsistentValue   -> badValue
  noAccess            -> noSuchName
  notWritable         -> noSuchName
  noCreation          -> noSuchName
  inconsistentName    -> noSuchName
  resourceUnavailable -> genErr
  genErr              -> genErr
PHASE 2:
  commitFailed        -> genErr
  undoFailed          -> genErr
TRAP
- SNMPv1: COLD START, WARM START, LINK DOWN, LINK UP, AUTHENTICATION FAILURE, EGP NEIGHBOR LOSS
- SNMPv2: MIBs MAY NOW INCLUDE NOTIFICATION-TYPE MACROS; FIRST TWO VARBINDS: sysUpTime AND snmpTrapOID; USES SAME FORMAT AS OTHER PDUs
INFORM
- CONFIRMED TRAP
- ORIGINALLY TO INFORM A HIGHER LEVEL MANAGER
- SAME FORMAT AS TRAP PDU
- POSSIBLE ERROR: tooBig
TRANSPORT DEPENDENCE
- SNMPv1: UDP
- SNMPv2: UDP, CLNS (OSI), DDP (APPLETALK), IPX
SNMPv2 RFCs
- COMMUNICATION MODEL: DRAFT STANDARD; RFC 1905, RFC 1906
- SECURITY MODEL - SNMPv2C: COMMUNITY BASED SNMP; SAME 'SECURITY MECHANISMS' AS SNMPv1; EXPERIMENTAL STATUS; RFC 1901
- SECURITY MODEL - SNMPv2U: USER BASED SECURITY (AUTHENTICATION / ENCRYPTION / ACCESS CONTROL); EXPERIMENTAL STATUS; RFC 1909, RFC 1910
- INFORMATION MODEL: STANDARD; RFC 2578, RFC 2579, RFC 2580
SNMPv3 DESIGN DECISIONS
- ADDRESS THE NEED FOR SECURE SET SUPPORT
- DEFINE AN ARCHITECTURE THAT ALLOWS FOR LONGEVITY OF SNMP
- ALLOW THAT DIFFERENT PORTIONS OF THE ARCHITECTURE MOVE AT DIFFERENT SPEEDS TOWARDS STANDARD STATUS
- ALLOW FOR FUTURE EXTENSIONS
- KEEP SNMP AS SIMPLE AS POSSIBLE
- ALLOW FOR MINIMAL IMPLEMENTATIONS
- SUPPORT ALSO THE MORE COMPLEX FEATURES, WHICH ARE REQUIRED IN LARGE NETWORKS
- RE-USE EXISTING SPECIFICATIONS, WHENEVER POSSIBLE
SNMPv3 ARCHITECTURE (figure): an SNMP ENTITY consists of an SNMP ENGINE (DISPATCHER, MESSAGE PROCESSING SUBSYSTEM, SECURITY SUBSYSTEM, ACCESS CONTROL SUBSYSTEM) and SNMP APPLICATIONS (COMMAND GENERATOR, COMMAND RESPONDER, NOTIFICATION ORIGINATOR, NOTIFICATION RECEIVER, PROXY FORWARDER, OTHER).
SNMPv3 ARCHITECTURE: MANAGER (figure): the applications COMMAND GENERATOR and NOTIFICATION RECEIVER sit above the PDU DISPATCHER; the MESSAGE PROCESSING SUBSYSTEM holds one model each for SNMPv1, SNMPv2C, SNMPv3 and OTHER; the SECURITY SUBSYSTEM holds the COMMUNITY BASED SECURITY MODEL, the USER BASED SECURITY MODEL and OTHER SECURITY MODELS; the MESSAGE DISPATCHER sits above the TRANSPORT MAPPINGS.
SNMPv3 ARCHITECTURE: AGENT (figure): the same engine layout as the manager (PDU DISPATCHER; MESSAGE PROCESSING SUBSYSTEM with SNMPv1, SNMPv2C, SNMPv3 and OTHER models; SECURITY SUBSYSTEM with the COMMUNITY BASED, USER BASED and OTHER SECURITY MODELS; MESSAGE DISPATCHER over TRANSPORT MAPPINGS), plus the ACCESS CONTROL SUBSYSTEM with VIEW BASED ACCESS CONTROL in front of the MANAGEMENT INFORMATION BASE, and the applications COMMAND RESPONDER and NOTIFICATION ORIGINATOR.
CONCEPTS: snmpEngineID (figure): four SNMP ENTITIES, each containing an SNMP ENGINE and other components, identified by snmpEngineID = 1, 2, 3 and 4 respectively.
PRIMITIVES BETWEEN MODULES (figure sequence: the same engine diagram, with DISPATCHER, MESSAGE PROCESSING SUBSYSTEM, SECURITY SUBSYSTEM, ACCESS CONTROL SUBSYSTEM and APPLICATIONS, is repeated with one primitive highlighted per slide)

Request path, manager side:
- sendPdu: APPLICATIONS -> DISPATCHER
- prepareOutgoingMessage: DISPATCHER -> MESSAGE PROCESSING SUBSYSTEM
- generateRequestMsg: MESSAGE PROCESSING SUBSYSTEM -> SECURITY SUBSYSTEM
- send / receive: DISPATCHER <-> transport

Request path, agent side:
- prepareDataElements: DISPATCHER -> MESSAGE PROCESSING SUBSYSTEM
- processIncomingMsg: MESSAGE PROCESSING SUBSYSTEM -> SECURITY SUBSYSTEM
- processPdu: DISPATCHER -> APPLICATIONS
- isAccessAllowed: APPLICATIONS -> ACCESS CONTROL SUBSYSTEM
- returnResponsePdu: APPLICATIONS -> DISPATCHER
- prepareResponseMessage: DISPATCHER -> MESSAGE PROCESSING SUBSYSTEM
- generateResponseMsg: MESSAGE PROCESSING SUBSYSTEM -> SECURITY SUBSYSTEM
- send / receive: DISPATCHER <-> transport

Response path, manager side:
- prepareDataElements: DISPATCHER -> MESSAGE PROCESSING SUBSYSTEM
- processIncomingMsg: MESSAGE PROCESSING SUBSYSTEM -> SECURITY SUBSYSTEM
- processResponsePdu: DISPATCHER -> APPLICATIONS

Parameters carried by these primitives: transportDomain, transportAddress, messageProcessingModel, securityModel, securityName, securityLevel, contextEngineID, contextName, pduVersion, PDU, expectResponse, maxSizeResponseScopedPDU, stateReference, statusInformation, sendPduHandle, destTransportDomain, destTransportAddress, outgoingMessage, outgoingMessageLength, wholeMsg, wholeMsgLength, pduType, viewType, variableName, globalData, maxMessageSize, securityEngineID, scopedPDU, securityParameters, securityStateReference.
MODULES OF THE SNMPv3 ARCHITECTURE
- DISPATCHER AND MESSAGE PROCESSING MODULE: SNMPv3 MESSAGE STRUCTURE, snmpMPDMIB, RFC 2572
- APPLICATIONS: snmpTargetMIB, snmpNotificationMIB, snmpProxyMIB, RFC 2573
- SECURITY SUBSYSTEM: USER BASED SECURITY MODEL, snmpUsmMIB, RFC 2574
- ACCESS CONTROL SUBSYSTEM: VIEW BASED ACCESS CONTROL MODEL, snmpVacmMIB, RFC 2575
SNMPv3 MESSAGE STRUCTURE (figure)
- msgVersion: USED BY MESSAGE PROCESSING SUBSYSTEM
- msgID, msgMaxSize, msgFlags, msgSecurityModel: USED BY SNMPv3 PROCESSING MODULE
- msgSecurityParameters: USED BY SECURITY SUBSYSTEM
- contextEngineID, contextName, PDU: USED BY ACCESS CONTROL SUBSYSTEM AND APPLICATIONS
SNMPv3 PROCESSING MODULE PARAMETERS (figure)
- msgVersion
- msgID: 0..2147483647
- msgMaxSize: 484..2147483647
- msgFlags: authFlag, privFlag, reportableFlag
- msgSecurityModel: SNMPv1, SNMPv2c, USM
- msgSecurityParameters
- contextEngineID, contextName
- PDU
SECURE COMMUNICATION VERSUS ACCESS CONTROL (figure): the MANAGER's APPLICATION PROCESSES and the AGENT's MIB exchange GET / GET-NEXT / GET-BULK / SET / TRAP / INFORM over the TRANSPORT SERVICE; SECURE COMMUNICATION protects the path between manager and agent, while ACCESS CONTROL is applied inside the agent, in front of the MIB.
USM: SECURITY THREATS
THREAT             ADDRESSED?  MECHANISM
REPLAY             YES         TIME STAMP
MASQUERADE         YES         MD5 / SHA-1
INTEGRITY          YES         (MD5 / SHA-1)
DISCLOSURE         YES         DES
DENIAL OF SERVICE  YES
TRAFFIC ANALYSIS   YES
Note: RFC 2574 itself lists denial of service and traffic analysis as threats that the USM does not attempt to counter; no mechanism is given for them on the slide.
USM MESSAGE STRUCTURE (figure)
- msgVersion, msgID, msgMaxSize, msgFlags, msgSecurityModel
- msgAuthoritativeEngineID, msgAuthoritativeEngineBoots, msgAuthoritativeEngineTime: against REPLAY
- msgUserName, msgAuthenticationParameters: against MASQUERADE / INTEGRITY
- msgPrivacyParameters: against DISCLOSURE
- contextEngineID, contextName, PDU: the scoped PDU, protected against MASQUERADE / INTEGRITY / DISCLOSURE
IDEA BEHIND REPLAY PROTECTION (figure): the Authoritative Engine stamps each message with its ID, BOOTS and TIME next to the DATA; the Nonauthoritative Engine keeps a LOCAL NOTION OF the REMOTE CLOCK and accepts the message only if its time stamp, compared against that local notion plus the ALLOWED LIFETIME and the LOCAL CLOCK, is still within the allowed window (+ >?).
IDEA BEHIND DATA INTEGRITY AND AUTHENTICATION (figure): the sender feeds DATA and KEY into a HASH FUNCTION to obtain a MAC; ADD THE MESSAGE AUTHENTICATION CODE (MAC) TO THE DATA AND SEND THE RESULT. The receiving USER separates DATA and MAC, recomputes the MAC from DATA and its own copy of the KEY with the same HASH FUNCTION, and compares the two (=?).
IDEA BEHIND THE DATA CONFIDENTIALITY (DES) (figure): the DES ALGORITHM turns DATA and the DES-KEY into ENCRYPTED DATA; the receiving USER applies the DES ALGORITHM with the same DES-KEY to the ENCRYPTED DATA to recover the DATA.
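An added example (not from the lecture) of the three USM ideas just sketched: per-engine key localization, the MAC appended to the data, and the boots/time replay check. It follows RFC 3414, the successor of the RFC 2574 cited on the slides; the function names, the sample PDU bytes and the engine clock values are constructed, and the maplesyrup key with engine ID ...02 is the RFC 3414 A.3.1 test vector.

```python
"""USM ideas from the slides: key localization, HMAC-96 authentication and the
replay (timeliness) check, following RFC 3414 (successor of RFC 2574)."""
import hashlib
import hmac

MAC_LEN = 12          # HMAC-MD5-96 / HMAC-SHA-96: the MAC is truncated to 96 bits
TIME_WINDOW = 150     # seconds an authoritative time may differ before it is stale


def password_to_key(password, hash_name="md5"):
    """Ku: hash of the password repeated cyclically to 1 MiB (RFC 3414 A.2)."""
    pw = password.encode()
    stream = (pw * (1048576 // len(pw) + 1))[:1048576]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku, engine_id, hash_name="md5"):
    """Kul = H(Ku || snmpEngineID || Ku): a different key per authoritative engine,
    so a key recovered from one agent does not authenticate to another."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def authenticate(msg, kul, hash_name="md5"):
    """Sender side of the slide's figure: MAC = hash(key, data), appended to data."""
    mac = hmac.new(kul, msg, hash_name).digest()[:MAC_LEN]
    return msg + mac


def verify(wire, kul, hash_name="md5"):
    """Receiver side: split data and MAC, recompute, compare in constant time."""
    msg, mac = wire[:-MAC_LEN], wire[-MAC_LEN:]
    expected = hmac.new(kul, msg, hash_name).digest()[:MAC_LEN]
    return hmac.compare_digest(mac, expected), msg


def is_timely(msg_boots, msg_time, local_boots, local_time):
    """Non-authoritative side of the replay check: the message's boots must equal
    the local notion of the remote engine's boots, and its time must lie within
    the allowed lifetime of the local notion of the remote clock."""
    if local_boots == 2147483647:          # engine exhausted its boot counter
        return False
    return msg_boots == local_boots and abs(local_time - msg_time) <= TIME_WINDOW


# Constructed values: the RFC 3414 A.3.1 engine ID for the key test vector, and
# hypothetical boots/time pairs for the timeliness check.
ENGINE_ID = bytes.fromhex("000000000000000000000002")


def demo():
    kul = localize_key(password_to_key("maplesyrup"), ENGINE_ID)
    wire = authenticate(b"scopedPDU:get sysDescr.0", kul)
    ok, _ = verify(wire, kul)
    tampered = wire[:5] + bytes([wire[5] ^ 0x01]) + wire[6:]   # one flipped bit
    bad, _ = verify(tampered, kul)
    other_engine = localize_key(password_to_key("maplesyrup"), b"\x00" * 11 + b"\x03")
    cross, _ = verify(wire, other_engine)      # same password, different engine
    return ok, bad, cross, is_timely(7, 1000, 7, 1100), is_timely(7, 1000, 7, 1300)


if __name__ == "__main__":
    print(demo())   # expected: (True, False, False, True, False)
```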
ACCESS CONTROL TABLES (figure)
ALLOWED OPERATIONS  MIB VIEW         ALLOWED MANAGERS  REQUIRED LEVEL OF SECURITY
GET / GETNEXT       Interface Table  John, Paul        Authentication
SET                 Interface Table  John              Authentication
GET / GETNEXT       Systems Group    George            None
...                 ...              ...               Encryption
MIB VIEWS
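The slide's access control tables written out as VACM tables with an isAccessAllowed check, as an added example that is not the lecture's code. The views map the Interface Table to ifTable and the Systems Group to system; the group and view names are constructed, and the excluded sysUpTime subtree is added only to show how an "excluded" view entry behaves.

```python
"""View-based access control (VACM, RFC 3415) for the slide's access control tables:
isAccessAllowed(securityModel, securityName, securityLevel, viewType, variableName)."""

LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}   # None / Authentication / Encryption

# vacmViewTreeFamilyTable (constructed): Interface Table = ifTable (1.3.6.1.2.1.2.2),
# Systems Group = system (1.3.6.1.2.1.1) with sysUpTime excluded to show 'excluded'.
VIEWS = {
    "interfaceView": [("1.3.6.1.2.1.2.2", "included")],
    "systemView":    [("1.3.6.1.2.1.1", "included"),
                      ("1.3.6.1.2.1.1.3", "excluded")],
}
# vacmSecurityToGroupTable: (securityModel, securityName) -> groupName
GROUPS = {("usm", "John"): "ifAdmins", ("usm", "Paul"): "ifReaders", ("usm", "George"): "sysReaders"}
# vacmAccessTable: groupName -> (minimum securityLevel, readView, writeView, notifyView)
ACCESS = {
    "ifAdmins":   ("authNoPriv",   "interfaceView", "interfaceView", ""),   # John: GET and SET
    "ifReaders":  ("authNoPriv",   "interfaceView", "",              ""),   # Paul: GET only
    "sysReaders": ("noAuthNoPriv", "systemView",    "",              ""),   # George: no auth needed
}


def _oid(text):
    return tuple(int(x) for x in text.split("."))


def in_view(view_name, variable_name):
    """RFC 3415: the longest matching subtree decides, and it must be 'included'."""
    oid = _oid(variable_name)
    best = None
    for subtree, kind in VIEWS.get(view_name, []):
        prefix = _oid(subtree)
        if oid[:len(prefix)] == prefix and (best is None or len(prefix) > len(best[0])):
            best = (prefix, kind)
    return best is not None and best[1] == "included"


def is_access_allowed(security_model, security_name, security_level, view_type, variable_name):
    """Return 'accessAllowed' or the VACM error naming the step that failed."""
    group = GROUPS.get((security_model, security_name))
    if group is None:
        return "noGroupName"
    row = ACCESS.get(group)
    if row is None:
        return "noAccessEntry"
    min_level, read_view, write_view, notify_view = row
    if LEVELS[security_level] < LEVELS[min_level]:
        return "noAccessEntry"      # the required level of security was not met
    view = {"read": read_view, "write": write_view, "notify": notify_view}[view_type]
    if not view:
        return "noSuchView"         # e.g. Paul has no write view at all
    return "accessAllowed" if in_view(view, variable_name) else "notInView"
```

Secure communication (USM) and access control (VACM) are checked independently: a message that authenticates as George still fails on ifTable, because his group has no view covering it.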
SNMPv3 IMPLEMENTATIONS: ACE*COMM, AdventNet, BMC Software, Cisco, Epilogue, Gambit Communications, Halcyon, IBM, ISI, IWL, MG-SOFT, MultiPort Corporation, SimpleSoft, SNMP Research, SNMP++, TU of Braunschweig, UCD, University of Quebec
SNMPv3 RFCs (figure): the SNMP ENTITY of RFC 2571 contains the SNMP ENGINE (MESSAGE PROCESSING SUBSYSTEM and DISPATCHER: RFC 2572; SECURITY SUBSYSTEM, USM: RFC 2574; ACCESS CONTROL SUBSYSTEM, VACM: RFC 2575) and the SNMP APPLICATIONS (RFC 2573).
RMON and RMON II: RMON overview; how RMON works; RMON applications; RMON II
Shortcomings of SNMP
How RMON collects data. An RMON monitor can collect data in two ways:
- Through a dedicated RMON probe: the management station obtains management information directly from the probe and controls network resources, and can obtain all of the information in the RMON MIB.
- By embedding an RMON agent directly in network devices (routers, switches, hubs, etc.), turning them into network facilities with RMON probe functionality; the management station exchanges data with them using the basic SNMP commands to collect management information. This approach is limited by device resources: it generally cannot obtain all the data in the RMON MIB, and most such devices collect only the information of four groups.
The RMON mechanism. The RMON MIB consists of a set of statistical, analytical and diagnostic data. Unlike the standard MIB, which only provides large amounts of raw per-port data about managed objects, it provides statistics and computed results for a network segment. Through an RMON-capable SNMP Agent running on a network monitor, the management station can obtain overall traffic, error statistics, performance statistics and similar information for the segment attached to the managed device's interface, and so manage the (often remote) network. RMON is compatible with the existing SNMP framework and requires no modification of the protocol.
Communication between the network management station and the RMON agent (figure)
How RMON works. The RMON MIB collects and controls segment data through control tables and data tables. The RMON MIB is divided by function into nine groups, each with its own control table and data table. The control table is read-write and the data table is read-only; the control table describes the format of the data stored in the data table. At configuration time, the management station sets the data collection requirements and stores them in the control table. Once operating, the RMON monitor stores the collected data in the data table according to the control table's configuration.
RMON functional groups. Statistics group (statistics): the statistics group collects basic statistics for each monitored subnet. The network administrator can obtain a variety of statistics for a segment from the device port monitored by the RMON probe. At present only the Ethernet interfaces of network devices can be monitored and counted; this will be extended in future to include more interface-specific tables (such as FDDI). It can count the traffic on a segment (e.g. total packets and total bytes), the distribution of packet types (e.g. broadcast packets, multicast packets, packets of different sizes), and also the number of error packets of each type, the number of collisions, and so on.
RMON functional groups. History group (history): the history group periodically collects records of statistical network values and stores them for later processing. It contains two subgroups: the History Control group, used mainly to set control information such as the sampling interval; and the Ethernet History group, which gives the network administrator historical data on segment traffic, error packets, broadcast packets, utilization, collisions and other statistics.
RMON functional groups. Alarm group (alarm): the alarm group lets the management station define a set of alarm thresholds for network performance (any integer-type object in the monitor's local MIB). If a threshold is crossed in the corresponding direction, the monitor generates an alarm and sends it to the management station. The alarm group requires the event group to be implemented.
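How an alarm group entry decides when to raise an alarm, as an added example that is not from the lecture: rising and falling thresholds with hysteresis, absolute or delta sampling, and the startup rule of the RMON MIB (RFC 2819). The `RmonAlarm` class and the sample series are constructed; the events it returns are what the event group would log or send as a TRAP.

```python
"""RMON alarm group semantics (RFC 2819): a sampled MIB variable is compared with
rising/falling thresholds, and an alarm fires only on a crossing in the matching
direction. Hysteresis means a value hovering around one threshold cannot flood
the management station with repeated events."""


class RmonAlarm:
    def __init__(self, rising, falling, sample_type="deltaValue", startup="risingOrFalling"):
        assert falling < rising
        self.rising, self.falling = rising, falling
        self.sample_type = sample_type          # absoluteValue or deltaValue
        self.startup = startup                  # rising / falling / risingOrFalling
        self.last_raw = None                    # previous raw sample (delta mode)
        self.last_event = None                  # None until the first crossing

    def sample(self, raw):
        """Feed one sample of the monitored object; return the event generated, if any."""
        if self.sample_type == "deltaValue":
            if self.last_raw is None:           # no delta exists for the first sample
                self.last_raw = raw
                return None
            value, self.last_raw = raw - self.last_raw, raw
        else:
            value = raw
        event = None
        if value >= self.rising and self.last_event != "rising":
            # On the very first crossing alarmStartupAlarm decides whether a rising
            # value fires; either way the entry is now in the 'rising' state and
            # must fall to the falling threshold before another rising alarm.
            if self.last_event is not None or self.startup in ("rising", "risingOrFalling"):
                event = "risingAlarm"
            self.last_event = "rising"
        elif value <= self.falling and self.last_event != "falling":
            if self.last_event is not None or self.startup in ("falling", "risingOrFalling"):
                event = "fallingAlarm"
            self.last_event = "falling"
        return event


def run(alarm, samples):
    """Run a constructed sample series; returns the events the monitor would send."""
    return [alarm.sample(s) for s in samples]


if __name__ == "__main__":
    # Utilisation-style absolute samples, thresholds 80 / 20.
    print(run(RmonAlarm(80, 20, "absoluteValue"), [50, 85, 90, 70, 15, 10, 85]))
    # Error-counter deltas, thresholds 100 / 10 errors per interval.
    print(run(RmonAlarm(100, 10, "deltaValue"), [0, 50, 200, 260, 265, 400]))
```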
RMON functional groups. Host group (host): the host group contains counts of the various types of traffic for all hosts attached to a subnet. It can discover new hosts on the network and keeps a set of statistics per host MAC address, such as the total number of packets sent or received, broadcast packets, traffic bytes, error packets, and so on. It has one control table and two data tables; the two data tables have the same contents but are ordered differently.
RMON functional groups. Top-N hosts group (hostTopN): the hostTopN group contains sorted host statistics, a report generated from some parameter in the host table. It is used to find the set of hosts on a subnet that rank highest on a parameter; for example, it can list the 10 hosts that transmit the most data. It depends on the host group being implemented.
RMON functional groups. Matrix group (matrix): the matrix group records information about traffic between pairs of hosts on a subnet, stored in matrix form. This is very useful for retrieving traffic information between particular hosts, for example to find out which devices use a server the most. The matrix group consists of three tables: one control table plus two data tables.
RMON functional groups. Filter group (filter): the filter group lets the monitor observe packets that match a filter. The network monitor can capture all packets that pass the filter, or simply record statistics based on those packets.
Packet capture group (capture): the capture group controls how data is sent to the management station; it can record packets after they have been delivered to a channel.
RMON functional groups. Event group (event): the event group provides a table of all events generated by the RMON agent. When an event occurs, a log entry can be recorded and/or a TRAP sent to the management station.
RMON II
The RMON II standard raises the level at which the administrator can monitor the network to the application layer of the network protocol stack. Beyond monitoring network traffic and capacity, RMON II therefore also provides information on how much network bandwidth each application uses, an important factor for troubleshooting in client/server environments.
RMON II and RMON
RMON looks for physical faults in the network, whereas RMON II observes at a higher level: it monitors actual network usage patterns. An RMON probe observes packets flowing from one router to another; RMON II looks inside, observing which server sent a packet, which user is to receive it, and which application the packet represents. With this information the administrator can differentiate users according to application bandwidth and response time requirements.
RMON II does not replace RMON; it is a complementary technology. RMON II provides a new level of diagnostic and monitoring capability on top of the RMON standard. In fact, RMON II can monitor the alert signals for unexpected events emitted by devices that implement the RMON standard.
RMON II and RMON: management focus
NETWORK MANAGEMENT PROBLEM        RELATED OSI LAYER                 MANAGEMENT STANDARD
Physical faults and utilization   Media access control layer (MAC)  RMON
LAN segments                      Data link layer                   RMON
Network interconnection           Network layer                     RMON II
Application usage                 Application layer                 RMON II