Modern Internet Technologies (Moderní technologie Internetu)

Transcript

Modern Internet Technologies (2)
Jan Janeček
janecek@cs.felk.cvut.cz
The SNMP protocol
[Figure: MANAGER and AGENT, each with a UDP / IP / LINK stack; SNMP MESSAGES travel between them over UDP, and the agent holds the MIB]
10/2006
SNMP communication
SNMP operations
[Figure: the manager sends get, getNext or set to the agent; the agent reads or updates its MIB and returns a response; the agent sends a trap to the manager on its own initiative, and a trap gets no response]
SNMP messages
SNMP message:       VERSION | COMMUNITY | SNMP PDU
SNMP PDU:           PDU TYPE | REQUEST ID | ERROR STATUS | ERROR INDEX | VARIABLE BINDINGS
variable bindings:  NAME 1 VALUE 1 | NAME 2 VALUE 2 | ... | NAME n VALUE n
Example
[Figure: an example MIB tree under node 1 with three children]
address (1)      = 130.89.16.2
info (2)         name (1) = printer-1, uptime (2) = 123456
route-table (3)  route-entry (1) with columns dest (1), policy (2), next (3); a row is indexed by (dest, policy), so a column instance is 1.3.1.<column>.<dest>.<policy>

The rows read off the figure:
dest  policy  next
2     1       2
3     1       3
5     1       2
5     2       3
7     1       2
8     1       3
9     1       2
The get operation
[Figure: manager sends get to the agent, which reads the MIB and returns a response]
get(1.1.0)
response(1.1.0 => 130.89.16.2)
get(1.2.0)
response(error-status = noSuchName)    (1.2 is the info group node; there is no instance 1.2.0)
get(1.1.0; 1.2.2.0)
response(1.1.0 => 130.89.16.2; 1.2.2.0 => 123456)
get(1.3.1.3.5.1)
response(1.3.1.3.5.1 => 2)
get(1.3.1.1.5.1)
response(1.3.1.1.5.1 => 5)
get(1.3.1.1.5.1, 1.3.1.2.5.1, 1.3.1.3.5.1)
response(1.3.1.1.5.1 => 5, 1.3.1.2.5.1 => 1, 1.3.1.3.5.1 => 2)
The set operation
[Figure: manager sends set to the agent, which updates the MIB and returns a response]
set(1.2.1.0 => my-printer)
response(noError; 1.2.1.0 => my-printer)
set(1.2.1.0 => my-printer, 1.2.2.0 => 0)
response(error-status = noSuchName; error-index = 2)
A set is all-or-nothing: because the second binding (uptime, a read-only object, which SNMPv1 also reports as noSuchName) is rejected, the first one is not applied either; error-index names the offending binding.
Lexicographic ordering
INSTANCE ID    INSTANCE VALUE
1.1.0          130.89.16.2
1.2.1.0        printer-1
1.2.2.0        123456
1.3.1.1.2.1    2
1.3.1.1.3.1    3
1.3.1.1.5.1    5
...            ...
1.3.1.1.9.1    9
1.3.1.2.2.1    1
1.3.1.2.3.1    1
...            ...
1.3.1.2.9.1    1
1.3.1.3.2.1    2
...            ...
Instances are ordered arc by arc, numerically; getNext returns the instance that follows the given OID in this order (the OID itself need not exist), which is how a manager walks a table one column at a time.
SNMP encoding
[Figure: the manager and the agent (with its MIB) each hold data in ABSTRACT SYNTAX (ASN.1); BER turns it into the TRANSFER SYNTAX carried over UDP / IP / LINK on both sides]
BER - Basic Encoding Rules
ASN.1 encoding: every value is sent as tag | length | value (TLV).
ASN.1 - type definition (the tag octet)
The two high bits give the class, the next bit the form (0 = primitive / simple, 1 = constructed / structured), the low five bits the tag number:
0 0 = universal tag
0 1 = application-wide tag
1 0 = context-specific tag
1 1 = private tag

Universal tags
BIT PATTERN    ASN.1 TYPE
00 0 0 0010    INTEGER
00 0 0 0100    OCTET STRING
00 0 0 0110    OBJECT IDENTIFIER

Application-wide tags
BIT PATTERN    APPLICATION TYPE
01 0 0 0000    IpAddress
01 0 0 0001    Counter32
01 0 0 0010    Gauge32
01 0 0 0010    Unsigned32
01 0 0 0011    TimeTicks
01 0 0 0100    Opaque
01 0 0 0110    Counter64
ASN.1 - length definition
SHORT FORM: one octet, high bit 0, the remaining 7 bits are the length (0 to 127).
LONG FORM:  first octet has high bit 1 and its low 7 bits give n, the number of length octets that follow; the next n octets hold the length (in SNMP practice 1 ≤ n ≤ 2).
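The message layout, tag octets and length forms of the last four slides, put together as a working BER encoder and decoder for an SNMPv1 get-request. This is an added example, not code from the lecture: the tags for NULL (0x05), SEQUENCE (0x30) and the context-specific PDU types GetRequest (0xA0) and GetResponse (0xA2) come from RFC 1157 / X.690, and the decoder checks every length against the buffer, which is the check a parser of untrusted UDP datagrams must never skip.

```python
"""BER (tag | length | value) codec for an SNMPv1 get-request message.
Added example, not code from the lecture. Tags are the ones the slides list
(INTEGER 0x02, OCTET STRING 0x04, OBJECT IDENTIFIER 0x06) plus, from
RFC 1157 / X.690: NULL 0x05, SEQUENCE 0x30 and the context-specific,
constructed PDU tags GetRequest 0xA0 and GetResponse 0xA2."""

def encode_length(n: int) -> bytes:
    if n < 0x80:                                   # short form: 0nnnnnnn
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body        # long form: 1nnnnnnn + n octets

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + encode_length(len(value)) + value

def encode_integer(i: int) -> bytes:
    n = 1                                          # minimal two's-complement width
    while not -(1 << (8 * n - 1)) <= i < (1 << (8 * n - 1)):
        n += 1
    return tlv(0x02, i.to_bytes(n, "big", signed=True))

def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])      # first two arcs share one octet
    for arc in arcs[2:]:                           # base-128, high bit = "more follows"
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def encode_get_request(community: bytes, request_id: int, oids) -> bytes:
    """SNMP message = version, community, PDU; PDU = request-id,
    error-status, error-index, variable-bindings (name + NULL for a get)."""
    bindings = b"".join(tlv(0x30, encode_oid(o) + tlv(0x05, b"")) for o in oids)
    pdu = tlv(0xA0, encode_integer(request_id) + encode_integer(0)
              + encode_integer(0) + tlv(0x30, bindings))
    return tlv(0x30, encode_integer(0) + tlv(0x04, community) + pdu)  # version 0 = SNMPv1

def decode_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos). Every length is checked against the
    buffer: trusting the length octet is the classic SNMP parser bug."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + 2 + n > len(buf):
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    if pos + length > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_integer(value: bytes) -> int:
    return int.from_bytes(value, "big", signed=True)

def decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0   # fine for the iso(1) subtree
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_message(buf: bytes) -> dict:
    tag, msg, end = decode_tlv(buf)
    if tag != 0x30 or end != len(buf):
        raise ValueError("not a single SNMP message")
    _, ver, p = decode_tlv(msg)
    _, comm, p = decode_tlv(msg, p)
    pdu_tag, pdu, _ = decode_tlv(msg, p)
    _, rid, q = decode_tlv(pdu)
    _, status, q = decode_tlv(pdu, q)
    _, index, q = decode_tlv(pdu, q)
    _, vbl, _ = decode_tlv(pdu, q)
    bindings, q = [], 0
    while q < len(vbl):
        _, vb, q = decode_tlv(vbl, q)
        _, name, r = decode_tlv(vb)
        vtag, val, _ = decode_tlv(vb, r)
        bindings.append((decode_oid(name), vtag, val))
    return {"version": decode_integer(ver), "community": comm.decode(),
            "pdu_type": pdu_tag, "request_id": decode_integer(rid),
            "error_status": decode_integer(status),
            "error_index": decode_integer(index), "bindings": bindings}
```

encode_get_request(b"public", 1, ["1.1.0", "1.2.2.0"]) produces the 43-byte datagram for the slide's get(1.1.0; 1.2.2.0); feeding it to decode_message gives the fields back, and a datagram whose length octet promises more bytes than were received is rejected instead of read past the end.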
MIB hierarchy
[Figure: the OID registration tree]
root
  ccitt (0)
  iso (1)
    stnd (0), reg-auth (1), mb (2)
    org (3)
      dod (6)
        internet (1)
          directory (1)
          mgmt (2)
            mib-2 (1)
              system (1), interfaces (2), ..., transmission (10), snmp (11), ospf (14), bgp (15), ...
              transmission (10): ethernet (7), token ring (9), fddi (15), adsl (94), ...
          experimental (3)
          private (4)
          security (5)
          snmpV2 (6)
  joint-iso-ccitt (2)
MIB-II - protocols
[Figure: the MIB-II groups: SYSTEM, INTERFACES, AT (address translation), IP, ICMP, TCP, UDP, EGP, TRANSMISSION, SNMP]
MIB-II - protocols
GROUP                    DEFINED IN
SYSTEM GROUP             SNMPv2-MIB (RFC 1907)
INTERFACES (IF) GROUP    IF-MIB (RFC 2863)
ADDR. TRANSLATION GROUP  deprecated
IP & ICMP GROUPS         IP-MIB (RFC 2011)
TCP GROUP                TCP-MIB (RFC 2012)
UDP GROUP                UDP-MIB (RFC 2013)
EGP GROUP                outdated (BGP)
TRANSMISSION GROUP       placeholder only
SNMP GROUP               SNMPv2-MIB (RFC 1907)
IP MIB - address table
ipAdEntAddr   ipAdEntIfIndex  ipAdEntNetMask  ipAdEntBcastAddr  ipAdEntReasmMaxSize
192.89.16.4   1               255.255.255.0   1                 65535
192.89.16.8   ...
IP MIB - packet counters
[Figure: the flow of datagrams through the counters of the ip group]
input:         ipInReceives -> ipInHdrErrors, ipInAddrErrors, ipForwDatagrams, ipInUnknownProtos, ipInDiscards, ipInDelivers
output:        ipOutRequests -> ipOutNoRoutes, ipOutDiscards
reassembly:    ipReasmReqds -> ipReasmOKs, ipReasmFails
fragmentation: ipFragOKs, ipFragFails, ipFragCreates
IP MIB - ARP table (ipNetToMediaTable)
ipNetToMediaIfIndex  ipNetToMediaPhysAddress  ipNetToMediaNetAddress  ipNetToMediaType
1                    08:00:20:00:25:66        129.14.16.4             3 (dynamic)
2                    ...
IP MIB - routing table (ipRouteTable)
[Figure: one row of the table with columns ipRouteDest, ipRouteIfIndex, ipRouteMetric1, ipRouteMetric2, ipRouteMetric3, ipRouteMetric4, ipRouteMetric5, ipRouteNextHop, ipRouteType, ipRouteAge, ipRouteProto, ipRouteMask, ipRouteInfo; the sample row shows the addresses 129.14.16.4, 129.16.1.7 and 192.89.16.8, ifIndex 1, mask 255.255.0.0, the value 3 and protocol ospf, but the transcript does not preserve which address sits in which column]
SNMPv2 - basic idea
[Figure: a hierarchy of managers (M) and agents (A): each manager polls and commands its agents, and a lower manager sends inform to the manager above it]
SNMPv2 - getBulk
[Figure: manager sends getBulk to the agent, which reads the MIB and returns a single response holding many bindings]

SNMPv2 - getBulk
getBulk(max-repetitions = 4; 1.1)
response( 1.1.0 => 130.89.16.2
          1.2.1.0 => printer-1
          1.2.2.0 => 123456
          1.3.1.1.2.1 => 2 )

getBulk(max-repetitions = 3; 1.3.1.1; 1.3.1.2; 1.3.1.3)
response( 1.3.1.1.2.1 => 2;  1.3.1.2.2.1 => 1;  1.3.1.3.2.1 => 2
          1.3.1.1.3.1 => 3;  1.3.1.2.3.1 => 1;  1.3.1.3.3.1 => 3
          1.3.1.1.5.1 => 5;  1.3.1.2.5.1 => 1;  1.3.1.3.5.1 => 2 )
Each repetition applies getNext to every requested OID in turn, so a table comes back row by row with the columns interleaved; one getBulk replaces nine getNext round trips here.
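The get, set, lexicographic-ordering and getBulk slides above all act on the same example MIB, so here is one added example (not lecture code) that holds that MIB as a table sorted in lexicographic OID order and implements get, getNext, set and getBulk as SNMPv1/v2c define them. The MIB contents are the values read off the example figure; the function names and the all-or-nothing handling of set are the protocol's rules, not anything the slides spell out.

```python
"""Core of a toy SNMP agent holding the example MIB from the slides as a
table sorted in lexicographic (numeric, arc by arc) OID order, with get,
getNext, set and getBulk implemented as SNMPv1/v2c define them.
Added example, not lecture code; the MIB contents are the values read
off the example figure."""

from bisect import bisect_right

def oid_key(oid: str) -> tuple:
    return tuple(int(a) for a in oid.split("."))  # numeric order: "1.10" > "1.9"

# instance -> (value, writable)
MIB = {
    "1.1.0":   ("130.89.16.2", False),  # address
    "1.2.1.0": ("printer-1", True),     # info.name
    "1.2.2.0": (123456, False),         # info.uptime (read-only)
}
# route-table rows (dest, policy) -> next; column instance = 1.3.1.<col>.<dest>.<policy>
ROUTES = {(2, 1): 2, (3, 1): 3, (5, 1): 2, (5, 2): 3, (7, 1): 2, (8, 1): 3, (9, 1): 2}
for (dest, policy), nxt in ROUTES.items():
    for col, val in ((1, dest), (2, policy), (3, nxt)):
        MIB[f"1.3.1.{col}.{dest}.{policy}"] = (val, col != 1)  # index column read-only

ORDER = sorted(MIB, key=oid_key)
KEYS = [oid_key(o) for o in ORDER]
NO_ERROR, NO_SUCH_NAME = "noError", "noSuchName"

def get(*oids):
    """SNMPv1 get: one unknown instance fails the whole request and the
    error-index (1-based) says which binding it was."""
    for i, o in enumerate(oids, 1):
        if o not in MIB:
            return {"error-status": NO_SUCH_NAME, "error-index": i}
    return {"error-status": NO_ERROR, "bindings": [(o, MIB[o][0]) for o in oids]}

def get_next(oid: str):
    """The smallest instance strictly greater than oid, or None at the end
    of the MIB; oid itself need not exist (that is what makes walking work)."""
    i = bisect_right(KEYS, oid_key(oid))
    return (ORDER[i], MIB[ORDER[i]][0]) if i < len(ORDER) else None

def set_(*bindings):
    """SNMPv1 set is all-or-nothing: validate every binding, then write.
    v1 reports a read-only object with noSuchName, as the slide shows."""
    for i, (o, v) in enumerate(bindings, 1):
        if o not in MIB or not MIB[o][1]:
            return {"error-status": NO_SUCH_NAME, "error-index": i}
    for o, v in bindings:
        MIB[o] = (v, True)
    return {"error-status": NO_ERROR, "bindings": list(bindings)}

def walk(prefix: str):
    """getNext loop confined to the subtree under prefix (what snmpwalk does)."""
    pk, out, cur = oid_key(prefix), [], prefix
    while True:
        nxt = get_next(cur)
        if nxt is None or oid_key(nxt[0])[:len(pk)] != pk:
            return out
        out.append(nxt)
        cur = nxt[0]

def get_bulk(non_repeaters: int, max_repetitions: int, *oids):
    """SNMPv2c getBulk: one getNext for each of the first non_repeaters
    OIDs, then up to max_repetitions rounds of getNext over the rest, so
    a table comes back row by row with the columns interleaved."""
    out = []
    for o in oids[:non_repeaters]:
        out.append(get_next(o) or (o, "endOfMibView"))
    cursors = list(oids[non_repeaters:])
    for _ in range(max_repetitions):
        if not cursors:
            break
        for j, o in enumerate(cursors):
            nxt = get_next(o)
            if nxt is None:
                out.append((o, "endOfMibView"))   # cursor stays, keeps reporting end
            else:
                out.append(nxt)
                cursors[j] = nxt[0]
        if all(get_next(c) is None for c in cursors):
            break   # RFC 3416 lets the agent stop once every column is exhausted
    return out
```

get_bulk(0, 3, "1.3.1.1", "1.3.1.2", "1.3.1.3") returns the nine bindings of the second slide in exactly the slide's order; walk("1.3.1.2") is what a manager does with getNext to read one column; and the failing set(1.2.1.0, 1.2.2.0) leaves 1.2.1.0 untouched.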
SNMPv2 - inform
[Figure: a manager acting as "agent" (notification originator) sends inform to another manager, which acknowledges it with a Response; unlike a trap, an inform is confirmed]
SNMPv3 - manager
[Figure: the SNMPv3 manager entity. Applications: COMMAND GENERATOR and NOTIFICATION RECEIVER, attached to the PDU DISPATCHER. Below it the MESSAGE DISPATCHER, the MESSAGE PROCESSING SUBSYSTEM with one model per protocol version (SNMPv1, SNMPv2c, SNMPv3, OTHER), the SECURITY SUBSYSTEM (COMMUNITY-BASED SECURITY MODEL, USER-BASED SECURITY MODEL, OTHER SECURITY MODEL) and the TRANSPORT MAPPINGS]
SNMPv3 - agent
[Figure: the SNMPv3 agent entity. Applications: COMMAND RESPONDER and NOTIFICATION ORIGINATOR, both going through the ACCESS CONTROL SUBSYSTEM (VIEW-BASED ACCESS CONTROL) to the MANAGEMENT INFORMATION BASE. Below them the PDU DISPATCHER, MESSAGE DISPATCHER, MESSAGE PROCESSING SUBSYSTEM (SNMPv1, SNMPv2c, SNMPv3, OTHER), SECURITY SUBSYSTEM (COMMUNITY-BASED SECURITY MODEL, USER-BASED SECURITY MODEL, OTHER SECURITY MODEL) and TRANSPORT MAPPINGS]
SNMPv3 - security
THREAT             ADDRESSED?  MECHANISM
REPLAY             YES         time stamp (snmpEngineBoots / snmpEngineTime window)
MASQUERADE         YES         HMAC with MD5 / SHA-1
INTEGRITY          YES         (the same HMAC with MD5 / SHA-1)
DISCLOSURE         YES         DES
DENIAL OF SERVICE  NO          -
TRAFFIC ANALYSIS   NO          -
RFC 3414 explicitly lists denial of service and traffic analysis as threats the User-based Security Model does not protect against; authentication and encryption are optional per user (noAuthNoPriv, authNoPriv, authPriv).
SNMPv3 - replay protection
[Figure: every authenticated message carries the authoritative engine's ID, BOOTS and TIME alongside the DATA. The Nonauthoritative Engine keeps a LOCAL NOTION OF the REMOTE CLOCK of each authoritative engine and stamps requests with it; the Authoritative Engine compares the received BOOTS and TIME with its LOCAL CLOCK and accepts the message only if they fall within the ALLOWED LIFETIME]
SNMPv3 - authentication
[Figure: the sender feeds KEY and DATA into a HASH FUNCTION and sends USER, MAC and DATA; the receiver looks up the user's KEY, recomputes the MAC over the DATA with the same HASH FUNCTION and compares (=?). The mechanism is HMAC-MD5-96 or HMAC-SHA-96 (RFC 3414); the key is never sent]
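The replay and authentication slides above, worked through in code: this is an added example, not lecture code, built from RFC 3414. It covers the password-to-key derivation with localization to the agent's snmpEngineID, the 96-bit HMAC tag and its constant-time check, and the timeliness check on both sides (the agent's window of 150 seconds and the manager's "local notion of the remote clock"). The password "maplesyrup" and the 12-byte engine ID are the RFC 3414 appendix A.3 test vectors; the message bytes in the usage below are constructed.

```python
"""User-based Security Model pieces from RFC 3414, as an added example
(not lecture code): password-to-key with key localization, the
HMAC-MD5-96 / HMAC-SHA-96 authentication tag, and the timeliness
(replay) check on both sides. Password and engine ID used in the tests
are the RFC 3414 appendix A.3 vectors."""

import hashlib
import hmac

MD5, SHA1 = hashlib.md5, hashlib.sha1
ONE_MIB = 1024 * 1024      # RFC 3414 A.2 stretches the password to 1 MiB
TIME_WINDOW = 150          # seconds, RFC 3414 section 2.3
TAG_LEN = 12               # HMAC-MD5-96 / HMAC-SHA-96: first 96 bits only
MAX_BOOTS = 2**31 - 1      # once snmpEngineBoots latches here, refuse everything

def stretch_password(password: bytes, hashmod=MD5) -> bytes:
    """Ku: hash of the password repeated to 1 MiB (cheap key stretching)."""
    repeated = (password * (ONE_MIB // len(password) + 1))[:ONE_MIB]
    return hashmod(repeated).digest()

def localize(ku: bytes, engine_id: bytes, hashmod=MD5) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): a key stolen from one agent does
    not authenticate the same user on another agent."""
    return hashmod(ku + engine_id + ku).digest()

def password_to_key(password: bytes, engine_id: bytes, hashmod=MD5) -> bytes:
    return localize(stretch_password(password, hashmod), engine_id, hashmod)

def auth_tag(kul: bytes, whole_msg: bytes, hashmod=MD5) -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message, computed
    with the 12-byte parameter field itself zeroed, then truncated."""
    return hmac.new(kul, whole_msg, hashmod).digest()[:TAG_LEN]

def verify_auth(kul: bytes, whole_msg: bytes, tag: bytes, hashmod=MD5) -> bool:
    """Constant-time compare so a byte-by-byte timing oracle is not available."""
    return hmac.compare_digest(auth_tag(kul, whole_msg, hashmod), tag)

def authoritative_timely(local_boots, local_time, msg_boots, msg_time) -> bool:
    """Check by the authoritative engine (the agent, for requests): same
    boot epoch and within +/-150 s of its own clock."""
    if local_boots == MAX_BOOTS:
        return False
    return msg_boots == local_boots and abs(msg_time - local_time) <= TIME_WINDOW

class RemoteClock:
    """A non-authoritative engine's 'local notion of the remote clock' for
    one authoritative engine, advanced only from authenticated messages."""
    def __init__(self, boots=0, time=0):
        self.boots, self.time = boots, time   # latest received (boots, time)

    def update(self, msg_boots, msg_time):
        if (msg_boots, msg_time) > (self.boots, self.time):
            self.boots, self.time = msg_boots, msg_time

    def timely(self, msg_boots, msg_time) -> bool:
        """Responses from an older boot epoch, or older than the newest
        seen time by more than the window, are replays."""
        return msg_boots == self.boots and msg_time >= self.time - TIME_WINDOW
```

password_to_key(b"maplesyrup", bytes.fromhex("000000000000000000000002")) yields the RFC's localized MD5 key 526f5eed9fcce26f8964c2930787d82b; the same password localized to a different engine ID gives a key whose tags do not verify, which is the point of localization. The engine-time values are only as good as the authenticated clock exchange that set them, so RemoteClock is advanced from authenticated messages only.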
SNMPv3 - encryption
[Figure: the sender runs DATA through the DES ALGORITHM with the DES-KEY and sends USER + ENCRYPTED DATA; the receiver looks up the user's DES-KEY and runs the DES ALGORITHM in reverse to recover the DATA. RFC 3414 specifies CBC-DES with a 56-bit key; AES-128 was added later in RFC 3826 and is what current deployments should use]
SNMPv3 - access control
MIB VIEW         ALLOWED OPERATIONS  ALLOWED MANAGERS  REQUIRED LEVEL OF SECURITY
Interface Table  SET                 John              Authentication + Encryption
Interface Table  GET / GETNEXT       John, Paul        Authentication
Systems Group    GET / GETNEXT       George            None
...              ...                 ...               ...
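The access-control table above as a decision procedure, in the shape of the view-based access control model (VACM, RFC 3415): users map to groups, each (group, operation class) has a minimum security level and a MIB view, and a view is a list of OID subtree families that include or exclude, longest match winning. This is an added example, not lecture code; the user names are the slide's, the OIDs are the standard interfaces and system groups, and excluding sysContact from George's view is an assumption made to show how an exclude family works.

```python
"""View-based access control, modelled on the slide's table. Added example
(not lecture code). The exclusion of sysContact from George's view is an
assumption for illustration."""

LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}

GROUPS = {"John": "operators", "Paul": "readers", "George": "sysreaders"}

# view name -> [(subtree OID, included?)]   (vacmViewTreeFamilyTable)
VIEWS = {
    "interfaces": [("1.3.6.1.2.1.2", True)],          # interfaces group, ifTable inside
    "system":     [("1.3.6.1.2.1.1", True),           # system group ...
                   ("1.3.6.1.2.1.1.4", False)],       # ... minus sysContact (assumed)
}

# (group, operation class) -> (minimum security level, view)   (vacmAccessTable)
ACCESS = {
    ("operators",  "write"): ("authPriv",     "interfaces"),  # John: SET, auth + encryption
    ("operators",  "read"):  ("authNoPriv",   "interfaces"),  # John: GET/GETNEXT, auth
    ("readers",    "read"):  ("authNoPriv",   "interfaces"),  # Paul: GET/GETNEXT, auth
    ("sysreaders", "read"):  ("noAuthNoPriv", "system"),      # George: system group, none
}

def in_subtree(oid: str, subtree: str) -> bool:
    o, s = oid.split("."), subtree.split(".")
    return o[:len(s)] == s

def view_allows(view: str, oid: str) -> bool:
    """Longest matching family decides; no matching family means denied."""
    best = None
    for subtree, included in VIEWS[view]:
        if in_subtree(oid, subtree) and (best is None or len(subtree) > len(best[0])):
            best = (subtree, included)
    return best is not None and best[1]

def is_allowed(user: str, level: str, op: str, oid: str) -> bool:
    """The isAccessAllowed decision of RFC 3415 for one OID."""
    group = GROUPS.get(user)
    if group is None:
        return False                                 # unknown user: no group, no access
    op_class = "write" if op == "set" else "read"    # get, getnext, getbulk all read
    entry = ACCESS.get((group, op_class))
    if entry is None:
        return False                                 # no write entry for readers
    min_level, view = entry
    if LEVELS[level] < LEVELS[min_level]:
        return False                                 # e.g. authenticated but not encrypted
    return view_allows(view, oid)
```

John may set ifAdminStatus (1.3.6.1.2.1.2.2.1.7.1) only at authPriv, reads it at authNoPriv; Paul can never set; George reads sysName without authentication but not sysContact, and nothing outside the system group. An agent evaluates this per binding, so one disallowed OID in a request is enough to refuse it.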
RMON - groups
[Figure: a MANAGER reaches an RMON probe on a remote ETHERNET segment across the WAN]
statistics
history
host
host top N
traffic matrix
alarms
filters
packet capture
events
RMON - statistics
Counts of packets, octets, broadcasts, multicasts, collisions and errors, plus the packet size distribution.
RMON - alarms
[Figure: a sampled value plotted against time on a 100 to 900 scale with a RISING THRESHOLD (between 700 and 800) and a FALLING THRESHOLD (between 300 and 400); a NOTIFICATION is generated when the value crosses the rising threshold upward and again when it crosses the falling threshold downward, and after a rising notification no further rising notification is sent until the value has dropped to the falling threshold (hysteresis)]
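The alarm behaviour the figure shows, as an added example that is not lecture code: an RMON-1 alarm entry (RFC 2819 alarmTable) with rising and falling thresholds, the startup rule, the hysteresis that prevents a flood of notifications from a value oscillating around one threshold, and delta sampling for counters. The thresholds 700 and 300 and the sample series are chosen to match the figure's scale.

```python
"""RMON-1 alarm entry (RFC 2819 alarmTable) with rising / falling
threshold hysteresis. Added example, not lecture code; thresholds and
samples are chosen to match the figure's scale."""

class RmonAlarm:
    """sample() returns "rising", "falling" or None for one sampled value.

    RFC 2819 rules: a rising event fires when the sample is >= the rising
    threshold and the previous sample was below it; after a rising event
    no further rising event fires until a falling event has fired (the
    value must reach alarmFallingThreshold), and symmetrically for falling.
    The first sample fires according to alarmStartupAlarm. With delta
    sampling the alarm is evaluated on the difference between successive
    raw samples (e.g. a packet counter), so the first raw sample is only
    stored."""

    def __init__(self, rising, falling, sample_type="absolute",
                 startup="risingOrFalling"):
        if not falling < rising:
            raise ValueError("alarmFallingThreshold must be below alarmRisingThreshold")
        if sample_type not in ("absolute", "delta"):
            raise ValueError("alarmSampleType is absoluteValue or deltaValue")
        if startup not in ("rising", "falling", "risingOrFalling"):
            raise ValueError("bad alarmStartupAlarm")
        self.rising, self.falling = rising, falling
        self.sample_type, self.startup = sample_type, startup
        self.prev_raw = None      # last raw sample (delta mode)
        self.last = None          # last evaluated value
        self.last_event = None    # lockout: which direction fired most recently

    def sample(self, raw):
        if self.sample_type == "delta":
            if self.prev_raw is None:
                self.prev_raw = raw
                return None
            value, self.prev_raw = raw - self.prev_raw, raw
        else:
            value = raw
        event = None
        if self.last is None:                                   # startup rule
            if value >= self.rising and self.startup in ("rising", "risingOrFalling"):
                event = "rising"
            elif value <= self.falling and self.startup in ("falling", "risingOrFalling"):
                event = "falling"
        elif (value >= self.rising and self.last < self.rising
              and self.last_event != "rising"):
            event = "rising"
        elif (value <= self.falling and self.last > self.falling
              and self.last_event != "falling"):
            event = "falling"
        self.last = value
        if event:
            self.last_event = event
        return event

def run(alarm: RmonAlarm, samples):
    """Feed a series of samples, return the list of events (None = quiet)."""
    return [alarm.sample(v) for v in samples]
```

run(RmonAlarm(700, 300), [500, 750, 650, 720, 250, 350, 280, 800]) gives a rising event at 750, nothing at 720 (the value never reached 300 in between), a falling event at 250, nothing at 280, and a rising event again at 800: three notifications for a series that crosses the thresholds five times, which is the figure's point.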
RMON - filters
[Figure: a FILTER selects packets into the CAPTURE TABLE; MIB VARIABLES feed ALARMS, alarms raise EVENTS, and events are written to the LOG TABLE and/or sent to the manager as TRAPS]
End
