Upload
others
View
5
Download
0
Embed Size (px)
Citation preview
11/14/12
1
Networkcontrolandmanagement
Networkmanagement
Whatisnetworkmanagement??Whyisitneeded?
ManiSubramanian,NetworkManagement:Anintroductiontoprinciplesandpractice,AddisonWesleyLongman,2000
11/14/12
2
Networkmanagement Growthofinternetandlocalnetworkscausedsmallnetworksto
connectintooneLARGEinfrastructure.WithitincreasedtheneedforSISTEMATICmanagementofhardwareandsoftwarecomponentsofthissystem.Frequentquestions:
Whichresourcesareavailableinthenetwork? Howmuchtrafficistravelingthroughacertainnetworkequipment? Whousesnetworkconnectionsthatcausetheirdirectortoreceivehisemailtooslowly? WhycantIsenddatatoacertaincomputer?
Definition:Managinganetworkinvolvesdeployment,integrationandcoordinationofhardware,softwareandhumanresourcesforthepurposeofobservation,testing,configuration,analysisandcontrolofnetworkresources,forwhichwewanttoprovideoperationinreal‐time(oroperationwithappropriatequality‐QoS)atanaffordableprice.
Examplesofmanagementac8vi8es1. detectionoferrorsonthecomputerorrouterinterface:
administratorcanbenotifiedbythesoftwarethattheinterfacehasaproblem(evenbeforeitfails!)
2. controllingcomputeroperationandnetworkanalysis3. controllingnetworktraffic:administratorcanobservefrequent
communicationsanddirectionfindingbottlenecks,
4. detectionofrapidchangesinroutingtables:thisphenomenonmayindicateproblemswithroutingorerrorintherouter,
5. controllinglevelsofserviceprovision:networkserviceprovidersareabletoguaranteeavailability,latencyandcertainservicethroughput;administratorcanmeasureandverify,
6. intrusiondetection:administratorcanbenotifiedifcertaintrafficarrivesfromsuspicioussources;hecanalsodetectaparticulartypeoftraffic(eg,asetofSYNpacketsintendedforonesingleinterface)
Examplesofac8vi8es
controllingcomputeroperationandnetworkanalysis(detectionofnetworktopology)
11/14/12
3
Examplesofac8vi8es
controllingnetworktraffic(profiling)
Examplesofac8vi8es
controllingthelevelofserviceprovision(dataflow)
Examplesofac8vi8es
controllingcomputeroperationandnetworkanalysis(listofIPaddresses)
11/14/12
4
Examplesofac8vi8es
controllingcomputeroperationandnetworkanalysis(diagnosticsandfaultdetection)
Areasofmanagement
UpravljanjezNAPAKAMI
(faultmanagement)
UpravljanjesKONFIGURACIJAMI
(configurationmanagement)
UpravljanjezBELEŽENJEMDOSTOPOV(accountingmanagement)
UpravljanjezVARNOSTJO(security)
UPRAVLJANJE
Managementso>ware CLI(CommandLineInterface):
precisecontrol, possibilityofusingcommandlines(batch),– problemofsyntaxknowledge,storage
configurationsdifficulty,lessgeneral–specifictoaparticularnetworkequipment
GUI(GraphicalUserInterface)applications:
visuallybeautiful,providesanoverviewofthewholesystem/network,usesitsown(concise)protocoltocommunicatewithadevice–speed,
– weloosetheabilityofreadableconfigurationstorage(binary),itcanmaskallconfigurationoptions
11/14/12
5
Managementinfrastructure
agent data
controlled device
operator data
management protocol
agent data
agent dataagent data
controlled device
controlled device
controlled device
Managementsystemcomponents:
operator=entity(application+human),BOSS,
controlleddevice(containsNMAagentandcontrolledOBJECTScontainingcontrolledPARAMETERS),
managementprotocol(eg,SNMP).
OSICMIP CommonManagementInformationProtocol,
ITU‐TX.700standardcreatedin1980:firstmanagementstandard,
standardizedtooslow,neverimplementedinpractice
SNMP SimpleNetworkManagementProtocol,
IETFstandard verysimplefirstversion, rapiddeploymentandexpansioninpractice
currently:SNMPV3(addedsafety!),
defactostandardfornetworkmanagement.
History:managementprotocols
ForeachtypeofcontrolleddevicewehaveourownMIB(ManagementInformationBase)whereinformationregardingmanagedOBJECTSandtheirPARAMETERSisstored.
TheoperatorhashisownMDB(ManagementDatabase),wherehestoresconcretevaluesforMIBobjects/parametersforeachmanageddevice.
AlanguagethatdefineshowOBJECTSandPARAMETERSarewrittenisneeded:SMI(StructureofManagementInformation)
Managementdata
11/14/12
6
basicdatatypes:INTEGER,Integer32,Unsigned32,OCTETSTRING,OBJECTIDENTIFIED,IPaddress,Counter32,Counter64,Gauge32,TimeTicks,Opaque
structureddatatypes: OBJECT‐TYPE MODULE‐TYPE
SMI:languagefordefiningobjectsinMIB
objectdefinition:itcontainsdatatype,status,andmeaningdescription
ipSystemStatsInDelivers OBJECT TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current
DESCRIPTION “The total number of input datagrams successfully delivered to IP user-protocols (including ICMP)” ::= { ip 9}
SMI:objectdefini8on
MODULE:content‐relatedgroupofobjects
ipMIB MODULE-IDENTITY LAST-UPDATED “941101000Z” ORGANZATION “IETF SNPv2 Working Group” CONTACT-INFO “ Keith McCloghrie ……” DESCRIPTION “The MIB module for managing IP and ICMP implementations, but excluding their management of IP routes.” REVISION “019331000Z” ::= {mib-2 48}
SMI:groupingobjectsintomodules
OBJECT TYPE: OBJECT TYPE: OBJECT TYPE:
MODULE
11/14/12
7
MODULES: “standardized”, vendor‐specific
IETF(InternetEngineeringTaskForce)responsibleforstandardizationofMIBmodulesforrouters,interfacesandothernetworkequipment ‐>naming(labeling)ofstandardcomponentsisrequired! ISOASN.1(AbstractSyntaxNotation1)designationisused
MIBmodules:standardiza8on
hierarchicalarrangementofobjectswithtreeidentifiers
eachobjecthasanameconsistingofasequenceofnumberidentifiersfromthetreeroottoaleaf example:1.3.6.1.2.1.7meansUDPprotocol
challenge:whatisonthesecondandthirdlevelofthetreeidentifiers?
MIBmodules:standardizationstandardizationcompanies
controlledobjects/parameters
Example: 1.3.6.1.2.1.7providesprotocolUDP 1.3.6.1.2.1.7.*providestheobservedparametersoftheUDPprotocol
MIB:naming,example
1.3.6.1.2.1.7.1ISO
ISO‐ident.Org.USDoDInternet
udpInDatagramsUDPMIB2management
11/14/12
8
MIB:naming,example
Object ID Name Type Comments
1.3.6.1.2.1.7.1 UDPInDatagrams Counter32 total # datagrams delivered at this node
1.3.6.1.2.1.7.2 UDPNoPorts Counter32 # underliverable datagrams no app at portl
1.3.6.1.2.1.7.3 UDInErrors Counter32 # undeliverable datagrams all other reasons
1.3.6.1.2.1.7.4 UDPOutDatagrams Counter32 # datagrams sent
1.3.6.1.2.1.7.5 udpTable SEQUENCE one entry for each port in use by app, gives port # and IP address
SNMPprotocol
SimpleNetworkManagementProtokol protocolforexchangingcontrolinformationbetweentheoperator
andmonitoredobjects. informationofcontrolledobjectsisbeingtransferredbetween
controlledequipmentandtheoperatorwithaccordancetotheMIBdefinition.
Twooperatingmodes: request‐response:readingandsettingvalues trapmessage:thedeviceinformstheoperatorabouttheevent
11/14/12
9
SNMPprotocol
twooperatingmodes
SNMP:messagetypes
Message Direc+on Meaning
GetRequestGetNextRequestGetBulkRequest
operator‐>agent"givemeinforma8on"(value,nextinlist,datablock‐table)
InformRequest operator‐>operatormutualtransmissionofvaluesfromMIB
SetRequest operator‐>agent setthevalueinMIB
Response agent‐>operator"hereisthevalue",responsetoRequest
Trap agent‐>operatorno8fica8ontooperatorabouttheincident
SNMPprotocol
challenge:findRFCdocumentsaboutSNMPandfinddifferencesbetweenthem
SNMPusesUDPtransportprotocol port161:“general"SNMPport,wheredeviceslistenforSNMPrequests port162:notificationsport(traps),usuallywheresystemslistenforcontroland
managementofanetwork
SNMPimplementationmustaddressthefollowingproblems: packagesize:SNMPpacketscancontainextensiveinformationaboutobjectsin
MIB,UDPontheotherhandhasanupperlimitforthesizeofthesegment(TCPdoesn't),
resending:sinceUDPisused,deliveryandconfirmationisnotguaranteed.DeliverycontrolshouldthereforebeaddressedatahigherOSIlevel.
problemwithlostnotifications:ifanotificationislostduringtransfer,thesenderdoesn'tknowanythingaboutit;therecipientalsodoesn'treceiveit
challenge:howdoesSNMPv3addresstheseproblems?
11/14/12
10
SNMP:messageform
Verzija SNMPprotocolversion
DestinationParty Recipientidentifier
SourceParty Senderidentifier
Context DefinesasetofMIBobjectsthatentitycanobtain
PDU Maincontentofthemessage,datafromtheMIB
PDU(protocoldataunit)
head
SNMP:request‐responsemessagetype
RequestID IntegerNumberthatrelatesarequestwithresponse.Adevicethatanswers,whenitstoresintoapackageofResponsetype.Itisalsousedforartificialcontrolofreceivedpackets(SNMPusesUDPtransportprotocolwhichdoesn'tprovidethis!)
ErrorStatus IntegerErrorcodewhichagentforwardswithaResponsetypepackage.Value0meansthattherewasnoerrorandanyothervaluedefinesaspecificerror.
challenge:lookatdifferenttypesoferrors
ErrorIndex Integer Iftherewasanerror,thisvalueistheindexofanobjectthatcausedtheerror.
VariableBindings Variable Name‐valuepairs,thatdefineobjectsandtheirvalues.
SNMP:no8fica8ontypemessage
PDUType Integer Valuethatdefinesthetypeofmessage.Value4/7meansnotification(trapmessage).
Enterprise SequenceofInteger Groupidentifier.
AgentAddress NetworkAddress IPaddressoftheagentthatgeneratedanotification.
GenericTrapCode Integer Generalerrorcode–frompredefinedcoding.
SpecificTrapCode Integer Specificerrorcode(dependsonthemanufacturerequipment)
TimeStamp TimeTicks Timesincethelasttimethedeviceinitialized.Usedforrecording.
VariableBindings Variable Name‐valuepairsthatdefineobjectsandtheirvalues.
11/14/12
11
VerzijeSNMP
SNMPv1 definedinthelate80s turnedouttobetooweaktoimplementallthenecessaryrequirements(limitedin
compositionofPDU)
SNMPv2 improvedSNMPv1inspeed(addedGetBulkRequest),safety(buttoocomplex
implementation),communicationbetweenoperators, RFC1901,RFC2578 usesSMIv2(improvedstandardforstructuringinformation)
SNMPv3 improvedSNMPv2–addedsafetymechanisms, enablescryptography,assuressafety,integrity,authentication alsousesSMIv2
Safety
Whyisitimportant? SetRequestadjustscontrolleddevices.Requestcanbesentatanytime?
challenge:find3moreexamplesofotherpossibleSNMPabuses.
SafetyelementsareonlyintroducedinSNMPv3,previousversiondidnothaveit.SNMPv3hasbuilt‐insecuritybasedonusernames challenge:readRFC3414andfindinformationaboutwhichkindofintrusionsdoesSNMPv3
enableprotectionagainst.HowaboutDenialofServiceattacksandeavesdroppingontraffic?
SNMP.Safetymechanisms
1. packetscontentencryption(PDU):DESisused(exchangeofkeysisrequiredpriortouse)
2. integrity:usedformessagedensificationwithakeywhichisknowntobothsenderandrecipient.Withexaminationofsentdensifiedvaluewehavecontroloveractivemessagecounterfeiting
11/14/12
12
SNMP:Safetymechanisms3. protectionagainstrepetitionofalreadycompleted
communication(replayattack):useofone‐timechips(nonce,žeton):thesendermustencodethemessageaccordingtothenoncewhichisdefinedbythereceiver(thisisusuallythenumberofsystemstart‐upsandthetimepassedsincethelaststart‐up)
SNMP:Safetymechanisms4. accesscontrol:accesscontrolbasedonusernames.Theuserrights
specifywhichuserscanread/changewhichinformation.UserdataisstoredinLocalConfigurationDataStoredatabasewhichalsocontainscontrolledobjectssSNMP! challenge:examineRFC3415.WhatisaView‐basedAccessControlModelConfigurationMIB?
EncodingPDUcontent Howtoencodepacketcontentsothatitisunderstoodonall
platforms(differentdatatypesareofdifferentlengths,thick/thinend)?
weneedauniformcodingorsomedemonstrationlevelofthisdata ASN.1standardinadditiontodatatypesalsodefinesencodingstandards. wewillseethatTLVnotationisusedforpresentationoftheseoperators.
test.x = 256; test.code=‘a’
How to make this transfer?
11/14/12
13
EncodingPDUcontent Similarproblem:
Thisisabsolutelygroovy!
grandma
teenager
Hmmm??? Hmmm???
EncodingPDUcontent Similarproblem:
Thisisabsolutelygroovy!
grandma
teenager
Aha!!! Aha!!!
Presentationservice
Presentationservice
Presentationservice
Pleasant! Pleasant!
Straight‐forwardsweet!
Cool!Thisrocks!
Presenta8onservice:possiblesolu8ons1. Senderaccountsthedataformusedbytherecipient:heconvertsdata
intothecorrectformforrecipientandonlythensendsit.2. sendersendsdatainhisownform,precipientconvertsintohisown
form3. Senderconvertsintoindependentformandthensends.Recipient
transformsindependentformintohisown. challenge:whatareadvantagesanddisadvantagesofthesethreeapproaches?
ASN.1usesthe(3).thirdsolution(independentform). BERrulesareusedwhenwritingtypes(BinaryEncodingRules).They
definetherecordingofdataaccordingtoTLVprinciple(Type,Length,Value).
11/14/12
14
ExampleofBERencodingaccordingtoTLVprinciple
BasicASN.1datatype
TypeNo. Use
BOOLEAN 1 Modellogical,two‐statevariablevalues
INTEGER 2 Modelintegervariablevalues
BITSTRING 3 Modelbinarydataofarbitrarylength
OCTETSTRING 4Modelbinarydatawhoselengthisamultipleofeight
NULL 5 Indicateeffectiveabsenceofasequenceelement
OBJECTIDENTIFIER
6 Nameinformationobjects
REAL 9 Modelrealvariablevalues
ENUMERATED 10 Modelvaluesofvariableswithatleastthreestates
CHARACTERSTRING
*Modelsvaluesthatarestringsofcharactersfromaspecifiedcharacterset
SNMPpackagecapture
SNMPprogramstructure
11/14/12
15
Alterna8vebou8quesolu8ons
1. XML&SOAP(applicationlevel):XMLenablesgraphicandhierarchicalwayofencodingdatawhichrepresentelementsandcontentofcontrolledobjectsinthenetwork.SOAPisasimpleprotocolthatenablesexchangeofXMLdocumentsinthenetwork. easyreadingandunderstandingofcontentonthe
receiverside.– largeoverheadcomparedtobinarydataencoding
2. CORBA(CommonObjectRequestBrokerArchitecture)(applicationlevel):architecturethatdefinesinter‐utilityofobjectsofdifferentprogramminglanguagesandondifferentarchitectures.
protocolcombination!
Event‐drivenmonitoring
RMON(RemoteMonitoring)(additionalmechanism):ClassicalSNMPcancontrolthenetworkfromacontrolstation.RMONcollectsandanalysesmeasureslocallyandsendstheresultstoaremotecontrolstation.Ithasit'sownMIBwithextensionsfordifferentmediatypes. everyRMONagentis
responsibleforlocalcontrol, sendingalreadycompleted
analysisreducesSNMPtrafficbetweensub‐networks
Itisn'tnecessarythatagentsarealwaysvisiblefromthecentralcontrolsystemside.
– longerestablishmentandinstallationtimeofsystemisrequired.
11/14/12
16
Homework
Assignmentforadditionalpointswithhomework’s:
ReadRFC789whichdescribesaknownARPAnetnetworkfailurewhichhappenedin1980.Howcouldthenetworkfailurebeavoidedorit’srecoverytimeimprovedifthenetworkadministratorswouldhavetoday’stoolfornetworkmanagementandcontrolattheirdisposal?
Next8mewearemovingon!
trafficforapplicationsinrealtime!