TSIN02 - Internetworking
© 2004 Image Coding Group, Linköpings Universitet
Lecture 11: SNMP and AAA
Literature:
● Forouzan, chapter 21
● "Diameter: next generation's AAA protocol" by Håkan Ventura, sections 2 to 3.3.6
● RFC2881 (optional extra material)
● RFC2905 (optional extra material)
● RFC2903 (optional extra material)
Lecture 11: SNMP and AAA
Outline:
● SNMP
● AAA introduction
● AAA in Network Access Servers
● DIAMETER, an AAA compliant protocol
Network management framework
● Management Information Base (MIB)
● Structure of Management Information (SMI)
● SNMP
● Security and Administration
● ASN.1
Why network management?
Complex systems are difficult to manage: too much happens in too many places. Information has to be pooled before anyone can get an overview.
● All large systems need to be managed systematically
– Industrial chemical processes
– Large organizations
– Electrical power systems
Network management
● Device Management
– Checking the state of a device
– Changing the configuration of a device
– Activating or turning off a device
– Monitoring a piece of software
● Network Management
– Properties of the network as a whole
Examples of management tasks
– Shutting down a network interface on a router
– Checking the speed of an Ethernet interface
– Monitoring the temperature on a switch, and sending a warning if it gets too high
– Checking the state of a web server (the software)
– Collecting statistics about link usage
Infrastructure
Managed devices contain objects whose data is gathered into a Management Information Base.
[Figure: a managing entity talks, via the network management protocol, to an agent on each managed device; each agent exposes that device's data.]
SNMP at a glance
● Introduced in 1988
– To meet the need for a standard for managing IP devices
● Replaced SGMP
– Simple Gateway Management Protocol, used for managing Internet routers
● Latest version is v3
SNMP parts
● SMI – Structure of Management Information
– The language for defining MIB objects
● MIB – Management Information Base
– Defines a set of objects, similar to a database
● SNMP
– The protocol (and the manager/agent programs implementing it) that lets the manager retrieve and store object values in agents, and lets agents send alarm messages (traps) to the manager
● Security
– The main addition from v2 to v3
SMI – Object Attributes
Figure from Forouzan
SMI Naming
– A tree structure is the basis for SNMP naming
– Each tree node is described by dot-separated numbers/names

[Figure: the naming tree]
Root
  ccitt(0)
  iso(1)
    org(3)
      dod(6)
        internet(1)
          directory(1)
          mgmt(2)
            mib-2(1)  = 1.3.6.1.2.1
              sys(1)  if(2)  at(3)  ip(4)  icmp(5)  tcp(6)  udp(7)  egp(8)  trans(10)  snmp(11)
              udp(7): udpInDatagrams(1)  udpNoPorts(2)  udpInErrors(3)  udpOutDatagrams(4)  udpTable(5)
          experimental(3)
          private(4)
  joint-iso-ccitt(2)
SMI type and syntax
● Managed agents are heterogeneous and may represent data in many different ways
● There is a need for a well-defined and machine-independent syntax
● Solution: ASN.1
● Simple data types are offered (signed and unsigned integers, strings, etc.)
● Structured types can be built from simple types
Abstract Syntax Notation One (ASN.1)
● ISO standard, defines data types in a machine-independent way
● Intermediate format for data type definitions on different machines
[Figure: data in machine 1 (internal representation) → Encoder → data type description in abstract, machine-independent form → Decoder → data in machine 2 (internal representation)]
Data Types
Figure from Forouzan
SMI Encoding - BER
● ASN.1 is not enough for transmission, since it only gives an abstract definition of data types
● We need a standardized way of encoding data for transmission
● The solution for this is the Basic Encoding Rules (BER)
● Tag-Length-Value
Encoding Format
Figure from Forouzan
The tag byte (the T in Tag-Length-Value) has three fields:
● Class (2 bits)
– 00 – universal (ASN.1 types)
– 01 – application-wide (SMI extensions)
– 10 – context-specific
– 11 – private (vendor specific)
● Format (1 bit)
– 0 – simple
– 1 – structured
● Number (5 bits) – identifies the type within the class
Length Format
Figure from Forouzan
Examples
Figure from Forouzan
Management Information Base (v2)
● Each agent has its own MIB
● The collection of objects that are managed
● The objects are sorted into the groups under 1.3.6.1.2.1 (mib-2)
● Only leaves in the tree are accessible
● The objects are accessed using SNMP operations
● Lots of standard objects, extended by vendor-specific ones
MIB-2
Figure from Forouzan
UDP Group
Figure from Forouzan
UDP Variables and Tables
Figure from Forouzan
Indexes for UDP Table
Figure from Forouzan
Lexicographic Ordering
Figure from Forouzan
SNMP Operations
Figure from Forouzan
SNMP PDU Format
Figure from Forouzan
SNMP Message Format
Figure from Forouzan
Example: GetRequest Message
Figure from Forouzan
Example: GetRequest Message
Figure from Forouzan
Example: GetRequest Message
Interpretation help: SNMP message types
Table from Forouzan
Example: GetRequest Message
Interpretation help: Data types
Table from Forouzan
Example: GetRequest Message
Interpretation help: MIB2 tree
Figure from Forouzan
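The following is an added worked example for the two slide groups above (BER Tag-Length-Value encoding, and the GetRequest message); it is not code from Forouzan or from the lecture. It implements the BER rules for the SMI types the slides list (INTEGER, OCTET STRING, NULL, OBJECT IDENTIFIER, SEQUENCE, plus the application-wide Counter/Gauge/TimeTicks) and uses them to build and parse an SNMPv1 GetRequest for udpInDatagrams.0 (1.3.6.1.2.1.7.1.0, from the MIB-2 udp group). The SNMPv1 message layout follows RFC 1155/1157, which the lecture does not cite; the community string "public" and request-id 1 are constructed sample values.

```python
"""BER (Tag-Length-Value) encoding of SMI types and an SNMPv1 GetRequest.

Added worked example, not code from Forouzan. Wire format per SNMPv1
(RFC 1155 SMI, RFC 1157 protocol); OID 1.3.6.1.2.1.7.1.0 is udpInDatagrams.0
from the MIB-2 udp group shown in the slides.
"""

# Universal class (bits 00) ASN.1 tags used by SNMP
INTEGER, OCTET_STRING, NULL, OBJECT_ID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
# Application-wide class (bits 01): SMI extensions, all encoded like INTEGER
COUNTER, GAUGE, TIME_TICKS = 0x41, 0x42, 0x43
# Context-specific class (bits 10), structured (bit 0x20): the SNMPv1 PDU types
GET_REQUEST, GET_NEXT_REQUEST, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA1, 0xA2, 0xA3


def encode_length(n: int) -> bytes:
    """Short form: one byte for n < 128. Long form: 0x80|k, then k bytes of length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + encode_length(len(value)) + value


def encode_integer(v: int, tag: int = INTEGER) -> bytes:
    """Two's complement in the minimal number of bytes, as BER requires."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return encode_tlv(tag, v.to_bytes(n, "big", signed=True))


def encode_oid(oid: str) -> bytes:
    """First two arcs packed as 40*x+y, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return encode_tlv(OBJECT_ID, bytes(out))


def decode_oid(raw: bytes) -> str:
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_tlv(buf: bytes, pos: int = 0):
    """Decode one TLV at buf[pos]; return (tag, value, next_pos).
    Structured values (format bit 0x20 set) decode to a list of (tag, value)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form length
        k = length & 0x7F
        length = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV length exceeds buffer")   # truncated or hostile input
    raw = buf[pos:end]
    if tag & 0x20:
        children, p = [], 0
        while p < len(raw):
            t, v, p = decode_tlv(raw, p)
            children.append((t, v))
        return tag, children, end
    if tag in (INTEGER, COUNTER, GAUGE, TIME_TICKS):
        return tag, int.from_bytes(raw, "big", signed=(tag == INTEGER)), end
    if tag == OBJECT_ID:
        return tag, decode_oid(raw), end
    if tag == NULL:
        return tag, None, end
    return tag, raw, end                    # OCTET STRING and anything else: raw bytes


def build_get_request(community: str, request_id: int, oids) -> bytes:
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, GetRequest-PDU }
    GetRequest-PDU ::= [0] SEQUENCE { request-id, error-status, error-index, VarBindList }"""
    varbinds = b"".join(encode_tlv(SEQUENCE, encode_oid(o) + encode_tlv(NULL, b"")) for o in oids)
    pdu = (encode_integer(request_id) + encode_integer(0) + encode_integer(0)
           + encode_tlv(SEQUENCE, varbinds))
    return encode_tlv(SEQUENCE, encode_integer(0)
                      + encode_tlv(OCTET_STRING, community.encode())
                      + encode_tlv(GET_REQUEST, pdu))


def parse_message(msg: bytes) -> dict:
    """Unpack an SNMPv1 message. Note the community string, SNMPv1's only
    'password', travels in cleartext; that is why v3 added a real security model."""
    _, (version, community, (pdu_tag, pdu)), _ = decode_tlv(msg)
    request_id, error_status, error_index, (_, varbinds) = pdu
    return {"version": version[1], "community": community[1].decode(),
            "pdu_type": pdu_tag, "request_id": request_id[1],
            "error_status": error_status[1], "error_index": error_index[1],
            "varbinds": [(vb[0][1], vb[1][1]) for _, vb in varbinds]}


if __name__ == "__main__":
    msg = build_get_request("public", 1, ["1.3.6.1.2.1.7.1.0"])
    print(msg.hex())
    print(parse_message(msg))
```

The 40-byte message produced here starts 30 26 (SEQUENCE, length 38), then 02 01 00 (version), 04 06 "public" (community), then A0 19 for the GetRequest PDU, which is exactly the byte layout the Forouzan figures walk through. Parsing a captured message the same way shows the practical weakness of v1: whoever can sniff the UDP datagram learns the community string and can issue SetRequests with it.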
UDP Ports
Figure from Forouzan
AAA Introduction
● Authentication
– Validate user identity.
● Authorization
– Check which services the user is allowed access to.
● Accounting
– Store information about use of a service, e.g. for billing purposes.
Authentication
● Validate the identity of a user
● Used for
– Access control
– Authorization decisions
– Accounting records
Authentication techniques
● Providing some credential that proves a claimed identity
– ID
– Smart card
– SIM
– Certificate
– Biometrics
– Password
– Public/secret key pair
Authentication Basics
● Something you have
● Something you know
● Something you are
Authentication protocol
Example:
If A wants to contact B through the Internet, how can A prove his/her identity?
Authorization
● Policy, based on
– Identity
– Current actions
– Outside state
● Allowing access to services to authenticated users
Accounting
● Tracking the usage of resources for
– Billing
– Management
– Planning
– Auditing
Protocols for AAA
● RADIUS
– Remote Authentication Dial-In User Service
● TACACS
– Terminal Access Controller Access-Control System
● COPS
– Common Open Policy Service
● DIAMETER
– Successor to RADIUS; the rest of this lecture
Network Access Server
A Network Access Server (NAS) is often the initial entry point to a network.
A NAS is a gateway between the users and a network, supplying one or more ways to connect, e.g.:
– Dial-up
– Direct network access (e.g. through SLIP or PPP)
– Asynchronous terminal services (e.g. telnet)
– Tunneling
The NAS contacts an AAA server to see if the user is authorized to access the network. This communication needs a protocol!
DIAMETER
The Diameter Base Protocol is intended to provide an Authentication, Authorization and Accounting framework for applications such as network access and IP mobility.
DIAMETER Facilities
The Diameter Base Protocol provides the following facilities:
● Delivery of attribute value pairs (AVPs)
● Capabilities negotiation
● Error notification
● Extendability, through addition of new commands and AVPs
● Basic services necessary for applications, such as handling of user sessions or accounting
The Diameter Base Protocol provides the minimum requirements needed for an AAA protocol, as defined in RFC2989.
DIAMETER Features
All data delivered by the protocol is in the form of an AVP. These are used by the base protocol to support the following features:
● Transporting user authentication information, for the purpose of enabling the Diameter server to authenticate the user.
● Transporting service-specific authorization information between client and servers, allowing the peers to decide whether a user's access should be granted.
● Exchanging resource usage information, which may be used for accounting purposes, capacity planning etc.
● Relaying, proxying and redirecting Diameter messages through a server hierarchy.
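As an added worked example for the NAS and Diameter slides above (not code from the lecture or from Ventura's paper), the following encodes and parses Diameter messages at the level the slides describe: a header followed by attribute value pairs. The field layout is taken from the Diameter base protocol specification (RFC 3588, later RFC 6733), which the lecture does not list: a 20-byte header (version 1, 24-bit length, command flags R/P/E/T, 24-bit command code, Application-ID, Hop-by-Hop and End-to-End identifiers), then AVPs with a 32-bit code, V/M/P flag bits, 24-bit length, optional Vendor-ID and data padded to a 32-bit boundary. The AVP codes (User-Name 1, Session-Id 263, Origin-Host 264, Destination-Realm 283, Origin-Realm 296), the AA-Request command code 265 and the NASREQ application id 1 are from those specifications; the hostnames, realms and user name in the sample are constructed.

```python
"""Diameter header and AVP encoding, parsing and mandatory-bit policing.

Added worked example, not from the lecture or Ventura's paper. Field layout
follows the Diameter base protocol (RFC 3588 / RFC 6733); the AA-Request is
the NASREQ application's request (RFC 4005). Sample hosts/realms are made up.
"""
import struct

AVP_FLAG_V, AVP_FLAG_M, AVP_FLAG_P = 0x80, 0x40, 0x20      # Vendor-specific, Mandatory, Protected
CMD_FLAG_R, CMD_FLAG_P, CMD_FLAG_E, CMD_FLAG_T = 0x80, 0x40, 0x20, 0x10  # Request, Proxiable, Error, re-Transmitted

# Base-protocol AVP codes and the NASREQ AA-Request used below
AVP_USER_NAME, AVP_SESSION_ID, AVP_ORIGIN_HOST = 1, 263, 264
AVP_DESTINATION_REALM, AVP_ORIGIN_REALM = 283, 296
CMD_AA, APP_NASREQ = 265, 1
DIAMETER_AVP_UNSUPPORTED = 5001                              # Result-Code for a rejected M-bit AVP
KNOWN_AVPS = {AVP_USER_NAME, AVP_SESSION_ID, AVP_ORIGIN_HOST, AVP_DESTINATION_REALM, AVP_ORIGIN_REALM}


def encode_avp(code: int, data: bytes, mandatory: bool = True, vendor_id: int = None) -> bytes:
    flags = (AVP_FLAG_M if mandatory else 0) | (AVP_FLAG_V if vendor_id is not None else 0)
    vendor = struct.pack("!I", vendor_id) if vendor_id is not None else b""
    length = 8 + len(vendor) + len(data)             # AVP Length covers header + data, not padding
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big") + vendor + data
            + b"\x00" * (-len(data) % 4))            # pad to a 32-bit boundary


def decode_avps(buf: bytes) -> list:
    """Return [(code, flags, vendor_id, data), ...] for a run of AVPs, checking every length."""
    avps, pos = [], 0
    while pos < len(buf):
        if pos + 8 > len(buf):
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack("!IB", buf[pos:pos + 5])
        length = int.from_bytes(buf[pos + 5:pos + 8], "big")
        head = 12 if flags & AVP_FLAG_V else 8
        if length < head or pos + length > len(buf):
            raise ValueError("malformed AVP length")   # never trust a peer-supplied length
        vendor_id = struct.unpack("!I", buf[pos + 8:pos + 12])[0] if flags & AVP_FLAG_V else None
        avps.append((code, flags, vendor_id, buf[pos + head:pos + length]))
        pos += length + (-length % 4)
    return avps


def encode_message(cmd_code: int, cmd_flags: int, app_id: int, hbh: int, e2e: int, avps: bytes) -> bytes:
    length = 20 + len(avps)
    return (bytes([1]) + length.to_bytes(3, "big") + bytes([cmd_flags]) + cmd_code.to_bytes(3, "big")
            + struct.pack("!III", app_id, hbh, e2e) + avps)


def decode_message(msg: bytes) -> dict:
    if len(msg) < 20 or msg[0] != 1:
        raise ValueError("not a Diameter v1 message")
    if int.from_bytes(msg[1:4], "big") != len(msg):
        raise ValueError("message length mismatch")
    app_id, hbh, e2e = struct.unpack("!III", msg[8:20])
    return {"cmd_code": int.from_bytes(msg[5:8], "big"), "request": bool(msg[4] & CMD_FLAG_R),
            "proxiable": bool(msg[4] & CMD_FLAG_P), "app_id": app_id, "hbh": hbh, "e2e": e2e,
            "avps": decode_avps(msg[20:])}


def unsupported_mandatory_avp(avps, known=KNOWN_AVPS):
    """RFC 3588 rule: an AVP the receiver does not understand may be skipped only
    if its M bit is clear; with M set the whole message must be rejected with
    DIAMETER_AVP_UNSUPPORTED. Returns the first offending (code, vendor_id) or None.
    Simplification: every vendor-specific AVP is treated as unknown here."""
    for code, flags, vendor_id, _ in avps:
        if (vendor_id is not None or code not in known) and flags & AVP_FLAG_M:
            return code, vendor_id
    return None


def build_aar(session_id: str, origin_host: str, origin_realm: str, dest_realm: str,
              user: str, hbh: int, e2e: int, extra_avps: bytes = b"") -> bytes:
    """AA-Request as a NAS sends it to its AAA server (a subset of the required AVPs)."""
    avps = (encode_avp(AVP_SESSION_ID, session_id.encode())
            + encode_avp(AVP_ORIGIN_HOST, origin_host.encode())
            + encode_avp(AVP_ORIGIN_REALM, origin_realm.encode())
            + encode_avp(AVP_DESTINATION_REALM, dest_realm.encode())
            + encode_avp(AVP_USER_NAME, user.encode()) + extra_avps)
    return encode_message(CMD_AA, CMD_FLAG_R | CMD_FLAG_P, APP_NASREQ, hbh, e2e, avps)


if __name__ == "__main__":
    # Constructed sample: hypothetical NAS, realm and user, not from any real deployment.
    aar = build_aar("nas1.example.net;1;1", "nas1.example.net", "example.net", "example.net",
                    "alice", 0x1001, 0x2001)
    parsed = decode_message(aar)
    print(parsed["cmd_code"], parsed["request"], [a[0] for a in parsed["avps"]])
    # An unknown vendor AVP with the M bit set: a compliant server must refuse the request
    rogue = build_aar("nas1.example.net;1;2", "nas1.example.net", "example.net", "example.net",
                      "alice", 0x1002, 0x2002, encode_avp(9999, b"x", mandatory=True, vendor_id=99999))
    print(unsupported_mandatory_avp(decode_message(rogue)["avps"]))
```

Two points a practitioner should take from this: the M bit is how Diameter's extendability stays safe (a relay or server that silently skipped an unknown mandatory AVP could grant access it was supposed to refuse), and the 24-bit length fields are attacker-controlled input, so a parser has to bound-check them before slicing, as decode_avps does.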