Lecture 10: SNMP and AAA. Literature: Forouzan, chapter 23; RFC2881; RFC2905; RFC2903; Diameter, next generation's AAA protocol, by Håkan Ventura (handouts). 2004 Image Coding Group, Linköpings Universitet
Lecture 10: SNMP and AAA. Outline: SNMP; AAA introduction; AAA in Network Access Servers; DIAMETER, an AAA compliant protocol. 2
Network management framework: Management Information Base (MIB); Structure of Management Information (SMI); SNMP; Security and Administration; ASN.1. 3
Why network management? Complex systems are difficult to manage: too much happens in too many places, and information has to be pooled to make an overview possible. All large systems need to be managed systematically, e.g. industrial chemical processes, large organisations, electrical power systems. 4
Network management. Device management: checking the state of a device; changing the configuration of a device; activating or turning off a device; monitoring software. Network management: properties of the network as a whole. 5
Examples of management tasks: shutting down a network interface on a router; checking the speed of an Ethernet interface; monitoring the temperature on a switch, and sending a warning if it gets too high; checking the state of a web server (the software); collecting statistics about link usage. 6
Infrastructure: Managed devices contain objects whose data is gathered into a Management Information Base. (Figure: a managing entity exchanging data with the agents on the managed devices over the network management protocol.) 7
SNMP at a glance. Introduced in 1988 to meet the need for a standard for managing IP devices. Replaced SGMP (Simple Gateway Management Protocol), which was used for managing Internet routers. Latest version is v3. 8
SNMP parts. SMI (Structure of Management Information): the language for defining MIB objects. MIB (Management Information Base): defines a set of objects, similar to a database. SNMP: application program that allows the manager to retrieve and store object values in agents, and agents to send alarm messages to the manager. Security: the main addition from v2 to v3. 9
SMI Object Attributes Figure from Forouzan 10
SMI Naming. A tree structure is the basis for SNMP naming; each tree node is described by a dot-separated sequence of numbers/names from the root, e.g. 1.3.6.1.2.1 for mib-2:
Root: ccitt(0), iso(1), joint(2)
  iso(1) > org(3) > dod(6) > internet(1)
    internet(1): directory(1), mgmt(2), experimental(3), private(4)
      mgmt(2) > mib-2(1): sys(1), if(2), at(3), ip(4), icmp(5), tcp(6), udp(7), egp(8), trans(11), snmp(12)
        udp(7): udpInDatagrams(1), udpNoPorts(2), udpInErrors(3), udpOutDatagrams(4), udpTable(5) 11
SMI type and syntax. Managed agents are heterogeneous and may represent data in many different ways, so there is a need for a well-defined and machine-independent syntax. Solution: ASN.1. Simple data types are offered (signed and unsigned integers, strings, etc.); structured types can be built from simple types. 12
Abstract Syntax Notation One (ASN.1): ISO standard, defines data types in a machine-independent way; an intermediate format for communication between different machines. (Figure: data in machine 1, in its internal representation, passes through an encoder, is transmitted in abstract, machine-independent form, and is decoded into machine 2's internal representation.) 13
Data Types Figure from Forouzan 14
SMI Encoding - BER. ASN.1 is not enough for transmission, since it only gives an abstract definition of data types; we need a standardized way of encoding data for transmission. The solution is the Basic Encoding Rules: Tag-Length-Value. 15
Encoding Format. Tag: class 00 ASN.1, 01 SMI extensions, 10 context-specific, 11 private (vendor specific); format 0 simple, 1 structured. Figure from Forouzan 16
Length Format Figure from Forouzan 17
Examples Figure from Forouzan 18
Management Information Base (v2). Each agent has its own MIB: the collection of objects that are managed. The objects are sorted into the groups under 1.3.6.1.2.1 (mib-2). Only leaves in the tree are accessible, and the objects are accessed using SNMP operations. Lots of standard objects, extended by vendor-specific ones. 19
MIB-2 Figure from Forouzan 20
UDP Group Figure from Forouzan 21
UDP Variables and Tables Figure from Forouzan 22
Indexes for UDP Table Figure from Forouzan 23
Lexicographic Ordering Figure from Forouzan 24
SNMP Operations Figure from Forouzan 25
SNMP PDU Format Figure from Forouzan 26
SNMP Message Format Figure from Forouzan 27
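The naming tree, BER Tag-Length-Value rules and message layout from the slides above, as an added example that is not from the lecture or Forouzan: a minimal BER encoder that assembles an SNMPv1 GetRequest for udpInDatagrams.0 (1.3.6.1.2.1.7.1.0), so the bytes of the message format can be inspected. The community string and request id are constructed sample values; note that the community string travels in the clear, which is the gap the v3 security additions close.

```python
# Added example, not from the lecture or Forouzan: a minimal BER (Tag-Length-Value)
# encoder for the SMI types named in the slides, used to assemble an SNMPv1
# GetRequest for udpInDatagrams.0. Community string and request id are
# constructed sample values.

def ber_length(n):
    # Short form below 128; long form is 0x80|count followed by count bytes.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    # Generic Tag-Length-Value element.
    return bytes([tag]) + ber_length(len(value)) + value

def ber_integer(n):
    # INTEGER (tag 0x02): two's complement in the fewest bytes that hold n.
    length = 1
    while not -(1 << (8 * length - 1)) <= n < (1 << (8 * length - 1)):
        length += 1
    return tlv(0x02, n.to_bytes(length, "big", signed=True))

def ber_oid(dotted):
    # OBJECT IDENTIFIER (tag 0x06): first two arcs packed as 40*x+y, the rest
    # base-128 with the continuation bit set on all but the last byte.
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def ber_sequence(*items):
    # SEQUENCE (tag 0x30, structured bit set): concatenated encoded items.
    return tlv(0x30, b"".join(items))

def snmpv1_get_request(community, oid, request_id=1):
    # Message = SEQUENCE { version INTEGER 0, community OCTET STRING (0x04),
    #   GetRequest-PDU [context-specific 0, structured -> tag 0xA0] {
    #     request-id, error-status, error-index, SEQUENCE OF { OID, NULL } } }
    varbinds = ber_sequence(ber_sequence(ber_oid(oid), tlv(0x05, b"")))
    pdu = tlv(0xA0, ber_integer(request_id) + ber_integer(0) + ber_integer(0) + varbinds)
    return ber_sequence(ber_integer(0), tlv(0x04, community), pdu)
```

Calling snmpv1_get_request(b"public", "1.3.6.1.2.1.7.1.0") yields a 40-byte message whose hex dump shows the outer SEQUENCE, version, community, the 0xA0 PDU tag and the varbind with the OID 2b 06 01 02 01 07 01 00.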
UDP Ports Figure from Forouzan 28
AAA Introduction. Authentication: validate user identity. Authorization: check which services the user is allowed access to. Accounting: store information about use of a service, e.g. for billing purposes. 29
Authentication: validate the identity of a user. Used for access control, authorization decisions and account records. 30
Authentication techniques: providing some credential that proves a claimed identity, e.g. ID, smart card, SIM, certificate, biometrics, password, public/secret key pair. 31
Authentication protocol Example: If A wants to contact B through the Internet, how can A prove his/her identity? 32
Authorization: allowing access to services to authenticated users, based on policy, identity, current actions and outside state. 33
Accounting: tracking the usage of resources, for billing, management, planning and auditing. 34
Protocols for AAA: RADIUS, TACACS, COPS, DIAMETER. 35
Network Access Server. A Network Access Server (NAS) is often the initial entry point to a network. A NAS is a gateway between the users and a network, supplying one or more ways to connect, e.g.: dial-up direct network access (e.g. through SLIP or PPP), asynchronous terminal services (e.g. telnet), tunneling. 36
DIAMETER The Diameter Base Protocol is intended to provide an Authentication, Authorization and Accounting framework for applications such as network access and IP mobility. 37
DIAMETER Facilities. The Diameter Base Protocol provides the following facilities: delivery of attribute value pairs (AVPs); capabilities negotiation; error notification; extensibility, through addition of new commands and AVPs; basic services necessary for applications, such as handling of user sessions or accounting. The Diameter Base Protocol provides the minimum requirements needed for an AAA protocol, as defined in RFC2989. 38
DIAMETER Features. All data delivered by the protocol is in the form of an AVP. These are used by the base protocol to support the following features: transporting user authentication information, for the purpose of enabling the Diameter server to authenticate the user; transporting service-specific authorization information between clients and servers, allowing the peers to decide whether a user's access should be granted; exchanging resource usage information, which may be used for accounting purposes, capacity planning, etc.; relaying, proxying and redirecting of Diameter messages through a server hierarchy. 39
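The AVP container behind the facilities and features above, as an added example that is not from the lecture or any Diameter implementation: a Python encoder/decoder for the AVP header as laid out in the Diameter base protocol specification (RFC 6733, section 4.1), plus the receiver-side check that an M-flagged AVP the receiver does not understand must produce an error answer rather than be silently accepted. The AVP codes, vendor id and data values used in the test calls are constructed placeholders.

```python
# Added example, not from the lecture or any Diameter implementation: the AVP
# container that carries all Diameter data, laid out as in RFC 6733 section 4.1
# (code 32 bits, flags 8 bits, length 24 bits, optional Vendor-ID, data padded
# to a 32-bit boundary). Codes and vendor ids passed in by callers are constructed.
import struct

AVP_FLAG_V = 0x80  # Vendor-ID field present
AVP_FLAG_M = 0x40  # mandatory: a receiver that does not understand it must reject

def encode_avp(code, data, mandatory=True, vendor_id=None):
    flags = AVP_FLAG_M if mandatory else 0
    vendor = b""
    if vendor_id is not None:
        flags |= AVP_FLAG_V
        vendor = struct.pack("!I", vendor_id)
    length = 8 + len(vendor) + len(data)          # AVP Length excludes padding
    header = struct.pack("!I", code) + bytes([flags]) + length.to_bytes(3, "big")
    return header + vendor + data + b"\x00" * (-len(data) % 4)

def decode_avps(buf):
    # Parse a run of AVPs into (code, vendor_id, mandatory, data) tuples,
    # refusing headers or lengths that run past the buffer.
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code = int.from_bytes(buf[off:off + 4], "big")
        flags = buf[off + 4]
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        if length < 8 or off + length > len(buf):
            raise ValueError("bad AVP length")
        body = buf[off + 8:off + length]
        vendor_id = None
        if flags & AVP_FLAG_V:
            if len(body) < 4:
                raise ValueError("V flag set but no Vendor-ID")
            vendor_id, body = int.from_bytes(body[:4], "big"), body[4:]
        avps.append((code, vendor_id, bool(flags & AVP_FLAG_M), bytes(body)))
        off += length + (-length % 4)             # step over padding
    return avps

def unsupported_mandatory(avps, known_codes):
    # Codes of M-flagged AVPs the receiver does not understand; RFC 6733 says
    # such a message must be answered with an error rather than processed.
    return [code for code, _, mandatory, _ in avps if mandatory and code not in known_codes]
```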