TSIN02 - Internetworking
Lecture 11: SNMP and AAA

Literature:
- Forouzan, chapter 21
- "Diameter - next generation's AAA protocol" by Håkan Ventura, sections 2-3.3.6
- RFC2881 (optional extra material)
- RFC2905 (optional extra material)
- RFC2903 (optional extra material)

Outline:
- SNMP
- AAA introduction
- AAA in Network Access Servers
- DIAMETER, an AAA compliant protocol

2004 Image Coding Group, Linköpings Universitet

SNMP:
- Management Information Base (MIB)
- Structure of Management Information (SMI)
- SNMP
- Security and Administration
- ASN.1

Complex systems are difficult to manage: too much happens in too many places. Information has to be pooled before an overview is possible. All large systems need to be managed systematically, for example:
- Industrial chemical processes
- Large organizations
- Electrical power systems
Device Management:
- Checking the state of a device
- Changing the configuration of a device
- Activating or turning off a device
- Monitoring a piece of software

Network Management:
- Shutting down a network interface on a router
- Checking the speed of an Ethernet interface
- Monitoring the temperature on a switch, and sending a warning if it gets too high
- Checking the state of a web server (the software)
- Collecting statistics about link usage
- Properties of the network as a whole

Managed devices contain objects whose data is gathered into a Management Information Base.

SNMP was introduced in 1988 to meet the need for a standard for managing IP devices. It replaced SGMP (Simple Gateway Management Protocol), which was used for managing Internet routers. The latest version is v3.
SMI (Structure of Management Information): the language for defining MIB objects.
MIB (Management Information Base): defines a set of objects, similar to a database.
SNMP: the application program that allows the manager to retrieve and store object values in agents, and agents to send alarm messages to the manager.
Security: the main addition from v2 to v3.

A tree structure is the basis for SNMP naming. Each tree node is described by dot-separated numbers/names.

Managed agents are heterogeneous and may represent data in many different ways, so there is a need for a well-defined and machine-independent syntax. The solution is ASN.1: simple datatypes are offered (signed and unsigned integers, strings, etc.), and structured types can be built from simple types.
ASN.1 is an ISO standard that defines data types in a machine-independent way: an intermediate format for data type definitions on different machines.

ASN.1 is not enough for transmission, since it only gives an abstract definition of data types. We need a standardized way of encoding data for transmission. The solution for this is the Basic Encoding Rules (BER): Tag-Length-Value.

Tag class (first two bits of the tag):
- 00 ASN.1
- 01 SMI extensions
- 10 context-specific
- 11 private (vendor specific)

Format bit:
- 0 simple
- 1 structured
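The following is an added example, not code from the lecture slides or from any SNMP implementation. It encodes and decodes the BER Tag-Length-Value layout described above: the two tag class bits (the values the slide labels ASN.1, SMI extensions, context-specific and private are called universal, application, context-specific and private in the standard), the format bit (simple versus structured, i.e. primitive versus constructed), definite-form lengths in short and long form, and the universal types an SNMP VarBind is built from: INTEGER, OCTET STRING, OBJECT IDENTIFIER and SEQUENCE. The OID encoder shows how a dot-separated name from the MIB tree becomes bytes. The sample object name and value are constructed; every length read from the wire is checked against the buffer, which is the check a receiver of untrusted SNMP packets needs.

```python
# Added example (not from the lecture slides): a minimal BER encoder/decoder
# for the Tag-Length-Value format SNMP carries over UDP. It covers the tag
# class bits and the simple/structured bit named on the slide, definite-form
# lengths, and the universal types SNMP uses most: INTEGER, OCTET STRING,
# OBJECT IDENTIFIER and SEQUENCE. Sample values below are constructed.

# Tag class, bits 7-6 of the tag byte (labels as on the slide).
CLASS_NAMES = {0: "ASN.1 (universal)", 1: "SMI extensions (application)",
               2: "context-specific", 3: "private (vendor specific)"}

# Universal tag bytes (SEQUENCE has the structured bit 0x20 set: 0x10 | 0x20).
TAG_INTEGER, TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x06, 0x30


def describe_tag(tag: int) -> dict:
    """Split a one-byte tag into class, format bit and tag number."""
    return {"class": CLASS_NAMES[tag >> 6],
            "structured": bool(tag & 0x20),   # format bit: 0 simple, 1 structured
            "number": tag & 0x1F}


def encode_length(n: int) -> bytes:
    """Definite-form length: one byte below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Tag-Length-Value: the BER wrapper every SNMP field uses."""
    return bytes([tag]) + encode_length(len(value)) + value


def encode_integer(i: int) -> bytes:
    """INTEGER: two's complement in the smallest number of octets."""
    n = 1
    while True:
        try:
            return tlv(TAG_INTEGER, i.to_bytes(n, "big", signed=True))
        except OverflowError:
            n += 1


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*x+y, the rest base-128
    with a continuation bit, so a dotted name from the MIB tree becomes bytes."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def encode_varbind(oid: str, value: bytes) -> bytes:
    """SNMP VarBind = SEQUENCE { name OBJECT IDENTIFIER, value ANY }."""
    return tlv(TAG_SEQUENCE, encode_oid(oid) + value)


def decode_tlv(buf: bytes, pos: int = 0):
    """Decode one TLV at buf[pos]; returns (tag, value, next_pos). The length is
    checked against the buffer so a short or lying packet cannot be read past."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid_value(raw: bytes) -> str:
    """Inverse of encode_oid for the value bytes of an OBJECT IDENTIFIER."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_varbind(buf: bytes):
    """Returns (dotted OID, value tag, raw value bytes) for one VarBind."""
    tag, body, _ = decode_tlv(buf)
    if tag != TAG_SEQUENCE:
        raise ValueError("VarBind must be a SEQUENCE")
    _, oid_raw, pos = decode_tlv(body)
    val_tag, val_raw, _ = decode_tlv(body, pos)
    return decode_oid_value(oid_raw), val_tag, val_raw


def well_formed(buf: bytes) -> bool:
    """True if buf is exactly one complete TLV (rejects truncated or padded input)."""
    try:
        _, _, end = decode_tlv(buf)
        return end == len(buf)
    except (ValueError, IndexError):
        return False
```

A constructed VarBind for sysName.0 (1.3.6.1.2.1.1.5.0 under mib-2) is `encode_varbind("1.3.6.1.2.1.1.5.0", tlv(TAG_OCTET_STRING, b"router1"))`; its first byte, 0x30, describes as class 00 (ASN.1), structured, tag number 16. An SNMP PDU such as a GetResponse uses a context-specific structured tag (0xA2), which `describe_tag` reports as class 10.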
Each agent has its own MIB: the collection of objects that are managed.
- The objects are sorted into the groups under 1.3.6.1.2.1 (mib-2)
- Only leaves in the tree are accessible
- The objects are accessed using SNMP operations
- Lots of standard objects, extended by vendor-specific ones
UDP
Variables and Tables
SNMP Message Format
Interpretation help: Data types
Interpretation help: MIB2 tree
UDP Ports

AAA:
Authentication: validate user identity.
Authorization: check which services the user is allowed access to.
Accounting: store information about use of a service, e.g. for billing purposes.

Authentication validates the identity of a user. It is used for:
- Access control
- Authorization decisions
- Accounting records

Authentication means providing some credential that proves a claimed identity, e.g.:
- ID
- Smart card
- SIM
- Certificate
- Biometrics
- Password
- Public/secret key pair
Credentials are:
- Something you have
- Something you know
- Something you are

Example: if A wants to contact B through the Internet, how can A prove his/her identity?

Authorization: allowing access to services to authenticated users. Inputs to the decision: policy, identity, current actions, outside state.

Accounting: tracking the usage of resources, for:
- Billing
- Management
- Planning
- Auditing
AAA protocols: RADIUS, TACACS, COPS, DIAMETER.

A Network Access Server (NAS) is often the initial entry point to a network. A NAS is a gateway between the users and a network, supplying one or more ways to connect, e.g.:
- Dial-up direct network access (e.g. through SLIP or PPP)
- Asynchronous terminal services (e.g. telnet)
- Tunneling
The NAS contacts an AAA server to see if the user is authorized to access the network. This communication needs a protocol!

The Diameter Base Protocol is intended to provide an Authentication, Authorization and Accounting framework for applications such as network access and IP mobility. It provides the following facilities:
- Delivery of attribute value pairs (AVPs)
- Capabilities negotiation
- Error notification
- Extensibility, through addition of new commands and AVPs
- Basic services necessary for applications, such as handling of user sessions or accounting
The Diameter Base Protocol provides the minimum requirements needed for an AAA protocol, as defined in RFC2989.
All data delivered by the protocol is in the form of an AVP. These are used by the base protocol to support the following features:
- Transporting user authentication information, for the purpose of enabling the Diameter server to authenticate the user.
- Transporting service-specific authorization information between client and servers, allowing the peers to decide whether a user's access should be granted.
- Exchanging resource usage information, which may be used for accounting purposes, capacity planning etc.
- Relaying, proxying and redirecting Diameter messages through a server hierarchy.
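The following is an added example, not code from the lecture slides, from Ventura's text or from any Diameter implementation. It shows the wire form of the AVPs the slides describe and of the base-protocol message header, following the layout of RFC 3588/6733: an AVP is code, flags (V for vendor-specific, M for mandatory, P for protected), a 24-bit length, an optional Vendor-ID and data padded to 32 bits; the message header carries version, length, command flags, command code, application id and hop-by-hop/end-to-end identifiers. The example builds a Capabilities-Exchange-Request (command code 257, the capabilities negotiation listed above) carrying only Origin-Host (AVP code 264) and Origin-Realm (296); a real CER carries more AVPs. Host and realm names, the vendor id 99999 and the AVP code 9999 are constructed. The receiver side checks every length against the data actually received and applies the base protocol's rule that a message with an unrecognized M-flagged AVP must be rejected, which is what keeps a peer from silently accepting attributes it cannot enforce.

```python
# Added example (not from the lecture slides or any Diameter implementation):
# encoding and parsing of the Diameter base-protocol header and AVPs, following
# the wire layout of RFC 3588/6733. AVP codes Origin-Host (264) and Origin-Realm
# (296) and command code 257 (Capabilities-Exchange-Request) are the standard
# values; host/realm names, vendor id 99999 and AVP code 9999 are constructed.
import struct

DIAMETER_VERSION = 1
AVP_FLAG_V, AVP_FLAG_M, AVP_FLAG_P = 0x80, 0x40, 0x20   # vendor-specific, mandatory, protected
CMD_FLAG_R = 0x80                                         # request (cleared in an answer)
ORIGIN_HOST, ORIGIN_REALM = 264, 296
CAPABILITIES_EXCHANGE = 257
KNOWN_AVPS = {ORIGIN_HOST, ORIGIN_REALM}                 # what this toy peer understands


def pad4(b: bytes) -> bytes:
    """AVPs are aligned to 32-bit boundaries; padding is not counted in the length."""
    return b + b"\x00" * (-len(b) % 4)


def encode_avp(code: int, data: bytes, mandatory: bool = True, vendor_id=None) -> bytes:
    """AVP = code(32) | flags(8) | length(24) | [vendor id(32)] | data, padded to 4."""
    flags = (AVP_FLAG_M if mandatory else 0) | (AVP_FLAG_V if vendor_id is not None else 0)
    body = (struct.pack("!I", vendor_id) if vendor_id is not None else b"") + data
    length = 8 + len(body)                                # header + body, padding excluded
    return pad4(struct.pack("!IB", code, flags) + length.to_bytes(3, "big") + body)


def encode_message(command_code: int, app_id: int, hop_by_hop: int, end_to_end: int,
                   avps: list, request: bool = True) -> bytes:
    """Header = version(8) | length(24) | flags(8) | command(24) | app id | hop-by-hop | end-to-end."""
    body = b"".join(avps)
    flags = CMD_FLAG_R if request else 0
    return (bytes([DIAMETER_VERSION]) + (20 + len(body)).to_bytes(3, "big")
            + bytes([flags]) + command_code.to_bytes(3, "big")
            + struct.pack("!III", app_id, hop_by_hop, end_to_end) + body)


def parse_avps(buf: bytes) -> list:
    """Walk the AVP list; every length is checked against the buffer before use."""
    avps, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, pos)
        length = int.from_bytes(buf[pos + 5:pos + 8], "big")
        if length < 8 or pos + length > len(buf):
            raise ValueError("AVP length outside buffer")
        data_start, vendor_id = pos + 8, None
        if flags & AVP_FLAG_V:
            if length < 12:
                raise ValueError("vendor AVP too short for a Vendor-ID")
            vendor_id = struct.unpack_from("!I", buf, data_start)[0]
            data_start += 4
        avps.append({"code": code, "mandatory": bool(flags & AVP_FLAG_M),
                     "vendor_id": vendor_id, "data": buf[data_start:pos + length]})
        pos += length + (-length % 4)                     # skip padding
    return avps


def parse_message(buf: bytes) -> dict:
    """Parse header and AVPs; the length field must match the bytes received."""
    if len(buf) < 20 or buf[0] != DIAMETER_VERSION:
        raise ValueError("not a Diameter version 1 message")
    if int.from_bytes(buf[1:4], "big") != len(buf):
        raise ValueError("message length field disagrees with data received")
    command_code = int.from_bytes(buf[5:8], "big")
    app_id, hop_by_hop, end_to_end = struct.unpack_from("!III", buf, 8)
    return {"request": bool(buf[4] & CMD_FLAG_R), "command_code": command_code,
            "application_id": app_id, "hop_by_hop": hop_by_hop,
            "end_to_end": end_to_end, "avps": parse_avps(buf[20:])}


def unsupported_mandatory(avps: list, known=KNOWN_AVPS) -> list:
    """Codes of M-flagged AVPs this peer does not understand. The base protocol
    requires such a message to be rejected rather than processed without them."""
    return [a["code"] for a in avps if a["mandatory"] and a["code"] not in known]


def is_valid(buf: bytes) -> bool:
    """Accept/reject decision a receiver can make before acting on any AVP."""
    try:
        return not unsupported_mandatory(parse_message(buf)["avps"])
    except (ValueError, struct.error):
        return False


def build_cer(host: bytes, realm: bytes, hop_by_hop: int = 1, end_to_end: int = 1) -> bytes:
    """Toy Capabilities-Exchange-Request with only Origin-Host and Origin-Realm."""
    return encode_message(CAPABILITIES_EXCHANGE, 0, hop_by_hop, end_to_end,
                          [encode_avp(ORIGIN_HOST, host), encode_avp(ORIGIN_REALM, realm)])
```

With the constructed names `nas1.example.org` and `example.org` the CER is 64 bytes: a 20-byte header, a 24-byte Origin-Host AVP and an Origin-Realm AVP whose length field says 19 but which occupies 20 bytes on the wire because of padding. Truncating the message, or adding an AVP with the M flag set that the peer does not know, makes `is_valid` return false.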