Detailed SNMP protocol

Simple Network Management Protocol (SNMP) is a family of network management protocols defined by the Internet Engineering Task Force (IETF). It grew out of the Simple Gateway Monitoring Protocol (SGMP). With SNMP, a management workstation can remotely manage every network device that supports the protocol: monitor network status, change device configuration, and receive warnings about network events. In IP network management it is used mainly to monitor and manage the performance of network devices such as routers, switches and firewalls. Before looking at the protocol itself, it helps to understand two building blocks, the OID and the MIB.
OID
An OID (object identifier) is a variable that stands for one specific piece of information. It is written as a sequence of numbers separated by ".". For example, 1.3.6.1.2.1.1.1 is the OID of the device's system description. Sending an SNMP request to the device for the instance 1.3.6.1.2.1.1.1.0 returns the device description.
Management Information Base MIB

The management information base (MIB) specified by the IETF defines the manageable objects of network devices and their attributes; each object is uniquely identified by an object identifier (OID). The MIB is a tree structure, and SNMP messages access devices by walking the nodes of the MIB tree. The following figure is a simple example of a MIB tree:

[Figure: a simple example of a MIB tree]

The MIB therefore defines the specific meaning of each OID as a tree-shaped collection of OIDs. OIDs fall into two kinds of variables: simple (scalar) variables and table variables. The system description 1.3.6.1.2.1.1.1 mentioned above is a simple variable; when the actual SNMP request is sent, a ".0" is appended to it.
A table variable has several instances. Take the switch interface bandwidth, whose OID is 1.3.6.1.2.1.2.2.1.5: a switch usually has many interfaces, so each request appends the index of the interface in question, and 1.3.6.1.2.1.2.2.1.5.1 represents the bandwidth of interface 1. The following figure shows the interface list of a switch.

[Figure: interface list of a switch]

MIBs are divided into public MIBs and private MIBs. The public MIB-2 was defined in 1990, and all equipment manufacturers support the OID variables it defines. Each manufacturer may also add its own MIB, which is a private MIB. Cisco's private MIB, for example, starts at 1.3.6.1.4.1.9, and every sub-variable under that node is defined by Cisco itself; 9 is the unique enterprise number assigned to Cisco.
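To make the OID rules above concrete, here is an added example (not code from the original article) that resolves instance OIDs against a tiny excerpt of the MIB tree. The object names sysDescr and ifSpeed are the standard MIB-2 names for the two OIDs the article quotes; the MIB excerpt itself and the sample OIDs under the Cisco enterprise node are constructed for the example.

```python
"""Resolving SNMP instance OIDs against a tiny MIB-2 excerpt.

Added example (not from the original article). sysDescr and ifSpeed are the
standard MIB-2 names for the OIDs the article quotes; the rest is constructed.
"""

# Constructed MIB excerpt: OID prefix -> (object name, kind).
# "scalar" objects have exactly one instance, addressed by appending ".0";
# "column" objects live in a table and are addressed by appending the row index.
MIB = {
    (1, 3, 6, 1, 2, 1, 1, 1): ("sysDescr", "scalar"),
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 5): ("ifSpeed", "column"),
}
ENTERPRISES = (1, 3, 6, 1, 4, 1)  # root of all vendor-private MIBs


def parse_oid(text):
    """Turn a dotted string such as '1.3.6.1.2.1.1.1.0' into a tuple of ints."""
    return tuple(int(part) for part in text.strip(".").split("."))


def in_subtree(oid, root):
    """True when oid is root itself or lies beneath it in the MIB tree."""
    return oid[: len(root)] == root


def resolve(text):
    """Map an instance OID to (object name, instance index tuple).

    Returns ("enterprise", (number,)) for OIDs under the private enterprises
    subtree, and None for anything this MIB excerpt cannot resolve.
    """
    oid = parse_oid(text)
    # Longest matching prefix wins, so a column beats its enclosing table node.
    best = None
    for prefix, (name, kind) in MIB.items():
        if in_subtree(oid, prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, name, kind)
    if best is not None:
        prefix, name, kind = best
        index = oid[len(prefix):]
        if kind == "scalar" and index != (0,):
            return None  # a scalar only has the ".0" instance
        if kind == "column" and not index:
            return None  # a column needs a row index
        return (name, index)
    if in_subtree(oid, ENTERPRISES) and len(oid) > len(ENTERPRISES):
        return ("enterprise", (oid[len(ENTERPRISES)],))
    return None


if __name__ == "__main__":
    # The last two samples are constructed: one under Cisco's enterprise
    # node, one with an index that a scalar object cannot have.
    for sample in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.2.2.1.5.1",
                   "1.3.6.1.4.1.9.2.1.1", "1.3.6.1.2.1.1.1.5"):
        print(sample, "->", resolve(sample))
```

Longest-prefix matching is what lets the same function tell a scalar instance (trailing .0) from a table cell (trailing row index), and the enterprises check shows where a vendor's private subtree branches off from the public tree.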

Principles of SNMP
SNMP uses a special form of the client/server model: the agent/management station model. Management and maintenance of the network is carried out through the exchange between the management workstation and the SNMP agents. Each SNMP agent is responsible for answering the management station's queries about the MIB-defined information it holds.
SNMP requests are sent over UDP. UDP is connectionless, lightweight and offers no delivery guarantee, so a request is usually retried 3 times to make sure the agent receives it.
SNMP message types
· Get: a request message. The SNMP management system uses Get messages to request the values of MIB entries on the SNMP agent.
· GetNext: a request message that returns the entry following the given one in the MIB tree, so that repeated GetNext requests can browse the agent's entire MIB tree.
· GetBulk: a request message asking the agent to return as much data as fits within the limits of the message size.
· Set: used to send updated MIB values to the agent.
· Notify (or Trap): an unsolicited message. When the agent detects a specific type of event locally on the managed host, it sends this message to the SNMP management system.
SNMP events (traps) are sent to the management station unsolicited; the management station filters them, and they therefore add to network traffic.
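The following added example (not code from the original article) shows what Get, GetNext and GetBulk do against an agent's MIB. The agent is a constructed in-memory one holding the instances the article discusses, sysDescr.0 and three rows of the ifSpeed column; the interface speeds and the description string are made up for the example.

```python
"""Get, GetNext and GetBulk against an in-memory agent MIB.

Added example, not from the original article. The agent contents are
constructed; the OIDs are the ones the article uses.
"""
import bisect


def parse_oid(text):
    return tuple(int(p) for p in text.split("."))


def fmt(oid):
    return ".".join(str(p) for p in oid)


class ToyAgent:
    """Keeps instances in lexicographic OID order, as a real agent's MIB does."""

    def __init__(self, instances):
        self.oids = sorted(parse_oid(o) for o in instances)
        self.values = {parse_oid(o): v for o, v in instances.items()}

    def get(self, text):
        """Get: exact instance lookup. None stands for noSuchName."""
        return self.values.get(parse_oid(text))

    def get_next(self, text):
        """GetNext: first instance strictly after the given OID, or None for endOfMibView."""
        i = bisect.bisect_right(self.oids, parse_oid(text))
        if i == len(self.oids):
            return None
        nxt = self.oids[i]
        return fmt(nxt), self.values[nxt]

    def get_bulk(self, text, max_repetitions):
        """GetBulk: up to max_repetitions successive GetNext results in one reply."""
        out = []
        cur = text
        while len(out) < max_repetitions:
            step = self.get_next(cur)
            if step is None:
                break
            out.append(step)
            cur = step[0]
        return out

    def walk(self, subtree):
        """Browse a subtree with repeated GetNext, stopping once we leave it."""
        root = parse_oid(subtree)
        cur = subtree
        rows = []
        while True:
            step = self.get_next(cur)
            if step is None or parse_oid(step[0])[: len(root)] != root:
                return rows
            rows.append(step)
            cur = step[0]


# Constructed agent contents: sysDescr.0 plus ifSpeed for interfaces 1..3.
AGENT = ToyAgent({
    "1.3.6.1.2.1.1.1.0": "Constructed switch, firmware x.y",
    "1.3.6.1.2.1.2.2.1.5.1": 1000000000,
    "1.3.6.1.2.1.2.2.1.5.2": 1000000000,
    "1.3.6.1.2.1.2.2.1.5.3": 100000000,
})

if __name__ == "__main__":
    print(AGENT.get("1.3.6.1.2.1.1.1.0"))
    print(AGENT.get_next("1.3.6.1.2.1.1.1"))   # GetNext on the object OID yields its .0 instance
    for oid, val in AGENT.walk("1.3.6.1.2.1.2.2.1.5"):
        print(oid, val)
    print(AGENT.get_bulk("1.3.6.1.2.1.2.2.1.5", 2))
```

Note that a Get on the bare object OID 1.3.6.1.2.1.1.1 returns noSuchName, while GetNext on the same OID returns the .0 instance: this is why a walk can start from a node that has no value of its own, and why the walk must check that each returned OID still lies under the subtree it started from.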
SNMP version
After more than 10 years of development, SNMP currently exists in three versions, v1, v2 and v3. The main difference between them lies in their security mechanisms.
1. The security mechanism of SNMPv1. SNMPv1 provides only limited security, namely the concept of the community.
A community is a local concept defined on the agent. An agent can define several communities, each with a unique community name. Each SNMP community is an authentication, access control and proxy relationship defined between one SNMP agent and several SNMP managers.
Every SNMPv1 message includes a community field carrying a community name, and the community name acts as a password. SNMPv1 assumes that if the sender knows this password, the message is authenticated and trustworthy.
What an authenticated message may access in the MIB is decided by access control. For each community the agent defines an SNMPv1 community profile, which has two parts:
· MIB view: a subset of MIB objects. Each community can define a different MIB view, and the objects in a view need not belong to a single subtree of the MIB.
· SNMP access mode: one element of the set {read-only, read-write}. Each community defines exactly one access mode.
The combination of an SNMP community and its community profile is the SNMPv1 access policy. An authenticated message names a community, which has its own community profile, and the message may perform only the permitted operation (read-only or read-write) on the objects in the MIB view of that profile.
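As an added example (not code from the original article), here is the SNMPv1 access policy just described written out as a decision function: the community name is the password, each community's profile pairs a MIB view with one access mode, and an object outside the view is simply invisible. The community names "public" and "private" and their views are constructed for the example; the result names follow RFC 1157, which the article's description is based on.

```python
"""SNMPv1 community access policy: community name plus community profile.

Added example, not from the original article. The community names and
MIB views are constructed; the decision rules follow RFC 1157.
"""


def parse_oid(text):
    return tuple(int(p) for p in text.split("."))


# Constructed community profiles: community name -> (MIB view subtrees, access mode).
# A view need not be a single subtree; "private" combines MIB-2 with a vendor subtree.
PROFILES = {
    "public": {"view": ["1.3.6.1.2.1.1", "1.3.6.1.2.1.2"], "mode": "read-only"},
    "private": {"view": ["1.3.6.1.2.1", "1.3.6.1.4.1.9"], "mode": "read-write"},
}

READ_OPS = {"Get", "GetNext"}
WRITE_OPS = {"Set"}


def in_view(oid, view):
    """True when oid lies under any subtree of the view."""
    o = parse_oid(oid)
    return any(o[: len(parse_oid(sub))] == parse_oid(sub) for sub in view)


def authorize(community, op, oid):
    """Return the agent's decision for one SNMPv1 request.

    'drop'        community unknown: the message is discarded (RFC 1157 also
                  lets the agent emit an authenticationFailure trap)
    'noSuchName'  object outside the community's MIB view, or a Set against
                  a read-only community: the object is treated as non-existent
    'ok'          permitted
    """
    if op not in READ_OPS | WRITE_OPS:
        raise ValueError(f"unknown operation {op!r}")
    profile = PROFILES.get(community)
    if profile is None:
        return "drop"
    if not in_view(oid, profile["view"]):
        return "noSuchName"
    if op in WRITE_OPS and profile["mode"] != "read-write":
        return "noSuchName"
    return "ok"


if __name__ == "__main__":
    for req in (("public", "Get", "1.3.6.1.2.1.1.1.0"),
                ("public", "Set", "1.3.6.1.2.1.1.1.0"),
                ("public", "Get", "1.3.6.1.4.1.9.1.1"),
                ("private", "Set", "1.3.6.1.4.1.9.1.1"),
                ("guess", "Get", "1.3.6.1.2.1.1.1.0")):
        print(req, "->", authorize(*req))
```

Returning noSuchName for both an out-of-view object and a write against a read-only community is deliberate: the agent does not reveal whether the object exists, only that this community cannot reach it. The one thing the policy cannot do is protect the community name itself, which travels in clear text in every message.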
2. The security mechanism of SNMPv2. SNMPv2 adds support for distributed network management, extended data types, transfer of large amounts of data in one exchange, richer error handling, aggregate (bulk) operations and a stronger data definition language.
SNMPv2 also introduces the concept of the "context". A context is a collection of managed object resources accessible to an SNMPv2 entity, and it is either local or remote: a local context is identified by a MIB view, a remote context by a proxy relationship.
The context-based access control policy consists of the following 4 elements:
· Target: the SNMP party that performs management operations at the request of the subject;
· Subject: the SNMP party that asks the target to perform management operations;
· Resource: the management information on which the operation is performed. It can be expressed as a local MIB view or as a proxy relationship, and is called a context;
· Privileges: the operations allowed in a specific context, defined in terms of the permitted protocol data units and executed by the target on behalf of the subject.
However, SNMPv2 did not fully reach its goals; in particular, its security was not improved. Identity verification (initial user authentication, message integrity checking, replay prevention), encryption, authorization and access control, and secure remote configuration and management were never implemented. SNMPv2c, released in 1996, is a revision of SNMPv2 that enhances its functions but again leaves security unchanged: it keeps SNMPv1's plaintext community-string authentication.
3. The security mechanism of SNMPv3. The IETF SNMPv3 working group published the Internet recommendations RFC 2271 to 2275 in January 1998, formally defining SNMPv3. This series of documents specifies a system framework that includes all the functions of SNMPv1 and SNMPv2 together with a new security mechanism providing authentication and encryption services, and it lays down a set of network security and access control rules. In short, SNMPv3 adds security and administration mechanisms on top of SNMPv2. The SNMPv3 architecture defined in RFC 2271 follows a modular design, so functions can be added and modified easily. Its main features are:
· Adaptability: it suits a variety of operating environments, from the simplest network needing only basic management to complex networks requiring powerful management functions;
· Good extensibility: modules can be added as needed;
· Good security: it includes multiple security processing modules.
SNMPv3 mainly has 3 modules: information processing and control module, local processing module and user security module.
1 Information processing and control module. Defined in RFC 2272, this module is responsible for generating and parsing messages and for determining whether a message must pass through a proxy on its way.
2 Local processing module. Its main tasks are access control, handling of packaged data and handling of traps. Access control means that the agent is configured so that management processes from different management stations have different rights when accessing it; the check is performed at the level of the protocol data unit. Two common control strategies are to limit the commands a management station may issue to the agent, and to decide which parts of the agent's MIB a management station may access. The access control policy must be set up in advance; SNMPv3 selects the access control method flexibly by using primitives with different parameters.
3 User security module. Compared with SNMPv1 and SNMPv2, SNMPv3 adds three security mechanisms: authentication, encryption and access control. Access control is performed by the local processing module, while authentication and data privacy are provided by the user security module. Authentication means that when an agent (or management station) receives a message, it must first confirm that the message came from an authorized management station (or agent) and that it was not altered in transit. This requires the management station and the agent to share the same key. The sender uses the key to compute an authentication code (a function of the message) and attaches it to the message; the receiver uses the same key to recompute the code from the received message and compares it with the attached one. Encryption works in a similar way: it also requires the management station and the agent to share a key with which the message is encrypted and decrypted.
SNMPv3 uses a privacy key and an authentication key to implement the encryption and authentication functions respectively, as shown in the figure below:

[Figure: SNMPv3 authentication key and privacy key]
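The authentication half of this mechanism, as an added example that is not code from the original article: it implements the password-to-key and key-localization steps of the User-based Security Model (RFC 2274 in the series the article cites, later revised as RFC 3414) with SHA-1, then the HMAC-SHA-96 check the article describes, where the sender computes a 12-byte code over the message with the shared authentication key and the receiver recomputes and compares it. The length-prefixed message framing is a constructed stand-in for the real ASN.1 encoding; only the key handling and the rule that the authentication field is zeroed while the code is computed follow the RFC. The password and engine ID come from the RFC 3414 Appendix A test vector so the key derivation can be checked.

```python
"""SNMPv3 USM-style message authentication with a shared key.

Added example, not from the original article. Key derivation follows
RFC 3414 (SHA-1); the message framing is a constructed stand-in for BER.
"""
import hashlib
import hmac

AUTH_PARAMS_LEN = 12  # HMAC-SHA-96 keeps the first 12 bytes of the 20-byte HMAC


def password_to_key(password: str, engine_id: bytes) -> bytes:
    """RFC 3414 A.2.2: stretch the password to 1 MiB and hash it, then
    localize the result to one engine so that a key taken from one device
    is not valid on another."""
    pw = password.encode()
    stretched = (pw * (1048576 // len(pw) + 1))[:1048576]
    ku = hashlib.sha1(stretched).digest()
    return hashlib.sha1(ku + engine_id + ku).digest()


def encode(engine_id: bytes, user: bytes, auth_params: bytes, payload: bytes) -> bytes:
    """Constructed length-prefixed framing standing in for the BER message."""
    out = b""
    for field in (engine_id, user, auth_params, payload):
        out += len(field).to_bytes(2, "big") + field
    return out


def decode(msg: bytes):
    fields = []
    i = 0
    while i < len(msg):
        n = int.from_bytes(msg[i:i + 2], "big")
        fields.append(msg[i + 2:i + 2 + n])
        i += 2 + n
    if len(fields) != 4:
        raise ValueError("malformed message")
    return fields


def authenticate(auth_key: bytes, engine_id: bytes, user: bytes, payload: bytes) -> bytes:
    """Sender side: the code is computed with the auth field zeroed, then filled in."""
    blank = encode(engine_id, user, bytes(AUTH_PARAMS_LEN), payload)
    mac = hmac.new(auth_key, blank, hashlib.sha1).digest()[:AUTH_PARAMS_LEN]
    return encode(engine_id, user, mac, payload)


def verify(auth_key: bytes, msg: bytes) -> bool:
    """Receiver side: zero the field, recompute, compare in constant time."""
    engine_id, user, received, payload = decode(msg)
    if len(received) != AUTH_PARAMS_LEN:
        return False
    blank = encode(engine_id, user, bytes(AUTH_PARAMS_LEN), payload)
    expected = hmac.new(auth_key, blank, hashlib.sha1).digest()[:AUTH_PARAMS_LEN]
    return hmac.compare_digest(received, expected)


def tamper(msg: bytes, offset: int) -> bytes:
    """Flip one bit of a message, as a corrupted or altered packet would."""
    b = bytearray(msg)
    b[offset] ^= 0x01
    return bytes(b)


# RFC 3414 Appendix A.3.2 inputs and the localized SHA key it lists.
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
RFC_PASSWORD = "maplesyrup"
RFC_LOCALIZED_KEY = bytes.fromhex("6695febc9288e36282235fc7151f128497b38f3f")

if __name__ == "__main__":
    key = password_to_key(RFC_PASSWORD, RFC_ENGINE_ID)
    print("matches RFC 3414 vector:", key == RFC_LOCALIZED_KEY)
    msg = authenticate(key, RFC_ENGINE_ID, b"ops", b"get sysDescr.0")  # constructed payload
    print("genuine message verifies:", verify(key, msg))
    print("altered payload verifies:", verify(key, tamper(msg, len(msg) - 1)))
    print("other engine's key verifies:", verify(password_to_key(RFC_PASSWORD, b"other"), msg))
```

Two details carry the security value. Localizing the key with the engine ID means that compromising one agent's key does not yield the key for every agent configured with the same password, and comparing the code with hmac.compare_digest rather than == avoids leaking how many bytes matched through timing. A real USM implementation also checks the engine boots and time fields to reject replayed messages, which this example leaves out.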
