Chapter 8: Network Management
[Figure: five-layer protocol stack (application, transport, network, data link, physical) on the end hosts, with only network, data link and physical layers on each intermediate router]
As we have learned thus far, computer networks are complex
systems of numerous hardware and software components.
As such, they are subject to operational problems involving
outages, malfunctions, misconfiguration, poor performance,
and other issues. In this final chapter, we will briefly look
at the architecture, protocols, and tools available to identify
and solve these problems.
8: Network
Chapter 8: Network Management
Chapter goals:
introduction to network management
motivation
major components
Internet network management framework
MIB: management information base
SMI: data definition language
SNMP: protocol for network management
security and administration
presentation services: ASN.1
firewalls
Network management motivation
networks are complex, autonomous systems
consisting of 100s (or 1000s) of interacting hardware and
software components
"Network management includes the deployment, integration
and coordination of the hardware, software, and human
elements to monitor, test, poll, configure, analyze, evaluate,
and control the network and element resources to meet the
real-time, operational performance, and Quality of Service
requirements at a reasonable cost."
the network management infrastructure does NOT:
dictate decision making policies
address resource provisioning/service management issues
Motivation for network management: "stuff happens"
numerous potential issues/problems to deal with:
configuration issues
device faults
security problems
performance problems
software bugs
accounting/billing issues
[Figure: a managing entity polling several managed devices; examples cited: UTA ACS, Abilene Net]
Network management: 4 key goals
Monitor
see what's happening
host interfaces, traffic levels, service levels,
security, performance, routing table changes,
etc.
Analyze
determine what it means
Reactively control
take action based on what is happening
Proactively manage
take action based on what current trends tell
you will happen
Infrastructure for network management
definitions:
managing entity (AKA Network Management Station, NMS): the application,
running on a host, that collects management data and acts on it
managed device: a piece of network equipment (and its software) that contains
managed objects whose data is gathered into a Management Information Base (MIB)
agent: the process on a managed device that answers the managing entity's
requests and sends it unsolicited notifications
network management protocol: runs between the managing entity and the agents
[Figure: managing entity with its data store, exchanging network management
protocol messages with several managed devices, each holding an agent and its data]
A typical Network Management System
[Figure: Network Management Console and Network Management MIB on the manager
side, exchanging SNMP protocol messages (commands, replies, traps) with the
managed devices]
Network Management standards
OSI CMIP: Common Management Information Protocol
designed in the 1980s as the unifying network management standard
standardized too slowly
SNMP: Simple Network Management Protocol
Internet roots (SGMP ISMF)
started simple
deployed, adopted rapidly
growth: size, complexity
currently: SNMPv3 (released April 1999)
de facto network management standard
SNMP overview: 4 key parts of the
Internet network management framework
Management information base (MIB):
distributed information store of network
management data (MIB objects)
Structure of Management Information (SMI):
data definition language for MIB objects
SNMP protocol
convey manager<->managed object info, commands
Security & administration capabilities
major addition in SNMPv3
SMI: data definition language
(RFC 2578)
Purpose: syntax, semantics of
management data well-defined, unambiguous
base data types:
straightforward, boring
OBJECT-TYPE
data type, status,
semantics of managed
object
MODULE-IDENTITY
groups related objects
into MIB module
Basic Data Types
INTEGER
Integer32
Unsigned32
OCTET STRING
OBJECT IDENTIFIER
IpAddress
Counter32
Counter64
Gauge32
TimeTicks
Opaque
SNMP MIB
MIB module specified via SMI
MODULE-IDENTITY construct
(100s of standardized MIBs, more vendor-specific)
objects specified via SMI
OBJECT-TYPE construct
[Figure: one MODULE containing several OBJECT-TYPE definitions]
SMI: Object, module examples
OBJECT-TYPE: ipInDelivers
ipInDelivers OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of input datagrams successfully
        delivered to IP user-protocols (including ICMP)."
    ::= { ip 9 }
Note: RFC 2011 - IP MIB, RFC 2012 - TCP MIB, RFC 2013 - UDP MIB
MODULE-IDENTITY: ipMIB
ipMIB MODULE-IDENTITY
    LAST-UPDATED "9411010000Z"
    ORGANIZATION "IETF SNMPv2 Working Group"
    CONTACT-INFO "Keith McCloghrie"
    DESCRIPTION
        "The MIB module for managing IP and ICMP implementations,
        but excluding their management of IP routes."
    REVISION "9103310000Z"
    ::= { mib-2 48 }
SNMP Naming (OBJECT IDENTIFIER)
question: how to name every possible standard
object (protocol, data, more..) in every
possible network standard??
answer: ISO Object Identifier tree:
hierarchical naming of all objects
each branchpoint has name, number
example: 1.3.6.1.2.1.7.1 = ISO (1) . ISO-identified organization (3) . US DoD (6) . Internet (1) . management (2) . MIB-2 (1) . UDP (7) . udpInDatagrams (1)
ISO Object Identifier Tree
Check out www.alvestrand.no/harald/objectid/top.html
MIB example: UDP module
Object ID          Name              Type                   Comments
1.3.6.1.2.1.7.1    udpInDatagrams    Counter32              # UDP datagrams delivered at this node
1.3.6.1.2.1.7.2    udpNoPorts        Counter32              # undeliverable datagrams, no application at port
1.3.6.1.2.1.7.3    udpInErrors       Counter32              # undeliverable datagrams, all other reasons
1.3.6.1.2.1.7.4    udpOutDatagrams   Counter32              # UDP datagrams sent
1.3.6.1.2.1.7.5    udpTable          SEQUENCE of UdpEntry   one entry for each port in use by an app, gives port # and IP address
SNMP protocol
Two ways to convey MIB info, commands:
request/response mode: the managing entity sends a request to the agent on
the managed device, and the agent returns a response
trap mode: the agent on the managed device sends an unsolicited trap message
to the managing entity
[Figure: both exchanges between the managing entity and a managed device (agent, data)]
SNMP protocol: message types
Message type          Function
GetRequest (0)        Mgr-to-Agent: get me data (instance)
GetNextRequest (1)    Mgr-to-Agent: get me data (next in list)
GetBulkRequest (5)    Mgr-to-Agent: get me data (block)
InformRequest (6)     Mgr-to-Mgr: here's MIB value
SetRequest (3)        Mgr-to-Agent: set MIB value
Response (2)          Agent-to-Mgr: value, response to request
Trap (7)              Agent-to-Mgr: inform manager of exceptional event
(the numbers in parentheses are the SNMPv2 PDU type tags)
SNMP protocol: message formats
[Figure: message layouts for Get, Set, Inform and Response messages and for
Trap messages; each is a BER-encoded sequence of header fields followed by
the list of name/value pairs (variable bindings)]
SNMP security and administration (SNMPv3)
encryption: DES-encrypt SNMP message (CBC-DES in RFC 3414; AES was added later by RFC 3826)
authentication: compute, send MIC(m,k):
compute hash (MIC) over message (m) and
secret shared key (k)
protection against playback: use nonce (SNMPv3 itself carries the agent's
engineBoots and engineTime values instead, and the receiver rejects a message
whose time falls outside a 150-second window)
view-based access control
SNMP entity maintains database of access
rights, policies for various users
database itself accessible as managed object!
MIC: Message Integrity Code. In SNMPv3 this is an HMAC (HMAC-MD5-96 or
HMAC-SHA-96), truncated to 96 bits. It resembles a digital signature in use,
but it is symmetric: anyone holding k can both verify and forge it, so it
proves origin only to parties that share the key.
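The following Python is added here as an example and is not part of the slides. It shows how SNMPv3's User-based Security Model (RFC 3414) realises the MIC(m,k) and anti-playback bullets above: the password is stretched and localized to the agent's engine ID, the message is authenticated with a truncated HMAC, and the receiver checks engineBoots/engineTime against the 150-second window before accepting it. The engine ID and the password "maplesyrup" are the RFC 3414 Appendix A.3 sample values; the message framing (boots, time, 12-octet MAC, payload) is my simplification of the real USM header, and the payload bytes are constructed data.

```python
# Added example, not from the slides: SNMPv3 USM-style authentication and
# timeliness checking (RFC 3414). Framing is simplified; engine ID and
# password are the RFC's sample values, the payload is constructed data.
import hashlib
import hmac
from typing import Dict, Tuple

TIME_WINDOW = 150        # seconds, RFC 3414 section 2.2.3
MAC_LEN = 12             # HMAC-MD5-96 / HMAC-SHA-96 truncate the HMAC to 96 bits


def password_to_key(password: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 A.2: repeat the password to exactly 1 MiB and hash it (slow by
    design), then localize: hash(Ku || engineID || Ku). Each agent therefore
    holds a different key, so a compromised agent does not expose the password."""
    stretched = (password * (1048576 // len(password) + 1))[:1048576]
    ku = hashlib.new(algo, stretched).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()


def protect(key: bytes, boots: int, time: int, payload: bytes, algo: str = "md5") -> bytes:
    """Sender: HMAC over the whole message with the MAC field zeroed, then
    splice the truncated MAC into that field (RFC 3414 section 6.3.1)."""
    header = boots.to_bytes(4, "big") + time.to_bytes(4, "big")
    mac = hmac.new(key, header + bytes(MAC_LEN) + payload, algo).digest()[:MAC_LEN]
    return header + mac + payload


def verify(key: bytes, msg: bytes, local_boots: int, local_time: int,
           algo: str = "md5") -> Tuple[bool, str]:
    """Receiver: authenticate first (RFC 3414 section 3.2 step 6), then apply
    the timeliness check (step 7) that limits replay to one 150 s window."""
    if len(msg) < 8 + MAC_LEN:
        return False, "truncated"
    boots, t = int.from_bytes(msg[:4], "big"), int.from_bytes(msg[4:8], "big")
    mac, payload = msg[8:8 + MAC_LEN], msg[8 + MAC_LEN:]
    expected = hmac.new(key, msg[:8] + bytes(MAC_LEN) + payload, algo).digest()[:MAC_LEN]
    if not hmac.compare_digest(mac, expected):       # constant-time comparison
        return False, "authenticationFailure"
    if boots != local_boots or abs(t - local_time) > TIME_WINDOW:
        return False, "notInTimeWindow"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    engine_id = bytes.fromhex("000000000000000000000002")      # RFC 3414 A.3 sample
    key = password_to_key(b"maplesyrup", engine_id)
    payload = b"GetRequest 1.3.6.1.2.1.7.1"     # stands in for the BER-encoded PDU
    msg = protect(key, boots=7, time=1000, payload=payload)
    tampered = msg[:-1] + bytes([msg[-1] ^ 0x01])             # flip one payload bit
    other_key = password_to_key(b"maplesyrup", b"some-other-engine")
    return {
        "genuine":        verify(key, msg, 7, 1010),
        "tampered":       verify(key, tampered, 7, 1010),
        "wrong_engine":   verify(other_key, msg, 7, 1010),   # same password, other agent
        "replayed_later": verify(key, msg, 7, 1400),         # captured, resent 400 s later
        "after_reboot":   verify(key, msg, 8, 5),            # engineBoots has moved on
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15} {result}")
```

Two points the run makes visible: the same password yields a different localized key for every engine ID, so a key lifted from one agent does not authenticate to another; and the window check only bounds replay, it does not prevent it. A message captured and resent within 150 seconds still verifies, which is why the manager also matches request IDs and why SNMP Set operations should be idempotent.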
The presentation problem
Q: does perfect memory-to-memory copy
solve the communication problem?
A: not always!
    struct {
        char code;
        int x;
    } test;
    test.x = 259;
    test.code = 'a';
host 1 format (big-endian):     test.code = a, test.x = 00000001 00000011
host 2 format (little-endian):  test.code = a, test.x = 00000011 00000001
problem: different data format, storage conventions
(e.g. big-endian, little-endian)
Solving the presentation problem
1. Translate local-host format to host-independent format
2. Transmit data in host-independent format
3. Translate host-independent format to remote-host
format
ASN.1: Abstract Syntax Notation 1
The language of standards writers.
ITU-T standard X.680 (ISO/IEC 8824)
used extensively in Internet
defines data types, object constructors
like SMI
BER: Basic Encoding Rules (ITU-T X.209, X.690)
specify how ASN.1-defined data objects are to be
transmitted
each transmitted object has Type, Length, Value
(TLV) encoding
ASN.1: Abstract Syntax Notation 1
Encoding Rules
BER - for management of the Internet, exchange
of electronic mail, control of telephone/computer
interactions
DER - specialized form of BER that is used in
security-conscious applications: it removes BER's encoding choices so that
each value has exactly one encoding, which is what lets a signature or hash
be computed over a reproducible byte string (X.509 certificates are DER)
CER - another specialized form of BER that is
meant for use with huge messages
PER - recent version with more efficient
algorithms that result in faster and more compact
encodings; used in applications that are bandwidth
or CPU starved, such as air traffic control and
audio-visual telecommunications
TLV Encoding
Idea: transmitted data is self-identifying
T: data type, one of ASN.1-defined types
L: length of data in bytes (a single byte for lengths up to 127; longer values
use a long form whose first byte, 0x80 | n, gives the number of length bytes
that follow, e.g. 81 85 for 133 bytes)
V: value of data, encoded according to ASN.1
standard
Tag Value   Type
1           Boolean
2           Integer
3           Bit String
4           Octet string
5           Null
6           Object Identifier
9           Real
TLV encoding: example
INTEGER 259:              Type = 2 (integer), Length = 2 bytes, Value = 01 03
OCTET STRING of 5 chars:  Type = 4 (octet string), Length = 5 bytes, Value = the 5 octets
TLV encoding, another example:
The ASN.1 description of a personnel record
(the standard) might be:
PersonnelRecord ::= [APPLICATION 0] IMPLICIT SET {
    Name,
    title [0] VisibleString,
    dateOfBirth [1] Date,
    (other types defined) }
Name ::= [APPLICATION 1] IMPLICIT SEQUENCE {
    givenName VisibleString,
    initial VisibleString,
    familyName VisibleString }
The data:
Name: John P Smith
Date of Birth: 17 July 1959
(other data)
The application maps the personnel data into the personnel
record structure (ASN.1 data format), and then applies the
Basic Encoding Rules (BER) to the ASN.1 data:
PersonnelRecord    tag 60   length 81 85 (long form, 0x85 = 133 bytes)   contents:
  Name             tag 61   length 10 (16 bytes)                          contents:
    VisibleString  tag 1A   length 04   "John"
    VisibleString  tag 1A   length 01   "P"
    VisibleString  tag 1A   length 05   "Smith"
  (title, dateOfBirth, ... follow)
Finally, what gets transmitted (sent as application data to the
layer below in the protocol stack) would be:
60 81 85 61 10 1A 04 "John" 1A 01 "P" 1A 05 "Smith" ...
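The following Python is added here as an example and is not part of the slides. It implements the BER TLV rules of the last few slides (short and long lengths, INTEGER, OCTET STRING, OBJECT IDENTIFIER, NULL, constructed types with application and context tags), reproduces the slide's encodings of INTEGER 259, OID 1.3.6.1.2.1.7.1 and the personnel-record Name, and uses the same encoder to build and parse the SNMPv1 GetRequest message from the message-format slide. Tag and class values follow X.690; the community string "public" and request id 42 are constructed sample values, and the function names are mine.

```python
# Added example, not from the slides: minimal BER (X.690) encoder/decoder and
# an SNMPv1 GetRequest built on it. "public" and 42 are constructed sample data.
from typing import Any, List, Tuple

# Universal tag numbers from the slide's table; SEQUENCE is 16 with the
# constructed bit (0x20) set, hence 0x30.
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
VISIBLE_STRING = 0x1A
APPLICATION, CONTEXT, CONSTRUCTED = 0x40, 0x80, 0x20   # identifier-octet bits


def encode_length(n: int) -> bytes:
    """Short form below 128, long form (0x80 | octet count) above: 133 -> 81 85."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + encode_length(len(value)) + value


def encode_integer(v: int, tag: int = INTEGER) -> bytes:
    """Two's complement, minimal for non-negative values: 259 -> 02 02 01 03."""
    n = max(1, (v.bit_length() + 8) // 8)            # +8 reserves the sign bit
    return tlv(tag, v.to_bytes(n, "big", signed=True))


def encode_oid(dotted: str) -> bytes:
    """First two arcs share one octet (40*a + b); later arcs are base-128 with a
    continuation bit: 1.3.6.1.2.1.7.1 -> 06 07 2b 06 01 02 01 07 01."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))


def encode_sequence(items: List[bytes], tag: int = SEQUENCE) -> bytes:
    return tlv(tag, b"".join(items))


def decode_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos). Every length is checked against the buffer
    before use, so a forged L cannot make the parser read past the end."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):   # no indefinite/absurd lengths
            raise ValueError("unsupported or truncated length")
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + ln > len(buf):
        raise ValueError("value runs past end of message")
    return tag, buf[pos:pos + ln], pos + ln


def decode(buf: bytes) -> Any:
    """Decode one TLV into Python values; constructed types become lists."""
    tag, value, end = decode_tlv(buf)
    if end != len(buf):
        raise ValueError("trailing bytes after TLV")
    if tag & CONSTRUCTED:
        items, pos = [], 0
        while pos < len(value):
            _, _, nxt = decode_tlv(value, pos)
            items.append(decode(value[pos:nxt]))
            pos = nxt
        return items
    if tag == INTEGER:
        return int.from_bytes(value, "big", signed=True)
    if tag == OID:
        arcs, cur = [value[0] // 40, value[0] % 40], 0   # assumes second arc < 40
        for b in value[1:]:
            cur = (cur << 7) | (b & 0x7F)
            if not b & 0x80:
                arcs.append(cur)
                cur = 0
        return ".".join(map(str, arcs))
    if tag == NULL:
        return None
    return value                 # OCTET STRING, VisibleString, ...: raw bytes


def personnel_name(given: str, initial: str, family: str) -> bytes:
    """Name ::= [APPLICATION 1] IMPLICIT SEQUENCE of VisibleStrings; the tag
    octet is application class (0x40) | constructed (0x20) | 1 = 0x61."""
    parts = [tlv(VISIBLE_STRING, s.encode("ascii")) for s in (given, initial, family)]
    return encode_sequence(parts, tag=APPLICATION | CONSTRUCTED | 1)


def snmp_v1_get_request(community: str, oid: str, request_id: int) -> bytes:
    """Message ::= SEQUENCE { version INTEGER (0 = v1), community OCTET STRING,
    PDU }; GetRequest is [CONTEXT 0] constructed (0xA0) wrapping request-id,
    error-status, error-index and the variable-binding list. Note the
    community string, SNMPv1's only credential, travels in the clear."""
    varbind = encode_sequence([encode_oid(oid), tlv(NULL, b"")])
    pdu = encode_sequence([encode_integer(request_id), encode_integer(0), encode_integer(0),
                           encode_sequence([varbind])], tag=CONTEXT | CONSTRUCTED | 0)
    return encode_sequence([encode_integer(0), tlv(OCTET_STRING, community.encode()), pdu])
```

Running `snmp_v1_get_request("public", "1.3.6.1.2.1.7.1", 42)` and searching the result for `b"public"` shows the SNMPv1/v2c credential sitting in the datagram as a plain OCTET STRING, which is the reason SNMPv3's authentication exists. The decoder deliberately rejects indefinite lengths and any length that overruns the buffer; unchecked BER lengths are a recurring source of memory-safety bugs in SNMP and certificate parsers.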
Firewalls
firewall: isolates an organization's internal net from the larger Internet,
allowing some packets to pass, blocking others.
Two firewall types:
packet filter
application gateway
Firewall goals:
To prevent denial of service attacks:
SYN flooding: attacker establishes many bogus TCP connections.
Attacked host allocates TCP buffers for bogus connections, none left for real connections.
To prevent illegal modification of internal data.
e.g., attacker replaces CIA's homepage with something else
To prevent intruders from obtaining secret info.
Packet Filtering
Internal network is typically connected to Internet through a router.
Router manufacturer provides options for filtering packets, based on (for example):
source IP address
destination IP address
TCP/UDP source and destination port numbers
ICMP message type
TCP SYN and ACK bits
Example 1: block incoming and outgoing datagrams with IP protocol field = 17
(UDP), and block incoming and outgoing TCP segments with either source or
destination port = 23 (telnet).
Result: all incoming and outgoing UDP flows and telnet connections are blocked.
(These are two separate rules; a single rule requiring protocol = 17 and
port = 23 would match only UDP traffic on port 23 and leave every other UDP
flow, and telnet over TCP, open.)
Example 2: Block inbound TCP segments with ACK bit = 0.
Prevents external clients from making TCP connections with internal hosts,
but allows internal clients to connect to outside: every segment after the
initial SYN of an internally initiated connection carries ACK = 1 and passes.
Application gateways
Filters packets on application data as well as on IP/TCP/UDP fields.
Example: allow select internal users to telnet outside.
[Figure: internal host -> host-to-gateway telnet session -> application
gateway -> gateway-to-remote-host telnet session -> router and filter -> Internet]
1. Require all telnet users to telnet through gateway.
2. For authorized users, gateway sets up telnet connection to
dest host. Gateway relays data between the 2 connections.
3. Router filter blocks all telnet connections not originating
from gateway.
Limitations of firewalls and gateways
IP spoofing: router can't know if data really comes from claimed source
If multiple apps. need special treatment, each has its own app. gateway.
Client software must know how to contact gateway.
e.g., must set IP address of proxy in Web browser
Filters often use all or nothing policy for UDP.
Tradeoff: degree of communication with outside world, level of security
Many highly protected sites still suffer from attacks.