Charles M. Kozierok The TCP-IP Guide
Подождите немного. Документ загружается.
The TCP/IP Guide - Version 3.0 (Contents) ` 1211 _ © 2001-2005 Charles M. Kozierok. All Rights Reserved.
mation to be exchanged. SNMP applications run on the NMS and provide the interface to
the human administrator, and allow information to be collected from the MIBs at each
SNMP agent, as shown in Figure 270. Simple! See, the name is good after all. ☺
Figure 270: SNMP Operational Model
This diagram shows a simplified implementation of SNMP, with one network management station used to
maintain three managed nodes. Each device has an SNMP Entity, and they communicate using SNMP
messages. The SNMP entity of the NMS consists of the SNMP Manager and one or more SNMP Applications;
the managed nodes each run an SNMP Agent and maintain a Management Information Base (MIB).
SNMP Entity
SNM P Age nt
Management
Information
Base (MIB)
SNMP Entity
SNMP Manager
SNM P
Application
SNM P
Application
SNM P
Application
Network Management
Station (NMS)
Managed
Node
SNMP Entity
SNM P Age nt
Management
Information
Base (MIB)
Managed
Node
SNMP Entity
SNM P Age nt
Management
Information
Base (MIB)
Managed
Node
SNMP
Messaging
SNMP
Messaging
The TCP/IP Guide - Version 3.0 (Contents) ` 1212 _ © 2001-2005 Charles M. Kozierok. All Rights Reserved.
Key Concept: SNMP allows a network administrator using a network management
station (NMS) to control a set of managed nodes. Each device incorporates an
SNMP entity that implements the technology. In an NMS, the entity consists of an
SNMP manager module and a set of SNMP applications; in a managed node, an SNMP
agent and management information base (MIB).
TCP/IP Internet Standard Management Framework Architecture and
Protocol Components
TCP/IP network management is based on the Simple Network Management Protocol,
abbreviated SNMP. As we saw in the overview topic, however, this term is ambiguous.
While it is commonly used to refer to the actual communication protocol used to exchange
network management information, the term also refers to the entire set of technologies that
enable TCP/IP network management. The technical name for this larger architecture is the
Internet Standard Management Framework. Again, even though it may seem strange, this
term is actually abbreviated in the standards as “SNMP”. For simplicity, I abbreviate it as the
“SNMP Framework”, to differentiate it from the SNMP protocol.
he Internet Standard Management Framework encompasses all of the technologies that
comprise the TCP/IP network management solution. The SNMP Framework consists of a
number of architectural components that define how management information is structured,
how it is stored, and how it is exchanged using the SNMP protocol. The Framework also
describes how the different components fit together, how SNMP is to be implemented in
network devices, and how the devices interact.
SNMP Framework Components
As we will explore in more detail later, the Internet Standard Management Framework is
entirely information-oriented. It includes the following primary components (see Figure
271):
☯ Structure of Management Information (SMI): To ensure interoperability of various
devices, we want to have a consistent way of describing the characteristics of devices
to be managed using SNMP. In computer science, a data description language (DDL)
is the tool for this job. The Structure of Management Information (SMI) is a standard
that defines the structure, syntax and characteristics of management information in
SNMP.
☯ Management Information Bases (MIBs): Each managed device contains a set of
variables that is used to manage it. These variables represent information about the
operation of the device that is sent to a network management station, and/or param-
eters sent to the managed device to control it. The management information base
(MIB) is the full set of these variables that describe the management characteristics of
a particular type of device.
Each variable in a MIB is called a MIB object, and is defined using the SMI data
description language. A device may have many objects, corresponding to the different
The TCP/IP Guide - Version 3.0 (Contents) ` 1213 _ © 2001-2005 Charles M. Kozierok. All Rights Reserved.
hardware and software elements it contains. Initially, a single document defined the
MIB for SNMP, but this model was inflexible. To allow new MIB objects to be more
easily defined, groups of related MIB objects are now defined in separate RFC
standards called MIB modules. Over 100 such MIB modules have been defined so far.
☯ Simple Network Management Protocol (SNMP): This is the actual SNMP protocol
itself. It defines how information is exchanged between SNMP agents and network
management stations. The SNMP protocol operations define the various SNMP
messages and how they are created and used. SNMP transport mappings describe
how SNMP can be used over various underlying internetworks, such as TCP/IP, IPX
and others.
☯ Security and Administration: To the three main architectural components above, the
SNMP Framework adds a number of supporting elements. These provide enhance-
ments to the operation of the SNMP protocol for security, and address issues related
to SNMP implementation, version transition and other administrative issues.
SNMP Framework Architecture
The creators of SNMP specifically designed the Framework to be modular because when
SNMP was originally created, it was seen as only a temporary solution until a transition
could be made to another network management protocol from the OSI protocol suite. The
modular architecture separated definitional, data and functional (protocol) elements, to
allow the SNMP protocol itself to be replaced without changing how network management
information was defined and described.
This transition to the OSI protocol never occurred, but the architecture has still proven
valuable in defining the entire scope of SNMP and in making its implementation much
simpler. Each of the major components above, the SMI, MIBs and SNMP itself, are
described in different standards. The modularity of the SNMP Framework has also allowed
Figure 271: Components of the TCP/IP Internet Standard Management Framework
Internet Standard Management Framework
(SNMP Framework)
Simple Network Management
Protocol (SNMP)
Management Information
Bases (MIBs)
Structure of Management
Information (SMI)
SNM P
Security
and
Administration
The TCP/IP Guide - Version 3.0 (Contents) ` 1214 _ © 2001-2005 Charles M. Kozierok. All Rights Reserved.
changes to be made to these components relatively independently of each other, making
the transition between SNMP versions easier than it would have been if one huge
document defined everything.
Key Concept: The three main components of the Internet Standard Management
Framework (SNMP Framework) are the Structure of Management Information (SMI),
Management Information Bases (MIBs) and the SNMP Protocol itself. These are
supported by SNMP security and administration elements.
TCP/IP Internet Standard Management Framework and SNMP Versions
(SNMPv1, SNMPv2 Variants, SNMPv3)
In the Networking Fundamentals chapter near the beginning if this Guide, I have a section
that discusses networking standards and their importance. I also explain the differences
between proprietary, de facto and open standards, and explain the many benefits of open
standards. History is replete with examples of technologies that have succeeded because
they used an open standard where a competing standard was proprietary.
TCP/IP and the Internet are often held up as a model for proper open standards devel-
opment. Thousands of TCP/IP standards have been developed and published using the
well-known “Request For Comments” (“RFC”) standardization process. The result has been
the most successful set of internetworking protocols in computing history, accepted and
used worldwide.
Nobody is perfect, however, and no process is perfect either. Some problems occurred in
the introduction of SNMP version 2, leading to a virtual breakdown in the normally smooth
protocol standardization method, and a proliferation of incompatible “variants” that we aren't
used to seeing in TCP/IP. The story behind this is a continuation of the general SNMP
overview and history from earlier in this section, and explains the many SNMP standard
names and numbers, so you can make sense of them. At the same time, the discussion
serves as a vivid reminder of how important proper standard development is, and what the
consequences are when there isn't universal agreement on how a standard should evolve.
SNMPv1
The first version of SNMP was developed in early 1988, and published in the form of three
RFC standards in August 1988. This first version is now known as SNMP version 1 or
SNMPv1. The three SNMPv1 standards provided the initial description of the three main
Internet Standard Management Framework components: the Structure of Management
Information (SMI), Management Information Bases (MIB) and the SNMP protocol itself.
However, the term “Internet Standard Management Framework” was not actually used at
that time.
The TCP/IP Guide - Version 3.0 (Contents) ` 1215 _ © 2001-2005 Charles M. Kozierok. All Rights Reserved.
SNMPv1 was generally accepted and widely deployed in many networks. SNMPv1 got the
job done and became the standard for TCP/IP network management; it is still widely used
today. It is the “Old Faithful” of SNMP versions. Slight revisions were made to the initial
standards and more and more MIB modules were defined over time, but the technology
remained the same for a number of years.
As with any technology, users of SNMPv1 identified weaknesses in it and opportunities for
improvement, over time. One of the areas in which SNMPv1 was most criticized was the
area of security. SNMP version 1 used only a “trivial” (as RFC 3410 puts it) authentication
scheme using a password-like construct called a community string.
The issue of security turned out to be the bone of contention that eventually led to serious
problems in the development of SNMP. Some people felt that community strings were suffi-
cient security, but many others felt it was important that better security be put into SNMP.
There were many different ways proposed to add security to SNMP, and no universal
agreement on how to do it. The points raised about the security weaknesses in the original
SNMPv1 had some validity, as I explore in the SNMP protocol operations section.
SNMPsec
The first attempt to add security to SNMP came in the form of three standards published in
July 1992 that defined a new security mechanism using logical identifiers called parties.
This is sometimes called SNMP Security or SNMPsec. This method was more secure than
the original SNMPv1, but SNMPsec was never widely accepted, and is now considered
“historic”.
SNMPv2
While SNMPsec went away, the idea of party-based security it introduced never did. It was
used as the basis of the definition of the first full revision of SNMP, when SNMP Version 2
(SNMPv2) was published in RFCs 1441 through 1452 in April 1993. This new version incor-
porated the new security model, as well as making changes to the actual SNMP protocol
operations, changes to the Structure of Management Information (SMI) standard (defining
version 2 of SMI, SMIv2), and formalizing the concept of the Internet Standard Management
Framework.
Unfortunately, this new standard too was never universally accepted. Some people thought
the whole new version was a great advance, but others took issue with the party-based
security, claiming it was too complex. I am not familiar with all the details, but from what I
understand, a great deal of debate and discussion took place over the next couple of years,
as an attempt was made to get everyone “on board” with the new version.
The TCP/IP Guide - Version 3.0 (Contents) ` 1216 _ © 2001-2005 Charles M. Kozierok. All Rights Reserved.
SNMPv2 Variants
Acceptance of SNMPv2 never happened. Instead, different “splinter groups” broke off and
began work on variants of SNMPv2. To prevent confusion, the original SNMPv2 became
known as either SNMPv2 classic (reminiscent of the name a particular soft drink) or
SNMPv2p, with the “p” referring to “party-based” security. Things got very interesting (and
confusing) when the following were proposed and/or developed:
☯ SNMPv1.5: I can tell immediately that an idea is probably going to be a problem when
it proposes a version number lower than a number already standardized. SNMPv1.5
was an attempt to retain the “uncontroversial” elements in SNMPv2p—the enhance-
ments to the SNMP protocol and SMI—while going back to community-based security
as in SNMPv1. It never became a standard itself, but became the basis of…
☯ Community-Based SNMPv2 (SNMPv2c): This is SNMPv2p modified to use
community strings instead of party-based security; in essence, the same idea as
SNMPv1.5 but with a more “official-sounding” name and a few changes. Interestingly,
the standard that defines this, RFC 1901, still has an “experimental” status, despite the
fact that SNMPv2c actually achieved some degree of commercial success where the
“standard” SNMPv2p did not.
SNMPv2c was defined by standards RFC 1902 through 1908, which incorporate other
changes including a new version of SMI (SMIv2).
☯ User-Based SNMPv2 (SNMPv2u): This is an alternative security method for
SNMPv2c, which is based on users rather than community strings. It is considered
simpler than party-based but more secure than community-string security. It is defined
by RFC 1909 and RFC 1910. It too is formally considered “experimental”.
☯ SNMPv2*: As if all of the above was not enough, a well-known vendor decided to
define another variant called SNMPv2* that combined elements of SNMPv2p and
SNMPv2u. This was never formally standardized. (Yes, that's an asterisk in the name.
No, there's no footnote at the bottom of this topic, so don’t bother looking for one. Yes,
putting an asterisk in a name is extremely confusing. No, I don't know how it is that
marketing people get paid good money to come up with names like that. ☺)
Now, imagine that you were a network administrator in the mid-1990s and were faced with
SNMPv2p, SNMPv2c, SNMPv2u and SNMPv2*. Which one would you choose? Well, if you
are like most people, you'd choose “none of the above”, saying “I think I'll stick with
SNMPv1 until these version 2 folks get their act together”. And that's basically what
happened. Some proponents of these variations promoted them, but there was never any
agreement and the result was that the success of all of the various and sundry SNMPv2's
was limited. As I said, a classic illustration of how important universal standardization is.
SNMPv3
I would imagine that at some point, everyone realized that the situation was a mess, and
decided “enough is enough”. In 1996 work began on a new approach to resolve the
outstanding issues and return universality to SNMP. In 1998, SNMP version 3 (SNMPv3)
was developed, which includes additional enhancements to SNMP and finally gets all the
players back on the same team.
The TCP/IP Guide - Version 3.0 (Contents) ` 1217 _ © 2001-2005 Charles M. Kozierok. All Rights Reserved.
SNMPv3 is the most current version of SNMP and is still being actively revised. One of the
important changes in SNMPv3 is a more formalized way of handing different security
approaches to SNMP—obviously, a lesson learned from the SNMPv2 experience.
SNMPv3 uses SNMPv2 protocol operations and its PDU message format, and the SMIv2
standard from SNMPv2 as well. SNMPv3 allows a number of different security methods to
be incorporated into its architecture, and includes standards describing user-based security
as defined in SNMPv2u and SNMPv2* as well as a new view-based access control model.
It also includes additional tools to aid in the administration of SNMP.
TCP/IP Internet Standard Management Framework and SNMP Standards
We've now seen that there are three different versions of the Internet Standard
Management Framework. Some of these versions have different variants. Each version or
variant of the Framework includes multiple modular components. Each component has one
or more documents that define it. Some of these have multiple revisions. Add to that
dozens of individual Management Information Bases (MIBs) defined for SNMP and other
support documents and what do you have? A boatload of TCP/IP standards, that's what.
There are probably more RFCs defining parts of SNMP than any other single TCP/IP
protocol or technology.
It is specifically because there are so many versions and components and documents
associated with SNMP that I feel it is important to keep all the standards straight. To that
end I have created a number of tables, which show the major SNMP standards for each of
the versions and variants of the SNMP Framework. Each individual RFC defines one
component of one version of the Framework.
The usual way that RFCs work is that when new versions of a standard are released that
are direct replacements for older ones, the older ones are “obsoleted” by the new ones.
With SNMP, due to the many versions and the controversy over the variants, this is a bit
unclear. For example, the standards defining SNMPv2p are not considered by the IETF to
obsolete the standards for SNMPv1, but the IETF says the standards for SNMPv2c and
SNMPv2u do obsolete those of SNMPv2p.
To keep all of this distinct I have made the decision to show the standards for each version
or variant separately. I only put the RFC numbers for obsolete RFCs where those RFCs are
for the same SNMP version or variant. For example, RFC 3410 obsoletes 2570 because
they both deal with SNMPv3 and 3410 is a direct replacement for 2570. Also, there are a
few cases where the name of a standard changed slightly between RFC numbers; I have
shown the current name.
The TCP/IP Guide - Version 3.0 (Contents) ` 1218 _ © 2001-2005 Charles M. Kozierok. All Rights Reserved.
Each of the six tables below shows the current and obsoleted standards for one of the
SNMP versions or variants: SNMPv1 (Table 200); SNMPSec (Table 201); SNMPv2p (Table
202); SNMPv2c (Table 203); SNMPv2u (Table 204) and SNMPv3 (Table 205). (SNMPv2*
was not standardized using the regular RFC process.)
Table 200: SNMP Version 1 (SNMPv1) Standards
Obsolete
RFCs
Most
Recent RFC
Date of
Most
Recent RFC
Standard Name
1065 1155 May 1990
Structure and identification of management information for
TCP/IP-based internets
1066 1156 May 1990
Management Information Base for network management
of TCP/IP-based internets
1067, 1098 1157 May 1990 Simple Network Management Protocol (SNMP)
1158 1213 March 1991
Management Information Base for Network Management
of TCP/IP-based internets: MIB-II
Table 201: SNMP Security (SNMPSec) Standards
Obsolete
RFCs
Most
Recent RFC
Date of
Most
Recent RFC
Standard Name
— 1351 July 1992 SNMP Administrative Model
— 1352 July 1992 SNMP Security Protocols
— 1353 July 1992
Definitions of Managed Objects for Administration of
SNMP Parties
Table 202: Party-Based SNMP Version 2 (SNMPv2p) Standards (Page 1 of 2)
Obsolete
RFCs
Most
Recent RFC
Date of
Most
Recent RFC
Standard Name
— 1441 April 1993
Introduction to version 2 of the Internet-standard Network
Management Framework
— 1442 April 1993
Structure of Management Information for version 2 of the
Simple Network Management Protocol (SNMPv2)
— 1443 April 1993
Textual Conventions for version 2 of the Simple Network
Management Protocol (SNMPv2)
— 1444 April 1993
Conformance Statements for version 2 of the Simple
Network Management Protocol (SNMPv2)
— 1445 April 1993
Administrative Model for version 2 of the Simple Network
Management Protocol (SNMPv2)
— 1446 April 1993
Security Protocols for version 2 of the Simple Network
Management Protocol (SNMPv2)
The TCP/IP Guide - Version 3.0 (Contents) ` 1219 _ © 2001-2005 Charles M. Kozierok. All Rights Reserved.
— 1447 April 1993
Party MIB for version 2 of the Simple Network
Management Protocol (SNMPv2)
— 1448 April 1993
Protocol Operations for version 2 of the Simple Network
Management Protocol (SNMPv2)
— 1449 April 1993
Transport Mappings for version 2 of the Simple Network
Management Protocol (SNMPv2)
— 1450 April 1993
Management Information Base for version 2 of the Simple
Network Management Protocol (SNMPv2)
— 1451 April 1993 Manager-to-Manager Management Information Base
— 1452 April 1993
Coexistence between version 1 and version 2 of the
Internet-standard Network Management Framework
Table 203: Community-Based SNMP Version 2 (SNMPv2c) Standards
Obsolete
RFCs
Most
Recent RFC
Date of
Most
Recent RFC
Standard Name
— 1901 January 1996 Introduction to Community-based SNMPv2
— 1902 January 1996
Structure of Management Information for Version 2 of the
Simple Network Management Protocol (SNMPv2)
— 1903 January 1996
Textual Conventions for Version 2 of the Simple Network
Management Protocol (SNMPv2)
— 1904 January 1996
Conformance Statements for Version 2 of the Simple
Network Management Protocol (SNMPv2)
— 1905 January 1996
Protocol Operations for Version 2 of the Simple Network
Management Protocol (SNMPv2)
— 1906 January 1996
Transport Mappings for Version 2 of the Simple Network
Management Protocol (SNMPv2)
— 1907 January 1996
Management Information Base for Version 2 of the Simple
Network Management Protocol (SNMPv2)
— 1908 January 1996
Coexistence between Version 1 and Version 2 of the
Internet-standard Network Management Framework
Table 202: Party-Based SNMP Version 2 (SNMPv2p) Standards (Page 2 of 2)
Obsolete
RFCs
Most
Recent RFC
Date of
Most
Recent RFC
Standard Name
The TCP/IP Guide - Version 3.0 (Contents) ` 1220 _ © 2001-2005 Charles M. Kozierok. All Rights Reserved.
In addition to all of these tables, as I mentioned before, there are dozens of supplemental
RFCs that describe MIB modules and also clarify various fine points of operation related to
SNMP. Listing all of these would… make me go insane. Sorry, those tables were bad
enough. ☺ You can find all the MIBs in an online list of RFCs by searching for “MIB” or
“SNMP”.
Table 204: User-Based SNMP Version 2 (SNMPv2u) Standards
Obsolete
RFCs
Most
Recent RFC
Date of
Most
Recent RFC
Standard Name
— 1909
February
1996
An Administrative Infrastructure for SNMPv2
— 1910
February
1996
User-based Security Model for SNMPv2
Table 205: SNMP Version 3 (SNMPv3) Standards
Obsolete
RFCs
Most
Recent RFC
Date of
Most
Recent RFC
Standard Name
— 2576 March 2000
Coexistence between Version 1, Version 2, and Version 3
of the Internet-standard Network Management Framework
— 2578 April 1999 Structure of Management Information Version 2 (SMIv2)
— 2579 April 1999 Textual Conventions for SMIv2
— 2580 April 1999 Conformance Statements for SMIv2
2570 3410
December
2002
Introduction and Applicability Statements for Internet-
Standard Management Framework
2261, 2271,
2571
3411
December
2002
An Architecture for Describing Simple Network
Management Protocol (SNMP) Management Frameworks
2262, 2272,
2572
3412
December
2002
Message Processing and Dispatching for the Simple
Network Management Protocol (SNMP)
2263, 2273,
2573
3413
December
2002
Simple Network Management Protocol (SNMP)
Applications
2264, 2274,
2574
3414
December
2002
User-based Security Model (USM) for version 3 of the
Simple Network Management Protocol (SNMPv3)
2265, 2275,
2575
3415
December
2002
View-based Access Control Model (VACM) for the Simple
Network Management Protocol (SNMP)
— 3416
December
2002
Version 2 of the Protocol Operations for the Simple
Network Management Protocol (SNMP)
— 3417
December
2002
Transport Mappings for the Simple Network Management
Protocol (SNMP)
— 3418
December
2002
Management Information Base (MIB) for the Simple
Network Management Protocol (SNMP)