Chapter 8 - Network Management: Malfunction

8: Network Management 1
Chapter 8
Network
Management
network
data link
physical
application
transport
network
data link
physical
As we have learned thus far, computer networks are complex
systems of numerous hardware and software components.
As such, they are subject to operational problems involving
outage, malfunction, mis-configuration, poor performance,
and other issues. In this final chapter, we will briefly look
at the architecture, protocols and tools available to identify
and solve these problems.
network
data link
physical
network
data link
physical
network
data link
physical
network
data link
physical
network
data link
physical
network
data link
physical
network
data link
physical
application
transport
network
data link
physical
application
transport
network
data link
physical
Chapter 8: Network Management
Chapter goals:
introduction to network management
motivation
major components
Internet network management framework
MIB: management information base
SMI: data definition language
SNMP: protocol for network management
security and administration
presentation services: ASN.1
firewalls

Network management motivation
networks are complex autonomous systems
Consisting of 100s (or 1000s) of interacting hardware and
software components
"Network management includes the deployment, integration
and coordination of the hardware, software, and human
elements to monitor, test, poll, configure, analyze, evaluate,
and control the network and element resources to meet the
real-time, operational performance, and Quality of Service
requirements at a reasonable cost."
the network management infrastructure does NOT:
dictate decision making policies
address resource provisioning/service management issues
Motivation for network management stuff
happens
managed device
managed device
managed device
managed device
performance problems
device faults
configuration issues
security problems
software bugs
accounting/billing issues
numerous potential issues/problems to deal with
For example:
UTA ACS
Abilene Net
Network management: 4 key goals
Monitor
see whats happening
host interfaces, traffic levels, service levels,
security, performance, routing table changes,
etc.
Analyze
determine what it means
Reactively control
take action based on what is happening
Proactively manage
take action based on what current trends tell
you to will happen
Infrastructure for network management
agent
data
agent
data
agent
data
agent
data
managed device
managed device
managed device
managed device
managing
entity
data
network
management
protocol
definitions:
managed devices contain
managed objects whose
data is gathered into a
Management Information
Base (MIB)

managing entity*
* AKA - Network Management
Station (NMS)
SNMP Protocol
(Commands,
Replies,Traps)
A typical Network Management Systems
Network
Management
Console
Network
Management
MIB
Managed
Devices
Network Management standards
OSI CMIP
Common Management
Information Protocol
designed 1980s: the
unifying net
management standard
too slowly
standardized

SNMP: Simple Network
Management Protocol
Internet roots (SGMP
ISMF)
started simple
deployed, adopted rapidly
growth: size, complexity
currently: SNMP V3
(released April 1999)
de facto network
management standard
SNMP overview: 4 key parts of the
Internet network management framework
Management information base (MIB):
distributed information store of network
management data (MIB objects)
Structure of Management Information (SMI):
data definition language for MIB objects
SNMP protocol
convey manager<->managed object info, commands
Security & administration capabilities
major addition in SNMPv3
SMI: data definition language
(RFC 2578)
Purpose: syntax, semantics of
management data well-
defined, unambiguous
base data types:
straightforward, boring
OBJECT-TYPE
data type, status,
semantics of managed
object
MODULE-IDENTITY
groups related objects
into MIB module
Basic Data Types
INTEGER
Integer32
Unsigned32
OCTET STRING
OBJECT IDENTIFIER
IPaddress
Counter32
Counter64
Guage32
Time Ticks
Opaque
SNMP MIB
OBJECT-TYPE:
OBJECT-TYPE:
OBJECT-TYPE:
objects specified via SMI
OBJECT-TYPE construct

MIB module specified via SMI
MODULE-IDENTITY
(100s of standardized MIBs, more vendor-
specific)

MODULE
SMI: Object, module examples
OBJECT-TYPE: ipInDelivers MODULE-IDENTITY: ipMIB
ipInDelivers OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
The total number of input
datagrams successfully
delivered to IP user-
protocols (including ICMP)
::= { ip 9}
ipMIB MODULE-IDENTITY
LAST-UPDATED 941101000Z
ORGANZATION IETF SNPv2
Working Group
CONTACT-INFO
Keith McCloghrie

DESCRIPTION
The MIB module for managing IP
and ICMP implementations, but
excluding their management of
IP routes.
REVISION 019331000Z

::= {mib-2 48}
Note: RFC 2011-IP MIB, RFC 2012-
TCP MIB, RFC 2013-UDP MIB,
SNMP Naming (OBJECT IDENTIFIER)
question: how to name every possible standard
object (protocol, data, more..) in every
possible network standard??
answer: ISO Object Identifier tree:
hierarchical naming of all objects
each branchpoint has name, number
1.3.6.1.2.1.7.1
ISO
ISO-ident. Org.
US DoD
Internet
udpInDatagrams
UDP
MIB2
management
Check out www.alvestrand.no/harald/objectid/top.html
ISO
Object
Identifier
Tree
MIB example: UDP module
Object ID Name Type Comments
1.3.6.1.2.1.7.1 UDPInDatagrams Counter32 # UDP datagrams delivered
at this node
1.3.6.1.2.1.7.2 UDPNoPorts Counter32 # undeliverable datagrams,
no application at port
1.3.6.1.2.1.7.3 UDInErrors Counter32 # undeliverable datagrams,
all other reasons
1.3.6.1.2.1.7.4 UDPOutDatagrams Counter32 # UDP datagrams sent
1.3.6.1.2.1.7.5 udpTable SEQUENCE one entry for each port
UDP Entry in use by app, gives port #
and IP address
SNMP protocol
Two ways to convey MIB info, commands:
agent data
Managed device
managing
entity
response
agent data
Managed device
managing
entity
trap msg.
request
request/response mode trap mode
SNMP protocol: message types
GetRequest (0)
GetNextRequest (1)
GetBulkRequest (5)
Mgr-to-Agent: get me data
(instance,next in list, block)
Message type Function
InformRequest (6) Mgr-to-Mgr: heres MIB value
SetRequest (3)
Mgr-to-Agent: set MIB value
Response (2)
Agent-to-Mgr: value, response to
Request
Trap (7) Agent-to-Mgr: inform manager
of exceptional event
SNMP protocol: message formats
Trap
messages
Get,
Set,
Inform,
Response
messages
SNMP security and administration
encryption: DES-encrypt SNMP message
authentication: compute, send MIC(m,k):
compute hash (MIC) over message (m),
secret shared key (k)
protection against playback: use nonce
view-based access control
SNMP entity maintains database of access
rights, policies for various users
database itself accessible as managed object!
MIC: Message Integrity Code (like a digital signature)
The presentation problem
Q: does perfect memory-to-memory copy
solve the communication problem?
A: not always!
problem: different data format, storage conventions
(e.g. big-endian, little-endian)
struct {
char code;
int x;
} test;
test.x = 259;
test.code=a
a
00000001
00000011
a

00000011
00000001
test.code
test.x
test.code

test.x
host 1 format
host 2 format
Solving the presentation problem
1. Translate local-host format to host-independent format
2. Transmit data in host-independent format
3. Translate host-independent format to remote-host
format
ASN.1: Abstract Syntax Notation 1
The language of standards writers.
ISO standard X.680
used extensively in Internet
defined data types, object constructors
like SMI
BER: Basic Encoding Rules (ITU-T X.209, X.690)
specify how ASN.1-defined data objects to be
transmitted
each transmitted object has Type, Length, Value
(TLV) encoding

ASN.1: Abstract Syntax Notation 1
Encoding Rules
BER - for management of the Internet, exchange
of electronic mail, control of telephone/computer
interactions
DER - specialized form of BER that is used in
security-conscious applications
CER another specialized form of BER that is
meant for use with huge messages
PER - recent version with more efficient
algorithms that result in faster and more compact
encodings; used in applications that are bandwidth
or CPU starved, such as air traffic control and
audio-visual telecommunications
TLV Encoding
Idea: transmitted data is self-identifying
T: data type, one of ASN.1-defined types
L: length of data in bytes
V: value of data, encoded according to ASN.1
standard
1
2
3
4
5
6
9
Boolean
Integer
Bit String
Octet string
Null
Object Identifier
Real
Tag
Value Type
TLV
encoding:
example
Value, 5 octets (chars)
Length, 5 bytes
Type=4, octet string
Value, 259
Length, 2 bytes
Type=2, integer
TLV encoding -
another example:
A Personnel Record:

Name: John P Smith
Date of Birth: 17 July 1959
(other data)
The ASN.1 description of a personnel record
(the standard) might be:

PersonnelRecord ::= [APPLICATION 0] IMPLICIT
SET {
Name,
title [0] VisibleString,
dateOfBirth [1] Date,
(other types defined) }

Name ::= [APPLICATION 1] IMPLICIT SEQUENCE {
givenName VisibleString,
initial VisibleString,
familyName VisibleString }
The application maps the personnel data into the
personnel record structure (ASN.1 data format), and then
applies the Basic Encoding Rules (BER) to the ASN.1 data:

Personnel
Record Length Contents
60 8185
Name Length Contents
61 10
VisibleString Length
Contents
1A 04
"John"
Contents
1A 01 "P"
Contents
1A 05
"Smith"
DateofBirth Length Contents
A0 0A
Date Length
Contents
43 08
"19590717"
Finally, what gets transmitted
(sent as application data to the
layer below in the protocol
stack)would be:

60 81 85 61 10 1A 04
Firewalls
Two firewall types:
packet filter
application gateway
To prevent denial of service
attacks:
SYN flooding: attacker
establishes many bogus
TCP connections.
Attacked host allocates
TCP buffers for bogus
connections, none left
for real connections.
To prevent illegal modification
of internal data.
e.g., attacker replaces
CIAs homepage with
something else
To prevent intruders from
obtaining secret info.
isolates organizations internal
net from larger Internet,
allowing some packets to pass,
blocking others.
firewall
Packet Filtering
Internal network is
typically connected to
Internet through a
router.
Router manufacturer
provides options for
filtering packets, based
on (for example):
source IP address
destination IP address
TCP/UDP source and
destination port
numbers
ICMP message type
TCP SYN and ACK bits
Example 1: block incoming
and outgoing datagrams
with IP protocol field = 17
and with either source or
destination port = 23.
All incoming and outgoing
UDP flows and telnet
connections are blocked.
Example 2: Block inbound
TCP segments with ACK
bit=0.
Prevents external clients
from making TCP
connections with internal
clients, but allows internal
clients to connect to
outside.
Application gateways
Filters packets on
application data as well
as on IP/TCP/UDP fields.
Example: allow select
internal users to telnet
outside.
host-to-gateway
telnet session
gateway-to-remote
host telnet session
application
gateway
router and filter
1. Require all telnet users to telnet through gateway.
2. For authorized users, gateway sets up telnet connection to
dest host. Gateway relays data between 2 connections
3. Router filter blocks all telnet connections not originating
from gateway.
Limitations of firewalls and gateways
IP spoofing: router
cant know if data
really comes from
claimed source
If multiple apps. need
special treatment, each
has own app. gateway.
Client software must
know how to contact
gateway.
e.g., must set IP address
of proxy in Web
browser
Filters often use all or
nothing policy for UDP.
Tradeoff: degree of
communication with
outside world, level of
security
Many highly protected
sites still suffer from
attacks.

Chapter 8 - Network Management: Malfunction

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Chapter 8 - Network Management: Malfunction

Uploaded by

Copyright:

Available Formats

8: Network Management 1

You might also like