Systems and Network Management: Revision Exercises with SNMP, DHCP — Solutions
Nick Urbanik, ver. 1.3

1 Background

1.1 SNMP

• snmp is an Internet ietf standard, open protocol, broadly supported by most network equipment vendors.
• A networked device that supports snmp runs software called an agent.
• The agent provides many managed objects.
• Each managed object is identified by an object identifier, oid, which has a numeric form (e.g., .1.3.6.1.2.1) and may also have a named form (e.g., .iso.org.dod.internet.mgmt.mib-2).

1.1.1 Management Information Base, ASN.1

• The definition of each managed object is in the Management Information Base, mib, which is defined by text files written in Abstract Syntax Notation One, asn.1.
• Standard mibs are written in the standards documents of the Internet, Requests For Comments, rfcs, which are freely downloadable from many sites on the Internet.

1.1.2 Structure of Management Information

• The format of each entry in the mib is defined by the Structure of Management Information, smi.
• The smi defines (among other things):
  ◦ part of the mib tree structure;
  ◦ the syntax (data types) that are allowed;
  ◦ the access allowed to a managed object (for example, read-only, read-write, not-accessible).
• asn.1 defines these basic types used in smi:
  ◦ INTEGER: a number; the allowable range of values can be specified.
  ◦ OCTET STRING: a string of bytes.
  ◦ OBJECT IDENTIFIER: an oid.

1.1.3 Versions of SNMP, SMI

• There are two versions of smi: smi v1 for snmp version 1, and smi v2 for snmp versions 2 and 3.
• smi version 1 defines the following types in terms of the basic asn.1 types above:
  ◦ Counter: 32-bit unsigned value that wraps (i.e., after reaching 2^32 − 1, it goes back to zero).
  ◦ Gauge: 32-bit unsigned value that can increase or decrease but does not wrap.
  ◦ IpAddress: 32-bit ip version 4 address.
  ◦ TimeTicks: 32-bit count in hundredths of a second.
  ◦ Opaque: allows any kind of data.
• smi version 2 defines these data types:
  ◦ Integer32: a 32-bit signed integer.
  ◦ Counter32: same as Counter (wraps; counts to 2^32 − 1 then back to 0).
  ◦ Gauge32: same as Gauge (does not wrap).
  ◦ Unsigned32: 32-bit unsigned value.
  ◦ Counter64: same as Counter32, except it uses 64 bits, a useful extension to cope with fast networks, where a Counter32 would wrap in less than one hour (an octet counter running at 10 Mbit/s wraps in about 57 minutes; at 1 Gbit/s in about 34 seconds). If a counter wraps more than once between two polls, the management station cannot detect the missed wraps, and reports a much lower data flow than actually occurred.
  ◦ BITS: a set of named bits.
• snmp operations (all versions) are:
  ◦ get-request: given an exact oid, complete with instance number, the manager requests exactly that managed object’s data.
  ◦ get-next-request: given an oid as a starting point, the manager asks the agent to do a depth-first (lexicographic) traversal of the mib tree, find the next oid, and return its data.
  ◦ set-request: the manager writes a new value to a writable object on the agent.
  ◦ response: the answer sent back by the agent to a get-request, get-next-request, or set-request operation sent by the management station.
  ◦ trap: a pdu sent by the agent to the manager indicating that something needs attention. The manager does not send any acknowledgement back.
• snmp versions 2 and 3 add these operations:
  ◦ get-bulk-request: sent by the manager to the agent, requesting the efficient transfer of large amounts of data; especially used for table data.
  ◦ inform-request: sent by a manager or agent to a manager; the reply is a response. It is like a trap, but has an acknowledgement.
  ◦ report: named in version 2 but with no defined use there; version 3 uses it between snmp engines to report errors such as an unknown engine id or a message outside the time window.
• Each operation is authenticated; in versions 1 and 2c, the authentication is by a plain-text shared password called a community string.
• Since these community strings can be easily read by any network sniffer, such as ethereal or tcpdump, community string based snmp must never be accessible from the Internet. Version 3 has a much more comprehensive (and complex) authentication and encryption scheme that is much more secure. snmp v3 products are now available from a number of companies, including Cisco.
• snmp version 2 introduces additional standard mibs, in particular the security and snmpv2 mib subgroups. There are also changes to the system and snmp subgroups compared with version 1.

1.1.4 mib-2 group, tables and instance numbers

• We studied the ifTable (interface table) in the mib-2 mib group, because it contains information about all the network interfaces on a managed device.
• Each interface has one row in the table, distinguished by an index called an instance number.
• We can recognise each interface by the ifDescr (interface description) field:

$ snmpwalk ictlab public ifDescr
interfaces.ifTable.ifEntry.ifDescr.1 = lo
interfaces.ifTable.ifEntry.ifDescr.2 = eth0

• This allows us to determine that the row in the table with instance number 1 is the loopback interface lo, and the row with instance number 2 is the Ethernet interface, eth0.
• Cricket uses this method to automatically map names to entries in the table; this is called instance mapping.
• You monitored network traffic in and out of each network interface using the entries in the ifTable: ifInOctets and ifOutOctets.
• Scalar objects, such as system.sysUpTime, have an instance number of zero.
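The warning in 1.1.3 above (and the answer to question 1 in section 2.1) says that a sniffer can read community strings. The following is an added example, not part of these notes: it encodes an snmp version 2c get-request for sysUpTime.0 with a small hand-written BER encoder, then pulls the community string back out of the raw bytes exactly as tcpdump or ethereal would, with no key material at all. The encoder, the request id of 1 and the community "public" are this example's own choices.

```python
"""Added example (not from the original notes): build an SNMPv2c get-request
for sysUpTime.0 with a minimal BER encoder, then recover the community string
from the raw message the way a passive sniffer on the wire can."""

SYS_UPTIME_0 = (1, 3, 6, 1, 2, 1, 1, 3, 0)   # system.sysUpTime.0


def ber_length(n):
    """BER length field: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + ber_length(len(value)) + value


def encode_integer(n):
    """Minimal-length two's complement, as BER INTEGER requires."""
    length = 1
    while not -(1 << (8 * length - 1)) <= n < (1 << (8 * length - 1)):
        length += 1
    return tlv(0x02, n.to_bytes(length, "big", signed=True))


def encode_octet_string(data):
    return tlv(0x04, data)


def encode_null():
    return tlv(0x05, b"")


def encode_oid(arcs):
    """First two arcs share one byte (40*a+b); later arcs are base 128 with
    the high bit set on every byte except the last."""
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def encode_sequence(*items):
    return tlv(0x30, b"".join(items))


def build_get_request(community, oid, request_id=1, version=1):
    """Message ::= SEQUENCE { version INTEGER, community OCTET STRING,
    data GetRequest-PDU }. Version value 1 on the wire means SNMPv2c."""
    varbind = encode_sequence(encode_oid(oid), encode_null())
    pdu = tlv(0xA0, encode_integer(request_id)      # [0] GetRequest-PDU
              + encode_integer(0)                   # error-status
              + encode_integer(0)                   # error-index
              + encode_sequence(varbind))           # VarBindList
    return encode_sequence(encode_integer(version),
                           encode_octet_string(community.encode()), pdu)


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, pos + 2, pos + 2 + first
    n = first & 0x7F
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, pos + 2 + n, pos + 2 + n + length


def sniff_community(packet):
    """What a sniffer sees in any v1/v2c message: version and community sit
    in clear text immediately inside the outer SEQUENCE."""
    tag, start, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, vstart, vend = read_tlv(packet, start)
    version = int.from_bytes(packet[vstart:vend], "big", signed=True)
    tag, cstart, cend = read_tlv(packet, vend)
    if tag != 0x04:
        raise ValueError("expected community OCTET STRING")
    return version, packet[cstart:cend].decode(errors="replace")


if __name__ == "__main__":
    pkt = build_get_request("public", SYS_UPTIME_0)
    print(pkt.hex())
    print(sniff_community(pkt))
```

The same `sniff_community` call works on the udp payload of any captured port 161 or 162 datagram, which is all a sniffer needs: there is no secret involved in reading the message, only in knowing the string. A version 3 message carries no community string at all; with authentication and privacy enabled, the pdu is also encrypted.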
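To show the get-request / get-next-request distinction and the instance mapping described in 1.1.3 and 1.1.4 in working code, here is an added example (not from these notes) of a toy in-memory agent whose mib is a lexicographically ordered list of oids. It also includes the Counter32 rate calculation a poller of ifInOctets must do across a wrap. The sample agent data is constructed to resemble the ictlab output above; the oid constants are the standard mib-2 ones.

```python
"""Added example (not from the original notes): an in-memory toy agent that
keeps its MIB in lexicographic OID order, so get-request needs the exact
instance while get-next-request and a walk find it; plus instance mapping
from ifDescr and a wrap-safe Counter32 rate."""
import bisect

COUNTER32_MOD = 1 << 32

# OID prefixes (no instance) for the mib-2 objects used in the notes.
SYS_UPTIME = (1, 3, 6, 1, 2, 1, 1, 3)           # system.sysUpTime (scalar)
IF_DESCR = (1, 3, 6, 1, 2, 1, 2, 2, 1, 2)       # ifTable.ifEntry.ifDescr
IF_IN_OCTETS = (1, 3, 6, 1, 2, 1, 2, 2, 1, 10)  # ifTable.ifEntry.ifInOctets

NO_SUCH_INSTANCE = "No Such Instance currently exists"


class Agent:
    """Managed objects keyed by the full OID tuple, instance included.
    Python orders tuples element by element with a shorter prefix first,
    which is exactly the tree order get-next-request walks."""

    def __init__(self, objects):
        self.objects = dict(objects)
        self.order = sorted(self.objects)

    def get(self, oid):
        """get-request: the OID must match an instance exactly."""
        return self.objects.get(oid, NO_SUCH_INSTANCE)

    def get_next(self, oid):
        """get-next-request: first OID strictly after `oid`, or end of MIB."""
        i = bisect.bisect_right(self.order, oid)
        if i == len(self.order):
            return None, "End of MIB"
        return self.order[i], self.objects[self.order[i]]

    def walk(self, prefix):
        """snmpwalk: repeat get-next until the returned OID leaves the subtree."""
        oid, rows = prefix, []
        while True:
            oid, value = self.get_next(oid)
            if oid is None or oid[:len(prefix)] != prefix:
                return rows
            rows.append((oid, value))

    def set(self, oid, value):
        """Used here only to simulate the counter advancing between polls."""
        self.objects[oid] = value


def instance_map(agent):
    """Cricket-style instance mapping: interface name -> instance number."""
    return {descr: oid[-1] for oid, descr in agent.walk(IF_DESCR)}


def counter_delta(prev, curr, modulus=COUNTER32_MOD):
    """Octets counted between two polls, assuming at most one wrap. If the
    counter wrapped twice the result is silently too low: that is the case
    Counter64 exists for."""
    return (curr - prev) % modulus


def seconds_to_wrap(bits_per_second, bits=32):
    """Worst-case lifetime of an octet counter at full line rate."""
    return (1 << bits) * 8 / bits_per_second


def build_sample_agent():
    """Constructed data, shaped like the ictlab output in the notes."""
    return Agent({
        SYS_UPTIME + (0,): 103721046,
        IF_DESCR + (1,): "lo",
        IF_DESCR + (2,): "eth0",
        IF_IN_OCTETS + (1,): 1234,
        IF_IN_OCTETS + (2,): COUNTER32_MOD - 1000,   # about to wrap
    })


def poll_rate(agent, descr, later_value, interval_s):
    """Bytes/s on interface `descr` between now and a later poll that reads
    `later_value` (the agent's counter is advanced to simulate that poll)."""
    oid = IF_IN_OCTETS + (instance_map(agent)[descr],)
    first = agent.get(oid)
    agent.set(oid, later_value)
    return counter_delta(first, later_value) / interval_s


if __name__ == "__main__":
    agent = build_sample_agent()
    print(agent.get(SYS_UPTIME))            # No Such Instance: the .0 is missing
    print(agent.get(SYS_UPTIME + (0,)))     # 103721046
    print(agent.get_next(SYS_UPTIME))       # sysUpTime.0, found by tree order
    print(instance_map(agent))              # {'lo': 1, 'eth0': 2}
    print(poll_rate(agent, "eth0", 3000, 10))   # 400.0 bytes/s across the wrap
    print(seconds_to_wrap(10_000_000))      # about 3436 s: under an hour at 10 Mbit/s
```

A naive `curr - prev` would report a large negative number at the wrap; the modulo keeps the rate right, but only while polls come more often than the counter can wrap.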
• The get-request snmp operation requires the exact oid, including the instance number:

$ snmpget -v 2c ictlab public sysUpTime
system.sysUpTime = No Such Instance currently exists
$ snmpget -v 2c ictlab public sysUpTime.0
system.sysUpTime.0 = Timeticks: (103721046) 12 days, 0:06:50.46

1.2 DHCP

The dhcp client moves through the states shown in the state diagram in figure 1. Table 1 lists all the dhcp messages, and their purpose.

Figure 1: The dhcp client moves through the states shown in this state diagram.

DHCPDISCOVER - Client broadcast to locate available servers.
DHCPOFFER - Server to client in response to DHCPDISCOVER with offer of configuration parameters.
DHCPREQUEST - Client message to servers either (a) requesting offered parameters from one server and implicitly declining offers from all others, (b) confirming correctness of previously allocated address after, e.g., system reboot, or (c) extending the lease on a particular network address.
DHCPACK - Server to client with configuration parameters, including committed network address.
DHCPNAK - Server to client indicating client’s notion of network address is incorrect (e.g., client has moved to new subnet) or client’s lease has expired.
DHCPDECLINE - Client to server indicating network address is already in use.
DHCPRELEASE - Client to server relinquishing network address and cancelling remaining lease.
DHCPINFORM - Client to server, asking only for local configuration parameters; client already has externally configured network address.

Table 1: DHCP Messages extracted from RFC 2131

2 Questions

2.1 SNMP

1. An Internet Service Provider (isp) has a Cisco router on the Internet. Discuss the advantages and disadvantages of managing this using snmp version 2.

Both snmp version 1 and version 2c use plain text shared passwords called community strings.
Both the agent on the managed device and the manager need to use the same community string to talk with each other. It is trivial to use a packet analyser such as ethereal or tcpdump to read these strings. As a result, the security is very low. It is very unwise to expose an snmp version 1 or 2c device to general access from the Internet. The main disadvantage is exposure to this risk.

Advantages of snmp version 2, compared with version 1, include the Counter64 type, useful if the router has very heavy traffic, the get-bulk-request operation (useful for efficient transfer of large tables) and the inform-request operation.

snmp version 3 offers a comprehensive authentication and encryption facility, and should be used on devices that are exposed to the Internet.

2. Determine the full numerical oid of the snmpv2 subgroup.

.1.3.6.1.6

3. What is the lowest possible value of an instance number for an entry in a table?

1 (scalar objects use instance number 0, as in sysUpTime.0 above; table rows, such as those of the ifTable, are numbered from 1)

4. List the major differences between snmp version 1 and 2.

There is a detailed answer to this in section 1.1.3 above.

5. List the major differences between snmp version 2 and 3.

There is a detailed answer to this in section 1.1.3 above. The main difference is in authentication and encryption; snmp version 3 adds security to the very insecure snmp versions 1 and 2.

2.2 DHCP and DNS

1. When a computer has just been turned on, and it has no dhcp lease, what state is the client in?

init

2. List the states through which a client will pass when it is turned on, with no dhcp lease.

init, selecting, requesting, bound

3. List the states through which a client will pass when it is turned on, with a current dhcp lease.

init-reboot, rebooting, bound

4.
List the states through which a client will pass when it is turned on, with a current dhcp lease, but for a different subnet.

init-reboot, rebooting, init, selecting, requesting, bound

5. Under what circumstances will a client move into the rebinding state?

When it reaches T2 (by default 7/8 of its lease time, measured from the start of the lease) without having received a DHCPACK in reply to the unicast DHCPREQUEST it sent to its server in the renewing state. It then broadcasts its DHCPREQUEST so that any server can extend the lease.

6. Briefly describe how the current dhcp system used in the Institute allocates addresses. (Refer to the link from the subject page.)

• The system uses fixed addresses for each host.
• Each host is registered in one row in an Excel spreadsheet which is shared out using samba.
• For each host, at least this minimum information is kept:
  ◦ the mac address;
  ◦ a permanent ip address;
  ◦ a hostname.
• The system has a cron job to check every two minutes whether the spreadsheet is newer than the dhcp configuration file, /etc/dhcpd.conf.
• If the spreadsheet is newer, then it has been modified by a technician, so the following happens:
  ◦ a Perl program reads each row of the spreadsheet and generates a new dhcp configuration file;
  ◦ it copies the new configuration file to /etc/dhcpd.conf;
  ◦ it restarts the dhcp server;
  ◦ another Perl program reads the spreadsheet again and generates dns records using the h2n program (http://examples.oreilly.com/dns4/dns.4ed.tar.Z);
  ◦ it restarts the dns server.

7. List some of the shortcomings of the dhcp system used in this Institute, and ways that it could be improved.

The main problem is that if a person wants to connect their computer to the network, they need to fill in a long form, which must be signed by a number of people, including the head of department. This paper must spend some days sitting in trays, waiting to reach its destination, which is in the hands of the person who will log into their Samba account, edit the spreadsheet, and type in a new entry for the new computer. This may be too long for some people. For example,
suppose that a visitor needs to use their notebook to present a seminar. They may need Internet access in five minutes, rather than in five days.

There are many ways to automate this further, such as the scheme described in the last slides of the lecture notes. This scheme depends on dhcp providing short leases to unregistered hosts, and normal leases to registered hosts. The short lease provides the ip address of a special dns server, configured to map all names to one ip address: the address of a server running a web application to register computers. So when the user plugs in their notebook and opens a web browser, they find themselves at the simple registration page, where they need to enter their user name and password. The application determines their mac address from the dhcp server automatically, and then creates the registration immediately. The result is a valid, normal long-term lease with normal network access in less than three minutes instead of five days. The computer has been registered, and the person who registered it has authenticated themselves, so there is no need for the head of department to sign any form to verify their identity.
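Questions 1 to 5 of section 2.2 are all answered by the client state diagram of RFC 2131 (figure 1 above; figure 5 of the RFC). The following is an added example, not part of these notes: the diagram as a transition table driven by events, replayed to give the state sequences in the answers and the T1/T2 rule for entering rebinding. The event names are labels chosen for this example, not RFC terminology.

```python
"""Added example (not from the original notes): the RFC 2131 DHCP client
state machine as a transition table, replayed to produce the state
sequences asked for in questions 1 to 5 of section 2.2."""

# (current state, event) -> next state. "ack"/"nak" are a DHCPACK/DHCPNAK
# from a server; "t1"/"t2"/"lease_expired" are the client's own timers.
TRANSITIONS = {
    ("INIT", "send_discover"): "SELECTING",
    ("SELECTING", "send_request"): "REQUESTING",   # one DHCPOFFER chosen
    ("REQUESTING", "ack"): "BOUND",
    ("REQUESTING", "nak"): "INIT",
    ("INIT-REBOOT", "send_request"): "REBOOTING",  # asks to keep its old lease
    ("REBOOTING", "ack"): "BOUND",
    ("REBOOTING", "nak"): "INIT",                  # e.g. now on another subnet
    ("BOUND", "t1"): "RENEWING",                   # unicast DHCPREQUEST to its server
    ("RENEWING", "ack"): "BOUND",
    ("RENEWING", "nak"): "INIT",
    ("RENEWING", "t2"): "REBINDING",               # broadcast DHCPREQUEST to any server
    ("REBINDING", "ack"): "BOUND",
    ("REBINDING", "nak"): "INIT",
    ("REBINDING", "lease_expired"): "INIT",
}


class DhcpClient:
    def __init__(self, has_lease):
        self.state = "INIT-REBOOT" if has_lease else "INIT"
        self.history = [self.state]

    def handle(self, event):
        key = (self.state, event)
        if key not in TRANSITIONS:
            raise ValueError(f"{event!r} is not a valid event in state {self.state}")
        self.state = TRANSITIONS[key]
        self.history.append(self.state)
        return self.state


def states_visited(has_lease, events):
    """Replay a sequence of events and return every state passed through."""
    client = DhcpClient(has_lease)
    for event in events:
        client.handle(event)
    return client.history


def timers(lease_seconds):
    """RFC 2131 defaults: T1 = 0.5 * lease, T2 = 0.875 * lease (7/8)."""
    return 0.5 * lease_seconds, 0.875 * lease_seconds


def unanswered_client_state(elapsed, lease_seconds):
    """State of a client `elapsed` seconds into a lease when no server ever
    answers its renewal requests: RENEWING at T1, REBINDING at T2, and back
    to INIT when the lease runs out."""
    t1, t2 = timers(lease_seconds)
    client = DhcpClient(has_lease=False)
    for event in ("send_discover", "send_request", "ack"):
        client.handle(event)
    for when, event in ((t1, "t1"), (t2, "t2"), (lease_seconds, "lease_expired")):
        if elapsed >= when:
            client.handle(event)
    return client.state


if __name__ == "__main__":
    print(states_visited(False, ["send_discover", "send_request", "ack"]))
    print(states_visited(True, ["send_request", "ack"]))
    print(states_visited(True, ["send_request", "nak", "send_discover",
                                "send_request", "ack"]))
    print([unanswered_client_state(t, 3600) for t in (0, 1800, 3150, 3600)])
```

Question 4 is the third replay: the server on the new subnet answers the REBOOTING client's DHCPREQUEST with a DHCPNAK, which sends it back to INIT to start a fresh discover.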
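Question 6 describes a Perl program that reads each spreadsheet row and writes a new dhcp configuration file, and question 7 a scheme that gives unregistered hosts a short lease pointing at a captive dns server. The following is an added example, not the Institute's program: the same generation step in Python over a constructed csv export of the spreadsheet, with the checks (duplicate mac or ip, address outside the subnet, malformed mac) that stop a bad edit being pushed straight into the running server, and an optional pool for unknown clients in ISC dhcpd syntax. The hostnames, mac addresses, the 10.1.1.0/24 network, the range for unregistered hosts and the captive dns address are all assumed.

```python
"""Added example (not from the original notes): regenerate dhcpd.conf from a
constructed CSV export of the registration spreadsheet, validating rows
first, and optionally add the short-lease pool for unregistered hosts."""
import csv
import io
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")
NETWORK = ipaddress.ip_network("10.1.1.0/24")   # assumed subnet

# Constructed sample export (hostname, mac, ip). The hyphens and upper case
# in rows 2 and 3 are the kind of variation a technician types into a sheet.
SAMPLE_CSV = """hostname,mac,ip
pc101,00:11:22:33:44:55,10.1.1.101
pc102,00-11-22-33-44-56,10.1.1.102
printer1,00:AA:BB:CC:DD:EE,10.1.1.201
"""


def normalise_mac(mac):
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address {mac!r}")
    return mac


def parse_rows(text, network=NETWORK):
    """Validate every row; a duplicate MAC or IP, or an address outside the
    subnet, aborts the run instead of restarting dhcpd with bad data."""
    hosts, seen_mac, seen_ip = [], {}, {}
    for n, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        name = row["hostname"].strip().lower()
        if not HOSTNAME_RE.match(name):
            raise ValueError(f"line {n}: bad hostname {name!r}")
        mac = normalise_mac(row["mac"])
        ip = ipaddress.ip_address(row["ip"].strip())
        if ip not in network:
            raise ValueError(f"line {n}: {ip} is not in {network}")
        if mac in seen_mac:
            raise ValueError(f"line {n}: MAC {mac} already used on line {seen_mac[mac]}")
        if ip in seen_ip:
            raise ValueError(f"line {n}: IP {ip} already used on line {seen_ip[ip]}")
        seen_mac[mac], seen_ip[ip] = n, n
        hosts.append((name, mac, ip))
    return hosts


def render_dhcpd_conf(hosts, network=NETWORK, unregistered=None):
    """ISC dhcpd syntax: one fixed-address host block per registered machine.
    `unregistered` = (range_start, range_end, captive_dns_ip) adds the
    question 7 pool: unknown clients get a 5 minute lease and a DNS server
    that answers every name with the registration web server."""
    lines = [f"subnet {network.network_address} netmask {network.netmask} {{"]
    if unregistered:
        start, end, dns = unregistered
        lines += ["    pool {",
                  "        allow unknown-clients;",   # no matching host block
                  f"        range {start} {end};",
                  "        default-lease-time 300;",
                  "        max-lease-time 300;",
                  f"        option domain-name-servers {dns};",
                  "    }"]
    lines.append("}")
    for name, mac, ip in hosts:
        lines += ["", f"host {name} {{",
                  f"    hardware ethernet {mac};",
                  f"    fixed-address {ip};",
                  "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hosts = parse_rows(SAMPLE_CSV)
    print(render_dhcpd_conf(hosts, unregistered=("10.1.1.10", "10.1.1.50", "10.1.1.2")),
          end="")
```

Before the generated file replaces /etc/dhcpd.conf and the server is restarted, it is worth running it through the server's own syntax check (`dhcpd -t -cf <file>` for ISC dhcpd) so that a typo in the spreadsheet cannot leave the whole Institute without a dhcp server.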