Complete English-language "Computer Networks" PPT courseware: Chapter 8 Network Management

Uploader: ni****g  Document ID: 588058113  Uploaded: 2024-09-07  Format: PPT  Pages: 24  Size: 324.50KB

Chapter 8: Network Management

Chapter goals:
- introduction to network management
  - motivation
  - major components
- Internet network management framework
  - MIB: management information base
  - SMI: data definition language
  - SNMP: protocol for network management
  - security and administration
- presentation services: ASN.1
- firewalls

What is network management?
- autonomous systems (aka “network”): 100s or 1000s of interacting hw/sw components
- other complex systems requiring monitoring, control:
  - jet airplane
  - nuclear power plant
  - others?

Network management includes the deployment, integration and coordination of the hardware, software, and human elements to monitor, test, poll, configure, analyze, evaluate, and control the network and element resources to meet the real-time, operational performance, and Quality of Service requirements at a reasonable cost.

Infrastructure for network management
- definitions: managed devices contain managed objects whose data is gathered into a Management Information Base (MIB)
[Figure: managing entity (data), network management protocol, four managed devices (each with agent and data)]

Network Management standards
- OSI CMIP
  - Common Management Information Protocol
  - designed 1980s: the unifying net management standard
  - too slowly standardized
- SNMP: Simple Network Management Protocol
  - Internet roots (SGMP)
  - started simple
  - deployed, adopted rapidly
  - growth: size, complexity
  - currently: SNMP V3
  - de facto network management standard

SNMP overview: 4 key parts
- Management information base (MIB):
  - distributed information store of network management data
- Structure of Management Information (SMI):
  - data definition language for MIB objects
- SNMP protocol
  - convey manager<->managed object info, commands
- security, administration capabilities
  - major addition in SNMPv3

SMI: data definition language
Purpose: syntax, semantics of management data well-defined, unambiguous
- base data types:
  - straightforward, boring
- OBJECT-TYPE
  - data type, status, semantics of managed object
- MODULE-IDENTITY
  - groups related objects into MIB module

Basic Data Types: INTEGER, Integer32, Unsigned32, OCTET STRING, OBJECT IDENTIFIER, IpAddress, Counter32, Counter64, Gauge32, TimeTicks, Opaque

SNMP MIB
- objects specified via SMI OBJECT-TYPE construct
- MIB module specified via SMI MODULE-IDENTITY (100 standardized MIBs, more vendor-specific)
[Figure: a MIB MODULE containing several OBJECT TYPE entries]

SMI: Object, module examples

OBJECT-TYPE: ipInDelivers

    ipInDelivers OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of input datagrams successfully delivered to IP user-protocols (including ICMP)"
        ::= { ip 9 }

MODULE-IDENTITY: ipMIB

    ipMIB MODULE-IDENTITY
        LAST-UPDATED "941101000Z"
        ORGANIZATION "IETF SNMPv2 Working Group"
        CONTACT-INFO "Keith McCloghrie"
        DESCRIPTION
            "The MIB module for managing IP and ICMP implementations, but excluding their management of IP routes."
        REVISION "019331000Z"
        ::= { mib-2 48 }

MIB example: UDP module

    Object ID        Name             Type       Comments
    1.3.6.1.2.1.7.1  UDPInDatagrams   Counter32  total # datagrams delivered at this node
    1.3.6.1.2.1.7.2  UDPNoPorts       Counter32  # undeliverable datagrams, no app at port
    1.3.6.1.2.1.7.3  UDPInErrors      Counter32  # undeliverable datagrams, all other reasons
    1.3.6.1.2.1.7.4  UDPOutDatagrams  Counter32  # datagrams sent
    1.3.6.1.2.1.7.5  udpTable         SEQUENCE   one entry for each port in use by app, gives port # and IP address

SNMP Naming
question: how to name every possible standard object (protocol, data, more...) in every possible network standard?
answer: ISO Object Identifier tree:
- hierarchical naming of all objects
- each branchpoint has name, number
[Figure: 1.3.6.1.2.1.7.1 read along the tree: ISO (1), ISO-ident. Org. (3), US DoD (6), Internet (1), management (2), MIB2 (1), UDP (7), udpInDatagrams (1)]

OSI Object Identifier Tree
Check out www.alvestrand.no/harald/objectid/top.html

SNMP protocol
Two ways to convey MIB info, commands:
- request/response mode: managing entity sends request, managed device (agent, data) returns response
- trap mode: managed device (agent, data) sends trap msg to managing entity

SNMP protocol: message types

    Message type                                Function
    GetRequest, GetNextRequest, GetBulkRequest  Mgr-to-agent: “get me data” (instance, next in list, block)
    InformRequest                               Mgr-to-Mgr: here's MIB value
    SetRequest                                  Mgr-to-agent: set MIB value
    Response                                    Agent-to-mgr: value, response to Request
    Trap                                        Agent-to-mgr: inform manager of exceptional event

SNMP protocol: message formats

SNMP security and administration
- encryption: DES-encrypt SNMP message
- authentication: compute, send MIC(m,k): compute hash (MIC) over message (m), secret shared key (k)
- protection against playback: use nonce
- view-based access control
  - SNMP entity maintains database of access rights, policies for various users
  - database itself accessible as managed object!

The presentation problem
Q: does perfect memory-to-memory copy solve “the communication problem”?
A: not always!
problem: different data format, storage conventions

    struct {
        char code;
        int x;
    } test;
    test.x = 256;
    test.code = 'a';

[Figure: test.code and test.x in memory. host 1 format: a, 00000001, 00000011; host 2 format: a, 00000011, 00000001]

Solving the presentation problem
1. Translate local-host format to host-independent format
2. Transmit data in host-independent format
3. Translate host-independent format to remote-host format

ASN.1: Abstract Syntax Notation 1
- ISO standard X.680
  - used extensively in Internet
  - like eating vegetables, knowing this “good for you”!
- defined data types, object constructors
  - like SMI
- BER: Basic Encoding Rules
  - specify how ASN.1-defined data objects to be transmitted
  - each transmitted object has Type, Length, Value (TLV) encoding

TLV Encoding
Idea: transmitted data is self-identifying
- T: data type, one of ASN.1-defined types
- L: length of data in bytes
- V: value of data, encoded according to ASN.1 standard

    Tag Value  Type
    1          Boolean
    2          Integer
    3          Bitstring
    4          Octet string
    5          Null
    6          Object Identifier
    9          Real

TLV encoding: example
- Type=4, octet string; Length, 5 bytes; Value, 5 octets (chars)
- Type=2, integer; Length, 2 bytes; Value, 259

Firewalls
firewall: isolates organization's internal net from larger Internet, allowing some packets to pass, blocking others.
Two firewall types:
- packet filter
- application gateways
To prevent denial of service attacks:
- SYN flooding: attacker establishes many bogus TCP connections. Attacked host allocs TCP buffers for bogus connections, none left for “real” connections.
To prevent illegal modification of internal data.
- e.g., attacker replaces CIA's homepage with something else
To prevent intruders from obtaining secret info.

Packet Filtering
- Internal network is connected to Internet through a router.
- Router manufacturer provides options for filtering packets, based on:
  - source IP address
  - destination IP address
  - TCP/UDP source and destination port numbers
  - ICMP message type
  - TCP SYN and ACK bits
- Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23.
  - All incoming and outgoing UDP flows and telnet connections are blocked.
- Example 2: Block inbound TCP segments with ACK=0.
  - Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.

Application gateways
- Filters packets on application data as well as on IP/TCP/UDP fields.
- Example: allow select internal users to telnet outside.
1. Require all telnet users to telnet through gateway.
2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections.
3. Router filter blocks all telnet connections not originating from gateway.
[Figure: host-to-gateway telnet session, application gateway, gateway-to-remote host telnet session, router and filter]

Limitations of firewalls and gateways
- IP spoofing: router can't know if data “really” comes from claimed source
- If multiple apps. need special treatment, each has own app. gateway.
- Client software must know how to contact gateway.
  - e.g., must set IP address of proxy in Web browser
- Filters often use all or nothing policy for UDP.
- Tradeoff: degree of communication with outside world, level of security
- Many highly protected sites still suffer from attacks.
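The two packet-filtering examples from the slides, written as a stateless rule evaluator. This is an added example, not part of the original slides; the Packet model, rule names and sample traffic are constructed for illustration.

```python
from dataclasses import dataclass

TCP, UDP, TELNET = 6, 17, 23   # IP protocol numbers and the telnet port

@dataclass
class Packet:
    """Header fields visible to the filter (constructed model, not a capture)."""
    inbound: bool      # True when the packet arrives from the Internet
    proto: int         # IP protocol field
    sport: int
    dport: int
    ack: bool = False  # TCP ACK bit

def rule_example1(p):
    # Slide Example 1, read by its stated effect: all UDP and all telnet
    # traffic is blocked, in both directions.
    return p.proto == UDP or (p.proto == TCP and TELNET in (p.sport, p.dport))

def rule_example2(p):
    # Slide Example 2: an inbound TCP segment with ACK=0 is a connection
    # opener from outside; replies to internal clients always carry ACK=1.
    return p.inbound and p.proto == TCP and not p.ack

RULES = [("example1", rule_example1), ("example2", rule_example2)]

def decide(p):
    """First matching rule drops the packet; the default is to pass."""
    for name, matches in RULES:
        if matches(p):
            return "drop:" + name
    return "pass"

# Constructed sample traffic.
SAMPLES = {
    "internal client opens web connection": Packet(False, TCP, 40000, 80),
    "server reply to that client": Packet(True, TCP, 80, 40000, ack=True),
    "external host opens connection": Packet(True, TCP, 51000, 80),
    "external segment with ACK set, no connection": Packet(True, TCP, 51000, 80, ack=True),
    "outbound UDP query": Packet(False, UDP, 40001, 53),
    "outbound telnet": Packet(False, TCP, 40002, 23),
}

def run_samples():
    return {label: decide(p) for label, p in SAMPLES.items()}

if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{verdict:14} {label}")
```

The fourth sample passes because the filter keeps no connection state and judges the ACK bit alone, which is the same kind of limit the slides note for source addresses.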
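The TLV encoding slides, as a small BER decoder that checks every length field against the data actually received before reading a value. This is an added example, not part of the original slides; the octet-string contents are constructed, and only single-byte universal tags are handled.

```python
TAGS = {1: "BOOLEAN", 2: "INTEGER", 3: "BIT STRING", 4: "OCTET STRING",
        5: "NULL", 6: "OBJECT IDENTIFIER", 9: "REAL"}   # table from the slide

def encode_tlv(tag, value):
    """One primitive TLV with a short-form length (value under 128 bytes)."""
    if len(value) >= 0x80:
        raise ValueError("long-form length not needed for this example")
    return bytes([tag, len(value)]) + value

def decode_oid(v):
    """Base-128 sub-identifiers; the first one packs the first two arcs."""
    subs, n = [], 0
    for b in v:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            subs.append(n)
            n = 0
    if not subs or v[-1] & 0x80:
        raise ValueError("truncated OID")
    first = min(subs[0] // 40, 2)
    return ".".join(str(a) for a in [first, subs[0] - 40 * first] + subs[1:])

def decode_tlvs(buf):
    """Decode back-to-back TLVs; every length is checked against the buffer."""
    out, i = [], 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated header")
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:                      # long form: low 7 bits = length bytes
            k = n & 0x7F
            if k == 0 or k > 4 or k > len(buf) - i:
                raise ValueError("indefinite, oversized or truncated length")
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        if n > len(buf) - i:
            raise ValueError("length runs past end of data")
        v = buf[i:i + n]
        i += n
        if tag == 2:
            v = int.from_bytes(v, "big", signed=True)
        elif tag == 6:
            v = decode_oid(v)
        out.append((TAGS.get(tag, "tag %d" % tag), v))
    return out

# Constructed sample: a 5-character octet string, the integer 259, and the
# slides' OID for udpInDatagrams.
SAMPLE = (encode_tlv(4, b"hello") + encode_tlv(2, b"\x01\x03")
          + encode_tlv(6, bytes.fromhex("2b060102010701")))
```

Because the receiver trusts nothing but the byte count it holds, a TLV whose declared length exceeds the remaining data raises ValueError instead of reading past the message.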
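The authentication and playback-protection bullets from the SNMP security slide, as a sender and receiver sharing a key. This is an added example, not part of the original slides and not SNMPv3's wire format: HMAC-SHA-256 stands in for MIC(m,k), a set of seen nonces stands in for the playback check, and the key and message strings are constructed.

```python
import hashlib
import hmac
import os

NONCE_LEN, MIC_LEN = 16, 32

def mic(key, nonce, msg):
    """MIC(m,k): keyed hash over the nonce and message (HMAC-SHA-256 here)."""
    return hmac.new(key, nonce + msg, hashlib.sha256).digest()

def seal(key, msg, nonce=None):
    """Sender side: nonce || message || MIC."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    return nonce + msg + mic(key, nonce, msg)

class Receiver:
    def __init__(self, key):
        self.key = key
        self.seen = set()          # nonces already accepted

    def accept(self, packet):
        if len(packet) < NONCE_LEN + MIC_LEN:
            return "reject: too short"
        nonce = packet[:NONCE_LEN]
        msg, tag = packet[NONCE_LEN:-MIC_LEN], packet[-MIC_LEN:]
        # Verify first, in constant time, so unauthenticated packets can
        # neither be acted on nor fill the nonce cache.
        if not hmac.compare_digest(tag, mic(self.key, nonce, msg)):
            return "reject: bad MIC"
        if nonce in self.seen:
            return "reject: replay"
        self.seen.add(nonce)
        return "accept"

def demo():
    key = b"constructed-shared-key"                 # constructed sample secret
    rx = Receiver(key)
    pkt = seal(key, b"SetRequest sysContact=noc")   # constructed message
    tampered = pkt[:NONCE_LEN] + b"X" + pkt[NONCE_LEN + 1:]
    return [rx.accept(pkt), rx.accept(pkt), rx.accept(tampered),
            rx.accept(seal(b"wrong-key", b"GetRequest"))]
```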
