snmpv3

SNMPv3

OVERVIEW:

DESIGN DECISIONS

ARCHITECTURE

SNMP MESSAGE STRUCTURE

SECURE COMMUNICATION• USER SECURITY MODEL (USM)

ACCESS CONTROL• VIEW BASED ACCESS CONTROL MODEL (VACM)

IMPLEMENTATIONS

These sheets may be used for educational purposes

DESIGN DECISIONS

ADDRESS THE NEED FOR SECURY SET SUPPORT

DEFINE AN ARCHITECTURE THAT ALLOWS FOR LONGEVITY OF SNMP

ALLOW THAT DIFFERENT PORTIONS OF THE ARCHITECTUREMOVE AT DIFFERENT SPEEDS TOWARDS STANDARD STATUS

ALLOW FOR FUTURE EXTENSIONS

KEEP SNMP AS SIMPLE AS POSSIBLE

ALLOW FOR MINIMAL IMPLEMENTATIONS

SUPPORT ALSO THE MORE COMPLEX FEATURES,WHICH ARE REQUIRED IN LARGE NETWORKS

RE-USE EXISTING SPECIFICATIONS, WHENEVER POSSIBLE

SNMPv3 ARCHITECTURE

OTHERNOTIFICATIONORIGINATOR

COMMANDRESPONDER

COMMANDGENERATOR

NOTIFICATIONRECEIVER

PROXYFORWARDER

SNMP APPLICATIONS

SNMP ENGINE

MESSAGE PROCESSINGSUBSYSTEM

DISPATCHERSECURITY

SUBSYSTEMACCESS CONTROL

SUBSYSTEM

SNMP ENTITY

SNMPv3 ARCHITECTURE: MANAGER

NOTIFICATIONRECEIVER

COMMANDGENERATOR

PDUDISPATCHER

COMMUNITY BASEDSECURITY MODEL

USER BASEDSECURITY MODEL

OTHERSECURITY MODEL

SECURITY SUBSYSTEM

SNMPv1

SNMPv2C

SNMPv3

MESSAGEDISPATCHER

TRANSPORTMAPPINGS

SNMPv3 ARCHITECTURE: AGENT

PDUDISPATCHER

COMMUNITY BASEDSECURITY MODEL

USER BASEDSECURITY MODEL

OTHERSECURITY MODEL

SECURITY SUBSYSTEM

SNMPv1

SNMPv2C

SNMPv3

MESSAGEDISPATCHER

TRANSPORTMAPPINGS

MANAGEMENT INFORMATION BASE

VIEW BASEDACCESS CONTROL

ACCESS CONTROL SUBSYSTEM

NOTIFICATIONORIGINATOR

COMMANDRESPONDER

CONCEPTS: snmpEngineID

O TH ER

SNMP ENGINE

SNMP ENTITY

snmpEngineID=4

O TH ER

SNMP ENGINE

SNMP ENTITY

snmpEngineID=2

O TH ER

SNMP ENGINE

SNMP ENTITY

snmpEngineID=3

OT HE R

SNMP ENGINE

SNMP ENTITY

snmpEngineID=1

CONCEPTS: Context

COMMAND RESPONDER APPLICATION

SNMP ENGINE

SNMP ENTITY

snmpEngineID=1

contextEngineID=1The context can be reached from this engine, thus:

contextName=card1

contextName=card2

PRIMITIVES BETWEEN MODULES

DISPATCHER

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS

MESSAGEPROCESSINGSUBSYSTEM

SECURITYSUBSYSTEM DISPATCHER

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS

SECURITYSUBSYSTEM

Parameters

transportDomaintransportAddress

messageProcessingModel

securityModelsecurityName

securityLevel

contextEngineIDcontextName

pduVersion

expectResponse

maxSizeResponseScopedPDU

stateReferencestatusInformation

sendPduHandle

destTransportDomaindestTransportAddress

outgoingMessageoutgoingMessageLength

wholeMsgwholeMsgLength

pduType

viewTypevariableName

globalDatamaxMessageSize

securityEngineID

scopedPDU

securityParameterssecurityStateReference

sendPdu

DISPATCHER

ACCESSCONTROL

SUBSYSTEM

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS

SECURITYSUBSYSTEM

Parameters

securityLevel

pduVersion

expectResponse

sendPduHandle

pduType

securityEngineID

scopedPDU

sendPdu

APPLICATIONS

prepareOutgoingMessage

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS

SECURITYSUBSYSTEM

Parameters

securityLevel

pduVersion

expectResponse

sendPduHandle

pduType

securityEngineID

scopedPDU

prepareOutgoingMessage

DISPATCHER

generateRequestMsg

DISPATCHER

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS

SECURITYSUBSYSTEM

Parameters

securityLevel

pduVersion

expectResponse

sendPduHandle

pduType

securityEngineID

scopedPDU

generateRequestMsg

send / receive

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS

SECURITYSUBSYSTEM

Parameters

securityLevel

pduVersion

expectResponse

sendPduHandle

pduType

securityEngineID

scopedPDU

send and receive

DISPATCHER

prepareDataElements

DISPATCHER

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS

SECURITYSUBSYSTEM

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS

SECURITYSUBSYSTEM

Parameters

securityLevel

pduVersion

expectResponse

sendPduHandle

pduType

securityEngineID

scopedPDU

prepareDataElements

DISPATCHER

processIncomingMsg

DISPATCHER

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS

SECURITYSUBSYSTEM

Parameters

securityLevel

pduVersion

expectResponse

sendPduHandle

pduType

securityEngineID

scopedPDU

processIncomingMsg

processPd

DISPATCHER

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS

SECURITYSUBSYSTEM

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS

SECURITYSUBSYSTEM

Parameters

securityLevel

pduVersion

expectResponse

sendPduHandle

pduType

securityEngineID

scopedPDU

processPdu

DISPATCHER

isAccessAllowed

DISPATCHER

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS

ACCESSCONTROL

SUBSYSTEM

SECURITYSUBSYSTEM

Parameters

securityLevel

pduVersion

expectResponse

sendPduHandle

pduType

securityEngineID

scopedPDU

isAccessAllowed

APPLICATIONS

returnResponsePdu

DISPATCHER

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS

ACCESSCONTROL

SUBSYSTEM

SECURITYSUBSYSTEM

Parameters

securityLevel

pduVersion

expectResponse

sendPduHandle

pduType

securityEngineID

scopedPDU

returnResponsePdu

APPLICATIONS

prepareResponseMessage

DISPATCHER

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS

SECURITYSUBSYSTEM

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS

SECURITYSUBSYSTEM

Parameters

securityLevel

pduVersion

expectResponse

sendPduHandle

pduType

securityEngineID

scopedPDU

prepareResponseMessage

DISPATCHER

generateResponseMsg

DISPATCHER

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS

SECURITYSUBSYSTEM

Parameters

securityLevel

pduVersion

expectResponse

sendPduHandle

pduType

securityEngineID

scopedPDU

generateResponseMsg

send / receive

DISPATCHER

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS

SECURITYSUBSYSTEM

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS

SECURITYSUBSYSTEM

Parameters

securityLevel

pduVersion

expectResponse

sendPduHandle

pduType

securityEngineID

scopedPDU

send and receive

DISPATCHER

prepareDataElements

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS

SECURITYSUBSYSTEM

Parameters

securityLevel

pduVersion

expectResponse

sendPduHandle

pduType

securityEngineID

scopedPDU

prepareDataElements

DISPATCHER

processIncomingMsg

DISPATCHER

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS

SECURITYSUBSYSTEM

Parameters

securityLevel

pduVersion

expectResponse

sendPduHandle

pduType

securityEngineID

scopedPDU

processIncomingMsg

processResponsePdu

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS

SECURITYSUBSYSTEM

Parameters

securityLevel

pduVersion

expectResponse

sendPduHandle

pduType

securityEngineID

scopedPDU

processResponsePdu

DISPATCHER

MODULES OF THE SNMPv3 ARCHITECTURE

DISPATCHER AND MESSAGE PROCESSING MODULE• SNMPv3 MESSAGE STRUCTURE

• snmpMPDMIB• RFC 2572

APPLICATIONS• snmpTargetMIB

• snmpNotificationMIB• snmpProxyMIB

• RFC 2573

SECURITY SUBSYSTEM• USER BASED SECURITY MODEL

• snmpUsmMIB• RFC 2574

ACCESS CONTROL SUBSYSTEM• VIEW BASED ACCESS CONTROL MODEL

• snmpVacmMIB• RFC 2575

SNMPv3 MESSAGE STRUCTURE

msgVersionmsgID

msgMaxSizemsgFlags

msgSecurityModel

msgSecurityParameters

USED BY MESSAGE PROCESSING SUBSYSTEM

USED BY SNMPv3 PROCESSING MODULE

USED BY SECURITY SUBSYSTEM

USED BY ACCESS CONTROL SUBSYSTEMAND APPLICATIONS

SNMPv3 PROCESSING MODULE PARAMETERS

msgVersionmsgID

msgMaxSizemsgFlags

msgSecurityModel

msgSecurityParameters

authFlagprivFlagreportableFlag

SNMPv1SNMPv2cUSM

484..2147483647

0..2147483647

SECURE COMMUNICATION VERSUS ACCESS CONTROL

MANAGER

APPLICATION PROCESSES

TRANSPORT SERVICE

MANAGER AGENT

GET / GET-NEXT / GETBULKSET / TRAP / INFORM

SECURE COMMUNICATION

ACCESS CONTROL

USM: SECURITY THREATS

THREAT ADDRESSED? MECHANISM

REPLAY YES TIME STAMP

MASQUERADE YES MD5 / SHA-1

INTEGRITY YES (MD5 / SHA-1)

DISCLOSURE YES DES

DENIAL OF SERVICE YES

TRAFFIC ANALYSIS YES

USM MESSAGE STRUCTURE

msgVersionmsgID

msgMaxSizemsgFlags

msgSecurityModelmsgAuthoritativeEngineID

msgAuthoritativeEngineBootsmsgAuthoritativeEngineTime

msgUserNamemsgAuthenticationParameters

msgPrivacyParameterscontextEngineID

contextName

REPLAY

MASQUERADE/INTEGRITY/DISCLOSURE

DISCLOSURE

MASQUERADE/INTEGRITY

IDEA BEHIND REPLAY PROTECTION

LOCAL NOTION OFREMOTE CLOCK

ALLOWEDLIFETIME

LOCALCLOCK

ID BOOTS TIME DATA ID BOOTS TIME DATA

Authoritative EngineNonauthoritative Engine

IDEA BEHIND DATA INTEGRITY AND AUTHENTICATION

HASH FUNCTION

DATAKEY

ADD THE MESSAGE AUTHENTICATION CODE (MAC) TO THE DATAAND SEND THE RESULT

IDEA BEHIND AUTHENTICATION

HASH FUNCTION

DATAUSER MAC

HASH FUNCTION

DATAUSER MAC

IDEA BEHIND THE DATA CONFIDENTIALITY (DES)

DES ALGORITHM

DATADES-KEY

ENCRYPTED DATA

IDEA BEHIND ENCRYPTION

DES ALGORITHM

DATADES-KEY

ENCRYPTED DATA

ENCRYPTED DATAUSER

DES ALGORITHM

DATADES-KEY

ENCRYPTED DATA

ENCRYPTED DATAUSER

VIEW BASED ACCESS CONTROL MODEL

ACCESS CONTROL TABLE

MIB VIEWS

ACCESS CONTROL TABLES

GET / GETNEXTInterface Table John, Paul Authentication

•••••• ••• •••

SETInterface Table JohnAuthentication

GET / GETNEXTSystems Group George None

•••••• ••• •••

Encryption

MIB VIEWALLOWED

MANAGERSREQUIRED LEVEL

OF SECURITYALLOWED

OPERATIONS

MIB VIEWS

SNMPv3 IMPLEMENTATIONS

ACE*COMMAdventNet

BMC SoftwareCisco

EpilogueGambit communications

HalcyonIBMISI

IWLMG-SOFT

MultiPort CorporationSimpleSoft

SNMP Research

SNMP++ TU of Braunschweig

UCDUniversity of Quebec

SNMPv3 RFCs

SNMP APPLICATIONS

SNMP ENGINE

DISPATCHERSECURITY

SUBSYSTEMACCESS CONTROL

SUBSYSTEM

SNMP ENTITY

RFC 2573

RFC 2571

RFC 2572 RFC 2572 USM: RFC 2574 VACM: RFC 2575

snmpv3

id boots time

access control

message processing

snmpv3 transport

snmp engine

security subsystem

contextengineid

snmpv3 architecture

Documents

title: hp openview network node manager spi for snmpv3...

1 chapter 8 network management security. 2 outline basic...

using snmpv3 on vnx

snmpv3 1.design requirements 2.birth & features of snmpv3...

snmpv3 yen-cheng chen department of information management...

outstation support server (oss) handbook · pdf fileoss...

chapter 7 snmpv3 network management: principles and practice...

configure snmpv3 add target-addr

snmp module 474-snmp / 474-snmpv3 - ihse

using snmpv3 with serverview suite products - overview

security and lexmark multifunction products: overview of ......

snmp - · pdf filesnmp version 3 (snmpv3) is an...

networking radio e tended ange...multi-factor authentication...

hpe oneview architectural advantages · hpe oneview...

revised spring 2006 snmpv3 and network management 1 snmpv3...

chapter 7 snmp management: snmpv3 chapter 7 snmp management:...

snmpv3 network management spring 2014 bahador bakhshi ce &...

snmp 1. snmp versions snmp version 1 (snmpv1) snmp version 2...

computer network management -...

spectrum snmpv3 user guide (5124) - ca...