SNMPv3
1. DESIGN REQUIREMENTS
2. BIRTH & FEATURES of SNMPv3
3. ARCHITECTURE
4. SECURE COMMUNICATION- USER SECURITY MODEL (USM)
5. ACCESS CONTROL- VIEW BASED ACCESS CONTROL MODEL (VACM)
6. IMPLEMENTATIONS
7. REFERENCES
Copyright © 2001 by Aiko Pras
These sheets may be used for educational purposes
DESIGN REQUIREMENTS
• ADDRESS THE NEED FOR SECURITY SUPPORT
• DEFINE AN ARCHITECTURE THAT ALLOWS FOR LONGEVITY OF SNMP
• ALLOW THAT DIFFERENT PORTIONS OF THE ARCHITECTURE MOVE AT DIFFERENT SPEEDS TOWARDS STANDARD STATUS
• ALLOW FOR FUTURE EXTENSIONS
• KEEP SNMP AS SIMPLE AS POSSIBLE
• ALLOW FOR MINIMAL IMPLEMENTATIONS
• ALSO SUPPORT THE MORE COMPLEX FEATURES THAT ARE REQUIRED IN LARGE NETWORKS
• RE-USE EXISTING SPECIFICATIONS, WHENEVER POSSIBLE
The Birth and Features of SNMPv3
• SNMPv3 Working Group did not "reinvent the wheel," but reused the SNMPv2 Draft Standard documents (i.e., RFCs 1902-1908)
• As a result, SNMPv3 is SNMPv2 plus security and administration. The new features of SNMPv3 (in addition to SNMPv2) include:
• Security
   • authentication and privacy
   • authorization and access control
• Administrative Framework
   • naming of entities
   • people and policies
   • usernames and key management
   • notification destinations
   • proxy relationships
   • remotely configurable via SNMP operations
SNMPv3 RFCs
[Figure: an SNMP ENTITY mapped onto its RFCs. The entity consists of SNMP APPLICATIONS (RFC 3413) and an SNMP ENGINE (RFC 3411); the engine contains the DISPATCHER and MESSAGE PROCESSING SUBSYSTEM (RFC 3412), the SECURITY SUBSYSTEM (USM: RFC 3414), the ACCESS CONTROL SUBSYSTEM (VACM: RFC 3415) and OTHER components.]
SNMPv3 RFCs (2)
RFC 3410 (Informational) - Introduction and Applicability Statements for Internet Standard Management Framework (December 2002)
RFC 3411 - An Architecture for Describing SNMP Management Frameworks (December 2002)
RFC 3412 - Message Processing and Dispatching (December 2002)
RFC 3413 - SNMP Applications (December 2002)
RFC 3414 - User-based Security Model (December 2002)
RFC 3415 - View-based Access Control Model (December 2002)
RFC 3416 - Version 2 of SNMP Protocol Operations (December 2002)
RFC 3417 - Transport Mappings (December 2002)
RFC 3418 - Management Information Base (MIB) for the Simple Network Management Protocol (SNMP) (December 2002)
RFC 3411-3418 have all become Internet Standard
SNMPv3 ARCHITECTURE
[Figure: an SNMP ENTITY consists of SNMP APPLICATIONS (COMMAND GENERATOR, COMMAND RESPONDER, NOTIFICATION ORIGINATOR, NOTIFICATION RECEIVER, PROXY FORWARDER, OTHER) and an SNMP ENGINE (DISPATCHER, MESSAGE PROCESSING SUBSYSTEM, SECURITY SUBSYSTEM, ACCESS CONTROL SUBSYSTEM, OTHER).]
SNMPv3 ARCHITECTURE: MANAGER
[Figure: a manager entity. Applications: COMMAND GENERATOR and NOTIFICATION RECEIVER. Engine: a DISPATCHER made up of PDU DISPATCHER, MESSAGE DISPATCHER and TRANSPORT MAPPINGS; a MESSAGE PROCESSING SUBSYSTEM with SNMPv1, SNMPv2C, SNMPv3 and OTHER message processing models; a SECURITY SUBSYSTEM with the COMMUNITY BASED SECURITY MODEL, the USER BASED SECURITY MODEL and OTHER SECURITY MODEL. No access control subsystem is shown for the manager.]
SNMPv3 ARCHITECTURE: AGENT
[Figure: an agent entity. Applications: COMMAND RESPONDER and NOTIFICATION ORIGINATOR, which operate on the MANAGEMENT INFORMATION BASE. Engine: a DISPATCHER made up of PDU DISPATCHER, MESSAGE DISPATCHER and TRANSPORT MAPPINGS; a MESSAGE PROCESSING SUBSYSTEM with SNMPv1, SNMPv2C, SNMPv3 and OTHER message processing models; a SECURITY SUBSYSTEM with the COMMUNITY BASED SECURITY MODEL, the USER BASED SECURITY MODEL and OTHER SECURITY MODEL; and an ACCESS CONTROL SUBSYSTEM with VIEW BASED ACCESS CONTROL.]
CONCEPTS: snmpEngineID
[Figure: four SNMP ENTITIES, each containing an SNMP ENGINE plus OTHER components; the engines are labelled snmpEngineID=1, snmpEngineID=2, snmpEngineID=3 and snmpEngineID=4, i.e. every SNMP engine carries its own unique identifier.]
MODULES OF THE SNMPv3 ARCHITECTURE
DISPATCHER AND MESSAGE PROCESSING MODULE
• SNMPv3 MESSAGE STRUCTURE
• snmpMPDMIB
• RFC 3412 (Standard)
APPLICATIONS
• snmpTargetMIB
• snmpNotificationMIB
• snmpProxyMIB
• RFC 3413 (Standard)
SECURITY SUBSYSTEM
• USER-BASED SECURITY MODEL (USM)
• snmpUsmMIB
• RFC 3414 (Standard)
ACCESS CONTROL SUBSYSTEM
• VIEW-BASED ACCESS CONTROL MODEL (VACM)
• snmpVacmMIB
• RFC 3415 (Standard)
SNMPv3 MESSAGE STRUCTURE
FIELD                    USED BY
msgVersion               MESSAGE PROCESSING SUBSYSTEM (selects the message processing model)
msgID                    SNMPv3 PROCESSING MODULE
msgMaxSize               SNMPv3 PROCESSING MODULE
msgFlags                 SNMPv3 PROCESSING MODULE
msgSecurityModel         SNMPv3 PROCESSING MODULE
msgSecurityParameters    SECURITY SUBSYSTEM
contextEngineID          ACCESS CONTROL SUBSYSTEM AND APPLICATIONS
contextName              ACCESS CONTROL SUBSYSTEM AND APPLICATIONS
PDU                      ACCESS CONTROL SUBSYSTEM AND APPLICATIONS
SNMPv3 PROCESSING MODULE PARAMETERS
msgVersion
msgID                    0..2147483647
msgMaxSize               484..2147483647
msgFlags                 authFlag, privFlag, reportableFlag
msgSecurityModel         SNMPv1, SNMPv2c, USM
msgSecurityParameters
contextEngineID
contextName
PDU
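An added example (not code from the slides) that decodes these four header fields from their BER encoding and applies the range and flag checks listed above. The msgFlags bit values and the msgSecurityModel numbers are taken from RFC 3411/3412 rather than from the slide, and the sample header bytes are constructed.

```python
# Added example, not code from the slides: decode msgID, msgMaxSize, msgFlags and
# msgSecurityModel (RFC 3412 calls the group msgGlobalData) and check them.
# Flag bits (auth 0x01, priv 0x02, reportable 0x04) and model numbers are from RFC 3411/3412.
AUTH_FLAG, PRIV_FLAG, REPORTABLE_FLAG = 0x01, 0x02, 0x04
SECURITY_MODELS = {1: "SNMPv1", 2: "SNMPv2c", 3: "USM"}

def read_tlv(buf: bytes, pos: int):
    """Read one BER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def ber_int(value: bytes) -> int:
    return int.from_bytes(value, "big", signed=True)

def parse_global_data(data: bytes) -> dict:
    """Decode SEQUENCE { msgID INTEGER, msgMaxSize INTEGER, msgFlags OCTET STRING(1), msgSecurityModel INTEGER }."""
    tag, body, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("msgGlobalData must be a BER SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        fields.append((t, v))
    if [t for t, _ in fields] != [0x02, 0x02, 0x04, 0x02] or len(fields[2][1]) != 1:
        raise ValueError("unexpected field types or msgFlags length in msgGlobalData")
    return {"msgID": ber_int(fields[0][1]), "msgMaxSize": ber_int(fields[1][1]),
            "msgFlags": fields[2][1][0], "msgSecurityModel": ber_int(fields[3][1])}

def check_global_data(g: dict) -> list:
    problems = []                           # empty list means the header is acceptable
    if not 0 <= g["msgID"] <= 2147483647:
        problems.append("msgID outside 0..2147483647")
    if not 484 <= g["msgMaxSize"] <= 2147483647:
        problems.append("msgMaxSize outside 484..2147483647")
    if g["msgFlags"] & PRIV_FLAG and not g["msgFlags"] & AUTH_FLAG:
        problems.append("privFlag set without authFlag (RFC 3412 discards such messages)")
    if g["msgSecurityModel"] not in SECURITY_MODELS:
        problems.append("unknown msgSecurityModel %d" % g["msgSecurityModel"])
    return problems

def security_level(msg_flags: int) -> str:
    """securityLevel handed on to the security and access control subsystems."""
    if not msg_flags & AUTH_FLAG:
        return "noAuthNoPriv"
    return "authPriv" if msg_flags & PRIV_FLAG else "authNoPriv"

# Constructed sample: msgID 24074, msgMaxSize 65507, msgFlags 0x07 (auth+priv+reportable), USM.
SAMPLE_GLOBAL_DATA = bytes.fromhex("300f02025e0a020300ffe3040107020103")
```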
SECURE COMMUNICATION VERSUS ACCESS CONTROL
[Figure: MANAGER and AGENT, each with APPLICATION PROCESSES on top of a TRANSPORT SERVICE; the agent holds the MIB. The operations GET / GET-NEXT / GETBULK / SET / TRAP / INFORM travel between them. SECURE COMMUNICATION covers the messages on the path between manager and agent; ACCESS CONTROL is applied inside the agent, in front of the MIB.]
USM: SECURITY THREATS
THREAT              ADDRESSED?   MECHANISM
REPLAY              YES          TIME STAMP
MASQUERADE          YES          MD5 / SHA-1
INTEGRITY           YES          (MD5 / SHA-1)
DISCLOSURE          YES          DES
DENIAL OF SERVICE   YES
TRAFFIC ANALYSIS    YES
USM MESSAGE STRUCTURE
FIELD                          THREAT COUNTERED
msgVersion
msgID
msgMaxSize
msgFlags
msgSecurityModel
msgAuthoritativeEngineID
msgAuthoritativeEngineBoots    REPLAY
msgAuthoritativeEngineTime     REPLAY
msgUserName                    MASQUERADE / INTEGRITY / DISCLOSURE
msgAuthenticationParameters    MASQUERADE / INTEGRITY
msgPrivacyParameters           DISCLOSURE
contextEngineID
contextName
PDU
The fields from msgAuthoritativeEngineID to msgPrivacyParameters are the USM contents of the msgSecurityParameters field of the SNMPv3 message.
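An added example, not code from the slides, showing the USM mechanisms behind these fields as RFC 3414 specifies them: password-to-key with localization to one snmpEngineID, HMAC-SHA-96 / HMAC-MD5-96 over the whole message, and the engineBoots/engineTime replay window. The password and snmpEngineID are the RFC 3414 Appendix A test values; the message bytes around the authentication field are a constructed stand-in.

```python
import hashlib
import hmac

# Added example, not code from the slides: USM key localization (RFC 3414 A.2),
# HMAC-MD5-96 / HMAC-SHA-96 (section 6) and the timeliness window (section 3.2).
MAX_BOOTS = 2147483647     # 2^31 - 1: an engine at this count accepts nothing until re-keyed
TIME_WINDOW = 150          # seconds of clock skew between engines that USM tolerates

def password_to_key(password: bytes, engine_id: bytes, algo: str) -> bytes:
    """Ku = hash(password repeated to 1 MiB); Kul = hash(Ku || snmpEngineID || Ku)."""
    stretched = (password * (1048576 // len(password) + 1))[:1048576]
    ku = hashlib.new(algo, stretched).digest()               # same for every engine
    return hashlib.new(algo, ku + engine_id + ku).digest()   # localized to this engine

def auth_params(kul: bytes, whole_msg: bytes, algo: str) -> bytes:
    """HMAC over the whole message, whose msgAuthenticationParameters field holds
    12 zero octets during the computation; the tag is truncated to 12 octets."""
    return hmac.new(kul, whole_msg, algo).digest()[:12]

def sign(kul: bytes, msg_template: bytes, params_offset: int, algo: str) -> bytes:
    """Sender side: fill the zeroed 12-octet field of msg_template with the tag."""
    tag = auth_params(kul, msg_template, algo)
    return msg_template[:params_offset] + tag + msg_template[params_offset + 12:]

def authentic(kul: bytes, whole_msg: bytes, params_offset: int, algo: str) -> bool:
    """Receiver side: zero the field, recompute the tag, compare in constant time."""
    received = whole_msg[params_offset:params_offset + 12]
    zeroed = whole_msg[:params_offset] + b"\x00" * 12 + whole_msg[params_offset + 12:]
    return hmac.compare_digest(auth_params(kul, zeroed, algo), received)

def in_time_window(local_boots: int, local_time: int, msg_boots: int, msg_time: int) -> bool:
    """Authoritative engine's replay check on msgAuthoritativeEngineBoots/Time."""
    if local_boots == MAX_BOOTS or msg_boots != local_boots:
        return False
    return abs(local_time - msg_time) <= TIME_WINDOW

# Password and snmpEngineID of the RFC 3414 Appendix A test vectors.
ENGINE_ID = bytes.fromhex("000000000000000000000002")
KUL_SHA = password_to_key(b"maplesyrup", ENGINE_ID, "sha1")

if __name__ == "__main__":
    # Constructed message: an 8-octet stand-in header, the zeroed field, a stand-in scopedPDU.
    template = b"<header>" + b"\x00" * 12 + b"<scopedPDU>"
    signed = sign(KUL_SHA, template, 8, "sha1")
    print(authentic(KUL_SHA, signed, 8, "sha1"), in_time_window(7, 5000, 7, 5200))
```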
VIEW BASED ACCESS CONTROL MODEL
[Figure: the agent's ACCESS CONTROL SUBSYSTEM is built from ACCESS CONTROL TABLES and MIB VIEWS.]
ACCESS CONTROL TABLE
ALLOWED OPERATIONS   MIB VIEW          ALLOWED MANAGERS   REQUIRED LEVEL OF SECURITY
GET / GETNEXT        Interface Table   John, Paul         Authentication
SET                  Interface Table   John               Authentication
GET / GETNEXT        Systems Group     George             None
...                  ...               ...                ...
(REQUIRED LEVEL OF SECURITY is one of None, Authentication, Encryption)
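An added example, not code from the slides, that turns the access control table above into a VACM-style isAccessAllowed decision. The manager names, views and required levels are the slide's; the OID subtrees behind the two MIB views and the result labels are assumptions, and the group, context and security model keys of RFC 3415 are left out.

```python
# Added example, not code from the slides: a VACM-style access decision over the
# slide's table. OID subtrees and the "securityLevelTooLow" label are constructed.
SECURITY_LEVEL = {"None": 0, "Authentication": 1, "Encryption": 2}   # slide's terms, ordered

# MIB VIEWS: a view is a set of OID subtrees (constructed: ifTable and the system group)
MIB_VIEWS = {
    "Interface Table": ["1.3.6.1.2.1.2.2"],
    "Systems Group":   ["1.3.6.1.2.1.1"],
}

# ACCESS CONTROL TABLE rows from the slide:
# (allowed operations, MIB view, allowed managers, required level of security)
ACCESS_TABLE = [
    ({"GET", "GETNEXT"}, "Interface Table", {"John", "Paul"}, "Authentication"),
    ({"SET"},            "Interface Table", {"John"},         "Authentication"),
    ({"GET", "GETNEXT"}, "Systems Group",   {"George"},       "None"),
]

def in_view(view_name: str, oid: str) -> bool:
    """True if oid is one of the view's subtrees or lies below one (dot boundary respected)."""
    return any(oid == sub or oid.startswith(sub + ".") for sub in MIB_VIEWS[view_name])

def is_access_allowed(manager: str, operation: str, oid: str, level: str) -> str:
    """Select the rows for (manager, operation), keep those whose required level the
    message meets, then check the requested OID against the selected views."""
    rows = [r for r in ACCESS_TABLE if manager in r[2] and operation in r[0]]
    if not rows:
        return "noAccessEntry"             # nobody granted this manager this operation
    usable = [r for r in rows if SECURITY_LEVEL[level] >= SECURITY_LEVEL[r[3]]]
    if not usable:
        return "securityLevelTooLow"       # row exists, but the message is not protected enough
    if not any(in_view(r[1], oid) for r in usable):
        return "notInView"
    return "accessAllowed"
```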
SNMPv3 IMPLEMENTATIONS
ACE*COMM
AdventNet
BMC Software
Cisco
Epilogue
Gambit Communications
Halcyon
IBM
ISI
IWL
MG-SOFT
MultiPort Corporation
SimpleSoft
SNMP Research
SNMP++
TU of Braunschweig
Net-SNMP
University of Quebec
SNMPv3 References
• http://www.ibr.cs.tu-bs.de/ietf/snmpv3/
• http://www.ietf.org/html.charters/snmpv3-charter.html
• http://www.simpleweb.org/ietf/
• http://www.net-snmp.org
• READ Chapters 14, 15, 16, 17 of Stallings
• Read SNMPv3 White Paper, http://www.snmp.com/snmpv3/v3white.html