SBSM BOF Session-Based Security Model for SNMPv3
ISMS BOF: SBSM
August 6, 2004 Hardaker/Perkins
SBSM BOF
Session-Based Security Model for SNMPv3
Wes Hardaker, David T. Perkins
November, 2004
(draft-hardaker-snmp-sbsm-03.txt)
SBSM Protocol Proposal
• Current draft:
  – draft-hardaker-snmp-sbsm-03.txt
• Creates a “session” between two points
• 3 phases to the session:
  – Initialization (Security setup, authentication)
  – Running
  – Closing
• Initialization PDUs sent are GET/REPORT PDUs, but the application never sees them.
  – Similar to EngineID discovery today
Session Message Flow
[Diagram: message sequence between SNMP App, SBSM Initiator, SBSM Responder and SNMP App, grouped into the Initialization, Running and Closing phases]
Note: Other SNMPv3 components (MP, etc) not shown but exist where expected
• Initialization: SNMP PDU from the application; Init 1 and Init 2 exchanged between Initiator and Responder
• Running: SNMP PDUs exchanged
• Closing: Close exchanged
...
Traffic protected by SBSM
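To make the three-phase session concrete, here is an added toy model in Python of the exchange sketched in the proposal slide and the message-flow diagram above. It is example code written for this page, not code from the draft or from Net-SNMP, and it does not implement draft-03's wire format: the SbsmEndpoint class, the Init1/Init2/Data/Close message dictionaries, derive_session_key, run_session and replay_is_rejected are all assumptions; a shared local-account secret plus nonce exchange stands in for the draft's SIGMA key exchange, and a per-session sequence counter stands in for whatever replay mechanism the draft specifies. What it shows is the shape of the design: the application hands over plain SNMP PDUs and never sees the Init messages, every Running-phase message carries a sequence number and an HMAC-SHA1 (one of the SNMPv3 integrity algorithms the slides say SBSM reuses), and a replayed message is rejected.

```python
import hashlib
import hmac
import os


class SessionError(Exception):
    """Raised when a message fails authentication, replay or state checks."""


def derive_session_key(account_secret: bytes, nonce_i: bytes, nonce_r: bytes) -> bytes:
    # Hypothetical key derivation for this toy: HMAC-SHA1 over both nonces keyed
    # with the shared local-account secret. draft-03 itself uses a SIGMA exchange.
    return hmac.new(account_secret, b"sbsm-toy" + nonce_i + nonce_r, hashlib.sha1).digest()


def mac(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA1 message integrity, as reused from SNMPv3.
    return hmac.new(key, data, hashlib.sha1).digest()


class SbsmEndpoint:
    """One end of an SBSM-style session: INIT -> RUNNING -> CLOSED."""

    def __init__(self, account_secret: bytes):
        self.secret = account_secret
        self.state = "INIT"
        self.key = None
        self.nonce = os.urandom(16)
        self.send_seq = 0  # monotonic counters provide the replay check
        self.recv_seq = 0

    # --- Initialization phase (never visible to the SNMP application) ---
    def init1(self) -> dict:
        return {"type": "Init1", "nonce": self.nonce}

    def handle_init1(self, msg: dict) -> dict:
        self.key = derive_session_key(self.secret, msg["nonce"], self.nonce)
        self.state = "RUNNING"
        # Proof of key possession over both nonces authenticates the responder.
        return {"type": "Init2", "nonce": self.nonce,
                "mac": mac(self.key, msg["nonce"] + self.nonce)}

    def handle_init2(self, msg: dict) -> None:
        key = derive_session_key(self.secret, self.nonce, msg["nonce"])
        if not hmac.compare_digest(mac(key, self.nonce + msg["nonce"]), msg["mac"]):
            raise SessionError("responder authentication failed")
        self.key = key
        self.state = "RUNNING"

    # --- Running phase: each SNMP PDU gets a sequence number and a MAC ---
    def protect(self, pdu: bytes) -> dict:
        if self.state != "RUNNING":
            raise SessionError("session not running")
        self.send_seq += 1
        seq = self.send_seq.to_bytes(4, "big")
        return {"type": "Data", "seq": self.send_seq, "pdu": pdu,
                "mac": mac(self.key, seq + pdu)}

    def unprotect(self, msg: dict) -> bytes:
        if self.state != "RUNNING":
            raise SessionError("session not running")
        if msg["seq"] <= self.recv_seq:
            raise SessionError("replay detected")
        seq = msg["seq"].to_bytes(4, "big")
        if not hmac.compare_digest(mac(self.key, seq + msg["pdu"]), msg["mac"]):
            raise SessionError("integrity check failed")
        self.recv_seq = msg["seq"]  # advance only after the MAC verified
        return msg["pdu"]

    # --- Closing phase ---
    def close(self) -> dict:
        self.state, self.key = "CLOSED", None
        return {"type": "Close"}

    def handle_close(self, msg: dict) -> None:
        if msg["type"] == "Close":
            self.state, self.key = "CLOSED", None


def run_session(pdus, account_secret=b"constructed-local-account-secret"):
    """Drive a full session; returns the PDUs delivered to the responder's application."""
    initiator, responder = SbsmEndpoint(account_secret), SbsmEndpoint(account_secret)
    initiator.handle_init2(responder.handle_init1(initiator.init1()))  # Init 1 / Init 2
    received = [responder.unprotect(initiator.protect(p)) for p in pdus]  # Running
    responder.handle_close(initiator.close())  # Close
    return received


def replay_is_rejected(account_secret=b"constructed-local-account-secret") -> bool:
    """Re-deliver a captured Running-phase message; True if the responder refuses it."""
    initiator, responder = SbsmEndpoint(account_secret), SbsmEndpoint(account_secret)
    initiator.handle_init2(responder.handle_init1(initiator.init1()))
    wrapped = initiator.protect(b"get-request sysDescr.0")  # constructed sample PDU
    responder.unprotect(wrapped)
    try:
        responder.unprotect(wrapped)
    except SessionError:
        return True
    return False


if __name__ == "__main__":
    print(run_session([b"get-request", b"get-response"]))
    print("replay rejected:", replay_is_rejected())
```

The application-facing surface is only protect/unprotect on plain PDU bytes; the Init messages are built and consumed inside the endpoint, which is the "application never sees them" property of the proposal.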
SBSM Disadvantages
• Based on SNMPv3 security model parameters
SBSM Advantages
• Reuses existing transports
  – (UDP, TCP, IPX, AAL5, … +future)
• SNMPv3 architecture compliant
• SNMPv3 application compliant
• Reuses Existing Authentication Systems
  – Local accounts, SSH, X.509, …
  – No “must have” system to make it work
• Extensible Authentication Definitions
  – New authentication types = 1-2 pages
SBSM Advantages
• Supports compression
• Supports identity disclosure protection
• Supports true replay protection
• Reuses SNMPv3 where possible
  – Same message integrity (MD5, SHA-1)
  – Same encryption (DES, AES)
• Flexible enough to negotiate needs
• Rigid enough not to make negotiation a complex burden
SBSM Advantages
• Based on a mathematically proven cryptographic exchange protocol
  – SIGMA (also used in other protocols)
SBSM Implementation Report
• Implementation completed for:
  – Local account authentication
  – Key negotiation
  – Authentication Algorithm Negotiation
  – Encryption Algorithm Negotiation
• Total time to implement in Net-SNMP:
  – 19.5 Hours
Questions?
Wes Hardaker, David T. Perkins
November, 2004
(draft-hardaker-snmp-sbsm-03.txt)