SNMPv3
1. DESIGN REQUIREMENTS
2. BIRTH & FEATURES of SNMPv3
3. ARCHITECTURE
4. SECURE COMMUNICATION- USER SECURITY MODEL (USM)
5. ACCESS CONTROL- VIEW BASED ACCESS CONTROL MODEL (VACM)
6. IMPLEMENTATIONS
7. REFERENCES
Copyright © 2001 by Aiko Pras
These sheets may be used for educational purposes
DESIGN REQUIREMENTS
• ADDRESS THE NEED FOR SECURITY SUPPORT
• DEFINE AN ARCHITECTURE THAT ALLOWS FOR LONGEVITY OF SNMP
• ALLOW THAT DIFFERENT PORTIONS OF THE ARCHITECTURE MOVE AT DIFFERENT SPEEDS TOWARDS STANDARD STATUS
• ALLOW FOR FUTURE EXTENSIONS
• KEEP SNMP AS SIMPLE AS POSSIBLE
• ALLOW FOR MINIMAL IMPLEMENTATIONS
• SUPPORT ALSO THE MORE COMPLEX FEATURES, WHICH ARE REQUIRED IN LARGE NETWORKS
• RE-USE EXISTING SPECIFICATIONS, WHENEVER POSSIBLE
The Birth and Features of SNMPv3
• SNMPv3 Working Group did not "reinvent the wheel," but reused the SNMPv2 Draft Standard documents (i.e., RFCs 1902-1908)
• As a result, SNMPv3 is SNMPv2 plus security and administration. The new features of SNMPv3 (in addition to SNMPv2) include:
• Security: authentication and privacy; authorization and access control
• Administrative Framework: naming of entities; people and policies; usernames and key management; notification destinations; proxy relationships; remotely configurable via SNMP operations
SNMPv3 RFCs
[Figure: the RFCs mapped onto the architecture. An SNMP entity (RFC 3411) is an SNMP engine plus SNMP applications (RFC 3413); the engine holds the dispatcher and message processing subsystem (RFC 3412), the security subsystem (USM: RFC 3414), the access control subsystem (VACM: RFC 3415) and other components]
SNMPv3 RFCs (2)
RFC 3410 (Informational) - Introduction and Applicability Statements for Internet Standard Management Framework (December 2002)
RFC 3411 - An Architecture for Describing SNMP Management Frameworks (December 2002)
RFC 3412 - Message Processing and Dispatching (December 2002)
RFC 3413 - SNMP Applications (December 2002)
RFC 3414 - User-based Security Model (December 2002)
RFC 3415 - View-based Access Control Model (December 2002)
RFC 3416 - Version 2 of SNMP Protocol Operations (December 2002)
RFC 3417 - Transport Mappings (December 2002)
RFC 3418 - Management Information Base (MIB) for the Simple Network Management Protocol (SNMP) (December 2002)
RFCs 3411-3418 have all become Internet Standards
SNMPv3 ARCHITECTURE
[Figure: an SNMP entity consists of an SNMP engine (dispatcher, message processing subsystem, security subsystem, access control subsystem, other) and SNMP applications (command generator, command responder, notification originator, notification receiver, proxy forwarder, other)]
SNMPv3 ARCHITECTURE: MANAGER
[Figure: the manager-side entity. Applications: command generator, notification receiver. Engine: PDU dispatcher, message dispatcher and transport mappings; a message processing subsystem with SNMPv1, SNMPv2c, SNMPv3 and other models; a security subsystem with community based, user based and other security models]
SNMPv3 ARCHITECTURE: AGENT
[Figure: the agent-side entity. Applications: command responder, notification originator. Engine: PDU dispatcher, message dispatcher and transport mappings; a message processing subsystem with SNMPv1, SNMPv2c, SNMPv3 and other models; a security subsystem with community based, user based and other security models; an access control subsystem (view based access control) sitting between the applications and the management information base]
CONCEPTS: snmpEngineID
[Figure: four SNMP entities, each containing an SNMP engine plus other components, identified by snmpEngineID=1, snmpEngineID=2, snmpEngineID=3 and snmpEngineID=4]
MODULES OF THE SNMPv3 ARCHITECTURE
DISPATCHER AND MESSAGE PROCESSING MODULE
• SNMPv3 MESSAGE STRUCTURE
• snmpMPDMIB
• RFC 3412 (Standard)
APPLICATIONS
• snmpTargetMIB
• snmpNotificationMIB
• snmpProxyMIB
• RFC 3413 (Standard)
SECURITY SUBSYSTEM
• USER-BASED SECURITY MODEL (USM)
• snmpUsmMIB
• RFC 3414 (Standard)
ACCESS CONTROL SUBSYSTEM
• VIEW-BASED ACCESS CONTROL MODEL (VACM)
• snmpVacmMIB
• RFC 3415 (Standard)
SNMPv3 MESSAGE STRUCTURE
[Figure: the SNMPv3 message fields and the component that consumes each]
  msgVersion                                       USED BY MESSAGE PROCESSING SUBSYSTEM
  msgID, msgMaxSize, msgFlags, msgSecurityModel    USED BY SNMPv3 PROCESSING MODULE
  msgSecurityParameters                            USED BY SECURITY SUBSYSTEM
  contextEngineID, contextName, PDU                USED BY ACCESS CONTROL SUBSYSTEM AND APPLICATIONS
SNMPv3 PROCESSING MODULE PARAMETERS
[Figure: the same message layout, with the values of the fields handled by the SNMPv3 processing module]
  msgVersion
  msgID                 0..2147483647
  msgMaxSize            484..2147483647
  msgFlags              authFlag, privFlag, reportableFlag
  msgSecurityModel      SNMPv1, SNMPv2c, USM
  msgSecurityParameters
  contextEngineID, contextName, PDU
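The header fields above, decoded and checked the way an RFC 3412 message processing module does it, as an added example that is not part of the slides or of any implementation listed later. It assumes BER encoding (the one SNMP uses) and a constructed sample header; the ranges and the rule that privFlag requires authFlag come from RFC 3412.

```python
SECURITY_MODELS = {1: "SNMPv1", 2: "SNMPv2c", 3: "USM"}  # msgSecurityModel values
MSG_ID_RANGE = (0, 2147483647)                            # msgID
MSG_MAX_SIZE_RANGE = (484, 2147483647)                    # msgMaxSize

# Constructed sample header: SEQUENCE { msgID 4660, msgMaxSize 65507,
#   msgFlags 0x07 (auth + priv + reportable), msgSecurityModel 3 (USM) }
SAMPLE_GLOBAL_DATA = bytes.fromhex("300f02021234020300ffe3040107020103")

def _read_tlv(buf: bytes, pos: int):
    """Decode one BER TLV (definite length); return (tag, value, next position)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = length of length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def _checked(name: str, value: int, lo: int, hi: int) -> int:
    if not lo <= value <= hi:
        raise ValueError(f"{name}={value} outside {lo}..{hi}")
    return value

def parse_msg_global_data(raw: bytes) -> dict:
    """Decode msgGlobalData and apply the RFC 3412 checks; ValueError on a bad header."""
    tag, body, _ = _read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("msgGlobalData must be a SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        fields.append((tag, value))
    if [t for t, _ in fields] != [0x02, 0x02, 0x04, 0x02]:
        raise ValueError("expected INTEGER, INTEGER, OCTET STRING, INTEGER")
    as_int = lambda v: int.from_bytes(v, "big", signed=True)
    msg_id = _checked("msgID", as_int(fields[0][1]), *MSG_ID_RANGE)
    max_size = _checked("msgMaxSize", as_int(fields[1][1]), *MSG_MAX_SIZE_RANGE)
    if len(fields[2][1]) != 1:
        raise ValueError("msgFlags must be exactly one octet")
    flags = fields[2][1][0]
    auth, priv, reportable = bool(flags & 1), bool(flags & 2), bool(flags & 4)
    if priv and not auth:                  # RFC 3412: privacy without authentication is invalid
        raise ValueError("privFlag set without authFlag")
    level = "authPriv" if priv else "authNoPriv" if auth else "noAuthNoPriv"
    return {"msgID": msg_id, "msgMaxSize": max_size, "securityLevel": level,
            "reportable": reportable,
            "msgSecurityModel": SECURITY_MODELS.get(as_int(fields[3][1]), "unknown")}
```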
SECURE COMMUNICATION VERSUS ACCESS CONTROL
[Figure: manager and agent application processes exchanging GET / GET-NEXT / GETBULK / SET / TRAP / INFORM over the transport service. Secure communication protects the messages in transit between manager and agent; access control sits in the agent in front of its MIB]
USM: SECURITY THREATS
  THREAT              ADDRESSED?   MECHANISM
  REPLAY              YES          TIME STAMP
  MASQUERADE          YES          MD5 / SHA-1
  INTEGRITY           YES          (MD5 / SHA-1)
  DISCLOSURE          YES          DES
  DENIAL OF SERVICE   YES
  TRAFFIC ANALYSIS    YES
USM MESSAGE STRUCTURE
[Figure: the SNMPv3 message with msgSecurityParameters expanded into the USM fields, each annotated with the threat it counters]
  msgVersion, msgID, msgMaxSize, msgFlags, msgSecurityModel
  msgAuthoritativeEngineID, msgAuthoritativeEngineBoots, msgAuthoritativeEngineTime   REPLAY
  msgUserName                                                                          MASQUERADE/INTEGRITY/DISCLOSURE
  msgAuthenticationParameters                                                          MASQUERADE/INTEGRITY
  msgPrivacyParameters                                                                 DISCLOSURE
  contextEngineID, contextName, PDU
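The USM mechanisms from the threat table and the fields above, worked through as an added example that is not from the slides or from any implementation listed later: RFC 3414 password-to-key and key localization (checked against the RFC's published "maplesyrup" test vectors), HMAC-MD5-96 / HMAC-SHA-96 authentication as a receiver verifies it, and the engineBoots/engineTime timeliness check that counters replay. The message bytes used in the checks are constructed.

```python
import hashlib
import hmac

ONE_MEGABYTE = 1048576   # RFC 3414 A.2: the password is expanded to exactly 2^20 octets
TIME_WINDOW = 150        # RFC 3414 2.2.3: max clock skew (seconds) for a message to be timely
MAC_LEN = 12             # HMAC-MD5-96 / HMAC-SHA-96 truncate the MAC to 96 bits

# RFC 3414 Appendix A.3 test-vector inputs (published in the RFC, not real secrets)
TEST_PASSWORD = b"maplesyrup"
TEST_ENGINE_ID = bytes.fromhex("000000000000000000000002")

def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku = H(password repeated to 1 MiB); algo is 'md5' or 'sha1' (RFC 3414 A.2)."""
    reps, rem = divmod(ONE_MEGABYTE, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()

def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku) (RFC 3414 2.6): binds the key to one authoritative
    engine, so a key taken from one agent is useless for masquerading towards another."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def auth_parameters(kul: bytes, whole_msg: bytes, algo: str) -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message, computed with the 12-octet
    field itself set to zeros, truncated to 12 octets (masquerade + integrity protection)."""
    return hmac.new(kul, whole_msg, algo).digest()[:MAC_LEN]

def verify_auth(kul: bytes, whole_msg_zeroed_mac: bytes, received: bytes, algo: str) -> bool:
    """Receiver side: recompute the MAC and compare in constant time."""
    return len(received) == MAC_LEN and hmac.compare_digest(
        auth_parameters(kul, whole_msg_zeroed_mac, algo), received)

def in_time_window(local_boots: int, local_time: int, msg_boots: int, msg_time: int) -> bool:
    """Replay check made by the authoritative engine (RFC 3414 3.2): the message's
    engineBoots must equal ours and its engineTime must lie within 150 s of our clock."""
    if local_boots == 2147483647:          # boots counter latched at its maximum: nothing is timely
        return False
    return msg_boots == local_boots and abs(local_time - msg_time) <= TIME_WINDOW
```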
VIEW BASED ACCESS CONTROL MODEL
[Figure: VACM is built from an access control table and MIB views]
ACCESS CONTROL TABLES
[Figure: example access control table; rows of dots are further entries not shown]
  ALLOWED OPERATIONS   MIB VIEW          ALLOWED MANAGERS   REQUIRED LEVEL OF SECURITY
  GET / GETNEXT        Interface Table   John, Paul         Authentication
  ...                  ...               ...                ...
  ...                  ...               ...                ...
  SET                  Interface Table   John               Authentication
  GET / GETNEXT        Systems Group     George             None
  ...                  ...               ...                ...
  ...                  ...               ...                Encryption
MIB VIEWS
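The access control table and MIB views of the two slides above, modelled as an added example that is not from the slides or from any implementation listed later. It goes beyond the table in one respect: views carry RFC 3415 family masks, so a view can be restricted to one row of a table. Manager names, view contents and OIDs are constructed for illustration.

```python
LEVELS = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}   # ordered securityLevels
LEVEL_OF = {"None": "noAuthNoPriv", "Authentication": "authNoPriv", "Encryption": "authPriv"}

def subtree_matches(oid, subtree, mask=b""):
    """RFC 3415 vacmViewTreeFamily match: every sub-identifier of subtree whose mask bit
    is 1 must equal the corresponding sub-identifier of oid; bits past the end of the
    mask count as 1.  A 0 bit wildcards that position (typically a table index)."""
    if len(oid) < len(subtree):
        return False
    for i, sub in enumerate(subtree):
        bit = (mask[i // 8] >> (7 - i % 8)) & 1 if i // 8 < len(mask) else 1
        if bit and oid[i] != sub:
            return False
    return True

def in_view(view, oid):
    """view = [(subtree, mask, included)].  The matching family with the longest subtree
    decides (ties: lexicographically greatest subtree), so an excluded entry can carve
    a hole out of a wider included one."""
    best = None
    for subtree, mask, included in view:
        if subtree_matches(oid, subtree, mask):
            if best is None or (len(subtree), subtree) > (len(best[0]), best[0]):
                best = (subtree, included)
    return best is not None and best[1]

# The slide's table as data: (allowed operations, MIB view, allowed managers, required level)
ACCESS_TABLE = [
    ({"get", "getnext"}, "Interface Table", {"John", "Paul"}, "Authentication"),
    ({"set"},            "Interface Table", {"John"},         "Authentication"),
    ({"get", "getnext"}, "Systems Group",   {"George"},       "None"),
]
VIEWS = {
    "Interface Table": [((1, 3, 6, 1, 2, 1, 2), b"", True)],          # interfaces group
    "Systems Group":   [((1, 3, 6, 1, 2, 1, 1), b"", True),           # system group ...
                        ((1, 3, 6, 1, 2, 1, 1, 6), b"", False)],      # ... minus sysLocation
}

def is_access_allowed(manager, level, operation, oid) -> bool:
    """isAccessAllowed(): the manager must be listed for the operation, its securityLevel
    must reach the required level, and the object must lie inside the granted view."""
    for ops, view, managers, required in ACCESS_TABLE:
        if operation in ops and manager in managers and LEVELS[level] >= LEVELS[LEVEL_OF[required]]:
            if in_view(VIEWS[view], oid):
                return True
    return False
```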
SNMPv3 IMPLEMENTATIONS
ACE*COMM
AdventNet
BMC Software
Cisco
Epilogue
Gambit Communications
Halcyon
IBM
ISI
IWL
MG-SOFT
MultiPort Corporation
SimpleSoft
SNMP Research
SNMP++
TU of Braunschweig
Net-SNMP
University of Quebec
SNMPv3 References
• http://www.ibr.cs.tu-bs.de/ietf/snmpv3/
• http://www.ietf.org/html.charters/snmpv3-charter.html
• http://www.simpleweb.org/ietf/
• http://www.net-snmp.org
• READ Chapters 14, 15, 16, 17 of Stallings
• Read SNMPv3 White Paper, http://www.snmp.com/snmpv3/v3white.html