2004-08-06 miasma slide 1: Minimally Integrated Access Security Module Application. isms BOF, IETF-60, San Diego, California. Randy Presuhn

miasma slide 2: Outline
1. Goals
2. Proposal
   1. Extensions to MIB modules
   2. Extensions to Elements of Procedure
   3. SNMP Engine Configuration
   4. Security Administrator Assistant Application
   5. Operation
3. Shortcomings

miasma slide 3: Goals
Specification and implementation goals:
– Maximize compatibility with existing specs
– Minimize changes to SNMP engine code
– Minimize MIB extensions required
– Avoid re-opening STD 62
Operational goals:
– Allow key lifetimes to be limited
– Support “on-demand” update of keys
– Coexist with existing SNMP key & user mgmt.
– Integrate existing non-SNMP key & user mgmt.
– No changes to any protocols on the wire

miasma slide 4: Extensions to MIB modules
OBJECT-TYPE “usmUserKeyExpirationDate”
– AUGMENTS usmUserTable
– DEFVAL is a sentinel value with the semantic “never expires” (which is the existing semantic of table entries)
OBJECT-TYPE “usmExpiredUserName”
– MAX-ACCESS accessible-for-notify
OBJECT-TYPE “usmExpiredUserEngineID”
NOTIFICATION-TYPE “usmExpiredUserNotification”
– OBJECTS list includes usmStatsUnknownUserNames, usmExpiredUserName, and usmExpiredUserEngineID
– Generated whenever usmStatsUnknownUserNames is incremented, or a user with an expired key is encountered

miasma slide 5: Extensions to Elements of Procedure
– Whenever usmStatsUnknownUserNames would be incremented, generate a usmExpiredUserNotification
– Whenever a PDU arrives and the user’s usmUserKeyExpirationDate indicates that the keys are stale, generate a usmExpiredUserNotification
– Whenever a PDU would be sent using expired keying material

miasma slide 6: SNMP Engine Configuration
– Configure VACM to allow the security administrator to update keys and the usmUserKeyExpirationDate; prohibit access by others.
– Configure VACM to allow secured delivery of the usmExpiredUserNotification to the security administrator.
– Configure SNMP-TARGET-MIB and SNMP-NOTIFICATION-MIB to securely deliver any usmExpiredUserNotification to a security administrator assistant application (next slide).

miasma slide 7: Security Administrator Assistant Application
– Runs on behalf of the Security Administrator
– Processes received usmExpiredUserNotification
– Uses existing user and key management protocols to interact with the existing user and key management infrastructure to determine what the new keys and key expiration date should be
– Uses SNMPv3 to update the keys and the usmUserKeyExpirationDate for the user/SNMP engine combination named in the usmExpiredUserNotification, on the SNMP engine which generated the notification.

miasma slide 8: Operation
[Diagram; labels recovered from the slide: two SNMP Engines, a Security Administrator Assistant Application, and Legacy Key and User Management, with connections labelled “Existing Protocols”, “SNMP Notify” and “Update”.]

miasma slide 9: Shortcomings
– Other than key expiry, no improvement to security
– Only works with key management protocols that provide sufficient information to the SAAA to generate a USM key update
– Coordination of multiple SAAAs could be complicated; a single SAAA is an inviting target
– Should separate unknown user & expired key aspects of operation
– Much more, I’m sure.