SNMPv3. Based on Behzad Akbari's Fall 2011 Network Management lectures; these slides are based in part on slides by Prof. Dssouli (Concordia University).
What is new in SNMPv3:
- Modularization of the documentation and of the architecture
- Coexistence: SNMPv1 and SNMPv2c messages can be handled by the same engine as the newly developed SNMPv3 (RFC 3584)
- An SNMP engine is defined: a model for the processing of SNMP messages
- New security features:
  - Message security (authentication, integrity, timeliness and encryption) to prevent tampering with management data in transit
  - Access control to determine which principal may read or write which part of the MIB

SNMPv3 architecture:
- A distributed, interacting collection of SNMP entities
- Each SNMP entity implements a portion of the SNMP capability and acts as an agent, a manager, or both
- An entity is a collection of modules interacting with each other to provide services

Advantages:
- The role of an SNMP entity is determined by the modules implemented in it: one set of modules is required for an agent, a different set for a manager
- The security subsystem provides services such as authentication and privacy of messages; multiple security models can coexist in one entity
- The access control subsystem provides authorization services that an application can use to check access rights before touching a managed object

SNMP Architecture, manager side (figure):
- Applications: Command Generator, Notification Originator, Notification Receiver
- Dispatcher: PDU Dispatcher, Message Dispatcher, Transport Mappings
- Message Processing Subsystem: SNMPv1, SNMPv2c, SNMPv3, other message processing models
- Security Subsystem: User-based Security Model, Community-based Security Model, other security models

Manager applications:
- Command Generator: monitors and manipulates management data at remote agents using the SNMPv1/v2 PDUs Get, GetNext, Set and (from SNMPv2 on) GetBulk
- Notification Originator: initiates notifications, for example InformRequest PDUs sent to another manager
- Notification Receiver: receives notifications from other managers or agents (InformRequest, SNMPv1 and SNMPv2 Traps, etc.)
These applications use the services of the SNMP engine, which:
- takes outgoing PDUs from the applications, processes them and generates SNMP messages for transmission over the transport layer
- accepts incoming SNMP messages, processes them, extracts the PDUs and passes them to the appropriate SNMP application

Dispatcher functions:
- Accepts PDUs from applications
- Handles messages of multiple versions (SNMPv1, v2c, v3)
- Interfaces with the application modules, the network (transport mappings) and the message processing models
- The PDU dispatcher passes PDUs between the applications and the Message Processing Subsystem (MPS)
(Figure: SNMP engine, identified by snmpEngineID, containing the Dispatcher, the Message Processing Subsystem and the Security Subsystem)

Message Processing Subsystem functions:
- Accepts outgoing PDUs from the Dispatcher, attaches the appropriate header and returns the message to the Dispatcher
- Accepts incoming messages, processes each message header and returns the enclosed PDU to the Dispatcher
- Contains one or more Message Processing Models, one per SNMP version
- The SNMP version is identified in the message header
(Figure: SNMP engine, identified by snmpEngineID, with the Message Processing Subsystem highlighted)

Security Subsystem:
- Performs the authentication and encryption functions for each outgoing and incoming message
- Outgoing PDUs may be encrypted, and an authentication code is generated and placed in the message's security parameters; the message is then returned to the MPS
- Incoming messages are passed to the security subsystem, which decrypts them and verifies their authentication code (and, in USM, their timeliness)
(Figure: SNMP engine, identified by snmpEngineID, with the Security Subsystem highlighted)

SNMP Architecture, agent side (figure):
- Applications: Command Responder, Notification Originator, Proxy Forwarder
- Dispatcher: PDU Dispatcher, Message Dispatcher, Transport Mappings
- Message Processing Subsystem: SNMPv1, SNMPv2c, SNMPv3, other message processing models
- Security Subsystem: User-based Security Model, Community-based Security Model, other security models
- Access Control Subsystem: View-based Access Control, in front of the Management Information Base

Agent applications:
- Command Responder: provides access to management data; responds to incoming requests by retrieving and/or setting managed objects and issuing a Response PDU
- Notification Originator: generates SNMPv1 and SNMPv2 Trap PDUs
- Proxy Forwarder: forwards messages between entities
Access Control Subsystem:
- Provides authorization services to control access to the MIB for reading and setting managed objects: who can access, and what can be accessed

Terminology:
- snmpEngineID: unique identifier of the SNMP engine within each SNMP entity
- principal: the person, group or application on whose behalf services are requested
- securityName: human-readable name of the principal within a security model
- contextEngineID: identifies the engine that holds a context; for objects local to an entity it is identical to that entity's snmpEngineID (it differs when a proxy forwards on behalf of another engine)
- contextName: names a context, i.e. a collection of managed objects accessible by an engine; used in access control. An SNMP agent can manage more than one network element, one context each
Example: snmpEngineID derived from an IP address; principal "John Smith"; securityName "Administrator"

snmpEngineID (format figure; see the SnmpEngineID textual convention in RFC 3411)
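The following is an added example and not part of the lecture slides: a decoder for the snmpEngineID layout defined in RFC 3411 (5 to 32 octets; when the high bit of the first octet is set, octets 1-4 carry an IANA enterprise number, octet 5 a format code and the remaining octets an IPv4/IPv6 address, a MAC address, text, opaque octets or an enterprise-specific value). The engine IDs in it are constructed; 9 and 8072 are the Cisco and Net-SNMP enterprise numbers, used only to make the decoding concrete.

```python
"""Decode an snmpEngineID per the SnmpEngineID textual convention (RFC 3411).

Added example; the engine IDs used with it are constructed, not taken from real devices.
"""
import ipaddress
import struct


def parse_engine_id(engine_id: bytes) -> dict:
    """Return the enterprise number, format and decoded body of an snmpEngineID."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError(f"snmpEngineID must be 5..32 octets, got {len(engine_id)}")
    first_word = struct.unpack("!I", engine_id[:4])[0]
    info = {
        "enterprise": first_word & 0x7FFFFFFF,       # low 31 bits: IANA enterprise number
        "new_format": bool(first_word & 0x80000000),  # high bit set: RFC 3411 layout
    }
    if not info["new_format"]:
        # Old (RFC 1910-era) layout: exactly 12 octets, the last 8 are enterprise-defined.
        if len(engine_id) != 12:
            raise ValueError("old-format snmpEngineID must be exactly 12 octets")
        info.update(format="enterprise-defined", body=engine_id[4:])
        return info
    fmt, body = engine_id[4], engine_id[5:]
    info["format_code"] = fmt
    if fmt == 1 and len(body) == 4:
        info.update(format="ipv4", body=str(ipaddress.IPv4Address(body)))
    elif fmt == 2 and len(body) == 16:
        info.update(format="ipv6", body=str(ipaddress.IPv6Address(body)))
    elif fmt == 3 and len(body) == 6:
        info.update(format="mac", body=":".join(f"{b:02x}" for b in body))
    elif fmt == 4:
        info.update(format="text", body=body.decode("ascii"))   # administratively assigned text
    elif fmt == 5:
        info.update(format="octets", body=body)                 # administratively assigned octets
    elif fmt >= 128:
        info.update(format="enterprise-specific", body=body)    # layout known only to the vendor
    else:
        # format 0 and 6..127 are reserved; a known format with the wrong length is malformed
        raise ValueError(f"reserved or malformed format code {fmt} with body length {len(body)}")
    return info


if __name__ == "__main__":
    # Constructed: enterprise 9, IPv4 format, address 192.168.1.1
    print(parse_engine_id(bytes.fromhex("8000000901c0a80101")))
    # Constructed: enterprise 8072, enterprise-specific format, opaque body
    print(parse_engine_id(bytes.fromhex("80001f8880a1b2c3d4e5f6")))
```

Because USM keys are localized with this value, and timeliness is checked against the engine it names, two engines that share an snmpEngineID (cloned virtual machines, templated configurations) corrupt a manager's cached keys and clocks; an enterprise-specific body gives no hint about how the vendor guaranteed uniqueness, so it is worth checking in an inventory.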

Abstract Service Interfaces
- An abstract service interface is a conceptual interface between modules, independent of implementation
- It defines a set of primitives; a primitive specifies the function to be performed (comparable to a procedure call) and is associated with the receiving module
- An interface defined by primitives and their parameters is referred to as an abstract service interface
- Example, Dispatcher primitives: handle PDUs to and from applications; register and unregister application modules; transmit messages to and receive messages from the network
- Each primitive has IN and OUT parameters and returns status information / a result

Dispatcher Primitives: sendPdu
- Used by a command generator (or notification originator) to send an SNMP request or notification PDU to another SNMP entity
- When the Dispatcher successfully prepares the message, a sendPduHandle (unique identifier) is returned so that the application can match any response it expects
- The application also provides the transport domain and address, the message processing model, the security model, the security name (principal), the security level, the context for this PDU and the PDU itself
(Figure: Command Generator -> sendPdu -> Dispatcher -> prepareOutgoingMessage -> Message Processing Model; result: sendPduHandle or errorIndication)

Dispatcher Primitives: processResponsePdu
- Used by the Dispatcher to pass an incoming response PDU to an application
- The application matches it against a preceding request or notification PDU via the sendPduHandle and reports success or failure
(Figure: as above, with processResponsePdu flowing from the Dispatcher back to the Command Generator)

Dispatcher Primitives: processPdu
- Used by the Dispatcher to pass an incoming request or notification PDU to an application (command responder)
- The security-related information of the incoming message (security model, level and name, context) is passed along, because a matching response must be generated with the same parameters
- The command responder asks the access control subsystem (isAccessAllowed) whether the access is permitted and generates the response accordingly
returnResponsePdu
- Used by the command responder to return an SNMP response to an incoming request or notification
(Figure: Dispatcher -> processPdu -> Command Responder -> returnResponsePdu -> Dispatcher -> prepareResponseMessage -> Message Processing Model)

Message Processing Subsystem Primitives: prepareOutgoingMessage
- Prepares a message for an outgoing SNMP request or notification PDU
- The IN parameter is the PDU (with its security and transport parameters); the OUT parameter is the message
- Success or failure is returned
(Figure: Command Generator -> sendPdu -> Dispatcher -> prepareOutgoingMessage -> Message Processing Model; result: sendPduHandle or errorIndication)

Message Processing Subsystem Primitives: prepareResponseMessage
- Requests the preparation of a message containing an outgoing SNMP response PDU, in response to an incoming request or notification PDU
(Figure: Dispatcher -> processPdu -> Command Responder -> returnResponsePdu -> Dispatcher -> prepareResponseMessage -> Message Processing Model)

Security Subsystem Primitives (RFC 3411 names; the slides abbreviate "Msg" as "Message")
generateRequestMsg
- Generates a message containing an outgoing SNMP request or notification PDU
- Returns to the MPS the message (authenticated and/or encrypted as the requested security level demands) and the associated security parameters
processIncomingMsg
- Provides the security functions (authentication, decryption and, in USM, the timeliness check) for incoming messages
- Returns success or failure as the result of the security check; if successful, the decrypted scopedPDU is returned to the MPS
generateResponseMsg
- Generates a message containing an outgoing SNMP response PDU, in response to an incoming request or notification
- Returns to the MPS the message (with authentication and encryption applied as required) and the associated security parameters

Applications and examples of their use:
- Command generator: issues get-request (and the other request PDUs)
- Command responder: returns get-response
- Notification originator: trap generation
- Notification receiver: trap processing
- Proxy forwarder: translation between SNMP versions, e.g. get-bulk to get-next
- Other: special-purpose applications

Command Generator, on receiving a response:
1) Examine the parameters returned with the received PDU (security model, security level, security name, contextEngineID, contextName, etc.) and compare them with the copy cached when the request was sent; if they do not match, the message is discarded
2) Check the received PDU itself (request-id matches an outstanding request, etc.)
3) If all checks pass, act on the response

Command Responder, on receiving a request:
1) Examine the contents of the request PDU; check that the requested context and objects are registered with this responder
2) Invoke the isAccessAllowed primitive to determine whether the principal making the request may access the object at the message's security level
3) If access is permitted, prepare a response
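The following is an added example, not from the slides: a simplified Python model of the View-based Access Control Model tables (RFC 3415) that sit behind the isAccessAllowed primitive invoked in step 2. The group, access and view table contents, user names and OIDs are constructed; the access-entry selection is simplified as described in the module docstring, and the status strings are the ones RFC 3415 defines.

```python
"""VACM isAccessAllowed (RFC 3415), simplified.

Added example. The tables are constructed. Access-entry selection takes the
highest-privilege entry the message's securityLevel qualifies for and ignores the
RFC's exact-model and longest-context-prefix tie-break rules.
"""
from dataclasses import dataclass
from typing import Optional

LEVEL = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}


@dataclass(frozen=True)
class ViewFamily:
    subtree: tuple    # OID as a tuple of sub-identifiers
    mask: bytes       # vacmViewTreeFamilyMask; b"" means every sub-identifier must match
    included: bool    # vacmViewTreeFamilyType: True = included, False = excluded


def mask_bit(mask: bytes, i: int) -> bool:
    """Bit i of the mask; bits past the end of the mask count as 1 (must match)."""
    return i >= 8 * len(mask) or bool(mask[i // 8] & (0x80 >> (i % 8)))


def family_matches(fam: ViewFamily, oid: tuple) -> bool:
    if len(oid) < len(fam.subtree):
        return False
    return all(not mask_bit(fam.mask, i) or oid[i] == fam.subtree[i]
               for i in range(len(fam.subtree)))


def oid_in_view(view: list, oid: tuple) -> bool:
    """Longest matching subtree decides; ties go to the lexicographically greatest subtree."""
    matches = [f for f in view if family_matches(f, oid)]
    if not matches:
        return False
    return max(matches, key=lambda f: (len(f.subtree), f.subtree)).included


@dataclass(frozen=True)
class AccessEntry:
    group: str
    context_prefix: str
    model: str
    min_level: str            # entry applies to this securityLevel and stronger ones
    read_view: Optional[str]
    write_view: Optional[str]
    notify_view: Optional[str]


# Constructed configuration: vacmSecurityToGroupTable, vacmAccessTable, vacmViewTreeFamilyTable.
SECURITY_TO_GROUP = {("usm", "ops-ro"): "readonly", ("usm", "netadmin"): "admins"}
ACCESS = [
    AccessEntry("readonly", "", "usm", "authNoPriv", "sys-view", None, None),
    AccessEntry("admins", "", "usm", "authPriv", "all", "all", "all"),
]
SYSTEM = (1, 3, 6, 1, 2, 1, 1)
IF_ENTRY = (1, 3, 6, 1, 2, 1, 2, 2, 1)
# Row 3 of ifTable, any column: mask bit 9 (the column position) is a wildcard, 0xff 0xa0.
IF_ROW3 = ViewFamily(IF_ENTRY + (0, 3), b"\xff\xa0", True)
VIEWS = {
    "all": [ViewFamily((1,), b"", True)],
    # system group readable, but sysLocation (system.6) carved out with an excluded family
    "sys-view": [ViewFamily(SYSTEM, b"", True), ViewFamily(SYSTEM + (6,), b"", False)],
}


def is_access_allowed(model, name, level, view_type, context, oid) -> str:
    """Return an RFC 3415 status value for one access check."""
    group = SECURITY_TO_GROUP.get((model, name))
    if group is None:
        return "noGroupName"
    candidates = [e for e in ACCESS
                  if e.group == group and e.model == model
                  and context.startswith(e.context_prefix)
                  and LEVEL[e.min_level] <= LEVEL[level]]
    if not candidates:
        return "noAccessEntry"
    entry = max(candidates, key=lambda e: LEVEL[e.min_level])
    view_name = {"read": entry.read_view, "write": entry.write_view,
                 "notify": entry.notify_view}[view_type]
    if view_name is None or view_name not in VIEWS:
        return "noSuchView"
    return "accessAllowed" if oid_in_view(VIEWS[view_name], oid) else "notInView"
```

Two points this makes visible that the table descriptions do not: an excluded family overrides an included one only because it is longer, so an operator who later adds a longer included family underneath it silently re-exposes the object; and a user whose group demands authNoPriv gets noAccessEntry, not notInView, when the request arrives at noAuthNoPriv, which is how security level and authorization are coupled in VACM.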

Scenario Diagrams (slides 24 to 39; the diagrams are not reproduced in this transcript)

SNMPv3 Message Format
- msgVersion: 3 for SNMPv3 (on the wire SNMPv1 is 0 and SNMPv2c is 1)
- msgGlobalData (header): msgID, msgMaxSize, msgFlags (authFlag, privFlag, reportableFlag), msgSecurityModel
- msgSecurityParameters (for USM): msgAuthoritativeEngineID, msgAuthoritativeEngineBoots, msgAuthoritativeEngineTime, msgUserName, msgAuthenticationParameters, msgPrivacyParameters
- scopedPDU (plaintext or encrypted): contextEngineID, contextName, data (the PDU)
The authentication code in the security parameters is computed over the whole message. The authoritative engine's boots and time values synchronize the two entities so that replayed messages can be rejected and timeliness achieved.

Message Format (figure; see p. 304)

Security Threats
Modification of Information
- An entity may alter in-transit SNMP messages generated on behalf of an authorized principal so as to effect unauthorized management operations, including falsifying the value of an object
Masquerade
- Management operations not authorized for some entity may be attempted by assuming the identity of another entity that has the appropriate authorizations
(Figure: Management Entity A and Management Entity B, with the four threats on the path between them: modification of information, masquerade, message stream modification, disclosure)

Message Stream Modification
- SNMP is typically based on a connectionless transport service. Messages may be maliciously re-ordered, delayed or replayed in order to effect unauthorized management operations; for example, a message that reboots a system could be captured and replayed later
Disclosure
- Eavesdropping on or intercepting the exchanges between SNMP engines

SNMPv3 is not intended to secure against these two threats:
Denial of Service
- An attacker may prevent exchanges between manager and agent
- A DoS is indistinguishable from a network element failure
- A DoS may disrupt all services, not just those pertaining to network management
Traffic Analysis
- An attacker may observe the general pattern of traffic between managers and agents (which engines talk, how often, message sizes), even when the content is encrypted

Security Model Goals
- Data integrity
- Data origin authentication
- Protection against message redirection, re-ordering, delay and replay (timeliness)
- Data confidentiality (encryption at the sender, decryption at the receiver)

Security Model
- The security model authenticates (and encrypts or decrypts) incoming and outgoing messages and passes them to and from the Message Processing Model
- Three modules: the authentication module, the privacy module and the timeliness module
(Figure: Security Subsystem beside the Message Processing Model. Authentication Module: data integrity, data origin authentication. Privacy Module: data confidentiality. Timeliness Module: message timeliness and limited replay protection)

Authentication Module
- Data integrity: a message authentication code is computed at the sender and validated at the receiver, ensuring that the message was not modified in transit by an unauthorized party
- Authentication protocols: HMAC-MD5-96 and HMAC-SHA-96 (RFC 3414); HMAC-SHA-2 variants were added later by RFC 7860, and the MD5 and SHA-1 based protocols are now legacy choices
- Data origin authentication: verifies the identity of the user on whose behalf the message was sent. The user's key is localized to the authoritative SNMP engine, whose unique snmpEngineID is carried in the message, so a key captured for one engine is useless against another
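The following is an added example, not part of the slides: RFC 3414's password-to-key derivation (Appendix A.2), key localization to an authoritative engine, and HMAC-96 authentication over a message whose msgAuthenticationParameters field is zeroed while the MAC is computed. The "wire message" here is a constructed byte string with a 12-octet zeroed slot standing in for msgAuthenticationParameters, not real BER encoding; the password "maplesyrup" and the 12-octet engine ID 0x000000000000000000000002 are the RFC's own test vector, while the other engine ID is constructed.

```python
"""USM key derivation and HMAC-96 authentication (RFC 3414 A.2, sections 6 and 7).

Added example. The message below is a constructed byte string with a 12-octet zeroed
slot in place of msgAuthenticationParameters; it is not a BER-encoded SNMPv3 message.
"""
import hashlib
import hmac

MAC_LEN = 12  # HMAC-MD5-96 and HMAC-SHA-96 keep only the first 96 bits of the HMAC


def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku: digest of the password repeated to exactly 1 MiB (RFC 3414 A.2.1 / A.2.2)."""
    total = 1024 * 1024
    stream = (password * (total // len(password) + 1))[:total]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key is bound to one authoritative engine."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def authenticate(kul: bytes, algo: str, message: bytes, mac_offset: int) -> bytes:
    """Sender: MAC the whole message with the slot zeroed, then write the MAC into the slot."""
    if message[mac_offset:mac_offset + MAC_LEN] != bytes(MAC_LEN):
        raise ValueError("msgAuthenticationParameters must be zeroed before MAC computation")
    mac = hmac.new(kul, message, algo).digest()[:MAC_LEN]
    return message[:mac_offset] + mac + message[mac_offset + MAC_LEN:]


def verify(kul: bytes, algo: str, message: bytes, mac_offset: int) -> bool:
    """Receiver: take the MAC out, zero the slot, recompute, compare in constant time."""
    received = message[mac_offset:mac_offset + MAC_LEN]
    zeroed = message[:mac_offset] + bytes(MAC_LEN) + message[mac_offset + MAC_LEN:]
    expected = hmac.new(kul, zeroed, algo).digest()[:MAC_LEN]
    return hmac.compare_digest(received, expected)


# Constructed sample message: header, the 12-octet zeroed MAC slot, then a scopedPDU stand-in.
ENGINE_ID = bytes.fromhex("8000000901c0a80101")  # constructed RFC 3411-style IPv4 engine ID
HEADER = b"\x30\x00msgGlobalData|usm|" + ENGINE_ID + b"|boots=1|time=42|user=ops|"
MAC_OFFSET = len(HEADER)
TEMPLATE = HEADER + bytes(MAC_LEN) + b"|priv=|scopedPDU:GetRequest sysName.0"


def demo(algo: str = "sha1") -> dict:
    """Sign the template, then try to verify it unchanged, tampered, and with a key
    localized for a different engine."""
    kul = localize_key(password_to_key(b"maplesyrup", algo), ENGINE_ID, algo)
    signed = authenticate(kul, algo, TEMPLATE, MAC_OFFSET)
    tampered = signed.replace(b"GetRequest", b"SetRequest")          # same length, MAC slot untouched
    other_engine_id = ENGINE_ID[:-1] + b"\x02"                        # constructed neighbour engine
    other_kul = localize_key(password_to_key(b"maplesyrup", algo), other_engine_id, algo)
    return {
        "valid": verify(kul, algo, signed, MAC_OFFSET),
        "tampered": verify(kul, algo, tampered, MAC_OFFSET),
        "wrong_engine": verify(other_kul, algo, signed, MAC_OFFSET),
    }


if __name__ == "__main__":
    print(demo("sha1"))
```

The 1 MiB expansion is the only work factor in the scheme, and it is small by modern standards, so a captured authenticated message lets an offline attacker test candidate passwords at hash speed; the localization step limits the damage to the one engine the message was addressed to, which is why the same user password yields a different Kul on every agent.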

Privacy Module
- Data confidentiality ensures that data is not made available to unauthorized users or entities
- Encryption is applied at the sender and decryption at the receiver: CBC-DES in RFC 3414; CFB128-AES-128 was added by RFC 3826 and is the one to deploy, since single DES has a 56-bit key and is no longer considered adequate
- Only the scopedPDU is encrypted; the header and security parameters (including msgUserName) stay in the clear, and privacy is only allowed together with authentication (authPriv), since an encrypted but unauthenticated message could still be modified

Timeliness Module
- Prevents message redirection, delay and replay, within limits
- The receiver accepts a message only inside a time window around its own notion of the authoritative engine's clock (150 s in SNMPv3)
- Three objects of the authoritative engine are used: snmpEngineID, snmpEngineBoots (number of times the engine has rebooted) and snmpEngineTime (seconds since the last reboot); the non-authoritative engine learns and tracks them through discovery and Report messages
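The following is an added example, not part of the slides: the USM timeliness check from RFC 3414 section 3.2 (step 7), for both the authoritative receiver (an agent receiving a request) and the non-authoritative receiver (a manager receiving a response), followed by the replayed-reboot scenario from the threats section. All boots and time values are constructed, and snmpEngineTime is passed in explicitly rather than read from a clock so that the behaviour is deterministic.

```python
"""USM timeliness check (RFC 3414 section 2.3 and section 3.2 step 7).

Added example. Boots/time values are constructed; the local clock is passed in
explicitly instead of being read from the system so the checks are reproducible.
"""
from dataclasses import dataclass

WINDOW = 150               # seconds: the RFC's acceptance window
MAX_BOOTS = 2147483647     # 2^31 - 1; an engine whose boots counter reaches this refuses all traffic


@dataclass
class EngineTime:
    boots: int
    time: int


def authoritative_check(local: EngineTime, msg: EngineTime) -> bool:
    """Receiver is the authoritative engine: compare the message's boots/time with its own."""
    if local.boots == MAX_BOOTS:
        return False
    return local.boots == msg.boots and abs(local.time - msg.time) <= WINDOW


@dataclass
class LcdEntry:
    """Non-authoritative side's cached view (Local Configuration Datastore) of a remote clock."""
    boots: int = 0
    time: int = 0
    latest_received_time: int = 0


def non_authoritative_check(lcd: LcdEntry, msg: EngineTime, authenticated: bool) -> bool:
    """Receiver is a manager processing a message from the authoritative engine.
    An authenticated message may move the cached clock forward; afterwards the message
    must not be older than the newest time seen minus the window."""
    if authenticated and (msg.boots > lcd.boots
                          or (msg.boots == lcd.boots and msg.time > lcd.latest_received_time)):
        lcd.boots, lcd.time, lcd.latest_received_time = msg.boots, msg.time, msg.time
    if lcd.boots == MAX_BOOTS:
        return False
    return msg.boots == lcd.boots and msg.time >= lcd.latest_received_time - WINDOW


def replay_scenario() -> dict:
    """An attacker captures a valid, authenticated 'reboot' request sent when the agent's
    clock read boots=7, time=1000 and replays it at several later points."""
    captured = EngineTime(boots=7, time=1000)   # the values the legitimate sender put in the message
    return {
        "original": authoritative_check(EngineTime(7, 1000), captured),
        "replay_after_10s": authoritative_check(EngineTime(7, 1010), captured),
        "replay_after_200s": authoritative_check(EngineTime(7, 1200), captured),
        "replay_after_reboot": authoritative_check(EngineTime(8, 5), captured),
    }


if __name__ == "__main__":
    print(replay_scenario())
```

The scenario shows why the slide says "limited" replay protection: the same message replayed within 150 s of the original still passes the timeliness check, so the agent relies on request-id handling in the command responder to avoid executing it twice, and operations that are not idempotent (a reboot, a counter reset) deserve an explicit check there.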