1 Kyung Hee University Prof. Choong Seon HONG Chapter 15 SNMPV3 Architecture and Applications

2 Kyung Hee University The Evolution of SNMP

3 Kyung Hee University SNMPv3 Overview  Design Requirements SNMPv3 security features rely heavily on SNMPv2u and SNMPv2* Address the need for secure Set request messages over real- world networks, which is the most important deficiency of SNMPv1 and SNMPv2

4 Kyung Hee University SNMPv3 Overview - Design Requirements -  ADDRESS THE NEED FOR SECURY SUPPORT  DEFINE AN ARCHITECTURE THAT ALLOWS FOR LONGEVITY OF SNMP  ALLOW THAT DIFFERENT PORTIONS OF THE ARCHITECTURE MOVE AT DIFFERENT SPEEDS TOWARDS STANDARD STATUS  ALLOW FOR FUTURE EXTENSIONS  KEEP SNMP AS SIMPLE AS POSSIBLE  ALLOW FOR MINIMAL IMPLEMENTATIONS  SUPPORT ALSO THE MORE COMPLEX FEATURES, WHICH ARE REQUIRED IN LARGE NETWORKS  RE-USE EXISTING SPECIFICATIONS, WHENEVER POSSIBLE

5 Kyung Hee University SNMP Entities

6 Kyung Hee University SNMPv3 ARCHITECTURE: MANAGER UDP, IPX, Others

7 Kyung Hee University SNMPv3 ARCHITECTURE: Agent

8 Kyung Hee University CONCEPTS: snmpEngineID

9 Kyung Hee University CONCEPTS: Context

10 Kyung Hee University PRIMITIVES BETWEEN MODULES

11 Kyung Hee University SendPdu

12 prepareOutgoingMessage

13 generateRequestMsg

14 send / receive

15 Kyung Hee University prepareDataElements

16 processIncomingMsg

17 processPd

18 isAccessAllowed

19 returnResponsePdu

20 prepareResponseMessage

21 generateResponseMsg

22 send / receive

23 Kyung Hee University prepareDataElements

24 processIncomingMsg

25 processResponsePdu

26 MODULES OF THE SNMPv3 ARCHITECTURE  DISPATCHER AND MESSAGE PROCESSING MODULE SNMPv3 MESSAGE STRUCTURE snmpMPDMIB RFC 3412  APPLICATIONS snmpTargetMIB snmpNotificationMIB snmpProxyMIB RFC 3413  SECURITY SUBSYSTEM USER-BASED SECURITY MODEL (USM) snmpUsmMIB RFC 3414  ACCESS CONTROL SUBSYSTEM VIEW-BASED ACCESS CONTROL MODEL (VACM) snmpVacmMIB RFC 3415

27 Kyung Hee University SNMPv3 MESSAGE STRUCTURE

28 Kyung Hee University SNMPv3 PROCESSING MODULE PARAMETERS

29 Kyung Hee University SECURE COMMUNICATION VERSUS ACCESS CONTROL

30 Kyung Hee University USM: SECURITY THREATS

31 Kyung Hee University USM MESSAGE STRUCTURE

32 Kyung Hee University IDEA BEHIND REPLAY PROTECTION

33 Kyung Hee University IDEA BEHIND DATA INTEGRITY AND AUTHENTICATION

34 Kyung Hee University SNMPv3 IMPLEMENTATIONS  ACE*COMM  AdventNet  BMC Software  Cisco  Epilogue  Gambit Communications  Halcyon  IBM  ISI  IWL  MG-SOFT  MultiPort Corporation  SimpleSoft  SNMP Research  SNMP++  TU of Braunschweig  UCD  University of Quebec

35 Kyung Hee University SNMPv3 RFCs OTHER SNMP APPLICATIONS SNMP ENGINE MESSAGE PROCESSING SUBSYSTEM DISPATCHER SECURITY SUBSYSTEM ACCESS CONTROL SUBSYSTEM SNMP ENTITY RFC 3413 RFC 3411 RFC 3412 USM: RFC 3414VACM: RFC 3415

36 Kyung Hee University SNMPv3 RFCs (2)  RFC 3410 (Informational) - Introduction and Applicability Statements for Internet Standard Management Framework (December 2002)  RFC An Architecture for Describing SNMP Management Frameworks (December 2002)  RFC Message Processing and Dispatching (December 2002)  RFC SNMP Applications (December 2002)  RFC User-based Security Model (December 2002)  RFC View-based Access Control Model (December 2002)  RFC Version 2 of SNMP Protocol Operations (December 2002)  RFC Transport Mappings (December 2002)  RFC Management Information Base (MIB) for the Simple Network Management Protocol (SNMP) (December 2002)