
Minimally Integrated Access Security Module Application (miasma)
isms BOF, IETF-60, San Diego, California
Randy Presuhn, 2004-08-06




Slide 1 (title slide): Randy Presuhn, randy_presuhn@mindspring.com

Slide 2: Outline
1. Goals
2. Proposal
   1. Extensions to MIB modules
   2. Extensions to Elements of Procedure
   3. SNMP Engine Configuration
   4. Security Administrator Assistant Application
   5. Operation
3. Shortcomings

Slide 3: Goals
Specification and implementation goals:
  - Maximize compatibility with existing specs
  - Minimize changes to SNMP engine code
  - Minimize MIB extensions required
  - Avoid re-opening STD 62
Operational goals:
  - Allow key lifetimes to be limited
  - Support "on-demand" update of keys
  - Coexist with existing SNMP key & user mgmt.
  - Integrate existing non-SNMP key & user mgmt.
  - No changes to any protocols on the wire

Slide 4: Extensions to MIB modules
OBJECT-TYPE "usmUserKeyExpirationDate"
  - AUGMENTS usmUserTable
  - DEFVAL is a sentinel value with the semantics "never expires" (which is the existing semantics of table entries)
OBJECT-TYPE "usmExpiredUserName"
  - MAX-ACCESS accessible-for-notify
OBJECT-TYPE "usmExpiredUserEngineID"
NOTIFICATION-TYPE "usmExpiredUserNotification"
  - OBJECTS list includes usmStatsUnknownUserNames, usmExpiredUserName, and usmExpiredUserEngineID
  - Generated whenever usmStatsUnknownUserNames is incremented, or a user with an expired key is encountered

Slide 5: Extensions to Elements of Procedure
  - Whenever usmStatsUnknownUserNames would be incremented, generate a usmExpiredUserNotification
  - Whenever a PDU arrives and the user's usmUserKeyExpirationDate indicates that the keys are stale, generate a usmExpiredUserNotification
  - Whenever a PDU would be sent using expired keying material

Slide 6: SNMP Engine Configuration
  - Configure VACM to allow the security administrator to update keys and the usmUserKeyExpirationDate; prohibit access by others.
  - Configure VACM to allow secured delivery of the usmExpiredUserNotification to the security administrator.
  - Configure SNMP-TARGET-MIB and SNMP-NOTIFICATION-MIB to securely deliver any usmExpiredUserNotification to a security administrator assistant application (next slide)

Slide 7: Security Administrator Assistant Application
  - Runs on behalf of the Security Administrator
  - Processes received usmExpiredUserNotification
  - Uses existing user and key management protocols to interact with existing user and key management infrastructure to determine what the new keys and key expiration date should be
  - Uses SNMPv3 to update the keys and the usmUserKeyExpirationDate for the user / SNMP Engine combination named in the usmExpiredUserNotification on the SNMP engine which generated the notification.
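The following is an added illustration, not code from the presentation or from any SNMP implementation: a small Python model of the procedure on slides 4, 5 and 7, in which an SNMP engine checks each incoming PDU against its usmUserTable (extended with usmUserKeyExpirationDate), emits a usmExpiredUserNotification for an unknown user or a stale key, and a stand-in Security Administrator Assistant Application (SAAA) answers by consulting a placeholder legacy key-management lookup and pushing the new key and expiration date back. The engine ID, user names, keys, the None sentinel for "never expires" and the legacy lookup are all constructed assumptions; the "PDU would be sent" case from slide 5 is not modelled.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class UsmUser:  # one usmUserTable row plus the proposed AUGMENTS column
    name: str
    key: bytes
    usmUserKeyExpirationDate: datetime = None  # DEFVAL sentinel: None = "never expires" (encoding assumed)

@dataclass
class SnmpEngine:
    engine_id: bytes
    users: dict = field(default_factory=dict)
    usmStatsUnknownUserNames: int = 0
    sent: list = field(default_factory=list)  # notifications delivered to the SAAA
    def _notify(self, name):  # OBJECTS list of usmExpiredUserNotification
        self.sent.append({"usmStatsUnknownUserNames": self.usmStatsUnknownUserNames,
                          "usmExpiredUserName": name, "usmExpiredUserEngineID": self.engine_id})
    def receive(self, user_name, now):
        """Extended elements of procedure applied to an incoming PDU."""
        user = self.users.get(user_name)
        if user is None:  # usmStatsUnknownUserNames would be incremented
            self.usmStatsUnknownUserNames += 1
            self._notify(user_name)
            return "unknownUser"
        exp = user.usmUserKeyExpirationDate
        if exp is not None and now >= exp:  # keying material is stale
            self._notify(user_name)
            return "expiredKey"
        return "ok"

def saaa_handle(engine, n, now, legacy_lookup):
    """SAAA: get key and lifetime from legacy key mgmt, then update the named user on the notifying engine."""
    new_key, lifetime = legacy_lookup(n["usmExpiredUserName"])
    engine.users[n["usmExpiredUserName"]] = UsmUser(n["usmExpiredUserName"], new_key, now + lifetime)

def demo():
    t0 = datetime(2004, 8, 6, tzinfo=timezone.utc)
    eng = SnmpEngine(engine_id=b"\x80\x00\x00\x01")  # constructed engine ID
    eng.users["alice"] = UsmUser("alice", b"k1", t0 + timedelta(days=30))
    legacy = lambda name: (b"new-" + name.encode(), timedelta(days=30))  # stand-in for legacy mgmt
    r = [eng.receive("alice", t0 + timedelta(days=1)),   # ok
         eng.receive("alice", t0 + timedelta(days=31)),  # expiredKey -> notification
         eng.receive("bob", t0 + timedelta(days=31))]    # unknownUser -> notification
    for n in list(eng.sent):  # SAAA processes both notifications
        saaa_handle(eng, n, t0 + timedelta(days=31), legacy)
    r += [eng.receive("alice", t0 + timedelta(days=32)),  # ok after re-keying
          eng.receive("bob", t0 + timedelta(days=32))]    # ok after provisioning
    return r, eng.usmStatsUnknownUserNames, len(eng.sent)
```

The distinct return values of receive() also show the point raised under Shortcomings: the unknown-user and expired-key cases travel in the same notification type, so a receiver has to tell them apart itself.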

Slide 8: Operation
[Diagram: two SNMP Engines, the Security Administrator Assistant Application, and Legacy Key and User Management; arrows labelled "Existing Protocols", "SNMP Notify" and "Update"]

Slide 9: Shortcomings
  - Other than key expiry, no improvement to security
  - Only works with key management protocols that provide sufficient information to the SAAA to generate a USM key update
  - Coordination of multiple SAAAs could be complicated; a single SAAA is an inviting target
  - Should separate unknown user & expired key aspects of operation
  - Much more, I'm sure.

