Published by Cameron Poole. Modified over 9 years ago.
Slide 1: SNMPv3
Yen-Cheng Chen, Department of Information Management, National Chi Nan University
Reference: http://www.comsoc.org/livepubs/surveys/public/4q98issue/stallings.html
Slide 2: SNMPv3 RFCs
- RFC3410: Introduction and Applicability Statements for Internet-Standard Management Framework
- RFC3411: An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks
- RFC3412: Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)
- RFC3413: Simple Network Management Protocol (SNMP) Applications
- RFC3414: User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)
- RFC3415: View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)
- RFC3416: Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP)
- RFC3417: Transport Mappings for the Simple Network Management Protocol (SNMP)
- RFC3418: Management Information Base (MIB) for the Simple Network Management Protocol (SNMP)
Slide 4: SNMPv3 Architecture
An SNMP entity is a node with an SNMP management element: either an agent, a manager, or both. It consists of:
- Application(s): Command Generator, Command Responder, Notification Originator, Notification Receiver, Proxy Forwarder, Other
- SNMP Engine (identified by snmpEngineID): Dispatcher, Message Processing Subsystem, Security Subsystem, Access Control Subsystem
Slide 5: Dispatcher
(Part of the SNMP Engine, alongside the Message Processing Subsystem, Security Subsystem and Access Control Subsystem.)
- Sending and receiving SNMP messages to/from the network
- Determining the version of an SNMP message and interacting with the corresponding Message Processing Model
- Providing an abstract interface to SNMP applications for delivery of a PDU to an application
- Providing an abstract interface for SNMP applications that allows them to send a PDU to a remote SNMP entity
Slide 6: Dispatcher, three components
- Transport mapping: delivers messages over the transport protocol
- Message Dispatcher: routes messages between the network and the appropriate module of the Message Processing Subsystem (MPS)
- PDU Dispatcher: handles messages between an application and the MPS
Slide 7: Message Processing Subsystem
(Part of the SNMP Engine, alongside the Dispatcher, Security Subsystem and Access Control Subsystem.)
- Contains one or more Message Processing Models (MPMs)
- One MPM for each SNMP version
- The SNMP version is identified in the message header
Slide 8: Security and Access Control
(Security Subsystem and Access Control Subsystem of the SNMP Engine.)
- Security at the message level: authentication, and privacy of the message via secure communication
- Flexible access control: who can access, what can be accessed, flexible MIB views
Slide 9: Applications
Application(s): Command Generator, Command Responder, Notification Originator, Notification Receiver, Proxy Forwarder, Other
Application and example:
- Command generator: get-request
- Command responder: get-response
- Notification originator: trap generation
- Notification receiver: trap processing
- Proxy Forwarder: get-bulk to get-next (SNMP versions only)
- Other: special application
Slide 10: Manager (figure)
Slide 11: Agent (figure)
Slide 12: Command Generator or Notification Originator (figure)
Slide 13: Command Responder (figure)
Slide 14: Names
- Entity Engine (snmpEngineID): associated with each SNMP entity is a unique snmpEngineID.
- Context (contextName): a context is a collection of management information accessible by an SNMP entity.
- Context engine (contextEngineID) = snmpEngineID
- Principal (securityName): the "who" on whose behalf services are provided or processing takes place; may be an individual or an application, or a group of individuals or applications.
Slide 15: Context Engine (figure: contextName, contexts)
Slide 16: Security Threats (figure: Management Entity A, Management Entity B; modification of information, masquerade, message stream modification, disclosure)
Slide 17: Security Threats
The SNMPv3 security model is developed to protect against the following security threats:
- Modification of information: contents modified by an unauthorized user
- Masquerade: change of originating address by an unauthorized user
- Message stream modification: re-ordering, delay or replay of messages
- Disclosure: eavesdropping
The SNMPv3 security model doesn't protect against Denial of Service (DoS) and traffic analysis.
Slide 18: Security Services (figure)
Security Subsystem modules used by the Message Processing Model: Authentication Module, Privacy Module, Timeliness Module
Services: Data Integrity, Data Origin Authentication, Data Confidentiality, Message Timeliness and Limited Replay Protection
Slide 19: SNMPv3 Security
- Authentication
  - Data integrity: HMAC-MD5-96 / HMAC-SHA-96
  - Data origin authentication: append to the message a unique identifier associated with the authoritative SNMP engine
- Privacy / confidentiality: encryption
- Timeliness: authoritative engine ID, number of engine boots and time in seconds
Slide 20: Role of SNMP Engines (figure)
- Non-Authoritative Engine (NMS)
- Authoritative Engine (Agent)
Slide 21: Figure 7.12 SNMPv3 Message Format (see p. 304)
- Version
- Global/Header Data: Message ID, Message Max. Size, Message Flags, Message Security Model
- Security Parameters: Authoritative Engine ID, Authoritative Engine Boots, Authoritative Engine Time, User Name, Authentication Parameters, Privacy Parameters
- Plaintext / Encrypted scopedPDU Data: Context Engine ID, Context Name, Data
The whole message consists of the header data, the security parameters and the scopedPDU.
Slide 22: See p. 304
Slide 23: User-Based Security Model
- Based on the traditional user name concept
- Authentication service primitives: authenticateOutgoingMsg, authenticateIncomingMsg
- Privacy services: encryptData, decryptData
Slide 26: Authentication Protocols
Authentication key, derived from a password chosen by the user:
- digest0: the password repeated to a length of 2^20 octets
- digest1: H(digest0)
- digest2: H(engineID || digest1)
- AuthKey = digest2
Use HMAC-MD5-96 or HMAC-SHA-96.
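The key derivation and HMAC-96 truncation from the two slides above, as an added example (not code from the presentation). It follows RFC 3414 Appendix A.2, which the slides cite: digest1 (Ku) is the hash of the password repeated to 2^20 octets, and the localization step is written there as Kul = H(Ku || engineID || Ku) rather than the slide's shorthand H(engineID || digest1). The sample password and engine ID are RFC 3414's own test vector.

```python
import hashlib
import hmac

PASSWORD_STREAM_LEN = 1 << 20  # 2^20 = 1,048,576 octets (RFC 3414 A.2)
MAC_LEN = 12                   # "-96" means the HMAC is truncated to 96 bits


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """digest1 / Ku: hash of the password repeated to 2^20 octets."""
    if not password:
        raise ValueError("password must not be empty")
    reps = PASSWORD_STREAM_LEN // len(password) + 1
    digest0 = (password * reps)[:PASSWORD_STREAM_LEN]
    return hashlib.new(hash_name, digest0).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """digest2 / Kul: bind Ku to the authoritative snmpEngineID.

    RFC 3414 A.2 specifies Kul = H(Ku || snmpEngineID || Ku); one password
    therefore yields a different AuthKey on every agent, so a key captured
    from one engine is useless against another.
    """
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def derive_auth_key(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


def hmac_96(auth_key: bytes, whole_msg: bytes, hash_name: str = "md5") -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: full HMAC over the whole message, first 12 octets."""
    return hmac.new(auth_key, whole_msg, hash_name).digest()[:MAC_LEN]


def verify_hmac_96(auth_key: bytes, whole_msg: bytes, received: bytes,
                   hash_name: str = "md5") -> bool:
    """authenticateIncomingMsg: constant-time comparison of the received tag."""
    if len(received) != MAC_LEN:
        return False
    return hmac.compare_digest(hmac_96(auth_key, whole_msg, hash_name), received)


if __name__ == "__main__":
    # RFC 3414 A.3.1 test vector: password "maplesyrup", engineID 00..02 (12 octets)
    engine_id = bytes.fromhex("000000000000000000000002")
    key = derive_auth_key(b"maplesyrup", engine_id)
    print("Kul:", key.hex())
    tag = hmac_96(key, b"constructed sample msgAuthoritativeEngineID+scopedPDU")
    print("HMAC-MD5-96:", tag.hex(), "verifies:",
          verify_hmac_96(key, b"constructed sample msgAuthoritativeEngineID+scopedPDU", tag))
```

Running it prints the localized key from the RFC vector (526f5eed9fcce26f8964c2930787d82b) and shows that the same password localized to a different engine ID gives a different key.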