On the Impact of Security Protocols on the Performance of SNMP J. Schonwalder and V. Marinov IEEE Transactions on Network and Service Management, 2011,

1 On the Impact of Security Protocols on the Performance of SNMP. J. Schonwalder and V. Marinov, IEEE Transactions on Network and Service Management, 2011, pp. 52-64, http://dx.doi.org/10.1109/TNSM.2011.012111.00011 – Group 6: KHAN, Taimur; KONG, Jing; SHIH, Min; SUN, Mengti; YU, Chenglin

2 Summary – Question: how can SSH, TLS and DTLS be used to address the limitations of SNMPv3/USM? – Approach: answer this by analysing the impact and performance of the various options for securing SNMP

3 Outline – Background – SNMP Architecture – Message-based Security – Session-based Security – Performance Evaluation – Key Findings – Guidelines for Choosing Solutions

4 Background – SNMPv1 has no cryptographic security, and the security solution engineered for SNMPv2 was too complex – SNMPv3 introduced the User-based Security Model (USM) – SNMPv3/USM has to deploy its own user and key management infrastructure, separate from anything already in place: high cost – The SSH, TLS and DTLS transport models are introduced so that SNMP can take advantage of already deployed key management infrastructures

5 SNMP Architecture (diagram slide) – Ref. RFC 3414 (USM), RFC 3584 (CSM), RFC 5591 (TSM), RFC 5592 (SSHTM), RFC 6353 (TLSTM) – ASIs are the interfaces between subsystems

6 SNMP Architecture – SNMP engine: the Dispatcher organizes data flows; subsystems contain multiple models; Abstract Service Interfaces (ASIs) are used between the communicating subsystems – Ref. RFC 3411, RFC 5590

7 SNMP Engine Subsystems – Message Processing – Security: User-based Security Model (USM); Community-based Security Model (CSM); Transport Security Model (TSM), which interacts with the session-based transports through a cache – Access Control: View-based Access Control Model (VACM) – Transport: SSH Transport Model (SSHTM); (D)TLS Transport Model (TLSTM)

8 Message-based Security – CSM (SNMPv1, SNMPv2c): plain-text community string, which provides very little security – USM (SNMPv3): noAuthNoPriv (nn): no authentication, no encryption; authNoPriv (an): message authentication, message integrity and timeliness checking, no encryption; authPriv (ap): message authentication, message integrity and timeliness checking, plus encryption of the payload of SNMP messages
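As an added example (not code from the paper or from these slides) of what the three USM levels cost per message, the Python below implements the parts of RFC 3414 that the measurements on the following slides exercise: password-to-key stretching, localization of the key to one snmpEngineID, the 12-byte HMAC-SHA-96 msgAuthenticationParameters tag, and the 150-second timeliness window. Assumptions: the message layout is a simplified length-prefixed framing rather than SNMPv3's BER encoding; the user name, engine ID and PDU bytes are constructed (the engine ID and password are the RFC 3414 Appendix A test values); and authPriv only reserves the 8-byte msgPrivacyParameters field without encrypting the PDU, which in a real agent needs CBC-DES or AES-CFB from a crypto library. Absolute sizes are therefore illustrative, but the increments between levels come from the security parameter fields USM has to carry.

```python
"""USM (RFC 3414) authentication and timeliness, reduced to the parts that
set the per-message cost of the three security levels.

Added example, not code from the paper.  Framing is a simplified
length-prefixed layout, not SNMPv3's BER encoding; user name, engine ID and
PDU bytes are constructed; authPriv reserves the 8-byte msgPrivacyParameters
field but leaves the PDU in clear (real agents encrypt it with CBC-DES or
AES-CFB)."""
import hashlib
import hmac
import struct

AUTH_TAG_LEN = 12        # HMAC-SHA-96: HMAC-SHA1 truncated to 96 bits
PRIV_PARAM_LEN = 8       # msgPrivacyParameters (salt) carried only by authPriv
TIME_WINDOW = 150        # seconds either side of the engine clock (RFC 3414 2.2.3)
MAX_BOOTS = 2 ** 31 - 1  # an engine at this boot count never accepts messages
FIELD_AUTH = 3           # index of msgAuthenticationParameters in the field list
LEVELS = ("noAuthNoPriv", "authNoPriv", "authPriv")


def password_to_key_sha(password: bytes) -> bytes:
    """RFC 3414 A.2.2: SHA-1 over the password repeated cyclically to 1 MiB."""
    one_mib = 1 << 20
    stretched = (password * (one_mib // len(password) + 1))[:one_mib]
    return hashlib.sha1(stretched).digest()


def localize_key(ku: bytes, engine_id: bytes) -> bytes:
    """RFC 3414 2.6: Kul = SHA-1(Ku || snmpEngineID || Ku), so a key captured
    from one agent is useless against another agent."""
    return hashlib.sha1(ku + engine_id + ku).digest()


def _join(fields):
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)


def _split(wire):
    fields, i = [], 0
    while i < len(wire):
        (n,) = struct.unpack(">H", wire[i:i + 2])
        fields.append(wire[i + 2:i + 2 + n])
        i += 2 + n
    return fields


def build_message(kul, engine_id, boots, engine_time, user, level, pdu):
    """Wire bytes of one outgoing message at the given securityLevel."""
    if level not in LEVELS:
        raise ValueError(level)
    needs_auth = level != "noAuthNoPriv"
    auth = b"\x00" * AUTH_TAG_LEN if needs_auth else b""
    priv = b"\x00" * PRIV_PARAM_LEN if level == "authPriv" else b""  # real salt omitted
    fields = [engine_id, struct.pack(">II", boots, engine_time), user, auth, priv, pdu]
    if needs_auth:
        # tag is computed over the whole message with the auth field zeroed, then patched in
        tag = hmac.new(kul, _join(fields), hashlib.sha1).digest()[:AUTH_TAG_LEN]
        fields[FIELD_AUTH] = tag
    return _join(fields)


def verify_message(kul, wire):
    """Receiver side: recompute the tag over the message with the tag zeroed."""
    fields = _split(wire)
    received = fields[FIELD_AUTH]
    if len(received) != AUTH_TAG_LEN:
        return False
    fields[FIELD_AUTH] = b"\x00" * AUTH_TAG_LEN
    expected = hmac.new(kul, _join(fields), hashlib.sha1).digest()[:AUTH_TAG_LEN]
    return hmac.compare_digest(received, expected)


def boots_and_time(wire):
    return struct.unpack(">II", _split(wire)[1])


def is_timely(msg_boots, msg_time, local_boots, local_time):
    """Authoritative-engine timeliness check (RFC 3414 3.2 step 7): same boot
    count and within +/-150 s, which bounds replay to that window."""
    if msg_boots == MAX_BOOTS or msg_boots != local_boots:
        return False
    return abs(local_time - msg_time) <= TIME_WINDOW


def header_growth(kul, engine_id, user, pdu):
    """Bytes each level adds over noAuthNoPriv for the same PDU."""
    sizes = {lvl: len(build_message(kul, engine_id, 1, 0, user, lvl, pdu)) for lvl in LEVELS}
    return {lvl: sizes[lvl] - sizes["noAuthNoPriv"] for lvl in LEVELS}


if __name__ == "__main__":
    engine = bytes.fromhex("000000000000000000000002")  # RFC 3414 A.3 test engine ID
    kul = localize_key(password_to_key_sha(b"maplesyrup"), engine)
    print(header_growth(kul, engine, b"ops", b"GET sysDescr.0"))
```

The point of the exercise is the shape of the cost, not the numbers: the key derivation is done once per user and engine, while every message at an or ap pays one HMAC over its full length plus 12 bytes of tag (and 8 bytes of salt for ap), which is why the later slides find USM/ap, USM/an and USM/nn close together in latency and separated by a small, fixed amount of bandwidth.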

9 TSD for Message-based Security (diagram slide)

10 Session-based Security – Transport Security Model: negligible cost, since it only passes on security information the transport already has – SSH Transport Model: many methods for authentication – TLS Transport Model over TLS: session resumption mechanism; X.509 certificates for authentication – TLS Transport Model over DTLS (datagram transport)

11 TSD for Session-based Security (diagram slide)

12 Performance Evaluation – Session Establishment – Latency without Packet Loss – Bandwidth Usage – Latency with Packet Loss – Impact of Bulk Retrieval

13 Session Establishment (table slide): performance of a single SNMP Get request (sysDescr.0)

14 Session Establishment – TCP costs more than UDP; otherwise SNMPv1 ≈ SNMPv2c – USM costs more than CSM; however, USM/ap ≈ USM/nn – Session establishment adds significant delay, especially on the slow machine – SSH session establishment costs more than TLS/DTLS – TLS with session resumption is close to USM in bandwidth and packets exchanged

15 Latency without Packet Loss (I) (figure slide: slow machine vs fast machine) – USM/ap ≈ USM/an ≈ USM/nn: little benefit in removing auth/priv

16 Latency without Packet Loss (II) – USM/ap ≈ TSM/SSH ≈ TSM/(D)TLS: the differences between the protocols have little impact on delay if they use similar hash functions and encryption transforms

17 Latency without Packet Loss (figure slide) – For v3/USM/ap, v3/USM/nn and v2/CSM, latency over UDP ≈ latency over TCP: UDP ≈ TCP in a fast, reliable network

18 Bandwidth Usage (figure slide): USM/ap > USM/an > USM/nn > SNMPv2/TCP > SNMPv2/UDP

19 Bandwidth Usage (figure slide): TSM/TLS > TSM/SSH > USM > TSM/DTLS

20 Bandwidth Usage – USM/ap > USM/an > USM/nn > SNMPv2/TCP > SNMPv2/UDP: the USM levels differ by the security parameters they carry; TCP header > UDP header – Interestingly, the gap between USM/ap and USM/nn is about the same as the gap between SNMPv2/TCP and SNMPv2/UDP – TSM/TLS > TSM/SSH > USM > TSM/DTLS: TCP header > UDP header; TLS message encoding is less efficient than SSH's – Interestingly, TSM/SSH/TCP/ap ≈ USM/UDP/ap

21 Latency with Packet Loss – TCP's retransmission algorithm clearly outperforms the simple, non-adaptive SNMP retransmission algorithm (table: packet sizes for all security model / transport / security level combinations)

22 Impact of Bulk Retrieval (figure slide) – increasing the max-repetitions parameter r decreases the number of interactions needed and the overall latency

23 Impact of Bulk Retrieval – increasing the max-repetitions parameter r decreases the number of interactions needed and the overall latency – In the best case r reduces the number of interactions to 1/r, but latency is not reduced by the same factor: response messages get larger, and start-up costs are not affected
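The two bulk-retrieval slides above state the effect qualitatively; the Python below is an added cost model (not from the paper) that makes the reasoning concrete. It walks a table once with GetNext (one row per interaction) and once with GetBulk at max-repetitions r, charging a fixed session set-up, one RTT per interaction and serialization time for the bytes on the wire. It also caps the repetitions an agent can honour by the manager's maximum message size, since RFC 3416 allows a GetBulk response to carry fewer than r repetitions when the full response would not fit. All constants (RTT, set-up time, bandwidth, header and row sizes, maximum message size) are constructed for illustration.

```python
"""Cost model for walking a table with GetNext versus GetBulk.

Added example, not from the paper.  The constants (RTT, session set-up time,
bandwidth, header and row sizes, max message size) are constructed to show
why max-repetitions r cuts interactions by up to 1/r but latency by less."""
import math
from dataclasses import dataclass


@dataclass
class WalkCost:
    interactions: int      # request/response round trips
    bytes_on_wire: int     # headers for every interaction plus each row once
    latency_s: float       # set-up + per-interaction RTT + serialization


def repetitions_per_response(r, max_msg_bytes, header_bytes, row_bytes):
    """Rows an agent can really pack into one response.  RFC 3416 lets it
    return fewer than max-repetitions when the full response would exceed the
    manager's max message size, so the effective repetition count is capped
    (beyond the UDP payload size this is also where IP fragmentation starts)."""
    fit = (max_msg_bytes - header_bytes) // row_bytes
    return max(1, min(r, fit))


def walk_cost(rows, r, *, rtt_s, setup_s, bandwidth_bps,
              max_msg_bytes=1472, header_bytes=60, row_bytes=40):
    """Model of retrieving `rows` table rows with max-repetitions r (r=1 is GetNext)."""
    if rows < 1 or r < 1:
        raise ValueError("rows and r must be positive")
    per_response = repetitions_per_response(r, max_msg_bytes, header_bytes, row_bytes)
    interactions = math.ceil(rows / per_response)
    # every interaction carries a request header and a response header;
    # the row payload itself is transferred exactly once however it is split
    total_bytes = interactions * 2 * header_bytes + rows * row_bytes
    latency = setup_s + interactions * rtt_s + total_bytes * 8 / bandwidth_bps
    return WalkCost(interactions, total_bytes, latency)


def bulk_vs_next(rows, r, **link):
    """Return (GetNext cost, GetBulk cost, interaction ratio, latency ratio)."""
    nxt = walk_cost(rows, 1, **link)
    blk = walk_cost(rows, r, **link)
    return nxt, blk, blk.interactions / nxt.interactions, blk.latency_s / nxt.latency_s


if __name__ == "__main__":
    link = dict(rtt_s=0.010, setup_s=0.5, bandwidth_bps=1_000_000)  # constructed link
    nxt, blk, i_ratio, l_ratio = bulk_vs_next(100, 10, **link)
    print(f"GetNext:      {nxt}")
    print(f"GetBulk r=10: {blk}")
    print(f"interactions x{i_ratio:.2f}, latency x{l_ratio:.2f}")
```

With 100 rows and r = 10 the interaction count drops to exactly 1/10, but latency only drops to roughly 0.39 of the GetNext walk: the 0.5 s set-up is paid either way and the row bytes still have to cross the link. Removing the set-up term moves the latency ratio closer to 1/r without reaching it, and shrinking the maximum message size to 300 bytes caps each response at 6 rows, so 17 interactions are needed instead of 10.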

24 Key Findings – The TLS session resumption feature significantly reduces session re-establishment costs; a resumption mechanism for SSH has yet to be standardised – The difference between USM, SSH, TLS and DTLS in terms of latency is small once the session is established – The non-adaptive SNMP retransmission algorithm is outperformed by TCP's algorithms in networks with packet loss – GetBulk dramatically reduces the number of requests sent over the network, resulting in much better overall performance

25 Guidelines for Choosing Solutions (SNMPv3/TSM/SSH) – Good AAA integration – Easy derivation of securityName – Efficient message encoding – × Large session establishment overhead – × Lack of a session resumption mechanism – TCP supports large messages better than UDP – TCP retransmission algorithms work well

26 Guidelines for Choosing Solutions (SNMPv3/TSM/TLS) – Same pros and cons of using TCP as SSHTM – TLS session resumption: less session start-up overhead than SSH – × Less efficient message encoding than SSH – × Complicated derivation of securityName – × Lack of good AAA integration – × An X.509 infrastructure must be in place

27 Guidelines for Choosing Solutions (SNMPv3/TSM/DTLS) – Shares most of the pros and cons of TLSTM – Smaller framing overhead over UDP – Applications have control over retransmissions – × Application retransmission timers have to be coordinated with the DTLS retransmission timers

28 Guidelines for Choosing Solutions (SNMPv3/USM/UDP) – Separate key management infrastructure: ensures security is available regardless of the presence of other infrastructures, × but expensive to deploy – Works efficiently if interactions are sporadic – Applications have full control over retransmissions – × SNMP/UDP may suffer from IP fragmentation

29 Related work – Session resumption for the secure shell protocol, http://dx.doi.org/10.1109/INM.2009.5188805 – Thank you! Questions?

