internet management protocols - snmpv3

UNIVERSITY OF TWENTEThe SimpleWeb

CopyrighThese sh

SNMPv3

OVERVIEW:

DESIGN DECISIONS

ARCHITECTURE

SNMP MESSAGE STRUCTURE

SECURE COMMUNICATION• USER SECURITY MODEL (USM)

ACCESS CONTROL• VIEW BASED ACCESS CONTROL MODEL (VACM)

RFCs

t © 2005 by Aiko Praseets may be used for educational purposes

http://www.utwente.nl

http://www.simpleweb.org/

http://www.simpleweb.org/tutorials/copyright.html

http://wwwhome.cs.utwente.nl/~pras


DESIGN DECISIONS

ADDRESS THE NEED FOR SECURY SET SUPPORT

DEFINE AN ARCHITECTURE THAT ALLOWS FOR LONGEVITY OF SNMP

ALLOW THAT DIFFERENT PORTIONS OF THE ARCHITECTUREMOVE AT DIFFERENT SPEEDS TOWARDS STANDARD STATUS

ALLOW FOR FUTURE EXTENSIONS

KEEP SNMP AS SIMPLE AS POSSIBLE

ALLOW FOR MINIMAL IMPLEMENTATIONS

SUPPORT ALSO THE MORE COMPLEX FEATURES,WHICH ARE REQUIRED IN LARGE NETWORKS

RE-USE EXISTING SPECIFICATIONS, WHENEVER POSSIBLE




SNMPv3 ARCHITECTURE

OTHERNOTIFICATIONORIGINATOR

COMMANDRESPONDER

COMMANDGENERATOR

NOTIFICATIONRECEIVER

PROXYFORWARDER

SNMP APPLICATIONS

SNMP ENGINE

MESSAGE PROCESSINGSUBSYSTEMDISPATCHER

SECURITYSUBSYSTEM

ACCESS CONTROLSUBSYSTEM

SNMP ENTITY

OTHER




SNMPv3 ARCHITECTURE: MANAGER

NOTIFICATIONRECEIVER

COMMANDGENERATOR

PDUDISPATCHER

COMMUNITY BASEDSECURITY MODEL

USER BASEDSECURITY MODEL

OTHERSECURITY MODEL

SECURITY SUBSYSTEM

SNMPv1

SNMPv2C

SNMPv3

OTHER

MESSAGE PROCESSINGSUBSYSTEM

MESSAGEDISPATCHER

TRANSPORTMAPPINGS




SNMPv3 ARCHITECTURE: AGENT

PDUDISPATCHER

COMMUNITY BASEDSECURITY MODEL

USER BASEDSECURITY MODEL

OTHERSECURITY MODEL

SECURITY SUBSYSTEM

SNMPv1

SNMPv2C

SNMPv3

OTHER

MESSAGE PROCESSINGSUBSYSTEM

MESSAGEDISPATCHER

TRANSPORTMAPPINGS

MANAGEMENT INFORMATION BASE

VIEW BASEDACCESS CONTROL

ACCESS CONTROL SUBSYSTEM

NOTIFICATIONORIGINATOR

COMMANDRESPONDER




CONCEPTS: snmpEngineID

OTHER

SNMP ENGINE

SNMP ENTITY

snmpEngineID=4

OTHER

SNMP ENGINE

SNMP ENTITY

snmpEngineID=2

OTHER

SNMP ENGINE

SNMP ENTITY

snmpEngineID=3

OTHER

SNMP ENGINE

SNMP ENTITY

snmpEngineID=1





SYNTAX DEFINED VIA TEXTUAL CONVENTION

OCTET STRING (5..32)

THE VALUE OF snmpEngineID MAY BE DETERMINED BY:• HUMAN OPERATOR

• AUTOMATIC ALGORITHM

AUTOMATIC ALGORITHM USES:• PRIVATE ENTERPRISE NUMBER

• IPv4 ADDRESS / IPv6 ADDRESS / MAC ADDRESS

TEXTUAL CONVENTION DEFINED IN SNMP FRAMEWORK MIB





THE TERM EngineID IS FREQUENTLY USED

snmpEngineID The identifier of an SNMP engine.

SnmpEngineID The textual convention.

securityEngineID Parameter of primitives in the architecture. The authoritative SNMP entity(which is the receiver of a confirmed PDU, the sender of a trap).

contextEngineID Parameter of primitives in the architecture, andParameter in messages. Identifies the engine associated with the data.

msgAuthoritativeEngineID Parameter in messages. USM security parameter.

usmUserEngineID

An object in the snmpUsmMIB.In a simple agent, this is the agent’s own snmpEngineID. It may also be the snmpEngineID of a remote SNMP engine with which this user can communi-cate.

usmStatsUnknownEngineID An object in the snmpUsmMIB.

snmpCommunityContextEngineID An object in the communityMIB.

entLogicalContextEngineID An object in the entityMIB.

snmpProxyContextEngineID An object in the proxyMIB.




CONCEPTS: Context

OTHER

COMMAND RESPONDER APPLICATION

SNMP ENGINE

SNMP ENTITY

snmpEngineID=1

contextEngineID=1The context can be reached from this engine, thus:

MIB

contextName=card1

MIB

contextName=card2




PRIMITIVES BETWEEN MODULES

DISPATCHER

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS

MESSAGEPROCESSINGSUBSYSTEM

SECURITYSUBSYSTEM DISPATCHER

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS


SECURITYSUBSYSTEM

Parameters

transportDomaintransportAddress

messageProcessingModel

securityModelsecurityName

securityLevel

contextEngineIDcontextName

pduVersion

PDU

expectResponse

maxSizeResponseScopedPDU

stateReferencestatusInformation

sendPduHandle

destTransportDomaindestTransportAddress

outgoingMessageoutgoingMessageLength

wholeMsgwholeMsgLength

pduType

viewTypevariableName

globalDatamaxMessageSize

securityEngineID

scopedPDU

securityParameterssecurityStateReference




sendPdu

DISPATCHER

ACCESSCONTROL

SUBSYSTEM



ACCESSCONTROL

SUBSYSTEM

APPLICATIONS


SECURITYSUBSYSTEM

Parameters




securityLevel


pduVersion

PDU

expectResponse



sendPduHandle




pduType



securityEngineID

scopedPDU


sendPdu

APPLICATIONS




prepareOutgoingMessage

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS



ACCESSCONTROL

SUBSYSTEM

APPLICATIONS


SECURITYSUBSYSTEM

Parameters




securityLevel


pduVersion

PDU

expectResponse



sendPduHandle




pduType



securityEngineID

scopedPDU


prepareOutgoingMessage

DISPATCHER




generateRequestMsg

DISPATCHER

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS


ACCESSCONTROL

SUBSYSTEM

APPLICATIONS


SECURITYSUBSYSTEM

Parameters




securityLevel


pduVersion

PDU

expectResponse



sendPduHandle




pduType



securityEngineID

scopedPDU


generateRequestMsg





send / receive

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS



ACCESSCONTROL

SUBSYSTEM

APPLICATIONS


SECURITYSUBSYSTEM

Parameters




securityLevel


pduVersion

PDU

expectResponse



sendPduHandle




pduType



securityEngineID

scopedPDU


send and receive

DISPATCHER




prepareDataElements

DISPATCHER

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS


SECURITYSUBSYSTEM

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS


SECURITYSUBSYSTEM

Parameters




securityLevel


pduVersion

PDU

expectResponse



sendPduHandle




pduType



securityEngineID

scopedPDU


prepareDataElements

DISPATCHER




processIncomingMsg

DISPATCHER

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS



ACCESSCONTROL

SUBSYSTEM

APPLICATIONS

SECURITYSUBSYSTEM

Parameters




securityLevel


pduVersion

PDU

expectResponse



sendPduHandle




pduType



securityEngineID

scopedPDU


processIncomingMsg





processPdu

DISPATCHER

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS


SECURITYSUBSYSTEM

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS


SECURITYSUBSYSTEM

Parameters




securityLevel


pduVersion

PDU

expectResponse



sendPduHandle




pduType



securityEngineID

scopedPDU


processPdu

DISPATCHER




isAccessAllowed

DISPATCHER

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS



ACCESSCONTROL

SUBSYSTEM


SECURITYSUBSYSTEM

Parameters




securityLevel


pduVersion

PDU

expectResponse



sendPduHandle




pduType



securityEngineID

scopedPDU


isAccessAllowed

APPLICATIONS




returnResponsePdu

DISPATCHER

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS



ACCESSCONTROL

SUBSYSTEM


SECURITYSUBSYSTEM

Parameters




securityLevel


pduVersion

PDU

expectResponse



sendPduHandle




pduType



securityEngineID

scopedPDU


returnResponsePdu

APPLICATIONS




prepareResponseMessage

DISPATCHER

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS


SECURITYSUBSYSTEM

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS


SECURITYSUBSYSTEM

Parameters




securityLevel


pduVersion

PDU

expectResponse



sendPduHandle




pduType



securityEngineID

scopedPDU


prepareResponseMessage

DISPATCHER




generateResponseMsg

DISPATCHER

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS



ACCESSCONTROL

SUBSYSTEM

APPLICATIONS

SECURITYSUBSYSTEM

Parameters




securityLevel


pduVersion

PDU

expectResponse



sendPduHandle




pduType



securityEngineID

scopedPDU


generateResponseMsg





send / receive

DISPATCHER

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS


SECURITYSUBSYSTEM

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS


SECURITYSUBSYSTEM

Parameters




securityLevel


pduVersion

PDU

expectResponse



sendPduHandle




pduType



securityEngineID

scopedPDU


send and receive

DISPATCHER




prepareDataElements

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS



ACCESSCONTROL

SUBSYSTEM

APPLICATIONS


SECURITYSUBSYSTEM

Parameters




securityLevel


pduVersion

PDU

expectResponse



sendPduHandle




pduType



securityEngineID

scopedPDU


prepareDataElements

DISPATCHER




processIncomingMsg

DISPATCHER

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS


ACCESSCONTROL

SUBSYSTEM

APPLICATIONS


SECURITYSUBSYSTEM

Parameters




securityLevel


pduVersion

PDU

expectResponse



sendPduHandle




pduType



securityEngineID

scopedPDU


processIncomingMsg





processResponsePdu

ACCESSCONTROL

SUBSYSTEM

APPLICATIONS



ACCESSCONTROL

SUBSYSTEM

APPLICATIONS


SECURITYSUBSYSTEM

Parameters




securityLevel


pduVersion

PDU

expectResponse



sendPduHandle




pduType



securityEngineID

scopedPDU


processResponsePdu

DISPATCHER




MODULES OF THE SNMPv3 ARCHITECTURE

DISPATCHER AND MESSAGE PROCESSING MODULE• RFC 3412

• SNMPv3 MESSAGE STRUCTURE• snmpMPDMIB

APPLICATIONS• RFC 3413

• snmpTargetMIB• snmpNotificationMIB

• snmpProxyMIB

SECURITY SUBSYSTEM• RFC 3414

• USER BASED SECURITY MODEL• snmpUsmMIB

ACCESS CONTROL SUBSYSTEM• RFC 3415

• VIEW BASED ACCESS CONTROL MODEL• snmpVacmMIB




SNMPv3 MESSAGE STRUCTURE

msgVersionmsgID

msgMaxSizemsgFlags

msgSecurityModel

msgSecurityParameters


PDU

USED BY MESSAGE PROCESSING SUBSYSTEM

USED BY SNMPv3 PROCESSING MODULE

USED BY SECURITY SUBSYSTEM

USED BY ACCESS CONTROL SUBSYSTEMAND APPLICATIONS




SNMPv3 PROCESSING MODULE PARAMETERS

msgVersionmsgID

msgMaxSizemsgFlags

msgSecurityModel

msgSecurityParameters


PDU

authFlagprivFlagreportableFlag

SNMPv1SNMPv2cUSM

484..2147483647

0..2147483647




SECURE COMMUNICATION VERSUS ACCESS CONTROL

MIB

MANAGER

APPLICATION PROCESSES

TRANSPORT SERVICE

MANAGER AGENT

GET / GET-NEXT / GETBULKSET / TRAP / INFORM

SECURE COMMUNICATION

ACCESS CONTROLVACM

USM




USM: SECURITY THREATS

THREAT ADDRESSED? MECHANISM

REPLAY YES TIME STAMP

MASQUERADE YES MD5 / SHA-1

INTEGRITY YES (MD5 / SHA-1)

DISCLOSURE YES DES

DENIAL OF SERVICE NO

TRAFFIC ANALYSIS NO




USM MESSAGE STRUCTURE

msgVersionmsgID

msgMaxSizemsgFlags

msgSecurityModelmsgAuthoritativeEngineID

msgAuthoritativeEngineBootsmsgAuthoritativeEngineTime

msgUserNamemsgAuthenticationParameters

msgPrivacyParameterscontextEngineID

contextName

PDU

REPLAY

MASQUERADE/INTEGRITY/DISCLOSURE

DISCLOSURE

MASQUERADE/INTEGRITY



IDEA BEHIND REPLAY PROTECTION

LOCAL NOTION OFREMOTE CLOCK

ALLOWEDLIFETIME

LOCALCLOCK

+ >?

ID BOOTS TIME DATA ID BOOTS TIME DATA

Authoritative EngineNonauthoritative Engine

ID = msgAuthoritativeEngineID

BOOTS = msgAuthoritativeEngineBoots

TIME = msgAuthoritativeEngineTime

IDEA BEHIND DATA INTEGRITY AND AUTHENTICATION

HASH FUNCTION

DATAKEY

MAC

ADD THE MESSAGE AUTHENTICATION CODE (MAC) TO THE DATAAND SEND THE RESULT

IDEA BEHIND AUTHENTICATION

HASH FUNCTION

KEY

MAC

DATAUSER MAC

DATA

HASH FUNCTION

KEY

MAC

DATAUSER MAC

DATA

=?

MAC = msgAuthenticationParameters

USER = msgUserName

IDEA BEHIND THE DATA CONFIDENTIALITY (DES)

DES ALGORITHM

DATADES-KEY

ENCRYPTED DATA

IDEA BEHIND ENCRYPTION

DES ALGORITHM

DATADES-KEY

ENCRYPTED DATA

ENCRYPTED DATAUSER

DES ALGORITHM

DATADES-KEY

ENCRYPTED DATA

ENCRYPTED DATAUSER

USER = msgUserName

VIEW BASED ACCESS CONTROL MODEL

ACCESS CONTROL TABLE

MIB VIEWS

ACCESS CONTROL TABLES

GET / GETNEXTInterface Table John, Paul Authentication

•••••• ••• •••

•••••• ••• •••

SETInterface Table John Authentication

GET / GETNEXTSystems Group George None

•••••• ••• •••

•••••• ••• •••

Encryption

MIB VIEWALLOWED

MANAGERSREQUIRED LEVEL

OF SECURITYALLOWED

OPERATIONS

MIB VIEWS

SNMPv3 RFCs

OTHER

SNMP APPLICATIONS

SNMP ENGINE

MESSAGE PROCESSINGSUBSYSTEMDISPATCHER

SECURITYSUBSYSTEM

ACCESS CONTROLSUBSYSTEM

SNMP ENTITY

RFC 3413

RFC 3411

RFC 3412 RFC 3412 USM: RFC 3414 VACM: RFC 3415

internet management protocols - snmpv3

Documents