on the impact of security protocols on the performance of snmp
DESCRIPTION
On the Impact of Security Protocols on the Performance of SNMP. Group 6 KHAN, Taimur KONG, Jing SHIH, Min SUN, Mengti YU, Chenglin. J. Schonwalder and V. Marinov IEEE Transactions on Network and Service Management, 2011, pp.52-64 http://dx.doi.org/10.1109/TNSM.2011.012111.00011. - PowerPoint PPT PresentationTRANSCRIPT
1
On the Impact of Security Protocols on the Performance of SNMP
J. Schonwalder and V. MarinovIEEE Transactions on Network and Service Management, 2011, pp.52-64
http://dx.doi.org/10.1109/TNSM.2011.012111.00011
24 slides
Group 6KHAN, Taimur KONG, JingSHIH, MinSUN, MengtiYU, Chenglin
Summary
2
Question: How can SSH, TLS, DTLS be used to address limitations in SNMPv3/USM?
Analyzing impact and performance between the various options to secure SNMP
Answer this question by
Outline
• Background• SNMP Architecture• Message-based Security• Session-based Security• Performance Evaluation• Key Findings• Guidelines for Choosing Solutions
3
Background
SSH, TLS, DTLS are introduced which can take advantage of already deployed key management infrastructures 4
SNMPv1 has no cryptographic security && the engineered solution on SNMPv2 is too complex
USM (User- based Security Model) on SNMPv3
SNMPv3 and USM have to deploy another user and key management infrastructure high cost
SNMP Architecture
5Ref. RFC3414(USM), 3584(CSM), 5591(TSM), 5592(SSHTM), 6353(TLSTM)
ASIs are the interfaces between subsystem
Message-based Security
• CSM (SNMPv1, SNMPv2c)– Plain-text community string which provides very little security.
• USM (SNMPv3)– noAuthNoPriv (nn)
• no authentication, no encryption – authNoPriv (an)
• message authentication, message integrity, timeliness checking• no encryption
– authPriv (ap)• message authentication, message integrity, timeliness checking• encryption of the payload of SNMP messages
6
TSD for Message-based Security
7
Session-based Security
• Transport Security Model– Negligible costs on passing existing information
• SSH Transport Model– Many methods for authentication
• TLS Transport Model for TLS– Session resumption mechanism– X.509 certificates for authentication
• TLS Transport Model for DTLS (over datagram)8
TSD for Session-based Security
9
Performance Evaluation
• Session Establishment• Latency without Packet Loss• Bandwidth Usage• Latency with Packet Loss• Impact of Bulk Retrieval
10
11
Session EstablishmentPERFORMANCE OF A SINGLE SNMPGET REQUESTS (SYSDESCR.0)
12
USM/ap ≈ USM/an ≈ USM/nnlittle benefit in removing auth/priv
Slow machine
Fast machine
13
USM/ap ≈ TSM/SSH ≈ TSM/(D)TLSdifference of protocols do not have much impact on delays if using similar hash functions and encryption transformations
Latency without Packet Loss ( II)
14
For v3/USM/ap, v3/USM/nn, v2/CSMover UDP ≈ over TCP
UDP ≈ TCP in a fast reliable network
15USM/ap > USM/an > USM/nn > SNMPv2/TCP >SNMPv2/UDP
16
TSM/TLS > TSM/SSH > USM > TSM/DTLS
Latency with Packet Loss• TCP's retransmission algorithm clearly
outperforms simple non-adaptive SNMP retransmission algorithm
17
PACKET SIZES FOR ALL SECURITY MODEL / TRANSPORT / SECURITY LEVEL COMBINATIONS
18
Impact of Bulk Retrieval
↑ max-repetitions parameter (r)↓ number of interaction needed↓ overall latency
In the best case, r reduces the number of interactions to 1/r. But not the same factor for latency
Key Findings• TLS session resumption feature significantly reduces the
session reestablishment costs.– The resumption mechanism for SSH has yet to be
standardised• The difference between USM, SSH, TLS and DTLS in terms of
latency is small after the session is established.• The non-adaptive SNMP retransmission algorithm is
outperformed by TCP algorithms in packet loss networks.• The usage of GetBulk dramatically reduces the number of
requests sent over the network, resulting in much better overall performance.
19
Guidelines for Choosing Solutions(SNMPv3/TSM/SSH)
• Good AAA Integration• Easy derivation of securityName• Efficient message encoding• × Large session establishment overhead• × Lack of session resumption mechanisms• TCP Supports large messages better than UDP• TCP retransmission algorithms work well
20
Guidelines for Choosing Solutions(SNMPv3/TSM/TLS)
• Same pros and cons of using TCP as SSHTM• TLS session resumption• Less session startup overhead than SSH• × Less efficient in message encodings than SSH• × Complicated derivation of securityName• × Lack of good AAA integration• × X.509 infrastructure must be in place
21
Guidelines for Choosing Solutions(SNMPv3/TSM/DTLS)
• Shares most of the pros and cons of TLSTM• Smaller framing overhead over UDP• Applications have control over retransmissions• Although application retransmission timers
are to be coordinated with DTLS retransmission timers
22
Guidelines for Choosing Solutions(SNMPv3/USM/UDP)
• Separate key management infrastructure– Ensures the availability of security regardless of
the presence of other infrastructures– × Expensive to deploy
• Works efficiently if interactions are sporadic• Applications have full control over
retransmissions.• SNMP/UDP may suffer from IP fragmentation
23
Related work
• Session resumption for the secure shell protocolhttp://dx.doi.org/10.1109/INM.2009.5188805
Thank you!
Question?
24