SBSM BOF: Session-Based Security Model for SNMPv3
DESCRIPTION
SBSM BOF: Session-Based Security Model for SNMPv3. Wes Hardaker and David T. Perkins, November 2004 (draft-hardaker-snmp-sbsm-03.txt). Slide deck covering the SBSM protocol proposal (a "session" between two points with three phases: initialization, running, closing), the session message flow, advantages and disadvantages, and a Net-SNMP implementation report.
TRANSCRIPT
![Page 1: SBSM BOF Session-Based Security Model for SNMPv3](https://reader036.vdocument.in/reader036/viewer/2022082505/568130fc550346895d972961/html5/thumbnails/1.jpg)
ISMS BOF: SBSM
August 6, 2004 Hardaker/Perkins
SBSM BOF
Session-Based Security Model for SNMPv3
Wes Hardaker, David T. Perkins, November 2004
(draft-hardaker-snmp-sbsm-03.txt)
![Page 2: SBSM BOF Session-Based Security Model for SNMPv3](https://reader036.vdocument.in/reader036/viewer/2022082505/568130fc550346895d972961/html5/thumbnails/2.jpg)
SBSM Protocol Proposal
• Current draft:
– draft-hardaker-snmp-sbsm-03.txt
• Creates a “session” between two points
• 3 phases to the session:
– Initialization (Security setup, authentication)
– Running
– Closing
• Initialization PDUs sent are GET/REPORT PDUs, but the application never sees them.
– Similar to EngineID discovery today
![Page 3: SBSM BOF Session-Based Security Model for SNMPv3](https://reader036.vdocument.in/reader036/viewer/2022082505/568130fc550346895d972961/html5/thumbnails/3.jpg)
Session Message Flow
(Diagram: lanes for SNMP App, SBSM Initiator, SBSM Responder, SNMP App. Initialization: after the application hands an SNMP PDU to the initiator, Init 1 and Init 2 are exchanged between SBSM Initiator and SBSM Responder. Running: SNMP PDUs exchanged in both directions, traffic protected by SBSM. Closing: Close messages exchanged. Note: Other SNMPv3 components (MP, etc.) not shown but exist where expected.)
![Page 4: SBSM BOF Session-Based Security Model for SNMPv3](https://reader036.vdocument.in/reader036/viewer/2022082505/568130fc550346895d972961/html5/thumbnails/4.jpg)
SBSM Disadvantages
• Based on SNMPv3 security model parameters
![Page 5: SBSM BOF Session-Based Security Model for SNMPv3](https://reader036.vdocument.in/reader036/viewer/2022082505/568130fc550346895d972961/html5/thumbnails/5.jpg)
SBSM Advantages
• Reuses existing transports
– (UDP, TCP, IPX, AAL5, … +future)
• SNMPv3 architecture compliant
• SNMPv3 application compliant
• Reuses Existing Authentication Systems
– Local accounts, SSH, X.509, …
– No “must have” system to make it work
• Extensible Authentication Definitions
– New authentication types = 1-2 pages
![Page 6: SBSM BOF Session-Based Security Model for SNMPv3](https://reader036.vdocument.in/reader036/viewer/2022082505/568130fc550346895d972961/html5/thumbnails/6.jpg)
SBSM Advantages
• Supports compression
• Supports identity disclosure protection
• Supports true replay protection
• Reuses SNMPv3 where possible
– Same message integrity (MD5, SHA-1)
– Same encryption (DES, AES)
• Flexible enough to negotiate needs
• Rigid enough not to make negotiation a complex burden
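The session flow on the Session Message Flow slide (Init 1 / Init 2, a Running phase of protected PDUs, Close) and the replay-protection and message-integrity points on this slide, as an added Python model. This is not code from the draft or from Net-SNMP, and it does not implement the draft's wire format or the SIGMA exchange: authentication is a nonce exchange keyed by a pre-shared "local account" secret (an assumption standing in for the negotiated key exchange), the account table and PDU strings are constructed, and encryption, compression and identity disclosure protection are not modelled. What it does show is why a session gives "true" replay protection: each direction has its own key and a strictly increasing sequence number, so a replayed, reflected or tampered message is refused without any time window, and nothing verifies once the session is closed.

```python
import hashlib
import hmac
import secrets

# Constructed sample account table (assumption: "local account" auth = shared secret).
ACCOUNTS = {b"operator": b"constructed-local-account-secret"}
TAG_LEN = hashlib.sha1().digest_size  # full 20-byte HMAC-SHA1 tag, not truncated


def derive(secret, label, n_i, n_r):
    """Purpose-bound session key: HMAC-SHA1(secret, label || nonce_i || nonce_r)."""
    return hmac.new(secret, label + n_i + n_r, hashlib.sha1).digest()


class Endpoint:
    """One side of a session: INIT -> RUNNING -> CLOSED; Running-phase
    messages are refused in any other state."""
    def __init__(self, accounts=ACCOUNTS):
        self.accounts, self.state = accounts, "INIT"
        self.k_send = self.k_recv = None
        self.send_seq, self.recv_seq = 0, 0   # last emitted / highest accepted

    # Initialization phase: never seen by the SNMP application.
    def init1(self, user):
        """Initiator -> Responder: account name and a fresh nonce."""
        self.user, self.n_i = user, secrets.token_bytes(16)
        return user + b"|" + self.n_i

    def init2(self, init1):
        """Responder -> Initiator: its nonce plus a MAC proving it holds the secret."""
        user, n_i = init1.split(b"|", 1)
        secret = self.accounts[user]          # unknown account: KeyError, no session
        n_r = secrets.token_bytes(16)
        # One key per direction, so a message reflected to its sender never verifies.
        self.k_recv = derive(secret, b"i2r", n_i, n_r)
        self.k_send = derive(secret, b"r2i", n_i, n_r)
        proof = hmac.new(derive(secret, b"confirm", n_i, n_r), init1 + n_r, hashlib.sha1).digest()
        self.state = "RUNNING"
        return n_r + proof

    def finish(self, init2):
        """Initiator checks Init 2; only a valid proof moves it to Running."""
        n_r, proof = init2[:16], init2[16:]
        secret, transcript = self.accounts[self.user], self.user + b"|" + self.n_i + n_r
        expected = hmac.new(derive(secret, b"confirm", self.n_i, n_r), transcript, hashlib.sha1).digest()
        if not hmac.compare_digest(proof, expected):
            raise ValueError("Init 2 key confirmation failed")
        self.k_send = derive(secret, b"i2r", self.n_i, n_r)
        self.k_recv = derive(secret, b"r2i", self.n_i, n_r)
        self.state = "RUNNING"

    # Running phase: seq(4) || PDU || HMAC-SHA1(k_send, seq || PDU)
    def protect(self, pdu):
        if self.state != "RUNNING":
            raise RuntimeError("no running session")
        self.send_seq += 1
        body = self.send_seq.to_bytes(4, "big") + pdu
        return body + hmac.new(self.k_send, body, hashlib.sha1).digest()

    def unprotect(self, msg):
        """Verify the MAC, then require a strictly increasing sequence number:
        a replay of any earlier message fails here, with no time window involved."""
        if self.state != "RUNNING":
            raise RuntimeError("no running session")
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(self.k_recv, body, hashlib.sha1).digest()):
            raise ValueError("bad MAC")
        seq = int.from_bytes(body[:4], "big")
        if seq <= self.recv_seq:
            raise ValueError("replay: seq %d already seen" % seq)
        self.recv_seq = seq
        if body[4:] == b"CLOSE":              # Closing phase: the peer ended the session
            self.close()
        return body[4:]

    def close(self):
        """Discard the session keys; nothing protected under them verifies again."""
        self.state, self.k_send, self.k_recv = "CLOSED", None, None


def refused(endpoint, msg, exc=ValueError):
    try:
        endpoint.unprotect(msg)
        return False
    except exc:
        return True


def run_session():
    """Drive one full session and record which forged or replayed messages are refused."""
    a, b = Endpoint(), Endpoint()                       # a = initiator, b = responder
    a.finish(b.init2(a.init1(b"operator")))
    first, second = a.protect(b"GET sysDescr.0"), a.protect(b"GET sysUpTime.0")
    out = {"pdus": [b.unprotect(first), b.unprotect(second)]}
    out["replay"] = refused(b, first)                   # seq 1 was already accepted
    out["tamper"] = refused(b, second[:-1] + bytes([second[-1] ^ 1]))
    out["reflect"] = refused(b, b.protect(b"RESPONSE"))  # b's own message sent back to b
    b.unprotect(a.protect(b"CLOSE"))                    # Closing phase
    a.close()
    out["after_close"] = refused(b, second, RuntimeError)
    out["states"] = (a.state, b.state)
    return out
```

Run `run_session()` to see the full exchange; the dictionary it returns records the two PDUs the responder accepted and that the replay, the tampered tag, the reflected message and the post-close message were all refused. A real implementation would bind the confirmation MAC to a proper key agreement (the draft names SIGMA) rather than a shared account secret, and would encrypt the body with the negotiated cipher; the sequence-number and per-direction-key logic is what carries over.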
![Page 7: SBSM BOF Session-Based Security Model for SNMPv3](https://reader036.vdocument.in/reader036/viewer/2022082505/568130fc550346895d972961/html5/thumbnails/7.jpg)
SBSM Advantages
• Based on a mathematically proven cryptographic exchange protocol
– SIGMA (also used in other protocols, such as IKE)
![Page 8: SBSM BOF Session-Based Security Model for SNMPv3](https://reader036.vdocument.in/reader036/viewer/2022082505/568130fc550346895d972961/html5/thumbnails/8.jpg)
![Page 9: SBSM BOF Session-Based Security Model for SNMPv3](https://reader036.vdocument.in/reader036/viewer/2022082505/568130fc550346895d972961/html5/thumbnails/9.jpg)
SBSM Implementation Report
• Implementation completed for:
– Local account authentication
– Key negotiation
– Authentication Algorithm Negotiation
– Encryption Algorithm Negotiation
• Total time to implement in Net-SNMP:
– 19.5 Hours
![Page 10: SBSM BOF Session-Based Security Model for SNMPv3](https://reader036.vdocument.in/reader036/viewer/2022082505/568130fc550346895d972961/html5/thumbnails/10.jpg)
Questions?
Wes Hardaker, David T. Perkins, November 2004
(draft-hardaker-snmp-sbsm-03.txt)