
Page 1:

SNMPv3

Based on Behzad Akbari, Fall 2011 Network Management lectures. These slides are based in parts upon slides of Prof. Dssouli (Concordia University).

Page 2:

Key Features of SNMPv3

• Modularization of documentation and architecture: enables the use of SNMPv1 and SNMPv2 with the newly developed SNMPv3.
• SNMP engine defined
  o A model for the processing of SNMP messages.
• New security features
  o Secure information to prevent tampering of data
  o Access control to determine proper access to the MIB.

Page 3:

SNMP Architecture

• Distributed, interacting collection of SNMP entities
• An SNMP entity implements a portion of the SNMP capability:
  o It acts either as an agent or a manager, or both
  o A collection of modules interacting with each other to provide services

[Figure: an SNMP entity consists of an SNMP engine (Dispatcher, Message Processing Subsystem, Security Subsystem, Access Control Subsystem) and SNMP applications (Command Generator, Command Responder, Notification Originator, Notification Receiver, Proxy Forwarder, Other)]

Page 4:

SNMP Architecture

Advantages:
• The role of an SNMP entity is determined by the modules implemented in that entity
  o A certain set of modules is required for an agent, while a different set is required for a manager
• The security subsystem provides services such as authentication and privacy of messages
  o Multiple security models can coexist
• Access control: a set of authorization services an application can use for checking access rights

Page 5:

SNMP Architecture: Manager

[Figure: manager entity. Applications: Command Generator, Notification Receiver, Notification Originator. Dispatcher: PDU Dispatcher, Message Dispatcher, Transport Mappings. Message Processing Subsystem: SNMPv1, SNMPv2c, SNMPv3, Other. Security Subsystem: User-Based Security Model, Community-Based Security Model, Other Security Model]

Page 6:

SNMPv3 Architecture: Manager

• Command Generator Application
  o Monitors and manipulates management data at remote agents
  o Makes use of SNMPv1/v2 PDUs: Get, GetNext, GetBulk, etc.
• Notification Originator Application
  o Initiates messages, such as the InformRequest PDU
• Notification Receiver Application
  o Receives messages from other managers or agents
  o InformRequest, SNMPv1 and SNMPv2 Traps, etc.
• These applications make use of the services provided by the SNMP engine:
  o Get outgoing PDUs, process them, and generate SNMP messages for transmission over the transport layer
  o Accept incoming SNMP messages, process them, extract the PDUs, and pass them to the appropriate SNMP application

Page 7:

SNMPv3 Architecture: Manager

• Dispatcher functions:
  o Accepts PDUs from applications
  o Handles messages of multiple versions (SNMPv1, v2, v3)
  o Interfaces with application modules, the network, and the message processing models
• The PDU dispatcher handles messages between the application and the MPS (Message Processing Subsystem)

[Figure: SNMP Engine (identified by snmpEngineID): Dispatcher, Message Processing Subsystem, Security Subsystem; the Dispatcher is highlighted]

Page 8:

SNMPv3 Architecture: Manager

• Message Processing Subsystem functions:
  o Accepts outgoing PDUs from the Dispatcher, attaches the appropriate header, and returns the message to the Dispatcher
  o Accepts incoming messages, processes each message header, and returns the enclosed PDU to the Dispatcher
• Contains one or more Message Processing Models, one for each SNMP version
• The SNMP version is identified in the header

[Figure: SNMP Engine (identified by snmpEngineID): Dispatcher, Message Processing Subsystem, Security Subsystem; the Message Processing Subsystem is highlighted]

Page 9:

SNMPv3 Architecture: Manager

• The security subsystem performs authentication and encryption functions for each outgoing/incoming message
• Outgoing PDUs may be encrypted, and authentication codes generated and appended to the message header
  o The message is then returned to the MPS
• Incoming messages are passed to the security subsystem
  o Message decryption
  o Message authentication

[Figure: SNMP Engine (identified by snmpEngineID): Dispatcher, Message Processing Subsystem, Security Subsystem; the Security Subsystem is highlighted]

Page 10:

SNMPv3 Architecture: Agent

[Figure: agent entity. Applications: Command Responder, Notification Originator, Proxy Forwarder. Dispatcher: PDU Dispatcher, Message Dispatcher, Transport Mappings. Message Processing Subsystem: SNMPv1, SNMPv2c, SNMPv3, Other. Security Subsystem: User-Based Security Model, Community-Based Security Model, Other Security Model. Access Control Subsystem: View-Based Access Control. Management Information Base]

Page 11:

SNMPv3 Architecture: Agent

• Command Responder Application
  o Provides access to management data
  o Responds to incoming requests by retrieving and/or setting managed objects and issuing a Response PDU
• Notification Originator Application
  o Trap PDUs of SNMPv1, v2
• Proxy Forwarder Application
  o Forwards messages between entities
• Access Control Subsystem
  o Provides authorization services to "control access" to the MIB for reading and setting management objects
  o Who can access
  o What can be accessed

Page 12:

Terminology

• SNMP Engine ID (snmpEngineID): associated with each SNMP entity
• Principal (principal): person, group or application requesting services
• Security Name (securityName): human-readable name
• Context Engine ID (contextEngineID): each entity has a unique context ID (identical to snmpEngineID)
• Context Name (contextName): a context associated with a managed object (for access control)
  o An SNMP agent can monitor more than one network element (context)

Example:
  SNMP Engine ID: IP address
  Principal: John Smith
  Security Name: Administrator

Page 13:

snmpEngineID

[Figure: four SNMP entities, each containing an SNMP engine and other modules, labelled snmpEngineID=1, snmpEngineID=2, snmpEngineID=3 and snmpEngineID=4]

Page 14:

Abstract Service Interfaces

• An abstract service interface is a conceptual interface between modules, independent of implementation
• Defines a set of primitives
  o A primitive specifies the function to be performed (e.g., a procedural call)
• Primitives are associated with receiving entities
  o An interface defined using primitives and parameters is referred to as an "abstract service interface"
• e.g., Dispatcher primitives:
  o Handle messages to and from applications
  o Registering and un-registering of application modules
  o Transmitting to and receiving messages from the network
• IN and OUT parameters
• Status information / result

Page 15:

Dispatcher Primitives

• sendPdu
  o Used by a command generator to send an SNMP request or notification PDU to another SNMP entity
  o When the Dispatcher successfully prepares the message, a sendPduHandle (unique identifier) is returned (to track any response, if one is expected)
  o The application also provides the transport domain/address for the PDU as well as the message processing model, security model, principal, level of security, the context for this PDU, and the PDU itself

[Figure: Command Generator calls sendPdu on the Dispatcher through the abstract service interface; the Dispatcher calls prepareOutgoingMessage on the Message Processing Model through the abstract service interface; a sendPduHandle or an error indication is returned to the Command Generator]

Page 16:

Dispatcher Primitives

• processResponsePdu
  o Used by the Dispatcher to pass an incoming response PDU to an application
  o The application checks whether it matches a preceding request or notification PDU by checking the sendPduHandle: success or failure

[Figure: as on page 15 (Command Generator, Dispatcher, Message Processing Model, sendPdu, prepareOutgoingMessage, sendPduHandle/errorIndication), with processResponsePdu flowing from the Dispatcher back to the Command Generator]

Page 17:

Dispatcher Primitives

• processPdu
  o Used by the Dispatcher to pass an incoming request or notification PDU to an application (command responder)
  o Security-related information is required to generate a matching response message
  o The security subsystem (access control) will check whether access is allowed, and a response will be generated accordingly
• returnResponsePdu
  o Used by a command responder to return an SNMP response in response to an incoming request or notification

[Figure: Message Processing Model to Dispatcher to Command Responder via processPdu; Command Responder calls returnResponsePdu on the Dispatcher through the abstract service interface; the Dispatcher calls prepareResponseMessage on the Message Processing Model through the abstract service interface]

Page 18:

Message Processing Subsystem Primitives

• prepareOutgoingMessage
  o Prepares a message for an outgoing SNMP request or notification PDU
  o The IN parameter is a PDU and the OUT parameter is the message
  o Success or failure is returned

[Figure: as on page 15, with prepareOutgoingMessage highlighted between the Dispatcher and the Message Processing Model]

Page 19:

Message Processing Subsystem Primitives

• prepareResponseMessage
  o Requests the preparation of a message containing an outgoing SNMP response PDU, in response to an incoming request or notification PDU

[Figure: as on page 17, with prepareResponseMessage highlighted between the Dispatcher and the Message Processing Model]

Page 20:

Security Subsystem Primitives

• generateRequestMessage
  o Generates a "message" containing an outgoing SNMP request or notification PDU
  o Returns to the MPS a message (possibly with authentication and encryption applied) and the associated security parameters
• processIncomingMessage
  o Provides the security function for incoming messages
  o Returns success or failure indicating the result of the security check
  o If successful, a PDU is returned to the MPS
• generateResponseMessage
  o Generates a message containing an outgoing SNMP response PDU in response to an incoming request or notification
  o Returns to the MPS a message (with some authentication and encryption applied) and the associated security parameters

Page 21:

Applications

[Figure: Application(s): Command Generator, Command Responder, Notification Originator, Notification Receiver, Proxy Forwarder Subsystem, Other]

Application examples:
• Command generator: get-request
• Command responder: get-response
• Notification originator: trap generation
• Notification receiver: trap processing
• Proxy forwarder: get-bulk to get-next (SNMP versions only)
• Other: special application

Page 22:

Command Generator

[Figure: outgoing path: Command Generator calls sendPdu on the Dispatcher (a PduHandle is returned), the Dispatcher calls prepareOutgoingMessage on the Message Processing Model, which calls generateRequestMsg on the Security Model; the get-request message is sent to the network. Incoming path: the get-response message is received from the network, the Dispatcher calls prepareDataElements on the Message Processing Model, which calls processIncomingMsg on the Security Model; the Dispatcher delivers the PDU to the Command Generator via processResponsePdu]

Command Generator:
1) Examine the parameters from the received PDU and match/compare them with a cached copy (security model/level/name, contextName, etc.). If there is no match, the message is discarded.
2) Check the received PDU (check request-id, etc.)
3) If all is OK, then take action.
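The three command-generator steps above as runnable code. This is an added example, not code from the lecture slides: the cache layout, the field names (`security_model`, `request_id`, ...) and the sample exchange are assumptions chosen for illustration. It shows why the cache matters: a response that arrives under a different security name, with a different request-id, or a second time under an already consumed handle is discarded rather than acted on.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

VarBinds = Tuple[Tuple[str, object], ...]


@dataclass(frozen=True)
class RequestContext:
    """What the command generator caches when sendPdu hands back a sendPduHandle."""
    security_model: int        # e.g. 3 = User-based Security Model
    security_level: int        # 1 noAuthNoPriv, 2 authNoPriv, 3 authPriv
    security_name: str
    context_engine_id: bytes
    context_name: str
    request_id: int


@dataclass(frozen=True)
class ResponsePdu:
    """What the Dispatcher delivers through processResponsePdu."""
    send_pdu_handle: int
    security_model: int
    security_level: int
    security_name: str
    context_engine_id: bytes
    context_name: str
    request_id: int
    var_binds: VarBinds


class CommandGenerator:
    def __init__(self) -> None:
        self._outstanding: Dict[int, RequestContext] = {}
        self._next_handle = 1

    def send_pdu(self, ctx: RequestContext) -> int:
        """Stand-in for the Dispatcher's sendPdu: cache the request, return its handle."""
        handle = self._next_handle
        self._next_handle += 1
        self._outstanding[handle] = ctx
        return handle

    def process_response_pdu(self, pdu: ResponsePdu) -> Optional[VarBinds]:
        """Steps 1-3 of the slide: returns the var-binds to act on, or None if the
        response is discarded."""
        cached = self._outstanding.get(pdu.send_pdu_handle)
        if cached is None:
            return None                       # nothing outstanding under this handle
        # Step 1: the security parameters and context of the response must be the
        # ones the request was sent with; a mismatch means the reply was not produced
        # for our request, or not under the security we asked for.
        if (pdu.security_model, pdu.security_level, pdu.security_name,
                pdu.context_engine_id, pdu.context_name) != (
                cached.security_model, cached.security_level, cached.security_name,
                cached.context_engine_id, cached.context_name):
            return None
        # Step 2: the request-id must match the request we sent.
        if pdu.request_id != cached.request_id:
            return None
        # Step 3: all OK. The handle is consumed so a second copy of the same
        # response cannot be accepted later.
        del self._outstanding[pdu.send_pdu_handle]
        return pdu.var_binds


def demo() -> Tuple[Optional[VarBinds], Optional[VarBinds], Optional[VarBinds]]:
    """Constructed exchange: a response under the wrong securityName, the matching
    response, and the matching response delivered a second time."""
    cg = CommandGenerator()
    engine = b"\x80\x00\x00\x00\x01"          # constructed contextEngineID
    handle = cg.send_pdu(RequestContext(3, 3, "netops", engine, "", 42))
    good = ResponsePdu(handle, 3, 3, "netops", engine, "", 42,
                       (("1.3.6.1.2.1.1.5.0", "core-sw1"),))
    spoofed = ResponsePdu(handle, 3, 3, "someone-else", engine, "", 42,
                          (("1.3.6.1.2.1.1.5.0", "bogus"),))
    first = cg.process_response_pdu(spoofed)   # discarded in step 1
    second = cg.process_response_pdu(good)     # accepted
    third = cg.process_response_pdu(good)      # handle already consumed
    return first, second, third
```

In a real engine the cached copy is the stateReference that the scenario diagrams later carry between the Dispatcher and the Message Processing Model; here it is simply a dictionary keyed by the handle.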

Page 23:

Command Responder

[Figure 7.6: Command Responder Application. Incoming path: the get-request message is received from the network, the Dispatcher calls prepareDataElements on the Message Processing Model, which calls processIncomingMsg on the Security Model; the Dispatcher delivers the PDU to the Command Responder via processPdu (the responder has earlier called registerContextEngineID). Outgoing path: the Command Responder calls returnResponsePdu on the Dispatcher, the Dispatcher calls prepareResponseMsg on the Message Processing Model, which calls generateResponseMsg on the Security Model; the get-response message is sent to the network]

Command Responder:
1) Examines the content of the request PDU. Checks whether the object has already been registered with the responder.
2) The isAccessAllowed primitive is invoked (to determine whether the object can be accessed by the principal making the request); checks the security level.
3) If access is permitted, prepares a response.
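A simplified isAccessAllowed, the primitive invoked in step 2 above, as an added example that is not code from the slides. It follows the group, access-entry and view structure of the View-based Access Control Model shown on the agent slide, using the parameters the scenario slides list (securityModel, securityName, securityLevel, viewType, contextName, variableName), but omits the family mask and context-prefix matching of the real VACM tables; the table contents are constructed for illustration.

```python
from typing import Dict, List, Optional, Tuple

NO_AUTH_NO_PRIV, AUTH_NO_PRIV, AUTH_PRIV = 1, 2, 3

# (securityModel, securityName) -> groupName   (3 = User-based Security Model)
GROUPS: Dict[Tuple[int, str], str] = {
    (3, "monitor"): "readers",
    (3, "netops"): "operators",
}

# (groupName, contextName, securityModel, minimum securityLevel) -> (readView, writeView)
ACCESS: Dict[Tuple[str, str, int, int], Tuple[Optional[str], Optional[str]]] = {
    ("readers", "", 3, AUTH_NO_PRIV): ("system-only", None),       # read-only, no write view
    ("operators", "", 3, AUTH_PRIV): ("all-mib2", "all-mib2"),     # writes need authPriv
}

# viewName -> list of (subtree OID, included?); the longest matching subtree decides
VIEWS: Dict[str, List[Tuple[str, bool]]] = {
    "system-only": [("1.3.6.1.2.1.1", True)],
    "all-mib2": [("1.3.6.1.2.1", True), ("1.3.6.1.2.1.3", False)],  # carve out the 'at' group
}


def _oid(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.split("."))


def _in_view(view_name: str, variable_name: str) -> bool:
    """Most specific (longest) matching subtree wins; no match means not in view."""
    oid = _oid(variable_name)
    best: Optional[Tuple[int, bool]] = None
    for subtree, included in VIEWS.get(view_name, []):
        prefix = _oid(subtree)
        if oid[:len(prefix)] == prefix and (best is None or len(prefix) > best[0]):
            best = (len(prefix), included)
    return best is not None and best[1]


def is_access_allowed(security_model: int, security_name: str, security_level: int,
                      view_type: str, context_name: str, variable_name: str) -> str:
    """Returns a VACM-style status: accessAllowed, noGroupName, noAccessEntry,
    noSuchView or notInView."""
    group = GROUPS.get((security_model, security_name))
    if group is None:
        return "noGroupName"
    # The request must meet the entry's minimum securityLevel; if several entries
    # qualify, the most demanding one that is met applies.
    candidates = [(level, views) for (g, ctx, model, level), views in ACCESS.items()
                  if g == group and ctx == context_name
                  and model == security_model and level <= security_level]
    if not candidates:
        return "noAccessEntry"
    _, (read_view, write_view) = max(candidates, key=lambda c: c[0])
    view_name = read_view if view_type == "read" else write_view
    if view_name is None:
        return "noSuchView"
    return "accessAllowed" if _in_view(view_name, variable_name) else "notInView"
```

The security-level check is what the slide's "check the security level" refers to: a user whose access entry demands authPriv gets noAccessEntry for a request that arrived authNoPriv, even though the user exists and the object is in the view.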

Page 24 to Page 39:

Scenario Diagrams

[Figures: each slide shows the SNMP engine components of the requesting and responding entities (Dispatcher, Message Processing Subsystem, Security Subsystem, Access Control Subsystem, Applications) with one primitive of the get-request/get-response exchange highlighted per slide:
  Page 25: sendPdu (Applications to Dispatcher)
  Page 26: prepareOutgoingMessage (Dispatcher to Message Processing Subsystem)
  Page 27: generateRequestMsg (Message Processing Subsystem to Security Subsystem)
  Page 28: send and receive (Dispatcher, over the network)
  Page 29: prepareDataElements (Dispatcher to Message Processing Subsystem)
  Page 30: processIncomingMsg (Message Processing Subsystem to Security Subsystem)
  Page 31: processPdu (Dispatcher to Applications)
  Page 32: isAccessAllowed (Applications to Access Control Subsystem)
  Page 33: returnResponsePdu (Applications to Dispatcher)
  Page 34: prepareResponseMessage (Dispatcher to Message Processing Subsystem)
  Page 35: generateResponseMsg (Message Processing Subsystem to Security Subsystem)
  Page 36: send and receive (Dispatcher, over the network)
  Page 37: prepareDataElements (Dispatcher to Message Processing Subsystem)
  Page 38: processIncomingMsg (Message Processing Subsystem to Security Subsystem)
  Page 39: processResponsePdu (Dispatcher to Applications)]

Parameters (listed on each scenario slide): transportDomain, transportAddress, messageProcessingModel, securityModel, securityName, securityLevel, contextEngineID, contextName, pduVersion, PDU, expectResponse, maxSizeResponseScopedPDU, stateReference, statusInformation, sendPduHandle, destTransportDomain, destTransportAddress, outgoingMessage, outgoingMessageLength, wholeMsg, wholeMsgLength, pduType, viewType, variableName, globalData, maxMessageSize, securityEngineID, scopedPDU, securityParameters, securityStateReference

Page 40:

Message Format

[Figure: Whole Message = Version | Global/Header Data | Security Parameters | Plaintext/Encrypted scopedPDU Data
  Header Data = Message ID | Message Max. Size | Message Flags | Message Security Model
  Security Parameters = Authoritative Engine ID | Authoritative Engine Boots | Authoritative Engine Time | User Name | Authentication Parameters | Privacy Parameters
  scopedPDU = Context Engine ID | Context Name | Data
  Version: 1 SNMPv1, 2 SNMPv2, 3 SNMPv3
  Message Flags: reportableFlag, privFlag, authFlag]

Time synchronization between entities to avoid message replay and achieve timeliness.

Page 41:

Message Format

Field | Object name | Description
Version | msgVersion | SNMP version number of the message format
Message ID | msgID | Administrative ID associated with the message
Message Max. Size | msgMaxSize | Maximum size supported by the sender
Message flags | msgFlags | Bit fields identifying report, authentication, and privacy of the message
Message Security Model | msgSecurityModel | Security model used for the message; concurrent multiple models allowed
Security Parameters (see Table 7.8) | msgSecurityParameters | Security parameters used for communication between sending and receiving security modules
Plaintext/Encrypted scopedPDU Data | scopedPduData | Choice of plaintext or encrypted scopedPDU; scopedPDU uniquely identifies context and PDU
Context Engine ID | contextEngineID | Unique ID of a context (managed entity) with a context name realized by an SNMP entity
Context Name | contextName | Name of the context (managed entity)
PDU | data | Contains unencrypted PDU
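The message layout of the two preceding slides, built with a minimal BER encoder so the field nesting can be seen byte by byte. This is an added example, not code from the slides: only the outer wrapper is built, the PDU inside the scopedPDU is passed in already encoded, and every sample value (engine ID, user name, msgID, boots, time) is constructed. It also applies the one consistency rule a receiver must enforce on msgFlags: privacy without authentication is not a valid combination, so such a message is rejected rather than processed.

```python
from typing import Tuple

REPORTABLE, PRIV, AUTH = 0x04, 0x02, 0x01   # msgFlags bits
USM = 3                                       # msgSecurityModel value of the User-based Security Model


def _len(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_int(v: int) -> bytes:
    nbytes = max(1, (v.bit_length() + 8) // 8)          # room for the sign bit
    return b"\x02" + _len(nbytes) + v.to_bytes(nbytes, "big", signed=True)


def ber_octets(b: bytes) -> bytes:
    return b"\x04" + _len(len(b)) + b


def ber_seq(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + _len(len(body)) + body


def validate_flags(msg_flags: int) -> bool:
    """privFlag set while authFlag is clear is an invalid combination."""
    return not (msg_flags & PRIV and not msg_flags & AUTH)


def usm_security_parameters(engine_id: bytes, boots: int, time: int, user: str,
                            auth_params: bytes = b"\x00" * 12, priv_params: bytes = b"") -> bytes:
    """The six-field Security Parameters block, itself carried in an OCTET STRING."""
    return ber_octets(ber_seq(ber_octets(engine_id), ber_int(boots), ber_int(time),
                              ber_octets(user.encode()), ber_octets(auth_params),
                              ber_octets(priv_params)))


def snmpv3_message(msg_id: int, max_size: int, flags: int, sec_params: bytes,
                   context_engine_id: bytes, context_name: bytes, pdu: bytes) -> bytes:
    """Whole Message = version | header data | security parameters | plaintext scopedPDU."""
    if not validate_flags(flags):
        raise ValueError("privFlag set without authFlag")
    header = ber_seq(ber_int(msg_id), ber_int(max_size), ber_octets(bytes([flags])), ber_int(USM))
    scoped_pdu = ber_seq(ber_octets(context_engine_id), ber_octets(context_name), pdu)
    return ber_seq(ber_int(3), header, sec_params, scoped_pdu)


def ber_read(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Reads one TLV; returns (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_header(msg: bytes) -> dict:
    """Pulls msgVersion and the four header-data fields back out of a whole message."""
    _, body, _ = ber_read(msg)
    _, ver, p = ber_read(body)
    _, hdr, _ = ber_read(body, p)
    _, msg_id, q = ber_read(hdr)
    _, max_size, q = ber_read(hdr, q)
    _, flags, q = ber_read(hdr, q)
    _, model, _ = ber_read(hdr, q)
    as_int = lambda b: int.from_bytes(b, "big", signed=True)
    return {"msgVersion": as_int(ver), "msgID": as_int(msg_id), "msgMaxSize": as_int(max_size),
            "msgFlags": flags[0], "msgSecurityModel": as_int(model)}


def build_sample() -> bytes:
    """Constructed authNoPriv GetRequest wrapper; the 12 zero octets stand in for the
    authentication parameters the Authentication Module fills in afterwards."""
    engine_id = b"\x80\x00\x00\x00\x01"                      # constructed snmpEngineID
    pdu_body = ber_int(1) + ber_int(0) + ber_int(0) + ber_seq()  # request-id 1, no error, no var-binds
    get_request = b"\xa0" + _len(len(pdu_body)) + pdu_body   # GetRequest-PDU is [0] IMPLICIT
    sec = usm_security_parameters(engine_id, boots=7, time=1000, user="monitor")
    return snmpv3_message(msg_id=1001, max_size=65507, flags=REPORTABLE | AUTH, sec_params=sec,
                          context_engine_id=engine_id, context_name=b"", pdu=get_request)
```

The context engine ID appears twice on purpose: once inside the security parameters as the authoritative engine ID the security model checks, and once inside the scopedPDU as the context the access control subsystem checks; the two are equal here only because the request is addressed to the agent's own engine.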

Page 42:

See p. 304

Page 43:

Security Threats

• Modification of Information: an entity may alter in-transit SNMP messages generated on behalf of an authorized principal in such a way as to effect unauthorized management operations, including falsifying the value of an object
• Masquerade: management operations not authorized for some entity may be attempted by assuming the identity of another entity that has the appropriate authorizations

[Figure: Management Entity A and Management Entity B, with the four threats shown on the link between them: modification of information, masquerade, message stream modification, disclosure]

Page 44:

Security Threats

• Message Stream Modification: SNMP is typically based upon a connectionless transport service. Messages may be maliciously re-ordered, delayed or replayed, in order to effect unauthorized management operations.
  o For example, a message to reboot a system could be copied and replayed later
• Disclosure: eavesdropping or intercepting on the exchanges between SNMP engines

[Figure: as on page 43]

Page 45:

Security Threats

SNMPv3 is not intended to secure against these two threats:
• Denial of Service: an attacker may prevent exchanges between manager and agent
  o DoS is indistinguishable from network element failures
  o DoS may disrupt all services (not just those pertaining to NM)
• Traffic Analysis: an attacker may observe the general pattern of traffic between managers and agents

[Figure: as on page 43]

Page 46:

Security Model Goals

• Data Integrity (Authentication)
• Authentication
• Message redirection/re-ordering/delay/replay
• Data encryption/decryption

Page 47:

Security Model

• The Security Model authenticates and forwards incoming and outgoing messages to the MPM (Message Processing Model)
• 3 different modules
  o Authentication module
  o Privacy module
  o Timeliness module

[Figure: Security Subsystem. The Message Processing Model uses the Authentication Module (data integrity, data origin authentication), the Privacy Module (data confidentiality) and the Timeliness Module (message timeliness and limited replay protection)]

Page 48:

Authentication Module

• Data integrity
  o Message authentication at the sender and validation at the receiver
  o Ensures that a message is not modified by an unauthorized intruder
  o Authentication protocols: HMAC-MD5-96 / HMAC-SHA-96
• Data origin authentication
  o Checks the identity of the user on whose behalf a message is sent
  o Appends to the message a unique identifier associated with the authoritative SNMP engine

[Figure: as on page 47, with the Authentication Module highlighted]
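HMAC-MD5-96 and HMAC-SHA-96 as the Authentication Module applies them, as an added example that is not code from the slides. The sender writes 12 zero octets into the msgAuthenticationParameters field, computes the HMAC over the whole message, keeps the first 96 bits and writes them into the field; the receiver repeats the computation over the message with the field zeroed again and compares in constant time. The key is taken as the ready-to-use authKey of the protocol's length (the password-to-key derivation and key localization of USM are not shown), and the message bytes, field offset and key in the sample are constructed.

```python
import hashlib
import hmac
from typing import Tuple

MAC_LEN = 12                                               # 96 bits
PROTOCOLS = {"HMAC-MD5-96": (hashlib.md5, 16), "HMAC-SHA-96": (hashlib.sha1, 20)}


def _mac(key: bytes, whole_msg: bytes, offset: int, proto: str) -> bytes:
    """HMAC over the message with the 12-octet field at `offset` zeroed, truncated to 96 bits."""
    digestmod, key_len = PROTOCOLS[proto]
    if len(key) != key_len:
        raise ValueError(f"{proto} expects a {key_len}-octet authKey")
    if offset < 0 or offset + MAC_LEN > len(whole_msg):
        raise ValueError("msgAuthenticationParameters field lies outside the message")
    zeroed = whole_msg[:offset] + b"\x00" * MAC_LEN + whole_msg[offset + MAC_LEN:]
    return hmac.new(key, zeroed, digestmod).digest()[:MAC_LEN]


def authenticate_outgoing(whole_msg: bytes, offset: int, key: bytes, proto: str) -> bytes:
    """Sender side: returns the message with the authentication parameters filled in."""
    mac = _mac(key, whole_msg, offset, proto)
    return whole_msg[:offset] + mac + whole_msg[offset + MAC_LEN:]


def authenticate_incoming(whole_msg: bytes, offset: int, key: bytes, proto: str) -> bool:
    """Receiver side: True only if the received field equals the recomputed MAC.
    compare_digest keeps the comparison time independent of where the bytes differ."""
    received = whole_msg[offset:offset + MAC_LEN]
    return hmac.compare_digest(received, _mac(key, whole_msg, offset, proto))


def demo(proto: str = "HMAC-SHA-96") -> Tuple[bool, bool]:
    """Constructed message: bytes before the field, the zeroed field, the scopedPDU after it.
    Returns (genuine message verifies, message with one flipped bit verifies)."""
    key = bytes(range(PROTOCOLS[proto][1]))                 # constructed authKey, never reuse
    before = b"\x30\x40\x02\x01\x03<header+security params up to the field>"   # constructed
    after = b"<remaining security params><scopedPDU>"                          # constructed
    offset = len(before)
    unsigned = before + b"\x00" * MAC_LEN + after
    signed = authenticate_outgoing(unsigned, offset, key, proto)
    genuine_ok = authenticate_incoming(signed, offset, key, proto)
    tampered = signed[:-1] + bytes([signed[-1] ^ 0x01])   # flip one bit of the scopedPDU
    tampered_ok = authenticate_incoming(tampered, offset, key, proto)
    return genuine_ok, tampered_ok
```

Because the MAC covers the whole message, including the engine ID, boots and time in the security parameters, the same check also binds the message to the authoritative engine named on the slide; a receiver that counts these failures (USM keeps them in usmStatsWrongDigests) gets a direct signal of tampering or of a mismatched key.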

Page 49:

Privacy Module

• Data confidentiality ensures that data is not made available to unauthorized users or entities
• Encryption is applied at the sender and decryption at the receiver (CBC-DES)

[Figure: as on page 47, with the Privacy Module highlighted]

Page 50:

Timeliness Module

• Prevents message redirection, delay and replay
• Configure a receiver window for accepting messages (e.g., 150 s for SNMPv3)
• Three objects: snmpEngineID, snmpEngineBoots, snmpEngineTime

[Figure: as on page 47, with the Timeliness Module highlighted]
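The timeliness check with the three objects and the 150 s window from the slide, as an added example that is not code from the slides. It models both sides of the User-based Security Model's rule: the authoritative engine (normally the agent) accepts a message only if it names its engine ID, carries its current boot count and a time within the window; the non-authoritative side keeps its own notion of the remote clock, moves it forward only on authenticated messages, and rejects responses from before a reboot or older than the window. The engine ID and the boots/time values are constructed. The check belongs after authentication in the order the slides give (authentication module, then timeliness): an unauthenticated message must never be allowed to adjust the receiver's notion of the sender's clock.

```python
from dataclasses import dataclass
from typing import Tuple

TIME_WINDOW = 150            # seconds, the receiver window on the slide
MAX_BOOTS = 2147483647       # 2^31 - 1: once latched, no message is timely until the engine is re-keyed


@dataclass
class AuthoritativeEngine:
    """The engine whose snmpEngineID, snmpEngineBoots and snmpEngineTime the message must carry."""
    engine_id: bytes
    boots: int
    time: int                 # seconds since this engine last (re)booted

    def in_time_window(self, msg_engine_id: bytes, msg_boots: int, msg_time: int) -> Tuple[bool, str]:
        """msg_* are the values from the message's security parameters. Returns (accepted, reason)."""
        if msg_engine_id != self.engine_id:
            return False, "unknownEngineID"
        if self.boots == MAX_BOOTS:
            return False, "notInTimeWindow"      # boot counter latched
        if msg_boots != self.boots:
            return False, "notInTimeWindow"      # stale boot count: a replay from before a reboot
        if abs(self.time - msg_time) > TIME_WINDOW:
            return False, "notInTimeWindow"      # delayed or replayed beyond the window
        return True, "ok"


@dataclass
class RemoteEngineClock:
    """A non-authoritative engine's notion of one remote authoritative engine's clock."""
    boots: int = 0
    time: int = 0             # also the latest received time, since this model does not tick

    def update(self, msg_boots: int, msg_time: int) -> None:
        """Called only for authenticated messages; the notion only ever moves forward."""
        if msg_boots > self.boots or (msg_boots == self.boots and msg_time > self.time):
            self.boots, self.time = msg_boots, msg_time

    def in_time_window(self, msg_boots: int, msg_time: int) -> bool:
        """A response is timely unless it predates a known reboot or is more than
        TIME_WINDOW seconds older than the latest time seen from that engine."""
        if self.boots == MAX_BOOTS or msg_boots < self.boots:
            return False
        return not (msg_boots == self.boots and msg_time < self.time - TIME_WINDOW)


def demo() -> Tuple[bool, bool, bool]:
    """Constructed values: the agent is on boot 7 at 1000 s. A fresh request, the same
    request replayed 151 s later, and a request captured before the last reboot."""
    agent = AuthoritativeEngine(b"\x80\x00\x00\x00\x01", boots=7, time=1000)
    fresh = agent.in_time_window(agent.engine_id, 7, 990)[0]
    agent.time = 1141                                  # clock moved on; replay of the same values
    replayed = agent.in_time_window(agent.engine_id, 7, 990)[0]
    old_boot = agent.in_time_window(agent.engine_id, 6, 1141)[0]
    return fresh, replayed, old_boot
```

The window is why a manager first learns the agent's boots and time through a discovery exchange before sending authenticated requests; a request carrying stale values is answered with a report rather than executed, which is also what makes the slide's reboot-replay example fail.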