Dive into RFC 2574
User-based Security Model (USM) for the SNMP-v3
Threats
Limited protection provided for:
• Modification of Information
• Masquerade – false pretence by an unauthorized user
• Disclosure – eavesdropping on the exchange between managed agents and the management station
• Message Stream Modification – danger of the message being re-ordered, delayed, or replayed by unauthorized management stations
Threats Cont.
No protection against:
• Denial of Service
• Traffic Analysis
Goals
• Verify that each received SNMP message has not been modified during its transmission through the network
• Verify the identity of the user on whose behalf a received SNMP message claims to have been generated
• Detect received SNMP messages, which request or contain management information, whose time of generation was not recent
• Provide, when necessary, that the contents of each received SNMP message are protected from disclosure
Constraints
• When the requirements of effective management in times of network stress are inconsistent with those of security, the design should prefer the former
• Neither the security protocol nor its underlying security mechanisms should depend upon the ready availability of other network services (e.g., Network Time Protocol (NTP) or key management protocols)
• A security mechanism should entail no changes to the basic SNMP network management philosophy
Security Services
• Data Integrity
• Data Origin Authentication
• Data Confidentiality
• Message timeliness and limited replay protection
Why Use SNMP-v3
• Authentication
  – HMAC-MD5-96 or SHA authentication
  – Password must be greater than 8 characters including spaces
• Privacy
  – Packet data may now be DES encrypted (additional encryptions)
  – CBC-DES Symmetric Encryption Protocol
  – Allows for a unique privacy password
• Inform Traps
  – Old-style trap was "throw-n-pray" over UDP
  – v2 Inform trap is over TCP and requires a response
  – Traps may also have authentication and privacy passwords
• Security Structures
  – User / Scope / ACL may each have independent AuthPriv structures
Authoritative and Non-authoritative Engines
In any message, one of the two SNMP entities (transmitter or receiver) is designated as the authoritative SNMP engine
• When a message expects a response, the receiver of the message is authoritative
• When no response is expected, the sender is authoritative
This serves two purposes:
• Timeliness of the message is determined with the clock of the authoritative engine
• Key localization process
Protocol context of SNMP
SNMPv3 Architecture
• The SNMPv3 architecture (RFC 2571) consists of a distributed collection of SNMP entities communicating together
• Each SNMP entity may act as manager, agent, or a combination
• SNMP Engine – implements functions for:
  – sending and receiving messages
  – authenticating and encrypting/decrypting messages
  – controlling access to managed objects
SNMP Engine Modules
The modular nature means that upgrades to individual modules can be made without redoing the architecture
Modules:
• Dispatcher
• Message Processing Subsystem
• Security Subsystem
• Access Control Subsystem
SNMP Manager
[Diagram: an SNMP manager entity. Applications: Notification Receiver, Command Generator. Dispatcher: PDU Dispatcher, Message Dispatcher, Transport Mappings. Message Processing Subsystem: SNMPv1, SNMPv2c, SNMPv3, other. Security Subsystem: Community-based Security Model, User-based Security Model, other security model.]
SNMP Agent
[Diagram: an SNMP agent entity. Applications: Notification Originator, Command Responder. Dispatcher: PDU Dispatcher, Message Dispatcher, Transport Mappings. Message Processing Subsystem: SNMPv1, SNMPv2c, SNMPv3, other. Security Subsystem: Community-based Security Model, User-based Security Model, other security model. Access Control Subsystem: View-based Access Control. Management Information Base.]
SNMP Engine Modules: Dispatcher
The Dispatcher is a simple traffic manager
On incoming messages:
• It accepts incoming messages from the transport layer
• Routes each message to the appropriate message processing module
• When message processing completes, the Dispatcher sends the PDU to the appropriate application
On outgoing messages:
• It accepts PDUs from the application layer
• Sends them to the message processing subsystem
• Sends them to the transport layer
SNMP Engine Modules: Dispatcher
Dispatcher submodules
• PDU Dispatcher – sends/accepts Protocol Data Units (PDUs) to/from SNMP applications
• Message Dispatcher – transmits to/from the message processing subsystem
• Transport Mapping – sends/receives transport layer packets
Message Processing Module
On outgoing PDUs
• Accepts outgoing PDUs from the dispatcher
• Passes the message to the security subsystem
• Wraps the result with the appropriate header
• Sends it back to the dispatcher
On incoming PDUs
• Accepts messages from the dispatcher
• Processes the headers
• Possibly sends them to the Security Subsystem for authentication and decryption
• Returns the enclosed PDU to the dispatcher
Security and Access Control Modules
Security modules
– User-based Security Model (USM)
– Other security models are allowed for but not yet defined
Access Control modules
– View-based Access Control Model (VACM)
– Others allowed
SNMPv3 Terminology
• snmpEngineID – unique ID of the engine (octet string)
• contextEngineID – unique ID of the SNMP entity
• contextName – identifies a particular context within an SNMP engine
• scopedPDU – block including contextEngineID, contextName and an SNMP PDU
• snmpMessageProcessingModel – unique identifier
• snmpSecurityModel – integer indicating whether authentication and/or encryption are required
• principal – the entity for "Whom the Bell Tolls"
• securityName – string representation of the principal
SNMPv3 Applications
Command generator applications
• Make use of the sendPdu primitive
• Dispatcher, then Message Processing, then Security subsystem
• Finally UDP
• Later the processResponse dispatcher primitive handles the response
Notification originator/receiver applications
• Operate similarly when sending a notification
Command responder applications use the primitives
• RegisterContextEngineID – here is my ID (unregister also)
• processPDU
• returnResponsePDU
• isAccessAllowed (Access Control Subsystem primitive)
Proxy forwarder application
Message Processing Model
RFC 2572 defines the message processing model
On outgoing messages the model
• Accepts PDUs from the dispatcher
• Encapsulates them in messages
• Invokes the User-based Security Model (USM) to insert security-related parameters in the headers
On incoming messages the model
• Invokes the User-based Security Model (USM) to process the security-related parameters in the header
• Delivers the encapsulated PDU back to the dispatcher
• SNMP message first five fields
SNMP3 Message Format with USM
USM Timeliness Mechanisms
The non-authoritative engine maintains copies of:
• snmpEngineBoots – number of times the engine has rebooted since it was originally configured, 0 to 2^31
• snmpEngineTime
• latestReceivedEngineTime
USM update conditions, USM update rule, message judged to be outside the window …
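The slide names the update rule and the window test without spelling them out. The following is an added example, not code from the presentation, implementing the timeliness rules of RFC 2574 section 3.2.7 for both roles: the authoritative engine compares against its own clock, and a non-authoritative engine compares against the estimate it keeps in its Local Configuration Datastore (LCD) and only ever moves that estimate forward. The class and function names, the `synced_at`/`now` bookkeeping used to estimate the remote clock, and the scenario values are all this example's own choices; the 150-second window and the 2^31-1 boot-counter limit are the RFC's.

```python
"""USM timeliness checks from RFC 2574 section 3.2.7 (added example).

Two roles: the authoritative engine owns the clock (snmpEngineBoots,
snmpEngineTime); a non-authoritative engine keeps an estimate of each remote
authoritative engine's clock in its Local Configuration Datastore (LCD).
"""
from dataclasses import dataclass

TIME_WINDOW = 150        # seconds either side, RFC 2574 section 2.3
MAX_BOOTS = 2 ** 31 - 1  # boot counter saturates here; the engine must then be re-keyed


@dataclass
class EngineClock:
    """msgAuthoritativeEngineBoots / msgAuthoritativeEngineTime carried in a message,
    or an engine's own snmpEngineBoots / snmpEngineTime."""
    boots: int
    time: int


@dataclass
class RemoteEngineEntry:
    """LCD record a non-authoritative engine keeps for one remote authoritative engine.
    (`synced_at` is this example's way of estimating the remote clock later on.)"""
    boots: int
    time: int                 # remote snmpEngineTime observed at local time `synced_at`
    latest_received_time: int
    synced_at: int            # local clock (seconds) when `time` was recorded

    def estimated_time(self, now: int) -> int:
        """Remote clock estimate: last observed value plus local seconds elapsed since."""
        return self.time + (now - self.synced_at)


def authoritative_in_window(local: EngineClock, msg: EngineClock) -> bool:
    """Check by the authoritative receiver (RFC 2574 3.2.7 a).

    Outside the window if the boot counters differ, the times differ by more than
    150 s in either direction, or the local boot counter has saturated.
    """
    if local.boots == MAX_BOOTS:
        return False
    if msg.boots != local.boots:
        return False
    return abs(msg.time - local.time) <= TIME_WINDOW


def update_remote_entry(entry: RemoteEngineEntry, msg: EngineClock, now: int) -> bool:
    """LCD update rule at the non-authoritative engine (RFC 2574 3.2.7 b).

    Only called for a message whose HMAC already verified. The stored clock only
    ever moves forward, so a replayed older message cannot drag it back.
    Returns True when the entry was updated.
    """
    if msg.boots > entry.boots or (
        msg.boots == entry.boots and msg.time > entry.latest_received_time
    ):
        entry.boots = msg.boots
        entry.time = msg.time
        entry.latest_received_time = msg.time
        entry.synced_at = now
        return True
    return False


def nonauthoritative_in_window(entry: RemoteEngineEntry, msg: EngineClock, now: int) -> bool:
    """Check by a non-authoritative receiver (RFC 2574 3.2.7 b).

    Outside the window if the message's boot counter is behind the stored one, the
    counters match but the time is more than 150 s behind our estimate, or the
    counter has saturated. A time ahead of the estimate is allowed: it only
    means our estimate was stale.
    """
    if msg.boots == MAX_BOOTS:
        return False
    if msg.boots < entry.boots:
        return False
    if msg.boots == entry.boots and msg.time < entry.estimated_time(now) - TIME_WINDOW:
        return False
    return True


if __name__ == "__main__":
    # Constructed scenario: a manager (non-authoritative) talks to an agent (authoritative).
    agent = EngineClock(boots=5, time=1000)
    print("fresh request accepted by agent:", authoritative_in_window(agent, EngineClock(5, 1100)))
    print("stale request rejected by agent:", authoritative_in_window(agent, EngineClock(5, 800)))

    lcd = RemoteEngineEntry(boots=5, time=1000, latest_received_time=1000, synced_at=0)
    reply = EngineClock(boots=5, time=1050)
    update_remote_entry(lcd, reply, now=60)
    print("reply accepted by manager:", nonauthoritative_in_window(lcd, reply, now=60))
    replay = EngineClock(boots=4, time=9000)  # captured before the agent's last reboot
    print("pre-reboot replay accepted:", nonauthoritative_in_window(lcd, replay, now=60))
```

The window is why the Security Services slide says "limited" replay protection: a message captured and re-sent within 150 seconds of its generation still passes the timeliness test, and only the authentication key and the boot counter prevent older traffic from being reused after a reboot.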
Key Localization Process
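This slide and the earlier "Why Use SNMP-v3" slide (HMAC-MD5-96 / SHA authentication from a user password) are covered together by the following added example, which is not code from the presentation. It implements the two-step key derivation of RFC 2574 Appendix A.2 (password expanded to one megabyte and hashed to give Ku, then localized as Kul = H(Ku || snmpEngineID || Ku)) and the 96-bit truncated HMAC of sections 6.3 and 7.3 that fills msgAuthenticationParameters. The `RFC_PASSWORD`/`RFC_ENGINE_ID` values are the published test vector from RFC 2574 Appendix A.3; the message bytes, the `mac_offset` parameter and the function names are this example's own constructions, not a real BER-encoded SNMPv3 message.

```python
"""RFC 2574 USM password-to-key, key localization and HMAC-96 authentication.

Added example: password_to_key and key localization follow RFC 2574 Appendix A.2,
the MAC construction follows sections 6.3 (HMAC-MD5-96) and 7.3 (HMAC-SHA-96).
"""
import hashlib
import hmac

EXPANSION_LENGTH = 1024 * 1024  # password stream hashed to derive Ku (A.2: 1,048,576 octets)
MAC_LENGTH = 12                 # msgAuthenticationParameters holds the first 96 bits of the HMAC


def password_to_key(password: bytes, digest: str = "md5") -> bytes:
    """Ku = H(password repeated to 1 MiB). The expansion is a modest work factor
    against offline guessing; RFC 2574 requires passwords of at least 8 characters."""
    if len(password) < 8:
        raise ValueError("USM password must be at least 8 characters")
    h = hashlib.new(digest)
    full, rem = divmod(EXPANSION_LENGTH, len(password))
    h.update(password * full)      # whole repetitions of the password ...
    h.update(password[:rem])       # ... plus the partial one that completes 1 MiB
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, digest: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku) (A.2): one password yields a different key
    per authoritative engine, so the key recovered from one agent is useless
    against any other."""
    return hashlib.new(digest, ku + engine_id + ku).digest()


def _with_mac(message: bytes, offset: int, mac: bytes) -> bytes:
    """Return the message with the 12-octet field at `offset` replaced by `mac`."""
    return message[:offset] + mac + message[offset + MAC_LENGTH:]


def compute_mac(message: bytes, mac_offset: int, kul: bytes, digest: str = "md5") -> bytes:
    """HMAC over the whole message with msgAuthenticationParameters zeroed, cut to 96 bits."""
    zeroed = _with_mac(message, mac_offset, bytes(MAC_LENGTH))
    return hmac.new(kul, zeroed, digest).digest()[:MAC_LENGTH]


def sign_message(message: bytes, mac_offset: int, kul: bytes, digest: str = "md5") -> bytes:
    """Sender side (6.3.1 / 7.3.1): insert the MAC into the serialized message."""
    return _with_mac(message, mac_offset, compute_mac(message, mac_offset, kul, digest))


def verify_message(message: bytes, mac_offset: int, kul: bytes, digest: str = "md5") -> bool:
    """Receiver side (6.3.2 / 7.3.2): recompute the MAC and compare in constant time."""
    received = message[mac_offset:mac_offset + MAC_LENGTH]
    return hmac.compare_digest(compute_mac(message, mac_offset, kul, digest), received)


# Published test vector from RFC 2574 Appendix A.3: password "maplesyrup",
# snmpEngineID of eleven zero octets followed by 0x02.
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes(11) + b"\x02"

# Constructed stand-in for a serialized SNMPv3 message: the bytes before and after
# msgAuthenticationParameters are placeholders, not real BER encoding.
DEMO_HEADER = b"<constructed msgGlobalData and USM parameters>"
DEMO_MAC_OFFSET = len(DEMO_HEADER)
DEMO_MESSAGE = DEMO_HEADER + bytes(MAC_LENGTH) + b"<constructed scopedPDU>"


def demo(digest: str = "md5") -> dict:
    """Derive keys for the RFC test vector, sign the demo message, verify it, and
    show that flipping one bit of the scopedPDU makes verification fail."""
    ku = password_to_key(RFC_PASSWORD, digest)
    kul = localize_key(ku, RFC_ENGINE_ID, digest)
    signed = sign_message(DEMO_MESSAGE, DEMO_MAC_OFFSET, kul, digest)
    tampered = signed[:-1] + bytes([signed[-1] ^ 0x01])
    return {
        "ku": ku.hex(),
        "kul": kul.hex(),
        "verified": verify_message(signed, DEMO_MAC_OFFSET, kul, digest),
        "tampered_verified": verify_message(tampered, DEMO_MAC_OFFSET, kul, digest),
    }


if __name__ == "__main__":
    for name in ("md5", "sha1"):
        print(name, demo(name))
```

Run with `python3 usm_keys.py` (file name is arbitrary): the `ku` and `kul` hex strings printed for `md5` and `sha1` match RFC 2574 Appendix A.3.1 and A.3.2. Note that the authoritative engine's snmpEngineID is the localization input, which is why the earlier slide lists key localization as one reason the protocol must designate an authoritative engine for every message.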
SNMPv3 RFCs
[Diagram: an SNMP entity (RFC 2571) containing SNMP applications (RFC 2573), other applications, and an SNMP engine with a Dispatcher and Message Processing Subsystem (RFC 2572), Security Subsystem (USM: RFC 2574) and Access Control Subsystem (VACM: RFC 2575).]
SNMP-v3 Strengths
Widespread support
– SNMP agents available for many network devices (hosts, routers, switches, bridges, modems, printers, etc.)
Flexible and extensible
– SNMP agents can be extended to cover device-specific data
– Clear mechanism for upgrading
– Additional interoperability via proxies
SNMP-v3 Weaknesses
SNMP is not really "simple"
– Complicated protocol to implement
– Complex encoding rules
SNMP is not an efficient protocol
– Bandwidth wasted with useless information
– Inefficiencies of ASN.1 with respect to compactness
SNMP is lacking in security
– Lack of privacy or strong authentication
– Offered in SNMP-v3, but SNMP-v1 is still widely used
– Limits utility for monitoring remote networks
SNMP Weaknesses Cont.
Latency can be high in SNMP
– Request-response protocol, leading to a delay between time of request and time of response
– Typically small in a LAN, but potentially a problem in a WAN
THANK YOU