![Page 1: SNMPv3 Yen-Cheng Chen Department of Information Management National Chi Nan University](https://reader035.vdocuments.site/reader035/viewer/2022062314/56649d9c5503460f94a84c2f/html5/thumbnails/1.jpg)
SNMPv3
Yen-Cheng Chen
Department of Information Management
National Chi Nan University
Reference: http://www.comsoc.org/livepubs/surveys/public/4q98issue/stallings.html
SNMPv3 RFCs
• RFC3410: Introduction and Applicability Statements for Internet-Standard Management Framework
• RFC3411: An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks
• RFC3412: Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)
• RFC3413: Simple Network Management Protocol (SNMP) Applications
• RFC3414: User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)
• RFC3415: View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)
• RFC3416: Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP)
• RFC3417: Transport Mappings for the Simple Network Management Protocol (SNMP)
• RFC3418: Management Information Base (MIB) for the Simple Network Management Protocol (SNMP)
SNMPv3 Architecture
SNMP entity
• Application(s): Command Generator, Notification Receiver, Proxy Forwarder, Command Responder, Notification Originator, Other
• SNMP Engine (identified by snmpEngineID): Dispatcher, Message Processing Subsystem, Security Subsystem, Access Control Subsystem
An SNMP entity is a node with an SNMP management element: either an agent, a manager, or both.
Dispatcher
• Sending and receiving SNMP messages to/from the network
• Determining the version of an SNMP message and interacting with the corresponding Message Processing Model
• Providing an abstract interface to SNMP applications for delivery of a PDU to an application.
• Providing an abstract interface for SNMP applications that allows them to send a PDU to a remote SNMP entity.
Dispatcher
Three components:
• Transport mapping delivers messages over the transport protocol
• Message Dispatcher routes messages between the network and the appropriate module of the Message Processing Subsystem
• PDU Dispatcher handles messages between the applications and the Message Processing Subsystem
Message Processing Subsystem
• Contains one or more Message Processing Models (MPMs)
• One MPM for each SNMP version; the SNMP version is identified in the message header
Security and Access Control
• Security at the message level: authentication; privacy of message via secure communication
• Flexible access control: who can access; what can be accessed; flexible MIB views
Applications
Application(s): Command Generator, Notification Receiver, Proxy Forwarder, Command Responder, Notification Originator, Other
Application Example
• Command generator: get-request
• Command responder: get-response
• Notification originator: trap generation
• Notification receiver: trap processing
• Proxy Forwarder: get-bulk to get-next (SNMP versions only)
• Other: special application
Manager
Agent
Command Generator or Notification Originator
Command Responder
Names
• Entity / Engine (snmpEngineID): associated with each SNMP entity is a unique snmpEngineID.
• Context (contextName): a context is a collection of management information accessible by an SNMP entity.
• Context engine (contextEngineID) = snmpEngineID
• Principal (securityName): the "who" on whose behalf services are provided or processing takes place. May be an individual or an application, or a group of individuals or applications.
Context Engine
contextName
contexts
Security Threats
Threats to messages exchanged between Management Entity A and Management Entity B:
• Modification of information
• Masquerade
• Message stream modification
• Disclosure
Security Threats
The SNMPv3 security model is developed to protect against the following security threats:
• Modification of information: contents modified by an unauthorized user
• Masquerade: change of originating address by an unauthorized user
• Message Stream Modification: re-ordering, delay or replay of messages
• Disclosure: eavesdropping
The SNMPv3 security model doesn't protect against Denial of Service (DoS) and Traffic Analysis.
Security Services
Security Subsystem modules (invoked by the Message Processing Model):
• Authentication Module: Data Integrity, Data Origin Authentication
• Privacy Module: Data Confidentiality
• Timeliness Module: Message Timeliness & Limited Replay Protection
SNMPv3 Security
• Authentication
• Data integrity: HMAC-MD5-96 / HMAC-SHA-96
• Data origin authentication: append to the message a unique identifier associated with the authoritative SNMP engine
• Privacy / confidentiality: encryption
• Timeliness: authoritative engine ID, number of engine boots and time in seconds
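The HMAC-96 authentication and the timeliness check described above, worked through in Python as an added example; this code is not from the slides or from any SNMP implementation. It assumes a message laid out as header | 12-octet msgAuthenticationParameters | scopedPDU with the field at a known offset, and uses a constructed 16-octet localized key. The 150-second window and the 2^31-1 engine-boots ceiling are the values RFC 3414 specifies for the authoritative engine's check.

```python
import hashlib
import hmac

MAC_LEN = 12               # HMAC-MD5-96 / HMAC-SHA-96: first 96 bits (12 octets) of the HMAC
TIME_WINDOW = 150          # seconds; RFC 3414 timeliness window around the authoritative clock
MAX_BOOTS = 2**31 - 1      # snmpEngineBoots ceiling; at this value the engine refuses all messages


def hmac96(auth_key: bytes, whole_msg: bytes, hash_name: str = "md5") -> bytes:
    """Full HMAC over the whole message, truncated to 96 bits as USM specifies."""
    return hmac.new(auth_key, whole_msg, getattr(hashlib, hash_name)).digest()[:MAC_LEN]


def authenticate_outgoing_msg(auth_key, whole_msg, auth_offset, hash_name="md5"):
    """Sender side (authenticateOutgoingMsg): msgAuthenticationParameters holds
    12 zero octets while the MAC is computed; the MAC then replaces those zeros."""
    if whole_msg[auth_offset:auth_offset + MAC_LEN] != bytes(MAC_LEN):
        raise ValueError("msgAuthenticationParameters must be zeroed before signing")
    mac = hmac96(auth_key, whole_msg, hash_name)
    return whole_msg[:auth_offset] + mac + whole_msg[auth_offset + MAC_LEN:]


def authenticate_incoming_msg(auth_key, received, auth_offset, hash_name="md5") -> bool:
    """Receiver side (authenticateIncomingMsg): take the received MAC out, zero the
    field, recompute over the rest and compare in constant time."""
    received_mac = received[auth_offset:auth_offset + MAC_LEN]
    zeroed = received[:auth_offset] + bytes(MAC_LEN) + received[auth_offset + MAC_LEN:]
    return hmac.compare_digest(received_mac, hmac96(auth_key, zeroed, hash_name))


def is_timely(local_boots, local_time, msg_boots, msg_time) -> bool:
    """Authoritative engine's check of the boots/time carried in the message:
    boots must match exactly (and not sit at the ceiling) and the time must be
    within +/-150 s of the engine's own clock; otherwise the message is discarded."""
    if local_boots >= MAX_BOOTS or msg_boots != local_boots:
        return False
    return abs(local_time - msg_time) <= TIME_WINDOW


# Constructed sample data (not real traffic): a fake 16-octet localized key and a
# message whose layout is header | 12-octet authParameters | scopedPDU.
SAMPLE_KEY = bytes(range(16))
SAMPLE_HEADER = b"\x30\x2a\x02\x01\x03" + b"usm-header-fields"
SAMPLE_PDU = b"scopedPDU:get-request sysDescr.0"
AUTH_OFFSET = len(SAMPLE_HEADER)
UNSIGNED_MSG = SAMPLE_HEADER + bytes(MAC_LEN) + SAMPLE_PDU


def demo(hash_name="md5"):
    """Sign the sample, verify it, then flip one PDU byte and verify again."""
    signed = authenticate_outgoing_msg(SAMPLE_KEY, UNSIGNED_MSG, AUTH_OFFSET, hash_name)
    ok = authenticate_incoming_msg(SAMPLE_KEY, signed, AUTH_OFFSET, hash_name)
    tampered = bytearray(signed)
    tampered[-1] ^= 0x01
    tampered_ok = authenticate_incoming_msg(SAMPLE_KEY, bytes(tampered), AUTH_OFFSET, hash_name)
    return signed, ok, tampered_ok


if __name__ == "__main__":
    signed, ok, tampered_ok = demo()
    print("MAC:", signed[AUTH_OFFSET:AUTH_OFFSET + MAC_LEN].hex(),
          "valid:", ok, "after tampering:", tampered_ok)
    print("timely:", is_timely(7, 5000, 7, 5100), is_timely(7, 5000, 7, 5200), is_timely(7, 5000, 6, 5000))
```

The MAC is computed over the whole message, so the engine ID, boots and time fields are covered by it; a replayed message fails the timeliness test even though its MAC still verifies, which is why the slides list both services separately.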
Role of SNMP Engines
• Non-Authoritative Engine (NMS)
• Authoritative Engine (Agent)
Figure 7.12 SNMPv3 Message Format
Whole Message
• Version
• Global/Header Data: Message ID, Message Max. Size, Message Flags, Message Security Model
• Security Parameters: Authoritative Engine ID, Authoritative Engine Boots, Authoritative Engine Time, User Name, Authentication Parameters, Privacy Parameters
• scopedPDU Data (plaintext or encrypted): Context Engine ID, Context Name, Data
See p. 304
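Figure 7.12 rendered as bytes: an added Python example, not from the slides or from any SNMP library, that BER-encodes the message skeleton (msgVersion, msgGlobalData, the USM msgSecurityParameters, scopedPDU) and then reads the version and msgFlags back the way the Dispatcher does before handing the message to a Message Processing Model. The engine ID, user name, message ID and PDU bytes are constructed placeholders; the msgFlags bit positions and the rule that privFlag requires authFlag come from RFC 3412, and the value 3 for the USM msgSecurityModel comes from RFC 3411.

```python
AUTH_FLAG, PRIV_FLAG, REPORTABLE_FLAG = 0x01, 0x02, 0x04   # msgFlags bits (RFC 3412)
SNMP_V3 = 3               # msgVersion for SNMPv3
USM_SECURITY_MODEL = 3    # msgSecurityModel value registered for USM (RFC 3411)


def ber_length(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_integer(value: int) -> bytes:
    nbytes = max(1, (value.bit_length() + 8) // 8)   # extra bit keeps the sign bit clear
    return b"\x02" + ber_length(nbytes) + value.to_bytes(nbytes, "big", signed=True)


def ber_octet_string(data: bytes) -> bytes:
    return b"\x04" + ber_length(len(data)) + data


def ber_sequence(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + ber_length(len(body)) + body


def build_snmpv3_message(msg_id, msg_max_size, flags, engine_id, engine_boots, engine_time,
                         user_name, auth_params, priv_params,
                         context_engine_id, context_name, pdu, encrypted=False):
    """Assemble Version | Global Data | Security Parameters | scopedPDU as BER."""
    if flags & PRIV_FLAG and not flags & AUTH_FLAG:
        raise ValueError("privFlag without authFlag is not allowed (RFC 3412)")
    if len(auth_params) not in (0, 12):
        raise ValueError("msgAuthenticationParameters is empty (noAuth) or 12 octets (HMAC-96)")
    global_data = ber_sequence(ber_integer(msg_id), ber_integer(msg_max_size),
                               ber_octet_string(bytes([flags])), ber_integer(USM_SECURITY_MODEL))
    usm = ber_sequence(ber_octet_string(engine_id), ber_integer(engine_boots), ber_integer(engine_time),
                       ber_octet_string(user_name), ber_octet_string(auth_params), ber_octet_string(priv_params))
    security_params = ber_octet_string(usm)   # msgSecurityParameters: OCTET STRING wrapping the USM SEQUENCE
    if encrypted:
        scoped = ber_octet_string(pdu)        # encryptedPDU: ciphertext carried as an OCTET STRING
    else:
        scoped = ber_sequence(ber_octet_string(context_engine_id), ber_octet_string(context_name), pdu)
    return ber_sequence(ber_integer(SNMP_V3), global_data, security_params, scoped)


def read_tlv(buf: bytes, pos: int):
    """Decode one BER tag/length/value at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_header(msg: bytes) -> dict:
    """What the Dispatcher does first: read msgVersion, then the msgGlobalData fields."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    _, version, pos = read_tlv(body, 0)
    _, global_data, _ = read_tlv(body, pos)
    fields, p = [], 0
    for _ in range(4):
        _, value, p = read_tlv(global_data, p)
        fields.append(value)
    msg_id, max_size, flags, model = fields
    flag_byte = flags[0]
    return {
        "version": int.from_bytes(version, "big", signed=True),
        "msgID": int.from_bytes(msg_id, "big", signed=True),
        "msgMaxSize": int.from_bytes(max_size, "big", signed=True),
        "authFlag": bool(flag_byte & AUTH_FLAG),
        "privFlag": bool(flag_byte & PRIV_FLAG),
        "reportableFlag": bool(flag_byte & REPORTABLE_FLAG),
        "securityModel": int.from_bytes(model, "big", signed=True),
    }


# Constructed sample: an authNoPriv request skeleton. The engine ID and user name are
# placeholders, and the PDU octets are an empty tag, not a real GetRequest-PDU.
SAMPLE_ENGINE_ID = b"\x80\x00\x00\x00\x01\x02\x03\x04"
SAMPLE_MSG = build_snmpv3_message(
    msg_id=1000, msg_max_size=65507, flags=AUTH_FLAG | REPORTABLE_FLAG,
    engine_id=SAMPLE_ENGINE_ID, engine_boots=3, engine_time=1234,
    user_name=b"monitor", auth_params=bytes(12), priv_params=b"",
    context_engine_id=SAMPLE_ENGINE_ID, context_name=b"", pdu=b"\xa0\x00")

if __name__ == "__main__":
    print(SAMPLE_MSG.hex())
    print(parse_header(SAMPLE_MSG))
```

The Dispatcher only needs the version to pick a Message Processing Model; everything after msgGlobalData is opaque to it and is interpreted by the Security Subsystem (the USM parameters) and, after decryption, by the application (the scopedPDU).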
User-Based Security Model
• Based on the traditional user name concept
• Authentication service primitives: authenticateOutgoingMsg, authenticateIncomingMsg
• Privacy service primitives: encryptData, decryptData
Figure 7.13 Privacy and Authentication Service for Outgoing Message
Security Subsystem (User-based Security Model)
• Message Processing Model -> User-based Security Model: MPM information, header data, security data, scopedPDU
• Privacy Module: scopedPDU + encryption key -> encrypted scopedPDU, privacy parameters
• Authentication Module: whole message + authentication key -> authenticated whole message
• User-based Security Model -> Message Processing Model: security parameters, (authenticated/encrypted) whole message, whole message length
Figure 7.14 Privacy and Authentication Service for Incoming Message
Security Subsystem (User-based Security Model)
• Message Processing Model -> User-based Security Model: MPM information, header data, security parameters, whole message
• Authentication Module: whole message (as received from network) + authentication key + authentication parameters -> authenticated whole message
• Privacy Module: encrypted PDU + decrypt key + privacy parameters -> decrypted scopedPDU
• User-based Security Model -> Message Processing Model: (decrypted) scopedPDU
Authentication Protocols
Authentication Key
• Derived from a password chosen by the user
• digest0: repeat the password to 2^20 (1,048,576) octets
• digest1: H(digest0)
• digest2: H(engineID || digest1)
• AuthKey = digest2
Use HMAC-MD5-96 or HMAC-SHA-96
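The password-to-key steps above, as an added Python example; this is not the slides' code and not from any SNMP implementation. It follows RFC 3414 appendix A.2 exactly: Ku is the hash of the password repeated to 2^20 octets (the slide's digest1), and the localized key is H(Ku || snmpEngineID || Ku), which the slide abbreviates as H(engineID || digest1). Following the RFC form means the appendix A.3 test vector (password "maplesyrup", engine ID 00 00 00 00 00 00 00 00 00 00 00 02) is reproduced; those two inputs come from the RFC, everything else here is constructed.

```python
import hashlib

EXPANDED_LEN = 1048576   # 2^20 octets (RFC 3414 A.2)


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """digest0/digest1 of the slide: repeat the password cyclically to 2^20 octets
    and hash the result once, giving the user key Ku. The data is fed to the hash
    in ~4 KiB chunks so the 1 MiB string is never built in memory."""
    if not password:
        raise ValueError("password must not be empty")
    h = hashlib.new(hash_name)
    chunk = password * max(1, 4096 // len(password))   # whole repetitions only
    remaining = EXPANDED_LEN
    while remaining > 0:
        piece = chunk[:remaining] if len(chunk) > remaining else chunk
        h.update(piece)
        remaining -= len(piece)
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku). Binding the key to the authoritative
    engine ID means the same password yields a different key on every agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def derive_localized_key(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Full password -> Ku -> Kul pipeline for the HMAC-MD5-96 / HMAC-SHA-96 key."""
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


# RFC 3414 appendix A.3 inputs: password "maplesyrup", 12-octet engine ID ending in 02.
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes(11) + b"\x02"

if __name__ == "__main__":
    for alg in ("md5", "sha1"):
        print(alg, "Ku  =", password_to_key(RFC_PASSWORD, alg).hex())
        print(alg, "Kul =", derive_localized_key(RFC_PASSWORD, RFC_ENGINE_ID, alg).hex())
```

Localization is one-way: an agent stores only its Kul, so recovering a key from one compromised agent does not give the key used with any other engine, while the manager, which holds Ku, can derive the key for every engine it talks to. The 1 MiB expansion is what makes each password guess cost a full-megabyte hash, the RFC's deliberate brake on offline guessing.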