
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt

External User Security Model (EUSM) for SNMPv3, draft-kaushik-snmp-external-usm-00.txt. August 2004. Presentation on deployment issues with SNMPv3: SNMPv3 does not integrate well with the administrative security schemes defined for existing management interfaces such as device command-line interfaces, and EUSM proposes obtaining SNMPv3 keying material from an external AAA server instead.


Presentation Transcript


  1. External User Security Model (EUSM) for SNMPv3, draft-kaushik-snmp-external-usm-00.txt. August 2004.

  2. Deployment issues with SNMPv3
  • SNMPv3 does not integrate well with the administrative security schemes defined for existing management interfaces such as the device command-line interfaces.
  • A unified identity is key: there cannot be separate user islands for the CLI and for SNMP.
  • The SNMPv3 standard does not address the management and distribution of SNMP keying material.
  • Users and user keys must be configured on a per-agent basis, which does not scale; these are the same issues as local Telnet passwords.

  3. Design Considerations
  • The requirements for a Security Model for SNMPv3:
      - To integrate SNMPv3 authentication with an external AAA server, unifying the approach to administrative security for SNMPv3 and the CLI.
      - To use strong authentication and key exchange, eliminating the need for long-term secrets to protect SNMPv3 packets.
      - To minimize the number of changes, preferably none, to the SNMPv3 packet format, given the current status of the SNMPv3 standard.
  • The Security Model MUST:
      - extend the capability of the AAA server to provide authentication, privacy and integrity protection for SNMPv3 agents.
      - support a variety of client authentication mechanisms, including passwords, tokens and certificates.
      - optimize the key management scheme to scale to large numbers of agents.
      - ensure that a separate AAA request is not generated for every SNMP request.
      - be generic, applying to existing and future AAA protocols.

  4. EUSM Overview (message flow diagram between SNMP Manager, AAA Server and SNMPv3 Agent)
  • SNMP Manager <-> AAA Server: EAP exchange. Establish security context and master session key.
  • SNMPv3 Agent -> AAA Server: AAA Request. Get SNMPv3 session keys; pass the UserName and IP address of the Manager to index the security context.
  • AAA Server -> SNMPv3 Agent: AAA Response. Return SNMPv3 session keys, i.e. the SNMPv3 localized auth. and priv. keys derived from the master session key for this particular security context; return the cache lifetime; return the user group.
  • SNMP Manager -> SNMPv3 Agent: SNMPv3 packet.

  5. EUSM Overview
  • Definition of the External User Security Model (EUSM) for SNMPv3, a new security model for SNMPv3. EUSM uses AAA protocols to obtain keying material for the user from the AAA server, achieving the security goals defined for USM.
  • A security context is set up between the SNMPv3 Manager and the AAA server using EAP. PEAP is the recommended EAP method.
  • The security context establishment authenticates the peers and sets up master session keys at the SNMPv3 Manager and the AAA server.
  • The master session keys are localized to generate per-agent SNMPv3 authentication and privacy keys.
  • SNMPv3 Agents request keys from the AAA server using RADIUS (or TACACS+), based on network element configuration.
  • Keys distributed by the AAA server to the agents are cached at the agent for short durations; this avoids an external AAA call for every SNMPv3 operation.

  6. EUSM with EAP between Manager and AAA Server (flow diagram)
  • SNMP Manager <-> AAA Server: EAP exchange. Establish security context.
  • SNMPv3 Agent <-> AAA Server: AAA protocol. Acquire localized session keys.
  • SNMP Manager -> SNMPv3 Agent: SNMPv3 packet. Network management operation.

  7. EUSM with EAP in the 802.1x-like model (flow diagram)
  • SNMP Manager <-> SNMPv3 Agent: EAP exchange. Establish security context.
  • SNMPv3 Agent <-> AAA Server: AAA protocol carrying the EAP exchange {EAP exchange: establish security context}.
  • SNMPv3 Agent <-> AAA Server: AAA protocol. Acquire localized session keys.
  • SNMP Manager -> SNMPv3 Agent: SNMPv3 packet. Network management operation.

  8. SNMPv3 Trap and Inform Processing
  • SNMPv3 EUSM Trap processing uses the same flow as specified for SNMPv3 request processing.
  • The SNMPv3 Manager is responsible for setting up the master session key at the AAA server.
  • The authoritative engine is the SNMPv3 agent. The SNMPv3 agent requests session keys from the AAA server to protect SNMPv3 traps.
  • SNMPv3 EUSM Inform processing uses the same flow as specified for SNMPv3 request processing, except that the roles of the SNMPv3 manager and agent are reversed.
  • The SNMPv3 Agent is responsible for setting up the master session key at the AAA server.
  • The agent generates session keys from the master session key based on the engine ID of the Inform recipient, i.e. the SNMPv3 Manager.
  • The authoritative engine is the SNMPv3 manager. The SNMPv3 manager requests session keys from the AAA server.
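The per-engine key localization that slides 5 and 8 describe, as an added example; this is not text from the draft nor code from any vendor implementation. The slides do not say how the master session key is localized, so the example assumes the RFC 3414 key-localization construction Kul = SHA1(Ku || snmpEngineID || Ku) applied to the EAP master session key, with the auth key localized from the first 20 bytes of the MSK and the priv key from the next 20 so the two do not share input material, HMAC-SHA-96 as the authentication protocol, and a 16-byte privacy key. The engine IDs, MSK and message bytes are constructed sample values. The function names are this example's own.

```python
import hashlib
import hmac
import os
from typing import Optional

AUTH_KEY_LEN = 20   # SHA-1 digest length (usmHMACSHAAuthProtocol, RFC 3414)
PRIV_KEY_LEN = 16   # assumed: 128-bit privacy key, not specified on the slides


def localize(ku: bytes, engine_id: bytes) -> bytes:
    """RFC 3414 section 2.6 key localization: Kul = SHA1(Ku || snmpEngineID || Ku)."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("snmpEngineID must be 5..32 octets (RFC 3411)")
    return hashlib.sha1(ku + engine_id + ku).digest()


def session_keys(msk: bytes, authoritative_engine_id: bytes) -> dict:
    """Derive the localized auth and priv keys for one engine from the master session key.

    Assumption (not on the slides): the MSK is split so auth and priv keys do not
    share key material; each half is then localized exactly as a USM Ku would be.
    """
    if len(msk) < 2 * AUTH_KEY_LEN:
        raise ValueError("MSK must supply at least 40 bytes of key material")
    auth_ku = msk[:AUTH_KEY_LEN]
    priv_ku = msk[AUTH_KEY_LEN:2 * AUTH_KEY_LEN]
    return {
        "auth": localize(auth_ku, authoritative_engine_id),
        "priv": localize(priv_ku, authoritative_engine_id)[:PRIV_KEY_LEN],
    }


def authoritative_engine_id(pdu_type: str, agent_engine_id: bytes, manager_engine_id: bytes) -> bytes:
    """Slide 8: the agent is authoritative for requests and traps, the manager for informs.

    This is the RFC 3414 section 1.5.1 rule: the receiver is authoritative for PDUs that
    expect a response (Get/GetNext/GetBulk/Set/Inform), the sender for those that do not
    (Trap). Keys are therefore localized with the authoritative engine's ID.
    """
    if pdu_type in ("get", "getnext", "getbulk", "set", "trap"):
        return agent_engine_id
    if pdu_type == "inform":
        return manager_engine_id
    raise ValueError(f"unknown PDU type {pdu_type!r}")


def hmac_sha_96(auth_key: bytes, wire_msg: bytes) -> bytes:
    """usmHMACSHAAuthProtocol: HMAC-SHA-1 over wholeMsg, truncated to 12 octets (RFC 3414 6.3)."""
    return hmac.new(auth_key, wire_msg, hashlib.sha1).digest()[:12]


def rfc3414_vector_ok() -> bool:
    """Check localize() against the SHA test vector in RFC 3414 appendix A.3.2."""
    ku = bytes.fromhex("9fb5cc0381497b3793528939ff788d5d79145211")
    engine_id = bytes.fromhex("000000000000000000000002")
    expected = bytes.fromhex("6695febc9288e36282235fc7151f128497b38f3f")
    return localize(ku, engine_id) == expected


# Constructed sample engine IDs (RFC 3411 format 3, MAC-based); not real devices.
AGENT_A = bytes.fromhex("800000090300000c29aabb")
AGENT_B = bytes.fromhex("800000090300000c29ddee")
MANAGER = bytes.fromhex("8000000903001122334455")


def demo(msk: Optional[bytes] = None) -> dict:
    """Show that (1) manager and AAA server derive identical per-agent keys from one MSK,
    (2) keys for different engines differ, so a tag valid at agent A fails at agent B,
    and (3) inform keys are bound to the manager's engine ID, per slide 8."""
    msk = msk or os.urandom(64)                     # 64-byte MSK as an EAP method exports it
    wire_msg = b"\x30\x82\x00\x10\x02\x01\x03"      # constructed stand-in for wholeMsg bytes
    keys_a = session_keys(msk, authoritative_engine_id("get", AGENT_A, MANAGER))
    keys_b = session_keys(msk, authoritative_engine_id("get", AGENT_B, MANAGER))
    keys_inform = session_keys(msk, authoritative_engine_id("inform", AGENT_A, MANAGER))
    tag_a = hmac_sha_96(keys_a["auth"], wire_msg)
    tag_b = hmac_sha_96(keys_b["auth"], wire_msg)
    return {
        "same_engine_same_key": session_keys(msk, AGENT_A) == keys_a,
        "per_engine_keys_differ": keys_a != keys_b,
        "tag_a_rejected_at_b": not hmac.compare_digest(tag_a, tag_b),
        "inform_key_bound_to_manager": keys_inform == session_keys(msk, MANAGER),
    }


if __name__ == "__main__":
    print("RFC 3414 A.3.2 vector:", rfc3414_vector_ok())
    print(demo())
```

The point of the per-engine step is the one slide 3 asks for: the agent never holds a long-term user secret, only a key that is useless at any other engine and that the AAA server can stop issuing at any time.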

  9. EUSM Inform Processing (flow diagram)
  • SNMPv3 Agent <-> AAA Server: EAP exchange. Establish security context.
  • SNMP Manager <-> AAA Server: AAA protocol. Acquire localized session keys.
  • SNMPv3 Agent -> SNMP Manager: SNMPv3 Inform.

  10. EUSM with RADIUS for Key Distribution (flow diagram)
  • SNMP Manager <-> RADIUS Server: PEAP exchange carried in RADIUS Access_Request / Access_Accept.
  • SNMPv3 Agent -> RADIUS Server: RADIUS (Key_Request) with attributes Key (App ID), Calling-Station-ID, UserName.
  • RADIUS Server -> SNMPv3 Agent: RADIUS (Key_Response) with attributes Key (Key, IV, Key ID, Lifetime, App ID, KEK ID), SNMP-Protection-Type, SNMP-Group-Name.
  • SNMP Manager -> SNMPv3 Agent: SNMPv3 packet.

  11. Key Caching
  • Session keys are cached at the SNMPv3 agent, typically for 90-180 seconds.
  • The common pattern of manager-agent interaction is bursts lasting less than 90 seconds.
  • The master session key is cached for 8-10 hours.
  • The residual timer on the master session key is used to address cache synchronization issues.
  • Key durations are configurable on the AAA server.
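The caching rules on slide 11, as an added simulation; this is not text from the draft nor code from any vendor implementation. It assumes what the slides leave open: that the Lifetime attribute in the RADIUS Key_Response (slide 10) is the residual lifetime of the master session key, and that the agent caches session keys for min(configured session cache lifetime, residual MSK lifetime), which is how the residual timer keeps the agent's cache and the AAA server's context from disagreeing about whether a key is still valid. Time is passed in explicitly so the timeline is deterministic; the MSK, engine ID, user name and address are constructed sample values, and the per-agent key derivation is a stand-in hash rather than the draft's derivation. Class and function names are this example's own.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

SESSION_CACHE_SECONDS = 120       # slide 11: session keys cached 90-180 s; set on the AAA server
MSK_LIFETIME_SECONDS = 8 * 3600   # slide 11: master session key cached 8-10 hours


@dataclass
class SecurityContext:
    """State the AAA server keeps after the EAP/PEAP exchange with a manager (slide 4)."""
    user: str
    manager_ip: str          # Calling-Station-ID in the Key_Request; indexes the context
    msk: bytes
    established_at: float
    group: str               # returned as SNMP-Group-Name


class AaaServer:
    def __init__(self) -> None:
        self.contexts: dict = {}

    def establish_context(self, user: str, manager_ip: str, msk: bytes, group: str, now: float) -> None:
        """Outcome of the EAP exchange with the manager (the exchange itself is not modelled)."""
        self.contexts[(user, manager_ip)] = SecurityContext(user, manager_ip, msk, now, group)

    def key_request(self, user: str, manager_ip: str, agent_engine_id: bytes, now: float) -> Optional[dict]:
        """RADIUS Key_Request -> Key_Response (slide 10). None stands for Access-Reject."""
        ctx = self.contexts.get((user, manager_ip))
        if ctx is None:
            return None
        residual = ctx.established_at + MSK_LIFETIME_SECONDS - now
        if residual <= 0:
            del self.contexts[(user, manager_ip)]   # MSK expired: the manager must re-run EAP
            return None
        # Stand-in for per-agent localization of the MSK (assumption, not the draft's derivation).
        key = hashlib.sha256(ctx.msk + agent_engine_id).digest()
        return {
            "key": key,
            "lifetime": min(SESSION_CACHE_SECONDS, residual),  # clamp to the residual timer (assumption)
            "group": ctx.group,
        }


@dataclass
class CacheEntry:
    key: bytes
    group: str
    expires_at: float


class Agent:
    def __init__(self, engine_id: bytes, aaa: AaaServer) -> None:
        self.engine_id = engine_id
        self.aaa = aaa
        self.cache: dict = {}
        self.aaa_calls = 0

    def keys_for(self, user: str, manager_ip: str, now: float) -> tuple:
        """Return (key, group, source); source is 'cache', 'aaa' or 'rejected'."""
        entry = self.cache.get((user, manager_ip))
        if entry is not None and now < entry.expires_at:
            return entry.key, entry.group, "cache"
        self.aaa_calls += 1                          # one AAA call per burst, not per request
        resp = self.aaa.key_request(user, manager_ip, self.engine_id, now)
        if resp is None:
            self.cache.pop((user, manager_ip), None)  # never keep serving keys the server retired
            return None, None, "rejected"
        self.cache[(user, manager_ip)] = CacheEntry(resp["key"], resp["group"], now + resp["lifetime"])
        return resp["key"], resp["group"], "aaa"


def simulate() -> dict:
    """Replay one manager's session against an agent and record where each lookup was served from."""
    aaa = AaaServer()
    agent = Agent(bytes.fromhex("8000000903000000000001"), aaa)   # constructed engine ID
    aaa.establish_context("netops", "192.0.2.10", b"\x42" * 64, "ReadWrite", now=0)
    timeline = [1, 60, 121, 28750, 28790, 28800]    # seconds since the EAP exchange (constructed)
    sources = [agent.keys_for("netops", "192.0.2.10", t)[2] for t in timeline]
    return {"sources": sources, "aaa_calls": agent.aaa_calls}


if __name__ == "__main__":
    print(simulate())
```

Two things to read off the timeline: a burst of requests inside the cache window costs one AAA round trip, and the last fetch before MSK expiry is issued with a 50-second lifetime so the agent's copy dies exactly when the server's context does. The same cache window is also the longest a user whose context the AAA server has already dropped can keep operating at an agent, which is a reason to keep it at the burst length the slide suggests rather than stretching it.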

  12. Implementation Status
  • We wanted to provide the BOF with feedback from an implementation.
  • EUSM prototype implementation in IOS is close to completion.
  • EUSM prototype implementations in the Cisco AAA server (CiscoSecure ACS) and CiscoWorks applications are currently in progress.
  • So far, no implementation problems.
