
SNMPv3

SNMPv3. Yen-Cheng Chen, Department of Information Management, National Chi Nan University. Reference: http://www.comsoc.org/livepubs/surveys/public/4q98issue/stallings.html. SNMPv3 RFCs: RFC3410, RFC3411, RFC3412, RFC3413, RFC3414, RFC3415, RFC3416, RFC3417, RFC3418.





Presentation Transcript


  1. SNMPv3. Yen-Cheng Chen, Department of Information Management, National Chi Nan University. Reference: http://www.comsoc.org/livepubs/surveys/public/4q98issue/stallings.html

  2. SNMPv3 RFCs
  • RFC3410: Introduction and Applicability Statements for Internet-Standard Management Framework
  • RFC3411: An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks
  • RFC3412: Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)
  • RFC3413: Simple Network Management Protocol (SNMP) Applications
  • RFC3414: User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)
  • RFC3415: View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)
  • RFC3416: Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP)
  • RFC3417: Transport Mappings for the Simple Network Management Protocol (SNMP)
  • RFC3418: Management Information Base (MIB) for the Simple Network Management Protocol (SNMP)

  3. SNMPv3 Architecture (figure: the parts of an SNMP entity)
  • SNMP Engine (identified by snmpEngineID): Dispatcher, Message Processing Subsystem, Security Subsystem, Access Control Subsystem
  • Application(s): Command Generator, Command Responder, Notification Originator, Notification Receiver, Proxy Forwarder, Other
  • An SNMP entity is a node with an SNMP management element: either an agent or a manager, or both

  4. Dispatcher
  • Sending and receiving SNMP messages to/from the network
  • Determining the version of an SNMP message and interacting with the corresponding Message Processing Model
  • Providing an abstract interface to SNMP applications for delivery of a PDU to an application
  • Providing an abstract interface for SNMP applications that allows them to send a PDU to a remote SNMP entity
  (figure: the SNMP Engine, identified by snmpEngineID, with its Dispatcher, Message Processing Subsystem, Security Subsystem and Access Control Subsystem)

  5. Dispatcher: three components
  • Transport mapping delivers messages over the transport protocol
  • Message Dispatcher routes messages between the network and the appropriate module of the Message Processing Subsystem
  • PDU Dispatcher handles messages between applications and the Message Processing Subsystem

  6. Message Processing Subsystem
  • Contains one or more Message Processing Models
  • One MPM for each SNMP version
  • SNMP version identified in the message header
  (figure: the SNMP Engine, identified by snmpEngineID, with its Dispatcher, Message Processing Subsystem, Security Subsystem and Access Control Subsystem)

  7. Security and Access Control
  • Security at the message level
  • Authentication
  • Privacy of message via secure communication
  • Flexible access control
  • Who can access
  • What can be accessed
  • Flexible MIB views
  (figure: the SNMP Engine, identified by snmpEngineID, with its Dispatcher, Message Processing Subsystem, Security Subsystem and Access Control Subsystem)

  8. Applications (figure: Command Generator, Command Responder, Notification Originator, Notification Receiver, Proxy Forwarder, Other)
  • Application: example
  • Command generator: get-request
  • Command responder: get-response
  • Notification originator: trap generation
  • Notification receiver: trap processing
  • Proxy forwarder: get-bulk to get-next (SNMP versions only)
  • Other: special application

  9. Manager

  10. Agent

  11. Command Generator or Notification Originator

  12. Command Responder

  13. Names
  • Entity
  • Engine (snmpEngineID): associated with each SNMP entity is a unique snmpEngineID
  • Context (contextName): a context is a collection of management information accessible by an SNMP entity
  • Context engine (contextEngineID) = snmpEngineID
  • Principal (securityName): the "who" on whose behalf services are provided or processing takes place; may be an individual or an application, or a group of individuals or applications

  14. Context Engine (figure: a context engine holding several contexts, each identified by a contextName)

  15. Security Threats (figure: Management Entity A and Management Entity B exchanging messages; the threats shown are modification of information, masquerade, message stream modification and disclosure)

  16. Security Threats
  • The SNMPv3 security model is developed to protect against the following security threats:
  • Modification of information: contents modified by an unauthorized user
  • Masquerade: change of originating address by an unauthorized user
  • Message stream modification: re-ordering, delay or replay of messages
  • Disclosure: eavesdropping
  • The SNMPv3 security model doesn't protect against Denial of Service (DoS) and traffic analysis.

  17. Security Services (figure: the Security Subsystem and its interaction with the Message Processing Model)
  • Authentication Module: data integrity, data origin authentication
  • Privacy Module: data confidentiality
  • Timeliness Module: message timeliness and limited replay protection

  18. SNMPv3 Security
  • Authentication
  • Data integrity: HMAC-MD5-96 / HMAC-SHA-96
  • Data origin authentication: append to the message a unique identifier associated with the authoritative SNMP engine
  • Privacy / confidentiality: encryption
  • Timeliness: authoritative engine ID, number of engine boots and time in seconds
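The timeliness check summarised above, as an added Python example that is not part of the slides: the test an authoritative engine (the agent) applies to the authoritative engine ID, boot counter and time carried in an incoming authenticated message, following RFC 3414 section 3.2 step 7 (the boot counter must match, the boot counter must not have reached 2^31-1, and the time must lie within 150 seconds of the engine's own). The class name, engine ID and counter values are constructed for illustration.

```python
# Added example, not from the slides: the timeliness check that an authoritative
# SNMP engine applies to an incoming authenticated message (RFC 3414, 3.2 step 7).
# The sender copies its notion of the authoritative engine's snmpEngineBoots and
# snmpEngineTime into the message; the receiver accepts only values that match
# its own counters within a 150-second window. All values below are constructed.

MAX_BOOTS = 2147483647   # 2^31 - 1: once reached, the engine must be reconfigured
TIME_WINDOW = 150        # seconds, fixed by RFC 3414


class AuthoritativeEngine:
    """Local snmpEngineBoots / snmpEngineTime of the authoritative engine (hypothetical class)."""

    def __init__(self, engine_id: bytes, boots: int = 1, time: int = 0) -> None:
        self.engine_id = engine_id
        self.boots = boots
        self.time = time

    def tick(self, seconds: int) -> None:
        """Advance the engine's notion of uptime."""
        self.time += seconds

    def reboot(self) -> None:
        """Increment the boot counter and reset uptime, as a restart does."""
        self.boots += 1
        self.time = 0

    def check_timeliness(self, msg_engine_id: bytes, msg_boots: int, msg_time: int):
        """Return (accepted, reason) for the engine ID / boots / time fields of a message."""
        if msg_engine_id != self.engine_id:
            return False, "unknownEngineID"
        if self.boots == MAX_BOOTS:
            return False, "notInTimeWindow: boot counter exhausted"
        if msg_boots != self.boots:
            return False, "notInTimeWindow: engineBoots mismatch"
        if abs(self.time - msg_time) > TIME_WINDOW:
            return False, "notInTimeWindow: engineTime outside the 150 s window"
        return True, "accepted"


def demo_timeliness() -> dict:
    """Run the check on a fresh message, a late one, a replayed one and a pre-reboot one."""
    agent = AuthoritativeEngine(engine_id=b"\x80\x00\x00\x00\x01constructed", boots=3, time=1000)
    # Constructed message fields, as sent by a manager that has synchronised with the agent.
    msg_engine_id, msg_boots, msg_time = agent.engine_id, 3, 1000
    results = {}
    results["fresh"] = agent.check_timeliness(msg_engine_id, msg_boots, msg_time)
    agent.tick(100)   # 100 s of drift: still inside the window
    results["slightly_late"] = agent.check_timeliness(msg_engine_id, msg_boots, msg_time)
    agent.tick(100)   # 200 s of drift: the same message replayed is now rejected
    results["replayed"] = agent.check_timeliness(msg_engine_id, msg_boots, msg_time)
    agent.reboot()    # boots becomes 4: the message's boot counter is stale
    results["after_reboot"] = agent.check_timeliness(msg_engine_id, msg_boots, msg_time)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo_timeliness().items():
        print(f"{name:14s} accepted={ok} ({reason})")
```

The window is what gives the "limited" in "limited replay protection" on slide 17: a captured message can still be replayed within 150 seconds of its original send time unless the application layer detects the duplicate request ID.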

  19. Role of SNMP Engines (figure): Non-Authoritative Engine (NMS) and Authoritative Engine (Agent)

  20. SNMPv3 Message Format (Figure 7.12, see p. 304)
  • Version
  • Global/Header Data: Message ID, Message Max. Size, Message Flags, Message Security Model
  • Security Parameters: Authoritative Engine ID, Authoritative Engine Boots, Authoritative Engine Time, User Name, Authentication Parameters, Privacy Parameters
  • scopedPDU (plaintext or encrypted): Context Engine ID, Context Name, Data
  (the figure brackets Version through scopedPDU as the "Whole Message")

  21. See p. 304

  22. User-Based Security Model
  • Based on the traditional user name concept
  • Authentication service primitives: authenticateOutgoingMsg, authenticateIncomingMsg
  • Privacy services: encryptData, decryptData

  23. Authentication Protocols
  • Authentication key: derived from a password chosen by the user
  • digest0: the password repeated to fill 2^20 octets
  • digest1: H(digest0)
  • digest2: H(engineID || digest1)
  • AuthKey = digest2
  • Use HMAC-MD5-96 or HMAC-SHA-96
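The key derivation on slide 23 together with the authenticateOutgoingMsg / authenticateIncomingMsg primitives of slide 22, as an added Python example that is not from the slides. It follows RFC 3414 appendix A.2 for the password-to-key step and for key localisation, where the localised key is H(Ku || snmpEngineID || Ku) (the slide abbreviates that step as H(engineID || digest1)), and section 6.3 for the HMAC-96 authentication, where the 12-octet msgAuthenticationParameters field is set to zeros before the HMAC over the whole message is computed and the first 96 bits of the result are inserted. The derived keys are checked against the RFC 3414 appendix A.3 test vectors (password "maplesyrup", engineID 00 00 00 00 00 00 00 00 00 00 00 02); the message bytes are a constructed stand-in for a BER-encoded message, and the function names are hypothetical.

```python
# Added example, not from the slides: USM password-to-key derivation, key
# localisation and HMAC-96 message authentication per RFC 3414 (A.2 and 6.3).
import hashlib
import hmac

PASSWORD_EXPANSION = 1 << 20   # digest0 is the password repeated to 2^20 octets
MAC_LEN = 12                   # HMAC-MD5-96 / HMAC-SHA-96 keep the first 96 bits
ZERO_TAG = b"\x00" * MAC_LEN   # value of msgAuthenticationParameters while hashing


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Ku = H(digest0), digest0 = password repeated to 2^20 octets (RFC 3414 A.2)."""
    if not password:
        raise ValueError("password must not be empty")
    repeats = PASSWORD_EXPANSION // len(password) + 1
    digest0 = (password * repeats)[:PASSWORD_EXPANSION]
    return hashlib.new(hash_name, digest0).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): ties the key to one authoritative engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def hmac96(kul: bytes, hash_name: str, whole_msg: bytes) -> bytes:
    """Truncated HMAC over the whole message (auth field already zeroed)."""
    return hmac.new(kul, whole_msg, hash_name).digest()[:MAC_LEN]


def authenticate_outgoing_msg(kul: bytes, hash_name: str, head: bytes, tail: bytes) -> bytes:
    """Compute the tag over head||zeros||tail and return head||tag||tail (hypothetical API)."""
    tag = hmac96(kul, hash_name, head + ZERO_TAG + tail)
    return head + tag + tail


def authenticate_incoming_msg(kul: bytes, hash_name: str, msg: bytes, tag_offset: int) -> bool:
    """Extract the received tag, recompute over the zeroed message, compare in constant time."""
    received = msg[tag_offset:tag_offset + MAC_LEN]
    if len(received) != MAC_LEN:
        return False
    zeroed = msg[:tag_offset] + ZERO_TAG + msg[tag_offset + MAC_LEN:]
    return hmac.compare_digest(received, hmac96(kul, hash_name, zeroed))


def demo_usm_auth() -> dict:
    """Derive keys for the RFC 3414 A.3 vectors, then authenticate and verify a message."""
    engine_id = bytes.fromhex("000000000000000000000002")   # engineID from RFC 3414 A.3
    results = {}
    for hash_name in ("md5", "sha1"):
        ku = password_to_key(b"maplesyrup", hash_name)
        kul = localize_key(ku, engine_id, hash_name)
        results[hash_name] = {"ku": ku.hex(), "kul": kul.hex()}
    kul = localize_key(password_to_key(b"maplesyrup", "sha1"), engine_id, "sha1")
    # Constructed stand-ins for the BER bytes before and after msgAuthenticationParameters.
    head = b"<msgGlobalData + securityParameters up to the auth field>"
    tail = b"<privacyParameters + scopedPDU>"
    wire = authenticate_outgoing_msg(kul, "sha1", head, tail)
    tampered = wire.replace(b"scopedPDU", b"scopedPDV")   # one octet changed in transit
    results["verified"] = authenticate_incoming_msg(kul, "sha1", wire, len(head))
    results["tampered_verified"] = authenticate_incoming_msg(kul, "sha1", tampered, len(head))
    return results


if __name__ == "__main__":
    for key, value in demo_usm_auth().items():
        print(key, value)
```

Two design points are visible in the code: the HMAC is computed over the whole message, so any field of the header, security parameters or scopedPDU that is altered in transit fails verification; and because the localised key includes the authoritative engine ID, the same password yields a different Kul on every agent, so a key taken from one agent does not authenticate to another.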
