SNMPv3

1. DESIGN REQUIREMENTS

2. BIRTH & FEATURES of SNMPv3

3. ARCHITECTURE

4. SECURE COMMUNICATION- USER SECURITY MODEL (USM)

5. ACCESS CONTROL- VIEW BASED ACCESS CONTROL MODEL (VACM)

6. IMPLEMENTATIONS

7. REFERENCESCopyright © 2001 by Aiko Pras

These sheets may be used for educational purposes

DESIGN REQUIREMENTS

• ADDRESS THE NEED FOR SECURY SUPPORT

• DEFINE AN ARCHITECTURE THAT ALLOWS FOR LONGEVITY OF SNMP

• ALLOW THAT DIFFERENT PORTIONS OF THE ARCHITECTURE MOVE AT DIFFERENT SPEEDS TOWARDS STANDARD STATUS

• ALLOW FOR FUTURE EXTENSIONS

• KEEP SNMP AS SIMPLE AS POSSIBLE

• ALLOW FOR MINIMAL IMPLEMENTATIONS

• SUPPORT ALSO THE MORE COMPLEX FEATURES, WHICH ARE REQUIRED IN LARGE NETWORKS

• RE-USE EXISTING SPECIFICATIONS, WHENEVER POSSIBLE

The Birth and Features of SNMPv3

• SNMPv3 Working Group did not "reinvent the wheel," but reused the SNMPv2 Draft Standard documents (i.e., RFCs 1902-1908)

• As a result, SNMPv3 is SNMPv2 plus security and administration. The new features of SNMPv3 (in addition to SNMPv2) include:

• Security authentication and privacy authorization and access control

• Administrative Framework naming of entities people and policies usernames and key management notification destinations proxy relationships remotely configurable via SNMP operations

SNMPv3 RFCs

OTHER

SNMP APPLICATIONS

SNMP ENGINE

MESSAGE PROCESSINGSUBSYSTEM

DISPATCHERSECURITY

SUBSYSTEMACCESS CONTROL

SUBSYSTEM

SNMP ENTITY

RFC 3413

RFC 3411

RFC 3412 RFC 3412 USM: RFC 3414 VACM: RFC 3415

RFC 3410 (Informational) - Introduction and Applicability Statements for Internet Standard Management Framework (December 2002)

RFC 3411 - An Architecture for Describing SNMP Management Frameworks (December 2002)

RFC 3412 - Message Processing and Dispatching (December 2002) RFC 3413 - SNMP Applications (December 2002) RFC 3414 - User-based Security Model (December 2002) RFC 3415 - View-based Access Control Model (December 2002) RFC 3416 - Version 2 of SNMP Protocol Operations (December 2002) RFC 3417 - Transport Mappings (December 2002) RFC 3418 - Management Information Base (MIB) for the Simple Network

Management Protocol (SNMP) (December 2002)

RFC 3411-3418 have all become Internet Standard

SNMPv3 RFCs (2)

SNMPv3 ARCHITECTURE

OTHERNOTIFICATIONORIGINATOR

COMMANDRESPONDER

COMMANDGENERATOR

NOTIFICATIONRECEIVER

PROXYFORWARDER

SNMP APPLICATIONS

SNMP ENGINE

MESSAGE PROCESSINGSUBSYSTEM

DISPATCHERSECURITY

SUBSYSTEMACCESS CONTROL

SUBSYSTEM

SNMP ENTITY

OTHER

SNMPv3 ARCHITECTURE: MANAGER

NOTIFICATIONRECEIVER

COMMANDGENERATOR

PDUDISPATCHER

COMMUNITY BASEDSECURITY MODEL

USER BASEDSECURITY MODEL

OTHERSECURITY MODEL

SECURITY SUBSYSTEM

SNMPv1

SNMPv2C

SNMPv3

OTHER

MESSAGE PROCESSINGSUBSYSTEM

MESSAGEDISPATCHER

TRANSPORTMAPPINGS

SNMPv3 ARCHITECTURE: AGENT

PDUDISPATCHER

COMMUNITY BASEDSECURITY MODEL

USER BASEDSECURITY MODEL

OTHERSECURITY MODEL

SECURITY SUBSYSTEM

SNMPv1

SNMPv2C

SNMPv3

OTHER

MESSAGE PROCESSINGSUBSYSTEM

MESSAGEDISPATCHER

TRANSPORTMAPPINGS

MANAGEMENT INFORMATION BASE

VIEW BASEDACCESS CONTROL

ACCESS CONTROL SUBSYSTEM

NOTIFICATIONORIGINATOR

COMMANDRESPONDER

CONCEPTS: snmpEngineID

O TH ER

SNMP ENGINE

SNMP ENTITY

snmpEngineID=4

O TH ER

SNMP ENGINE

SNMP ENTITY

snmpEngineID=2

O TH ER

SNMP ENGINE

SNMP ENTITY

snmpEngineID=3

OT HE R

SNMP ENGINE

SNMP ENTITY

snmpEngineID=1

MODULES OF THE SNMPv3 ARCHITECTURE

DISPATCHER AND MESSAGE PROCESSING MODULE• SNMPv3 MESSAGE STRUCTURE• snmpMPDMIB• RFC 3412 (Standard)

APPLICATIONS• snmpTargetMIB• snmpNotificationMIB• snmpProxyMIB• RFC 3413 (Standard)

SECURITY SUBSYSTEM• USER-BASED SECURITY MODEL (USM)• snmpUsmMIB• RFC 3414 (Standard)

ACCESS CONTROL SUBSYSTEM• VIEW-BASED ACCESS CONTROL MODEL (VACM)• snmpVacmMIB• RFC 3415 (Standard)

SNMPv3 MESSAGE STRUCTURE

msgVersionmsgID

msgMaxSizemsgFlags

msgSecurityModel

msgSecurityParameters

contextEngineIDcontextName

PDU

USED BY MESSAGE PROCESSING SUBSYSTEM

USED BY SNMPv3 PROCESSING MODULE

USED BY SECURITY SUBSYSTEM

USED BY ACCESS CONTROL SUBSYSTEMAND APPLICATIONS

SNMPv3 PROCESSING MODULE PARAMETERS

msgVersionmsgID

msgMaxSizemsgFlags

msgSecurityModel

msgSecurityParameters

contextEngineIDcontextName

PDU

authFlagprivFlagreportableFlag

SNMPv1SNMPv2cUSM

484..2147483647

0..2147483647

SECURE COMMUNICATION VERSUS ACCESS CONTROL

MIB

MANAGER

APPLICATION PROCESSES

TRANSPORT SERVICE

MANAGER AGENT

GET / GET-NEXT / GETBULKSET / TRAP / INFORM

SECURE COMMUNICATION

ACCESS CONTROL

USM: SECURITY THREATS

THREAT ADDRESSED? MECHANISM

REPLAY

YES

TIME STAMP

MASQUERADE YES MD5 / SHA-1

INTEGRITY

YES

(MD5 / SHA-1)

DISCLOSURE YES DES

DENIAL OF SERVICE YES

TRAFFIC ANALYSIS YES

USM MESSAGE STRUCTURE

msgVersionmsgID

msgMaxSizemsgFlags

msgSecurityModelmsgAuthoritativeEngineID

msgAuthoritativeEngineBootsmsgAuthoritativeEngineTime

msgUserNamemsgAuthenticationParameters

msgPrivacyParameterscontextEngineID

contextName

PDU

REPLAY

MASQUERADE/INTEGRITY/DISCLOSURE

DISCLOSURE

MASQUERADE/INTEGRITY

VIEW BASED ACCESS CONTROL MODEL

ACCESS CONTROL TABLE

MIB VIEWS

ACCESS CONTROL TABLES

GET / GETNEXTInterface Table John, Paul Authentication

•••••• ••• •••

•••••• ••• •••

SETInterface Table JohnAuthentication

GET / GETNEXTSystems Group George None

•••••• ••• •••

•••••• ••• •••

Encryption

MIB VIEWALLOWED

MANAGERSREQUIRED LEVEL

OF SECURITYALLOWED

OPERATIONS

MIB VIEWS

SNMPv3 IMPLEMENTATIONS

ACE*COMMAdventNet

BMC SoftwareCisco

EpilogueGambit Communications

HalcyonIBMISI

IWLMG-SOFT

MultiPort CorporationSimpleSoft

SNMP Research

SNMP++ TU of Braunschweig

Net-SNMPUniversity of Quebec

SNMPv3 References

• http://www.ibr.cs.tu-bs.de/ietf/snmpv3/• http://www.ietf.org/html.charters/snmpv3-charter.html• http://www.simpleweb.org/ietf/• http://www.net-snmp.org

• READ Chapters 14, 15, 16, 17 of Stallings• Read SNMPv3 White Paper,

http://www.snmp.com/snmpv3/v3white.html