Network Management: Principles and Practice © Mani Subramanian 2000

Chapter 7: SNMPv3 (slide 7-1)

Slide 7-2: Key Features
• Modularization of document
• Modularization of architecture
• SNMP engine
• Security feature
• Secure information
• Access control

Slide 7-3: Documentation
Figure 7.1 SNMP Documentation (recommended in SNMPv3). The figure groups the documents by framework (SNMPv1; SNMPv2 with RFCs 19xx; SNMPv3 with RFC 2271) and by category: general (roadmap, applicability statement, coexistence and transition), MIBs (standard v1 RFC 1157 format, standard v1 RFC 1212 format, historic RFC 14xx format, draft RFC 19xx format; RFCs 1442, 1443, and 1444; RFCs 1902, 1903, and 1904), message handling (transport mappings, message processing and dispatcher, security), and PDU handling (protocol operations, applications, access control).
• Compare this to the document organization in Chapter 4

Slide 7-4: Architecture
Figure 7.2 SNMPv3 Architecture. An SNMP entity consists of an SNMP engine (identified by snmpEngineID) containing a Dispatcher, a Message Processing Subsystem, a Security Subsystem and an Access Control Subsystem, plus Application(s): Command Generator, Command Responder, Notification Receiver, Notification Originator, Proxy Forwarder and Other.
Notes
• An SNMP entity is a node with an SNMP management element, either an agent or a manager or both
• Three names are associated with an entity:
  • Entities: SNMP engine
  • Identities: principal and security name
  • Management information: context engine
Slide 7-5: SNMP Engine ID
Figure 7.3 SNMP Engine ID. Two layouts, distinguished by the first bit: for SNMPv1/SNMPv2 the first bit is 0 and the ID carries the enterprise ID (octets 1-4), the enterprise method (5th octet) and the function of the method (octets 6-12); for SNMPv3 the first bit is 1 and the ID carries the enterprise ID (octets 1-4), a format indicator (5th octet) and the format-specific value (variable number of octets).
Notes
• Each SNMP engine has a unique ID: snmpEngineID
• Acme Networks {enterprises 696}
  • SNMPv1 snmpEngineID '000002b8'H
  • SNMPv3 snmpEngineID '800002b8'H (the 1st octet is 1000 0000)

Slide 7-6: SNMPv3 Engine ID Format, 5th Octet
Table 7.2 SNMPv3 Engine ID Format (5th octet)
0: Reserved, unused
1: IPv4 address (4 octets); lowest non-special IP address
2: IPv6 address (16 octets); lowest non-special IP address
3: MAC address (6 octets); lowest IEEE MAC address, canonical order
4: Text, administratively assigned; maximum remaining length 27
5: Octets, administratively assigned; maximum remaining length 27
6-127: Reserved, unused
128-255: As defined by the enterprises; maximum remaining length 27
Notes
• For SNMPv1 and SNMPv2:
  • Octet 5 is the method
  • Octets 6-12 are the IP address
• Examples: IBM host with IP address 10.10.10.10
  SNMPv1: 00 00 00 02 01 0A 0A 0A 0A 00 00 00
  SNMPv3: 10 00 00 02 02 00 00 00 00 00 00 00 0A 0A 0A 0A

Slide 7-7: Dispatcher
(Figure: the SNMP engine, identified by snmpEngineID, with its Dispatcher, Message Processing Subsystem, Security Subsystem and Access Control Subsystem.)
• One dispatcher in an SNMP engine
• Handles messages of multiple versions
• Interfaces with application modules, the network, and the message processing models
• Three components for three functions:
  • Transport mapper delivers messages over the transport protocol
  • Message dispatcher routes messages between the network and the appropriate module of the MPS
  • PDU dispatcher handles messages between the application and the MPS

Slide 7-8: Message Processing Subsystem
• Contains one or more Message Processing Models
• One MPM for each SNMP version
• SNMP version identified in the header

Slide 7-9: Security and Access Control
• Security at the message level
  • Authentication
  • Privacy of message via secure communication
• Flexible access control
  • Who can access
  • What can be accessed
  • Flexible MIB views

Slide 7-10: Applications
(Figure: Application(s) of the SNMP entity: Command Generator, Command Responder, Notification Receiver, Notification Originator, Proxy Forwarder, Other.)
Application and example:
• Command generator: get-request
• Command responder: get-response
• Notification originator: trap generation
• Notification receiver: trap processing
• Proxy forwarder (SNMP versions only): get-bulk to get-next
• Other: special application

Slide 7-11: Names
• SNMP Engine ID: snmpEngineID
• Principal: principal; who: a person, group or application
• Security Name: securityName; human-readable name
• Context Engine ID: contextEngineID
• Context Name: contextName
Notes
• An SNMP agent can monitor more than one network element (context)
Examples:
• SNMP Engine ID: IP address
• Principal: John Smith; Security Name: Administrator
• Principal: Li, David, Kristen, Rashmi; Security Name: Operator
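As an added example (not from the slides or any SNMP implementation), the following Python decoder applies the two snmpEngineID layouts of Figure 7.3 and the 5th-octet format indicators of Table 7.2 to the Acme and IBM values above; the MAC and text IDs in it are constructed, and the 5..32-octet bound it enforces comes from RFC 3411, not from the slides.

```python
"""Decode an snmpEngineID according to the two layouts of Figure 7.3 and the
SNMPv3 format indicators of Table 7.2.  Added example; the sample IDs below are
constructed, not taken from a real device."""
import ipaddress

MAX_ASSIGNED = 27  # maximum remaining length for formats 4, 5 and 128-255


def _expect(body, n, what):
    if len(body) != n:
        raise ValueError("%s format needs exactly %d octets, got %d" % (what, n, len(body)))


def decode_engine_id(hex_id):
    """Return a dict describing the engine ID given as a hex string."""
    raw = bytes.fromhex(hex_id.replace(" ", ""))
    # RFC 3411 bounds snmpEngineID to 5..32 octets; enforcing it here also
    # rejects empty or truncated IDs before any octet is indexed.
    if not 5 <= len(raw) <= 32:
        raise ValueError("snmpEngineID must be 5..32 octets, got %d" % len(raw))
    # Octets 1-4 carry the enterprise number; the first bit is the layout flag.
    enterprise = int.from_bytes(raw[:4], "big") & 0x7FFFFFFF
    if raw[0] & 0x80 == 0:
        # First bit 0: SNMPv1/SNMPv2 layout (method in octet 5, function in 6-12).
        return {"layout": "v1/v2", "enterprise": enterprise,
                "method": raw[4], "function": raw[5:12].hex()}
    fmt, body = raw[4], raw[5:]
    info = {"layout": "v3", "enterprise": enterprise, "format": fmt}
    if fmt == 1:
        _expect(body, 4, "IPv4")
        info.update(kind="ipv4", value=str(ipaddress.IPv4Address(body)))
    elif fmt == 2:
        _expect(body, 16, "IPv6")
        info.update(kind="ipv6", value=str(ipaddress.IPv6Address(body)))
    elif fmt == 3:
        _expect(body, 6, "MAC")
        info.update(kind="mac", value=":".join("%02x" % b for b in body))
    elif fmt in (4, 5) or fmt >= 128:
        # Administratively or enterprise assigned: Table 7.2 caps the remainder at 27.
        if len(body) > MAX_ASSIGNED:
            raise ValueError("format %d allows at most %d remaining octets" % (fmt, MAX_ASSIGNED))
        if fmt == 4:
            info.update(kind="text", value=body.decode("ascii"))
        else:
            info.update(kind="octets" if fmt == 5 else "enterprise-specific", value=body.hex())
    else:
        info.update(kind="reserved", value=body.hex())  # 0 and 6-127 are unused
    return info


def is_valid_engine_id(hex_id):
    """True when the ID decodes without a length or format violation."""
    try:
        decode_engine_id(hex_id)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for eid in ("800002b8 01 0a0a0a0a",           # Acme (696), IPv4 10.10.10.10
                "80000002 03 0011223344aa",       # IBM (2), constructed MAC address
                "80000002 04 6d792d6167656e74",   # IBM (2), constructed text "my-agent"
                "00000002 01 0a0a0a0a000000"):    # the slide's SNMPv1 IBM example
        print(eid, "->", decode_engine_id(eid))
```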
Slide 7-12: Abstract Service Interface
Figure 7.4(a) Abstract Service Interface. Subsystem A invokes primitive A on Subsystem B across the abstract service interface with IN parameters (a1, a2, ...) and OUT parameters (b1, b2, ...); Subsystem B in turn invokes primitive B on Subsystem C; status information / result is returned to the caller.
Notes
• An abstract service interface is a conceptual interface between modules, independent of implementation
• Defines a set of primitives
• Primitives are associated with the receiving entities, except for the Dispatcher
• Dispatcher primitives are associated with:
  • messages to and from applications
  • registering and un-registering of application modules
  • transmitting messages to and receiving messages from the network
• IN and OUT parameters
• Status information / result

Slide 7-13: sendPdu
Figure 7.4(b) Abstract Service Interface for sendPdu. The Command Generator invokes sendPdu on the Dispatcher; the Dispatcher invokes prepareOutgoingMessage on the Message Processing Model and returns sendPduHandle / errorIndication to the Command Generator.
Notes
• The sendPdu request sent by the application module (command generator) is associated with the receiving module (dispatcher)
• After the message is transmitted over the network, the dispatcher sends a handle to the command generator for tracking the response
• sendPdu is the IN parameter
• sendPduHandle is the OUT parameter, shown as coupled to the IN parameter

Slide 7-14: Dispatcher Primitives
Module / primitive: service provided
• Dispatcher / sendPdu: request from application to send a PDU to a remote entity
• Dispatcher / processPdu: processing of incoming message from remote entity
• Dispatcher / returnResponsePdu: request from application to send a response PDU
• Dispatcher / processResponsePdu: processing of incoming response from a remote entity
• Dispatcher / registerContextEngineID: register request from a Context Engine
• Dispatcher / unregisterContextEngineID: unregister request from a Context Engine

Slide 7-15: Command Generator
(Figure: Command Generator application.) Outgoing: Command Generator sendPdu -> Dispatcher prepareOutgoingMessage -> Message Processing Model generateRequestMsg -> Security Model; the Dispatcher returns sendPduHandle and the get-request message is sent to the network. Incoming: the get-response message is received from the network; Dispatcher prepareDataElements -> Message Processing Model processIncomingMsg -> Security Model; Dispatcher processResponsePdu -> Command Generator.

Slide 7-16: Command Responder
Figure 7.6 Command Responder Application. The Command Responder first registers with the Dispatcher (registerContextEngineID). Incoming: the get-request message is received from the network; Dispatcher prepareDataElements -> Message Processing Model processIncomingMsg -> Security Model; Dispatcher processPdu -> Command Responder. Outgoing: Command Responder returnResponsePdu -> Dispatcher prepareResponseMsg -> Message Processing Model generateResponseMsg -> Security Model; the get-response message is sent to the network.

Slide 7-17: Notification / Proxy
• Notification originator
  • Generates trap and inform messages
  • Determines target, SNMP version, and security
  • Decides context information
• Notification receiver
  • Registers with the SNMP engine
  • Receives notification messages
• Proxy forwarder
  • Proxy server
  • Handles only SNMP messages by:
    • Command generator
    • Command responder
    • Notification generator
    • Report indicator
  • Uses the translation table in the proxy group MIB

Slide 7-18: SNMPv2 MIB
Figure 6.31 SNMPv2 Internet Group. internet {1 3 6 1}: directory (1); mgmt (2) -> mib-2 (1) -> system (1), snmp (11); experimental (3); private (4); security (5); snmpv2 (6) -> snmpDomains (1), snmpProxys (2), snmpModules (3) -> snmpMIB (1) -> snmpMIBObjects (1), snmpMIBConformance (2).
Notes
• SNMPv3 MIB developed under snmpModules
• Security placeholder not used

Slide 7-19: SNMPv3 MIB
Figure 7.7 SNMPv3 MIB. snmpModules {1.3.6.1.6.3}: snmpFrameworkMIB (10), snmpMPDMIB (11), snmpTargetMIB (12), snmpNotificationMIB (13), snmpProxyMIB (14), snmpUsmMIB (15), snmpVacmMIB (16).
Notes
• snmpFrameworkMIB describes the SNMP management architecture
• snmpMPDMIB identifies objects in the message processing and dispatch subsystems
• snmpTargetMIB and snmpNotificationMIB are used for notification generation
• snmpProxyMIB defines the translation table for proxy forwarding
• snmpUsmMIB defines user-based security model objects
• snmpVacmMIB defines objects for view-based access control

Slide 7-20: SNMPv3 Target MIB
Figure 7.8 Target Address and Target Parameter Tables. snmpTargetMIB {snmpModules 12} -> snmpTargetObjects (1) -> snmpTargetAddrTable (2), snmpTargetParamsTable (3).
Notes
• The target MIB contains two tables
• The target address table contains the addresses of the targets for notifications (see notification group)
• The target address table also contains information for establishing the transport parameters
• The target address table contains a reference to the second table, the target parameter table
• The target parameter table contains security parameters for authentication and privacy

Slide 7-21: SNMPv3 Notification MIB
Figure 7.9 SNMP Notification Tables. snmpNotificationMIB {snmpModules 13} -> snmpNotifyObjects (1) -> snmpNotifyTable (1), snmpNotifyFilterProfileTable (2), snmpNotifyFilterTable.
Notes
• The notification group contains three tables
• The notify table contains groups of management targets to receive notifications and the type of notifications
• The target addresses to receive notifications that are listed in the target address table (see target group) are tagged here
• The notification profile table defines filter profiles associated with target parameters
• The notification filter table contains the table profiles of the targets

Slide 7-22: Security Threats
Figure 7.10 Security Threats to Management Information. Between Management Entity A and Management Entity B: modification of information, masquerade, message stream modification, and disclosure.
Notes
• Modification of information: contents modified by an unauthorized user; does not include address change
• Masquerade: change of originating address by an unauthorized user
• Message stream modification: fragments of the message altered by an unauthorized user to modify the meaning of the message
• Disclosure is eavesdropping
• Disclosure does not require interception of the message
• Denial of service and traffic analysis are not considered as threats

Slide 7-23: Security Services
Figure 7.11 Security Services. The Security Subsystem, invoked by the Message Processing Model, provides data integrity and data origin authentication (Authentication Module), data confidentiality (Privacy Module), and message timeliness and limited replay protection (Timeliness Module).
Notes
• Authentication
  • Data integrity: HMAC-MD5-96 / HMAC-SHA-96
  • Data origin authentication: append to the message a unique identifier associated with the authoritative SNMP engine
• Privacy / confidentiality: encryption
• Timeliness: authoritative engine ID, number of engine boots and time in seconds

Slide 7-24: Role of SNMP Engines
Non-authoritative engine (NMS) and authoritative engine (agent).
Notes
• Responsibility of the authoritative engine:
  • Unique SNMP engine ID
  • Time-stamp
• The non-authoritative engine should keep a table of the time-stamp and authoritative engine ID

Slide 7-25: SNMPv3 Message Format
Figure 7.12 SNMPv3 Message Format. Global/header data: Version, Message ID, Message Max Size, Message Flags, Message Security Model. Security Parameters: Authoritative Engine ID, Authoritative Engine Boots, Authoritative Engine Time, User Name, Authentication Parameters, Privacy Parameters. Plaintext / encrypted scopedPDU data: Context Engine ID, Context Name, Data (PDU).

Slide 7-26: SNMPv3 Message Format
Field (object name): description
• Version (msgVersion): SNMP version number of the message format
• Message ID (msgID): administrative ID associated with the message
• Message Max. Size (msgMaxSize): maximum size supported by the sender
• Message flags (msgFlags): bit fields identifying report, authentication, and privacy of the message
• Message Security Model (msgSecurityModel): security model used for the message; concurrent multiple models allowed
• Security Parameters (msgSecurityParameters, see Table 7.8): security parameters used for communication between sending and receiving security modules
• Plaintext/Encrypted scopedPDU Data (scopedPduData): choice of plaintext or encrypted scopedPDU; the scopedPDU uniquely identifies context and PDU
• Context Engine ID (contextEngineID): unique ID of a context (managed entity) with a context name realized by an SNMP entity
• Context Name (contextName): name of the context (managed entity)
• PDU (data): contains the unencrypted PDU

Slide 7-27: User-Based Security Model
• Based on the traditional user name concept
• USM primitives across abstract service interfaces
  • Authentication service primitives: authenticateOutgoingMsg, authenticateIncomingMsg
  • Privacy service primitives: encryptData, decryptData

Slide 7-28: Secure Outgoing Message
Figure 7.13 Privacy and Authentication Service for Outgoing Message. The User-based Security Model receives the MPM information (header data, security data, scopedPDU); it passes the encryption key and scopedPDU to the privacy module, which returns privacy parameters and the encrypted scopedPDU; it then passes the authentication key and the whole message (with the whole message length) to the authentication module, which returns the authenticated whole message; the result is the authenticated whole message plus the security parameters.
Notes
• USM invokes the privacy module with the encryption key and the scopedPDU
• The privacy module returns the privacy parameters and the encrypted scopedPDU
• USM then invokes the authentication module with the authentication key and the whole message, and receives the authenticated whole message

Slide 7-29: Secure Incoming Message
Figure 7.14 Privacy and Authentication Service for Incoming Message. The User-based Security Model receives the MPM information (header data, security parameters, whole message as received from the network); it passes the authentication key, authentication parameters and whole message to the authentication module, which returns the authenticated whole message; it then passes the decryption key, privacy parameters and encrypted PDU to the privacy module, which returns the decrypted scopedPDU.
Notes
• Processing of a secure incoming message is the reverse of the secure outgoing message
• Authentication validation is done first, by the authentication module
• Decryption of the message is done next, by the privacy module

Slide 7-30: Security Parameters
Figure 7.15 SNMPv3 MIB Objects for Security Parameters. snmpModules {1.3.6.1.6.3} -> snmpFrameworkMIB (10) -> snmpFrameworkAdmin (1) -> snmpAuthProtocols (1), snmpPrivProtocols (2); snmpFrameworkMIBObjects -> snmpEngine (1); snmpUsmMIB (15) -> usmMIBObjects (1) -> usmUser (2) -> usmUserSpinLock (1), usmUserTable (2).
Notes
Table 7.8 Security Parameters and Corresponding MIB Objects
Security parameter: USM user group object
• msgAuthoritativeEngineID: snmpEngineID (under snmpEngine group)
• msgAuthoritativeEngineBoots: snmpEngineBoots (under snmpEngine group)
• msgAuthoritativeEngineTime: snmpEngineTime (under snmpEngine group)
• msgUserName: usmUserName (in usmUserTable)
• msgAuthenticationParameters: usmUserAuthProtocol (in usmUserTable)
• msgPrivacyParameters: usmUserPrivProtocol (in usmUserTable)
Slide 7-31: Privacy Module
• Encryption and decryption of the scoped PDU (context engine ID, context name, and PDU)
• CBC-DES (Cipher Block Chaining - Data Encryption Standard) symmetric protocol
• Encryption key (and initialization vector) made up of the secret key (user password) and the timeliness value
• The privacy parameter is the salt value (unique for each packet) in CBC-DES

Slide 7-32: Authentication Key
• Secret key for authentication
• Derived from the user (NMS) password
• MD5 or SHA-1 algorithm used
• The authentication key is digest2
Notes
Procedure:
1. Derive digest0: the password repeated until it forms 2^20 (1,048,576) octets.
2. Derive digest1: hash digest0 using MD5 or SHA-1.
3. Derive digest2: concatenate the authoritative SNMP engine ID and digest1 and hash with the same algorithm.

Slide 7-33: Authentication Parameters
• The authentication parameter is a Hashed Message Authentication Code (HMAC)
• The HMAC is 96 bits long (12 octets)
• Derived from the authentication key (authKey)
Notes
Procedure:
1. Derive extendedAuthKey: supplement authKey with 0s to get a 64-byte string.
2. Define ipad, opad, K1, and K2:
   ipad = 0x36 (00110110) repeated 64 times
   opad = 0x5c (01011100) repeated 64 times
   K1 = extendedAuthKey XOR ipad
   K2 = extendedAuthKey XOR opad
3. Derive the HMAC with the hashing algorithm used: HMAC = H(K2, H(K1, wholeMsg))
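The key localization of slide 7-32 and the HMAC procedure of slide 7-33, as an added Python example (not the book's code): it also seals and verifies a constructed stand-in for a message, with the msgAuthenticationParameters field zeroed during the computation, and splits a 16-octet privKey into the DES key and pre-IV that the CBC-DES privacy module uses. The "maplesyrup" test vector and the digest1 || engineID || digest1 localization form come from RFC 3414, not from the slides.

```python
"""USM key material handling from slides 7-32 to 7-34: password-to-key
localization, HMAC-*-96 built exactly from the K1/K2 procedure, sealing and
verifying a message, and the privKey split used by CBC-DES.  Added example;
the message bytes are constructed and the key uses the RFC 3414 test vector."""
import hashlib
import hmac

AUTH_PARAM_LEN = 12        # HMAC-MD5-96 / HMAC-SHA-96 output length in octets
STRETCH_LEN = 1 << 20      # digest0 length: password repeated to 2^20 octets
ENGINE_ID = bytes(11) + b"\x02"   # RFC 3414 A.3.1 authoritative engine ID
# Constructed stand-in for a BER-encoded SNMPv3 message: 5 header bytes, then the
# 12-octet msgAuthenticationParameters field (zeroed), then the scopedPDU bytes.
AUTH_OFFSET = 5
MESSAGE = b"\x30\x20HDR" + bytes(AUTH_PARAM_LEN) + b"scopedPDU"


def password_to_key(password, engine_id, algo="md5"):
    """digest0 -> digest1 -> localized key (digest2) for the authoritative engine."""
    pw = password.encode()
    if len(pw) < 8:                       # RFC 3414 requires at least 8 characters
        raise ValueError("password too short")
    reps, rem = divmod(STRETCH_LEN, len(pw))
    digest1 = hashlib.new(algo, pw * reps + pw[:rem]).digest()
    # RFC 3414 localizes as H(digest1 || engineID || digest1); the slide abbreviates
    # this to "concatenate the engine ID and digest1".
    return hashlib.new(algo, digest1 + engine_id + digest1).digest()


def hmac96(auth_key, whole_msg, algo="md5"):
    """Slide 7-33 procedure, truncated to the first 12 octets."""
    extended = auth_key.ljust(64, b"\x00")             # 1. extendedAuthKey
    k1 = bytes(b ^ 0x36 for b in extended)             # 2. K1 = extendedAuthKey XOR ipad
    k2 = bytes(b ^ 0x5C for b in extended)             #    K2 = extendedAuthKey XOR opad
    inner = hashlib.new(algo, k1 + whole_msg).digest()
    return hashlib.new(algo, k2 + inner).digest()[:AUTH_PARAM_LEN]   # 3. H(K2, H(K1, msg))


def reference_hmac96(auth_key, whole_msg, algo="md5"):
    """Cross-check against the standard library's HMAC."""
    return hmac.new(auth_key, whole_msg, algo).digest()[:AUTH_PARAM_LEN]


def seal(auth_key, msg, offset=AUTH_OFFSET, algo="md5"):
    """Outgoing: the authentication field must hold 12 zero octets while the HMAC
    is computed; the HMAC then replaces it (RFC 3414)."""
    if msg[offset:offset + AUTH_PARAM_LEN] != bytes(AUTH_PARAM_LEN):
        raise ValueError("authentication field must be zeroed before sealing")
    return msg[:offset] + hmac96(auth_key, msg, algo) + msg[offset + AUTH_PARAM_LEN:]


def verify(auth_key, msg, offset=AUTH_OFFSET, algo="md5"):
    """Incoming: authentication is validated before any decryption (slide 7-29)."""
    received = msg[offset:offset + AUTH_PARAM_LEN]
    zeroed = msg[:offset] + bytes(AUTH_PARAM_LEN) + msg[offset + AUTH_PARAM_LEN:]
    return hmac.compare_digest(received, hmac96(auth_key, zeroed, algo))


def des_cbc_material(priv_key, engine_boots, counter):
    """Slide 7-34: octets 1-8 of the 16-octet privKey are the DES key and octets
    9-16 the pre-IV; IV = pre-IV XOR salt, salt = engineBoots || local counter
    (RFC 3414).  The 16-octet MD5 localized key doubles as privKey here."""
    des_key, pre_iv = priv_key[:8], priv_key[8:16]
    salt = engine_boots.to_bytes(4, "big") + counter.to_bytes(4, "big")
    iv = bytes(a ^ b for a, b in zip(pre_iv, salt))
    return des_key, salt, iv


if __name__ == "__main__":
    key = password_to_key("maplesyrup", ENGINE_ID)
    sealed = seal(key, MESSAGE)
    print("authKey:", key.hex(), "verify:", verify(key, sealed))
```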
Slide 7-34: Encryption Protocol
• Cipher Block Chaining mode of the Data Encryption Standard (CBC-DES) protocol
• The 16-octet privKey is the secret key
• The first 8 octets of privKey are used as the 56-bit DES key (only the 7 high-order bits of each octet are used)
• The last 8 octets of privKey are used as the pre-initialization vector
Figure 13.33 Basic Cryptographic Communication. Plaintext is encrypted with the secret key, the ciphertext crosses the transmission channel, and it is decrypted with the same secret key back to plaintext.
Notes
• CBC mode
  • Plaintext divided into 64-bit blocks
  • Each block is XOR-ed with the ciphertext of the previous block and then encrypted
  • The pre-IV (initialization vector) is used for prefixing the first message block

Slide 7-35: Access Control
• View-based Access Control Model
• Groups: name of the group comprising security model and security name; in SNMPv1 it is the community name
• Security level
  • no authentication - no privacy
  • authentication - no privacy
  • authentication - privacy
• Contexts: names of the context
• MIB views and view families
  • A MIB view is a combination of view subtrees
• Access policy
  • read-view
  • write-view
  • notify-view
  • not-accessible

Slide 7-36: VACM Process
Answers 6 questions:
1. Who are you (group)?
2. Where do you want to go (context)?
3. How secured are you to access the information (security model and security level)?
4. Why do you want to access the information (read, write, or send notification)?
5. What object (object type) do you want to access?
6. Which object (object instance) do you want to access?

Slide 7-37: VACM Process
Figure 7.16 VACM Process. The security name (principal) and security model answer "Who are you?" and yield the group name; the context name is looked up in the context table ("Go where?", otherwise noSuchContext); the security model and security level answer "How secured are you?"; group name, context name, security model and security level select an entry in the access table ("Why do you want access?", otherwise noAccessEntry), which gives the view name for the view type (read / write / notify); the view name is applied to the view tree family table to select the variable names (otherwise noSuchView or notInView); the result is access allowed: yes / no.

Slide 7-38: VACM MIB
Figure 7.17 VACM MIB. snmpVacmMIB (snmpModules 16) -> vacmMIBObjects (1) -> vacmContextTable (1), vacmSecurityToGroupTable (2), vacmAccessTable (4), vacmMIBViews (5) -> vacmViewSpinLock (1), vacmViewTreeFamilyTable (2).
Notes
• Four tables are used to achieve access control
• The group is defined by the security-to-group table
• The context is defined by the context table
• The access table determines the access allowed and the view name
• The view tree family table determines the MIB view, which is very flexible

Slide 7-39: MIB Views
• Simple view: system 1.3.6.1.2.1.1
• Complex view: all information relevant to a particular interface (system and interfaces groups)
• Family view subtrees
  • A view with all the columnar objects in a row appears as a separate subtree
  • OBJECT IDENTIFIER (family name) paired with a bit-string value (family mask) to select or suppress columnar objects

Slide 7-40: VACM MIB View
Figure 7.19 VACM MIB Views. vacmMIBViews (vacmMIBObjects 5) -> vacmViewSpinLock (1), vacmViewTreeFamilyTable (2) -> vacmViewTreeFamilyEntry (1) -> vacmViewTreeFamilyViewName (1), vacmViewTreeFamilySubtree (2), vacmViewTreeFamilyMask (3), vacmViewTreeFamilyType (4), vacmViewTreeFamilyStorageType (5), vacmViewTreeFamilyStatus (6).
Notes
Example:
• Family view name = "system"
• Family subtree = 1.3.6.1.2.1.1
• Family mask = "" (implies all 1s by convention)
• Family type = 1 (implies value to be included)
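An added Python walk-through of the VACM decision (not the book's code): constructed versions of the four VACM tables answer the six questions of slide 7-36 and apply the family subtree/mask matching of slides 7-39 and 7-40, including a row view for ifIndex 3 and an excluded subtree; the user names, group names and view names are invented, and context-prefix matching and the RFC 3415 tie-break rules are simplified as noted in the comments.

```python
"""VACM isAccessAllowed walk-through for the six questions of slide 7-36 and the
view family matching of slides 7-39 and 7-40.  Added example with constructed
tables; a real agent reads them from the four vacm* tables of Figure 7.17."""

LEVEL_RANK = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}
# vacmSecurityToGroupTable: (securityModel, securityName) -> groupName
SECURITY_TO_GROUP = {("usm", "jsmith"): "administrators", ("usm", "li"): "operators"}
# vacmContextTable: only the default context "" exists on this agent
CONTEXTS = {""}
# vacmAccessTable: (group, contextName, securityModel, minimum securityLevel)
#   -> (readView, writeView, notifyView); "" means no view of that type
ACCESS = {
    ("administrators", "", "usm", "authPriv"): ("all", "all", "all"),
    ("operators", "", "usm", "authNoPriv"): ("sys-if3", "", "sys-if3"),
}
# vacmViewTreeFamilyTable: viewName -> [(subtree, mask, type)]
VIEWS = {
    "all": [((1, 3, 6, 1), b"", "included"),
            ((1, 3, 6, 1, 6, 3, 15), b"", "excluded")],      # hide snmpUsmMIB
    "sys-if3": [((1, 3, 6, 1, 2, 1, 1), b"", "included"),     # system group
                # ifEntry row for ifIndex 3: subtree 1.3.6.1.2.1.2.2.1.0.3 with
                # mask ff:a0, whose 0 bit wildcards the column sub-identifier
                ((1, 3, 6, 1, 2, 1, 2, 2, 1, 0, 3), b"\xff\xa0", "included")],
}
# Constructed variable names: sysDescr.0, ifDescr.3 and a usmUserTable cell
SYS_DESCR_0 = (1, 3, 6, 1, 2, 1, 1, 1, 0)
IF_DESCR_3 = (1, 3, 6, 1, 2, 1, 2, 2, 1, 2, 3)
USM_USER_CELL = (1, 3, 6, 1, 6, 3, 15, 1, 2, 2, 1, 3)


def mask_bit(mask, i):
    """Bit i of the family mask (msb first); a short mask is padded with 1 bits."""
    if i // 8 >= len(mask):
        return True
    return (mask[i // 8] >> (7 - i % 8)) & 1 == 1


def family_matches(subtree, mask, oid):
    """OID is at least as long as the subtree and agrees wherever the mask bit is 1."""
    return len(oid) >= len(subtree) and all(
        not mask_bit(mask, i) or oid[i] == subtree[i] for i in range(len(subtree)))


def in_view(view_name, oid):
    """The longest matching family decides (RFC 3415); ties on length are broken
    here by the greater subtree value, which is an assumption of this example."""
    best = None
    for subtree, mask, ftype in VIEWS.get(view_name, []):
        if family_matches(subtree, mask, oid):
            if best is None or (len(subtree), subtree) > (len(best[0]), best[0]):
                best = (subtree, ftype)
    return best is not None and best[1] == "included"


def is_access_allowed(sec_model, sec_name, sec_level, context, view_type, oid):
    """Return 'accessAllowed' or the VACM status of the step that failed."""
    group = SECURITY_TO_GROUP.get((sec_model, sec_name))     # 1. who are you?
    if group is None:
        return "noGroupName"
    if context not in CONTEXTS:                              # 2. where do you want to go?
        return "noSuchContext"
    # 3. how secured are you?  Entries for this group/model/context whose minimum
    # level is met; the most demanding one wins.  Simplified: exact context match
    # only, without the context-prefix matching of the full RFC 3415 selection.
    cands = [(LEVEL_RANK[lvl], views) for (g, c, m, lvl), views in ACCESS.items()
             if (g, c, m) == (group, context, sec_model)
             and LEVEL_RANK[lvl] <= LEVEL_RANK[sec_level]]
    if not cands:
        return "noAccessEntry"
    view_name = max(cands)[1][("read", "write", "notify").index(view_type)]  # 4. why?
    if not view_name:
        return "noSuchView"
    return "accessAllowed" if in_view(view_name, oid) else "notInView"  # 5, 6. which object?


if __name__ == "__main__":
    for user, level, kind, oid in (("li", "authNoPriv", "read", SYS_DESCR_0),
                                   ("li", "authNoPriv", "write", IF_DESCR_3),
                                   ("jsmith", "authPriv", "read", USM_USER_CELL)):
        print(user, level, kind, oid, "->", is_access_allowed("usm", user, level, "", kind, oid))
```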