SNMPv3 - Computer Engineering

In the Name of the Most High
SNMPv3
by
Behzad Akbari
Fall 2011
These slides are based in parts upon slides of Prof. Dssouli (Concordia university)
Key Features of SNMPv3
• Modularization of documentation and architecture
• SNMP engine defined
  – Enables the use of SNMPv1 and SNMPv2 with the newly developed SNMPv3.
  – A model for the processing of SNMP messages.
• New security features
  – Secure information to prevent tampering of data
  – Access control to determine proper access to the MIB.
Documentation
[Figure: overview of the SNMPv3 document set; the figure itself is not reproduced in the text extraction.]
SNMP Architecture
• Distributed, interacting collection of SNMP entities
• An SNMP entity implements a portion of the SNMP capability:
  – It acts either as an agent or a manager or both
  – A collection of modules interacting with each other to provide services
[Figure: an SNMP entity consists of SNMP applications (command generator, command responder, notification originator, notification receiver, proxy forwarder, other) and an SNMP engine (dispatcher, message processing subsystem, security subsystem, access control subsystem).]
SNMP Architecture
Advantages:
• The role of an SNMP entity is determined by the modules implemented in that entity
  o A certain set of modules is required for an agent, while a different set is required for a manager
• The security subsystem provides services such as authentication and privacy of messages
  o Multiple security models can coexist
• Access control
  o A set of authorization services an application can use for checking access rights
SNMP Architecture-Manager
[Figure: a manager entity. Applications: command generator, notification receiver, notification originator. SNMP engine: dispatcher (PDU dispatcher, message dispatcher, transport mappings), message processing subsystem (SNMPv1, SNMPv2c, SNMPv3, other), security subsystem (community-based security model, user-based security model, other security model).]
SNMPv3 Architecture-Manager
• Command Generator Application
  o Monitors and manipulates management data at remote agents
  o Makes use of SNMPv1/v2 PDUs: Get, GetNext, GetBulk, etc.
• Notification Originator Application
  o Initiates messages, such as the InformRequest PDU
• Notification Receiver Application
  o Receives messages from other managers or agents
  o InformRequest, SNMPv1 and SNMPv2 Traps, etc.
• These applications make use of the services provided by the SNMP engine:
  o Gets outgoing PDUs, processes them and generates SNMP messages for transmission over the transport layer
  o Accepts incoming SNMP messages, processes them, extracts the PDUs and passes them to the appropriate SNMP application
SNMPv3 Architecture-Manager
SNMP Engine (identified by snmpEngineID): Dispatcher, Message Processing Subsystem, Security Subsystem
Dispatcher
• One dispatcher in an SNMP engine
  o Accepts PDUs from applications
  o Handles multiple message versions (SNMPv1, v2, v3)
  o Interfaces with application modules, the network, and the message processing models
• Three components for three functions
  – The transport mapper delivers messages over the transport protocol
  – The message dispatcher routes messages between the network and the appropriate module of the MPS
  – The PDU dispatcher handles messages between applications and the MPS
SNMPv3 Architecture-Manager
SNMP Engine (identified by snmpEngineID): Dispatcher, Message Processing Subsystem, Security Subsystem
Message Processing Subsystem
• Accepts outgoing PDUs from the Dispatcher, attaches the appropriate header, and returns the message to the Dispatcher
• Accepts incoming messages, processes each message header, and returns the enclosed PDU to the Dispatcher
• Contains one or more Message Processing Models, one for each SNMP version
• The SNMP version is identified in the header
SNMPv3 Architecture-Manager
SNMP Engine (identified by snmpEngineID): Dispatcher, Message Processing Subsystem, Security Subsystem
Security Subsystem
• The security subsystem performs authentication and encryption functions for each outgoing/incoming message
• Outgoing PDUs may be encrypted, and authentication codes generated and appended to the message header
  o The message is then returned to the MPS
• Incoming messages are passed to the security subsystem
  o Message decryption
  o Message authentication
SNMPv3 Architecture-Agent
[Figure: an agent entity. Applications: command responder, notification originator, proxy forwarder; the command responder reaches the Management Information Base through the access control subsystem (view-based access control). SNMP engine: dispatcher (PDU dispatcher, message dispatcher, transport mappings), message processing subsystem (SNMPv1, SNMPv2c, SNMPv3, other), security subsystem (community-based security model, user-based security model, other security model).]
SNMPv3 Architecture-Agent
• Command Responder Application
  o Provides access to management data
  o Responds to incoming requests by retrieving and/or setting managed objects and issuing a Response PDU
• Notification Originator Application
  o e.g., SNMPv1, v2 Trap PDU
• Proxy Forwarder Application
  o Forwards messages between entities
• Access Control Subsystem
  o Provides authorization services to “control access” to the MIB for reading and setting management objects
  o Who can access
  o What can be accessed
Terminology
• SNMP Engine ID: snmpEngineID -- associated with each SNMP entity
• Principal: principal -- person or group or application requesting services
• Security Name: securityName -- human readable name
• Context Engine ID: contextEngineID -- each entity has a unique context ID (identical to snmpEngineID)
• Context Name: contextName -- a context associated with a managed object (for access control)
  o An SNMP agent can monitor more than one network element (context)
Example:
  SNMP Engine ID: IP address
  Principal: John Smith
  Security Name: Administrator
[Figure: four SNMP entities, each containing an SNMP engine with its own snmpEngineID (snmpEngineID=1, 2, 3, 4) together with other modules.]
Abstract Service Interfaces
• An abstract service interface is a conceptual interface between modules, independent of implementation
• Defines a set of primitives
  o A primitive specifies the function to be performed (e.g., a procedure call)
• Primitives are associated with receiving entities
  o An interface defined using primitives and parameters is referred to as an “abstract service interface”
• e.g., Dispatcher primitives:
  o Handle messages to and from applications
  o Registering and un-registering of application modules
  o Transmitting messages to and receiving messages from the network
• IN and OUT parameters
• Status information / result
Dispatcher Primitives
[Figure: the Command Generator calls sendPdu on the Dispatcher across the abstract service interface and receives a sendPduHandle or an error indication; the Dispatcher in turn calls prepareOutgoingMessage on the Message Processing Model.]
sendPdu
• Used by a command generator to send an SNMP request or notification PDU to another SNMP entity
• When the message is successfully prepared by the Dispatcher:
  – a sendPduHandle (unique identifier) is returned (to track the response, if any is expected)
• The application also provides the transport domain/address for the PDU as well as the message processing model, security model, principal, level of security, the context for this PDU, and the PDU itself
Dispatcher Primitives
[Figure: as before; the Dispatcher additionally delivers processResponsePdu to the Command Generator.]
processResponsePdu
• Used by the Dispatcher to pass an incoming response PDU to an application
• The application checks whether it matches a preceding request or notification PDU by checking the sendPduHandle:
  – Success or failure
Dispatcher Primitives
[Figure: the Dispatcher delivers processPdu to the Command Responder, which answers with returnResponsePdu; the Dispatcher then calls prepareResponseMessage on the Message Processing Model.]
processPdu
• Used by the Dispatcher to pass an incoming request or notification PDU to an application (command responder)
• Security-related information is required to generate a matching response message
• The security subsystem (access control) will check whether access is allowed and a response will be generated accordingly
returnResponsePdu
• Used by a command responder to return an SNMP response to an incoming request or notification
Message Processing Subsystem Primitives
[Figure: Command Generator → sendPdu → Dispatcher → prepareOutgoingMessage → Message Processing Model; a sendPduHandle or errorIndication is returned to the application.]
prepareOutgoingMessage
• Prepares a message for an outgoing SNMP request or notification PDU
• The IN parameter is a PDU and the OUT parameter is the message
• Success or failure is returned
Message Processing Subsystem Primitives
[Figure: Command Responder → returnResponsePdu → Dispatcher → prepareResponseMessage → Message Processing Model.]
prepareResponseMessage
• Requests the preparation of a message containing an outgoing SNMP response PDU, in response to an incoming request or notification PDU
Security Subsystem Primitives
generateRequestMessage
• Generates a “message” containing an outgoing SNMP request or notification PDU
• Returns to the MPS a message (possibly with authentication and encryption applied) and the associated security parameters
processIncomingMessage
• Provides the security functions for incoming messages
• Returns success or failure indicating the result of the security check
• If successful, a PDU is returned to the MPS
generateResponseMessage
• Generates a message containing an outgoing SNMP response PDU in response to an incoming request or notification
• Returns to the MPS a message (with some authentication and encryption applied) and the associated security parameters
Applications
[Figure: the application subsystem contains the command generator, command responder, notification originator, notification receiver, proxy forwarder and other applications.]
Application                              Example
• Command generator                      get-request
• Command responder                      get-response
• Notification originator                trap generation
• Notification receiver                  trap processing
• Proxy Forwarder (SNMP versions only)   get-bulk to get-next
• Other                                  special application
Command Generator
[Figure: Command Generator → sendPdu → Dispatcher → prepareOutgoingMessage → Message Processing Model → generateRequestMsg → Security Model; a PduHandle is returned to the application and the get-request message is sent to the network. The get-response message received from the network passes through prepareDataElements (Message Processing Model) and processIncomingMsg (Security Model) and is delivered to the Command Generator via processResponsePdu.]
Command Generator:
1) Examines the parameters of the received PDU and matches/compares them with a cached copy (security model/level/name, contextName, etc.). If there is no match, the message is discarded.
2) Checks the received PDU (check request-id, etc.)
3) If all is OK, then takes action
Command Responder
[Figure 7.6 Command Responder Application: the Command Responder first calls registerContextEngineID on the Dispatcher. A get-request message received from the network passes through prepareDataElements (Message Processing Model) and processIncomingMsg (Security Model) and is delivered via processPdu. The response goes back via returnResponsePdu → prepareResponseMsg (Message Processing Model) → generateResponseMsg (Security Model), and the get-response message is sent to the network.]
Command Responder:
1) Examines the content of the request PDU. Checks whether the object has already been registered with the responder.
2) The isAccessAllowed primitive is invoked (to determine whether the object can be accessed by the principal making the request)
   – checks the security level
3) If access is permitted, prepares a response.
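To make the isAccessAllowed step of the command responder (and the "who can access / what can be accessed" role of the access control subsystem) concrete, here is an added example; it is not code from the slides or from any SNMP implementation. It models the view-based access check the way VACM (RFC 3415) structures it: a security-to-group table, an access table keyed by group/context/model/level, and view trees of included and excluded OID subtrees. The users, group names, view names and OIDs are constructed for the example; view-family masks and context-prefix matching are left out.

```python
"""Worked isAccessAllowed in the style of the View-based Access Control Model
(RFC 3415), with a constructed configuration.

Added example, not the slides' own code.  The three tables mirror VACM's
vacmSecurityToGroupTable, vacmAccessTable and vacmViewTreeFamilyTable, but
view-family masks and context-prefix matching are omitted for brevity.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

OID = Tuple[int, ...]
LEVEL_RANK = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}


@dataclass(frozen=True)
class AccessEntry:
    group: str
    context: str
    security_model: str
    min_level: str          # entry applies at this securityLevel or stronger
    read_view: str
    write_view: str
    notify_view: str


@dataclass(frozen=True)
class ViewFamily:
    view: str
    subtree: OID
    included: bool          # False = excluded subtree


class Vacm:
    def __init__(self, contexts, sec_to_group, access, views):
        self.contexts = set(contexts)
        self.sec_to_group: Dict[Tuple[str, str], str] = dict(sec_to_group)
        self.access: List[AccessEntry] = list(access)
        self.views: List[ViewFamily] = list(views)

    def is_access_allowed(self, security_model, security_name, security_level,
                          view_type, context_name, variable_name: OID) -> str:
        """Return a statusInformation value: accessAllowed or the reason for refusal."""
        if context_name not in self.contexts:
            return "noSuchContext"
        group = self.sec_to_group.get((security_model, security_name))
        if group is None:
            return "noGroupName"
        candidates = [e for e in self.access
                      if e.group == group and e.context == context_name
                      and e.security_model == security_model
                      and LEVEL_RANK[e.min_level] <= LEVEL_RANK[security_level]]
        if not candidates:
            return "noAccessEntry"
        # Prefer the entry demanding the strongest level the message satisfies.
        entry = max(candidates, key=lambda e: LEVEL_RANK[e.min_level])
        view_name = {"read": entry.read_view, "write": entry.write_view,
                     "notify": entry.notify_view}[view_type]
        if not view_name or not any(f.view == view_name for f in self.views):
            return "noSuchView"
        matches = [f for f in self.views
                   if f.view == view_name and variable_name[:len(f.subtree)] == f.subtree]
        if not matches:
            return "notInView"
        # The longest matching subtree decides (most specific include/exclude wins).
        best = max(matches, key=lambda f: len(f.subtree))
        return "accessAllowed" if best.included else "notInView"


SYSTEM = (1, 3, 6, 1, 2, 1, 1)        # system group
INTERNET = (1, 3, 6, 1)
USM_MIB = (1, 3, 6, 1, 6, 3, 15)      # snmpUsmMIB (user and key objects)

# Constructed configuration: a read-only monitoring user and an authPriv admin.
VACM = Vacm(
    contexts=[""],
    sec_to_group={("usm", "monitor"): "readonly", ("usm", "admin"): "readwrite"},
    access=[
        AccessEntry("readonly", "", "usm", "authNoPriv", "sysOnly", "", "sysOnly"),
        AccessEntry("readwrite", "", "usm", "authPriv", "all", "all", "all"),
    ],
    views=[
        ViewFamily("sysOnly", SYSTEM, True),
        ViewFamily("all", INTERNET, True),
        ViewFamily("all", USM_MIB, False),   # keep the USM user/key objects out of "all"
    ],
)


def check(user: str, level: str, view_type: str, oid: OID) -> str:
    """Convenience wrapper for the constructed configuration (default context)."""
    return VACM.is_access_allowed("usm", user, level, view_type, "", oid)


if __name__ == "__main__":
    print(check("monitor", "authNoPriv", "read", SYSTEM + (1, 0)))   # sysDescr.0
    print(check("admin", "authPriv", "write", USM_MIB + (1, 2, 2, 1, 3)))
```

Note how the refusal reasons differ: a weaker-than-required security level yields noAccessEntry before any view is consulted, an empty view name yields noSuchView, and an excluded subtree yields notInView even though the enclosing subtree is included.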
Scenario Diagrams
[Figure: a sequence of animated slides shows two SNMP entities, each with applications, a dispatcher, a message processing subsystem, a security subsystem and an access control subsystem, and highlights the primitives in turn: sendPdu, prepareOutgoingMessage, generateRequestMsg, send and receive, prepareDataElements, processIncomingMsg, processPdu, isAccessAllowed, returnResponsePdu, prepareResponseMessage, generateResponseMsg, send and receive, prepareDataElements, processIncomingMsg, processResponsePdu.]
Parameters (carried across the abstract service interfaces):
contextEngineID, contextName, destTransportAddress, destTransportDomain, expectResponse, globalData, maxMessageSize, maxSizeResponseScopedPDU, messageProcessingModel, outgoingMessage, outgoingMessageLength, PDU, pduType, pduVersion, scopedPDU, stateReference, statusInformation, securityEngineID, securityLevel, securityModel, securityName, securityParameters, securityStateReference, sendPduHandle, transportAddress, transportDomain, variableName, viewType, wholeMsg, wholeMsgLength
Message Format
[Figure: the whole message consists of Version | Global/Header Data | Security Parameters | scopedPDU.]
• Version: 1 SNMPv1, 2 SNMPv2, 3 SNMPv3
• Header Data: Message ID, Message Max. Size, Message Flags (reportableFlag, privFlag, authFlag), Message Security Model
• Security Parameters: Authoritative Engine ID, Authoritative Engine Boots, Authoritative Engine Time, User Name, Authentication Parameters, Privacy Parameters
  o Engine Boots / Engine Time: time synchronization between entities to avoid message replay and achieve timeliness
• scopedPDU (plaintext or encrypted scopedPDU data): Context Engine ID, Context Name, Data
Message Format
Field | Object name | Description
Version | msgVersion | SNMP version number of the message format
Message ID | msgID | Administrative ID associated with the message
Message Max. Size | msgMaxSize | Maximum size supported by the sender
Message flags | msgFlags | Bit fields identifying report, authentication, and privacy of the message
Message Security Model | msgSecurityModel | Security model used for the message; concurrent multiple models allowed
Security Parameters (See Table 7.8) | msgSecurityParameters | Security parameters used for communication between sending and receiving security modules
Plaintext/Encrypted scopedPDU Data | scopedPduData | Choice of plaintext or encrypted scopedPDU; scopedPDU uniquely identifies context and PDU
Context Engine ID | contextEngineID | Unique ID of a context (managed entity) with a context name realized by an SNMP entity
Context Name | contextName | Name of the context (managed entity)
PDU | data | Contains the unencrypted PDU (see p. 304)
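The header fields above are carried on the wire as a BER SEQUENCE (msgID, msgMaxSize, msgFlags, msgSecurityModel). The following is an added example, not code from the slides, that encodes and decodes that msgGlobalData header with a minimal BER codec and derives the securityLevel from msgFlags; it also rejects the one flag combination the flags cannot legally express (privacy without authentication). The sample values (msgID 0x1234, msgMaxSize 65507) are constructed; the bit positions of authFlag, privFlag and reportableFlag and the USM model number 3 are those of the SNMPv3 specification.

```python
"""Encode and decode the SNMPv3 msgGlobalData header (msgID, msgMaxSize,
msgFlags, msgSecurityModel) with a minimal BER codec.

Added example, not from the slides.  Only the three BER types the header
needs are implemented (INTEGER, OCTET STRING, SEQUENCE); no other tags and
no indefinite-length forms.
"""
from dataclasses import dataclass
from typing import List, Tuple

# msgFlags bit positions (RFC 3412): bit 0 authFlag, bit 1 privFlag,
# bit 2 reportableFlag.
AUTH_FLAG, PRIV_FLAG, REPORTABLE_FLAG = 0x01, 0x02, 0x04
USM_SECURITY_MODEL = 3   # msgSecurityModel value of the User-based Security Model


def valid_flags(flags: int) -> bool:
    """privFlag set without authFlag is not a legal securityLevel."""
    return not (flags & PRIV_FLAG and not flags & AUTH_FLAG)


def security_level(flags: int) -> str:
    if not valid_flags(flags):
        raise ValueError("privFlag set without authFlag")
    if flags & PRIV_FLAG:
        return "authPriv"
    return "authNoPriv" if flags & AUTH_FLAG else "noAuthNoPriv"


def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_int(v: int) -> bytes:
    n = 1   # smallest two's-complement width that holds v
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return b"\x02" + _ber_len(n) + v.to_bytes(n, "big", signed=True)


def ber_octets(b: bytes) -> bytes:
    return b"\x04" + _ber_len(len(b)) + b


def ber_seq(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + _ber_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the TLV) for the TLV at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + ln > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + ln], pos + ln


@dataclass
class HeaderData:
    msg_id: int
    msg_max_size: int
    msg_flags: int
    msg_security_model: int

    def encode(self) -> bytes:
        return ber_seq(ber_int(self.msg_id), ber_int(self.msg_max_size),
                       ber_octets(bytes([self.msg_flags])),
                       ber_int(self.msg_security_model))


def decode_header(buf: bytes) -> HeaderData:
    tag, body, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("msgGlobalData must be a SEQUENCE")
    fields: List[Tuple[int, bytes]] = []
    pos = 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        fields.append((t, v))
    if [t for t, _ in fields] != [0x02, 0x02, 0x04, 0x02] or len(fields[2][1]) != 1:
        raise ValueError("unexpected field layout in msgGlobalData")
    hdr = HeaderData(int.from_bytes(fields[0][1], "big", signed=True),
                     int.from_bytes(fields[1][1], "big", signed=True),
                     fields[2][1][0],
                     int.from_bytes(fields[3][1], "big", signed=True))
    security_level(hdr.msg_flags)   # reject an auth-less privacy request at parse time
    return hdr


if __name__ == "__main__":
    hdr = HeaderData(0x1234, 65507, AUTH_FLAG | PRIV_FLAG | REPORTABLE_FLAG, USM_SECURITY_MODEL)
    wire = hdr.encode()
    print(wire.hex(), security_level(decode_header(wire).msg_flags))
```

Validating msgFlags at decode time matters because the security subsystem selects its authentication and privacy processing from these bits; a receiver that silently treated privFlag-only as authPriv would accept an unauthenticated message as if it had been checked.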
Security Threats
Modification of Information
• An entity may alter in-transit SNMP messages generated on behalf of an authorized principal in such a way as to effect unauthorized management operations, including falsifying the value of an object
Masquerade
• Management operations not authorized for some entity may be attempted by assuming the identity of another entity that has the appropriate authorizations
[Figure: threats on the exchange between Management Entity A and Management Entity B: modification of information, masquerade, message stream modification, disclosure.]
Security Threats
Message Stream Modification
• SNMP is typically based upon a connectionless transport service. Messages may be maliciously reordered, delayed or replayed in order to effect unauthorized management operations.
  o For example, a message to reboot a system could be copied and replayed later
Disclosure
• Eavesdropping on or intercepting the exchanges between SNMP engines
[Figure: same threat diagram as above.]
Security Threats
SNMPv3 is not intended to secure against these two threats:
Denial of Service:
• An attacker may prevent exchanges between manager and agent
• DoS is indistinguishable from network element failures
• DoS may disrupt all services (not just those pertaining to NM)
Traffic Analysis:
• An attacker may observe the general pattern of traffic between managers and agents
[Figure: same threat diagram as above.]
Security Model Goals
o Data integrity (authentication)
o Authentication
o Message redirection/re-ordering/delay/replay
o Data encryption/decryption
Security Model
[Figure: the Security Subsystem exchanges messages with the Message Processing Model and contains an Authentication Module (data integrity, data origin authentication), a Privacy Module (data confidentiality) and a Timeliness Module (message timeliness and limited replay protection).]
• The security model authenticates and forwards incoming and outgoing messages to the MPM
• 3 different modules
  o Authentication module
  o Privacy module
  o Timeliness module
Authentication Module
[Figure: the security subsystem diagram with the Authentication Module highlighted.]
• Data integrity
  o Message authentication at the sender and validation at the receiver
  o Ensures that a message is not modified by an unauthorized intruder
  o Authentication protocols: HMAC-MD5-96 / HMAC-SHA-96
• Data origin authentication
  o Checks the identity of the user on whose behalf a message is sent
  o Appends to the message a unique identifier associated with the authoritative SNMP engine
Privacy Module
[Figure: the security subsystem diagram with the Privacy Module highlighted.]
• Data confidentiality ensures that data is not made available to unauthorized users or entities
• Encryption is applied at the sender and decryption at the receiver (CBC-DES)
Timeliness Module
[Figure: the security subsystem diagram with the Timeliness Module highlighted.]
• Prevents message redirection, delay and replay
• Configures a receiver window for accepting messages (e.g., 150 s for SNMPv3)
• Three objects: snmpEngineID, snmpEngineBoots, snmpEngineTime
Authoritative vs. non-authoritative engine
• Responsibility of the authoritative engine
  o Unique SNMP engine ID
  o Time-stamp (a clock maintained by the authoritative engine)
• The non-authoritative engine should keep a table of the time-stamp and authoritative engine ID
  o Synchronizes its clock with regard to that of the authoritative engine
[Figure: a Non-Authoritative Engine (NMS) exchanging messages with an Authoritative Engine (Agent).]
User-based Security Model (USM)
• USM primitives across abstract service interfaces
  o Authentication service primitives
    – authenticateOutgoingMsg
    – authenticateIncomingMsg
  o Privacy services
    – encryptData // outgoing PDU
    – decryptData // incoming PDU
User-based Security Model (USM)
[Figure: Privacy and Authentication Service for Outgoing Message. The Message Processing Model hands the User-based Security Model the MPM information (header data, security data, scopedPDU). The USM passes the encryption key and scopedPDU to the Privacy Module and receives the privacy parameters and the encrypted scopedPDU; it then passes the authentication key and the whole message to the Authentication Module and receives the authenticated whole message. The (authenticated/encrypted) whole message, the whole message length and the security parameters are returned to the MPM.]
• USM invokes the privacy module with the encryption key and the scopedPDU
• The privacy module returns the privacy parameters and the encrypted scopedPDU
• USM then invokes the authentication module with the authentication key and the whole message, and receives the authenticated whole message
User-based Security Model (USM)
[Figure: Privacy and Authentication Service for Incoming Message. The Message Processing Model hands the User-based Security Model the header data, the security parameters and the whole message as received from the network. The USM passes the authentication key, the authentication parameters and the whole message to the Authentication Module and receives the authenticated whole message; it then passes the decrypt key, the privacy parameters and the encrypted PDU to the Privacy Module and receives the decrypted scopedPDU.]
• Processing of a secure incoming message is the reverse of that of a secure outgoing message
  – Authentication validation is done first, by the authentication module
  – Decryption of the message is then done by the privacy module
User-based Security Model (USM)
Security Parameters and Corresponding MIB Objects
Security Parameters | USM User Group Objects
msgAuthoritativeEngineID | snmpEngineID (under snmpEngine Group)
msgAuthoritativeEngineBoots | snmpEngineBoots (under snmpEngine Group)
msgAuthoritativeEngineTime | snmpEngineTime (under snmpEngine Group)
msgUserName | usmUserName (in usmUserTable)
msgAuthenticationParameters | usmUserAuthProtocol (in usmUserTable)
msgPrivacyParameters | usmUserPrivProtocol (in usmUserTable)
• msgUserName: the user or principal on whose behalf the message is being exchanged
• msgAuthenticationParameters: defined by the authentication protocol
• msgPrivacyParameters: type of privacy protocol used
SNMPv3-Next!
• Background and security threats
• SNMPv3 Architecture
• SNMPv3 Applications
• Message Format
• User-based Security Model (USM)
  – USM Timeliness Mechanism
  – Cryptographic Functions
  – USM Message Processing
  – Discovery
  – Key Management
USM Timeliness Mechanism
Management of authoritative clocks
• All authoritative engines must maintain two objects:
  o snmpEngineBoots
  o snmpEngineTime
• Initially, both are set to 0
• snmpEngineTime is incremented once per second
• snmpEngineBoots is incremented if the system has rebooted or if snmpEngineTime reaches its maximum value (2^31 - 1)
USM Timeliness Mechanism
Synchronization
• A non-authoritative engine must remain loosely synchronized with each authoritative engine with which it communicates
• A non-authoritative engine keeps a local copy of 3 variables for each authoritative engine:
  snmpEngineBoots:
    o Most recent value of snmpEngineBoots for the remote authoritative engine
  snmpEngineTime:
    o Synchronized to the authoritative engine. Between synch events, it is incremented once per second to maintain loose synch
  latestReceivedEngineTime:
    o Highest value of msgAuthoritativeEngineTime received
    o It protects against a message replay attack
• These values are stored in a cache indexed by snmpEngineID
USM Timeliness Mechanism
Synchronization (cont’d)
[Figure: the authoritative engine sends msgAuthoritativeEngineBoots, msgAuthoritativeEngineTime and msgAuthoritativeEngineID to the non-authoritative engine.]
• If the message is authentic, the non-authoritative engine updates its local variables according to this rule:
  (msgAuthoritativeEngineBoots > snmpEngineBoots) OR
  [(msgAuthoritativeEngineBoots = snmpEngineBoots) AND
   (msgAuthoritativeEngineTime > latestReceivedEngineTime)]
• If the rule does not hold, two messages have arrived out of order or a replay attack is underway!
USM Timeliness Mechanism
Synchronization (cont’d)
• If an update is called for, then
  snmpEngineBoots := msgAuthoritativeEngineBoots
  snmpEngineTime := msgAuthoritativeEngineTime
  latestReceivedEngineTime := msgAuthoritativeEngineTime
• If (msgAuthoritativeEngineBoots < snmpEngineBoots) then no update occurs [message not authentic → to be discarded]
• If [(msgAuthoritativeEngineBoots = snmpEngineBoots) AND (msgAuthoritativeEngineTime < latestReceivedEngineTime)] then no update occurs [message may be authentic but may be misordered → an update of snmpEngineTime is not warranted]
USM Timeliness Mechanism
Timeliness checking by authoritative receiver
- Ensure that messages are received within a reasonable time window (avoid delays and replays)
  o Too small a time window → authentic messages may be considered unauthentic
  o Too large a window → increased vulnerability to attacks
- An incoming message is considered outside the time window if any of the following is true:
  snmpEngineBoots = (2^31 - 1) OR
  msgAuthoritativeEngineBoots ≠ snmpEngineBoots OR
  the value of msgAuthoritativeEngineTime differs from that of snmpEngineTime by more than ±150 seconds.
  → the message is considered not authentic (discarded and an error message returned)
USM Timeliness Mechanism
Timeliness checking by non-authoritative receiver
- An incoming message is considered outside the time window if any of the following is true:
  snmpEngineBoots = (2^31 - 1) OR
  msgAuthoritativeEngineBoots < snmpEngineBoots OR
  [(msgAuthoritativeEngineBoots = snmpEngineBoots) AND msgAuthoritativeEngineTime < snmpEngineTime - 150]
- NOTE: msgAuthoritativeEngineBoots > snmpEngineBoots is allowed (the authoritative engine may have rebooted since the last synch)
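The synchronization rule and the two time-window checks from the slides above, written out as an added example (not code from the deck). The clocks are plain integers; the 150-second window and the 2^31 - 1 ceiling are the values the slides state, and the scenario in demo() is constructed.

```python
"""USM timeliness rules: non-authoritative synchronization and the time-window
checks on both sides. Added example; clock values are modelled as integers."""
from dataclasses import dataclass

MAX_ENGINE_TIME = 2**31 - 1   # ceiling for snmpEngineBoots / snmpEngineTime
TIME_WINDOW = 150             # seconds, used by both receivers


@dataclass
class RemoteClock:
    """Non-authoritative engine's cached view of one authoritative engine
    (the three variables kept per snmpEngineID)."""
    snmpEngineBoots: int = 0
    snmpEngineTime: int = 0
    latestReceivedEngineTime: int = 0


def update_allowed(clock: RemoteClock, msg_boots: int, msg_time: int) -> bool:
    """The synchronization rule: update only on a newer boots value, or on the
    same boots value with a time later than anything already received."""
    return msg_boots > clock.snmpEngineBoots or (
        msg_boots == clock.snmpEngineBoots
        and msg_time > clock.latestReceivedEngineTime
    )


def synchronize(clock: RemoteClock, msg_boots: int, msg_time: int) -> str:
    """Apply an *authenticated* message's msgAuthoritativeEngine{Boots,Time}
    to the cached clock. Returns which branch of the slide's rule fired."""
    if msg_boots < clock.snmpEngineBoots:
        return "discard"          # older boot epoch: not authentic
    if not update_allowed(clock, msg_boots, msg_time):
        return "misordered"       # same epoch, older time: keep the cache
    clock.snmpEngineBoots = msg_boots
    clock.snmpEngineTime = msg_time
    clock.latestReceivedEngineTime = msg_time
    return "updated"


def authoritative_in_window(local_boots: int, local_time: int,
                            msg_boots: int, msg_time: int) -> bool:
    """Check performed by the authoritative engine on an incoming message."""
    if local_boots == MAX_ENGINE_TIME:
        return False
    if msg_boots != local_boots:
        return False
    return abs(msg_time - local_time) <= TIME_WINDOW


def non_authoritative_in_window(clock: RemoteClock,
                                msg_boots: int, msg_time: int) -> bool:
    """Check performed by the non-authoritative engine; a newer boots value
    from the remote side is accepted (the remote engine may have rebooted)."""
    if clock.snmpEngineBoots == MAX_ENGINE_TIME:
        return False
    if msg_boots < clock.snmpEngineBoots:
        return False
    if (msg_boots == clock.snmpEngineBoots
            and msg_time < clock.snmpEngineTime - TIME_WINDOW):
        return False
    return True


def demo() -> list:
    """Constructed scenario: fresh cache, a normal update, a replayed (older)
    message, a reboot of the remote engine, an old-epoch message, then two
    window checks that must fail."""
    clock = RemoteClock()
    log = [synchronize(clock, 3, 1000)]       # first authentic message
    log.append(synchronize(clock, 3, 900))    # replay / misordered: no update
    log.append(synchronize(clock, 4, 10))     # remote rebooted: accepted
    log.append(synchronize(clock, 3, 5000))   # older epoch: discard
    log.append(non_authoritative_in_window(clock, 4, 10 - 200))  # too stale
    log.append(authoritative_in_window(4, 10, 4, 10 + 151))      # 151 s off
    return log
```

The asymmetry is the point worth noticing: the authoritative side demands an exact match on boots, while the non-authoritative side tolerates a larger boots value, because only the authoritative engine knows when it rebooted.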
Cryptographic Functions - Authentication
- 2 functions defined by USM, each with its own key:
  o authentication: authKey
  o encryption: privKey
- authKey and privKey are derived from the password and are not accessible via SNMP
1- Authentication
- Two authentication protocols
  o HMAC-MD5-96 (Message Digest)
  o HMAC-SHA1-96 (Secure Hash Algorithm)
- HMAC: message authentication code generated from authKey
  o A 96-bit MAC is generated and inserted in the msgAuthenticationParameters field of the message
  o MD5 (16-octet) and SHA-1 (20-octet) are the underlying hash functions
Cryptographic Functions - Authentication
- Procedure:
  1. Derive extendedAuthKey:
     Supplement authKey with 0s to get a 64-byte string
  2. Define ipad, opad, K1, and K2:
     ipad = 0x36 (00110110) repeated 64 times
     opad = 0x5c (01011100) repeated 64 times
     K1 = extendedAuthKey XOR ipad
     K2 = extendedAuthKey XOR opad
  3. Derive the HMAC with the hashing algorithm used (|| denotes concatenation):
     HMAC = H(K2 || H(K1 || wholeMsg))
- Depending on whether MD5 or SHA-1 is used, the algorithm produces a 16-octet (MD5) or 20-octet (SHA-1) output, which is truncated to produce a 12-octet MAC
HMAC Structure
Cryptographic Functions - Authentication
[Figure: the sender runs KEY and DATA through the HASH FUNCTION to obtain the MAC, adds the message authentication code (MAC) to the data and sends the result. To authenticate, the receiver runs the same KEY and the received DATA through the HASH FUNCTION and compares the resulting MAC with the received MAC (=?).]
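The three-step procedure above, implemented directly from ipad/opad rather than through a library HMAC, as an added example (not code from the deck). The hand-rolled result is cross-checked against Python's hmac module and truncated to the 12 octets that go into msgAuthenticationParameters; the key and message bytes in the usage are constructed.

```python
"""HMAC-MD5-96 / HMAC-SHA1-96 as used by USM, built from the slide's steps.
Added example: the caller is expected to zero the 12-octet
msgAuthenticationParameters field in wholeMsg before computing or verifying."""
import hashlib
import hmac

BLOCK_SIZE = 64          # byte length of the MD5 / SHA-1 compression block
MAC_LEN = 12             # 96 bits


def usm_hmac_96(auth_key: bytes, whole_msg: bytes, algo: str) -> bytes:
    """Steps 1-3 from the slide: pad the key, derive K1/K2 with ipad/opad,
    hash twice, truncate. algo is 'md5' or 'sha1'."""
    h = getattr(hashlib, algo)
    if len(auth_key) > BLOCK_SIZE:
        raise ValueError("authKey longer than the hash block size")
    # 1. extendedAuthKey: authKey supplemented with zeros to 64 bytes
    extended = auth_key.ljust(BLOCK_SIZE, b"\x00")
    # 2. K1 = extendedAuthKey XOR ipad, K2 = extendedAuthKey XOR opad
    k1 = bytes(b ^ 0x36 for b in extended)
    k2 = bytes(b ^ 0x5C for b in extended)
    # 3. HMAC = H(K2 || H(K1 || wholeMsg)): 16 (MD5) or 20 (SHA-1) octets ...
    full = h(k2 + h(k1 + whole_msg).digest()).digest()
    # ... truncated to the 12-octet MAC carried in the message
    return full[:MAC_LEN]


def verify_mac(auth_key: bytes, whole_msg: bytes, algo: str,
               received: bytes) -> bool:
    """Receiver side: recompute over the received message and compare in
    constant time, so the comparison leaks nothing about the expected MAC."""
    expected = usm_hmac_96(auth_key, whole_msg, algo)
    return hmac.compare_digest(expected, received)


def matches_stdlib(auth_key: bytes, whole_msg: bytes, algo: str) -> bool:
    """Cross-check the hand-rolled construction against hmac.new."""
    ref = hmac.new(auth_key, whole_msg, getattr(hashlib, algo)).digest()
    return usm_hmac_96(auth_key, whole_msg, algo) == ref[:MAC_LEN]


if __name__ == "__main__":
    key = bytes(range(16))                       # constructed 16-octet authKey
    msg = b"constructed SNMPv3 wholeMsg"         # constructed message bytes
    mac = usm_hmac_96(key, msg, "md5")
    print(mac.hex(), matches_stdlib(key, msg, "md5"),
          verify_mac(key, msg, "md5", mac))
```

Truncation to 96 bits is what distinguishes the USM variant from plain HMAC-MD5/HMAC-SHA1; the full digest is never transmitted.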
Cryptographic Functions - Encryption
2- Encryption and decryption of the scoped PDU (context engine ID, context name, and PDU)
- CBC-DES (Cipher Block Chaining - Data Encryption Standard) symmetric protocol
  o The 16-octet privKey (derived from the password, similarly to authKey) is used as input to the encryption protocol
  o The first 8 octets of privKey are used as the DES key (only 56 bits → the LSB of each octet is ignored)
Cryptographic Functions - Encryption
- CBC Mode
  o The last 8 octets of privKey are used as the pre-initialization vector (pre-IV)
  o Generate a salt value (8 octets): <snmpEngineBoots || local value>
    → Initialization vector: IV = salt XOR pre-IV
  o Local value: 4-octet integer, implementation dependent, modified after each use
  o Transmit the salt in msgPrivacyParameters so that the receiver can recover the IV
Cryptographic Functions - Encryption
[Figure: CBC encryption. Plaintext blocks P1, P2, ..., Pn; P1 is XORed with the IV and each later Pi with the previous ciphertext block Ci-1 before DES encryption under key k, giving C1, C2, ..., Cn.]
Encryption: data is divided into blocks of 64 bits each. K is shared between the sender and the receiver.
Cryptographic Functions - Encryption
[Figure: CBC decryption. Each ciphertext block Ci is DES-decrypted under key k and then XORed with the IV (for C1) or with Ci-1 to recover P1, P2, ..., Pn.]
Decryption: the IV at the receiver is generated from the salt that is transmitted in the message.
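The key-split and IV handling described on the CBC-DES slides, as an added example (not code from the deck). DES itself is not in the Python standard library and is not reimplemented here; what the block shows is how privKey is carved into DES key and pre-IV, how the 8-octet salt (4-octet snmpEngineBoots followed by a 4-octet local value, big-endian as assumed here) is advanced after every use so no IV repeats under one key, and how the receiver rebuilds the IV from msgPrivacyParameters. The privKey and engine-boots values are constructed.

```python
"""CBC-DES key and IV derivation for USM privacy. Added example; only the key
split and salt/IV logic are implemented, not the DES block cipher."""
import struct
from dataclasses import dataclass, field


def split_priv_key(priv_key: bytes):
    """16-octet privKey -> (8-octet DES key, 8-octet pre-IV)."""
    if len(priv_key) != 16:
        raise ValueError("CBC-DES privKey must be 16 octets")
    return priv_key[:8], priv_key[8:]


def effective_des_key_bits(des_key: bytes) -> str:
    """The 56 bits DES actually uses: the LSB of each octet is ignored."""
    return "".join(format(b >> 1, "07b") for b in des_key)


@dataclass
class SaltGenerator:
    """Sender state: snmpEngineBoots of the authoritative engine plus the
    implementation-dependent local value, modified after every use."""
    engine_boots: int
    local_value: int = 0
    salts_used: set = field(default_factory=set)

    def next_salt(self) -> bytes:
        # salt = snmpEngineBoots || local value, both 4 octets (assumed big-endian)
        salt = struct.pack(">II", self.engine_boots, self.local_value)
        self.local_value = (self.local_value + 1) % 2**32
        if salt in self.salts_used:
            # a repeated salt would repeat the IV under the same DES key
            raise RuntimeError("salt reuse detected")
        self.salts_used.add(salt)
        return salt


def derive_iv(salt: bytes, pre_iv: bytes) -> bytes:
    """IV = salt XOR pre-IV (both 8 octets)."""
    if len(salt) != 8 or len(pre_iv) != 8:
        raise ValueError("salt and pre-IV must be 8 octets")
    return bytes(s ^ p for s, p in zip(salt, pre_iv))


def receiver_iv(msg_privacy_parameters: bytes, priv_key: bytes) -> bytes:
    """Receiver recovers the IV from the transmitted salt and its own privKey."""
    _, pre_iv = split_priv_key(priv_key)
    return derive_iv(msg_privacy_parameters, pre_iv)


def demo_round_trip(priv_key: bytes, engine_boots: int, messages: int) -> bool:
    """Sender derives one IV per message; the receiver derives the same one
    from msgPrivacyParameters. Also confirms no IV repeats across messages."""
    des_key, pre_iv = split_priv_key(priv_key)
    gen = SaltGenerator(engine_boots)
    ivs = []
    for _ in range(messages):
        salt = gen.next_salt()                 # transmitted as msgPrivacyParameters
        iv = derive_iv(salt, pre_iv)
        if receiver_iv(salt, priv_key) != iv:
            return False
        ivs.append(iv)
    return len(set(ivs)) == messages and len(des_key) == 8


if __name__ == "__main__":
    pk = bytes(range(16))                      # constructed 16-octet privKey
    print(effective_des_key_bits(pk[:8]), demo_round_trip(pk, 7, 5))
```

Because the pre-IV is secret and the salt is public, the IV is unpredictable to a third party but reproducible by the receiver; the local counter is what keeps it from repeating.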
USM Message Processing
[Flowchart: Message Transmission]
1. Retrieve user information: security name of the principal, authoritative snmpEngineID; determine the security level ...
2. Privacy required?
   YES → encrypt the scopedPDU and set msgPrivacyParameters
   NO → msgPrivacyParameters := NULL
3. Authentication required?
   YES → compute the MAC and set msgAuthenticationParameters
   NO → msgAuthenticationParameters := NULL
USM Message Processing
[Flowchart: Message reception]
1. Retrieve the message parameters: security level, security model, security name ...
2. Authentication required?
   YES → compute the MAC over the received message and compare it with msgAuthenticationParameters; then determine if the message is within the time window (time synch. / timeliness check)
   NO → continue without authentication
3. Privacy required?
   YES → decrypt the scopedPDU
   NO → use the scopedPDU as received
Discovery
- The non-authoritative engine sends a Request message:
  securityLevel = noAuthNoPriv
  msgUserName = "initial"
  msgAuthoritativeEngineID = null
  varBindList = null
- The authoritative engine responds with:
  msgAuthoritativeEngineID = snmpEngineID (its own)
- If authenticated communication is required
  o The non-authoritative engine establishes time synchronization with the authoritative engine
  o The authoritative engine sends a Report message with its current values:
    msgAuthoritativeEngineBoots = snmpEngineBoots
    msgAuthoritativeEngineTime = snmpEngineTime
Key Management
- Authentication and privacy keys are required
- A principal (i.e., NMS) should deploy or use only one auth. key and one priv. key
- Keys are derived from the user's password
  o Password: human readable, not easily guessed
  o Keys are not accessible via SNMP and are not stored in the MIB
Password to key generation
1) Repeat the password to generate 2^20 bytes → digest0
2) digest1 = Hash(digest0)
   digest1 is 16 octets (MD5) or 20 octets (SHA-1)
   → authKey is digest1
NOTE: A single password can be used (authKey and privKey are the same) or 2 passwords for 2 different keys
Key Localization
- A localized key is a secret key shared between a user and one authoritative SNMP engine
  o Hence, a user can communicate with many agents but maintains only one key (i.e., only one password)
[Figure: Agent 1 holds (authKey1_1, privKey1_1) for User 1 and (authKey1_2, privKey1_2) for User 2; Agent 2 holds (authKey2_1, privKey2_1) for User 1 and (authKey2_4, privKey2_4) for User 4. If one agent is compromised, only its keys are compromised; the other agents' keys are not, so the other agents are safe.]
Generating localized Keys
[Figure: password → take the hash of the expanded password string → user key (digest1) → take the hash of the user key and the remote engine ID → localized key (digest2), one per remote engine]
- Localized keys are initially configured in a secure way (could be manual!)
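Password-to-key generation and key localization from the two slides above, as an added example (not code from the deck). The steps are the slides' own; the exact localization input, Hash(digest1 || snmpEngineID || digest1), and the check values used in the usage (password "maplesyrup", engine ID 000000000000000000000002) are taken from RFC 3414, Appendix A, so the output can be compared against that specification. The second engine ID in the usage is a constructed value.

```python
"""USM password-to-key (2^20-byte expansion then hash) and key localization.
Added example; the 1 MiB expansion is streamed into the hash in chunks."""
import hashlib

EXPANSION_LEN = 2**20   # 1,048,576 bytes of repeated password


def password_to_key(password: str, algo: str) -> bytes:
    """1) repeat the password to 2^20 bytes -> digest0
       2) digest1 = Hash(digest0), 16 octets (md5) or 20 octets (sha1).
    The repeated string is fed in chunks that are whole multiples of the
    password length, so the cycle is continuous and never built in memory."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    h = getattr(hashlib, algo)()
    chunk = pw * (4096 // len(pw) + 1)      # >= 4 KiB, multiple of len(pw)
    remaining = EXPANSION_LEN
    while remaining > 0:
        piece = chunk[:remaining]           # last piece is cut at 2^20 bytes
        h.update(piece)
        remaining -= len(piece)
    return h.digest()                       # digest1: the user key (authKey)


def localize_key(user_key: bytes, engine_id: bytes, algo: str) -> bytes:
    """digest2 = Hash(user key || remote engine ID || user key): a key shared
    only with that one authoritative engine (RFC 3414 localization input)."""
    return getattr(hashlib, algo)(user_key + engine_id + user_key).digest()


def localized_keys_for(password: str, engine_ids: list, algo: str) -> dict:
    """One password, many agents: each agent gets a distinct localized key,
    so compromise of one agent's key table does not expose the others."""
    ku = password_to_key(password, algo)
    return {eid.hex(): localize_key(ku, eid, algo) for eid in engine_ids}


if __name__ == "__main__":
    rfc_engine = bytes.fromhex("000000000000000000000002")   # RFC 3414 A.3
    other_engine = bytes.fromhex("80000002010a000001")        # constructed
    ku = password_to_key("maplesyrup", "md5")
    print("Ku :", ku.hex())
    print("Kul:", localize_key(ku, rfc_engine, "md5").hex())
    print(localized_keys_for("maplesyrup", [rfc_engine, other_engine], "md5"))
```

The 2^20-byte expansion is deliberate work: it slows down guessing of human-chosen passwords, while the localization step is what makes the per-agent keys independent.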
Key Update
- To enhance security, keys are to be updated from time to time: keyOld → keyNew
- Requestor:
  1) Generate random
  2) Compute: digest = Hash(keyOld || random)
  3) delta = digest XOR keyNew
  4) protocolKeyChange = (random || delta)
  Send a SetRequest message carrying protocolKeyChange
- Receiver:
  1) Compute digest = Hash(keyOld || random)
  2) Compute keyNew = digest XOR delta
- NOTE: digest XOR delta = digest XOR (digest XOR keyNew) = keyNew
- Since an attacker does not know keyOld, the update of the key is safe
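Both sides of the key-update exchange on the slide, as an added example (not code from the deck). It assumes keyOld and keyNew are localized keys of the hash's digest length, as USM uses them, and the keys and fixed random in the usage are constructed; the last function shows what a party holding the wrong keyOld recovers.

```python
"""USM KeyChange: requestor builds random || delta, receiver recovers keyNew.
Added example; hash is 'md5' or 'sha1'."""
import hashlib
import secrets


def _hash(algo: str, data: bytes) -> bytes:
    return getattr(hashlib, algo)(data).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def requestor_key_change(key_old: bytes, key_new: bytes, algo: str,
                         random: bytes = None) -> bytes:
    """Steps 1-4: random, digest = Hash(keyOld || random),
    delta = digest XOR keyNew, protocolKeyChange = random || delta."""
    n = len(_hash(algo, b""))
    if len(key_old) != n or len(key_new) != n:
        raise ValueError("keys must be %d octets for %s" % (n, algo))
    if random is None:
        random = secrets.token_bytes(n)     # fresh per update, never reused
    digest = _hash(algo, key_old + random)
    delta = _xor(digest, key_new)
    return random + delta                   # value carried in the SetRequest


def receiver_key_change(key_old: bytes, protocol_key_change: bytes,
                        algo: str) -> bytes:
    """Receiver: split random || delta, recompute digest with its own keyOld,
    keyNew = digest XOR delta."""
    n = len(_hash(algo, b""))
    if len(protocol_key_change) != 2 * n:
        raise ValueError("protocolKeyChange must be %d octets" % (2 * n))
    random, delta = protocol_key_change[:n], protocol_key_change[n:]
    digest = _hash(algo, key_old + random)
    return _xor(digest, delta)


def recovered_without_key_old(protocol_key_change: bytes, algo: str) -> bytes:
    """A party that only saw the message has no keyOld; running the receiver
    step with a guessed (here all-zero) keyOld yields an unrelated value, which
    is why the update is safe against an eavesdropper."""
    n = len(_hash(algo, b""))
    return receiver_key_change(bytes(n), protocol_key_change, algo)


if __name__ == "__main__":
    old, new = bytes(range(16)), bytes(range(16, 32))      # constructed keys
    pkc = requestor_key_change(old, new, "md5")
    print(receiver_key_change(old, pkc, "md5") == new,
          recovered_without_key_old(pkc, "md5") == new)
```

The random value must be fresh for every update: reusing it with the same keyOld would give two deltas whose XOR reveals keyNew1 XOR keyNew2.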
Access Control
- The agent can validate sending sources and their access privileges for command requests
- Step following authentication
- Maintain a local database containing access rights and policies

MIB VIEW            Allowed Operations   Allowed managers   Required Level of Security
Interface Table     SET                  John               Authentication, Encryption
Interface Table     GET/GETNEXT          John, Paul         Authentication
Systems Group       GET/GETNEXT          Georges            None

Access Control (read, write, or send notification)
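The policy table from the slide encoded as data, with the lookup an agent performs after authentication, as an added example (not code from the deck). The rows and names are the slide's; the ordering noAuthNoPriv < authNoPriv < authPriv is USM's security-level ordering, and a message at a stronger level than required is accepted, as is the assumption here.

```python
"""Access-control lookup over a local policy table shaped like the slide's.
Added example; deny by default."""
from dataclasses import dataclass

LEVEL_RANK = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}

# Slide wording for the required level -> USM securityLevel
REQUIRED = {
    "None": "noAuthNoPriv",
    "Authentication": "authNoPriv",
    "Authentication, Encryption": "authPriv",
}


@dataclass(frozen=True)
class Rule:
    view: str
    operations: frozenset
    managers: frozenset
    required_level: str


POLICY = [
    Rule("Interface Table", frozenset({"SET"}), frozenset({"John"}),
         REQUIRED["Authentication, Encryption"]),
    Rule("Interface Table", frozenset({"GET", "GETNEXT"}),
         frozenset({"John", "Paul"}), REQUIRED["Authentication"]),
    Rule("Systems Group", frozenset({"GET", "GETNEXT"}),
         frozenset({"Georges"}), REQUIRED["None"]),
]


def is_allowed(policy, manager: str, operation: str, view: str,
               security_level: str) -> bool:
    """Allow only if some rule names this view, operation and manager, and the
    message's security level is at least the rule's required level; any
    unknown level or unmatched request is denied."""
    if security_level not in LEVEL_RANK:
        return False
    for rule in policy:
        if (rule.view == view
                and operation in rule.operations
                and manager in rule.managers
                and LEVEL_RANK[security_level] >= LEVEL_RANK[rule.required_level]):
            return True
    return False


def decide_requests(policy, requests: list) -> list:
    """Evaluate a batch of (manager, operation, view, level) requests."""
    return [is_allowed(policy, *req) for req in requests]


if __name__ == "__main__":
    sample = [                                   # constructed requests
        ("John", "SET", "Interface Table", "authPriv"),
        ("John", "SET", "Interface Table", "authNoPriv"),
        ("Georges", "GET", "Systems Group", "noAuthNoPriv"),
    ]
    print(decide_requests(POLICY, sample))
```

The second sample request is the instructive one: John is an allowed manager for SET on the Interface Table, but the message arrived authenticated without encryption, so the required level is not met and the request is refused.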