SNMPv3
Yen-Cheng Chen
Department of Information Management
National Chi Nan University
Reference: http://www.comsoc.org/livepubs/surveys/public/4q98issue/stallings.html
SNMPv3 RFCs
RFC3410  Introduction and Applicability Statements for Internet-Standard Management Framework
RFC3411  An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks
RFC3412  Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)
RFC3413  Simple Network Management Protocol (SNMP) Applications
RFC3414  User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)
RFC3415  View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)
RFC3416  Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP)
RFC3417  Transport Mappings for the Simple Network Management Protocol (SNMP)
RFC3418  Management Information Base (MIB) for the Simple Network Management Protocol (SNMP)
SNMP entity
[Figure: an SNMP entity. Applications: Command Generator, Command Responder, Notification Originator, Notification Receiver, Proxy Forwarder, Other. SNMP Engine (identified by snmpEngineID): Dispatcher, Message Processing Subsystem, Security Subsystem, Access Control Subsystem.]
An SNMP entity is a node with an SNMP management element: either an agent, a manager, or both.
SNMPv3 Architecture
Dispatcher
• Sending and receiving SNMP messages to/from the network
• Determining the version of an SNMP message and interacting with the corresponding Message Processing Model
• Providing an abstract interface to SNMP applications for delivery of a PDU to an application.
• Providing an abstract interface for SNMP applications that allows them to send a PDU to a remote SNMP entity.
Dispatcher
Three components:
• Transport mapping delivers messages over the transport protocol
• Message Dispatcher routes messages between the network and the appropriate module of the Message Processing Subsystem
• PDU Dispatcher handles messages between applications and the Message Processing Subsystem
Message Processing Subsystem
• Contains one or more Message Processing Models
• One MPM for each SNMP version; the SNMP version is identified in the message header
Security and Access Control
• Security at the message level: authentication, and privacy of the message via secure communication
• Flexible access control: who can access, what can be accessed, flexible MIB views
Applications
• Command Generator
• Command Responder
• Notification Originator
• Notification Receiver
• Proxy Forwarder
• Other
Application Example
• Command Generator: get-request
• Command Responder: get-response
• Notification Originator: trap generation
• Notification Receiver: trap processing
• Proxy Forwarder: get-bulk to get-next (proxying between SNMP versions)
• Other: special applications
[Figure: Manager and Agent roles: a Command Generator or Notification Originator on one side exchanging messages with a Command Responder on the other.]
Names
• Entity / Engine (snmpEngineID): associated with each SNMP entity is a unique snmpEngineID.
• Context (contextName): a context is a collection of management information accessible by an SNMP entity. The context engine (contextEngineID) is the snmpEngineID.
• Principal (securityName): the "who" on whose behalf services are provided or processing takes place; may be an individual or an application, or a group of individuals or applications.
[Figure: a context engine holding several contexts, each identified by a contextName.]
Security Threats
[Figure: threats on the path between Management Entity A and Management Entity B: modification of information, masquerade, message stream modification, disclosure.]
The SNMPv3 security model is developed to protect against the following security threats:
• Modification of information: contents modified by an unauthorized user
• Masquerade: change of the originating address by an unauthorized user
• Message stream modification: re-ordering, delay or replay of messages
• Disclosure: eavesdropping
The SNMPv3 security model does not protect against Denial of Service (DoS) and traffic analysis.
Security Services
[Figure: the Security Subsystem seen from the Message Processing Model: an Authentication Module (data integrity, data origin authentication), a Privacy Module (data confidentiality) and a Timeliness Module (message timeliness and limited replay protection).]
SNMPv3 Security
• Authentication
  - Data integrity: HMAC-MD5-96 / HMAC-SHA-96
  - Data origin authentication: append to the message a unique identifier associated with the authoritative SNMP engine
• Privacy / confidentiality: encryption
• Timeliness: authoritative engine ID, number of engine boots and time in seconds
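As an added example (not code from the slides), the timeliness and limited replay protection that the authoritative engine's boots/time values give: the manager keeps its own notion of the agent's snmpEngineBoots/snmpEngineTime, and the agent accepts only messages quoting its current boot count and a time inside RFC 3414's 150-second window. The class and function names are my own; the constants are the RFC's.

```python
TIME_WINDOW = 150              # seconds; fixed by RFC 3414
MAX_ENGINE_BOOTS = 2147483647  # 2^31 - 1: at this value the engine stops accepting


def is_timely(local_boots: int, local_time: int, msg_boots: int, msg_time: int) -> bool:
    """Authoritative-engine check (RFC 3414 section 3.2, step 7a). The message is
    inside the time window only if it quotes the engine's current boot count and
    a time within +/-150 s of the engine's clock, and the boot counter is not
    exhausted (otherwise a wrapped snmpEngineTime would let old messages replay)."""
    if local_boots == MAX_ENGINE_BOOTS or msg_boots != local_boots:
        return False
    return abs(msg_time - local_time) <= TIME_WINDOW


class RemoteEngineClock:
    """The non-authoritative engine's (manager's) notion of one remote authoritative
    engine's snmpEngineBoots/snmpEngineTime, learned from discovery reports and
    authenticated replies (RFC 3414 section 2.3). Class and method names are my own."""

    def __init__(self) -> None:
        self.boots, self.time, self.latest_received, self.synced_at = 0, 0, 0, 0

    def update(self, msg_boots: int, msg_time: int, now: int) -> None:
        # Accept only values that move forward, so a replayed old message
        # cannot roll the manager's notion of the remote clock backwards.
        if msg_boots > self.boots or (msg_boots == self.boots and msg_time > self.latest_received):
            self.boots, self.time, self.latest_received, self.synced_at = msg_boots, msg_time, msg_time, now

    def estimate(self, now: int) -> tuple:
        # Advance the last learned engine time by the local seconds elapsed since.
        return self.boots, self.time + (now - self.synced_at)


def demo() -> dict:
    # Constructed scenario: the agent (authoritative) has booted 7 times and its
    # snmpEngineTime is 1000 + the manager's local clock `now`.
    agent_boots = 7
    mgr = RemoteEngineClock()
    mgr.update(7, 1000, now=0)                          # learned from a discovery report
    boots, t = mgr.estimate(now=10)                     # what the manager puts in its request
    fresh = is_timely(agent_boots, 1010, boots, t)
    replayed = is_timely(agent_boots, 1310, boots, t)   # same message replayed 300 s later
    after_reboot = is_timely(8, 5, boots, t)            # agent rebooted: boots advanced
    mgr.update(7, 500, now=20)                          # stale report must not roll the clock back
    return {"fresh": fresh, "replayed": replayed, "after_reboot": after_reboot,
            "no_rollback": mgr.estimate(now=20) == (7, 1020)}
```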
Role of SNMP Engines
• Non-Authoritative Engine (NMS)
• Authoritative Engine (Agent)
Figure 7.12 SNMPv3 Message Format (see p. 304)
[Figure: the SNMPv3 message consists of Version, Global/Header Data, Security Parameters and a plaintext or encrypted scopedPDU.]
• Global/Header Data: Message ID, Message Max. Size, Message Flag, Message Security Model
• Security Parameters: Authoritative Engine ID, Authoritative Engine Boots, Authoritative Engine Time, User Name, Authentication Parameters, Privacy Parameters
• scopedPDU: Context Engine ID, Context Name, Data (the PDU)
• Authentication covers the whole message; encryption covers the scopedPDU.
User-Based Security Model
• Based on the traditional user name concept
• Authentication service primitives: authenticateOutgoingMsg, authenticateIncomingMsg
• Privacy service primitives: encryptData, decryptData
Figure 7.13 Privacy and Authentication Service for Outgoing Message
[Figure: the Message Processing Model hands the User-based Security Model (in the Security Subsystem) the MPM information, header data, security data and the scopedPDU. The Privacy Module encrypts the scopedPDU with the encryption key, producing the encrypted scopedPDU and the privacy parameters; the Authentication Module then authenticates the whole message with the authentication key. The USM returns the authenticated/encrypted whole message, the whole message length and the security parameters.]
Figure 7.14 Privacy and Authentication Service for Incoming Message
[Figure: the Message Processing Model hands the User-based Security Model the MPM information, header data, security parameters and the whole message as received from the network. The Authentication Module checks the whole message against the authentication parameters using the authentication key; the Privacy Module then decrypts the encrypted PDU with the decrypt key and the privacy parameters. The USM returns the decrypted scopedPDU.]
Authentication Protocols
Authentication key: derived from a password chosen by the user
• digest0: the password repeated to 2^20 octets
• digest1: H(digest0)
• digest2: H(engineID || digest1)
• AuthKey = digest2
Use HMAC-MD5-96 or HMAC-SHA-96
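As an added example (not the slides' own code), the password-to-key procedure together with the USM authentication primitives authenticateOutgoingMsg / authenticateIncomingMsg, in Python. It follows RFC 3414 appendix A.2, whose localization step hashes digest1 || engineID || digest1; the function names are my own, and the message bytes are a constructed stand-in for a BER-encoded SNMPv3 message.

```python
import hashlib
import hmac

HMAC96_LEN = 12               # RFC 3414 truncates the HMAC to 96 bits
PASSWORD_EXPANSION = 1048576  # 2^20 octets of repeated password

def password_to_key(password: bytes, engine_id: bytes, hashfn=hashlib.md5) -> bytes:
    """RFC 3414 A.2: expand the password to 2^20 octets, hash it (digest1),
    then localize to one engine by hashing digest1 || snmpEngineID || digest1."""
    repeated = (password * (PASSWORD_EXPANSION // len(password) + 1))[:PASSWORD_EXPANSION]
    digest1 = hashfn(repeated).digest()
    return hashfn(digest1 + engine_id + digest1).digest()

def hmac96(key: bytes, hashfn, whole_msg: bytes) -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: HMAC over the whole message, first 12 octets."""
    return hmac.new(key, whole_msg, hashfn).digest()[:HMAC96_LEN]

def authenticate_outgoing(key: bytes, hashfn, before: bytes, after: bytes) -> bytes:
    """authenticateOutgoingMsg: MAC the message with msgAuthenticationParameters
    set to 12 zero octets, then write the MAC into that field."""
    mac = hmac96(key, hashfn, before + b"\x00" * HMAC96_LEN + after)
    return before + mac + after

def authenticate_incoming(key: bytes, hashfn, wire: bytes, offset: int) -> bool:
    """authenticateIncomingMsg: take the received MAC out of the field at
    `offset`, zero the field, recompute and compare in constant time."""
    received = wire[offset:offset + HMAC96_LEN]
    zeroed = wire[:offset] + b"\x00" * HMAC96_LEN + wire[offset + HMAC96_LEN:]
    return hmac.compare_digest(received, hmac96(key, hashfn, zeroed))

def demo() -> dict:
    # Constructed sample: password and engine ID are RFC 3414's test-vector inputs;
    # the message bytes stand in for a BER-encoded SNMPv3 message.
    engine_id = bytes.fromhex("000000000000000000000002")
    k_md5 = password_to_key(b"maplesyrup", engine_id, hashlib.md5)
    k_sha = password_to_key(b"maplesyrup", engine_id, hashlib.sha1)
    before, after = b"v3|header|usm:", b"|scopedPDU:get-request"
    wire = authenticate_outgoing(k_sha, hashlib.sha1, before, after)
    ok = authenticate_incoming(k_sha, hashlib.sha1, wire, len(before))
    tampered = wire[:-1] + b"!"   # modify the last octet of the scopedPDU
    bad = authenticate_incoming(k_sha, hashlib.sha1, tampered, len(before))
    return {"md5_key": k_md5.hex(), "sha_key": k_sha.hex(),
            "verified": ok, "tampered_verified": bad}
```

The two localized keys returned by demo() are the MD5 and SHA-1 results RFC 3414 lists for this password and engine ID, so the derivation can be checked against the RFC's own test vectors.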