1 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential.
Cisco Networking Academy, U.S./Canada
SNMP V3
Eng. Maha Jeha
SNMPv3
1. Overview
2. Design decisions
3. Architecture
4. SNMP message structure
5. Secure communication: User Security Model (USM)
6. Access control: View Based Access Control Model (VACM)
7. Implementations
8. RFCs
BY : ENG. Maha Jeha
DESIGN DECISIONS
• Address the need for secure SET support
• Define an architecture that allows for longevity of SNMP
• Allow different portions of the architecture to move at different speeds towards standard status
• Allow for future extensions
• Keep SNMP as simple as possible
• Allow for minimal implementations
• Also support the more complex features that are required in large networks
• Re-use existing specifications whenever possible
SNMPv3 ARCHITECTURE
(diagram) An SNMP entity consists of an SNMP engine and SNMP applications. The engine contains the dispatcher, the message processing subsystem, the security subsystem and the access control subsystem. The applications are the command generator, command responder, notification originator, notification receiver, proxy forwarder and other applications.
SNMPv3 ARCHITECTURE: MANAGER
(diagram) A manager entity holds the command generator and notification receiver applications above a PDU dispatcher. The message processing subsystem contains the SNMPv1, SNMPv2c, SNMPv3 and other message processing models; the security subsystem contains the community based security model, the user based security model and other security models. Below them sit the message dispatcher and the transport mappings.
SNMPv3 ARCHITECTURE: AGENT
(diagram) An agent entity holds the command responder and notification originator applications, the management information base (MIB), and an access control subsystem with the view based access control model, above a PDU dispatcher. As in the manager, the message processing subsystem offers the SNMPv1, SNMPv2c, SNMPv3 and other models, the security subsystem offers the community based, user based and other security models, and the message dispatcher and transport mappings sit at the bottom.
CONCEPTS: snmpEngineID
(diagram) Every SNMP entity contains exactly one SNMP engine, and each engine is identified by a unique snmpEngineID. The figure shows four entities whose engines carry snmpEngineID=1, snmpEngineID=2, snmpEngineID=3 and snmpEngineID=4.
CONCEPTS: Context
(diagram) An SNMP entity with snmpEngineID=1 hosts a command responder application and two MIB instances, contextName=card1 and contextName=card2. Both contexts can be reached through this engine, so for each of them contextEngineID=1.
PRIMITIVES BETWEEN MODULES
(diagram) The dispatcher, the message processing subsystem, the security subsystem, the access control subsystem and the applications exchange primitives that carry the following parameters:
• transportDomain, transportAddress
• messageProcessingModel
• securityModel, securityName
• securityLevel
• contextEngineID
• contextName
• pduVersion
• PDU
• expectResponse
• maxSizeResponseScopedPDU
• stateReference, statusInformation
• sendPduHandle
• destTransportDomain, destTransportAddress
• outgoingMessage, outgoingMessageLength
• wholeMsg, wholeMsgLength
• pduType
• viewType, variableName
• globalData, maxMessageSize
• securityEngineID
• scopedPDU
• securityParameters, securityStateReference
PRIMITIVES BETWEEN MODULES: SEQUENCE OF A REQUEST AND ITS RESPONSE
(fifteen diagrams, one per primitive, each repeating the module layout and parameter list above and marking the module that issues the call; only that order and the issuing module are recoverable)
Request leaving the manager:
1. sendPdu (Applications)
2. prepareOutgoingMessage (Dispatcher)
3. generateRequestMsg (Message Processing Subsystem)
4. send / receive (Dispatcher)
Request arriving at the agent:
5. prepareDataElements (Dispatcher)
6. processIncomingMsg (Message Processing Subsystem)
7. processPdu (Dispatcher)
8. isAccessAllowed (Applications)
9. returnResponsePdu (Applications)
10. prepareResponseMessage (Dispatcher)
11. generateResponseMsg (Message Processing Subsystem)
12. send / receive (Dispatcher)
Response arriving back at the manager:
13. prepareDataElements (Dispatcher)
14. processIncomingMsg (Message Processing Subsystem)
15. processResponsePdu (Dispatcher)
MODULES OF THE SNMPv3 ARCHITECTURE
• Dispatcher and message processing module: SNMPv3 message structure, snmpMPDMIB, RFC 2572
• Applications: snmpTargetMIB, snmpNotificationMIB, snmpProxyMIB, RFC 2573
• Security subsystem: User Based Security Model, snmpUsmMIB, RFC 2574
• Access control subsystem: View Based Access Control Model, snmpVacmMIB, RFC 2575
SNMPv3 MESSAGE STRUCTURE
• msgVersion: used by the message processing subsystem
• msgID, msgMaxSize, msgFlags, msgSecurityModel: used by the SNMPv3 processing module
• msgSecurityParameters: used by the security subsystem
• contextEngineID, contextName, PDU: used by the access control subsystem and the applications
SNMPv3 PROCESSING MODULE PARAMETERS
• msgVersion
• msgID: 0..2147483647
• msgMaxSize: 484..2147483647
• msgFlags: authFlag, privFlag, reportableFlag
• msgSecurityModel: SNMPv1, SNMPv2c, USM
• msgSecurityParameters
• contextEngineID
• contextName
• PDU
SECURE COMMUNICATION VERSUS ACCESS CONTROL
(diagram) The manager's and the agent's application processes exchange GET / GET-NEXT / GETBULK / SET / TRAP / INFORM operations over the transport service. Secure communication protects the messages on the path between manager and agent; access control is applied inside the agent, between the application processes and the MIB.
USM: SECURITY THREATS
THREAT              ADDRESSED?   MECHANISM
REPLAY              YES          TIME STAMP
MASQUERADE          YES          MD5 / SHA-1
INTEGRITY           YES          (MD5 / SHA-1)
DISCLOSURE          YES          DES
DENIAL OF SERVICE   YES
TRAFFIC ANALYSIS    YES
USM MESSAGE STRUCTURE
• msgVersion
• msgID
• msgMaxSize
• msgFlags
• msgSecurityModel
• msgAuthoritativeEngineID, msgAuthoritativeEngineBoots, msgAuthoritativeEngineTime: replay
• msgUserName: masquerade / integrity / disclosure (selects the user's keys)
• msgAuthenticationParameters: masquerade / integrity
• msgPrivacyParameters: disclosure
• contextEngineID
• contextName
• PDU
IDEA BEHIND REPLAY PROTECTION
(diagram) The authoritative engine stamps each message with its engine ID, its boots counter and the current value of its local clock (ID, BOOTS, TIME, DATA). The non-authoritative engine keeps a local notion of that remote clock and tests whether the received TIME plus the ALLOWED LIFETIME is still greater than its local notion; a message that fails the test is outside the window and is rejected as a replay.
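The window test in the diagram, written out as an added example (it is not code from the deck). The 150-second allowed lifetime and the 2147483647 boots limit come from RFC 3414, not from the slide, and the check the authoritative engine runs against its own clock is included as well so both ends of an exchange are covered.

```python
from dataclasses import dataclass

MAX_BOOTS = 2147483647   # RFC 3414: an engine whose boots counter reached this value accepts nothing
ALLOWED_LIFETIME = 150   # seconds; the USM time window from RFC 3414 (assumed, not stated on the slide)


@dataclass
class EngineClock:
    """A (snmpEngineBoots, snmpEngineTime) pair: the authoritative engine's own clock,
    or the non-authoritative engine's local notion of that remote clock."""
    boots: int
    time: int


def authoritative_timely(local: EngineClock, msg_boots: int, msg_time: int) -> bool:
    """Check run by the authoritative engine (the agent, for requests) against its own
    clock: boots must match and the time must lie within +/- ALLOWED_LIFETIME."""
    if local.boots == MAX_BOOTS or msg_boots != local.boots:
        return False
    return abs(msg_time - local.time) <= ALLOWED_LIFETIME


def nonauthoritative_timely(notion: EngineClock, msg_boots: int, msg_time: int) -> bool:
    """Check run by the non-authoritative engine (the manager, for responses and traps)
    against its local notion of the remote clock. This is the slide's
    'TIME + ALLOWED LIFETIME > local notion?' test: a message older than the window is
    a replay. A newer message advances the notion, which closes the window behind it."""
    if msg_boots == MAX_BOOTS:
        return False
    if msg_boots < notion.boots:
        return False                                      # stamped before the last known reboot
    if msg_boots == notion.boots and msg_time + ALLOWED_LIFETIME < notion.time:
        return False                                      # too old: replay of an earlier message
    if msg_boots > notion.boots or msg_time > notion.time:
        notion.boots, notion.time = msg_boots, msg_time   # accept and advance the notion
    return True
```

Note that the non-authoritative side only ever moves its notion forward, so a captured message can be replayed for at most ALLOWED_LIFETIME seconds after a newer one has been seen.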
IDEA BEHIND DATA INTEGRITY AND AUTHENTICATION
(diagram) A hash function takes the DATA and a KEY and produces a MAC. Add the message authentication code (MAC) to the data and send the result.
IDEA BEHIND AUTHENTICATION
(diagram) Sender: the hash function is applied to the DATA with the user's KEY to produce the MAC, and DATA, USER and MAC are sent together. Receiver: the KEY belonging to USER is looked up, the hash function is applied to the received DATA with that key, and the recomputed MAC is compared with the received one (=?). A mismatch means the data was altered or the sender does not hold the user's key.
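The sender/receiver MAC comparison above, as an added example that is not part of the deck, using the SHA-1 variant of USM (HMAC-SHA-96). The password, engine ID, header and scoped PDU bytes are constructed, the BER framing is treated as opaque bytes, and the 1 MB key stretching and key localization follow RFC 3414 appendix A.2 (not shown on the slide).

```python
import hashlib
import hmac

ONE_MEGABYTE = 1_048_576
MAC_LEN = 12                     # HMAC-SHA-96 keeps the first 96 bits of the HMAC
PLACEHOLDER = b"\x00" * MAC_LEN  # msgAuthenticationParameters is zeroed while the MAC is computed


def localized_key(password: bytes, engine_id: bytes) -> bytes:
    """RFC 3414 A.2.2 password-to-key with key localization. Ku is the digest of the
    password repeated to 1 MB; Kul = H(Ku || snmpEngineID || Ku), so the same
    password yields a different key for every authoritative engine."""
    stream = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    ku = hashlib.sha1(stream).digest()
    return hashlib.sha1(ku + engine_id + ku).digest()


def mac_over(key: bytes, whole_msg: bytes) -> bytes:
    """HMAC-SHA1 over the whole message (MAC field zeroed), truncated to 12 bytes."""
    return hmac.new(key, whole_msg, hashlib.sha1).digest()[:MAC_LEN]


def sign(key: bytes, before_mac: bytes, after_mac: bytes) -> bytes:
    """Sender: compute the MAC with a zeroed parameters field, then splice it in.
    before_mac / after_mac are the message bytes on either side of that field."""
    mac = mac_over(key, before_mac + PLACEHOLDER + after_mac)
    return before_mac + mac + after_mac


def verify(key: bytes, wire_msg: bytes, mac_offset: int) -> bool:
    """Receiver: lift the 12-byte field out, zero it, recompute, compare in constant time."""
    received = wire_msg[mac_offset:mac_offset + MAC_LEN]
    zeroed = wire_msg[:mac_offset] + PLACEHOLDER + wire_msg[mac_offset + MAC_LEN:]
    return hmac.compare_digest(received, mac_over(key, zeroed))


# Constructed sample values: opaque stand-ins for the BER-encoded header and scoped PDU.
ENGINE_A = b"\x80\x00\x00\x00\x01agent-A"   # constructed snmpEngineID, not a real device
HEADER = b"\x30\x3c\x02\x01\x03 msgGlobalData ... msgUserName=john "
SCOPED_PDU = b"contextEngineID contextName GET 1.3.6.1.2.1.1.1.0"


def demo() -> dict:
    """Sign a constructed message for engine A and report the three outcomes a receiver sees."""
    key = localized_key(b"maplesyrup", ENGINE_A)
    wire = sign(key, HEADER, SCOPED_PDU)
    tampered = wire[:-1] + bytes([wire[-1] ^ 0x01])           # flip one bit of the PDU
    other_key = localized_key(b"maplesyrup", b"\x80\x00\x00\x00\x01agent-B")
    return {"key_len": len(key),
            "genuine": verify(key, wire, len(HEADER)),
            "tampered": verify(key, tampered, len(HEADER)),
            "wrong_engine": verify(other_key, wire, len(HEADER))}
```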
IDEA BEHIND THE DATA CONFIDENTIALITY (DES)
(diagram) The DES algorithm takes the DATA and a DES-KEY and produces ENCRYPTED DATA.
IDEA BEHIND ENCRYPTION
(diagram) Sender: the DATA is encrypted with the user's DES-KEY and the ENCRYPTED DATA is sent together with USER. Receiver: the DES-KEY belonging to USER is looked up and the DES algorithm is applied to the ENCRYPTED DATA to recover the DATA.
VIEW BASED ACCESS CONTROL MODEL
• Access control table
• MIB views
ACCESS CONTROL TABLES
ALLOWED OPERATIONS   MIB VIEW          ALLOWED MANAGERS   REQUIRED LEVEL OF SECURITY
GET / GETNEXT        Interface Table   John, Paul         Authentication
...                  ...               ...                ...
SET                  Interface Table   John               Authentication
GET / GETNEXT        Systems Group     George             None
...                  ...               ...                Encryption
(further rows elided on the slide; the levels used are None, Authentication and Encryption)
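The access decision the table encodes, as an added example (not the deck's code): the three rows shown above are mapped onto a small VACM-style lookup. The view names interfaceTable and systemGroup and their OID subtrees are constructed, the slide's None / Authentication levels are mapped onto noAuthNoPriv / authNoPriv, and view membership is simplified to OID-prefix matching (real VACM also has excluded subtrees and family masks).

```python
from dataclasses import dataclass

# Security levels in increasing order of protection (the slide's None / Authentication / Encryption).
LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}

# Constructed MIB views: view name -> included OID subtrees.
VIEWS = {
    "interfaceTable": ("1.3.6.1.2.1.2.2",),   # ifTable
    "systemGroup": ("1.3.6.1.2.1.1",),        # system group
}


@dataclass(frozen=True)
class AccessEntry:
    operations: frozenset   # allowed operations, e.g. {"get", "getnext"}
    view: str               # MIB view the operation may touch
    managers: frozenset     # securityNames allowed (the slide's "allowed managers")
    min_level: str          # required level of security


# The three rows shown on the slide.
TABLE = (
    AccessEntry(frozenset({"get", "getnext"}), "interfaceTable", frozenset({"John", "Paul"}), "authNoPriv"),
    AccessEntry(frozenset({"set"}), "interfaceTable", frozenset({"John"}), "authNoPriv"),
    AccessEntry(frozenset({"get", "getnext"}), "systemGroup", frozenset({"George"}), "noAuthNoPriv"),
)


def in_view(view: str, oid: str) -> bool:
    """True if the OID lies in one of the view's included subtrees."""
    return any(oid == sub or oid.startswith(sub + ".") for sub in VIEWS[view])


def is_access_allowed(table, security_name: str, security_level: str, operation: str, oid: str) -> bool:
    """The isAccessAllowed primitive: every column must match and the message's security
    level must be at least the row's required level. Anything unmatched is denied."""
    for row in table:
        if security_name not in row.managers or operation not in row.operations:
            continue
        if LEVELS[security_level] < LEVELS[row.min_level]:
            continue                       # e.g. an unauthenticated GET on the interface table
        if in_view(row.view, oid):
            return True
    return False
```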
SNMPv3 IMPLEMENTATIONS
• ACE*COMM
• AdventNet
• BMC Software
• Cisco
• Epilogue
• Gambit Communications
• Halcyon
• IBM
• ISI
• IWL
• MG-SOFT
• MultiPort Corporation
• SimpleSoft
• SNMP Research
• SNMP++
• TU of Braunschweig
• UCD
• University of Quebec
SNMPv3 RFCs
(diagram, mapping the RFCs onto the SNMP entity) RFC 2571 covers the overall architecture of the SNMP entity; RFC 2572 covers the dispatcher and the message processing subsystem; RFC 2573 covers the SNMP applications; USM (security subsystem): RFC 2574; VACM (access control subsystem): RFC 2575.