Page 1: Dive into RFC 2574

Dive into RFC 2574
User-based Security Model (USM) for the SNMP-v3
Sasan Adibi


Threats

Limited protection provided for:

• Modification of Information
• Masquerade - false pretence by unauthorized users
• Disclosure - eavesdropping on the exchange between managed agents and management station
• Message Stream Modification - danger of the message being re-ordered, delayed, or replayed by unauthorized management stations


Threats Cont.

No protection against:

• Denial of Service
• Traffic Analysis


Goals

Verify that each received SNMP message has not been modified during its transmission through the network.

Verify the identity of the user on whose behalf a received SNMP message claims to have been generated.

Detect received SNMP messages that request or contain management information and whose time of generation was not recent.

Provide, when necessary, that the contents of each received SNMP message are protected from disclosure.


Constraints

When the requirements of effective management in times of network stress are inconsistent with those of security, the design should prefer the former.

Neither the security protocol nor its underlying security mechanisms should depend upon the ready availability of other network services (e.g., Network Time Protocol (NTP) or key management protocols).

A security mechanism should entail no changes to the basic SNMP network management philosophy.


Security Services

Data Integrity

Data Origin Authentication

Data Confidentiality

Message timeliness and limited replay protection


Why Use SNMP-v3

• Authentication
  • HMAC-MD5-96 or SHA authentication
  • Password must be greater than 8 characters, including spaces

• Privacy
  • Packet data may now be DES encrypted (additional encryption)
  • CBC-DES Symmetric Encryption Protocol
  • Allows for a unique privacy password

• Inform Traps
  • Old-style trap was "throw-n-pray" over UDP
  • v2 Inform trap is over TCP and requires a response
  • Traps may also have authentication and privacy passwords

• Security Structures
  • User / Scope / ACL may all have independent AuthPriv structures


Authoritative and Non-authoritative Engines

In any message, one of the transmitting/receiving SNMP entities is designated as the authoritative SNMP engine:

• When a message expects a response, the receiver of that message is authoritative
• When no response is expected, the sender is authoritative

This serves two purposes:

• Timeliness of the message is determined with the clock of the authoritative engine
• Key localization process


Protocol context of SNMP


SNMPv3 Architecture

SNMPv3 architecture (RFC 2571) consists of a distributed collection of SNMP entities communicating together.

Each SNMP entity may act as a manager, an agent, or a combination.

SNMP Engine - implements functions for:
• sending and receiving messages
• authenticating and encrypting/decrypting messages
• controlling access to managed objects


SNMP Engine Modules

The modular nature means that upgrades to individual modules can be made without redoing the architecture.

Modules:
• Dispatcher
• Message Processing Subsystem
• Security Subsystem
• Access Control Subsystem


SNMP Manager

[Figure: SNMP manager entity. Applications: Command Generator, Notification Receiver. Engine: PDU Dispatcher, Message Dispatcher, Transport Mappings; Message Processing Subsystem (SNMPv1, SNMPv2c, SNMPv3, Other); Security Subsystem (Community-based Security Model, User-based Security Model, Other Security Model).]


SNMP Agent

[Figure: SNMP agent entity. Applications: Command Responder, Notification Originator. Engine: PDU Dispatcher, Message Dispatcher, Transport Mappings; Message Processing Subsystem (SNMPv1, SNMPv2c, SNMPv3, Other); Security Subsystem (Community-based Security Model, User-based Security Model, Other Security Model); Access Control Subsystem (View-based Access Control); Management Information Base.]


SNMP Engine Modules: Dispatcher

The Dispatcher is a simple traffic manager.

On incoming messages:
• It accepts incoming messages from the transport layer
• Routes each message to the appropriate message processing module
• When message processing completes, the Dispatcher sends the PDU to the appropriate application

On outgoing messages:
• It accepts PDUs from the application layer
• Sends them to the message processing subsystem
• Sends them to the transport layer


SNMP Engine Modules: Dispatcher

Dispatcher submodules:
• PDU Dispatcher - sends/accepts Protocol Data Units (PDUs) to/from SNMP applications
• Message Dispatcher - transmits to/from the message processing subsystem
• Transport Mapping - sends/receives transport layer packets


Message Processing Module

On outgoing PDUs:
• Accepts outgoing PDUs from the dispatcher
• Passes the message to the security subsystem
• Wraps the result with the appropriate header
• Sends it back to the dispatcher

On incoming PDUs:
• Accepts messages from the dispatcher
• Processes the headers
• Possibly sends to the Security Subsystem for authentication and decryption
• Returns the enclosed PDU to the dispatcher


Security and Access Control Modules

Security modules:
• User-based Security Model (USM)
• Other security models are allowed for, but none yet defined

Access control modules:
• View-based Access Control Model (VACM)
• Others allowed


SNMPv3 Terminology

snmpEngineId - unique ID of an engine (octet string)
contextEngineId - unique ID of an SNMP entity
contextName - identifies a particular context within an SNMP engine
scopedPDU - block including contextEngineId, contextName and an SNMP PDU
snmpMessageProcessingModel - unique identifier
snmpSecurityModel - integer indicating whether authentication and/or encryption are required
principal - the entity for "Whom the Bell Tolls"
securityName - string representation of the principal


SNMPv3 Applications

Command generator applications:
• Make use of the sendPdu primitive
• Dispatcher -> Message Processing -> Security subsystem
• Finally UDP
• Later the processResponse dispatcher primitive handles the response

Notification originator/receiver applications:
• Operate similarly when sending a notification

Command responder applications use the primitives:
• RegisterContextEngineID - "here is my ID" (unregister also)
• processPDU
• returnResponsePDU
• isAccessAllowed (Access Control Subsystem primitive)

Proxy forwarder application


Message Processing Model

RFC 2572 defines the message processing model.

On outgoing messages, the model:
• Accepts PDUs from the dispatcher
• Encapsulates them in messages
• Invokes the User-based Security Model (USM) to insert security-related parameters in the headers

On incoming messages:
• Invokes the User-based Security Model (USM) to process the security-related parameters in the header
• Delivers the encapsulated PDU back to the dispatcher

• SNMP message first five fields


SNMPv3 Message Format with USM


USM Timeliness Mechanisms

A non-authoritative engine maintains copies of:
• snmpEngineBoots - number of times rebooted since originally configured (0 to 2^31)
• snmpEngineTime
• latestReceivedEngineTime

USM update conditions
USM update rule
Message judged to be outside window …
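The update rule and the "outside the window" judgement that this slide only names, worked through as an added Python example (not code from the presentation or from any SNMP implementation). The 150-second window and the 2^31-1 boots ceiling are the values RFC 2574 sections 2.3 and 3.2 specify; the clock values in the demo are constructed.

```python
from dataclasses import dataclass

# RFC 2574 constants: snmpEngineBoots saturates at 2^31-1, after which an engine
# must reject all authenticated messages until it is reconfigured; a message whose
# time differs from the authoritative clock by more than 150 s is outside the window.
MAX_ENGINE_BOOTS = 2**31 - 1
TIME_WINDOW_SECONDS = 150


@dataclass
class AuthoritativeClock:
    """What an authoritative engine keeps: its own boot counter and uptime."""
    boots: int
    time: int  # seconds since the last reboot (snmpEngineTime)


@dataclass
class NonAuthoritativeView:
    """What a non-authoritative engine keeps about one remote authoritative
    engine: its copy of the remote boots/time plus latestReceivedEngineTime."""
    boots: int
    time: int
    latest_received_time: int


def authoritative_in_window(local: AuthoritativeClock, msg_boots: int, msg_time: int) -> bool:
    """Receiver is authoritative (e.g. an agent handling a Get request):
    compare the message's boots/time with the local clock (RFC 2574 3.2 step 7b)."""
    if local.boots == MAX_ENGINE_BOOTS:
        return False
    if msg_boots != local.boots:
        return False
    return abs(msg_time - local.time) <= TIME_WINDOW_SECONDS


def non_authoritative_check(view: NonAuthoritativeView, msg_boots: int, msg_time: int) -> bool:
    """Receiver is non-authoritative (e.g. a manager handling a Response):
    apply the USM update rule to the stored view, then judge the window.
    The boots/time in the message are only trustworthy because the message
    was already authenticated, so this runs after MAC verification."""
    # Update rule (3.2 step 7a): the stored view only ever moves forward.
    if msg_boots > view.boots or (msg_boots == view.boots and msg_time > view.latest_received_time):
        view.boots = msg_boots
        view.time = msg_time
        view.latest_received_time = msg_time
    # Window judgement (3.2 step 7b) for a non-authoritative receiver.
    if view.boots == MAX_ENGINE_BOOTS:
        return False
    if msg_boots < view.boots:
        return False
    if msg_boots == view.boots and msg_time < view.time - TIME_WINDOW_SECONDS:
        return False
    return True


if __name__ == "__main__":
    # Constructed clocks: an agent at boots=5, 1000 s uptime.
    agent = AuthoritativeClock(boots=5, time=1000)
    print("fresh request   :", authoritative_in_window(agent, 5, 1100))   # True
    print("stale request   :", authoritative_in_window(agent, 5, 1200))   # False, 200 s drift
    print("old boot counter:", authoritative_in_window(agent, 4, 1000))   # False

    manager = NonAuthoritativeView(boots=5, time=1000, latest_received_time=1000)
    print("newer response  :", non_authoritative_check(manager, 5, 1050))  # True, view advances
    print("replayed old one:", non_authoritative_check(manager, 5, 800))   # False
    print("agent rebooted  :", non_authoritative_check(manager, 6, 10))    # True, boots moved on
```

The asymmetry matters in practice: an authoritative engine never updates its clock from a message, it only measures drift against its own counters, while the non-authoritative side learns the remote clock from authenticated traffic and then refuses anything older than what it has already seen.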


Key Localization Process
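The key localization process this slide is titled after (and which the "Authoritative and Non-authoritative Engines" slide lists as the second purpose of the authoritative engine), together with the HMAC-MD5-96 / HMAC-SHA-96 authentication from the "Why Use SNMP-v3" slide, as an added Python example that is not code from the presentation or from any SNMP implementation. The password-to-key and localization steps and the "maplesyrup" test vector are from RFC 2574 appendix A; the message bytes and the MAC offset are constructed stand-ins for a BER-encoded SNMPv3 message.

```python
import hashlib
import hmac

MAC_LEN = 12               # HMAC-MD5-96 and HMAC-SHA-96 both truncate the MAC to 96 bits
PASSWORD_STREAM = 1048576  # RFC 2574 A.2: hash exactly 1 MiB of the repeated password


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """RFC 2574 A.2: Ku = H(password repeated until 1,048,576 octets are consumed)."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (PASSWORD_STREAM // len(password) + 1))[:PASSWORD_STREAM]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 2574 2.6: Kul = H(Ku || snmpEngineID || Ku). Each authoritative engine
    gets its own key, so a key recovered from one engine is useless at another."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def authenticate_outgoing(msg: bytes, mac_offset: int, kul: bytes, hash_name: str) -> bytes:
    """Sender side (RFC 2574 6.3.1 / 7.3.1): with msgAuthenticationParameters set
    to 12 zero octets, MAC the whole message and write the MAC into that field."""
    if msg[mac_offset:mac_offset + MAC_LEN] != bytes(MAC_LEN):
        raise ValueError("msgAuthenticationParameters must be zeroed before signing")
    mac = hmac.new(kul, msg, hash_name).digest()[:MAC_LEN]
    return msg[:mac_offset] + mac + msg[mac_offset + MAC_LEN:]


def verify_incoming(msg: bytes, mac_offset: int, kul: bytes, hash_name: str) -> bool:
    """Receiver side (6.3.2 / 7.3.2): take the received MAC out, zero the field,
    recompute, and compare in constant time."""
    received = msg[mac_offset:mac_offset + MAC_LEN]
    zeroed = msg[:mac_offset] + bytes(MAC_LEN) + msg[mac_offset + MAC_LEN:]
    expected = hmac.new(kul, zeroed, hash_name).digest()[:MAC_LEN]
    return hmac.compare_digest(received, expected)


# RFC 2574 A.3 test vector: password "maplesyrup", snmpEngineID = 00 00 00 00 00 00 00 00 00 00 00 02.
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes([0x00] * 11 + [0x02])

# Constructed stand-in for a BER-encoded SNMPv3 message: everything before the
# msgAuthenticationParameters field, the zeroed 12-octet field, then the scoped PDU.
DEMO_HEADER = b"<constructed msgGlobalData + USM params up to MAC>"
DEMO_PDU = b"<constructed scopedPDU>"
DEMO_MAC_OFFSET = len(DEMO_HEADER)
DEMO_MESSAGE = DEMO_HEADER + bytes(MAC_LEN) + DEMO_PDU


def demo(hash_name: str = "md5"):
    """Derive Ku and Kul, sign the demo message, verify it, then verify a tampered copy.
    Returns (Ku hex, Kul hex, genuine verifies, tampered verifies)."""
    ku = password_to_key(RFC_PASSWORD, hash_name)
    kul = localize_key(ku, RFC_ENGINE_ID, hash_name)
    signed = authenticate_outgoing(DEMO_MESSAGE, DEMO_MAC_OFFSET, kul, hash_name)
    tampered = signed[:-1] + bytes([signed[-1] ^ 0x01])  # flip one bit in the PDU
    return (ku.hex(), kul.hex(),
            verify_incoming(signed, DEMO_MAC_OFFSET, kul, hash_name),
            verify_incoming(tampered, DEMO_MAC_OFFSET, kul, hash_name))


if __name__ == "__main__":
    for name in ("md5", "sha1"):
        ku_hex, kul_hex, ok, tampered_ok = demo(name)
        print(f"{name}: Ku={ku_hex}\n      Kul={kul_hex}\n      genuine={ok} tampered={tampered_ok}")
```

Two points worth noticing when running it: the MD5 values printed for "maplesyrup" match the Ku/Kul pair given in RFC 2574 A.3.1, which is a quick self-check for any USM implementation, and localizing the same Ku with a different snmpEngineID yields a key that fails to verify the message, which is the whole reason the authoritative engine's ID goes into the derivation.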


SNMPv3 RFCs

[Figure: SNMPv3 RFC map. An SNMP entity consists of SNMP applications (RFC 2573) and an SNMP engine (RFC 2571) containing the Dispatcher and Message Processing Subsystem (RFC 2572), the Security Subsystem (USM: RFC 2574) and the Access Control Subsystem (VACM: RFC 2575).]


SNMP-v3 Strength

Widespread support
• SNMP agents available for many network devices (hosts, routers, switches, bridges, modems, printers, etc.)

Flexible and extensible
• SNMP agents can be extended to cover device-specific data
• Clear mechanism for upgrading
• Additional interoperability via proxies


SNMP-v3 Weaknesses

SNMP is not really "simple"
• Complicated protocol to implement
• Complex encoding rules

SNMP is not an efficient protocol
• Bandwidth wasted with useless information
• Inefficiencies of ASN.1 with respect to compactness

SNMP is lacking in security
• Lack of privacy or strong authentication
• Offered in SNMP-v3, but SNMP-v1 still widely used
• Limits utility for monitoring remote networks


SNMP Weaknesses Cont.

Latency can be high in SNMP
• Request-response protocol, leading to a delay between time of request and time of response
• Typically small in a LAN, but potentially a problem in a WAN
