SNMPv3
Based on Behzad Akbari's Fall 2011 Network Management lectures. These slides are based in part upon slides by Prof. Dssouli (Concordia University).
Key Features of SNMPv3
- Modularization of documentation and architecture
  o Enables the use of SNMPv1 and SNMPv2 alongside the newly developed SNMPv3
- SNMP engine defined
  o A model for the processing of SNMP messages
- New security features
  o Secure information to prevent tampering of data
  o Access control to determine proper access to the MIB
SNMP Architecture
- Distributed, interacting collection of SNMP entities
- An SNMP entity implements a portion of the SNMP capability:
  o It acts either as an agent or a manager, or both
  o A collection of modules interacting with each other to provide services
[Figure: an SNMP entity consists of an SNMP engine (dispatcher, message processing subsystem, security subsystem, access control subsystem) and SNMP applications (command generator, command responder, notification originator, notification receiver, proxy forwarder, other)]
SNMP Architecture
Advantages:
- The role of an SNMP entity is determined by the modules implemented in that entity
  o A certain set of modules is required for an agent, while a different set is required for a manager
- The security subsystem provides services such as authentication and privacy of messages
  o Multiple security models can coexist
- A set of authorization services an application can use for checking access rights
  o Access control subsystem
SNMP Architecture-Manager
[Figure: manager entity. Applications: command generator, notification receiver, notification originator. SNMP engine: PDU dispatcher, message dispatcher and transport mappings; message processing subsystem with SNMPv1, SNMPv2c, SNMPv3 and other models; security subsystem with user-based, community-based and other security models]
SNMPv3 Architecture-Manager
- Command Generator Application
  o Monitors and manipulates management data at remote agents
  o Makes use of SNMPv1/v2 PDUs: Get, GetNext, GetBulk, etc.
- Notification Originator Application
  o Initiates messages, such as the InformRequest PDU
- Notification Receiver Application
  o Receives messages from other managers or agents
  o InformRequest, SNMPv1 and SNMPv2 Traps, etc.
- These applications make use of the services provided by the SNMP engine:
  o Gets outgoing PDUs, processes them and generates SNMP messages for transmission over the transport layer
  o Accepts incoming SNMP messages, processes them, extracts the PDUs and passes them to the appropriate SNMP application
SNMPv3 Architecture-Manager
- Dispatcher functions:
  o Accepts PDUs from applications
  o Handles messages of multiple versions (SNMPv1, v2, v3)
  o Interfaces with application modules, the network, and the message processing models
- The PDU dispatcher handles messages between the applications and the MPS
[Figure: SNMP engine (identified by snmpEngineID), with the Dispatcher highlighted beside the Message Processing Subsystem and the Security Subsystem]
SNMPv3 Architecture-Manager
- Message Processing Subsystem functions:
  o Accepts outgoing PDUs from the Dispatcher, attaches the appropriate header, and returns the message to the Dispatcher
  o Accepts incoming messages, processes each message header, and returns the enclosed PDU to the Dispatcher
  o Contains one or more Message Processing Models, one for each SNMP version
  o The SNMP version is identified in the header
[Figure: SNMP engine (identified by snmpEngineID), with the Message Processing Subsystem highlighted beside the Dispatcher and the Security Subsystem]
SNMPv3 Architecture-Manager
- The security subsystem performs authentication and encryption functions for each outgoing/incoming message
- Outgoing PDUs may be encrypted, and authentication codes generated and appended to the message header
  o The message is then returned to the MPS
- Incoming messages are passed to the security subsystem
  o Messages are decrypted
  o Messages are authenticated
[Figure: SNMP engine (identified by snmpEngineID), with the Security Subsystem highlighted beside the Dispatcher and the Message Processing Subsystem]
SNMPv3 Architecture-Agent
[Figure: agent entity. Applications: command responder, notification originator, proxy forwarder. SNMP engine: PDU dispatcher, message dispatcher and transport mappings; message processing subsystem with SNMPv1, SNMPv2c, SNMPv3 and other models; security subsystem with user-based, community-based and other security models; access control subsystem with view-based access control in front of the Management Information Base]
SNMPv3 Architecture-Agent
- Command Responder Application
  o Provides access to management data
  o Responds to incoming requests by retrieving and/or setting managed objects and issuing a Response PDU
- Notification Originator Application
  o Trap PDUs of SNMPv1, v2
- Proxy Forwarder Application
  o Forwards messages between entities
- Access Control Subsystem
  o Provides authorization services to "control access" to the MIB for reading and setting management objects
  o Who can access
  o What can be accessed
Terminology
- SNMP Engine ID (snmpEngineID): associated with each SNMP entity
- Principal (principal): person or group or application requesting services
- Security Name (securityName): human readable name
- Context Engine ID (contextEngineID): each entity has a unique context ID (identical to snmpEngineID)
- Context Name (contextName): a context associated with a managed object (for access control)
  o An SNMP agent can monitor more than one network element (context)
Example:
- SNMP Engine ID: IP address
- Principal: John Smith
- Security Name: Administrator
[Figure: four SNMP entities, each containing an SNMP engine identified by its own snmpEngineID (snmpEngineID=1, 2, 3, 4)]
Abstract Service Interfaces
- An abstract service interface is a conceptual interface between modules, independent of implementation
- Defines a set of primitives
  o A primitive specifies the function to be performed (e.g., a procedural call)
- Primitives are associated with receiving entities
  o An interface defined using primitives and parameters is referred to as an "abstract service interface"
- e.g., Dispatcher primitives:
  o Handle messages to and from applications
  o Registering and un-registering of application modules
  o Transmitting to and receiving messages from the network
- IN and OUT parameters
- Status information / result
Dispatcher Primitives
- sendPdu
  o Used by a command generator to send an SNMP request or notification PDU to another SNMP entity
  o When the Dispatcher successfully prepares the message, a sendPduHandle (unique identifier) is returned (to track any response, if one is expected)
  o The application also provides the transport domain/address for the PDU as well as the message processing model, security model, principal, level of security, the context for this PDU, and the PDU itself
[Figure: the Command Generator calls sendPdu on the Dispatcher across the abstract service interface; the Dispatcher calls prepareOutgoingMessage on the Message Processing Model; sendPduHandle or an error indication is returned]
Dispatcher Primitives
- processResponsePdu
  o Used by the Dispatcher to pass an incoming response PDU to an application
  o The application checks whether it matches a preceding request or notification PDU by checking the sendPduHandle: success or failure
[Figure: Command Generator -> sendPdu -> Dispatcher -> prepareOutgoingMessage -> Message Processing Model, with sendPduHandle/errorIndication returned; the Dispatcher later delivers processResponsePdu to the Command Generator]
Dispatcher Primitives
- processPdu
  o Used by the Dispatcher to pass an incoming request or notification PDU to an application (command responder)
  o Security-related information is required to generate a matching response message
  o The security subsystem (access control) will check whether access is allowed, and a response will be generated accordingly
- returnResponsePdu
  o Used by a command responder to return an SNMP response in response to an incoming request or notification
[Figure: the Dispatcher delivers processPdu to the Command Responder; the Command Responder calls returnResponsePdu on the Dispatcher across the abstract service interface; the Dispatcher calls prepareResponseMessage on the Message Processing Model]
Message Processing Subsystem Primitives
- prepareOutgoingMessage
  o Prepares a message for an outgoing SNMP request or notification PDU
  o The IN parameter is a PDU and the OUT parameter is the message
  o Success or failure is returned
[Figure: Command Generator -> sendPdu -> Dispatcher -> prepareOutgoingMessage -> Message Processing Model, with sendPduHandle/errorIndication returned]
Message Processing Subsystem Primitives
- prepareResponseMessage
  o Requests the preparation of a message containing an outgoing SNMP response PDU, in response to an incoming request or notification PDU
[Figure: Dispatcher -> processPdu -> Command Responder -> returnResponsePdu -> Dispatcher -> prepareResponseMessage -> Message Processing Model]
Security Subsystem Primitives
- generateRequestMessage
  o Generates a "message" containing an outgoing SNMP request or notification PDU
  o Returns to the MPS a message (possibly with authentication and encryption applied) and the associated security parameters
- processIncomingMessage
  o Provides the security function for incoming messages
  o Returns success or failure indicating the result of the security check
  o If successful, a PDU is returned to the MPS
- generateResponseMessage
  o Generates a message containing an outgoing SNMP response PDU in response to an incoming request or notification
  o Returns to the MPS a message (with some authentication and encryption applied) and the associated security parameters
Applications
[Figure: the application(s) of an SNMP entity: Command Generator, Command Responder, Notification Originator, Notification Receiver, Proxy Forwarder, Other]
Application examples:
- Command generator: get-request
- Command responder: get-response
- Notification originator: trap generation
- Notification receiver: trap processing
- Proxy forwarder: get-bulk to get-next (SNMP versions only)
- Other: special application
Command Generator
[Figure: the Command Generator sends a get-request message to the network and receives a get-response message. Outgoing path: Command Generator -> sendPdu -> Dispatcher -> prepareOutgoingMessage -> Message Processing Model -> generateRequestMsg -> Security Model; a PduHandle is returned to the Command Generator. Incoming path: Dispatcher -> prepareDataElements -> Message Processing Model -> processIncomingMsg -> Security Model; then Dispatcher -> processResponsePdu -> Command Generator]
Command Generator:
1) Examine the parameters of the received PDU and match/compare them with a cached copy (security model/level/name, contextName, etc.). If there is no match, the message is discarded
2) Check the received PDU (check the request-id, etc.)
3) If all is OK, then take action
Command Responder
[Figure 7.6 Command Responder Application: the Command Responder receives a get-request message from the network and sends a get-response message. Incoming path: Dispatcher -> prepareDataElements -> Message Processing Model -> processIncomingMsg -> Security Model; then Dispatcher -> processPdu -> Command Responder, which has registered via registerContextEngineID. Outgoing path: Command Responder -> returnResponsePdu -> Dispatcher -> prepareResponseMsg -> Message Processing Model -> generateResponseMsg -> Security Model]
Command Responder:
1) Examines the content of the request PDU. Checks whether the object has already been registered with the responder
2) The isAccessAllowed primitive is invoked (to determine whether the object can be accessed by the principal making the request); the security level is checked
3) If access is permitted, prepare a response.
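The isAccessAllowed step above, as an added example in Python that is not part of the lecture slides. It models, in simplified form, the view-based check an agent's access control subsystem performs for one variable of a request: the inputs are the primitive's parameters named on the scenario slides (securityModel, securityName, securityLevel, contextName, viewType, variableName). The group, access and view tables, the OIDs and the "monitor"/"admin" user names are constructed sample configuration for a hypothetical agent; the statusInformation strings follow the names used by the view-based access control model.

```python
# Added example (not from the lecture slides): a simplified model of the
# isAccessAllowed check a command responder makes before serving a request.
# The GROUPS / ACCESS / VIEWS tables are constructed sample data for one
# hypothetical agent, not a real agent's configuration.
from dataclasses import dataclass

LEVEL_RANK = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}


@dataclass(frozen=True)
class ViewEntry:
    subtree: tuple          # OID prefix, e.g. (1, 3, 6, 1, 2, 1) for mib-2
    included: bool = True   # False marks an excluded family inside a view


# (securityModel, securityName) -> group  (constructed)
GROUPS = {("usm", "monitor"): "ro-group", ("usm", "admin"): "rw-group"}
# group -> minimum securityLevel and the view usable for each viewType  (constructed)
ACCESS = {
    "ro-group": {"level": "authNoPriv", "read": "mib2", "write": None},
    "rw-group": {"level": "authPriv",   "read": "all",  "write": "all"},
}
# view name -> subtree families; the longest matching family decides  (constructed)
VIEWS = {
    "all":  [ViewEntry((1,))],
    "mib2": [ViewEntry((1, 3, 6, 1, 2, 1)),
             ViewEntry((1, 3, 6, 1, 2, 1, 3), included=False)],  # hide the at group
}
CONTEXTS = {""}   # only the default context is realized by this agent


def parse_oid(text):
    """'1.3.6.1.2.1.1.1.0' -> (1, 3, 6, 1, 2, 1, 1, 1, 0)"""
    return tuple(int(part) for part in text.strip(".").split("."))


def in_view(view_name, oid):
    """True when the most specific matching family of the view includes the OID."""
    best = None
    for entry in VIEWS.get(view_name, ()):
        if oid[:len(entry.subtree)] == entry.subtree:
            if best is None or len(entry.subtree) > len(best.subtree):
                best = entry
    return best is not None and best.included


def is_access_allowed(security_model, security_name, security_level,
                      context_name, view_type, variable_name):
    """Return (allowed, statusInformation) for one variable of a request."""
    if context_name not in CONTEXTS:
        return False, "noSuchContext"
    group = GROUPS.get((security_model, security_name))
    if group is None:
        return False, "noGroupName"
    access = ACCESS[group]
    # the access entry only applies at or above its minimum security level
    if LEVEL_RANK[security_level] < LEVEL_RANK[access["level"]]:
        return False, "noAccessEntry"
    view_name = access.get(view_type)
    if view_name is None:
        return False, "noSuchView"
    if not in_view(view_name, parse_oid(variable_name)):
        return False, "notInView"
    return True, "accessAllowed"


if __name__ == "__main__":
    for args in [("usm", "monitor", "authNoPriv", "", "read", "1.3.6.1.2.1.1.1.0"),
                 ("usm", "monitor", "authNoPriv", "", "read", "1.3.6.1.2.1.3.1.1.1.1"),
                 ("usm", "monitor", "noAuthNoPriv", "", "read", "1.3.6.1.2.1.1.1.0"),
                 ("usm", "monitor", "authNoPriv", "", "write", "1.3.6.1.2.1.1.5.0"),
                 ("usm", "admin", "authPriv", "", "write", "1.3.6.1.4.1.99999.1.0")]:
        print(args[1], args[2], args[4], args[5], "->", is_access_allowed(*args))
```

The check is ordered the way the slide describes it: the principal is first resolved to a group, then the request's security level is compared with the minimum the access entry demands, and only then is the variable's OID matched against the view. Note that a request sent with a weaker security level than the entry requires is refused even when the OID itself would be readable.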
Scenario Diagrams
[Figure: two SNMP entities side by side, each showing its Applications, Dispatcher, Message Processing Subsystem, Security Subsystem and Access Control Subsystem; successive slides highlight one primitive of the request/response exchange at a time]
Parameters passed across the abstract service interfaces:
- transportDomain, transportAddress
- messageProcessingModel
- securityModel, securityName, securityLevel
- contextEngineID, contextName
- pduVersion, PDU, pduType
- expectResponse
- maxSizeResponseScopedPDU
- stateReference, statusInformation
- sendPduHandle
- destTransportDomain, destTransportAddress
- outgoingMessage, outgoingMessageLength
- wholeMsg, wholeMsgLength
- viewType, variableName
- globalData, maxMessageSize
- securityEngineID
- scopedPDU
- securityParameters, securityStateReference
Primitives highlighted in turn across the scenario slides (request from the manager, response from the agent):
1) sendPdu (Applications -> Dispatcher)
2) prepareOutgoingMessage (Dispatcher -> Message Processing Subsystem)
3) generateRequestMsg (Message Processing Subsystem -> Security Subsystem)
4) send and receive (Dispatcher to Dispatcher over the network)
5) prepareDataElements (Dispatcher -> Message Processing Subsystem)
6) processIncomingMsg (Message Processing Subsystem -> Security Subsystem)
7) processPdu (Dispatcher -> Applications)
8) isAccessAllowed (Applications -> Access Control Subsystem)
9) returnResponsePdu (Applications -> Dispatcher)
10) prepareResponseMessage (Dispatcher -> Message Processing Subsystem)
11) generateResponseMsg (Message Processing Subsystem -> Security Subsystem)
12) send and receive (Dispatcher to Dispatcher over the network)
13) prepareDataElements (Dispatcher -> Message Processing Subsystem)
14) processIncomingMsg (Message Processing Subsystem -> Security Subsystem)
15) processResponsePdu (Dispatcher -> Applications)
Message Format
[Figure: whole message = Version | Global/Header Data (Message ID, Message Max. Size, Message Flags, Message Security Model) | Security Parameters (Authoritative Engine ID, Authoritative Engine Boots, Authoritative Engine Time, User Name, Authentication Parameters, Privacy Parameters) | Plaintext/Encrypted scopedPDU Data (Context Engine ID, Context Name, Data = scopedPDU)]
- Version: 1 SNMPv1, 2 SNMPv2, 3 SNMPv3
- Message flags: reportableFlag, privFlag, authFlag
- Time synchronization between entities to avoid message replay and achieve timeliness

Message Format
Field (object name): description
- Version (msgVersion): SNMP version number of the message format
- Message ID (msgID): administrative ID associated with the message
- Message Max. Size (msgMaxSize): maximum size supported by the sender
- Message flags (msgFlags): bit fields identifying report, authentication, and privacy of the message
- Message Security Model (msgSecurityModel): security model used for the message; concurrent multiple models allowed
- Security Parameters (msgSecurityParameters, see Table 7.8): security parameters used for communication between the sending and receiving security modules
- Plaintext/Encrypted scopedPDU Data (scopedPduData): choice of plaintext or encrypted scopedPDU; the scopedPDU uniquely identifies context and PDU
- Context Engine ID (contextEngineID): unique ID of a context (managed entity) with a context name realized by an SNMP entity
- Context Name (contextName): name of the context (managed entity)
- PDU (data): contains the unencrypted PDU
See p. 304
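The header fields of the table above, worked through as an added Python example that is not part of the slides. It encodes and decodes the msgFlags octet (bit 0 = authFlag, bit 1 = privFlag, bit 2 = reportableFlag, as RFC 3412 defines them) and applies the receiver-side sanity checks an engine makes on the global data before handing the message to the security subsystem: privFlag set without authFlag has no defined security level and is rejected, and msgID and msgMaxSize must lie in the 0..2147483647 and 484..2147483647 ranges RFC 3412 gives. The header values fed in at the bottom are constructed.

```python
# Added example (not from the slides): msgFlags encoding/decoding and a
# header check for SNMPv3 global data. Bit layout per RFC 3412.
AUTH_FLAG, PRIV_FLAG, REPORTABLE_FLAG = 0x01, 0x02, 0x04
LEVEL_BITS = {"noAuthNoPriv": 0,
              "authNoPriv": AUTH_FLAG,
              "authPriv": AUTH_FLAG | PRIV_FLAG}
SNMPV3 = 3
MAX_INT32 = 2**31 - 1
MIN_MSG_MAX_SIZE = 484   # smallest msgMaxSize a sender may advertise


def encode_flags(security_level, reportable):
    """securityLevel + reportableFlag -> the one-octet msgFlags field."""
    bits = LEVEL_BITS[security_level]
    if reportable:
        bits |= REPORTABLE_FLAG
    return bytes([bits])


def decode_flags(octet):
    """msgFlags octet -> (securityLevel, reportableFlag); raises on bad combos."""
    if len(octet) != 1:
        raise ValueError("msgFlags must be exactly one octet")
    bits = octet[0]
    auth = bool(bits & AUTH_FLAG)
    priv = bool(bits & PRIV_FLAG)
    if priv and not auth:
        # privacy without authentication is not a valid security level
        raise ValueError("invalid msgFlags: privFlag set without authFlag")
    level = "authPriv" if priv else ("authNoPriv" if auth else "noAuthNoPriv")
    return level, bool(bits & REPORTABLE_FLAG)


def check_header(msg_version, msg_id, msg_max_size, msg_flags):
    """Validate the global/header data; returns (ok, reason, securityLevel)."""
    if msg_version != SNMPV3:
        return False, "unsupported msgVersion", None
    if not 0 <= msg_id <= MAX_INT32:
        return False, "msgID out of range", None
    if not MIN_MSG_MAX_SIZE <= msg_max_size <= MAX_INT32:
        return False, "msgMaxSize out of range", None
    try:
        level, _reportable = decode_flags(msg_flags)
    except ValueError as exc:
        return False, str(exc), None
    return True, "ok", level


if __name__ == "__main__":
    # constructed header values
    print(encode_flags("authPriv", reportable=True))   # b'\x07'
    print(check_header(3, 42, 65507, b"\x03"))         # (True, 'ok', 'authPriv')
    print(check_header(3, 42, 65507, b"\x02"))         # rejected: priv without auth
    print(check_header(3, 42, 100, b"\x01"))           # rejected: msgMaxSize too small
```

The security level recovered from msgFlags is what the message processing model passes down to the security model as securityLevel, so a malformed flag byte is caught here, before any authentication or decryption work is done on the message.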
Security Threats
- Modification of Information: an entity may alter in-transit SNMP messages generated on behalf of an authorized principal in such a way as to effect unauthorized management operations, including falsifying the value of an object
- Masquerade: management operations not authorized for some entity may be attempted by assuming the identity of another entity that has the appropriate authorizations
[Figure: Management Entity A and Management Entity B exchanging messages, with the four threats labelled: modification of information, masquerade, message stream modification, disclosure]
Security Threats
- Message Stream Modification: SNMP is typically based upon a connectionless transport service. Messages may be maliciously re-ordered, delayed or replayed, in order to effect unauthorized management operations.
  o For example, a message to reboot a system could be copied and replayed later
- Disclosure: eavesdropping on, or intercepting, the exchanges between SNMP engines
[Figure: Management Entity A and Management Entity B exchanging messages, with the four threats labelled: modification of information, masquerade, message stream modification, disclosure]
Security Threats
SNMPv3 is not intended to secure against these two threats:
- Denial of Service: an attacker may prevent exchanges between manager and agent
  o DoS is indistinguishable from network element failures
  o DoS may disrupt all services (not just those pertaining to NM)
- Traffic Analysis: an attacker may observe the general pattern of traffic between managers and agents
[Figure: Management Entity A and Management Entity B exchanging messages, with the four threats labelled: modification of information, masquerade, message stream modification, disclosure]
Security Model Goals
o Data Integrity (Authentication)
o Authentication
o Message redirection/re-ordering/delay/replay
o Data encryption/decryption
Security Model
- The Security Model authenticates and forwards incoming and outgoing messages to the MPM
- 3 different modules
  o Authentication module
  o Privacy module
  o Timeliness module
[Figure: Security Subsystem beside the Message Processing Model, containing the Authentication Module (data integrity, data origin authentication), the Privacy Module (data confidentiality) and the Timeliness Module (message timeliness and limited replay protection)]
Authentication Module
- Data integrity
  o Message authentication at the sender and validation at the receiver
  o Ensures that a message is not modified by an unauthorized intruder
  o Authentication protocols: HMAC-MD5-96 / HMAC-SHA-96
- Data origin authentication
  o Checks the identity of the user on whose behalf a message is sent
  o Appends to the message a unique identifier associated with the authoritative SNMP engine
[Figure: Security Subsystem beside the Message Processing Model, with the Authentication Module (data integrity, data origin authentication) highlighted next to the Privacy Module (data confidentiality) and the Timeliness Module (message timeliness and limited replay protection)]
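HMAC-SHA-96 as the authentication module uses it, written out as an added Python example that is not part of the slides. It covers both bullets above: data integrity (the sender computes HMAC-SHA-1 over the whole message with the 12-octet msgAuthenticationParameters field zeroed, keeps the first 96 bits and writes them into that field; the receiver recomputes and compares) and data origin authentication (the key is localized to the authoritative engine's snmpEngineID with the RFC 3414 password-to-key procedure, so the same password yields a different key per engine). The message bytes, field offset, passphrase and engine ID in the block are constructed; the test vector checked at the end (password "maplesyrup", engine ID 00000000000000000002) is the one published in RFC 3414.

```python
# Added example (not from the slides): HMAC-SHA-96 for SNMPv3 USM plus the
# RFC 3414 password-to-key localization. Message layout below is a stand-in.
import hashlib
import hmac

TAG_LEN = 12            # "-96": the 96-bit truncation of the HMAC output
ONE_MIB = 1_048_576     # password stream length used by password_to_key


def password_to_key(password, engine_id, digest="sha1"):
    """RFC 3414 A.2: Ku = H(password repeated to 1 MiB); Kul = H(Ku|engineID|Ku)."""
    pw = password.encode()
    stream = (pw * (ONE_MIB // len(pw) + 1))[:ONE_MIB]
    ku = hashlib.new(digest, stream).digest()
    return hashlib.new(digest, ku + engine_id + ku).digest()


def hmac_sha_96(auth_key, data):
    return hmac.new(auth_key, data, hashlib.sha1).digest()[:TAG_LEN]


def _with_zeroed_tag(msg, auth_offset):
    """The MAC is computed with msgAuthenticationParameters set to 12 zero octets."""
    return msg[:auth_offset] + bytes(TAG_LEN) + msg[auth_offset + TAG_LEN:]


def authenticate_outgoing(auth_key, msg, auth_offset):
    """Sender: fill the msgAuthenticationParameters field of an outgoing message."""
    tag = hmac_sha_96(auth_key, _with_zeroed_tag(msg, auth_offset))
    return msg[:auth_offset] + tag + msg[auth_offset + TAG_LEN:]


def verify_incoming(auth_key, msg, auth_offset):
    """Receiver: recompute the tag and compare in constant time."""
    received = msg[auth_offset:auth_offset + TAG_LEN]
    expected = hmac_sha_96(auth_key, _with_zeroed_tag(msg, auth_offset))
    return hmac.compare_digest(received, expected)


# Constructed stand-in for a serialized message: some header bytes, a 12-byte
# placeholder where msgAuthenticationParameters sits, then the scopedPDU.
ENGINE_ID = bytes.fromhex("80001f8880e9bd0b5a0ac7ea00")   # constructed engine ID
SAMPLE_MSG = (b"\x30\x3e\x02\x01\x03HEADER" + bytes(TAG_LEN)
              + b"\x30\x10scopedPDU:sysDescr.0")
AUTH_OFFSET = SAMPLE_MSG.index(bytes(TAG_LEN))


def demo():
    """Sign a message, verify it, then show that one flipped byte is rejected."""
    key = password_to_key("constructed-passphrase", ENGINE_ID)   # constructed
    signed = authenticate_outgoing(key, SAMPLE_MSG, AUTH_OFFSET)
    tampered = bytearray(signed)
    tampered[-1] ^= 0x01          # modify one byte of the scopedPDU in transit
    return (verify_incoming(key, signed, AUTH_OFFSET),
            verify_incoming(key, bytes(tampered), AUTH_OFFSET))


if __name__ == "__main__":
    print(demo())   # (True, False)
```

Two details matter in practice: the field being authenticated must be zeroed before the MAC is computed on both sides, and the comparison of the received tag uses a constant-time compare so that verification time does not leak how many leading bytes matched.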
Privacy Module
- Data confidentiality ensures that data is not made available to unauthorized users or entities
- Encryption is applied at the sender and decryption at the receiver (CBC-DES)
[Figure: Security Subsystem beside the Message Processing Model, with the Privacy Module (data confidentiality) highlighted next to the Authentication Module (data integrity, data origin authentication) and the Timeliness Module (message timeliness and limited replay protection)]
Timeliness Module
- Prevents message redirection, delay and replay
- Configures a receiver window for accepting messages (e.g., 150 s for SNMPv3)
- Three objects: snmpEngineID, snmpEngineBoots, snmpEngineTime
[Figure: Security Subsystem beside the Message Processing Model, with the Timeliness Module (message timeliness and limited replay protection) highlighted next to the Authentication Module (data integrity, data origin authentication) and the Privacy Module (data confidentiality)]
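The timeliness window above, worked through as an added Python example that is not from the slides. It models the USM time-window check of RFC 3414 for both sides of an exchange: the authoritative engine (normally the agent) accepts a message only if msgAuthoritativeEngineBoots equals its own snmpEngineBoots and msgAuthoritativeEngineTime is within 150 s of its snmpEngineTime, while a non-authoritative engine (the manager) keeps, per snmpEngineID, the boots/time values it has learned from authenticated messages and refuses anything older than that. A boots counter of 2^31-1 latches the engine and everything is refused until it is reconfigured. The clock values and the engine ID in the block are constructed.

```python
# Added example (not from the slides): the USM timeliness check, authoritative
# and non-authoritative sides, with the 150 s window. Values are constructed.
WINDOW = 150
LATCHED_BOOTS = 2**31 - 1   # once boots reach this, every message is refused


def authoritative_in_window(local_boots, local_time, msg_boots, msg_time):
    """Receiver is the authoritative engine for this message (e.g. the agent)."""
    if local_boots == LATCHED_BOOTS:
        return False
    if msg_boots != local_boots:
        return False                  # sender has stale boots (we rebooted)
    return abs(local_time - msg_time) <= WINDOW


class NonAuthoritativeEngine:
    """What a manager has learned about each remote authoritative engine."""

    def __init__(self):
        self.known = {}   # snmpEngineID -> (boots, latestReceivedEngineTime)

    def check_and_update(self, engine_id, msg_boots, msg_time, authenticated=True):
        if engine_id not in self.known:
            # first contact (engine discovery): adopt the peer's values
            self.known[engine_id] = (msg_boots, msg_time)
            return True
        boots, latest = self.known[engine_id]
        if boots == LATCHED_BOOTS or msg_boots < boots:
            return False
        if msg_boots == boots and msg_time < latest - WINDOW:
            return False              # too old: replayed or badly delayed
        # only authenticated messages may move our notion of the peer's clock
        if authenticated and (msg_boots > boots or
                              (msg_boots == boots and msg_time > latest)):
            self.known[engine_id] = (msg_boots, msg_time)
        return True


def replay_scenario():
    """Agent receives a message, then a copy 200 s later, then one after a reboot."""
    boots, now = 7, 10_000                       # constructed agent clock
    fresh = authoritative_in_window(boots, now, msg_boots=7, msg_time=now - 5)
    replayed = authoritative_in_window(boots, now + 200, msg_boots=7, msg_time=now - 5)
    after_reboot = authoritative_in_window(boots + 1, 30, msg_boots=7, msg_time=now - 5)
    return fresh, replayed, after_reboot


if __name__ == "__main__":
    print(replay_scenario())   # (True, False, False)
    mgr = NonAuthoritativeEngine()
    eid = b"\x80\x00\x00\x00\x01"   # constructed engine ID
    print(mgr.check_and_update(eid, 7, 5000), mgr.check_and_update(eid, 7, 4849))
```

This is why the slide calls the protection "limited" replay protection: a copied message replayed inside the 150 s window still passes the timeliness check, and only the request-id matching done by the command generator and the per-request semantics of the PDU limit the damage within that window.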