ISMS BOF: SBSM, August 6, 2004, Hardaker/Perkins

SBSM BOF
Session-Based Security Model for SNMPv3

Wes Hardaker, David T. Perkins
August 06, 2004
(draft-hardaker-snmp-sbsm-03.txt)

Page 1: SBSM BOF, Session-Based Security Model for SNMPv3 (title slide)

Page 2: SBSM Protocol Proposal

• Current draft:
  – draft-hardaker-snmp-sbsm-03.txt
• Creates a “session” between two points

Page 3: SBSM Protocol Details

• Works over any transport (UDP/TCP/...)
• Requires no modifications to existing SNMPv3 components
  – apps, MP, Dispatcher, VACM, …
• Requires no new SNMP PDU types
• All security and parameter negotiation (eg, auth/priv types) is application invisible
• Compression before encryption support

Page 4: SBSM Protocol Security

• Supports multiple types of identification
  – Reuses existing infrastructure
  – Identities are protected from sniffers
  – Initiator identity is protected from active identity discovery attacks
  – Requires no outside infrastructure, but can use it if available
  – Able to handle all operator authentication needs
  – Authenticates both sides independently
• Protects against replay entirely
  – Retries will resend the exact same response

Page 5: SBSM Protocol Security (continued)

• Based on the SIGMA key-exchange protocol
  – Uses a Diffie-Hellman exchange
  – A proven secure protocol
  – Also used in the widely deployed IKE protocol
• Uses existing SNMPv3 security algorithms for message authentication and encryption
  – SHA1/MD5 & DES/AES
  – Security parameters are negotiated

Page 6: SBSM Protocol

• SNMPv3/SBSM divided into 3 phases:
  – Initialization
  – Running
  – Closing
• Initialization PDUs sent are GET/REPORT PDUs, but the application never sees them
  – Similar to EngineID discovery today

Page 7: Session State Information

• Status (initializing, running, closed)
• Remote identity type and name
• Remote EngineID
• Anti-replay support parameters
• Authentication & Encryption parameters
  – Algorithms, incoming/outgoing keys, algorithm specific parameters
• Session parameters:
  – Numeric identifiers, start time, max length
• Additional implementation specific parameters

Page 8: Session Message Flow

(Figure: message sequence between SNMP App / SBSM Initiator on one side and SBSM Responder / SNMP App on the other, laid out in three phases)

Initialization: SNMP PDU handed to the initiator; Init 1 and Init 2 exchanged between SBSM Initiator and SBSM Responder
Running: SNMP PDUs exchanged in both directions ...
Closing: Close exchanged between the two sides

Traffic protected by SBSM

Note: Other SNMPv3 components (MP, etc) not shown but exist where expected
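Pages 4, 6, 7 and 8 together describe the responder's per-session bookkeeping: a status that moves through initializing, running and closed; the session fields listed on page 7; and an anti-replay rule under which a retried request gets back the exact same response. The block below is an added example, not code from the draft or its authors, that implements that bookkeeping for the running phase. The wire layout (sequence number, session id, payload, HMAC-SHA1 tag), the field names and the sample keys are assumptions constructed for the example; the draft's actual encoding is not on the page.

```python
"""Responder-side session state and anti-replay handling for an SBSM-style
security model (constructed example; wire format and names are assumptions)."""
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Optional

INITIALIZING, RUNNING, CLOSED = "initializing", "running", "closed"
TAG_LEN = 20   # full HMAC-SHA1 output


@dataclass
class Session:
    session_id: int                         # numeric identifier (page 7)
    remote_identity: tuple                  # (identity type, name)
    remote_engine_id: bytes
    in_key: bytes                           # authenticates traffic we receive
    out_key: bytes                          # authenticates traffic we send
    status: str = INITIALIZING
    start_time: float = field(default_factory=time.monotonic)
    max_length: float = 3600.0              # seconds the session may live
    next_seq: int = 0                       # anti-replay: lowest sequence still acceptable
    last_response: Optional[tuple] = None   # (seq, wire bytes) kept so a retry gets the same reply


def _tag(key, body):
    return hmac.new(key, body, hashlib.sha1).digest()


def seal(key, session_id, seq, payload):
    """Build an authenticated message: seq(4) || session_id(4) || payload || tag."""
    body = seq.to_bytes(4, "big") + session_id.to_bytes(4, "big") + payload
    return body + _tag(key, body)


def open_msg(key, wire):
    """Return (seq, session_id, payload), or None if the tag does not verify."""
    if len(wire) < 8 + TAG_LEN:
        return None
    body, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(key, body)):
        return None
    return int.from_bytes(body[:4], "big"), int.from_bytes(body[4:8], "big"), body[8:]


def handle_request(s, wire, app, now=None):
    """Responder: return the reply's wire bytes, or None when the message is dropped.
    `app` is the SNMP application callback; it is only invoked for fresh requests."""
    now = time.monotonic() if now is None else now
    if s.status != RUNNING:                 # only the running phase carries app traffic
        return None
    if now - s.start_time > s.max_length:   # session exceeded its max length: close it
        s.status = CLOSED
        return None
    parsed = open_msg(s.in_key, wire)
    if parsed is None:                      # forged or corrupted: drop
        return None
    seq, sid, payload = parsed
    if sid != s.session_id:
        return None
    if s.last_response is not None and seq == s.last_response[0]:
        return s.last_response[1]           # retry: resend the exact same response
    if seq < s.next_seq:
        return None                         # replay of an older request: drop
    s.next_seq = seq + 1
    reply = seal(s.out_key, s.session_id, seq, app(payload))
    s.last_response = (seq, reply)
    return reply


def run_demo():
    """Exercise the rules on constructed traffic and report what happened."""
    app_calls = []

    def app(payload):
        app_calls.append(payload)
        return b"reply:" + payload

    key_i2r, key_r2i = b"constructed-key-i2r", b"constructed-key-r2i"
    s = Session(session_id=7, remote_identity=("usm", "operator"),
                remote_engine_id=b"\x80\x00\x00\x01", in_key=key_i2r,
                out_key=key_r2i, status=RUNNING)
    req0 = seal(key_i2r, 7, 0, b"get sysUpTime")
    req1 = seal(key_i2r, 7, 1, b"get sysName")
    first = handle_request(s, req0, app)
    retry = handle_request(s, req0, app)            # identical bytes, app not re-run
    second = handle_request(s, req1, app)
    stale = handle_request(s, req0, app)            # older request replayed: dropped
    forged = handle_request(s, req1[:-1] + bytes([req1[-1] ^ 1]), app)   # bad tag
    expired = handle_request(s, seal(key_i2r, 7, 2, b"x"), app,
                             now=s.start_time + s.max_length + 1)
    return {"app_calls": len(app_calls),
            "retry_identical": retry == first,
            "stale_dropped": stale is None,
            "forged_dropped": forged is None,
            "expired_closes": expired is None and s.status == CLOSED,
            "reply_opens": open_msg(key_r2i, second)[2] == b"reply:get sysName"}
```

The one-entry `last_response` cache is what makes "retries will resend the exact same response" hold without re-executing the SNMP operation: a retransmitted or replayed copy of the most recent request only ever yields bytes the responder has already sent, and anything older than that is discarded.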

Page 9: Questions?

• Note: this was a high level presentation
  – More details in the last BOF when this was the only candidate

Page 10: Identification Schemes

(Figure: Manager and Agent, each with a Local DB)

Used for:
• Current USM model
• Local Accounts
• SSH Identities

Page 11: Identification Schemes

(Figure: Manager and Agent, both consulting an Identification Server)

Used for:
• Radius
• TACACS+

Page 12: Identification Schemes

(Figure: Manager and Agent, both obtaining tickets from a Ticket Master)

Used for:
• Kerberos

Page 13: Identification Schemes

(Figure: Manager and Agent, with a Certificate Authority)

Used for:
• PKI deployments (CA use is optional on both sides)

Page 14: VACM interaction

(Figure: From Network -> Dispatcher -> Message Processor -> Security Model (SBSM) -> Agent VACM)

Security model = SBSM
Security model = Identity security model