Presentation is loading. Please wait.

Presentation is loading. Please wait.

ISMS IETF72 David Harrington. Status IETF72 Transport Subsystem for the Simple Network Management Protocol (SNMP) –IETF69: draft-ietf-isms-tmsm-09.txt.

Published byWesley Hopkins Modified over 8 years ago

Similar presentations

Presentation on theme: "ISMS IETF72 David Harrington. Status IETF72 Transport Subsystem for the Simple Network Management Protocol (SNMP) –IETF69: draft-ietf-isms-tmsm-09.txt."— Presentation transcript:

1 ISMS IETF72 David Harrington

2 Status IETF72 Transport Subsystem for the Simple Network Management Protocol (SNMP) –IETF69: draft-ietf-isms-tmsm-09.txt –IETF72: draft-ietf-isms-tmsm-12.txt Transport Security Model for SNMP –IETF69: draft-ietf-isms-transport-security-model-05.txt –IETF72: draft-ietf-isms-transport-security-model-08.txt Secure Shell Transport Model for SNMP –IETF69: draft-ietf-isms-secshell-08.txt –IETF72: draft-ietf-isms-secshell-11.txt

3 Status IETF72 WGLC started following ietf69: –draft-ietf-isms-tmsm-09.txt –draft-ietf-isms-transport-security-model-05.txt –draft-ietf-isms-secshell-08.txt

4 Transport Subsystem

5 draft-ietf-isms-tmsm-12.txt Compatibility with SNMPv3, RFC2119 and RFC4181 Security considerations for v1/v2c co-existence Updated architectural diagrams and ASIs Same security for request/response Moved comparison with USM to TSM document IANA duplicate registries fixed

6 Transport Security Model

7 draft-ietf-isms-transport-security-model-08.txt Compatibility with SNMPv3, RFC2119 and RFC4181 Added tsmLCD MIB Differentiated requested/actual securityLevels Eliminated all mention of sessions from TSM

8 SSH Transport Model

9 draft-ietf-isms-secshell-11.txt Compatibility with SNMPv3, RFC2119 and RFC4181 Added sshtmLCD MIB Differentiated requested/actual securityLevels Notification originators act as SSH client Op considerations about client key distribution Session cleanup to prevent reuse security hole Resolved#8: TM cannot specify SM

10 Open Issues Predictability of securityName/identity mappings

11 Open Issues #2,3 Admins need to configure user-specific policies into the VACM MIB and Target MIB and Event MIB using securityName. The (possibly multi-step) transform to/from a specific transport-security mechanism from/to a securityName must be predictable An admin must be able to predict what the securityName will be for a given principal authenticated by a security mechanism, and which security identity will be used for a given securityName.

12 Open Issue #2a – incoming TM SSHTM does not have predictability in generating tmSecurityName from the various security mechanisms SSH can use. SSH provides a required “user name” field, but makes the content optional, so we cannot rely on the value of “user name” to construct a predictable transform. We could require that for SNMP usage, only mechanisms/implementations that provide predictable “user name” content be used.

13 Open Issue #2b – incoming SM TSM does not have predictability in mapping from tmSecurityName to securityName We could state that securityName must be set to the value of tmSecurityName to make this predictable. Problem: different TMs could automatically generate the same tmSecurityName for different principals

14 Open Issue #2c – incoming SM Problem: Different TMs might generate the same tmSecurityName for different principals Proposal: add a mapping table in TSM to map SSH::tmSecurityName and TLS::tmSecurityName to different securityNames (and allow mapping different tmSecurityNames to a single securityName) These are extra features, with extra complexity, requiring admin pre-configuration This might be handled in the SSH and TLS configurations rather than in an SNMP-specific solution

15 Open Issue #2a – outgoing TM SSHTM does not have predictability in mapping tmSecurityName to the various security mechanisms SSH can use, including session identifiers.

16 Open Issue #2b – outgoing SM TSM does not have predictability in mapping from securityName to tmSecurityName We could state that tmSecurityName must be set to the value of securityName to make this predictable.

17 Open Issue #3c – outgoing SM Problem: Different TMs might utilize the same tmSecurityName for different principals or sessions Proposal: add a mapping table in TSM to map different securityNames to SSH::tmSecurityName and TLS::tmSecurityName and/or session IDs These are extra features, with extra complexity, requiring admin pre-configuration This might be handled in the SSH and TLS configurations rather than in an SNMP-specific solution

18 Thank You Questions?

Download ppt "ISMS IETF72 David Harrington. Status IETF72 Transport Subsystem for the Simple Network Management Protocol (SNMP) –IETF69: draft-ietf-isms-tmsm-09.txt."

Similar presentations

1 ISMS WG 79th IETF Beijing November 10, 2010 Goal:Creating a security model for SNMPv3 that will meet the security and operational needs of network administrators.

1 ISMS WG 79th IETF Beijing November 10, 2010 Goal:Creating a security model for SNMPv3 that will meet the security and operational needs of network administrators.
Dynamic Symmetric Key Provisioning Protocol (DSKPP)

Dynamic Symmetric Key Provisioning Protocol (DSKPP)
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
SNMP v3.

SNMP v3.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
May 12, 2015IEEE Network Management Symposium Page-1 Requirements for Configuration Management of IP-based Networks Luis A. Sanchez Chief Technology Officer,

May 12, 2015IEEE Network Management Symposium Page-1 Requirements for Configuration Management of IP-based Networks Luis A. Sanchez Chief Technology Officer,
2004-08-06miasma1 Minimally Integrated Access Security Module Application isms BOF IETF-60, San Diego, California Randy Presuhn

miasma1 Minimally Integrated Access Security Module Application isms BOF IETF-60, San Diego, California Randy Presuhn
Networked Device Management with SNMP SIA Working Group Presentation ASIS 2014 (Atlanta) SIA SNMP Working Group ASIS 20141.

Networked Device Management with SNMP SIA Working Group Presentation ASIS 2014 (Atlanta) SIA SNMP Working Group ASIS
1 Network Management and SNMP  What is Network Management?  ISO Network Management Model (FCAPS)  Network Management Architecture  SNMPv1 and SNMPv2.

1 Network Management and SNMP  What is Network Management?  ISO Network Management Model (FCAPS)  Network Management Architecture  SNMPv1 and SNMPv2.
Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.

Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.
Integrated Security Model for SNMPv3 (ISMS) pronounced is miss David T. Perkins & Wes Hardaker 60 th IETF August 6, 2004.

Integrated Security Model for SNMPv3 (ISMS) pronounced "is" "miss" David T. Perkins & Wes Hardaker 60 th IETF August 6, 2004.
SNMPv3 Yen-Cheng Chen Department of Information Management National Chi Nan University

SNMPv3 Yen-Cheng Chen Department of Information Management National Chi Nan University
Session-based Security Model for SNMPv3 (SNMPv3/SBSM) David T. Perkins Wes Hardaker IETF November 12, 2003.

Session-based Security Model for SNMPv3 (SNMPv3/SBSM) David T. Perkins Wes Hardaker IETF November 12, 2003.
Automated XML Content Data Exchange and Management draft-waltermire-content-repository-00

Automated XML Content Data Exchange and Management draft-waltermire-content-repository-00
Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.

Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.
CSD 2006 / TEAM 12 Final presentation 29 th May 2006.

CSD 2006 / TEAM 12 Final presentation 29 th May 2006.
Unrestricted Connection manager MIF WG IETF 78, Maastricht 2010-07-29 Gaëtan Feige, Cisco (presenter) Pierrick Seïté, France Telecom -

Unrestricted Connection manager MIF WG IETF 78, Maastricht Gaëtan Feige, Cisco (presenter) Pierrick Seïté, France Telecom -
On the Impact of Security Protocols on the Performance of SNMP J. Schonwalder and V. Marinov IEEE Transactions on Network and Service Management, 2011,

On the Impact of Security Protocols on the Performance of SNMP J. Schonwalder and V. Marinov IEEE Transactions on Network and Service Management, 2011,
1 Introduction to Internet Network Management Mi-Jung Choi Dept. of Computer Science KNU

1 Introduction to Internet Network Management Mi-Jung Choi Dept. of Computer Science KNU
September, 2005What IHE Delivers 1 ITI Security Profiles – ATNA, CT IHE Vendors Webinar 2006 IHE IT Infrastructure Education Robert Horn, Agfa Healthcare.

September, 2005What IHE Delivers 1 ITI Security Profiles – ATNA, CT IHE Vendors Webinar 2006 IHE IT Infrastructure Education Robert Horn, Agfa Healthcare.

Similar presentations

Ads by Google