ISMS IETF72 David Harrington

Status IETF72
Transport Subsystem for the Simple Network Management Protocol (SNMP)
– IETF69: draft-ietf-isms-tmsm-09.txt
– IETF72: draft-ietf-isms-tmsm-12.txt
Transport Security Model for SNMP
– IETF69: draft-ietf-isms-transport-security-model-05.txt
– IETF72: draft-ietf-isms-transport-security-model-08.txt
Secure Shell Transport Model for SNMP
– IETF69: draft-ietf-isms-secshell-08.txt
– IETF72: draft-ietf-isms-secshell-11.txt

Status IETF72
WGLC started following IETF69:
– draft-ietf-isms-tmsm-09.txt
– draft-ietf-isms-transport-security-model-05.txt
– draft-ietf-isms-secshell-08.txt

Transport Subsystem

draft-ietf-isms-tmsm-12.txt
– Compatibility with SNMPv3, RFC2119 and RFC4181
– Security considerations for v1/v2c co-existence
– Updated architectural diagrams and ASIs
– Same security for request/response
– Moved comparison with USM to TSM document
– IANA duplicate registries fixed

Transport Security Model

draft-ietf-isms-transport-security-model-08.txt
– Compatibility with SNMPv3, RFC2119 and RFC4181
– Added tsmLCD MIB
– Differentiated requested/actual securityLevels
– Eliminated all mention of sessions from TSM

SSH Transport Model

draft-ietf-isms-secshell-11.txt
– Compatibility with SNMPv3, RFC2119 and RFC4181
– Added sshtmLCD MIB
– Differentiated requested/actual securityLevels
– Notification originators act as SSH client
– Op considerations about client key distribution
– Session cleanup to prevent reuse security hole
– Resolved #8: TM cannot specify SM

Open Issues
– Predictability of securityName/identity mappings

Open Issues #2, 3
– Admins need to configure user-specific policies into the VACM MIB, Target MIB and Event MIB using securityName.
– The (possibly multi-step) transform to/from a specific transport-security mechanism from/to a securityName must be predictable.
– An admin must be able to predict what the securityName will be for a given principal authenticated by a security mechanism, and which security identity will be used for a given securityName.

Open Issue #2a – incoming TM
– SSHTM does not have predictability in generating tmSecurityName from the various security mechanisms SSH can use.
– SSH provides a required “user name” field, but makes the content optional, so we cannot rely on the value of “user name” to construct a predictable transform.
– We could require that for SNMP usage, only mechanisms/implementations that provide predictable “user name” content be used.

Open Issue #2b – incoming SM
– TSM does not have predictability in mapping from tmSecurityName to securityName.
– We could state that securityName must be set to the value of tmSecurityName to make this predictable.
– Problem: different TMs could automatically generate the same tmSecurityName for different principals.

Open Issue #2c – incoming SM
– Problem: Different TMs might generate the same tmSecurityName for different principals.
– Proposal: add a mapping table in TSM to map SSH::tmSecurityName and TLS::tmSecurityName to different securityNames (and allow mapping different tmSecurityNames to a single securityName).
– These are extra features, with extra complexity, requiring admin pre-configuration.
– This might be handled in the SSH and TLS configurations rather than in an SNMP-specific solution.

Open Issue #2a – outgoing TM
– SSHTM does not have predictability in mapping tmSecurityName to the various security mechanisms SSH can use, including session identifiers.

Open Issue #2b – outgoing SM
– TSM does not have predictability in mapping from securityName to tmSecurityName.
– We could state that tmSecurityName must be set to the value of securityName to make this predictable.

Open Issue #3c – outgoing SM
– Problem: Different TMs might utilize the same tmSecurityName for different principals or sessions.
– Proposal: add a mapping table in TSM to map different securityNames to SSH::tmSecurityName and TLS::tmSecurityName and/or session IDs.
– These are extra features, with extra complexity, requiring admin pre-configuration.
– This might be handled in the SSH and TLS configurations rather than in an SNMP-specific solution.
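The incoming (#2b/#2c) and outgoing (#2b/#3c) proposals above describe one bidirectional, admin-configured mapping table inside TSM. The following is an added example written for this page, not code from the ISMS drafts or from any SNMP implementation: it shows why the plain identity rule (securityName = tmSecurityName) collides when two transport models derive the same tmSecurityName for different principals, and how a table keyed by (transport model, tmSecurityName) restores a predictable mapping in both directions while still allowing several transport identities to share one securityName. The transport-model labels, the sample principals and the chosen securityNames are all constructed for the example.

```python
"""TSM mapping-table illustration (constructed example, not from the ISMS drafts).

Incoming:  (transport model, tmSecurityName) -> securityName
Outgoing:  (securityName, transport model)   -> tmSecurityName
Both directions must be predictable so that VACM / Target / Notification
policies written against securityName behave as the administrator expects.
"""
from collections import defaultdict

# Transport-model labels used as table keys (labels chosen for this example;
# the drafts identify transport models by transport domain, not by these strings).
SSHTM = "sshtm"
TLSTM = "tlstm"


class MappingError(Exception):
    """Raised when a configured row would make a lookup ambiguous."""


class TsmMappingTable:
    """Admin-configured, bidirectional mapping between transport and SNMP identities."""

    def __init__(self):
        self._incoming = {}   # (tm, tmSecurityName) -> securityName
        self._outgoing = {}   # (securityName, tm) -> tmSecurityName

    def add(self, tm, tm_security_name, security_name):
        """Configure one row. Several (tm, tmSecurityName) rows may share a securityName
        (many-to-one is allowed by issue #2c), but the outgoing side (#3c) needs a single
        tmSecurityName per (securityName, tm), so a conflicting row is rejected."""
        key_in = (tm, tm_security_name)
        if key_in in self._incoming:
            raise MappingError(f"{key_in} already mapped to {self._incoming[key_in]}")
        key_out = (security_name, tm)
        if key_out in self._outgoing and self._outgoing[key_out] != tm_security_name:
            raise MappingError(
                f"{security_name} over {tm} already maps to {self._outgoing[key_out]}")
        self._incoming[key_in] = security_name
        self._outgoing[key_out] = tm_security_name

    def security_name(self, tm, tm_security_name):
        """Incoming direction; falls back to the identity rule of issue #2b if no row exists."""
        return self._incoming.get((tm, tm_security_name), tm_security_name)

    def tm_security_name(self, security_name, tm):
        """Outgoing direction; falls back to the identity rule of issue #2b if no row exists."""
        return self._outgoing.get((security_name, tm), security_name)


def identity_rule_collisions(authenticated):
    """Given (tm, tmSecurityName, principal) triples, return every tmSecurityName that the
    identity rule (securityName = tmSecurityName) would assign to more than one principal.
    A non-empty result is exactly the problem stated in issues #2b and #2c."""
    principals_by_name = defaultdict(set)
    for _tm, tm_security_name, principal in authenticated:
        principals_by_name[tm_security_name].add(principal)
    return {name for name, ps in principals_by_name.items() if len(ps) > 1}


# Constructed sample: both transport models happened to derive tmSecurityName "admin"
# for two different real-world principals (principal strings are hypothetical).
SAMPLE = [
    (SSHTM, "admin", "ssh user admin@nms.example"),
    (TLSTM, "admin", "certificate CN=admin,O=Example Corp"),
    (SSHTM, "oper", "ssh user oper@nms.example"),
]


def build_table():
    """Admin pre-configuration that keeps the two 'admin' principals distinct."""
    table = TsmMappingTable()
    table.add(SSHTM, "admin", "ssh-admin")
    table.add(TLSTM, "admin", "tls-admin")
    table.add(SSHTM, "oper", "operator")
    table.add(TLSTM, "oper", "operator")   # many-to-one across different TMs is fine
    return table


if __name__ == "__main__":
    print("identity rule collides on:", identity_rule_collisions(SAMPLE))
    table = build_table()
    for tm, name, principal in SAMPLE:
        print(f"{tm}:{name} ({principal}) -> securityName {table.security_name(tm, name)}")
    print("outgoing tls-admin over TLSTM ->", table.tm_security_name("tls-admin", TLSTM))
```

The `add` check is where the outgoing ambiguity of issue #3c surfaces: mapping two different SSH tmSecurityNames onto the same securityName would leave the notification originator with no single SSH identity to use, so the table refuses that row while still allowing one securityName to be reached over both SSHTM and TLSTM.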

Thank You Questions?