Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Jim Binkley snmp v3 (one more time) Network Mgmt/Sec.

Published byJordyn Mullings Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Jim Binkley snmp v3 (one more time) Network Mgmt/Sec."— Presentation transcript:

1 1 Jim Binkley snmp v3 (one more time) Network Mgmt/Sec.

2 2 Jim Binkley aka u is three really the charm?

3 3 Jim Binkley Outline u intro u architecture/structure - u more protocol u user-based security –authentication/encryption/key management u view-based access control (brief)

4 4 Jim Binkley bibliography, RFC-wise (jan/98) u 2271 - Architecture u 2272 - Message Processing/Dispatch u 2273 - v3 applications (functional parts) u 2274 - User-Based Security Model u 2275 - View-Based Access Control Model

5 5 Jim Binkley so what is it? u v2 + –protocol security, i.e., authentication/confidentiality/key management »this is the User-Based Security model »note: confidentiality is called privacy –an enhanced access-control model »based on MIB views »and groups »this is the View-Based Access Control model

6 6 Jim Binkley protocol overview u roughly (v3 wrapper, (v2/v1 PDU)) global sec. model scoped pdu snmp pdu hdr hdr hdr (v2 bits) crypto-fied part pdu part may be authenticated OR auth/encrypted snmp v3 part

7 7 Jim Binkley architectural elements/dictionary u snmpEngineId - a string that uniquely defines a manager or agent or combo, note == contextEngineId, may have many contexts u contextEngineId - identity with a context u contextName - parameter to access control subsystem, set of MIB objects, string –objects can be lumped into named sets with different rights associated (readonly, writeable)

8 8 Jim Binkley we have new terms u scopedPDU - PDU with contextEngineID, contextName u snmpSecurityModel - which sec. model –v1, v2c, USM are possible u snmpSecurityLevel –noAuthnoPriv, authNoPriv, authPriv u principal - for whom do we do all this crud –people ultimately but processes in real life u securityName - string representing principal

9 9 Jim Binkley snmpEngineId something like: u 12 bytes long acc. to AgentID, rfc 1910 or u (4 bytes of private enterprise number) + more bytes with byte 5 indicating: –IPv4 address (thus 6,7,8,9) (byte 5 = 1) –IPv6 address (add 16) –MAC –text (max is 27)

10 10 Jim Binkley generalized abstract architecture applications (snmp of course) - forms pdus, get, response, etc snmp engine (id is snmpEngineId) - does subsystem processing including security, access control

11 11 Jim Binkley applications include u command generator, *does get/getnext/getbulk/set and processes response received u command responder, recvs get, etc., and sends response u notification recv/originator (traps/informs)

12 12 Jim Binkley snmp engine parts u dispatcher - i/f to apps/network/and other snmp engine parts u message processing- tie the v3 message together from sub-systems including: –and might do v1/v2/v3 messages... u security subsystem - user-based sec. model u access control - view-based model

13 13 Jim Binkley access-control subsystem primtitive (e.g.,) u isAccessAllowed() parameters include: –securityModel INPUT (e.g., USM) –securityName INPUT (principal) –securityLevel IN (e.g., auth only) –viewType IN (read/write/notify view) –contextName IN (contains variableName) –variableName IN (OID...) –statusInformation returned - OK or boo hiss

14 14 Jim Binkley application MIBs for v3 u SNMP-TARGET-MIB defines objects for defining who to send notifications and/or proxy messages to u SNMP-NOTIFICATION-MIB defines objects for remote config of notifications u SNMP-PROXY-MIB contains info for remote config of proxy

15 15 Jim Binkley SNMP-TARGET-MIB u snmpTargetObjects contains: –snmpTargetSpinLock(1) –snmpTargetAddrTable(2) »use UDP with IP addr Y, timeout T, retry R etc. –snmpTargetParamsTable(3) »v1/v2/v3, securityModel, securityName, securityLevel –and more...

16 16 Jim Binkley NOTIFICATION MIB u three tables including: –snmpNotifyTable - select who to notify from previous snmpTargetAddrTable –snmpNotifyFilterProfileTable - associate filters with a particular target –snmpNotifyfilterTable - define filters

17 17 Jim Binkley protocol overview u roughly (v3 wrapper, (v2/v1 PDU)) global sec. model scoped pdu snmp pdu hdr hdr hdr (v2 bits) crypto-fied part pdu part may be authenticated OR auth/encrypted snmp v3 part

18 18 Jim Binkley header contains 5 fields (still TLVs): u msgVersion (3 for v3) - INTEGER u msgID (request ID) - INTEGER u msgMaxSize - max segment size e.g., response u msgFlags - flag bits, –reportableFlag (bit 1) - if set, report may be sent, if not set, report may NOT be set (used if message encrypted but not decodable) –privFlag = 1, was encrypted –authFlag = 1, was authenticated

19 19 Jim Binkley cont. u msgSecurityModel - 1 for v1, 2 for v2c, 3 for USM

20 20 Jim Binkley scoped pdu has 3 parts u context ID (engine ID) and u context name u used in access control

21 21 Jim Binkley USM header part u msgAuthoritativeEngineId - likely the agent’s engine Id u msgAuthoritativeEngineBoots - # of reboots u msgAuthoritativeEngineTime - # of secs since reboot u msgUserName - principal name for msg u msgAuthenticationParameters - hash u msgPrivacyParameters - IV

22 22 Jim Binkley USM - authoritative engine u means receiver of get/getnext/getbulk/set/inform u OR sender of trap/response u time in message consists of 2-tuple –(boot count N, time since boot) u based on clock in authoritative engine –non-authoritative msg sender must estimate time in authoritative engine

23 23 Jim Binkley initialization protocol exists u 2-step discovery mechanism exists to allow one to obtain info about other entities (agents) u nonauth. engine sends request with no security and user name “initial”, recvs snmpEngineId back u if authentication used, sends authenticated request to get back boots and time values

24 24 Jim Binkley USM functionality (security model) u crypto u anti-replay and time u usmUser group u key management –password to hash key mechanism –key localization –key update

25 25 Jim Binkley USM security overview u denial of service attacks - NO help here –probably such an attack is more fundamental than just an attack on SNMP u traffic analysis - NO u note that authentication is non-trivial –encryption if DES based not so strong –may need better algorithm or folding of SNMP across WAN inside IPSEC u anti-replay features exist (time)

26 26 Jim Binkley anti-replay evil fred authenticated msgs could fred record and play back the msg stream? mgr agent

27 27 Jim Binkley time-replay u (boot count, ticks since boot) in message u allows recv to judge if message is “too old”, can send notInTimeWindow error u non-auth. engine must keep track of auth. engines time u auth. engine must keep time window and track timeliness of messages (so does non-auth engine) u roughly boot count must match and msg must be within 150 seconds of stored time

28 28 Jim Binkley crypto u authentication algorithms –HMAC-MD5-96 »128 bit authKey/output truncated to 96 bit hash –HMAC-SHA-96 »160 bit key/output again truncated to 96 bits u encryption –DES-CBC (still a revolutionary act) »56 bit in 8 octets, least significant bit ignored

29 29 Jim Binkley usmUser group u information about local and remote principals u spinlock plus usmUserTable which includes: –usmUserEngineID - authoritative engine ID (local/remote) –usmUserName - principal name, e.g., “bob” –usmUserSecurityName - securityName (same as above) –usmUserCloneFrom - pointer to another conceptual row - used to point to keys and clone keys –usmUserAuthProtocol - none, hmac-md5 (def), h-sha

30 30 Jim Binkley cont. u usmUserAuthKeyChange - byte string with keyChange syntax. causes keyChange hash function to occur in terms of key update u usmUserOwnAuthKeyChange - user can change only own key u usmUserPrivProtocol - none (def), DES u usmUserPrivKeyChange - drive key change u usmUserOwnPrivKeyChange u usmUserPublic - not clear

31 31 Jim Binkley processing u to send –encrypt 1st then authenticate –before authentication, store time values u to recv –note securityEngineID/securityName used for lookup in usmUserTable –perform authentication check –then perform decrypt if needed

32 32 Jim Binkley key management u it is assumed that there are separate keys for authentication and encryption (by definition) u each principal has a pair of keys u keys cannot be obtained via SNMP (gets) –duh... u key localization and password to key allow one user to access many agents with one set of keys

33 33 Jim Binkley password to key u human-readable password mapped by function into desired crypto keys u RFC 2274 defines algorithm u passwords should not be poor of course u password is duplicated to produce string of 2 ** 20 bytes (slow down brute-force attack) u if MD5 used, take md5 hash to form digest

34 34 Jim Binkley key localization u keys are localized by taking hashed user key and hashing it again with remote EngineID value u f (user key(hashed), EngineID) -> digest/key u this is called localized key u upshot: use localized key - if attacker captures on wire, && breaks it, can only attack one agent

35 35 Jim Binkley key update u initial keys must “somehow” be installed out of band –assume manually u post initial installation, key change or update process can be initiated by user u done by using hash function + XOR u f(keyOld, random bits, etc)., where the keys are not sent, but random bits are transmitted u hash function is one way, if new key learned, old key not derivable

36 36 Jim Binkley view-based access control model u group –has groupname –list of principals (securityName) + securityModel with same access rights –securityModel e.g., USM or SNMPv1 community u context –basically a MIB view (defined by tree and filter) –has name

37 37 Jim Binkley and the point... u we might wish to restrict access on engine Y to –user Z can read anything but can’t write anything –user X can write but has to have a auth key with USM »or stronger... encrypted too –notify privileges must be considered as well (e.g., traps must be authenticated)

38 38 Jim Binkley scoped pdu in v3 headers u contextEngineId - which application gets it u contextName - the MIB view via a simple string name u and yes, the actual SNMP PDU (presumably a V2 PDU)

39 39 Jim Binkley VBACM elements u msgUserName/msgSecurityModel mapped into groupName u contextEngineID - who carries it out u contextName - what MIB objects u msgAuthenticationParameters - checked out by USM before it gets to VACM u access control based on groupName, contextName, security Model, securityLevel (from msgFlags) u MIB view determined by vacmAccessTable and PDU operation type (read/write/notify)

Download ppt "1 Jim Binkley snmp v3 (one more time) Network Mgmt/Sec."

Similar presentations

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
Lecture 5: Cryptographic Hashes

Lecture 5: Cryptographic Hashes
SNMP v3.

SNMP v3.
Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
Chapter 19: Network Management Business Data Communications, 5e.

Chapter 19: Network Management Business Data Communications, 5e.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Lecture 5: Email security: PGP Anish Arora CIS694K Introduction to Network Security.

Lecture 5: security: PGP Anish Arora CIS694K Introduction to Network Security.
SNMPv3 * * Mani Subramanian “Network Management: Principles and practice”, Addison-Wesley, 2000.

SNMPv3 * * Mani Subramanian “Network Management: Principles and practice”, Addison-Wesley, 2000.
TCP/IP Protocol Suite 1 Chapter 21 Upon completion you will be able to: Network Management: SNMP Understand the SNMP manager and the SNMP agent Understand.

TCP/IP Protocol Suite 1 Chapter 21 Upon completion you will be able to: Network Management: SNMP Understand the SNMP manager and the SNMP agent Understand.
MJ08-A/07041 Session 08 SNMP V3 Adapted from Network Management: Principles and Practice © Mani Subramanian 2000 and solely used for Network Management.

MJ08-A/07041 Session 08 SNMP V3 Adapted from Network Management: Principles and Practice © Mani Subramanian 2000 and solely used for Network Management.
CSEE W4140 Networking Laboratory Lecture 11: SNMP Jong Yul Kim 04.19.2010.

CSEE W4140 Networking Laboratory Lecture 11: SNMP Jong Yul Kim
Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.

Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.
1 SNMP Simple Network Management Protocol. 2 SNMP Overview Define mechanism for remote management of network devices (routers, bridges, etc.) Fundamental.

1 SNMP Simple Network Management Protocol. 2 SNMP Overview Define mechanism for remote management of network devices (routers, bridges, etc.) Fundamental.
This presentation is based on the slides listed in references.

This presentation is based on the slides listed in references.
K. Salah1 Security Protocols in the Internet IPSec.

K. Salah1 Security Protocols in the Internet IPSec.
Cryptography and Network Security Chapter 15 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 15 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
COMP4690, by Dr Xiaowen Chu, HKBU

COMP4690, by Dr Xiaowen Chu, HKBU
1 Network Management and SNMP  What is Network Management?  ISO Network Management Model (FCAPS)  Network Management Architecture  SNMPv1 and SNMPv2.

1 Network Management and SNMP  What is Network Management?  ISO Network Management Model (FCAPS)  Network Management Architecture  SNMPv1 and SNMPv2.
SNMP Simple Network Management Protocol

SNMP Simple Network Management Protocol

Similar presentations

Ads by Google