Session-based Security Model for SNMPv3 (SNMPv3/SBSM) David T. Perkins Wes Hardaker NMRG Meeting October 19, 2003

Similar documents
This chapter will describe the architecture that the

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

SNMPv3 Secure, Safe and Still Simple

Internet Engineering Task Force (IETF) Obsoletes: 5953 July 2011 Category: Standards Track ISSN:

Configuring IKEv2 Fragmentation

Secure management using HP Network Node Manager SPI for SNMPv3

Cryptography and Network Security. Sixth Edition by William Stallings

IKEv2 - Protection Against Distributed Denial of Service

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

SilverCreek Compare Versions

Key Encryption as per T10/06-103

CSC/ECE 574 Computer and Network Security. Outline. Key Management. Key Management. Internet Key Management. Why do we need Internet key management

Outline. CSC/ECE 574 Computer and Network Security. Key Management. Security Principles. Security Principles (Cont d) Internet Key Management

The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME,

SNMP SIMULATOR. Description

SilverCreek SNMP Test Suite

Configure SNMP. Understand SNMP. This chapter explains Simple Network Management Protocol (SNMP) as implemented by Cisco NCS 4000 series.

1) Revision history Revision 0 (Oct 29, 2008) First revision (r0)

Outline. Key Management. Security Principles. Security Principles (Cont d) Escrow Foilage Protection

Outline. Key Management. CSCI 454/554 Computer and Network Security. Key Management

CSCI 454/554 Computer and Network Security. Topic 8.2 Internet Key Management

Some optimizations can be done because of this selection of supported features. Those optimizations are specifically pointed out below.

Cisco Live /11/2016

EFFICIENT MECHANISM FOR THE SETUP OF UE-INITIATED TUNNELS IN 3GPP-WLAN INTERWORKING. 1. Introduction

SNMP Simple Network Management Protocol

Network Management (NETW-1001)

SilverCreek The World s Best-Selling SNMP Test Suite

June Transport Subsystem for the Simple Network Management Protocol (SNMP)

Network Security: IPsec. Tuomas Aura

ECC Based IKE Protocol Design for Internet Applications

WAP Security. Helsinki University of Technology S Security of Communication Protocols

Internet security and privacy

Internet Engineering Task Force (IETF) Category: Standards Track. K. Patel Cisco Systems M. Baer SPARTA May 2013

CIS 6930/4930 Computer and Network Security. Topic 8.2 Internet Key Management

Network Working Group. Intended status: Standards Track. January 15, 2010

Virtual Tunnel Interface

HIP Host Identity Protocol. October 2007 Patrik Salmela Ericsson

CHAPTER. Introduction

Outline. SNMP Simple Network Management Protocol. Before we start on SNMP. Simple Network Management Protocol

Host Identity Protocol (HIP):

Configuring IKEv2 Load Balancer

Simple Network Management Protocol

Request for Comments: Wichorus G. Tsirtsis Qualcomm T. Ernst INRIA K. Nagami INTEC NetCore October 2009

Command Manual SNMP-RMON. Table of Contents

CS 494/594 Computer and Network Security

Crypto Templates. Crypto Template Parameters

Revision History Revision 0 (T10/06-225r0): Posted to the T10 web site on 4 May 2006.

Internet Engineering Task Force INTERNET DRAFT. C. Perkins Nokia Research Center R. Droms(ed.) Cisco Systems 1 March 2001

Network Encryption 3 4/20/17

Internet Engineering Task Force INTERNET DRAFT. C. Perkins Nokia Research Center R. Droms(ed.) Cisco Systems 15 April 2001

DELL EMC OPENMANAGE ESSENTIALS (OME) SNMPV3 SUPPORT

Configuring SNMP. About SNMP. SNMP Functional Overview

Table of Contents 1 SNMP Configuration Commands RMON Configuration Commands 2-1

Internet Engineering Task Force (IETF) Category: Standards Track ISSN: October 2015

Virtual Private Networks

Configuring VPNs in the EN-1000

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

PKCS #3: Diffie-Hellman Key-Agreement

Chapter 11 The IPSec Security Architecture for the Internet Protocol

Brief Introduction to the Internet Standard Management Framework

Internet Engineering Task Force (IETF) Updates: 5066 February 2014 Category: Standards Track ISSN:

Definitions of Managed Objects for Mapping of Address and Port with Encapsulation (MAP-E)

VPN Overview. VPN Types

Network Working Group Request for Comments: Nokia Research Center F. Dupont GET/ENST Bretagne June 2004

Redundant IPSec Tunnel Fail-over

IPsec NAT Transparency

Table of Contents. 2 MIB Configuration Commands 2-1 MIB Configuration Commands 2-1 display mib-style 2-1 mib-style 2-1

Network Security. Security of Mobile Internet Communications. Chapter 17. Network Security (WS 2002): 17 Mobile Internet Security 1 Dr.-Ing G.

JacobsSNMP. Siarhei Kuryla. May 10, Networks and Distributed Systems seminar

Configuring SNMP. Understanding SNMP CHAPTER

PKCS #3: Diffie-Hellman Key- Agreement Standard

Secure RTP Library API Documentation. David A. McGrew Cisco Systems, Inc.

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

The IPSec Security Architecture for the Internet Protocol

Internet Engineering Task Force (IETF) Y. Zhang, Ed. Fortinet, Inc. May 2010

Transport Level Security

Chapter 9 Network Management

Real-time protocol. Chapter 16: Real-Time Communication Security

Configuring Internet Key Exchange Security Protocol

IPsec Anti-Replay Window Expanding and Disabling

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

IPSec Site-to-Site VPN (SVTI)

Request for Comments: E. Demaria Telecom Italia J. Bournelle Orange Labs R. Lopez University of Murcia September 2009

Lecture 5: Foundation of Network Management

IPsec Dead Peer Detection Periodic Message Option

BCA III Network security and Cryptography Examination-2016 Model Paper 1

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Internet Engineering Task Force (IETF) Category: Standards Track ISSN: January 2015

Restrictions for SNMP use on Cisco IOS XR Software

CIS 6930/4930 Computer and Network Security. Topic 8.1 IPsec

Configuring SNMP. Understanding SNMP CHAPTER

The Secure Shell (SSH) Protocol

Network control and management

Encryption setup for gateways and trunks

IPsec NAT Transparency

The IPsec protocols. Overview

Lawful Intercept Architecture

Defining IPsec Networks and Customers

Transcription:

Session-based Security Model for SNMPv3 (SNMPv3/SBSM) David T. Perkins Wes Hardaker NMRG Meeting October 19, 2003

SNMPv3 Background The following topics were left out due to time considerations: SNMPv3 message format SNMPv3 security and general security terminology The operational problems with using SNMPv3 with USM Oct 7, 2003 NMRG Meeting 2

SBSM Characteristics Uses existing security infrastructures for identity authentication (supports many) Both ends of message exchange are authenticated, and may use different mechanisms (including anonymous identity) When session establishment is initiated by a manager, the agent reveals its identity and authenticates before the manager (note that identities are encrypted) Has limited life time keys for message authentication and encryption Oct 7, 2003 NMRG Meeting 3

Characteristics (continued) Separates security mechanisms used for identity authentication from those used for message authentication and encryption Has no reprocessing of messages that are duplicated or replayed (reduces cost of packet loss processing and latency) Operates over connection oriented and connectionless transports Can use unmodified VACM, or with slight modifications Oct 7, 2003 NMRG Meeting 4

Consequences of Characteristics No (or low) cost to create new identities, change their authentication credentials, or delete, since provided by existing security infrastructure Saved encrypted messages can not be decrypted after compromised identity key Oct 7, 2003 NMRG Meeting 5

Most Important Characteristic and Consequence Session establishment based on SIGMA protocol, which has had extensive review SIGMA is simple and efficient, (it minimizes messages and computation) SIGMA protects identity of the session initiator SIGMA - Krawczyk, H., "SIGMA: the `SIGn-and-MAc' Approach to Authenticated Diffie- Hellman and its Use in the IKE Protocols", in Advances in Cryptography - CRYPTO 2003 Proceedings, LNCS 2729, Springer, 2003. available at: http://www.ee.technion.ac.il/~hugo/sigma.html Current draft of IKEv2 is draft-ietf-ipsec-ikev2-11.txt Oct 7, 2003 NMRG Meeting 6

SNMPv3 Message Format msgversion msgglobaldata msgsecurityparms msgdata msgid msgmaxsize msgflags msgsecuritymodel Present legal values are: '100'b - a noauthnoencr request '000'b - a noauthnoencr response or unacknowledged notification '101'b - an authnoencr request '001'b - an authnoencr response or unacknowledged notification '111'b - an authencr request '011'b - an authencr response or unacknowledged notification New format for SBSM New value for SBSM Oct 7, 2003 NMRG Meeting 7

SBSM Overview Security based on sessions Three phases of a session, which are: Establishment: SNMP entity identity authentication, and creation of session authentication and encryption keys Running: SNMP operations Termination: graceful close of session Oct 7, 2003 NMRG Meeting 8

SBSM Session Establishment Initiator SNMP GET message SBSMInit1 SBSMInit3 Session established Responder SNMP REPORT message SBSMInit2 SBSMRunning May iterate to support various mechanisms for identity authentication Note: for SNMPv3 messages containing SBSMInit[1,2,or 3] messages, the value for field msgflags indicates noauthnoencr security level Oct 7, 2003 NMRG Meeting 9

Session Operation Initiator Responder SBSMRunning SBSMRunning Note: SNMPv3 messages containing SBSMRunning messages are always authenticated, and are possibly encrypted using the session auth and encr keys. Thus, the value for field msgflags never indicates noauthnoencr security level. Oct 7, 2003 NMRG Meeting 10

Session Graceful Termination Details later Oct 7, 2003 NMRG Meeting 11

Use With VACM VACM has abstract function isaccessallowed, which has the following input parameters: security model ID: the message level security model security name: the identity for the operation security level: one of noauthnoencr, authnoencr, or authencr operation type: one of read, write, or notify context ID: the context which contains the instance of management information instance ID: the ID of the instance of management information for the operation Oct 7, 2003 NMRG Meeting 12

VACM Modification Abstract function isaccessallowed has input securityname and securitymodelid, which maps to a group name via table vacmsecuritytogrouptable Clarification: SBSM is really a higher level security model that supports many combinations of endpoint identity authentication. The security model ID for VACM is the identity security model, which is called the security sub-model. Issue: The to group table contains security names, which means that it must be updated for each new security identity, and if a system is compromised, then provides a list to help attacker. Need more study to determine if another or additional mechanisms are needed to get group ID Oct 7, 2003 NMRG Meeting 13

Details on SBSM security parms In an SNMPv3 message, field security parms is an octet string, which is the BER serialization of a security model dependent ASN.1 value For SBSM, the ASN.1 definition of a value is: SBSMSecurityParameters ::= CHOICE { sbsm-establishment1[0] SBSMInit1, sbsm-establishment2[1] SBSMInit2, sbsm-establishment3[2] SBSMInit3, sbsm-running[3] -- other values for termination and errors } SBSMRunning Oct 7, 2003 NMRG Meeting 14

SBSM Session Attributes local-identifier Unsigned32, remote-identifier Unsigned32, session-status INTEGER { init1(1), init2(2), up(3) } diffiehelmanexponent OCTET STRING, outgoingsequencenumber Unsigned32, incomingminsequencenumber Unsigned32, security-sub-model Unsigned32, securityname OCTET STRING, authenticationtype OBJECT IDENTIFER, incomingauthenticationkey OBJECT STRING, outgoingauthenticationkey OBJECT STRING, Oct 7, 2003 NMRG Meeting 15

Session Attributes (continued) encryptiontype OBJECT IDENTIFER, incomingencryptionparameters OCTET STRING, outgoingencryptionparameters OCTET STRING, incomingencryptionkey OBJECT STRING, outgoingencryptionkey OBJECT STRING, window-size INTEGER (1..255), starttime Unsigned32, legalsessionlength Unsigned32, -- seconds remoteengineid OCTET STRING (0 5..32) -- data cache array for replaying responses lastincominginit OCTET STRING, messagecachelist SEQUENCE (SIZE(0..255)) OF SBSMMessageCache Oct 7, 2003 NMRG Meeting 16

SBSMInit1 Generation Results SBSMInit1 is used to start establishment of a session Causes creation of a session instance Generator fills in: init-identifier session-status diffiehelmanexponent outgoingencryptionparameters Oct 7, 2003 NMRG Meeting 17

SBSMInit1 Reception Results Reception results in creation of a session instance with field values: local-identifier remote-identifier authenticationtype and encryptiontype incomingencryptionparameters outgoingencryptionparameters Incoming/outgoing Auth/Encr Key starttime and legalsessionlength lastincominginit, messagecachelist[0].message Oct 7, 2003 NMRG Meeting 18

SBSMInit2 Reception Results Reception results in update of the following: Incoming/outgoing Auth/Encr Key authenticationtype and encryptiontype remoteengineid window-size outgoingsequencenumber and incomingminsequencenumber session-status securityname starttime and legalsessionlength Oct 7, 2003 NMRG Meeting 19

SBSMInit3 Reception Results Reception results in update of the following: window-size session-status securityname starttime and legalsessionlength remoteengineid Oct 7, 2003 NMRG Meeting 20

What s Next? Further update of I-D to polish terminology, and fill in small missing pieces Complete the error handling descriptions Work through notification generation using the model and MIB from RFC 3414 (SNMP Applications) (was RFC Choose a couple of Identity Authentication types, document well, and write code Oct 7, 2003 NMRG Meeting 21

Questions Oct 7, 2003 NMRG Meeting 22

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback