ISMS March 2005 IETF - PowerPoint PPT Presentation

About This Presentation
Title:

ISMS March 2005 IETF

Description:

... concept of 'authoritative' and 'nonauthoritative' engine and procedures were ... Authoritative and nonauthoritative causes problems with traps and informs ... – PowerPoint PPT presentation

Number of Views:40
Avg rating:3.0/5.0
Slides: 17
Provided by: davidtp
Learn more at: https://www.ietf.org
Category:

less

Transcript and Presenter's Notes

Title: ISMS March 2005 IETF


1
ISMS March 2005 IETF
  • David T. Perkins

2
Problem To be Solved
  • Reduce the incremental operational cost of
    supporting SNMPv3 to approach zero!
  • Primarily for network infrastructure devices
    (such as routers, bridges, etc), but also servers
    and work stations
  • Assume work is already done to configure
    authentication for access via CLI and/or WEB
  • Problem is both authentication and authorization,
    but WG charter defers authorization solutions.

3
Types of SNMP Entities
  • Agents provide access to management information
    on the system containing the agent
  • Managers access management info on managed
    systems (that is systems containing agents)
  • Observers "third party" reporter of events
  • Proxy Agents Application level forwarder (and
    optionally version translator) of SNMP messages
  • Mid-level Managers are simply quite powerful
    agents that access info from other agents and
    make it available to managers.

4
Categories of SNMP Managers
  • Poller identity is a service name, such as
    "poller". Long running. Transport address need
    not be stable. Only reads mgmt info.
  • Notification receiver identity is a service,
    such as "notifyrcvr". Long running. Transport
    addr must be stable. Passive.
  • Mgmt app identity is the user that initiated it.
    Used for config, trouble shooting, etc. Transport
    addr need not be stable. May read and write mgmt
    info.

5
SNMPv3/USM
  • Each operation is independent from each other
  • Each message provides for identity verification,
    message integrity check (MIC), encryption, and
    timeliness and limited replay detection
  • Identities are in a name-space that is
    independent of all other existing security
    infrastructures
  • Key for authentication verification also used for
    MIC
  • Authentication and encryption keys are long
    lived, since they are typically changed together
    and based on identity pass-phrase

6
SNMPv3/USM DoesNot Solve the Problem
  • Requires extra work to be done on each system
    containing an SNMP agent
  • Requires extra work and separate SNMP specific
    applications to manage USM users and keys

7
Ideal solution
  • Uses existing name space and attributes of
    existing security infrastructures including SSH
    key pairs, X.509 certs, name/password, and/or
    name secureID card
  • Network infrastructure device configured with
    identities and verification mechanisms, then
    support for SNMPv3 is turned on
  • No new information or configuration is needed on
    systems that run SNMP management applications

8
Info Held By SNMP Managers
  • User identity to use
  • Credentials for the user identity
  • Transport address of a system containing an SNMP
    agent
  • Identity and info to verify SNMP agent identity
    (for example, for SSH - IP address and
    fingerprint of public key, for X.509 CA cert)
  • Note, Proxy has not yet been considered

9
Info not Required to beHeld by SNMP Managers
  • Radius server address
  • Shared secret for use with Radius
  • Other authentication method specific info

10
Pure EAP Authen Message Flow
MethodspecificAuthenservers
EAPPEER
Authenticationserver
Authenticator
SNMPManager
RadiusServer
SNMPAgent
RadiusClient
Session setup authen with Radius server
Key and session ID handoff
11
Mixed Authen Message Flow
Perform authentication locally or via EAP based
on policy setting
MethodspecificAuthenservers
Authenticationserver
RadiusServer
SNMPManager
SNMPAgent
Localaccount
X.509 Certs
SSH key
12
Sessions Two Parts
  • Session establishment, results in
  • Mutual authentication
  • Session ID (such as a SA pair)
  • Master session key (used to derive MIC and
    encryption keys)
  • Operating, uses
  • Session ID
  • MIC and encryption keys
  • What is used for timeliness and replay detection?

13
USM Timeliness and Replay Detection
  • Uses a loosely synchronized clock
  • Replays and message delays can occur within a 150
    second window
  • Because in USM, each message is independent, a
    complex mechanism is used
  • The concept of "authoritative" and
    "nonauthoritative" engine and procedures were
    created to manage and update the loosely
    synchronized clock
  • Authoritative and nonauthoritative causes
    problems with traps and informs

14
Reuse USM?
  • Problems with mapping the pair msgAuthoritativeEng
    ineIDmsgUserName to session identifier (how to
    distinguish multiple sessions that have the same
    engineIDname pair)
  • Problems with clock (msgAuthoritativeEngineBoots
    msgAuthoritativeEngineTime) (see previous page)
  • However, can reuse msgAuthenticationParameters
    and msgPrivacyParameters, and crypto procedures
    associated with values for usmUserAuthProtocol
    and usmUserPrivProtocol

15
Updated Security Model Specific Info
  • UsmSecurityParameters SEQUENCE
  • -- global User-based security parameters
  • msgAuthoritativeEngineID OCTET STRING,
  • msgAuthoritativeEngineBoots INTEGER
    (0..2147483647),
  • msgAuthoritativeEngineTime INTEGER
    (0..2147483647),
  • msgUserName OCTET STRING
    (SIZE(0..32)),
  • -- authentication protocol specific parameters
  • msgAuthenticationParameters OCTET STRING,
  • -- privacy protocol specific parameters
  • msgPrivacyParameters OCTET STRING
  • msgSrcSA INTEGER (0..4294967295),
  • msgDstSA INTEGER (0..4294967295),
  • msgSeqNum INTEGER (0..4294967295),

Make appropriatechanges
Stay the same
Replacement for firstpart above
16
Summary
  • Operating message flow requires a session to be
    established between the SNMP manager and SNMP
    agent.
  • SNMP agent to choose authentication method based
    on policy configuration at the agent.
  • Sessions instead of per message allows
    simplification of timeliness and replay detection
Write a Comment
User Comments (0)
About PowerShow.com