Title: ISMS March 2005 IETF
1ISMS March 2005 IETF
2Problem To be Solved
- Reduce the incremental operational cost of
supporting SNMPv3 to approach zero! - Primarily for network infrastructure devices
(such as routers, bridges, etc), but also servers
and work stations - Assume work is already done to configure
authentication for access via CLI and/or WEB - Problem is both authentication and authorization,
but WG charter defers authorization solutions.
3Types of SNMP Entities
- Agents provide access to management information
on the system containing the agent - Managers access management info on managed
systems (that is systems containing agents) - Observers "third party" reporter of events
- Proxy Agents Application level forwarder (and
optionally version translator) of SNMP messages - Mid-level Managers are simply quite powerful
agents that access info from other agents and
make it available to managers.
4Categories of SNMP Managers
- Poller identity is a service name, such as
"poller". Long running. Transport address need
not be stable. Only reads mgmt info. - Notification receiver identity is a service,
such as "notifyrcvr". Long running. Transport
addr must be stable. Passive. - Mgmt app identity is the user that initiated it.
Used for config, trouble shooting, etc. Transport
addr need not be stable. May read and write mgmt
info.
5SNMPv3/USM
- Each operation is independent from each other
- Each message provides for identity verification,
message integrity check (MIC), encryption, and
timeliness and limited replay detection - Identities are in a name-space that is
independent of all other existing security
infrastructures - Key for authentication verification also used for
MIC - Authentication and encryption keys are long
lived, since they are typically changed together
and based on identity pass-phrase
6SNMPv3/USM DoesNot Solve the Problem
- Requires extra work to be done on each system
containing an SNMP agent - Requires extra work and separate SNMP specific
applications to manage USM users and keys
7Ideal solution
- Uses existing name space and attributes of
existing security infrastructures including SSH
key pairs, X.509 certs, name/password, and/or
name secureID card - Network infrastructure device configured with
identities and verification mechanisms, then
support for SNMPv3 is turned on - No new information or configuration is needed on
systems that run SNMP management applications
8Info Held By SNMP Managers
- User identity to use
- Credentials for the user identity
- Transport address of a system containing an SNMP
agent - Identity and info to verify SNMP agent identity
(for example, for SSH - IP address and
fingerprint of public key, for X.509 CA cert) - Note, Proxy has not yet been considered
9Info not Required to beHeld by SNMP Managers
- Radius server address
- Shared secret for use with Radius
- Other authentication method specific info
10Pure EAP Authen Message Flow
MethodspecificAuthenservers
EAPPEER
Authenticationserver
Authenticator
SNMPManager
RadiusServer
SNMPAgent
RadiusClient
Session setup authen with Radius server
Key and session ID handoff
11Mixed Authen Message Flow
Perform authentication locally or via EAP based
on policy setting
MethodspecificAuthenservers
Authenticationserver
RadiusServer
SNMPManager
SNMPAgent
Localaccount
X.509 Certs
SSH key
12Sessions Two Parts
- Session establishment, results in
- Mutual authentication
- Session ID (such as a SA pair)
- Master session key (used to derive MIC and
encryption keys) - Operating, uses
- Session ID
- MIC and encryption keys
- What is used for timeliness and replay detection?
13USM Timeliness and Replay Detection
- Uses a loosely synchronized clock
- Replays and message delays can occur within a 150
second window - Because in USM, each message is independent, a
complex mechanism is used - The concept of "authoritative" and
"nonauthoritative" engine and procedures were
created to manage and update the loosely
synchronized clock - Authoritative and nonauthoritative causes
problems with traps and informs
14Reuse USM?
- Problems with mapping the pair msgAuthoritativeEng
ineIDmsgUserName to session identifier (how to
distinguish multiple sessions that have the same
engineIDname pair) - Problems with clock (msgAuthoritativeEngineBoots
msgAuthoritativeEngineTime) (see previous page) - However, can reuse msgAuthenticationParameters
and msgPrivacyParameters, and crypto procedures
associated with values for usmUserAuthProtocol
and usmUserPrivProtocol
15Updated Security Model Specific Info
- UsmSecurityParameters SEQUENCE
- -- global User-based security parameters
- msgAuthoritativeEngineID OCTET STRING,
- msgAuthoritativeEngineBoots INTEGER
(0..2147483647), - msgAuthoritativeEngineTime INTEGER
(0..2147483647), - msgUserName OCTET STRING
(SIZE(0..32)), - -- authentication protocol specific parameters
- msgAuthenticationParameters OCTET STRING,
- -- privacy protocol specific parameters
- msgPrivacyParameters OCTET STRING
-
- msgSrcSA INTEGER (0..4294967295),
- msgDstSA INTEGER (0..4294967295),
- msgSeqNum INTEGER (0..4294967295),
Make appropriatechanges
Stay the same
Replacement for firstpart above
16Summary
- Operating message flow requires a session to be
established between the SNMP manager and SNMP
agent. - SNMP agent to choose authentication method based
on policy configuration at the agent. - Sessions instead of per message allows
simplification of timeliness and replay detection