1 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, U.S./Canada SNMP V3 Eng. Maha Jeha

Internet Management Protocols

Oct 22, 2021

Page 1: Internet Management Protocols

1 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential.

Cisco Networking Academy,

U.S./Canada

SNMP V3

Eng. Maha Jeha

Page 2: Internet Management Protocols

SNMPv3

1. OVERVIEW

2. DESIGN DECISIONS

3. ARCHITECTURE

4. SNMP MESSAGE STRUCTURE

5. SECURE COMMUNICATION

   1. USER SECURITY MODEL (USM)

6. ACCESS CONTROL

   1. VIEW BASED ACCESS CONTROL MODEL (VACM)

7. IMPLEMENTATIONS

8. RFCs

BY : ENG. Maha Jeha

Page 3: Internet Management Protocols

DESIGN DECISIONS

ADDRESS THE NEED FOR SECURE SET SUPPORT

DEFINE AN ARCHITECTURE THAT ALLOWS FOR LONGEVITY OF SNMP

ALLOW THAT DIFFERENT PORTIONS OF THE ARCHITECTURE MOVE AT DIFFERENT SPEEDS TOWARDS STANDARD STATUS

ALLOW FOR FUTURE EXTENSIONS

KEEP SNMP AS SIMPLE AS POSSIBLE

ALLOW FOR MINIMAL IMPLEMENTATIONS

SUPPORT ALSO THE MORE COMPLEX FEATURES, WHICH ARE REQUIRED IN LARGE NETWORKS

RE-USE EXISTING SPECIFICATIONS, WHENEVER POSSIBLE

Page 4: Internet Management Protocols

SNMPv3 ARCHITECTURE

SNMP ENTITY

SNMP APPLICATIONS: COMMAND GENERATOR, COMMAND RESPONDER, NOTIFICATION ORIGINATOR, NOTIFICATION RECEIVER, PROXY FORWARDER, OTHER

SNMP ENGINE: DISPATCHER, MESSAGE PROCESSING SUBSYSTEM, SECURITY SUBSYSTEM, ACCESS CONTROL SUBSYSTEM

Page 5: Internet Management Protocols

SNMPv3 ARCHITECTURE: MANAGER

APPLICATIONS: NOTIFICATION RECEIVER, COMMAND GENERATOR

DISPATCHER: PDU DISPATCHER, MESSAGE DISPATCHER, TRANSPORT MAPPINGS

MESSAGE PROCESSING SUBSYSTEM: SNMPv1, SNMPv2C, SNMPv3, OTHER

SECURITY SUBSYSTEM: COMMUNITY BASED SECURITY MODEL, USER BASED SECURITY MODEL, OTHER SECURITY MODEL

Page 6: Internet Management Protocols

SNMPv3 ARCHITECTURE: AGENT

APPLICATIONS: NOTIFICATION ORIGINATOR, COMMAND RESPONDER

DISPATCHER: PDU DISPATCHER, MESSAGE DISPATCHER, TRANSPORT MAPPINGS

MESSAGE PROCESSING SUBSYSTEM: SNMPv1, SNMPv2C, SNMPv3, OTHER

SECURITY SUBSYSTEM: COMMUNITY BASED SECURITY MODEL, USER BASED SECURITY MODEL, OTHER SECURITY MODEL

ACCESS CONTROL SUBSYSTEM: VIEW BASED ACCESS CONTROL

MANAGEMENT INFORMATION BASE

Page 7: Internet Management Protocols

CONCEPTS: snmpEngineID

[Figure: four SNMP entities, each containing one SNMP engine, labelled snmpEngineID=1, snmpEngineID=2, snmpEngineID=3 and snmpEngineID=4.]

Page 8: Internet Management Protocols

CONCEPTS: Context

[Figure: an SNMP entity containing an SNMP engine (snmpEngineID=1) and a command responder application, with two MIBs.]

The context can be reached from this engine, thus: contextEngineID=1

MIB: contextName=card1

MIB: contextName=card2

Page 9: Internet Management Protocols

PRIMITIVES BETWEEN MODULES

[Figure: the modules DISPATCHER, MESSAGE PROCESSING SUBSYSTEM, SECURITY SUBSYSTEM, ACCESS CONTROL SUBSYSTEM and APPLICATIONS, with the parameters passed between them.]

Parameters

transportDomain
transportAddress
messageProcessingModel
securityModel
securityName
securityLevel
contextEngineID
contextName
pduVersion
PDU
expectResponse
maxSizeResponseScopedPDU
stateReference
statusInformation
sendPduHandle
destTransportDomain
destTransportAddress
outgoingMessage
outgoingMessageLength
wholeMsg
wholeMsgLength
pduType
viewType
variableName
globalData
maxMessageSize
securityEngineID
scopedPDU
securityParameters
securityStateReference

Page 10: Internet Management Protocols

sendPdu

[Figure: the module diagram and parameter list of Page 9, here labelled "sendPdu" and "APPLICATIONS".]

Page 11: Internet Management Protocols

prepareOutgoingMessage

[Figure: the module diagram and parameter list of Page 9, here labelled "prepareOutgoingMessage" and "DISPATCHER".]

Page 12: Internet Management Protocols

generateRequestMsg

[Figure: the module diagram and parameter list of Page 9, here labelled "generateRequestMsg" and "MESSAGE PROCESSING SUBSYSTEM".]

Page 13: Internet Management Protocols

send / receive

[Figure: the module diagram and parameter list of Page 9, here labelled "send and receive" and "DISPATCHER".]

Page 14: Internet Management Protocols

prepareDataElements

[Figure: the module diagram and parameter list of Page 9, here labelled "prepareDataElements" and "DISPATCHER".]

Page 15: Internet Management Protocols

processIncomingMsg

[Figure: the module diagram and parameter list of Page 9, here labelled "processIncomingMsg" and "MESSAGE PROCESSING SUBSYSTEM".]

Page 16: Internet Management Protocols

processPdu

[Figure: the module diagram and parameter list of Page 9, here labelled "processPdu" and "DISPATCHER".]

Page 17: Internet Management Protocols

isAccessAllowed

[Figure: the module diagram and parameter list of Page 9, here labelled "isAccessAllowed" and "APPLICATIONS".]

Page 18: Internet Management Protocols

returnResponsePdu

[Figure: the module diagram and parameter list of Page 9, here labelled "returnResponsePdu" and "APPLICATIONS".]

Page 19: Internet Management Protocols

prepareResponseMessage

[Figure: the module diagram and parameter list of Page 9, here labelled "prepareResponseMessage" and "DISPATCHER".]

Page 20: Internet Management Protocols

generateResponseMsg

[Figure: the module diagram and parameter list of Page 9, here labelled "generateResponseMsg" and "MESSAGE PROCESSING SUBSYSTEM".]

Page 21: Internet Management Protocols

send / receive

[Figure: the module diagram and parameter list of Page 9, here labelled "send and receive" and "DISPATCHER".]

Page 22: Internet Management Protocols

prepareDataElements

[Figure: the module diagram and parameter list of Page 9, here labelled "prepareDataElements" and "DISPATCHER".]

Page 23: Internet Management Protocols

processIncomingMsg

[Figure: the module diagram and parameter list of Page 9, here labelled "processIncomingMsg" and "MESSAGE PROCESSING SUBSYSTEM".]

Page 24: Internet Management Protocols

processResponsePdu

[Figure: the module diagram and parameter list of Page 9, here labelled "processResponsePdu" and "DISPATCHER".]

Page 25: Internet Management Protocols

MODULES OF THE SNMPv3 ARCHITECTURE

DISPATCHER AND MESSAGE PROCESSING MODULE

• SNMPv3 MESSAGE STRUCTURE

• snmpMPDMIB

• RFC 2572

APPLICATIONS

• snmpTargetMIB

• snmpNotificationMIB

• snmpProxyMIB

• RFC 2573

SECURITY SUBSYSTEM

• USER BASED SECURITY MODEL

• snmpUsmMIB

• RFC 2574

ACCESS CONTROL SUBSYSTEM

• VIEW BASED ACCESS CONTROL MODEL

• snmpVacmMIB

• RFC 2575

Page 26: Internet Management Protocols

SNMPv3 MESSAGE STRUCTURE

msgVersion

msgID

msgMaxSize

msgFlags

msgSecurityModel

msgSecurityParameters

contextEngineID

contextName

PDU

USED BY MESSAGE PROCESSING SUBSYSTEM

USED BY SNMPv3 PROCESSING MODULE

USED BY SECURITY SUBSYSTEM

USED BY ACCESS CONTROL SUBSYSTEM AND APPLICATIONS

Page 27: Internet Management Protocols

SNMPv3 PROCESSING MODULE PARAMETERS

msgVersion

msgID: 0..2147483647

msgMaxSize: 484..2147483647

msgFlags: authFlag, privFlag, reportableFlag

msgSecurityModel: SNMPv1, SNMPv2c, USM

msgSecurityParameters

contextEngineID

contextName

PDU

Page 28: Internet Management Protocols

SECURE COMMUNICATION VERSUS ACCESS CONTROL

[Figure: a MANAGER (application processes) and an AGENT (with its MIB) exchange GET / GET-NEXT / GETBULK / SET / TRAP / INFORM over the TRANSPORT SERVICE; the diagram carries the labels SECURE COMMUNICATION and ACCESS CONTROL.]

Page 29: Internet Management Protocols

USM: SECURITY THREATS

THREAT              ADDRESSED?   MECHANISM

REPLAY              YES          TIME STAMP

MASQUERADE          YES          MD5 / SHA-1

INTEGRITY           YES          (MD5 / SHA-1)

DISCLOSURE          YES          DES

DENIAL OF SERVICE   YES

TRAFFIC ANALYSIS    YES

Page 30: Internet Management Protocols

USM MESSAGE STRUCTURE

msgVersion

msgID

msgMaxSize

msgFlags

msgSecurityModel

msgAuthoritativeEngineID

msgAuthoritativeEngineBoots

msgAuthoritativeEngineTime

msgUserName

msgAuthenticationParameters

msgPrivacyParameters

contextEngineID

contextName

PDU

REPLAY

MASQUERADE/INTEGRITY/DISCLOSURE

DISCLOSURE

MASQUERADE/INTEGRITY


Page 31: Internet Management Protocols

IDEA BEHIND REPLAY PROTECTION

[Figure: messages carrying ID, BOOTS, TIME and DATA pass between the Nonauthoritative Engine and the Authoritative Engine. Labels: LOCAL NOTION OF REMOTE CLOCK, ALLOWED LIFETIME, LOCAL CLOCK, and the comparison "+ >?".]
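The timeliness comparison sketched on this slide, written out as an added example (not part of the original slides). It follows the time-window rules of the USM specification (RFC 3414, section 3.2) for messages that have already passed authentication; the class and function names are illustrative assumptions.

```python
# Added example: USM timeliness (replay) check on already-authenticated messages.
from dataclasses import dataclass

TIME_WINDOW = 150        # seconds: the "allowed lifetime" of a message in USM
MAX_BOOTS = 2147483647   # engineBoots latches at this value; nothing is timely after


@dataclass
class RemoteClock:
    """Non-authoritative engine's local notion of one remote engine's clock."""
    boots: int = 0
    time: int = 0              # local estimate of the remote snmpEngineTime
    latest_received: int = 0   # highest msgAuthoritativeEngineTime accepted so far


def authoritative_is_timely(local_boots, local_time, msg_boots, msg_time):
    """Check made by the authoritative engine against its own clock."""
    if local_boots == MAX_BOOTS or msg_boots != local_boots:
        return False
    return abs(local_time - msg_time) <= TIME_WINDOW


def nonauthoritative_is_timely(clock, msg_boots, msg_time):
    """Check made by the non-authoritative engine against its notion of the remote clock."""
    # Resynchronise forward only: a newer boot cycle, or a later time in the same cycle.
    if msg_boots > clock.boots or (
        msg_boots == clock.boots and msg_time > clock.latest_received
    ):
        clock.boots = msg_boots
        clock.time = msg_time
        clock.latest_received = msg_time
    # Reject messages from an older boot cycle or older than the allowed lifetime.
    if clock.boots == MAX_BOOTS or msg_boots < clock.boots:
        return False
    if msg_boots == clock.boots and msg_time < clock.time - TIME_WINDOW:
        return False
    return True
```

A captured message replayed inside the 150-second window still passes this check, which is why the window is kept short and the check is only meaningful together with authentication.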

Page 32: Internet Management Protocols

IDEA BEHIND DATA INTEGRITY AND AUTHENTICATION

[Figure: DATA and KEY are fed into a HASH FUNCTION, which produces the MAC.]

ADD THE MESSAGE AUTHENTICATION CODE (MAC) TO THE DATA AND SEND THE RESULT

Page 33: Internet Management Protocols

IDEA BEHIND AUTHENTICATION

[Figure: on each side, DATA and KEY are fed into the HASH FUNCTION to produce a MAC. The message carries USER, DATA and MAC, and the two MACs are compared (=?).]

Page 34: Internet Management Protocols

IDEA BEHIND THE DATA CONFIDENTIALITY (DES)

[Figure: DATA and DES-KEY are fed into the DES ALGORITHM, which produces ENCRYPTED DATA.]

Page 35: Internet Management Protocols

IDEA BEHIND ENCRYPTION

[Figure: on each side, the DES ALGORITHM with the DES-KEY converts between DATA and ENCRYPTED DATA. The message carries USER and ENCRYPTED DATA.]

Page 36: Internet Management Protocols

VIEW BASED ACCESS CONTROL MODEL

ACCESS CONTROL TABLE

MIB VIEWS


Page 37: Internet Management Protocols

ACCESS CONTROL TABLES

MIB VIEW          ALLOWED OPERATIONS   ALLOWED MANAGERS   REQUIRED LEVEL OF SECURITY

Interface Table   GET / GETNEXT        John, Paul         Authentication

•••               •••                  •••                •••

•••               •••                  •••                •••

Interface Table   SET                  John               Authentication, Encryption

Systems Group     GET / GETNEXT        George             None

•••               •••                  •••                •••

•••               •••                  •••                •••
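The access control table above as a default-deny lookup, written as an added example (not part of the original slides). It assumes the SET row requires both authentication and encryption, maps the slide's view names to the standard MIB-II OIDs for ifTable and the system group, and leaves out the groups, contexts and view masks of full VACM; all function names are illustrative.

```python
# Added example: default-deny lookup over the slide's access control table.
from enum import IntEnum


class Level(IntEnum):
    NO_AUTH_NO_PRIV = 0   # "None" on the slide
    AUTH_NO_PRIV = 1      # "Authentication"
    AUTH_PRIV = 2         # "Authentication" plus "Encryption"


# Assumed OID subtrees for the slide's MIB view names.
VIEWS = {
    "Interface Table": (1, 3, 6, 1, 2, 1, 2, 2),   # ifTable
    "Systems Group": (1, 3, 6, 1, 2, 1, 1),        # system
}

READ = {"GET", "GETNEXT"}

# (MIB view, allowed operations, allowed managers, required security level)
ACCESS_TABLE = [
    ("Interface Table", READ, {"John", "Paul"}, Level.AUTH_NO_PRIV),
    ("Interface Table", {"SET"}, {"John"}, Level.AUTH_PRIV),
    ("Systems Group", READ, {"George"}, Level.NO_AUTH_NO_PRIV),
]


def parse_oid(text):
    """Turn '1.3.6.1.2.1.1.1.0' into a tuple of integers."""
    return tuple(int(part) for part in text.strip(".").split("."))


def in_view(oid, view_name):
    """Compare whole sub-identifiers, so ...2.22 is not inside ...2.2."""
    root = VIEWS[view_name]
    return oid[:len(root)] == root


def is_access_allowed(security_name, security_level, operation, oid_text):
    """Allow only if some row matches every column; anything else is denied."""
    oid = parse_oid(oid_text)
    for view, operations, managers, required in ACCESS_TABLE:
        if (operation in operations
                and security_name in managers
                and security_level >= required
                and in_view(oid, view)):
            return True
    return False
```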

Page 38: Internet Management Protocols

MIB VIEWS


Page 39: Internet Management Protocols

SNMPv3 IMPLEMENTATIONS

ACE*COMM
AdventNet
BMC Software
Cisco
Epilogue
Gambit communications
Halcyon
IBM
ISI
IWL
MG-SOFT
MultiPort Corporation
SimpleSoft
SNMP Research
SNMP++
TU of Braunschweig
UCD
University of Quebec

Page 40: Internet Management Protocols

SNMPv3 RFCs

[Figure: the SNMP entity diagram of Page 4, annotated with RFC numbers.]

RFC 2571

SNMP APPLICATIONS: RFC 2573

MESSAGE PROCESSING SUBSYSTEM: RFC 2572

DISPATCHER: RFC 2572

SECURITY SUBSYSTEM: USM: RFC 2574

ACCESS CONTROL SUBSYSTEM: VACM: RFC 2575