
SBSM BOF Session-Based Security Model for SNMPv3

Wes Hardaker, David T. Perkins. August 06, 2004 (draft-hardaker-snmp-sbsm-03.txt). SBSM is a protocol proposal (current draft: draft-hardaker-snmp-sbsm-03.txt) that creates a “session” between two points.


Presentation Transcript


  1. SBSM BOF: Session-Based Security Model for SNMPv3
     Wes Hardaker, David T. Perkins
     August 06, 2004 (draft-hardaker-snmp-sbsm-03.txt)

  2. SBSM Protocol Proposal
     • Current draft: draft-hardaker-snmp-sbsm-03.txt
     • Creates a “session” between two points

  3. SBSM Protocol Details
     • Works over any transport (UDP/TCP/...)
     • Requires no modifications to existing SNMPv3 components (apps, MP, Dispatcher, VACM, …)
     • Requires no new SNMP PDU types
     • All security and parameter negotiation (e.g., auth/priv types) is invisible to the application
     • Supports compression before encryption

  4. SBSM Protocol Security
     • Supports multiple types of identification
     • Reuses existing infrastructure
     • Identities are protected from sniffers
     • The initiator's identity is protected from active identity discovery attacks
     • Requires no outside infrastructure, but can use it if available
     • Able to handle all operator authentication needs
     • Authenticates both sides independently
     • Protects against replay entirely
     • Retries will resend the exact same response

  5. SBSM Protocol Security
     • Based on the SIGMA key-exchange protocol
       • Uses a Diffie-Hellman exchange
       • A proven secure protocol
       • Also used in the widely deployed IKE protocol
     • Uses existing SNMPv3 security algorithms for message authentication and encryption (SHA1/MD5 & DES/AES)
     • Security parameters are negotiated

  6. SBSM Protocol
     • SNMPv3/SBSM is divided into 3 phases: Initialization, Running, Closing
     • Initialization PDUs sent are GET/REPORT PDUs, but the application never sees them (similar to EngineID discovery today)

  7. Session State Information
     • Status (initializing, running, closed)
     • Remote identity type and name
     • Remote EngineID
     • Anti-replay support parameters
     • Authentication & Encryption parameters: algorithms, incoming/outgoing keys, algorithm-specific parameters
     • Session parameters: numeric identifiers, start time, max length
     • Additional implementation-specific parameters
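As an added illustration (not code from the draft or these slides), the Python below models the per-session state of slide 7 on the responder side and the replay and retry behaviour claimed on slide 4: a replayed sequence number is rejected, a retry of the most recent request gets the identical cached response without re-executing it, and a message with a bad tag or arriving on a closed session is dropped. The session id, key, PDU payloads and the tag format are constructed assumptions, not the draft's wire format.

```python
import hashlib
import hmac

class SbsmSession:
    """Responder-side session state (constructed; modelled on slide 7)."""

    def __init__(self, session_id, auth_key):
        self.session_id = session_id
        self.auth_key = auth_key          # in SBSM, derived from the key exchange
        self.status = "initializing"      # initializing -> running -> closed
        self.last_seq = 0                 # highest sequence number accepted
        self.last_response = None         # response to last_seq, kept for retries

    def mac(self, seq, payload):
        # Bind the tag to the session and sequence number so a message cannot
        # be replayed into another session or at another position.
        msg = b"%d|%d|" % (self.session_id, seq) + payload
        return hmac.new(self.auth_key, msg, hashlib.sha1).digest()

    def receive(self, seq, payload, tag, handler):
        """Return ('ok', response) or ('reject', reason)."""
        if self.status != "running":
            return ("reject", "session not running")
        if not hmac.compare_digest(tag, self.mac(seq, payload)):
            return ("reject", "bad authentication tag")
        if seq == self.last_seq and self.last_response is not None:
            # Retry of the latest request: resend the identical cached response
            # (slide 4) instead of executing the request a second time.
            return ("ok", self.last_response)
        if seq <= self.last_seq:
            return ("reject", "replayed sequence number")
        response = handler(payload)       # hand the PDU to the application
        self.last_seq, self.last_response = seq, response
        return ("ok", response)

def demo():
    """Walk one session through the running and closing phases of slide 6."""
    s = SbsmSession(7, b"constructed-session-key")
    s.status = "running"                  # initialization phase completed
    calls = []                            # every request the application executed
    handler = lambda p: (calls.append(p), b"reply-%d-" % len(calls) + p)[1]
    first = s.receive(1, b"GET sysUpTime", s.mac(1, b"GET sysUpTime"), handler)
    retry = s.receive(1, b"GET sysUpTime", s.mac(1, b"GET sysUpTime"), handler)
    second = s.receive(2, b"GET sysName", s.mac(2, b"GET sysName"), handler)
    replay = s.receive(1, b"GET sysUpTime", s.mac(1, b"GET sysUpTime"), handler)
    forged = s.receive(3, b"SET sysName", b"\x00" * 20, handler)
    s.status = "closed"
    late = s.receive(3, b"GET sysName", s.mac(3, b"GET sysName"), handler)
    return first, retry, second, replay, forged, late, len(calls)
```

`demo()` returns the six outcomes plus the number of requests the application actually executed, which stays at two because the retry is served from the cache.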

  8. Session Message Flow (diagram)
     Participants: SNMP App, SBSM Initiator, SBSM Responder, SNMP App
     Phases shown: Initialization (Init 1 and Init 2 messages), Running (SNMP PDUs; traffic protected by SBSM), Closing (Close messages)
     Note: Other SNMPv3 components (MP, etc) not shown but exist where expected

  9. Questions?
     • Note: this was a high-level presentation
     • More details in the last BOF, when this was the only candidate

  10. Identification Schemes (diagram: Manager, Agent, Local DB)
      • Used for:
        • Current USM model
        • Local Accounts
        • SSH Identities

  11. Identification Schemes (diagram: Identification Server, Manager, Agent)
      • Used for:
        • RADIUS
        • TACACS+

  12. Identification Schemes (diagram: Ticket Master, Manager, Agent)
      • Used for:
        • Kerberos

  13. Identification Schemes (diagram: Certificate Authority, Manager, Agent)
      • Used for:
        • PKI deployments (CA use is optional on both sides)

  14. VACM interaction (diagram of the Agent: Dispatcher, Message Processor, Security Model (SBSM), VACM; traffic arrives From Network)
      Labels on the diagram: “Security model = SBSM” and “Security model = Identity security model”
