SNMPv3

SNMPv3

OVERVIEW:

• DESIGN DECISIONS
• ARCHITECTURE
• SNMP MESSAGE STRUCTURE
• SECURE COMMUNICATION
• USER SECURITY MODEL (USM)
• IMPLEMENTATIONS
DESIGN DECISIONS

• Address the need for secure set support
• Define an architecture that allows for longevity of SNMP
• Allow different portions of the architecture to move at different speeds towards standard status
• Allow for future extensions
• Keep SNMP as simple as possible
• Allow for minimal implementations
• Also support the more complex features which are required in large networks
• Re-use existing specifications whenever possible
SNMPv3 ARCHITECTURE

[Figure: an SNMP ENTITY is made up of SNMP APPLICATIONS and an SNMP ENGINE]
SNMP APPLICATIONS: COMMAND GENERATOR, COMMAND RESPONDER, NOTIFICATION ORIGINATOR, NOTIFICATION RECEIVER, PROXY FORWARDER, OTHER
SNMP ENGINE: DISPATCHER, MESSAGE PROCESSING SUBSYSTEM, SECURITY SUBSYSTEM, ACCESS CONTROL SUBSYSTEM
SNMPv3 ARCHITECTURE: MANAGER

[Figure: the manager entity]
APPLICATIONS: COMMAND GENERATOR, NOTIFICATION RECEIVER
DISPATCHER: PDU DISPATCHER, MESSAGE DISPATCHER, TRANSPORT MAPPINGS
MESSAGE PROCESSING SUBSYSTEM: SNMPv1, SNMPv2c, SNMPv3, OTHER
SECURITY SUBSYSTEM: COMMUNITY BASED SECURITY MODEL, USER BASED SECURITY MODEL, OTHER
SNMPv3 ARCHITECTURE: AGENT

[Figure: the agent entity]
MANAGEMENT INFORMATION BASE
ACCESS CONTROL SUBSYSTEM: VIEW BASED ACCESS CONTROL
APPLICATIONS: COMMAND RESPONDER, NOTIFICATION ORIGINATOR
DISPATCHER: PDU DISPATCHER, MESSAGE DISPATCHER, TRANSPORT MAPPINGS
MESSAGE PROCESSING SUBSYSTEM: SNMPv1, SNMPv2c, SNMPv3, OTHER
SECURITY SUBSYSTEM: COMMUNITY BASED SECURITY MODEL, USER BASED SECURITY MODEL, OTHER
CONCEPTS: snmpEngineID

[Figure: four SNMP ENTITIES, each containing an SNMP ENGINE plus OTHER components; the four engines are identified as snmpEngineID=1, snmpEngineID=2, snmpEngineID=3 and snmpEngineID=4]
CONCEPTS: Context

[Figure: one SNMP ENTITY whose SNMP ENGINE has snmpEngineID=1; its COMMAND RESPONDER APPLICATION serves two MIBs, contextName=card1 and contextName=card2]

The context can be reached from this engine, thus: contextEngineID=1
PRIMITIVES BETWEEN MODULES

[Figure, repeated on each of the following slides: the APPLICATIONS, DISPATCHER, MESSAGE PROCESSING SUBSYSTEM, SECURITY SUBSYSTEM and ACCESS CONTROL SUBSYSTEM of the sending and the receiving entity, with one primitive highlighted per slide]

Parameters passed between the modules:
contextEngineID
contextName
destTransportAddress
destTransportDomain
expectResponse
globalData
maxMessageSize
maxSizeResponseScopedPDU
messageProcessingModel
outgoingMessage
outgoingMessageLength
PDU
pduType
pduVersion
scopedPDU
stateReference
statusInformation
securityEngineID
securityLevel
securityModel
securityName
securityParameters
securityStateReference
sendPduHandle
transportAddress
transportDomain
variableName
viewType
wholeMsg
wholeMsgLength

The slides highlight the primitives in this order, following a request from the sending entity to the receiving entity and the response back:
1. sendPdu
2. prepareOutgoingMessage
3. generateRequestMsg
4. send / receive
5. prepareDataElements
6. processIncomingMsg
7. processPdu
8. isAccessAllowed
9. returnResponsePdu
10. prepareResponseMessage
11. generateResponseMsg
12. send / receive
13. prepareDataElements
14. processIncomingMsg
15. processResponsePdu
MODULES OF THE SNMPv3 ARCHITECTURE

• DISPATCHER AND MESSAGE PROCESSING MODULE
  • SNMPv3 MESSAGE STRUCTURE
  • snmpMPDMIB
  • RFC 2572

• APPLICATIONS
  • snmpTargetMIB
  • snmpNotificationMIB
  • snmpProxyMIB
  • RFC 2573

• SECURITY SUBSYSTEM
  • USER BASED SECURITY MODEL
  • snmpUsmMIB
  • RFC 2574

• ACCESS CONTROL SUBSYSTEM
  • VIEW BASED ACCESS CONTROL MODEL
  • snmpVacmMIB
  • RFC 2575
SNMPv3 MESSAGE STRUCTURE

FIELD                              USED BY
msgVersion                         MESSAGE PROCESSING SUBSYSTEM
msgID, msgMaxSize, msgFlags,
msgSecurityModel                   SNMPv3 PROCESSING MODULE
msgSecurityParameters              SECURITY SUBSYSTEM
contextEngineID, contextName, PDU  ACCESS CONTROL SUBSYSTEM AND APPLICATIONS
SNMPv3 PROCESSING MODULE PARAMETERS

FIELD                    VALUES
msgVersion
msgID                    0..2147483647
msgMaxSize               484..2147483647
msgFlags                 authFlag, privFlag, reportableFlag
msgSecurityModel         SNMPv1, SNMPv2c, USM
msgSecurityParameters
contextEngineID
contextName
PDU
SECURE COMMUNICATION VERSUS ACCESS CONTROL

[Figure: MANAGER and AGENT. The manager holds the MANAGER APPLICATION PROCESSES; the agent holds the MIB, guarded by ACCESS CONTROL. SECURE COMMUNICATION covers the GET / GET-NEXT / GETBULK and SET / TRAP / INFORM exchanges carried between the two over the TRANSPORT SERVICE]
USM: SECURITY THREATS

THREAT              ADDRESSED?   MECHANISM
REPLAY              YES          TIME STAMP
MASQUERADE          YES          MD5 / SHA-1
INTEGRITY           YES          (MD5 / SHA-1)
DISCLOSURE          YES          DES
DENIAL OF SERVICE   YES
TRAFFIC ANALYSIS    YES
USM MESSAGE STRUCTURE

FIELD                          THREAT ADDRESSED
msgVersion
msgID
msgMaxSize
msgFlags
msgSecurityModel
msgAuthoritativeEngineID       REPLAY
msgAuthoritativeEngineBoots    REPLAY
msgAuthoritativeEngineTime     REPLAY
msgUserName                    MASQUERADE / INTEGRITY / DISCLOSURE
msgAuthenticationParameters    MASQUERADE / INTEGRITY
msgPrivacyParameters           DISCLOSURE
contextEngineID
contextName
PDU
IDEA BEHIND REPLAY PROTECTION

[Figure: the NONAUTHORITATIVE ENGINE keeps a LOCAL NOTION OF THE REMOTE CLOCK and sends ID, BOOTS, TIME and DATA. The AUTHORITATIVE ENGINE checks whether the received time plus the ALLOWED LIFETIME is still greater than its own LOCAL CLOCK (time + allowed lifetime >? local clock) before it accepts the ID, BOOTS, TIME and DATA]
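The timeliness check sketched in the figure, carried through as an added example that is not part of the slides. The concrete rules are those of RFC 2574, which the slides cite: the authoritative engine accepts a message only if the sender's notion of its boot counter matches and the times differ by at most 150 seconds (the "allowed lifetime"), and the nonauthoritative engine keeps, per remote engine, the newest boots/time pair it has seen so that a replayed response carrying an older clock value is rejected. Function and class names are my own; the engine IDs and clock values are constructed.

```python
MAX_BOOTS = 2147483647    # snmpEngineBoots ceiling: an engine at this value accepts nothing (RFC 2574)
ALLOWED_LIFETIME = 150    # seconds; the slide's "allowed lifetime", fixed at 150 s in RFC 2574


def authoritative_in_window(local_boots, local_time, msg_boots, msg_time):
    """Check run by the AUTHORITATIVE engine on a received request.

    (msg_boots, msg_time) is the sender's notion of this engine's clock, taken
    from msgAuthoritativeEngineBoots / msgAuthoritativeEngineTime. The message
    is inside the time window only if the boot counters match and the two
    times differ by no more than ALLOWED_LIFETIME.
    """
    if local_boots == MAX_BOOTS:
        return False
    if msg_boots != local_boots:
        return False
    return abs(msg_time - local_time) <= ALLOWED_LIFETIME


class RemoteEngineClock:
    """The NONAUTHORITATIVE engine's local notion of one remote (authoritative) clock.

    For a given remote snmpEngineID it remembers the newest boots/time pair
    received in an authenticated message. A response that carries an older
    clock value than that (beyond the allowed lifetime) is treated as a replay.
    """

    def __init__(self, engine_id, boots=0, time=0):
        self.engine_id = engine_id
        self.boots = boots          # latest snmpEngineBoots learned for this engine
        self.latest_time = time     # latestReceivedEngineTime for this engine

    def check_and_update(self, msg_boots, msg_time):
        """Return True if the (already authenticated) message is inside the window.

        The local notion advances first whenever a newer clock value arrives, then
        the message is judged against the (possibly updated) notion, as in
        RFC 2574 section 3.2, step 7b.
        """
        if msg_boots > self.boots or (msg_boots == self.boots and msg_time > self.latest_time):
            self.boots = msg_boots
            self.latest_time = msg_time
        if self.boots == MAX_BOOTS:
            return False
        if msg_boots < self.boots:
            return False
        if msg_boots == self.boots and msg_time < self.latest_time - ALLOWED_LIFETIME:
            return False
        return True


if __name__ == "__main__":
    # Constructed walk-through: the agent (authoritative) has booted 5 times and
    # has been up 1000 s; the manager's notion of that clock drifts or is replayed.
    print(authoritative_in_window(5, 1000, 5, 1100))   # fresh, within 150 s
    print(authoritative_in_window(5, 1000, 5, 1200))   # too far off: replayed or stale
    clock = RemoteEngineClock(b"\x80\x00\x00\x00\x01", boots=5, time=1000)   # constructed ID
    print(clock.check_and_update(6, 10))                # agent rebooted: notion advances
    print(clock.check_and_update(5, 5000))              # response from before the reboot
```

The authoritative side never needs to remember anything about its peers, which is why USM lets the agent be the clock authority: a manager first learns the agent's boots/time through a discovery exchange and then tracks it, while the agent simply compares against its own counters.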
IDEA BEHIND DATA INTEGRITY AND AUTHENTICATION

[Figure: KEY and DATA are fed into a HASH FUNCTION, which produces a MAC]

ADD THE MESSAGE AUTHENTICATION CODE (MAC) TO THE DATA AND SEND THE RESULT
IDEA BEHIND AUTHENTICATION

[Figure: on both sides KEY and DATA pass through the HASH FUNCTION to produce a MAC. The sender transmits USER, MAC and DATA; the receiver recomputes the MAC from its own copy of the user's key and the received DATA and compares it with the received MAC (MAC =? MAC)]
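The two authentication figures carried through in Python, as an added example that is not part of the slides. It covers the sender side (keyed hash over the message, MAC sent with the data) and the receiver side (recompute and compare). The key handling follows RFC 2574, which the slides cite: a password is turned into a key, the key is localized with the authoritative snmpEngineID, the HMAC is computed over the whole message with msgAuthenticationParameters set to twelve zero octets, and the first 96 bits of the HMAC become the transmitted MAC. The byte layout used here is a constructed length-prefixed encoding for illustration, not SNMP's BER encoding; function names, the sample message and the engine ID in the walk-through are my own.

```python
import hashlib
import hmac
import struct

# USM security parameters in the order the slide lists them, then the scoped PDU.
FIELDS = ("msgAuthoritativeEngineID", "msgAuthoritativeEngineBoots",
          "msgAuthoritativeEngineTime", "msgUserName",
          "msgAuthenticationParameters", "msgPrivacyParameters", "scopedPDU")
INT_FIELDS = ("msgAuthoritativeEngineBoots", "msgAuthoritativeEngineTime")
MAC_LEN = 12    # HMAC-MD5-96 and HMAC-SHA-96 keep only the first 12 octets of the HMAC


def password_to_key(password, hash_name="sha1"):
    """RFC 2574 appendix A.2: hash the password repeated cyclically to 1,048,576 octets."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (1048576 // len(password) + 1))[:1048576]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku, engine_id, hash_name="sha1"):
    """RFC 2574 section 2.6: Kul = H(Ku || snmpEngineID || Ku), so each agent gets its own key."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def encode(msg):
    """Constructed layout (not BER): each field as a 2-byte big-endian length plus value."""
    out = b""
    for name in FIELDS:
        value = msg[name]
        if name in INT_FIELDS:
            value = struct.pack(">I", value)
        out += struct.pack(">H", len(value)) + value
    return out


def decode(blob):
    """Inverse of encode(); integer fields are unpacked back to ints."""
    msg, pos = {}, 0
    for name in FIELDS:
        length = struct.unpack_from(">H", blob, pos)[0]
        pos += 2
        value = blob[pos:pos + length]
        pos += length
        msg[name] = struct.unpack(">I", value)[0] if name in INT_FIELDS else value
    return msg


def truncated_mac(msg, kul, hash_name):
    """HMAC over the whole message with the auth parameters zeroed, truncated to 96 bits."""
    unsigned = dict(msg, msgAuthenticationParameters=b"\x00" * MAC_LEN)
    return hmac.new(kul, encode(unsigned), hash_name).digest()[:MAC_LEN]


def sign(msg, kul, hash_name="sha1"):
    """Sender: compute the MAC and place it in msgAuthenticationParameters (the slide's USER, MAC, DATA)."""
    return encode(dict(msg, msgAuthenticationParameters=truncated_mac(msg, kul, hash_name)))


def verify(blob, kul, hash_name="sha1"):
    """Receiver: recompute the MAC from the received data and its own key, then compare (MAC =? MAC)."""
    msg = decode(blob)
    received = msg["msgAuthenticationParameters"]
    if len(received) != MAC_LEN:
        return False
    return hmac.compare_digest(received, truncated_mac(msg, kul, hash_name))


def example_message():
    """A constructed message for the walk-through (values are made up)."""
    return {
        "msgAuthoritativeEngineID": bytes(11) + b"\x02",
        "msgAuthoritativeEngineBoots": 5,
        "msgAuthoritativeEngineTime": 1000,
        "msgUserName": b"monitor",
        "msgAuthenticationParameters": b"",
        "msgPrivacyParameters": b"",
        "scopedPDU": b"<get-request for sysUpTime, constructed>",
    }


if __name__ == "__main__":
    # RFC 2574 appendix A.3.1 test vector: password "maplesyrup", engine ID 00..00 02, MD5.
    engine_id = bytes(11) + b"\x02"
    kul = localize_key(password_to_key(b"maplesyrup", "md5"), engine_id, "md5")
    print(kul.hex())                                    # 526f5eed9fcce26f8964c2930787d82b
    wire = sign(example_message(), kul, "md5")
    print(verify(wire, kul, "md5"))                     # True
    tampered = bytearray(wire)
    tampered[-1] ^= 0x01                                # flip one bit of the scoped PDU
    print(verify(bytes(tampered), kul, "md5"))          # False
```

Two details matter for the masquerade and integrity rows of the threat table: the MAC is computed over the entire message, including the engine ID, boots and time fields, so the replay fields cannot be altered without detection, and the comparison uses a constant-time check so that the receiver does not leak how many MAC bytes matched.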
IDEA BEHIND THE DATA CONFIDENTIALITY (DES)

[Figure: DES-KEY and DATA go through the DES ALGORITHM to produce ENCRYPTED DATA]

IDEA BEHIND ENCRYPTION

[Figure: the sender runs DES-KEY and DATA through the DES ALGORITHM and transmits USER and ENCRYPTED DATA; the receiver applies the DES ALGORITHM with the same DES-KEY to the ENCRYPTED DATA to recover the DATA]
Thank You !!!