Simple Network Management Protocol version 3 (SNMPv3) is an interoperable, standards-based protocol for network management. It provides secure access to devices by two means: authenticating the packets and encrypting the packets exchanged over the network. The main reason for introducing SNMPv3 was to add security, which versions 1 and 2c lack apart from a plaintext community string. The main security features provided in SNMPv3 are:
Message integrity - it makes sure the data has not been tampered with in transit.
Authentication - it checks whether the data comes from a valid source.
Encryption - it encrypts the data to prevent unauthorized disclosure.
SNMPv3 provides both security models and security levels. A security model is an authentication strategy that is set up for a user and the group the user belongs to. A security level is the degree of protection applied to a message: noAuthNoPriv (neither authentication nor encryption), authNoPriv (authentication only) or authPriv (authentication and encryption). The combination of the security model and the security level determines which security mechanism is applied to a packet.
SNMPv3 User Security Model
SNMPv3 defines two kinds of model: the User-based Security Model (USM), which protects the messages themselves, and the View-based Access Control Model (VACM), which decides which MIB objects an authenticated user may read or write. The USM is specified in RFC 2574 (later revised as RFC 3414). It provides security against four classic threats:
Modification of information:
Ensuring that the data is not maliciously altered during transmission.
Masquerade:
Also called data origin authentication. Ensuring exactly who and where the data came from, so that an unauthorized entity cannot assume the identity of an authorized one.
Disclosure:
Also called data confidentiality. Ensuring that an unauthorized entity cannot eavesdrop on the data exchanges.
Message stream modification:
Ensuring that the data is received in a timely manner, to prevent malicious reordering, delaying or replaying of messages.
The USM protects SNMPv3 packets from the above threats. It uses the concept of multiple users, where each user has secret keys for authentication and for privacy. In the original specification the authentication protocol is HMAC-MD5-96 or HMAC-SHA-96 and the privacy protocol is CBC-DES. MD5, SHA-1 and single DES are no longer considered adequate; where the devices support them, current deployments should use the AES privacy protocol (RFC 3826) and the SHA-2 based authentication protocols (RFC 7860).
SNMPv3 packet format:
The SNMPv3 framework reuses many components that already existed in version 2 and adds a message header that lets several security models coexist. An SNMPv3 message consists of the header and the encapsulated PDU. The overall message format is described in RFC 3412, which covers message processing and dispatching. The "non-security" header fields are common to all implementations; the security fields are set aside for whichever security model is in use. The figure below shows the packet format.
The SNMPv3 message structure differs from earlier versions; with the USM security model it contains the following fields:
msgVersion - the SNMP version of the message (0 for version 1, 1 for version 2c, 3 for version 3).
msgID - coordinates request and response messages between manager and agent; the msgID in the response must match the one in the request.
msgMaxSize - the maximum message size, in octets, that the sender is able to accept.
msgFlags - a single octet that controls how the message is processed: the authFlag (bit 0) and privFlag (bit 1) indicate whether the message is authenticated and encrypted, and the reportableFlag (bit 2) indicates whether a Report PDU may be sent back when processing fails.
msgSecurityModel - identifies which of the coexisting security models produced the message (3 for USM).
msgSecurityParameters - an octet string holding security model-specific data; it is interpreted only by the security model named in msgSecurityModel.
scopedPDU - the normal PDU together with a contextEngineID and contextName that identify the unique context in which the PDU is processed. It is carried in plaintext when the privFlag is clear and as an encrypted octet string when it is set.
USM Security Parameters:
The USM uses msgSecurityParameters to hold six values. The authentication module uses them to make sure the data comes from the claimed sender and to check the time gap between packets (the timeliness check); the privacy module uses them to protect against disclosure of the message payload.
msgAuthoritativeEngineID - the snmpEngineID of the authoritative engine for this exchange. For a message that expects a response (Get, GetNext, GetBulk, Set, Inform) the receiver is authoritative; for one that does not (Response, Trap, Report) the sender is. When a manager polls an agent, the keys and timeliness values are therefore always the agent's, no matter which side the packet originates from.
msgAuthoritativeEngineBoots, msgAuthoritativeEngineTime - the number of times the authoritative engine has rebooted and the seconds since its last boot; both are used by the timeliness check.
msgUserName - the name of the user whose secret keys are used to authenticate and encrypt the packet.
msgAuthenticationParameters - the 12-octet HMAC-MD5-96 or HMAC-SHA-96 value used for authentication. It is set to twelve zero octets while the HMAC over the whole message is computed, then replaced by the result.
msgPrivacyParameters - the 8-octet salt that, combined with the localized privacy key, forms the CBC-DES initialization vector. The scopedPDU is the data that is encrypted; it is not carried in this field.
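The header fields and the six USM security parameters above are all BER-encoded, and the layout is easiest to see by building and then decoding one message. The following is an added example (not code from the page or from any SNMP implementation) with a minimal BER codec for the three types an SNMPv3 header uses; the message it constructs is a step-one USM discovery request (noAuthNoPriv, reportableFlag set, empty msgAuthoritativeEngineID), and the msgID, msgMaxSize and empty varbind list are assumed values chosen for the example.

```python
"""Build and parse an SNMPv3 message header plus its USM security parameters.
Added example: minimal BER for INTEGER, OCTET STRING, SEQUENCE and GetRequest."""

INTEGER, OCTET_STRING, SEQUENCE, GET_REQUEST = 0x02, 0x04, 0x30, 0xA0
USM_SECURITY_MODEL = 3                                    # msgSecurityModel value for USM
AUTH_FLAG, PRIV_FLAG, REPORTABLE_FLAG = 0x01, 0x02, 0x04  # msgFlags bits


def ber_len(n):
    """BER length: short form below 128, long form (0x80|N followed by N octets) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value):
    """Two's-complement INTEGER in the minimal number of octets."""
    n = max(1, (value.bit_length() + 8) // 8)
    return tlv(INTEGER, value.to_bytes(n, "big", signed=True))


def ber_octets(data):
    return tlv(OCTET_STRING, data)


def usm_security_parameters(engine_id, boots, engine_time, user, auth_params, priv_params):
    """UsmSecurityParameters SEQUENCE, wrapped in the msgSecurityParameters OCTET STRING."""
    inner = (ber_octets(engine_id) + ber_int(boots) + ber_int(engine_time)
             + ber_octets(user) + ber_octets(auth_params) + ber_octets(priv_params))
    return ber_octets(tlv(SEQUENCE, inner))


def build_message(msg_id, flags, security_params, scoped_pdu, max_size=65507):
    """SNMPv3Message ::= SEQUENCE { msgVersion, msgGlobalData, msgSecurityParameters, msgData }."""
    global_data = tlv(SEQUENCE, ber_int(msg_id) + ber_int(max_size)
                      + ber_octets(bytes([flags])) + ber_int(USM_SECURITY_MODEL))
    return tlv(SEQUENCE, ber_int(3) + global_data + security_params + scoped_pdu)


def build_discovery(msg_id=0x1234):
    """Constructed step-one discovery request: empty engineID and user, zero boots/time."""
    usm = usm_security_parameters(b"", 0, 0, b"", b"", b"")
    # GetRequest-PDU: request-id, error-status, error-index, empty variable-bindings
    pdu = tlv(GET_REQUEST, ber_int(msg_id) + ber_int(0) + ber_int(0) + tlv(SEQUENCE, b""))
    scoped_pdu = tlv(SEQUENCE, ber_octets(b"") + ber_octets(b"") + pdu)  # contextEngineID, contextName, data
    return build_message(msg_id, REPORTABLE_FLAG, usm, scoped_pdu)


def read_tlv(buf, pos):
    """Return (tag, content, position after the element); rejects truncated elements."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("BER element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def read_typed(buf, pos, expected):
    tag, content, pos = read_tlv(buf, pos)
    if tag != expected:
        raise ValueError(f"expected tag {expected:#x}, got {tag:#x}")
    return content, pos


def read_int(buf, pos):
    content, pos = read_typed(buf, pos, INTEGER)
    return int.from_bytes(content, "big", signed=True), pos


def read_octets(buf, pos):
    return read_typed(buf, pos, OCTET_STRING)


def parse_message(buf):
    """Decode the header fields and the six USM parameters into a dict."""
    body, _ = read_typed(buf, 0, SEQUENCE)
    version, pos = read_int(body, 0)
    global_data, pos = read_typed(body, pos, SEQUENCE)
    msg_id, p = read_int(global_data, 0)
    max_size, p = read_int(global_data, p)
    flags, p = read_octets(global_data, p)
    sec_model, p = read_int(global_data, p)
    sec_params, pos = read_octets(body, pos)
    usm, _ = read_typed(sec_params, 0, SEQUENCE)
    engine_id, p = read_octets(usm, 0)
    boots, p = read_int(usm, p)
    engine_time, p = read_int(usm, p)
    user, p = read_octets(usm, p)
    auth_params, p = read_octets(usm, p)
    priv_params, p = read_octets(usm, p)
    data_tag, _, _ = read_tlv(body, pos)   # plaintext scopedPDU is a SEQUENCE, encrypted one an OCTET STRING
    return {
        "msgVersion": version, "msgID": msg_id, "msgMaxSize": max_size,
        "msgFlags": flags[0] if flags else 0, "msgSecurityModel": sec_model,
        "msgAuthoritativeEngineID": bytes(engine_id), "msgAuthoritativeEngineBoots": boots,
        "msgAuthoritativeEngineTime": engine_time, "msgUserName": bytes(user),
        "msgAuthenticationParameters": bytes(auth_params), "msgPrivacyParameters": bytes(priv_params),
        "scopedPDUEncrypted": data_tag == OCTET_STRING,
    }
```

The parser checks every tag and length before trusting it; a real agent sees these bytes from unauthenticated senders, so the discovery path is exactly where a lenient decoder gets exercised by attackers.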
The manager learns these values through the discovery process, which has two steps. The first discovers the snmpEngineID of the agent; the second, needed only for the authNoPriv and authPriv security levels, obtains the agent's snmpEngineBoots and snmpEngineTime, because both are used by the timeliness module that belongs to the authentication module. In the first step the manager sends an unauthenticated SNMPv3 request with the reportable flag set and a zero-length (placeholder) msgAuthoritativeEngineID. When the agent receives a packet whose engineID is different from its own, it returns a Report PDU (usmStatsUnknownEngineIDs) carrying its own snmpEngineID, and the manager records it. The second step requires an authenticated packet: the manager sends a request with the authFlag set in msgFlags, msgAuthoritativeEngineID set to the discovered value, and boots and time set to zero, authenticated with the user's secret key. The agent authenticates the packet, finds it outside its time window, discards it, and returns a second Report PDU (usmStatsNotInTimeWindows). This Report is authenticated with the same user's key and contains the agent's current snmpEngineBoots and snmpEngineTime, which the manager must use in all subsequent messages.
Once the manager has learned the agent's snmpEngineBoots and snmpEngineTime, it must maintain its own local notion of what these values should be, advancing snmpEngineTime with its own clock. If snmpEngineTime reaches its maximum it rolls over and snmpEngineBoots must be incremented. A manager must keep local notions of these values for each agent it wishes to communicate with. The timeliness check is part of the authentication process and is performed right after the received packet has been authenticated; it is skipped when the HMAC fails, so a forged packet cannot probe the time window. If msgAuthoritativeEngineBoots differs from the agent's current snmpEngineBoots, or if msgAuthoritativeEngineTime differs from the agent's snmpEngineTime by more than 150 seconds, the packet is discarded and a Report PDU (usmStatsNotInTimeWindows) is sent back to the manager so that it can resynchronize. The agent also rejects every authenticated message once snmpEngineBoots reaches 2^31 - 1 until it is reconfigured with new secret keys. The value of +/- 150 seconds is the default time window specified by the RFC.
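The two sides of the timeliness check, and the second discovery step built on top of it, in working form. This is an added example, not code from the page or from any SNMP implementation; the Agent and RemoteEngineClock classes, the boots/time values and the "ok"/"report" return convention are constructed for illustration, while the rules themselves follow RFC 3414 section 3.2 step 7.

```python
"""USM timeliness checks (RFC 3414 section 3.2 step 7) for both engines.
Added example: the authoritative engine (the agent, for requests) compares the
message against its own clock; the manager compares against its local notion
of the agent's clock and updates that notion from authenticated Reports."""

MAX_BOOTS = 2147483647   # 2^31 - 1: every authenticated message is rejected until re-keyed
TIME_WINDOW = 150        # seconds, the default window of RFC 3414


def authoritative_in_window(local_boots, local_time, msg_boots, msg_time):
    """Agent-side check, run only after the HMAC has verified."""
    if local_boots == MAX_BOOTS:
        return False
    if msg_boots != local_boots:
        return False
    return abs(msg_time - local_time) <= TIME_WINDOW


class Agent:
    """Authoritative engine: owns snmpEngineBoots / snmpEngineTime (constructed values)."""

    def __init__(self, boots, engine_time):
        self.boots, self.engine_time = boots, engine_time

    def handle(self, msg_boots, msg_time):
        """Returns ("ok", None) for an in-window request, or ("report", (boots, time))
        standing for a usmStatsNotInTimeWindows Report carrying the agent's values."""
        if authoritative_in_window(self.boots, self.engine_time, msg_boots, msg_time):
            return "ok", None
        return "report", (self.boots, self.engine_time)


class RemoteEngineClock:
    """Manager-side local notion of one agent's boots/time; one instance per agent."""

    def __init__(self, boots=0, engine_time=0):
        self.boots, self.engine_time, self.latest_received = boots, engine_time, engine_time

    def accept(self, msg_boots, msg_time):
        """Check an authenticated Response/Report from the agent. Newer values update
        the local notion; stale boots or a time older than the latest seen minus the
        window (a replay) are rejected. Returns True if the message is in the window."""
        if msg_boots > self.boots or (msg_boots == self.boots and msg_time > self.latest_received):
            self.boots, self.engine_time, self.latest_received = msg_boots, msg_time, msg_time
        if self.boots == MAX_BOOTS or msg_boots < self.boots:
            return False
        if msg_boots == self.boots and msg_time < self.latest_received - TIME_WINDOW:
            return False
        return True


def discover_and_poll(agent, clock):
    """Second discovery step followed by a real request: the probe with the manager's
    initial zero values is answered with a Report, the manager adopts the agent's
    values from it, and the retry falls inside the window."""
    status, values = agent.handle(clock.boots, clock.engine_time)
    if status == "report" and clock.accept(*values):
        status, _ = agent.handle(clock.boots, clock.engine_time)
    return status
```

Note that the manager's notion must also advance with its own clock between polls; the class above models only the update-on-receive rule, which is the part that decides whether a replayed or delayed message is accepted.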
The USM specifies the use of Message Digest 5 (MD5) and the Secure Hash Algorithm 1 (SHA-1) for authenticating SNMPv3 packets. Both produce a fixed-size digest, also called a fingerprint, of a variable-length message: MD5 creates a 128-bit digest and SHA-1 a 160-bit digest. MD5 and SHA-1 cannot be used directly for message authentication because they take no secret key as input, so anyone could recompute the digest of a modified message. The USM therefore uses HMAC (RFC 2104), which combines the digest function with a secret key: a message is accepted only if the sender and the receiver share the same key. The user's password is first converted to a key by hashing it repeated to a length of 1,048,576 octets, and that key is then localized to one agent by hashing it together with the agent's snmpEngineID, so that compromising one agent does not reveal the key used with the others. The resulting HMAC is truncated to 96 bits (12 octets) before being placed in msgAuthenticationParameters.
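The key derivation and HMAC-96 steps just described, as an added example (not code from the page or from any SNMP implementation). The password-to-key and localization routines implement RFC 3414 appendix A.2 and are checked against the test vectors that appendix A.3 publishes for the password "maplesyrup" and engineID 000000000000000000000002; the sample message and the position of its authentication field are constructed for the example, as the message is not a real BER-encoded packet.

```python
"""USM password-to-key derivation, key localization and HMAC-96 authentication
(RFC 3414 appendix A.2 and section 6). Added example; sample message constructed."""
import hashlib
import hmac

ONE_MEGABYTE = 1048576   # the password is stretched to this many octets before hashing
MAC_LENGTH = 12          # HMAC-MD5-96 / HMAC-SHA-96 keep the first 96 bits of the HMAC


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Ku = H(password repeated cyclically to 1,048,576 octets)."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): a different key for every agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def user_key(password: bytes, engine_id: bytes, hash_name: str) -> bytes:
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


def sign_message(msg: bytes, mac_offset: int, kul: bytes, hash_name: str) -> bytes:
    """msgAuthenticationParameters (12 octets at mac_offset) is zeroed while the HMAC
    is computed over the whole message; the truncated MAC is then written into it."""
    zeroed = msg[:mac_offset] + bytes(MAC_LENGTH) + msg[mac_offset + MAC_LENGTH:]
    mac = hmac.new(kul, zeroed, hash_name).digest()[:MAC_LENGTH]
    return zeroed[:mac_offset] + mac + zeroed[mac_offset + MAC_LENGTH:]


def verify_message(msg: bytes, mac_offset: int, kul: bytes, hash_name: str) -> bool:
    """Receiver recomputes the MAC with its own copy of Kul; constant-time compare
    so the comparison itself leaks nothing about the expected value."""
    received = msg[mac_offset:mac_offset + MAC_LENGTH]
    expected = sign_message(msg, mac_offset, kul, hash_name)[mac_offset:mac_offset + MAC_LENGTH]
    return hmac.compare_digest(received, expected)


# Constructed sample: opaque header bytes, the zeroed 12-octet MAC field, a payload.
SAMPLE_HEADER = b"\x30\x40\x02\x01\x03-header-"
SAMPLE_MAC_OFFSET = len(SAMPLE_HEADER)
SAMPLE_MESSAGE = SAMPLE_HEADER + bytes(MAC_LENGTH) + b"-scopedPDU-"
```

The same derivation with "sha256" and friends as hash_name is what the SHA-2 protocols of RFC 7860 use, with a longer MAC truncation; the main practical point to notice is that the localized key, not the password, is what an agent stores, and it is useless against any other engineID.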
Every agent maintains a user table (usmUserTable) that stores all users that have access via SNMP. Each entry in the table can be created and modified via SNMP operations on the USM MIB. The user table has an advisory spin lock named usmUserSpinLock, which allows several SNMP managers to coordinate their changes. Before changing the user table a manager must retrieve the current value of usmUserSpinLock with a GET command and include that value in its SET command; the SET succeeds only if the value still matches, and the agent then increments the lock. The user table variables specified in the PDU of the SET command are then set, and the table is modified only once the agent has finished processing the entire PDU, so a SET that fails leaves the table unchanged.
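The GET-then-SET protocol around usmUserSpinLock, with two managers racing for the table, as an added example (not code from the page or from any SNMP agent). The UsmUserTable class, the error strings, the user names and the column values are constructed for illustration; the lock semantics are those of the TestAndIncr textual convention the MIB object uses.

```python
"""usmUserTable changes guarded by usmUserSpinLock (TestAndIncr semantics).
Added example: advisory lock plus all-or-nothing application of one SET PDU."""

MAX_SPIN = 2147483647   # TestAndIncr wraps from 2^31 - 1 back to 0


class UsmUserTable:
    def __init__(self):
        self.spin_lock = 0
        self.users = {}   # msgUserName -> columns such as usmUserAuthProtocol

    def get_spin_lock(self):
        """What a manager's GET of usmUserSpinLock returns."""
        return self.spin_lock

    def set_pdu(self, spin_lock_value, changes):
        """SET carrying usmUserSpinLock plus usmUserTable columns for one or more users.
        Returns (True, None), or (False, error) with the table left untouched."""
        if spin_lock_value != self.spin_lock:
            return False, "inconsistentValue"   # table changed since the manager's GET
        for name, columns in changes.items():   # validate the whole PDU before applying any of it
            if not name or not isinstance(columns, dict):
                return False, "wrongValue"
        for name, columns in changes.items():   # commit: apply everything, then advance the lock
            self.users.setdefault(name, {}).update(columns)
        self.spin_lock = 0 if self.spin_lock == MAX_SPIN else self.spin_lock + 1
        return True, None


def two_managers_race(table):
    """Both managers GET the lock first, then both SET with the value they saw:
    the second SET is refused and succeeds only after re-reading the lock."""
    seen_by_a = table.get_spin_lock()
    seen_by_b = table.get_spin_lock()
    ok_a, _ = table.set_pdu(seen_by_a, {"ops": {"authProtocol": "usmHMACSHAAuthProtocol"}})
    ok_b, err_b = table.set_pdu(seen_by_b, {"ops": {"authProtocol": "usmHMACMD5AuthProtocol"}})
    retry_b, _ = table.set_pdu(table.get_spin_lock(), {"audit": {"authProtocol": "usmHMACSHAAuthProtocol"}})
    return ok_a, (ok_b, err_b), retry_b
```

The lock is advisory: it only protects managers that follow the GET-then-SET discipline, and a manager that skips the GET can still overwrite another's change.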