... SNMP) specification [1]
allows for the protection of network management operations by a
variety of security protocols. The SNMP ...
... framework for securing SNMP network
management. In the context of that framework, this memo defines
...
... authentication protocol. The authentication
protocol provides a mechanism by which SNMP management communications
transmitted by the party may be reliably identified as having
originated from that party. The authentication protocol ...
... privacy protocol provides a mechanism by
which SNMP management communications transmitted to said party are
protected from disclosure. The privacy protocol in this memo
...
...
... USE OF THE TRIVIAL PROTOCOL ALONE DOES NOT CONSTITUTE SECURE
NETWORK MANAGEMENT. THEREFORE, A NETWORK MANAGEMENT SYSTEM THAT
IMPLEMENTS ONLY THE TRIVIAL PROTOCOL IS NOT CONFORMANT TO THIS
SPECIFICATION.
...
... strategy by which such clocks are synchronized. Section 6.3 presents
one strategy that is particularly suited to the demands of SNMP
network management.
...
... strategies. Section 6.4 presents one such strategy that is
particularly suited to the demands of SNMP network management.
...
... Several of the classical threats to network protocols are applicable
to the network management problem and therefore would be applicable
to any SNMP security protocol ...
... SNMP security protocol. Other threats are not applicable to
the network management problem. This section discusses principal
threats, secondary threats, and threats which are of lesser
...
... Modification of Information.
The SNMP protocol provides the means for management stations to
interrogate and to manipulate the value of objects in a managed
agent ...
... agent. The modification threat is the danger that some party may
alter in-transit messages generated by an authorized party in such
a way as to effect unauthorized management operations, including
falsifying the value of an object.
...
... Access control necessarily depends on knowledge of the origin of a
message. The masquerade threat is the danger that management
operations not authorized for some party may be attempted by that
party by assuming the identity ...
... stream modification threat is the danger that messages
may be arbitrarily re-ordered, delayed or replayed to effect
unauthorized management operations. This threat may arise either
by the work of a malicious attacker or by the natural operation of
...
... The disclosure threat is the danger of eavesdropping on the
exchanges between managed agents and a management station.
Protecting against this threat is mandatory when the SNMP is used
...
... indistinguishable from the type of network failures with which any
viable network management protocol must cope as a matter of
course.
...
... predictable -- agents may be managed on a regular basis by a
relatively small number of management stations -- and therefore
there is no significant advantage afforded by protecting against
traffic analysis ...
... Based on the foregoing account of threats in the SNMP network
management environment, the goals of a SNMP security protocol are
...
... its transmission through the network in such a way that
an unauthorized management operation might result.
2. The protocol should provide for verification ...
... principal goal of supporting secure network
management, the design of any SNMP security protocol is also
...
...
1. When the requirements of effective management in times
of network stress are inconsistent with those of security ...
... security mechanism should entail no changes to the
basic SNMP network management philosophy.
...
...
Within an authenticated management communication generated by such a
party, the size of the authDigest component of that communication
(see Section 4) is 16 octets ...
... SNMP protocol
entity is an actual process which performs network management
operations by generating and/or responding to SNMP protocol messages ...
... Recall from [2] that a SNMP management communication is represented
by an ASN.1 value with the following syntax.
...
...
For each SnmpMgmtCom value that represents a SNMP management
communication, the following statements are true:
...
... 2] that a SNMP authenticated management communication is
represented by an ASN.1 value with the following syntax.
...
... Its authData component is called the authentication
data and represents a SNMP management
communication.
...
... integer value
evaluated according to the authTimestamp value. In
order not to limit transmission frequency of management
communications to the granularity of the authentication
...
... procedure performed by a SNMP protocol entity whenever a management
communication is to be transmitted by a SNMP party is as follows.
...
... procedure performed by a SNMP protocol entity whenever a management
communication is received by a SNMP party is as follows.
...
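The generation and reception procedures referred to above, as an added example that is not code from RFC 1352 or from any SNMP implementation. The page's fragments do not show the digest computation, so the following is assumed here: the 16-octet private authentication key occupies the authDigest field while MD5 is computed over the serialized message and the resulting digest then replaces it; the ASN.1 encoding is replaced by a fixed byte layout; the message carries a single authTimestamp that the receiver checks against a lifetime window (300 ticks, also assumed). The names serialize, generate, receive and demo are illustrative.

```python
import hashlib
import hmac
import struct

# Added example, not code from RFC 1352 or any SNMP implementation. Assumed
# here, because the page's fragments do not show them: the 16-octet private
# authentication key occupies the authDigest field while MD5 is computed over
# the serialized message, the ASN.1 encoding is replaced by a fixed layout,
# and the message carries a single authTimestamp checked against a lifetime.

DIGEST_LEN = 16   # the authDigest component is 16 octets


def serialize(auth_digest, auth_timestamp, auth_data):
    """Fixed-layout stand-in for the encoding of the authenticated message."""
    assert len(auth_digest) == DIGEST_LEN
    return auth_digest + struct.pack(">I", auth_timestamp) + auth_data


def generate(secret, party, auth_data):
    """Sender: stamp with the party's clock, digest with the secret in place of
    the authDigest field, then put the digest into that field."""
    ts = party["clock"]
    d = hashlib.md5(serialize(secret, ts, auth_data)).digest()
    return {"authDigest": d, "authTimestamp": ts, "authData": auth_data}


def receive(secret, party, msg, lifetime):
    """Receiver: recompute the digest under its copy of the secret, then apply
    the clock window. party['clock'] is the receiver's notion of the sending
    party's clock and is advanced by a newer valid timestamp."""
    expected = hashlib.md5(
        serialize(secret, msg["authTimestamp"], msg["authData"])).digest()
    if not hmac.compare_digest(expected, msg["authDigest"]):
        return False, "digest mismatch"
    if msg["authTimestamp"] + lifetime < party["clock"]:
        return False, "timestamp outside lifetime window"
    # Equal timestamps are accepted, so more than one message may carry the
    # same clock value; only a strictly newer stamp advances the notion.
    if msg["authTimestamp"] > party["clock"]:
        party["clock"] = msg["authTimestamp"]
    return True, "ok"


def demo():
    secret = bytes(range(16))            # constructed 16-octet key
    sender = {"clock": 1000}             # sender's notion of its own party clock
    receiver = {"clock": 990}            # receiver's notion lags slightly
    lifetime = 300
    msg = generate(secret, sender, b"GetRequest sysUpTime.0")
    fresh = receive(secret, receiver, msg, lifetime)
    # Modification threat: altered authData with the original digest.
    tampered = dict(msg, authData=b"SetRequest sysName.0")
    modified = receive(secret, receiver, tampered, lifetime)
    # Replay threat: the same message after the receiver's clock has moved on.
    receiver["clock"] = 1400
    replayed = receive(secret, receiver, msg, lifetime)
    return {"fresh": fresh, "modified": modified, "replayed": replayed,
            "receiver_clock": receiver["clock"]}


if __name__ == "__main__":
    print(demo())
```

The first reception advances the receiver's notion of the sending party's clock to 1000; the altered message fails the digest comparison, and the replayed original fails once the receiver's clock has passed the lifetime window, which is the rejection of "a previous value of the relevant party clock" discussed later in the document.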
... Recall from [2] that a SNMP private management communication is
represented by an ASN.1 value with the following syntax.
...
...
For each SnmpPrivMsg value that represents a SNMP private management
communication, the following statements are true:
...
... encapsulation of a SNMP authenticated management communication into a
SNMP private management ...
... SNMP
protocol entity whenever a management communication is to be
transmitted by a SNMP party is as follows.
...
... according to the conventions of the Digest
Authentication Protocol, the generation of the private
management communication fails according to a local
procedure, without further processing.
...
... SNMP protocol entity whenever
a management communication is received by a SNMP party is as follows.
...
... configuration of a device, the secrets should be changed
immediately after configuration such that their actual
value is known only to the software. A management
station has the additional responsibility of recovering the
state of all parties whenever it boots, and it may address ...
...
This management station is responsible for ensuring that
all authentication clocks are synchronized and for
changing the secret values when necessary. Although
more than one management station may share this
responsibility, their coordination is essential to the
secure management of the network. The mechanism by
which multiple management stations ensure that no
more than one of them attempts to synchronize the
clocks or update ...
...
A responsible management station may either support
clock synchronization and secret distribution as separate
...
... initialization vector. Clearly, these values will need to be recorded
on a medium in order to be transported between a responsible
management station and a managed agent. The recommended procedure is
to configure a small set of initial SNMP ...
... In fact, there is a minimal, useful set of SNMP parties that could be
configured between each responsible management station and managed
agent. This minimal set includes one of each of the following for
both the responsible management station and the managed agent:
...
...
The last of these SNMP parties in both the responsible management
station and the managed agent could be used to configure all other
SNMP ...
... other parties has the advantage of exposing only one pair of secrets
-- the secrets used to configure the minimal, useful set identified
above. To limit this exposure, the responsible management station
should change these values as its first operation upon completion of
the initial configuration. In this way, secrets are known only to the
...
... All 6 parties should be configured in each new managed agent and its
responsible management station. The responsible management station
should be configured first, since the management station can be used
to generate the initial secrets and provide them to a person, on a
suitable medium, for distribution to the managed agent ...
... sequence of steps describes the initial configuration of a managed
agent and its responsible management station.
...
... the SNMP party to be configured. Some of these values
may be computed by the responsible management
station, some may be specified in the MIB document,
and some may be administratively determined.
2. Configure the parties in the responsible management
station, according to the set of initial values. If the
management station is computing some initial values to
be entered into the agent, an appropriate medium must
...
... the set of initial values.
4. The responsible management station must synchronize
the authentication clock values for each party it shares
...
... strategy by which this could be accomplished.
5. The responsible management station should change the
secret values manually configured to ensure the actual
values are known only to the peers requiring knowledge
of them in order to communicate. To do this, the
management station generates new secrets for each party
to be reconfigured and distributes those secrets with a
strategy that uses a protocol that protects them from
...
... receiving positive acknowledgement
that the new values have been distributed, the
management station should update its local database
...
... If there are other SNMP protocol entities requiring knowledge of the
secrets, the responsible management station must distribute the
information upon completion of the initial configuration. The
mechanism used must protect the secrets from disclosure to
...
...
A responsible management station must ensure that the authentication
clock value for each SNMP ...
... Whenever clock skew is detected, and whenever the SNMP entities at
both the responsible management station and the relevant managed
agent support an appropriate privacy protocol ...
... agent support a privacy protocol in order for a responsible
management station to correct skewed clock values. The procedure for
correcting clock skew in the general case is presented in Section
6.3.
...
... state, the only
authenticated request a management station should generate for this
party is one that alters the value of at least its authentication
...
... clock and private authentication key. In order to reset these values,
the responsible management station may set the authentication
timestamp ...
... the SNMP entity in the corresponding responsible management station.
For any pair of parties, there are four possible conditions of the
authentication ...
...
1. The management station's notion of the value of the
authentication clock for agentParty exceeds the agent's
notion.
2. The management station's notion of the value of the
authentication clock for mgrParty exceeds the agent's
notion.
3. The agent's notion of the value of the authentication
clock for agentParty exceeds the management station's
notion.
4. The agent's notion of the value of the authentication
clock for mgrParty exceeds the management station's
notion.
...
...
1. The responsible management station saves its existing
notions of the authentication clocks for the two parties,
agentParty and mgrParty.
2. The responsible management station retrieves the
authentication clock values for both agentParty and
mgrParty from the agent. This retrieval must be an
unauthenticated request, since the management station
does not know if the clocks are synchronized. If the
request fails, the clocks cannot be synchronized, and the
clock adjustment procedure is aborted without further
processing.
3. If the management station's notion of the authentication
clock for agentParty exceeds the notion just retrieved
...
... authentication clock for mgrParty
just retrieved from the agent exceeds the management
station's notion, then condition 4 is manifest, and the
responsible management station advances its notion of
the authentication clock for mgrParty to match the
...
...
5. If condition 1 is manifest, then the responsible
management station sends an authenticated
management operation to the agent that advances the
agent's notion of the authentication clock for
agentParty to be equal to the management station's
notion. If this management operation fails, then the
management station restores its previously saved notions
of the clock values, and the clock adjustment procedure
is aborted without further processing.
6. The responsible management station retrieves the
authentication clock values for both agentParty and
mgrParty from the agent. This retrieval must be an
authenticated request, in order that the management
station may verify that the clock values are properly
synchronized. If this authenticated query fails, then the
management station restores its previously saved notions
of the clock values, and the clock adjustment procedure
is aborted without further processing. Otherwise, clock
...
... agent may evaluate the request in
step 5 as unauthentic. Similarly, step 5 above must be completed
before attempting step 6. Otherwise, the management station may
evaluate the query response in step 6 as unauthentic.
...
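The clock adjustment procedure above (steps 1 through 6, acting on the four skew conditions), as an added example that is not from RFC 1352 or from any SNMP implementation: a simulation in which the management station and the agent each hold their own notions of the agentParty and mgrParty clocks. The page's fragments do not state the acceptance rule, so the following is assumed here: a lifetime window of 10 ticks, an agent that rejects a request whose mgrParty timestamp is staler than its own notion by more than that window and otherwise advances its notion, and the symmetric check on the station for replies stamped with the agentParty clock. Condition 2 is left to correct itself, because the agent advances its notion on the first authenticated request it accepts. The names Agent, resynchronize, manager_accepts and LIFETIME are illustrative.

```python
# Added example, not code from RFC 1352: a simulation of the clock adjustment
# procedure. Assumptions (not stated in the page): LIFETIME window of 10 ticks,
# the agent rejects requests whose mgrParty timestamp is stale beyond that
# window, and the station applies the same rule to agentParty-stamped replies.
LIFETIME = 10


class Agent:
    """Managed agent with its own notions of the agentParty and mgrParty clocks."""

    def __init__(self, clocks, reachable=True):
        self.clocks = dict(clocks)
        self.reachable = reachable  # False simulates a network failure

    def _accept_request(self, ts):
        # Requests are authenticated under mgrParty: reject stale timestamps,
        # advance the local notion when the timestamp is newer.
        if ts + LIFETIME < self.clocks["mgrParty"]:
            return False
        self.clocks["mgrParty"] = max(self.clocks["mgrParty"], ts)
        return True

    def unauthenticated_get(self):
        # Step 2 uses this: no clock check, because the clocks may be skewed.
        return dict(self.clocks) if self.reachable else None

    def authenticated_get(self, ts):
        if not self.reachable or not self._accept_request(ts):
            return None
        # Replies are authenticated under agentParty and stamped with its clock.
        return self.clocks["agentParty"], dict(self.clocks)

    def authenticated_set_agent_clock(self, ts, value):
        if not self.reachable or not self._accept_request(ts):
            return None
        self.clocks["agentParty"] = value
        return self.clocks["agentParty"], dict(self.clocks)


def manager_accepts(mgr, reply):
    """Station-side check of a reply authenticated under agentParty.
    Returns the agent's reported clocks, or None if the reply is unauthentic."""
    if reply is None:
        return None
    ts, clocks = reply
    if ts + LIFETIME < mgr["agentParty"]:
        return None
    mgr["agentParty"] = max(mgr["agentParty"], ts)
    return clocks


def _restore(mgr, saved):
    mgr.clear()
    mgr.update(saved)


def resynchronize(mgr, agent):
    """Steps 1-6 of the procedure; mgr is the station's notion of both clocks."""
    saved = dict(mgr)                                              # step 1
    retrieved = agent.unauthenticated_get()                        # step 2
    if retrieved is None:
        return False, "step 2: unauthenticated retrieval failed"
    condition1 = mgr["agentParty"] > retrieved["agentParty"]       # step 3
    if retrieved["agentParty"] > mgr["agentParty"]:                # condition 3
        mgr["agentParty"] = retrieved["agentParty"]
    if retrieved["mgrParty"] > mgr["mgrParty"]:                    # step 4, condition 4
        mgr["mgrParty"] = retrieved["mgrParty"]
    if condition1:                                                 # step 5
        reply = agent.authenticated_set_agent_clock(mgr["mgrParty"], mgr["agentParty"])
        if manager_accepts(mgr, reply) is None:
            _restore(mgr, saved)
            return False, "step 5: authenticated clock advance failed, notions restored"
    reported = manager_accepts(mgr, agent.authenticated_get(mgr["mgrParty"]))  # step 6
    if reported != mgr:
        _restore(mgr, saved)
        return False, "step 6: authenticated verification failed, notions restored"
    return True, "clocks synchronized"


def demo():
    # Constructed skews. Case A: conditions 1 and 4 manifest at once.
    mgr_a = {"agentParty": 500, "mgrParty": 200}
    agent_a = Agent({"agentParty": 100, "mgrParty": 900})
    ok_a, _ = resynchronize(mgr_a, agent_a)
    # Case B: only condition 2; the agent catches up on the step 6 request.
    mgr_b = {"agentParty": 100, "mgrParty": 950}
    agent_b = Agent({"agentParty": 100, "mgrParty": 900})
    ok_b, _ = resynchronize(mgr_b, agent_b)
    # Case C: agent unreachable; the station's notions must be left untouched.
    mgr_c = {"agentParty": 500, "mgrParty": 200}
    ok_c, _ = resynchronize(mgr_c, Agent({"agentParty": 100, "mgrParty": 900}, reachable=False))
    return {"a": (ok_a, mgr_a, agent_a.clocks), "b": (ok_b, mgr_b, agent_b.clocks),
            "c": (ok_c, mgr_c)}


if __name__ == "__main__":
    print(demo())
```

Case A shows why step 4 must precede step 5: the station's mgrParty notion is first raised to the agent's (900), and only then can the authenticated Set that advances the agent's agentParty clock be accepted; sending it under the old notion (200) would be evaluated as unauthentic. Case C shows the save-and-restore discipline of step 1 when the procedure aborts.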
... intended to increase with the passage of time. A potential
operational problem is the rejection of management operations that
are authenticated using a previous value of the relevant party clock.
This possibility may be avoided if a management station suppresses
generation of management traffic between relevant parties while this
clock adjustment procedure is in progress.
...
...
The following sequence of steps specifies how a responsible
management station alters a secret value (i.e., the private
authentication key or the private privacy ...
...
1. The responsible management station generates a new
secret value.
...
... SNMP Set request in a SNMP private management
communication with at least the following properties.
...
... SNMP Set response in a
SNMP private management communication with at least
the following properties.
...
... 7. Upon receiving the response, the responsible
management station updates its local database with the
new value.
...
...
If the responsible management station does not receive a response to
its request, there are two possible causes.
...
... In order to distinguish the two possible error conditions, a
responsible management station could check the destination to see if
the change has occurred. Unfortunately, since the secret values are
...
... changing its private privacy key. In this way, the responsible
management station may retrieve the public value when a response is
not received, and verify whether or not the change has taken place.
...
... local
database prior to generating a response. Thus, the response will be
constructed according to the new value. However, the responsible
management station will not update its local database until after the
response is received. This suggests the responsible management
station may receive a response which will be evaluated as
unauthentic, unless the correct secret is used. The responsible
management station may either account for this scenario as a special
case, or use an alteration of the relevant public values (as
...
...
Note, during the period of time after the request has been sent and
before the response is received, the management station must keep
track of both the old and new secret values. Since the delay may be
the result of a network failure, the management station must be
prepared to retain both values for an extended period of time,
including across reboots.
...
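The secret alteration exchange and its failure modes discussed above (the agent storing the new value before it responds, the station holding both old and new secrets until the change is confirmed, and the use of a public value to learn whether a change took place when no response arrives), as an added example that is not from RFC 1352 or from any SNMP implementation. Assumed here, because the page does not show them: a keyed-MD5 stand-in for the digest protocol, the privacy-protocol encryption of the Set request omitted, a per-party key_generation counter as the public value the text suggests altering, and the names Agent, Manager, request, on_response and reconcile.

```python
import hashlib
import hmac
import os

# Added example, not RFC 1352 code: the secret-change exchange with the
# station retaining both the old and the new secret until the change is
# confirmed. Assumed here (not shown in the page): a keyed-MD5 stand-in for
# the digest protocol, the privacy-protocol encryption omitted, and a public
# per-party "key generation" counter as the public value the text suggests
# checking when no response arrives.

PREFIX = b"SetRequest privateAuthKey="


def digest(secret, payload):
    """Keyed-MD5 stand-in for the Digest Authentication Protocol (assumed form)."""
    return hashlib.md5(secret + payload).digest()


class Agent:
    def __init__(self, secret):
        self.secret = secret
        self.key_generation = 0     # public value, readable without authentication

    def handle_set(self, payload, d, drop_response=False):
        if not hmac.compare_digest(digest(self.secret, payload), d):
            return None                                   # request unauthentic
        # The agent stores the new secret before building its response, so the
        # response digest is already computed under the new value.
        self.secret = payload[len(PREFIX):]
        self.key_generation += 1
        reply = b"SetResponse privateAuthKey"
        if drop_response:
            return None                                   # lost in the network
        return reply, digest(self.secret, reply)


class Manager:
    def __init__(self, secret, agent_generation):
        self.current = secret
        self.pending = None          # new secret awaiting acknowledgement
        self.seen_generation = agent_generation

    def request(self):
        if self.pending is None:
            self.pending = os.urandom(16)                 # step 1: fresh secret
        payload = PREFIX + self.pending
        return payload, digest(self.current, payload)     # sent under old secret

    def on_response(self, reply):
        if reply is None:
            return "no response: old and new secrets both retained"
        payload, d = reply
        # The agent has already switched, so the reply is checked under the
        # new value rather than the one the request was sent under.
        if hmac.compare_digest(digest(self.pending, payload), d):
            self._commit()                                # step 7
            return "acknowledged under new secret"
        return "unauthentic response"

    def reconcile(self, agent):
        """After a lost response: read the public value to learn whether the
        agent applied the change, without trying either secret on the wire."""
        if agent.key_generation != self.seen_generation:
            self._commit()
            return "change confirmed via public value"
        return "change not applied, resend the request"

    def _commit(self):
        self.current, self.pending = self.pending, None
        self.seen_generation += 1


def demo():
    initial = bytes(16)                                   # constructed initial secret
    agent = Agent(initial)
    mgr = Manager(initial, agent.key_generation)
    first = mgr.on_response(agent.handle_set(*mgr.request()))
    # Response lost: the agent is on the new secret while the station is not.
    lost = mgr.on_response(agent.handle_set(*mgr.request(), drop_response=True))
    both_held = mgr.pending is not None and mgr.current != agent.secret
    recovered = mgr.reconcile(agent)
    # Request lost before reaching the agent: the public value is unchanged.
    mgr.request()
    not_applied = mgr.reconcile(agent)
    resend = mgr.on_response(agent.handle_set(*mgr.request()))
    return {"first": first, "lost": lost, "both_held": both_held,
            "recovered": recovered, "not_applied": not_applied,
            "resend": resend, "in_sync": mgr.current == agent.secret}


if __name__ == "__main__":
    print(demo())
```

The two loss cases are distinguished by the public counter rather than by probing with either secret: when the response was lost, the counter has moved and the station commits the pending value; when the request itself was lost, the counter is unchanged and the same request is re-sent under the old secret, which the agent still holds.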
... provided by battery-powered clock-calendar devices incorporated into
some contemporary systems. It is assumed that management stations
always support reliable clock representations, where clock adjustment
by a human operator during crash recovery may contribute to that
...
... If a managed agent crashes and does not reboot in time for its
responsible management station to prevent its authentication clock
from reaching its maximal value, upon reboot the clock must be halted
...
... Upon detecting that a managed agent has rebooted, a responsible
management station must reset all other party attributes, including
the lifetime if it was not retained. In order to reset the lifetime,
the responsible management station should set the authentication
timestamp ...
...
The only authenticated request a management station should generate
for a party in this initial state is one that alters the value of at
...
... lifetime (if that was not retained). In order to reset these values,
the responsible management station must set the authentication
timestamp ...
... A management station should discard SNMP responses
for which neither the request-id component nor the
represented management information corresponds to any
currently outstanding request.
...
...
Although it would be typical for a management station
to do this as a matter of course, in the context of these
...
... lack of response to an authenticated SNMP management
communication as a conclusive indication of agent or
...
... facilitate administration of such SNMP parties or to
provide for continued management in times of network
stress, a management station implementation may
provide for arbitrary, artificial advancement of the
timestamp ...
... round-trip communications delays, and the frequency
with which a responsible management station will be
able to verify all clock values.
...
... delays of SNMP messages. The implementation of a
management station may, when explicitly authorized,
provide for dynamic adjustment of the lifetime in order
...
... state altering messages to a managed
agent, a management station should delay sending
successive messages to the managed agent until a
...
... lifetime under normal circumstances. During the
period of time this message is valid, if the management
station sends another authenticated message to the
managed agent ...
...
Indeed, a management station must cope with the loss
and re-ordering of messages resulting from anomalies in
the network as a matter of course. A management
station implementation may choose to prevent the loss
of messages resulting from re-ordering when using the
security protocols ...
... In order to foster the greatest degree of security, a
management station implementation must support
constrained, pairwise sharing of secrets among SNMP
...
... SNMP messages as ASN.1 values, such modifications cannot --
consistent with goal 1 -- result in unauthorized management
operations.
...
... valid message delivery depends -- thereby
enhancing the effectiveness of the protocol in a management context.
...
... participants whose local notion of the party clock is relatively less
advanced. In this case, queries from a management station may not be
validly delivered and the management station needs to react
appropriately (e.g., by administratively resynchronizing local
notions of the clock in conjunction ...
[1] Case, J., M. Fedor, M. Schoffstall, and J. Davin, "The Simple Network Management Protocol", RFC 1157, University of Tennessee at Knoxville, Performance Systems International, Performance ...
