Tech-invite3GPPspaceIETFspace
959493929190898887868584838281807978777675747372717069686766656463626160595857565554535251504948474645444342414039383736353433323130292827262524232221201918171615141312111009080706050403020100
in Index   Prev   Next

RFC 3414

User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)

Pages: 88
Internet Standard: 62
Errata
STD 62 is also:  3411341234133415341634173418
Obsoletes:  2574
Updated by:  5590
Part 1 of 4 – Pages 1 to 12
None   None   Next

Top   ToC   RFC3414 - Page 1
Network Working Group                                      U. Blumenthal
Request for Comments: 3414                                     B. Wijnen
STD: 62                                              Lucent Technologies
Obsoletes: 2574                                            December 2002
Category: Standards Track


          User-based Security Model (USM) for version 3 of the
              Simple Network Management Protocol (SNMPv3)

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2002).  All Rights Reserved.

Abstract

This document describes the User-based Security Model (USM) for Simple Network Management Protocol (SNMP) version 3 for use in the SNMP architecture. It defines the Elements of Procedure for providing SNMP message level security. This document also includes a Management Information Base (MIB) for remotely monitoring/managing the configuration parameters for this Security Model. This document obsoletes RFC 2574.

Table of Contents

1. Introduction.......................................... 4 1.1. Threats............................................... 4 1.2. Goals and Constraints................................. 6 1.3. Security Services..................................... 6 1.4. Module Organization................................... 7 1.4.1. Timeliness Module..................................... 8 1.4.2. Authentication Protocol............................... 8 1.4.3. Privacy Protocol...................................... 8 1.5. Protection against Message Replay, Delay and Redirection....................................... 9 1.5.1. Authoritative SNMP engine............................. 9 1.5.2. Mechanisms............................................ 9 1.6. Abstract Service Interfaces........................... 11
Top   ToC   RFC3414 - Page 2
   1.6.1.    User-based Security Model Primitives
             for Authentication.................................... 11
   1.6.2.    User-based Security Model Primitives
             for Privacy........................................... 12
   2.        Elements of the Model................................. 12
   2.1.      User-based Security Model Users....................... 12
   2.2.      Replay Protection..................................... 13
   2.2.1.    msgAuthoritativeEngineID.............................. 14
   2.2.2.    msgAuthoritativeEngineBoots and
             msgAuthoritativeEngineTime............................ 14
   2.2.3.    Time Window........................................... 15
   2.3.      Time Synchronization.................................. 15
   2.4.      SNMP Messages Using this Security Model............... 16
   2.5.      Services provided by the User-based Security Model.... 17
   2.5.1.    Services for Generating an Outgoing SNMP Message...... 17
   2.5.2.    Services for Processing an Incoming SNMP Message...... 20
   2.6.      Key Localization Algorithm............................ 22
   3.        Elements of Procedure................................. 22
   3.1.      Generating an Outgoing SNMP Message................... 22
   3.2.      Processing an Incoming SNMP Message................... 26
   4.        Discovery............................................. 31
   5.        Definitions........................................... 32
   6.        HMAC-MD5-96 Authentication Protocol................... 51
   6.1.      Mechanisms............................................ 51
   6.1.1.    Digest Authentication Mechanism....................... 51
   6.2.      Elements of the Digest Authentication Protocol........ 52
   6.2.1.    Users................................................. 52
   6.2.2.    msgAuthoritativeEngineID.............................. 53
   6.2.3.    SNMP Messages Using this Authentication Protocol...... 53
   6.2.4.    Services provided by the HMAC-MD5-96
             Authentication Module................................. 53
   6.2.4.1.  Services for Generating an Outgoing SNMP Message...... 53
   6.2.4.2.  Services for Processing an Incoming SNMP Message...... 54
   6.3.      Elements of Procedure................................. 55
   6.3.1.    Processing an Outgoing Message........................ 55
   6.3.2.    Processing an Incoming Message........................ 56
   7.        HMAC-SHA-96 Authentication Protocol................... 57
   7.1.      Mechanisms............................................ 57
   7.1.1.    Digest Authentication Mechanism....................... 57
   7.2.      Elements of the HMAC-SHA-96 Authentication Protocol... 58
   7.2.1.    Users................................................. 58
   7.2.2.    msgAuthoritativeEngineID.............................. 58
   7.2.3.    SNMP Messages Using this Authentication Protocol...... 59
   7.2.4.    Services provided by the HMAC-SHA-96
             Authentication Module................................. 59
   7.2.4.1.  Services for Generating an Outgoing SNMP Message...... 59
   7.2.4.2.  Services for Processing an Incoming SNMP Message...... 60
   7.3.      Elements of Procedure................................. 61
Top   ToC   RFC3414 - Page 3
   7.3.1.    Processing an Outgoing Message........................ 61
   7.3.2.    Processing an Incoming Message........................ 61
   8.        CBC-DES Symmetric Encryption Protocol................. 63
   8.1.      Mechanisms............................................ 63
   8.1.1.    Symmetric Encryption Protocol......................... 63
   8.1.1.1.  DES key and Initialization Vector..................... 64
   8.1.1.2.  Data Encryption....................................... 65
   8.1.1.3.  Data Decryption....................................... 65
   8.2.      Elements of the DES Privacy Protocol.................. 65
   8.2.1.    Users................................................. 65
   8.2.2.    msgAuthoritativeEngineID.............................. 66
   8.2.3.    SNMP Messages Using this Privacy Protocol............. 66
   8.2.4.    Services provided by the DES Privacy Module........... 66
   8.2.4.1.  Services for Encrypting Outgoing Data................. 66
   8.2.4.2.  Services for Decrypting Incoming Data................. 67
   8.3.      Elements of Procedure................................. 68
   8.3.1.    Processing an Outgoing Message........................ 68
   8.3.2.    Processing an Incoming Message........................ 69
   9.        Intellectual Property................................. 69
   10.       Acknowledgements...................................... 70
   11.       Security Considerations............................... 71
   11.1.     Recommended Practices................................. 71
   11.2.     Defining Users........................................ 73
   11.3.     Conformance........................................... 74
   11.4.     Use of Reports........................................ 75
   11.5.     Access to the SNMP-USER-BASED-SM-MIB.................. 75
   12.       References............................................ 75
   A.        Installation.......................................... 78
   A.1.      SNMP engine Installation Parameters................... 78
   A.2.      Password to Key Algorithm............................. 80
   A.2.1.    Password to Key Sample Code for MD5................... 81
   A.2.2.    Password to Key Sample Code for SHA................... 82
   A.3.      Password to Key Sample Results........................ 83
   A.3.1.    Password to Key Sample Results using MD5.............. 83
   A.3.2.    Password to Key Sample Results using SHA.............. 83
   A.4.      Sample encoding of msgSecurityParameters.............. 83
   A.5.      Sample keyChange Results.............................. 84
   A.5.1.    Sample keyChange Results using MD5.................... 84
   A.5.2.    Sample keyChange Results using SHA.................... 85
   B.        Change Log............................................ 86
             Editors' Addresses.................................... 87
             Full Copyright Statement.............................. 88
Top   ToC   RFC3414 - Page 4

1. Introduction

The Architecture for describing Internet Management Frameworks [RFC3411] describes that an SNMP engine is composed of: 1) a Dispatcher, 2) a Message Processing Subsystem, 3) a Security Subsystem, and 4) an Access Control Subsystem. Applications make use of the services of these subsystems. It is important to understand the SNMP architecture and the terminology of the architecture to understand where the Security Model described in this document fits into the architecture and interacts with other subsystems within the architecture. The reader is expected to have read and understood the description of the SNMP architecture, as defined in [RFC3411]. This memo describes the User-based Security Model as it is used within the SNMP Architecture. The main idea is that we use the traditional concept of a user (identified by a userName) with which to associate security information. This memo describes the use of HMAC-MD5-96 and HMAC-SHA-96 as the authentication protocols and the use of CBC-DES as the privacy protocol. The User-based Security Model however allows for other such protocols to be used instead of or concurrent with these protocols. Therefore, the description of HMAC-MD5-96, HMAC-SHA-96 and CBC-DES are in separate sections to reflect their self-contained nature and to indicate that they can be replaced or supplemented in the future. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

1.1. Threats

Several of the classical threats to network protocols are applicable to the network management problem and therefore would be applicable to any SNMP Security Model. Other threats are not applicable to the network management problem. This section discusses principal threats, secondary threats, and threats which are of lesser importance. The principal threats against which this SNMP Security Model should provide protection are:
Top   ToC   RFC3414 - Page 5
   - Modification of Information The modification threat is the danger
     that some unauthorized entity may alter in-transit SNMP messages
     generated on behalf of an authorized principal in such a way as to
     effect unauthorized management operations, including falsifying the
     value of an object.

   - Masquerade The masquerade threat is the danger that management
     operations not authorized for some user may be attempted by
     assuming the identity of another user that has the appropriate
     authorizations.

   Two secondary threats are also identified.  The Security Model
   defined in this memo provides limited protection against:

   - Disclosure The disclosure threat is the danger of eavesdropping on
     the exchanges between managed agents and a management station.
     Protecting against this threat may be required as a matter of local
     policy.

   - Message Stream Modification The SNMP protocol is typically based
     upon a connection-less transport service which may operate over any
     sub-network service.  The re-ordering, delay or replay of messages
     can and does occur through the natural operation of many such sub-
     network services.  The message stream modification threat is the
     danger that messages may be maliciously re-ordered, delayed or
     replayed to an extent which is greater than can occur through the
     natural operation of a sub-network service, in order to effect
     unauthorized management operations.

   There are at least two threats that an SNMP Security Model need not
   protect against.  The security protocols defined in this memo do not
   provide protection against:

   - Denial of Service This SNMP Security Model does not attempt to
     address the broad range of attacks by which service on behalf of
     authorized users is denied.  Indeed, such denial-of-service attacks
     are in many cases indistinguishable from the type of network
     failures with which any viable network management protocol must
     cope as a matter of course.

   - Traffic Analysis This SNMP Security Model does not attempt to
     address traffic analysis attacks.  Indeed, many traffic patterns
     are predictable - devices may be managed on a regular basis by a
     relatively small number of management applications - and therefore
     there is no significant advantage afforded by protecting against
     traffic analysis.
Top   ToC   RFC3414 - Page 6

1.2. Goals and Constraints

Based on the foregoing account of threats in the SNMP network management environment, the goals of this SNMP Security Model are as follows. 1) Provide for verification that each received SNMP message has not been modified during its transmission through the network. 2) Provide for verification of the identity of the user on whose behalf a received SNMP message claims to have been generated. 3) Provide for detection of received SNMP messages, which request or contain management information, whose time of generation was not recent. 4) Provide, when necessary, that the contents of each received SNMP message are protected from disclosure. In addition to the principal goal of supporting secure network management, the design of this SNMP Security Model is also influenced by the following constraints: 1) When the requirements of effective management in times of network stress are inconsistent with those of security, the design of USM has given preference to the former. 2) Neither the security protocol nor its underlying security mechanisms should depend upon the ready availability of other network services (e.g., Network Time Protocol (NTP) or key management protocols). 3) A security mechanism should entail no changes to the basic SNMP network management philosophy.

1.3. Security Services

The security services necessary to support the goals of this SNMP Security Model are as follows: - Data Integrity is the provision of the property that data has not been altered or destroyed in an unauthorized manner, nor have data sequences been altered to an extent greater than can occur non- maliciously. - Data Origin Authentication is the provision of the property that the claimed identity of the user on whose behalf received data was originated is corroborated.
Top   ToC   RFC3414 - Page 7
   - Data Confidentiality is the provision of the property that
     information is not made available or disclosed to unauthorized
     individuals, entities, or processes.

   - Message timeliness and limited replay protection is the provision
     of the property that a message whose generation time is outside of
     a specified time window is not accepted.  Note that message
     reordering is not dealt with and can occur in normal conditions
     too.

   For the protocols specified in this memo, it is not possible to
   assure the specific originator of a received SNMP message; rather, it
   is the user on whose behalf the message was originated that is
   authenticated.

   For these protocols, it not possible to obtain data integrity without
   data origin authentication, nor is it possible to obtain data origin
   authentication without data integrity.  Further, there is no
   provision for data confidentiality without both data integrity and
   data origin authentication.

   The security protocols used in this memo are considered acceptably
   secure at the time of writing.  However, the procedures allow for new
   authentication and privacy methods to be specified at a future time
   if the need arises.

1.4. Module Organization

The security protocols defined in this memo are split in three different modules and each has its specific responsibilities such that together they realize the goals and security services described above: - The authentication module MUST provide for: - Data Integrity, - Data Origin Authentication, - The timeliness module MUST provide for: - Protection against message delay or replay (to an extent greater than can occur through normal operation). - The privacy module MUST provide for - Protection against disclosure of the message payload.
Top   ToC   RFC3414 - Page 8
   The timeliness module is fixed for the User-based Security Model
   while there is provision for multiple authentication and/or privacy
   modules, each of which implements a specific authentication or
   privacy protocol respectively.

1.4.1. Timeliness Module

Section 3 (Elements of Procedure) uses the timeliness values in an SNMP message to do timeliness checking. The timeliness check is only performed if authentication is applied to the message. Since the complete message is checked for integrity, we can assume that the timeliness values in a message that passes the authentication module are trustworthy.

1.4.2. Authentication Protocol

Section 6 describes the HMAC-MD5-96 authentication protocol which is the first authentication protocol that MUST be supported with the User-based Security Model. Section 7 describes the HMAC-SHA-96 authentication protocol which is another authentication protocol that SHOULD be supported with the User-based Security Model. In the future additional or replacement authentication protocols may be defined as new needs arise. The User-based Security Model prescribes that, if authentication is used, then the complete message is checked for integrity in the authentication module. For a message to be authenticated, it needs to pass authentication check by the authentication module and the timeliness check which is a fixed part of this User-based Security model.

1.4.3. Privacy Protocol

Section 8 describes the CBC-DES Symmetric Encryption Protocol which is the first privacy protocol to be used with the User-based Security Model. In the future additional or replacement privacy protocols may be defined as new needs arise. The User-based Security Model prescribes that the scopedPDU is protected from disclosure when a message is sent with privacy. The User-based Security Model also prescribes that a message needs to be authenticated if privacy is in use.
Top   ToC   RFC3414 - Page 9

1.5. Protection against Message Replay, Delay and Redirection

1.5.1. Authoritative SNMP Engine

In order to protect against message replay, delay and redirection, one of the SNMP engines involved in each communication is designated to be the authoritative SNMP engine. When an SNMP message contains a payload which expects a response (those messages that contain a Confirmed Class PDU [RFC3411]), then the receiver of such messages is authoritative. When an SNMP message contains a payload which does not expect a response (those messages that contain an Unconfirmed Class PDU [RFC3411]), then the sender of such a message is authoritative.

1.5.2. Mechanisms

The following mechanisms are used: 1) To protect against the threat of message delay or replay (to an extent greater than can occur through normal operation), a set of timeliness indicators (for the authoritative SNMP engine) are included in each message generated. An SNMP engine evaluates the timeliness indicators to determine if a received message is recent. An SNMP engine may evaluate the timeliness indicators to ensure that a received message is at least as recent as the last message it received from the same source. A non-authoritative SNMP engine uses received authentic messages to advance its notion of the timeliness indicators at the remote authoritative source. An SNMP engine MUST also use a mechanism to match incoming Responses to outstanding Requests and it MUST drop any Responses that do not match an outstanding request. For example, a msgID can be inserted in every message to cater for this functionality. These mechanisms provide for the detection of authenticated messages whose time of generation was not recent. This protection against the threat of message delay or replay does not imply nor provide any protection against unauthorized deletion or suppression of messages. Also, an SNMP engine may not be able to detect message reordering if all the messages involved are sent within the Time Window interval. Other mechanisms defined independently of the security protocol can also be used to detect the re-ordering replay, deletion, or suppression of messages containing Set operations (e.g., the MIB variable snmpSetSerialNo [RFC3418]).
Top   ToC   RFC3414 - Page 10
   2) Verification that a message sent to/from one authoritative SNMP
      engine cannot be replayed to/as-if-from another authoritative SNMP
      engine.

      Included in each message is an identifier unique to the
      authoritative SNMP engine associated with the sender or intended
      recipient of the message.

      A message containing an Unconfirmed Class PDU sent by an
      authoritative SNMP engine to one non-authoritative SNMP engine can
      potentially be replayed to another non-authoritative SNMP engine.
      The latter non-authoritative SNMP engine might (if it knows about
      the same userName with the same secrets at the authoritative SNMP
      engine) as a result update its notion of timeliness indicators of
      the authoritative SNMP engine, but that is not considered a
      threat.  In this case, A Report or Response message will be
      discarded by the Message Processing Model, because there should
      not be an outstanding Request message.  A Trap will possibly be
      accepted.  Again, that is not considered a threat, because the
      communication was authenticated and timely.  It is as if the
      authoritative SNMP engine was configured to start sending Traps to
      the second SNMP engine, which theoretically can happen without the
      knowledge of the second SNMP engine anyway.  Anyway, the second
      SNMP engine may not expect to receive this Trap, but is allowed to
      see the management information contained in it.

   3) Detection of messages which were not recently generated.

      A set of time indicators are included in the message, indicating
      the time of generation.  Messages without recent time indicators
      are not considered authentic.  In addition, an SNMP engine MUST
      drop any Responses that do not match an outstanding request.  This
      however is the responsibility of the Message Processing Model.

   This memo allows the same user to be defined on multiple SNMP
   engines.  Each SNMP engine maintains a value, snmpEngineID, which
   uniquely identifies the SNMP engine.  This value is included in each
   message sent to/from the SNMP engine that is authoritative (see
   section 1.5.1).  On receipt of a message, an authoritative SNMP
   engine checks the value to ensure that it is the intended recipient,
   and a non-authoritative SNMP engine uses the value to ensure that the
   message is processed using the correct state information.

   Each SNMP engine maintains two values, snmpEngineBoots and
   snmpEngineTime, which taken together provide an indication of time at
   that SNMP engine.  Both of these values are included in an
   authenticated message sent to/received from that SNMP engine.  On
   receipt, the values are checked to ensure that the indicated
Top   ToC   RFC3414 - Page 11
   timeliness value is within a Time Window of the current time.  The
   Time Window represents an administrative upper bound on acceptable
   delivery delay for protocol messages.

   For an SNMP engine to generate a message which an authoritative SNMP
   engine will accept as authentic, and to verify that a message
   received from that authoritative SNMP engine is authentic, such an
   SNMP engine must first achieve timeliness synchronization with the
   authoritative SNMP engine.  See section 2.3.

1.6. Abstract Service Interfaces

Abstract service interfaces have been defined to describe the conceptual interfaces between the various subsystems within an SNMP entity. Similarly a set of abstract service interfaces have been defined within the User-based Security Model (USM) to describe the conceptual interfaces between the generic USM services and the self-contained authentication and privacy services. These abstract service interfaces are defined by a set of primitives that define the services provided and the abstract data elements that must be passed when the services are invoked. This section lists the primitives that have been defined for the User-based Security Model.

1.6.1. User-based Security Model Primitives for Authentication

The User-based Security Model provides the following internal primitives to pass data back and forth between the Security Model itself and the authentication service: statusInformation = authenticateOutgoingMsg( IN authKey -- secret key for authentication IN wholeMsg -- unauthenticated complete message OUT authenticatedWholeMsg -- complete authenticated message ) statusInformation = authenticateIncomingMsg( IN authKey -- secret key for authentication IN authParameters -- as received on the wire IN wholeMsg -- as received on the wire OUT authenticatedWholeMsg -- complete authenticated message )
Top   ToC   RFC3414 - Page 12

1.6.2. User-based Security Model Primitives for Privacy

The User-based Security Model provides the following internal primitives to pass data back and forth between the Security Model itself and the privacy service: statusInformation = encryptData( IN encryptKey -- secret key for encryption IN dataToEncrypt -- data to encrypt (scopedPDU) OUT encryptedData -- encrypted data (encryptedPDU) OUT privParameters -- filled in by service provider ) statusInformation = decryptData( IN decryptKey -- secret key for decrypting IN privParameters -- as received on the wire IN encryptedData -- encrypted data (encryptedPDU) OUT decryptedData -- decrypted data (scopedPDU) )


(page 12 continued on part 2)

Next Section