Network Working Group G. Waters, Editor
Request for Comments: 1910 Bell-Northern Research Ltd.
Category: Experimental February 1996
User-based Security Model for SNMPv2
Status of this Memo
This memo defines an Experimental Protocol for the Internet
community. This memo does not specify an Internet standard of any
kind. Discussion and suggestions for improvement are requested.
Distribution of this memo is unlimited.
Table of Contents
1. Introduction ................................................ 2
1.1 Threats .................................................... 3
1.2 Goals and Constraints ...................................... 4
1.3 Security Services .......................................... 5
1.4 Mechanisms ................................................. 5
1.4.1 Digest Authentication Protocol ........................... 7
1.4.2 Symmetric Encryption Protocol ............................ 8
2. Elements of the Model ....................................... 10
2.1 SNMPv2 Users ............................................... 10
2.2 Contexts and Context Selectors ............................. 11
2.3 Quality of Service (qoS) ................................... 13
2.4 Access Policy .............................................. 13
2.5 Replay Protection .......................................... 13
2.5.1 agentID .................................................. 14
2.5.2 agentBoots and agentTime ................................. 14
2.5.3 Time Window .............................................. 15
2.6 Error Reporting ............................................ 15
2.7 Time Synchronization ....................................... 16
2.8 Proxy Error Propagation .................................... 16
2.9 SNMPv2 Messages Using this Model ........................... 16
2.10 Local Configuration Datastore (LCD) ....................... 18
3. Elements of Procedure ....................................... 19
3.1 Generating a Request or Notification ....................... 19
3.2 Processing a Received Communication ........................ 20
3.2.1 Additional Details ....................................... 28
3.2.1.1 ASN.1 Parsing Errors ................................... 28
3.2.1.2 Incorrectly Encoded Parameters ......................... 29
3.2.1.3 Generation of a Report PDU ............................. 29
3.2.1.4 Cache Timeout .......................................... 29
3.3 Generating a Response ...................................... 30
4. Discovery ................................................... 30
5. Definitions ................................................. 31
Waters Experimental [Page 1]
RFC 1910 User-based Security Model for SNMPv2 February 1996
4.1 The USEC Basic Group ....................................... 32
4.2 Conformance Information .................................... 35
4.2.1 Compliance Statements .................................... 35
4.2.2 Units of Conformance ..................................... 35
6. Security Considerations ..................................... 36
6.1 Recommended Practices ...................................... 36
6.2 Defining Users ............................................. 37
6.3 Conformance ................................................ 38
7. Editor's Address ............................................ 38
8. Acknowledgements ............................................ 39
9. References .................................................. 39
Appendix A Installation ........................................ 41
Appendix A.1 Agent Installation Parameters ..................... 41
Appendix A.2 Password to Key Algorithm ......................... 43
Appendix A.3 Password to Key Sample ............................ 44
1. Introduction
A management system contains: several (potentially many) nodes, each
with a processing entity, termed an agent, which has access to
management instrumentation; at least one management station; and, a
management protocol, used to convey management information between
the agents and management stations. Operations of the protocol are
carried out under an administrative framework which defines
authentication, authorization, access control, and privacy policies.
Management stations execute management applications which monitor and
control managed elements. Managed elements are devices such as
hosts, routers, terminal servers, etc., which are monitored and
controlled via access to their management information.
The Administrative Infrastructure for SNMPv2 document [1] defines an
administrative framework which realizes effective management in a
variety of configurations and environments.
In this administrative framework, a security model defines the
mechanisms used to achieve an administratively-defined level of
security for protocol interactions. Although many such security
models might be defined, it is the purpose of this document, User-
based Security Model for SNMPv2, to define the first, and, as of this
writing, only, security model for this administrative framework.
This administrative framework includes the provision of an access
control model. The enforcement of access rights requires the means
to identify the entity on whose behalf a request is generated. This
SNMPv2 security model identifies an entity on whose behalf an SNMPv2
message is generated as a "user".
1.1. Threats
Several of the classical threats to network protocols are applicable
to the network management problem and therefore would be applicable
to any SNMPv2 security model. Other threats are not applicable to
the network management problem. This section discusses principal
threats, secondary threats, and threats which are of lesser
importance.
The principal threats against which this SNMPv2 security model should
provide protection are:
Modification of Information
The modification threat is the danger that some unauthorized entity
may alter in-transit SNMPv2 messages generated on behalf of an
authorized user in such a way as to effect unauthorized management
operations, including falsifying the value of an object.
Masquerade
The masquerade threat is the danger that management operations not
authorized for some user may be attempted by assuming the identity
of another user that has the appropriate authorizations.
Two secondary threats are also identified. The security protocols
defined in this memo do provide protection against:
Message Stream Modification
The SNMPv2 protocol is typically based upon a connectionless
transport service which may operate over any subnetwork service.
The re-ordering, delay or replay of messages can and does occur
through the natural operation of many such subnetwork services.
The message stream modification threat is the danger that messages
may be maliciously re-ordered, delayed or replayed to an extent
which is greater than can occur through the natural operation of a
subnetwork service, in order to effect unauthorized management
operations.
Disclosure
The disclosure threat is the danger of eavesdropping on the
exchanges between managed agents and a management station.
Protecting against this threat may be required as a matter of local
policy.
There are at least two threats that an SNMPv2 security protocol need
not protect against. The security protocols defined in this memo do
not provide protection against:
Denial of Service
An SNMPv2 security protocol need not attempt to address the broad
range of attacks by which service on behalf of authorized users is
denied. Indeed, such denial-of-service attacks are in many cases
indistinguishable from the type of network failures with which any
viable network management protocol must cope as a matter of course.
Traffic Analysis
In addition, an SNMPv2 security protocol need not attempt to
address traffic analysis attacks. Indeed, many traffic patterns
are predictable - agents may be managed on a regular basis by a
relatively small number of management stations - and therefore
there is no significant advantage afforded by protecting against
traffic analysis.
1.2. Goals and Constraints
Based on the foregoing account of threats in the SNMP network
management environment, the goals of this SNMPv2 security model are
as follows.
(1) The protocol should provide for verification that each received
SNMPv2 message has not been modified during its transmission
through the network in such a way that an unauthorized management
operation might result.
(2) The protocol should provide for verification of the identity of the
user on whose behalf a received SNMPv2 message claims to have been
generated.
(3) The protocol should provide for detection of received SNMPv2
messages, which request or contain management information, whose
time of generation was not recent.
(4) The protocol should provide, when necessary, that the contents of
each received SNMPv2 message are protected from disclosure.
In addition to the principal goal of supporting secure network
management, the design of this SNMPv2 security model is also
influenced by the following constraints:
(1) When the requirements of effective management in times of network
stress are inconsistent with those of security, the design should
prefer the former.
(2) Neither the security protocol nor its underlying security
mechanisms should depend upon the ready availability of other
network services (e.g., Network Time Protocol (NTP) or key
management protocols).
(3) A security mechanism should entail no changes to the basic SNMP
network management philosophy.
1.3. Security Services
The security services necessary to support the goals of an SNMPv2
security model are as follows.
Data Integrity
is the provision of the property that data has not been altered or
destroyed in an unauthorized manner, nor have data sequences been
altered to an extent greater than can occur non-maliciously.
Data Origin Authentication
is the provision of the property that the claimed identity of the
user on whose behalf received data was originated is corroborated.
Data Confidentiality
is the provision of the property that information is not made
available or disclosed to unauthorized individuals, entities, or
processes.
For the protocols specified in this memo, it is not possible to
assure the specific originator of a received SNMPv2 message; rather,
it is the user on whose behalf the message was originated that is
authenticated.
For these protocols, it is not possible to obtain data integrity without
data origin authentication, nor is it possible to obtain data origin
authentication without data integrity. Further, there is no
provision for data confidentiality without both data integrity and
data origin authentication.
The security protocols used in this memo are considered acceptably
secure at the time of writing. However, the procedures allow for new
authentication and privacy methods to be specified at a future time
if the need arises.
1.4. Mechanisms
The security protocols defined in this memo employ several types of
mechanisms in order to realize the goals and security services
described above:
- In support of data integrity, a message digest algorithm is
required. A digest is calculated over an appropriate portion of an
SNMPv2 message and included as part of the message sent to the
recipient.
- In support of data origin authentication and data integrity, a
secret value is both inserted into, and appended to, the SNMPv2
message prior to computing the digest; the inserted value is
overwritten prior to transmission, and the appended value is not
transmitted. The secret value is shared by all SNMPv2 entities
authorized to originate messages on behalf of the appropriate user.
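As an added illustration (not code from the RFC), the following Python sketch shows the digest mechanism described above: the shared secret is placed in the digest field and appended to the message before hashing, the field is then overwritten with the digest, and the appended copy is never sent. It assumes a constructed, simplified message layout rather than the real SNMPv2 encoding, and uses MD5 because that is the digest the RFC's authentication protocol specifies.

```python
import hashlib
import hmac

DIGEST_LEN = 16  # MD5 digest length; RFC 1910's digest protocol uses MD5

# Constructed, simplified wire layout (not the real SNMPv2 ASN.1 encoding):
#   header | 16-byte digest field | payload
HEADER = b"\x00\x00\x00\x01"  # constructed stand-in for the message header
FIELD_OFF = len(HEADER)


def _digest(header: bytes, key: bytes, payload: bytes) -> bytes:
    """Digest over the message with the key in the digest field and appended."""
    return hashlib.md5(header + key + payload + key).digest()


def authenticate(key: bytes, payload: bytes) -> bytes:
    """Sender side: emit header | digest | payload. The key itself is never sent."""
    if len(key) != DIGEST_LEN:
        raise ValueError("key must be 16 bytes")
    return HEADER + _digest(HEADER, key, payload) + payload


def verify(key: bytes, message: bytes) -> bool:
    """Receiver side: restore the key into the field, append it, and recompute."""
    if len(message) < FIELD_OFF + DIGEST_LEN:
        return False
    header = message[:FIELD_OFF]
    received = message[FIELD_OFF:FIELD_OFF + DIGEST_LEN]
    payload = message[FIELD_OFF + DIGEST_LEN:]
    # constant-time comparison so the check itself leaks nothing about the digest
    return hmac.compare_digest(received, _digest(header, key, payload))


def demo() -> dict:
    key = bytes(range(16))  # constructed sample key shared by the user's entities
    other = bytes(16)       # constructed key of some other user
    msg = authenticate(key, b"get sysUpTime.0")
    # Modification threat: one payload byte altered in transit
    tampered = msg[:-1] + bytes([msg[-1] ^ 0x01])
    # Masquerade threat: a message built without the user's key
    forged = authenticate(other, b"set sysName.0")
    return {
        "genuine": verify(key, msg),
        "modified": verify(key, tampered),
        "masquerade": verify(key, forged),
        "key_in_message": key in msg,
    }
```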