Network Working Group                                  G. Waters, Editor
Request for Comments: 1910                   Bell-Northern Research Ltd.
Category: Experimental                                     February 1996


                  User-based Security Model for SNMPv2

Status of this Memo

   This memo defines an Experimental Protocol for the Internet
   community.  This memo does not specify an Internet standard of any
   kind.  Discussion and suggestions for improvement are requested.
   Distribution of this memo is unlimited.

Table of Contents

   1. Introduction ................................................    2
   1.1 Threats ....................................................    3
   1.2 Goals and Constraints ......................................    4
   1.3 Security Services ..........................................    5
   1.4 Mechanisms .................................................    5
   1.4.1 Digest Authentication Protocol ...........................    7
   1.4.2 Symmetric Encryption Protocol ............................    8
   2. Elements of the Model .......................................   10
   2.1 SNMPv2 Users ...............................................   10
   2.2 Contexts and Context Selectors .............................   11
   2.3 Quality of Service (qoS) ...................................   13
   2.4 Access Policy ..............................................   13
   2.5 Replay Protection ..........................................   13
   2.5.1 agentID ..................................................   14
   2.5.2 agentBoots and agentTime .................................   14
   2.5.3 Time Window ..............................................   15
   2.6 Error Reporting ............................................   15
   2.7 Time Synchronization .......................................   16
   2.8 Proxy Error Propagation ....................................   16
   2.9 SNMPv2 Messages Using this Model ...........................   16
   2.10 Local Configuration Datastore (LCD) .......................   18
   3. Elements of Procedure .......................................   19
   3.1 Generating a Request or Notification .......................   19
   3.2 Processing a Received Communication ........................   20
   3.2.1 Additional Details .......................................   28
   3.2.1.1 ASN.1 Parsing Errors ...................................   28
   3.2.1.2 Incorrectly Encoded Parameters .........................   29
   3.2.1.3 Generation of a Report PDU .............................   29
   3.2.1.4 Cache Timeout ..........................................   29
   3.3 Generating a Response ......................................   30
   4. Discovery ...................................................   30
   5. Definitions .................................................   31
   5.1 The USEC Basic Group .......................................   32
   5.2 Conformance Information ....................................   35
   5.2.1 Compliance Statements ....................................   35
   5.2.2 Units of Conformance .....................................   35
   6. Security Considerations .....................................   36
   6.1 Recommended Practices ......................................   36
   6.2 Defining Users .............................................   37
   6.3 Conformance ................................................   38
   7. Editor's Address ............................................   38
   8. Acknowledgements ............................................   39
   9. References ..................................................   39
   Appendix A Installation ........................................   41
   Appendix A.1 Agent Installation Parameters .....................   41
   Appendix A.2 Password to Key Algorithm .........................   43
   Appendix A.3 Password to Key Sample ............................   44

Waters                        Experimental                      [Page 1]

RFC 1910          User-based Security Model for SNMPv2     February 1996


1.  Introduction

   A management system contains:  several (potentially many) nodes, each
   with a processing entity, termed an agent, which has access to
   management instrumentation; at least one management station; and, a
   management protocol, used to convey management information between
   the agents and management stations.  Operations of the protocol are
   carried out under an administrative framework which defines
   authentication, authorization, access control, and privacy policies.

   Management stations execute management applications which monitor and
   control managed elements.  Managed elements are devices such as
   hosts, routers, terminal servers, etc., which are monitored and
   controlled via access to their management information.

   The Administrative Infrastructure for SNMPv2 document [1] defines an
   administrative framework which realizes effective management in a
   variety of configurations and environments.

   In this administrative framework, a security model defines the
   mechanisms used to achieve an administratively-defined level of
   security for protocol interactions.  Although many such security
   models might be defined, it is the purpose of this document, User-
   based Security Model for SNMPv2, to define the first, and, as of this
   writing, only, security model for this administrative framework.

   This administrative framework includes the provision of an access
   control model.  The enforcement of access rights requires the means
   to identify the entity on whose behalf a request is generated.  This
   SNMPv2 security model identifies an entity on whose behalf an SNMPv2
   message is generated as a "user".

1.1.  Threats

   Several of the classical threats to network protocols are applicable
   to the network management problem and therefore would be applicable
   to any SNMPv2 security model.  Other threats are not applicable to
   the network management problem.  This section discusses principal
   threats, secondary threats, and threats which are of lesser
   importance.

   The principal threats against which this SNMPv2 security model should
   provide protection are:

Modification of Information
     The modification threat is the danger that some unauthorized entity
     may alter in-transit SNMPv2 messages generated on behalf of an
     authorized user in such a way as to effect unauthorized management
     operations, including falsifying the value of an object.

Masquerade
     The masquerade threat is the danger that management operations not
     authorized for some user may be attempted by assuming the identity
     of another user that has the appropriate authorizations.

   Two secondary threats are also identified.  The security protocols
   defined in this memo do provide protection against:

Message Stream Modification
     The SNMPv2 protocol is typically based upon a connectionless
     transport service which may operate over any subnetwork service.
     The re-ordering, delay or replay of messages can and does occur
     through the natural operation of many such subnetwork services.
     The message stream modification threat is the danger that messages
     may be maliciously re-ordered, delayed or replayed to an extent
     which is greater than can occur through the natural operation of a
     subnetwork service, in order to effect unauthorized management
     operations.

Disclosure
     The disclosure threat is the danger of eavesdropping on the
     exchanges between managed agents and a management station.
     Protecting against this threat may be required as a matter of local
     policy.

   There are at least two threats that an SNMPv2 security protocol need
   not protect against.  The security protocols defined in this memo do
   not provide protection against:

Denial of Service
     An SNMPv2 security protocol need not attempt to address the broad
     range of attacks by which service on behalf of authorized users is
     denied.  Indeed, such denial-of-service attacks are in many cases
     indistinguishable from the type of network failures with which any
     viable network management protocol must cope as a matter of course.

Traffic Analysis
     In addition, an SNMPv2 security protocol need not attempt to
     address traffic analysis attacks.  Indeed, many traffic patterns
     are predictable - agents may be managed on a regular basis by a
     relatively small number of management stations - and therefore
     there is no significant advantage afforded by protecting against
     traffic analysis.

1.2.  Goals and Constraints

   Based on the foregoing account of threats in the SNMP network
   management environment, the goals of this SNMPv2 security model are
   as follows.

(1)  The protocol should provide for verification that each received
     SNMPv2 message has not been modified during its transmission
     through the network in such a way that an unauthorized management
     operation might result.

(2)  The protocol should provide for verification of the identity of the
     user on whose behalf a received SNMPv2 message claims to have been
     generated.

(3)  The protocol should provide for detection of received SNMPv2
     messages, which request or contain management information, whose
     time of generation was not recent.

(4)  The protocol should provide, when necessary, that the contents of
     each received SNMPv2 message are protected from disclosure.

   In addition to the principal goal of supporting secure network
   management, the design of this SNMPv2 security model is also
   influenced by the following constraints:

(1)  When the requirements of effective management in times of network
     stress are inconsistent with those of security, the design should
     prefer the former.

(2)  Neither the security protocol nor its underlying security
     mechanisms should depend upon the ready availability of other
     network services (e.g., Network Time Protocol (NTP) or key
     management protocols).

(3)  A security mechanism should entail no changes to the basic SNMP
     network management philosophy.

1.3.  Security Services

   The security services necessary to support the goals of an SNMPv2
   security model are as follows.

Data Integrity
     is the provision of the property that data has not been altered or
     destroyed in an unauthorized manner, nor have data sequences been
     altered to an extent greater than can occur non-maliciously.

Data Origin Authentication
     is the provision of the property that the claimed identity of the
     user on whose behalf received data was originated is corroborated.

Data Confidentiality
     is the provision of the property that information is not made
     available or disclosed to unauthorized individuals, entities, or
     processes.

   For the protocols specified in this memo, it is not possible to
   assure the specific originator of a received SNMPv2 message; rather,
   it is the user on whose behalf the message was originated that is
   authenticated.

   For these protocols, it is not possible to obtain data integrity
   without data origin authentication, nor is it possible to obtain data
   origin authentication without data integrity.  Further, there is no
   provision for data confidentiality without both data integrity and
   data origin authentication.

   The security protocols used in this memo are considered acceptably
   secure at the time of writing.  However, the procedures allow for new
   authentication and privacy methods to be specified at a future time
   if the need arises.

1.4.  Mechanisms

   The security protocols defined in this memo employ several types of
   mechanisms in order to realize the goals and security services
   described above:

  -  In support of data integrity, a message digest algorithm is
     required.  A digest is calculated over an appropriate portion of an
     SNMPv2 message and included as part of the message sent to the
     recipient.

  -  In support of data origin authentication and data integrity, a
     secret value is both inserted into, and appended to, the SNMPv2
     message prior to computing the digest; the inserted value is
     overwritten prior to transmission, and the appended value is not
     transmitted.  The secret value is shared by all SNMPv2 entities
     authorized to originate messages on behalf of the appropriate user.

  -  To protect against the threat of message delay or replay (to an
     extent greater than can occur through normal operation), a set of
     time (at the agent) indicators and a request-id are included in
     each message generated.  An SNMPv2 agent evaluates the time
     indicators to determine if a received message is recent.  An SNMPv2
     manager evaluates the time indicators to ensure that a received
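   The following is an added worked example of the two mechanisms just
   described (the secret inserted into and appended to the message before
   digesting, and the agent-side timeliness check); it is illustration
   code written for this page, not code from the memo or from any SNMPv2
   implementation.  The message layout (agentBoots and agentTime as two
   big-endian 32-bit fields followed by a 16-byte digest field and the
   rest of the message), the use of MD5 as the digest algorithm, the
   16-byte secret, and the `window` argument are all assumptions of this
   example; the memo's actual encoding and its time-window value are in
   later sections not reproduced on this page.

```python
import hashlib
import hmac
import struct

# Assumed layout for this example only: agentBoots and agentTime as two
# big-endian 32-bit integers, then the digest field, then the rest of the
# message.  The memo's real message format is defined in later sections.
TIME_FMT = "!II"
DIGEST_OFFSET = struct.calcsize(TIME_FMT)   # 8
DIGEST_LEN = hashlib.md5().digest_size      # 16; the secret is the same size


def build_message(agent_boots, agent_time, payload):
    """Constructed sample message with an all-zero digest field."""
    return struct.pack(TIME_FMT, agent_boots, agent_time) + bytes(DIGEST_LEN) + payload


def time_fields(msg):
    """Return (agentBoots, agentTime) from a message built as above."""
    return struct.unpack(TIME_FMT, msg[:DIGEST_OFFSET])


def _keyed_digest(msg, secret):
    """Digest over the message with the secret *inserted* in the digest
    field and *appended* after the message, as section 1.4 describes.
    Whatever currently sits in the digest field is ignored, so the same
    function serves both sender and receiver."""
    if len(secret) != DIGEST_LEN:
        raise ValueError("secret must be %d bytes" % DIGEST_LEN)
    head = msg[:DIGEST_OFFSET]
    tail = msg[DIGEST_OFFSET + DIGEST_LEN:]
    # MD5 is assumed here; the digest algorithm itself is specified in 1.4.1.
    return hashlib.md5(head + secret + tail + secret).digest()


def authenticate(msg, secret):
    """Sender side: the inserted secret is overwritten by the digest before
    transmission; the appended copy of the secret is never transmitted."""
    digest = _keyed_digest(msg, secret)
    return msg[:DIGEST_OFFSET] + digest + msg[DIGEST_OFFSET + DIGEST_LEN:]


def verify(msg, secret):
    """Receiver side: recompute with the shared secret and compare in
    constant time.  Any change to the head, the tail or the digest field,
    or a wrong secret, makes this return False."""
    received = msg[DIGEST_OFFSET:DIGEST_OFFSET + DIGEST_LEN]
    return hmac.compare_digest(received, _keyed_digest(msg, secret))


def is_recent(local_boots, local_time, msg, window):
    """Agent-side timeliness check of section 1.4: the message must carry
    the agent's current boot count and a time within `window` seconds of
    the agent's clock.  `window` is a parameter of this example; the
    memo's own value is in section 2.5.3, which is not on this page."""
    boots, tm = time_fields(msg)
    return boots == local_boots and abs(local_time - tm) <= window


if __name__ == "__main__":
    secret = bytes(range(DIGEST_LEN))                 # constructed shared secret
    wire = authenticate(build_message(7, 1000, b"get sysUpTime.0"), secret)
    print("authentic:", verify(wire, secret))         # True
    forged = bytearray(wire)
    forged[-1] ^= 0x01                                # flip one payload bit
    print("tampered accepted:", verify(bytes(forged), secret))   # False
    print("recent at boots=7, time=1100:", is_recent(7, 1100, wire, 150))
    print("recent after reboot (boots=8):", is_recent(8, 1100, wire, 150))
```

   Note the design point this makes visible: the digest binds the time
   indicators and the payload to the secret, but the receiver's
   acceptance depends on both checks.  A bit-exact replay of `wire`
   still verifies, and is rejected only by `is_recent` once the agent's
   boot count or clock has moved outside the window.  The insert-and-
   append construction is the one the memo describes; it is not HMAC,
   and a design written today would use HMAC with a modern hash instead.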
