rfc1446.txt
Network Working Group                                          J. Galvin
Request for Comments: 1446                   Trusted Information Systems
                                                           K. McCloghrie
                                                      Hughes LAN Systems
                                                              April 1993

                         Security Protocols for
       version 2 of the Simple Network Management Protocol (SNMPv2)

Status of this Memo

   This RFC specifies an IAB standards track protocol for the Internet
   community, and requests discussion and suggestions for improvements.
   Please refer to the current edition of the "IAB Official Protocol
   Standards" for the standardization state and status of this protocol.
   Distribution of this memo is unlimited.

Table of Contents

   1 Introduction ..........................................   2
   1.1 A Note on Terminology ...............................   3
   1.2 Threats .............................................   4
   1.3 Goals and Constraints ...............................   5
   1.4 Security Services ...................................   6
   1.5 Mechanisms ..........................................   7
   1.5.1 Message Digest Algorithm ..........................   8
   1.5.2 Symmetric Encryption Algorithm ....................   9
   2 SNMPv2 Party ..........................................  11
   3 Digest Authentication Protocol ........................  14
   3.1 Generating a Message ................................  16
   3.2 Receiving a Message .................................  18
   4 Symmetric Privacy Protocol ............................  21
   4.1 Generating a Message ................................  21
   4.2 Receiving a Message .................................  22
   5 Clock and Secret Distribution .........................  24
   5.1 Initial Configuration ...............................  25
   5.2 Clock Distribution ..................................  28
   5.3 Clock Synchronization ...............................  29
   5.4 Secret Distribution .................................  31
   5.5 Crash Recovery ......................................  34
   6 Security Considerations ...............................  37
   6.1 Recommended Practices ...............................  37
   6.2 Conformance .........................................  39
   6.3 Protocol Correctness ................................  42

Galvin & McCloghrie                                            [Page i]

RFC 1446               Security Protocols for SNMPv2          April 1993

   6.3.1 Clock Monotonicity Mechanism ......................  43
   6.3.2 Data Integrity Mechanism ..........................  43
   6.3.3 Data Origin Authentication Mechanism ..............  44
   6.3.4 Restricted Administration Mechanism ...............  44
   6.3.5 Message Timeliness Mechanism ......................  45
   6.3.6 Selective Clock Acceleration Mechanism ............  46
   6.3.7 Confidentiality Mechanism .........................  47
   7 Acknowledgements ......................................  48
   8 References ............................................  49
   9 Authors' Addresses ....................................  51

1.  Introduction

   A network management system contains: several (potentially many)
   nodes, each with a processing entity, termed an agent, which has
   access to management instrumentation; at least one management
   station; and, a management protocol, used to convey management
   information between the agents and management stations.  Operations
   of the protocol are carried out under an administrative framework
   which defines both authentication and authorization policies.

   Network management stations execute management applications which
   monitor and control network elements.  Network elements are devices
   such as hosts, routers, terminal servers, etc., which are monitored
   and controlled through access to their management information.

   In the Administrative Model for SNMPv2 document [1], each SNMPv2
   party is, by definition, associated with a single authentication
   protocol and a single privacy protocol.  It is the purpose of this
   document, Security Protocols for SNMPv2, to define one such
   authentication and one such privacy protocol.

   The authentication protocol provides a mechanism by which SNMPv2
   management communications transmitted by the party may be reliably
   identified as having originated from that party.  The authentication
   protocol defined in this memo also reliably determines that the
   message received is the message that was sent.

   The privacy protocol provides a mechanism by which SNMPv2 management
   communications transmitted to said party are protected from
   disclosure.  The privacy protocol in this memo specifies that only
   authenticated messages may be protected from disclosure.

   These protocols are secure alternatives to the so-called "trivial"
   protocol defined in [2].  USE OF THE TRIVIAL PROTOCOL ALONE DOES NOT
   CONSTITUTE SECURE NETWORK MANAGEMENT.  THEREFORE, A NETWORK
   MANAGEMENT SYSTEM THAT IMPLEMENTS ONLY THE TRIVIAL PROTOCOL IS NOT
   CONFORMANT TO THIS SPECIFICATION.

   The Digest Authentication Protocol is described in Section 3.  It
   provides a data integrity service by transmitting a message digest -
   computed by the originator and verified by the recipient - with each
   SNMPv2 message.  The data origin authentication service is provided
   by prefixing the message with a secret value known only to the
   originator and recipient, prior to computing the digest.  Thus, data
   integrity is supported explicitly while data origin authentication is
   supported implicitly in the verification of the digest.

   The Symmetric Privacy Protocol is described in Section 4.  It
   protects messages from disclosure by encrypting their contents
   according to a secret cryptographic key known only to the originator
   and recipient.  The additional functionality afforded by this
   protocol is assumed to justify its additional computational cost.

   The Digest Authentication Protocol depends on the existence of
   loosely synchronized clocks between the originator and recipient of a
   message.  The protocol specification makes no assumptions about the
   strategy by which such clocks are synchronized.  Section 5.3 presents
   one strategy that is particularly suited to the demands of SNMP
   network management.

   Both protocols described here require the sharing of secret
   information between the originator of a message and its recipient.
   The protocol specifications assume the existence of the necessary
   secrets.  The selection of such secrets and their secure distribution
   to appropriate parties may be accomplished by a variety of
   strategies.  Section 5.4 presents one such strategy that is
   particularly suited to the demands of SNMP network management.

1.1.  A Note on Terminology

   For the purpose of exposition, the original Internet-standard Network
   Management Framework, as described in RFCs 1155, 1157, and 1212, is
   termed the SNMP version 1 framework (SNMPv1).  The current framework
   is termed the SNMP version 2 framework (SNMPv2).

1.2.  Threats

   Several of the classical threats to network protocols are applicable
   to the network management problem and therefore would be applicable
   to any SNMPv2 security protocol.  Other threats are not applicable to
   the network management problem.  This section discusses principal
   threats, secondary threats, and threats which are of lesser
   importance.

   The principal threats against which any SNMPv2 security protocol
   should provide protection are:

   Modification of Information

      The SNMPv2 protocol provides the means for management stations to
      interrogate and to manipulate the value of objects in a managed
      agent.  The modification threat is the danger that some party may
      alter in-transit messages generated by an authorized party in such
      a way as to effect unauthorized management operations, including
      falsifying the value of an object.

   Masquerade

      The SNMPv2 administrative model includes an access control model.
      Access control necessarily depends on knowledge of the origin of a
      message.  The masquerade threat is the danger that management
      operations not authorized for some party may be attempted by that
      party by assuming the identity of another party that has the
      appropriate authorizations.

   Two secondary threats are also identified.  The security protocols
   defined in this memo do provide protection against:

   Message Stream Modification

      The SNMPv2 protocol is based upon a connectionless transport
      service which may operate over any subnetwork service.  The re-
      ordering, delay or replay of messages can and does occur through
      the natural operation of many such subnetwork services.  The
      message stream modification threat is the danger that messages may
      be maliciously re-ordered, delayed or replayed to an extent which
      is greater than can occur through the natural operation of a
      subnetwork service, in order to effect unauthorized management
      operations.

   Disclosure

      The disclosure threat is the danger of eavesdropping on the
      exchanges between managed agents and a management station.
      Protecting against this threat is mandatory when the SNMPv2 is
      used to create new SNMPv2 parties [1] on which subsequent secure
      operation might be based.  Protecting against the disclosure
      threat may also be required as a matter of local policy.

   There are at least two threats that a SNMPv2 security protocol need
   not protect against.  The security protocols defined in this memo do
   not provide protection against:

   Denial of Service

      A SNMPv2 security protocol need not attempt to address the broad
      range of attacks by which service to authorized parties is denied.
      Indeed, such denial-of-service attacks are in many cases
      indistinguishable from the type of network failures with which any
      viable network management protocol must cope as a matter of
      course.

   Traffic Analysis

      In addition, a SNMPv2 security protocol need not attempt to
      address traffic analysis attacks.  Indeed, many traffic patterns
      are predictable - agents may be managed on a regular basis by a
      relatively small number of management stations - and therefore
      there is no significant advantage afforded by protecting against
      traffic analysis.

1.3.  Goals and Constraints

   Based on the foregoing account of threats in the SNMP network
   management environment, the goals of a SNMPv2 security protocol are
   enumerated below.

   (1)  The protocol should provide for verification that each received
        SNMPv2 message has not been modified during its transmission
        through the network in such a way that an unauthorized
        management operation might result.

   (2)  The protocol should provide for verification of the identity of
        the originator of each received SNMPv2 message.
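The secret-prefix digest mechanism that Section 1 describes (the Digest Authentication Protocol of Section 3), worked as an added example that is not code from the RFC: it shows how goal (1), integrity, and goal (2), origin authentication, both fall out of verifying one digest, and how a clock window addresses the message-stream-modification threat. SHARED_SECRET, LIFETIME_SECONDS, the timestamp-plus-payload field layout and the symmetric skew check are constructed simplifications for this example; the RFC's own timeliness rule, message fields and per-party lifetime parameter are defined in its later sections.

```python
import hashlib
import hmac  # used only for hmac.compare_digest (constant-time comparison)

# Constructed values for the example: the secret shared by originator and
# recipient, and the acceptable clock skew in seconds (assumed window).
SHARED_SECRET = b"example-shared-secret"
LIFETIME_SECONDS = 150


def compute_digest(secret: bytes, message: bytes) -> bytes:
    """Secret-prefix MD5 (RFC 1446's digest algorithm is MD5): the secret is
    prepended before hashing, so only a holder of the secret can produce a
    digest that verifies.  The secret itself is never transmitted."""
    return hashlib.md5(secret + message).digest()


def generate_message(secret: bytes, timestamp: int, payload: bytes) -> dict:
    """Originator side: bind the sender's clock reading and the payload under
    one digest.  The dict is a constructed stand-in for the wire format."""
    body = timestamp.to_bytes(4, "big") + payload
    return {"timestamp": timestamp, "payload": payload,
            "digest": compute_digest(secret, body)}


def receive_message(secret: bytes, now: int, msg: dict) -> str:
    """Recipient side: returns 'ok' or the reason for rejection.
    The digest check covers both modification (goal 1) and masquerade
    (goal 2); the clock check covers delay and replay of genuine messages."""
    body = msg["timestamp"].to_bytes(4, "big") + msg["payload"]
    expected = compute_digest(secret, body)
    if not hmac.compare_digest(expected, msg["digest"]):
        return "authentication failure"   # altered in transit or wrong secret
    if abs(now - msg["timestamp"]) > LIFETIME_SECONDS:
        return "not in lifetime"          # delayed or replayed outside window
    return "ok"


def demo() -> tuple:
    """Exercise the four cases: genuine, modified, masquerade, replayed."""
    good = generate_message(SHARED_SECRET, 1000, b"get sysUpTime")
    tampered = dict(good, payload=b"set sysName")          # payload altered
    forged = generate_message(b"wrong-secret", 1000, b"get sysUpTime")
    stale = generate_message(SHARED_SECRET, 1000, b"get sysUpTime")
    return (receive_message(SHARED_SECRET, 1010, good),
            receive_message(SHARED_SECRET, 1010, tampered),
            receive_message(SHARED_SECRET, 1010, forged),
            receive_message(SHARED_SECRET, 1600, stale))   # 600 s later


if __name__ == "__main__":
    print(demo())
```

The prefix construction above is what RFC 1446 specifies; a present-day design would use HMAC (RFC 2104) over the same inputs, which keeps the same one-check integrity-plus-origin property without the length-extension weakness of hashing secret||message directly.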