Computer Network Management - SNMPv3 Key Features

This content delves into SNMPv3, focusing on its key features, architecture, engine IDs, and more. Explore the modularization of architecture, security features, SNMP entity structures, and the importance of SNMP engine IDs in network management. Gain insights into the elements comprising SNMPv3 architecture and the unique identifiers associated with SNMP engines for authentication and encryption purposes.

  • Network Management
  • SNMPv3
  • Architecture
  • Security Features
  • Engine IDs

Uploaded on Feb 26, 2025



Presentation Transcript


  1. CT 1305 Computer Network Management: SNMPv3
     Dr. Mostafa H. Dahshan
     Department of Computer Engineering, College of Computer and Information Sciences, King Saud University
     mdahshan@ksu.edu.sa

  2. Acknowledgements
     Notes are based on the slides of: Network Management: Principles and Practice, 2E, Mani Subramanian.

  3. SNMPv3 Key Features
     • Modularization of documents
     • Modularization of architecture
     • SNMP engine
     • Security features

  4. SNMPv3 Architecture (Figure 7.2 SNMPv3 Architecture)
     SNMP entity
     • SNMP Engine (identified by snmpEngineID): Dispatcher, Message Processing Subsystem, Security Subsystem, Access Control Subsystem
     • Application(s): Command Generator, Command Responder, Notification Originator, Notification Receiver, Proxy Forwarder, Other

  5. SNMPv3 Architecture
     • An SNMP entity is a node with an SNMP management element: either an agent, a manager, or both
     • Three names are associated with an entity:
       • Entities: SNMP engine
       • Identities: principal and security name
       • Management information: context engine

  6. SNMP Engine ID
     • Each SNMP engine has a unique ID: snmpEngineID
     • Example: Acme Networks {enterprises 696}
       • SNMPv1 snmpEngineID: 000002b8 H
       • SNMPv3 snmpEngineID: 800002b8 H (the 1st octet is 1000 0000)
     • The engine ID is used with a hash function to generate the keys for authentication and encryption

  7. SNMPv3 Engine ID (Figure 7.3 SNMP Engine ID)
     • SNMPv1 / SNMPv2 layout: 1st bit = 0; Enterprise ID (octets 1-4); enterprise method (5th octet); function of the method (octets 6-12)
     • SNMPv3 layout: 1st bit = 1; Enterprise ID (octets 1-4); format indicator (5th octet); format (variable number of octets)

  8. SNMPv3 Engine ID
     Table 7.2 SNMPv3 Engine ID Format (5th octet)

       Value   Format                              Description
       0       Reserved, unused
       1       IPv4 address (4 octets)             Lowest non-special IP address
       2       IPv6 address (16 octets)            Lowest non-special IP address
       3       MAC address (6 octets)              Lowest IEEE MAC address, canonical order
       4       Text, administratively assigned     Maximum remaining length 27
       5       Octets, administratively assigned   Maximum remaining length 27
       6-127   Reserved, unused

  9. SNMPv3 Engine ID
     • For SNMPv1 and SNMPv2: octet 5 is the method; octets 6-12 are the IP address
     • Examples: IBM host with IP address 10.10.10.10
       • SNMPv1: 00 00 00 02 01 0A 0A 0A 0A 00 00 00
       • SNMPv3: 10 00 00 02 02 00 00 ... 00 00 00 0A 0A 0A 0A
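The two engine ID layouts from slides 7-9 and the format codes of Table 7.2 can be decoded mechanically. The Python below is an added example written for these notes, not code from the slides or from the textbook; it decodes an snmpEngineID into its enterprise number, format and value, rejects the reserved format codes, and builds SNMPv3-layout IDs. The function names, the `ENGINE_ID_FORMATS` table and the sample IDs (the Acme enterprise 696 from slide 6 with a constructed 10.10.10.10 address) are this example's own.

```python
import ipaddress

# Format codes carried in the 5th octet of an SNMPv3-layout engine ID (Table 7.2).
# Codes 0 and 6-127 are reserved; 128-255 are enterprise-specific and left opaque.
ENGINE_ID_FORMATS = {1: "ipv4", 2: "ipv6", 3: "mac", 4: "text", 5: "octets"}


def parse_engine_id(engine_id: bytes) -> dict:
    """Decode an snmpEngineID in either the SNMPv1/v2 or the SNMPv3 layout.

    The first bit of octet 1 selects the layout; the remaining 31 bits of
    octets 1-4 carry the enterprise number (696 = 0x2b8 for the Acme example).
    """
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("snmpEngineID must be 5 to 32 octets long")
    enterprise = int.from_bytes(engine_id[:4], "big") & 0x7FFFFFFF
    if not engine_id[0] & 0x80:
        # Old layout: octet 5 is the enterprise method, octets 6-12 its argument
        return {"layout": "v1/v2", "enterprise": enterprise,
                "method": engine_id[4], "argument": engine_id[5:12].hex()}
    fmt, body = engine_id[4], engine_id[5:]
    info = {"layout": "v3", "enterprise": enterprise, "format": fmt,
            "kind": ENGINE_ID_FORMATS.get(fmt, "enterprise-specific")}
    if fmt == 1 and len(body) == 4:
        info["value"] = str(ipaddress.IPv4Address(body))
    elif fmt == 2 and len(body) == 16:
        info["value"] = str(ipaddress.IPv6Address(body))
    elif fmt == 3 and len(body) == 6:
        info["value"] = ":".join(f"{b:02x}" for b in body)
    elif fmt == 4 and 1 <= len(body) <= 27:
        info["value"] = body.decode("ascii")
    elif fmt == 5 and 1 <= len(body) <= 27:
        info["value"] = body.hex()
    elif fmt >= 128:
        info["value"] = body.hex()          # enterprise-specific: not interpreted
    elif fmt == 0 or 6 <= fmt <= 127:
        raise ValueError(f"format {fmt} is reserved")
    else:
        raise ValueError(f"format {fmt} does not allow a {len(body)}-octet body")
    return info


def make_v3_engine_id(enterprise: int, fmt: int, body: bytes) -> bytes:
    """Build an SNMPv3-layout engine ID: set the first bit, then append format + body."""
    if not 0 < enterprise < 2 ** 31:
        raise ValueError("enterprise number must fit in 31 bits")
    return (enterprise | 0x80000000).to_bytes(4, "big") + bytes([fmt]) + body


if __name__ == "__main__":
    # Constructed sample: Acme Networks (enterprise 696), IPv4 format, host 10.10.10.10
    acme = make_v3_engine_id(696, 1, bytes([10, 10, 10, 10]))
    print(acme.hex(), parse_engine_id(acme))
```

Because the parser enforces the body lengths from Table 7.2, a receiver using it will reject an ID whose 5th octet claims IPv4 but whose body is not exactly four octets, rather than silently deriving keys from a malformed identifier.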

  10. SNMPv3 MIB (Figure 7.7 SNMPv3 MIB)
      snmpModules {1.3.6.1.6.3}
      • snmpFrameworkMIB (10)
      • snmpMPDMIB (11)
      • snmpTargetMIB (12)
      • snmpNotificationMIB (13)
      • snmpProxyMIB (14)
      • snmpUsmMIB (15)
      • snmpVacmMIB (16)
      Notes:
      • The SNMPv3 MIB is developed under snmpModules
      • The SNMPv2 security placeholder is not used

  11. SNMPv3 MIB

        MIB                                  Description
        snmpFrameworkMIB                     describes the SNMP management architecture
        snmpMPDMIB                           identifies objects in the message processing and dispatch subsystems
        snmpTargetMIB, snmpNotificationMIB   used for notification generation
        snmpProxyMIB                         defines the translation table for proxy forwarding
        snmpUsmMIB                           defines user-based security model objects
        snmpVacmMIB                          defines objects for view-based access control

  12. Security Threats
      • Modification of information: contents modified by an unauthorized user; does not include address change
      • Masquerade: message altered by an unauthorized user; change of originating address
      • Message stream modification: fragments of the message altered to modify the meaning of the message
      • Disclosure: eavesdropping; does not require interception of the message

  13. Security Threats (Figure 7.10 Security Threats to Management Information)
      Management Entity A <-> Management Entity B, with the four threats shown on the path: modification of information, masquerade, message stream modification, disclosure

  14. Security Services
      • Data integrity: HMAC-MD5-96 / HMAC-SHA-96
      • Data origin authentication: append a unique identifier associated with the authoritative SNMP engine
      • Privacy / confidentiality: encryption
      • Timeliness: authoritative engine ID, number of engine boots, and time in seconds

  15. Security Services (Figure 7.11 Security Services)
      Security Subsystem, invoked by the Message Processing Model:
      • Authentication Module: data integrity, data origin authentication
      • Privacy Module: data confidentiality
      • Timeliness Module: message timeliness and limited replay protection

  16. User-based Security Model
      • Based on the traditional user name concept
      • USM primitives across abstract service interfaces:
        • Authentication service primitives: authenticateOutgoingMsg, authenticateIncomingMsg
        • Privacy service primitives: encryptData, decryptData

  17. Secure Outgoing Message (Figure 7.13 Privacy and Authentication Service for Outgoing Message)
      • USM invokes the privacy module with the encryption key and the scopedPDU
      • The privacy module returns the privacy parameters and the encrypted scopedPDU
      • USM invokes the authentication module with the authentication key and the whole message
      • USM receives the authenticated whole message
      Figure 7.13 flow: Message Processing Model -> User-based Security Model (MPM information, header data, security data, scopedPDU) -> Privacy Module (encryption key, scopedPDU -> privacy parameters, encrypted scopedPDU) -> Authentication Module (authentication key, whole message -> authenticated whole message) -> Message Processing Model (security parameters, authenticated/encrypted whole message, whole message length)

  18. Secure Incoming Message (Figure 7.14 Privacy and Authentication Service for Incoming Message)
      • Processing a secure incoming message is the reverse of the secure outgoing message
      • Authentication validation is done first, by the authentication module
      • Decryption of the message is then done by the privacy module
      Figure 7.14 flow: Message Processing Model -> User-based Security Model (MPM information, header data, security parameters, whole message as received from the network) -> Authentication Module (authentication key, authentication parameters, whole message -> authenticated whole message) -> Privacy Module (decrypt key, privacy parameters, encrypted PDU -> decrypted scopedPDU) -> Message Processing Model (decrypted scopedPDU)
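Slides 6, 14, 17 and 18 describe three things the USM authentication path depends on: an authentication key derived from the user's password and localized with the authoritative engine ID, an HMAC-MD5-96 / HMAC-SHA-96 tag over the whole message, and a timeliness check on engine boots and time. The Python below is an added example for these notes, not code from the slides or the textbook. It implements the RFC 3414 password-to-key and key-localization steps and the 96-bit truncated HMAC, and pairs them with a minimal incoming check; the message framing (header || 12-octet authentication parameters || payload) and the names `sign_message`, `verify_message` and `is_timely` are constructed for this example and are not the real BER layout of an SNMPv3 message.

```python
import hashlib
import hmac

HMAC96_LEN = 12        # HMAC-MD5-96 / HMAC-SHA-96 keep the first 12 octets of the HMAC
TIME_WINDOW = 150      # seconds of clock skew tolerated by the RFC 3414 timeliness check


def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku: hash of the password repeated to 1 MiB (RFC 3414 A.2 password-to-key)."""
    h = hashlib.new(algo)
    reps, rem = divmod(1048576, len(password))
    h.update(password * reps + password[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul: bind Ku to one authoritative engine, Kul = H(Ku || snmpEngineID || Ku).
    A Kul stolen from one agent is useless against an agent with another engine ID."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def authenticate_outgoing_msg(kul: bytes, whole_msg: bytes, algo: str) -> bytes:
    """Authentication parameters for a message whose parameter field is still zeroed."""
    return hmac.new(kul, whole_msg, algo).digest()[:HMAC96_LEN]


def sign_message(kul: bytes, header: bytes, payload: bytes, algo: str) -> bytes:
    """Constructed framing: header || authParams(12) || payload; the HMAC is
    computed with the 12 parameter octets set to zero, then written into place."""
    zeroed = header + bytes(HMAC96_LEN) + payload
    return header + authenticate_outgoing_msg(kul, zeroed, algo) + payload


def verify_message(kul: bytes, whole_msg: bytes, header_len: int, algo: str) -> bool:
    """authenticateIncomingMsg: recompute the tag over the zeroed message and
    compare in constant time before anything is decrypted or dispatched."""
    received = whole_msg[header_len:header_len + HMAC96_LEN]
    zeroed = whole_msg[:header_len] + bytes(HMAC96_LEN) + whole_msg[header_len + HMAC96_LEN:]
    return hmac.compare_digest(authenticate_outgoing_msg(kul, zeroed, algo), received)


def is_timely(local_boots: int, local_time: int, msg_boots: int, msg_time: int) -> bool:
    """Authoritative-engine timeliness rule: same boot count, within the 150 s window,
    and the boot counter has not hit its ceiling (2^31 - 1 means 'stop using this key')."""
    if local_boots == 2 ** 31 - 1:
        return False
    return msg_boots == local_boots and abs(local_time - msg_time) <= TIME_WINDOW


if __name__ == "__main__":
    # RFC 3414 A.3 example inputs: password "maplesyrup", engine ID 00...02 (12 octets)
    engine_id = bytes.fromhex("000000000000000000000002")
    kul = localize_key(password_to_key(b"maplesyrup", "sha1"), engine_id, "sha1")
    msg = sign_message(kul, b"HDR", b"encrypted-scopedPDU", "sha1")   # constructed message
    print(kul.hex(), verify_message(kul, msg, 3, "sha1"))
```

The ordering in `verify_message` mirrors slide 18: integrity and origin are checked on the whole message first, so a forged or modified datagram is dropped before the privacy module spends any work on it, and `is_timely` gives the replay window that makes a captured, still-valid tag useless after 150 seconds or a reboot.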

  19. Access Control: View-based Access Control Model
      • Groups: the name of the group comprising the security model and security name (in SNMPv1, the group is the community name)
      • Security level: no authentication - no privacy; authentication - no privacy; authentication - privacy
      • Contexts: names of the context

  20. Access Control
      • MIB views and view families: a MIB view is a combination of view subtrees
      • Access policy: read-view, write-view, notify-view, not-accessible

  21. VACM Process
      Answers 6 questions:
      1. Who are you (group)?
      2. Where do you want to go (context)?
      3. How secured are you to access the information (security model and security level)?
      4. Why do you want to access the information (read, write, or send notification)?
      5. What object (object type) do you want to access?
      6. Which object (object instance) do you want to access?

  22. VACM MIB (Figure 7.17 VACM MIB)
      snmpVacmMIB (snmpModules 16)
        vacmMIBObjects (1)
          vacmContextTable (1)
          vacmSecurityToGroupTable (2)
          vacmAccessTable (4)
          vacmMIBViews (5)
            vacmViewSpinLock (1)
            vacmViewTreeFamilyAccessTable (2)

  23. MIB Views
      • Simple view: system, 1.3.6.1.2.1.1
      • Complex view: all information relevant to a particular interface (system and interfaces groups)
      • Family view subtrees: a view with all columnar objects in a row, which appear as separate subtrees
      • An OBJECT IDENTIFIER (family name) is paired with a bit-string value (family mask) to select or suppress columnar objects

  24. VACM MIB View (Figure 7.18 VACM Access Table)
      vacmAccessTable (vacmMIBObjects 4)
        vacmAccessEntry (1)
          vacmAccessContextPrefix (1)
          vacmAccessSecurityModel (2)
          vacmAccessSecurityLevel (3)
          vacmAccessContextMatch (4)
          vacmAccessReadViewName (5)
          vacmAccessWriteViewName (6)
          vacmAccessNotifyViewName (7)
          vacmAccessStorageType (8)
          vacmAccessStatus (9)

  25. VACM MIB View Examples
      • Family view name = system
      • Family subtree = 1.3.6.1.2.1.1
      • Family mask = (empty; implies all 1s by convention)
      • Family type = 1 (implies the value is to be included)
      More examples are available in the tutorial.
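Slides 19-25 describe the VACM decision as six questions answered from the access table and the view-tree family table, with the family mask selecting columnar objects. The Python below is an added example for these notes, not code from the slides or the textbook. It models a view family (subtree, mask, included/excluded), applies the matching rule from the VACM MIB (mask bits beyond the mask length count as 1; among matching families the longest subtree wins, ties going to the lexicographically greatest) and answers the access question for a request; the context question is left out by assuming a single default context, and the `ViewFamily`/`AccessEntry` classes, the `is_allowed` helper and the sample groups and views are constructed for this example. The "interface-2" view goes beyond slide 25's simple example by using a mask to admit every column of one ifTable row.

```python
from dataclasses import dataclass

SECURITY_LEVELS = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}


def parse_oid(dotted: str) -> tuple:
    return tuple(int(x) for x in dotted.split("."))


@dataclass
class ViewFamily:
    """One row of the view-tree family table (constructed model)."""
    subtree: tuple
    mask: bytes = b""          # empty mask = all 1s by convention (slide 25)
    included: bool = True      # family type 1 = included, 2 = excluded

    def mask_bit(self, i: int) -> int:
        # bits past the end of the mask are treated as 1 (match required)
        if i >= 8 * len(self.mask):
            return 1
        return (self.mask[i // 8] >> (7 - i % 8)) & 1

    def matches(self, oid: tuple) -> bool:
        if len(oid) < len(self.subtree):
            return False
        return all(self.mask_bit(i) == 0 or oid[i] == self.subtree[i]
                   for i in range(len(self.subtree)))


def oid_in_view(view: list, oid: tuple) -> bool:
    """Most specific matching family decides: longest subtree, then greatest subtree."""
    best = None
    for fam in view:
        if fam.matches(oid) and (best is None or
                                 (len(fam.subtree), fam.subtree) > (len(best.subtree), best.subtree)):
            best = fam
    return best is not None and best.included


@dataclass
class AccessEntry:
    """One row of vacmAccessTable for a group (constructed model)."""
    min_level: str
    read_view: str = ""        # empty view name = not-accessible for that operation
    write_view: str = ""
    notify_view: str = ""


def is_allowed(access: dict, views: dict, group: str, level: str, op: str, oid: tuple) -> bool:
    """Answer the VACM questions for one request (single default context assumed)."""
    entry = access.get(group)
    if entry is None:                                             # 1: who are you?
        return False
    if SECURITY_LEVELS[level] < SECURITY_LEVELS[entry.min_level]:  # 3: how secured?
        return False
    view_name = {"read": entry.read_view, "write": entry.write_view,
                 "notify": entry.notify_view}[op]                  # 4: why?
    if not view_name:
        return False                                              # not-accessible
    return oid_in_view(views.get(view_name, []), oid)             # 5 and 6: what, which


# Constructed sample configuration
VIEWS = {
    "system": [ViewFamily(parse_oid("1.3.6.1.2.1.1"))],
    "mib2-no-system": [ViewFamily(parse_oid("1.3.6.1.2.1")),
                       ViewFamily(parse_oid("1.3.6.1.2.1.1"), included=False)],
    # ifTable row 2, any column: subtree 1.3.6.1.2.1.2.2.1.<col>.2 with the
    # 10th mask bit cleared (0xff 0xa0 = 1111 1111 1010 0000)
    "interface-2": [ViewFamily(parse_oid("1.3.6.1.2.1.2.2.1.0.2"), mask=b"\xff\xa0")],
}
ACCESS = {
    "operators": AccessEntry("authNoPriv", read_view="system"),
    "netadmins": AccessEntry("authPriv", read_view="mib2-no-system", write_view="interface-2"),
}

if __name__ == "__main__":
    print(is_allowed(ACCESS, VIEWS, "operators", "authNoPriv", "read", parse_oid("1.3.6.1.2.1.1.1.0")))
```

The "mib2-no-system" view shows why the longest-match rule matters: an excluded family nested inside an included one carves a hole rather than being overridden, and the "interface-2" mask admits ifSpeed.2 while refusing ifSpeed.3, which is what the slide 23 remark about selecting columnar objects with a family mask refers to.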
