Scribd Logo
Upload

Welcome to Scribd!

  • Chapter6-SNMP-V3 - V2 - V1 Network Management

    Uploaded by

    94aku
    116 views21 pages
    SNMPv3 uses MD5 and DES as "symmetric" i.e., private key mechanisms. Snmpv2c uses a symmetric key mechanism to encrypt messages. Nsnmpv3 uses asymmetric key mechanisms, e.g., ciphertext encryption.

    Original Description:

    Original Title

    Chapter6-SNMP-V3_V2_V1 Network Management

    Copyright

    © © All Rights Reserved

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    SNMPv3 uses MD5 and DES as "symmetric" i.e., private key mechanisms. Snmpv2c uses a symmetric key mechanism to encrypt messages. Nsnmpv3 uses asymmetric key mechanisms, e.g., ciphertext encryption.

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    116 views21 pages

    Chapter6-SNMP-V3 - V2 - V1 Network Management

    Uploaded by

    94aku
    SNMPv3 uses MD5 and DES as "symmetric" i.e., private key mechanisms. Snmpv2c uses a symmetric key mechanism to encrypt messages. Nsnmpv3 uses asymmetric key mechanisms, e.g., ciphertext encryption.

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 21

    SNMP Update

    Please see www.snmp.com/jdctutorial.ppt for slides

    Topics:
    Introduction Differences

    between SNMPv1, SNMPv2c, and

    SNMPv3

    Advantages of SNMPv3 over SNMPv1 and SNMPv2c Disadvantages of SNMPv3

    Protocol Versions: Summary Picture


    Simple-Based Management SNMPv1
    Party-based SNMPv2 Common

    SNMPv3
    SNMPv2*

    SNMPv2

    SNMPv2c

    SNMPv2u

    Management Information Definitions (MIB Documents)

    RFC 1155 Format

    RFC 1212/1215 Format

    RFC 1442-4 Format

    RFC 1902-4 Format

    RFC 2578-80 Format

    New Features of SNMPv2c


    Expanded

    data types: 64-bit counters Improved efficiency and performance: get-bulk operator Confirmed event notifications: inform operator Richer error handling: errors and exceptions Improved sets: especially row creation/deletion Transport independence: IP, Appletalk, IPX, ... Etc.

    New Features of SNMPv3


    New

    features inherited from SNMPv2c, plus Security and Administration

    New Features of SNMPv3 Inherited from SNMPv2c


    The

    list we just saw

    Expanded data types: 64-bit counters Improved efficiency and performance: get-bulk operator Confirmed event notifications: inform operator Richer error handling: errors and exceptions Improved sets: especially row creation/deletion Transport independence: IP, AppleTalk, IPX, ... Etc.
    Plus

    ...
    7

    Features of SNMPv3: Security and Administrative Framework


    Security

    authentication privacy

    Administration

    Authorization and view-based access control Logical contexts Naming of entities, identities, and information People and policies Usernames and key management Notification destinations and proxy relationships Remotely configurable via SNMP operations
    8

    Security Threats and Mechanisms


    Threats

    protected against by SNMPv3:

    1. Masquerade/data origin authentication: interloper assumes the identity of a sender to gain its privileges. 2. Modification of information/data integrity: alteration of in-transit messages. 3. Message stream modification: messages are reordered, delayed, or replayed 4. Disclosure/data confidentiality: privileged information is obtained via eavesdropping on messages.

    Security Mechanisms
    SNMPv3

    uses MD5 and DES as symmetric, i.e., private key mechanisms (MD5 = Message Digest Algorithm 5, RFC 1321) (DES = Data Encryption Standard)

    10

    SNMPv3 User-based Authentication Mechanism


    Based

    on:

    MD5 message digest algorithm in HMAC


    indirectly provides data origin authentication directly defends against data modification attacks uses private key known by both sender and receiver 16 byte key 128 bit digest (truncated to 96 bits)

    SHA an optional alternative algorithm Loosely synchronized monotonically increasing time indicator values

    defends against certain message stream modification attacks


    11

    SNMPv3 User-based Privacy Mechanism


    Based

    on:

    Symmetric encryption used Data Encryption Standard (DES) Cipher Block Chaining (CBC) mode
    provides privacy / protection against disclosure uses encryption subject to export and use restrictions in many jurisdictions

    16 byte key (8 bytes DES key, 8 byte DES initialization vector) Multiple levels of compliance with respect to DES due to problems associated with international use
    12

    Advantages of SNMPv3
    So What? Who Cares?

    Good Things Operators and Administrators will like in SNMPv3


    Able

    to practice safe sets

    Configuration / Control / Provisioning No longer mere monitoring Able to augment or replace proprietary CLI over Telnet Via standards-based solutions providing
    Commercial-grade industrial strength security Authentication and Privacy

    14

    Good Things Operators and Administrators will like in SNMPv3 (Contd)


    Now

    able to distribute management out to intelligent agents and mid-level managers


    Important for scalability Keep local management traffic local Shorter feedback loops with lower latency

    15

    Good Things Operators and Administrators will like in SNMPv3 (Contd)


    Better

    Notifications:

    Traps
    Spray and pray The only option in SNMPv1

    Informs
    Send, wait for acknowledgement Retry count and retry interval Added in SNMPv2c but with problems Problems fixed in SNMPv3

    Standard MIB objects to configure Source-side notification suppression


    16

    Good Things Operators and Administrators will like in SNMPv3 (Contd)


    Source

    Side Notification Suppression

    Too many resources spent on uninteresting notification messages, e.g., unwanted traps and informs
    Notification generation Notification transmission and delivery Notification logging Notification filtering

    SNMPv3 allows you to use a standard MIB and standards-based tools to turn unwanted notifications off at the source You will really like this
    17

    Good Things Operators and Administrators will like in SNMPv3 (Contd)


    Better

    performance

    The Awesome getBulk operator works better with SNMPv3


    Less latency and lower overhead through a smaller number of larger packets One to three orders of magnitude faster than SNMPv1 getNext operator (typically two) Negotiates maximum message size correctly

    Counter64

    No need to poll as often

    New

    features eliminate need for gross hacks

    e.g., logical contexts


    18

    Good Things Operators and Administrators will like in SNMPv3 (Contd)


    Better

    error handling:

    In a Get Request with 10 items requested and one is unavailable:


    In SNMPv1, returns in an error with no partial results In SNMPv2/3, results in 9/10 good values and one exception

    In a Set Request, if something fails:


    In SNMPv1, results in a No In SNMPv2/3, results in a No-because

    19

    Disadvantages of SNMPv3
    Security

    is expensive

    More to configure and administer


    Unlocked doors are more convenient to use Community strings were relatively easy to administer Off-the-shelf tools help

    More overhead
    Message headers longer and more complex Cryptographic calculations can increase CPU load approximately 20-ish percent It will run slower, it will run much slower if softwarebased DES is used, especially if implemented in Java

    Some machines do not have the hardware assets, but almost all do: NO EXCUSES
    20

    Disadvantages of SNMPv3 (Contd)


    Export

    and international usage considerations Incomplete product support


    Some vendors claim customers (i.e., you) dont care about security

    Agents better than manager stations and applications

    SNMPv3 code often less mature and shaken out

    21

    Conclusion: What is SNMPv3?


    Newest

    version of the Internet-standard Management Framework What SNMPv2 should have been - builds on the good Compatible with the SMI and MIB you use now Important enabling technology for configuration and control: adds security and administration for safe sets Security: authentication and privacy Administration: logical contexts, view-based access control, remote configuration Available now
    22

    You might also like