Comparison of Proposals for Integrated Security Models for SNMP
Uri Blumenthal, Lakshminath Dondeti, Randy Presuhn (Ed.), Eric Rescorla
Purpose
• Summary of the “first” eval team’s work
• Goals of this presentation
  • Quick review of the eval I-D
  • Go through the recommendations
  • Determine WG consensus on each recommendation
  • Establish a baseline
• Some things have changed
  • There may be another eval process
  • But let us discuss all that at the end of this presentation
Proposed protocols
• EUSM: External User Security Model [I-D.kaushik-snmp-external-usm]
• SBSM: Session Based Security Model [I-D.hardaker-snmp-session-sm]
• TLSM: Transport Layer Security Model [I-D.schoenw-snmp-tlsm]
Goals of the evaluation
• Two problems with USM
  • No key management (the major reason)
  • Replay protection is suspect
• Our main criterion is the key management piece
• The WG’s goal is to create a security model for SNMPv3 that will meet the security and operational needs of network administrators:
  • maximize usability in operational environments
  • achieve high deployment success
  • minimize implementation and deployment costs
  • use existing and commonly deployed security infrastructure
External USM model (diagram): the Manager and the Managed device each run an SNMP Engine with USM. A separate Key mgmt component on each side performs key establishment with its peer, and the resulting keys are handed to USM; the SNMP traffic itself flows USM-encapsulated between the two SNMP engines.
Session-based security model (diagram): the Manager and the Managed device each run an SNMP Engine with USM, with an SBSM component on each side alongside USM; the session is negotiated between the two SBSM components.
Transport Layer Security model (diagram): the Manager and the Managed device each run an SNMP Engine with USM and a TLSM component, and TLSM on each side sits on top of a Security layer that carries the traffic between the two devices.
Evaluation
• Architectural view
  • Conclusion: TLSM integrates well with RFC 3411
• Supported security infrastructures
  • Suggestion: generic framework, with AAA and Kerberos as use cases
• VACM integration
  • Suggestion: EUSM’s user-to-group mapping
• Session keys and PFS
  • Conclusion: no clear consensus on this in the eval team
Evaluation (continued)
• Number of security levels per session
  • Suggestion: 1
• Caching user/session state
  • Suggestion: configurable
• Reuse of IETF security protocols
  • Suggestion: please reuse and avoid redesign if at all possible
Summary
• None of the proposals is the “best”
• However, EUSM with enhancements from the other proposals, and others suggested in the eval I-D, is the best course forward
  • Leaves the USM model intact
  • Integrates well with an existing auth infrastructure
  • Reuses existing protocols
• We suggest better integration with RFC 3411 à la TLSM
• See the I-D for a more complete list
Would like to gauge consensus on
• Develop a key management protocol for USM vs. design a new protocol (parallel to USM)