SNMPv3 Architecture Overview

The document discusses SNMPv3 architecture and features. It introduces key enhancements in SNMPv3 including modularization, definition of an SNMP engine, and new security features. It then provides details on the SNMP architecture, describing components like the dispatcher, message processing subsystem, and security subsystem. It explains the roles and functions of these components in both the manager and agent. Finally, it introduces concepts like the snmpEngineID and abstract service interfaces used to define interactions between modules.


In the Name of the Most High

SNMPv3

by Dr. Angelito F. Argete
2nd Sem 2020-2021
Key Features of SNMPv3
 Modularization of documentation and architecture
 – Enables SNMPv1 and SNMPv2 to be used alongside the newly developed SNMPv3.
 SNMP engine defined
 – A model for the processing of SNMP messages.
 New security features
 – Secures management information against tampering (message integrity, origin authentication, confidentiality).
 – Access control to determine proper access to the MIB.

Documentation

SNMP Architecture
[Figure: an SNMP entity consists of SNMP applications (command generator, command responder, notification originator, notification receiver, proxy forwarder, other) on top of an SNMP engine made up of a dispatcher, a message processing subsystem, a security subsystem and an access control subsystem.]
SNMPv3 Architecture-Manager
[Figure: manager entity. Applications: command generator, notification receiver, notification originator. Engine: dispatcher (PDU dispatcher, message dispatcher, transport mappings), message processing subsystem (SNMPv1, SNMPv2c, SNMPv3, other), security subsystem (community-based security model, user-based security model, other).]
SNMP Engine (identified by snmpEngineID): Dispatcher, Message Processing Subsystem, Security Subsystem

Dispatcher
 One dispatcher in an SNMP engine
o Accepts PDUs from applications
o Handles messages of multiple versions (SNMPv1, v2c, v3)
o Interfaces with application modules, the network, and the message processing models
 Three components for three functions
o Transport mapper: delivers messages over the transport protocol (e.g., UDP)
o Message dispatcher: routes messages between the network and the appropriate model of the Message Processing Subsystem (MPS), based on the version carried in the message header
o PDU dispatcher: handles PDUs between the applications and the MPS
Message Processing Subsystem
 Accepts outgoing PDUs from the Dispatcher, attaches the appropriate header, and returns the message to the Dispatcher
 Accepts incoming messages, processes each message header, and returns the enclosed PDU to the Dispatcher
 Contains one or more Message Processing Models, one for each SNMP version
 The SNMP version is identified in the message header (msgVersion), which is how the dispatcher selects the model
Security Subsystem
 Performs authentication and encryption functions for each outgoing and incoming message
 Outgoing: the PDU may be encrypted and an authentication code generated and placed in the message header (security parameters)
o The message is then returned to the MPS
 Incoming: the message is passed to the security subsystem
o Message authenticated (integrity and data origin checked first)
o Message decrypted (only after the authentication check succeeds)
SNMPv3 Architecture-Agent
[Figure: agent entity. The Management Information Base sits above an access control subsystem (view-based access control). Applications: command responder, notification originator, proxy forwarder. Engine: dispatcher (PDU dispatcher, message dispatcher, transport mappings), message processing subsystem (SNMPv1, SNMPv2c, SNMPv3, other), security subsystem (community-based security model, user-based security model, other).]
 Command Responder Application
o Provides access to management data
o Responds to incoming requests by retrieving and/or setting managed objects and issuing a Response PDU
 Notification Originator Application
o Generates asynchronous notifications, e.g., SNMPv1 and v2 Trap PDUs
 Proxy Forwarder Application
o Forwards messages between entities
 Access Control Subsystem
o Provides authorization services to control access to the MIB for reading and setting managed objects
o Who can access (the principal/securityName making the request)
o What can be accessed (the MIB view the principal is allowed to see)
Terminology: snmpEngineID
[Figure: four SNMP entities, each containing an SNMP engine with a distinct snmpEngineID (1, 2, 3, 4) alongside its other components.]
 Each SNMP engine is uniquely identified by its snmpEngineID within an administrative domain
Abstract Service Interfaces
 An abstract service interface is a conceptual interface between modules, independent of implementation
 Defines a set of primitives
o A primitive specifies the function to be performed (e.g., a procedural call)
o Each primitive is associated with the module that receives and services it
o An interface defined using primitives and their parameters is referred to as an "abstract service interface"
 e.g., Dispatcher primitives:
o Handle PDUs to and from applications
o Register and unregister application modules
o Transmit messages to and receive messages from the network
 Parameters are IN (supplied by the caller) and OUT (returned to the caller)
 Status information / result is returned by every primitive
Dispatcher Primitives: sendPdu
[Figure: Command Generator --sendPdu--> Dispatcher --prepareOutgoingMessage--> Message Processing Model; the Dispatcher returns a sendPduHandle or an errorIndication to the Command Generator across the abstract service interface.]
 Used by a command generator (or notification originator) to send an SNMP request or notification PDU to another SNMP entity
 When the Dispatcher successfully prepares the message:
o a sendPduHandle (unique identifier) is returned, used to track the response if one is expected
 The application also provides the transport domain and address for the PDU, as well as the message processing model, security model, principal (securityName), level of security, the context for this PDU, and the PDU itself
Dispatcher Primitives: processResponsePdu
[Figure: the Message Processing Model hands the incoming response to the Dispatcher, which invokes processResponsePdu on the Command Generator.]
 Used by the Dispatcher to pass an incoming response PDU to an application
 The application checks whether it matches a preceding request or notification PDU by comparing the sendPduHandle
 Success or failure (statusInformation) is reported to the application
Dispatcher Primitives: processPdu and returnResponsePdu
[Figure: Dispatcher --processPdu--> Command Responder; Command Responder --returnResponsePdu--> Dispatcher --prepareResponseMessage--> Message Processing Model.]
processPdu
 Used by the Dispatcher to pass an incoming request or notification PDU to an application (command responder)
 Security-related information (securityModel, securityName, securityLevel) is passed along because it is required to generate a matching response message
 The access control subsystem (isAccessAllowed) checks whether access is permitted, and the response is generated accordingly

returnResponsePdu
 Used by a command responder to return an SNMP response PDU in reply to an incoming request or notification
Message Processing Subsystem Primitives: prepareOutgoingMessage
 Prepares a message for an outgoing SNMP request or notification PDU
 The IN parameter is the PDU and the OUT parameter is the message (wholeMsg)
 Success or failure is returned
Message Processing Subsystem Primitives: prepareResponseMessage
 Requests the preparation of a message containing an outgoing SNMP response PDU, in response to an incoming request or notification PDU
Security Subsystem Primitives
generateRequestMessage
 Generates a message containing an outgoing SNMP request or notification PDU
 Returns to the MPS the message (with authentication and/or encryption applied, according to the requested securityLevel) and the associated security parameters

processIncomingMessage
 Provides the security processing for incoming messages (authentication check, timeliness check, decryption)
 Returns success or failure indicating the result of the security check
 If successful, the scopedPDU is returned to the MPS

generateResponseMessage
 Generates a message containing an outgoing SNMP response PDU in response to an incoming request or notification
 Returns to the MPS the message (with authentication and/or encryption applied) and the associated security parameters
Applications
[Figure: application types: command generator, command responder, notification originator, notification receiver, proxy forwarder, other.]

Application Example
• Command generator: get-request
• Command responder: get-response
• Notification originator: trap generation
• Notification receiver: trap processing
• Proxy forwarder: get-bulk to get-next translation (between SNMP versions only)
• Other: special applications
Command Generator
[Figure: Command Generator --sendPdu--> Dispatcher --prepareOutgoingMessage--> Message Processing Model --generateRequestMsg--> Security Model; the sendPduHandle is returned and the get-request message is sent to the network. The get-response message received from the network passes through prepareDataElements (Message Processing Model) and processIncomingMsg (Security Model) and is delivered to the Command Generator via processResponsePdu.]

Command Generator: processing the response
1) Examine the parameters of the received PDU and match/compare them with a cached copy of the request's parameters (security model/level/name, contextName, etc.). If there is no match, the message is discarded.
2) Check the received PDU (request-id matches the outstanding request, etc.).
3) If all checks pass, take action on the response.
Command Responder
[Figure: the get-request message arrives from the network and passes through prepareDataElements (Message Processing Model) and processIncomingMsg (Security Model) before the Dispatcher delivers it via processPdu. The response returns through returnResponsePdu, prepareResponseMsg and generateResponseMsg, and the get-response message is sent to the network.]

Command Responder: processPdu
1) Examine the content of the request PDU. Check whether the contextEngineID has been registered with the responder (registerContextEngineID).
2) Invoke the isAccessAllowed primitive (to determine whether the object can be accessed by the principal making the request).
 check the security level of the request
3) If access is permitted, prepare a response and return it with returnResponsePdu.

Figure 7.6 Command Responder Application


Scenario Diagrams
[Figure sequence: the same architecture diagram (Applications, Access Control Subsystem, Dispatcher, Security Subsystem, Message Processing Subsystem on both the manager and the agent side) is shown once per step, highlighting the primitive invoked at that step.]
Request path (manager side): sendPdu → prepareOutgoingMessage → generateRequestMsg → send and receive
Request path (agent side): prepareDataElements → processIncomingMsg → processPdu → isAccessAllowed
Response path (agent side): returnResponsePdu → prepareResponseMessage → generateResponseMsg → send and receive
Response path (manager side): prepareDataElements → processIncomingMsg → processResponsePdu

Parameters passed across the abstract service interfaces:
contextEngineID, contextName, destTransportAddress, destTransportDomain, expectResponse, globalData, maxMessageSize, maxSizeResponseScopedPDU, messageProcessingModel, outgoingMessage, outgoingMessageLength, PDU, pduType, pduVersion, scopedPDU, stateReference, statusInformation, securityEngineID, securityLevel, securityModel, securityName, securityParameters, securityStateReference, sendPduHandle, transportAddress, transportDomain, variableName, viewType, wholeMsg, wholeMsgLength
Message Format
[Figure: SNMPv3 message layout.]
Whole message:
  Version (msgVersion; 3 for SNMPv3)
  Global/Header Data: Message ID, Message Max. Size, Message Flags (reportableFlag, privFlag, authFlag), Message Security Model (1 = SNMPv1 community-based, 2 = SNMPv2c community-based, 3 = user-based security model)
  Security Parameters (for USM): Authoritative Engine ID, Authoritative Engine Boots, Authoritative Engine Time, User Name, Authentication Parameters, Privacy Parameters
  Plaintext / Encrypted scopedPDU Data: Context Engine ID, Context Name, Data (the PDU)
The authentication code covers the whole message; encryption covers only the scopedPDU.
The authoritative engine boots and time fields provide time synchronization between entities to avoid message replay and achieve timeliness.
Message Format

Field                           Object name             Description
Version                         msgVersion              SNMP version number of the message format
Message ID                      msgID                   Administrative ID associated with the message
Message Max. Size               msgMaxSize              Maximum message size supported by the sender
Message flags                   msgFlags                Bit fields identifying report, authentication, and privacy of the message
Message Security Model          msgSecurityModel        Security model used for the message; concurrent multiple models allowed
Security Parameters             msgSecurityParameters   Security parameters used for communication between sending and receiving security modules (See Table 7.8)
Plaintext/Encrypted scopedPDU   scopedPduData           Choice of plaintext or encrypted scopedPDU; the scopedPDU uniquely identifies the context and the PDU
Context Engine ID               contextEngineID         Unique ID of the SNMP engine that realizes the context (managed entity)
Context Name                    contextName             Name of the context (managed entity) within that engine
PDU data                        data                    Contains the unencrypted PDU
See p. 304
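The header and security-parameter layout above, as an added example that is not part of the slides: a minimal BER codec (INTEGER, OCTET STRING, SEQUENCE) that builds an SNMPv3 message from the fields in the table and parses it back, rejecting the combinations RFC 3412 forbids (privFlag without authFlag, privFlag inconsistent with the scopedPduData choice, msgMaxSize below 484). The engine ID, the user name "opuser", the boots/time values and the empty GetRequest-PDU are constructed sample values, not taken from the slides.

```python
# Minimal BER codec and SNMPv3 message framing (RFC 3412 / RFC 3414).
# Added example, not code from the slides. Engine ID, user name and the
# GetRequest-PDU below are constructed sample values.

SNMPV3_VERSION = 3        # msgVersion for SNMPv3 (SNMPv1 = 0, SNMPv2c = 1)
USM_SECURITY_MODEL = 3    # msgSecurityModel: 1 = v1 community, 2 = v2c community, 3 = USM
FLAG_AUTH, FLAG_PRIV, FLAG_REPORTABLE = 0x01, 0x02, 0x04   # msgFlags bits
MIN_MAX_SIZE = 484        # RFC 3412: msgMaxSize is at least 484 octets


def _length(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def ber_int(v):
    # Two's-complement, shortest encoding (a 0x00 prefix keeps positives positive)
    return ber_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def ber_octets(b):
    return ber_tlv(0x04, b)


def ber_seq(*items):
    return ber_tlv(0x30, b"".join(items))


def ber_decode(buf, pos=0):
    """Decode one TLV at pos -> (tag, value, end). A SEQUENCE decodes to a list of (tag, value)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    if tag == 0x30:
        items = []
        while pos < end:
            t, v, pos = ber_decode(buf, pos)
            items.append((t, v))
        return tag, items, end
    if tag == 0x02:
        return tag, int.from_bytes(buf[pos:end], "big", signed=True), end
    return tag, bytes(buf[pos:end]), end


def build_usm_params(engine_id, boots, time, user, auth_params=b"\x00" * 12, priv_params=b""):
    """msgSecurityParameters for USM; auth params stay zero-filled until the HMAC is computed."""
    return ber_seq(ber_octets(engine_id), ber_int(boots), ber_int(time),
                   ber_octets(user), ber_octets(auth_params), ber_octets(priv_params))


def build_scoped_pdu(context_engine_id, context_name, pdu):
    return ber_seq(ber_octets(context_engine_id), ber_octets(context_name), pdu)


def build_v3_message(msg_id, max_size, flags, sec_params, scoped_pdu_data):
    header = ber_seq(ber_int(msg_id), ber_int(max_size),
                     ber_octets(bytes([flags])), ber_int(USM_SECURITY_MODEL))
    return ber_seq(ber_int(SNMPV3_VERSION), header, ber_octets(sec_params), scoped_pdu_data)


def parse_v3_message(msg):
    """Return header and USM fields; raise ValueError on combinations RFC 3412 declares invalid."""
    tag, items, _ = ber_decode(msg)
    if tag != 0x30 or items[0][1] != SNMPV3_VERSION:
        raise ValueError("not an SNMPv3 message")
    hdr = items[1][1]
    flags = hdr[2][1][0]
    if (flags & FLAG_PRIV) and not (flags & FLAG_AUTH):
        raise ValueError("privFlag set without authFlag")          # RFC 3412 section 7.2
    if hdr[1][1] < MIN_MAX_SIZE:
        raise ValueError("msgMaxSize below 484")
    if hdr[3][1] != USM_SECURITY_MODEL:
        raise ValueError("unsupported msgSecurityModel %d" % hdr[3][1])
    encrypted = items[3][0] == 0x04            # encryptedPDU is an OCTET STRING, plaintext a SEQUENCE
    if bool(flags & FLAG_PRIV) != encrypted:
        raise ValueError("privFlag does not match the scopedPduData choice")
    _, usm, _ = ber_decode(items[2][1])        # security parameters are BER nested in an OCTET STRING
    return {
        "msgID": hdr[0][1], "msgMaxSize": hdr[1][1],
        "authFlag": bool(flags & FLAG_AUTH), "privFlag": bool(flags & FLAG_PRIV),
        "reportableFlag": bool(flags & FLAG_REPORTABLE), "scopedPduEncrypted": encrypted,
        "msgAuthoritativeEngineID": usm[0][1], "msgAuthoritativeEngineBoots": usm[1][1],
        "msgAuthoritativeEngineTime": usm[2][1], "msgUserName": usm[3][1],
        "msgAuthenticationParameters": usm[4][1], "msgPrivacyParameters": usm[5][1],
    }


def is_valid_message(msg):
    try:
        parse_v3_message(msg)
        return True
    except (ValueError, IndexError):
        return False


# Constructed sample values (not from the slides)
ENGINE_ID = bytes.fromhex("8000000001c0a80001")   # RFC 3411 format 1 engine ID: IPv4 192.168.0.1
SAMPLE_PDU = ber_tlv(0xA0, ber_int(1) + ber_int(0) + ber_int(0) + ber_seq())   # GetRequest, id 1, no varbinds


def sample_message(flags=FLAG_AUTH | FLAG_REPORTABLE, encrypted=False):
    usm = build_usm_params(ENGINE_ID, boots=7, time=1234, user=b"opuser")
    scoped = build_scoped_pdu(ENGINE_ID, b"", SAMPLE_PDU)
    data = ber_octets(b"\x00" * 16) if encrypted else scoped   # placeholder ciphertext when privFlag is set
    return build_v3_message(42, 65507, flags, usm, data)
```

The parse rejects a priv-only message before any key material is touched, which is the order a receiver wants: msgFlags and msgSecurityModel are checked in the message processing model, and only then is the USM asked to authenticate and decrypt.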
Security Threats
[Figure: two management entities A and B; the threats on the exchange between them are modification of information, masquerade, message stream modification and disclosure.]

Modification of Information
 An entity may alter in-transit SNMP messages generated on behalf of an authorized principal in such a way as to effect unauthorized management operations, including falsifying the value of an object

Masquerade
 Management operations not authorized for some entity may be attempted by assuming the identity of another entity that has the appropriate authorizations

Message Stream Modification
 SNMP is typically based upon a connectionless transport service (UDP). Messages may be maliciously re-ordered, delayed or replayed in order to effect unauthorized management operations
o For example, a message to reboot a system could be copied and replayed later

Disclosure
 Eavesdropping on, or intercepting, the exchanges between SNMP engines

SNMPv3 is not intended to secure against these two threats:

Denial of Service
 An attacker may prevent exchanges between manager and agent
 DoS is indistinguishable from network element failures
 DoS may disrupt all services (not just those pertaining to network management)

Traffic Analysis
 An attacker may observe the general pattern of traffic between managers and agents
Security Model Goals
o Data integrity
o Data origin authentication
o Protection against message redirection, re-ordering, delay and replay (timeliness)
o Data confidentiality (encryption/decryption)
Security Model
[Figure: the Security Subsystem sits beside the Message Processing Model and contains three modules: the Authentication Module (data integrity, data origin authentication), the Privacy Module (data confidentiality) and the Timeliness Module (message timeliness and limited replay protection).]
 The security model authenticates (and, if requested, encrypts or decrypts) incoming and outgoing messages and passes them to/from the MPM
 3 different modules
o Authentication module
o Privacy module
o Timeliness module
Authentication Module
 Data integrity
o Message authentication code computed at the sender and validated at the receiver
o Ensures that a message is not modified by an unauthorized intruder
o Authentication protocols: HMAC-MD5-96 / HMAC-SHA-96
 Data origin authentication
o Verifies the identity of the user (principal) on whose behalf a message is sent
o The message carries the unique identifier of the authoritative SNMP engine (msgAuthoritativeEngineID) together with the user name (msgUserName); both are covered by the authentication code
Privacy Module
 Data confidentiality ensures that data is not made available to unauthorized users or entities
 Encryption is applied at the sender and decryption at the receiver (CBC-DES); only the scopedPDU is encrypted, the message header and security parameters stay in the clear
Timeliness Module
 Prevents message redirection, delay and replay
 The receiver accepts a message only within a configured time window (150 s for SNMPv3)
 Three objects: snmpEngineID, snmpEngineBoots, snmpEngineTime
Authoritative vs. non-authoritative engine
[Figure: Non-Authoritative Engine (NMS) exchanging messages with Authoritative Engine (Agent).]
 Responsibility of the authoritative engine
o Unique SNMP engine ID
o Time-stamp (a clock maintained by the authoritative engine: snmpEngineBoots and snmpEngineTime)
 The non-authoritative engine keeps a table of the time-stamp and the authoritative engine ID
o Synchronizes its clock with that of the authoritative engine
 Which side is authoritative depends on the message: the receiver of a request (Get, GetNext, GetBulk, Set) and the sender of a Trap is authoritative, so the agent is authoritative for those exchanges; for an Inform the receiving manager is authoritative (RFC 3414)
User-based Security Model (USM)
 USM primitives across abstract service interfaces
o Authentication service primitives
 – authenticateOutgoingMsg
 – authenticateIncomingMsg
o Privacy service primitives
 – encryptData (outgoing scopedPDU)
 – decryptData (incoming scopedPDU)
User-based Security Model (USM)
[Figure: privacy and authentication service for an outgoing message. The MPM passes header data, security data and the scopedPDU to the USM; the USM passes the encryption key and the scopedPDU to the Privacy Module, which returns the privacy parameters and the encrypted scopedPDU; the USM then passes the authentication key and the whole message to the Authentication Module, which returns the authenticated whole message; the whole message, its length and the security parameters are returned to the MPM.]

Privacy and Authentication Service for Outgoing Message
 USM invokes the privacy module with the encryption key and the scopedPDU
 The privacy module returns the privacy parameters (msgPrivacyParameters) and the encrypted scopedPDU
 USM then invokes the authentication module with the authentication key and the whole message, and receives the authenticated whole message (the MAC is placed in msgAuthenticationParameters)
 Order matters: encryption happens first, so the authentication code covers the ciphertext and the header
User-based Security Model (USM)
[Figure: privacy and authentication service for an incoming message. The MPM passes header data, security parameters and the whole message as received from the network to the USM; the USM passes the authentication key and the whole message to the Authentication Module, which returns the authenticated whole message; the USM then passes the decryption key, the privacy parameters and the encrypted PDU to the Privacy Module, which returns the decrypted scopedPDU.]

 Processing a secure incoming message is the reverse of the outgoing case
 Authentication validation is done first by the authentication module (the MAC in msgAuthenticationParameters is compared against the value recomputed over the received message)
 Decryption of the scopedPDU is then done by the privacy module; a message that fails authentication is never decrypted
User-based Security Model (USM)

Security Parameters and Corresponding MIB Objects

Security Parameter              USM User Group Objects
msgAuthoritativeEngineID        snmpEngineID (under snmpEngine Group)
msgAuthoritativeEngineBoots     snmpEngineBoots (under snmpEngine Group)
msgAuthoritativeEngineTime      snmpEngineTime (under snmpEngine Group)
msgUserName                     usmUserName (in usmUserTable)
msgAuthenticationParameters     usmUserAuthProtocol (in usmUserTable)
msgPrivacyParameters            usmUserPrivProtocol (in usmUserTable)

 msgUserName: user or principal on whose behalf the message is being exchanged
 msgAuthenticationParameters: defined by the authentication protocol (the 96-bit HMAC value for HMAC-MD5-96 / HMAC-SHA-96)
 msgPrivacyParameters: defined by the privacy protocol (for CBC-DES, the salt used to form the IV)
SNMPv3-Next!

 Background and security threats


 SNMPv3 Architecture
 SNMPv3 Applications
 Message Format
 User-based Security Model (USM)
 USM Timeliness Mechanism
 Cryptographic Functions
 USM Message Processing
 Discovery
 Key Management
USM Timeliness Mechanism
Management of authoritative clocks
 All authoritative engines must maintain two objects:
o snmpEngineBoots
o snmpEngineTime
 Initially, both are set to 0
 snmpEngineTime is incremented once per second
 snmpEngineBoots is incremented if the system has rebooted or if snmpEngineTime reaches its maximum value (2^31 - 1); in both cases snmpEngineTime is reset to 0
USM Timeliness Mechanism
Synchronization
 A non-authoritative engine must remain loosely synchronized with each authoritative engine with which it communicates
 A non-authoritative engine keeps a local copy of 3 variables for each authoritative engine:
o snmpEngineBoots: most recent value of snmpEngineBoots for the remote authoritative engine
o snmpEngineTime: synchronized to the authoritative engine; between synch events it is incremented once per second to maintain loose synch
o latestReceivedEngineTime: highest value of msgAuthoritativeEngineTime received so far; it protects against a replay message attack
 These values are stored in a cache indexed by snmpEngineID
USM Timeliness Mechanism
Synchronization (cont'd)
[Figure: the authoritative engine sends msgAuthoritativeEngineBoots, msgAuthoritativeEngineTime and msgAuthoritativeEngineID to the non-authoritative engine.]

 If the message is authentic, the non-authoritative engine updates its local variables only when this rule holds:
(msgAuthoritativeEngineBoots > snmpEngineBoots) OR
[(msgAuthoritativeEngineBoots = snmpEngineBoots) AND (msgAuthoritativeEngineTime > latestReceivedEngineTime)]

 If the rule does not hold, either two messages arrived out of order or a replay attack is underway
USM Timeliness Mechanism
Synchronization (cont'd)
 If an update is called for, then
snmpEngineBoots := msgAuthoritativeEngineBoots
snmpEngineTime := msgAuthoritativeEngineTime
latestReceivedEngineTime := msgAuthoritativeEngineTime

 If (msgAuthoritativeEngineBoots < snmpEngineBoots) then no update occurs [message not authentic: to be discarded]

 If [(msgAuthoritativeEngineBoots = snmpEngineBoots) AND (msgAuthoritativeEngineTime < latestReceivedEngineTime)] then no update occurs [message may be authentic but may be misordered: an update of snmpEngineTime is not warranted]
USM Timeliness Mechanism
Timeliness checking by authoritative receiver
• Ensure that messages are received within a reasonable time window (avoid delays and replays)
• Too small a time window → authentic messages may be considered unauthentic
• Too large a time window → increased vulnerability to attacks
• An incoming message is considered outside the time window if the following is true:
snmpEngineBoots = (2^31 - 1) OR
msgAuthoritativeEngineBoots ≠ snmpEngineBoots OR
the value of msgAuthoritativeEngineTime differs from that of snmpEngineTime by more than ±150 seconds.
• → the message is considered not authentic (discarded and an error message returned)
USM Timeliness Mechanism
Timeliness checking by non-authoritative receiver
• An incoming message is considered outside the time window if the following is true:
snmpEngineBoots = (2^31 - 1) OR
msgAuthoritativeEngineBoots < snmpEngineBoots OR
[(msgAuthoritativeEngineBoots = snmpEngineBoots) AND
msgAuthoritativeEngineTime < snmpEngineTime – 150]

NOTE: msgAuthoritativeEngineBoots > snmpEngineBoots is allowed
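The timeliness rules of the last few slides, both receiver roles plus the non-authoritative engine's clock-update rule, as an added example (not code from the slides; the class and function names are my own, the constants are the slides' values):

```python
"""Added example: USM timeliness checks and clock synchronization as
described on the slides. Names are mine; 150 s and 2^31-1 are the slides'."""
from dataclasses import dataclass

MAX_BOOTS = 2**31 - 1   # snmpEngineBoots at its maximum: every message is rejected
TIME_WINDOW = 150       # seconds, per the slides


@dataclass
class EngineClock:
    """Local view of one engine's clock (cache entry keyed by snmpEngineID)."""
    boots: int
    time: int
    latest_received_time: int = 0   # only meaningful on the non-authoritative side


def in_window_authoritative(local: EngineClock, msg_boots: int, msg_time: int) -> bool:
    """Authoritative receiver: any of the three slide conditions rejects the message."""
    if local.boots == MAX_BOOTS:
        return False
    if msg_boots != local.boots:
        return False
    return abs(msg_time - local.time) <= TIME_WINDOW


def in_window_non_authoritative(local: EngineClock, msg_boots: int, msg_time: int) -> bool:
    """Non-authoritative receiver: a larger msgAuthoritativeEngineBoots is allowed
    (the remote engine rebooted); only values that are too old are rejected."""
    if local.boots == MAX_BOOTS:
        return False
    if msg_boots < local.boots:
        return False
    if msg_boots == local.boots and msg_time < local.time - TIME_WINDOW:
        return False
    return True


def sync_update(local: EngineClock, msg_boots: int, msg_time: int) -> bool:
    """Update rule for an already authenticated message from the authoritative
    engine. Returns True when the cached clock was updated."""
    if msg_boots > local.boots or (
        msg_boots == local.boots and msg_time > local.latest_received_time
    ):
        local.boots = msg_boots
        local.time = msg_time
        local.latest_received_time = msg_time
        return True
    return False   # stale, misordered or replayed: leave the cache alone
```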
Cryptographic Functions-Authentication
2 functions defined by USM
• authentication: authKey
• encryption: privKey
• authKey and privKey are derived from the password and are not accessible via SNMP

1- Authentication
• Two authentication protocols
o HMAC-MD5-96 (Message Digest)
o HMAC-SHA1-96 (Secure Hash Algorithm)
• HMAC: message authentication code generated from authKey
• A 96-bit MAC is generated and inserted in the msgAuthenticationParameters field of the message
• MD-5 (16-octet) and SHA-1 (20-octet) are the underlying hash functions
Cryptographic Functions-Authentication
• Procedure:
1. Derive extendedAuthKey: supplement authKey with 0s to get a 64-byte string
2. Define ipad, opad, K1, and K2:
   ipad = 0x36 (00110110) repeated 64 times
   opad = 0x5c (01011100) repeated 64 times
   K1 = extendedAuthKey XOR ipad
   K2 = extendedAuthKey XOR opad
3. Derive the HMAC with the hashing algorithm used (the comma denotes concatenation):
   HMAC = H (K2, H (K1, wholeMsg))
• Depending on whether MD-5 or SHA-1 is used, the algorithm produces a 16-octet (MD-5) or 20-octet (SHA-1) output, which is truncated to produce a 12-octet MAC
HMAC Structure
Cryptographic Functions-Authentication
[Figure: sender computes MAC = HASH FUNCTION(KEY, DATA), adds the message authentication code (MAC) to the data and sends the result. To authenticate, the receiver recomputes the MAC over the received DATA with the shared KEY and compares it (=?) with the USER MAC that arrived with the data.]
Cryptographic Functions-Encryption

2- Encryption and decryption of the scoped PDU (context engine ID, context name, and PDU)

• CBC-DES (Cipher Block Chaining - Data Encryption Standard) symmetric protocol
o 16-octet privKey (derived from the password, similarly to authKey) is used as input to the encryption protocol
o First 8 octets of privKey are used as the DES key (only 56 bits → the LSB of each octet is ignored)
Cryptographic Functions-Encryption

• CBC Mode
o Last 8 octets of privKey are used as the pre-initialization vector (pre-IV)
o Generate an 8-octet salt value: <snmpEngineBoots || local value>
  Local value: 4-octet integer, implementation dependent, modified after each use
o Initialization vector: IV = salt XOR pre-IV
o Transmit the salt in msgPrivacyParameters so that the receiver can recover the IV
Cryptographic Functions-Encryption
[Figure: CBC-DES encryption. P1 is XORed with the IV, each later block Pn with the previous ciphertext block Cn-1, and the result is DES-encrypted under k to give C1, C2, ..., Cn.]
Encryption: data is divided into blocks of 64 bits each. K is shared between sender and receiver.

Cryptographic Functions-Encryption
[Figure: CBC-DES decryption. Each Cn is DES-decrypted under k and XORed with the IV (first block) or with Cn-1 to recover P1, P2, ..., Pn.]
Decryption: the IV at the receiver is generated from the salt that is transmitted in the message.
USM Message Processing
Message transmission (flowchart rendered as steps):
1. Retrieve user information: security name of the principal, authoritative snmpEngineID, determine the security level, ...
2. Privacy required? YES → encrypt the scopedPDU and set msgPrivacyParameters; NO → msgPrivacyParameters := NULL
3. Authentication required? YES → compute the MAC and set msgAuthenticationParameters; NO → msgAuthenticationParameters := NULL
4. Transmit the message

USM Message Processing
Message reception (flowchart rendered as steps):
1. Retrieve the message security parameters: security level, security model, security name, ...
2. Authentication required? YES → compute the MAC and compare it with msgAuthenticationParameters
3. Time synch: determine whether the message is within the time window (timeliness check)
4. Privacy required? YES → decrypt the scopedPDU (the IV is recovered from msgPrivacyParameters); NO → the scopedPDU is used as received
Discovery
• The non-authoritative engine sends a Request message with:
securityLevel = noAuthNoPriv
msgUserName = "initial"
msgAuthoritativeEngineID = null
varBindList = null

• The authoritative engine responds with:
msgAuthoritativeEngineID = snmpEngineID (its own)

• If authenticated communication is required
o The non-authoritative engine establishes time synchronization with the authoritative engine
o The authoritative engine sends a Report message with its current values:
msgAuthoritativeEngineBoots = snmpEngineBoots
msgAuthoritativeEngineTime = snmpEngineTime
Key Management

• Authentication and privacy keys are required
• A principal (i.e., NMS) should deploy or use only one auth. key and one priv. key.
• Keys are stored for the user's password
• Password: human readable, not easily guessed
• Keys are not accessible via SNMP and are not stored in the MIB

Password to key generation
1)- Repeat the password to generate 2^20 bytes → digest0
2)- digest1 = Hash (digest0)
digest1 is 16-octet (MD-5) or 20-octet (SHA-1)
authKey is digest1
NOTE :: A single password can be used (authKey and privKey are the same) or 2 passwords for 2 different keys
Key Localization

• A localized key is a secret key shared between a user and one authoritative SNMP Engine
• Hence, a user can communicate with many agents but maintains only one key (i.e., only one password)

[Figure: Agent 1 holds User 1 (authKey1_1, privKey1_1) and User 2 (authKey1_2, privKey1_2); Agent 2 holds User 1 (authKey2_1, privKey2_1) and User 4 (authKey2_4, privKey2_4). If one agent is compromised, only its keys are compromised; the other keys are not, and the other agents are safe.]
Generating localized Keys

[Figure: password → take hash of the expanded password string → User Key (digest1) → take hash of the user key and the Remote Engine ID → Localized Key (digest2); this last step is repeated once per remote engine, giving a different localized key for each.]

• Localized keys are initially configured in a secure way (key could be manual!)
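The password-to-key step from the Key Management slide and the localization step shown in the figure above, as an added example (not code from the slides). The exact localization input, Hash(Ku || snmpEngineID || Ku), and the "maplesyrup" sample inputs are taken from RFC 3414 Appendix A; the function names are mine:

```python
"""Added example: RFC 3414 A.2 password-to-key and key localization.
RFC_PASSWORD / RFC_ENGINE_ID are the RFC's sample inputs, not a real deployment."""
import hashlib

PASSWORD_STREAM_LEN = 1 << 20   # the password repeated to 2^20 bytes forms digest0


def password_to_key(password: bytes, algo: str) -> bytes:
    """digest1 = Hash(digest0): the user key Ku, 16 (MD5) or 20 (SHA-1) octets."""
    if not password:
        raise ValueError("empty password")
    h = hashlib.new(algo)
    reps, rem = divmod(PASSWORD_STREAM_LEN, len(password))
    h.update(password * reps + password[:rem])   # digest0 fed in one go
    return h.digest()


def localize_key(user_key: bytes, engine_id: bytes, algo: str) -> bytes:
    """Localized key Kul = Hash(Ku || snmpEngineID || Ku) per RFC 3414 A.2.1/A.2.2
    (the slide only says 'hash of user key and remote engine ID')."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("snmpEngineID must be 5..32 octets")
    return hashlib.new(algo, user_key + engine_id + user_key).digest()


def derive_localized(password: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """One password -> one user key -> a distinct key per authoritative engine."""
    return localize_key(password_to_key(password, algo), engine_id, algo)


# RFC 3414 Appendix A.3 sample inputs
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes(11) + b"\x02"   # 00 00 00 00 00 00 00 00 00 00 00 02
```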
Key Update
To enhance security, keys are to be updated from time to time: keyOld → keyNew
Requestor:
1)- Generate random
2)- Compute: digest = Hash ( keyOld || random )
3)- delta = digest XOR keyNew
4)- protocolKeyChange = ( random || delta )
Send a SetRequest message ( protocolKeyChange )
Receiver:
1)- compute digest = Hash( keyOld || random )
2)- compute keyNew = digest XOR delta
NOTE: digest XOR delta = digest XOR (digest XOR keyNew) = keyNew

Since an attacker does not know keyOld, the update of the key is safe
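Both sides of the key update above, as an added example (not code from the slides). It implements the single hash round the slide shows, which assumes keyOld and keyNew are exactly one digest long (16 octets for MD5, 20 for SHA-1); the keys in the test are constructed values:

```python
"""Added example: requestor and receiver halves of the KeyChange exchange
on the slide. Single hash round; key length must equal the digest length."""
import hashlib
import os
from typing import Optional


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def build_key_change(key_old: bytes, key_new: bytes, algo: str,
                     random: Optional[bytes] = None) -> bytes:
    """Requestor: protocolKeyChange = random || (Hash(keyOld || random) XOR keyNew)."""
    digest_len = hashlib.new(algo).digest_size
    if len(key_old) != digest_len or len(key_new) != digest_len:
        raise ValueError("this single-round form needs key length == digest length")
    if random is None:
        random = os.urandom(digest_len)          # step 1: fresh random value
    if len(random) != digest_len:
        raise ValueError("random must be digest-length")
    digest = hashlib.new(algo, key_old + random).digest()   # step 2
    delta = xor_bytes(digest, key_new)                      # step 3
    return random + delta                                   # step 4


def apply_key_change(key_old: bytes, protocol_key_change: bytes, algo: str) -> bytes:
    """Receiver: split random || delta, recompute the digest, recover keyNew.
    A wrong keyOld yields an unrelated key, never an error: the receiver must
    still authenticate the SetRequest under the old key before applying it."""
    digest_len = hashlib.new(algo).digest_size
    if len(protocol_key_change) != 2 * digest_len:
        raise ValueError("malformed KeyChange value")
    random = protocol_key_change[:digest_len]
    delta = protocol_key_change[digest_len:]
    digest = hashlib.new(algo, key_old + random).digest()
    return xor_bytes(digest, delta)   # digest XOR (digest XOR keyNew) = keyNew
```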
Access Control
• The agent can validate sending sources and their access privilege for command requests.
• Step following authentication
• Maintain a local database that contains access rights and policies

MIB VIEW         Allowed Operations   Allowed managers   Required Level of Security
Interface Table  SET                  John               Authentication, Encryption
Interface Table  GET/GETNEXT          John, Paul         Authentication
Systems Group    GET/GETNEXT          Georges            None

Access Control
• Access rights are expressed per operation type (read, write, or send notification)