SNMPv3 User-based Security Model (USM) (1)

SNMPv3 uses the User-based Security Model (USM).
- RFC 3411 Architecture for SNMP Frameworks http://www.ietf.org/rfc/rfc3411.txt
- RFC 3414 User-based Security Model (USM) http://www.ietf.org/rfc/rfc3414.txt


SNMP Entity
RFC 3411 defines an SNMPv3 entity as consisting of the following parts.
1) Dispatcher
An SNMP entity contains exactly one Dispatcher, which is responsible for sending and receiving messages.

2) Message Processing Subsystem
SNMP-FRAMEWORK-MIB defines the following message processing models:
SnmpMessageProcessingModel
                     0  reserved for SNMPv1
                     1  reserved for SNMPv2c
                     2  reserved for SNMPv2u and SNMPv2*
                     3  reserved for SNMPv3

3) Security Subsystem
SNMP-FRAMEWORK-MIB defines the following security models:
SnmpSecurityModel
                     0  reserved for 'any'
                     1  reserved for SNMPv1
                     2  reserved for SNMPv2c
                     3  User-Based Security Model (USM)

and the following security levels:
SnmpSecurityLevel
                     noAuthNoPriv(1),   -- no authentication, no encryption
                     authNoPriv(2),     -- authentication, no encryption
                     authPriv(3)        -- authentication and encryption

4) Access Control Subsystem

5) Applications
These include:
      -  command generators, which monitor and manipulate management data,
      -  command responders, which provide access to management data,
      -  notification originators, which initiate asynchronous messages,
      -  notification receivers, which process asynchronous messages,
      -  proxy forwarders, which forward messages between entities.


SNMP Context
An SNMP context, or just "context" for short, is a collection of management information accessible by an SNMP entity.
An SNMP entity potentially has access to many contexts. The combination of a contextEngineID and a contextName unambiguously identifies a context within an administrative domain.
An SNMP context can be thought of as a collection of management information.
One SNMP entity can access many SNMP contexts.
The combination of contextEngineID and contextName identifies one particular SNMP context.


USM
1) Authentication Protocol
Two authentication protocols are supported: HMAC-MD5-96 and HMAC-SHA-96.
*HMAC algorithm -> http://blog.csdn.net/fw0124/article/details/8473858
*HMAC-MD5-96 means HMAC with MD5 as the hash function, keeping the first 96 bits of the output (the MD5 output is 128 bits).
*HMAC-SHA-96 (HMAC-SHA1-96) means HMAC with SHA-1 as the hash function, keeping the first 96 bits of the output (the SHA-1 output is 160 bits).

2) authKey
The user's key for HMAC authentication.
The HMAC key actually used is derived from this user key together with the engineID; this derivation is called key localization.

3) Privacy Protocol
Two encryption methods are supported: CBC-DES and CFB-AES.
*Block cipher modes -> http://blog.csdn.net/fw0124/article/details/8472560
*CBC-DES means the DES algorithm in CBC mode.
*CFB-AES means the AES algorithm in CFB mode.

4) privKey
The user's key for encryption.
The encryption key actually used is derived from this user key together with the engineID; this derivation is likewise called localization.
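To make the localization step concrete for both authKey and privKey above, here is an added Python example (not code from the original post) implementing the RFC 3414 Appendix A password-to-key and key localization formulas, followed by the 96-bit truncation used by HMAC-MD5-96 and HMAC-SHA-96. The password and engineID are the RFC's own sample values; the message bytes are constructed.

```python
import hashlib
import hmac

# Added example, not from the original post: RFC 3414 Appendix A key handling.
# The protocol names are USM's own; each maps to the hash it is defined with.
AUTH_PROTOCOLS = {
    "usmHMACMD5AuthProtocol": hashlib.md5,   # HMAC-MD5-96, 128-bit digest
    "usmHMACSHAAuthProtocol": hashlib.sha1,  # HMAC-SHA-96, 160-bit digest
}

def password_to_key(password: bytes, protocol: str) -> bytes:
    """Ku = H(password repeated cyclically, truncated to 1,048,576 bytes)."""
    reps = 1048576 // len(password) + 1
    stream = (password * reps)[:1048576]
    return AUTH_PROTOCOLS[protocol](stream).digest()

def localize_key(ku: bytes, engine_id: bytes, protocol: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the same password yields a different
    key on every engine, so one engine's localized key does not expose the
    others. USM localizes privKey with exactly the same formula."""
    return AUTH_PROTOCOLS[protocol](ku + engine_id + ku).digest()

def localized_key(password: bytes, engine_id: bytes, protocol: str) -> bytes:
    return localize_key(password_to_key(password, protocol), engine_id, protocol)

def auth_param(kul: bytes, whole_msg: bytes, protocol: str) -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message, first 96 bits.
    The caller passes the message with its 12 parameter bytes set to zero."""
    return hmac.new(kul, whole_msg, AUTH_PROTOCOLS[protocol]).digest()[:12]

def verify_auth_param(kul: bytes, whole_msg: bytes, received: bytes, protocol: str) -> bool:
    """Constant-time comparison of the received tag against a recomputed one."""
    return hmac.compare_digest(auth_param(kul, whole_msg, protocol), received)

# RFC 3414 A.3 sample values: password "maplesyrup", engineID 00..02.
PASSWORD = b"maplesyrup"
ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    msg = b"constructed SNMPv3 message with zeroed auth params"  # constructed
    for proto in AUTH_PROTOCOLS:
        kul = localized_key(PASSWORD, ENGINE_ID, proto)
        tag = auth_param(kul, msg, proto)
        print(proto, "Kul:", kul.hex(), "tag verifies:", verify_auth_param(kul, msg, tag, proto))
```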

5) Protection against message delay or replay
- The request carries a msgID, and the response must echo the same msgID; otherwise the response is discarded.
- The request carries engineBoots and engineTime; the agent checks that they fall within a 150-second time window.
*engineBoots is the number of times the SNMP engine has rebooted
*engineTime is the number of seconds elapsed since the last reboot

6) Time Synchronization
Time synchronization, required by a non-authoritative SNMP engine in order to proceed with authentic communications, has occurred when the non-authoritative SNMP engine has obtained a local notion of the authoritative SNMP engine's values of snmpEngineBoots and snmpEngineTime from the authoritative SNMP engine. These values must be (and remain) within the authoritative SNMP engine's Time Window. So the local notion of the authoritative SNMP engine's values must be kept loosely synchronized with the values stored at the authoritative SNMP engine.
In addition to keeping a local copy of snmpEngineBoots and snmpEngineTime from the authoritative SNMP engine, a non-authoritative SNMP engine must also keep one local variable, latestReceivedEngineTime. This value records the highest value of snmpEngineTime that was received by the non-authoritative SNMP engine from the authoritative SNMP engine.
A non-authoritative SNMP engine must keep local notions of these values (snmpEngineBoots, snmpEngineTime and latestReceivedEngineTime) for each authoritative SNMP engine with which it wishes to communicate. Since each authoritative SNMP engine is uniquely and unambiguously identified by its value of snmpEngineID, the non-authoritative SNMP engine may use this value as a key in order to cache its local notions of these values.
First, two concepts need to be clear.
- authoritative SNMP engine: can be understood as the SNMP agent.
- non-authoritative SNMP engine: can be understood as the SNMP NMS (network management station).
Time synchronization is initiated by the non-authoritative SNMP engine in order to obtain the authoritative SNMP engine's snmpEngineBoots and snmpEngineTime and store them locally. In addition, it keeps a local variable latestReceivedEngineTime, which is the snmpEngineTime carried in the latest message received from the authoritative SNMP engine.
For the authoritative SNMP engine: if the engineBoots in a received message is not equal to its own engineBoots, or engineBoots is equal but the received engineTime lies outside the time window, i.e. outside its own engineTime +/- 150 seconds, it raises a notInTimeWindow error, increments the usmStatsNotInTimeWindows counter, and returns a report containing usmStatsNotInTimeWindows to the caller.
For the non-authoritative SNMP engine: if the engineBoots in a received message is greater than its own engineBoots, or engineBoots is equal but the received engineTime is greater than latestReceivedEngineTime, it updates its locally stored engineBoots, engineTime and latestReceivedEngineTime. If the engineBoots in a received message is less than its own engineBoots, or engineBoots is equal but the received engineTime is less than its own engineTime minus 150 seconds, the message is considered to be outside the time window.
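The agent-side and NMS-side rules just described, as an added Python model that is not code from the original post. It assumes every message has already passed HMAC verification, keeps the NMS cache keyed by snmpEngineID as RFC 3414 suggests, and uses a constructed engineID.

```python
# Added example, not from the original post: the USM time-window checks.
# Messages are assumed to have already passed HMAC verification.
TIME_WINDOW = 150  # seconds, as stated in the post

class AuthoritativeEngine:
    """Agent side: it owns snmpEngineBoots and snmpEngineTime."""
    def __init__(self, boots: int, time: int):
        self.boots, self.time = boots, time
        self.usmStatsNotInTimeWindows = 0

    def check(self, msg_boots: int, msg_time: int) -> bool:
        """True if the message is inside the window; otherwise bump the
        counter (a real agent then returns a Report PDU) and reject."""
        if msg_boots != self.boots or abs(msg_time - self.time) > TIME_WINDOW:
            self.usmStatsNotInTimeWindows += 1
            return False
        return True

class NonAuthoritativeEngine:
    """NMS side: caches each agent's clock, keyed by snmpEngineID."""
    def __init__(self):
        # engine_id -> [boots, time, latestReceivedEngineTime]
        self.cache = {}

    def synchronize(self, engine_id: bytes, boots: int, time: int) -> None:
        """Seed the local notion after the initial time-sync exchange."""
        self.cache[engine_id] = [boots, time, time]

    def process(self, engine_id: bytes, msg_boots: int, msg_time: int) -> bool:
        """Apply the update rule, then the out-of-window rule; False = reject."""
        if engine_id not in self.cache:
            return False  # unknown engine: must synchronize first
        boots, time, latest = self.cache[engine_id]
        if msg_boots > boots or (msg_boots == boots and msg_time > latest):
            self.cache[engine_id] = [msg_boots, msg_time, msg_time]
            return True
        if msg_boots < boots or (msg_boots == boots and msg_time < time - TIME_WINDOW):
            return False
        return True

if __name__ == "__main__":
    eid = bytes.fromhex("000000000000000000000002")  # constructed engineID
    agent = AuthoritativeEngine(boots=3, time=1000)
    print("message with stale engineBoots accepted?", agent.check(2, 1000))
    nms = NonAuthoritativeEngine()
    nms.synchronize(eid, 3, 1000)
    print("agent rebooted, cache updated?", nms.process(eid, 4, 5), nms.cache[eid])
```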
