• Home
• About the IETF
• Mission
• Standards Process
• Note Well
• Internet-Drafts
• Search
• Submit
• Tracker
• RFC Pages
• Search RFC Ed Index
• RFC Editor Queue
• Working Groups
• WG Charters
• Email Lists
• WG Chairs' Page
• Web Tools
• Community Tools
• Wikis
• Meetings
• Upcoming Meetings
• Important Dates
• Proceedings
• Mailing Lists
• Announcement Lists
• Discussion Lists
• Non-WG Lists
• IESG
• Announcements
• Statements
• Members
• Minutes
• IPR
• IPR Policy
• File a Disclosure
• Disclosure Search
• Liaisons
• Liaison Statements
• Liaison Managers
• Contact
• Report Web Site Errors
• Customize View
  
• Brief
• Normal
• Extended
• Advanced
• (Requires Javascript)

Integrated Security Model for SNMP (isms)

Last Modified: 2010-01-13

Additional information is available at tools.ietf.org/wg/isms

Chair(s):

• Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
  
• Russ Mundy <Russ.Mundy@sparta.com>
  

Security Area Director(s):

• Tim Polk <tim.polk@nist.gov>
  
• Pasi Eronen <pasi.eronen@nokia.com>
  

Security Area Advisor:

• Pasi Eronen <pasi.eronen@nokia.com>
  

Mailing Lists:

General Discussion: isms@ietf.org
To Subscribe: isms-request@ietf.org
In Body: in body: (un)subscribe
Archive: http://www.ietf.org/mail-archive/web/isms/current/maillist.html

Description of Working Group:

The Simple Network Management Protocol version 3 (SNMPv3) provides
message security services through the security subsystem. Previously
the ISMS Working Group defined a Transport Subsystem definition, a new
Transport Security Model, and a Secure Shell Transport Model and a
method for authenticating SNMPv3 users via the Remote Authentication
Dial-In User Service (RADIUS). The initial body of work to be tackled
by the working group involved only these pieces. Additional work on
other transport models and other security extensions were to wait
until the initial transport architecture and defining documents were
completed.

It is now possible to authenticate SNMPv3 messages via a RADIUS when
those messages are sent over the newly defined SSH transport.
However, it still remains impossible to centrally authorize a given
SNMP transaction as on-device pre-existing authorization configuration
is still required. In order to leverage a centralized RADIUS service
to its full extent, the access control decision in the Access Control
Subsystem needs to be based on authorization information received from
RADIUS as well. The result will be an extension to obtain
authorization information for an authenticated principal from RADIUS.
The authorization information will be limited to mapping the
authenticated principal to existing named access control policies,
defining session timeouts, and similar session parameters. This
mechanism will not provision the detailed access control rules.

Additionally, new work will be undertaken to define TLS and DTLS-based
transports that can offer support for environments that prefer
certificate authentication. Certificate based authentication is
desirable for many environments with a centralized authentication
service. DTLS also provides datagram-based transmissions which may be
desired for environments where TCP performance suffers because of
network anomalies (e.g. high packet loss rates). A combination of TLS
and DTLS-based transports offers solutions that addresses both the
need for certificate-based authentication and for datagram-based
delivery. Operators will be able to chose the transport solution that
best meets their needs.

The current goal of the ISMS working group is two-fold: to develop a
method for allowing for access control decisions to be based on
information provide by an AAA provisioning service and to develop
TLS-based and DTLS-based Transport Models.

The new work must not modify any other aspects of SNMPv3 protocol as
defined in STD 62 (e.g., it must not create new PDU types).

The working group will cover the following work items:

- Specify a mechanism to support centralization of SNMPv3 Access
Control decisions by means of a RADIUS-provisioned policy name
bound to a username, which the VACM extension will use to
dynamically populate the securityToGroupname table. Additionally,
specify a time limit for access decisions, and such a time limit
should be used to garbage collect expired dynamic securityToGroup
mappings.

- Specify TLS and DTLS transport models for SNMP.

Goals and Milestones:

Done		Cut-off date for internet-drafts to be submitted to the working group for consideration as a proposed solution
Done		Decision about which architecture the WG will focus its efforts on
Done		Initial version of a general transport mapping security models (TMSMs) document that specifies how TMSMs fit into the SNMPv3 architecture and that defines the requirements for transport mapping security models
Done		Initial version of a document specifying the SSH security model for SNMP
Jul 2009		Publish initial documentation for the centralized access control
Jul 2009		Publish initial documentation on the (D)TLS transports for SNMP
Jan 2010		Submit documentation for the centralized access control to IESG
Jan 2010		Submit documentation on the (D)TLS transports for SNMP to IESG

Internet-Drafts:

Transport Layer Security (TLS) Transport Model for SNMP (152088 bytes)
Extensions to the View-based Access Control Model for use with RADIUS (40398 bytes)

Request For Comments:

Secure Shell Transport Model for the Simple Network Management Protocol (SNMP) (RFC 5592) (82822 bytes)
Transport Security Model for the Simple Network Management Protocol (SNMP) (RFC 5591) (61747 bytes)
Transport Subsystem for the Simple Network Management Protocol (SNMP) (RFC 5590) (84513 bytes) updates RFC 3411,RFC 3412,RFC 3414,RFC 3417
Remote Authentication Dial-In User Service (RADIUS) Usage for Simple Network Management Protocol (SNMP) Transport Models (RFC 5608) (34857 bytes)

Home - Tools - Datatracker - IASA - IAB - RFC Editor - IANA - IRTF - IETF Trust - ISOC - Contact Us
Secretariat services provided by Association Management Solutions, LLC (AMS).
Please send problem reports to: ietf-action@ietf.org.