| draft-ietf-opsawg-snmp-engineid-discovery-02.txt | draft-ietf-opsawg-snmp-engineid-discovery-03.txt |
|---|---|
| Network Working Group J. Schoenwaelder | Network Working Group J. Schoenwaelder | |||
| Internet-Draft Jacobs University Bremen | Internet-Draft Jacobs University Bremen | |||
| Updates: 3411 (if approved) February 13, 2008 | Updates: 3411 (if approved) July 14, 2008 | |||
| Intended status: Standards Track | Intended status: Standards Track | |||
| Expires: August 16, 2008 | Expires: January 15, 2009 | |||
| Simple Network Management Protocol (SNMP) Context EngineID Discovery | Simple Network Management Protocol (SNMP) Context EngineID Discovery | |||
| draft-ietf-opsawg-snmp-engineid-discovery-02.txt | draft-ietf-opsawg-snmp-engineid-discovery-03.txt | |||
| Status of this Memo | Status of this Memo | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| (skipping to change at page 1, line 35) | (skipping to change at page 1, line 35) |
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on August 16, 2008. | This Internet-Draft will expire on January 15, 2009. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The IETF Trust (2008). | Copyright (C) The IETF Trust (2008). | |||
| Abstract | Abstract | |||
| The Simple Network Management Protocol (SNMP) version three (SNMPv3) | The Simple Network Management Protocol (SNMP) version three (SNMPv3) | |||
| requires that an application knows the identifier (snmpEngineID) of | requires that an application knows the identifier (snmpEngineID) of | |||
| the remote SNMP protocol engine in order to retrieve or manipulate | the remote SNMP protocol engine in order to retrieve or manipulate | |||
| (skipping to change at page 6, line 50) | (skipping to change at page 6, line 50) |
| 1 IPv4 address [RFC3411] | 1 IPv4 address [RFC3411] | |||
| 2 IPv6 address [RFC3411] | 2 IPv6 address [RFC3411] | |||
| 3 MAC address [RFC3411] | 3 MAC address [RFC3411] | |||
| 4 administratively assigned text [RFC3411] | 4 administratively assigned text [RFC3411] | |||
| 5 administratively assigned octets [RFC3411] | 5 administratively assigned octets [RFC3411] | |||
| 6-127 reserved, unused [RFC3411] | 6-127 reserved, unused [RFC3411] | |||
| 128-255 enterprise specific [RFC3411] | 128-255 enterprise specific [RFC3411] | |||
| IANA can assign new format values out of the originally assigned and | IANA can assign new format values out of the originally assigned and | |||
| reserved number space 1-127. For new assignments in this number | reserved number space 1-127. For new assignments in this number | |||
| space, a specification is required as per [RFC2434]. The number | space, a specification is required as per [RFC5226]. The number | |||
| space 128-255 is enterprise specific and not controlled by IANA. | space 128-255 is enterprise specific and not controlled by IANA. | |||
| This document requested the following assignment: | This document requested the following assignment: | |||
| Format Description References | Format Description References | |||
| ------- ----------- ---------- | ------- ----------- ---------- | |||
| 6 local engine [RFCXXXX] | 6 local engine [RFCXXXX] | |||
| [RFC Ed.: replace XXXX with RFC number assigned to the document] | [RFC Ed.: replace XXXX with RFC number assigned to the document] | |||
| 5. Security Considerations | 5. Security Considerations | |||
| SNMP version 3 (SNMPv3) provides cryptographic security to protect | SNMP version 3 (SNMPv3) provides cryptographic security to protect | |||
| devices from unauthorized access. This specification recommends to | devices from unauthorized access. This specification recommends to | |||
| use the security services provided by SNMPv3. In particular, it is | use the security services provided by SNMPv3. In particular, it is | |||
| RECOMMENDED to protect the discovery exchange. | RECOMMENDED to protect the discovery exchange. | |||
| In situations where SNMPv3 is used without security (i.e., the | An snmpEngineID can contain information such as a device's MAC | |||
| security level of noAuthNoPriv is used), the introduction of a | address, IPv4 address, IPv6 address, or administratively assigned | |||
| localEngineID may make it slightly easier for an attacker to discover | text. An attacker located behind a router / firewall / network | |||
| suitable snmpEngineID values. However, since SNMP messages with a | address translator may not be able to obtain this information | |||
| security level of noAuthNoPriv are normally carried in clear-text | directly and he therefore might discover snmpEngineID values in order | |||
| over the wire, it is usually easy for an attacker to discover | to obtain this kind of device information. | |||
| snmpEngineID values by sniffing on the wire and any attempts to keep | ||||
| snmpEngineID values private will not lead to strong security. The | ||||
| usage of SNMPv3 without security is therefore generally NOT | ||||
| RECOMMENDED. | ||||
| If a device configuration permits non-secure SNMPv1/v2c access to a | In many environments, making snmpEngineID values accessible via a | |||
| target system, then reading the snmpEngineID variable of the SNMP- | security level of noAuthNoPriv will benefit legitimate tools that try | |||
| FRAMEWORK-MIB will also reveal a suitable contextEngineID value for | to algorithmically determine some basic information about a device. | |||
| subsequent SNMPv3 usage. However, implementations should not rely on | For this reason, the default View-based Access Control Model (VACM) | |||
| non-secure SNMPv1/v2c access and therefore MUST implement this | configuration in appendix A of RFC 3415 [RFC3415] gives noAuthNoPriv | |||
| specification to enable secure contextEngineID discovery. | read access to the snmpEngineID. Furthermore, the USM discovery | |||
| | mechanism defined in RFC 3414 [RFC3414] uses unprotected messages and |
| | reveals snmpEngineID values. |
| | In highly secure environments, snmpEngineID values can be protected |
| | by using the discovery mechanism described in this document together |
| | with a security model that does not exchange cleartext SNMP messages, |
| | such as the Transport Security Model (TSM) [I-D.TSM]. |
| The isAccessAllowed() abstract service primitive of the SNMP access | The isAccessAllowed() abstract service primitive of the SNMP access | |||
| control subsystem does not take the contextEngineID into account when | control subsystem does not take the contextEngineID into account when | |||
| checking access rights [RFC3411]. As a consequence, it is not | checking access rights [RFC3411]. As a consequence, it is not | |||
| possible to define a special view for context engineID discovery. A | possible to define a special view for context engineID discovery. A | |||
| request with a localEngineID is thus treated like a request with the | request with a localEngineID is thus treated like a request with the | |||
| correct snmpEngineID by the access control subsystem. This is inline | correct snmpEngineID by the access control subsystem. This is inline | |||
| with the SNMPv3 design where the authenticated identity is the | with the SNMPv3 design where the authenticated identity is the | |||
| securityName (together with the securityModel and securityLevel | securityName (together with the securityModel and securityLevel | |||
| information) and transport addresses or knowledge of contextEngineID | information) and transport addresses or knowledge of contextEngineID | |||
| (skipping to change at page 8, line 41) | (skipping to change at page 8, line 41) |
| Protocol (SNMPv3)", STD 62, RFC 3414, December 2002. | Protocol (SNMPv3)", STD 62, RFC 3414, December 2002. | |||
| [RFC3416] Presuhn, R., "Version 2 of the Protocol Operations for the | [RFC3416] Presuhn, R., "Version 2 of the Protocol Operations for the | |||
| Simple Network Management Protocol (SNMP)", STD 62, | Simple Network Management Protocol (SNMP)", STD 62, | |||
| RFC 3416, December 2002. | RFC 3416, December 2002. | |||
| [RFC3418] Presuhn, R., "Management Information Base (MIB) for the | [RFC3418] Presuhn, R., "Management Information Base (MIB) for the | |||
| Simple Network Management Protocol (SNMP)", STD 62, | Simple Network Management Protocol (SNMP)", STD 62, | |||
| RFC 3418, December 2002. | RFC 3418, December 2002. | |||
| [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an | [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an | |||
| IANA Considerations Section in RFCs", BCP 26, RFC 2434, | IANA Considerations Section in RFCs", BCP 26, RFC 5226, | |||
| October 1998. | May 2008. | |||
| 7.2. Informative References | 7.2. Informative References | |||
| [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, | [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, | |||
| "Introduction and Applicability Statements for Internet- | "Introduction and Applicability Statements for Internet- | |||
| Standard Management Framework", RFC 3410, December 2002. | Standard Management Framework", RFC 3410, December 2002. | |||
| | [RFC3415] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based |
| | Access Control Model (VACM) for the Simple Network |
| | Management Protocol (SNMP)", STD 62, RFC 3415, |
| | December 2002. |
| [I-D.TSM] Harrington, D., "Transport Security Model for SNMP", | [I-D.TSM] Harrington, D., "Transport Security Model for SNMP", | |||
| draft-ietf-isms-transport-security-model-07.txt (work in | draft-ietf-isms-transport-security-model-08.txt (work in | |||
| progress), November 2007. | progress), July 2008. | |||
| Author's Address | Author's Address | |||
| Juergen Schoenwaelder | Juergen Schoenwaelder | |||
| Jacobs University Bremen | Jacobs University Bremen | |||
| Campus Ring 1 | Campus Ring 1 | |||
| 28725 Bremen | 28725 Bremen | |||
| Germany | Germany | |||
| Phone: +49 421 200-3587 | Phone: +49 421 200-3587 | |||
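The IANA format table in the draft (values 1 to 5, 6-127 reserved, 128-255 enterprise specific, plus the format 6 "local engine" assignment this revision requests) and the new security-considerations paragraph on what an snmpEngineID reveals (a MAC address, an IPv4 or IPv6 address, or administratively assigned text) both rest on the RFC 3411 SnmpEngineID encoding. The decoder below is an added example, not code from the draft or from any SNMP implementation: it parses an engineID by its format octet, names the format using the table above, and reports whether the value embeds a network address. The enterprise number 32473 and the addresses in the sample values are constructed documentation values, and the `LOCAL_ENGINE_ID` constant is an assumption taken from the published RFC 5343 (new format, enterprise 0, format 6, no trailing octets); the draft's own localEngineID octets are not shown on this page.

```python
"""Decode SnmpEngineID values using the RFC 3411 format table.

Added example: not code from the draft and not from any SNMP stack.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Format octet values from the IANA table in the draft (RFC 3411).
_FORMAT_NAMES = {
    1: "IPv4 address",
    2: "IPv6 address",
    3: "MAC address",
    4: "administratively assigned text",
    5: "administratively assigned octets",
    6: "local engine",  # the assignment this draft requests
}

# Assumption: the localEngineID octets of the published RFC 5343
# (new format, enterprise 0, format 6, no trailing octets).
LOCAL_ENGINE_ID = bytes.fromhex("8000000006")


@dataclass
class EngineIDInfo:
    new_format: bool
    enterprise: int            # IANA enterprise number (high bit cleared)
    fmt: Optional[int]         # format octet, None for old-format IDs
    fmt_name: str
    value: Optional[str]       # decoded address/text/hex, if any
    reveals_address: bool      # an IPv4/IPv6/MAC address is embedded
    is_local_engine: bool      # format 6 per this draft


def _format_name(fmt: int) -> str:
    if fmt in _FORMAT_NAMES:
        return _FORMAT_NAMES[fmt]
    return "reserved, unused" if fmt <= 127 else "enterprise specific"


def decode_engine_id(engine_id: bytes) -> EngineIDInfo:
    """Parse one SnmpEngineID; raises ValueError on malformed input."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("SnmpEngineID must be 5..32 octets")
    enterprise = int.from_bytes(engine_id[:4], "big")
    new_format = bool(enterprise & 0x80000000)
    enterprise &= 0x7FFFFFFF
    if not new_format:
        # RFC 3411 old format: fixed 12 octets, trailing 8 are opaque.
        if len(engine_id) != 12:
            raise ValueError("old-format SnmpEngineID must be 12 octets")
        return EngineIDInfo(False, enterprise, None, "old format (opaque)",
                            engine_id[4:].hex(), False, False)

    fmt, rest = engine_id[4], engine_id[5:]
    value: Optional[str] = None
    reveals = False
    if fmt == 1:
        if len(rest) != 4:
            raise ValueError("format 1 needs exactly 4 address octets")
        value, reveals = str(ipaddress.IPv4Address(rest)), True
    elif fmt == 2:
        if len(rest) != 16:
            raise ValueError("format 2 needs exactly 16 address octets")
        value, reveals = str(ipaddress.IPv6Address(rest)), True
    elif fmt == 3:
        if len(rest) != 6:
            raise ValueError("format 3 needs exactly 6 MAC octets")
        value, reveals = ":".join(f"{b:02x}" for b in rest), True
    elif fmt in (4, 5):
        if len(rest) > 27:
            raise ValueError("formats 4 and 5 allow at most 27 octets")
        value = rest.decode("ascii", "replace") if fmt == 4 else rest.hex()
    elif rest:
        value = rest.hex()  # local engine, reserved or enterprise specific
    return EngineIDInfo(True, enterprise, fmt, _format_name(fmt), value,
                        reveals, fmt == 6)


def is_valid_engine_id(engine_id: bytes) -> bool:
    """True when the octets decode as a well-formed SnmpEngineID."""
    try:
        decode_engine_id(engine_id)
        return True
    except ValueError:
        return False


def audit(engine_ids: dict) -> dict:
    """Return {label: embedded address} for the IDs that expose one."""
    return {label: decode_engine_id(eid).value
            for label, eid in engine_ids.items()
            if decode_engine_id(eid).reveals_address}


# Constructed samples: 32473 is the documentation enterprise number;
# 192.0.2.1, 2001:db8::1 and 00-00-5e-00-53-01 are documentation
# addresses. None of these values come from the draft.
SAMPLES = {
    "ipv4": bytes.fromhex("80007ed9" "01" "c0000201"),
    "ipv6": bytes.fromhex("80007ed9" "02" "20010db8000000000000000000000001"),
    "mac": bytes.fromhex("80007ed9" "03" "00005e005301"),
    "text": bytes.fromhex("80007ed9" "04") + b"core-rtr-1",
    "local": LOCAL_ENGINE_ID,
    "vendor": bytes.fromhex("80007ed9" "80" "0102030405"),
}

if __name__ == "__main__":
    for label, eid in SAMPLES.items():
        print(f"{label:7} {eid.hex():40} {decode_engine_id(eid)}")
    print("IDs that reveal a network address:", audit(SAMPLES))
```

Run stand-alone it decodes each sample; `audit()` is the check a management station can run over the engineIDs it has learned to see which ones carry an address, which is the information the security considerations say noAuthNoPriv read access to snmpEngineID exposes.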