summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc1352.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc1352.txt')
-rw-r--r--doc/rfc/rfc1352.txt2299
1 files changed, 2299 insertions, 0 deletions
diff --git a/doc/rfc/rfc1352.txt b/doc/rfc/rfc1352.txt
new file mode 100644
index 0000000..ec3b938
--- /dev/null
+++ b/doc/rfc/rfc1352.txt
@@ -0,0 +1,2299 @@
+
+
+
+
+
+
+Network Working Group J. Galvin
+Request for Comments: 1352 Trusted Information Systems, Inc.
+ K. McCloghrie
+ Hughes LAN Systems, Inc.
+ J. Davin
+ MIT Laboratory for Computer Science
+ July 1992
+
+
+ SNMP Security Protocols
+
+Status of this Memo
+
+ This document specifies an IAB standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "IAB
+ Official Protocol Standards" for the standardization state and status
+ of this protocol. Distribution of this memo is unlimited.
+
+Table of Contents
+
+ 1. Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . 2
+ 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
+ 2.1 Threats . . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2.2 Goals and Constraints . . . . . . . . . . . . . . . . . . . 5
+ 2.3 Security Services . . . . . . . . . . . . . . . . . . . . . 6
+ 2.4 Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . 6
+ 2.4.1 Message Digest Algorithm . . . . . . . . . . . . . . . . . 7
+ 2.4.2 Symmetric Encryption Algorithm . . . . . . . . . . . . . . 8
+ 3. SNMP Party . . . . . . . . . . . . . . . . . . . . . . . . 9
+ 4. Digest Authentication Protocol . . . . . . . . . . . . . . . 11
+ 4.1 Generating a Message . . . . . . . . . . . . . . . . . . . 14
+ 4.2 Receiving a Message . . . . . . . . . . . . . . . . . . . . 15
+ 5. Symmetric Privacy Protocol . . . . . . . . . . . . . . . . . 16
+ 5.1 Generating a Message . . . . . . . . . . . . . . . . . . . 17
+ 5.2 Receiving a Message . . . . . . . . . . . . . . . . . . . . 18
+ 6. Clock and Secret Distribution . . . . . . . . . . . . . . . 19
+ 6.1 Initial Configuration . . . . . . . . . . . . . . . . . . 20
+ 6.2 Clock Distribution . . . . . . . . . . . . . . . . . . . . 22
+ 6.3 Clock Synchronization . . . . . . . . . . . . . . . . . . . 24
+ 6.4 Secret Distribution . . . . . . . . . . . . . . . . . . . . 26
+ 6.5 Crash Recovery . . . . . . . . . . . . . . . . . . . . . . 28
+ 7. Security Considerations . . . . . . . . . . . . . . . . . . 30
+ 7.1 Recommended Practices . . . . . . . . . . . . . . . . . . . 30
+ 7.2 Conformance . . . . . . . . . . . . . . . . . . . . . . . 33
+ 7.3 Protocol Correctness . . . . . . . . . . . . . . . . . . . . 34
+ 7.3.1 Clock Monotonicity Mechanism . . . . . . . . . . . . . . . 35
+ 7.3.2 Data Integrity Mechanism . . . . . . . . . . . . . . . . . 36
+
+
+
+Galvin, McCloghrie, & Davin [Page 1]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ 7.3.3 Data Origin Authentication Mechanism . . . . . . . . . . . 36
+ 7.3.4 Restricted Administration Mechanism . . . . . . . . . . . 36
+ 7.3.5 Ordered Delivery Mechanism . . . . . . . . . . . . . . . 37
+ 7.3.6 Message Timeliness Mechanism . . . . . . . . . . . . . . . 38
+ 7.3.7 Selective Clock Acceleration Mechanism . . . . . . . . . . 38
+ 7.3.8 Confidentiality Mechanism . . . . . . . . . . . . . . . . 39
+ 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 39
+ 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 40
+ 10. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 41
+
+1. Abstract
+
+ The Simple Network Management Protocol (SNMP) specification [1]
+ allows for the protection of network management operations by a
+ variety of security protocols. The SNMP administrative model
+ described in [2] provides a framework for securing SNMP network
+ management. In the context of that framework, this memo defines
+ protocols to support the following three security services:
+
+ o data integrity,
+
+ o data origin authentication, and
+
+ o data confidentiality.
+
+ Please send comments to the SNMP Security Developers mailing list
+ (snmp-sec-dev@tis.com).
+
+2. Introduction
+
+ In the model described in [2], each SNMP party is, by definition,
+ associated with a single authentication protocol. The authentication
+ protocol provides a mechanism by which SNMP management communications
+ transmitted by the party may be reliably identified as having
+ originated from that party. The authentication protocol defined in
+ this memo also reliably determines that the message received is the
+ message that was sent.
+
+ Similarly, each SNMP party is, by definition, associated with a
+ single privacy protocol. The privacy protocol provides a mechanism by
+ which SNMP management communications transmitted to said party are
+ protected from disclosure. The privacy protocol in this memo
+ specifies that only authenticated messages may be protected from
+ disclosure.
+
+ These protocols are secure alternatives to the so-called "trivial"
+ protocol defined in [1].
+
+
+
+
+Galvin, McCloghrie, & Davin [Page 2]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ USE OF THE TRIVIAL PROTOCOL ALONE DOES NOT CONSTITUTE SECURE
+ NETWORK MANAGEMENT. THEREFORE, A NETWORK MANAGEMENT SYSTEM THAT
+ IMPLEMENTS ONLY THE TRIVIAL PROTOCOL IS NOT CONFORMANT TO THIS
+ SPECIFICATION.
+
+ The Digest Authentication Protocol is described in Section 4. It
+ provides a data integrity service by transmitting a message digest --
+ computed by the originator and verified by the recipient -- with each
+ SNMP message. The data origin authentication service is provided by
+ prefixing the message with a secret value known only to the
+ originator and recipient, prior to computing the digest. Thus, data
+ integrity is supported explicitly while data origin authentication is
+ supported implicitly in the verification of the digest.
+
+ The Symmetric Privacy Protocol is described in Section 5. It protects
+ messages from disclosure by encrypting their contents according to a
+ secret cryptographic key known only to the originator and recipient.
+ The additional functionality afforded by this protocol is assumed to
+ justify its additional computational cost.
+
+ The Digest Authentication Protocol depends on the existence of
+ loosely synchronized clocks between the originator and recipient of a
+ message. The protocol specification makes no assumptions about the
+ strategy by which such clocks are synchronized. Section 6.3 presents
+ one strategy that is particularly suited to the demands of SNMP
+ network management.
+
+ Both protocols described here require the sharing of secret
+ information between the originator of a message and its recipient.
+ The protocol specifications assume the existence of the necessary
+ secrets. The selection of such secrets and their secure distribution
+ to appropriate parties may be accomplished by a variety of
+ strategies. Section 6.4 presents one such strategy that is
+ particularly suited to the demands of SNMP network management.
+
+2.1 Threats
+
+ Several of the classical threats to network protocols are applicable
+ to the network management problem and therefore would be applicable
+ to any SNMP security protocol. Other threats are not applicable to
+ the network management problem. This section discusses principal
+ threats, secondary threats, and threats which are of lesser
+ importance.
+
+ The principal threats against which any SNMP security protocol should
+ provide protection are:
+
+
+
+
+
+Galvin, McCloghrie, & Davin [Page 3]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ Modification of Information.
+ The SNMP protocol provides the means for management stations to
+ interrogate and to manipulate the value of objects in a managed
+ agent. The modification threat is the danger that some party may
+ alter in-transit messages generated by an authorized party in such
+ a way as to effect unauthorized management operations, including
+ falsifying the value of an object.
+
+ Masquerade.
+ The SNMP administrative model includes an access control model.
+ Access control necessarily depends on knowledge of the origin of a
+ message. The masquerade threat is the danger that management
+ operations not authorized for some party may be attempted by that
+ party by assuming the identity of another party that has the
+ appropriate authorizations.
+
+ Two secondary threats are also identified. The security protocols
+ defined in this memo do provide protection against:
+
+ Message Stream Modification.
+ The SNMP protocol is based upon connectionless transport services.
+ The message stream modification threat is the danger that messages
+ may be arbitrarily re-ordered, delayed or replayed to effect
+ unauthorized management operations. This threat may arise either
+ by the work of a malicious attacker or by the natural operation of
+ a subnetwork service.
+
+ Disclosure.
+ The disclosure threat is the danger of eavesdropping on the
+ exchanges between managed agents and a management station.
+ Protecting against this threat is mandatory when the SNMP is used
+ to administer private parameters on which its security is based.
+ Protecting against the disclosure threat may also be required as a
+ matter of local policy.
+
+ There are at least two threats that a SNMP security protocol need not
+ protect against. The security protocols defined in this memo do not
+ provide protection against:
+
+ Denial of Service.
+ A SNMP security protocol need not attempt to address the broad
+ range of attacks by which service to authorized parties is denied.
+ Indeed, such denial-of-service attacks are in many cases
+ indistinguishable from the type of network failures with which any
+ viable network management protocol must cope as a matter of
+ course.
+
+
+
+
+
+Galvin, McCloghrie, & Davin [Page 4]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ Traffic Analysis.
+ In addition, a SNMP security protocol need not attempt to address
+ traffic analysis attacks. Indeed, many traffic patterns are
+ predictable -- agents may be managed on a regular basis by a
+ relatively small number of management stations -- and therefore
+ there is no significant advantage afforded by protecting against
+ traffic analysis.
+
+2.2 Goals and Constraints
+
+ Based on the foregoing account of threats in the SNMP network
+ management environment, the goals of a SNMP security protocol are
+ enumerated below.
+
+ 1. The protocol should provide for verification that each
+ received SNMP message has not been modified during
+ its transmission through the network in such a way that
+ an unauthorized management operation might result.
+
+ 2. The protocol should provide for verification of the
+ identity of the originator of each received SNMP
+ message.
+
+ 3. The protocol should provide that the apparent time of
+ generation for each received SNMP message is recent.
+
+ 4. The protocol should provide that the apparent time of
+ generation for each received SNMP message is
+ subsequent to that for all previously delivered messages
+ of similar origin.
+
+ 5. The protocol should provide, when necessary, that the
+ contents of each received SNMP message are protected
+ from disclosure.
+
+ In addition to the principal goal of supporting secure network
+ management, the design of any SNMP security protocol is also
+ influenced by the following constraints:
+
+ 1. When the requirements of effective management in times
+ of network stress are inconsistent with those of security,
+ the former are preferred.
+
+ 2. Neither the security protocol nor its underlying security
+ mechanisms should depend upon the ready availability
+ of other network services (e.g., Network Time Protocol
+ (NTP) or secret/key management protocols).
+
+
+
+
+Galvin, McCloghrie, & Davin [Page 5]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ 3. A security mechanism should entail no changes to the
+ basic SNMP network management philosophy.
+
+2.3 Security Services
+
+ The security services necessary to support the goals of a SNMP
+ security protocol are as follows.
+
+ Data Integrity is the provision of the property that data
+ and data sequences have not been altered or destroyed
+ in an unauthorized manner.
+
+ Data Origin Authentication is the provision of the
+ property that the claimed origin of received data is
+ corroborated.
+
+ Data Confidentiality is the provision of the property that
+ information is not made available or disclosed to
+ unauthorized individuals, entities, or processes.
+
+ The protocols specified in this memo require both data
+ integrity and data origin authentication to be used at all
+ times. For these protocols, it is not possible to realize data
+ integrity without data origin authentication, nor is it possible
+ to realize data origin authentication without data integrity.
+
+ Further, there is no provision for data confidentiality without
+ both data integrity and data origin authentication.
+
+2.4 Mechanisms
+
+ The security protocols defined in this memo employ several
+ types of mechanisms in order to realize the goals and security
+ services described above:
+
+ o In support of data integrity, a message digest algorithm
+ is required. A digest is calculated over an appropriate
+ portion of a SNMP message and included as part of the
+ message sent to the recipient.
+
+ o In support of data origin authentication and data
+ integrity, the portion of a SNMP message that is
+ digested is first prefixed with a secret value shared by
+ the originator of that message and its intended recipient.
+
+ o To protect against the threat of message reordering, a
+ timestamp value is included in each message generated.
+ A recipient evaluates the timestamp to determine if the
+
+
+
+Galvin, McCloghrie, & Davin [Page 6]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ message is recent and it uses the timestamp to determine
+ if the message is ordered relative to other messages it
+ has received. In conjunction with other readily available
+ information (e.g., the request-id), the timestamp also
+ indicates whether or not the message is a replay of a
+ previous message. This protection against the threat of
+ message reordering implies no protection against
+ unauthorized deletion or suppression of messages.
+
+ o In support of data confidentiality, a symmetric
+ encryption algorithm is required. An appropriate
+ portion of the message is encrypted prior to being
+ transmitted to its recipient.
+
+ The security protocols in this memo are defined independently of the
+ particular choice of a message digest and encryption algorithm --
+ owing principally to the lack of a suitable metric by which to
+ evaluate the security of particular algorithm choices. However, in
+ the interests of completeness and in order to guarantee
+ interoperability, Sections 2.4.1 and 2.4.2 specify particular
+ choices, which are considered acceptably secure as of this writing.
+ In the future, this memo may be updated by the publication of a memo
+ specifying substitute or alternate choices of algorithms, i.e., a
+ replacement for or addition to the sections below.
+
+2.4.1 Message Digest Algorithm
+
+ In support of data integrity, the use of the MD5 [3] message digest
+ algorithm is chosen. A 128-bit digest is calculated over the
+ designated portion of a SNMP message and included as part of the
+ message sent to the recipient.
+
+ An appendix of [3] contains a C Programming Language implementation
+ of the algorithm. This code was written with portability being the
+ principal objective. Implementors may wish to optimize the
+ implementation with respect to the characteristics of their hardware
+ and software platforms.
+
+ The use of this algorithm in conjunction with the Digest
+ Authentication Protocol (see Section 4) is identified by the ASN.1
+ object identifier value md5AuthProtocol, defined in [4].
+
+ For any SNMP party for which the authentication protocol is
+ md5AuthProtocol, the size of its private authentication key is 16
+ octets.
+
+ Within an authenticated management communication generated by such a
+ party, the size of the authDigest component of that communication
+
+
+
+Galvin, McCloghrie, & Davin [Page 7]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ (see Section 4) is 16 octets.
+
+2.4.2 Symmetric Encryption Algorithm
+
+ In support of data confidentiality, the use of the Data Encryption
+ Standard (DES) in the Cipher Block Chaining mode of operation is
+ chosen. The designated portion of a SNMP message is encrypted and
+ included as part of the message sent to the recipient.
+
+ Two organizations have published specifications defining the DES: the
+ National Institute of Standards and Technology (NIST) [5] and the
+ American National Standards Institute [6]. There is a companion
+ Modes of Operation specification for each definition (see [7] and
+ [8], respectively).
+
+ The NIST has published three additional documents that implementors
+ may find useful.
+
+ o There is a document with guidelines for implementing
+ and using the DES, including functional specifications
+ for the DES and its modes of operation [9].
+
+ o There is a specification of a validation test suite for the
+ DES [10]. The suite is designed to test all aspects of the
+ DES and is useful for pinpointing specific problems.
+
+ o There is a specification of a maintenance test for the
+ DES [11]. The test utilizes a minimal amount of data
+ and processing to test all components of the DES. It
+ provides a simple yes-or-no indication of correct
+ operation and is useful to run as part of an initialization
+ step, e.g., when a computer reboots.
+
+
+ The use of this algorithm in conjunction with the Symmetric Privacy
+ Protocol (see Section 5) is identified by the ASN.1 object identifier
+ value desPrivProtocol, defined in [4].
+
+ For any SNMP party for which the privacy protocol is desPrivProtocol,
+ the size of the private privacy key is 16 octets, of which the first
+ 8 octets are a DES key and the second 8 octets are a DES
+ Initialization Vector. The 64-bit DES key in the first 8 octets of
+ the private key is a 56 bit quantity used directly by the algorithm
+ plus 8 parity bits -- arranged so that one parity bit is the least
+ significant bit of each octet. The setting of the parity bits is
+ ignored.
+
+ The length of the octet sequence to be encrypted by the DES must be
+
+
+
+Galvin, McCloghrie, & Davin [Page 8]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ an integral multiple of 8. When encrypting, the data should be padded
+ at the end as necessary; the actual pad value is insignificant.
+
+ If the length of the octet sequence to be decrypted is not an
+ integral multiple of 8 octets, the processing of the octet sequence
+ should be halted and an appropriate exception noted. Upon decrypting,
+ the padding should be ignored.
+
+3. SNMP Party
+
+ Recall from [2] that a SNMP party is a conceptual, virtual execution
+ context whose operation is restricted (for security or other
+ purposes) to an administratively defined subset of all possible
+ operations of a particular SNMP protocol entity. A SNMP protocol
+ entity is an actual process which performs network management
+ operations by generating and/or responding to SNMP protocol messages
+ in the manner specified in [1]. Architecturally, every SNMP protocol
+ entity maintains a local database that represents all SNMP parties
+ known to it.
+
+ A SNMP party may be represented by an ASN.1 value with the following
+ syntax.
+
+
+ SnmpParty ::= SEQUENCE {
+ partyIdentity
+ OBJECT IDENTIFIER,
+ partyTDomain
+ OBJECT IDENTIFIER,
+ partyTAddr
+ OCTET STRING,
+ partyProxyFor
+ OBJECT IDENTIFIER,
+ partyMaxMessageSize
+ INTEGER,
+ partyAuthProtocol
+ OBJECT IDENTIFIER,
+ partyAuthClock
+ INTEGER,
+ partyAuthLastMsg
+ INTEGER,
+ partyAuthNonce
+ INTEGER,
+ partyAuthPrivate
+ OCTET STRING,
+ partyAuthPublic
+ OCTET STRING,
+ partyAuthLifetime
+
+
+
+Galvin, McCloghrie, & Davin [Page 9]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ INTEGER,
+ partyPrivProtocol
+ OBJECT IDENTIFIER,
+ partyPrivPrivate
+ OCTET STRING,
+ partyPrivPublic
+ OCTET STRING
+ }
+
+
+ For each SnmpParty value that represents a SNMP party, the generic
+ significance of each of its components is defined in [2]. For each
+ SNMP party that supports the generation of messages using the Digest
+ Authentication Protocol, additional, special significance is
+ attributed to certain components of that party's representation:
+
+ o Its partyAuthProtocol component is called the
+ authentication protocol and identifies a combination of
+ the Digest Authentication Protocol with a particular
+ digest algorithm (such as that defined in Section 2.4.1).
+ This combined mechanism is used to authenticate the
+ origin and integrity of all messages generated by the
+ party.
+
+ o Its partyAuthClock component is called the
+ authentication clock and represents a notion of the
+ current time that is specific to the party.
+
+ o Its partyAuthLastMsg component is called the
+ last-timestamp and represents a notion of time
+ associated with the most recent, authentic protocol
+ message generated by the party.
+
+ o Its partyAuthNonce component is called the nonce
+ and represents a monotonically increasing integer
+ associated with the most recent, authentic protocol
+ message generated by the party. The nonce associated
+ with a particular message distinguishes it among all
+ others transmitted in the same unit time interval.
+
+ o Its partyAuthPrivate component is called the private
+ authentication key and represents any secret value
+ needed to support the Digest Authentication Protocol
+ and associated digest algorithm.
+
+ o Its partyAuthPublic component is called the public
+ authentication key and represents any public value that
+ may be needed to support the authentication protocol.
+
+
+
+Galvin, McCloghrie, & Davin [Page 10]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ This component is not significant except as suggested in
+ Section 6.4.
+
+ o Its partyAuthLifetime component is called the
+ lifetime and represents an administrative upper bound
+ on acceptable delivery delay for protocol messages
+ generated by the party.
+
+ For each SNMP party that supports the receipt of messages via the
+ Symmetric Privacy Protocol, additional, special significance is
+ attributed to certain components of that party's representation:
+
+ o Its partyPrivProtocol component is called the privacy
+ protocol and identifies a combination of the Symmetric
+ Privacy Protocol with a particular encryption algorithm
+ (such as that defined in Section 2.4.2). This combined
+ mechanism is used to protect from disclosure all protocol
+ messages received by the party.
+
+ o Its partyPrivPrivate component is called the private
+ privacy key and represents any secret value needed to
+ support the Symmetric Privacy Protocol and associated
+ encryption algorithm.
+
+ o Its partyPrivPublic component is called the public
+ privacy key and represents any public value that may be
+ needed to support the privacy protocol. This component
+ is not significant except as suggested in Section 6.4.
+
+4. Digest Authentication Protocol
+
+ This section describes the Digest Authentication Protocol. It
+ provides both for verifying the integrity of a received message
+ (i.e., the message received is the message sent) and for verifying
+ the origin of a message (i.e., the reliable identification of the
+ originator). The integrity of the message is protected by computing a
+ digest over an appropriate portion of a message. The digest is
+ computed by the originator of the message, transmitted with the
+ message, and verified by the recipient of the message.
+
+ A secret value known only to the originator and recipient of the
+ message is prefixed to the message prior to the digest computation.
+ Thus, the origin of the message is known implicitly with the
+ verification of the digest.
+
+ Recall from [2] that a SNMP management communication is represented
+ by an ASN.1 value with the following syntax.
+
+
+
+
+Galvin, McCloghrie, & Davin [Page 11]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ SnmpMgmtCom ::= [1] IMPLICIT SEQUENCE {
+ dstParty
+ OBJECT IDENTIFIER,
+ srcParty
+ OBJECT IDENTIFIER,
+ pdu PDUs
+ }
+
+
+ For each SnmpMgmtCom value that represents a SNMP management
+ communication, the following statements are true:
+
+ o Its dstParty component is called the destination and
+ identifies the SNMP party to which the communication
+ is directed.
+
+ o Its srcParty component is called the source and
+ identifies the SNMP party from which the
+ communication is originated.
+
+ o Its pdu component has the form and significance
+ attributed to it in [1].
+
+ Recall from [2] that a SNMP authenticated management communication is
+ represented by an ASN.1 value with the following syntax.
+
+ SnmpAuthMsg ::= [1] IMPLICIT SEQUENCE {
+ authInfo
+ ANY, - defined by authentication protocol
+ authData
+ SnmpMgmtCom
+ }
+
+
+ For each SnmpAuthMsg value that represents a SNMP authenticated
+ management communication, the following statements are true:
+
+ o Its authInfo component is called the authentication
+ information and represents information required in
+ support of the authentication protocol used by the
+ SNMP party originating the message. The detailed
+ significance of the authentication information is specific
+ to the authentication protocol in use; it has no effect on
+ the application semantics of the communication other
+ than its use by the authentication protocol in
+ determining whether the communication is authentic or
+ not.
+
+
+
+
+Galvin, McCloghrie, & Davin [Page 12]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ o Its authData component is called the authentication
+ data and represents a SNMP management
+ communication.
+
+ In support of the Digest Authentication Protocol, an authInfo
+ component is of type AuthInformation:
+
+ AuthInformation ::= [1] IMPLICIT SEQUENCE {
+ authTimestamp
+ INTEGER (0..2147483647),
+ authNonce
+ INTEGER (0..2147483647),
+ authDigest
+ OCTET STRING
+ }
+
+
+ For each AuthInformation value that represents authentication
+ information, the following statements are true:
+
+
+ o Its authTimestamp component is called the
+ authentication timestamp and represents the time of the
+ generation of the message according to the
+ partyAuthClock of the SNMP party that originated
+ it. Note that the granularity of the authentication
+ timestamp is 1 second.
+
+ o Its authNonce component is called the authentication
+ nonce and represents a non-negative integer value
+ evaluated according to the authTimestamp value. In
+ order not to limit transmission frequency of management
+ communications to the granularity of the authentication
+ timestamp, the authentication nonce is provided to
+ differentiate between multiple messages sent with the
+ same value of authTimestamp. The authentication
+ nonce is a monotonically increasing sequence number,
+ that is reset for each new authentication timestamp
+ value.
+
+ o Its authDigest component is called the authentication
+ digest and represents the digest computed over an
+ appropriate portion of the message, where the message is
+ temporarily prefixed with a secret value for the purposes
+ of computing the digest.
+
+
+
+
+
+
+Galvin, McCloghrie, & Davin [Page 13]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+4.1 Generating a Message
+
+ This section describes the behavior of a SNMP protocol entity when it
+ acts as a SNMP party for which the authentication protocol is
+ administratively specified as the Digest Authentication Protocol.
+ Insofar as the behavior of a SNMP protocol entity when transmitting
+ protocol messages is defined generically in [2], only those aspects
+ of that behavior that are specific to the Digest Authentication
+ Protocol are described below. In particular, this section describes
+ the encapsulation of a SNMP management communication into a SNMP
+ authenticated management communication.
+
+ According to [2], a SnmpAuthMsg value is constructed during Step 3 of
+ generic processing. In particular, it states the authInfo component
+ is constructed according to the authentication protocol identified
+ for the SNMP party originating the message. When the relevant
+ authentication protocol is the Digest Authentication Protocol, the
+ procedure performed by a SNMP protocol entity whenever a management
+ communication is to be transmitted by a SNMP party is as follows.
+
+ 1. The local database is consulted to determine the
+ authentication clock, last-timestamp, nonce, and private
+ authentication key (extracted, for example, according to
+ the conventions defined in Section 2.4.1) of the SNMP
+ party originating the message.
+
+ 2. The authTimestamp component is set to the retrieved
+ authentication clock value.
+
+ 3. If the last-timestamp is equal to the authentication
+ clock, the nonce is incremented. Otherwise the nonce is
+ set to zero. The authNonce component is set to the
+ nonce value. In the local database, the originating
+ SNMP party's nonce and last-timestamp are set to the
+ nonce value and the authentication clock, respectively.
+
+ 4. The authentication digest is temporarily set to the
+ private authentication key. The SnmpAuthMsg value
+ is serialized according to the conventions of [12] and [1].
+ A digest is computed over the octet sequence
+ representing that serialized value using, for example, the
+ algorithm specified in Section 2.4.1. The authDigest
+ component is set to the computed digest value.
+
+ As set forth in [2], the SnmpAuthMsg value is then encapsulated
+ according to the appropriate privacy protocol into a SnmpPrivMsg
+ value. This latter value is then serialized and transmitted to the
+ receiving SNMP party.
+
+
+
+Galvin, McCloghrie, & Davin [Page 14]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+4.2 Receiving a Message
+
+ This section describes the behavior of a SNMP protocol entity upon
+ receipt of a protocol message from a SNMP party for which the
+ authentication protocol is administratively specified as the Digest
+ Authentication Protocol. Insofar as the behavior of a SNMP protocol
+ entity when receiving protocol messages is defined generically in
+ [2], only those aspects of that behavior that are specific to the
+ Digest Authentication Protocol are described below.
+
+ According to [2], a SnmpAuthMsg value is evaluated during Step 9 of
+ generic processing. In particular, it states the SnmpAuthMsg value is
+ evaluated according to the authentication protocol identified for the
+ SNMP party that originated the message. When the relevant
+ authentication protocol is the Digest Authentication Protocol, the
+ procedure performed by a SNMP protocol entity whenever a management
+ communication is received by a SNMP party is as follows.
+
+ 1. If the ASN.1 type of the authInfo component is not
+ AuthInformation, the message is evaluated as
+ unauthentic. Otherwise, the authTimestamp,
+ authNonce, and authDigest components are
+ extracted from the SnmpAuthMsg value.
+
+ 2. The local database is consulted to determine the
+ authentication clock, last-timestamp, nonce, private
+ authentication key (extracted, for example, according to
+ the conventions defined in Section 2.4.1), and lifetime of
+ the SNMP party that originated the message.
+
+ 3. If the authTimestamp component plus the lifetime is
+ less than the authentication clock, the message is
+ evaluated as unauthentic.
+
+ 4. If the authTimestamp component is less than the
+ last-timestamp recorded for the originating party in the
+ local database, the message is evaluated as unauthentic.
+
+ 5. If the authTimestamp component is equal to the
+ last-timestamp and if the authNonce component is less
+ than or equal to the nonce, the message is evaluated as
+ unauthentic.
+
+ 6. The authDigest component is extracted and
+ temporarily recorded.
+
+ 7. A new SnmpAuthMsg value is constructed such that
+ its authDigest component is set to the private
+
+
+
+Galvin, McCloghrie, & Davin [Page 15]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ authentication key and its other components are set to
+ the value of the corresponding components in the
+ received SnmpAuthMsg value. This new
+ SnmpAuthMsg value is serialized according to the
+ conventions of [12] and [1]. A digest is computed over
+ the octet sequence representing that serialized value
+ using, for example, the algorithm specified in
+ Section 2.4.1.
+
+ 8. If the computed digest value is not equal to the
+ previously recorded digest value, the message is
+ evaluated as unauthentic.
+
+ 9. The message is evaluated as authentic.
+
+ 10. The last-timestamp and nonce values locally recorded
+ for the originating SNMP party are set to the
+ authTimestamp value and the authNonce value,
+ respectively.
+
+ 11. The authentication clock value locally recorded for the
+ originating SNMP party is advanced to the
+ authTimestamp value if this latter exceeds the
+ recorded value.
+
+ If the SnmpAuthMsg value is evaluated as unauthentic, an
+ authentication failure is noted and the received message is discarded
+ without further processing. Otherwise, processing of the received
+ message continues as specified in [2].
+
+5. Symmetric Privacy Protocol
+
+ This section describes the Symmetric Privacy Protocol. It provides
+ for protection from disclosure of a received message. An appropriate
+ portion of the message is encrypted according to a secret key known
+ only to the originator and recipient of the message.
+
+ This protocol assumes the underlying mechanism is a symmetric
+ encryption algorithm. In addition, the message to be encrypted must
+ be protected according to the conventions of the Digest
+ Authentication Protocol.
+
+ Recall from [2] that a SNMP private management communication is
+ represented by an ASN.1 value with the following syntax.
+
+
+
+
+
+
+
+Galvin, McCloghrie, & Davin [Page 16]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ SnmpPrivMsg ::= [1] IMPLICIT SEQUENCE {
+ privDst
+ OBJECT IDENTIFIER,
+ privData
+ [1] IMPLICIT OCTET STRING
+ }
+
+
+ For each SnmpPrivMsg value that represents a SNMP private management
+ communication, the following statements are true:
+
+ o Its privDst component is called the privacy destination
+ and identifies the SNMP party to which the
+ communication is directed.
+
+ o Its privData component is called the privacy data and
+ represents the (possibly encrypted) serialization
+ (according to the conventions of [12] and [1]) of a SNMP
+ authenticated management communication.
+
+5.1 Generating a Message
+
+ This section describes the behavior of a SNMP protocol entity when it
+ communicates with a SNMP party for which the privacy protocol is
+ administratively specified as the Symmetric Privacy Protocol. Insofar
+ as the behavior of a SNMP protocol entity when transmitting a
+ protocol message is defined generically in [2], only those aspects of
+ that behavior that are specific to the Symmetric Privacy Protocol are
+ described below. In particular, this section describes the
+ encapsulation of a SNMP authenticated management communication into a
+ SNMP private management communication.
+
+ According to [2], a SnmpPrivMsg value is constructed during Step 5 of
+ generic processing. In particular, it states the privData component
+ is constructed according to the privacy protocol identified for the
+ SNMP party receiving the message. When the relevant privacy protocol
+ is the Symmetric Privacy Protocol, the procedure performed by a SNMP
+ protocol entity whenever a management communication is to be
+ transmitted by a SNMP party is as follows.
+
+ 1. If the SnmpAuthMsg value is not authenticated
+ according to the conventions of the Digest
+ Authentication Protocol, the generation of the private
+ management communication fails according to a local
+ procedure, without further processing.
+
+ 2. The local database is consulted to determine the private
+ privacy key of the SNMP party receiving the message
+
+
+
+Galvin, McCloghrie, & Davin [Page 17]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ (represented, for example, according to the conventions
+ defined in Section 2.4.2).
+
+ 3. The SnmpAuthMsg value is serialized according to the
+ conventions of [12] and [1].
+
+ 4. The octet sequence representing the serialized
+ SnmpAuthMsg value is encrypted using, for example,
+ the algorithm specified in Section 2.4.2 and the
+ extracted private privacy key.
+
+ 5. The privData component is set to the encrypted value.
+
+ As set forth in [2], the SnmpPrivMsg value is then serialized
+ and transmitted to the receiving SNMP party.
+
+5.2 Receiving a Message
+
+ This section describes the behavior of a SNMP protocol entity when it
+ acts as a SNMP party for which the privacy protocol is
+ administratively specified as the Symmetric Privacy Protocol. Insofar
+ as the behavior of a SNMP protocol entity when receiving a protocol
+ message is defined generically in [2], only those aspects of that
+ behavior that are specific to the Symmetric Privacy Protocol are
+ described below.
+
+ According to [2], the privData component of a received SnmpPrivMsg
+ value is evaluated during Step 4 of generic processing. In
+ particular, it states the privData component is evaluated according
+ to the privacy protocol identified for the SNMP party receiving the
+ message. When the relevant privacy protocol is the Symmetric Privacy
+ Protocol, the procedure performed by a SNMP protocol entity whenever
+ a management communication is received by a SNMP party is as follows.
+
+ 1. The local database is consulted to determine the private
+ privacy key of the SNMP party receiving the message
+ (represented, for example, according to the conventions
+ defined in Section 2.4.2).
+
+ 2. The contents octets of the privData component are
+ decrypted using, for example, the algorithm specified in
+ Section 2.4.2 and the extracted private privacy key.
+
+ Processing of the received message continues as specified in [2].
+
+
+
+
+
+
+
+Galvin, McCloghrie, & Davin [Page 18]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+6. Clock and Secret Distribution
+
+ The protocols described in Sections 4 and 5 assume the existence of
+ loosely synchronized clocks and shared secret values. Three
+ requirements constrain the strategy by which clock values and secrets
+ are distributed.
+
+ o If the value of an authentication clock is decreased, the
+ last-timestamp and private authentication key must be
+ changed concurrently.
+
+ When the value of an authentication clock is decreased,
+ messages that have been sent with a timestamp value
+ between the value of the authentication clock and its
+ new value may be replayed. Changing the private
+ authentication key obviates this threat. However,
+ changing the authentication clock and the private
+ authentication key is not sufficient to ensure proper
+ operation. If the last-timestamp is not reduced similarly
+ to the authentication clock, no message will be
+ considered authentic until the value of the authentication
+ clock exceeds the value of the last-timestamp.
+
+ o The private authentication key and private privacy key
+ must be known only to the parties requiring knowledge
+ of them.
+
+ Protecting the secrets from disclosure is critical to the
+ security of the protocols. In particular, if the secrets are
+ distributed via a network, the secrets must be protected
+ with a protocol that supports confidentiality, e.g., the
+ Symmetric Privacy Protocol. Further, knowledge of the
+ secrets must be as restricted as possible within an
+ implementation. In particular, although the secrets may
+ be known to one or more persons during the initial
+ configuration of a device, the secrets should be changed
+ immediately after configuration such that their actual
+ value is known only to the software. A management
+ station has the additional responsibility of recovering the
+ state of all parties whenever it boots, and it may address
+ this responsibility by recording the secrets on a
+ long-term storage device. Access to information on this
+ device must be as restricted as is practically possible.
+
+ o There must exist at least one SNMP protocol entity that
+ assumes the role of a responsible management station.
+
+ This management station is responsible for ensuring that
+
+
+
+Galvin, McCloghrie, & Davin [Page 19]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ all authentication clocks are synchronized and for
+ changing the secret values when necessary. Although
+ more than one management station may share this
+ responsibility, their coordination is essential to the
+ secure management of the network. The mechanism by
+ which multiple management stations ensure that no
+ more than one of them attempts to synchronize the
+ clocks or update the secrets at any one time is a local
+ implementation issue.
+
+ A responsible management station may either support
+ clock synchronization and secret distribution as separate
+ functions, or combine them into a single functional unit.
+
+ The first section below specifies the procedures by which a SNMP
+ protocol entity is initially configured. The next two sections
+ describe one strategy for distributing clock values and one for
+ determining a synchronized clock value among SNMP parties supporting
+ the Digest Authentication Protocol. For SNMP parties supporting the
+ Symmetric Privacy Protocol, the next section describes a strategy for
+ distributing secret values. The last section specifies the procedures
+ by which a SNMP protocol entity recovers from a "crash."
+
+6.1 Initial Configuration
+
+ This section describes the initial configuration of a SNMP protocol
+ entity that supports the Digest Authentication Protocol or both the
+ Digest Authentication Protocol and the Symmetric Privacy Protocol.
+
+ When a network device is first installed, its initial, secure
+ configuration must be done manually, i.e., a person must physically
+ visit the device and enter the initial secret values for at least its
+ first secure SNMP party. This requirement suggests that the person
+ will have knowledge of the initial secret values.
+
+ In general, the security of a system is enhanced as the number of
+ entities that know a secret is reduced. Requiring a person to
+ physically visit a device every time a SNMP party is configured not
+ only exposes the secrets unnecessarily but is administratively
+ prohibitive. In particular, when MD5 is used, the initial
+ authentication secret is 128 bits long and when DES is used an
+ additional 128 bits are needed -- 64 bits each for the key and
+ initialization vector. Clearly, these values will need to be recorded
+ on a medium in order to be transported between a responsible
+ management station and a managed agent. The recommended procedure is
+ to configure a small set of initial SNMP parties for each SNMP
+ protocol entity, one pair of which may be used initially to configure
+ all other SNMP parties.
+
+
+
+Galvin, McCloghrie, & Davin [Page 20]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ In fact, there is a minimal, useful set of SNMP parties that could be
+ configured between each responsible management station and managed
+ agent. This minimal set includes one of each of the following for
+ both the responsible management station and the managed agent:
+
+ o a SNMP party for which the authentication protocol and
+ privacy protocol are the values noAuth and noPriv,
+ respectively,
+
+ o a SNMP party for which the authentication protocol
+ identifies the mechanism defined in Section 2.4.1 and its
+ privacy protocol is the value noPriv, and
+
+ o a SNMP party for which the authentication protocol and
+ privacy protocol identify the mechanisms defined in
+ Section 2.4.1 and Section 2.4.2, respectively.
+
+ The last of these SNMP parties in both the responsible management
+ station and the managed agent could be used to configure all other
+ SNMP parties. It is the only suitable party for this purpose because
+ it is the only party that supports data confidentiality, which is
+ necessary in order to protect the distributed secrets from disclosure
+ to unauthorized entities.
+
+ Configuring one pair of SNMP parties to be used to configure all
+ other parties has the advantage of exposing only one pair of secrets
+ -- the secrets used to configure the minimal, useful set identified
+ above. To limit this exposure, the responsible management station
+ should change these values as its first operation upon completion of
+ the initial configuration. In this way, secrets are known only to the
+ peers requiring knowledge of them in order to communicate.
+
+ The Management Information Base (MIB) document [4] supporting these
+ security protocols specifies 6 initial party identities and initial
+ values, which, by convention, are assigned to the parties and their
+ associated parameters.
+
+ All 6 parties should be configured in each new managed agent and its
+ responsible management station. The responsible management station
+ should be configured first, since the management station can be used
+ to generate the initial secrets and provide them to a person, on a
+ suitable medium, for distribution to the managed agent. The following
+ sequence of steps describes the initial configuration of a managed
+ agent and its responsible management station.
+
+ 1. Determine the initial values for each of the attributes of
+ the SNMP party to be configured. Some of these values
+ may be computed by the responsible management
+
+
+
+Galvin, McCloghrie, & Davin [Page 21]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ station, some may be specified in the MIB document,
+ and some may be administratively determined.
+
+ 2. Configure the parties in the responsible management
+ station, according to the set of initial values. If the
+ management station is computing some initial values to
+ be entered into the agent, an appropriate medium must
+ be present to record the values.
+
+ 3. Configure the parties in the managed agent, according to
+ the set of initial values.
+
+ 4. The responsible management station must synchronize
+ the authentication clock values for each party it shares
+ with each managed agent. Section 6.3 specifies one
+ strategy by which this could be accomplished.
+
+ 5. The responsible management station should change the
+ secret values manually configured to ensure the actual
+ values are known only to the peers requiring knowledge
+ of them in order to communicate. To do this, the
+ management station generates new secrets for each party
+ to be reconfigured and distributes those secrets with a
+ strategy that uses a protocol that protects them from
+ disclosure, e.g., Symmetric Privacy Protocol (see
+ Section 6.4). Upon receiving positive acknowledgement
+ that the new values have been distributed, the
+ management station should update its local database
+ with the new values.
+
+ If the managed agent does not support a protocol that protects
+ messages from disclosure, then automatic maintenance and
+ configuration of parties is not possible, i.e., the last step above
+ is not possible. The secrets can only be changed by a physical visit
+ to the device.
+
+ If there are other SNMP protocol entities requiring knowledge of the
+ secrets, the responsible management station must distribute the
+ information upon completion of the initial configuration. The
+ mechanism used must protect the secrets from disclosure to
+ unauthorized entities. The Symmetric Privacy Protocol, for example,
+ is an acceptable mechanism.
+
+6.2 Clock Distribution
+
+ A responsible management station must ensure that the authentication
+ clock value for each SNMP party for which it is responsible
+
+
+
+
+Galvin, McCloghrie, & Davin [Page 22]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ o is loosely synchronized among all the local databases in
+ which it appears,
+
+ o is reset, as indicated below, upon reaching its maximal
+ value, and
+
+ o is non-decreasing, except as indicated below.
+
+ The skew among the clock values must be accounted for in the lifetime
+ value, in addition to the expected communication delivery delay.
+
+ A skewed authentication clock may be detected by a number of
+ strategies, including knowledge of the accuracy of the system clock,
+ unauthenticated queries of the party database, and recognition of
+ authentication failures originated by the party.
+
+ Whenever clock skew is detected, and whenever the SNMP entities at
+ both the responsible management station and the relevant managed
+ agent support an appropriate privacy protocol (e.g., the Symmetric
+ Privacy Protocol), a straightforward strategy for the correction of
+ clock skew is simultaneous alteration of authentication clock and
+ private key for the relevant SNMP party. If the request to alter the
+ key and clock for a particular party originates from that same party,
+ then, prior to transmitting that request, the local notion of the
+ authentication clock is artificially advanced to assure acceptance of
+ the request as authentic.
+
+ More generally, however, since an authentication clock value need not
+ be protected from disclosure, it is not necessary that a managed
+ agent support a privacy protocol in order for a responsible
+ management station to correct skewed clock values. The procedure for
+ correcting clock skew in the general case is presented in Section
+ 6.3.
+
+ In addition to correcting skewed notions of authentication clocks,
+ every SNMP entity must react correctly as an authentication clock
+ approaches its maximal value. If the authentication clock for a
+ particular SNMP party ever reaches the maximal time value, the clock
+ must halt at that value. (The value of interest may be the maximum
+ less lifetime. When authenticating a message, its authentication
+ timestamp is added to lifetime and compared to the authentication
+ clock. A SNMP protocol entity must guarantee that the sum is never
+ greater than the maximal time value.) In this state, the only
+ authenticated request a management station should generate for this
+ party is one that alters the value of at least its authentication
+ clock and private authentication key. In order to reset these values,
+ the responsible management station may set the authentication
+ timestamp in the message to the maximal time value. In this case, the
+
+
+
+Galvin, McCloghrie, & Davin [Page 23]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ nonce value may be used to distinguish multiple messages.
+
+ The value of the authentication clock for a particular SNMP party
+ must never be altered such that its new value is less than its old
+ value, unless its last-timestamp and private authentication key are
+ also altered at the same time.
+
+6.3 Clock Synchronization
+
+ Unless the secrets are changed at the same time, the correct way to
+ synchronize clocks is to advance the slower clock to be equal to the
+ faster clock. Suppose that party agentParty is realized by the SNMP
+ entity in a managed agent; suppose that party mgrParty is realized by
+ the SNMP entity in the corresponding responsible management station.
+ For any pair of parties, there are four possible conditions of the
+ authentication clocks that could require correction:
+
+ 1. The management station's notion of the value of the
+ authentication clock for agentParty exceeds the agent's
+ notion.
+
+ 2. The management station's notion of the value of the
+ authentication clock for mgrParty exceeds the agent's
+ notion.
+
+ 3. The agent's notion of the value of the authentication
+ clock for agentParty exceeds the management station's
+ notion.
+
+ 4. The agent's notion of the value of the authentication
+ clock for mgrParty exceeds the management station's
+ notion.
+
+ The selective clock acceleration mechanism intrinsic to the protocol
+ corrects conditions 2 and 3 as part of the normal processing of an
+ authentic message. Therefore, the clock adjustment procedure below
+ does not provide for any adjustments in those cases. Rather, the
+ following sequence of steps specifies how the clocks may be
+ synchronized when condition 1, condition 4, or both of those
+ conditions are manifest.
+
+ 1. The responsible management station saves its existing
+ notions of the authentication clocks for the two parties
+ agentParty and mgrParty.
+
+ 2. The responsible management station retrieves the
+ authentication clock values for both agentParty and
+ mgrParty from the agent. This retrieval must be an
+
+
+
+Galvin, McCloghrie, & Davin [Page 24]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ unauthenticated request, since the management station
+ does not know if the clocks are synchronized. If the
+ request fails, the clocks cannot be synchronized, and the
+ clock adjustment procedure is aborted without further
+ processing.
+
+ 3. If the management station's notion of the authentication
+ clock for agentParty exceeds the notion just retrieved
+ from the agent by more than the amount of the
+ communications delay between the two protocol entities,
+ then condition 1 is manifest. The recommended estimate
+ of communication delay in this context is one half of the
+ lifetime value recorded for agentParty.
+
+ 4. If the notion of the authentication clock for mgrParty
+ just retrieved from the agent exceeds the management
+ station's notion, then condition 4 is manifest, and the
+ responsible management station advances its notion of
+ the authentication clock for mgrParty to match the
+ agent's notion.
+
+ 5. If condition 1 is manifest, then the responsible
+ management station sends an authenticated
+ management operation to the agent that advances the
+ agent's notion of the authentication clock for
+ agentParty to be equal to the management station's
+ notion. If this management operation fails, then the
+ management station restores its previously saved notions
+ of the clock values, and the clock adjustment procedure
+ is aborted without further processing.
+
+ 6. The responsible management station retrieves the
+ authentication clock values for both agentParty and
+ mgrParty from the agent. This retrieval must be an
+ authenticated request, in order that the management
+ station may verify that the clock values are properly
+ synchronized. If this authenticated query fails, then the
+ management station restores its previously saved notions
+ of the clock values, and the clock adjustment procedure
+ is aborted without further processing. Otherwise, clock
+ synchronization has been successfully realized.
+
+ It is important to note step 4 above must be completed before
+ attempting step 5. Otherwise, the agent may evaluate the request in
+ step 5 as unauthentic. Similarly, step 5 above must be completed
+ before attempting step 6. Otherwise, the management station may
+ evaluate the query response in step 6 as unauthentic.
+
+
+
+
+Galvin, McCloghrie, & Davin [Page 25]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ Administrative advancement of a clock as described above does not
+ introduce any new vulnerabilities, since the value of the clock is
+ intended to increase with the passage of time. A potential
+ operational problem is the rejection of management operations that
+ are authenticated using a previous value of the relevant party clock.
+ This possibility may be avoided if a management station suppresses
+ generation of management traffic between relevant parties while this
+ clock adjustment procedure is in progress.
+
+6.4 Secret Distribution
+
+ This section describes one strategy by which a SNMP protocol entity
+ that supports both the Digest Authentication Protocol and the
+ Symmetric Privacy Protocol can change the secrets for a particular
+ SNMP party.
+
+ The frequency with which the secrets of a SNMP party should be
+ changed is a local administrative issue. However, the more frequently
+ a secret is used, the more frequently it should be changed. At a
+ minimum, the secrets must be changed whenever the associated
+ authentication clock approaches its maximal value (see Section 7).
+ Note that, owing to both administrative and automatic advances of the
+ authentication clock described in this memo, the authentication clock
+ for a SNMP party may well approach its maximal value sooner than
+ might otherwise be expected.
+
+ The following sequence of steps specifies how a responsible
+ management station alters a secret value (i.e., the private
+ authentication key or the private privacy key) for a particular SNMP
+ party.
+
+ 1. The responsible management station generates a new
+ secret value.
+
+ 2. The responsible management station encapsulates a
+ SNMP Set request in a SNMP private management
+ communication with at least the following properties.
+
+ o Its source supports the Digest Authentication
+ Protocol and the Symmetric Privacy Protocol.
+
+ o Its destination supports the Symmetric Privacy
+ Protocol and the Digest Authentication Protocol.
+
+ 3. The SNMP private management communication is
+ transmitted to its destination.
+
+ 4. Upon receiving the request, the recipient processes the
+
+
+
+Galvin, McCloghrie, & Davin [Page 26]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ message according to [1] and [2].
+
+ 5. The recipient encapsulates a SNMP Set response in a
+ SNMP private management communication with at least
+ the following properties.
+
+ o Its source supports the Digest Authentication
+ Protocol and the Symmetric Privacy Protocol.
+
+ o Its destination supports the Symmetric Privacy
+ Protocol and the Digest Authentication Protocol.
+
+ 6. The SNMP private management communication is
+ transmitted to its destination.
+
+ 7. Upon receiving the response, the responsible
+ management station updates its local database with the
+ new value.
+
+ If the responsible management station does not receive a response to
+ its request, there are two possible causes.
+
+ o The request may not have been delivered to the
+ destination.
+
+ o The response may not have been delivered to the
+ originator of the request.
+
+ In order to distinguish the two possible error conditions, a
+ responsible management station could check the destination to see if
+ the change has occurred. Unfortunately, since the secret values are
+ unreadable, this is not directly possible.
+
+ The recommended strategy for verifying key changes is to set the
+ public value corresponding to the secret being changed to a
+ recognizable, novel value: that is, alter the public authentication
+ key value for the relevant party when changing its private
+ authentication key, or alter its public privacy key value when
+ changing its private privacy key. In this way, the responsible
+ management station may retrieve the public value when a response is
+ not received, and verify whether or not the change has taken place.
+ (This strategy is available since the public values are not used by
+ the protocols defined in this memo. If this strategy is employed,
+ then the public values are significant in this context. Of course,
+ protocols using the public values may make use of this strategy
+ directly.)
+
+ One other scenario worthy of mention is using a SNMP party to change
+
+
+
+Galvin, McCloghrie, & Davin [Page 27]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ its own secrets. In this case, the destination will change its local
+ database prior to generating a response. Thus, the response will be
+ constructed according to the new value. However, the responsible
+ management station will not update its local database until after the
+ response is received. This suggests the responsible management
+ station may receive a response which will be evaluated as
+ unauthentic, unless the correct secret is used. The responsible
+ management station may either account for this scenario as a special
+ case, or use an alteration of the relevant public values (as
+ described above) to verify the key change.
+
+ Note, during the period of time after the request has been sent and
+ before the response is received, the management station must keep
+ track of both the old and new secret values. Since the delay may be
+ the result of a network failure, the management station must be
+ prepared to retain both values for an extended period of time,
+ including across reboots.
+
+6.5 Crash Recovery
+
+ This section describes the requirements for SNMP protocol entities in
+ connection with recovery from system crashes or other service
+ interruptions.
+
+ For each SNMP party in the local database for a particular SNMP
+ protocol entity, its identity, authentication clock, private
+ authentication key, and private privacy key must enjoy non-volatile,
+ incorruptible representations. If possible, lifetime should also
+ enjoy a non-volatile, incorruptible representation. If said protocol
+ entity supports other security protocols or algorithms in addition to
+ the two defined in this memo, then the authentication protocol and
+ the privacy protocol for each party also require non-volatile,
+ incorruptible representation.
+
+ The authentication clock of a SNMP party is a critical component of
+ the overall security of the protocols. The inclusion of a reliable
+ representation of a clock in a SNMP protocol entity enhances overall
+ security. A reliable clock representation continues to increase
+ according to the passage of time, even when the local SNMP protocol
+ entity -- due to power loss or other system failure -- may not be
+ operating. An example of a reliable clock representation is that
+ provided by battery-powered clock-calendar devices incorporated into
+ some contemporary systems. It is assumed that management stations
+ always support reliable clock representations, where clock adjustment
+ by a human operator during crash recovery may contribute to that
+ reliability.
+
+ If a managed agent crashes and does not reboot in time for its
+
+
+
+Galvin, McCloghrie, & Davin [Page 28]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ responsible management station to prevent its authentication clock
+ from reaching its maximal value, upon reboot the clock must be halted
+ at its maximal value. The procedures specified in Section 6.3 would
+ then apply.
+
+ If a managed network element supports a reliable clock
+ representation, recovering from a crash requires few special actions.
+ Upon recovery, those attributes of each SNMP party that do not enjoy
+ non-volatile or reliable representation are initialized as follows.
+
+ o If the private authentication key is not the OCTET
+ STRING of zero length, the authentication protocol is
+ set to identify use of the Digest Authentication Protocol
+ in conjunction with the algorithm specified in
+ Section 2.4.1.
+
+ o The last-timestamp is initialized to the value of the
+ authentication clock.
+
+ o The nonce is initialized to zero.
+
+ o If the lifetime is not retained, it should be initialized to
+ zero.
+
+ o If the private privacy key is not the OCTET STRING
+ of zero length, the privacy protocol is set to identify use
+ of the Symmetric Privacy Protocol in conjunction with
+ the algorithm specified in Section 2.4.2.
+
+ Upon detecting that a managed agent has rebooted, a responsible
+ management station must reset all other party attributes, including
+ the lifetime if it was not retained. In order to reset the lifetime,
+ the responsible management station should set the authentication
+ timestamp in the message to the sum of the authentication clock and
+ desired lifetime. This is an artificial advancement of the
+ authentication timestamp in order to guarantee the message will be
+ authentic when received by the recipient.
+
+ If, alternatively, a managed network element does not support a
+ reliable clock representation, then those attributes of each SNMP
+ party that do not enjoy non-volatile representation are initialized
+ as follows.
+
+ o If the private authentication key is not the OCTET
+ STRING of zero length, the authentication protocol is
+ set to identify use of the Digest Authentication Protocol
+ in conjunction with the algorithm specified in
+ Section 2.4.1.
+
+
+
+Galvin, McCloghrie, & Davin [Page 29]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ o The authentication clock is initialized to the maximal
+ time value.
+
+ o The last-timestamp is initialized to the maximal time
+ value.
+
+ o The nonce is initialized to zero.
+
+ o If the lifetime is not retained, it should be initialized to
+ zero.
+
+ o If the private privacy key is not the OCTET STRING
+ of zero length, the privacy protocol is set to identify use
+ of the Symmetric Privacy Protocol in conjunction with
+ the algorithm specified in Section 2.4.2.
+
+ The only authenticated request a management station should generate
+ for a party in this initial state is one that alters the value of at
+ least its authentication clock, private authentication key, and
+ lifetime (if that was not retained). In order to reset these values,
+ the responsible management station must set the authentication
+ timestamp in the message to the maximal time value. The nonce value
+ may be used to distinguish multiple messages.
+
+7. Security Considerations
+
+ This section highlights security considerations relevant to the
+ protocols and procedures defined in this memo. Practices that
+ contribute to secure, effective operation of the mechanisms defined
+ here are described first. Constraints on implementation behavior that
+ are necessary to the security of the system are presented next.
+ Finally, an informal account of the contribution of each mechanism of
+ the protocols to the required goals is presented.
+
+7.1 Recommended Practices
+
+ This section describes practices that contribute to the secure,
+ effective operation of the mechanisms defined in this memo.
+
+ o A management station should discard SNMP responses
+ for which neither the request-id component nor the
+ represented management information corresponds to any
+ currently outstanding request.
+
+ Although it would be typical for a management station
+ to do this as a matter of course, in the context of these
+ security protocols it is significant owing to the possibility
+ of message duplication (malicious or otherwise).
+
+
+
+Galvin, McCloghrie, & Davin [Page 30]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ o A management station should not interpret an agent's
+ lack of response to an authenticated SNMP management
+ communication as a conclusive indication of agent or
+ network failure.
+
+ It is possible for authentication failure traps to be lost or
+ suppressed as a result of authentication clock skew or
+ inconsistent notions of shared secrets. In order either to
+ facilitate administration of such SNMP parties or to
+ provide for continued management in times of network
+ stress, a management station implementation may
+ provide for arbitrary, artificial advancement of the
+ timestamp or selection of shared secrets on locally
+ generated messages.
+
+ o The lifetime value for a SNMP party should be chosen
+ (by the local administration) to be as small as possible,
+ given the accuracy of clock devices available, relevant
+ round-trip communications delays, and the frequency
+ with which a responsible management station will be
+ able to verify all clock values.
+
+ A large lifetime increases the vulnerability to malicious
+ delays of SNMP messages. The implementation of a
+ management station may, when explicitly authorized,
+ provide for dynamic adjustment of the lifetime in order
+ to accommodate changing network conditions.
+
+ o When sending state altering messages to a managed
+ agent, a management station should delay sending
+ successive messages to the managed agent until a
+ positive acknowledgement is received for the previous
+ message or until the previous message expires.
+
+ When using the noAuth protocol, no message ordering
+ is imposed by the SNMP. Messages may be received in
+ any order relative to their time of generation and each
+ will be processed in the ordered received. In contrast,
+ the security protocols guarantee that received messages
+ are ordered insofar as each received message must have
+ been sent subsequent to the sending of a previously
+ received message.
+
+ When an authenticated message is sent to a managed
+ agent, it will be valid for a period of time that does not
+ exceed lifetime under normal circumstances. During the
+ period of time this message is valid, if the management
+ station sends another authenticated message to the
+
+
+
+Galvin, McCloghrie, & Davin [Page 31]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ managed agent that is received and processed prior to
+ the first message, the first message will be considered
+ unauthentic when it is received by the managed agent.
+
+ Indeed, a management station must cope with the loss
+ and re-ordering of messages resulting from anomalies in
+ the network as a matter of course. A management
+ station implementation may choose to prevent the loss
+ of messages resulting from re-ordering when using the
+ security protocols defined in this memo by delaying
+ sending successive messages.
+
+ o The frequency with which the secrets of a SNMP party
+ should be changed is indirectly related to the frequency
+ of their use.
+
+ Protecting the secrets from disclosure is critical to the
+ overall security of the protocols. Frequent use of a secret
+ provides a continued source of data that may be useful
+ to a cryptanalyst in exploiting known or perceived
+ weaknesses in an algorithm. Frequent changes to the
+ secret avoid this vulnerability.
+
+ Changing a secret after each use is is generally regarded
+ as the most secure practice, but a significant amount of
+ overhead may be associated with that approach.
+
+ Note, too, in a local environment the threat of disclosure
+ may be insignificant, and as such the changing of secrets
+ may be less frequent. However, when public data
+ networks are the communication paths, more caution is
+ prudent.
+
+ o In order to foster the greatest degree of security, a
+ management station implementation must support
+ constrained, pairwise sharing of secrets among SNMP
+ entities as its default mode of operation.
+
+ Owing to the use of symmetric cryptography in the
+ protocols defined here, the secrets associated with a
+ particular SNMP party must be known to all other
+ SNMP parties with which that party may wish to
+ communicate. As the number of locations at which
+ secrets are known and used increases, the likelihood of
+ their disclosure also increases, as does the potential
+ impact of that disclosure. Moreover, if the set of SNMP
+ protocol entities with knowledge of a particular secret
+ numbers more than two, data origin cannot be reliably
+
+
+
+Galvin, McCloghrie, & Davin [Page 32]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ authenticated because it is impossible to determine with
+ any assurance which entity of that set may be the
+ originator of a particular SNMP message. Thus, the
+ greatest degree of security is afforded by configurations
+ in which the secrets for each SNMP party are known to
+ at most two protocol entities.
+
+7.2 Conformance
+
+ A SNMP protocol entity implementation that claims conformance to this
+ memo must satisfy the following requirements:
+
+ 1. It must implement the noAuth and noPriv protocols
+ whose object identifiers are defined in [4].
+
+ noAuth This protocol signifies that messages generated
+ by a party using it are not protected as to origin or
+ integrity. It is required to ensure that a party's
+ authentication clock is always accessible.
+ noPriv This protocol signifies that messages received
+ by a party using it are not protected from
+ disclosure. It is required to ensure that a party's
+ authentication clock is always accessible.
+
+ 2. It must implement the Digest Authentication Protocol in
+ conjunction with the algorithm defined in Section 2.4.1.
+
+ 3. It must include in its local database at least one SNMP
+ party with the following parameters set as follows:
+
+ o partyAuthProtocol is set to noAuth and
+ o partyPrivProtocol is set to noPriv.
+
+ This party must have a MIB view [2] specified that
+ includes at least the authentication clock of all other
+ parties. Alternatively, the authentication clocks of the
+ other parties may be partitioned among several similarly
+ configured parties according to a local implementation
+ convention.
+
+ 4. For each SNMP party about which it maintains
+ information in a local database, an implementation must
+ satisfy the following requirements:
+
+ (a) It must not allow a party's parameters to be set to
+ a value inconsistent with its expected syntax. In
+ particular, Section 2.4 specifies constraints for the
+ chosen mechanisms.
+
+
+
+Galvin, McCloghrie, & Davin [Page 33]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ (b) It must, to the maximal extent possible, prohibit
+ read-access to the private authentication key and
+ private encryption key under all circumstances
+ except as required to generate and/or validate
+ SNMP messages with respect to that party. This
+ prohibition includes prevention of read-access by
+ the entity's human operators.
+ (c) It must allow the party's authentication clock to be
+ publicly accessible. The correct operation of the
+ Digest Authentication Protocol requires that it be
+ possible to determine this value at all times in
+ order to guarantee that skewed authentication
+ clocks can be resynchronized.
+ (d) It must prohibit alterations to its record of the
+ authentication clock for that party independently of
+ alterations to its record of the private
+ authentication key (unless the clock alteration is an
+ advancement).
+ (e) It must never allow its record of the authentication
+ clock for that party to be incremented beyond the
+ maximal time value and so "roll-over" to zero.
+ (f) It must never increase its record of the lifetime for
+ that party except as may be explicitly authorized
+ (via imperative command or securely represented
+ configuration information) by the responsible
+ network administrator.
+ (g) In the event that the non-volatile, incorruptible
+ representations of a party's parameters (in
+ particular, either the private authentication key or
+ private encryption key) are lost or destroyed, it
+ must alter its record of these quantities to random
+ values so subsequent interaction with that party
+ requires manual redistribution of new secrets and
+ other parameters.
+
+ 5. If it selects new value(s) for a party's secret(s), it must
+ avoid bad or obvious choices for said secret(s). Choices
+ to be avoided are boundary values (such as all-zeros)
+ and predictable values (such as the same value as
+ previously or selecting from a predetermined set).
+
+7.3 Protocol Correctness
+
+ The correctness of these SNMP security protocols with respect to the
+ stated goals depends on the following assumptions:
+
+
+
+
+
+
+Galvin, McCloghrie, & Davin [Page 34]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ 1. The chosen message digest algorithm satisfies its design
+ criteria. In particular, it must be computationally
+ infeasible to discover two messages that share the same
+ digest value.
+
+ 2. It is computationally infeasible to determine the secret
+ used in calculating a digest on the concatenation of the
+ secret and a message when both the digest and the
+ message are known.
+
+ 3. The chosen symmetric encryption algorithm satisfies its
+ design criteria. In particular, it must be computationally
+ infeasible to determine the cleartext message from the
+ ciphertext message without knowledge of the key used in
+ the transformation.
+
+ 4. Local notions of a party's authentication clock while it is
+ associated with a specific private key value are
+ monotonically non-decreasing (i.e., they never run
+ backwards) in the absence of administrative
+ manipulations.
+
+ 5. The secrets for a particular SNMP party are known only
+ to authorized SNMP protocol entities.
+
+ 6. Local notions of the authentication clock for a particular
+ SNMP party are never altered such that the
+ authentication clock's new value is less than the current
+ value without also altering the private authentication
+ key.
+
+ For each mechanism of the protocol, an informal account of its
+ contribution to the required goals is presented below. Pseudocode
+ fragments are provided where appropriate to exemplify possible
+ implementations; they are intended to be self-explanatory.
+
+7.3.1 Clock Monotonicity Mechanism
+
+ By pairing each sequence of a clock's values with a unique key, the
+ protocols partially realize goals 3 and 4, and the conjunction of
+ this property with assumption 6 above is sufficient for the claim
+ that, with respect to a specific private key value, all local notions
+ of a party's authentication clock are, in general, non-decreasing
+ with time.
+
+
+
+
+
+
+
+Galvin, McCloghrie, & Davin [Page 35]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+7.3.2 Data Integrity Mechanism
+
+ The protocols require computation of a message digest computed over
+ the SNMP message prepended by the secret for the relevant party. By
+ virtue of this mechanism and assumptions 1 and 2, the protocols
+ realize goal 1.
+
+ Normally, the inclusion of the message digest value with the digested
+ message would not be sufficient to guarantee data integrity, since
+ the digest value can be modified in addition to the message while it
+ is enroute. However, since not all of the digested message is
+ included in the transmission to the destination, it is not possible
+ to substitute both a message and a digest value while enroute to a
+ destination.
+
+ Strictly speaking, the specified strategy for data integrity does not
+ detect a SNMP message modification which appends extraneous material
+ to the end of such messages. However, owing to the representation of
+ SNMP messages as ASN.1 values, such modifications cannot --
+ consistent with goal 1 -- result in unauthorized management
+ operations.
+
+ The data integrity mechanism specified in this memo protects only
+ against unauthorized modification of individual SNMP messages. A more
+ general data integrity service that affords protection against the
+ threat of message stream modification is not realized by this
+ mechanism, although limited protection against reordering, delay, and
+ duplication of messages within a message stream are provided by other
+ mechanisms of the protocol.
+
+7.3.3 Data Origin Authentication Mechanism
+
+ The data integrity mechanism requires the use of a secret value known
+ only to communicating parties. By virtue of this mechanism and
+ assumptions 1 and 2, the protocols explicitly prevent unauthorized
+ modification of messages. Data origin authentication is implicit if
+ the message digest value can be verified. That is, the protocols
+ realize goal 2.
+
+7.3.4 Restricted Administration Mechanism
+
+ This memo requires that implementations preclude administrative
+ alterations of the authentication clock for a particular party
+ independently from its private authentication key (unless that clock
+ alteration is an advancement). An example of an efficient
+ implementation of this restriction is provided in a pseudocode
+ fragment below. This pseudocode fragment meets the requirements of
+ assumption 6.
+
+
+
+Galvin, McCloghrie, & Davin [Page 36]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ Pseudocode Fragment. Observe that the requirement is not for
+ simultaneous alteration but to preclude independent alteration. This
+ latter requirement is fairly easily realized in a way that is
+ consistent with the defined semantics of the SNMP Set operation.
+
+
+ Void partySetKey (party, newKeyValue)
+ {
+ if (party->clockAltered) {
+ party->clockAltered = FALSE;
+ party->keyAltered = FALSE;
+ party->keyInUse = newKeyValue;
+ party->clockInUse = party->clockCache;
+ }
+ else {
+ party->keyAltered = TRUE;
+ party->keyCache = newKeyValue;
+ }
+ }
+
+ Void partySetClock (party, newClockValue)
+ {
+ if (party->keyAltered) {
+ party->keyAltered = FALSE;
+ party->clockAltered = FALSE;
+ party->clockInUse = newClockValue;
+ party->keyInUse = party->keyCache;
+ }
+ else {
+ party->clockAltered = TRUE;
+ party->clockCache = newClockValue;
+ }
+ }
+
+
+7.3.5 Ordered Delivery Mechanism
+
+ The definition of the Digest Authentication Protocol requires that,
+ if the timestamp value on a received message does not exceed the
+ timestamp of the most recent validated message locally delivered from
+ the originating party, then that message is not delivered. Otherwise,
+ the record of the timestamp for the most recent locally delivered
+ validated message is updated.
+
+
+ if (msgIsValidated) {
+ if (timestampOfReceivedMsg >
+ party->timestampOfLastDeliveredMsg) {
+
+
+
+Galvin, McCloghrie, & Davin [Page 37]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ party->timestampOfLastDeliveredMsg =
+ timestampOfReceivedMsg;
+ }
+ else {
+ msgIsValidated = FALSE;
+ }
+ }
+
+
+ Although not explicitly represented in the pseudocode above, in the
+ Digest Authentication Protocol, the ordered delivery mechanism must
+ ensure that, when the authentication timestamp of the received
+ message is equal to the last-timestamp, received messages continue to
+ be delivered as long as their nonce values are monotonically
+ increasing. By virtue of this mechanism, the protocols realize goal
+ 4.
+
+7.3.6 Message Timeliness Mechanism
+
+ The definition of the SNMP security protocols requires that, if the
+ authentication timestamp value on a received message -- augmented by
+ an administratively chosen lifetime value -- is less than the local
+ notion of the clock for the originating SNMP party, the message is
+ not delivered.
+
+
+ if (timestampOfReceivedMsg +
+ party->administrativeLifetime <=
+ party->localNotionOfClock) {
+ msgIsValidated = FALSE;
+ }
+
+
+ By virtue of this mechanism, the protocols realize goal 3. In cases
+ in which the local notions of a particular SNMP party clock are
+ moderately well-synchronized, the timeliness mechanism effectively
+ limits the age of validly delivered messages. Thus, if an attacker
+ diverts all validated messages for replay much later, the delay
+ introduced by this attack is limited to a period that is proportional
+ to the skew among local notions of the party clock.
+
+7.3.7 Selective Clock Acceleration Mechanism
+
+ The definition of the SNMP security protocols requires that, if the
+ timestamp value on a received, validated message exceeds the local
+ notion of the clock for the originating party, then that notion is
+ adjusted forward to correspond to said timestamp value. This
+ mechanism is neither strictly necessary nor sufficient to the
+
+
+
+Galvin, McCloghrie, & Davin [Page 38]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ security of the protocol; rather, it fosters the clock
+ synchronization on which valid message delivery depends -- thereby
+ enhancing the effectiveness of the protocol in a management context.
+
+
+ if (msgIsValidated) {
+ if (timestampOfReceivedMsg >
+ party->localNotionOfClock) {
+ party->localNotionOfClock =
+ timestampOfReceivedMsg;
+ }
+ }
+
+
+ The effect of this mechanism is to synchronize local notions of the
+ party clock more closely in the case where a sender's notion is more
+ advanced than a receiver's. In the opposite case, this mechanism has
+ no effect on local notions of the party clock and either the received
+ message is validly delivered or not according to other mechanisms of
+ the protocol.
+
+ Operation of this mechanism does not, in general, improve the
+ probability of validated delivery for messages generated by party
+ participants whose local notion of the party clock is relatively less
+ advanced. In this case, queries from a management station may not be
+ validly delivered and the management station needs to react
+ appropriately (e.g., by administratively resynchronizing local
+ notions of the clock in conjunction with a key change). In contrast,
+ the delivery of SNMP trap messages generated by an agent that suffers
+ from a less advanced notion of a party clock is more problematic, for
+ an agent may lack the capacity to recognize and react to security
+ failures that prevent delivery of its messages. Thus, the inherently
+ unreliable character of trap messages is likely to be compounded by
+ attempts to provide for their validated delivery.
+
+7.3.8 Confidentiality Mechanism
+
+ The protocols require the use of a symmetric encryption algorithm
+ when the data confidentiality service is required. By virtue of this
+ mechanism and assumption 3, the protocols realize goal 5.
+
+8. Acknowledgements
+
+ The authors would like to thank the members of the SNMP Security
+ Working Group of the IETF for their patience and comments. Special
+ thanks go to Jeff Case who provided the first implementation of the
+ protocols. Dave Balenson, John Linn, Dan Nessett, and all the members
+ of the Privacy and Security Research Group provided many valuable and
+
+
+
+Galvin, McCloghrie, & Davin [Page 39]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ detailed comments.
+
+9. References
+
+ [1] Case, J., M. Fedor, M. Schoffstall, and J. Davin, The Simple
+ Network Management Protocol", RFC 1157, University of Tennessee
+ at Knoxville, Performance Systems International, Performance
+ Systems International, and the MIT Laboratory for Computer
+ Science, May 1990. (Obsoletes RFC 1098.)
+
+ [2] Davin, J., Galvin, J., and K. McCloghrie, "SNMP Administrative
+ Model", RFC 1351, MIT Laboratory for Computer Science, Trusted
+ Information Systems, Inc., Hughes LAN Systems, Inc., July 1992.
+
+ [3] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, MIT
+ Laboratory for Computer Science, April 1992.
+
+ [4] McCloghrie, K., Davin, J., and J. Galvin, "Definitions of Managed
+ Objects for Administration of SNMP Parties", RFC 1353, Hughes LAN
+ Systems, Inc., MIT Laboratory for Computer Science, Trusted
+ Information Systems, Inc., July 1992.
+
+ [5] FIPS Publication 46-1, "Data Encryption Standard", National
+ Institute of Standards and Technology, Federal Information
+ Processing Standard (FIPS); Supersedes FIPS Publication 46,
+ January 15, 1977; Reaffirmed January 22, 1988.
+
+ [6] ANSI X3.92-1981, "Data Encryption Algorithm", American National
+ Standards Institute, December 30, 1980.
+
+ [7] FIPS Publication 81, "DES Modes of Operation", National Institute
+ of Standards and Technology, December 2, 1980, Federal
+ Information Processing Standard (FIPS).
+
+ [8] ANSI X3.106-1983, "Data Encryption Algorithm - Modes of
+ Operation", American National Standards Institute, May 16, 1983.
+
+ [9] FIPS Publication 74, "Guidelines for Implementing and Using the
+ NBS Data Encryption Standard", National Institute of Standards
+ and Technology, April 1, 1981. Federal Information Processing
+ Standard (FIPS).
+
+ [10] Special Publication 500-20, "Validating the Correctness of
+ Hardware Implementations of the NBS Data Encryption Standard",
+ National Institute of Standards and Technology.
+
+ [11] Special Publication 500-61, "Maintenance Testing for the Data
+ Encryption Standard", National Institute of Standards and
+
+
+
+Galvin, McCloghrie, & Davin [Page 40]
+
+RFC 1352 SNMP Security Protocols July 1992
+
+
+ Technology, August 1980.
+
+ [12] Information Processing -- Open Systems Interconnection --
+ Specification of Basic Encoding Rules for Abstract Syntax
+ Notation One (ASN.1), International Organization for
+ Standardization/International Electrotechnical Institute, 1987,
+ International Standard 8825.
+
+10. Authors' Addresses
+
+ James M. Galvin
+ Trusted Information Systems, Inc.
+ 3060 Washington Road, Route 97
+ Glenwood, MD 21738
+
+ Phone: (301) 854-6889
+ EMail: galvin@tis.com
+
+
+ Keith McCloghrie
+ Hughes LAN Systems, Inc.
+ 1225 Charleston Road
+ Mountain View, CA 94043
+
+ Phone: (415) 966-7934
+ EMail: kzm@hls.com
+
+
+ James R. Davin
+ MIT Laboratory for Computer Science
+ 545 Technology Square
+ Cambridge, MA 02139
+
+ Phone: (617) 253-6020
+ EMail: jrd@ptt.lcs.mit.edu
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Galvin, McCloghrie, & Davin [Page 41]
+ \ No newline at end of file