diff options
Diffstat (limited to 'doc/rfc/rfc5592.txt')
-rw-r--r-- | doc/rfc/rfc5592.txt | 2019 |
1 files changed, 2019 insertions, 0 deletions
diff --git a/doc/rfc/rfc5592.txt b/doc/rfc/rfc5592.txt new file mode 100644 index 0000000..5228751 --- /dev/null +++ b/doc/rfc/rfc5592.txt @@ -0,0 +1,2019 @@ + + + + + + +Network Working Group D. Harrington +Request for Comments: 5592 Huawei Technologies (USA) +Category: Standards Track J. Salowey + Cisco Systems + W. Hardaker + Cobham Analytic Solutions + June 2009 + + + Secure Shell Transport Model for the + Simple Network Management Protocol (SNMP) + +Status of This Memo + + This document specifies an Internet standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "Internet + Official Protocol Standards" (STD 1) for the standardization state + and status of this protocol. Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (c) 2009 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents in effect on the date of + publication of this document (http://trustee.ietf.org/license-info). + Please review these documents carefully, as they describe your rights + and restrictions with respect to this document. + + This document may contain material from IETF Documents or IETF + Contributions published or made publicly available before November + 10, 2008. The person(s) controlling the copyright in some of this + material may not have granted the IETF Trust the right to allow + modifications of such material outside the IETF Standards Process. + Without obtaining an adequate license from the person(s) controlling + the copyright in such materials, this document may not be modified + outside the IETF Standards Process, and derivative works of it may + not be created outside the IETF Standards Process, except to format + it for publication as an RFC or to translate it into languages other + than English. + + + + + + + + + +Harrington, et al. Standards Track [Page 1] + +RFC 5592 Secure Shell Transport Model for SNMP June 2009 + + +Abstract + + This memo describes a Transport Model for the Simple Network + Management Protocol (SNMP), using the Secure Shell (SSH) protocol. + + This memo also defines a portion of the Management Information Base + (MIB) for use with network management protocols in TCP/IP-based + internets. In particular, it defines objects for monitoring and + managing the Secure Shell Transport Model for SNMP. + +Table of Contents + + 1. Introduction ....................................................3 + 1.1. The Internet-Standard Management Framework .................3 + 1.2. Conventions ................................................3 + 1.3. Modularity .................................................5 + 1.4. Motivation .................................................5 + 1.5. Constraints ................................................6 + 2. The Secure Shell Protocol .......................................7 + 3. How SSHTM Fits into the Transport Subsystem .....................8 + 3.1. Security Capabilities of this Model ........................8 + 3.1.1. Threats .............................................8 + 3.1.2. Message Authentication ..............................9 + 3.1.3. Authentication Protocol Support ....................10 + 3.1.4. SSH Subsystem ......................................11 + 3.2. Security Parameter Passing ................................12 + 3.3. Notifications and Proxy ...................................12 + 4. Cached Information and References ..............................13 + 4.1. Secure Shell Transport Model Cached Information ...........13 + 4.1.1. tmSecurityName .....................................13 + 4.1.2. tmSessionID ........................................14 + 4.1.3. Session State ......................................14 + 5. Elements of Procedure ..........................................14 + 5.1. Procedures for an Incoming Message ........................15 + 5.2. Procedures for Sending an Outgoing Message ................17 + 5.3. Establishing a Session ....................................18 + 5.4. Closing a Session .........................................20 + 6. MIB Module Overview ............................................21 + 6.1. Structure of the MIB Module ...............................21 + 6.2. Textual Conventions .......................................21 + 6.3. Relationship to Other MIB Modules .........................21 + 6.3.1. MIB Modules Required for IMPORTS ...................21 + 7. MIB Module Definition ..........................................22 + 8. Operational Considerations .....................................29 + 9. Security Considerations ........................................30 + 9.1. Skipping Public Key Verification ..........................31 + 9.2. Notification Authorization Considerations .................31 + 9.3. SSH User and Key Selection ................................31 + + + +Harrington, et al. Standards Track [Page 2] + +RFC 5592 Secure Shell Transport Model for SNMP June 2009 + + + 9.4. Conceptual Differences between USM and SSHTM ..............31 + 9.5. The 'none' MAC Algorithm ..................................32 + 9.6. Use with SNMPv1/v2c Messages ..............................32 + 9.7. MIB Module Security .......................................32 + 10. IANA Considerations ...........................................33 + 11. Acknowledgments ...............................................33 + 12. References ....................................................34 + 12.1. Normative References .....................................34 + 12.2. Informative References ...................................35 + +1. Introduction + + This memo describes a Transport Model for the Simple Network + Management Protocol, using the Secure Shell (SSH) protocol [RFC4251] + within a Transport Subsystem [RFC5590]. The Transport Model + specified in this memo is referred to as the Secure Shell Transport + Model (SSHTM). + + This memo also defines a portion of the Management Information Base + (MIB) for use with network management protocols in TCP/IP-based + internets. In particular, it defines objects for monitoring and + managing the Secure Shell Transport Model for SNMP. + + It is important to understand the SNMP architecture [RFC3411] and the + terminology of the architecture to understand where the Transport + Model described in this memo fits into the architecture and interacts + with other subsystems within the architecture. + +1.1. The Internet-Standard Management Framework + + For a detailed overview of the documents that describe the current + Internet-Standard Management Framework, please refer to section 7 of + RFC 3410 [RFC3410]. + + Managed objects are accessed via a virtual information store, termed + the Management Information Base or MIB. MIB objects are generally + accessed through the Simple Network Management Protocol (SNMP). + Objects in the MIB are defined using the mechanisms defined in the + Structure of Management Information (SMI). This memo specifies a MIB + module that is compliant to the SMIv2, which is described in STD 58, + RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 + [RFC2580]. + +1.2. Conventions + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in [RFC2119]. + + + +Harrington, et al. Standards Track [Page 3] + +RFC 5592 Secure Shell Transport Model for SNMP June 2009 + + + Lowercase versions of the keywords should be read as in normal + English. They will usually, but not always, be used in a context + that relates to compatibility with the RFC 3411 architecture or the + subsystem defined here but that might have no impact on on-the-wire + compatibility. These terms are used as guidance for designers of + proposed IETF models to make the designs compatible with RFC 3411 + subsystems and Abstract Service Interfaces (ASIs). Implementers are + free to implement differently. Some usages of these lowercase terms + are simply normal English usage. + + For consistency with SNMP-related specifications, this document + favors terminology as defined in STD 62, rather than favoring + terminology that is consistent with non-SNMP specifications. This is + consistent with the IESG decision to not require the SNMPv3 + terminology be modified to match the usage of other non-SNMP + specifications when SNMPv3 was advanced to Full Standard. + + "Authentication" in this document typically refers to the English + meaning of "serving to prove the authenticity of" the message, not + data source authentication or peer identity authentication. + + The terms "manager" and "agent" are not used in this document + because, in the RFC 3411 architecture, all SNMP entities have the + capability of acting as manager, agent, or both depending on the SNMP + application types supported in the implementation. Where distinction + is required, the application names of command generator, command + responder, notification originator, notification receiver, and proxy + forwarder are used. See "SNMP Applications" [RFC3413] for further + information. + + The User-based Security Model (USM) [RFC3414] is a mandatory-to- + implement Security Model in STD 62. While the SSH and USM + specifications frequently refer to a user, the terminology preferred + in [RFC3411] and in this memo is "principal". A principal is the + "who" on whose behalf services are provided or processing takes + place. A principal can be, among other things, an individual acting + in a particular role, a set of individuals each acting in a + particular role, an application or a set of applications, or a + combination of these within an administrative domain. + + Throughout this document, the terms "client" and "server" are used to + refer to the two ends of the SSH transport connection. The client + actively opens the SSH connection, and the server passively listens + for the incoming SSH connection. Either SNMP entity may act as + client or as server, as discussed further below. + + + + + + +Harrington, et al. Standards Track [Page 4] + +RFC 5592 Secure Shell Transport Model for SNMP June 2009 + + +1.3. Modularity + + The reader is expected to have read and understood the description of + the SNMP architecture, as defined in [RFC3411], and the Transport + Subsystem architecture extension specified in "Transport Subsystem + for the Simple Network Management Protocol (SNMP)" [RFC5590]. + + This memo describes the Secure Shell Transport Model for SNMP, a + specific SNMP Transport Model to be used within the SNMP Transport + Subsystem to provide authentication, encryption, and integrity + checking of SNMP messages. + + In keeping with the RFC 3411 design decision to use self-contained + documents, this document defines the elements of procedure and + associated MIB module objects that are needed for processing the + Secure Shell Transport Model for SNMP. + + This modularity of specification is not meant to be interpreted as + imposing any specific requirements on implementation. + +1.4. Motivation + + Version 3 of the Simple Network Management Protocol (SNMPv3) added + security to the protocol. The User-based Security Model (USM) + [RFC3414] was designed to be independent of other existing security + infrastructures to ensure it could function when third-party + authentication services were not available, such as in a broken + network. As a result, USM utilizes a separate user and key- + management infrastructure. Operators have reported that having to + deploy another user and key-management infrastructure in order to use + SNMPv3 is a reason for not deploying SNMPv3. + + This memo describes a Transport Model that will make use of the + existing and commonly deployed Secure Shell security infrastructure. + This Transport Model is designed to meet the security and operational + needs of network administrators, maximize usability in operational + environments to achieve high deployment success, and at the same time + minimize implementation and deployment costs to minimize deployment + time. + + This document addresses the requirement for the SSH client to + authenticate the SSH server and for the SSH server to authenticate + the SSH client, and describes how SNMP can make use of the + authenticated identities in authorization policies for data access, + in a manner that is independent of any specific Access Control Model. + + + + + + +Harrington, et al. Standards Track [Page 5] + +RFC 5592 Secure Shell Transport Model for SNMP June 2009 + + + This document addresses the requirement to utilize client- + authentication and key-exchange methods that support different + security infrastructures and provide different security properties. + This document describes how to use client authentication as described + in "The Secure Shell (SSH) Authentication Protocol" [RFC4252]. The + SSH Transport Model should work with any of the ssh-userauth methods, + including the "publickey", "password", "hostbased", "none", + "keyboard-interactive", "gssapi-with-mic", ."gssapi-keyex", "gssapi", + and "external-keyx" (see the SSH Protocol Parameters registry + maintained by IANA). The use of the "none" authentication method is + NOT RECOMMENDED, as described in this document's Security + Considerations. Local accounts may be supported through the use of + the publickey, hostbased, or password methods. The password method + allows for integration with a deployed password infrastructure, such + as Authentication, Authorization, and Accounting (AAA) servers using + the RADIUS protocol [RFC2865]. The SSH Transport Model SHOULD be + able to take advantage of future-defined ssh-userauth methods, such + as those that might make use of X.509 certificate credentials. + + It is desirable to use mechanisms that could unify the approach for + administrative security for SNMPv3 and command line interfaces (CLI) + and other management interfaces. The use of security services + provided by Secure Shell is the approach commonly used for the CLI + and is the approach being adopted for use with NETCONF [RFC4742]. + This memo describes a method for invoking and running the SNMP + protocol within a Secure Shell (SSH) session as an SSH Subsystem. + + This memo describes how SNMP can be used within a Secure Shell (SSH) + session, using the SSH connection protocol [RFC4254] over the SSH + transport protocol, and using ssh-userauth [RFC4252] for + authentication. + + There are a number of challenges to be addressed to map Secure Shell + authentication method parameters into the SNMP architecture so that + SNMP continues to work without any surprises. These are discussed in + detail below. + +1.5. Constraints + + The design of this SNMP Transport Model is influenced by the + following constraints: + + 1. In times of network stress, the transport protocol and its + underlying security mechanisms SHOULD NOT depend upon the ready + availability of other network services (e.g., Network Time + Protocol (NTP) or AAA protocols). + + + + + +Harrington, et al. Standards Track [Page 6] + +RFC 5592 Secure Shell Transport Model for SNMP June 2009 + + + 2. When the network is not under stress, the Transport Model and its + underlying security mechanisms MAY depend upon the ready + availability of other network services. + + 3. It may not be possible for the Transport Model to determine when + the network is under stress. + + 4. A Transport Model SHOULD NOT require changes to the SNMP + architecture. + + 5. A Transport Model SHOULD NOT require changes to the underlying + security protocol. + +2. The Secure Shell Protocol + + SSH is a protocol for secure remote login and other secure network + services over an insecure network. It consists of three major + protocol components and add-on methods for user authentication: + + o The Transport Layer Protocol [RFC4253] provides server + authentication and message confidentiality and integrity. It may + optionally also provide compression. The transport layer will + typically be run over a TCP/IP connection but might also be used + on top of any other reliable data stream. + + o The User Authentication Protocol [RFC4252] authenticates the + client-side principal to the server. It runs over the Transport + Layer Protocol. + + o The Connection Protocol [RFC4254] multiplexes the encrypted tunnel + into several logical channels. It runs over the transport after + successfully authenticating the principal. + + o Generic Message Exchange Authentication [RFC4256] is a general + purpose authentication method for the SSH protocol, suitable for + interactive authentications where the authentication data should + be entered via a keyboard. + + o "Generic Security Service Application Program Interface (GSS-API) + Authentication and Key Exchange for the Secure Shell (SSH) + Protocol" [RFC4462] describes methods for using the GSS-API for + authentication and key exchange in SSH. It defines an SSH user- + authentication method that uses a specified GSS-API mechanism to + authenticate a user; it also defines a family of SSH key-exchange + methods that use GSS-API to authenticate a Diffie-Hellman key + exchange. + + + + + +Harrington, et al. Standards Track [Page 7] + +RFC 5592 Secure Shell Transport Model for SNMP June 2009 + + + The client sends a service request once a secure, transport-layer + connection has been established. A second service request is sent + after client authentication is complete. This allows new protocols + to be defined and coexist with the protocols listed above. + + The connection protocol provides channels that can be used for a wide + range of purposes. Standard methods are provided for setting up + secure interactive shell sessions and for forwarding ("tunneling") + arbitrary TCP/IP ports and X11 connections. + +3. How SSHTM Fits into the Transport Subsystem + + A Transport Model is a component of the Transport Subsystem [RFC5590] + within the SNMP architecture. The SSH Transport Model thus fits + between the underlying SSH transport layer and the Message Dispatcher + [RFC3411]. + + The SSH Transport Model will establish a channel between itself and + the SSH Transport Model of another SNMP engine. The sending + Transport Model passes unencrypted messages from the Dispatcher to + SSH to be encrypted, and the receiving Transport Model accepts + decrypted incoming messages from SSH and passes them to the + Dispatcher. + + After an SSH Transport Model channel is established, then SNMP + messages can conceptually be sent through the channel from one SNMP + Message Dispatcher to another SNMP Message Dispatcher. Multiple SNMP + messages MAY be passed through the same channel. + + The SSH Transport Model of an SNMP engine will perform the + translation between SSH-specific security parameters and SNMP- + specific, model-independent parameters. + +3.1. Security Capabilities of this Model + +3.1.1. Threats + + The Secure Shell Transport Model provides protection against the + threats identified by the RFC 3411 architecture [RFC3411]: + + 1. Modification of Information - SSH provides for verification that + the contents of each message have not been modified during its + transmission through the network by digitally signing each SSH + packet. + + 2. Masquerade - SSH provides for verification of the identity of the + SSH server and the identity of the SSH client. + + + + +Harrington, et al. Standards Track [Page 8] + +RFC 5592 Secure Shell Transport Model for SNMP June 2009 + + + SSH provides for verification of the identity of the SSH server + through the SSH transport protocol server authentication + [RFC4253]. This allows an operator or management station to + ensure the authenticity of the SNMP engine that provides MIB + data. + + SSH provides a number of mechanisms for verification of the + identity of the SSH client-side principal using the Secure Shell + Authentication Protocol [RFC4252]. These include public key, + password, and host-based mechanisms. This allows the SNMP Access + Control Subsystem to ensure that only authorized principals have + access to potentially sensitive data. + + Verification of the client's principal identity is important for + use with the SNMP Access Control Subsystem to ensure that only + authorized principals have access to potentially sensitive data. + + The SSH user identity is provided to the Transport Model, so it + can be used to map to an SNMP model-independent securityName for + use with SNMP access control and notification configuration. + (The identity may undergo various transforms before it maps to + the securityName.) + + 3. Message Stream Modification - SSH protects against malicious re- + ordering or replaying of messages within a single SSH session by + using sequence numbers and integrity checks. SSH protects + against replay of messages across SSH sessions by ensuring that + the cryptographic keys used for encryption and integrity checks + are generated afresh for each session. + + 4. Disclosure - SSH provides protection against the disclosure of + information to unauthorized recipients or eavesdroppers by + allowing for encryption of all traffic between SNMP engines. + +3.1.2. Message Authentication + + The RFC 3411 architecture recognizes three levels of security: + + - without authentication and without privacy (noAuthNoPriv) + + - with authentication but without privacy (authNoPriv) + + - with authentication and with privacy (authPriv) + + The Secure Shell protocol provides support for encryption and data + integrity. While it is technically possible to support no + authentication and no encryption in SSH, it is NOT RECOMMENDED by + [RFC4253]. + + + +Harrington, et al. Standards Track [Page 9] + +RFC 5592 Secure Shell Transport Model for SNMP June 2009 + + + The SSH Transport Model determines from SSH the identity of the + authenticated principal and the type and address associated with an + incoming message, and provides this information to SSH for an + outgoing message. The SSH transport-layer algorithms used to provide + authentication, data integrity, and encryption SHOULD NOT be exposed + to the SSH Transport Model layer. The SNMPv3 WG deliberately avoided + this and settled for an assertion by the Security Model that the + requirements of securityLevel were met. The SSH Transport Model has + no mechanisms by which it can test whether an underlying SSH + connection provides auth or priv, so the SSH Transport Model trusts + that the underlying SSH connection has been properly configured to + support authPriv security characteristics. + + An SSH Transport-Model-compliant implementation MUST use an SSH + connection that provides authentication, data integrity, and + encryption that meets the highest level of SNMP security (authPriv). + Outgoing messages specified with a securityLevel of noAuthNoPriv or + authNoPriv are actually sent by the SSH Transport Model with + authPriv-level protection. + + The security protocols used in the Secure Shell Authentication + Protocol [RFC4252] and the Secure Shell Transport Layer Protocol + [RFC4253] are considered acceptably secure at the time of writing. + However, the procedures allow for new authentication and privacy + methods to be specified at a future time if the need arises. + +3.1.3. Authentication Protocol Support + + The SSH Transport Model should support any server- or client- + authentication mechanism supported by SSH. This includes the three + authentication methods described in the SSH Authentication Protocol + document [RFC4252] (publickey, password, and host-based), keyboard + interactive, and others. + + The password-authentication mechanism allows for integration with + deployed password-based infrastructure. It is possible to hand a + password to a service such as RADIUS [RFC2865] or Diameter [RFC3588] + for validation. The validation could be done using the user name and + user password attributes. It is also possible to use a different + password-validation protocol such as the Challenge Handshake + Authentication Protocol (CHAP) [RFC1994] or digest authentication + [RFC5090] to integrate with RADIUS or Diameter. At some point in the + processing, these mechanisms require the password to be made + available as cleartext on the device that is authenticating the + password, which might introduce threats to the authentication + infrastructure. + + + + + +Harrington, et al. Standards Track [Page 10] + +RFC 5592 Secure Shell Transport Model for SNMP June 2009 + + + GSS-API key exchange [RFC4462] provides a framework for the addition + of client-authentication mechanisms that support different security + infrastructures and provide different security properties. + Additional authentication mechanisms, such as one that supports X.509 + certificates, may be added to SSH in the future. + +3.1.4. SSH Subsystem + + This document describes the use of an SSH Subsystem for SNMP to make + SNMP usage distinct from other usages. + + An SSH Subsystem of type "snmp" is opened by the SSH Transport Model + during the elements of procedure for an outgoing SNMP message. Since + the sender of a message initiates the creation of an SSH session if + needed, the SSH session will already exist for an incoming message; + otherwise, the incoming message would never reach the SSH Transport + Model. + + Implementations may choose to instantiate SSH sessions in + anticipation of outgoing messages. This approach might be useful to + ensure that an SSH session to a given target can be established + before it becomes important to send a message over the SSH session. + Of course, there is no guarantee that a pre-established session will + still be valid when needed. + + SSH sessions are uniquely identified within the SSH Transport Model + by the combination of tmTransportAddress and tmSecurityName + associated with each session. + + Because naming policies might differ between administrative domains, + many SSH client software packages support a user@hostname:port + addressing syntax that operators can use to align non-equivalent + account names. The SnmpSSHAddress Textual Convention echos this + common SSH notation. + + When this notation is used in an SnmpSSHAddress, the SSH connection + should be established with an SSH user name matching the "user" + portion of the notation when establishing a session with the remote + SSH server. The user name must be encoded in UTF-8 (per [RFC4252]). + The "user" portion may or may not match the tmSecurityName parameter + passed from the Security Model. If no "user@" portion is specified + in the SnmpSSHAddress, then the SSH connection should be established + using the tmSecurityName as the SSH user name when establishing a + session with the remote SSH server. + + + + + + + +Harrington, et al. Standards Track [Page 11] + +RFC 5592 Secure Shell Transport Model for SNMP June 2009 + + + The SnmpSSHAddress and tmSecurityName associated with an SSH session + MUST remain constant during the life of the session. Different + SnmpSSHAddress values (with different hostnames, "user@" prefix + names, and/or port numbers) will each result in individual SSH + sessions. + +3.2. Security Parameter Passing + + For incoming messages, SSH-specific security parameters are + translated by the Transport Model into security parameters + independent of the Transport and Security Models. The Transport + Model accepts messages from the SSH Subsystem, records the transport- + related and SSH-security-related information, including the + authenticated identity, in a cache referenced by tmStateReference, + and passes the WholeMsg and the tmStateReference to the Dispatcher + using the receiveMessage() ASI (Abstract Service Interface). + + For outgoing messages, the Transport Model takes input provided by + the Dispatcher in the sendMessage() ASI. The SSH Transport Model + converts that information into suitable security parameters for SSH, + establishes sessions as needed, and passes messages to the SSH + Subsystem for sending. + +3.3. Notifications and Proxy + + SSH connections may be initiated by command generators or by + notification originators. Command generators are frequently operated + by a human, but notification originators are usually unmanned + automated processes. As a result, it may be necessary to provision + authentication credentials on the SNMP engine containing the + notification originator or to use a third-party key provider, such as + Kerberos, so the engine can successfully authenticate to an engine + containing a notification receiver. + + The targets to whom notifications or proxy requests should be sent is + typically determined and configured by a network administrator. The + SNMP-NOTIFICATION-MIB contains a list of targets to which + notifications should be sent. The SNMP-TARGET-MIB module [RFC3413] + contains objects for defining these management targets, including + transport domains and addresses and security parameters, for + applications such as notification generators and proxy forwarders. + + For the SSH Transport Model, transport type and address are + configured in the snmpTargetAddrTable, and the securityName and + securityLevel parameters are configured in the snmpTargetParamsTable. + The default approach is for an administrator to statically + preconfigure this information to identify the targets authorized to + receive notifications or received proxied messages. Local access- + + + +Harrington, et al. Standards Track [Page 12] + +RFC 5592 Secure Shell Transport Model for SNMP June 2009 + + + control processing needs to be performed by a notification originator + before notifications are actually sent, and this processing is done + using the configured securityName. An important characteristic of + this is that authorization is done prior to determining if the + connection can succeed. Thus, the locally configured securityName is + entirely trusted within the notification originator. + + The SNMP-TARGET-MIB and NOTIFICATION-MIB MIB modules may be + configured using SNMP or other implementation-dependent mechanisms, + such as CLI scripting or loading a configuration file. It may be + necessary to provide additional implementation-specific configuration + of SSH parameters. + +4. Cached Information and References + + When performing SNMP processing, there are two levels of state + information that may need to be retained: the immediate state linking + a request-response pair and a potentially longer-term state relating + to transport and security. "Transport Subsystem for the Simple + Network Management Protocol" [RFC5590] defines general requirements + for caches and references. + + This document defines additional cache requirements related to the + Secure Shell Transport Model. + +4.1. Secure Shell Transport Model Cached Information + + The Secure Shell Transport Model has specific responsibilities + regarding the cached information. See the Elements of Procedure in + Section 5 for detailed processing instructions on the use of the + tmStateReference fields by the SSH Transport Model. + +4.1.1. tmSecurityName + + The tmSecurityName MUST be a human-readable name (in snmpAdminString + format) representing the identity that has been set according to the + procedures in Section 5. The tmSecurityName MUST be constant for all + traffic passing through an SSHTM session. Messages MUST NOT be sent + through an existing SSH session that was established using a + different tmSecurityName. + + On the SSH server side of a connection: + + The tmSecurityName should be the SSH user name. How the SSH user + name is extracted from the SSH layer is implementation-dependent. + + + + + + +Harrington, et al. Standards Track [Page 13] + +RFC 5592 Secure Shell Transport Model for SNMP June 2009 + + + The SSH protocol is not always clear on whether the user name + field must be filled in, so for some implementations, such as + those using GSSAPI authentication, it may be necessary to use a + mapping algorithm to transform an SSH identity to a tmSecurityName + or to transform a tmSecurityName to an SSH identity. + + In other cases, the user name may not be verified by the server, + so for these implementations, it may be necessary to obtain the + user name from other credentials exchanged during the SSH + exchange. + + On the SSH client side of a connection: + + The tmSecurityName is presented to the SSH Transport Model by the + application (possibly because of configuration specified in the + SNMP-TARGET-MIB). + + The securityName MAY be derived from the tmSecurityName by a Security + Model and MAY be used to configure notifications and access controls + in MIB modules. Transport Models SHOULD generate a predictable + tmSecurityName so operators will know what to use when configuring + MIB modules that use securityNames derived from tmSecurityNames. + +4.1.2. tmSessionID + + The tmSessionID MUST be recorded per message at the time of receipt. + When tmSameSecurity is set, the recorded tmSessionID can be used to + determine whether the SSH session available for sending a + corresponding outgoing message is the same SSH session as was used + when receiving the incoming message (e.g., a response to a request). + +4.1.3. Session State + + The per-session state that is referenced by tmStateReference may be + saved across multiple messages in a Local Configuration Datastore. + Additional session/connection state information might also be stored + in a Local Configuration Datastore. + +5. Elements of Procedure + + Abstract Service Interfaces have been defined by [RFC3411] and + further augmented by [RFC5590] to describe the conceptual data flows + between the various subsystems within an SNMP entity. The Secure + Shell Transport Model uses some of these conceptual data flows when + communicating between subsystems. + + + + + + +Harrington, et al. Standards Track [Page 14] + +RFC 5592 Secure Shell Transport Model for SNMP June 2009 + + + To simplify the elements of procedure, the release of state + information is not always explicitly specified. As a general rule, + if state information is available when a message gets discarded, the + message-state information should also be released, and if state + information is available when a session is closed, the session-state + information should also be released. + + An error indication in statusInformation will typically include the + Object Identifier (OID) and value for an incremented error counter. + This may be accompanied by the requested securityLevel and the + tmStateReference. Per-message context information is not accessible + to Transport Models, so for the returned counter OID and value, + contextEngine would be set to the local value of snmpEngineID and + contextName to the default context for error counters. + +5.1. Procedures for an Incoming Message + + 1. The SSH Transport Model queries the SSH engine, in an + implementation-dependent manner, to determine the address the + message originated from, the user name authenticated by SSH, and + a session identifier. + + 2. Determine the tmTransportAddress to be associated with the + incoming message: + + A. If this is a client-side SSH session, then the + tmTransportAddress is set to the tmTransportAddress used to + establish the session. It MUST exactly include any "user@" + prefix associated with the address provided to the + openSession() ASI. + + B. If this is a server-side SSH session and this is the first + message received over the session, then the + tmTransportAddress is set to the address the message + originated from, determined in an implementation-dependent + way. This value MUST be constant for the entire SSH session, + and future messages received MUST result in the + tmTransportAddress being set to the same value. + + C. If this is a server-side SSH session and this is not the + first message received over the session, then the + tmTransportAddress is set to the previously established + tmTransportAddress for the session (the value from step B, + determined from a previous incoming message). + + + + + + + +Harrington, et al. Standards Track [Page 15] + +RFC 5592 Secure Shell Transport Model for SNMP June 2009 + + + 3. Determine the tmSecurityName to be associated with the incoming + message: + + A. If this is a client-side SSH session, then the tmSecurityName + MUST be set to the tmSecurityName used to establish the + session. + + B. If this is a server-side SSH session and this is the first + message received over the session, then the tmSecurityName is + set to the SSH user name. How the SSH user name is extracted + from the SSH layer is implementation-dependent. This value + MUST be constant for the entire SSH session, and future + messages received MUST result in the tmSecurityName being set + to the same value. + + C. If this is a server-side SSH session and this is not the + first message received over the session, then the + tmSecurityName is set to the previously established + tmSecurityName for the session (the value from step B, + determined from a previous incoming message). + + 4. Create a tmStateReference cache for subsequent reference to the + information. + + tmTransportDomain = snmpSSHDomain + + tmTransportAddress = the derived tmTransportAddress from step + 2. + + tmSecurityName = the derived tmSecurityName from step 3. + + tmTransportSecurityLevel = "authPriv" (authentication and + confidentiality MUST be used to comply with this Transport + Model.) + + tmSessionID = an implementation-dependent value that can be + used to detect when a session has closed and been replaced by + another session. The value in tmStateReference MUST uniquely + identify the session over which the message was received. + This session identifier MUST NOT be reused until there are no + references to it remaining. + + Then the Transport Model passes the message to the Dispatcher using + the following ASI: + + + + + + + +Harrington, et al. Standards Track [Page 16] + +RFC 5592 Secure Shell Transport Model for SNMP June 2009 + + + statusInformation = + receiveMessage( + IN transportDomain -- snmpSSHDomain + IN transportAddress -- the tmTransportAddress for the message + IN wholeMessage -- the whole SNMP message from SSH + IN wholeMessageLength -- the length of the SNMP message + IN tmStateReference -- (NEW) transport info + ) + +5.2. Procedures for Sending an Outgoing Message + + The Dispatcher passes the information to the Transport Model using + the ASI defined in the Transport Subsystem: + + statusInformation = + sendMessage( + IN destTransportDomain -- transport domain to be used + IN destTransportAddress -- transport address to be used + IN outgoingMessage -- the message to send + IN outgoingMessageLength -- its length + IN tmStateReference -- (NEW) transport info + ) + + The SSH Transport Model performs the following tasks. + + 1. If tmStateReference does not refer to a cache containing values + for tmTransportDomain, tmTransportAddress, tmSecurityName, + tmRequestedSecurityLevel, and tmSameSecurity, then increment the + snmpSshtmSessionInvalidCaches counter, discard the message, and + return the error indication in the statusInformation. Processing + of this message stops. + + 2. Extract the tmTransportDomain, tmTransportAddress, + tmSecurityName, tmRequestedSecurityLevel, tmSameSecurity, and + tmSessionID from the tmStateReference. + + 3. Identify an SSH session over which to send the messages: + + A. If tmSameSecurity is true and there is no existing session + with a matching tmSessionID, tmSecurityName, and + tmTransportAddress, then increment the + snmpSshtmSessionNoSessions counter, discard the message, and + return the error indication in the statusInformation. + Processing of this message stops. + + B. If there is a session with a matching tmSessionID, + tmTransportAddress, and tmSecurityName, then select that + session. + + + +Harrington, et al. Standards Track [Page 17] + +RFC 5592 Secure Shell Transport Model for SNMP June 2009 + + + C. If there is a session that matches the tmTransportAddress and + tmSecurityName, then select that session. + + D. If the above steps failed to select a session to use, then + call openSession() with the tmStateReference as a parameter. + + + If openSession fails, then discard the message, release + tmStateReference, and pass the error indication returned + by openSession back to the calling module. Processing of + this message stops. + + + If openSession succeeds, then record the + destTransportDomain, destTransportAddress, tmSecurityname, + and tmSessionID in an implementation-dependent manner. + This will be needed when processing an incoming message. + + 4. Pass the wholeMessage to SSH for encapsulation as data in an SSH + message over the identified SSH session. Any necessary + additional SSH-specific parameters should be provided in an + implementation-dependent manner. + +5.3. Establishing a Session + + The Secure Shell Transport Model provides the following Abstract + Service Interface (ASI) to describe the data passed between the SSH + Transport Model and the SSH service. It is an implementation + decision how such data is passed. + + statusInformation = + openSession( + IN tmStateReference -- transport information to be used + OUT tmStateReference -- transport information to be used + IN maxMessageSize -- of the sending SNMP entity + ) + + The following describes the procedure to follow to establish a + session between a client and server to run SNMP over SSH. This + process is used by any SNMP engine establishing a session for + subsequent use. + + This will be done automatically for an SNMP application that + initiates a transaction, such as a command generator, a notification + originator, or a proxy forwarder. + + + + + + + + +Harrington, et al. Standards Track [Page 18] + +RFC 5592 Secure Shell Transport Model for SNMP June 2009 + + + 1. Increment the snmpSshtmSessionOpens counter. + + 2. Using tmTransportAddress, the client will establish an SSH + transport connection using the SSH transport protocol, + authenticate the server, and exchange keys for message integrity + and encryption. The transportAddress associated with a session + MUST remain constant during the lifetime of the SSH session. + Implementations may need to cache the transportAddress passed to + the openSession API for later use when performing incoming + message processing (see Section 5.1). + + 1. To authenticate the server, the client usually stores pairs + (tmTransportAddress, server host public key) in an + implementation-dependent manner. + + 2. The other parameters of the transport connection are provided + in an implementation-dependent manner. + + 3. If the attempt to establish a connection is unsuccessful or + if server-authentication fails, then + snmpSshtmSessionOpenErrors is incremented, an openSession + error indication is returned, and openSession processing + stops. + + 3. The client will then invoke an SSH authentication service to + authenticate the principal, such as that described in the SSH + authentication protocol [RFC4252]. + + 1. If the tmTransportAddress field contains a user name followed + by an '@' character (US-ASCII 0x40), that user name string + should be presented to the SSH server as the "user name" for + user-authentication purposes. If there is no user name in + the tmTransportAddress, then the tmSecurityName should be + used as the user name. + + 2. The credentials used to authenticate the SSH principal are + determined in an implementation-dependent manner. + + 3. In an implementation-specific manner, invoke the SSH user- + authentication service using the calculated user name. + + 4. If the user authentication is unsuccessful, then the + transport connection is closed, the + snmpSshtmSessionUserAuthFailures counter is incremented, an + error indication is returned to the calling module, and + processing stops for this message. + + + + + +Harrington, et al. Standards Track [Page 19] + +RFC 5592 Secure Shell Transport Model for SNMP June 2009 + + + 4. The client should invoke the "ssh-connection" service (also known + as the SSH connection protocol [RFC4254]), and request a channel + of type "session". If unsuccessful, the transport connection is + closed, the snmpSshtmSessionNoChannels counter is incremented, an + error indication is returned to the calling module, and + processing stops for this message. + + 5. The client invokes "snmp" as an SSH Subsystem, as indicated in + the "subsystem" parameter. If unsuccessful, the transport + connection is closed, the snmpSshtmSessionNoSubsystems counter is + incremented, an error indication is returned to the calling + module, and processing stops for this message. + + In order to allow SNMP traffic to be easily identified and + filtered by firewalls and other network devices, servers + associated with SNMP entities using the Secure Shell Transport + Model MUST default to providing access to the "snmp" SSH + Subsystem if the SSH session is established using the IANA- + assigned TCP ports (5161 and 5162). Servers SHOULD be + configurable to allow access to the SNMP SSH Subsystem over other + ports. + + 6. Set tmSessionID in the tmStateReference cache to an + implementation-dependent value to identify the session. + + 7. The tmSecurityName used to establish the SSH session must be the + only tmSecurityName used with the session. Incoming messages for + the session MUST be associated with this tmSecurityName value. + How this is accomplished is implementation-dependent. + +5.4. Closing a Session + + The Secure Shell Transport Model provides the following ASI to close + a session: + + statusInformation = + closeSession( + IN tmSessionID -- session ID of session to be closed + ) + + The following describes the procedure to follow to close a session + between a client and server. This process is followed by any SNMP + engine to close an SSH session. It is implementation-dependent when + a session should be closed. The calling code should release the + associated tmStateReference. + + + + + + +Harrington, et al. Standards Track [Page 20] + +RFC 5592 Secure Shell Transport Model for SNMP June 2009 + + + 1. Increment the snmpSshtmSessionCloses counter. + + 2. If there is no session corresponding to tmSessionID, then + closeSession processing is complete. + + 3. Have SSH close the session associated with tmSessionID. + +6. MIB Module Overview + + This MIB module provides management of the Secure Shell Transport + Model. It defines an OID to identify the SNMP-over-SSH transport + domain, a Textual Convention for SSH Addresses, and several + statistics counters. + +6.1. Structure of the MIB Module + + Objects in this MIB module are arranged into subtrees. Each subtree + is organized as a set of related objects. The overall structure and + assignment of objects to their subtrees, and the intended purpose of + each subtree, is shown below. + +6.2. Textual Conventions + + Generic and Common Textual Conventions used in this document can be + found summarized at http://www.ops.ietf.org/mib-common-tcs.html + +6.3. Relationship to Other MIB Modules + + Some management objects defined in other MIB modules are applicable + to an entity implementing the SSH Transport Model. In particular, it + is assumed that an entity implementing the SNMP-SSH-TM-MIB will + implement the SNMPv2-MIB [RFC3418] and the SNMP-FRAMEWORK-MIB + [RFC3411]. It is expected that an entity implementing this MIB will + also support the Transport Security Model [RFC5591] and, therefore, + implement the SNMP-TSM-MIB. + + This MIB module is for monitoring SSH Transport Model information. + +6.3.1. MIB Modules Required for IMPORTS + + The following MIB module imports items from [RFC2578], [RFC2579], and + [RFC2580]. + + This MIB module also references [RFC1033], [RFC4252], [RFC3490], and + [RFC3986]. + + + + + + +Harrington, et al. Standards Track [Page 21] + +RFC 5592 Secure Shell Transport Model for SNMP June 2009 + + + This document uses TDomain Textual Conventions for the SNMP-internal + MIB modules defined here for compatibility with the RFC 3413 MIB + modules and the RFC 3411 Abstract Service Interfaces. + +7. MIB Module Definition + +SNMP-SSH-TM-MIB DEFINITIONS ::= BEGIN + +IMPORTS + MODULE-IDENTITY, OBJECT-TYPE, + OBJECT-IDENTITY, mib-2, snmpDomains, + Counter32 + FROM SNMPv2-SMI -- RFC 2578 + TEXTUAL-CONVENTION + FROM SNMPv2-TC -- RFC 2579 + MODULE-COMPLIANCE, OBJECT-GROUP + FROM SNMPv2-CONF -- RFC 2580 + ; + +snmpSshtmMIB MODULE-IDENTITY + LAST-UPDATED "200906090000Z" + ORGANIZATION "ISMS Working Group" + CONTACT-INFO "WG-EMail: isms@lists.ietf.org + Subscribe: isms-request@lists.ietf.org + + Chairs: + Juergen Quittek + NEC Europe Ltd. + Network Laboratories + Kurfuersten-Anlage 36 + 69115 Heidelberg + Germany + +49 6221 90511-15 + quittek@netlab.nec.de + + Juergen Schoenwaelder + Jacobs University Bremen + Campus Ring 1 + 28725 Bremen + Germany + +49 421 200-3587 + j.schoenwaelder@jacobs-university.de + + Co-editors: + David Harrington + Huawei Technologies USA + 1700 Alma Drive + Plano Texas 75075 + + + +Harrington, et al. Standards Track [Page 22] + +RFC 5592 Secure Shell Transport Model for SNMP June 2009 + + + USA + +1 603-436-8634 + ietfdbh@comcast.net + + Joseph Salowey + Cisco Systems + 2901 3rd Ave + Seattle, WA 98121 + USA + jsalowey@cisco.com + + Wes Hardaker + Cobham Analytic Solutions + P.O. Box 382 + Davis, CA 95617 + USA + +1 530 792 1913 + ietf@hardakers.net + " + DESCRIPTION + "The Secure Shell Transport Model MIB. + + Copyright (c) 2009 IETF Trust and the persons + identified as authors of the code. All rights reserved. + + Redistribution and use in source and binary forms, with or + without modification, are permitted provided that the + following conditions are met: + + - Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + - Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following + disclaimer in the documentation and/or other materials + provided with the distribution. + + - Neither the name of Internet Society, IETF or IETF Trust, + nor the names of specific contributors, may be used to endorse + or promote products derived from this software without + specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND + CONTRIBUTORS 'AS IS' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF + MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR + CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + + + +Harrington, et al. Standards Track [Page 23] + +RFC 5592 Secure Shell Transport Model for SNMP June 2009 + + + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, + EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + This version of this MIB module is part of RFC 5592; + see the RFC itself for full legal notices." + + REVISION "200906090000Z" + DESCRIPTION "The initial version, published in RFC 5592." + + ::= { mib-2 189 } + +-- ---------------------------------------------------------- -- +-- subtrees in the SNMP-SSH-TM-MIB +-- ---------------------------------------------------------- -- + +snmpSshtmNotifications OBJECT IDENTIFIER ::= { snmpSshtmMIB 0 } +snmpSshtmObjects OBJECT IDENTIFIER ::= { snmpSshtmMIB 1 } +snmpSshtmConformance OBJECT IDENTIFIER ::= { snmpSshtmMIB 2 } + +-- ------------------------------------------------------------- +-- Objects +-- ------------------------------------------------------------- + +snmpSSHDomain OBJECT-IDENTITY + STATUS current + DESCRIPTION + "The SNMP-over-SSH transport domain. The corresponding + transport address is of type SnmpSSHAddress. + + When an SNMP entity uses the snmpSSHDomain Transport + Model, it must be capable of accepting messages up to + and including 8192 octets in size. Implementation of + larger values is encouraged whenever possible. + + The securityName prefix to be associated with the + snmpSSHDomain is 'ssh'. This prefix may be used by Security + Models or other components to identify which secure transport + infrastructure authenticated a securityName." + ::= { snmpDomains 7 } + +SnmpSSHAddress ::= TEXTUAL-CONVENTION + DISPLAY-HINT "1a" + STATUS current + + + +Harrington, et al. Standards Track [Page 24] + +RFC 5592 Secure Shell Transport Model for SNMP June 2009 + + + DESCRIPTION + "Represents either a hostname or IP address, along with a port + number and an optional user name. + + The beginning of the address specification may contain a + user name followed by an '@' (US-ASCII character 0x40). This + portion of the address will indicate the user name that should + be used when authenticating to an SSH server. The user name + must be encoded in UTF-8 (per [RFC4252]). If missing, the + SNMP securityName should be used. After the optional user + name field and '@' character comes the hostname or IP + address. + + The hostname is always in US-ASCII (as per RFC1033); + internationalized hostnames are encoded in US-ASCII as + specified in RFC 3490. The hostname is followed by a colon + ':' (US-ASCII character 0x3A) and a decimal port number in + US-ASCII. The name SHOULD be fully qualified whenever + possible. + + An IPv4 address must be in dotted decimal format followed + by a colon ':' (US-ASCII character 0x3A) and a decimal port + number in US-ASCII. + + An IPv6 address must be in colon-separated format, surrounded + by square brackets ('[', US-ASCII character 0x5B, and ']', + US-ASCII character 0x5D), followed by a colon ':' (US-ASCII + character 0x3A) and a decimal port number in US-ASCII. + + Values of this Textual Convention might not be directly usable + as transport-layer addressing information and may require + runtime resolution. As such, applications that write them + must be prepared for handling errors if such values are + not supported or cannot be resolved (if resolution occurs + at the time of the management operation). + + The DESCRIPTION clause of TransportAddress objects that may + have snmpSSHAddress values must fully describe how (and + when) such names are to be resolved to IP addresses and vice + versa. + + This Textual Convention SHOULD NOT be used directly in + object definitions since it restricts addresses to a + specific format. However, if it is used, it MAY be used + either on its own or in conjunction with + TransportAddressType or TransportDomain as a pair. + + + + + +Harrington, et al. Standards Track [Page 25] + +RFC 5592 Secure Shell Transport Model for SNMP June 2009 + + + When this Textual Convention is used as a syntax of an + index object, there may be issues with the limit of 128 + sub-identifiers, which is specified in SMIv2 (STD 58). It + is RECOMMENDED that all MIB documents using this Textual + Convention make explicit any limitations on index + component lengths that management software must observe. + This may be done either by including SIZE constraints on + the index components or by specifying applicable + constraints in the conceptual row DESCRIPTION clause or + in the surrounding documentation. + " + REFERENCE + "RFC 1033: DOMAIN ADMINISTRATORS OPERATIONS GUIDE + RFC 3490: Internationalizing Domain Names in Applications + RFC 3986: Uniform Resource Identifier (URI): Generic Syntax + RFC 4252: The Secure Shell (SSH) Authentication Protocol" + SYNTAX OCTET STRING (SIZE (1..255)) + +-- The snmpSshtmSession Group + +snmpSshtmSession OBJECT IDENTIFIER ::= { snmpSshtmObjects 1 } + +snmpSshtmSessionOpens OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "The number of times an openSession() request has been + executed as an SSH client, whether it succeeded or + failed. + " + ::= { snmpSshtmSession 1 } + +snmpSshtmSessionCloses OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "The number of times a closeSession() request has been + executed as an SSH client, whether it succeeded or + failed. + " + ::= { snmpSshtmSession 2 } + +snmpSshtmSessionOpenErrors OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + + + + + +Harrington, et al. Standards Track [Page 26] + +RFC 5592 Secure Shell Transport Model for SNMP June 2009 + + + DESCRIPTION "The number of times an openSession() request + failed to open a transport connection or failed to + authenticate the server. + " + ::= { snmpSshtmSession 3 } + +snmpSshtmSessionUserAuthFailures OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "The number of times an openSession() request + failed to open a session as an SSH client due to + user-authentication failures. + " + ::= { snmpSshtmSession 4 } + +snmpSshtmSessionNoChannels OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "The number of times an openSession() request + failed to open a session as an SSH client due to + channel-open failures. + " + ::= { snmpSshtmSession 5 } + +snmpSshtmSessionNoSubsystems OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "The number of times an openSession() request + failed to open a session as an SSH client due to + inability to connect to the requested subsystem. + " + ::= { snmpSshtmSession 6 } + +snmpSshtmSessionNoSessions OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "The number of times an outgoing message was + dropped because the same session was no longer + available. + " + ::= { snmpSshtmSession 7 } + +snmpSshtmSessionInvalidCaches OBJECT-TYPE + SYNTAX Counter32 + + + +Harrington, et al. Standards Track [Page 27] + +RFC 5592 Secure Shell Transport Model for SNMP June 2009 + + + MAX-ACCESS read-only + STATUS current + DESCRIPTION "The number of outgoing messages dropped because the + tmStateReference referred to an invalid cache. + " + ::= { snmpSshtmSession 8 } + +-- ************************************************ +-- snmpSshtmMIB - Conformance Information +-- ************************************************ + +snmpSshtmCompliances OBJECT IDENTIFIER ::= { snmpSshtmConformance 1 } + +snmpSshtmGroups OBJECT IDENTIFIER ::= { snmpSshtmConformance 2 } + +-- ************************************************ +-- Compliance statements +-- ************************************************ + +snmpSshtmCompliance MODULE-COMPLIANCE + STATUS current + + DESCRIPTION "The compliance statement for SNMP engines that + support the SNMP-SSH-TM-MIB." + MODULE + MANDATORY-GROUPS { snmpSshtmGroup } + ::= { snmpSshtmCompliances 1 } + +-- ************************************************ +-- Units of conformance +-- ************************************************ + +snmpSshtmGroup OBJECT-GROUP + OBJECTS { + snmpSshtmSessionOpens, + snmpSshtmSessionCloses, + snmpSshtmSessionOpenErrors, + snmpSshtmSessionUserAuthFailures, + snmpSshtmSessionNoChannels, + snmpSshtmSessionNoSubsystems, + snmpSshtmSessionNoSessions, + snmpSshtmSessionInvalidCaches + } + STATUS current + DESCRIPTION "A collection of objects for maintaining information + of an SNMP engine that implements the SNMP Secure + Shell Transport Model. + " + + + +Harrington, et al. Standards Track [Page 28] + +RFC 5592 Secure Shell Transport Model for SNMP June 2009 + + + ::= { snmpSshtmGroups 2 } + +END + +8. Operational Considerations + + The SSH Transport Model will likely not work in conditions where + remote access to the CLI has stopped working. The SSH Transport + Model assumes that TCP and IP continue to operate correctly between + the communicating nodes. Failures in either node, death of the + deamon serving the communication, routing problems in the network + between, firewalls that block the traffic, and other problems can + prevent the SSH Transport Model from working. In situations where + management access has to be very reliable, operators should consider + mitigating measures. These measures may include dedicated + management-only networks, point-to-point links, and the ability to + use alternate protocols and transports. + + To have SNMP properly utilize the security services provided by SSH, + the SSH Transport Model MUST be used with a Security Model that knows + how to process a tmStateReference, such as the Transport Security + Model for SNMP [RFC5591]. + + If the SSH Transport Model is configured to utilize AAA services, + operators should consider configuring support for local + authentication mechanisms, such as local passwords, so SNMP can + continue operating during times of network stress. + + The SSH protocol has its own window mechanism, defined in RFC 4254. + The SSH specifications leave it open when window adjustment messages + should be created, and some implementations send these whenever + received data has been passed to the application. There are + noticeable bandwidth and processing overheads to handling such window + adjustment messages, which can be avoided by sending them less + frequently. + + The SSH protocol requires the execution of CPU-intensive calculations + to establish a session key during session establishment. This means + that short-lived sessions become computationally expensive compared + to USM, which does not have a notion of a session key. Other + transport security protocols such as TLS support a session-resumption + feature that allows reusing a cached session key. Such a mechanism + does not exist for SSH and thus SNMP applications should keep SSH + sessions for longer time periods. + + To initiate SSH connections, an entity must be configured with SSH + client credentials plus information to authenticate the server. + While hosts are often configured to be SSH clients, most + + + +Harrington, et al. Standards Track [Page 29] + +RFC 5592 Secure Shell Transport Model for SNMP June 2009 + + + internetworking devices are not. To send notifications over SSHTM, + the internetworking device will need to be configured as an SSH + client. How this credential configuration is done is implementation- + and deployment-specific. + +9. Security Considerations + + This memo describes a Transport Model that permits SNMP to utilize + SSH security services. The security threats and how the SSH + Transport Model mitigates those threats is covered in detail + throughout this memo. + + The SSH Transport Model relies on SSH mutual authentication, binding + of keys, confidentiality, and integrity. Any authentication method + that meets the requirements of the SSH architecture will provide the + properties of mutual authentication and binding of keys. + + SSHv2 provides perfect forward secrecy (PFS) for encryption keys. + PFS is a major design goal of SSH, and any well-designed key-exchange + algorithm will provide it. + + The security implications of using SSH are covered in [RFC4251]. + + The SSH Transport Model has no way to verify that server + authentication was performed, to learn the host's public key in + advance, or to verify that the correct key is being used. The SSH + Transport Model simply trusts that these are properly configured by + the implementer and deployer. + + SSH provides the "none" userauth method. The SSH Transport Model + MUST NOT be used with an SSH connection with the "none" userauth + method. While SSH does support turning off confidentiality and + integrity, they MUST NOT be turned off when used with the SSH + Transport Model. + + The SSH protocol is not always clear on whether the user name field + must be filled in, so for some implementations, such as those using + GSSAPI authentication, it may be necessary to use a mapping algorithm + to transform an SSH identity to a tmSecurityName or to transform a + tmSecurityName to an SSH identity. + + In other cases, the user name may not be verified by the server, so + for these implementations, it may be necessary to obtain the user + name from other credentials exchanged during the SSH exchange. + + + + + + + +Harrington, et al. Standards Track [Page 30] + +RFC 5592 Secure Shell Transport Model for SNMP June 2009 + + +9.1. Skipping Public Key Verification + + Most key-exchange algorithms are able to authenticate the SSH + server's identity to the client. However, for the common case of + Diffie-Hellman (DH) signed by public keys, this requires the client + to know the host's public key a priori and to verify that the correct + key is being used. If this step is skipped, then authentication of + the SSH server to the SSH client is not done. Data confidentiality + and data integrity protection to the server still exist, but these + are of dubious value when an attacker can insert himself between the + client and the real SSH server. Note that some userauth methods may + defend against this situation, but many of the common ones (including + password and keyboard-interactive) do not and, in fact, depend on the + fact that the server's identity has been verified (so passwords are + not disclosed to an attacker). + + SSH MUST NOT be configured to skip public-key verification for use + with the SSH Transport Model. + +9.2. Notification Authorization Considerations + + SNMP Notifications are authorized to be sent to a receiver based on + the securityName used by the notification originator's SNMP engine. + This authorization is performed before the message is actually sent + and before the credentials of the remote receiver have been verified. + Thus, the credentials presented by a notification receiver MUST match + the expected value(s) for a given transport address, and ownership of + the credentials MUST be properly cryptographically verified. + +9.3. SSH User and Key Selection + + If a "user@" prefix is used within an SnmpSSHAddress value to specify + an SSH user name to use for authentication, then the key presented to + the remote entity MUST be the key expected by the server for the + "user". This may be different than a locally cached key identified + by the securityName value. + +9.4. Conceptual Differences between USM and SSHTM + + The User-based Security Model [RFC3414] employed symmetric + cryptography and user-naming conventions. SSH employs an asymmetric + cryptography and naming model. Unlike USM, cryptographic keys will + be different on both sides of the SSH connection. Both sides are + responsible for verifying that the remote entity presents the right + key. The optional "user@" prefix component of the SnmpSSHAddress + Textual Convention allows the client SNMP stack to associate the + connection with a securityName that may be different than the SSH + user name presented to the SSH server. + + + +Harrington, et al. Standards Track [Page 31] + +RFC 5592 Secure Shell Transport Model for SNMP June 2009 + + +9.5. The 'none' MAC Algorithm + + SSH provides the "none" Message Authentication Code (MAC) algorithm, + which would allow you to turn off data integrity while maintaining + confidentiality. However, if you do this, then an attacker may be + able to modify the data in flight, which means you effectively have + no authentication. + + SSH MUST NOT be configured using the "none" MAC algorithm for use + with the SSH Transport Model. + +9.6. Use with SNMPv1/v2c Messages + + The SNMPv1 and SNMPv2c message processing described in [RFC3584] (BCP + 74) always selects the SNMPv1 or SNMPv2c Security Models, + respectively. Both of these and the User-based Security Model + typically used with SNMPv3 derive the securityName and securityLevel + from the SNMP message received, even when the message was received + over a secure transport. Access control decisions are therefore made + based on the contents of the SNMP message, rather than using the + authenticated identity and securityLevel provided by the SSH + Transport Model. + +9.7. MIB Module Security + + There are no management objects defined in this MIB module that have + a MAX-ACCESS clause of read-write and/or read-create. So, if this + MIB module is implemented correctly, then there is no risk that an + intruder can alter or create any management objects of this MIB + module via direct SNMP SET operations. + + Some of the readable objects in this MIB module (i.e., objects with a + MAX-ACCESS other than not-accessible) may be considered sensitive or + vulnerable in some network environments. It is thus important to + control even GET and/or NOTIFY access to these objects and possibly + to even encrypt the values of these objects when sending them over + the network via SNMP. These are the tables and objects and their + sensitivity/vulnerability: + + o The information in the snmpSshtmSession group is generated locally + when a client session is being opened or closed. This information + can reflect the configured capabilities of a remote SSH server, + which could be helpful to an attacker for focusing an attack. + + + + + + + + +Harrington, et al. Standards Track [Page 32] + +RFC 5592 Secure Shell Transport Model for SNMP June 2009 + + + SNMP versions prior to SNMPv3 did not include adequate security. + Even if the network itself is secure (for example by using IPSec or + SSH), even then, there is no control as to who on the secure network + is allowed to access and GET/SET (read/change/create/delete) the + objects in this MIB module. + + It is RECOMMENDED that implementers consider the security features as + provided by the SNMPv3 framework (see [RFC3410], Section 8), + including full support for cryptographic mechanisms for + authentication and privacy, such as those found in the User-based + Security Model [RFC3414], the Transport Security Model [RFC5591], and + the SSH Transport Model described in this document. + + Further, deployment of SNMP versions prior to SNMPv3 is NOT + RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to + enable cryptographic security. It is then a customer/operator + responsibility to ensure that the SNMP entity giving access to an + instance of this MIB module is properly configured to give access to + the objects only to those principals (users) that have legitimate + rights to indeed GET or SET (change/create/delete) them. + +10. IANA Considerations + + IANA has assigned: + + 1. Two TCP port numbers in the Port Numbers registry that will be + the default ports for the SNMP-over-SSH Transport Model as + defined in this document, and the SNMP-over-SSH Transport Model + for notifications as defined in this document. The assigned + keywords and port numbers are "snmpssh" (5161) and "snmpssh-trap" + (5162). + + 2. An SMI number (189) under mib-2, for the MIB module in this + document. + + 3. An SMI number (7) under snmpDomains, for the snmpSSHDomain. + + 4. "ssh" as the corresponding prefix for the snmpSSHDomain in the + SNMP Transport Domains registry; defined in [RFC5590]. + + 5. "snmp" as a Connection Protocol Subsystem Name in the SSH + Protocol Parameters registry. + +11. Acknowledgments + + The editors would like to thank Jeffrey Hutzelman for sharing his SSH + insights, and Dave Shield for an outstanding job wordsmithing the + existing document to improve organization and clarity. + + + +Harrington, et al. Standards Track [Page 33] + +RFC 5592 Secure Shell Transport Model for SNMP June 2009 + + + Additionally, helpful document reviews were received from Juergen + Schoenwaelder. + +12. References + +12.1. Normative References + + [RFC1033] Lottor, M., "Domain administrators operations guide", + RFC 1033, November 1987. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. + Schoenwaelder, Ed., "Structure of Management Information + Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. + + [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. + Schoenwaelder, Ed., "Textual Conventions for SMIv2", + STD 58, RFC 2579, April 1999. + + [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, + "Conformance Statements for SMIv2", STD 58, RFC 2580, + April 1999. + + [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An + Architecture for Describing Simple Network Management + Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, + December 2002. + + [RFC3413] Levi, D., Meyer, P., and B. Stewart, "Simple Network + Management Protocol (SNMP) Applications", STD 62, + RFC 3413, December 2002. + + [RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model + (USM) for version 3 of the Simple Network Management + Protocol (SNMPv3)", STD 62, RFC 3414, December 2002. + + [RFC3418] Presuhn, R., "Management Information Base (MIB) for the + Simple Network Management Protocol (SNMP)", STD 62, + RFC 3418, December 2002. + + [RFC3490] Faltstrom, P., Hoffman, P., and A. Costello, + "Internationalizing Domain Names in Applications (IDNA)", + RFC 3490, March 2003. + + + + + + +Harrington, et al. Standards Track [Page 34] + +RFC 5592 Secure Shell Transport Model for SNMP June 2009 + + + [RFC3584] Frye, R., Levi, D., Routhier, S., and B. Wijnen, + "Coexistence between Version 1, Version 2, and Version 3 + of the Internet-standard Network Management Framework", + BCP 74, RFC 3584, August 2003. + + [RFC4251] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) + Protocol Architecture", RFC 4251, January 2006. + + [RFC4252] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) + Authentication Protocol", RFC 4252, January 2006. + + [RFC4253] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) + Transport Layer Protocol", RFC 4253, January 2006. + + [RFC4254] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) + Connection Protocol", RFC 4254, January 2006. + + [RFC5590] Harrington, D. and J. Schoenwaelder, "Transport Subsystem + for the Simple Network Management Protocol (SNMP)", + RFC 5590, June 2009. + +12.2. Informative References + + [RFC1994] Simpson, W., "PPP Challenge Handshake Authentication + Protocol (CHAP)", RFC 1994, August 1996. + + [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, + "Remote Authentication Dial In User Service (RADIUS)", + RFC 2865, June 2000. + + [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, + "Introduction and Applicability Statements for Internet- + Standard Management Framework", RFC 3410, December 2002. + + [RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. + Arkko, "Diameter Base Protocol", RFC 3588, September 2003. + + [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform + Resource Identifier (URI): Generic Syntax", STD 66, + RFC 3986, January 2005. + + [RFC4256] Cusack, F. and M. Forssen, "Generic Message Exchange + Authentication for the Secure Shell Protocol (SSH)", + RFC 4256, January 2006. + + + + + + + +Harrington, et al. Standards Track [Page 35] + +RFC 5592 Secure Shell Transport Model for SNMP June 2009 + + + [RFC4462] Hutzelman, J., Salowey, J., Galbraith, J., and V. Welch, + "Generic Security Service Application Program Interface + (GSS-API) Authentication and Key Exchange for the Secure + Shell (SSH) Protocol", RFC 4462, May 2006. + + [RFC4742] Wasserman, M. and T. Goddard, "Using the NETCONF + Configuration Protocol over Secure SHell (SSH)", RFC 4742, + December 2006. + + [RFC5090] Sterman, B., Sadolevsky, D., Schwartz, D., Williams, D., + and W. Beck, "RADIUS Extension for Digest Authentication", + RFC 5090, February 2008. + + [RFC5591] Harrington, D. and W. Hardaker, "Transport Security Model + for the Simple Network Management Protocol (SNMP)", + RFC 5591, June 2009. + +Authors' Addresses + + David Harrington + Huawei Technologies (USA) + 1700 Alma Dr. Suite 100 + Plano, TX 75075 + USA + + Phone: +1 603 436 8634 + EMail: ietfdbh@comcast.net + + + Joseph Salowey + Cisco Systems + 2901 3rd Ave + Seattle, WA 98121 + USA + + EMail: jsalowey@cisco.com + + + Wes Hardaker + Cobham Analytic Solutions + P.O. Box 382 + Davis, CA 95617 + US + + Phone: +1 530 792 1913 + EMail: ietf@hardakers.net + + + + + +Harrington, et al. Standards Track [Page 36] + |