\RequirePackage{snapshot} % Needed by bundledoc %\documentclass[colorBG,slideColor,troispoints,pdf]{prosper} \documentclass[colorBG,total,slideColor,ps]{prosper} %\documentclass[colorBG,slideColor,ps]{prosper} \usepackage{alltt% ,rcs% ,meta% ,graphicx% ,xspace% ,tabularx% %,booktabs% ,multicol% ,textcomp% } %\usepackage[nolineno,noindent]{lgrind} %\definecolor{green}{rgb}{0,1,0} % Copyright (c) 2003 by Nick Urbanik . % This material may be distributed only subject to the terms and % conditions set forth in the Open Publication License, v1.0 or later % (the latest version is presently available at % http://www.opencontent.org/openpub/). \RCS $Revision: 1.4 $ \DeclareRobustCommand{\acro}[1]{\textsc{\lowercase{#1}}} \newcommand*{\bs}{\texttt{\char '134}} % Backslash `\' %\newcommand*{\labTitle}{LDAP Directories} \newcommand*{\subject}{Systems and Network Management} \newcommand*{\emphcolour}[1]{\emph{\red#1}} \providecommand*{\RFC}{\acro{RFC}\xspace} \providecommand*{\LAN}{\acro{LAN}\xspace} \providecommand*{\IP}{\acro{IP}\xspace} \providecommand*{\ICT}{\acro{ICT}\xspace} \providecommand*{\ISP}{\acro{ISP}\xspace} %\providecommand*{\IETF}{\acro{IETF}\xspace} \providecommand*{\OID}{\acro{OID}\xspace} \providecommand*{\VACM}{\acro{VACM}\xspace} \providecommand*{\SNMP}{\acro{SNMP}\xspace} \providecommand*{\USM}{\acro{USM}\xspace} \providecommand*{\MIB}{\acro{MIB}\xspace} \providecommand*{\IOS}{\acro{IOS}\xspace} \providecommand*{\DES}{\acro{DES}\xspace} % See page 49 of Graphics Companion % #1, #2 x and y coordinates of reference point of brace in pt % #3 rotation angle for large right brace in degrees: 90 faces down % -90 faces up, 180 faces to the right % #4 total height of brace in pt \newcommand{\Bpara}[4]{% \begin{picture}(0,0)% \setlength{\unitlength}{1pt}% \put(#1,#2){\rotatebox{#3}{\raisebox{0mm}[0mm][0mm]{% \makebox[0mm]{$\left.\rule{0mm}{#4pt}\right\}$}}}}% \end{picture}% } \title{\mbox{}\blue{}SNMP Version 3}% \subtitle{More about VACM and USM} \author{Nick 
Urbanik \texttt{ {\footnotesize\copyright{}} 2003}\\ \footnotesize{}Copyright Conditions: Open Publication License (see \url{http://www.opencontent.org/openpub/})}% \institution{A computing department}% \slideCaption{SNM --- SNMPv3 --- ver. \RCSRevision} %%%%%\Logo{\includegraphics[width=15mm]{ict-logo-smaller}} \begin{document} \maketitle \begin{slide}{Goals of SNMPv3 (RFC 3411)} \begin{itemize} \item Avoid reinventing the wheel---use existing work \item Support secure \texttt{set} operation \item Support forward and backward compatibility \item Support remote configuration \begin{itemize} \item \USM and \VACM configuration is through \SNMP tables and variables \end{itemize} \item {\mbox{}\blue{}Security} protection against: \begin{itemize} \item modification of information by unauthorised parties \item an unauthorised person masquerading as an authorised person \item message stream modification by reordering, delaying or replaying exchanges \item disclosure (eavesdropping) \end{itemize} \end{itemize} \end{slide} \begin{slide}{VACM} \begin{itemize} \item The \emphcolour{View-based Access Control Model} (\emphcolour{VACM}) \item \VACM has five main components, as we mentioned earlier: \begin{itemize} \item \emphcolour{groups} of users \item \emphcolour{security model and level}, i.e., model \texttt{v1}, \texttt{v2c} or \texttt{usm}, and level \texttt{noauth}, \texttt{auth} or \texttt{priv} \item \emphcolour{contexts} --- see slide~\S\pageref{sld:context} \item \emphcolour{MIB views, view families} --- see slide~\S\pageref{sld:view} \item \emphcolour{access policy}, i.e., read only, read-write, notify, no access. \end{itemize} \item How do we set up \SNMP{}v3 users on agents and network management software? \item How do we control access to a subset of \MIB variables on an agent? \end{itemize} \end{slide} \begin{slide}{Context} \label{sld:context} \begin{itemize} \item An \SNMP \emphcolour{context} is a collection of management variables accessible by an \SNMP entity. 
\item Gives a way to group variables into collections with different access policies. \item Example from \RFC 3411: See slide~\S\pageref{sld:context-example} \begin{itemize} \item The engine uses the bridge \MIB defined in \RFC 1493 \item but the engine keeps management information for two separate bridges labeled \texttt{bridge1} and \texttt{bridge2} \item Could be that neither bridge directly supports \SNMP, so another device on the \LAN collects data from the bridges using some other method \item Makes this information available within the \emphcolour{context} \end{itemize} \end{itemize} \end{slide} \begin{slide}{Context Example from RFC 3411} \label{sld:context-example} \vspace*{-0.05\slideWidth} \centering% \includegraphics[width=0.85\slideWidth]{snmp-context-example} \end{slide} \begin{slide}{\texttt{isAccessAllowed} from RFC 3415} \centering% \vspace*{-7mm}% % \hspace*{-5mm}% \includegraphics[width=0.95\slideWidth]{is-allowed} \end{slide} \begin{slide}{VACM on Net-SNMP} \begin{itemize} \item Net-SNMP uses {\green{}four keywords} to set up \VACM in \texttt{\blue/etc/snmp/snmpd.conf}: \begin{multicols}{2} \begin{itemize} \item \texttt{\textbf{\red{}com2sec}} \item \texttt{\textbf{\red{}group}} \item \texttt{\textbf{\red{}view}} \item \texttt{\textbf{\red{}access}} \end{itemize} \end{multicols} \item These set up access control to variables on the agent. \begin{itemize} \item \texttt{\red{}access} and \texttt{\red{}view} determine \emphcolour{what} access is being controlled to. \item \texttt{\red{}group} and \texttt{\red{}com2sec} determine \emphcolour{who} has this access. \end{itemize} \end{itemize} \end{slide} \begin{slide}{Net-SNMP VACM} \vspace*{4mm}% \hspace*{-5mm}% \includegraphics[width=1.1\slideWidth]{vacm-diagram} \end{slide} \begin{slide}{The \texttt{access} Keyword} \begin{itemize} \item Specifies which group has access to which parts of the \MIB tree \item Has 8 parameters. 
Syntax (all on one line): \end{itemize} \vspace*{-3.5ex} \hspace*{-0.1\slideWidth}% \begin{alltt}\tiny \mbox{}{\red{}access} \meta{group} \meta{context} \meta{secmodel} \meta{seclevel} \meta{prefix} \meta{readview} \meta{writeview} \meta{notifyview} \end{alltt} \vspace*{-1.7ex} \begin{itemize} \item Last three parameters \meta{readview} \meta{writeview} \meta{notifyview} are \emphcolour{views}, defined by \emphcolour{\texttt{view}} statements. \begin{itemize} \item Indicate which part of the \MIB tree has read access, which part of tree has write access, and which part has permission for access to send notifications (i.e., traps or inform requests) \end{itemize} \item The \meta{group} parameter is defined by a \emphcolour{\texttt{group}} statement \begin{itemize} \item Represents a group of users \end{itemize} \item Default \meta{context} is the empty string \texttt{""}. See slide~\S\pageref{sld:context}. \end{itemize} \end{slide} \begin{slide}{\texttt{access}: Security Model, Security Level} \begin{itemize} \item The parameter \meta{secmodel} is the \emphcolour{Security Model}. \begin{itemize} \item Can be one of: \texttt{any}, \texttt{v1}, \texttt{v2c} or \texttt{usm}. \item Should be set to match the \SNMP version of clients that will connect to this agent. \end{itemize} \item Parameter \meta{seclevel} \emphcolour{Security Level} tells whether we use authentication or encryption \begin{itemize} \item Can be one of \texttt{noauth}, \texttt{auth}, or \texttt{priv} \item This is the \emph{minimum} level a request must carry to match this entry: requests at a higher level also match, requests at a lower level are refused \item Note that community strings are not counted as authentication, so for \SNMP{}v1 and \SNMP{}v2 we specify \texttt{noauth}. A community string travels in cleartext in every \SNMP{}v1 and v2c message, so it is only a weak shared password and gives none of the protections listed on the first slide \item \texttt{priv} (privacy) means that we use both strong authentication \emphcolour{and} encryption. \end{itemize} \end{itemize} \end{slide} \begin{slide}{\texttt{access}: The \meta{prefix} Parameter} \begin{itemize} \item The \meta{prefix} parameter to \texttt{access} can be either \texttt{exact} or \texttt{prefix}. 
\item Indicates whether context name needs to match exactly or whether only the first part of the context name needs to match. \item The default value is \texttt{exact}. \end{itemize} \end{slide} \begin{slide}{\texttt{access} with SNMPv1, v2c} \begin{itemize} \item For \SNMP{}v1 and \SNMP{}v2c clients \begin{itemize} \item Security Level will be \texttt{noauth}, and \item \texttt{context} will be empty (the empty string). \end{itemize} \end{itemize} \end{slide} \begin{slide}{The \texttt{com2sec} keyword} \begin{itemize} \item Maps a \emphcolour{community string} and a source \IP or network address to a \emphcolour{security name} (user name). \item Syntax: \begin{alltt} com2sec \meta{securityName} \meta{source} \meta{community} \end{alltt} \begin{itemize} \item The security name is used by the \texttt{group} keyword --- see \S\pageref{sld:group} \item Source can be a hostname, a subnet or the word ``\texttt{default}'' \begin{itemize} \item A subnet can be written as IP/mask or IP/BITS, e.g., our lab subnet can be written as 172.19.64.0/255.255.192.0 or 172.19.64.0/18. \item ``\texttt{default}'' matches \emph{any} source address, so it should only ever be paired with a read-only view. The source check is an address comparison, not authentication; keep the subnet as small as possible. \end{itemize} \end{itemize} \item Only needed for access control with \SNMP{}v1 and v2c \begin{itemize} \item Not used with \SNMP{}v3 \end{itemize} \end{itemize} \end{slide} \begin{slide}{The \texttt{group} Keyword} \label{sld:group} \begin{itemize} \item maps pairs of \emphcolour{Security Model} and \emphcolour{Security Name} to a group name. \item Syntax: \begin{alltt}\footnotesize group \meta{groupName} \meta{securityModel} \meta{securityName} \end{alltt} \item A Security Model is one of \texttt{v1}, \texttt{v2c} or \texttt{usm}. \item The \emphcolour{Security Name} is the \emphcolour{user name}. \item All members of one group have the same access rights. \item A user cannot belong to more than one group for each of the three security models. 
\end{itemize} \end{slide} \begin{slide}{Views and the \texttt{view} Keyword} \label{sld:view} \begin{itemize} \item The view determines what part of the \MIB access is controlled to. \item Uses concept of a \emphcolour{subtree}. \begin{itemize} \item A \emphcolour{subtree} is a node in the \MIB tree and all the elements under that node. \item In other words, all the \MIB elements in a subtree have the same common prefix. \end{itemize} \item Syntax: \end{itemize} \begin{alltt}\footnotesize view \meta{viewName} \meta{incl/excl} \meta{subtree} \meta{mask(optional)} \end{alltt} \end{slide} \begin{slide}{The \texttt{view} Keyword --- 2} \label{sld:view-2} \begin{itemize} \item \meta{incl/excl} can be either ``\texttt{included}'' or ``\texttt{excluded}'' \begin{itemize} \item ``\texttt{included}'' means that the \MIB view includes all the elements of the subtree; \item ``\texttt{excluded}'' means that the \MIB view excludes all the elements of the subtree. \end{itemize} \end{itemize} \end{slide} \begin{slide}{The View Mask --- 1} \label{sld:view-mask-1} \begin{itemize} \item The optional view mask allows the access control to select individual rows in a table. 
\item \RFC 3415 calls this a \emphcolour{family of subtrees}, since a row of $n$ elements can be also represented by $n$ subtrees \item \RFC 3415 calls the mask the \emphcolour{family mask} \end{itemize} \end{slide} \begin{slide}{The Network Interface Table, \texttt{ifTable} } \begin{itemize} \item Under \texttt{mib-2} is the important \texttt{ifTable} \begin{itemize} \item Provides statistics on each network interface \item includes such things as network traffic, errors,\ldots \item {\mbox{}\blue{}One row in the table for each network interface} \end{itemize} \end{itemize} \end{slide} \begin{slide}{Walking \texttt{ifTable} --- 1} \begin{alltt}\tiny $ \textbf{snmpbulkwalk -v 2c -c public localhost ifTable} IF-MIB::ifIndex.1 = INTEGER: 1 IF-MIB::ifIndex.2 = INTEGER: 2 IF-MIB::ifDescr.1 = STRING: lo IF-MIB::ifDescr.2 = STRING: eth0 IF-MIB::ifType.1 = INTEGER: softwareLoopback(24) IF-MIB::ifType.2 = INTEGER: ethernetCsmacd(6) IF-MIB::ifMtu.1 = INTEGER: 16436 IF-MIB::ifMtu.2 = INTEGER: 1500 IF-MIB::ifSpeed.1 = Gauge32: 10000000 IF-MIB::ifSpeed.2 = Gauge32: 100000000 IF-MIB::ifPhysAddress.1 = STRING: IF-MIB::ifPhysAddress.2 = STRING: 0:1:3:45:99:12 IF-MIB::ifAdminStatus.1 = INTEGER: up(1) IF-MIB::ifAdminStatus.2 = INTEGER: up(1) IF-MIB::ifOperStatus.1 = INTEGER: up(1) IF-MIB::ifOperStatus.2 = INTEGER: up(1) IF-MIB::ifInOctets.1 = Counter32: 1073820735 IF-MIB::ifInOctets.2 = Counter32: 1620632733 \end{alltt}%$ \end{slide} \begin{slide}{Walking \texttt{ifTable} --- 2} \begin{alltt}\tiny IF-MIB::ifInUcastPkts.1 = Counter32: 2950449 IF-MIB::ifInUcastPkts.2 = Counter32: 105216646 IF-MIB::ifInDiscards.1 = Counter32: 0 IF-MIB::ifInDiscards.2 = Counter32: 0 IF-MIB::ifInErrors.1 = Counter32: 0 IF-MIB::ifInErrors.2 = Counter32: 0 IF-MIB::ifOutOctets.1 = Counter32: 1073821769 IF-MIB::ifOutOctets.2 = Counter32: 2594849796 IF-MIB::ifOutUcastPkts.1 = Counter32: 2950461 IF-MIB::ifOutUcastPkts.2 = Counter32: 81734428 IF-MIB::ifOutDiscards.1 = Counter32: 0 IF-MIB::ifOutDiscards.2 = 
Counter32: 0 IF-MIB::ifOutErrors.1 = Counter32: 0 IF-MIB::ifOutErrors.2 = Counter32: 0 IF-MIB::ifOutQLen.1 = Gauge32: 0 IF-MIB::ifOutQLen.2 = Gauge32: 0 IF-MIB::ifSpecific.1 = OID: SNMPv2-SMI::zeroDotZero IF-MIB::ifSpecific.2 = OID: SNMPv2-SMI::zeroDotZero \end{alltt} \end{slide} \begin{slide}{\texttt{ifTable} in Numbers --- 1} \begin{alltt}\tiny $ \textbf{snmpbulkwalk -v 2c -On -c public localhost ifTable} .1.3.6.1.2.1.2.2.1.1.1 = INTEGER: 1 .1.3.6.1.2.1.2.2.1.1.2 = INTEGER: 2 .1.3.6.1.2.1.2.2.1.2.1 = STRING: lo .1.3.6.1.2.1.2.2.1.2.2 = STRING: eth0 .1.3.6.1.2.1.2.2.1.3.1 = INTEGER: softwareLoopback(24) .1.3.6.1.2.1.2.2.1.3.2 = INTEGER: ethernetCsmacd(6) .1.3.6.1.2.1.2.2.1.4.1 = INTEGER: 16436 .1.3.6.1.2.1.2.2.1.4.2 = INTEGER: 1500 .1.3.6.1.2.1.2.2.1.5.1 = Gauge32: 10000000 .1.3.6.1.2.1.2.2.1.5.2 = Gauge32: 100000000 .1.3.6.1.2.1.2.2.1.6.1 = STRING: .1.3.6.1.2.1.2.2.1.6.2 = STRING: 0:1:3:45:99:12 .1.3.6.1.2.1.2.2.1.7.1 = INTEGER: up(1) .1.3.6.1.2.1.2.2.1.7.2 = INTEGER: up(1) .1.3.6.1.2.1.2.2.1.8.1 = INTEGER: up(1) .1.3.6.1.2.1.2.2.1.8.2 = INTEGER: up(1) .1.3.6.1.2.1.2.2.1.10.1 = Counter32: 1073820735 .1.3.6.1.2.1.2.2.1.10.2 = Counter32: 1620632733 \end{alltt}%$ \end{slide} \begin{slide}{\texttt{ifTable} in Numbers --- 2} \begin{alltt}\tiny .1.3.6.1.2.1.2.2.1.11.1 = Counter32: 2950449 .1.3.6.1.2.1.2.2.1.11.2 = Counter32: 105216646 .1.3.6.1.2.1.2.2.1.13.1 = Counter32: 0 .1.3.6.1.2.1.2.2.1.13.2 = Counter32: 0 .1.3.6.1.2.1.2.2.1.14.1 = Counter32: 0 .1.3.6.1.2.1.2.2.1.14.2 = Counter32: 0 .1.3.6.1.2.1.2.2.1.16.1 = Counter32: 1073821769 .1.3.6.1.2.1.2.2.1.16.2 = Counter32: 2594849796 .1.3.6.1.2.1.2.2.1.17.1 = Counter32: 2950461 .1.3.6.1.2.1.2.2.1.17.2 = Counter32: 81734428 .1.3.6.1.2.1.2.2.1.19.1 = Counter32: 0 .1.3.6.1.2.1.2.2.1.19.2 = Counter32: 0 .1.3.6.1.2.1.2.2.1.20.1 = Counter32: 0 .1.3.6.1.2.1.2.2.1.20.2 = Counter32: 0 .1.3.6.1.2.1.2.2.1.21.1 = Gauge32: 0 .1.3.6.1.2.1.2.2.1.21.2 = Gauge32: 0 .1.3.6.1.2.1.2.2.1.22.1 = OID: SNMPv2-SMI::zeroDotZero 
.1.3.6.1.2.1.2.2.1.22.2 = OID: SNMPv2-SMI::zeroDotZero \end{alltt} \end{slide} \begin{slide}{Instance Number} \begin{itemize} \item Notice that the index is the number at the end of the \OID \item Called an \emphcolour{instance number}. Index starts from 1 \item Suppose we are an \ISP, want to allow customer A to view their own network interface, but not that of customer B, their competitor. \item Note that as we go along a row, the {\blue{}\OID element just before the instance number changes} \item Suppose customer A has a network interface with the index 5. \begin{alltt} $ \textbf{snmptranslate -On IF-MIB::ifOutOctets.5} .1.3.6.1.2.1.2.2.1.16.5 \end{alltt}%$ \item So want to allow access for customer A to .1.3.6.1.2.1.2.2.1.*.5 \end{itemize} \end{slide} %% \begin{slide}{The View Mask --- 2} %% \label{sld:view-mask-2-table} %% \begin{itemize} %% \item We can provide a view mask to specify this: %% \smallskip% %% {\footnotesize %% \setlength{\extrarowheight}{0pt}% %% \newcommand*{\WD}{\hspace*{3ex}} %% %% \begin{tabular}[t]{@{}cccc@{\hspace*{3ex}}cccc% %% %% @{\hspace*{3ex}}cccc@{\hspace*{3ex}}cccc@{}} %% \begin{tabular}[t]{@{}cccc@{}l@{}cccc@{}l@{}ccc|c@{}l@{}cccc@{}} %% 1 & 3 & 6 & 1 &\WD & 2 & 1 & 2 & 2 &\WD & 1 & * & 5 & * &\WD & * & * & * & * \\ %% 1 & 1 & 1 & 1 &\ & 1 & 1 & 1 & 1 &\ & 1 & 0 & 1 & 0 &\ & 0 & 0 & 0 & 0 \\ %% \cline{1-4} \cline{6-9} \cline{11-14} \cline{16-19} %% \multicolumn{4}{@{}c}{f} && \multicolumn{4}{c}{f} && %% \multicolumn{4}{c}{a} && \multicolumn{4}{c}{0} %% \end{tabular}% %% } %% \item A \emphcolour{zero in the bit mask} is like a wildcard or %% ``don't care'' specifier %% \item A mask of all 1's is the same as a single view subtree %% specified by the family name (it's the same as not specifying a mask) %% \item Here the {\blue{}mask is specified as ff.a0} %% \item For Net-SNMP, {\green{}the mask is specified as a list of %% hexadecimal \emphcolour{bytes}\green{} separated with `.' or %% `:'}. 
%% \end{itemize} %% \end{slide} \begin{slide}{The View Mask --- 2} \label{sld:view-mask-2-table} \begin{itemize} \item We can provide a view mask to specify this: \smallskip% {\footnotesize \setlength{\extrarowheight}{0pt}% \newcommand*{\WD}{\hspace*{3ex}} %% \begin{tabular}[t]{@{}cccc@{\hspace*{3ex}}cccc% %% @{\hspace*{3ex}}cccc@{\hspace*{3ex}}cccc@{}} \begin{tabular}[t]{@{}cccc@{}l@{}cccc@{}l@{}ccc|c@{}l@{}cccc@{}} 1 & 3 & 6 & 1 &\WD & 2 & 1 & 2 & 2 &\WD & 1 & * & 5 & * &\WD & * & * & * & * \\ 1 & 1 & 1 & 1 &\ & 1 & 1 & 1 & 1 &\ & 1 & 0 & 1 & 0 &\ & 0 & 0 & 0 & 0 \\[1ex] %\cline{1-4} \cline{6-9} \cline{11-14} \cline{16-19} \multicolumn{4}{@{}c}{f\Bpara{-1}{16}{-90}{33}} && \multicolumn{4}{c}{f\Bpara{-4}{16}{-90}{33}} && \multicolumn{4}{c}{a\Bpara{-4}{16}{-90}{33}} && \multicolumn{4}{c}{0\Bpara{-5}{16}{-90}{33}} \end{tabular}% } \item A \emphcolour{zero in the bit mask} is like a wildcard or ``don't care'' specifier \item A mask of all 1's is the same as a single view subtree specified by the family name (it's the same as not specifying a mask) \item Here the {\blue{}mask is specified as ff.a0} \item For Net-SNMP, {\green{}the mask is specified as a list of hexadecimal \emphcolour{bytes}\green{} separated with `.' or `:'}. \end{itemize} \end{slide} \begin{slide}{The View Mask --- 3} \begin{itemize} \item Note that in creating a view mask, we start from the left, writing hexadecimal digits. \item We don't care about the bits representing non-existent elements after the end of the subtree parent. 
\begin{itemize} \item I mean the bits to the right of the vertical line in slide~\S\pageref{sld:view-mask-2-table} \item These bits could be one or zero; I chose zero, since zero means ``don't care; you can use any value here'' \end{itemize} \item We can specify this \emphcolour{family of view subtrees} like this: \begin{alltt}\tiny \textbf{view custA included interfaces.ifTable.ifEntry.ifIndex.5 {\red{}ff.a0}} \end{alltt} \item This view can then be used in an \texttt{access} statement \begin{itemize} \item see the example in slide \S\pageref{sld:net-snmp-vacm-example-2} \end{itemize} \end{itemize} \end{slide} \begin{slide}{The View Mask --- 4} \begin{itemize} \item One bit in the view mask determines access to one element in the \OID \begin{itemize} \item It doesn't matter how big or small the numerical component of the \OID is \item one bit controls whether different values for that component are included in the family of view subtrees or not \end{itemize} \item \RFC 3415 says that any bit mask is extended with 1's to the same length in bits as the number of identifiers in the \OID if it is shorter. \item As a consequence, a family mask of zero length corresponds to a single view subtree. 
\end{itemize} \end{slide} \begin{slide}{Net-SNMP VACM Example 1} \label{sld:net-snmp-vacm-example-1} \tiny \begin{verbatim} # sec.name source community com2sec local localhost mypP?rC32 com2sec ictnetwork 172.19.64.0/18 public # group.name sec.model sec.name group MyRWGroup v1 local group MyRWGroup v2c local group MyROGroup v1 ictnetwork group MyROGroup v2c ictnetwork # viewname incl/excl subtree view all included .1 # group.name context sec.model sec.level match read write notif access MyROGroup "" any noauth exact all none none access MyRWGroup "" any noauth exact all all none \end{verbatim} \end{slide} \begin{slide}{Net-SNMP VACM Example 1} \begin{itemize} \item In the example in \S\pageref{sld:net-snmp-vacm-example-1}, read-write access using the community string ``mypP?rC32'' is allowed from the same machine only (localhost). \item read only access is allowed from any machine in the \ICT laboratory subnet using the (badly chosen, and in any case sent in cleartext with every request) community string ``public''. \item No traps or inform requests can be sent by the agent. \item Note that every column-heading line in the file must start with \texttt{\#}; a bare heading such as \texttt{viewname incl/excl subtree} would be read as an unknown directive. \end{itemize} \end{slide} \begin{slide}{Net-SNMP VACM Example 2} \label{sld:net-snmp-vacm-example-2} {\tiny \begin{verbatim} group companyA usm companyAManager group companyB usm companyBManager view custA included interfaces.ifTable.ifEntry.ifIndex.5 ff.a0 view custB included interfaces.ifTable.ifEntry.ifIndex.2 ff.a0 access companyA "" usm priv exact custA none none access companyB "" usm priv exact custB none none \end{verbatim}% } \begin{itemize} \item \texttt{companyAManager} is a \USM user that has read-only access to the \texttt{ifTable} row that corresponds to the company A's own network interface, and no other access. \item \texttt{companyBManager} is a \USM user that has read-only access to the \texttt{ifTable} row that corresponds to the company B's own network interface, and no other access. \item Because both \texttt{access} lines require \texttt{priv}, requests that are merely authenticated (\texttt{authNoPriv}) or unauthenticated are refused: each customer's interface statistics are only ever sent encrypted. 
\end{itemize} \end{slide} \begin{slide}{Cisco VACM Configuration} \begin{itemize} \item Cisco \IOS specifies a view with the following syntax: \begin{verbatim} snmp-server view custA ifEntry.*.5 included snmp-server view custB ifEntry.*.2 included \end{verbatim} \item Cisco uses the \texttt{snmp-server user} command to specify users and group membership \end{itemize} \end{slide} \begin{slide}{User-based Security Model} \begin{itemize} \item \USM allows remote configuration of users \item Supports authentication using \acro{HMAC}-\acro{MD}5 or \acro{HMAC}-\acro{SHA}1 and encryption using \DES (\RFC 3414) \begin{itemize} \item \acro{MD}5 and 56-bit \DES are weak by current standards: prefer \acro{SHA}1 for authentication and, where both agent and manager support one, a stronger privacy protocol than \DES \end{itemize} \item Remotely create new users by \emphcolour{cloning} existing users \item Each new user can be cloned from only once; an existing user may be the source of many clones \item Each user {\green{}must be given access using \VACM or that user account cannot be used} \begin{itemize} \item Add the user to a \emphcolour{group} \item provide \emphcolour{access} to that group through \emphcolour{views} \end{itemize} \end{itemize} \end{slide} \begin{slide}{Configuring \USM Users --- 1} \begin{itemize} \item \USM users can be created with the \texttt{net-snmp-config} program: \item Stop the agent first, then create the initial user: \begin{alltt} $ \textbf{sudo service snmpd stop} $ \textbf{sudo net-snmp-config --create-snmpv3-user \bs -a "my_password" myuser} \end{alltt} \item SNMPv3 pass phrases must be at least 8 characters long (that is a minimum, not a recommendation). \item A pass phrase given on the command line, as above, is visible to other users in the process list and may be recorded in the shell history, so do not pass a real pass phrase this way. \item We have created a user ``\texttt{myuser}'' with a password of ``\texttt{my\_password}'' and using \acro{MD}5 for authentication and \DES for encryption. \item Very simple access control has been added to \path{/etc/snmp/snmpd.conf} (the agent's configuration file) allowing the user write access to entire tree \end{itemize} \end{slide} \begin{slide}{Configuring \USM Users --- 2} \begin{itemize} \item Now start the agent, and test the user. 
First we test without encryption, then with encryption: {\tiny \begin{alltt} $ \textbf{sudo service snmpd start} $ \textbf{snmpget -v 3 -u myuser -l authNoPriv -a MD5 \bs -A my_password localhost sysUpTime.0} $ \textbf{snmpget -v 3 -u myuser -l authPriv -a MD5 \bs -A my_password -x DES -X my_password localhost sysUpTime.0} \end{alltt}%$ } \item Can create as many users as you like in this way. \item Better to {\green{}improve access control} using \VACM over the default of write access everywhere \end{itemize} \end{slide} \begin{slide}{Remotely Creating \USM Users} \begin{itemize} \item We clone the first user we created: \begin{alltt}\scriptsize $ \textbf{snmpusm -v 3 -u myuser -l authNoPriv -a MD5 \bs -A my_password localhost create nicku myuser} \end{alltt}%$ \item We now have created user \texttt{nicku} with the same password as the ``\texttt{myuser}'' user, so until it is changed anyone who knows \texttt{myuser}'s pass phrase can also act as \texttt{nicku}. \item Now change the password: \begin{alltt}\scriptsize $ \textbf{snmpusm -v 3 -u nicku -l authNoPriv -a MD5 \bs -A my_password localhost passwd my_password \bs new_passphrase} \end{alltt}%$ \begin{itemize} \item See \texttt{man snmpusm} and \texttt{man snmpcmd} \end{itemize} \item Can put account information into a local $\sim$\texttt{/.snmp/snmp.conf} that is readable only by you (e.g., mode 0600): it holds the pass phrases in cleartext, but keeps them off the command line, where they are exposed in the process list and shell history \begin{itemize} \item See \texttt{man snmp.conf} \end{itemize} \end{itemize} \end{slide} \begin{slide}{SNMP Standards and RFCs} \begin{itemize} \item The standards were updated in December 2002 \begin{itemize} \item Most (all?) text books are out of date \item My notes were out of date. 
\end{itemize} {\tiny \setlength{\extrarowheight}{0pt}% \begin{tabular}[t]{@{}ll@{}} RFC 1155 & SMIv1 \\ RFC 1157 & SNMPv1 \\ RFC 1212 & Concise MIB definitions \\ RFC 1215 & SNMPv1 traps \\ RFC 1901 & SNMPv2c \\ RFC 2570 & Old SNMPv3 overview \\ RFC 2578 & SMIv2 \\ RFC 2579 & SMIv2 textual conventions \\ RFC 2580 & SMIv2 conformance \\ \end{tabular}% \hspace*{2ex}% \begin{tabularx}{0.5\slideWidth}[t]{@{}lX@{}} RFC 3411 & SNMPv3 architecture \\ RFC 3412 & SNMPv3 message processing \\ RFC 3413 & SNMPv3 applications \\ RFC 3414 & SNMPv3 USM \\ RFC 3415 & SNMPv3 VACM \\ RFC 3416 & SNMPv2 protocol operations \\ RFC 3417 & SNMPv2 transport mappings \\ RFC 3418 & SNMPv2 MIB \\ RFC 3512 & SNMP configuring networks info \\ RFC 3584 & SNMP coexistence v1 v2 v3 best practice \\ \end{tabularx} } \end{itemize} \end{slide} \begin{slide}{References} \label{sld:reference-books}% \tiny \begin{itemize} \item \RFC{}s 3411--3415. Available from many sites, including \url{http://www.rfc-editor.org}. \item See the Net-SNMP FAQ, in \texttt{/usr/share/doc/net-snmp-5.0.9/FAQ}. Also see \texttt{/usr/share/doc/net-snmp-5.0.9/README.snmpv3}. \item William Stallings, \emph{SNMP, SNMPv2, SNMPv3, and RMON 1 and 2}, Third edition, Addison-Wesley, 1999, 0-201-48534-6. \begin{itemize} \item Pages 526, 527 explain the context example from \RFC 2271 well. Actually, the example is changed slightly in \RFC 3411 \end{itemize} \item David Zeltserman, \emph{A Practical Guide to SNMPv3 and Network Management}, Prentice Hall, 1999, 0-13-021453-1. \item Stephen B. Morris, \emph{Network Management, MIBs and MPLS: Principles, Design and Implementation}, Prentice Hall, 2003, 0-13-101113-8. \item James Boney, \emph{Cisco IOS In a Nutshell}, O'Reilly, January 2002, 1-56592-942-X. \end{itemize} \end{slide} \end{document}