Integrated Security Model for SNMP (isms) ----------------------------------------- Charter Last Modified: 2010-05-24 Current Status: Active Working Group Chair(s): Juergen Schoenwaelder Russ Mundy Security Area Director(s): Stephen Farrell Sean Turner Security Area Advisor: Sean Turner Mailing Lists: General Discussion:isms@ietf.org To Subscribe: isms-request@ietf.org In Body: in body: (un)subscribe Archive: http://www.ietf.org/mail-archive/web/isms/current/maillist.html Description of Working Group: The Simple Network Management Protocol version 3 (SNMPv3) provides message security services through the security subsystem. Previously the ISMS Working Group defined a Transport Subsystem definition, a new Transport Security Model, and a Secure Shell Transport Model and a method for authenticating SNMPv3 users via the Remote Authentication Dial-In User Service (RADIUS). The initial body of work to be tackled by the working group involved only these pieces. Additional work on other transport models and other security extensions were to wait until the initial transport architecture and defining documents were completed. It is now possible to authenticate SNMPv3 messages via a RADIUS when those messages are sent over the newly defined SSH transport. However, it still remains impossible to centrally authorize a given SNMP transaction as on-device pre-existing authorization configuration is still required. In order to leverage a centralized RADIUS service to its full extent, the access control decision in the Access Control Subsystem needs to be based on authorization information received from RADIUS as well. The result will be an extension to obtain authorization information for an authenticated principal from RADIUS. The authorization information will be limited to mapping the authenticated principal to existing named access control policies, defining session timeouts, and similar session parameters. This mechanism will not provision the detailed access control rules. Additionally, new work will be undertaken to define TLS and DTLS-based transports that can offer support for environments that prefer certificate authentication. Certificate based authentication is desirable for many environments with a centralized authentication service. DTLS also provides datagram-based transmissions which may be desired for environments where TCP performance suffers because of network anomalies (e.g. high packet loss rates). A combination of TLS and DTLS-based transports offers solutions that addresses both the need for certificate-based authentication and for datagram-based delivery. Operators will be able to chose the transport solution that best meets their needs. The current goal of the ISMS working group is two-fold: to develop a method for allowing for access control decisions to be based on information provide by an AAA provisioning service and to develop TLS-based and DTLS-based Transport Models. The new work must not modify any other aspects of SNMPv3 protocol as defined in STD 62 (e.g., it must not create new PDU types). The working group will cover the following work items: - Specify a mechanism to support centralization of SNMPv3 Access Control decisions by means of a RADIUS-provisioned policy name bound to a username, which the VACM extension will use to dynamically populate the securityToGroupname table. Additionally, specify a time limit for access decisions, and such a time limit should be used to garbage collect expired dynamic securityToGroup mappings. - Specify TLS and DTLS transport models for SNMP. Goals and Milestones: Done Cut-off date for internet-drafts to be submitted to the working group for consideration as a proposed solution Done Decision about which architecture the WG will focus its efforts on Done Initial version of a general transport mapping security models (TMSMs) document that specifies how TMSMs fit into the SNMPv3 architecture and that defines the requirements for transport mapping security models Done Initial version of a document specifying the SSH security model for SNMP Done Publish initial documentation for the centralized access control Done Publish initial documentation on the (D)TLS transports for SNMP Jan 2010 Submit documentation for the centralized access control to IESG Done Submit documentation on the (D)TLS transports for SNMP to IESG Internet-Drafts: No Current Internet-Drafts. Request For Comments: RFC Stat Published Title ------- -- ----------- ------------------------------------ RFC5592 PS Jun 2009 Secure Shell Transport Model for the Simple Network Management Protocol (SNMP) RFC5591 DS Jun 2009 Transport Security Model for the Simple Network Management Protocol (SNMP) RFC5590 DS Jun 2009 Transport Subsystem for the Simple Network Management Protocol (SNMP) RFC5608 PS Aug 2009 Remote Authentication Dial-In User Service (RADIUS) Usage for Simple Network Management Protocol (SNMP) Transport Models RFC5953 PS Aug 2010 Transport Layer Security (TLS) Transport Model for the Simple Network Management Protocol (SNMP) RFC6065 PS Dec 2010 Using Authentication, Authorization, and Accounting Services to Dynamically Provision View-based Access Control Model User-to-Group Mappings