Paradyne 8820 User-based Security Model USM RFC, Supporting MIBs, Statistics, usmUserSpinLock

Models: 8620 8820

1. Network Management Specification

7.7.5 User-based Security Model (USM) RFC 3414

RFC 3414 defines the User-based Security Model for SNMPv3: the elements of procedure that provide SNMP message-level security. The mechanisms to be implemented for this feature are discovery and timeliness, authentication, privacy, and key management.

The product will support the HMAC-MD5-96 and the HMAC-SHA-96 protocols for authentication and the CBC-DES Symmetric Encryption Protocol for Privacy.

7.7.5.1 Supporting MIBs.

7.7.5.1.1 Statistics.

The following statistics MIB objects (the usmStats group of SNMP-USER-BASED-SM-MIB) will be supported:

usmStatsUnsupportedSecLevels, usmStatsNotInTimeWindows, usmStatsUnknownUserNames, usmStatsUnknownEngineIDs, usmStatsWrongDigests, usmStatsDecryptionErrors.

7.7.5.1.2 SNMPv3 users.

7.7.5.1.2.1 usmUserTable.

This table will be supported to maintain the authentication and privacy information for each user. It is indexed by usmUserEngineID and usmUserName. For the GranDSLAM 3.0 product, all entries will have the same local engineID.

Because new SNMPv3 users can be added to this table only by cloning an existing entry, an initial entry is needed to start with. The initial entry will be derived from the password of our default userID. This will be done only the first time SNMPv3 is turned on (the 'snmpV3-encryption' option is selected).

This initial password is run through the RFC 3414 password-to-key algorithm, using the hash of the default authentication protocol (HMAC-MD5-96), and the resulting key is then localized with the agent's engineID. The result is what RFC 3414 calls a localized key, and the procedure is standardized there.

Remote entities (for example, the EMS) must derive the same localized key, from the same password and engineID, before they can communicate with the agent.

Once the initial entry exists, clients (EMS, TL-1, Web, etc.) will use the procedure standardized in RFC 3414 (usmUserCloneFrom followed by the KeyChange objects) to clone new users from existing entries in the usmUserTable. No other MIBs are involved in creating SNMPv3 users.

According to requirements, the SNMPv3 users to be configured will always have a securityLevel of authPriv, that is, both authentication and privacy (encryption) turned on. The securityLevels noAuthNoPriv and authNoPriv will not be supported for these users.

7.7.5.1.2.2 usmUserSpinLock.

This object (the TestAndIncr advisory lock) will be supported to coordinate set operations on the usmUserTable, so that two managers cloning users at the same time do not overwrite each other's changes.

7.7.6 View-based Access Control (VACM)

RFC 3415 defines the View-based Access Control Model for SNMPv3. The GranDSLAM 3.0 agent will create default entries in the necessary tables, shared by SNMP v1/v2c/v3 users.

7.7.6.1 Supporting MIBs

RFC 3415 defines several tables (vacmContextTable, vacmSecurityToGroupTable, vacmAccessTable and vacmViewTreeFamilyTable) that determine whether an SNMP operation (get, getnext, getbulk, set or notification) is allowed to access certain managed objects.

78

June 2003

8000-A2-GB30-00
