rfc3414

NetworkWorkingGroupU.BlumenthalRequestforComments:3414B.WijnenSTD:62LucentTechnologiesObsoletes:2574December2002Category:StandardsTrackUser-basedSecurityModel(USM)forversion3oftheSimpleNetworkManagementProtocol(SNMPv3)StatusofthisMemoThisdocumentspecifiesanInternetstandardstrackprotocolfortheInternetcommunity,andrequestsdiscussionandsuggestionsforimprovements.PleaserefertothecurrenteditionoftheInternetOfficialProtocolStandards(STD1)forthestandardizationstateandstatusofthisprotocol.Distributionofthismemoisunlimited.CopyrightNoticeCopyright(C)TheInternetSociety(2002).AllRightsReserved.AbstractThisdocumentdescribestheUser-basedSecurityModel(USM)forSimpleNetworkManagementProtocol(SNMP)version3foruseintheSNMParchitecture.ItdefinestheElementsofProcedureforprovidingSNMPmessagelevelsecurity.ThisdocumentalsoincludesaManagementInformationBase(MIB)forremotelymonitoring/managingtheconfigurationparametersforthisSecurityModel.ThisdocumentobsoletesRFC2574.TableofContents1.Introduction..........................................41.1.Threats...............................................41.2.GoalsandConstraints.................................61.3.SecurityServices.....................................61.4.ModuleOrganization...................................71.4.1.TimelinessModule.....................................81.4.2.AuthenticationProtocol...............................81.4.3.PrivacyProtocol......................................81.5.ProtectionagainstMessageReplay,DelayandRedirection.......................................91.5.1.AuthoritativeSNMPengine.............................91.5.2.Mechanisms............................................91.6.AbstractServiceInterfaces...........................11Blumenthal&WijnenStandardsTrack[Page1]RFC3414USMforSNMPv3December20021.6.1.User-basedSecurityModelPrimitivesforAuthentication....................................111.6.2.User-basedSecurityModelPrimitivesforPrivacy...........................................122.ElementsoftheModel.................................122.1.User-basedSecurityModelUsers.......................122.2.ReplayProtection.....................................132.2.1.msgAuthoritativeEngineID..............................142.2.2.msgAuthoritativeEngineBootsandmsgAuthoritativeEngineTime............................142.2.3.TimeWindow...........................................152.3.TimeSynchronization..................................152.4.SNMPMessagesUsingthisSecurityModel...............162.5.ServicesprovidedbytheUser-basedSecurityModel....172.5.1.ServicesforGeneratinganOutgoingSNMPMessage......172.5.2.ServicesforProcessinganIncomingSNMPMessage......202.6.KeyLocalizationAlgorithm............................223.ElementsofProcedure.................................223.1.GeneratinganOutgoingSNMPMessage...................223.2.ProcessinganIncomingSNMPMessage...................264.Discovery.............................................315.Definitions...........................................326.HMAC-MD5-96AuthenticationProtocol...................516.1.Mechanisms............................................516.1.1.DigestAuthenticationMechanism.......................516.2.ElementsoftheDigestAuthenticationProtocol........526.2.1.Users.................................................526.2.2.msgAuthoritativeEngineID..............................536.2.3.SNMPMessagesUsingthisAuthenticationProtocol......536.2.4.ServicesprovidedbytheHMAC-MD5-96AuthenticationModule.................................536.2.4.1.ServicesforGeneratinganOutgoingSNMPMessage......536.2.4.2.ServicesforProcessinganIncomingSNMPMessage......546.3.ElementsofProcedure.................................556.3.1.ProcessinganOutgoingMessage........................556.3.2.ProcessinganIncomingMessage........................567.HMAC-SHA-96AuthenticationProtocol...................577.1.Mechanisms............................................577.1.1.DigestAuthenticationMechanism.......................577.2.ElementsoftheHMAC-SHA-96AuthenticationProtocol...587.2.1.Users.................................................587.2.2.msgAuthoritativeEngineID..............................587.2.3.SNMPMessagesUsingthisAuthenticationProtocol......597.2.4.ServicesprovidedbytheHMAC-SHA-96AuthenticationModule.................................597.2.4.1.ServicesforGeneratinganOutgoingSNMPMessage......597.2.4.2.ServicesforProcessinganIncomingSNMPMessage......607.3.ElementsofProcedure.................................61Blumenthal&WijnenStandardsTrack[Page2]RFC3414USMforSNMPv3December20027.3.1.ProcessinganOutgoingMessage........................617.3.2.ProcessinganIncomingMessage........................618.CBC-DESSymmetricEncryptionProtocol.................638.1.Mechanisms............................................638.1.1.SymmetricEncryptionProtocol.........................638.1.1.1.DESkeyandInitializationVector.....................648.1.1.2.DataEncryption.......................................658.1.1.3.DataDecryption.......................................65