Integrated Security Model for SNMP (isms) Internet Drafts


      
 Secure Shell Transport Model for SNMP
 
 draft-ietf-isms-secshell-10.txt
 Date: 25/02/2008
 Authors: David Harrington, Joseph Salowey
 Working Group: Integrated Security Model for SNMP (isms)
 Formats: txt
This memo describes a Transport Model for the Simple Network Management Protocol, using the Secure Shell protocol (SSH). This memo also defines a portion of the Management Information Base (MIB) for use with network management protocols in TCP/IP based internets. In particular it defines objects for monitoring and managing the Secure Shell Transport Model for SNMP.
 Transport Subsystem for the Simple Network Management Protocol (SNMP)
 
 draft-ietf-isms-tmsm-12.txt
 Date: 25/02/2008
 Authors: David Harrington, Juergen Schoenwaelder
 Working Group: Integrated Security Model for SNMP (isms)
 Formats: txt
This document defines a Transport Subsystem, extending the Simple Network Management Protocol (SNMP) architecture defined in RFC 3411. This document defines a subsystem to contain Transport Models, comparable to other subsystems in the RFC 3411 architecture. As work is being done to expand the transport to include secure transport such as SSH and TLS, using a subsystem will enable consistent design and modularity of such Transport Models. This document identifies and describes some key aspects that need to be considered for any Transport Model for SNMP.
 Remote Authentication Dial-In User Service (RADIUS) Usage for Simple Network Management Protocol (SNMP) Transport Models
 
 draft-ietf-isms-radius-usage-03.txt
 Date: 14/06/2008
 Authors: Kaushik Narayan, David Nelson
 Working Group: Integrated Security Model for SNMP (isms)
 Formats: txt
This memo describes the use of a Remote Authentication Dial-In User Service (RADIUS) authentication and authorization service by Simple Network Management Protocol (SNMP) secure Transport Models to authenticate users and authorize creation of secure transport sessions. While the recommendations of this memo are generally applicable to a broad class of SNMP Transport Models, the examples focus on the Secure Shell Transport Model.



Integrated Security Model for SNMP (isms)

Last Modified: 2008-03-17

Additional information is available at tools.ietf.org/wg/isms

Chair(s):

  • Juergen Schoenwaelder <j.schoenwaelder@iu-bremen.de>

    Security Area Director(s):

  • Tim Polk <tim.polk@nist.gov>
  • Pasi Eronen <pasi.eronen@nokia.com>

    Security Area Advisor:

  • Pasi Eronen <pasi.eronen@nokia.com>

    Mailing Lists:

    General Discussion: isms@ietf.org
    To Subscribe: isms-request@ietf.org
    In Body: (un)subscribe
    Archive: http://www.ietf.org/mail-archive/working-groups/isms/current/maillist.html

    Description of Working Group:

    The Simple Network Management Protocol version 3 (SNMPv3) provides
    message security services through the security subsystem, for which
    there is one currently defined model - the User-based Security Model
    (USM). However, the USM approach has seen limited deployment so far.
    One frequently reported reason is the lack of integration of USM
    key and user management into deployed authentication infrastructures.

    SSH is a widely deployed access protocol for remote device
    configuration. Many devices support the integration of SSH user
    authentication with AAA systems via protocols such as RADIUS.

    The goal of the ISMS working group is developing a new security model
    for SNMP that integrates with widely deployed user and key management
    systems, as a supplement to the USM security model.

    For this integration the working group will define a standard method
    for mapping from AAA-provisioned authorization parameter(s) to
    corresponding SNMP parameters.

    In order to leverage the authentication information already accessible
    at managed devices, the new security model will use the SSH protocol
    for message protection, and RADIUS for AAA-provisioned user
    authentication and authorization. However, the integration of a
    transport mapping security model into the SNMPv3 architecture should be
    defined such that it is open to support potential alternative transport
    mappings to protocols such as BEEP and TLS.

    The new security model must not modify any other aspects of SNMPv3
    protocol as defined in STD 62 (e.g., it must not create new PDU types).

    Work on new access control models or centralized administration of
    View-based Access Control Model (VACM) rules and mappings is outside
    the scope of the working group.

    The working group will cover the following work items:

    - Specify an architectural extension that describes how transport
    mapping security models (TMSMs) fit into the SNMPv3 architecture.
    - Specify an architectural extension that describes how to perform a
    mapping from AAA-provisioned user-authentication and authorization
    parameter(s) to securityName and other corresponding SNMP parameters.
    - Specify a mapping from RADIUS-provisioned authentication and
    authorization parameter(s) to securityName and other corresponding
    SNMP parameters. This item may be a RADEXT work item last-called
    in both groups.
    - Specify a mapping from locally-provisioned authentication and
    authorization parameter(s) to securityName and other corresponding
    SNMP parameters.
    - Define how to use SSH between the two SNMP engines.
    - Specify the SSH security model for SNMP.

    Goals and Milestones:

    Done  Cut-off date for internet-drafts to be submitted to the working group for consideration as a proposed solution
    Done  Decision about which architecture the WG will focus its efforts on
    Done  Initial version of a general transport mapping security models (TMSMs) document that specifies how TMSMs fit into the SNMPv3 architecture and that defines the requirements for transport mapping security models
    Done  Initial version of a document specifying the SSH security model for SNMP
    May 2007  Initial version of a document specifying the RADIUS authentication and authorization mapping model for SNMP
    Aug 2007  Submit document on Transport Security Model for SNMP to IESG
    Aug 2007  Submit document on Transport Subsystem for SNMP to IESG
    Aug 2007  Submit document on Secure Shell Transport Model for SNMP to IESG
    Aug 2007  Submit RADIUS mapping model for SNMP to IESG

    Internet-Drafts:

    Secure Shell Transport Model for SNMP (84211 bytes)
    Transport Subsystem for the Simple Network Management Protocol (SNMP) (85621 bytes)
    Remote Authentication Dial-In User Service (RADIUS) Usage for Simple Network Management Protocol (SNMP) Transport Models (35086 bytes)

    No Request For Comments

