SNMPv3 user-based security module (USM).
SNMPv3 adds and strengthens two important functional modules: the security subsystem and the access control module.
security subsystem
1. Purpose of the security module defined in v3: to increase the security of the SNMP protocol in the following respects
a. Prevent message contents from being modified in transit.
b. Prevent SNMP requests from being issued under a spoofed identity.
c. Encrypt messages to keep their contents private.
d. Handle messages that are delayed, reordered, or replayed in transit.
2. Where the security module sits in the SNMPv3 protocol architecture.
+------------------------------+
| Network |
+------------------------------+
^ ^ ^
| | |
v v v
+-----+ +-----+ +-------+
| UDP | | IPX | . . . | other |
+-----+ +-----+ +-------+ (traditional SNMP agent)
+-------------------------------------------------------------------+
| ^ |
| | +---------------------+ +----------------+ |
| | | Message Processing | | Security | |
| Dispatcher v | Subsystem | | Subsystem | |
| +-------------------+ | +------------+ | | | |
| | Transport | | +->| v1MP * |<--->| +------------+ | |
| | Mapping | | | +------------+ | | | Other | | |
| | (e.g. RFC3417) | | | +------------+ | | | Security | | |
| | | | +->| v2cMP * |<--->| | Model | | |
| | Message | | | +------------+ | | +------------+ | |
| | Dispatcher <--------->| +------------+ | | +------------+ | |
| | | | +->| v3MP * |<--->| | User-based | | |
| | | | | +------------+ | | | Security | | |
| | PDU Dispatcher | | | +------------+ | | | Model | | |
| +-------------------+ | +->| otherMP * |<--->| +------------+ | |
| ^ | +------------+ | | | |
| | +---------------------+ +----------------+ |
| v |
| +-------+-------------------------+---------------+ |
| ^ ^ ^ |
| | | | |
| v v v |
| +-------------+ +---------+ +--------------+ +-------------+ |
| | COMMAND | | ACCESS | | NOTIFICATION | | PROXY * | |
| | RESPONDER |<->| CONTROL |<->| ORIGINATOR | | FORWARDER | |
| | application | | | | applications | | application | |
| +-------------+ +---------+ +--------------+ +-------------+ |
| ^ ^ |
| | | |
| v v |
| +----------------------------------------------+ |
| | MIB instrumentation | SNMP entity |
+-------------------------------------------------------------------+
3. Components of the USM (user-based security model).
a. Timeliness Module
Handles messages that are delayed, reordered, or replayed in transit.
b. Authentication Protocol
Prevents message contents from being modified in transit and prevents SNMP requests from being issued under a spoofed identity.
Supports the SHA and MD5 protocols.
c. Privacy Protocol
Encrypts messages to keep their contents private.
Supports the DES protocol.
4. MIB definitions related to SNMP USM.
See RFC 3414.
The UsmUserEntry structure maintained in SNMPv3 is defined as follows; the corresponding OID node is 1.3.6.1.6.3.15.1.2.2.1:
UsmUserEntry ::= SEQUENCE
{
    usmUserEngineID         SnmpEngineID,
    usmUserName             SnmpAdminString,
    usmUserSecurityName     SnmpAdminString,
    usmUserCloneFrom        RowPointer,
    usmUserAuthProtocol     AutonomousType,
    usmUserAuthKeyChange    KeyChange,
    usmUserOwnAuthKeyChange KeyChange,
    usmUserPrivProtocol     AutonomousType,
    usmUserPrivKeyChange    KeyChange,
    usmUserOwnPrivKeyChange KeyChange,
    usmUserPublic           OCTET STRING,
    usmUserStorageType      StorageType,
    usmUserStatus           RowStatus
}
The SNMP security module uses the information stored in usmUserTable to authenticate and decrypt messages.
UsmUserEntry is defined in SNMP-USER-BASED-SM-MIB; an SNMPv3 agent must implement management of the corresponding MIB objects,
which can then be accessed and managed through an SNMPv3 client.
After an SNMPv3 agent is installed and started, an initial user and its passwords must be configured; these are the initial parameters an SNMP client uses to access the agent.
User-related configuration:
username: the user name
security level: the security level
1. no auth, no priv (no authentication, no encryption),
2. auth, no priv (authentication, no encryption),
3. auth, priv (authentication and encryption)
auth protocol: the protocol used for authentication when authentication is enabled; MD5 and SHA are supported
auth protocol password: the parameter from which the authentication key is generated
priv protocol: the encryption/decryption protocol; DES is supported
priv protocol password: the parameter from which the encryption/decryption key is generated
context name: the name of the context of the objects managed by the SNMP agent
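How the auth/priv passwords above become keys, as an added Python example that is not code from the original page: it implements the RFC 3414 Appendix A.2 password-to-key algorithm and the key localization of section 2.6, and checks itself against the RFC's own test values for the password "maplesyrup".

```python
import hashlib

# Added example, not code from the original page: the RFC 3414 Appendix A.2
# password-to-key algorithm followed by key localization (section 2.6).
# The values used below are the RFC's own test vectors (Appendix A.3).

HASHES = {"MD5": hashlib.md5, "SHA": hashlib.sha1}  # usmHMACMD5AuthProtocol / usmHMACSHAAuthProtocol
EXPANDED_LEN = 1048576  # the password is cycled out to exactly 1 MiB before hashing

def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku: digest of the password repeated to EXPANDED_LEN bytes (RFC 3414 A.2)."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (EXPANDED_LEN // len(password) + 1))[:EXPANDED_LEN]
    return HASHES[algo](stream).digest()

def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku). Because Kul depends on the engine ID,
    a key recovered from one agent's configuration store is not valid on other
    agents that were configured with the same password."""
    return HASHES[algo](ku + engine_id + ku).digest()

def localized_key(password: str, engine_id: bytes, algo: str) -> bytes:
    """Full path from the configured auth/priv password to the per-engine key.
    The DES privacy key is derived the same way from the priv password: the
    first 8 octets of Kul are the DES key and the next 8 the pre-IV (section 8.1.1.1)."""
    return localize_key(password_to_key(password.encode(), algo), engine_id, algo)

if __name__ == "__main__":
    engine = bytes.fromhex("000000000000000000000002")  # snmpEngineID from RFC 3414 A.3
    for algo in ("MD5", "SHA"):
        print(algo, localized_key("maplesyrup", engine, algo).hex())
```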
access control module
The access control module decides whether an SNMP request is authorized to perform the requested operation; the decision procedure is shown in the figure below.
+--------------------------------------------------------------------+
| |
| +-> securityModel -+ |
| | (a) | |
| who -+ +-> groupName ----+ |
| (1) | | (x) | |
| +-> securityName --+ | |
| (b) | |
| | |
| where -> contextName ---------------------+ |
| (2) (e) | |
| | |
| | |
| +-> securityModel -------------------+ |
| | (a) | |
| how -+ +-> viewName -+ |
| (3) | | (y) | |
| +-> securityLevel -------------------+ | |
| (c) | +-> yes/no |
| | | decision |
| why ---> viewType (read/write/notify) ----+ | (z) |
| (4) (d) | |
| | |
| what --> object-type ------+ | |
| (5) (m) | | |
| +-> variableName (OID) ------+ |
| | (f) |
| which -> object-instance --+ |
| (6) (n) |
| |
+--------------------------------------------------------------------+
securityModel: the type of security subsystem
snmpv1 model
snmpv2c model
USM model (for SNMP v3)
other model
securityName: for v1 and v2c agents this is the community name; for USM it is the user name.
securityLevel: the security level applied to the message in transit: 1. (auth, priv); 2. (auth, no priv); 3. (no auth, no priv);
contextName: a single SNMP engine entity may have several contexts; defining contexts lets one SNMP entity
manage several different contexts, as shown in the figure below:
+-----------------------------------------------------------------+
| SNMP entity (identified by snmpEngineID, for example: |
| '800002b804616263'H (enterpise 696, string "abc") |
| |
| +------------------------------------------------------------+ |
| | SNMP engine (identified by snmpEngineID) | |
| | | |
| | +-------------+ +------------+ +-----------+ +-----------+ | |
| | | | | | | | | | | |
| | | Dispatcher | | Message | | Security | | Access | | |
| | | | | Processing | | Subsystem | | Control | | |
| | | | | Subsystem | | | | Subsystem | | |
| | | | | | | | | | | |
| | +-------------+ +------------+ +-----------+ +-----------+ | |
| | | |
| +------------------------------------------------------------+ |
| |
| +------------------------------------------------------------+ |
| | Command Responder Application | |
| | (contextEngineID, example: '800002b804616263'H) | |
| | | |
| | example contextNames: | |
| | | |
| | "bridge1" "bridge2" "" (default) | |
| | --------- --------- ------------ | |
| | | | | | |
| +------|------------------|-------------------|--------------+ |
| | | | |
| +------|------------------|-------------------|--------------+ |
| | MIB | instrumentation | | | |
| | +---v------------+ +---v------------+ +----v-----------+ | |
| | | context | | context | | context | | |
| | | | | | | | | |
| | | +------------+ | | +------------+ | | +------------+ | | |
| | | | bridge MIB | | | | bridge MIB | | | | some MIB | | | |
| | | +------------+ | | +------------+ | | +------------+ | | |
| | | | | | | | | |
| | | | | | | +------------+ | | |
| | | | | | | | other MIB | | | |
| | | | | | | +------------+ | | |
| | | | | | | | | |
+-----------------------------------------------------------------+
All of the decision parameters, together with their association to OIDs, determine whether the current request is allowed to execute; all of the association policies are defined in SNMP-VIEW-BASED-ACM-MIB.
1. Definition of the set of context names
VacmContextEntry ::= SEQUENCE
{
vacmContextName SnmpAdminString
}
2. Association between group, securityName and securityModel
VacmSecurityToGroupEntry ::= SEQUENCE
{
vacmSecurityModel SnmpSecurityModel,
vacmSecurityName SnmpAdminString,
vacmGroupName SnmpAdminString,
vacmSecurityToGroupStorageType StorageType,
vacmSecurityToGroupStatus RowStatus
}
3. View tree family definition: a subset of the MIB tree
VacmViewTreeFamilyEntry ::= SEQUENCE
{
vacmViewTreeFamilyViewName SnmpAdminString,
vacmViewTreeFamilySubtree OBJECT IDENTIFIER,
vacmViewTreeFamilyMask OCTET STRING,
vacmViewTreeFamilyType INTEGER,
vacmViewTreeFamilyStorageType StorageType,
vacmViewTreeFamilyStatus RowStatus
}
4. Association between views and the security model: groupName, securityModel and the three view types tie the three tables together.
VacmAccessEntry ::= SEQUENCE
{
vacmAccessContextPrefix SnmpAdminString,
vacmAccessSecurityModel SnmpSecurityModel,
vacmAccessSecurityLevel SnmpSecurityLevel,
vacmAccessContextMatch INTEGER,
vacmAccessReadViewName SnmpAdminString,
vacmAccessWriteViewName SnmpAdminString,
vacmAccessNotifyViewName SnmpAdminString,
vacmAccessStorageType StorageType,
vacmAccessStatus RowStatus
}
Authorization procedure (the securityName, securityModel, securityLevel, message type (get, getnext, ...) and OID list (name-value
bindings) are taken from the message):
1. In VacmSecurityToGroupEntry, find the groupName corresponding to the message's securityName and securityModel.
2. In VacmAccessEntry, find the viewName (readViewName/writeViewName/notifyViewName) corresponding to the groupName, securityModel,
securityLevel and message type.
3. In VacmViewTreeFamilyEntry, find the set of subtrees for that viewName, and compare the OIDs of those subtrees against the OIDs in the
message's OID list to decide whether access is permitted.
vacmAccessEntry OBJECT-TYPE
    SYNTAX       VacmAccessEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "An access right configured in the Local Configuration
                 Datastore (LCD) authorizing access to an SNMP context.
                 Entries in this table can use an instance value for
                 object vacmGroupName even if no entry in table
                 vacmAccessSecurityToGroupTable has a corresponding
                 value for object vacmGroupName."
    INDEX {
        vacmGroupName,
        vacmAccessContextPrefix,
        vacmAccessSecurityModel,
        vacmAccessSecurityLevel
    }
    ::= { vacmAccessTable 1 }
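The three lookup steps above, as an added Python example that is not part of the original page or of any SNMP implementation. The tables, their rows and the "ops" user are constructed for illustration; relative to RFC 3415 it simplifies the vacmAccessTable selection by treating contextMatch as exact and omitting the "any securityModel" wildcard and prefix matching.

```python
# Added example (not from the page or any real agent): a minimal isAccessAllowed()
# walk over constructed VACM tables, after RFC 3415 sections 2.4 and 4.2.
NO_AUTH_NO_PRIV, AUTH_NO_PRIV, AUTH_PRIV = 1, 2, 3   # SnmpSecurityLevel values
USM = 3                                             # SnmpSecurityModel value for USM
# vacmSecurityToGroupTable: (securityModel, securityName) -> groupName
SECURITY_TO_GROUP = {(USM, "ops"): "opsgroup"}
# vacmAccessTable, indexed as in the OBJECT-TYPE above: (groupName, contextPrefix, securityModel, securityLevel) -> views
ACCESS = {
    ("opsgroup", "", USM, AUTH_NO_PRIV): ("sysview", "", "sysview"),        # (read, write, notify); "" = no view
    ("opsgroup", "", USM, AUTH_PRIV): ("sysview", "sysview", "sysview"),
}
# vacmViewTreeFamilyTable rows: (viewName, subtree, mask, type); an empty mask means all bits set
VIEWS = [
    ("sysview", (1, 3, 6, 1, 2, 1, 1), b"", "included"),     # the system group ...
    ("sysview", (1, 3, 6, 1, 2, 1, 1, 6), b"", "excluded"),  # ... except sysLocation
]

def family_matches(oid, subtree, mask):
    """True if oid lies under subtree; a 0 bit in mask makes that sub-id a wildcard."""
    if len(oid) < len(subtree):
        return False
    for i, sub in enumerate(subtree):
        byte, bit = divmod(i, 8)
        wildcard = byte < len(mask) and not (mask[byte] >> (7 - bit)) & 1
        if not wildcard and oid[i] != sub:
            return False
    return True

def oid_in_view(view_name, oid):
    """The matching family with the longest (then lexicographically greatest) subtree decides."""
    best = None
    for name, subtree, mask, vtype in VIEWS:
        if name == view_name and family_matches(oid, subtree, mask):
            if best is None or (len(subtree), subtree) > (len(best[0]), best[0]):
                best = (subtree, vtype)
    return best is not None and best[1] == "included"

def is_access_allowed(security_model, security_name, security_level, context, view_type, oid):
    group = SECURITY_TO_GROUP.get((security_model, security_name))      # step 1
    if group is None:
        return "noGroupName"
    # step 2: rows for this group/context/model with level <= message level; highest level wins
    rows = [(lvl, v) for (g, ctx, m, lvl), v in ACCESS.items()
            if g == group and ctx == context and m == security_model and lvl <= security_level]
    if not rows:
        return "noAccessEntry"
    view = dict(zip(("read", "write", "notify"), max(rows)[1]))[view_type]
    if not view:
        return "noSuchView"
    return "accessAllowed" if oid_in_view(view, oid) else "notInView"   # step 3
```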
An SNMPv3 agent must implement management of the corresponding MIB objects; the access-control-related objects can be accessed and managed through an SNMPv3 client.
See also
RFC 3411 - An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks
RFC 3414 - User-based Security Model
RFC 3415 - View-based Access Control Model (VACM) for the Simple Network Management Protocol