blank.gif (43 bytes)

Church Of The
Swimming Elephant

Search:
4.2. Secure Minimal Agent Configuration Connected: An Internet Encyclopedia
4.2. Secure Minimal Agent Configuration

Up: Connected: An Internet Encyclopedia
Up: Requests For Comments
Up: RFC 1445
Up: 4. Application of the Model
Prev: 4.1. Non-Secure Minimal Agent Configuration
Next: 4.3. MIB View Configurations

4.2. Secure Minimal Agent Configuration

4.2. Secure Minimal Agent Configuration

This section presents an example configuration for a secure, minimal SNMPv2 agent that interacts with a single SNMPv2 management station. Table 4 presents information about SNMPv2 parties that is known both to the minimal agent and to the manager, while Table 5 presents similarly common information about the local access policy.

The interaction of manager and agent in this configuration is very similar to that sketched above for the non-secure minimal agent - except that all protocol messages are authenticated as to origin and integrity and protected from disclosure. This example requires encryption in order to support distribution of secret keys via the SNMPv2 itself. A more elaborate example comprising an additional pair of SNMPv2 parties could support the exchange of non-secret information in authenticated messages without incurring the cost of encryption.

An actual secure agent configuration may require SNMPv2 parties for which the authentication and privacy protocols are noAuth and noPriv, respectively, in order to support clock synchronization (see [6]). For clarity, these additional parties are not represented in this example.

        Identity          ollie                stan
                          (agent)              (manager)
        Domain            snmpUDPDomain        snmpUDPDomain
        Address           1.2.3.4, 161         1.2.3.5, 2001
        Auth Prot         v2md5AuthProtocol    v2md5AuthProtocol
        Auth Priv Key     "0123456789ABCDEF"   "GHIJKL0123456789"
        Auth Pub Key      ""                   ""
        Auth Clock        0                    0
        Auth Lifetime     300                  300
        Priv Prot         desPrivProtocol     desPrivProtocol
        Priv Priv Key     "MNOPQR0123456789"   "STUVWX0123456789"
        Priv Pub Key      ""                   ""

        Table 4: Party Information for Secure Minimal Agent

   Target    Subject    Context    Privileges
   ollie     stan       local       35 (Get, GetNext & GetBulk)
   stan      ollie      local      132 (Response & SNMPv2-Trap)

        Table 5: Access Information for Secure Minimal Agent

As represented in Table 4, the example agent party operates at UDP port 161 at IP address 1.2.3.4 using the party identity ollie; the example manager operates at UDP port 2001 at IP address 1.2.3.5 using the identity stan. At minimum, a secure SNMPv2 agent implementation must provide for administrative configuration (and non-volatile storage) of relevant information about two SNMPv2 parties: itself and a remote peer. Both ollie and stan authenticate all messages that they generate by using the SNMPv2 authentication protocol v2md5AuthProtocol and their distinct, private authentication keys. Although these private authentication key values ("0123456789ABCDEF" and "GHIJKL0123456789") are presented here for expository purposes, knowledge of private authentication keys is not normally afforded to human beings and is confined to those portions of the protocol implementation that require it.

When using the v2md5AuthProtocol, the public authentication key for each SNMPv2 party is never used in authentication and verification of SNMPv2 exchanges. Also, because the v2md5AuthProtocol is symmetric in character, the private authentication key for each party must be known to another SNMPv2 party with which authenticated communication is desired. In contrast, asymmetric (public key) authentication protocols would not depend upon sharing of a private key for their operation.

All protocol messages generated for transmission to the party stan are encrypted using the desPrivProtocol privacy protocol and the private key "STUVWX0123456789"; they are decrypted upon reception according to the same protocol and key. Similarly, all messages generated for transmission to the party ollie are encrypted using the desPrivProtocol protocol and private privacy key "MNOPQR0123456789"; they are correspondingly decrypted on reception. As with authentication keys, knowledge of private privacy keys is not normally afforded to human beings and is confined to those portions of the protocol implementation that require it.


Next: 4.3. MIB View Configurations

Connected: An Internet Encyclopedia
4.2. Secure Minimal Agent Configuration

Cotse.Net

Protect yourself from cyberstalkers, identity thieves, and those who would snoop on you.
Stop spam from invading your inbox without losing the mail you want. We give you more control over your e-mail than any other service.
Block popups, ads, and malicious scripts while you surf the net through our anonymous proxies.
Participate in Usenet, host your web files, easily send anonymous messages, and more, much more.
All private, all encrypted, all secure, all in an easy to use service, and all for only $5.95 a month!

Service Details

 
.
www.cotse.com
Have you gone to church today?
.
All pages ©1999, 2000, 2001, 2002, 2003 Church of the Swimming Elephant unless otherwise stated
Church of the Swimming Elephant©1999, 2000, 2001, 2002, 2003 Cotse.com.
Cotse.com is a wholly owned subsidiary of Packetderm, LLC.

Packetderm, LLC
210 Park Ave #308
Worcester, MA 01609