User-based security agent available
"glenn (g.) waters" <gwaters@bnr.ca> Thu, 06 July 1995 04:34 UTC
Received: from ietf.nri.reston.va.us by IETF.CNRI.Reston.VA.US id aa05352; 6 Jul 95 0:34 EDT
Received: from CNRI.Reston.VA.US by IETF.CNRI.Reston.VA.US id aa05348; 6 Jul 95 0:34 EDT
Received: from neptune.tis.com by CNRI.Reston.VA.US id aa24406; 6 Jul 95 0:34 EDT
Received: from neptune.tis.com by neptune.TIS.COM id aa10538; 6 Jul 95 0:06 EDT
Received: from relay.tis.com by neptune.TIS.COM id aa10534; 5 Jul 95 23:57 EDT
Received: from x400gate.bnr.ca(192.58.194.73) by relay.tis.com via smap (g3.0.1) id xma003415; Wed, 5 Jul 95 23:57:31 -0400
X400-Received: by mta bnr.ca in /PRMD=BNR/ADMD=TELECOM.CANADA/C=CA/; Relayed; Thu, 6 Jul 1995 00:02:33 -0400
X400-Received: by /PRMD=BNR/ADMD=TELECOM.CANADA/C=CA/; Relayed; Thu, 6 Jul 1995 00:02:11 -0400
X400-Received: by /PRMD=bnr/ADMD=telecom.canada/C=ca/; Relayed; Thu, 6 Jul 1995 00:02:09 -0400
Date: Thu, 06 Jul 1995 04:02:09 +0000
X400-Originator: /dd.id=psd52384/g=usenet/i=u/s=support/@bnr.ca
X400-MTS-Identifier: [/PRMD=BNR/ADMD=TELECOM.CANADA/C=CA/; <3tfn81$qcc@bcarh8ab.bnr.ca>]
X400-Content-Type: P2-1984 (2)
Content-Identifier: User-based se...
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: "glenn (g.) waters" <gwaters@bnr.ca>
Message-ID: <3tfn81$qcc@bcarh8ab.bnr.ca>
To: snmpv2@tis.com
Subject: User-based security agent available
Reply-To: " (Glenn Waters)" <gwaters@bnr.ca>
Path: not-for-mail
Newsgroups: bnr.list.snmpv2
Organization: Bell-Northern Research Ltd.
Lines: 131
Nntp-Posting-Host: bcarhf15.bnr.ca
An implementation of a SNMPv2 agent based on the new USEC security model is available from: ftp://ftp.cisco.com/ftp/kzm/cmusnmp-1.1b-v2usec.tar.gz The file README.usec, included in the distribution, describes how to build, install and use the agent and applications. The implementation notes for the agent follow. /gww ---- User-based Security Model Implementation Notes 1.0 Introduction The CMU SNMP package, cmusnmp-1.1b, is a set of SNMPv1 manager applications and a SNMPv1 agent. This package was used as the basis for implementing the USEC proposal. In addition, a number of files from the cmusnmp-2.1.2 package were merged in with the cmusnmp-1.1b package. These files were to implement SNMPv2 protocol operations and SNMPv2 SMI. This work is not specifically discussed here. *Aside* I started with the CMU 1.1 code because I had previously implemented a security model similar to the USEC model. The previous work was based on the CMU 1.1 agent and did not have any SNMPv2 features. It was thought to be easier to continue using my modified code and retrofit the SNMPv2 protocol and SMI features back into the SNMPv1 agent as opposed to retrofitting my existing security model changes into the CMU 2.1.2 code. *End Aside* The goals of my effort were to make this package compliant with the SNMPv2 User-Based security model and the rest of the SNMPv2 documents as modified for supporting security models (see <draft-kzm-snmpv2-*alt-*.txt>). The modifications consisted of changing the API layer to support both managers and agents and then modifying the agent to be compliant. Very few changes were required to the manager applications. My primary interest in this work was timely completion of the work while remaining compliant to the specifications. As such, the APIs could have been reworked substantially to better support this work. 2.0 API Changes The major change to the API layer was the addition of the USEC security parameters to the "session" structure. The routines to implement encoding and decoding of the parameters field total about 200 lines of code. There is nothing complex in the code, just some precision in catching errors in the correct order. The authentication algorithm (timeliness, checking agentID, etc) was trivial to implement. The API is written such that both the agent and applications may make use of it. As such, the session structure originally intended for applications was used by the agent. Given more time, the session structure would have to split into two separate structures. A session structure, for applications that really have sessions, and a parameters structure that contains the security model parameters. 2.1 Agent changes Implementing the usecAgent objects was trivial. The agentTime requires taking a snapshot of the system clock at agent boot time. All agentTime references were relative to the initial agent start time. The agentBoots took six lines of code to implement. Read a file containing the agentBoots object, increment the value, then write it back out. AgentID is fixed based on the private enterprise number bnr(35) and the IP address of the agent host. I picked a value of 1450 for MMS. One line of code dealt with checking the MMS that should be used on a response -- based on the minimum of the received MMS and my local MMS. The routines that build and parse the parameters field were in the API; the routines just had to be called from the agent. The SNMP version number was used to select when the USEC model authentication routines were to be invoked. When a communication was received, the userName had to be parsed out of the parameters before passing the parameters to the API for full authentication checking. This was required to setup the session structure with the correct userName, key, and qoS. It also required doing some trivial checking on the correct encoding of the parameters field. The configuration file processing took 300 lines of code. Nothing complex here. 2.2 Manager changes The goal was to not change a line of code in the applications. This was accomplished for the most part. The security model did not necessitate any change in the applications. The SNMPv2 features did. snmpwalk was modified to understand the Report-PDU and error codes in the varbinds. The other applications were modified to indicate that a report was received. This change could have been left out, but was performed to give clearer output from the applications. The snmpget application was cloned to produce the snmpbulk application. About 10 lines of code were added to deal with new parameters for selecting the non-repeaters and repetitions counts. One other line of code was changed to change the PDU type from get to getbulk. The session open API call was modified to parse the community string, select the correct SNMP version, and synchronize the usecAgent objects if appropriate. This is all hidden from the application. The only downside to the approach I used is that the first character of the "community" name was used to indicate whether this was a v1 or a v2 communication. 3.0 Summary The USEC model code took about two days to write. I did not find any parts there were difficult to implement. The most complex part of the task was getting to know the CMU SNMP code. This was my first exposure to it. Overall the task was very easy. -- /Glenn Waters, gwaters@bnr.ca, Bell-Northern Research Ltd., +1 613 763 3933
- User-based security agent available glenn (g.) waters