draft-thomas-snmpv3-kerbusm-00.txt   [plain text]

INTERNET-DRAFT   Kerberized USM Keying    M. Thomas
                                          Cisco Systems
                                          K. McCloghrie
                                          Cisco Systems
                                          July 13, 2000

                         Kerberized USM Keying


Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at

   The list of Internet-Draft Shadow Directories can be accessed at


   The KerbUSM MIB provides a means of leveraging a trusted third party
   authentication and authorization mechanism using Kerberos for SNMP V3
   USM users and their associated VACM views. The MIB encodes the normal
   Kerberos AP-REQ and AP-REP means of both authenticating and creating
   a shared secret between the SNMP V3 Manager and Agent.

The SNMP Management Framework

   The SNMP Management Framework presently consists of five major
   components:  An overall architecture, described in RFC 2571

Thomas               draft-thomas-snmpv3-kerbusm-00             [Page 1]
INTERNET-DRAFT           Kerberized USM Keying              13 July 2000

   [RFC2571].  Mechanisms for describing and naming objects and events
   for the purpose of management.  The first version of this Structure
   of Management Information (SMI) is called SMIv1 and described in STD
   16, RFC 1155 [RFC1155], STD 16, RFC 1212 [RFC1212] and RFC 1215
   [RFC1215].  The second version, called SMIv2, is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].  Message protocols for transferring management
   information.  The first version of the SNMP message protocol is
   called SNMPv1 and described in STD 15, RFC 1157 [RFC1157].  A second
   version of the SNMP message protocol, which is not an Internet
   standards track protocol, is called SNMPv2c and described in RFC 1901
   [RFC1901] and RFC 1906 [RFC1906].  The third version of the message
   protocol is called SNMPv3 and described in RFC 1906 [RFC1906], RFC
   2572 [RFC2572] and RFC 2574 [RFC2574].  Protocol operations for
   accessing management information.  The first set of protocol
   operations and associated PDU formats is described in STD 15, RFC
   1157 [RFC1157].  A second set of protocol operations and associated
   PDU formats is described in RFC 1905 [RFC1905].  A set of fundamental
   applications described in RFC 2573 [RFC2573] and the view-based
   access control mechanism described in RFC 2575 [RFC2575].

   A more detailed introduction to the current SNMP Management Framework
   can be found in RFC 2570 [RFC2570].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  Objects in the MIB are
   defined using the mechanisms defined in the SMI.

   This memo specifies a MIB module that is compliant to the SMIv2.  A
   MIB conforming to the SMIv1 can be produced through the appropriate
   translations.  The resulting translated MIB must be semantically
   equivalent, except where objects or events are omitted because no
   translation is possible (use of Counter64).  Some machine readable
   information in SMIv2 will be converted into textual descriptions in
   SMIv1 during the translation process.  However, this loss of machine
   readable information is not considered to change the semantics of the


   The User based Security Model of SNMP V3 (USM) [2] provides a means
   of associating different users with different access privileges of
   the various MIB's that an agent supports. In conjunction with the
   View based Access Control Model of SNMP V3 (VACM) [3], SNMP V3
   provides a means of providing resistance from various threats both
   from outside attacks such as spoofing, and inside attacks such as an
   user having, say, SET access to MIB variable for which they are not

Thomas               draft-thomas-snmpv3-kerbusm-00             [Page 2]
INTERNET-DRAFT           Kerberized USM Keying              13 July 2000


   SNMP V3, unfortunately, does not specify a means of doing key
   distribution between the managers and the agents. For small numbers
   of agents and managers, the O(n*m) manual keying is a cumbersome, but
   possibly tractable problem. For a large number of agents with
   distribution of managers, the key distribution quickly goes from
   cumbersome to unmanageable. Also: there is always the lingering
   concern of the security precautions taken for keys on either local
   management stations, or even directories.

   Kerberos [1] provides a means of centralizing key management into an
   authentication and authorization server known as a Key Distribution
   Center (KDC).  At a minimum, Kerberos changes the key distribution
   problem from a O(n*m) problem to a O(n) problem since keys are shared
   between the KDC and the Kerberos principals rather directly between
   each host pair. Kerberos also provides a means to use public key
   based authentication which can be used to further scale down the
   number of pre-shared secrets required. Furthermore, a KDC is intended
   and explicitly expected to be a standalone server which is managed
   with a much higher level of security concern than a management
   station or even a central directory which may host many services and
   thus be exposed to many more possible vectors of attack.

   The MIB defined in this memo describes a means of using the desirable
   properties of Kerberos within the context of SNMP V3. Kerberos
   defines a standardized means of communicating with the KDC as well as
   a standard format of Kerberos tickets which Kerberos principals
   exchange in order to authenticate to one another. The actual means of
   exchanging tickets, however, is left as application specific. This
   MIB defines the SNMP MIB designed to transport Kerberos tickets and
   by doing so set up SNMP V3 USM keys for authentication and privacy.

   It should be noted that using Kerberos does introduce reliance on a
   key network element, the KDC. This flies in the face of one of SNMP's
   dictums of working when the network is misbehaving. While this is a
   valid concern, the risk of reliance on the KDC can be significantly
   diminished with a few common sense actions. Since Kerberos tickets
   can have long life times (days, weeks) a manager of key network
   elements can and should maintain Kerberos tickets well ahead ticket
   expiration so that likelihood of not being able to rekey a session
   while the network is misbehaving is minimized. For non-critical, but
   high fanout elements such as user CPE, etc, requiring a pre-fetched
   ticket may not be practical, which puts the KDC into the critical
   path. However, if all KDC's are unreachable, the non-critical network
   elements are probably the least of the worries.

Thomas               draft-thomas-snmpv3-kerbusm-00             [Page 3]
INTERNET-DRAFT           Kerberized USM Keying              13 July 2000


   The normal Kerberos application ticket exchange is accomplished by  a
   client  first  fetching  a  service ticket from a KDC for the service
   principal and then sending an AP-REQ  to  a  server  to  authenticate
   itself  to  the  server. The server then sends a AP-REP to finish the
   exchange. This MIB maps Kerberos' concept of client and  server  into
   the  SNMP  V3  concept  of  Manager and Agent by designating that the
   Kerberos Client is the SNMP V3 Agent. Although  it  could  be  argued
   that an Agent is really a server, in practice there may be many, many
   agents and relatively few managers. Also: Kerberos clients  may  make
   use  of  public  key authentication as defined in [4], and it is very
   advantageous to take advantage of that capability for  Agents  rather
   than Managers.

   The MIB is intended to be stateless and map USM users to Kerberos
   principals. This mapping is explicitly done by putting a Kerberos
   principal name into the usmUserSecurityName in the usmUser MIB and
   instatiating the krbUsmMibEntry for the usmUserEntry. MIB variables
   are accessed with INFORM's or TRAP PDU's and SET's to perform a
   normal Kerberos AP-REQ/AP-REP exchange transaction which causes the
   keys for a USM user to be derived and installed. The basic structure
   of the MIB is a table which augements usmUserEntry's with a Kerberos
   principal name as well as the transaction varbinds. In the normal
   case, multiple varbinds should be sent in a single PDU which prevents
   various race conditions, as well as increasing efficiency.

   It should be noted that this MIB is silent on the subject of how the
   Agent and Manager find the KDC. In practice, this may be either
   statically provisioned or use either DNS SRV records (RFC 2782) or
   Service Location (RFC 2608). This MIB is does not provide for a means
   of doing cipher suite negotiation either. It is expected that the
   choices for ciphers in the USM MIB will reflect site specific choices
   for ciphers. This matches well with the general philosophy of
   centralized keying.

Keying Transactions

   The following shows an error free transaction:

   Note: optional steps or parameters are shown like [ ]

Thomas               draft-thomas-snmpv3-kerbusm-00             [Page 4]
INTERNET-DRAFT           Kerberized USM Keying              13 July 2000

    Agent                       Manager                            KDC
 +--                                                               --+
 | 1) <-------------------------------                               |
 |     SET (krbUsmPrinTable[usmUserName].krbUsmMibNonce = xxxx;      |
 |          [ krbUsmPrinTable[usmUserName].krbUsmMibTgt =            |
 |                                  TGT[usmUserSecurityName] ]);     |
 |                                                                   |
 | 2) ------------------------------->                               |
 |    Response                                                       |
 +--                     (optional)                                --+

   3) --------------------------------------------------------------->
        TGS-REQ (krbUsmPrinTable[usmUserName].krbUsmMibMgrPrinName
                 [, krbUsmPrinTable[usmUserName].krbUsmMibTgt]);

   4) <--------------------------------------------------------------
        Tick[usmUserSecurityName] = TGS-REP ();

   5)  ------------------------------>
        INFORM (krbUsmPrinTable[usmUserName].krbUsmMibApReq =
                   [ krbUsmPrinTable[usmUserName].krbUsmMibNonce = xxxx]);

   6)  <------------------------------
        SET (krbUsmPrinTable[usmUserName].krbUsmMibApRep = AP_REP[]);

   7)  ------------------------------>

   The above flow translates to:

   1)  This step is used when the Manager does not currently have a ses-
       sion with the Agent but wishes to start one. The Manager MAY
       place a ticket granting ticket into the krbUsmMibMgrTgt varbind
       in the same PDU as the krbUsmMibNonce if it does not share a
       secret with the KDC (as would be the case if the Manager used
       PKinit to do initial authentication with the KDC).

   2)  This step acknowledges the SET. There are no MIB specific errors
       which can happen here.

   3)  If the Agent is not already in possession of a service ticket for

Thomas               draft-thomas-snmpv3-kerbusm-00             [Page 5]
INTERNET-DRAFT           Kerberized USM Keying              13 July 2000

       the Manager in its ticket cache, it MUST request a service ticket
       from the Agent's KDC for the service principal given by
       krbUsmMibMgrPrinName in the row that the krbUsmMibNonce was SET
       in, optionally adding a krbUsmMibMgrTgt.  If the TGT is speci-
       fied, the Manager's TGT must be placed in the additional-tickets
       field with the ENC-TKT-IN-SKEY option set in the TGS-REQ to
       obtain a service ticket (see section 3.3.3 of [1]).

       Note:   a Kerberos TGS-REQ is but one way to obtain a service
               ticket. An Agent may use any normal Kerberos means to
               obtain the service ticket. This flow has also elided ini-
               tial authentication (ie, AS-REQ) and any cross realm con-
               siderations, though those may be necessary prerequisites
               to obtaining the service ticket.

   4)  If step 3 was performed, this step receives the ticket or an
       error from the KDC.

   5)  This step sends a krbUsmMibApReq to the Manager via an INFORM or
       TRAP PDU.  If the message is the result of a request by the
       Manager, krbUsmMibNonce received from the Manager MUST be sent in
       the same PDU. If the Manager did not initiate the transaction,
       the Agent MUST NOT send a krbUsmMibNonce varbind. The Agent also
       MUST check krbUsmMibUnsolicitedNotify is not false, otherwise it
       MUST abort the transaction.  All krbUsmMibApReq's MUST contain a
       sequence nonce so that the resulting krbUsmMibApRep can provide a
       proof of the freshness of the message to prevent replay attacks.

       If the Agent encounters an error either generated by the KDC or
       internally, the Agent MUST send an INFORM or TRAP PDU indicating
       the error in the form of a KRB-ERROR placed in krbUsmMibApReq
       with the same rules applied to krbUsmMibNonce and krbUsmMibUnsol-
       icitedNotify above. If the Agent suspects that it is being
       attacked by a purported Manager which is generating many failed
       TGS-REQ's to the KDC, it SHOULD meter its TGS-REQ transactions
       for that Manager to the KDC using an exponential backoff mechan-
       ism truncated at 10 seconds.

   6)  Upon recepit of an INFORM or TRAP PDU with a krbUsmMibApReq, a
       Manager may accept the AP-REQ. If it is accompanied with a
       krbUsmMibNonce it MUST correlate it with any outstanding transac-
       tions using its stored nonce for the transaction. If it does not
       correlate with a current nonce, the request MUST be rejected as
       it may be a replay.

Thomas               draft-thomas-snmpv3-kerbusm-00             [Page 6]
INTERNET-DRAFT           Kerberized USM Keying              13 July 2000

       If the Manager chooses to reject an unsolicited keying request,
       it SHOULD send a WrongValue Error to the Agent with the krbUsmMi-
       bApReq as the subject of the WrongValue. If an Agent receives a
       WrongValue Error from a Manager it MUST cease retransmission of
       the INFORM or TRAP PDU's so as to mitigate event avalanches by
       Agents. There is a possible denial of service attack here, but it
       must be weighed against the larger problem of network congestion,
       flapping, etc. Therefore, if the Agent finds that it cannot can-
       cel an unsolicited Notify (ie, it must be reliable), it MUST use
       a truncated exponential backoff mechanism with the maximum trun-
       cation interval set to 10 minutes.

       Otherwise, the Manager MUST send a SET PDU to the Agent which
       contains a krbUsmMibApRep.

   7)  If the Agent detects an error (including detecting replays) in
       the final AP-REP, it MUST send a WrongValue error with a pointer
       to the krbUsmMibApRep varbind to indicate its inability to estab-
       lish the security association. Otherwise, receipt of the positive
       acknowledgement from the final SET indicates to the Manager that
       the proper keys have been installed on the Agent in the USM MIB.

Unsolicited Agent Keying Requests

   An Agent may find that it needs to set up a security association for
   a USM user in order to notify a Manager of some event. When the Agent
   engine receives a request for a notify, it SHOULD check to see if
   keying material has been established for the user and that the keying
   material is valid. If the keying material is not valid and the USM
   user has been tagged as being a Kerberos principal in a realm, the
   Agent SHOULD first try to instantiate a security association by
   obtaining a service ticket for the USM User and follow steps 3-7 of
   the flow above. This insures that the USM User will have proper key-
   ing material and providing a mechanism to allow for casual security
   associations to be built up and torn down. This is especially useful
   for Agents which may not normally need to be under constant Manager
   supervision, such as the case with high fan out user residential CPE
   and other SNMP managed "appliances". In all cases, the Agent MUST NOT
   send an unsolicited Notify if krbUsmUnsolicitedNotify is set to

   How the Agent obtains the Manager's address, how it determines
   whether a Manager, realm, and whether it can be keyed using this MIB
   is outside of the scope of this memo.

   Note:   Although the MIB allows for a Manager to set up a session
           using User-User mode of Kerberos by sending a TGT along with

Thomas               draft-thomas-snmpv3-kerbusm-00             [Page 7]
INTERNET-DRAFT           Kerberized USM Keying              13 July 2000

           the nonce, this, is limited to Manager initiated sessions
           only since there is no easy way to store the Manager's ticket
           in the MIB since it is publicly writable and as such would be
           subject to denial of service attacks. Another method might be
           to have the Agent send a krbUsmMibNonce to the Manager which
           would tell it to instigate a session. Overall, it seems like
           a marginal feature to allow a PKinit authenticated user be
           the target of unsolicited informs and it would complicate the
           transactions. For this reason, this scenario has been omitted
           in favor of simplicity.


   Since this MIB defines not only variables, but transactions, discus-
   sion of the retransmission state machine is in order. There are two
   similar but different state machines for the Manager Solicited and
   Agent Unsolicited transactions.  There is one timer Timeout which
   SHOULD take into consideration round trip considerations and MUST
   implement a truncated exponential backoff mechanism. In addition, in
   the case where an Agent makes an unsolicited Agent keying request,
   the Agent SHOULD perform an initial random backoff if the keying
   request to the Manager may result in a restart avalanche. A suitable
   method is described in section 4.3.4 of [5].

Thomas               draft-thomas-snmpv3-kerbusm-00             [Page 8]
INTERNET-DRAFT           Kerberized USM Keying              13 July 2000

Manager Solicited Retransmission State Machine

                 |   |
                 |   V
              +-----------+ Set-Ack (2) +----------+
              |           |------------>|          |
              | Set-Nonce |             |  Ap-Req  |
              |   (1)     |<------------|   (5)    |
              +-----------+   Timeout   +----------+
                   ^                         |
                   |                         | Set-Ap-Rep
                   |      +----------+       |  (6)
                   +------|          |<------+
                  Timeout | Estab-wt |
                          |   (7)    |
                               |  Set-Ap-Rep-Ack (7)
                          |          |
                          |  Estab   |
                          |          |


Thomas               draft-thomas-snmpv3-kerbusm-00             [Page 9]
INTERNET-DRAFT           Kerberized USM Keying              13 July 2000

Agent Unsolicited Retransmission State Machine

                              |   |
                              |   V
                          |          |
                   +----> |  Ap-Req  |-------+
                   |      |   (5)    |       |
                   |      +----------+       |
                   |                         |
                   |                         | Set-Ap-Rep
                   |      +----------+       |  (6)
                   +------|          |<------+
                  Timeout | Estab-wt |
                          |   (7)    |
                               |  Set-Ap-Rep-Ack (7)
                          |          |
                          |  Estab   |
                          |          |

Session Duration and Failures

   The KerbUsmMib uses the ticket lifetime to determine the life of the
   USM session. The Agent MUST keep track of whether the ticket which
   instigated the session is valid whenever it forms PDU's for that par-
   ticular user. If a session expires, or if it wasn't valid to begin
   with (from the Agent's perspective), the Agent MUST reject the PDU by
   sending a XXX Error [mat: help me here Keith... what does USM say
   about this?].

   Kerberos also inherently implies adding state to the Agent and
   Manager since they share not only a key, but a lifetime associated
   with that key. This is in some sense soft state because failure of an
   Agent will cause it to reject PDU's for Managers with whom it does
   not share a secret. The Manager can use the Error PDU's as an indica-
   tion that it needs to reauthenticate with the Agent, taking care not
   to loop. The Manager is even easier: when it reboots, it can either
   check its credential cache to reconstruct state or cause the Agent to
   reauthenticate to the Manager with its service ticket by initiating a
   authentication transaction with the manager.

Thomas               draft-thomas-snmpv3-kerbusm-00            [Page 10]
INTERNET-DRAFT           Kerberized USM Keying              13 July 2000

Manager Collisions

   Managers may freely set up keys for different USM users using this
   MIB without problem since they access different rows in the krbUsm-
   PrinTable. However, multiple Managers trying to set up keys for the
   same USM user is possible but discouraged. The requirement for the
   Manager is that they MUST share the same service key with the KDC so
   that they can all decrypt the same service ticket. There are two race
   conditions, however, which are not well handled:

1)  At the end of a ticket lifetime, one manager may request the agent
    to refresh its service ticket causing a new session key to be
    installed for the USM user leaving the other managers with stale
    keys. The workaround here is that the Agent will reject the stale
    manager's PDU's which should inform them to do their own rekeying

2)  If multiple managers try to access the same row at the same time,
    the Agent SHOULD try to keep the transactions separate based on the
    nonce values. The Managers or the Agents SHOULD NOT break the
    krbUsmMibNonce and any other additional varbinds into separate PDU's
    as this may result in a meta stable state. Given normal MTU sizes,
    this should not be an issue in practice, and this should  at worst
    devolve into the case above.

   In all cases, the krbUsmMibNonce MUST be the last value to be
   transmitted, though its position within a PDU is unimportant.

Thomas               draft-thomas-snmpv3-kerbusm-00            [Page 11]
INTERNET-DRAFT           Kerberized USM Keying              13 July 2000


       snmpModules, Counter32, Unsigned32 FROM SNMPv2-SMI
       TruthValue, DisplayString          FROM SNMPv2-TC
       usmUserEntry                       FROM SNMP-USER-BASED-SM-MIB

           LAST-UPDATED "00071300Z"
           ORGANIZATION "IETF SNMP V3 Working Group"
             "Michael Thomas
              Cisco Systems
              375 E Tasman Drive
              San Jose, Ca 95134
              Phone: +1 408-525-5386
              Fax: +1 801-382-5284
              email: mat@cisco.com"
              "This MIB contains the MIB variables to
               exchange Kerberos credentials and a session
               key to be used to authenticate and set up
               USM keys"

           ::= { snmpModules nnn }   -- not sure what needs to be here.
   krbUsmMibObjects OBJECT INDENTIFIER ::= { krbUsmMib 1 }

               SYNTAX      Counter32
               MAX-ACCESS  read-only
               STATUS      current
                   "Counter of the number of Kerberos
                    authorization attempts as defined by
                    receipt of a PDU from a Manager with a
                     krbUsmMibNonce set in the principal table."
               ::= { krbUsmMibObjects 1 }

               SYNTAX      Counter32
               MAX-ACCESS  read-only
               STATUS      current

Thomas               draft-thomas-snmpv3-kerbusm-00            [Page 12]
INTERNET-DRAFT           Kerberized USM Keying              13 July 2000

                   "Counter of the number of unsolicited Kerberos
                    authorization attempts as defined by
                    an Agent sending an INFORM or TRAP PDU with a
                    krbUsmMibApRep but without krbUsmApMibNonce
               ::= { krbUsmMibObjects 2 }
               SYNTAX      Counter32
               MAX-ACCESS  read-only
               STATUS      current
                   "Counter of the number of Kerberos
                    authorization failures as defined by
                    a Manager setting the krbUsmMibNonce
                    in the principal table which results
                    in some sort of failure to install keys
                    in the requested USM user entry."
               ::= { krbUsmMibObjects 3 }

               SYNTAX      Counter32
               MAX-ACCESS  read-only
               STATUS      current
                   "Counter of the number of unsolicited Kerberos
                    authorization failures as defined by
                    an Agent sending an INFORM or TRAP PDU with a
                    krbUsmMibApRep but without a krbUsmMibNonce
                    varbind which does not result in keys being
                    installed for that USM user entry."
               ::= { krbUsmMibObjects 4 }

   krbUsmMibPrinTable OBJECT-TYPE
               SYNTAX      SEQUENCE OF krbUsmMibEntry
               MAX-ACCESS  not-accessible
               STATUS      current
                   "Table which maps Kerberos principals with USM
                    users as well as the per user variables to key
                    up sessions"
               ::= { krbUsmMibObjects 5 }

   krbUsmMibPrinEntry OBJECT-TYPE
               SYNTAX     KrbUsmMibPrinEntry
               MAX-ACCESS  not-accessible
               STATUS      current

Thomas               draft-thomas-snmpv3-kerbusm-00            [Page 13]
INTERNET-DRAFT           Kerberized USM Keying              13 July 2000

                   "an entry into the krbMibPrinTable which is a
                    parallel table to UsmUserEntry table"
               AUGMENTS { usmUserEntry }
               ::= { krbUsmMibPrinTable 1 }

   KrbUsmMibPrinEntry SEQUENCE
                   krbUsmMibApReq                  OCTET STRING,
                   krbUsmMibApRep                  OCTET STRING,
                   krbUsmMibNonce                  OCTET STRING,
                   krbUsmMibMgrTGT                 OCTET STRING,
                   krbUsmMibUnsolicitedNotify      TruthValue,

   krbUsmMibApReq OBJECT-TYPE
               SYNTAX      OCTET STRING
               MAX-ACCESS  accessible-for-notify
               STATUS      current
                   "This variable contains a DER encoded Kerberos
                    AP-REQ or KRB-ERROR for the USM user which is
                    to be keyed. This is sent from the Agent to
                    the Manager in an INFORM or TRAP request.
                    KRB-ERROR MUST only be sent to the Manager
                    if it is in response to a keying request from
                    the Manager.
               ::= { krbUsmMibPrinEntry 1 }

   krbUsmMibApRep OBJECT-TYPE
               SYNTAX      OCTET STRING
               MAX-ACCESS  read-write
               STATUS      current
                   "This variable contains the DER encoded response
                    to an AP-REQ. This variable is SET by the
                    Manager to acknowledge receipt of an AP-REQ. If
                    krbUsmMibApRep contains a Kerberos AP-REP, the
                    Agent must derive keys from the session key
                    of the Kerberos ticket in the AP-REQ and place
                    them in the USM database in a manner specified
                    by [RFC2574]. If the Manager detects an error,
                    it will instead place a KRB-ERROR in this
                    variable to inform the Agent of the error.

                    This variable is in effect a write-only variable.
                    attempts to read this variable will result in a

Thomas               draft-thomas-snmpv3-kerbusm-00            [Page 14]
INTERNET-DRAFT           Kerberized USM Keying              13 July 2000

                    null octet string being returned"
               ::= { krbUsmMibPrinEntry 2 }

   krbUsmMibNonce OBJECT-TYPE
               SYNTAX      OCTET STRING
               MAX-ACCESS  read-write
               STATUS      current
                   "SET'ing a krbUsmMibnonce allows a Manager to
                    determine whether an INFORM or TRAP from an
                    Agent is an outstanding keying request, or
                    unsolicited from the Agent. The Manager
                    initiates keying for a particular USM user
                    by writing a nonce into the row for which
                    desires to establish a security association.
                    The nonce is an ASCII string of the form
                    ``host:port?nonce'' where:

                    host:  is either an FQDN, or valid ipv4 or ipv6
                           numerical notation of the Manager which
                           desires to initiate keying
                    port:  is the destination port at which that the
                           Manager may be contacted
                    nonce: is a number generated by the Manager to
                           correlate the transaction

                    The same nonce MUST be sent to the Manager in a
                    subsequent INFORM or TRAP with a krbUsmApReq.
                    The Agent MUST use the host address and port
                    supplied in the nonce as the destination of a
                    subsequent INFORM or TRAP. Unsolicited keying
                    requests MUST NOT contain a nonce, and should
                    instead use the destination stored Notifies of
                    this type.

                    Nonces MUST be highly collision resistant either
                    using a time based method or a suitable random
                    number generator. Managers MUST never create
                    nonces which are 0.

                    This variable is in effect a write-only variable.
                    Attempts to read this variable will result in a
                    nonce of value 0 being returned"

               ::= { krbUsmMibPrinEntry 3 }

Thomas               draft-thomas-snmpv3-kerbusm-00            [Page 15]
INTERNET-DRAFT           Kerberized USM Keying              13 July 2000

   krbUsmMibMgrTgt OBJECT-TYPE
               SYNTAX      OCTET STRING
               MAX-ACCESS  read-write
               STATUS      current
                   "If the Manager does not possess a symmetric
                    key with the KDC as would be the case with
                    a Manager using PKinit for authentication,
                    the Manager MUST SET its DER encoded ticket
                    granting ticket into KrbUsmMgrTgt along
                    with krbUsmMibNonce.

                    The agent will then attach the Manager's TGT
                    into the additional tickets field of the
                    TGS-REQ message to the KDC to get a User-User
                    service ticket.

                    This variable is in effect a write-only variable.
                    Attempts to read this variable will result in a
                    null octet string being returned"
               ::= { krbUsmMibPrinEntry 4 }

   krbUsmMibUnsolicitedNotify OBJECT-TYPE
               SYNTAX      TruthValue
               MAX-ACCESS  read-write
               STATUS      current
                   "If this variable is false, the Agent MUST NOT
                    send unsolicited INFORM or TRAP PDU's to the

                    Attempts to SET this variable by the no-auth
                    no-priv user MUST be rejected."
               ::= { krbUsmMibPrinEntry 5 }

   -- Conformance section... nothing optional.

   krbUsmMibCompliences MODULE-COMPLIANCE
               STATUS       current
               DESCRIPTION "The compliance statement for SNMP
                            engines whichimplement the KRB-USM-MIB
               MODULE       -- this module
                       MANDATORY-GROUPS { krbUsmMib }
       ::= { krbUsmMibCompliances 1 }

Thomas               draft-thomas-snmpv3-kerbusm-00            [Page 16]
INTERNET-DRAFT           Kerberized USM Keying              13 July 2000


Key Derivation

   The session key provides the basis for the keying material for the
   USM user specified in the AP-REQ.  The actual keys for use for the
   authentication and privacy are produced using the cryptographic hash-
   ing function used to protect the ticket itself.  The keying material
   is derived using this function, F(key, salt), using successive
   interations of F over the salt string "SNMPV3RULZ%d", where %d is a
   monotonic counter starting at zero. The bits are taken directly from
   the successive interations to produce two keys of appropriate size
   (as specified in the USM user row) for the authentication transform
   first, and the privacy transform second. If the authentication
   transform is null, the first bits of the derived key are used for the
   privacy transform.

Security Considerations

   Various elements of this MIB must be readable and writable as the
   no-auth, no-priv user. Unless specifically necessary for the key
   negotiation, elements of this MIB SHOULD be protected by VACM views
   which limit access. In particular, there is no reason anything in
   this MIB should be visible to a no-auth, no-priv user with the excep-
   tion of KrbUsmMibApReq, KrbUsmMibApRep, KrbUsmMibNonce, and
   KrbUsmMibMgrTgt, and then only with the restrictions placed on them
   in the MIB. As such, probing attacks are still possible, but should
   not be profitable: all of the writable variables with interesting
   information in them are defined in such a way as to be write only.

   There are some interesting denial of service attacks which are possi-
   ble by attackers spoofing managers and putting load on the KDC to
   generate unnecessary tickets. For large numbers or agents this could
   be problematic. This can probably be mitigated by the KDC prioritiz-
   ing TGS-REQ's though.


[1]         The CAT Working Group,  J.  Kohl,  C.Neuman,  "The  Kerberos
            Network  Authentication  Service  (V5)", RFC 1510, September

[2]         The SNMPV3 Working Group, U.  Blumenthal,  B.  Wijnen,  "The
            User-based Security Model of SNMP V3", RFC 2574, April 1999

[3]         The SNMPV3 Working Group, B. Wijnen, R. Presuhn,

Thomas               draft-thomas-snmpv3-kerbusm-00            [Page 17]
INTERNET-DRAFT           Kerberized USM Keying              13 July 2000

            K.McCloghrie, "The View-based Access Control Model of SNMP
            V3", RFC 2575, April 1999

[4]         The CAT Working Group, Tung, et al, "Public Key Cryptography
            for Initial Authentication in Kerberos", draft-ietf-cat-pk-
            init-11, November 1999

[5]         Arango, et al, "Media Gateway Control Protocl (MGCP)", RFC
            2705, October 1999

[RFC2571]   Harrington, D., Presuhn, R., and B. Wijnen, An Architecture
            for Describing SNMP Management Frameworks, RFC 2571, April

[RFC1155]   Rose, M., and K. McCloghrie, Structure and Identification of
            Management Information for TCP/IP-based Internets, STD 16,
            RFC 1155, May 1990.

[RFC1212]   Rose, M., and K. McCloghrie, Concise MIB Definitions, STD
            16, RFC 1212, March 1991.

[RFC1215]   M. Rose, A Convention for Defining Traps for use with the
            SNMP, RFC 1215, March 1991.

[RFC2578]   McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
            Rose, M., and S. Waldbusser, Structure of Management Infor-
            mation Version 2 (SMIv2), STD 58, RFC 2578, April 1999.

[RFC2579]   McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
            Rose, M., and S. Waldbusser, Textual Conventions for SMIv2,
            STD 58, RFC 2579, April 1999.

[RFC2580]   McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
            Rose, M., and S. Waldbusser, Conformance Statements for
            SMIv2, STD 58, RFC 2580, April 1999.

[RFC1157]   Case, J., Fedor, M., Schoffstall, M., and J. Davin, Simple
            Network Management Protocol, STD 15, RFC 1157, May 1990.

[RFC1901]   Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
            Introduction to Community-based SNMPv2, RFC 1901, January

[RFC1906]   Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, Tran-
            sport Mappings for Version 2 of the Simple Network Manage-
            ment Protocol (SNMPv2), RFC 1906, January 1996.

Thomas               draft-thomas-snmpv3-kerbusm-00            [Page 18]
INTERNET-DRAFT           Kerberized USM Keying              13 July 2000

[RFC2572]   Case, J., Harrington D., Presuhn R., and B. Wijnen, Message
            Processing and Dispatching for the Simple Network Management
            Protocol (SNMP), RFC 2572, April 1999.

[RFC2574]   Blumenthal, U., and B. Wijnen, User-based Security Model
            (USM) for version 3 of the Simple Network Management Proto-
            col (SNMPv3), RFC 2574, April 1999.

[RFC1905]   Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, Pro-
            tocol Operations for Version 2 of the Simple Network Manage-
            ment Protocol (SNMPv2), RFC 1905, January 1996.

[RFC2573]   Levi, D., Meyer, P., and B. Stewart, SNMPv3 Applications,
            RFC 2573, April 1999.

[RFC2575]   Wijnen, B., Presuhn, R., and K. McCloghrie, View-based
            Access Control Model (VACM) for the Simple Network Manage-
            ment Protocol (SNMP), RFC 2575, April 1999.

[RFC2570]   Case, J., Mundy, R., Partain, D., and B. Stewart, Introduc-
            tion to Version 3 of the Internet-standard Network Manage-
            ment Framework, RFC 2570, April 1999.

Author's Address

          Michael Thomas
          Cisco Systems
          375 E Tasman Rd
          San Jose, Ca, 95134, USA
          Tel: +1 408-525-5386
          email: mat@cisco.com

Thomas               draft-thomas-snmpv3-kerbusm-00            [Page 19]