Advanced Network Management Introduction and Background - PowerPoint PPT Presentation

Slides: 10
Provided by: Chadi5
Transcript and Presenter's Notes

1
SNMPv3: View-based Access Control Model (VACM)
Mani Subramanian, Network Management: Principles and Practice, Addison-Wesley, 2000.
William Stallings, SNMP, SNMPv2, SNMPv3 and RMON 1 and 2: The Practical Guide to Network Management Standards, 3rd Edition, Addison-Wesley.
2
SNMPv3 VACM
  • Determines whether access to the managed object
    by a remote manager should be allowed
  • The elements of the VACM model are:
      • Groups
      • Security level
      • Contexts
      • MIB views
      • Access policy

3
SNMPv3 VACM
  • Groups
      • A useful concept for categorizing managers with
        respect to access rights
      • <securityModel, securityName>
      • securityName refers to a principal, and access
        rights for all principals in a given group are
        identical.

Example: top-level managers may have one set of
access rights and intermediate-level managers may
have a different set of access rights. The
combination (securityModel, securityName) belongs
to only one group.
4
SNMPv3 VACM
  • Security Level
      • Access rights may differ depending on the
        security level of the message containing the
        request.
      • Example: An agent may allow read-only access for
        a request communicated in an unauthenticated
        message but may require authentication for write
        access.
      • The agent may also require privacy service for
        some sensitive objects/information.

5
SNMPv3 VACM
  • Contexts
      • A useful way of aggregating objects into
        collections with different access policies
      • A context relates to access control and has the
        following characteristics:
          • An SNMP engine is identified by contextEngineID
            and may maintain more than one context
          • An object or an instance may appear in more than
            one context
          • When multiple contexts exist, contextName,
            contextEngineID, object type and its instance
            are used to identify an object instance

6
SNMPv3 VACM
  • Contexts
      • Example: Consider a device (X) with multiple
        network interfaces. An object ifDescr provides
        textual information about the interface. To
        identify the device's first network interface,
        the following are used:
          • the contextEngineID of the SNMP entity that
            provides access to the management information
            at the device, the contextName (X), the managed
            object type ifDescr and the instance (1).
  • MIB Views
      • Define a specific set of managed objects, e.g., a
        subtree in the MIB

7
SNMPv3 VACM
  • Access Policy: The following factors determine
    whether access is allowed:
      • Principal making the access request
      • Security level
      • Security model used
      • MIB context for the request
      • Specific object instance for which access is
        requested (some objects may have more critical or
        sensitive information)
      • Type of access (read, write, etc.)

8
Access Control
MIB View        | Allowed Operations | Allowed Managers | Required Level of Security
Interface Table | SET                | John             | Authentication, Encryption
Interface Table | GET/GETNEXT        | John, Paul       | Authentication
Systems Group   | GET/GETNEXT        | Georges          | None

9
Access Control Decision
(read, write, or send notification)
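
The access control decision from the slides above, as an added Python example that is not part of the original presentation, loaded with the policy from the Access Control table. The group names, the "usm" security model label, the view names and the single default context are assumptions made for illustration; view masks and context-prefix matching are left out, and the returned status names follow RFC 3415.

```python
from enum import IntEnum

class Level(IntEnum):            # securityLevel carried by the request message
    NO_AUTH_NO_PRIV = 1
    AUTH_NO_PRIV = 2
    AUTH_PRIV = 3

# All table contents below are constructed from the slide's Access Control table.
CONTEXTS = {""}                  # contexts known to this engine (assumed: default only)
GROUPS = {                       # (securityModel, securityName) -> exactly one group
    ("usm", "John"): "writers",
    ("usm", "Paul"): "readers",
    ("usm", "Georges"): "guests",
}
VIEWS = {                        # view name -> [(subtree OID, included?)]
    "ifTableView": [((1, 3, 6, 1, 2, 1, 2, 2), True)],   # ifTable subtree
    "systemView": [((1, 3, 6, 1, 2, 1, 1), True)],       # system group subtree
}
ACCESS = [                       # (group, context, minimum level, {access type: view})
    ("writers", "", Level.AUTH_NO_PRIV, {"read": "ifTableView"}),
    ("writers", "", Level.AUTH_PRIV, {"read": "ifTableView", "write": "ifTableView"}),
    ("readers", "", Level.AUTH_NO_PRIV, {"read": "ifTableView"}),
    ("guests", "", Level.NO_AUTH_NO_PRIV, {"read": "systemView"}),
]

def parse_oid(text):
    return tuple(int(part) for part in text.strip(".").split("."))

def in_view(view_name, oid):
    # The longest matching subtree decides, so an excluded subtree can carve a hole.
    matches = [(len(sub), inc) for sub, inc in VIEWS[view_name] if oid[:len(sub)] == sub]
    return max(matches)[1] if matches else False

def is_access_allowed(model, name, level, context, access_type, oid_text):
    if context not in CONTEXTS:
        return "noSuchContext"
    group = GROUPS.get((model, name))
    if group is None:
        return "noGroupName"
    # Entries usable by this message: same group and context, level requirement met.
    usable = [e for e in ACCESS if e[0] == group and e[1] == context and e[2] <= level]
    if not usable:
        return "noAccessEntry"
    views = max(usable, key=lambda e: e[2])[3]   # strictest entry the message satisfies
    if access_type not in views:
        return "noSuchView"
    if not in_view(views[access_type], parse_oid(oid_text)):
        return "notInView"
    return "accessAllowed"
```

A SET from John that is authenticated but not encrypted falls back to the read-only entry and is refused, which is the behaviour the Security Level slide describes.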