Network Working Group                                       M. Rozenblit
Internet-Draft                                     Telcordia Technologies
Expires: December 30, 2000                                 June 30, 2000

                   TLS-based security model for SNMP
                 draft-rozenblit-snmpv3-tls-secmodel-00.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference material
   or to cite them other than as "work in progress."

   To view the entire list of Internet-Draft Shadow Directories, see
   http://www.ietf.org/shadow.html.

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/iid-abstracts.txt

   This Internet-Draft will expire on December 30, 2000.

Copyright Notice

   Copyright (C) The Internet Society (2000). All Rights Reserved.

Abstract

   This memo defines a security model based on Transport Layer Security
   (TLS) [RFC 2246] for the Simple Network Management Protocol (SNMP).
   The security model can be used with any version of SNMP. When SNMPv3
   [RFC 2571] is used, this security model can be used with the
   View-based Access Control Model (VACM) [RFC 2575]. This security
   model can be used only if TCP is used for transport.

Table of Contents

   1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
   2. TLS-based security model . . . . . . . . . . . . . . . . . . . 2
   3. Use of SNMP with TLS . . . . . . . . . . . . . . . . . . . . . 3
   4. References . . . . . . . . . . . . . . . . . . . . . . . . . . 3
      Author's Address . . . . . . . . . . . . . . . . . . . . . . . 4
      Full Copyright Statement . . . . . . . . . . . . . . . . . . . 4

Rozenblit                Expires December 30, 2000              [Page 1]

Internet-Draft       TLS-based security model for SNMP         June 2000

1. Introduction

   This memo defines a security model based on Transport Layer Security
   (TLS) [RFC 2246] for the Simple Network Management Protocol (SNMP).
   The security model can be used with any version of SNMP. When SNMPv3
   [RFC 2571] is used, this security model can be used with the
   View-based Access Control Model (VACM) [RFC 2575]. This security
   model can be used only if TCP is used for transport.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC 2119].

2. TLS-based security model

   This I-D proposes the optional use of TLS to secure SNMP transactions
   when TCP is used for transport. The mapping of SNMP to TCP is provided
   in J. Schoenwaelder, "SNMP over TCP Transport Mapping",
   draft-irtf-nmrg-snmp-tcp-04.txt, April 27, 2000 [tcp-04]. The reasons
   for considering this option are provided in Section 3.

   RFC 2571 specifies that every security model to be used with SNMPv3
   must have an INTEGER identifier, the securityModel. The securityModel
   is one of the parameters used to interface with VACM. The values 0
   through 3 have been assigned in RFC 2571. This I-D proposes to assign
   the value 4 to SnmpSecurityModel for the TLS-based security model.

   NOTE: the values 0-255 can be assigned only by the Internet Assigned
   Numbers Authority (IANA). The value 4 in this I-D is a placeholder
   until an IANA-assigned standards-track number is provided or until an
   enterprise-specific number is provided.

   Another parameter needed to interface with VACM is securityName, which
   identifies the principal who wants access to the target information.
   TLS is based on public key certificates. In particular, TLS
   authenticates the subject field in the public key certificate of the
   principal. Therefore that subject field, which is a distinguished name
   [RFC 2459], must be used as the securityName. In order to avoid any
   confusion, the subjectAltName extension MUST be absent from the
   certificate, while the subject field MUST be present and its value
   MUST be unique within the network management domain. If the optional
   subjectUniqueID field is present in the certificate, then securityName
   is the concatenation of the subject and subjectUniqueID fields.

   All other parameters needed to interface with VACM are not affected
   when TLS is used.

3. Use of SNMP with TLS

   TLS cannot be used when UDP is used for transport. Therefore it MUST
   NOT be used for SNMP applications that may use both TCP and UDP.
   Furthermore, TLS does not offer any security advantages over the
   User-based Security Model (USM) [RFC 2574]. Therefore the use of TLS
   for SNMP transactions SHOULD be limited to the cases where the
   following three circumstances are valid:

   1. the SNMP applications are restricted to use only TCP for transport

   2. TLS is readily available, with the desired ciphersuites, in all the
      relevant SNMP systems

   3. SNMP is used along with one or more other network management
      protocols (for example, CORBA, CMIP) that ride over TLS/TCP within
      the same network management domain.

4. References

   [RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC 2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
              RFC 2246, January 1999.

   [RFC 2571] Harrington, D., Presuhn, R. and B. Wijnen, "An Architecture
              for Describing SNMP Management Frameworks", RFC 2571, May
              1999.

   [RFC 2574] Blumenthal, U. and B. Wijnen, "User-based Security Model
              (USM) for version 3 of the Simple Network Management
              Protocol (SNMPv3)", RFC 2574, April 1999.

   [RFC 2575] Wijnen, B., Presuhn, R. and K. McCloghrie, "View-based
              Access Control Model (VACM) for the Simple Network
              Management Protocol (SNMP)", RFC 2575, April 1999.

   [tcp-04]   Schoenwaelder, J., "SNMP over TCP Transport Mapping",
              draft-irtf-nmrg-snmp-tcp-04.txt, April 27, 2000.

Author's Address

   Moshe Rozenblit
   Telcordia Technologies
   1965 Broadway, Apt. 14G
   New York, NY 10023
   USA

   Phone: +1 212 835-8815
   EMail: mrozenbl@telcordia.com

Full Copyright Statement

   Copyright (C) The Internet Society (2000). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any kind,
   provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of developing
   Internet standards in which case the procedures for copyrights defined
   in the Internet Standards process must be followed, or as required to
   translate it into languages other than English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT
   NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN
   WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC editor function is currently provided by the
   Internet Society.
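The following is an added worked example, not part of the draft, showing how an SNMP entity would derive the VACM securityName and securityModel from a TLS peer certificate under the rules of Section 2 (subjectAltName absent, subject present, subject unique within the management domain, subjectUniqueID concatenated when present). It assumes the certificate is available in the dictionary form returned by the Python standard library's ssl.SSLSocket.getpeercert(), which is only populated after chain validation has succeeded (verify_mode = ssl.CERT_REQUIRED); a subject taken from an unvalidated certificate would not be authenticated and must not be used as a securityName. getpeercert() does not expose subjectUniqueID, so it is passed as a separate argument here (an assumption of this example), and the draft specifies no separator for the concatenation, so none is used. The certificate dictionaries and fingerprints below are constructed sample data.

```python
from typing import Any, Dict, Mapping, Optional, Sequence, Tuple

# securityModel value proposed in Section 2 of the draft for the TLS-based
# model; a placeholder until IANA assigns a number.
TLS_SECURITY_MODEL = 4

# securityName is an SnmpAdminString (RFC 2571): at most 255 octets of UTF-8.
MAX_SECURITY_NAME_OCTETS = 255

# Attribute type names as reported by ssl.getpeercert(), mapped to the short
# names conventionally used when a DN is written as a string.
_SHORT_NAMES = {
    "commonName": "CN", "organizationalUnitName": "OU",
    "organizationName": "O", "localityName": "L",
    "stateOrProvinceName": "ST", "countryName": "C",
}

# getpeercert() shape: the subject is a sequence of RDNs, each RDN a sequence
# of (attribute type, value) pairs.
Subject = Sequence[Sequence[Tuple[str, str]]]


def _escape(value: str) -> str:
    """Escape characters that would otherwise break the DN string apart."""
    for ch in ("\\", ",", "+", '"', "<", ">", ";", "="):
        value = value.replace(ch, "\\" + ch)
    return value


def subject_to_dn(subject: Subject) -> str:
    """Render a getpeercert()-style subject as a string DN, most specific RDN first."""
    rdns = []
    for rdn in reversed(subject):
        rdns.append("+".join(f"{_SHORT_NAMES.get(t, t)}={_escape(v)}" for t, v in rdn))
    return ",".join(rdns)


def derive_security_name(peercert: Mapping[str, Any],
                         subject_unique_id: Optional[bytes] = None) -> str:
    """Apply the Section 2 rules to a validated peer certificate."""
    if "subjectAltName" in peercert:
        raise ValueError("subjectAltName MUST be absent from the certificate")
    subject = peercert.get("subject") or ()
    if not subject:
        raise ValueError("subject field MUST be present")
    name = subject_to_dn(subject)
    if subject_unique_id is not None:
        # Draft: securityName is the concatenation of subject and subjectUniqueID.
        # Rendering the bit string as hex is this example's choice.
        name += subject_unique_id.hex()
    if len(name.encode("utf-8")) > MAX_SECURITY_NAME_OCTETS:
        raise ValueError("securityName exceeds the 255-octet SnmpAdminString limit")
    return name


class SecurityNameRegistry:
    """Enforces the 'unique within the management domain' rule: the first
    certificate seen with a given securityName owns it, and a different
    certificate (different fingerprint) presenting the same name is refused
    rather than silently inheriting the first one's VACM rights."""

    def __init__(self) -> None:
        self._owner: Dict[str, str] = {}

    def register(self, peercert: Mapping[str, Any], fingerprint: str,
                 subject_unique_id: Optional[bytes] = None) -> Tuple[int, str]:
        """Return the (securityModel, securityName) pair handed to VACM."""
        name = derive_security_name(peercert, subject_unique_id)
        owner = self._owner.setdefault(name, fingerprint)
        if owner != fingerprint:
            raise ValueError(f"securityName {name!r} is already bound to a different certificate")
        return TLS_SECURITY_MODEL, name


# Constructed sample data. Real fingerprints would come from
# hashlib.sha256(sock.getpeercert(binary_form=True)).hexdigest().
GOOD_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Example Telco"),),
                (("organizationalUnitName", "NOC"),), (("commonName", "nms-01"),)),
    "version": 3, "serialNumber": "1A2B",
}
SAN_CERT = dict(GOOD_CERT, subjectAltName=(("DNS", "nms-01.example.net"),))
GOOD_FP, OTHER_FP, SAN_FP = "fp-good", "fp-other", "fp-san"


def demo() -> Dict[str, Any]:
    """Run the cases a practitioner would want to see and return the outcomes."""
    reg = SecurityNameRegistry()
    out: Dict[str, Any] = {"good": reg.register(GOOD_CERT, GOOD_FP)}
    out["good_again"] = reg.register(GOOD_CERT, GOOD_FP)  # same cert reconnecting
    for label, cert, fp in (("duplicate", GOOD_CERT, OTHER_FP), ("san", SAN_CERT, SAN_FP)):
        try:
            reg.register(cert, fp)
            out[label] = "accepted"
        except ValueError as exc:
            out[label] = str(exc)
    out["unique_id"] = derive_security_name(GOOD_CERT, b"\x00\x2a")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The registry is the operational check the draft's uniqueness requirement implies but does not spell out: a CA that issues two certificates with the same subject to different principals would otherwise let both principals share one VACM identity, so the agent should refuse the second rather than rely on the CA alone.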