
1.4. Module Organization

This section describes how the User-based Security Model is organized and documented.

Document Structure

The User-based Security Model (USM) is specified in this document according to the following organization:

  1. Section 1 provides an introduction to the security model, including threats, goals, constraints, and security services.

  2. Section 2 defines the elements of the model, including users, replay protection, time synchronization, message formats, and services.

  3. Section 3 describes the procedures for processing messages, both for generating outgoing messages and processing incoming messages.

  4. Section 4 describes the discovery mechanism for learning the authoritative SNMP engine's snmpEngineID.

  5. Section 5 contains the complete MIB module definition (SNMP-USER-BASED-SM-MIB) using the SMIv2 syntax. This MIB module defines:

    • Objects for user configuration (usmUserTable)
    • Statistics objects (usmStats)
    • Conformance statements

  6. Section 6 specifies the HMAC-MD5-96 authentication protocol.

  7. Section 7 specifies the HMAC-SHA-96 authentication protocol.

  8. Section 8 specifies the CBC-DES privacy protocol.

  9. Section 9 discusses intellectual property considerations.

  10. Section 10 provides acknowledgements.

  11. Section 11 contains security considerations, including recommended practices, user definition guidance, conformance requirements, report usage, and MIB access controls.

  12. Section 12 lists normative and informative references.

  13. Appendix A provides detailed implementation guidance, including algorithms and examples.

  14. Appendix B documents the changes from RFC 2574.

Relationship to Other SNMPv3 Documents

The User-based Security Model is part of the SNMPv3 architecture. It relates to other SNMPv3 documents as follows:

  • RFC 3411 - "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks": Defines the overall architecture and the Security Model interface.

  • RFC 3412 - "Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)": Defines how the USM is invoked by the Message Processing Subsystem.

  • RFC 3413 - "Simple Network Management Protocol (SNMP) Applications": Defines the applications that use USM for security.

  • RFC 3415 - "View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)": Works in conjunction with USM to provide complete security (USM provides authentication and privacy, VACM provides authorization).

  • RFC 3416 - "Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP)": Defines the PDU formats, including Report-PDU used by USM.

  • RFC 3417 - "Transport Mappings for the Simple Network Management Protocol (SNMP)": Defines how SNMP messages secured by USM are transported.

  • RFC 3418 - "Management Information Base (MIB) for the Simple Network Management Protocol (SNMP)": Defines the SNMP-FRAMEWORK-MIB and SNMP-MPD-MIB, which USM depends upon.

Layered Architecture

The USM fits into the SNMPv3 architecture as follows:

+------------------------------------------------------------+
| SNMP Applications                                          |
| (Command Generator, Command Responder, Notification        |
|  Originator, Notification Receiver, Proxy Forwarder)       |
+------------------------------------------------------------+
| Dispatcher                                                 |
| (Message Processing, PDU Dispatching, Transport Mapping)   |
+------------------------------------------------------------+
| Security Subsystem                                         |
| +------------------------------------------------------+   |
| | User-based Security Model (USM)                      |   |
| | - Authentication (HMAC-MD5-96, HMAC-SHA-96)          |   |
| | - Privacy (CBC-DES)                                  |   |
| | - Time synchronization                               |   |
| | - Discovery                                          |   |
| +------------------------------------------------------+   |
+------------------------------------------------------------+
| Access Control Subsystem                                   |
| +------------------------------------------------------+   |
| | View-based Access Control Model (VACM)               |   |
| +------------------------------------------------------+   |
+------------------------------------------------------------+

The USM is invoked by the Message Processing Subsystem to:

  • Provide security services for outgoing messages
  • Verify security services for incoming messages
  • Report security-related errors

MIB Module Organization

The SNMP-USER-BASED-SM-MIB module is organized into several functional groups:

  1. usmStats Group: Statistical counters for monitoring USM operations and detecting security issues.

  2. usmUser Group: Configuration and management of users, including:

    • User identification
    • Authentication and privacy protocols
    • Key management

  3. Conformance Group: Defines compliance requirements for USM implementations.

Protocol Organization

The authentication and privacy protocols are specified as separate sections (6, 7, and 8) to allow:

  1. Clear specification of each protocol
  2. Easy addition of new protocols in the future
  3. Implementation of protocols as modular components
  4. Independent review and analysis of each protocol
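As an added example (not text or code from RFC 3414 or any USM implementation), the Python sketch below shows what "protocols as modular components" looks like in practice: the two authentication protocols of Sections 6 and 7 sit behind one interface and are selected by name, with the outgoing/incoming split from the Message Processing invocation above and a usmStats-style failure counter from the MIB organization. The protocol object names, the 12-octet (96-bit) truncation and the zeroed msgAuthenticationParameters field follow RFC 3414; the key, message layout and field offset are constructed for the demonstration.

```python
import hashlib
import hmac
from collections import Counter

# Added example (not RFC 3414 text or code): the modular shape Sections 6 and 7
# are split out to allow. Each authentication protocol sits behind one interface
# and is selected by name; "96" is the 12-octet truncation of the HMAC output.
AUTH_PROTOCOLS = {
    "usmHMACMD5AuthProtocol": hashlib.md5,   # HMAC-MD5-96 (Section 6)
    "usmHMACSHAAuthProtocol": hashlib.sha1,  # HMAC-SHA-96 (Section 7)
}
MAC_LEN = 12  # 96 bits

# Counter in the spirit of the usmStats group; usmStatsWrongDigests is the
# RFC 3414 counter that rises when incoming messages fail authentication.
usm_stats = Counter()


def _mac(protocol, auth_key, whole_msg, offset):
    # RFC 3414 computes the HMAC over the whole message with the 12-octet
    # msgAuthenticationParameters field (found at `offset`) set to zeros.
    zeroed = whole_msg[:offset] + bytes(MAC_LEN) + whole_msg[offset + MAC_LEN:]
    return hmac.new(auth_key, zeroed, AUTH_PROTOCOLS[protocol]).digest()[:MAC_LEN]


def authenticate_outgoing(protocol, auth_key, whole_msg, offset):
    """Outgoing side: place the truncated MAC into the authentication field."""
    mac = _mac(protocol, auth_key, whole_msg, offset)
    return whole_msg[:offset] + mac + whole_msg[offset + MAC_LEN:]


def authenticate_incoming(protocol, auth_key, whole_msg, offset):
    """Incoming side: recompute, compare in constant time, count any failure."""
    received = whole_msg[offset:offset + MAC_LEN]
    if len(received) != MAC_LEN or not hmac.compare_digest(
        received, _mac(protocol, auth_key, whole_msg, offset)
    ):
        usm_stats["usmStatsWrongDigests"] += 1
        return False
    return True


if __name__ == "__main__":
    # Constructed message (fake header, zeroed auth field, payload) and a
    # constructed 16-octet key standing in for a localized authentication key.
    key = bytes(range(16))
    msg = b"hdr" + bytes(MAC_LEN) + b"get-request payload"
    signed = authenticate_outgoing("usmHMACMD5AuthProtocol", key, msg, 3)
    print(authenticate_incoming("usmHMACMD5AuthProtocol", key, signed, 3))
    print(authenticate_incoming("usmHMACMD5AuthProtocol", key, signed[:-1] + b"?", 3))
```

A responder that watches usmStatsWrongDigests climb has a direct signal of forged or corrupted messages, which is the monitoring use the usmStats group is organized around.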

Each protocol section includes:

  • Protocol description
  • Algorithm specification
  • Security considerations specific to that protocol