Overview
SNMP Research International, Inc.
Extended Security Options
for Standards-Based Network Management
Technical Brief
Table of Contents Overview (2)
Authentication (2)
Encryption (3)
References (5)
Overview
Security was initially not addressed in standards-based network management. The original Simple Network Management Protocol (SNMP) specifications included only a very simple “community string” mechanism for specifying access restrictions to management data. Because of this, the use of SNMP was frequently limited to read-only monitoring of network health and performance information.
The introduction of SNMP version 3 (SNMPv3) added authentication and privacy (encryption) features to the communication of management information to provide vastly improved security. SNMPv3 also includes a flexible and powerful administrative framework to implement the security infrastructure. This administrative framework contains configuration information for the usernames, access rights, and keys used to limit access to management data. Today, access to management information can be made much more secure, and the risk of malicious damage through the use of network management commands is reduced. The improved security provided by SNMPv3 has also facilitated the use of SNMP for configuration changes (write operations). SNMPv3 has become popular in government, military, and security-conscious commercial enterprises.
The SNMPv3 specification documents define standard implementations of two cryptography technologies for authentication (MD5 and SHA1), and one technology for encryption (56-bit DES in CBC mode). However, the specification documents define extensibility techniques for both authentication and encryption, so organizations may implement the cryptography technologies required for their environments. Several vendors have implemented stronger cryptography (in the prescribed manner) to meet the security needs of their customers.
This paper is a brief overview of the security mechanisms currently available for SNMPv3. Please reference the IETF specification documents (RFCs) and documents published by SNMP Research International for implementation details.
Authentication
Authentication is the process of reliably verifying the source and validity of a request or response. Agents and managers need to verify that the requests being made of them come from a known party, have not been corrupted or modified, and are not replays of requests sent earlier.
In the SNMPv3 framework, authentication protects against the following threats:?Masquerade, where the sender of a message is pretending to be another entity;?Modification of information, where the content of a message has been changed or corrupted;?Modification of the message stream, where a previous message is being sent again, or an intercepted message is sent at a later time.
For each packet where authentication is requested, the sender computes a message digest based on the contents of the request or response, and includes it in the request header. On receipt of the request or response, the receiver computes the message digest, and verifies that it matches the digest computed by the sender. The key used in the digest algorithm is known only to the sender and receiver, so third-party reproduction of the digest is not feasible. The User-based Security Model (USM) specifies that either the MD5 or the SHA1 digest algorithms may be used in computing the message digest.
A shared secret key (i.e. the same key for the manager and for the agent) is used when generating the digest. Each manager must know the authentication key for each agent for which it must communicate. Each user might have only one authentication pass-phrase that is used across an administrative domain, but a localized key for each agent is automatically generated from the user's pass-phrase. The key is localized for each agent, so for a well-implemented agent (i.e., an agent that does not store pass-phrases in plaintext) inadvertent disclosure of an agent's secrets will not breach security for the entire administrative domain.
The choice of digest algorithm is made when the SNMPv3 user used to send and receive messages is created. Since the digest algorithm is identified by name (object identifier), agents and managers can be extended to use other digest algorithms, though, to the knowledge of the authors of this document, there has been no market requirement to do so. The security provided by MD5 and SHA1 authentication is sufficient to address the needs of the network management community for the foreseeable future.
The User Security Model (USM) is the standard security and management framework for SNMPv3. USM specifies the use of shared symmetric secrets, and the use of a digest-base authentication mechanism. However, as the security model is specified in each packet, it is feasible to extend the security models, so that nonstandard models can be used in a standard way. This allows implementation of third-party authentication services such as RADIUS. In this model, an authentication service is consulted by the network management system to verify the validity of the message.
Privacy (Encryption)
In the SNMPv3 framework, privacy is protection from the unauthorized disclosure of data. In this case the data is the message being sent between SNMP entities (e.g., a routing table being retrieved from a networking element). Privacy is implemented by encrypting the payload of the SNMP message.
The User-based Security Model (USM) of the SNMPv3 standards specifies the use of the Data Encryption Standard (DES-CBC) with 56-bit keys as the encryption protocol. Each manager must know the privacy key for each agent for which it must communicate. Each user might have only one privacy pass-phrase that is used across an administrative domain, but a localized key for each agent is automatically generated from the user's pass-phrase. As previously explained for authentication, the key is localized for each agent, so for a well-implemented agent, inadvertent disclosure of an agent's secrets will not breach security for the entire administrative domain.
As in the user of authentication digest algorithms, the choice of the privacy protocol is made when the SNMPv3 user is created in the agent and in the manager. Since the encryption algorithm is identified by name (object identifier), agents and managers can be extended to use other encryption algorithms in an interoperable manner. There is much interest in adding additional security protocols to SNMPv3, as there is concern about the viability of 56-bit DES as an encryption algorithm. As 56-bit DES is theoretically breakable in a reasonable amount of time using current computing technology, some network operators require stronger cryptography. Two encryption algorithms have drawn interest as additional SNMPv3 encryption protocols. The Advanced Encryption Standard (AES) has been adopted by the United States National Institute of Standards and Technology (NIST) for both government and business use
(https://www.360docs.net/doc/b35942601.html,/aes). Work is in progress in the Internet Engineering Task Force (IETF) to adopt the AES algorithm as an alternative SNMPv3 encryption protocol
(https://www.360docs.net/doc/b35942601.html,/eso). While AES is defined with three possible key lengths (128, 192 and 256 bit), at this point only the 128 bit version is being considered for SNMPv3, as it is likely to be sufficiently strong for many years. Triple-DES using a 168 bit key (abbreviated 3DES or TDEA) is currently a popular algorithm in government and business, and has been implemented by SNMP Research and others as an encryption protocol for SNMPv3. 3DES is identified in Federal Information Processing Standard (FIPS) 46-3 as the FIPS-recognized encryption algorithm of choice, and therefore is used by U.S. government entities that need to comply with FIPS 140-1 and FIPS 140-2. 3DES has a proven track record in field deployments, but the algorithm takes more computing time than any of the AES protocols.
Several networking equipment and management technology vendors have already implemented the extended security options of 3DES and AES in their SNMPv3 implementations. Known implementers of 3DES include Juniper, Marconi, and SNMP Research. Known implementers of AES include Juniper, SNMP Research, MGSoft, and the NetSNMP open software project. Other encryption technologies may be used with SNMPv3, but none are known to the authors to be in wide use.
References
?The User-based Security Model is defined in the IETF RFC3414. See https://www.360docs.net/doc/b35942601.html, for information on receiving the freely available IETF standards.
?The AES and 3DES security protocol definition documents are available at the Enhanced Security Consortium web site (https://www.360docs.net/doc/b35942601.html,).
If you have additional questions, please contact SNMP Research.
SNMP Research International, Inc.
3001 Kimberlin Heights Rd.
Knoxville, TN 37920
U.S.A.
Tel: +1 865 579 3311
Fax: +1 865 579 6565
E-mail: info@https://www.360docs.net/doc/b35942601.html,
雅思写作---小作文overview应该这样写
雅思写作---小作文overview应该这样写 雅思小作文除了第一句话复述题目外,接下来要写的就是overview了,也就是对图表的最明显的,有概括性的特征的描述。Overview的具体位置可以是跟在复述题目的句子之后,作为开头段,也可以单独成段,或者有些范文中将这一概括放在结尾作为conclusion,这些形式都可以。 但是如何找准主要特征呢?下面将结合具体的例子总结overview应该怎么写才能拿高分,希望对雅思考生能够有所帮助。 首先,overview应该从三个角度展开: 1. overall trend整体趋势 2. biggest rise/ fall/ change最大变化项目 3. comparison对比 其次,overview具体内容应该这样写: 1. 写1-2个总体的特征 2. 不用带具体数值 3. 对比和最大值,或整体趋势往往需要结合起来写 4. 可以加一些功能性语言:总体看来overall; 最明显的是… It is obvious that…等 最后,咱们结合例子来看是如何体现的: 1. 找最大值 The British were the biggest spenders in all six categories among the nations compared in the bar chart while the lowest spending levels were attributed to the residents of Belgium
2. 总体数量比较 Overall, there were more male research students than females in 2005. 3. 总体趋势比较 Overall, the consumption of margarine and butter decreased over period given while for low fat and reduced spreads, it rose. 4. 总体占比对比+总体趋势变化
雅思写作overview应该这样写
雅思写作overview应该这样写 新东方在线刘美娟雅思小作文除了第一句话复述题目外,接下来要写的就是overview了,也就是对图表的最明显的,有概括性的特征的描述。Overview的具体位置可以是跟在复述题目的句子之后,作为开头段,也可以单独成段,或者有些范文中将这一概括放在结尾作为conclusion,这些形式都可以。 但是如何找准主要特征呢?下面新东方在线刘美娟老师就将结合具体的例子总结overview应该怎么写才能拿高分,希望对雅思考生能够有所帮助。 首先,overview应该从三个角度展开: 1. overall trend整体趋势 2. biggest rise/ fall/ change最大变化项目 3. comparison对比 其次,overview具体内容应该这样写: 1. 写1-2个总体的特征 2. 不用带具体数值 3. 对比和最大值,或整体趋势往往需要结合起来写 3. 可以加一些功能性语言:总体看来overall; 最明显的是… It is obvious that…等 最后,咱们结合例子来看是如何体现的:
1. 找最大值 The British were the biggest spenders in all six categories among the nations compared in the bar chart while the lowest spending levels were attributed to the residents of Belgium 2. 总体数量比较 Overall, there were more male research students than females in 2005. 3. 总体趋势比较
Letter of Recommendation Overview
Letter of Recommendation Overview 2019-01-01 Contributed by Resume Edge - ResumeEdge: Certified Professional Resume Writers edit and write your resumes and cover letters. Get an Edge. Click Here! I. Letter of Recommendation for Job-Searching Letters of recommendation are convenient substitutes for work references: they neatly sum up a previous or current employer's perspective and allow prospective employers to avoid the sometimes awkward and vague conversations that result from interrogating references over the phone about your strengths and weaknesses. In addition, such letters help prospective employers to skirt the difficulties of reaching a reference. Finally, they are also a great advantage for the job-seeker, because they offer concrete, credible, and readily available evidence of past accomplishments and abilities. If you have been laid off but left the company on good terms, a letter of recommendation will provide prospective employers with a credible, thorough account of why you had to leave the company -- for instance, if the layoff was part of a general downsizing II. Letters of Recommendation for Applications Most undergraduate and graduate school applications require two or three letters of recommendation. Depending on whether you are applying to an academic program or professional degree-- for instance, business or law school -- these letters should come from former or current professors, employers, or supervisors who are familiar with your work and performance. For academic applications, letters from teachers or professors are generally preferable to letters from employers. Admissions officers are looking to supplement their knowledge of your academic performance and aptitude -- gleaned from your transcript and standardized scores -- with concrete evidence that you are a dedicated and enthusiastic learner. Remember: most schools nowadays recognize the value of a dynamic, diverse student body and are thus eager to fill their spots with candidates who have been actively engaged in both academic and extracurricular activities. These letters should reflect not only your participation and performance in the classroom, but also your initiative (for instance, through research projects undertaken with the professor, through leadership in group activities, and through active contribution to classroom discussions). If you are applying to a PhD program, make sure that at least two out of the three recommendations come from people within your field (or from a field that is closely related to the one you are about to enter. for instance, you might have a letter from a political scientist for an application to a PhD in Sociology, but you better have a real
LTE_Overview
LTE 空中接口技术与性能
系统概述
田韬
Confidential Information
About LTE
> LTE: Long Term Evolution
? LTE is a 3GPP project name for the evolution of UMTS, LTE project aims to ensure the continued competitiveness of the 3GPP technologies for the future. ? It is now linked with the development of a new air interface ? Existed together the evolution of UMTS via HSDPA and HSUPA
> Formal names :
? Evolved UTRA (E-UTRA) / Evolved UTRAN (E-UTRAN) ? Evolved UMTS Terrestrial Radio Access ? Evolved UMTS Terrestrial Radio Access Network
> SAE: System Architecture Evolution
? It refers to the evolved core network.
Confidential Information
LTE性能设计目标
> TR25.913 > 峰值速率
? 下行100Mbps(20MHz,MIMO2x2) ? 上行50Mbps(20MHz, 1x antenna)
> 时延
? C-plan ? U-plan: 5ms (unload, small IP packet), RTT<10ms
> 容量
? <5MHz: 200 subs 激活 ? >5MHz: >400 subs
> Throughput
? 3-4 times better than release 6 (DL ) ? 2-3 times better than release 6 (UL )
> Spectrum Efficiency
? 3-4 times better than release 6 (DL ) ? 2-3 times better than release 6 (UL )
> Increase the support of QoS for the various types of services (e.g. Voice over IP)
Confidential Information