Hi, Before you get too far along.... Please describe your plans for authentication flow and then authorization flow. That is, describe using the messages for, say, an SNMP GET operation. With SNMPv3 with USM, a simple description is that the sender decides the "level of security" - one of noAuth/noPriv, auth/noPriv, auth/priv. The sender must choose a user identity to use, and must have the authKey and the privacyKey to use. A message is constructed (and I'm not going to provide the details here). On receiving an SNMPv3 USM message, a local configuration store is used to verify that the user specified in the request exists, and retrieves the authKey and privacyKey (if needed). If the security level is auth/noPriv or auth/priv, then the message is checked for integrity and the PDU is decrypted (I'm not going to provide the details here). If this succeeds, the VACM configuration and procedure is followed to determine if the request is authorized. And so forth.

You really need to figure out how authentication and authorization are to work in your proposal, and where in the processing of messages, what information you need. Hint: I went through the above analysis and determined that it was not a simple task of just tacking on Radius as a "back end" to SNMPv3/USM. Instead it required a new security model to use Radius. Wes and I have worked on this and have a proposal, called session based security model (SBSM). Check out the proceedings from the fall 2003 IETF.

At 10:08 AM 7/7/2004 +0200, jeff x wrote:
>Hello,
>
> I'm trying to modify net-snmp to a radius client,
>so that, all the vacm system and user checking will be
>done thanks to a radius server (using RBAC model).
>
> In fact, I'm about to start all the UML analysis
>and conception, so, that's why I ask for some UML
>documents on net-snmp (especially "snmpd") if someone
>has some.
>
> Moreover, if someone has some advice to help me,
>don't be shy! :)
> I think I will use a LDAP server to store all
>USER/password and rights in an RBAC-like style.
>I will use freeradius and openldap, but I also would
>like to have a 'portable' implementation independent
>from the type of RADIUS&LDAP server. So if you have
>any tips on this, I'm waiting for it.
>
>Bye,
> Jeff

Regards,
/david t. perkins
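The receive-side flow David sketches above (look the user up in the local store, check integrity, decrypt if auth/priv, then run the VACM check) as one runnable model. This is an added example, not code from net-snmp or from either poster. What is real: the security levels, the HMAC-SHA-96 authentication of RFC 3414 (HMAC-SHA-1 with msgAuthenticationParameters zeroed, truncated to 12 bytes), the USM report-counter names, and the VACM group/access/view lookup of RFC 3415 with longest-subtree-wins view families. What is assumed or simplified: the user and VACM tables are constructed, the wire encoding is a length-prefixed concatenation rather than BER, the privacy transform is an HMAC-keystream XOR standing in for DES-CBC/AES-CFB, keys are taken as already localized, and contextName is ignored.

```python
"""Simplified SNMPv3 USM receive path followed by a VACM access check (added example)."""
import hmac
import hashlib
from dataclasses import dataclass

NOAUTH_NOPRIV, AUTH_NOPRIV, AUTH_PRIV = 1, 2, 3   # usmSecurityLevel values (RFC 3414)
USM_SECURITY_MODEL = 3                             # securityModel number for USM

# Constructed local USM user store: securityName -> (localized authKey, localized privKey).
# A real agent derives these from passwords with the key localization of RFC 3414 sec. 2.6.
USM_USERS = {
    "monitor": (b"\x11" * 20, b"\x22" * 16),
    "operator": (b"\x33" * 20, b"\x44" * 16),
}

# Constructed VACM tables (contextName omitted for brevity).
VACM_SEC_TO_GROUP = {                 # (securityModel, securityName) -> groupName
    (USM_SECURITY_MODEL, "monitor"): "readers",
    (USM_SECURITY_MODEL, "operator"): "admins",
}
VACM_ACCESS = {                       # (groupName, minimum securityLevel) -> readView
    ("readers", AUTH_NOPRIV): "system-only",
    ("admins", AUTH_PRIV): "all",
}
VACM_VIEWS = {                        # viewName -> [(subtree OID, included?)], longest match wins
    "system-only": [((1, 3, 6, 1, 2, 1, 1), True)],
    "all": [((1,), True), ((1, 3, 6, 1, 6, 3, 15), False)],   # everything except the USM MIB
}


@dataclass
class UsmMessage:
    user: str
    level: int
    auth_params: bytes = b""   # 12-byte HMAC-SHA-96 tag (msgAuthenticationParameters)
    priv_params: bytes = b""   # salt for the privacy transform (msgPrivacyParameters)
    payload: bytes = b""       # scoped PDU, encrypted when level == AUTH_PRIV


def _wire(msg, auth_params):
    # Bytes the HMAC covers; simplified length-prefixed stand-in for the BER-encoded message.
    parts = [msg.user.encode(), bytes([msg.level]), auth_params, msg.priv_params, msg.payload]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def _auth_tag(auth_key, msg):
    # HMAC-SHA-96: HMAC-SHA-1 computed with the auth params field zeroed, truncated to 12 bytes.
    return hmac.new(auth_key, _wire(msg, b"\x00" * 12), hashlib.sha1).digest()[:12]


def _priv_transform(priv_key, salt, data):
    # Placeholder XOR keystream (HMAC-SHA-256 counter mode); NOT the DES-CBC/AES-CFB of RFC 3414/3826.
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(priv_key, salt + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_get(user, level, oid):
    """Sender side: pick user and level, build the GET for `oid`, encrypt and/or authenticate."""
    auth_key, priv_key = USM_USERS[user]
    pdu = ".".join(map(str, oid)).encode()          # the scoped PDU is reduced to the requested OID
    msg = UsmMessage(user=user, level=level)
    if level == AUTH_PRIV:
        msg.priv_params = b"salt0001"              # constructed salt; real USM uses a boot/engine counter
        msg.payload = _priv_transform(priv_key, msg.priv_params, pdu)
    else:
        msg.payload = pdu
    if level >= AUTH_NOPRIV:
        msg.auth_params = _auth_tag(auth_key, msg)
    return msg


def _in_view(view_name, oid):
    best = None
    for subtree, included in VACM_VIEWS.get(view_name, []):
        if oid[: len(subtree)] == subtree and (best is None or len(subtree) > len(best[0])):
            best = (subtree, included)
    return best is not None and best[1]


def process_get(msg):
    """Receiver side. Returns ("ok", oid) or (error name, None); errors use USM/VACM names."""
    entry = USM_USERS.get(msg.user)
    if entry is None:
        return ("usmStatsUnknownUserNames", None)
    auth_key, priv_key = entry
    if msg.level not in (NOAUTH_NOPRIV, AUTH_NOPRIV, AUTH_PRIV):
        return ("usmStatsUnsupportedSecLevels", None)
    if msg.level >= AUTH_NOPRIV and not hmac.compare_digest(_auth_tag(auth_key, msg), msg.auth_params):
        return ("usmStatsWrongDigests", None)      # integrity check happens before any decryption
    payload = msg.payload
    if msg.level == AUTH_PRIV:
        payload = _priv_transform(priv_key, msg.priv_params, payload)
    try:
        oid = tuple(int(x) for x in payload.decode().split("."))
    except ValueError:
        return ("usmStatsDecryptionErrors", None)
    # Authorization: VACM, using the authenticated securityName and the message's securityLevel.
    group = VACM_SEC_TO_GROUP.get((USM_SECURITY_MODEL, msg.user))
    if group is None:
        return ("noGroupName", None)
    levels = [lvl for (g, lvl) in VACM_ACCESS if g == group and lvl <= msg.level]
    if not levels:
        return ("noAccessEntry", None)             # e.g. noAuth request against an auth-only entry
    if not _in_view(VACM_ACCESS[(group, max(levels))], oid):
        return ("notInView", None)
    return ("ok", oid)
```

The point of the model for the RADIUS question is where the lookups sit: the user lookup and key retrieval must succeed before the integrity check can run, so whatever replaces the local store has to answer before the agent can even tell whether the message is genuine; the VACM lookup only runs afterwards, on an already-authenticated securityName.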
