Re: limit for number of objects in notifications
On Tue, Dec 28, 2004 at 02:14:56AM +0100, Juergen Quittek wrote:
> Our module assumes SNMPv3 security. Does there also exist a worst case
> calculation for USM authentication? How to consider encryption?
I think the SNMPv3 header is actually well bounded. Here are the ASN.1
pieces taken from RFC 3412 and RFC 3414 and annotated with the size
restrictions as I see them:
SNMPv3Message ::= SEQUENCE {
    msgVersion INTEGER (0 .. 2147483647),
    msgGlobalData HeaderData,
    msgSecurityParameters OCTET STRING, -- UsmSecurityParameters
    msgData ScopedPduData
}
HeaderData ::= SEQUENCE {
    msgID INTEGER (0..2147483647),
    msgMaxSize INTEGER (484..2147483647),
    msgFlags OCTET STRING (SIZE(1)),
    msgSecurityModel INTEGER (1..2147483647)
}
ScopedPduData ::= CHOICE {
    plaintext ScopedPDU,
    encryptedPDU OCTET STRING -- encrypted scopedPDU value
}
ScopedPDU ::= SEQUENCE {
    contextEngineID OCTET STRING, -- (SIZE (5..32))
    contextName OCTET STRING, -- (SIZE(0..32))
    data ANY -- smidump -f sizes
}
UsmSecurityParameters ::= SEQUENCE {
    msgAuthoritativeEngineID OCTET STRING, -- (SIZE (5..32))
    msgAuthoritativeEngineBoots INTEGER (0..2147483647),
    msgAuthoritativeEngineTime INTEGER (0..2147483647),
    msgUserName OCTET STRING (SIZE(0..32)),
    msgAuthenticationParameters OCTET STRING, -- (SIZE (0|12))
    msgPrivacyParameters OCTET STRING -- (SIZE (0|8))
}
The engineIDs are restricted in MIB space to (SIZE(5..32)) and the
context name is restricted in the VACM MIB to (SIZE(0..32)). With
AES/DES and USM, the msgPrivacyParameters contains an 8 octet value.
With USM, the msgAuthenticationParameters field contains 12 octets.
So everything has well defined boundaries and it is a matter of
doing some BER math to get the minimum and maximum header sizes.
Assuming an empty context name and values in the middle of the
ranges, it should be possible to calculate the likely size of an
SNMPv3 header.
I do not have the time right now to do the math myself. But it should
be straightforward. (And perhaps I should add the computation to the
smidump code or someone should write all this up and post an ID so
that people can check and validate the math.)
/js
--
Juergen Schoenwaelder International University Bremen
<http://www.eecs.iu-bremen.de/> P.O. Box 750 561, 28725 Bremen, Germany