SNMP Research International, Inc.

Secure Your Network

• Products
  •  
  • Agents
  •  
  • Managers
  •  
  • Developer Tools
  •  
  • User-Ready Solutions
  •  
  • Products by RFC
  •  
  • List All
  •  
• Services
  •  
  • Technical Support
  •  
  • Professional Services
  •  
• Partners
  •  
  • Technology Partners
  •  
  • Channel Partners
  •  
  • Customers
  •  
  • What Our Customers Are Saying About Us
  •  
  • Success Stories
  •  
• Technology
  •  
  • SNMP Standards
  •  
  • Supported RFCs
  •  
  • White Papers
  •  
  • Glossary
  •  
  • FAQ
  •  
• About Us
  •  
  • Company
  •  
  • News and Events
  •  
  • Contact Us
  •  

Information about SNMP

• SNMP Protocol Information
• SNMP RFCs
• Supported RFCs
• SNMP Printed Literature
• SNMPv3 White Paper
• SNMP over TLS and DTLS
• SNMP Proxy Information

Technology Initiatives

• XML-Based Management
• Extended Security Options

SNMPv3 with Security and Administration

Table of Contents

• Introduction
• SNMPv3 Features
• Additional SNMPv3 Features (from v2)
• Security Threats and SNMPv3 Protection
• Security Mechanisms
• Configuration
• SNMPv3 Architecture
• Security and Administration Framework
• SNMPv3 RFCs
• Sources for More Information
• Contact Information

Introduction

Secure management is available with SNMPv3, the ``Full Standard,'' IETF-recommended version of the Internet-Standard Management Framework. This technology provides commercial-grade security and the ease of administration, which includes authentication, authorization, access control, and privacy.

The secure management of SNMPv3 is an important enabling technology for safe configuration and control operations. SNMPv3 provides security with authentication and privacy, and its administration offers logical contexts, view-based access control, and remote configuration. This technology is available for networks, systems, applications, manager-to-manager communications, and proxy management of legacy systems.

SNMPv3 is derived from and builds upon both the original Internet-Standard Management Framework (SNMPv1) and the second Internet-Standard Management Framework (SNMPv2c). All versions (SNMPv1, SNMPv2c, and SNMPv3) of the Internet-Standard Management Framework share the same basic structure and components. Furthermore, all versions of the specifications of the Internet-Standard Management Framework follow the same architecture.

SNMPv3 Features

Many SNMP products remain fundamentally the same under SNMPv3, but are enhanced by the following new features:

Security

• Authentication
• Privacy

Administration

• Authorization and access control
• Logical contexts
• Naming of entities, identities, and information
• People and policies
• Usernames and key management
• Notification destinations and proxy relationships
• Remote configuration via SNMP operations

Additional SNMPv3 Features (from v2)

The following features are incorporated from the SNMPv2 Framework by reference.

Security Threats and SNMPv3 Protection

Secure management with SNMPv3 protects against four threats:

Security Mechanisms

User-based Authentication Mechanism is based on the following:

• MD5 message digest algorithm in HMAC
  • Directly provides data integrity checks
  • Indirectly provides data origin authentication
  • Uses private key known by sender and receiver
  • 16-byte key
  • 128-bit digest (truncates to 96 bits)
• SHA, an optional alternative algorithm
• Loosely synchronized monotonically increasing time indicator values defend against certain message stream modification attacks

User-based Privacy Mechanism is based on the following:

• Data Encryption Standard (DES) Cipher Block Chaining (CBC) mode
  • Provides data confidentiality
  • Uses encryption
  • Subject to export and use restrictions in many jurisdictions
• Uses 16-byte key (56-bit DES key, 8-byte DES initialization vector) known by sender and receiver
• Multiple levels of compliances with respect to DES due to problems associated with international use
• Triple Data Encryption Standard (Triple DES)
• Advanced Encryption Standard (128, 192, and 256, bit keys)

Configuration

SNMPv3 provides the following configuration possibilities. (Note: availability depends on export restrictions.)

• No authentication and no privacy (noAuthNoPriv) - usually for monitoring
• Authentication and no privacy (authNoPriv) - usually for control
• Authentication and privacy (authPriv) - usually for downloading secrets

The network administrator has the potential to configure the protection level on a transaction-by-transaction basis. Criteria to consider when choosing configuration options are system resources and level of protection.

SNMPv3 Architecture

The specifications of the Internet-Standard Management Framework are based on a modular architecture. This framework is more than just a protocol for moving data. The framework consists of

• A data definition language,
• Definitions of management information (the Management Information Base, or MIB),
• A protocol definition, and
• Security and administration.

The framework was structured with a protocol-independent data definition language and Management Information Base, along with a MIB-independent protocol. The SNMPv3 Framework builds and extends these architectural principles by

• Building on these four basic architectural components, in some cases incorporating them from the SNMPv2 Framework by reference, and by
• Using these same layering principles in the definition of new capabilities in the security and administration portion of the architecture.

Those who are familiar with the architecture of the SNMPv1 Management Framework and the SNMPv2 Management Framework find many familiar concepts in the architecture of the SNMPv3 Management Framework. However, in some cases, the terminology may be somewhat different.

Security and Administration Framework

SNMP entities contain a security subsystem (and possibly an access control subsystem) to prevent unauthorized users from accessing a MIB or parts of a MIB. SNMP entities also possess these subsystems to ensure that authorized users retrieve and update information from only the parts of the MIB that they are allowed to view. Only a user who has the necessary access privileges will be able to obtain the desired level of service from a properly configured SNMP entity.

A Security Administration Framework defines the mechanisms, which control the level of service provided by an SNMP entity. The mechanisms discriminate each message based on who is sending the message, what operation is requested, where the operation takes place within the MIB, and how the request is being sent (security protocol in use).

Who? Authentication discriminates a request based on the sender of the message. An authentication identifier includes some type of shared secret, which is used to verify the identity of the sender.

What? Authorization discriminates a request based on the operation being requested. An authorization identifier defines a set of operations that are permitted (e.g., Get, Set, Trap, etc.).

Where? Access Control discriminates a request based on the MIB objects where a requested operation would be performed. An access control identifier, or MIB View, defines a set of objects in the MIB where operations may be performed.

How? Security Level discriminates a request based on the security protocols used for a request. Security level options include privacy protocols and alternative authentication algorithms.

SNMPv3 RFCs

The SNMPv3 Request for Comments (RFCs) provide further detail about SNMPv3. A complete list of RFCs can be found at http://www.snmp.com/snmpv3/.

• RFC 3410. Introduction to SNMPv3
• RFC 3410. Introduction and Applicability Statements for Internet Standard Management Framework
• RFC 3411. An Architecture for Describing SNMP Management Frameworks
• RFC 3412. Message Processing and Dispatching
• RFC 3413. SNMP Applications
• RFC 3414. User-based Security Model
• RFC 3415. View-based Access Control Model
• RFC 3416. Version 2 of SNMP Protocol Operations
• RFC 3417. Transport Mappings
• RFC 3584. Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework
• RFC 3826. The Advanced Encryption Standard (AES) Cipher Algorithm in the SNMP User-based Security Model

Sources for More Information

• SNMPv3 Specifications
  http://www.snmp.com/snmpv3/.
• Internet Engineering Task Force (IETF)
  The User-based Security Model is defined in the IETF RFC 3414. Refer to http://www.ietf.org for information on receiving the freely available IETF standards.
• AES and 3DES Specifications
  The AES and 3DES security protocol definition documents are available at the Extended Security Consortium web site (http://www.snmp.com/) at the following page: http://www.snmp.com/protocol/eso.shtml.
• AES-256 Specifications
  http://www.snmp.com/snmpv3_aes256.shtml.

Contact Information

For further information about SNMPv3 or SNMP Research's products, please contact SNMP Research, Inc.

SNMP Research Incorporated
3001 Kimberlin Heights Rd.
Knoxville, TN 37920
U.S.A.
Tel: +1 865 573 1434
Fax: +1 865 579 6565
E-mail: info@snmp.com
www.snmp.com

Home | Company | Contact Us | Products & Services
News | Partners & Customers | Protocol | Site Map | Sales Query

Copyright © 2024 SNMP Research International, Inc.
Questions? Please let us know.
SNMP Research: www.snmp.com