SNMP v3
Simple Network Management Protocol
An Alcatel Executive Brief, February 2003

Contents
1. Introduction
2. SNMP Operation
3. SNMPv3
3.1. User-based Security Model (USM)
3.2. View-based Access Control Model (VACM)
4. Conclusion
Appendix A: Abbreviations and acronyms
Appendix B: Sources for further information

Copyright © 2003 Alcatel Internetworking. The hyperlinks provided in this Executive Briefing are merely for the convenience of our Executive Briefing readers. Alcatel Internetworking, Inc. has no interest in, responsibility for, or control over the linked-to sites. AII disclaims all warranties, expressed and implied, including those of merchantability, fitness for a particular purpose and non-infringement, with respect to the information contained herein, the hyperlinks provided, the information contained therein, and the use thereof. In no event shall AII be liable for any damages resulting from the reader’s use of the information contained herein and/or the hyperlinks provided, even if AII has been informed of the possibility of such damages.
P/N 031249-00 2/03, Alcatel Executive Briefing

1.0 Introduction

Network managers need to be able to communicate with and control each element in a network. With the large numbers of devices in networks today, it would be difficult, if not impossible, to manage the network by configuring each device manually. To add to the complexity, most networks contain a mixture of network protocols. Centralized management is the answer.
The Simple Network Management Protocol (SNMP) was initially designed as a stop-gap measure for network management until a more sophisticated method could be developed. It was created to allow simple yet effective network management. Despite being created as a temporary solution, SNMP has continued to evolve. Today SNMP is supported by virtually every enterprise network equipment manufacturer worldwide.

SNMPv1 (RFC 1157) was effective and easy to implement, but had problems. SNMPv2 (RFC 1902) was developed to add new features and to correct the limitations and bugs of the original. SNMPv2 improved the functionality of version 1, but still did not meet security requirements such as authentication and encryption. SNMPv3 addresses these limitations with the addition of powerful security features including access control, authentication, and privacy of management information.

2.0 SNMP Operation

Enhancements to SNMP are modular in nature to allow for gradual evolution of the protocol. The architecture, structure, and framework of all three versions are consistent.

The SNMP model consists of a network management station and the devices that are managed, which are called agents. The management station communicates with devices running agent software by sending protocol data units (PDUs), carried in User Datagram Protocol (UDP) packets, using the SNMP protocol. Each network device agent maintains a database called a MIB that contains configuration and traffic information about that network device. The MIB (management information base) is a hierarchical database that the network management software reads and modifies using SNMP commands sent in PDUs. For example, a management station may send an SNMP PDU to an agent to retrieve information about network statistics or to change a parameter in the MIB.

SNMP offers the following basic functions:

Get – The get command retrieves specific information stored in the MIB.
An example of this command is “Get 1.3.6.1.800.4.5.6.” The number supplied to the get command works like a file number: every piece of MIB information is identified this way.

Get next – Get next is almost identical to the get command, except it requests the next incremental value. For example, one MIB entry might show the current number of packets received by a port, which is retrieved by a get. A get next requests the next update.

Get reply – A get reply is sent with the information requested by a get or get next command.

Set – Set is the command used to configure a device.

Trap (or event) – A trap is sent to the management station when a special condition such as start-up, shut-down, an error, etc., occurs in the device.

A network management station uses the get, get reply, and set commands to inspect, configure, and monitor a network device through the MIB. Unlike the other SNMP functions, traps are unsolicited events, meaning that they come directly from a device when it detects a problem. Trap PDUs are typically sent to a well-known UDP port (162) so that any station that is set up to listen on that port receives the traps.

3.0 SNMPv3

SNMPv3, first defined in IETF RFCs 2271-2275 and again in RFCs 3410-3415, is designed to be backward compatible with SNMP versions 1 and 2 and to add security in the form of access control, authentication, and encryption to existing SNMP implementations. As such, version 3 is essentially version 2 with the addition of security features and other enhancements. Two of the most significant additions provided by SNMPv3 are the User-based Security Model (USM) and the View-based Access Control Model (VACM).

3.1 User-based Security Model (USM)

The User-based Security Model (USM) of SNMPv3 defines mechanisms for providing message-level security for SNMP implementations.
The USM is designed to protect against threats such as:

• Modification of information – changing management information in transit between the SNMP manager and agent
• Masquerade – a non-authorized user assuming the identity of a user authorized to perform management operations
• Message stream modification – reordering or copying packets in a management message stream for malicious purposes
• Disclosure – a non-authorized user accessing a message in transit to learn information (e.g., passwords) contained in the stream

SNMPv3 provides authentication, ensures data integrity, and prevents masquerading. After a network manager logs on to a management station with a username and password, SNMPv3 authentication consists of applying MD5 (Message Digest 5) or SHA (Secure Hash Algorithm) to the PDU packets together with a secret key. The algorithm produces an authentication value and places it in the message. The receiver applies the same algorithm with the same key and checks whether the value it produces is the same as the one in the message. The key used for the authentication is associated with the network manager’s user name, which is present within the SNMP message. The authentication functionality ensures that each SNMP message comes from an authorized manager or agent and that it was not tampered with in transit.

SNMP messages are encrypted with DES (Data Encryption Standard) to prevent eavesdropping and ensure privacy of management information. DES is a symmetric key system: when sending or receiving a message encrypted with DES, both the sender and receiver of the message must have the same private key. This means that data in transit cannot be deciphered without the appropriate key.

The USM also has mechanisms for checking the timeliness of SNMP PDU delivery using synchronization and time-window checking techniques.
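The key handling and checks described in this section, as an added example that is not from the Alcatel briefing: the script below implements the RFC 3414 password-to-key derivation and key localization for MD5 and SHA, places a truncated 12-byte HMAC in the message the way USM fills msgAuthenticationParameters, verifies it on the receiving side, and applies the 150-second window used for the timeliness check. The message layout (a 4-byte header, the authentication field, then the PDU), the engine boots/time values and the sample PDU are constructed for illustration; the "maplesyrup" password and the engine ID are the test case from RFC 3414 Appendix A.

```python
# Added example (not from the Alcatel briefing): SNMPv3 USM key derivation,
# HMAC-96 message authentication and the timeliness window, per RFC 3414.
# The wire layout and engine values are assumptions made for illustration.
import hashlib
import hmac

# auth protocol name -> hash constructor (digest length: MD5 16, SHA-1 20 bytes)
HASHES = {"md5": hashlib.md5, "sha": hashlib.sha1}
AUTH_PARAMS_LEN = 12      # HMAC-96: only the first 12 bytes of the HMAC are sent
TIME_WINDOW = 150         # seconds, RFC 3414 section 2.2.3
PARAMS_OFFSET = 4         # assumed position of the authentication field


def password_to_key(password: str, alg: str = "md5") -> bytes:
    """Ku: hash 1,048,576 bytes of the password repeated (RFC 3414 A.2)."""
    pw = password.encode()
    reps, rem = divmod(1048576, len(pw))
    return HASHES[alg](pw * reps + pw[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, alg: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key becomes unique to one agent."""
    return HASHES[alg](ku + engine_id + ku).digest()


def build_message(pdu: bytes) -> bytearray:
    """Toy wire format (assumed): 4-byte header, zeroed auth field, then the PDU."""
    return bytearray(b"\x03\x00\x00\x00") + bytearray(AUTH_PARAMS_LEN) + bytearray(pdu)


def sign(msg: bytearray, kul: bytes, alg: str = "md5") -> bytearray:
    """Sender: MAC over the message with the auth field zeroed, then fill it in."""
    signed = bytearray(msg)
    signed[PARAMS_OFFSET:PARAMS_OFFSET + AUTH_PARAMS_LEN] = bytes(AUTH_PARAMS_LEN)
    mac = hmac.new(kul, bytes(signed), HASHES[alg]).digest()[:AUTH_PARAMS_LEN]
    signed[PARAMS_OFFSET:PARAMS_OFFSET + AUTH_PARAMS_LEN] = mac
    return signed


def verify(msg: bytes, kul: bytes, alg: str = "md5") -> bool:
    """Receiver: recompute the MAC the same way and compare in constant time."""
    received = bytes(msg[PARAMS_OFFSET:PARAMS_OFFSET + AUTH_PARAMS_LEN])
    zeroed = bytearray(msg)
    zeroed[PARAMS_OFFSET:PARAMS_OFFSET + AUTH_PARAMS_LEN] = bytes(AUTH_PARAMS_LEN)
    expected = hmac.new(kul, bytes(zeroed), HASHES[alg]).digest()[:AUTH_PARAMS_LEN]
    return hmac.compare_digest(received, expected)


def in_time_window(local_boots: int, local_time: int,
                   msg_boots: int, msg_time: int) -> bool:
    """Authoritative engine's timeliness check (RFC 3414 section 3.2, step 7b):
    same boot count, clock within 150 s, and the boot counter not exhausted."""
    if local_boots == 2147483647:   # counter wrapped: engine must reject everything
        return False
    return msg_boots == local_boots and abs(msg_time - local_time) <= TIME_WINDOW


if __name__ == "__main__":
    engine_id = bytes.fromhex("000000000000000000000002")   # RFC 3414 A.3 engine
    kul = localize_key(password_to_key("maplesyrup"), engine_id)
    print("localized MD5 key:", kul.hex())
    msg = sign(build_message(b"get-request 1.3.6.1.2.1.1.1.0"), kul)
    print("authentic:", verify(msg, kul))
    tampered = bytearray(msg)
    tampered[-1] ^= 0x01                    # flip one bit of the PDU in transit
    print("tampered accepted:", verify(tampered, kul))
    print("inside window:", in_time_window(5, 1000, 5, 1100))
```

Because the key is localized with the agent's engine ID, a key captured from one agent does not verify messages for another, and a single flipped bit in the PDU fails the check. The DES privacy step of the briefing is not shown; current deployments use AES privacy (RFC 3826) and SHA-2 based authentication (RFC 7860) in place of DES and MD5.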
This helps detect messages that have been delayed, which is important because delay is often an indicator that packets have been altered.

3.2 View-based Access Control Model (VACM)

The SNMPv3 View-based Access Control Model (VACM) is designed to control access to management information based on a user’s identity. The VACM allows different access levels (read, write, notify) to be defined for different users and for each piece of MIB information. After a network manager authenticates as specified in the USM, all SNMP commands generated carry that manager’s credentials. SNMP agents check the user’s information against a pre-configured access control database before allowing access to any MIB object. This gives network managers the ability to define different access rights for different administrators.

4.0 Conclusion

One of the most significant deficiencies in earlier versions addressed with the standardization of SNMPv3 is the lack of security features. Security, including authentication, privacy, and access control, is of paramount importance in today’s mission-critical networks, and SNMPv3 allows network managers to take advantage of SNMP management capabilities without compromising security. Though SNMP was originally created as a stop-gap measure until a more robust network management standard could be created, its simple, modular nature has instead contributed to its longevity. With the addition of security features in SNMPv3, the protocol continues to hold ground in the network management community.
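Sections 2.0 and 3.2 together describe how an agent answers get and get next against the OID-numbered MIB and how VACM decides which objects a given user may read or write. The added example below (not from the Alcatel briefing) models a toy agent: a small MIB keyed by OID, a lexicographic get-next walk, and an RFC 3415 style check of user, group, security level and view before each operation. The users (admin, monitor), groups, views and MIB values are constructed for illustration; the OIDs are standard mib-2 system and interfaces objects.

```python
# Added example (not from the Alcatel briefing): a toy SNMP agent whose
# get / get-next / set operations are gated by VACM-style view checks.
# Users, groups, views and MIB contents are constructed for illustration.

# Constructed MIB: OID -> value (standard mib-2 object identifiers)
MIB = {
    "1.3.6.1.2.1.1.1.0": "Example router",   # sysDescr.0
    "1.3.6.1.2.1.1.5.0": "edge-rtr-1",       # sysName.0
    "1.3.6.1.2.1.2.1.0": 4,                  # ifNumber.0
    "1.3.6.1.2.1.2.2.1.11.1": 918273,        # ifInUcastPkts.1
    "1.3.6.1.2.1.2.2.1.11.2": 55112,         # ifInUcastPkts.2
}

# VACM tables (constructed). A view is a list of (subtree, included?) entries.
VIEWS = {
    "all": [("1.3.6.1", True)],
    "ifstats": [("1.3.6.1.2.1.2", True), ("1.3.6.1.2.1.2.1", False)],  # interfaces, minus ifNumber
    "none": [],
}
GROUPS = {"admin": "netops", "monitor": "readonly"}       # securityName -> group
ACCESS = {                                                # (group, minimum level) -> (read, write, notify) views
    ("netops", "authPriv"): ("all", "all", "all"),
    ("readonly", "authNoPriv"): ("ifstats", "none", "ifstats"),
}
LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}
OP_INDEX = {"read": 0, "write": 1, "notify": 2}


def oid_tuple(oid: str) -> tuple:
    """Numeric tuple so OIDs compare lexicographically, as an agent orders them."""
    return tuple(int(x) for x in oid.split("."))


def in_view(view_name: str, oid: str) -> bool:
    """RFC 3415 view check: the longest matching subtree entry decides."""
    o = oid_tuple(oid)
    best = None
    for subtree, included in VIEWS[view_name]:
        s = oid_tuple(subtree)
        if o[:len(s)] == s and (best is None or len(s) > len(best[0])):
            best = (s, included)
    return best is not None and best[1]


def view_for(user: str, level: str, op: str):
    """Resolve user -> group -> access entry -> view name for the operation.
    An entry applies when the message's security level meets its minimum;
    the entry with the highest minimum level wins."""
    group = GROUPS.get(user)
    if group is None:
        return None
    matches = [(LEVELS[lvl], views) for (g, lvl), views in ACCESS.items()
               if g == group and LEVELS[lvl] <= LEVELS[level]]
    if not matches:
        return None
    return max(matches)[1][OP_INDEX[op]]


def allowed(user: str, level: str, op: str, oid: str) -> bool:
    view = view_for(user, level, op)
    return view is not None and in_view(view, oid)


def get(user: str, level: str, oid: str):
    if not allowed(user, level, "read", oid):
        return ("noAccess", None)
    return ("ok", MIB[oid]) if oid in MIB else ("noSuchObject", None)


def get_next(user: str, level: str, oid: str):
    """Return the first object after oid in lexicographic order that the user
    may read; objects outside the view are skipped rather than reported."""
    for cand in sorted(MIB, key=oid_tuple):
        if oid_tuple(cand) > oid_tuple(oid) and allowed(user, level, "read", cand):
            return ("ok", cand, MIB[cand])
    return ("endOfMibView", None, None)


def set_value(user: str, level: str, oid: str, value):
    if not allowed(user, level, "write", oid):
        return ("noAccess", None)
    MIB[oid] = value
    return ("ok", value)


if __name__ == "__main__":
    print(get("admin", "authPriv", "1.3.6.1.2.1.1.5.0"))
    print(get("monitor", "authNoPriv", "1.3.6.1.2.1.1.5.0"))   # outside ifstats view
    print(get_next("monitor", "authNoPriv", "1.3.6.1.2.1.1"))  # skips to first readable
    print(set_value("monitor", "authNoPriv", "1.3.6.1.2.1.1.5.0", "x"))
```

The walk for the monitor user starts at the system group but lands on ifInUcastPkts.1, because sysDescr, sysName and the excluded ifNumber are all invisible to that view; an unauthenticated request (noAuthNoPriv) matches no access entry at all and is refused everywhere.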
Appendix A: Abbreviations and acronyms

DES – Data Encryption Standard
IETF – Internet Engineering Task Force
MD5 – Message Digest 5
MIB – management information base
PDU – protocol data unit
SHA – Secure Hash Algorithm
SNMP – Simple Network Management Protocol
UDP – User Datagram Protocol
USM – User-based Security Model
VACM – View-based Access Control Model

Appendix B: Sources for further information

IETF RFC Pages – http://www.ietf.org/rfc.html
Introduction to SNMPv3 – RFC – http://www.ietf.org/rfc/rfc3410.txt?number=3410
The Simple Times – http://www.simple-times.org/
SNMPv3 Documentation – http://www.ibr.cs.tu-bs.de/ietf/snmpv3/

Want to receive executive briefings like this one every month, delivered directly to your email inbox? Sign up for the Alcatel Information Resource Center today. Visit us on the web at www.alcatel.com/enterprise, call us at 800.995.2612, or email us at end-enterprise-noram-solutions@ind.alcatel.com

ARCHITECTS OF AN INTERNET WORLD