Skip to content

TUT:SNMPv3_Options

Jump to bottom Edit New page
Bill Fenner edited this page Aug 30, 2018 · 1 revision

SNMPv3 Options

Introduction

The 3rd version of the SNMP protocol introduced a whole slew of new security related features that have been missing from the previous versions. In SNMPv1 and SNMPv2c, a simple community string was put in clear text into the packet to authenticate the request. This is obviously highly insecure. (If it's not obvious, then just trust me).

SNMPv3 and Security Components

=

SNMPv3 introduces advanced security which splits the authentication and the authorization into two pieces:

User-Based Security

The USM is the default Security Module for SNMPv3. The U stands for User-based, as it contains a list of users and their attributes. The USM is described by RFC 2574.

TLS and DTLS Based Security

A newer security model is also available called the "Transport Security Model" (TSM), defined in RFC 5591 which is designed to work with secure transports like TLS or DTLS and its usage is documented in the Using TLS tutorial.

Authorization: Who can do what?

The VACM is the default Access Control Module and determines which users (and SNMPv1/v2c communities) are allowed to access MIB information. The V stands for View-based, and allows different levels of access for different sections of the MIB tree. The VACM is described by RFC 2575.

This document will discuss how to use the net-snmp tools to get and set data from a remote host.

Users

A user's profile contains the following data:

 % snmptranslate`` ``-Tp`` ``-IR`` ``usmUserTable  +--usmUserTable(2)     |     +--usmUserEntry(1)        |        +-- ---- String    usmUserEngineID(1)        |        Textual Convention: SnmpEngineID        |        Size: 5..32        +-- ---- String    usmUserName(2)        |        Textual Convention: SnmpAdminString        |        Size: 1..32        +-- -R-- String    usmUserSecurityName(3)        |        Textual Convention: SnmpAdminString        |        Size: 0..255        +-- CR-- ObjID     usmUserCloneFrom(4)        |        Textual Convention: RowPointer        +-- CR-- ObjID     usmUserAuthProtocol(5)        |        Textual Convention: AutonomousType        +-- CR-- String    usmUserAuthKeyChange(6)        |        Textual Convention: KeyChange        +-- CR-- String    usmUserOwnAuthKeyChange(7)        |        Textual Convention: KeyChange        +-- CR-- ObjID     usmUserPrivProtocol(8)        |        Textual Convention: AutonomousType        +-- CR-- String    usmUserPrivKeyChange(9)        |        Textual Convention: KeyChange        +-- CR-- String    usmUserOwnPrivKeyChange(10)        |        Textual Convention: KeyChange        +-- CR-- String    usmUserPublic(11)        |        Size: 0..32        +-- CR-- EnumVal   usmUserStorageType(12)        |        Textual Convention: StorageType        |        Values: other(1), volatile(2), nonVolatile(3), permanent(4), readOnly(5)        +-- CR-- EnumVal   usmUserStatus(13)                 Textual Convention: RowStatus                 Values: active(1), notInService(2), notReady(3), createAndGo(4), createAndWait(5), destroy(6)

Well, that's nice but what does it mean?

To summarize, most importantly each user has a name (called a securityName) an authentication type (authProtocol) and a privacy type (privProtocol) as well as associated keys for each of these (authKey and privKey).

Authentication is performed by using a user's authKey to sign the message being sent. The authProtocol can be either MD5 or SHA at this time. authKeys (and privKeys) are generated from a passphrase that must be at least 8 characters in length.

Encryption is performed by using a user's privKey to encrypt the data portion of the message being sent. The privProtocol can be either AES or DES.

Messages can be sent unauthenticated and unencrypted (noAuthNoPriv), authenticated but unencrypted (authNoPriv), or authenticated and encrypted (authPriv) by setting the securityLevel to use.

All of this information is passed to commands using the command line arguments described in the table below. Additionally, you can put default values in your ~/.snmp/snmp.conf files using the tokens specified in the 3rd column.

Parameter Command Line Flag snmp.conf token
securityName -u NAME defSecurityName NAME
authProtocol -a (MD5 SHA)
privProtocol -x (AES DES)
authKey -A PASSPHRASE defAuthPassphrase PASSPHRASE
privKey -X PASSPHRASE defPrivPassphrase PASSPHRASE
securityLevel -l (noAuthNoPriv authNoPriv
context -n CONTEXTNAME defContext CONTEXTNAME

Examples

Configuration

The following examples use the Net-SNMP test agent. If you would like to test against your local machine, you can configure the same SNMPv3 users on your machine.

  • edit your snmpd.conf and add

rouser noAuthUser rouser MD5User rwuser MD5DESUser

  • stop snmpd and edit your persistent snmpd.conf and add

createUser NoAuthUser createUser MD5User MD5 "The Net-SNMP Demo Password" createUser MD5DESUser MD5 "The Net-SNMP Demo Password" DES

  • start snmpd again.

Commands

Here is a completely unauthenticated request (which still needs a user name, nonetheless):

 % snmpgetnext`` ``-v`` ``3`` ``-n`` ``""`` ``-u`` ``noAuthUser`` ``-l`` ``noAuthNoPriv`` ``test.net-snmp.org`` ``sysUpTime  system.sysUpTime.0 = Timeticks: (83467131) 9 days, 15:51:11.31

Here is an authenticated request:

 % snmpgetnext`` ``-v`` ``3`` ``-n`` ``""`` ``-u`` ``MD5User`` ``-a`` ``MD5`` ``-A`` ``"The`` ``Net-SNMP`` ``Demo`` ``Password"`` ``-l`` ``authNoPriv`` ``test.net-snmp.org`` ``sysUpTime  system.sysUpTime.0 = Timeticks: (83491735) 9 days, 15:55:17.35

And finally, here is an authenticated and encrypted request:

 % snmpgetnext`` ``-v`` ``3`` ``-n`` ``""`` ``-u`` ``MD5DESUser`` ``-a`` ``MD5`` ``-A`` ``"The`` ``Net-SNMP`` ``Demo`` ``Password"`` ``-x`` ``DES`` ``-X`` ``"The`` ``Net-SNMP`` ``Demo`` ``Password"`` ``-l`` ``authPriv`` ``test.net-snmp.org`` ``system  system.sysUpTime.0 = Timeticks: (83493111) 9 days, 15:55:31.11

Of course, they don't look much different since they all worked identically. But, the host above allows us to look at it using any level of authentication. Any hosts you set up should be more restricted than that and require at least a level of authNoPriv when you configure the VACM access control.

Finally, consider a snmp.conf file that looks like this:

 defContext none  defSecurityName MD5User  defAuthPassphrase The Net-SNMP Demo Password  defVersion 3  defAuthType MD5  defSecurityLevel authNoPriv

This sets up the defaults for you so that your snmp commands can boil down to something as simple as:

 % snmpgetnext`` ``test.net-snmp.org`` ``sysUpTime  system.sysUpTime.3.0 = Timeticks: (83517052) 9 days, 15:59:30.52

Or:

 % snmpset`` ``test.net-snmp.org`` ``ucdDemoPublicString.0`` ``s`` ``"I`` ``changed`` ``something"  enterprises.ucdavis.ucdDemoMIB.ucdDemoMIBObjects.ucdDemoPublic.ucdDemoPublicString.2.0 = "I changed something"

Then:

 % snmpget`` ``test.net-snmp.org`` ``ucdDemoPublicString.0  enterprises.ucdavis.ucdDemoMIB.ucdDemoMIBObjects.ucdDemoPublic.ucdDemoPublicString.2.0 = "I changed something"

Add a custom footer
Add a custom sidebar
Clone this wiki locally