SNMPv3 is a more secure version of SNMP that addresses vulnerabilities in earlier versions. It provides features like authentication, encryption, and access control. The document discusses SNMPv3 concepts like views, groups, users and how to configure these security elements on an AT-8000S device using CLI commands to enable secure SNMP management.
2. Overview
• Simple Network Management Protocol Version 3 (SNMPv3) is
an interoperable, standards-based protocol for network
management.
• SNMPv3 provides secure access to devices by a
combination of authenticating and encrypting packets over
the network.
Marvell Confidential
3. Overview
• The following security features are included in SNMPv3:
– Message integrity
– Authentication
– Encryption
• SNMPv3 also describes how to apply access control and the
new trap-sending mechanism to SNMPv1 and SNMPv2 PDUs.
4. Local Engine Information
• Each SNMP agent maintains some local information to be
used in SNMPV3 message exchanges.
• An SNMP agent is considered an authoritative SNMP
engine.
• This applies both to incoming messages (Get, GetNext,
GetBulk, Set), which the agent receives, and to Trap
messages, which it sends to a manager.
• The agent’s local information is encapsulated in message
fields.
5. Security
• RFC 2574 defines the user-based security model (USM) for
SNMPv3.
• This specification includes:
– Authentication
– Privacy
– Timeliness
– Key management
6. Authentication
• Provides data integrity and data origin authentication.
• Using authentication for an SNMPV3 message involves an
authentication code HMAC, with the hash function either
MD5 or SHA-1.
• This code is created by the originator of the SNMP message
and is written into the msgAuthenticationParameters field
of the message.
• The receiver then uses this code to validate the message’s
integrity and origin.
• The agent supports both HMAC-MD5 and HMAC-SHA
protocols.
7. Privacy
• Protects against disclosure of the message’s payload.
• The cipher block-chaining (CBC) mode of DES is used for
encryption.
• The user can either employ authentication on an SNMP
message, or both authentication and privacy, but not
privacy without authentication.
8. Timeliness
• Protects against message delay or replay.
• The SNMP agent performs a timeliness check on an incoming
message by comparing the time information carried in the
message against its own clock.
9. Key management
• Defines procedures for key generation, update and use.
• The keys for authentication and privacy are not passed via
the SNMP protocol.
• The NMS shares the keys with each agent it works with.
• The RFC defines a procedure for producing the key the
NMS shares with a certain agent, by using an NMS
password and that agent’s engineID.
• Changing an authentication or privacy key is done by
changing the appropriate fields in the usmUserTable. The
new key is calculated by the agent according to the old key.
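The password-to-key procedure described above, as an added example that is not part of the slides: it implements the RFC 2574/3414 Appendix A algorithm (hash 1 MiB of the repeated password to get Ku, then localize it with the agent's snmpEngineID) and checks it against the published RFC 3414 Appendix A.3 test vector. The second engine ID is a constructed placeholder used only to show that one password yields unrelated keys on different agents.

```python
import hashlib

# Published test vector from RFC 3414 Appendix A.3 (not from the slides).
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
# Constructed, hypothetical engine ID of a second agent.
OTHER_ENGINE_ID = bytes.fromhex("800000090300aabbccddeeff")


def password_to_ku(password: bytes, algo: str = "md5") -> bytes:
    """Step 1 (RFC 3414 A.2): hash 1,048,576 bytes of the repeated password."""
    if not password:
        raise ValueError("empty password")
    expanded = (password * (1048576 // len(password) + 1))[:1048576]
    return hashlib.new(algo, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Step 2 (RFC 3414 A.2): Kul = H(Ku || snmpEngineID || Ku)."""
    if not 5 <= len(engine_id) <= 32:  # SnmpEngineID is 5..32 octets
        raise ValueError("snmpEngineID must be 5..32 octets")
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """The key the NMS shares with the agent identified by engine_id."""
    return localize_key(password_to_ku(password, algo), engine_id, algo)


def keys_differ_per_agent(password: bytes, algo: str = "md5") -> bool:
    """Same NMS password, two agents: the localized keys are unrelated,
    so a key recovered from one agent does not work against another."""
    k1 = localized_key(password, RFC_ENGINE_ID, algo)
    k2 = localized_key(password, OTHER_ENGINE_ID, algo)
    return k1 != k2


if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        print(algo, "Ku  =", password_to_ku(RFC_PASSWORD, algo).hex())
        print(algo, "Kul =", localized_key(RFC_PASSWORD, RFC_ENGINE_ID, algo).hex())
    print("keys differ per agent:", keys_differ_per_agent(RFC_PASSWORD))
```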
10. Sending Traps
• Defined in RFC 2573.
• The mechanism of sending traps defined in the SNMPv3
architecture includes the following phases:
– Identifying management targets for traps
– Filtering of a trap
– Choosing parameters to generate the trap message
– Access control checks
11. Access Control
• RFC 2575 defines the View-Based Access Control Model
(VACM), which enables an SNMP agent to force a particular
set of access rights to MIB data.
• Determining access rights depends on the following
factors:
– The principal that initiates the access request. For
example, a manager responsible for a whole network
configuration may have wide authority to change
MIB values, while a manager with monitoring
responsibility may have read-only access or even no
access at all to certain MIB objects.
12. Access Control (Cont.)
– The security level used for delivering the SNMP
request in the network. Usually, a manager will
require authentication for set requests.
– The security model used for processing the SNMP
request. The agent can define different levels of
access for the SNMPv1 and SNMPv2 security models,
in which no security policy has been applied to the
message, and for the SNMPv3 User-Based Security
Model.
– The MIB context in the request. A context is a
named subset of MIB object instances.
13. Access Control (Cont.)
– An SNMP agent can maintain one or more contexts,
and a MIB object or object instance can belong to
one or more contexts.
– For example, an agent can maintain information of
multiple devices, with each of them represented by a
different context name.
– The originator of an SNMP request should fill the
name of the context of the MIB data it wants to
access in the contextName field of the message.
– The specific object instance for which access is
requested. Some objects contain information that is
more sensitive than that of others.
14. Access Control (Cont.)
– The type of access requested: read, write or
notify.
– A different access control policy may be applied for
each one of these management operations.
16. SNMPv3 in AT-8000S
• MD5 keys and passwords are saved in the configuration
file.
• Some checks are made on user entries, to facilitate correct
configuration of SNMPv3 (and help the user avoid
mistakes).
• Definition of a username or community is contingent
upon prior definition of a group name.
17. User controls
The user can configure the following per SNMP
manager and trap receiver:
• Mode of operation (version of SNMP to use).
• Authentication and encryption facilities used.
• MIB access rights (read, write, notify).
The user can configure the following per system:
• SNMPv3 Engine ID.
19. Enabling SNMP community
• Use the following global configuration command
to set up the community access string to permit
access to the SNMP command.
snmp-server community community [ro | rw | su] [ip-address] [view
view-name]
snmp-server community-group community group-name [ip-address]
community Community string that acts like a password
and permits access to the SNMP protocol (up
to 20 characters).
20. Enabling SNMP community (Cont.)
• To remove a specified community string use:
no snmp-server community community [ip-address]
21. Creating/updating a View Entry
• Use the following global configuration command to create or
update a view entry. To remove the specified SNMP server view
entry, use the “no” form of this command.
snmp-server view view-name oid-tree {included | excluded}
no snmp-server view view-name [oid-tree]
view-name Label for the view record that you are updating or
creating. The name is used to reference the record.
oid-tree Object identifier of the ASN.1 subtree to be included or
excluded from the view.
included The view type is included.
excluded The view type is excluded.
22. Creating/updating a View Entry (Cont.)
Example:
console(config)# snmp-server view user-view system included
console(config)# snmp-server view user-view system.7 excluded
console(config)# snmp-server view user-view ifEntry.*.1 included
23. Mapping SNMP Users to SNMP Views
• Use the following global configuration command to
configure a new SNMP group, or a table that maps SNMP
users to SNMP views. To remove a specified SNMP group,
use the no form of this command.
snmp-server group groupname {v1 | v2 | v3 {noauth | auth | priv}}
[notify notifyview ] [read readview] [write writeview]
no snmp-server group groupname [v1 | v2 | v3 [noauth | auth | priv]]
Example:
console(config)# snmp-server group user-group v3 priv read user-view
24. SNMP engineID
• Use the following Global Configuration mode command to
specify the SNMP engineID on the local device. To
remove the configured engine ID, use the no form of this
command.
snmp-server engineID local { engineid-string | default}
no snmp-server engineID local
engineid-string—Specifies a character string that identifies the
engine ID. (Range: 9-64 hexadecimal characters)
default—The engine ID is created automatically based on the
device MAC address.
console(config)# snmp-server engineid local default
25. Configure SNMPv3 User
• Use the following global configuration command to configure a new SNMP
Version 3 user. To remove a user, use the no form of the command.
snmp-server user username groupname [remote engineid-string] [ auth-md5
password |auth-sha password | auth-md5-key md5-des-keys | auth-sha-key
sha-des-keys ]
no snmp-server user username
username The name of the user on the host that connects to the
agent.
groupname The previously-defined name of the group to which the
user belongs.
engineid-string—Specifies the engine ID of the remote SNMP entity to which
the user belongs.
26. Configure SNMPv3 User (Cont.)
• If auth-md5 or auth-sha is specified, both
authentication and privacy are enabled for the
user.
• When you enter a “show running-config”
command, you will not see a line for this user.
• To see if this user has been added to the
configuration, type the “show snmp user”
command.
• An SNMP Engine ID has to be defined before SNMP
users can be added to the device.
27. Enable Sending Traps
• Use the following Global Configuration command to enable
the device to send SNMP traps. To disable SNMP traps, use
the no form of the command.
snmp-server enable traps
no snmp-server enable traps
28. Enable Authentication Traps
• Use the following Global Configuration command to enable
the device to send SNMP traps when authentication fails.
To disable these SNMP traps, use the no form of the
command.
snmp-server traps authentication
no snmp-server traps authentication
29. SNMP Filter Entry
• Use the following global configuration command to create
or update a filter entry. To remove the specified SNMP server
filter entry, use the no form of this command:
snmp-server filter filter-name oid-tree {included | excluded}
no snmp-server filter filter-name [oid-tree]
console(config)# snmp-server filter filter-name system included
console(config)# snmp-server filter filter-name system.7 excluded
console(config)# snmp-server filter filter-name ifEntry.*.1 included
30. Recipient of SNMPv3 Notification
• Use the following global configuration command to specify
the recipient of SNMP V3 notification operation:
snmp-server v3-host {ipaddr|hostname} username [traps | informs]
{noauth | auth | priv} [udp-port port] [filter filtername] [timeout
seconds] [retries retries]
To delete the recipient use:
no snmp-server v3-host host-addr [traps | informs] [username]
31. Recipient of SNMPv3 Notification (Cont.)
• If a trap and inform are defined on the same target, and an
inform was sent, the trap would not be sent.
• A user and notification view are not automatically created.
Use the snmp-server user, snmp-server group and
snmp-server view Global Configuration mode commands to
generate a user, group and notify view, respectively.
33. Snmp Server Host
• Use the following global configuration command to specify
the recipient of Simple Network Management Protocol
Version 1 or Version 2 notifications.
snmp-server host {ip-address | hostname} community-string
[traps | informs] [1 | 2] [udp-port port] [filter filtername]
[timeout seconds] [retries retries]
• To remove the specified host, use the no form of this
command.
no snmp-server host {ip-address | hostname} [traps |
informs]
34. Snmp Server contact
• Use the following global configuration command to
configure the system contact (sysContact) string.
snmp-server contact text
• To remove system contact information, use the no form of the
command.
no snmp-server contact
35. Snmp Server Location
• Use the following global configuration command to
configure the system location string.
snmp-server location text
• To remove system location information, use the no form of the
command.
no snmp-server location
36. Snmp Server Set
• Use the following global configuration command to define
the SNMP MIB value.
snmp-server set variable-name name1 value1 [ name2 value2 …]
• Although the CLI can set any required configuration, there
might be a situation where a SNMP user sets a MIB variable
that does not have an equivalent command. In order to
generate configuration files that support those situations,
the snmp-server set command is used.
38. SNMPv3
[Diagram: each User_ID maps to a Group_ID, and each group to one or
more views (View #1 … View #n); every view lists MIB subtrees that are
included (MIB X included) or excluded (MIB Y excluded).]
39. View configuration
• Configuring 3 views: a1, a2, a3:
console(config)# snmp-server view a1 ip included
console(config)# snmp-server view a1 ipForwarding excluded
console(config)# snmp-server view a2 internet included
console(config)# snmp-server view a3 ipDefaultTTL included
console(config)# exit
console# show snmp views
Name          OID Tree             Type
------------- -------------------- --------
a1            ip                   included
a1            ipForwarding         excluded
a2            internet             included
a3            ipDefaultTTL         included
Default       iso                  included
Default       snmpVacmMIB          excluded
Default       usmUser              excluded
Default       snmpCommunityTable   excluded
Default       rndCommunityTable    excluded
DefaultSuper  iso                  included
40. Group configuration
• Configuring 3 groups: b1, b2, b3:
console(config)# snmp-server group b1 v3 auth read Default write a1
console(config)# snmp-server group b2 v3 noauth read a2 write a2
console(config)# snmp-server group b3 v3 priv read a3
console(config)# exit
console# show snmp groups
Name   Security  Security  Views
       Model     Level     Read      Write   Notify
------ --------- --------- --------- ------- -------
b1     V3        auth      Default   a1      -
b2     V3        noauth    a2        a2      -
b3     V3        priv      a3        -       -
41. Engine ID
• Specifies the SNMP engine ID on the local device; with the
default keyword, the engine ID is created automatically from
the device MAC address.
console(config)# snmp-server engineid local default
42. Defining users
• Configuring 3 users: c1, c2, c3:
console(config)# snmp-server user c1 b1 auth-md5 password1
console(config)# snmp-server user c2 b2
console(config)# snmp-server user c3 b3 auth-sha password3
console# show snmp users
Name   Group name   Auth Method   Remote
------ ------------ ------------- -----------------
c1     b1           MD5
c2     b2           noAuth
c3     b3           SHA
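The view, group and user slides above describe a complete VACM policy; the following is an added example (not the device's own implementation) that evaluates that policy the way RFC 2575/3415 describes: the longest matching view subtree decides inclusion, and a request is honoured only if its security level is at least the group's configured level. The numeric OIDs for the symbolic names (iso, internet, ip, ipForwarding, ipDefaultTTL, snmpVacmMIB) are assumed from the standard MIB-II and SNMP-VACM-MIB numbering; the Default view is abbreviated to two entries.

```python
# Views, groups and users copied from the slides' example configuration.
# Numeric OIDs are assumed from standard MIB numbering (not on the slides).
OIDS = {
    "iso": (1,),
    "internet": (1, 3, 6, 1),
    "ip": (1, 3, 6, 1, 2, 1, 4),
    "ipForwarding": (1, 3, 6, 1, 2, 1, 4, 1),
    "ipDefaultTTL": (1, 3, 6, 1, 2, 1, 4, 2),
    "snmpVacmMIB": (1, 3, 6, 1, 6, 3, 16),
}
VIEWS = {  # view-name -> [(subtree, included?)], as entered with snmp-server view
    "a1": [("ip", True), ("ipForwarding", False)],
    "a2": [("internet", True)],
    "a3": [("ipDefaultTTL", True)],
    "Default": [("iso", True), ("snmpVacmMIB", False)],  # abbreviated
}
LEVELS = {"noauth": 0, "auth": 1, "priv": 2}
GROUPS = {  # group -> (minimum security level, read view, write view)
    "b1": ("auth", "Default", "a1"),
    "b2": ("noauth", "a2", "a2"),
    "b3": ("priv", "a3", None),
}
USERS = {"c1": "b1", "c2": "b2", "c3": "b3"}  # user -> group


def in_view(view: str, oid: tuple) -> bool:
    """VACM view evaluation: the longest subtree that prefixes `oid` decides,
    so an 'excluded' entry carves a hole out of a broader 'included' one."""
    best = None
    for name, included in VIEWS[view]:
        sub = OIDS[name]
        if oid[:len(sub)] == sub and (best is None or len(sub) > len(best[0])):
            best = (sub, included)
    return best is not None and best[1]


def is_allowed(user: str, level: str, op: str, oid: tuple) -> bool:
    """True if `user`, sending at security `level`, may `op` ('read'/'write') `oid`."""
    group = USERS.get(user)
    if group is None:
        return False                      # unknown securityName
    min_level, read_view, write_view = GROUPS[group]
    if LEVELS[level] < LEVELS[min_level]:
        return False                      # message weaker than the group requires
    view = read_view if op == "read" else write_view
    return view is not None and in_view(view, oid)
```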