DMC ITSY 2430 - Simple Network Management Protocol


SNMPv3
Simple Network Management Protocol
AN ALCATEL EXECUTIVE BRIEF
February, 2003

Table of Contents
1. Introduction
2. SNMP Operation
3. SNMPv3
3.1. User-based Security Model (USM)
3.2. View-based Access Control Model (VACM)
4. Conclusion
Appendix A: Abbreviations and acronyms
Appendix B: Sources for further information

Copyright © 2003 Alcatel Internetworking.
The hyperlinks provided in this Executive Briefing are merely for the convenience of our Executive Briefing readers. Alcatel Internetworking, Inc. has no interest in, responsibility for, or control over the linked-to sites. AII disclaims all warranties, expressed and implied, including those of merchantability, fitness for a particular purpose and non-infringement, with respect to the information contained herein, the hyperlinks provided, the information contained therein, and the use thereof. In no event shall AII be liable for any damages resulting from the reader’s use of the information contained herein and/or the hyperlinks provided, even if AII has been informed of the possibility of such damages.
P/N 031249-00 2/03

1.0 Introduction

Network managers need to be able to communicate with and control each element in a network. With the large numbers of devices in networks today, it would be difficult, if not impossible, to manage the network by configuring each device manually. To add to the complexity, most networks contain a mixture of network protocols.

Centralized management is the answer. The Simple Network Management Protocol (SNMP) was initially designed as a stop-gap measure for network management until a more sophisticated method could be developed. It was created to allow simple yet effective network management. Despite being created as a temporary solution, SNMP has continued to evolve. Today SNMP is supported by virtually every enterprise network equipment manufacturer worldwide.

SNMPv1 (RFC 1157) was effective and easy to implement, but had problems. SNMPv2 (RFC 1902) was developed to add new features and to correct the limitations and bugs of the original. SNMPv2 improved the functionality of version 1, but still did not meet security requirements such as authentication and encryption. SNMPv3 addresses these limitations with the addition of powerful security features including access control, authentication, and privacy of management information.

2.0 SNMP Operation

Enhancements to SNMP are modular in nature to allow for gradual evolution of the protocol. The architecture, structure, and framework of all three versions are consistent.

The SNMP model consists of a network management station and the devices that are managed, which are called agents. The management station uses User Datagram Protocol (UDP) packets called protocol data units (PDUs) and the SNMP protocol to communicate with devices running agent software.

Each network device agent maintains a database called a MIB that contains configuration and traffic information about that network device. The MIB (management information base) is a hierarchical database that the network management software reads and modifies using SNMP commands sent in PDUs. For example, a management station may send an SNMP PDU to an agent to retrieve information about network statistics or to change a parameter in the MIB.

SNMP offers the following basic functions:

• Get – The get command retrieves specific information stored in the MIB. An example of this command is, “Get 1.3.6.1.800.4.5.6.” The number that the get command generates is similar to a file number. Every piece of MIB information is identified this way.
• Get next – Get next is almost identical to the get command, except it requests the next incremental value. For example, one MIB file might show the current number of packets received by a port, which is retrieved by a get. A get next requests the next update.
• Get reply – A get reply is sent with the information requested by a get or get next command.
• Set – Set is the command used to configure a device.
• Trap (or event) – A trap is sent to the management station when a special condition such as start up, shut down, an error, etc., occurs in the device.

A network management station uses the get, get reply, and set commands to inspect, configure, and monitor a network device through the MIB. Unlike the other SNMP functions, traps are unsolicited events, meaning that they come directly from a device when it detects a problem. Trap PDUs are typically sent on a well-known UDP port (162) so that any station that is set up to listen to that port receives the traps.

3.0 SNMPv3

SNMPv3, first defined in IETF RFCs 2271-2275 and again in 3410-3415, is designed to be backward compatible with SNMP versions 1 and 2 and add security in the form of access control, authentication, and encryption to existing SNMP implementations. As such, version 3 is essentially version 2 with the addition of security features and other enhancements. Two of the most significant additions provided by SNMPv3 are the User-based Security Model (USM) and View-based Access Control Model (VACM).

3.1 User-based Security Model (USM)

The User-based Security Model (USM) of SNMPv3 defines mechanisms for providing message-level security for SNMP implementations. The USM is designed to protect against threats such as:

• Modification of information – changing management information in transit between the SNMP manager and agent
• Masquerade – a non-authorized user assuming the identity of a user authorized to perform management operations
• Message stream modification – reordering or copying packets in a management message stream for malicious purposes
• Disclosure – a non-authorized user accessing a message in transit to learn information (e.g., passwords) contained in the stream

SNMPv3 provides authentication, ensures data integrity, and prevents masquerading.

After a network manager logs on to a management station with a username and password, SNMPv3
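
How an agent can detect the first three threats in the USM list above, shown as an added example that is not part of the Alcatel brief: a simplified model of USM-style message authentication (a truncated keyed digest plus a timeliness check), not the SNMPv3 wire format. The user name, key, PDU text and function names are constructed for illustration; protection against disclosure needs the separate privacy (encryption) service, which is left out here.

```python
import hashlib
import hmac

TIME_WINDOW = 150  # seconds; the USM timeliness window from RFC 3414
TAG_LEN = 12       # USM truncates the HMAC to 96 bits

# Constructed sample user table: user name -> authentication key. A plain hash
# stands in for USM's password-to-key procedure (assumption, for brevity).
AGENT_USERS = {"netops": hashlib.sha1(b"constructed-sample-passphrase").digest()}


def _digest(key, user, boots, etime, pdu):
    """HMAC-SHA1-96 over every field the receiver relies on."""
    header = f"{user}|{boots}|{etime}|".encode()
    return hmac.new(key, header + pdu, hashlib.sha1).digest()[:TAG_LEN]


def build_message(key, user, boots, etime, pdu):
    """Manager side: attach the digest to the outgoing message."""
    return {"user": user, "boots": boots, "time": etime, "pdu": pdu,
            "tag": _digest(key, user, boots, etime, pdu)}


def verify_message(msg, agent_boots, agent_time, users=AGENT_USERS):
    """Agent side: return 'ok' or the reason the message is rejected."""
    key = users.get(msg["user"])
    if key is None:
        return "unknown user"
    expected = _digest(key, msg["user"], msg["boots"], msg["time"], msg["pdu"])
    if not hmac.compare_digest(expected, msg["tag"]):
        return "wrong digest"          # modification or masquerade
    if msg["boots"] != agent_boots or abs(agent_time - msg["time"]) > TIME_WINDOW:
        return "not in time window"    # delayed or replayed message
    return "ok"


def demo():
    key = AGENT_USERS["netops"]
    # Constructed PDU text; a real PDU would be BER-encoded.
    good = build_message(key, "netops", 7, 1000, b"set ifAdminStatus.3 = down")
    tampered = dict(good, pdu=b"set ifAdminStatus.3 = up")
    forged = build_message(b"\x00" * 20, "netops", 7, 1000, good["pdu"])
    return {
        "genuine": verify_message(good, 7, 1010),
        "modified in transit": verify_message(tampered, 7, 1010),
        "masquerade (wrong key)": verify_message(forged, 7, 1010),
        "replayed later": verify_message(good, 7, 1000 + 600),
        "replayed after reboot": verify_message(good, 8, 5),
    }
```

Calling `demo()` returns one verdict per case; only the genuine message inside the time window is accepted.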

