Nortel Networks 8600 manual SNMPv3 Overview, SNMPv3 USM

Technical Configuration Guide for SNMP

v2.0

December 2006

1. SNMPv3 Overview

SNMPv3 is the third version of the Internet-Standard Management Framework and is derived from and builds upon both the original Internet-Standard Management Framework (SNMPv1) and the second Internet-Standard Management Framework (SNMPv2). SNMPv3 is not a stand-alone replacement for SNMPv1 and/or SNMPv2. It defines security capabilities to be used in conjunction with SNMPv2 (preferred) or SNMPv1. As shown in Figure 1 below, SNMPv3 specifies a User Security Model (USM) that carries a payload of either an SNMPv1 or an SNMPv2 protocol data unit (PDU).

Figure 1: SNMPv3 USM (figure not reproduced). The figure shows the layered model: PDU Processing (SNMPv1 or SNMPv2) above Message Processing (SNMPv3 USM), carried over UDP and IP. The encapsulation builds up from the SNMP PDU, to V3-MH + SNMP PDU, to UDP-H + V3-MH + SNMP PDU, to IP-H + UDP-H + V3-MH + SNMP PDU.

Legend: PDU = Protocol Data Unit; USM = User Based Security Model; IP-H = IP header; UDP-H = UDP header; V3-MH = SNMPv3 message header

Authentication within the User-based Security Model (USM) allows the recipient of a message to verify whom the message is from and whether the message has been altered. As per RFC 2574, if authentication is used, the entire message is checked for integrity. Authentication uses a secret key to produce a fingerprint of the message, which is included in the message. The receiving entity uses the same secret key to validate the fingerprint. Currently, two authentication protocols are defined for use with USM: HMAC-MD5 and HMAC-SHA-96.
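The following is an added illustration, not code from the Nortel guide: it derives a localized USM authentication key from a passphrase (RFC 3414 key localization, checked against the RFC's "maplesyrup" test vector), computes the 96-bit HMAC fingerprint over a constructed stand-in message with the authentication field zeroed, and shows the receiver accepting the intact message and rejecting a one-bit modification. The message layout (header, 12-byte authentication field, PDU) is a simplification assumed here.

```python
import hashlib
import hmac

# RFC 3414 password-to-key: hash 1,048,576 bytes of the cyclically repeated
# passphrase to get Ku, then localize it to the authoritative engine ID:
# Kul = H(Ku | engineID | Ku). Use "md5" for HMAC-MD5-96, "sha1" for HMAC-SHA-96.
def password_to_key(password: bytes, engine_id: bytes, hashname: str = "sha1") -> bytes:
    expanded = (password * (1048576 // len(password) + 1))[:1048576]
    ku = hashlib.new(hashname, expanded).digest()
    return hashlib.new(hashname, ku + engine_id + ku).digest()

# The fingerprint is the first 12 bytes (96 bits) of the HMAC over the whole
# message, computed with the msgAuthenticationParameters field set to 12 zero
# bytes; the sender then writes the fingerprint into that field.
AUTH_PARAM_LEN = 12

def fingerprint(kul: bytes, wholemsg: bytes, offset: int, hashname: str = "sha1") -> bytes:
    zeroed = wholemsg[:offset] + bytes(AUTH_PARAM_LEN) + wholemsg[offset + AUTH_PARAM_LEN:]
    return hmac.new(kul, zeroed, hashname).digest()[:AUTH_PARAM_LEN]

def verify(kul: bytes, wholemsg: bytes, offset: int, hashname: str = "sha1") -> bool:
    # Receiver recomputes over the same zeroed message and compares in constant time.
    received = wholemsg[offset:offset + AUTH_PARAM_LEN]
    return hmac.compare_digest(received, fingerprint(kul, wholemsg, offset, hashname))

def build_and_check(kul: bytes, hashname: str = "sha1"):
    # Constructed stand-in for an SNMPv3 message: header, auth field, then the PDU.
    header = b"constructed-v3-message-header:"
    pdu = b"constructed-v2-GetRequest-PDU"
    offset = len(header)
    msg = header + bytes(AUTH_PARAM_LEN) + pdu
    signed = msg[:offset] + fingerprint(kul, msg, offset, hashname) + msg[offset + AUTH_PARAM_LEN:]
    # Flip one bit in the PDU: the fingerprint no longer matches.
    tampered = signed[:-1] + bytes([signed[-1] ^ 0x01])
    return verify(kul, signed, offset, hashname), verify(kul, tampered, offset, hashname)

if __name__ == "__main__":
    engine_id = bytes(11) + b"\x02"  # engine ID from the RFC 3414 test vector
    kul = password_to_key(b"maplesyrup", engine_id, "sha1")
    print(kul.hex(), build_and_check(kul, "sha1"))  # (True, False)
```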

While the USM provides user-name/password authentication and privacy services, access control to management information (the MIB) must also be defined. The View-based Access Control Module (VACM) defines a set of services that an application can use to check access rights (read, write, notify) to a particular object. VACM uses the ASN.1 notation (3.6.1.4) or the name of the SNMP MIB branch, i.e. Org.Dod.Internet.Private. The administrator can define a MIB group view for a user to allow access to an appropriate portion of the MIB, matched to an approved security level. The three security levels are:

NoAuthNoPriv - Communication without authentication and without privacy

AuthNoPriv - Communication with authentication (MD5 or SHA) and without privacy

AuthPriv - Communication with authentication (MD5 or SHA) and privacy (DES or AES)

NOTE: Please refer to the Ethernet Routing Switch 8600 4.1 release notes (Part number 317177-D Rev 01) for important information regarding SNMPv3. Special considerations apply regarding the hidden and encrypted community table information.


NORTEL

External Distribution

5
