TUT:SNMPv3 Options
From Net-SNMP Wiki
SNMPv3 Options
Introduction
The 3rd version of the SNMP protocol introduced a whole slew of security-related features that were missing from the previous versions. In SNMPv1 and SNMPv2c, a simple community string was put in clear text into the packet to authenticate the request. This is obviously highly insecure. (If it's not obvious, then just trust me).
SNMPv3 introduces advanced security which splits the authentication and the authorization into two pieces:
The USM is the default Security Module (and the only one we currently support). The U stands for User-based, as it contains a list of users and their attributes. The USM is described by RFC 2574.
The VACM is the View-based Access Control Module and controls which users (and SNMPv1/v2c communities as well) are allowed to access and how they can access sections of the MIB tree. The VACM is described by RFC 2575.
This document will discuss how to use the net-snmp tools to get and set data from a remote host.
Users
A user's profile contains the following data:
```
% snmptranslate -Tp -IR usmUserTable
+--usmUserTable(2)
   |
   +--usmUserEntry(1)
      |
      +-- ---- String    usmUserEngineID(1)
      |        Textual Convention: SnmpEngineID
      |        Size: 5..32
      +-- ---- String    usmUserName(2)
      |        Textual Convention: SnmpAdminString
      |        Size: 1..32
      +-- -R-- String    usmUserSecurityName(3)
      |        Textual Convention: SnmpAdminString
      |        Size: 0..255
      +-- CR-- ObjID     usmUserCloneFrom(4)
      |        Textual Convention: RowPointer
      +-- CR-- ObjID     usmUserAuthProtocol(5)
      |        Textual Convention: AutonomousType
      +-- CR-- String    usmUserAuthKeyChange(6)
      |        Textual Convention: KeyChange
      +-- CR-- String    usmUserOwnAuthKeyChange(7)
      |        Textual Convention: KeyChange
      +-- CR-- ObjID     usmUserPrivProtocol(8)
      |        Textual Convention: AutonomousType
      +-- CR-- String    usmUserPrivKeyChange(9)
      |        Textual Convention: KeyChange
      +-- CR-- String    usmUserOwnPrivKeyChange(10)
      |        Textual Convention: KeyChange
      +-- CR-- String    usmUserPublic(11)
      |        Size: 0..32
      +-- CR-- EnumVal   usmUserStorageType(12)
      |        Textual Convention: StorageType
      |        Values: other(1), volatile(2), nonVolatile(3), permanent(4), readOnly(5)
      +-- CR-- EnumVal   usmUserStatus(13)
               Textual Convention: RowStatus
               Values: active(1), notInService(2), notReady(3), createAndGo(4), createAndWait(5), destroy(6)
```
Well, that's nice, but what does it mean?
To summarize, most importantly each user has a name (called a securityName), an authentication type (authProtocol) and a privacy type (privProtocol), as well as associated keys for each of these (authKey and privKey).
Authentication is performed by using a user's authKey to sign the message being sent. The authProtocol can be either MD5 or SHA at this time. authKeys (and privKeys) are generated from a passphrase that must be at least 8 characters in length.
Privacy (encryption) is performed by using a user's privKey to encrypt the data portion of the message being sent. The privProtocol can be either AES or DES.
Messages can be sent unauthenticated, authenticated, or authenticated and encrypted by setting the securityLevel to use.
All of this information is passed to commands using the command line arguments described in the table below. Additionally, you can put default values in your ~/.snmp/snmp.conf files using the tokens specified in the 3rd column.
| Parameter | Command Line Flag | snmp.conf token |
|---|---|---|
| securityName | -u NAME | defSecurityName NAME |
| authProtocol | -a (MD5|SHA) | defAuthType (MD5|SHA) |
| privProtocol | -x (AES|DES) | defPrivType (AES|DES) |
| authKey | -A PASSPHRASE | defAuthPassphrase PASSPHRASE |
| privKey | -X PASSPHRASE | defPrivPassphrase PASSPHRASE |
| securityLevel | -l (noAuthNoPriv|authNoPriv|authPriv) | defSecurityLevel (noAuthNoPriv|authNoPriv|authPriv) |
| context | -n CONTEXTNAME | defContext CONTEXTNAME |
Examples
Here is a completely unauthenticated request (which still needs a user name, nonetheless):
```
% snmpgetnext -v 3 -n "" -u noAuthUser -l noAuthNoPriv test.net-snmp.org sysUpTime
system.sysUpTime.0 = Timeticks: (83467131) 9 days, 15:51:11.31
```
Here is an authenticated request:
```
% snmpgetnext -v 3 -n "" -u MD5User -a MD5 -A "The Net-SNMP Demo Password" -l authNoPriv test.net-snmp.org sysUpTime
system.sysUpTime.0 = Timeticks: (83491735) 9 days, 15:55:17.35
```
And finally, here is an authenticated and encrypted request:
```
% snmpgetnext -v 3 -n "" -u MD5DESUser -a MD5 -A "The Net-SNMP Demo Password" -x DES -X "The Net-SNMP Demo Password" -l authPriv test.net-snmp.org system
system.sysUpTime.0 = Timeticks: (83493111) 9 days, 15:55:31.11
```
Of course, they don't look much different since they all worked identically. But, the host above allows us to look at it using any level of authentication. Any hosts you set up should be more restricted than that and require at least a level of authNoPriv when you configure the VACM access control.
Finally, consider a snmp.conf file that looks like this:
```
defContext none
defSecurityName MD5User
defAuthPassphrase The Net-SNMP Demo Password
defVersion 3
defAuthType MD5
defSecurityLevel authNoPriv
```
This sets up the defaults for you so that your snmp commands can boil down to something as simple as:
```
% snmpgetnext test.net-snmp.org sysUpTime
system.sysUpTime.3.0 = Timeticks: (83517052) 9 days, 15:59:30.52
```
Or:
```
% snmpset test.net-snmp.org ucdDemoPublicString.0 s "I changed something"
enterprises.ucdavis.ucdDemoMIB.ucdDemoMIBObjects.ucdDemoPublic.ucdDemoPublicString.2.0 = "I changed something"
```
Then:
```
% snmpget test.net-snmp.org ucdDemoPublicString.0
enterprises.ucdavis.ucdDemoMIB.ucdDemoMIBObjects.ucdDemoPublic.ucdDemoPublicString.2.0 = "I changed something"
```
