The third version of the SNMP protocol introduced a whole slew of new security-related features that had been missing from the previous versions. In SNMPv1 and SNMPv2c, a simple community string was put in clear text into the packet to authenticate the request. This is obviously highly insecure. (If it's not obvious, then just trust me.)
SNMPv3 and Security Components
SNMPv3 introduces advanced security which splits the authentication and the authorization into two pieces:
The USM is the default Security Module for SNMPv3. The U stands for User-based, as it contains a list of users and their attributes. The USM is described by RFC 2574.
TLS and DTLS Based Security
A newer security model, the "Transport Security Model" (TSM), is also available. It is defined in RFC 5591 and is designed to work with secure transports like TLS or DTLS. Its usage is documented in the Using TLS tutorial.
Authorization: Who can do what?
The VACM is the default Access Control Module and determines which users (and SNMPv1/v2c communities) are allowed to access MIB information. The V stands for View-based, and allows different levels of access for different sections of the MIB tree. The VACM is described by RFC 2575.
This document will discuss how to use the net-snmp tools to get and set data from a remote host.
A user's profile contains the following data:
    % snmptranslate -Tp -IR usmUserTable
    +--usmUserTable(2)
       |
       +--usmUserEntry(1)
          |
          +-- ---- String    usmUserEngineID(1)
          |        Textual Convention: SnmpEngineID
          |        Size: 5..32
          +-- ---- String    usmUserName(2)
          |        Textual Convention: SnmpAdminString
          |        Size: 1..32
          +-- -R-- String    usmUserSecurityName(3)
          |        Textual Convention: SnmpAdminString
          |        Size: 0..255
          +-- CR-- ObjID     usmUserCloneFrom(4)
          |        Textual Convention: RowPointer
          +-- CR-- ObjID     usmUserAuthProtocol(5)
          |        Textual Convention: AutonomousType
          +-- CR-- String    usmUserAuthKeyChange(6)
          |        Textual Convention: KeyChange
          +-- CR-- String    usmUserOwnAuthKeyChange(7)
          |        Textual Convention: KeyChange
          +-- CR-- ObjID     usmUserPrivProtocol(8)
          |        Textual Convention: AutonomousType
          +-- CR-- String    usmUserPrivKeyChange(9)
          |        Textual Convention: KeyChange
          +-- CR-- String    usmUserOwnPrivKeyChange(10)
          |        Textual Convention: KeyChange
          +-- CR-- String    usmUserPublic(11)
          |        Size: 0..32
          +-- CR-- EnumVal   usmUserStorageType(12)
          |        Textual Convention: StorageType
          |        Values: other(1), volatile(2), nonVolatile(3), permanent(4), readOnly(5)
          +-- CR-- EnumVal   usmUserStatus(13)
                   Textual Convention: RowStatus
                   Values: active(1), notInService(2), notReady(3), createAndGo(4), createAndWait(5), destroy(6)
Well, that's nice but what does it mean?
To summarize, the most important points are that each user has a name (called a securityName), an authentication type (authProtocol) and a privacy type (privProtocol), as well as associated keys for each of these (authKey and privKey).
Authentication is performed by using a user's authKey to sign the message being sent. The authProtocol can be either MD5 or SHA at this time. authKeys (and privKeys) are generated from a passphrase that must be at least 8 characters in length.
Encryption is performed by using a user's privKey to encrypt the data portion of the message being sent. The privProtocol can be either AES or DES.
Messages can be sent unauthenticated and unencrypted (noAuthNoPriv), authenticated but unencrypted (authNoPriv), or authenticated and encrypted (authPriv) by setting the securityLevel to use.
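The passphrase-to-key step and the message signature described above, as an added example (not code from Net-SNMP or from the original page). It follows the password-to-key algorithm in Appendix A.2 of RFC 3414, the successor to the RFC 2574 cited earlier, and uses that appendix's sample passphrase and engineID; the function names are made up for this sketch, and "SHA" is taken to mean SHA-1.

```python
import hashlib
import hmac

# Assumption: "-a MD5" / "-a SHA" correspond to HMAC-MD5-96 / HMAC-SHA-96 (SHA-1).
HASHES = {"MD5": hashlib.md5, "SHA": hashlib.sha1}
MIN_PASSPHRASE_LEN = 8       # minimum length stated on this page
STREAM_LEN = 1024 * 1024     # A.2 hashes exactly 1 MiB of the repeated passphrase


def password_to_key(passphrase: str, auth_protocol: str) -> bytes:
    """Derive the engine-independent key Ku from a passphrase."""
    secret = passphrase.encode()
    if len(secret) < MIN_PASSPHRASE_LEN:
        raise ValueError("passphrase must be at least 8 characters")
    repeats = STREAM_LEN // len(secret) + 1
    return HASHES[auth_protocol]((secret * repeats)[:STREAM_LEN]).digest()


def localize_key(ku: bytes, engine_id: bytes, auth_protocol: str) -> bytes:
    """Bind Ku to one agent: Kul = H(Ku || engineID || Ku)."""
    return HASHES[auth_protocol](ku + engine_id + ku).digest()


def auth_parameters(kul: bytes, whole_msg: bytes, auth_protocol: str) -> bytes:
    """Signature carried in the packet: first 12 octets of the HMAC over the
    whole message, computed with the authParameters field set to zeros."""
    return hmac.new(kul, whole_msg, HASHES[auth_protocol]).digest()[:12]


if __name__ == "__main__":
    # Sample passphrase and engineID from RFC 3414 Appendix A.3.
    engine_id = bytes.fromhex("000000000000000000000002")
    for proto in ("MD5", "SHA"):
        kul = localize_key(password_to_key("maplesyrup", proto), engine_id, proto)
        print(proto, "localized authKey:", kul.hex())
```

Because the key is localized with the agent's engineID, the same passphrase yields a different authKey on every agent, and the key stored on one agent cannot be replayed against another.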
All of this information is passed to commands using the command line arguments described in the table below. Additionally, you can put default values in your ~/.snmp/snmp.conf file using the tokens specified in the third column.

|Parameter|Command Line Flag|snmp.conf token|
|---|---|---|
|securityName|-u NAME|defSecurityName NAME|
|authProtocol|-a (MD5\|SHA)|defAuthType (MD5\|SHA)|
|privProtocol|-x (AES\|DES)|defPrivType DES|
|authKey|-A PASSPHRASE|defAuthPassphrase PASSPHRASE|
|privKey|-X PASSPHRASE|defPrivPassphrase PASSPHRASE|
|securityLevel|-l (noAuthNoPriv\|authNoPriv\|authPriv)|defSecurityLevel (noAuthNoPriv\|authNoPriv\|authPriv)|
|context|-n CONTEXTNAME|defContext CONTEXTNAME|

The following examples use the Net-SNMP test agent. If you would like to test against your local machine, you can configure the same SNMPv3 users on your machine.
- Edit your snmpd.conf and add:

      # noauth lets noAuthUser send the unauthenticated request shown below;
      # with no level given, rouser and rwuser require at least auth
      rouser noAuthUser noauth
      rouser MD5User
      rwuser MD5DESUser

- Stop snmpd, then edit your persistent snmpd.conf and add:

      createUser noAuthUser
      createUser MD5User MD5 "The Net-SNMP Demo Password"
      createUser MD5DESUser MD5 "The Net-SNMP Demo Password" DES

- Start snmpd again.
Here is a completely unauthenticated request (which still needs a user name, nonetheless):
    % snmpgetnext -v 3 -n "" -u noAuthUser -l noAuthNoPriv test.net-snmp.org sysUpTime
    system.sysUpTime.0 = Timeticks: (83467131) 9 days, 15:51:11.31
Here is an authenticated request:
    % snmpgetnext -v 3 -n "" -u MD5User -a MD5 -A "The Net-SNMP Demo Password" -l authNoPriv test.net-snmp.org sysUpTime
    system.sysUpTime.0 = Timeticks: (83491735) 9 days, 15:55:17.35
And finally, here is an authenticated and encrypted request:
    % snmpgetnext -v 3 -n "" -u MD5DESUser -a MD5 -A "The Net-SNMP Demo Password" -x DES -X "The Net-SNMP Demo Password" -l authPriv test.net-snmp.org system
    system.sysUpTime.0 = Timeticks: (83493111) 9 days, 15:55:31.11

Of course, they don't look much different, since they all worked identically. But the host above allows us to look at it using any level of authentication. Any hosts you set up should be more restricted than that and require at least a level of authNoPriv when you configure the VACM access control.
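One way to check a configuration against that advice before it is deployed, as an added example (not part of Net-SNMP or the original page): it reads rouser/rwuser and createUser lines and reports users who are granted access below authNoPriv, users created without an auth key, and auth passphrases under the 8-character minimum. The function names and issue labels are made up for this sketch, and the sample configuration is constructed from the users in this tutorial plus one weak entry.

```python
import shlex

MIN_PASSPHRASE_LEN = 8   # minimum passphrase length stated on this page

# Constructed sample: the tutorial's users plus one deliberately weak entry.
SAMPLE_CONF = """\
rouser noAuthUser noauth
rouser MD5User
rwuser MD5DESUser priv
createUser noAuthUser
createUser MD5User MD5 "The Net-SNMP Demo Password"
createUser MD5DESUser MD5 "The Net-SNMP Demo Password" DES
# constructed weak entry: 6-character passphrase
createUser shortUser SHA "secret" AES
"""


def skip_option(args, flag):
    """Drop a leading 'FLAG VALUE' pair such as '-s usm' or '-e ENGINEID'."""
    return args[2:] if args[:1] == [flag] else args


def audit_snmpd_conf(text):
    """Return (line number, user, issue) for settings below authNoPriv."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = shlex.split(raw, comments=True)   # honours quotes and '#'
        if not tokens:
            continue
        directive, args = tokens[0].lower(), tokens[1:]
        if directive in ("rouser", "rwuser"):
            args = skip_option(args, "-s")
            # With no level given, snmpd requires "auth" for the user.
            level = args[1].lower() if len(args) > 1 else "auth"
            if args and level == "noauth":
                findings.append((lineno, args[0], "noauth-access"))
        elif directive == "createuser":
            args = skip_option(args, "-e")
            if not args:
                continue
            user, rest = args[0], args[1:]
            if not rest:                           # no authProtocol at all
                findings.append((lineno, user, "no-auth-key"))
            elif len(rest) > 1 and len(rest[1]) < MIN_PASSPHRASE_LEN:
                findings.append((lineno, user, "short-passphrase"))
    return findings


if __name__ == "__main__":
    for finding in audit_snmpd_conf(SAMPLE_CONF):
        print(finding)
```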
Finally, consider a snmp.conf file that looks like this:
    defContext none
    defSecurityName MD5User
    defAuthPassphrase The Net-SNMP Demo Password
    defVersion 3
    defAuthType MD5
    defSecurityLevel authNoPriv
This sets up the defaults for you so that your snmp commands can boil down to something as simple as:
    % snmpgetnext test.net-snmp.org sysUpTime
    system.sysUpTime.3.0 = Timeticks: (83517052) 9 days, 15:59:30.52

    % snmpset test.net-snmp.org ucdDemoPublicString.0 s "I changed something"
    enterprises.ucdavis.ucdDemoMIB.ucdDemoMIBObjects.ucdDemoPublic.ucdDemoPublicString.2.0 = "I changed something"

    % snmpget test.net-snmp.org ucdDemoPublicString.0
    enterprises.ucdavis.ucdDemoMIB.ucdDemoMIBObjects.ucdDemoPublic.ucdDemoPublicString.2.0 = "I changed something"