Chapter 17: SNMPv3
202
Overview
The SNMPv3 protocol builds on the existing SNMPv1 and SNMPv2c
protocol implementation which is described in Chapter 16 on page 189. In
SNMPv3, User-based Security Model (USM) authentication is
implemented along with encryption, allowing you to configure a secure
SNMP environment.
The SNMPv3 protocol uses different terminology than the SNMPv1 and
SNMPv2c protocols. In the SNMPv1 and SNMPv2c protocols, the terms
agent and manager are used. An agent is the software within an SNMP
user while a manager is an SNMP host. In the SNMPv3 protocol, agents
and managers are called entities. In any SNMPv3 communication, there is
an authoritative entity and a non-authoritative entity. The authoritative
entity checks the authenticity of the non-authoritative entity. And, the non-
authoritative entity checks the authenticity of the authoritative entity.
With the SNMPv3 protocol, you create users, determine the protocol used
for message authentication and determine if data transmitted between two
SNMP entities is encrypted. In addition, you can restrict user privileges by
defining which portions of the Management Information Bases (MIB) that
can be viewed by specific users. In this way, you restrict which MIBs a
user can display and modify. In addition, you can restrict the types of
messages, or traps, the user can send. (A trap is a type of SNMP
message.) After you have created a user, you define SNMPv3 message
notification. This consists of determining where messages are sent and
what types of messages can be sent. This configuration is similar to the
SNMPv1 and SNMPv2c configurations because you configure IP
addresses of trap receivers, or hosts.
This section describes the features of the SNMPv3 protocol. The following
subsections are included:
“SNMPv3 Authentication Protocols”
“SNMPv3 Privacy Protocol” on page 203
“SNMPv3 MIB Views” on page 203
“SNMPv3 Configuration Process” on page 204
SNMPv3
Authentication
Protocols
The SNMPv3 protocol supports two authentication protocols— HMAC-
MD5-96 (MD5) and HMAC-SHA-96 (SHA). Both MD5 and SHA use an
algorithm to generate a message digest. Each authentication protocol
authenticates a user by checking the message digest. In addition, both
protocols use keys to perform authentication. The keys for both protocols
are generated locally using the Engine ID and the user password. You can
modify a key only by modifying the user password.
In addition, you have the option of assigning no user authentication. In this
case, no authentication is performed for this user. You may want to make