Vyatta Network OS Documentation

Learn how to install, configure and operate the Vyatta NOS, which helps drive our virtual networking & physical platforms portfolio.


SNMPv3

SNMPv3 adds security features to address the security shortcomings of SNMPv1 and SNMPv2. For information on the SNMPv3 standards that are supported on the vRouter, see Supported standards.

The SNMPv3 architecture uses a modular approach to allow the protocol to be adapted in the future, if and when other types of features are added. The architecture supports the simultaneous use of different security, access control, and message processing models.

The SNMPv3 architecture provides the following security-related models:

  • User-based Security Model (USM)—Used for message security. This model is defined in RFC 3414.
  • Transport Security Model (TSM)—Used for message security. This model is defined in RFC 5591.
  • View-based Access Control Model (VACM)—Used for access control. This model is defined in RFC 2275.

The vRouter currently supports all three models.

The SNMPv3 architecture supports the following security features through USM and TSM:

  • Data integrity—Ensures that packets have not been altered or destroyed in transit.
  • Data-origin authentication—Verifies that the received packets come from a valid source.
  • Data confidentiality—Encrypts packets to prevent data from being disclosed to unauthorized parties.
  • Message timeliness and replay protection—Ensures that a packet whose generation time is outside a specified time window is not accepted.

USM

The User-based Security Model (USM) provides SNMP message-level security and is the default security model for SNMPv3. It uses the traditional concept of a user, identified by a username, with which to associate security information. This model uses UDP to send the SNMP packets.

The following table lists the security protocols and modules used in the USM model to provide the SNMP message-level security.

Table 1. Security protocols and modules used in the USM model

Module: Authentication
Function: Provides data integrity and data-origin authentication
Notes: The following authentication protocols are supported:

  • HMAC-MD5-96
  • HMAC-SHA-96

The entire message is checked for integrity.

For a message to be authenticated, it must pass both the authentication check and the timeliness check.

Module: Privacy
Function: Provides data confidentiality
Notes: The following encryption protocols are supported to encrypt messages:

  • Advanced Encryption Standard (AES)
  • Data Encryption Standard (DES)

Note: If privacy is used, the message also requires authentication.

Module: Timeliness
Function: Provides message timeliness and replay protection
Notes: The timeliness values in an SNMP message are used to perform the timeliness check. This check is performed only if authentication is applied to the message.

To authenticate, encrypt, or both authenticate and encrypt the messages between an SNMP manager and an SNMP agent, the SNMP pair must share secret keys: an authentication secret key for authentication and an encryption secret key for encryption. Before using SNMPv3, you must first configure the secret keys so that they are added to the databases of the SNMP managers and agents that are to share the keys.
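As an added example (not vRouter code), the following Python shows how the USM mechanisms in Table 1 fit together: RFC 3414 password-to-key derivation and per-agent key localization, HMAC-MD5-96/HMAC-SHA-96 computed over the whole message, and the timeliness check that gives replay protection. The message bytes and the position of the authentication field are constructed placeholders, not a real BER-encoded SNMPv3 message.

```python
import hashlib
import hmac

# Hash primitives for the two USM authentication protocols on this page:
# HMAC-MD5-96 and HMAC-SHA-96 (RFC 3414 sections 6 and 7).
HASHES = {"md5": hashlib.md5, "sha": hashlib.sha1}
AUTH_LEN = 12        # "-96": the HMAC output is truncated to 96 bits
TIME_WINDOW = 150    # seconds; the replay window RFC 3414 section 2.2 specifies


def password_to_key(password: bytes, proto: str) -> bytes:
    """RFC 3414 A.2: hash the password repeated to 1,048,576 bytes to get Ku."""
    stretched = (password * (1048576 // len(password) + 1))[:1048576]
    return HASHES[proto](stretched).digest()


def localize_key(ku: bytes, engine_id: bytes, proto: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku). Each agent gets its own
    key, so a key recovered from one agent does not authenticate to another."""
    return HASHES[proto](ku + engine_id + ku).digest()


def auth_params(kul: bytes, msg_zeroed: bytes, proto: str) -> bytes:
    """HMAC over the entire message (auth field zeroed), truncated to 96 bits."""
    return hmac.new(kul, msg_zeroed, HASHES[proto]).digest()[:AUTH_LEN]


def sign(kul: bytes, msg: bytes, offset: int, proto: str) -> bytes:
    """Sender side: fill the 12-byte msgAuthenticationParameters field at `offset`."""
    zeroed = msg[:offset] + bytes(AUTH_LEN) + msg[offset + AUTH_LEN:]
    return msg[:offset] + auth_params(kul, zeroed, proto) + msg[offset + AUTH_LEN:]


def verify(kul: bytes, msg: bytes, offset: int, proto: str) -> bool:
    """Receiver side: recompute over the zeroed message; compare in constant time."""
    received = msg[offset:offset + AUTH_LEN]
    zeroed = msg[:offset] + bytes(AUTH_LEN) + msg[offset + AUTH_LEN:]
    return hmac.compare_digest(received, auth_params(kul, zeroed, proto))


def timely(local_boots: int, local_time: int, msg_boots: int, msg_time: int) -> bool:
    """Authoritative-engine timeliness check (RFC 3414 3.2 step 7b): same boot
    count, engine time within the window, and the boot counter not at its ceiling.
    A replayed message fails once its engine time drifts outside the window."""
    return (local_boots != 2**31 - 1
            and msg_boots == local_boots
            and abs(local_time - msg_time) <= TIME_WINDOW)
```

The Ku/Kul values for the password "maplesyrup" and engine ID 00..02 match the test vectors in RFC 3414 Appendix A.3; authentication is only checked when the message passes both `verify` and `timely`, as the table states.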

TSM

The Transport Security Model (TSM) within the SNMPv3 architecture is designed for use with secure transport protocols, such as SNMP over Secure Shell (SSH), Transport Layer Security (TLS), or Datagram Transport Layer Security (DTLS), to send SNMPv3 packets through secure tunnels. The vRouter supports TLS and DTLS in its SNMPv3 implementation.

Note: The current implementation of TSM does not support SNMP over SSH.

TLS and DTLS use X.509 certificates to authenticate both the client and server of the secure tunnel connections. A public key infrastructure (PKI) is required to generate these certificates. To employ TLS and DTLS, you are required to generate X.509 security keys and certificates and install them on both the SNMP manager and the SNMP agent. The generation and distribution of certificates and keys using PKI involves numerous complex security issues, which are outside the scope of this document. Consult your particular PKI deployment documentation for the necessary procedures to generate and distribute these certificates and keys.

VACM

The View-based Access Control Model (VACM) is used for access control. In this model, access control is based on SNMPv3 groups and communities. A group defines the access policy, that is, the read and write access privileges, for a set of SNMPv3 users. A group also defines the type of MIB view provided to a set of users. A group defines the following:

  • Which users are allowed to access which view (a MIB or a MIB object within a MIB)
  • What type of access privileges are allowed into a view

Note: The vRouter supports the access privilege types of read-only (ro) and read-write (rw) for groups.

Choosing USM or TSM

With two security models available, how do you determine which model to use in your network environment?

The main advantage of using TSM is the ability to integrate SNMP management into the existing X.509 public key security infrastructure of an organization.

Consider implementing TSM if you already have an X.509 public key infrastructure, need to deploy an X.509 public key infrastructure, or do not have a system for managing USM private keys in SNMPv3.

Consider implementing USM if you do not need to deploy an X.509 public key infrastructure or you already have a system for managing USM private keys for use in SNMPv3.