SNMP Version 3 Concepts

SNMP version 3 adds three major security improvements over previous versions of the protocol. These are:

  1. Timeliness
  2. Authentication
  3. Privacy

Before getting into what these are, one term needs to be understood. The authoritative SNMP engine is the engine that controls the information used for timeliness, authentication and privacy operations. In most cases the authoritative SNMP engine is the agent holding the information that managers query. The only exception is when an agent sends an Inform notification, in which case the manager is the authoritative engine and "controls" the SNMP information used to perform the security operations listed above.

Timeliness is a feature that allows the authoritative SNMP engine to check that information is arriving in a timely way and is not being intercepted, stored and then retransmitted outside the acceptable time window measured from the time it was sent.

While this might sound like a complex feature, it really isn't. It is done using two values in the SNMP version 3 packet called engine boots and engine time.

The engine boots value is the number of times the authoritative SNMP engine has been started, booted, executed, initialized, or entered any other state that can be called "booted". Engine time is the number of seconds since the last time the authoritative SNMP engine was "booted". These two values, together, are used for the timeliness check.

The timeliness check is performed by verifying that the engine boots value in the arriving packet is identical to the value stored on the authoritative SNMP engine, and that the engine time in the packet is within 150 seconds of the value on the authoritative SNMP engine. In other words, if engine boots in the incoming packet is not equal to the local value, or engine time is outside the 150 second window when compared with the local value, the authoritative SNMP engine will discard the packet.
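The check described above, written out as an added example (this is not SnmpSharpNet code; the `AuthoritativeEngine` class, the `is_timely` function and the packet values are constructed for illustration). Besides the boots/time window from the page it also applies the rule that an engine whose boots counter has reached its maximum value accepts nothing until it is reconfigured.

```python
"""Timeliness check as performed by an authoritative SNMPv3 engine (RFC 3414, sec. 3.2).
Added example; engine values and packets below are constructed, not captured traffic."""
from dataclasses import dataclass

TIME_WINDOW = 150            # seconds; the window named on the page
MAX_ENGINE_BOOTS = 2**31 - 1 # once boots reaches this value the engine refuses all messages


@dataclass
class AuthoritativeEngine:
    engine_id: bytes
    engine_boots: int   # number of (re)starts since the engine was first configured
    engine_time: int    # seconds since the last restart; advanced by the clock in real life


def is_timely(engine: AuthoritativeEngine, msg_boots: int, msg_time: int) -> bool:
    """Return True when the (msgAuthoritativeEngineBoots, msgAuthoritativeEngineTime)
    pair carried by an incoming packet is acceptable to the authoritative engine."""
    if engine.engine_boots == MAX_ENGINE_BOOTS:
        return False                      # engine is "latched": nothing is accepted
    if msg_boots != engine.engine_boots:
        return False                      # packet predates (or postdates) a reboot
    return abs(engine.engine_time - msg_time) <= TIME_WINDOW


def check_packets(engine: AuthoritativeEngine, packets) -> dict:
    """Evaluate a list of (label, boots, time) tuples; returns {label: accepted}."""
    return {label: is_timely(engine, boots, time) for label, boots, time in packets}


def run_demo() -> dict:
    # Constructed agent state: booted 7 times, up for 1000 seconds
    agent = AuthoritativeEngine(b"\x80\x00\x00\x00\x01", engine_boots=7, engine_time=1000)
    packets = [
        ("fresh request",          7, 1000),  # accept
        ("clock skew of 150 s",    7, 1150),  # accept: exactly on the window edge
        ("clock skew of 151 s",    7, 1151),  # reject: one second outside the window
        ("replayed 5 min old",     7,  700),  # reject: captured earlier and resent
        ("captured before reboot", 6, 1000),  # reject: boots no longer match
    ]
    return check_packets(agent, packets)


if __name__ == "__main__":
    for label, accepted in run_demo().items():
        print(f"{label:24s} -> {'accepted' if accepted else 'discarded'}")
```

The window is symmetric: a packet stamped slightly ahead of the agent's own clock is as acceptable as one slightly behind, which is what lets a manager whose cached engine time has drifted by a few seconds keep working without rediscovery.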

Authentication is a verification method that allows a receiver to confirm that the packet was not modified in transit. This is done by performing a keyed hashing operation over the entire packet using a secret password shared by the agent and the manager involved in the exchange, which ensures that only authorized SNMP entities can produce or modify a packet that passes the check.
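As an added example of the keyed hash just described (not SnmpSharpNet code), the following implements the RFC 3414 key derivation and HMAC-96 check in Python: the shared password is turned into a key, the key is localized to the authoritative engine ID, and the first 12 bytes of an HMAC over the whole packet become the authentication parameters. The `build_message`/`verify_message` helpers and the packet layout (header, 12-byte field, body) are a constructed simplification, not real BER encoding; the "maplesyrup" test values are the published RFC 3414 Appendix A vectors.

```python
"""SNMPv3 USM authentication: password -> key -> localized key -> HMAC-96 (RFC 3414).
Added example with a constructed packet layout; not the library's own code."""
import hashlib
import hmac

AUTH_PARAMS_LEN = 12   # HMAC-96 truncates the digest to 96 bits


def password_to_key(password: str, digest: str = "md5") -> bytes:
    """RFC 3414 A.2: hash the password repeated cyclically to fill 1 MiB."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    stream = (pw * (1048576 // len(pw) + 1))[:1048576]
    return hashlib.new(digest, stream).digest()


def localize_key(key: bytes, engine_id: bytes, digest: str = "md5") -> bytes:
    """RFC 3414 2.6: bind the key to one authoritative engine, so a key captured from
    one agent is useless against another agent sharing the same password."""
    return hashlib.new(digest, key + engine_id + key).digest()


def _mac(localized_key: bytes, msg_with_zeroed_params: bytes, digest: str) -> bytes:
    return hmac.new(localized_key, msg_with_zeroed_params, digest).digest()[:AUTH_PARAMS_LEN]


def build_message(header: bytes, body: bytes, localized_key: bytes, digest: str = "md5") -> bytes:
    """Sender side: compute the MAC with the parameters field zeroed, then fill it in.
    Constructed layout: header | 12-byte msgAuthenticationParameters | body."""
    zeroed = header + bytes(AUTH_PARAMS_LEN) + body
    return header + _mac(localized_key, zeroed, digest) + body


def verify_message(msg: bytes, header_len: int, localized_key: bytes, digest: str = "md5") -> bool:
    """Receiver side: extract the MAC, zero the field, recompute and compare in constant time."""
    end = header_len + AUTH_PARAMS_LEN
    received = msg[header_len:end]
    zeroed = msg[:header_len] + bytes(AUTH_PARAMS_LEN) + msg[end:]
    return hmac.compare_digest(received, _mac(localized_key, zeroed, digest))


def run_demo() -> dict:
    # Constructed engine ID and packet pieces; the password is the RFC's test password
    engine_id = bytes.fromhex("000000000000000000000002")
    key_local = localize_key(password_to_key("maplesyrup"), engine_id)
    header, body = b"\x30\x2a\x02\x01\x03", b"GET sysDescr.0"
    msg = build_message(header, body, key_local)
    tampered = msg[:-1] + b"X"                     # flip the last byte of the body
    wrong_key = localize_key(password_to_key("maplesyrup"), b"\x01" * 12)  # other engine
    return {
        "valid": verify_message(msg, len(header), key_local),
        "tampered": verify_message(tampered, len(header), key_local),
        "other_engine_key": verify_message(msg, len(header), wrong_key),
    }


if __name__ == "__main__":
    print(run_demo())
```

Localization is the reason the engine ID has to be learned before an authenticated request can be built: the same password yields a different key for every agent, so a manager cannot precompute the MAC until discovery has returned the ID.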

Privacy is encryption of the data portion of the SNMP packet. The data portion is the Protocol Data Unit (PDU) of the SNMP packet. Encryption is performed using a secret (password) shared between the agent and the manager.

Because the authoritative SNMP engine originates the information used for timeliness, authentication and privacy operations, there has to be a way for the non-authoritative engine to retrieve the required values. This process is called the discovery process.

Prior to making any SNMP request to an authoritative SNMP engine, you need to send it a discovery packet, basically an empty SNMP version 3 packet, and wait for the REPORT message the agent will send back. The REPORT you receive includes the authoritative SNMP engine ID, SNMP engine boots and SNMP engine time values that you must use in subsequent requests.

Once you have retrieved the authoritative SNMP engine information, you can start making requests using the authentication and privacy settings specific to the agent you are querying.
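The discovery exchange described in the last three paragraphs, simulated end to end as an added example (not SnmpSharpNet code): the `Agent` and `Manager` classes, the dict-based messages and the engine values are constructed stand-ins for real packets. It goes one step beyond the text by showing what happens after the agent reboots: the cached boots/time become stale, the agent answers with a REPORT naming `usmStatsNotInTimeWindows`, and the manager resynchronizes from that REPORT rather than running a fresh discovery.

```python
"""Simulated SNMPv3 discovery between a manager (non-authoritative) and an agent
(authoritative engine). Added example; messages are plain dicts, not BER packets."""

TIME_WINDOW = 150  # seconds, as on the page


class Agent:
    """Authoritative engine: owns the engine ID, boots and time values."""

    def __init__(self, engine_id: bytes, engine_boots: int, engine_time: int):
        self.engine_id = engine_id
        self.engine_boots = engine_boots
        self.engine_time = engine_time
        self.unknown_engine_ids = 0    # usmStatsUnknownEngineIDs counter
        self.not_in_time_windows = 0   # usmStatsNotInTimeWindows counter

    def _report(self, counter: str) -> dict:
        # Every REPORT carries the agent's own values so the sender can synchronize
        return {"type": "REPORT", "report": counter, "engine_id": self.engine_id,
                "engine_boots": self.engine_boots, "engine_time": self.engine_time}

    def handle(self, msg: dict) -> dict:
        if msg["engine_id"] != self.engine_id:          # empty or foreign engine ID
            self.unknown_engine_ids += 1
            return self._report("usmStatsUnknownEngineIDs")
        if (msg["engine_boots"] != self.engine_boots
                or abs(msg["engine_time"] - self.engine_time) > TIME_WINDOW):
            self.not_in_time_windows += 1
            return self._report("usmStatsNotInTimeWindows")
        return {"type": "RESPONSE", "oid": msg["oid"], "value": "SimAgent 1.0"}  # constructed


class Manager:
    """Non-authoritative engine: learns the agent's values and caches them."""

    def __init__(self):
        self.cache = None  # (engine_id, engine_boots, engine_time) once known

    def _learn(self, report: dict) -> None:
        self.cache = (report["engine_id"], report["engine_boots"], report["engine_time"])

    def discover(self, agent: Agent) -> dict:
        # Discovery packet: empty engine ID, zero boots/time, no request of interest
        reply = agent.handle({"engine_id": b"", "engine_boots": 0, "engine_time": 0, "oid": None})
        if reply["type"] == "REPORT":
            self._learn(reply)
        return reply

    def get(self, agent: Agent, oid: str) -> dict:
        if self.cache is None:
            self.discover(agent)
        engine_id, boots, time = self.cache
        reply = agent.handle({"engine_id": engine_id, "engine_boots": boots,
                              "engine_time": time, "oid": oid})
        if reply["type"] == "REPORT":
            # Agent rebooted or clocks drifted: take the values from the REPORT, retry once
            self._learn(reply)
            engine_id, boots, time = self.cache
            reply = agent.handle({"engine_id": engine_id, "engine_boots": boots,
                                  "engine_time": time, "oid": oid})
        return reply


def run_demo() -> dict:
    agent = Agent(b"\x80\x00\x00\x00\x01\x02", engine_boots=3, engine_time=420)  # constructed
    manager = Manager()
    discovery = manager.discover(agent)
    first = manager.get(agent, "1.3.6.1.2.1.1.1.0")       # sysDescr.0
    agent.engine_boots, agent.engine_time = 4, 5           # agent restarts
    after_reboot = manager.get(agent, "1.3.6.1.2.1.1.1.0")
    return {"discovery": discovery, "first": first, "after_reboot": after_reboot,
            "agent": agent, "manager": manager}


if __name__ == "__main__":
    d = run_demo()
    print(d["discovery"]["report"], d["first"]["type"], d["after_reboot"]["type"])
```

The two counters are worth watching on real agents: a steady trickle of `usmStatsUnknownEngineIDs` is normal discovery traffic, while a burst of `usmStatsNotInTimeWindows` from one source means either a manager with a stale cache or packets that are being replayed from an earlier capture.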

Now a little more detail about the SnmpSharpNet implementation of SNMP version 3. All functionality is grouped in the SnmpV3Packet class. This class lets you select the level of security you wish to use, the authentication digest and its secret value, the privacy protocol and its secret value, the security name (user name), etc. To see which authentication digests are supported in the library version you are using, check the SecurityDigests enumeration, which lists the supported digests. To find the supported privacy protocols, see the PrivacyProtocols enumeration.

For examples of how to use SNMPv3, check out the project web site.