Technical data

System Administration
303561-A Rev 00
8-53
Managing SNMP Secure Mode
Bay Networks implements an optional security mechanism for all SNMP set requests. This proprietary mechanism is an interim solution to solve some SNMP security problems until a stable, widely accepted industry-standard security solution is available.
Our security system uses counters to synchronize management operations between manager and agent. In secure mode, when Site Manager sends a set request to the router, the request includes the encrypted value of a counter plus 1 as the first variable binding in the PDU.
When the agent on the router receives the set request, it compares the decrypted value with the value of its own counter plus 1. If the two values match, the agent considers the set request to be authentic and increments the counter by 2. The agent stores the new value of the counter in an encrypted form in the MIB and sends it back to Site Manager as the first variable binding in the response.
The manager receiving the response validates that the received counter matches the manager’s counter plus 2. If the two values match, the response is declared authentic.
The use of counters guards against masquerade security violations because an intruder would have to know the encryption key and the correct counter to send as the first variable binding. The security mechanism also guards against message stream modification; an intruder cannot reorder a sequence of set requests because the requests’ counters would not match the next sequence expected by the agent.
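The following model of the counter exchange is an added example, not Bay Networks code and not the router's own implementation. The encryption used for the counter is proprietary and not documented on this page, so a keyed HMAC-SHA256 tag over the counter value stands in for the "encrypted counter": the agent compares the received tag with the tag of its own expected counter, which is equivalent to decrypting and comparing the value. The key, OID name and PDU layout are constructed for illustration. The scenarios walk through a legitimate set, a replayed request, an out-of-order request and a request built without the key, and show that a rejected request leaves the agent's counter (and MIB) untouched.

```python
"""Model of the counter-synchronized SNMP set exchange described above.

Constructed example: a keyed HMAC-SHA256 tag over the counter stands in for
the proprietary encrypted counter carried as the first variable binding.
All names, keys and OIDs here are made up.
"""
import hashlib
import hmac
import struct

# Constructed shared secret; key distribution is outside this example.
SHARED_KEY = b"example-shared-secret"


def counter_binding(key: bytes, counter: int) -> bytes:
    """Stand-in for the encrypted counter value sent as the first varbind."""
    return hmac.new(key, struct.pack(">I", counter), hashlib.sha256).digest()


class Agent:
    """Router-side agent: accepts a set only if the counter is in sequence."""

    def __init__(self, key: bytes, counter: int = 0) -> None:
        self.key = key
        self.counter = counter
        self.mib = {}

    def handle_set(self, pdu):
        expected = counter_binding(self.key, self.counter + 1)
        if not hmac.compare_digest(expected, pdu["counter"]):
            return None  # not authentic: counter unchanged, MIB untouched
        self.counter += 2
        self.mib.update(pdu["varbinds"])
        # The new counter value goes back as the first varbind of the response.
        return {"counter": counter_binding(self.key, self.counter),
                "varbinds": dict(pdu["varbinds"])}


class Manager:
    """Site Manager side: sends counter+1, expects counter+2 in the response."""

    def __init__(self, key: bytes, counter: int = 0) -> None:
        self.key = key
        self.counter = counter

    def build_set(self, varbinds):
        return {"counter": counter_binding(self.key, self.counter + 1),
                "varbinds": dict(varbinds)}

    def check_response(self, response) -> bool:
        if response is None:
            return False
        expected = counter_binding(self.key, self.counter + 2)
        if not hmac.compare_digest(expected, response["counter"]):
            return False
        self.counter += 2
        return True


def run_scenarios():
    manager, agent = Manager(SHARED_KEY), Agent(SHARED_KEY)
    results = {}

    # 1. Legitimate set: accepted, both counters advance from 0 to 2.
    first = manager.build_set({"example.adminStatus.1": 2})  # constructed OID
    results["legit_accepted"] = manager.check_response(agent.handle_set(first))
    results["counters_synced"] = manager.counter == agent.counter == 2

    # 2. Replay of the captured first request: its counter (1) is stale.
    results["replay_rejected"] = agent.handle_set(first) is None

    # 3. Message stream modification: a request carrying counter 5 arrives
    #    before the one carrying counter 3 that the agent expects next.
    out_of_order = {"counter": counter_binding(SHARED_KEY, 5),
                    "varbinds": {"example.adminStatus.1": 1}}
    results["reorder_rejected"] = agent.handle_set(out_of_order) is None

    # 4. Masquerade without the key: correct counter, wrong key.
    forged = {"counter": counter_binding(b"wrong-key", 3),
              "varbinds": {"example.adminStatus.1": 1}}
    results["wrong_key_rejected"] = agent.handle_set(forged) is None

    # 5. Rejected requests never moved the agent's counter, so the genuine
    #    next request (counter 3) still succeeds and both sides reach 4.
    second = manager.build_set({"example.adminStatus.1": 1})
    results["next_legit_accepted"] = manager.check_response(agent.handle_set(second))
    results["final_counters"] = manager.counter == agent.counter == 4
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Because the agent only advances its counter on an authentic request, a flood of replayed or forged requests cannot push the two sides out of step; the manager's next genuine request still carries the value the agent expects.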
The following sections describe the Technician Interface commands you use to
manage the security feature.