FW 08.01.00 McDATA E/OS SNMP Support Manual (620-000131-630, November 2005)
Introduction to SNMP
Authentication can be used to restrict communication to two
authorized entities. Users cannot capture messages and replay them
with altered content, and only authorized users can change the
configuration of network devices.
View-based Access Control Model (VACM)
The View-based Access Control Model defines a set of services that
an application can use for checking access rights. It determines the
access rights of a group.
A group defines the access rights afforded to all the security names
(user names) that belong to it. The combination of a security model
and a security name maps to at most one group, identified by a group
name. The access rights that can be given to a group are read-view,
write-view and notify-view.
E/OS SNMPv3 Configuration
The security and access features for SNMPv3 provided by the
User-based Security Model (USM) and View-based Access Control
Model (VACM) rely on several tables: the User Table, Access Table,
Security-to-Group Table, and Target Table. The following sections
describe how SNMPv3 is implemented in E/OS.
USM Message Processing
The following steps describe how SNMPv3 messages are processed
in the User-based Security Model:
1. The user table holds, for each user, the user name, authentication
protocol, authentication key, privacy protocol, and encryption key.
Using the user name field in the received packet, the SNMP engine
looks up the matching entry in the table.
2. The message flags are checked to determine whether authentication
or privacy (encryption) is required.
3. If authentication is required, the hash value is computed with the
user's authentication protocol and authentication key and compared
with the value carried in the message header.
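The three USM steps above, worked through as an added example (not code from the manual or from E/OS). It assumes HMAC-SHA-96 as the authentication protocol with RFC 3414 key localization; the user table, engine ID and message bytes are constructed, and a flat byte string stands in for the BER-encoded SNMPv3 message so that the digest check itself is visible.

```python
import hashlib
import hmac

# Constructed example values; nothing here comes from a real device or the manual.
ENGINE_ID = bytes.fromhex("80000009030000aabbccddee")     # authoritative snmpEngineID
USER_TABLE = {                                            # the USM user table (step 1)
    b"netops": {"auth_proto": "sha1", "auth_pass": b"correct horse battery staple"},
}
AUTH_FLAG, PRIV_FLAG = 0x01, 0x02    # msgFlags bits (RFC 3412)
MAC_LEN = 12                         # HMAC-96: USM keeps the first 12 digest bytes

def localize_key(password: bytes, engine_id: bytes, proto: str) -> bytes:
    """RFC 3414 A.2: hash 1 MiB of the repeated password into Ku, then hash
    Ku || engineID || Ku so the stored key is specific to this engine."""
    stream = (password * (1_048_576 // len(password) + 1))[:1_048_576]
    ku = hashlib.new(proto, stream).digest()
    return hashlib.new(proto, ku + engine_id + ku).digest()

def mac_over(msg: bytes, offset: int, key: bytes, proto: str) -> bytes:
    """HMAC over the whole message with the 12 msgAuthenticationParameters
    bytes (at `offset`) replaced by zeros, truncated to 12 bytes."""
    zeroed = msg[:offset] + bytes(MAC_LEN) + msg[offset + MAC_LEN:]
    return hmac.new(key, zeroed, proto).digest()[:MAC_LEN]

def sign(msg: bytes, offset: int, user: bytes) -> bytes:   # manager side
    entry = USER_TABLE[user]
    key = localize_key(entry["auth_pass"], ENGINE_ID, entry["auth_proto"])
    mac = mac_over(msg, offset, key, entry["auth_proto"])
    return msg[:offset] + mac + msg[offset + MAC_LEN:]

def authenticate(user: bytes, flags: int, msg: bytes, offset: int) -> str:
    """Agent side, steps 1-3 above. Returns the USM outcome name."""
    entry = USER_TABLE.get(user)                      # step 1: user-table lookup
    if entry is None:
        return "usmStatsUnknownUserNames"
    if not flags & AUTH_FLAG:                         # step 2: no digest to check;
        return "noAuthNoPriv"                         # VACM decides what this level may read
    key = localize_key(entry["auth_pass"], ENGINE_ID, entry["auth_proto"])
    received = msg[offset:offset + MAC_LEN]           # step 3: recompute and compare
    expected = mac_over(msg, offset, key, entry["auth_proto"])
    if not hmac.compare_digest(received, expected):   # constant-time compare
        return "usmStatsWrongDigests"
    return "authenticated"

# Constructed stand-in for a BER-encoded SNMPv3 message: header, 12-byte auth
# slot, scoped PDU. A real agent finds `offset` by decoding msgSecurityParameters.
HEADER = b"msgVersion=3;msgID=1;msgFlags=1;"
PDU = b";scopedPDU=get-request sysDescr.0"
OFFSET = len(HEADER)
UNSIGNED = HEADER + bytes(MAC_LEN) + PDU
```

Any change to the payload after signing, or a message carrying no digest at all, fails step 3 with usmStatsWrongDigests; the same key material never lets a digest computed for one engine ID verify on another.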