User's Manual
Technical Configuration Guide for SNMP v2.0 December 2006
NORTEL External Distribution
1. SNMPv3 Overview
SNMPv3 is the third version of the Internet-Standard Management Framework. It is derived from,
and builds upon, the original Internet-Standard Management Framework (SNMPv1) and the second
Internet-Standard Management Framework (SNMPv2). SNMPv3 is not a stand-alone replacement for
SNMPv1 or SNMPv2: it defines security capabilities to be used in conjunction with SNMPv2
(preferred) or SNMPv1. As shown in Figure 1 below, SNMPv3 specifies a User-based Security
Model (USM) whose payload is either an SNMPv1 or an SNMPv2 protocol data unit (PDU).
Figure 1: SNMPv3 USM
Authentication within the User-based Security Model (USM) allows the recipient of a message
to verify who the message is from and whether it has been altered. As per RFC 2574, if
authentication is used, the entire message is checked for integrity. Authentication uses a
secret key to produce a fingerprint of the message, which is included in the message; the
receiving entity uses the same secret key to validate the fingerprint. Currently two
authentication protocols are defined for use with USM: HMAC-MD5 and HMAC-SHA-96.
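The keyed fingerprint described above can be worked through end to end. The following is an added example (not code from the Nortel guide) that follows the USM procedure from RFC 2574/3414: the user's password is turned into a key, the key is localized to the agent's snmpEngineID, and an HMAC truncated to 96 bits is computed over the whole message with the authentication-parameters field zeroed. The message layout, header bytes and PDU text are constructed stand-ins rather than a real BER-encoded SNMP message; the password and engine ID are the RFC 3414 Appendix A.3 test values.

```python
import hashlib
import hmac

# RFC 3414 Appendix A.3 test values (used here only so results can be checked)
ENGINE_ID = bytes.fromhex("000000000000000000000002")
PASSWORD = b"maplesyrup"
TAG_LEN = 12  # HMAC-MD5-96 and HMAC-SHA-96 both keep the first 96 bits of the MAC


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated until 1 MiB has been hashed)."""
    stream_len = 1048576
    reps = stream_len // len(password) + 1
    return hashlib.new(hash_name, (password * reps)[:stream_len]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: Kul = H(Ku || snmpEngineID || Ku).

    Localization means a key captured from one agent is useless against another,
    even when the same password is configured on both.
    """
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def user_auth_key(password: bytes, engine_id: bytes, hash_name: str) -> bytes:
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


def build_message(header: bytes, pdu: bytes):
    """Constructed stand-in for wholeMsg: header, a 12-byte slot for
    msgAuthenticationParameters, then the PDU. Returns (message, slot offset)."""
    return header + b"\x00" * TAG_LEN + pdu, len(header)


def _zero_slot(msg: bytes, slot: int) -> bytes:
    return msg[:slot] + b"\x00" * TAG_LEN + msg[slot + TAG_LEN:]


def authenticate(kul: bytes, msg: bytes, slot: int, hash_name: str) -> bytes:
    """Sender: HMAC over the message with the slot zeroed, truncated to 96 bits,
    written into the slot. Every byte of the message is covered."""
    tag = hmac.new(kul, _zero_slot(msg, slot), hash_name).digest()[:TAG_LEN]
    return msg[:slot] + tag + msg[slot + TAG_LEN:]


def verify(kul: bytes, msg: bytes, slot: int, hash_name: str) -> bool:
    """Receiver: extract the tag, recompute over the zeroed message, compare in
    constant time. Any change to header or PDU changes the expected tag."""
    received = msg[slot:slot + TAG_LEN]
    expected = hmac.new(kul, _zero_slot(msg, slot), hash_name).digest()[:TAG_LEN]
    return hmac.compare_digest(received, expected)


def demo(hash_name: str = "md5"):
    """Sign a constructed message, then check an intact and a tampered copy.
    Returns (intact_verifies, tampered_verifies)."""
    kul = user_auth_key(PASSWORD, ENGINE_ID, hash_name)
    msg, slot = build_message(b"v3hdr:" + ENGINE_ID, b"GET sysName.0")  # constructed
    signed = authenticate(kul, msg, slot, hash_name)
    tampered = signed.replace(b"GET", b"SET")  # attacker rewrites the PDU in transit
    return verify(kul, signed, slot, hash_name), verify(kul, tampered, slot, hash_name)


if __name__ == "__main__":
    for name in ("md5", "sha1"):
        print(name, demo(name))  # expect (True, False) for both
```

Two points the code makes concrete: the receiver must derive Kul with its own engine ID, and the HMAC is computed with the tag field zeroed on both sides, which is why the fingerprint can be embedded in the very message it protects.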
While the USM provides user-name/password authentication and privacy services, access control
to management information (the MIB) must be defined separately. The View-based Access Control
Module (VACM) defines a set of services that an application can use to check access rights
(read, write, notify) to a particular object. VACM identifies a MIB subtree either by its ASN.1
object identifier (3.6.1.4) or by the name of the SNMP MIB branch, i.e. Org.Dod.Internet.Private.
The administrator can define a MIB group view for a user, granting access to an appropriate
portion of the MIB matched to an approved security level. The three security levels are:
• NoAuthNoPriv - communication without authentication and without privacy
• AuthNoPriv - communication with authentication (MD5 or SHA) and without privacy
• AuthPriv - communication with authentication (MD5 or SHA) and privacy (DES or AES)
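The way a view, a group and a security level combine into an access decision is easiest to see in code. The following is an added example, not code from the Nortel guide or any SNMP implementation, of the VACM lookup described in RFC 3415: the security name is mapped to a group, the group's access entries are filtered by the security level the request actually presented, and the selected entry names the view against which the object identifier is matched. The users, groups, views and OIDs are constructed for illustration; the one real detail beyond this page is the RFC 3415 family mask, where a 0 bit makes a sub-identifier a wildcard.

```python
from dataclasses import dataclass

# Security levels in increasing strength. An access entry's level is the
# minimum a request must present before that entry may be used.
LEVELS = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}


@dataclass(frozen=True)
class ViewFamily:
    subtree: tuple   # OID prefix, e.g. (1, 3, 6, 1, 2, 1, 1) for the system group
    mask: tuple      # one bit per sub-identifier; 0 = wildcard; missing bits count as 1
    included: bool   # True = included subtree, False = excluded subtree


@dataclass(frozen=True)
class AccessEntry:
    group: str
    min_level: str   # securityLevel required to use this entry
    read_view: str   # empty string = no view (access denied)
    write_view: str


# --- Constructed configuration (hypothetical users, groups and views) ---
GROUPS = {("usm", "monitor"): "monitors", ("usm", "netadmin"): "admins",
          ("usm", "linkmon"): "linkmon"}

ACCESS = [
    AccessEntry("monitors", "authNoPriv", "sysOnly", ""),
    AccessEntry("admins", "authNoPriv", "sysOnly", ""),      # weak level: read system group only
    AccessEntry("admins", "authPriv", "all", "all"),         # strong level: full read/write
    AccessEntry("linkmon", "authNoPriv", "ifRow2", ""),
]

VIEWS = {
    "sysOnly": [ViewFamily((1, 3, 6, 1, 2, 1, 1), (1,) * 7, True)],
    # everything under internet, but hide the usmUserTable (1.3.6.1.6.3.15.1.2)
    "all": [ViewFamily((1, 3, 6, 1), (1,) * 4, True),
            ViewFamily((1, 3, 6, 1, 6, 3, 15, 1, 2), (1,) * 9, False)],
    # ifTable row for ifIndex 2: column position is wildcarded by a 0 mask bit
    "ifRow2": [ViewFamily((1, 3, 6, 1, 2, 1, 2, 2, 1, 0, 2),
                          (1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1), True)],
}


def oid_in_view(oid: tuple, families: list) -> bool:
    """RFC 3415 view matching: among families whose (masked) subtree is a prefix of
    the OID, the longest subtree wins (ties: lexicographically greatest); that
    family's included flag is the answer. No match means not in view."""
    best = None
    for fam in families:
        if len(oid) < len(fam.subtree):
            continue
        matches = True
        for i, sub in enumerate(fam.subtree):
            wildcard = i < len(fam.mask) and fam.mask[i] == 0
            if not wildcard and oid[i] != sub:
                matches = False
                break
        if matches:
            key = (len(fam.subtree), fam.subtree)
            if best is None or key > best[0]:
                best = (key, fam)
    return best is not None and best[1].included


def is_access_allowed(model: str, security_name: str, level: str,
                      view_type: str, oid: tuple) -> bool:
    """isAccessAllowed() from RFC 3415, reduced to one context and two view types."""
    group = GROUPS.get((model, security_name))
    if group is None:
        return False                      # noSuchGroupName
    usable = [e for e in ACCESS
              if e.group == group and LEVELS[e.min_level] <= LEVELS[level]]
    if not usable:
        return False                      # noAccessEntry: level too weak for this group
    entry = max(usable, key=lambda e: LEVELS[e.min_level])   # prefer the strongest match
    view_name = entry.read_view if view_type == "read" else entry.write_view
    if not view_name:
        return False                      # noSuchView
    return oid_in_view(oid, VIEWS[view_name])


if __name__ == "__main__":
    sys_name = (1, 3, 6, 1, 2, 1, 1, 5, 0)
    print(is_access_allowed("usm", "netadmin", "authNoPriv", "write", sys_name))  # False
    print(is_access_allowed("usm", "netadmin", "authPriv", "write", sys_name))    # True
```

The design point worth noticing is in ACCESS: the same user gets a narrower view when it authenticates weakly and the full view only at authPriv, which is exactly the "portion of the MIB matched to an approved security level" the text describes. A request that arrives at noAuthNoPriv finds no usable entry at all and is refused before any view is consulted.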
NOTE: Please refer to the Ethernet Routing Switch 8600 4.1 release notes (Part number 317177-D
Rev 01) for important information regarding SNMPv3. Special consideration must be given to
hidden and encrypted content that contains community table information.
[Figure 1 content: SNMPv3 message encapsulation. PDU processing (SNMPv1 or SNMPv2) produces the
SNMP PDU; message processing (SNMPv3 USM) prepends the SNMPv3 message header; UDP and then IP
prepend their own headers.]
    PDU Processing (SNMPv1 or SNMPv2):   SNMP PDU
    Message Processing (SNMPv3 USM):     V3-MH | SNMP PDU
    UDP:                                 UDP-H | V3-MH | SNMP PDU
    IP:                                  IP-H | UDP-H | V3-MH | SNMP PDU
Legend: IP-H = IP header; UDP-H = UDP header; V3-MH = SNMPv3 message header;
PDU = Protocol Data Unit; USM = User-based Security Model