Topics:
- Introduction
- Differences between SNMPv3 and SNMPv2* (* SNMPv2 here means SNMPv2, SNMPv2c and SNMPv2u)
From SNMPv2 (retained in SNMPv3):
- Expanded data types: 64-bit counters
- Improved efficiency and performance: get-bulk operator
- Confirmed event notifications: inform operator
- Richer error handling: errors and exceptions
- Improved sets: especially row creation/deletion
- Transport independence: IP, AppleTalk, IPX, ... etc.
Plus, new in SNMPv3:
Security:
- Authentication
- Privacy
Administration:
- Authorization and view-based access control
- Logical contexts
- Naming of entities, identities, and information
- People and policies
- Usernames and key management
- Notification destinations and proxy relationships
- Remotely configurable via SNMP operations
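The administration items above (usernames, key management, view-based access control, notification destinations) are what an operator actually configures on an agent. The following net-snmp snmpd.conf fragment is an added example, not from the slides, showing the weak SNMPv2c community setting beside an SNMPv3 USM user bound to a VACM view. The user name, passphrases and the trap receiver address (192.0.2.10, a documentation address) are placeholders.

```conf
# --- Weak: SNMPv2c. The community string is the only credential, it travels
# --- in clear text, and every message can be replayed or altered in transit.
# rocommunity public
# rwcommunity private

# --- SNMPv3 user (USM). HMAC-SHA-96 authentication, CBC-DES privacy, i.e. the
# --- RFC 3414 baseline the slides describe. snmpd replaces this line with a
# --- localized key in its persistent config after the first start.
createUser nmsuser SHA "auth-passphrase-placeholder" DES "priv-passphrase-placeholder"

# --- VACM: a view that exposes only the system group, and a read-only user
# --- that must send authenticated and encrypted (priv) requests to use it.
view   sysview included .1.3.6.1.2.1.1
rouser nmsuser priv -V sysview

# --- Same policy in long form (group/access entries), for reference.
# group  nmsgroup usm nmsuser
# access nmsgroup "" usm priv exact sysview none none

# --- Notification destination: send v3 traps/informs as this user.
trapsess -v 3 -u nmsuser -l authPriv -a SHA -A "auth-passphrase-placeholder" -x DES -X "priv-passphrase-placeholder" 192.0.2.10
```

With this in place a walk of the system group succeeds only at the authPriv level, a noAuthNoPriv or authNoPriv request from the same user is rejected by the access check, and anything outside .1.3.6.1.2.1.1 is invisible to the user regardless of level.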
Threats addressed:
1. Masquerade / data origin authentication: an interloper assumes the identity of a sender to gain its privileges.
2. Modification of information / data integrity: alteration of in-transit messages.
3. Message stream modification: messages are reordered, delayed, or replayed.
4. Disclosure / data confidentiality: privileged information is obtained via eavesdropping on messages.
Security Mechanisms
SNMPv3 (the User-based Security Model, RFC 3414) uses HMAC-MD5-96 for authentication and CBC-DES for privacy. Both are symmetric, i.e., shared-secret mechanisms: the same per-user keys must be provisioned on the manager and the agent. (MD5 = Message Digest Algorithm 5, RFC 1321; DES = Data Encryption Standard.) Note that MD5 is a hash function, not a cipher; it gives integrity and origin authentication only when keyed as an HMAC. Single DES and HMAC-MD5 are the RFC 3414 baseline and are weak by today's standards; current deployments use AES (RFC 3826) and HMAC-SHA (RFC 3414, RFC 7860).
Authentication:
- HMAC-MD5-96 (keyed MD5, output truncated to 96 bits) by default
- SHA (HMAC-SHA-96) as an optional alternative algorithm
- Timeliness: loosely synchronized, monotonically increasing time indicator values (snmpEngineBoots and snmpEngineTime) let the receiver reject delayed and replayed messages
Encryption:
- Symmetric encryption using the Data Encryption Standard (DES) in Cipher Block Chaining (CBC) mode
- Provides privacy / protection against disclosure
- Uses encryption subject to export and use restrictions in many jurisdictions
- 16-byte privacy key: the first 8 bytes are the DES key, the last 8 bytes are the pre-IV, which is XORed with a per-message salt to form the CBC initialization vector
- Multiple levels of compliance with respect to DES because of the problems associated with international use
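The authentication, encryption and timeliness bullets above describe mechanisms from RFC 3414; the Python below is an added example (not the slides' material) that implements the password-to-key derivation and key localization (RFC 3414 Appendix A), the 96-bit truncated HMAC, the DES key / pre-IV / salt split, and the 150-second time window check. The engine ID, boot counter, clock values and packet bytes are constructed for the demonstration; the "maplesyrup" vectors are the ones published in RFC 3414 A.3.

```python
"""USM key handling and timeliness, after RFC 3414 (added example)."""
import hashlib
import hmac
import struct

TIME_WINDOW = 150        # seconds, RFC 3414 Section 2.3
MAX_BOOTS = 2**31 - 1    # once snmpEngineBoots reaches this, the engine is unusable


def derive_ku(password: bytes, algo: str) -> bytes:
    """Ku = H(password repeated to exactly 1,048,576 octets) (RFC 3414 A.2).
    algo is a hashlib name: "md5" or "sha1"."""
    stream = (password * (1048576 // len(password) + 1))[:1048576]
    return hashlib.new(algo, stream).digest()


def localize(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the same password gives a different
    key on every agent, so one compromised agent does not expose the rest."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def password_to_key(password: bytes, engine_id: bytes, algo: str) -> bytes:
    return localize(derive_ku(password, algo), engine_id, algo)


def auth_params(auth_kul: bytes, whole_msg: bytes, algo: str) -> bytes:
    """HMAC-96: HMAC over the whole message (with msgAuthenticationParameters
    zero-filled by the caller), truncated to its first 12 octets."""
    return hmac.new(auth_kul, whole_msg, algo).digest()[:12]


def verify_auth(auth_kul: bytes, whole_msg: bytes, received: bytes, algo: str) -> bool:
    """Constant-time comparison so a receiver does not leak the MAC byte by byte."""
    return hmac.compare_digest(auth_params(auth_kul, whole_msg, algo), received)


def des_key_and_iv(priv_kul: bytes, engine_boots: int, salt_counter: int):
    """CBC-DES parameters (RFC 3414 8.1.1.1): the 16-octet privacy key is split
    into an 8-octet DES key and an 8-octet pre-IV. The salt (snmpEngineBoots ||
    32-bit counter) travels in the clear as msgPrivacyParameters; salt XOR
    pre-IV is the actual CBC IV, so every message gets a fresh IV."""
    des_key = priv_kul[:8]
    pre_iv = priv_kul[8:16]
    salt = struct.pack(">II", engine_boots, salt_counter)
    iv = bytes(a ^ b for a, b in zip(pre_iv, salt))
    return des_key, salt, iv


def in_time_window(local_boots: int, local_time: int, msg_boots: int, msg_time: int) -> bool:
    """Timeliness check (RFC 3414 3.2 step 7): accept only if the boot counters
    match, the boot counter is not exhausted, and the two clocks differ by at
    most 150 s. A replayed or long-delayed message fails here."""
    if local_boots == MAX_BOOTS:
        return False
    return local_boots == msg_boots and abs(local_time - msg_time) <= TIME_WINDOW


if __name__ == "__main__":
    engine_id = bytes.fromhex("000000000000000000000002")   # RFC 3414 A.3 test engine
    kul = password_to_key(b"maplesyrup", engine_id, "md5")
    print("localized MD5 key:", kul.hex())
    # Constructed stand-in for a serialized SNMPv3 message with zeroed auth params.
    msg = b"\x30\x3e\x02\x01\x03" + b"\x00" * 12 + b"constructed-scopedPDU"
    mac = auth_params(kul, msg, "md5")
    print("auth ok:", verify_auth(kul, msg, mac, "md5"),
          "tampered ok:", verify_auth(kul, msg + b"!", mac, "md5"))
    key, salt, iv = des_key_and_iv(kul, engine_boots=3, salt_counter=7)
    print("DES key:", key.hex(), "salt:", salt.hex(), "IV:", iv.hex())
    print("fresh:", in_time_window(3, 5000, 3, 5100), "stale:", in_time_window(3, 5000, 3, 4800))
```

The derivation deliberately hashes a full megabyte of repeated password to slow down offline guessing, but a weak passphrase is still the usual way USM is broken in practice; the localization step limits the blast radius of a stolen agent key, not of a stolen password.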
Advantages of SNMPv3
So What? Who Cares?
- Configuration / control / provisioning: no longer mere monitoring
- Able to augment or replace proprietary CLI over Telnet
- Via standards-based solutions providing commercial-grade, industrial-strength security: authentication and privacy
Notifications:
Traps
- Spray and pray: send and forget
- The only option in SNMPv1
Informs
- Send, then wait for an acknowledgement; retry count and retry interval
- Added in SNMPv2c, but with problems; the problems are fixed in SNMPv3
Too many resources are spent on uninteresting notification messages, e.g., unwanted traps and informs. SNMPv3 standardizes:
- Notification generation
- Notification transmission and delivery
- Notification logging
- Notification filtering
SNMPv3 allows you to use a standard MIB and standards-based tools to turn unwanted notifications off at the source. You will really like this.
- Improved efficiency and performance
- New data types: Counter64
- Richer error handling
Disadvantages of SNMPv3
Security is expensive: more overhead
- Message headers are longer and more complex
- Cryptographic calculations can increase CPU load by roughly 20 percent
- It will run slower, and much slower if software-based DES is used, especially if implemented in Java
- Some machines do not have the hardware assets, but almost all do: NO EXCUSES
SNMPv3 is the third version of the Internet-standard Management Framework
- What SNMPv2 should have been: builds on the good
- Compatible with the SMI and MIBs you use now
- Important enabling technology for configuration and control: adds security and administration for safe sets
- Security: authentication and privacy
- Administration: logical contexts, view-based access control, remote configuration
- Available now