< Home

SNMPv3

SNMPv3 Packet Format

SNMPv3 defines a new packet format, as shown in Figure 1.

Figure 1 SNMPv3 packet format

The following describes the fields in an SNMPv3 packet:

  • Version: specifies the SNMP version. The value for SNMPv3 is 2.
  • Header: includes information such as the maximum message size that the transmitter supports and the security mode of messages.
  • Security parameters: includes the entity engine information, user name, authentication parameter, and encryption information.
  • Context EngineID: indicates the unique SNMP ID. The combination of this field and the PDU type determines to which application the PDUs are to be sent.
  • Context Name: determines the Context EngineID MIB view of the managed device.
  • SNMPv3 PDU: includes the PDU type, request ID, and binding variable list. The SNMPv3 PDU includes GetRequest PDU, GetNextRequest PDU, SetRequest PDU, Response PDU, Trap PDU, GetBulkRequest PDU, and InformRequest PDU.

SNMPv3 Architecture

SNMPv3 provides SNMPv3 entities through which all SNMP-enabled NMSs can manage SNMP-enabled network elements. An SNMPv3 entity consists of SNMPv3 engines and applications, which in turn consist of multiple modules.

The modular architecture of the SNMPv3 entity has the following advantages:
  • Strong adaptability: Adapts to both simple and complex networks.
  • Simple management: Consists of multiple independent sub-systems and applications. When a fault occurs in an SNMP system, it is easy to locate the sub-system where the fault originated according to the fault type.
  • Good expansibility: Supports addition of modules to extend an SNMP system. For example, a module can be added to the security subsystem to run a new security protocol.
SNMPv3 improves security through the User-based Security Model (USM) and view-based access control model (VACM):

  • USM: provides a shared key between the NMS and agents to authenticate user identities and encrypt data.

    • Identity authentication: a process in which an agent (or NMS) determines whether a received message is from an authorized NMS (or agent) and whether the message is modified during transmission. RFC 2104 defines Keyed-Hashing for Message Authentication Code (HMAC), which is a tool that uses the security hash function and key to generate message authentication codes and is widely used on the Internet. HMAC mechanisms that SNMP uses include HWAC-MD5-96 and HWAC-SHA-96. The hash function of HWAC-MD5-96 is MD5, which uses a 128-bit authKey to generate keys. The hash function of HWAC-SHA-96 is SHA-1, which uses a 160-bit authKey to generate keys.

    • Data encryption: Like identity authentication, data encryption also requires the network management station and the agent to use a shared key for encryption or decryption. ESP encrypts the IP packet contents to prevent them from being intercepted during transmission. Encryption algorithms are implemented using a symmetric key system, which uses the same key to encrypt and decrypt data. SNMP uses the following encryption algorithms:

      • Data Encryption Standard (DES): encrypts 64-bit plain text by using a 56-bit key.
      • Triple Data Encryption Standard (3DES): encrypts plain text by using three 56-bit DES keys (a 168-bit key).
      • Advanced Encryption Standard (AES): encrypts plain text by using a 128-bit, 192-bit, or 256-bit key.

      The following are the three encryption algorithms, listed from most to least secure: AES, 3DES, and DES. A more secure encryption algorithm requires more system resources, which slows down the computing speed. To ensure device security, it is advised to use the more secure encryption algorithms AES.

  • VACM: controls access of user groups or community names based on views. You must pre-configure a view and specify its authority. Then, when you configure a user, user group, or community, you must load this view to implement read/write restrictions or Inform/trap functions.

SNMPv3 Mechanism

SNMPv3 has a similar mechanism to SNMPv1 and SNMPv2c. The only difference is that SNMPv3 supports identity authentication and encryption. The following uses the Get operation as an example to describe the SNMPv3 mechanism.

As shown in Figure 2, an NMS intends to obtain the value of the sysContact object on a managed device in authentication and encryption mode.
Figure 2 Get operation of SNMPv3

  1. The NMS sends a GetRequest packet without security parameters to the agent and requests the values of Context EngineID, Context Name, and security parameter.

  2. The agent returns a response that contains the requested parameters.

  3. The NMS sends a GetRequest packet to the agent again. The fields in the packet are as follows:
    • Version: SNMPv3.
    • Header: authentication and encryption modes.
    • Security parameters: The NMS calculates the authentication and encryption parameters in accordance with the security parameters obtained from the agent. Then, the NMS fills the authentication, encryption, and security parameters in the corresponding fields.
    • PDU: The NMS fills the obtained Context EngineID and Context Name in the corresponding fields. The PDU type is set to Get, the MIB object name is sysContact, and the configured encryption algorithm is used to encrypt the PDU.

  4. The agent authenticates the GetRequest packet sent from the NMS. If authentication is successful, the agent decrypts the PDU. If decryption is successful, the agent obtains the value of sysContact and encapsulates it in the PDU of the response packet. The agent encrypts the PDU and sends the response packet to the NMS. If the query, authentication, or encryption operation fails, the agent sends an error message to the NMS.

Parent Topic: Understanding SNMP
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic