Hi all,
below you'll find a patch that adds basic SNMPv3 support to OpenBSD's
snmpd(8). When I say "basic" that's because of some limitations:
- Traps are still sent via the SNMPv2 protocol. They can neither be
  authenticated nor encrypted.
- Transport mode is still UDP. No additional transport subsystems
  were added.
- Only the User-based Security Model (USM, RFC3414) is supported.
  View-Based Access Control (VACM, RFC3415) is not included.
Just to provide a little background, I'll explain some details
below.
Three security levels are defined in RFC3411:
1) noAuthNoPriv: no authentication, no encryption
2) authNoPriv: with authentication, without encryption
3) authPriv: with authentication, with encryption
There is a new keyword 'seclevel' in snmpd.conf(5) that allows defining
the minimum security level required by snmpd(8). Any requirement
higher than noAuthNoPriv will disable SNMPv2 support.
The USM offers:
- Verification of message contents and authentication of the sender
  USM adds an HMAC to the SNMP message. The HMAC is calculated over
  the whole message with the HMAC portion set to zeroes.
  According to RFC3414 the defined HMAC algorithms are HMAC-MD5-96
  and HMAC-SHA-96. The key is derived from an authentication
  passphrase.
- Encryption of the PDU
  USM encrypts only a part of the message, the scoped PDU, while the
  SNMP header remains plaintext. RFC3414 defines only CBC-DES, but
  RFC3826 adds CFB128-AES-128 encryption (although this is not
  part of STD62). The IV is derived from an encryption passphrase.
- Protection against replay attacks
  The non-authoritative SNMP engines have to synchronize their
  clocks with the authoritative SNMP engine. RFC3414 requires
  rejecting any SNMPv3 message whose timestamp differs by
  more than 150 seconds from the local clock.
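As an added illustration (not part of the patch and not snmpd's own code), the Python below walks through the two USM mechanisms just described: RFC 3414 passphrase-to-key derivation with engine-ID localization, the HMAC-96 computed over the whole message with the 12-octet parameter field zeroed, and the 150-second time-window check. The message layout is a constructed stand-in, not real BER encoding; the "maplesyrup" passphrase and engine ID are the RFC 3414 Appendix A test vector.

```python
import hashlib
import hmac

HMAC96_LEN = 12      # HMAC-MD5-96 / HMAC-SHA-96: the MAC is truncated to 96 bits
TIME_WINDOW = 150    # RFC 3414: largest tolerated clock skew, in seconds


def password_to_ku(password: bytes, algo: str) -> bytes:
    """RFC 3414 A.2: hash the passphrase repeated out to 1 MiB (Ku)."""
    stretched = (password * (1048576 // len(password) + 1))[:1048576]
    return hashlib.new(algo, stretched).digest()


def localize(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku); a key stolen from one agent does not work on another."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_params(key: bytes, algo: str, wire: bytes, offset: int) -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message with the MAC field zeroed, cut to 96 bits."""
    zeroed = wire[:offset] + bytes(HMAC96_LEN) + wire[offset + HMAC96_LEN:]
    return hmac.new(key, zeroed, algo).digest()[:HMAC96_LEN]


def verify(key: bytes, algo: str, wire: bytes, offset: int) -> bool:
    """Receiver side: recompute the MAC and compare in constant time."""
    received = wire[offset:offset + HMAC96_LEN]
    return hmac.compare_digest(received, auth_params(key, algo, wire, offset))


def in_time_window(local_boots: int, local_time: int, msg_boots: int, msg_time: int) -> bool:
    """RFC 3414 3.2 step 7 (authoritative side): boots must match and time must be within 150 s."""
    return msg_boots == local_boots and abs(local_time - msg_time) <= TIME_WINDOW


# Constructed stand-in for a BER-encoded SNMPv3 message (not real encoding): the header carries the
# security parameters, including 12 octets reserved for the MAC, followed by the scoped PDU.
DEMO_HEADER = b"msgVersion=3|msgGlobalData|msgSecurityParameters:"
DEMO_SCOPED_PDU = b"|scopedPDU:contextEngineID,contextName,GetRequest"
PARAMS_OFFSET = len(DEMO_HEADER)


def sign_demo(key: bytes, algo: str) -> bytes:
    """Sender side: build the message with a zeroed MAC field, then fill the field in."""
    wire = DEMO_HEADER + bytes(HMAC96_LEN) + DEMO_SCOPED_PDU
    mac = auth_params(key, algo, wire, PARAMS_OFFSET)
    return wire[:PARAMS_OFFSET] + mac + wire[PARAMS_OFFSET + HMAC96_LEN:]
```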
The USM users together with their HMAC and encryption passphrases
have to be defined in snmpd.conf(5). The code already supports multiple
users, though without VACM there's not much sense to it.
Gerhard
[demime 1.01d removed an attachment of type application/octet-stream which had
a name of snmpv3.patch]