Goals of SNMPv3 (RFC 3411) I I I I SNMP Version 3 More about VACM and USM Nick Urbanik © 2003, 2005 Copyright Conditions: Open Publication License I (see http://www.opencontent.org/openpub/) Avoid reinventing the wheel—use existing work Support secure set operation Support forward and backward compatibility Support remote configuration N USM and VACM configuration is through SNMP tables and variables Security protection against: N modification of information by unauthorised parties N an unauthorised person masquerading as an authorised person N message stream modification by reordering, delaying or replaying exchanges N disclosure (eavesdropping) Goals of SNMPv3 (RFC 3411) VACM VACM on Net-SNMP VACM Views View Mask View Mask and the ifTable VACM Examples User-based Security Model References SNM — ver. 1.7 SNMP v3 - p. 1/36 SNM — ver. 1.7 SNMP v3 - p. 2/36 VACM I I VACM Context Goals of SNMPv3 (RFC 3411) VACM VACM Context Context Example from RFC 3411 isAccessAllowed from RFC 3415 VACM on Net-SNMP VACM I I The View-based Access Control Model (VACM) has five main components, as we mentioned earlier: N groups of users N security level, i.e., v1, v2c, usm N contexts — see slide §4 N MIB views, view families — see slide §15 N access policy, i.e., read only, read-write, notify, no access. How do we set up SNMPv3 users on agents and network management software? How do we control access to a subset of MIB variables on an agent? I I I Views View Mask View Mask and the ifTable VACM Examples User-based Security Model References An SNMP context is a collection of management variables accessible by an SNMP entity. Gives a way to group variables into collections with different access policies. Example from RFC 3411: See slide §5 N The engine uses the bridge MIB defined in RFC 1493 N but the engine keeps management information for two separate bridges labeled bridge1 and bridge2 N Could be that neither bridge directly supports SNMP, so another device on the LAN collects data from the bridges using some other method N Makes this information available within the context Goals of SNMPv3 (RFC 3411) VACM VACM Context Context Example from RFC 3411 isAccessAllowed from RFC 3415 VACM on Net-SNMP VACM Views View Mask View Mask and the ifTable VACM Examples User-based Security Model References SNM — ver. 1.7 SNMP v3 - p. 3/36 SNM — ver. 1.7 SNMP v3 - p. 4/36 Context Example from RFC 3411 SNMP Entity (identified by snmpEngineID, for example: ’800002b804616263’H (enterprise 696, string "abc") SNMP Engine (Identified by snmpEngineID) Message Processing Subsystem Access Control Subsystem Goals of SNMPv3 (RFC 3411) VACM VACM Context Context Example from RFC 3411 isAccessAllowed from RFC 3415 VACM on Net-SNMP isAccessAllowed from RFC 3415 who   securityModel      securityName where Goals of SNMPv3 (RFC 3411) groupName VACM VACM Context Context Example from RFC Dispatcher Security Subsystem contextName   securityModel      securityLevel 3411 isAccessAllowed from RFC 3415 VACM on Net-SNMP Command Responder Application (contextEngineID, example: ’800002b804616263’H) Example contextNames: "bridge1" "bridge2" "" (default) VACM Views viewName VACM View Mask View Mask and the ifTable VACM how Views View Mask View Mask and the ifTable VACM Examples Examples MIB Instrumentation context bridge MIB context bridge MIB context some MIB other MIB User-based Security Model References why   viewType (read/write/  notify) object-type variableName (oid) yes/no decision User-based Security Model References what which objectinstance SNM — ver. 1.7 SNMP v3 - p. 5/36 SNM — ver. 1.7 SNMP v3 - p. 6/36 VACM on Net-SNMP I Net-SNMP VACM Goals of SNMPv3 (RFC 3411) VACM   Net-SNMP uses four keywords to set up /etc/snmp/snmpd.conf: N N VACM in Goals of SNMPv3 (RFC 3411) ¡ ¢ £ ¤ ¥   secName VACM on Net-SNMP VACM on Net-SNMP ipSource default community VACM VACM on Net-SNMP VACM on Net-SNMP Net-SNMP VACM The access Keyword access: Security Model, Security Level access: The prefix Parameter access with SNMPv1, v2c com2sec group N N view access Net-SNMP VACM The access Keyword access: Security Model, Security Level ¦ § ¡ ¨ © groupName access: The prefix Parameter access with SNMPv1, v2c I These set up access control to variables on the agent. N access and view determine what access is being controlled to. N group and com2sec determine who has this access. The com2sec keyword The group Keyword VACM model v1 v2c usm secName The com2sec keyword The group Keyword Views      ¥ ¤ ¤ groupName context "" model v1 v2c usm any oidSubtree level noauth auth priv prefix exact prefix readScope viewName none writeScope viewName none notifyScope viewName none VACM Views View Mask View Mask and the ifTable VACM View Mask View Mask and the ifTable VACM Examples Examples User-based Security Model   ¥  viewName References type included excluded [mask] User-based Security Model References SNM — ver. 1.7 SNMP v3 - p. 7/36 SNM — ver. 1.7 SNMP v3 - p. 8/36 The access Keyword I access: Security Model, Security Level Goals of SNMPv3 (RFC 3411) VACM VACM on Net-SNMP VACM on Net-SNMP Net-SNMP VACM The access Keyword access: Security Model, Security Level access: The prefix Parameter access with SNMPv1, v2c I Specifies which group has access to which parts of the tree Has 8 parameters. Syntax (all on one line): group context secmodel seclevel prefix readview writeview MIB I access I I I Last three parameters readview writeview notifyview are views, defined by view statements. N Indicate which part of the MIB tree has read access, which part of tree has write access, and which part has permission for access to send notifications (i.e., traps or inform requests) The group parameter is defined by a group statement N Represents a group of users Default context is the empty string "". See slide §4. notifyview I The com2sec keyword The group Keyword VACM Views View Mask View Mask and the ifTable VACM Examples User-based Security Model References The parameter secmodel is the Security Model. N Can be one of: any, v1, v2c or usm. N Should be set to match the SNMP version of clients that will connect to this agent. Parameter seclevel Security Level tells whether we use authentication or encryption N Can be one of noauth, auth, or priv N Note that community strings are not counted as authentication, so for SNMPv1 and SNMPv2 we specify noauth N priv (privacy) means that we use both strong authentication and encryption. Goals of SNMPv3 (RFC 3411) VACM VACM on Net-SNMP VACM on Net-SNMP Net-SNMP VACM The access Keyword access: Security Model, Security Level access: The prefix Parameter access with SNMPv1, v2c The com2sec keyword The group Keyword VACM Views View Mask View Mask and the ifTable VACM Examples User-based Security Model References SNM — ver. 1.7 SNMP v3 - p. 9/36 SNM — ver. 1.7 SNMP v3 - p. 10/36 access: The prefix Parameter I access with SNMPv1, v2c Goals of SNMPv3 (RFC 3411) VACM VACM on Net-SNMP VACM on Net-SNMP Net-SNMP VACM The access Keyword access: Security Model, Security Level access: The prefix Parameter access with SNMPv1, v2c I I The prefix parameter to access can be either exact or prefix. Indicates whether context name needs to match exactly or whether only the first part of the context name needs to match. The default value is exact. I For SNMPv1 and SNMPv2c clients N Security Level will be noauth, and N context will be empty (the empty string). Goals of SNMPv3 (RFC 3411) VACM VACM on Net-SNMP VACM on Net-SNMP Net-SNMP VACM The access Keyword access: Security Model, Security Level access: The prefix Parameter access with SNMPv1, v2c The com2sec keyword The group Keyword VACM The com2sec keyword The group Keyword VACM Views Views View Mask View Mask and the ifTable VACM View Mask View Mask and the ifTable VACM Examples Examples User-based Security Model References User-based Security Model References SNM — ver. 1.7 SNMP v3 - p. 11/36 SNM — ver. 1.7 SNMP v3 - p. 12/36 The com2sec keyword I The group Keyword Goals of SNMPv3 (RFC 3411) VACM VACM on Net-SNMP VACM on Net-SNMP Net-SNMP VACM The access Keyword access: Security Model, Security Level access: The prefix Parameter access with SNMPv1, v2c I I Maps a community string and a source IP or network address to a security name (user name). Syntax: com2sec securityName source community N The security name is used by the group keyword — see §14 N Source can be a hostname, a subnet or the word “default” I A subnet can be written as IP/mask or IP/BITS, e.g., our lab subnet can be written as 172.19.64.0/255.255.192.0 or 172.19.64.0/18. Only needed for access control with SNMPv1 and v2c N Not used with SNMPv3 I I I I I I The com2sec keyword The group Keyword VACM Views View Mask View Mask and the ifTable VACM maps pairs of Security Model and Security Name to a group name. Syntax: group groupName securityModel securityName A Security Model is one of v1, v2c or usm. The Security Name is the user name. All members of one group have the same access rights. A user cannot belong to more than one group for each of the three security models. Goals of SNMPv3 (RFC 3411) VACM VACM on Net-SNMP VACM on Net-SNMP Net-SNMP VACM The access Keyword access: Security Model, Security Level access: The prefix Parameter access with SNMPv1, v2c The com2sec keyword The group Keyword VACM Views View Mask View Mask and the ifTable VACM Examples Examples User-based Security Model References User-based Security Model References SNM — ver. 1.7 SNMP v3 - p. 13/36 SNM — ver. 1.7 SNMP v3 - p. 14/36 Views and the view Keyword The view determines what part of the MIB access is controlled to. I Uses concept of a subtree. N A subtree is a node in the MIB tree and all the elements under that node. N In other words, all the MIB elements in a subtree have the same common prefix. I Syntax: view viewName incl/excl subtree mask(optional) I Goals of SNMPv3 (RFC 3411) VACM VACM on Net-SNMP VACM The view Keyword — 2 I incl/excl N N Views Views and the view Keyword The view Keyword — 2 View Mask View Mask and the ifTable VACM can be either “included” or “excluded” “included” means that the MIB view includes all the elements of the subtree; “excluded” means that the MIB view excludes all the elements of the subtree. Goals of SNMPv3 (RFC 3411) VACM VACM on Net-SNMP VACM Views Views and the view Keyword The view Keyword — 2 View Mask View Mask and the ifTable VACM Examples Examples User-based Security Model References User-based Security Model References SNM — ver. 1.7 SNMP v3 - p. 15/36 SNM — ver. 1.7 SNMP v3 - p. 16/36 The View Mask — 1 I The Network Interface Table, ifTable Goals of SNMPv3 (RFC 3411) VACM VACM on Net-SNMP VACM I I The optional view mask allows the access control to select individual rows in a table. RFC 3415 calls this a family of subtrees, since a row of n elements can be also represented by n subtrees RFC 3415 calls the mask the family mask I Views Under mib-2 is the important ifTable N Provides statistics on each network interface N includes such things as network traffic, errors,. . . N One row in the table for each network interface Goals of SNMPv3 (RFC 3411) VACM VACM on Net-SNMP VACM Views View Mask The View Mask — 1 The Network Interface Table, ifTable View Mask and the ifTable VACM View Mask The View Mask — 1 The Network Interface Table, ifTable View Mask and the ifTable VACM Examples Examples User-based Security Model References User-based Security Model References SNM — ver. 1.7 SNMP v3 - p. 17/36 SNM — ver. 1.7 SNMP v3 - p. 18/36 Walking ifTable — 1 $ snmpbulkwalk -v 2c -c public localhost ifTable IF-MIB::ifIndex.1 = INTEGER: 1 IF-MIB::ifIndex.2 = INTEGER: 2 IF-MIB::ifDescr.1 = STRING: lo IF-MIB::ifDescr.2 = STRING: eth0 IF-MIB::ifType.1 = INTEGER: softwareLoopback(24) IF-MIB::ifType.2 = INTEGER: ethernetCsmacd(6) IF-MIB::ifMtu.1 = INTEGER: 16436 IF-MIB::ifMtu.2 = INTEGER: 1500 IF-MIB::ifSpeed.1 = Gauge32: 10000000 IF-MIB::ifSpeed.2 = Gauge32: 100000000 IF-MIB::ifPhysAddress.1 = STRING: IF-MIB::ifPhysAddress.2 = STRING: 0:1:3:45:99:12 IF-MIB::ifAdminStatus.1 = INTEGER: up(1) IF-MIB::ifAdminStatus.2 = INTEGER: up(1) IF-MIB::ifOperStatus.1 = INTEGER: up(1) IF-MIB::ifOperStatus.2 = INTEGER: up(1) IF-MIB::ifInOctets.1 = Counter32: 1073820735 IF-MIB::ifInOctets.2 = Counter32: 1620632733 Goals of SNMPv3 (RFC 3411) VACM VACM on Net-SNMP VACM Walking ifTable — 2 IF-MIB::ifInUcastPkts.1 = Counter32: 2950449 IF-MIB::ifInUcastPkts.2 = Counter32: 105216646 IF-MIB::ifInDiscards.1 = Counter32: 0 IF-MIB::ifInDiscards.2 = Counter32: 0 IF-MIB::ifInErrors.1 = Counter32: 0 IF-MIB::ifInErrors.2 = Counter32: 0 IF-MIB::ifOutOctets.1 = Counter32: 1073821769 IF-MIB::ifOutOctets.2 = Counter32: 2594849796 IF-MIB::ifOutUcastPkts.1 = Counter32: 2950461 IF-MIB::ifOutUcastPkts.2 = Counter32: 81734428 IF-MIB::ifOutDiscards.1 = Counter32: 0 IF-MIB::ifOutDiscards.2 = Counter32: 0 IF-MIB::ifOutErrors.1 = Counter32: 0 IF-MIB::ifOutErrors.2 = Counter32: 0 IF-MIB::ifOutQLen.1 = Gauge32: 0 IF-MIB::ifOutQLen.2 = Gauge32: 0 IF-MIB::ifSpecific.1 = OID: SNMPv2-SMI::zeroDotZero IF-MIB::ifSpecific.2 = OID: SNMPv2-SMI::zeroDotZero Goals of SNMPv3 (RFC 3411) VACM VACM on Net-SNMP VACM Views Views View Mask View Mask and the ifTable Walking ifTable — 1 Walking ifTable — 2 ifTable in Numbers — 1 ifTable in Numbers — 2 View Mask View Mask and the ifTable Walking ifTable — 1 Walking ifTable — 2 ifTable in Numbers — 1 ifTable in Numbers — 2 Instance Number The View Mask — 2 The View Mask — 3 The View Mask — 4 VACM Instance Number The View Mask — 2 The View Mask — 3 The View Mask — 4 VACM Examples Examples User-based Security Model References User-based Security Model References SNM — ver. 1.7 SNMP v3 - p. 19/36 SNM — ver. 1.7 SNMP v3 - p. 20/36 ifTable in Numbers — 1 $ snmpbulkwalk -v 2c -On -c public localhost ifTable .1.3.6.1.2.1.2.2.1.1.1 = INTEGER: 1 .1.3.6.1.2.1.2.2.1.1.2 = INTEGER: 2 .1.3.6.1.2.1.2.2.1.2.1 = STRING: lo .1.3.6.1.2.1.2.2.1.2.2 = STRING: eth0 .1.3.6.1.2.1.2.2.1.3.1 = INTEGER: softwareLoopback(24) .1.3.6.1.2.1.2.2.1.3.2 = INTEGER: ethernetCsmacd(6) .1.3.6.1.2.1.2.2.1.4.1 = INTEGER: 16436 .1.3.6.1.2.1.2.2.1.4.2 = INTEGER: 1500 .1.3.6.1.2.1.2.2.1.5.1 = Gauge32: 10000000 .1.3.6.1.2.1.2.2.1.5.2 = Gauge32: 100000000 .1.3.6.1.2.1.2.2.1.6.1 = STRING: .1.3.6.1.2.1.2.2.1.6.2 = STRING: 0:1:3:45:99:12 .1.3.6.1.2.1.2.2.1.7.1 = INTEGER: up(1) .1.3.6.1.2.1.2.2.1.7.2 = INTEGER: up(1) .1.3.6.1.2.1.2.2.1.8.1 = INTEGER: up(1) .1.3.6.1.2.1.2.2.1.8.2 = INTEGER: up(1) .1.3.6.1.2.1.2.2.1.10.1 = Counter32: 1073820735 .1.3.6.1.2.1.2.2.1.10.2 = Counter32: 1620632733 Goals of SNMPv3 (RFC 3411) VACM VACM on Net-SNMP VACM ifTable in Numbers — 2 .1.3.6.1.2.1.2.2.1.11.1 .1.3.6.1.2.1.2.2.1.11.2 .1.3.6.1.2.1.2.2.1.13.1 .1.3.6.1.2.1.2.2.1.13.2 .1.3.6.1.2.1.2.2.1.14.1 .1.3.6.1.2.1.2.2.1.14.2 .1.3.6.1.2.1.2.2.1.16.1 .1.3.6.1.2.1.2.2.1.16.2 .1.3.6.1.2.1.2.2.1.17.1 .1.3.6.1.2.1.2.2.1.17.2 .1.3.6.1.2.1.2.2.1.19.1 .1.3.6.1.2.1.2.2.1.19.2 .1.3.6.1.2.1.2.2.1.20.1 .1.3.6.1.2.1.2.2.1.20.2 .1.3.6.1.2.1.2.2.1.21.1 .1.3.6.1.2.1.2.2.1.21.2 .1.3.6.1.2.1.2.2.1.22.1 .1.3.6.1.2.1.2.2.1.22.2 = = = = = = = = = = = = = = = = = = Counter32: 2950449 Counter32: 105216646 Counter32: 0 Counter32: 0 Counter32: 0 Counter32: 0 Counter32: 1073821769 Counter32: 2594849796 Counter32: 2950461 Counter32: 81734428 Counter32: 0 Counter32: 0 Counter32: 0 Counter32: 0 Gauge32: 0 Gauge32: 0 OID: SNMPv2-SMI::zeroDotZero OID: SNMPv2-SMI::zeroDotZero Goals of SNMPv3 (RFC 3411) VACM VACM on Net-SNMP VACM Views Views View Mask View Mask and the ifTable Walking ifTable — 1 Walking ifTable — 2 ifTable in Numbers — 1 ifTable in Numbers — 2 View Mask View Mask and the ifTable Walking ifTable — 1 Walking ifTable — 2 ifTable in Numbers — 1 ifTable in Numbers — 2 Instance Number The View Mask — 2 The View Mask — 3 The View Mask — 4 VACM Instance Number The View Mask — 2 The View Mask — 3 The View Mask — 4 VACM Examples Examples User-based Security Model References User-based Security Model References SNM — ver. 1.7 SNMP v3 - p. 21/36 SNM — ver. 1.7 SNMP v3 - p. 22/36 Instance Number I I I The View Mask — 2 Goals of SNMPv3 (RFC 3411) VACM VACM on Net-SNMP VACM I I I Notice that the index is the number at the end of the OID Called an instance number. Index starts from 1 Suppose we are an ISP, want to allow customer A to view their own network interface, but not that of customer B, their competitor. Note that as we go along a row, the OID element just before the instance number changes Suppose customer A has a network interface with the index 5. $ snmptranslate -On IF-MIB::ifOutOctets.5 .1.3.6.1.2.1.2.2.1.16.5 So want to allow access for customer A to .1.3.6.1.2.1.2.2.1.*.5 I We can provide a view mask to specify this: 1 1 3 1 f 6 1 1 1 2 1 1 1 f 2 1 2 1 1 1 * 0 a 5 1 * 0 * 0 * 0 0 * 0 * 0 Goals of SNMPv3 (RFC 3411) VACM VACM on Net-SNMP VACM > > > > > > ; 9 > > > > > > = > > > > > > ; 9 > > > > > > = > > > > > > ; 9 > > > > > > = > > > > > > ; 9 > > > > > > = Views Views View Mask View Mask and the ifTable Walking ifTable — 1 Walking ifTable — 2 ifTable in Numbers — 1 ifTable in Numbers — 2 View Mask View Mask and the ifTable Walking ifTable — 1 Walking ifTable — 2 ifTable in Numbers — 1 ifTable in Numbers — 2 I Instance Number The View Mask — 2 The View Mask — 3 The View Mask — 4 VACM I Examples I I User-based Security Model References A zero in the bit mask is like a wildcard or “don’t care” specifier A mask of all 1’s is the same as a single view subtree specified by the family name (it’s the same as not specifying a mask) Here the mask is specified as ff.a0 For Net-SNMP, the mask is specified as a list of hexadecimal bytes separated with ‘.’ or ‘:’. Instance Number The View Mask — 2 The View Mask — 3 The View Mask — 4 VACM Examples User-based Security Model References SNM — ver. 1.7 SNMP v3 - p. 23/36 SNM — ver. 1.7 SNMP v3 - p. 24/36 The View Mask — 3 I The View Mask — 4 Goals of SNMPv3 (RFC 3411) VACM VACM on Net-SNMP VACM I I I view custA included interfaces.ifTable.ifEntry.ifIndex.5 ff.a0 Note that in creating a view mask, we start from the left, writing hexadecimal digits. We don’t care about the bits representing non-existent elements after the end of the subtree parent. N I mean the bits to the right of the vertical line in slide §24 N These bits could be one or zero; I chose zero, since zero means “don’t care; you can use any value here” We can specify this family of view subtrees like this: I Views View Mask View Mask and the ifTable Walking ifTable — 1 Walking ifTable — 2 ifTable in Numbers — 1 ifTable in Numbers — 2 Instance Number The View Mask — 2 The View Mask — 3 The View Mask — 4 VACM I This view can then be used in an access statement N see the example in slide §29 Examples I User-based Security Model References One bit in the view mask determines access to one element in the OID N It doesn’t matter how big or small the numerical component of the OID is N one bit controls whether different values for that component are included in the family of view subtrees or not RFC 3415 says that any bit mask is extended with 1’s to the same length in bits as the number of identifiers in the OID if it is shorter. As a consequence, a family mask of zero length corresponds to a single view subtree. Goals of SNMPv3 (RFC 3411) VACM VACM on Net-SNMP VACM Views View Mask View Mask and the ifTable Walking ifTable — 1 Walking ifTable — 2 ifTable in Numbers — 1 ifTable in Numbers — 2 Instance Number The View Mask — 2 The View Mask — 3 The View Mask — 4 VACM Examples User-based Security Model References SNM — ver. 1.7 SNMP v3 - p. 25/36 SNM — ver. 1.7 SNMP v3 - p. 26/36 Net-SNMP VACM Example 1 # sec.name source com2sec local localhost com2sec ictnetwork 172.19.64.0/18 # group group group group group.name MyRWGroup MyRWGroup MyROGroup MyROGroup sec.model v1 v2c v1 v2c community mypP?rC32 public Goals of SNMPv3 (RFC 3411) VACM VACM on Net-SNMP VACM Net-SNMP VACM Example 1 I sec.name local local ictnetwork ictnetwork Views I View Mask View Mask and the ifTable VACM Examples VACM Net-SNMP Example 1 I Net-SNMP VACM Example 1 In the example in §27, read-write access using the community string “mypP?rC32” is allowed from the same machine only (localhost). read only access is allowed from any machine in the ICT laboratory subnet using the (badly chosen) community string “public”. No traps or inform requests can be sent by the agent. Goals of SNMPv3 (RFC 3411) VACM VACM on Net-SNMP VACM Views View Mask View Mask and the ifTable VACM Examples VACM Net-SNMP Example 1 Net-SNMP VACM Example 1 Net-SNMP VACM Example 2 Cisco VACM Configuration User-based Security Model References # viewname incl/excl subtree view all included .1 # group.name context sec.model sec.level match access MyROGroup "" any noauth exact access MyRWGroup "" any noauth exact Net-SNMP VACM Example 2 Cisco VACM Configuration User-based Security Model read write notif References all none none all all none SNM — ver. 1.7 SNMP v3 - p. 27/36 SNM — ver. 1.7 SNMP v3 - p. 28/36 Net-SNMP VACM Example 2 group companyA usm companyAManager group companyB usm companyBManager view viewA included IF-MIB::ifIndex.5 ff.a0 view viewB included IF-MIB::ifIndex.2 ff.a0 access companyA "" usm priv exact viewA none access companyB "" usm priv exact viewB none I Goals of SNMPv3 (RFC 3411) VACM VACM on Net-SNMP VACM Cisco VACM Configuration I Views I View Mask View Mask and the ifTable VACM I companyAManager is a USM user that has read-only access to the ifTable row that corresponds to the company A’s own network interface, and no other access. companyBManager is a USM user that has read-only access to the ifTable row that corresponds to the company B’s own network interface, and no other access. none none I Examples VACM Net-SNMP Example 1 Net-SNMP VACM Example 1 Net-SNMP VACM Example 2 Cisco VACM Configuration User-based Security Model References I Cisco IOS specifies a view with the following syntax: snmp-server view viewA ifEntry.*.5 included snmp-server view viewB ifEntry.*.2 included Can specify a group with: snmp-server group groupA v3 auth read viewA Cisco uses the snmp-server user command to specify users and group membership See also pages 284–285 of Essential SNMP. Goals of SNMPv3 (RFC 3411) VACM VACM on Net-SNMP VACM Views View Mask View Mask and the ifTable VACM Examples VACM Net-SNMP Example 1 Net-SNMP VACM Example 1 Net-SNMP VACM Example 2 Cisco VACM Configuration User-based Security Model References SNM — ver. 1.7 SNMP v3 - p. 29/36 SNM — ver. 1.7 SNMP v3 - p. 30/36 User-based Security Model I USM I Configuring USM Users — 1 Goals of SNMPv3 (RFC 3411) VACM VACM on Net-SNMP VACM I I I allows remote configuration of users Securely supports strong authentication using MD5 or SHA1 and encryption using DES Remotely create new users by cloning existing users Can only clone a user once Each user must be given access using VACM or that user account cannot be used N Add the user to a group N provide access to that group through views I USM I Views View Mask View Mask and the ifTable VACM Examples I I User-based Security Model User-based Security Model Configuring USM Users — 1 Configuring USM Users — 2 Remotely Creating USM Users References I users can be created with the net-snmp-config program: Stop the agent first, then create the initial user: $ sudo service snmpd stop $ sudo net-snmp-config --create-snmpv3-user \ -a "my_password" myuser SNMPv3 pass phrases must be at least 8 characters long. We have created a user “myuser” with a password of “my_password” and using MD5 for authentication and DES for encryption. Very simple access control has been added to /usr/share/snmp/snmpd.conf allowing the user write access to entire tree Goals of SNMPv3 (RFC 3411) VACM VACM on Net-SNMP VACM Views View Mask View Mask and the ifTable VACM Examples User-based Security Model User-based Security Model Configuring USM Users — 1 Configuring USM Users — 2 Remotely Creating USM Users References SNM — ver. 1.7 SNMP v3 - p. 31/36 SNM — ver. 1.7 SNMP v3 - p. 32/36 Configuring USM Users — 2 I Remotely Creating USM Users Goals of SNMPv3 (RFC 3411) VACM VACM on Net-SNMP VACM Now start the agent, and test the user. First we test without encryption, then with encryption: $ sudo service $ snmpget -v 3 -A my_password $ snmpget -v 3 -A my_password I We clone the first user we created: Goals of SNMPv3 (RFC 3411) VACM VACM on Net-SNMP VACM snmpd start -u myuser -l authNoPriv -a MD5 \ localhost sysUpTime.0 -u myuser -l authPriv -a MD5 \ -x DES -X my_password localhost sysUpTime.0 $ snmpusm -v 3 -u myuser -l authNoPriv -a MD5 \ -A my_password localhost create nicku myuser Views I View Mask View Mask and the ifTable VACM I I I Can create as many users as you like in this way. Better to improve access control using VACM over the default of write access everywhere Examples User-based Security Model User-based Security Model Configuring USM Users — 1 Configuring USM Users — 2 Remotely Creating USM Users References $ snmpusm -v 3 -u nicku -l authNoPriv -a MD5 \ -A my_password localhost passwd my_password \ new_passphrase N I We now have created user nicku with the same password as the “myuser” user. Now change the password: Views View Mask View Mask and the ifTable VACM Examples User-based Security Model User-based Security Model Configuring USM Users — 1 Configuring USM Users — 2 Remotely Creating USM Users References See man snmpusm and man snmpcmd Can put account information into a local ∼/.snmp/snmp.conf that is readable only by you N See man snmp.conf SNM — ver. 1.7 SNMP v3 - p. 33/36 SNM — ver. 1.7 SNMP v3 - p. 34/36 SNMP Standards and RFCs I References Goals of SNMPv3 (RFC 3411) VACM VACM on Net-SNMP VACM The standards were updated in December 2002 N Most (all?) text books are out of date SNMPv1 SMIv1 Concise MIB definitions SNMPv1 traps SNMPv2c Old SNMPv3 overview SMIv2 SMIv2 textual conventions SMIv2 conformance RFC 3411 RFC 3412 RFC 3413 RFC 3414 RFC 3415 RFC 3416 RFC 3417 RFC 3418 RFC 3512 RFC 3584 SNMPv3 architecture SNMPv3 message processing SNMPv3 applications SNMPv3 USM SNMPv3 VACM SNMPv2 protocol operations SNMPv2 transport mappings SNMPv2 MIB SNMP configuring networks info SNMP coexistence v1 v2 v3 best practice I RFCs 3411–3415. Available from many sites, including Goals of SNMPv3 (RFC 3411) VACM VACM on Net-SNMP VACM http://www.rfc-editor.org. I See the Net-SNMP FAQ, in /usr/share/doc/net-snmp-5.2.1/FAQ. RFC 1155 RFC 1157 RFC 1212 RFC 1215 RFC 1901 RFC 2570 RFC 2578 RFC 2579 RFC 2580 Views Also see /usr/share/doc/net-snmp-5.2.1/README.snmpv3. Views View Mask View Mask and the ifTable VACM I William Stallings, SNMP, SNMPv2, SNMPv3, and RMON 1 and 2, Third View Mask View Mask and the ifTable VACM Examples User-based Security Model References SNMP Standards and RFCs References edition, Addison-Wesley, 1999, 0-201-48534-6. N Pages 526, 527 explain the context example from RFC 2271 well. Actually, the example is changed slightly in RFC 3411 Management, Prentice Hall, 1999, 0-13-021453-1. Examples User-based Security Model References SNMP Standards and RFCs References I David Zeltersman, A Practical Guide to SNMPv3 and Network I Stephen B. Morris, Network Management, MIBs and MPLs: Principles, Design and Implementation, Prentice Hall, 2003, 0-13-101113-8. 1-56592-942-X. I James Boney, Cisco IOS In a Nutshell, O’Reilly, January 2002, I Douglas R. Mauro and Kevin J. Schmidt, Essential SNMP, O’Reilly, July 2001, 0-596-00020-0. SNM — ver. 1.7 SNMP v3 - p. 35/36 SNM — ver. 1.7 SNMP v3 - p. 36/36