
Recipe 17.21 Enabling SNMPv3

17.21.1 Problem

You want to enable SNMPv3 on your router for security purposes.

17.21.2 Solution

SNMPv3 supports three modes of operation, each with different security features. These modes were summarized in Table 17-1 at the beginning of this chapter. The following configuration commands enable SNMPv3 with no authentication and no encryption services (noAuthNoPriv):

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server view TESTV3 mib-2 include
Router(config)#snmp-server group NOTSAFE v3 noauth read TESTV3
Router(config)#snmp-server user WEAK NOTSAFE v3
Router(config)#end
Router#

Use the following configuration commands to enable SNMPv3 with MD5 authentication and no encryption services (authNoPriv):

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server view TESTV3 mib-2 include
Router(config)#snmp-server group ORAROV3 v3 auth read TESTV3
Router(config)#snmp-server user cking ORAROV3 v3 auth md5 daytona19y 
Router(config)#end
Router#

And you can enable SNMPv3 with MD5 authentication and DES encryption services (authPriv) as follows:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server view TESTV3 mib-2 include
Router(config)#snmp-server group ORAROV3 v3 auth read TESTV3
Router(config)#snmp-server user bpugsley ORAROV3 v3 auth md5 hockeyrules priv des56 shortguy
Router(config)#end
Router#

17.21.3 Discussion

The IETF has recently approved SNMP Version 3 (SNMPv3) as a full standard and moved SNMPv1 and SNMPv2 to historic status. Essentially, SNMPv3 just acts like a set of security extensions to SNMPv2c, without providing much new core management functionality. All MIB objects and their associated OIDs remain the same from Versions 1 to 3 (with the small exception of the 64-bit counters that were introduced in Version 2). We will focus our attention on the new security features in Version 3.

Security has traditionally been the Achilles' heel of SNMP. The security model for Versions 1 and 2c was little more than a simple password sent through the network as clear-text. SNMP required a security facelift to continue to be useful in the future.

SNMPv3 is a standards-based network management protocol that is interoperable between vendors. It provides secure access to devices by authenticating and encrypting SNMP packets throughout the network. To do this, SNMPv3 needed to include the following security features: authentication, message integrity, and encryption.

SNMPv3 provides three security levels: noAuthNoPriv, authNoPriv, and authPriv.

All three SNMPv3 security models require the same three-step process to configure them. First, you must define an SNMP view. Second, you need to create an SNMP group. Third, you create an SNMP user profile and assign it to a group.

Defining an SNMP view for SNMPv3 is no different from creating a view for SNMPv1 or SNMPv2c. In fact, if there are existing SNMP views on the router that were created for SNMPv1 or SNMPv2c, you can use them with SNMPv3 as well. For more information on creating SNMP views, please see Recipe 17.7.

For example, here is a simple SNMP view that allows full access to the MIB-II tree:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server view TESTV3 mib-2 include
Router(config)#end
Router#

To define an SNMPv3 group, use the following command:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server group ORAROV3 v3 auth read TESTV3
Router(config)#end
Router#

In this example, we have created a group named ORAROV3, which we have configured as an SNMPv3 group (hence the v3). We have configured this group to require authentication and assigned it to SNMP view TESTV3. Note that we have not assigned a write view to this group, which means that all users assigned to this group will be limited to read-only access. However, the snmp-server group command will also allow you to define a read and a write view at the same time. For example:

Router#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server view TESTRO mib-2 include                           
Router(config)#snmp-server view TESTRW system include
Router(config)#snmp-server group TESTGRP v3 auth read TESTRO write TESTRW          
Router(config)#end
Router#

In this example, we defined two separate SNMP views (TESTRO and TESTRW) and assigned them to our group as the read view and the write view, respectively. Note, however, that you can assign the same SNMP view as both the read view and the write view.

To define an SNMPv3 user, use the following command:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server user bpugsley ORAROV3 v3 auth md5 hockeyrules priv des56 shortguy
Router(config)#end
Router#

In this example, we have created a user named bpugsley and assigned that user to our group named ORAROV3. This user will inherit the qualities that we have configured for that group. We have also defined that our user will use the MD5 algorithm for authentication purposes and assigned an authentication password of hockeyrules. We have also configured our user to use the optional DES56 packet encryption with the password shortguy to provide maximum security. Note that this command, once entered, will not be viewable using the show running-config command. We suspect that this is for security purposes.
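Because IOS hides snmp-server user lines from the running configuration and show snmp user does not report a user's group or security level, it helps to audit the view, group, and user commands before they are pushed to the router. The following script is an added example, not code from this book or from Cisco: it parses snmp-server view, group, and user commands (prompt included, as copied from a terminal session), follows the user-to-group-to-view chain described above, and reports for each user the security level the group requires, the level the user's keys can supply, and the read and write views. The sample configuration is constructed from this recipe's own commands plus the TESTRO and TESTRW views needed by the TESTGRP example.

```python
"""Audit Cisco IOS snmp-server commands before they are pushed to a router.

Added example, not code from the Cisco IOS Cookbook or from Cisco. The sample
configuration below is constructed from the commands shown in this recipe.
"""
import re

# Keyword used in 'snmp-server group' -> SNMPv3 security level name
SECURITY_LEVELS = {"noauth": "noAuthNoPriv", "auth": "authNoPriv", "priv": "authPriv"}

# Constructed sample: the recipe's commands, copied with their prompts.
SAMPLE_CONFIG = """
Router(config)#snmp-server view TESTV3 mib-2 include
Router(config)#snmp-server view TESTRO mib-2 include
Router(config)#snmp-server view TESTRW system include
Router(config)#snmp-server group NOTSAFE v3 noauth read TESTV3
Router(config)#snmp-server group ORAROV3 v3 auth read TESTV3
Router(config)#snmp-server group TESTGRP v3 auth read TESTRO write TESTRW
Router(config)#snmp-server user WEAK NOTSAFE v3
Router(config)#snmp-server user cking ORAROV3 v3 auth md5 daytona19y
Router(config)#snmp-server user bpugsley ORAROV3 v3 auth md5 hockeyrules priv des56 shortguy
Router(config)#end
"""


def parse_snmp_config(text):
    """Return (views, groups, users) dictionaries built from snmp-server lines."""
    views, groups, users = {}, {}, {}
    for raw in text.splitlines():
        # Tolerate lines copied from a terminal session, prompt and all.
        line = re.sub(r"^\s*Router\(config\)#", "", raw).strip()
        if not line.startswith("snmp-server "):
            continue
        tokens = line.split()
        kind = tokens[1]
        if kind == "view":
            # snmp-server view NAME OID-TREE include|exclude
            views.setdefault(tokens[2], []).append((tokens[3], tokens[4]))
        elif kind == "group":
            # snmp-server group NAME v3 noauth|auth|priv [read V] [write V] [notify V]
            name, version, rest = tokens[2], tokens[3], tokens[4:]
            group = {"version": version, "level": "noauth", "read": None, "write": None, "notify": None}
            if version == "v3" and rest and rest[0] in SECURITY_LEVELS:
                group["level"] = rest.pop(0)
            # Remaining tokens are keyword/value pairs such as "read TESTV3".
            for key, value in zip(rest[::2], rest[1::2]):
                if key in ("read", "write", "notify"):
                    group[key] = value
            groups[name] = group
        elif kind == "user":
            # snmp-server user NAME GROUP v3 [auth md5|sha PW [priv des56 PW]]
            user = {"group": tokens[3], "auth": None, "priv": None}
            if "auth" in tokens:
                user["auth"] = tokens[tokens.index("auth") + 1]
            if "priv" in tokens:
                user["priv"] = tokens[tokens.index("priv") + 1]
            users[tokens[2]] = user
    return views, groups, users


def audit(text):
    """Return (summary, findings): per-user effective levels and security issues."""
    views, groups, users = parse_snmp_config(text)
    summary, findings = {}, []
    order = list(SECURITY_LEVELS)
    for name, group in groups.items():
        for which in ("read", "write", "notify"):
            view = group[which]
            if view and view not in views:
                findings.append(("group", name, f"{which} view {view} is not defined"))
        if group["version"] != "v3" or group["level"] == "noauth":
            findings.append(("group", name, "accepts requests with no authentication"))
    for name, user in users.items():
        group = groups.get(user["group"])
        if group is None:
            findings.append(("user", name, f"group {user['group']} is not defined"))
            continue
        supplied = "priv" if user["priv"] else "auth" if user["auth"] else "noauth"
        required = group["level"]
        summary[name] = (user["group"], SECURITY_LEVELS[required], SECURITY_LEVELS[supplied],
                         group["read"], group["write"])
        if supplied == "noauth":
            findings.append(("user", name, "no authentication key: the user name alone grants access"))
        elif order.index(supplied) < order.index(required):
            findings.append(("user", name, f"group requires {required} but user only supplies {supplied}"))
    return summary, findings


if __name__ == "__main__":
    summary, findings = audit(SAMPLE_CONFIG)
    for user, (grp, required, supplied, read, write) in summary.items():
        print(f"{user:10} group={grp:8} required={required:12} supplied={supplied:12} read={read} write={write}")
    for kind, name, problem in findings:
        print(f"FINDING {kind} {name}: {problem}")
```

Run against the recipe's commands, the report flags the NOTSAFE group and the WEAK user (both noAuthNoPriv) and shows that bpugsley supplies authPriv keys to a group that only demands authNoPriv, which is exactly the information show snmp user leaves out.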

To view existing SNMP groups, use the show snmp group command:

Router#show snmp group
   
groupname: ORAROV3                      security model:v3 auth 
readview :TESTV3                        writeview: <no writeview specified> 
notifyview: <no notifyview specified>
row status: active
   
Router#

In this example, the group ORAROV3 is assigned to the security model v3 auth, the read-only view is TESTV3, and no read-write view exists.

To view the configured SNMPv3 users, use the following command:

Router#show snmp user
User name: bpugsley
Engine ID: 80000009030000019670B770
storage-type: nonvolatile        active
   
Router#

Unfortunately, this command provides very little useful information. Apart from confirming if a user exists or not, the output does not display which group the user belongs to, or if the user is configured to use authentication or encryption. When you consider that Cisco's IOS also hides the user SNMP commands from the running configuration, it becomes clear that managing SNMPv3 users is a difficult task. We hope that Cisco will change the output of this command in upcoming releases as SNMPv3 becomes more popular.

17.21.4 Using the SNMPv3 Security Levels

You can extract SNMP information from the router using each of the three SNMPv3 security levels. We will use NET-SNMP's snmpget command, which has full SNMPv3 support.

In our first example (noAuthNoPriv), we will poll the router for its system name using a standard MIB-II object, sysName.

Freebsd% snmpget -v3 -u WEAK -l noAuthNoPriv  Router  sysName.0
system.sysName.0 = Router.oreilly.com
Freebsd%

Note that no user password was supplied, so the router simply accepted the user ID WEAK for authentication purposes. This user ID was sent through the network in clear-text. This command has also introduced two new attributes for the snmpget command: -u and -l. The -u attribute allows you to specify the security name, while -l defines the security level.

The next example uses the authNoPriv security model. We will poll the exact same MIB object using MD5 authentication:

Freebsd% snmpget -v3 -u cking -l authNoPriv -a MD5 -A daytona19y Router sysName.0
system.sysName.0 = Router.oreilly.com
Freebsd%

In this example, we specify a user password daytona19y using the -A option and the authentication protocol MD5 with the -a option. SNMPv3 uses the authentication protocol to authenticate users without sending the password in clear-text. It is important to notice that the result of this SNMP Get is the same as our first example. However, we gathered the information in a much more secure manner. In fact, the same MIB object (sysName) could be retrieved using SNMPv1 if the router was configured to accept the request. However, this method would be considerably less secure.
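The reason the password never appears on the wire is the key handling of the User-based Security Model (RFC 3414): the password is stretched into a key, that key is localized to the agent's engine ID, and each message carries only a 12-byte HMAC computed with the localized key. The following script is an added example, not code from this book or from NET-SNMP: it implements the password-to-key algorithm (RFC 3414 appendix A.2), the key localization of section 2.6, and the HMAC-MD5-96 authentication parameter, and checks itself against the test vector published in RFC 3414 appendix A.3.1. The engine IDs and password used in the demonstration are the ones printed elsewhere in this recipe; the message being signed is a constructed placeholder rather than a real SNMP PDU.

```python
"""How an SNMPv3 password becomes a per-agent key and a message HMAC (RFC 3414).

Added example, not code from the Cisco IOS Cookbook or from NET-SNMP.
"""
import hashlib
import hmac


def password_to_key(password: str, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2: hash 1 MiB of the password repeated end to end, giving Ku."""
    pw = password.encode()
    stream = (pw * (1_048_576 // len(pw) + 1))[:1_048_576]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku). Differs for every agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_parameters(kul: bytes, whole_msg: bytes, hash_name: str = "md5") -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: the first 12 bytes of an HMAC over the whole
    message, computed while msgAuthenticationParameters holds twelve zero bytes."""
    return hmac.new(kul, whole_msg, hash_name).digest()[:12]


def verify_message(kul: bytes, whole_msg: bytes, received: bytes, hash_name: str = "md5") -> bool:
    """Recompute the 12-byte tag and compare it in constant time."""
    return hmac.compare_digest(auth_parameters(kul, whole_msg, hash_name), received)


if __name__ == "__main__":
    # Engine IDs printed in this recipe (show snmp user and the Ethereal capture).
    engine_a = bytes.fromhex("80000009030000019670B780")
    engine_b = bytes.fromhex("80000009030000019670B770")
    ku = password_to_key("hockeyrules")
    kul_a = localize_key(ku, engine_a)
    kul_b = localize_key(ku, engine_b)
    print("Ku (never sent):        ", ku.hex())
    print("Kul for engine ...B780: ", kul_a.hex())
    print("Kul for engine ...B770: ", kul_b.hex())
    # Constructed stand-in for a BER-encoded SNMPv3 message with zeroed auth params.
    msg = b"constructed SNMPv3 message bytes with 12 zero auth bytes"
    tag = auth_parameters(kul_a, msg)
    print("msgAuthenticationParameters:", tag.hex())
    print("verifies with own key:", verify_message(kul_a, msg, tag))
    print("verifies with other engine's key:", verify_message(kul_b, msg, tag))
```

Two properties worth noting from the output: the wire carries only the 12-byte tag, so a capture like the one later in this recipe reveals the user name but not the password, and because Kul includes the engine ID, the key used with one router is not the key used with another even though the same password was typed on both.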

The final example illustrates how to poll a MIB object using the authentication and encryption services of the authPriv security model:

Freebsd% snmpget -v3 -u bpugsley -l authPriv -a MD5 -A hockeyrules -x DES -X shortguy Router sysName.0
system.sysName.0 = Router.oreilly.com
Freebsd%

In this example, we added two new variables, privacy protocol type DES using -x DES and a privacy protocol pass phrase with -X shortguy. These variables enable SNMPv3 packet encryption and specify the pass phrase to use. This ensures that prying eyes cannot view the packet contents in transit. To illustrate the effectiveness of SNMPv3's encryption service, we provide a captured SNMPv3 packet. The packet was captured using the Ethereal protocol analyzer (for more information on Ethereal please see Appendix A):

Simple Network Management Protocol
    Version: 3
    Message Global Header
        Message Global Header Length: 16
        Message ID: 1608369049
        Message Max Size: 1480
        Flags: 0x03
            .... .0.. = Reportable: Not set
            .... ..1. = Encrypted: Set
            .... ...1 = Authenticated: Set
        Message Security Model: USM
    Message Security Parameters
        Message Security Parameters Length: 58
        Authoritative Engine ID: 80000009030000019670B780
        Engine Boots: 2
        Engine Time: 1469970
        User Name: bpugsley
        Authentication Parameter: B53EFA21230735541B207A39
        Privacy Parameter: 00000002C483B016
    Encrypted PDU (74 bytes)

The packet response from the router contains some useful SNMP information, such as current version, encryption enabled, authentication enabled, and username (bpugsley), but Ethereal is unable to decipher the payload (Encrypted PDU). This is significant because the other versions of SNMP—including the other security models within SNMPv3—transport payload information in clear-text. At last, SNMP has evolved into a secure protocol.
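The part of the capture that Ethereal could still read is the msgGlobalData header, a BER SEQUENCE of message ID, maximum size, msgFlags, and security model; the Flags byte 0x03 is what announces the authPriv level. The following script is an added example, not code from this book or from Ethereal: it contains a minimal BER reader and writer, rebuilds the 16-byte header from the values shown in the capture (message ID 1608369049, max size 1480, flags 0x03, security model 3 for USM), and decodes msgFlags into the securityLevel names of RFC 3412, rejecting the one combination that RFC 3412 declares invalid (privacy without authentication). The BER helpers and field names are this example's own; they follow RFC 3412 rather than any library API.

```python
"""Decode the SNMPv3 msgGlobalData header shown in the Ethereal capture above.

Added example, not code from the Cisco IOS Cookbook or from Ethereal/Wireshark.
"""

# msgSecurityModel values from RFC 3411
SECURITY_MODELS = {0: "any", 1: "SNMPv1", 2: "SNMPv2c", 3: "USM"}


def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_int(value: int) -> bytes:
    """INTEGER with a minimal two's-complement body (non-negative values only)."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    while len(body) > 1 and body[0] == 0 and body[1] < 0x80:
        body = body[1:]
    return b"\x02" + ber_len(len(body)) + body


def ber_octets(data: bytes) -> bytes:
    """OCTET STRING."""
    return b"\x04" + ber_len(len(data)) + data


def encode_global_data(msg_id: int, max_size: int, flags: int, security_model: int) -> bytes:
    """msgGlobalData ::= SEQUENCE { msgID, msgMaxSize, msgFlags, msgSecurityModel }"""
    inner = ber_int(msg_id) + ber_int(max_size) + ber_octets(bytes([flags])) + ber_int(security_model)
    return b"\x30" + ber_len(len(inner)) + inner


def ber_read(data: bytes, pos: int = 0):
    """Return (tag, value_bytes, next_pos) for the TLV starting at pos."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    if pos + length > len(data):
        raise ValueError("truncated BER element")
    return tag, data[pos:pos + length], pos + length


def decode_flags(flags: bytes) -> dict:
    """msgFlags: bit 0 = authFlag, bit 1 = privFlag, bit 2 = reportableFlag (RFC 3412)."""
    f = flags[0]
    auth, priv, reportable = bool(f & 0x01), bool(f & 0x02), bool(f & 0x04)
    if priv and not auth:
        raise ValueError("privFlag without authFlag is not a valid securityLevel")
    level = "authPriv" if priv else "authNoPriv" if auth else "noAuthNoPriv"
    return {"auth": auth, "priv": priv, "reportable": reportable, "level": level}


def parse_global_data(blob: bytes) -> dict:
    """Decode a msgGlobalData SEQUENCE into its named fields."""
    tag, body, _ = ber_read(blob)
    if tag != 0x30:
        raise ValueError("msgGlobalData must be a SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        t, v, pos = ber_read(body, pos)
        fields.append((t, v))
    if [t for t, _ in fields] != [0x02, 0x02, 0x04, 0x02]:
        raise ValueError("unexpected field layout in msgGlobalData")
    model = int.from_bytes(fields[3][1], "big")
    return {
        "msg_id": int.from_bytes(fields[0][1], "big", signed=True),
        "max_size": int.from_bytes(fields[1][1], "big", signed=True),
        "flags": decode_flags(fields[2][1]),
        "security_model": SECURITY_MODELS.get(model, f"unknown({model})"),
        "header_length": len(body),
    }


if __name__ == "__main__":
    # Values taken from the capture shown in this recipe.
    blob = encode_global_data(1608369049, 1480, 0x03, 3)
    print("msgGlobalData:", blob.hex())
    print(parse_global_data(blob))
```

Rebuilding the header from the captured values gives a SEQUENCE body of exactly 16 bytes, matching the "Message Global Header Length: 16" line in the capture. A monitoring script can apply decode_flags to live SNMPv3 traffic to confirm that every manager really is using the authPriv level, since the header is the one part of the message that stays readable.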

Of course, SNMPv3 also provides full support for traps and informs including authentication, message integrity, and encryption. SNMPv3 traps and informs support the same three models of security as inbound services do. However, the noAuthNoPriv model provides no tangible advantage over SNMPv1 or SNMPv2c, and the authPriv model tends to be overkill since few networks will require encrypted traps.

To enable SNMPv3 trap support using authentication and message integrity, use the following command:

Router#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server host 172.25.1.1 version 3 auth ijbrown snmp envmon 
Router(config)#end
Router#

The process of enabling SNMPv3 traps or informs is similar to the process for SNMPv2c, but with a few minor twists. First, you must define an SNMPv3 group and user, as in the previous examples. Second, you must include the keyword auth, which enables authentication. Third, you must include a valid SNMPv3 user (ijbrown, in this case). The router is then capable of forwarding SNMPv3 traps with full SNMPv3 authentication and message integrity enabled. For more information on enabling SNMP traps in general, see Recipe 17.13.

17.21.5 See Also

Recipe 17.1; Recipe 17.13; Recipe 17.7
