Closed lunkwill42 closed 11 months ago
These seem to be the minimum options required to establish SNMPv3 communication using the User Security Model (names taken from NET-SNMP command line tool options):
Attribute | Description | Allowable values |
---|---|---|
secLevel |
Security level of the session | noAuthNoPriv(1) , authNoPriv(2) , authPriv(3) |
authProtocol |
Authentication protocol | NET-SNMP supports: MD5, SHA, SHA-512, SHA-384, SHA-256, SHA-224 |
secName |
A security/user name | Any string |
authPassword |
An authentication password for the secName |
Any string |
privProtocol |
Which kind of encryption to use for privacy | DES or AES are supported by NET-SNMP |
privPassword |
A privacy passphrase, which basically amounts to the key to use for DES or AES encryption | Any string |
Optionally, we might want to support setting authentication and encryption keys manually as hexadecimal values (rather than deriving them from passphrases), but is currently unclear how useful this would be. These options are supported by NET-SNMP: defAuthMasterKey
, defPrivMasterKey
, defAuthLocalizedKey
defPrivLocalizedKey
The following options are also supported by NET-SNMP commands, but it is currently unclear whether they would be useful to include them in NAV as session options:
Attribute | Description | Allowable values |
---|---|---|
contextName |
SNMPv3 messages supports the notion of "contexts". The default context value is just an empty string. Parts of NAV will probably want to manipulate the context name for individual requests, like exploring different VLAN or VRF contexts, but it is unclear if changing the default context name has any value to the end user | Any string |
engineID |
Set the authoritative (security) engineID used for SNMPv3 REQUEST messages, given as a hexadecimal string (optionally prefixed by "0x"). It is typically not necessary to specify this engine ID, as it will usually be discovered automatically. | |
contextEngineID |
Set the context engineID used for SNMPv3 REQUEST messages scopedPdu, given as a hexadecimal string. If not specified, this will default to the authoritative engineID. |
While we are waiting for the engineering team to actually set up some network devices to talk SNMPv3, I've added #2697 for testing locally. The initial part of the research phase seems to be done for now, so I'm closing this.
In principle, SNMPv3 is just a framework for authentication and privacy on top of the existing SNMP standards - i.e. all the protocol operations from SNMPv2c are unchanged, as are their PDU packet formats. The PDUs are wrapped in a new SNMPv3 packet format, though, which adds the authentication and privacy bits.
SNMPv3 was initially defined with only a single security model, the User Security Model (USM), defined by RFC 3414. A later RFC (5591) adds the Transport Security Model (TSM), which is basically a TLS layer for SNMP.
NET-SNMP appears to support both of these security models.
Deploying the TSM seems like a considerable effort unless an organization already has established an X.509 public key infrastructure. We deem it likely that for our own purposes (initially, at least) we will deploy using the USM.
I therefore suggest that NAV's initial implementation will only provide for configuring USM details in SNMPv3 profiles