SNMPv3 USM (User-based Security Model) User
Solution

Introduction

The SNMPv3 message encapsulates a Protocol Data Unit (PDU) compatible with earlier versions of SNMP. The implementation allows an administrator to create user accounts that make use of the User-based Security Model (USM) in SNMPv3.

SNMPv3 defines a user-based security mechanism that enables per-message authentication and encryption. For more information, refer to RFC 2574.

Any user account created in IPSO Network Voyager / Gaia Portal / Clish with a password that is at least 8 characters long will be considered an SNMP USM user. USM keys for SNMP will not be created if the password is shorter than eight characters. A USM user has a default permission of read-only (this can be changed at a later time).

 

SNMPv3 Authentication and Privacy

Three combinations of authentication and privacy are supported in SNMPv3:

  • noAuthNoPriv: No authentication and no privacy (encryption) will be applied on the SNMP packets.

  • authNoPriv: Authentication will be required, but the SNMP packets will not be encrypted.

  • authPriv: Authentication and privacy (encryption) will be applied on the SNMP packets.

When an SNMPv3 request is made from a Network Management Station (NMS) such as the UCD-SNMP/Net-SNMP management utility, a username and password (pass phrase) are required for authentication, and the same password must be provided again for encryption.

Notes about Gaia OS:

  • Gaia OS does not support security level 'noAuthNoPriv'. Any SNMPv3 request not properly authenticated will be dropped and the firewall will display an authentication error.
  • Gaia OS uses the user's password both for authentication and as the shared secret for DES/AES encryption. Gaia OS automatically creates the DES/AES encryption key from the user's password. There is no mechanism to manipulate the encryption key, or to provide separate authentication and encryption passwords.
  • Previously, Gaia OS supported only the MD5 algorithm for authentication. Starting from Jumbo Hotfix Accumulator for R77.30 Take 75, the SHA1 algorithm is also supported for authentication.
  • Gaia OS supports only the DES protocol for encryption in versions R75.40 - R77.20. Starting in R77.30, the AES protocol is also supported.

Notes about IPSO OS:

  • IPSO OS does not support security level 'noAuthNoPriv'. Any SNMPv3 request not properly authenticated will be dropped and the firewall will display an authentication error.
  • IPSO OS uses the user's password both for authentication and as the shared secret for DES encryption. IPSO OS automatically creates the DES encryption key from the user's password. There is no mechanism to manipulate the encryption key, or to provide separate authentication and encryption passwords.
  • IPSO OS supports both the MD5 and SHA algorithms (hashes) for authentication. For encryption, only DES is supported.
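
The key derivation behind the notes above, as an added example that is not part of the original article and is not Check Point or Nokia code. It follows the password-to-key and key-localization algorithm of RFC 2574 Appendix A.2 and the DES key split of RFC 2574 section 8.1.1.1, which is what an NMS applies to the -A and -X pass phrases; that Gaia/IPSO derive their keys the same way on the agent side is an assumption. Function names are illustrative, and the sample password and engine ID are constructed input taken from the RFC's test vector.

```python
import hashlib

MIN_PASSWORD_LEN = 8    # per the article: shorter passwords get no USM keys
EXPANDED_LEN = 1048576  # RFC 2574 A.2: hash 1 MiB of the repeated password


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """Ku: digest of the password repeated cyclically to exactly 1 MiB."""
    if len(password) < MIN_PASSWORD_LEN:
        raise ValueError("password under 8 characters: no USM key is created")
    reps, rem = divmod(EXPANDED_LEN, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul: bind Ku to one agent by hashing Ku || snmpEngineID || Ku."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_keys(auth_pw: bytes, priv_pw: bytes, engine_id: bytes,
             hash_name: str = "md5") -> dict:
    """Localized auth key plus the DES key / pre-IV split of the privacy key."""
    auth = localize_key(password_to_key(auth_pw, hash_name), engine_id, hash_name)
    priv = localize_key(password_to_key(priv_pw, hash_name), engine_id, hash_name)
    return {"auth": auth, "des_key": priv[:8], "des_pre_iv": priv[8:16]}


# Constructed sample input: password and engine ID from the RFC test vector.
SAMPLE_PASSWORD = b"maplesyrup"
SAMPLE_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    shared = usm_keys(SAMPLE_PASSWORD, SAMPLE_PASSWORD, SAMPLE_ENGINE_ID)
    print("auth key:", shared["auth"].hex())
    print("DES key :", shared["des_key"].hex())
    # One password for both -A and -X: the DES key is simply the first
    # 8 octets of the authentication key, so the secrets are not independent.
    print("DES key is a prefix of the auth key:",
          shared["auth"].startswith(shared["des_key"]))
```

Because one password feeds both derivations, disclosure of that password (or of the localized authentication key) also discloses the privacy key; choose and rotate the USM password with that in mind.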

 

Syntax for Net-SNMP utility to use SNMPv3

In this example, we are polling GW2 using the USM user account that was configured on GW2:

authNoPriv:

# snmpwalk -v3 -l authNoPriv -u USERNAME -a MD5 -A PASSWORD GW2_HostName_or_IP_Address OID

authPriv:

# snmpwalk -v3 -l authPriv -u USERNAME -a MD5 -A PASSWORD -x DES -X PASSWORD GW2_HostName_or_IP_Address OID

 


Imported from Nokia support database
This solution is about products that are no longer supported and it will not be updated
