SNMPv3 security (User-based Security Model)

Designed to take care of threats from SNMPv1 and SNMPv2:
- data modification
- masquerade
- message stream modification (reorder, replay, delay)
- eavesdropping

Adopted security services
1. Data integrity + origin authentication
   - Uses HMAC: HMAC generates a cryptographic fingerprint of the message to be protected, and that fingerprint is sent with the message
   - Shared key (K2) derived from the snmpEngineID of the authoritative entity + the network admin passphrase
   - Protects against data modification
   - Protects against message stream modification (reorder)
2. Data confidentiality
   - DES in cipher block chaining (CBC) mode
   - Shared key (K1) derived from the snmpEngineID of the authoritative entity + the network admin passphrase
   - Protects against eavesdropping
   - Both entities must know the keys to encrypt / decrypt
   - Encryption must be used with HMAC, otherwise an attacker could alter the encrypted PDU undetected
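Added worked example (not part of these notes) showing how K1/K2 are produced from the passphrase and the authoritative engine's snmpEngineID, and how the HMAC fingerprint is computed and checked. It follows the password-to-key and key-localization steps of RFC 3414 Appendix A, using the "maplesyrup" test vector from that appendix; the same localized key procedure yields the privacy key K1 for DES-CBC (for DES, the first 8 bytes of the 16-byte localized key are the DES key). The message bytes and the tamper are constructed for illustration rather than a real BER-encoded SNMP message.

```python
import hashlib
import hmac

# Test vector from RFC 3414 Appendix A.3.1 (assumed correct here):
PASSPHRASE = b"maplesyrup"
ENGINE_ID = bytes.fromhex("000000000000000000000002")
TAG_LEN = 12  # HMAC-MD5-96 / HMAC-SHA-96 keep the first 12 bytes of the MAC


def password_to_key(passphrase: bytes, digest: str = "md5") -> bytes:
    """RFC 3414 A.2.1: repeat the passphrase cyclically until 1 MiB
    (1,048,576 bytes) has been fed to the hash; the digest is Ku."""
    total = 1024 * 1024
    reps, rem = divmod(total, len(passphrase))
    h = hashlib.new(digest)
    h.update(passphrase * reps + passphrase[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, digest: str = "md5") -> bytes:
    """RFC 3414 A.2.2: Kul = H(Ku || snmpEngineID || Ku).
    This is why both sides need the authoritative engine's snmpEngineID
    before they can derive K1 (privacy) or K2 (authentication)."""
    return hashlib.new(digest, ku + engine_id + ku).digest()


def derive_localized_key(passphrase: bytes, engine_id: bytes, digest: str = "md5") -> bytes:
    """Passphrase -> Ku -> Kul in one step."""
    return localize_key(password_to_key(passphrase, digest), engine_id, digest)


def auth_tag(kul: bytes, wire_msg: bytes, digest: str = "md5") -> bytes:
    """The fingerprint sent with the message: truncated HMAC over the whole
    message (with the authentication-parameters field zeroed while computing)."""
    return hmac.new(kul, wire_msg, digest).digest()[:TAG_LEN]


def verify_tag(kul: bytes, wire_msg: bytes, tag: bytes, digest: str = "md5") -> bool:
    """Receiver recomputes the fingerprint and compares in constant time."""
    return hmac.compare_digest(auth_tag(kul, wire_msg, digest), tag)


def demo() -> dict:
    """Derive K2 for the test vector, tag a constructed message, and show that
    a one-byte change to the (notionally encrypted) PDU is caught."""
    k2 = derive_localized_key(PASSPHRASE, ENGINE_ID)
    # Constructed stand-in for a serialized SNMPv3 message with a 12-byte
    # zeroed msgAuthenticationParameters field, followed by the PDU bytes.
    header = b"SNMPv3-HDR" + bytes(TAG_LEN)
    pdu = b"GET sysDescr.0"
    msg = header + pdu
    tag = auth_tag(k2, msg)
    tampered = header + b"GET sysName.0 "   # same length, different PDU
    return {
        "k2_hex": k2.hex(),
        "tag_hex": tag.hex(),
        "genuine_ok": verify_tag(k2, msg, tag),
        "tampered_ok": verify_tag(k2, tampered, tag),
    }


if __name__ == "__main__":
    print(demo())
```

The tampered message is rejected because the HMAC no longer matches; without the fingerprint, an altered ciphertext would simply decrypt to garbage that the receiver has no way to recognise as modified, which is the reason the notes say encryption must be paired with HMAC.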
3. Message timeliness (limited replay protection)
   - Protects against message recording and replay
   - Each entity needs a clock to achieve this
   - 150 second window for communication exchanges
   - When sending a Get PDU the receiver is authoritative, so the sender must first retrieve the time, confirm the value and maintain synchronised clocks
   - The console usually sends and receives all requests, whereas most devices only receive requests, so the console usually maintains the clocks
General setup
- Each NW manager now has a unique username; each entity has a unique username in the NW
- Cryptography is used to enable NW devices to authenticate each other and to provide confidentiality for SNMP PDUs
- Introduced the idea of "authoritative entities":
  - When sending a GET or SET SNMP PDU, the receiver is the authoritative entity
  - When sending a TRAP, REPORT or RESPONSE SNMP PDU, the sender is the authoritative entity
  - The AE is the entity whose crypto keys are used to provide authenticity and confidentiality for a PDU, and whose timeliness indicators are used to prove that the message is fresh

Security Management tasks introduced with V3
- Creation and storage of keys
- Non-authoritative devices must manage synchronised clocks