USM users
The SNMPv3 protocol supports a User-based Security Model (USM) as defined in RFC 3414. USM provides authentication and privacy (encryption) functions and operates at the message level, allowing the following security levels to be used with SNMPv3:
- Communication without authentication and privacy (noauth)
- Communication with authentication and without privacy (auth)
- Communication with authentication and privacy (priv)
Within this document the three possible security levels are referred to as noauth, auth and priv.
However, other forms are sometimes used within NET-SNMP (for example with the -l option of the command-line tools), and the equivalents are:
Security level | Equivalents
---|---
noauth | noAuthNoPriv
auth | authNoPriv
priv | authPriv
Users can be added to the SNMP configuration with the createUser directive, which defines the security mechanisms to be used. Both the SHA and AES passphrases have to be defined.
createUser [-e ENGINEID] {username [SHA authpassphrase] [AES privpassphrase]}
It would not normally be necessary to specify the engine ID. If it is specified, ENGINEID is a hexadecimal string of octets starting with the 0x prefix; the encoding of the engine ID is defined in the description of SnmpEngineID in RFC 3411. Because USM keys are localized to an engine ID, a user created with an engine ID other than the agent's own cannot be used to authenticate to that agent.
The following recommendations should be followed when defining the security parameters for SNMPv3:
- Select a security level of priv (authPriv) or auth (authNoPriv).
  - priv is the preferred security level, since it provides both data source authentication and confidentiality protection for SNMP messages.
  - auth is the minimum security level that should be selected, since it ensures that SNMP data sent and received has not been tampered with and was sent by an authorised entity.
- Define separate authpassphrase and privpassphrase values.
  - It is good security practice to have key separation.
- Use randomly generated passphrases that contain upper and lower case letters, digits and symbols (for example, the printable ASCII characters 0x20 to 0x7E).
  - This gives an entropy of about 6.57 bits per character (log2 of the 95 printable ASCII characters).
- Use 15 characters for keys with 96 bits of security strength, or 20 characters for keys with 128 bits of security strength.
  - The minimum length of both auth and priv passphrases is eight characters.
  - If a random passphrase is not used, consult NIST SP 800-63-2 Appendix A to determine the security strength of the password and the resulting keys. See https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf.
MD5 and DES are not supported or enabled in the nShield distribution of SNMP. Only SHA may be used for authentication, and only AES may be used for privacy (encryption).
It is strongly recommended that createUser directives be added to the persist/snmpd.conf file, so that the agent converts the passphrases into localized USM keys when it starts and the cleartext passphrases are not left in the configuration file.
The user can then be referenced in access control directive(s), after which it can be used.
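The following is an added example (not code from the nShield documentation or the NET-SNMP project) that shows what the agent does with a createUser directive and checks the passphrase recommendations above. It derives the SHA authentication key and the AES-128 privacy key from the passphrases and engine ID using the RFC 3414 password-to-key and key-localization algorithms (the same procedure NET-SNMP applies before persisting usmUser entries), parses the 0x-prefixed engine ID, and validates a passphrase pair against the minimum-length, 96-bit and key-separation rules. The function names, the sample engine ID and the sample passphrases are constructed for illustration; the "maplesyrup" vector comes from RFC 3414 Appendix A.

```python
import hashlib
import math
import secrets

# Printable ASCII 0x20-0x7E: the 95-character alphabet the recommendations refer to.
PASSPHRASE_ALPHABET = "".join(chr(c) for c in range(0x20, 0x7F))
ENTROPY_PER_CHAR = math.log2(len(PASSPHRASE_ALPHABET))  # ~6.57 bits/char


def password_to_key_sha(passphrase: str) -> bytes:
    """RFC 3414 A.2.2: Ku = SHA-1 over the passphrase repeated cyclically to 1,048,576 octets."""
    pw = passphrase.encode("ascii")
    if not pw:
        raise ValueError("empty passphrase")
    reps, rem = divmod(1048576, len(pw))
    return hashlib.sha1(pw * reps + pw[:rem]).digest()  # 20 octets


def localize_key_sha(ku: bytes, engine_id: bytes) -> bytes:
    """RFC 3414 section 2.6: Kul = SHA-1(Ku || snmpEngineID || Ku)."""
    return hashlib.sha1(ku + engine_id + ku).digest()


def parse_engine_id(text: str) -> bytes:
    """Parse the 0x-prefixed hex string accepted by createUser -e (RFC 3411: 5..32 octets)."""
    if not text.lower().startswith("0x"):
        raise ValueError("engine ID must start with 0x")
    raw = bytes.fromhex(text[2:])
    if not 5 <= len(raw) <= 32:
        raise ValueError("engine ID must be 5..32 octets")
    return raw


def usm_keys(auth_passphrase: str, priv_passphrase: str, engine_id: bytes) -> dict:
    """Derive the localized keys a USM user ends up with for SHA auth and AES-128 priv.

    The AES-128 privacy key is the first 16 octets of the localized key (RFC 3826).
    """
    auth_kul = localize_key_sha(password_to_key_sha(auth_passphrase), engine_id)
    priv_kul = localize_key_sha(password_to_key_sha(priv_passphrase), engine_id)
    return {"auth_key": auth_kul, "priv_key": priv_kul[:16]}


def generate_passphrase(length: int = 20) -> str:
    """Random passphrase from the 95 printable ASCII characters (20 chars ~ 131 bits)."""
    return "".join(secrets.choice(PASSPHRASE_ALPHABET) for _ in range(length))


def passphrase_strength_bits(passphrase: str) -> float:
    """Security strength of a randomly generated passphrase from the 95-char alphabet."""
    return len(passphrase) * ENTROPY_PER_CHAR


def check_passphrases(auth: str, priv: str) -> list:
    """Return the recommendations on this page that a passphrase pair violates (empty if none)."""
    problems = []
    for name, pw in (("auth", auth), ("priv", priv)):
        if len(pw) < 8:
            problems.append(f"{name}: shorter than the 8-character minimum")
        elif passphrase_strength_bits(pw) < 96:
            problems.append(f"{name}: below 96 bits of strength (use 15+ random characters)")
        if any(c not in PASSPHRASE_ALPHABET for c in pw):
            problems.append(f"{name}: contains characters outside 0x20-0x7E")
    if auth == priv:
        problems.append("authpassphrase and privpassphrase are identical (no key separation)")
    return problems


if __name__ == "__main__":
    # Constructed sample: a hypothetical engine ID, freshly generated passphrases.
    engine_id = parse_engine_id("0x80001f8880e9bd0e4f2c3a1b5d00000000")
    auth_pw, priv_pw = generate_passphrase(20), generate_passphrase(20)
    assert check_passphrases(auth_pw, priv_pw) == []
    keys = usm_keys(auth_pw, priv_pw, engine_id)
    print("auth key:", keys["auth_key"].hex())
    print("priv key:", keys["priv_key"].hex())
    # Same passphrase, different engine ID -> different localized key.
    other = usm_keys(auth_pw, priv_pw, parse_engine_id("0x0000000000000002"))
    assert other["auth_key"] != keys["auth_key"]
```

The last assertion is the practical point behind the engine ID caveat: the localized keys, which are what the agent stores once the cleartext createUser lines have been consumed, are bound to one engine ID, so the same passphrase yields different keys on different agents.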
You can use snmpwalk to test that the user configuration is correct:
/opt/nfast/bin/snmpwalk -v3 -l authPriv -u {username} -x AES -X {privpassphrase} -a SHA -A {authpassphrase} localhost .1.3.6.1.4.1.7682