USM users

The SNMPv3 protocol supports a User-based Security Model (USM) as defined in RFC 3414. USM provides authentication and privacy (encryption) functions and operates at the message level, allowing the following security levels to be used with SNMPv3:

  • Communication without authentication and privacy (noauth)

  • Communication with authentication and without privacy (auth)

  • Communication with authentication and privacy (priv).

Within this document the three possible security levels are referred to as noauth, auth and priv. However, other forms are sometimes used within NET-SNMP, and the equivalents are:

Security level    Equivalent
noauth            noauthnopriv
auth              authnopriv
priv              authpriv

Users can be added to the SNMP configuration with the createUser directive, defining the security mechanisms to be used. Both the SHA and AES passphrases have to be defined.

createUser [-e ENGINEID] {username [SHA authpassphrase] [AES privpassphrase]}

It would not normally be necessary to specify the engine ID, but if it is specified, ENGINEID is defined as a hexadecimal string of octets starting with the 0x prefix. The encoding of the engine ID is defined in the description of SnmpEngineID from RFC3411.

The following recommendations should be followed when defining the security parameters for SNMPv3:

  • Select a 'Security Level' of priv (authPriv) or auth (authNoPriv).

    • priv is the preferred 'Security Level', since this provides both data source authentication and confidentiality protection for the SNMP messages.

    • auth is the minimum 'Security Level' that should be selected, since this will ensure that SNMP data sent/received has not been tampered with and has been sent from an authorised entity.

  • Define separate authpassphrase and privpassphrase.

    • It is good security practice to have key separation.

  • Use randomly generated passphrases which contain upper and lower case characters, numbers and symbols (for example, ASCII characters 0x20 - 0x7E).

    • This gives an entropy per character of 6.57 bits.

  • Use 15 characters for keys of 96 bits security strength, or 20 characters for keys of 128 bits security strength.

MD5 and DES are not supported or enabled in the nShield distribution of SNMP. Only SHA may be used for authentication, and only AES may be used for privacy (encryption).

It is strongly recommended that createUser directives be added to the persist/snmpd.conf file, so that the passphrases are not available after the SNMP agent is installed. The user can then be referenced in access control directive(s), after which it can be used.

You can use snmpwalk to test that the user configuration is correct:

/opt/nfast/bin/snmpwalk -v3 -l authPriv -u {username} -x AES -X {privpassphrase} -a SHA -A {authpassphrase} localhost .1.3.6.1.4.1.7682
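The following script, added here as an illustration and not part of the nShield SNMP distribution, ties together the passphrase recommendations above (randomly generated printable ASCII, 6.57 bits per character, 15 or 20 characters for 96 or 128 bits) with the createUser, access control and snmpwalk steps. It generates separate SHA and AES passphrases with the CSPRNG in Python's secrets module, derives the minimum length from the target security strength, and emits the persist/snmpd.conf lines plus the snmpwalk check. The username, the choice of the rouser directive, and the decision to drop space, double quote, backslash and '#' from the generation alphabet (so the passphrases need no quoting in snmpd.conf) are this example's own assumptions; the required lengths come out the same with or without those four characters.

```python
import math
import secrets
import shlex

# Printable ASCII 0x20-0x7E (95 characters): the alphabet the recommendation assumes.
PRINTABLE_ASCII = "".join(chr(c) for c in range(0x20, 0x7F))

# Subset used for generation in this example: drops space, double quote, backslash
# and '#', so the passphrase needs no quoting or escaping in snmpd.conf
# (a conservative choice made here, not a requirement of the documentation).
CONF_SAFE = "".join(c for c in PRINTABLE_ASCII if c not in ' "\\#')


def entropy_per_char(alphabet: str) -> float:
    """Entropy in bits of one uniformly chosen character from alphabet (log2 of its size)."""
    return math.log2(len(alphabet))


def min_length_for_bits(target_bits: int, alphabet: str) -> int:
    """Smallest passphrase length whose total entropy reaches target_bits."""
    return math.ceil(target_bits / entropy_per_char(alphabet))


def generate_passphrase(length: int, alphabet: str = CONF_SAFE) -> str:
    """Uniformly random passphrase drawn from a cryptographically secure RNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def make_usm_user(username: str, security_bits: int = 128, alphabet: str = CONF_SAFE) -> dict:
    """Build separate SHA (auth) and AES (priv) passphrases for one USM user and
    return them with the snmpd.conf lines and the snmpwalk command that exercise them."""
    length = min_length_for_bits(security_bits, alphabet)
    auth = generate_passphrase(length, alphabet)
    priv = generate_passphrase(length, alphabet)
    # Key separation: the two passphrases must differ (a collision is astronomically
    # unlikely, but the loop makes the property explicit).
    while priv == auth:
        priv = generate_passphrase(length, alphabet)

    conf_lines = [
        # Goes into persist/snmpd.conf; the agent localises the keys at start-up.
        f"createUser {username} SHA {auth} AES {priv}",
        # Hypothetical access control line for this user: read-only, priv level required.
        f"rouser {username} priv",
    ]
    # Same check as the snmpwalk line in the text, with shell-safe quoting of the passphrases.
    check_command = (
        f"/opt/nfast/bin/snmpwalk -v3 -l authPriv -u {username} "
        f"-x AES -X {shlex.quote(priv)} -a SHA -A {shlex.quote(auth)} "
        f"localhost .1.3.6.1.4.1.7682"
    )
    return {
        "username": username,
        "auth": auth,
        "priv": priv,
        "length": length,
        "conf_lines": conf_lines,
        "check_command": check_command,
    }


if __name__ == "__main__":
    user = make_usm_user("nfastuser", 128)  # "nfastuser" is a placeholder name
    print(f"# {user['length']} chars per passphrase, "
          f"{entropy_per_char(CONF_SAFE) * user['length']:.1f} bits each")
    print("\n".join(user["conf_lines"]))
    print(user["check_command"])
```

Running the script prints the two lines to append to persist/snmpd.conf and the snmpwalk command to run afterwards; the generated passphrases are shown only at generation time, which matches the intent that they are not recoverable from the agent's configuration once it has started.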