SNMPv3 Overview; Message Processing - Extreme Networks ExtremeWare 7.2e Installation And User Manual

Software version 7.2e

• RFC 3415, View-based Access Control Model (VACM) for the Simple Network Management Protocol
(SNMP), talks about VACM as a way to access the MIB.

SNMPv3 Overview

The SNMPv3 standards for network management were driven primarily by the need for greater security
and access control. The new standards use a modular design and model management information by
cleanly defining a message processing subsystem, a security subsystem, and an access control
subsystem.

The message processing (MP) subsystem helps identify the MP model to be used when processing a
received Protocol Data Unit (PDU), the packet used by SNMP for communication. This layer helps in
implementing a multi-lingual agent, so that various versions of SNMP can coexist simultaneously in the
same network.

The security subsystem features the use of various authentication and privacy protocols with various
timeliness checking and engine clock synchronization schemes. SNMPv3 is designed to be secure
against:
• Modification of information, where an in-transit message is altered.
• Masquerades, where an unauthorized entity assumes the identity of an authorized entity.
• Message stream modification, where packets are delayed and/or replayed.
• Disclosure, where packet exchanges are sniffed (examined) and information is learned about the
contents.

The access control subsystem provides the ability to configure whether access to a managed object in a
local MIB is allowed for a remote principal. The access control scheme allows you to define access
policies based on MIB views, groups, and multiple security levels.

In addition, the SNMPv3 target and notification MIBs provide a more procedural approach for the
generation and filtering of notifications.

SNMPv3 objects are stored in non-volatile memory unless specifically assigned to volatile storage.
Objects defined as permanent cannot be deleted or modified.

NOTE
In SNMPv3, many objects can be identified by a human-readable string or by a string of hex octets. In
many commands, you can use either a character string or a colon-separated string of hex octets to
specify objects. This is indicated by the keyword hex used in the command.

Message Processing

A particular network manager may require messages that conform to a particular version of SNMP. The
choice of the SNMPv1, SNMPv2, or SNMPv3 message processing model can be configured for each
network manager as its target address is configured. The selection of the message processing model is
configured with the mp-model keyword in the following command:

configure snmpv3 add target-params {hex} <param name> user {hex} <user name> mp-model
[snmpv1 | snmpv2c | snmpv3] sec-model [snmpv1 | snmpv2c | usm] {sec-level [noauth |
authnopriv | priv]} {volatile}
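
As an added example (not part of the ExtremeWare manual), the following Python script parses saved target-params commands using the syntax shown above and flags entries that give up the protections listed in the SNMPv3 overview. The parameter names, user names and configuration lines are constructed, and the reading of the sec-level values as the standard SNMPv3 security levels is an assumption of this example.

```python
import re

# Pattern follows the target-params syntax quoted above; {hex}, {sec-level} and
# {volatile} are optional. All names in SAMPLE are constructed for this example.
TARGET_PARAMS = re.compile(
    r"configure\s+snmpv3\s+add\s+target-params\s+(?:hex\s+)?(?P<name>\S+)"
    r"\s+user\s+(?:hex\s+)?(?P<user>\S+)"
    r"\s+mp-model\s+(?P<mp>snmpv1|snmpv2c|snmpv3)"
    r"\s+sec-model\s+(?P<sec>snmpv1|snmpv2c|usm)"
    r"(?:\s+sec-level\s+(?P<level>noauth|authnopriv|priv))?"
    r"(?:\s+volatile)?"
)

LEVEL_FINDINGS = {
    None: "sec-level not given: confirm which level the switch applies by default",
    "noauth": "sec-level noauth: messages are neither authenticated nor encrypted",
    "authnopriv": "sec-level authnopriv: authenticated, but contents are not encrypted",
}

SAMPLE = """\
# constructed configuration excerpt
configure snmpv3 add target-params nms-legacy user public mp-model snmpv2c sec-model snmpv2c
configure snmpv3 add target-params nms-auth user monitor mp-model snmpv3 sec-model usm sec-level authnopriv
configure snmpv3 add target-params nms-secure user admin mp-model snmpv3 sec-model usm sec-level priv volatile
configure snmpv3 add target-params hex 6e:6d:73 user ops mp-model snmpv3 sec-model usm
"""

def audit_line(line):
    """Return (name, findings) for a target-params command, or None for other lines."""
    m = TARGET_PARAMS.fullmatch(line.strip())
    if m is None:
        return None
    if m["mp"] != "snmpv3" or m["sec"] != "usm":
        return m["name"], [f"mp-model {m['mp']} with sec-model {m['sec']}: "
                           "community-based, no authentication or privacy protocol"]
    finding = LEVEL_FINDINGS.get(m["level"])  # "priv" has no entry, so no finding
    return m["name"], [finding] if finding else []

def audit_config(text):
    """Map each target-params name in a saved configuration to its findings."""
    return dict(r for r in map(audit_line, text.splitlines()) if r is not None)

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE).items():
        print(name, "->", findings or "ok")
```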
