Message Processing; SNMPv3 Security - Extreme Networks ExtremeWare XOS Guide Manual

Concepts guide
Managing the Switch
The access control subsystem provides the ability to configure whether access to a managed object in a
local MIB is allowed for a remote principal. The access control scheme allows you to define access
policies based on MIB views, groups, and multiple security levels.
In addition, the SNMPv3 target and notification MIBs provide a more procedural approach for the
generation and filtering of notifications.
SNMPv3 objects are stored in non-volatile memory unless specifically assigned to volatile storage.
Objects defined as permanent cannot be deleted or modified.
NOTE
In SNMPv3, many objects can be identified by a human-readable string or by a string of hex octets. In
many commands, you can use either a character string or a colon-separated string of hex octets to
specify objects. This is indicated by the keyword hex used in the command.

Message Processing

A particular network manager may require messages that conform to a particular version of SNMP. The
choice of the SNMPv1, SNMPv2, or SNMPv3 message processing model can be configured for each
network manager as its target address is configured. The selection of the message processing model is
configured with the mp-model keyword in the following command:
configure snmpv3 add target-params {hex} <param_name> user {hex} <user_name> mp-model
[snmpv1 | snmpv2c | snmpv3] sec-model [snmpv1 | snmpv2c | usm] {sec-level [noauth |
authnopriv | priv]} {volatile}

SNMPv3 Security

In SNMPv3 the User-Based Security Model (USM) for SNMP was introduced. USM deals with security-
related aspects such as authentication, encryption of SNMP messages, and defining users and their various
access security levels. This standard also encompasses protection against message delay and message
replay.
USM Timeliness Mechanisms
An Extreme switch has one SNMPv3 engine, identified by its snmpEngineID. The first four octets are
fixed to 80:00:07:7C, which represents the Extreme Networks Vendor ID. By default, the additional
octets of the snmpEngineID are generated from the device MAC address. Every SNMPv3 engine
necessarily maintains two objects: snmpEngineBoots, which is the number of reboots the agent has
experienced, and snmpEngineTime, which is the engine's local time since reboot. It also keeps a local
copy of these objects, plus latestReceivedEngineTime, for every authoritative engine it wants to
communicate with. Protection against message delay or message replay is accomplished by comparing
these objects with the values received in messages and then applying a set of rules to decide whether
the message is valid.
In a chassis, the snmpEngineID will be generated using the MAC address of the MSM with which the
switch boots first.
The snmpEngineID can be configured from the command line, but once the snmpEngineID is changed,
default users will be reverted back to their original passwords/keys, while non-default users will be
reset to the security level of no authentication, no privacy. To set the snmpEngineID, use the following
command:
configure snmpv3 engine-id <hex_engine_id>
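The timeliness check described above, as an added example that is not code from this guide or from ExtremeWare XOS: it models snmpEngineBoots, snmpEngineTime and latestReceivedEngineTime on both the authoritative (switch) side and the non-authoritative (manager) side and applies the RFC 3414 section 3.2 rules that reject delayed or replayed authenticated messages. The engine_id_from_mac helper, its assumed prefix-plus-MAC layout, and all sample values are constructed for illustration.

```python
# Added example, not from the ExtremeWare XOS guide: USM timeliness checks
# (RFC 3414 section 3.2, step 7) built on the objects the text names.
from dataclasses import dataclass

TIME_WINDOW = 150          # seconds of skew tolerated (RFC 3414 section 2.2.3)
MAX_BOOTS = 2**31 - 1      # an engine whose boot count reaches this value refuses all messages
EXTREME_PREFIX = "80:00:07:7c"  # fixed first four octets given in the text


def engine_id_from_mac(mac: str) -> str:
    """Build a colon-separated snmpEngineID from the vendor prefix plus the device MAC.
    The prefix-then-MAC layout is an assumption: the text only says the remaining
    octets are derived from the MAC address."""
    octets = mac.lower().split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError("expected a MAC like 00:04:96:1a:2b:3c")
    return EXTREME_PREFIX + ":" + ":".join(octets)


@dataclass
class AuthoritativeEngine:
    """The switch side: it owns snmpEngineBoots and snmpEngineTime."""
    boots: int   # snmpEngineBoots
    time: int    # snmpEngineTime, seconds since the last reboot

    def is_timely(self, msg_boots: int, msg_time: int) -> bool:
        """Step 7a: boots in the message must match ours and the time must be within +/-150 s."""
        if self.boots == MAX_BOOTS or msg_boots != self.boots:
            return False
        return abs(self.time - msg_time) <= TIME_WINDOW


@dataclass
class RemoteEngineClock:
    """The manager side: its local notion of one authoritative engine's clock."""
    boots: int                  # local copy of the remote snmpEngineBoots
    latest_received_time: int   # latestReceivedEngineTime for that engine

    def is_timely(self, msg_boots: int, msg_time: int) -> bool:
        """Step 7b: first advance the local notion if the message is newer, then refuse
        anything older than what has already been accepted (a replayed or delayed message)."""
        if msg_boots > self.boots or (msg_boots == self.boots and msg_time > self.latest_received_time):
            self.boots, self.latest_received_time = msg_boots, msg_time
        if self.boots == MAX_BOOTS or msg_boots < self.boots:
            return False
        return not (msg_boots == self.boots and msg_time < self.latest_received_time - TIME_WINDOW)
```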
ExtremeWare XOS 10.1 Concepts Guide