CLI-based Configuration Guide - Network Management and Monitoring

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R009

SNMPv3

SNMPv3 Packet Format

SNMPv3 defines a new packet format, as shown in Figure 1-6.

Figure 1-6  SNMPv3 packet format

The composition of an SNMPv3 packet is as follows:

  • Version: specifies the SNMP version. The value for SNMPv3 is 3 (SNMPv1 uses 0 and SNMPv2c uses 1).
  • Header: includes the message ID, the maximum message size that the transmitter supports, the message flags (whether the message is authenticated, whether it is encrypted, and whether a Report may be returned for it) and the security model of the message.
  • Security parameters: includes the authoritative engine information (engine ID, engine boots and engine time), the user name, the authentication parameter and the privacy (encryption) parameter.
  • Context EngineID: uniquely identifies the SNMP engine that processes the PDU. This field and the PDU together determine to which application the PDU is delivered.
  • Context Name: identifies the context, that is, the MIB view within that engine against which the PDU is processed.
  • SNMPv3 PDU: includes the PDU type, request ID and variable binding list. The Context EngineID, Context Name and PDU together form the scoped PDU, which is the part of the message that is encrypted when encryption is enabled. SNMPv3 carries the SNMPv2 PDU types: GetRequest, GetNextRequest, GetBulkRequest, SetRequest, Response, Trap (SNMPv2-Trap), InformRequest and Report.

SNMPv3 Architecture

SNMPv3 defines the SNMPv3 entity, through which any SNMP-enabled NMS can manage SNMP-enabled network elements. An SNMPv3 entity consists of an SNMPv3 engine and applications, and each engine and application is built from several modules.

The modular architecture of the SNMPv3 entity has the following advantages:
  • Strong adaptability: This architecture suits both simple and complex networks.
  • Simple management: This architecture consists of multiple independent subsystems and applications. When a fault occurs in an SNMP system, the subsystem where the fault originated can be located easily from the fault type.
  • Good extensibility: Modules can be added to an SNMP entity to extend an SNMP system. For example, a module can be added to the security subsystem to support a new security protocol.
SNMPv3 improves security through the user-based security model (USM) and the view-based access control model (VACM):
  • USM: uses a key shared between the NMS and the agent to authenticate users and encrypt data. Both keys are derived from the user's password and localized to the agent's engine ID, so the same password yields a different key on every agent.

    • Identity authentication: a process in which an agent (or NMS) determines whether a received message comes from an authorized NMS (or agent) and whether the message was modified in transit. Keyed-Hashing for Message Authentication (HMAC) combines a secure hash function with a key to generate a message authentication code (MAC). The HMAC mechanisms SNMPv3 uses are HMAC-MD5-96 and HMAC-SHA-96. HMAC-MD5-96 uses MD5 with a 128-bit authKey; HMAC-SHA-96 uses SHA-1 with a 160-bit authKey. In both cases the MAC is truncated to 96 bits and carried in the authentication parameter field of the message. MD5 is considered weak; use SHA-based authentication wherever the NMS supports it.

    • Data encryption: like identity authentication, data encryption requires the NMS and the agent to share a key. The privacy protocol encrypts the scoped PDU (Context EngineID, Context Name and PDU) so that the management data cannot be read if packets are intercepted in transit; the message header and security parameters stay in clear text. Encryption uses symmetric algorithms, in which the same key encrypts and decrypts the data. SNMPv3 uses the following encryption algorithms:

      • Data Encryption Standard (DES): encrypts 64-bit blocks of plain text with a 56-bit key, in CBC mode. DES is considered weak and should be used only when the NMS does not support AES.
      • Advanced Encryption Standard (AES): encrypts 128-bit blocks of plain text with a key of 128, 192, or 256 bits, in CFB mode. Only AES-128 is standardized for SNMPv3 (RFC 3826); the 192- and 256-bit variants are vendor extensions and work only if the NMS implements the same extension as the agent.
  • VACM: controls the access of user groups (or community names) to MIB objects based on views. You must pre-configure a view and specify the access it grants. When you then configure a user, user group, or community, you bind this view to it to restrict read and write access or the objects that may be sent in traps.
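The USM key handling described above, as an added example that is not part of the Huawei guide: a password is hashed into a user key Ku and then localized with the agent's engine ID to give Kul, and the privacy key is cut from the same localized key. The algorithm is the one in RFC 3414 Appendix A.2; the test vectors (password "maplesyrup", engine ID 0x000000000000000000000002) are the published ones from RFC 3414 Appendix A.3, so the output can be checked against the standard.

```python
"""USM key derivation from RFC 3414 (password -> Ku -> localized Kul).

Added example; it is not code from the Huawei guide. The inputs used in
__main__ are the RFC 3414 Appendix A.3 test vectors: password "maplesyrup"
and snmpEngineID 0x000000000000000000000002.
"""
import hashlib

ONE_MIB = 1024 * 1024   # RFC 3414 A.2 hashes exactly 1,048,576 bytes of password


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Ku = H(password repeated to fill 1 MiB). Deliberately slow, so that an
    attacker who captured traffic cannot cheaply test password guesses."""
    if not password:
        raise ValueError("USM passwords must not be empty")
    repeats, remainder = divmod(ONE_MIB, len(password))
    h = hashlib.new(hash_name)
    h.update(password * repeats)        # whole repetitions of the password...
    h.update(password[:remainder])      # ...plus the prefix that fills the last block
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku). One password gives a different key on
    every agent, so a key recovered from one device is useless on the others."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_keys(password: str, engine_id: bytes, hash_name: str):
    """Return (Ku, Kul) for one user on one agent. hash_name is 'md5' for
    HMAC-MD5-96 (16-byte keys) or 'sha1' for HMAC-SHA-96 (20-byte keys)."""
    ku = password_to_key(password.encode(), hash_name)
    return ku, localize_key(ku, engine_id, hash_name)


def privacy_key(kul: bytes, priv_proto: str):
    """Privacy keys come from the localized key too. RFC 3414 8.1.1.1: CBC-DES
    uses the first 8 of 16 bytes as the DES key and the last 8 as the pre-IV;
    RFC 3826: AES-128 uses the first 16 bytes. Returns (key, pre_iv)."""
    material = kul[:16]                 # a SHA-1 Kul is 20 bytes; only 16 are used
    if priv_proto == "des":
        return material[:8], material[8:]
    if priv_proto == "aes128":
        return material, None
    raise ValueError(f"unsupported privacy protocol: {priv_proto}")


if __name__ == "__main__":
    engine = bytes.fromhex("000000000000000000000002")
    for name in ("md5", "sha1"):
        ku, kul = usm_keys("maplesyrup", engine, name)
        print(f"{name}: Ku={ku.hex()} Kul={kul.hex()}")
```

Because Kul depends on the engine ID, an NMS must run the localization once per agent, and a device whose engine ID changes (for example after a reconfiguration) will reject the NMS until the keys are recomputed.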

SNMPv3 Mechanism

SNMPv3 uses the same operations as SNMPv1 and SNMPv2c; the difference is that SNMPv3 adds identity authentication and encryption to each message. The following uses the Get operation as an example to describe the SNMPv3 mechanism.

As shown in Figure 1-7, an NMS intends to obtain the value of the sysContact object on a managed device in authentication and encryption mode.
Figure 1-7  Get operation of SNMPv3

  1. The NMS sends a GetRequest message with no security parameters (empty engine ID, no authentication or encryption) to the agent, to learn the agent's engine ID, engine boots and engine time. These are the authoritative engine parameters the NMS needs to build the security parameters of all subsequent messages.

  2. The agent returns a Report PDU that carries the requested parameters. The report itself is not authenticated, so the NMS uses it only to synchronize with the agent's engine.

  3. The NMS sends a GetRequest packet to the agent again. The fields in the packet are as follows:
    • Version: 3 (SNMPv3).
    • Header: flags indicating that the message is authenticated and encrypted.
    • Security parameters: the engine ID, engine boots and engine time obtained from the agent, the user name, the authentication parameter (the HMAC that the NMS calculates over the entire message with the authentication key) and the privacy parameter (the salt used to form the encryption IV).
    • PDU: the NMS fills in the obtained Context EngineID and Context Name, sets the PDU type to Get and the MIB object to sysContact, and encrypts the scoped PDU with the configured algorithm and the privacy key.
  4. The agent authenticates the GetRequest packet sent by the NMS and checks that its engine boots and engine time fall within the 150-second time window. When authentication succeeds, the agent decrypts the scoped PDU. When decryption succeeds, the agent reads the value of sysContact, encapsulates it in a Response PDU, encrypts and authenticates the response and sends it to the NMS. If authentication or decryption fails, the agent instead returns a Report PDU that identifies the failure (for example usmStatsWrongDigests or usmStatsDecryptionErrors); if the query itself fails, it returns a Response PDU with a non-zero error status.
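The four-step exchange above, simulated end to end as an added example that is not code from the Huawei guide. To stay runnable offline it makes these assumptions: messages are Python dicts serialized as JSON instead of ASN.1 BER, the agent's clock is a counter advanced by hand, the user name "admin" and the sysContact value are constructed, the localized key is the RFC 3414 A.3.2 test vector, and encryption is left out (authNoPriv). The security checks are the real USM ones: discovery through an unauthenticated Report, HMAC-SHA-96 over the whole message with the authentication parameter zeroed, the order of checks in RFC 3414 section 3.2, and the 150-second time window. It also shows what the agent returns when a message is tampered with or replayed too late.

```python
"""Simulated SNMPv3 authenticated Get (USM, authNoPriv) with engine discovery.
Added example, not from the Huawei guide. Assumptions: JSON instead of BER,
a hand-advanced clock, constructed user "admin" and sysContact value, and the
RFC 3414 A.3.2 localized key. Security logic follows RFC 3414."""
import copy
import hashlib
import hmac
import json

TIME_WINDOW = 150    # RFC 3414 2.2.3: maximum accepted difference in engine time
AUTH_LEN = 12        # HMAC-SHA-96 keeps the first 96 bits (12 bytes) of the MAC
USM_STATS = "1.3.6.1.6.3.15.1.1."   # usmStats counters carried in Report PDUs
NOT_IN_TIME_WINDOWS, UNKNOWN_USER, UNKNOWN_ENGINE, WRONG_DIGEST = (
    USM_STATS + "2.0", USM_STATS + "3.0", USM_STATS + "4.0", USM_STATS + "5.0")
SYS_CONTACT = "1.3.6.1.2.1.1.4.0"
KUL_SHA = bytes.fromhex("6695febc9288e36282235fc7151f128497b38f3f")  # RFC 3414 A.3.2


def hmac_sha_96(key: bytes, msg: dict) -> str:
    """RFC 3414 6.3.1: MAC the whole message with authParameters set to 12 zero bytes."""
    unsigned = copy.deepcopy(msg)
    unsigned["security"]["auth_params"] = "00" * AUTH_LEN
    wire = json.dumps(unsigned, sort_keys=True).encode()   # deterministic stand-in for BER
    return hmac.new(key, wire, hashlib.sha1).digest()[:AUTH_LEN].hex()


def build(pdu_type, request_id, varbinds, security, auth, ctx_engine=""):
    """The four parts of an SNMPv3 message: version, header, security parameters, scoped PDU."""
    return {
        "version": 3,
        "header": {"msg_id": request_id, "max_size": 65507, "security_model": 3,
                   "flags": {"auth": auth, "priv": False, "reportable": pdu_type == "GetRequest"}},
        "security": dict(security, auth_params="", priv_params=""),
        "scoped_pdu": {"context_engine_id": ctx_engine, "context_name": "",
                       "pdu": {"type": pdu_type, "request_id": request_id, "varbinds": varbinds}},
    }


class Agent:
    """Authoritative engine: owns engine ID, boots and time; users map to localized keys."""

    def __init__(self, engine_id, boots, users, mib):
        self.engine_id, self.boots, self.time = engine_id, boots, 1000
        self.users, self.mib = users, mib

    def _params(self, user=""):
        return {"engine_id": self.engine_id, "engine_boots": self.boots,
                "engine_time": self.time, "user": user}

    def _report(self, req, counter_oid):
        # Reports are unauthenticated and carry the engine parameters the NMS needs.
        return build("Report", req["header"]["msg_id"], [[counter_oid, 1]],
                     self._params(), auth=False, ctx_engine=self.engine_id)

    def handle(self, req):
        sec = req["security"]
        if sec["engine_id"] != self.engine_id:          # "" on discovery
            return self._report(req, UNKNOWN_ENGINE)
        key = self.users.get(sec["user"])
        if key is None:
            return self._report(req, UNKNOWN_USER)
        if not hmac.compare_digest(sec["auth_params"], hmac_sha_96(key, req)):
            return self._report(req, WRONG_DIGEST)      # forged, tampered or wrong key
        if sec["engine_boots"] != self.boots or abs(sec["engine_time"] - self.time) > TIME_WINDOW:
            return self._report(req, NOT_IN_TIME_WINDOWS)   # stale or replayed
        pdu = req["scoped_pdu"]["pdu"]
        values = [[oid, self.mib.get(oid, "noSuchObject")] for oid, _ in pdu["varbinds"]]
        resp = build("Response", pdu["request_id"], values, self._params(sec["user"]),
                     auth=True, ctx_engine=self.engine_id)
        resp["security"]["auth_params"] = hmac_sha_96(key, resp)
        return resp


def nms_get(agent, user, key, oid):
    """Steps 1-4 of the Get sequence; returns the value, or the usmStats OID on failure."""
    empty = {"engine_id": "", "engine_boots": 0, "engine_time": 0, "user": ""}
    report = agent.handle(build("GetRequest", 1, [], empty, auth=False))   # steps 1 and 2
    learned = dict(report["security"], user=user)     # engine ID, boots, time from the Report
    req = build("GetRequest", 2, [[oid, None]], learned, auth=True, ctx_engine=learned["engine_id"])
    req["security"]["auth_params"] = hmac_sha_96(key, req)                 # step 3
    resp = agent.handle(req)                                               # step 4
    pdu = resp["scoped_pdu"]["pdu"]
    if pdu["type"] == "Report":
        return pdu["varbinds"][0][0]
    if not hmac.compare_digest(resp["security"]["auth_params"], hmac_sha_96(key, resp)):
        raise ValueError("response failed authentication")   # the NMS checks the agent too
    return pdu["varbinds"][0][1]


def attack_checks(agent, user, key):
    """One signed request three ways: intact, tampered in transit, replayed after the window."""
    sec = {"engine_id": agent.engine_id, "engine_boots": agent.boots,
           "engine_time": agent.time, "user": user}
    req = build("GetRequest", 9, [[SYS_CONTACT, None]], sec, auth=True, ctx_engine=agent.engine_id)
    req["security"]["auth_params"] = hmac_sha_96(key, req)
    intact = agent.handle(req)["scoped_pdu"]["pdu"]["type"]
    forged = copy.deepcopy(req)
    forged["scoped_pdu"]["pdu"]["varbinds"][0][0] = "1.3.6.1.2.1.1.5.0"   # swap in sysName
    tampered = agent.handle(forged)["scoped_pdu"]["pdu"]["varbinds"][0][0]
    agent.time += TIME_WINDOW + 50                    # the agent's clock moves on
    replayed = agent.handle(req)["scoped_pdu"]["pdu"]["varbinds"][0][0]
    return intact, tampered, replayed
```

Two points worth noticing in the simulation. First, the Report PDU that answers discovery is unauthenticated, which is why an NMS must only use it to resynchronize engine ID and time and never treat it as data. Second, the time window is USM's only replay protection: a captured message replayed within 150 seconds with the same engine boots would still be accepted, so the request ID and the NMS's own state are what catch such a replay in practice.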

Updated: 2019-05-17

Document ID: EDOC1000174072
