Enabling SNMPv3
Problem
You want to enable SNMPv3 on your router for security purposes.
Solution
SNMPv3 supports three modes of operation, each with different security features. These modes are summarized in Table 17-1. The following configuration commands enable SNMPv3 with no authentication and no encryption services (noAuthNoPriv):
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server view TESTV3 mib-2 include
Router(config)#snmp-server group NOTSAFE v3 noauth read TESTV3
Router(config)#snmp-server user WEAK NOTSAFE v3
Router(config)#end
Router#
Use the following configuration commands to enable SNMPv3 with MD5 authentication and no encryption services (authNoPriv):
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server view TESTV3 mib-2 include
Router(config)#snmp-server group ORAROV3 v3 auth read TESTV3
Router(config)#snmp-server user cking ORAROV3 v3 auth md5 daytona19y
Router(config)#end
Router#
And you can enable SNMPv3 with MD5 authentication and DES encryption services (authPriv) as follows:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server view TESTV3 mib-2 include
Router(config)#snmp-server group ORAROV3 v3 auth read TESTV3
Router(config)#snmp-server user bpugsley ORAROV3 v3 auth md5 hockeyrules priv des56 shortguy
Router(config)#end
Router#
Discussion
At the time of writing this book, the IETF had approved SNMP Version 3, SNMPv3, as a full standard and moved SNMPv1 and SNMPv2 to historic status. Essentially, SNMPv3 just acts like a set of security extensions to SNMPv2c, without providing much new core management functionality. All MIB objects and their associated OIDs remain the same from Versions 1 to 3 (with the small exception of 64-bit counters that were introduced in Version 2). So we will focus our attention on the new security features in Version 3.
Security has traditionally been the Achilles' heel of the legacy SNMP versions. The security model for Version 1 and 2c was little more than a simple password sent through the network as clear text. SNMP required a security facelift to continue to be useful into the future.
SNMPv3 is a standards-based network management protocol that is interoperable between vendors. It provides secure access to devices by providing authentication and encryption of SNMP packets throughout the network. To do this, SNMPv3 requires the following security features: authentication, message integrity, and encryption:
- Authentication ensures that the messages originated from a valid source. It proves the authenticity of the packet's source.
- Message Integrity ensures that a packet has not been tampered with during transmission.
- Encryption encodes the contents of the packet to prevent unauthorized people from viewing them.
SNMPv3 provides three security levels: noAuthNoPriv, authNoPriv, and authPriv:
noAuthNoPriv
Uses a username for authentication and most closely emulates the SNMPv1 and SNMPv2c authentication scheme of transmitting credentials in clear text. We do not recommend this level of SNMPv3 because it provides no significant advantage over SNMPv2c. If the advanced security features of SNMPv3 are not required for your implementation, it would probably be easier to use SNMPv1 or SNMPv2c instead.
authNoPriv
Provides authentication based on the MD5 or SHA algorithms. This level of SNMPv3 provides packet authentication and message integrity, but no encryption services. Since SNMP packets are authenticated and cannot be altered in transit, this level of security is sufficient for most organizations.
authPriv
Provides the same MD5 or SHA authentication as authNoPriv. In addition, authPriv allows you to encrypt SNMP packets by using 56-bit DES; 168-bit 3DES; or AES 128-, 192-, or 256-bit encryption algorithms so packet contents cannot be viewed without authorization. This provides the maximum security available by combining authentication, message integrity, and encryption. The authPriv level of security is suitable for implementations that need to send SNMP packets through the public Internet, for instance.
All three SNMPv3 security models require the same three-step process to configure them. First, you must define an SNMP view. Second, you must create an SNMP group. And third, you need to create an SNMP user profile and assign it to an existing group.
Defining an SNMP view for SNMPv3 is no different than creating a view for SNMPv1 or SNMPv2c. In fact, if there are existing SNMP views on the router that were created for SNMPv1 or SNMPv2c, you can use them with SNMPv3 as well. For more information on creating SNMP views, please see Recipe 17.8.
For example, here is a simple SNMP view that allows full access to the MIB-2 tree:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server view TESTV3 mib-2 include
Router(config)#end
Router#
To define an SNMPv3 group, use the following command:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server group ORAROV3 v3 auth read TESTV3
Router(config)#end
Router#
In this example, we have created a group named ORAROV3 that we have configured as an SNMPv3 group (hence the "v3"). We have configured this group to require authentication and assigned it to SNMP view TESTV3. Notice that we have not assigned a write view to this group, which means that all users assigned to this group will be limited to read-only access. However, the snmp-server group command will also allow you to define a read and a write view at the same time. For example:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server view TESTRO mib-2 include
Router(config)#snmp-server view TESTRW system include
Router(config)#snmp-server group TESTGRP v3 auth read TESTRO write TESTRW
Router(config)#end
Router#
In this example, we defined two separate SNMP views, TESTRO and TESTRW, respectively, and assigned them to our group. Note, however, that you can assign the same SNMP view to both the read-only access and read-write.
To define an SNMPv3 user, use the following command:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server user bpugsley ORAROV3 v3 auth md5 hockeyrules priv des56 shortguy
Router(config)#end
Router#
In this example, we have created a user named bpugsley, and assigned that user to our group named ORAROV3. This user will inherit the qualities that we have configured for that group. We have also defined that our user will use the MD5 algorithm for authentication purposes and assigned an authentication password of hockeyrules. We have also configured our user to use the optional DES56 packet encryption with the password shortguy to provide maximum security. Note that this command, once entered, will not be viewable using the show running-config command. We suspect that this is for security purposes.
To view existing SNMP groups, use the show snmp group command:
Router#show snmp group
groupname: ORAROV3                      security model:v3 auth
readview :TESTV3                        writeview:
notifyview:
row status: active
Router#
Notice that the group ORAROV3 is assigned to the security model v3 auth. Also notice that the read-only view is TESTV3, and that no read-write view exists.
To view the configured SNMPv3 users, use the following command:
Router#show snmp user
User name: bpugsley
Engine ID: 80000009030000019670B770
storage-type: nonvolatile        active
Router#
Unfortunately, this command provides very little useful information. Apart from confirming if a user exists or not, the output does not display to which group the user belongs or if the user is configured to use authentication or encryption. When you consider that Cisco's IOS also hides the user SNMP commands from the running configuration, it becomes clear that managing SNMPv3 users is a difficult task. We hope that Cisco will change the output of this command in upcoming releases as SNMPv3 becomes more popular.
Starting with IOS Version 12.3(2)T, Cisco did enhance the output of the show snmp user command to include the authentication protocol, the privacy protocol, and the SNMP group name:
Router2#show snmp user
User name: bpugsley
Engine ID: 800000090300000DBCEFF638
storage-type: nonvolatile        active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: ORAROV3
Router2#
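Because the user commands never appear in the running configuration, this output is the only on-box record of each user's settings. The following added example (not from the book) parses both output formats shown above and reports what can and cannot be confirmed; the sample text is copied from this recipe, and the policy of flagging MD5 and DES in favor of the SHA and AES options is an assumption of the example.

```python
import re

# Sample text copied from the two "show snmp user" listings in this recipe.
OLD_IOS = """User name: bpugsley
Engine ID: 80000009030000019670B770
storage-type: nonvolatile        active
"""
NEW_IOS = """User name: bpugsley
Engine ID: 800000090300000DBCEFF638
storage-type: nonvolatile        active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: ORAROV3
"""

FIELD = re.compile(
    r"^(User name|Engine ID|Authentication Protocol|Privacy Protocol|Group-name)"
    r":\s*(.*\S)\s*$"
)

def parse_users(text):
    """Return one dict per 'User name:' block in show snmp user output."""
    users = []
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue                      # storage-type line, prompts, blanks
        key, value = m.groups()
        if key == "User name":
            users.append({key: value})    # a new user block starts here
        elif users:
            users[-1][key] = value
    return users

def audit(user):
    """List findings for one parsed user (example policy, see lead-in)."""
    auth = user.get("Authentication Protocol")
    priv = user.get("Privacy Protocol")
    if auth is None:
        # Output from before IOS 12.3(2)T carries no protocol or group lines.
        return ["security level and group not shown; cannot be confirmed here"]
    findings = []
    if auth.upper() == "MD5":
        findings.append("MD5 authentication; SHA is available")
    if priv and priv.upper().startswith("DES"):
        findings.append("56-bit DES privacy; AES is available")
    return findings
```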
Using the SNMPv3 security levels
We will now demonstrate how to extract SNMP information from the router using each of the three SNMPv3 security levels. We will use NET-SNMP's snmpget command, which has full SNMPv3 support.
In our first example (noAuthNoPriv), we will poll the router for its system name by using a standard MIB-II object, sysName:
Freebsd% snmpget -v3 -u WEAK -l noAuthNoPriv Router sysName.0
system.sysName.0 = Router.oreilly.com
Freebsd%
Notice no user password was supplied, so the router simply accepted the user ID WEAK for authentication purposes. This userid was sent through the network in clear text. This command has also introduced two new attributes for the snmpget command, -u and -l. The -u attribute allows you to specify the security name, and the -l defines the security level.
The next example uses the authNoPriv security model. We will poll the exact same MIB object using MD5 authentication:
Freebsd% snmpget -v3 -u cking -l authNoPriv -a MD5 -A daytona19y Router sysName.0
system.sysName.0 = Router.oreilly.com
Freebsd%
Notice in this example we specify a user password daytona19y using the -A option, and an authentication protocol MD5 using the -a option. SNMPv3 uses the authentication protocol to authenticate users without sending the password in clear text. It is important to notice that the result of this SNMP Get is the same as our first example. However, we gathered the information in a much more secure manner. In fact, the same MIB object, sysName, could be retrieved using SNMPv1 if the router were configured to accept the request. But this would be considerably less secure.
The final example illustrates how to poll a MIB object by using the authentication and encryption services of the authPriv security model:
Freebsd% snmpget -v3 -u bpugsley -l authPriv -a MD5 -A hockeyrules -x DES -X shortguy Router sysName.0
system.sysName.0 = Router.oreilly.com
Freebsd%
In this example, we added two new variables, privacy protocol type DES using -x DES and a privacy protocol pass phrase with -X shortguy. These variables enable SNMPv3 packet encryption and specify the pass phrase to use. This ensures that prying eyes cannot view the packet contents in transit. To illustrate the effectiveness of SNMPv3's encryption service, we provide a captured SNMPv3 packet. The packet was captured using the Ethereal protocol analyzer (for more information on Ethereal, please see Appendix A):
Simple Network Management Protocol
    Version: 3
    Message Global Header
        Message Global Header Length: 16
        Message ID: 1608369049
        Message Max Size: 1480
        Flags: 0x03
            .... .0.. = Reportable: Not set
            .... ..1. = Encrypted: Set
            .... ...1 = Authenticated: Set
        Message Security Model: USM
    Message Security Parameters
        Message Security Parameters Length: 58
        Authoritative Engine ID: 80000009030000019670B780
        Engine Boots: 2
        Engine Time: 1469970
        User Name: bpugsley
        Authentication Parameter: B53EFA21230735541B207A39
        Privacy Parameter: 00000002C483B016
    Encrypted PDU (74 bytes)
Notice that the decoded response from the router exposes some useful SNMP information, such as the current version, encryption enabled, authentication enabled, and the username (bpugsley), but the analyzer is unable to decipher the payload (Encrypted PDU). This is significant, since the other versions of SNMP, including the other security models within SNMPv3, transport payload information in clear text. At last, SNMP has evolved into a secure protocol.
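The 12-byte Authentication Parameter and the Engine ID in the capture are what let SNMPv3 authenticate a user without ever sending the password. This added example (not from the book) follows the RFC 3414 procedure: password to user key, user key localized to one engine ID, then HMAC-MD5 truncated to 96 bits. The message bytes are a constructed stand-in, not the captured packet, so the tag will not match the one shown above.

```python
import hashlib
import hmac

def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2: Ku = hash of the password repeated out to 1,048,576 bytes."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rem = divmod(1048576, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()

def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = hash(Ku || engineID || Ku): the key is only valid on one engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def auth_parameter(kul: bytes, whole_msg: bytes, hash_name: str = "md5") -> bytes:
    """HMAC over the message (auth field zeroed), truncated to 96 bits."""
    return hmac.new(kul, whole_msg, hash_name).digest()[:12]

def verify(kul: bytes, whole_msg: bytes, received: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(auth_parameter(kul, whole_msg), received)

# Engine IDs as printed on this page (the captured packet and Router2).
ENGINE_A = bytes.fromhex("80000009030000019670B780")
ENGINE_B = bytes.fromhex("800000090300000DBCEFF638")
# Constructed stand-in for a serialized SNMPv3 message whose authentication
# parameter field has been zero-filled; it is not the real capture.
SAMPLE_MSG = b"constructed-snmpv3-message" + bytes(12)

def demo() -> dict:
    ku = password_to_key(b"hockeyrules")      # auth password from the recipe
    kul_a = localize_key(ku, ENGINE_A)
    kul_b = localize_key(ku, ENGINE_B)
    tag = auth_parameter(kul_a, SAMPLE_MSG)
    tampered = SAMPLE_MSG.replace(b"snmpv3", b"SNMPV3")
    return {
        "tag_len": len(tag),
        "same_key_on_both_routers": kul_a == kul_b,
        "accepts_original": verify(kul_a, SAMPLE_MSG, tag),
        "accepts_tampered": verify(kul_a, tampered, tag),
        "accepts_other_engine_key": verify(kul_b, SAMPLE_MSG, tag),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the key is localized per engine ID, the same user and password on two routers yield different keys, so a key recovered from one device does not authenticate to another.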
Of course, SNMPv3 also provides full support for traps and informs, including authentication, message integrity, and encryption. SNMPv3 traps and informs support the same three models of security as inbound services do. However, the noAuthNoPriv model provides no tangible advantage over SNMPv1 or SNMPv2c, and the authPriv model tends to be overkill, since few networks will require encrypted traps.
To enable SNMPv3 trap support using authentication and message integrity, use the following command:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server host 172.25.1.1 version 3 auth ijbrown snmp envmon
Router(config)#end
Router#
The process of enabling SNMPv3 traps, or informs, is similar to the SNMPv2c process, but with a few minor twists. First, you must define an SNMPv3 group and user, as in the previous examples. Second, you must include the keyword auth, which enables authentication. And third, you must include a valid SNMPv3 user (ijbrown, in this case). The router is then capable of forwarding SNMPv3 traps with full SNMPv3 authentication and message integrity enabled. For more information on enabling SNMP traps in general, please see Recipe 17.14.
See Also
Recipe 17.1; Recipe 17.8; Recipe 17.14