Enabling SNMPv3
Problem
You want to enable SNMPv3 on your router for security purposes.
Solution
SNMPv3 supports three modes of operation, each with different security features. These modes are summarized in Table 17-1. The following configuration commands enable SNMPv3 with no authentication and no encryption services (noAuthNoPriv):
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server view TESTV3 mib-2 include
Router(config)#snmp-server group NOTSAFE v3 noauth read TESTV3
Router(config)#snmp-server user WEAK NOTSAFE v3
Router(config)#end
Router#
Use the following configuration commands to enable SNMPv3 with MD5 authentication and no encryption services (authNoPriv):
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server view TESTV3 mib-2 include
Router(config)#snmp-server group ORAROV3 v3 auth read TESTV3
Router(config)#snmp-server user cking ORAROV3 v3 auth md5 daytona19y
Router(config)#end
Router#
And you can enable SNMPv3 with MD5 authentication and DES encryption services (authPriv) as follows:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server view TESTV3 mib-2 include
Router(config)#snmp-server group ORAROV3 v3 auth read TESTV3
Router(config)#snmp-server user bpugsley ORAROV3 v3 auth md5 hockeyrules priv des56 shortguy
Router(config)#end
Router#
Discussion
At the time of writing this book, the IETF had approved SNMP Version 3, SNMPv3, as a full standard and moved SNMPv1 and SNMPv2 to historic status. Essentially, SNMPv3 just acts like a set of security extensions to SNMPv2c, without providing much new core management functionality. All MIB objects and their associated OIDs remain the same from Versions 1 to 3 (with the small exception of the 64-bit counters that were introduced in Version 2). So we will focus our attention on the new security features in Version 3.
Security has traditionally been the Achilles' heel of the legacy SNMP versions. The security model for Versions 1 and 2c was little more than a simple password sent through the network as clear text. SNMP required a security facelift to continue to be useful into the future.
SNMPv3 is a standards-based network management protocol that is interoperable between vendors. It provides secure access to devices by authenticating and encrypting SNMP packets throughout the network. To do this, SNMPv3 requires the following security features: authentication, message integrity, and encryption:
- Authentication ensures that the messages originated from a valid source. It proves the authenticity of the packet's source.
- Message Integrity ensures that a packet has not been tampered with during transmission.
- Encryption encodes the contents of the packet to prevent unauthorized people from viewing them.
SNMPv3 provides three security levels: noAuthNoPriv, authNoPriv, and authPriv:
noAuthNoPriv
Uses a username for authentication and most closely emulates the SNMPv1 and SNMPv2c authentication scheme of transmitting credentials in clear text. We do not recommend this level of SNMPv3 because it provides no significant advantage over SNMPv2c. If the advanced security features of SNMPv3 are not required for your implementation, it would probably be easier to use SNMPv1 or SNMPv2c instead.
authNoPriv
Provides authentication based on the MD5 or SHA algorithms. This level of SNMPv3 provides packet authentication and message integrity, but no encryption services. Since SNMP packets are authenticated and cannot be altered in transit, this level of security is sufficient for most organizations.
authPriv
Provides the same MD5 or SHA authentication as authNoPriv. In addition, authPriv allows you to encrypt SNMP packets by using 56-bit DES; 168-bit 3DES; or AES 128-, 192-, or 256-bit encryption algorithms so packet contents cannot be viewed without authorization. This provides the maximum security available by combining authentication, message integrity, and encryption. The authPriv level of security is suitable for implementations that need to send SNMP packets through the public Internet, for instance.
All three SNMPv3 security models require the same three-step process to configure them. First, you must define an SNMP view. Second, you must create an SNMP group. And third, you need to create an SNMP user profile and assign it to an existing group.
Defining an SNMP view for SNMPv3 is no different than creating a view for SNMPv1 or SNMPv2c. In fact, if there are existing SNMP views on the router that were created for SNMPv1 or SNMPv2c, you can use them with SNMPv3 as well. For more information on creating SNMP views, please see Recipe 17.8.
For example, here is a simple SNMP view that allows full access to the MIB-2 tree:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server view TESTV3 mib-2 include
Router(config)#end
Router#
To define an SNMPv3 group, use the following command:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server group ORAROV3 v3 auth read TESTV3
Router(config)#end
Router#
In this example, we have created a group named ORAROV3 that we have configured as an SNMPv3 group (hence the "v3"). We have configured this group to require authentication and assigned it to SNMP view TESTV3. Notice that we have not assigned a write view to this group, which means that all users assigned to this group will be limited to read-only access. However, the snmp-server group command will also allow you to define a read and a write view at the same time. For example:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server view TESTRO mib-2 include
Router(config)#snmp-server view TESTRW system include
Router(config)#snmp-server group TESTGRP v3 auth read TESTRO write TESTRW
Router(config)#end
Router#
In this example, we defined two separate SNMP views, TESTRO and TESTRW, and assigned them to our group as the read view and the write view, respectively. Note, however, that you can assign the same SNMP view to both read-only and read-write access.
To define an SNMPv3 user, use the following command:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server user bpugsley ORAROV3 v3 auth md5 hockeyrules priv des56 shortguy
Router(config)#end
Router#
In this example, we have created a user named bpugsley, and assigned that user to our group named ORAROV3. This user will inherit the qualities that we have configured for that group. We have also defined that our user will use the MD5 algorithm for authentication purposes and assigned an authentication password of hockeyrules. We have also configured our user to use the optional DES56 packet encryption with the password shortguy to provide maximum security. Note that this command, once entered, will not be viewable using the show running-config command. We suspect that this is for security purposes.
To view existing SNMP groups, use the show snmp group command:
Router#show snmp group
groupname: ORAROV3 security model:v3 auth
readview :TESTV3 writeview:
notifyview:
row status: active
Router#
Notice that the group ORAROV3 is assigned to the security model v3 auth. Also notice that the read-only view is TESTV3, and that no read-write view exists.
To view the configured SNMPv3 users, use the following command:
Router#show snmp user
User name: bpugsley
Engine ID: 80000009030000019670B770
storage-type: nonvolatile active
Router#
Unfortunately, this command provides very little useful information. Apart from confirming if a user exists or not, the output does not display to which group the user belongs or if the user is configured to use authentication or encryption. When you consider that Cisco's IOS also hides the user SNMP commands from the running configuration, it becomes clear that managing SNMPv3 users is a difficult task. We hope that Cisco will change the output of this command in upcoming releases as SNMPv3 becomes more popular.
Starting with IOS Version 12.3(2)T, Cisco did enhance the output of the show snmp user command to include the authentication protocol, the privacy protocol, and the SNMP group name:
Router2#show snmp user
User name: bpugsley
Engine ID: 800000090300000DBCEFF638
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: ORAROV3
Router2#
Using the SNMPv3 security levels
We will now demonstrate how to extract SNMP information from the router using each of the three SNMPv3 security levels. We will use NET-SNMP's snmpget command, which has full SNMPv3 support.
In our first example (noAuthNoPriv), we will poll the router for its system name by using a standard MIB-II object, sysName:
Freebsd% snmpget -v3 -u WEAK -l noAuthNoPriv Router sysName.0
system.sysName.0 = Router.oreilly.com
Freebsd%
Notice that no user password was supplied, so the router simply accepted the user ID WEAK for authentication purposes. This user ID was sent through the network in clear text. This command has also introduced two new options for the snmpget command, -u and -l. The -u option allows you to specify the security name, and the -l option defines the security level.
The next example uses the authNoPriv security model. We will poll the exact same MIB object using MD5 authentication:
Freebsd% snmpget -v3 -u cking -l authNoPriv -a MD5 -A daytona19y Router sysName.0
system.sysName.0 = Router.oreilly.com
Freebsd%
Notice that in this example we specify the user password daytona19y using the -A option, and the authentication protocol MD5 using the -a option. SNMPv3 uses the authentication protocol to authenticate users without sending the password in clear text. It is important to notice that the result of this SNMP Get is the same as in our first example. However, we gathered the information in a much more secure manner. In fact, the same MIB object, sysName, could be retrieved using SNMPv1 if the router were configured to accept the request. But this would be considerably less secure.
The final example illustrates how to poll a MIB object by using the authentication and encryption services of the authPriv security model:
Freebsd% snmpget -v3 -u bpugsley -l authPriv -a MD5 -A hockeyrules -x DES -X shortguy Router sysName.0
system.sysName.0 = Router.oreilly.com
Freebsd%
In this example, we added two new options: the privacy protocol type, DES, using -x DES, and the privacy protocol pass phrase using -X shortguy. These options enable SNMPv3 packet encryption and specify the pass phrase to use. This ensures that prying eyes cannot view the packet contents in transit. To illustrate the effectiveness of SNMPv3's encryption service, we provide a captured SNMPv3 packet. The packet was captured using the Ethereal protocol analyzer (for more information on Ethereal, please see Appendix A):
Simple Network Management Protocol
Version: 3
Message Global Header
Message Global Header Length: 16
Message ID: 1608369049
Message Max Size: 1480
Flags: 0x03
.... .0.. = Reportable: Not set
.... ..1. = Encrypted: Set
.... ...1 = Authenticated: Set
Message Security Model: USM
Message Security Parameters
Message Security Parameters Length: 58
Authoritative Engine ID: 80000009030000019670B780
Engine Boots: 2
Engine Time: 1469970
User Name: bpugsley
Authentication Parameter: B53EFA21230735541B207A39
Privacy Parameter: 00000002C483B016
Encrypted PDU (74 bytes)
Notice that the analyzer can still read some useful SNMP information from the router's response packet, such as the protocol version, whether encryption and authentication are enabled, and the username (bpugsley), but it is unable to decipher the payload (Encrypted PDU). This is significant, since the other versions of SNMP, including the other security levels within SNMPv3, transport payload information in clear text. At last, SNMP has evolved into a secure protocol.
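As an added example (not code from the book), the following Python decodes the SNMPv3 message header shown in that dump: a minimal BER reader for the msgGlobalData SEQUENCE and a decoder that maps the msgFlags byte to the security level names used in this recipe. The 18-byte header is constructed by hand from the values in the capture above (msgID, max size, flags 0x03, security model USM).

```python
"""Decode the SNMPv3 message header (msgGlobalData) from the wire.
Added example, not from the book: a minimal BER reader for the SEQUENCE of
msgID, msgMaxSize, msgFlags and msgSecurityModel, plus a decoder that maps
the msgFlags byte to the security level names used in this recipe."""

# Constructed by hand from the values in the Ethereal dump above:
# msgID 1608369049, max size 1480, flags 0x03, security model 3 (USM).
HEADER = bytes.fromhex("30 10 02 04 5f dd c3 99 02 02 05 c8 04 01 03 02 01 03")

SECURITY_MODELS = {1: "SNMPv1", 2: "SNMPv2c", 3: "USM"}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos.
    Short-form lengths only, which covers every field of msgGlobalData."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form BER length not supported here")
    start = pos + 2
    return tag, buf[start:start + length], start + length


def security_level(flags):
    """Map the authFlag (0x01) and privFlag (0x02) bits to a level name."""
    auth, priv = bool(flags & 0x01), bool(flags & 0x02)
    if priv and not auth:
        raise ValueError("privacy without authentication is not a valid level")
    return "authPriv" if priv else ("authNoPriv" if auth else "noAuthNoPriv")


def parse_global_data(buf):
    """Parse msgGlobalData and return its fields plus the decoded flags."""
    tag, body, _ = read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("msgGlobalData must be a SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        fields.append((tag, value))
    (t1, msg_id), (t2, max_size), (t3, flags), (t4, model) = fields
    if (t1, t2, t3, t4) != (0x02, 0x02, 0x04, 0x02):
        raise ValueError("unexpected field tags in msgGlobalData")
    return {
        "msg_id": int.from_bytes(msg_id, "big", signed=True),
        "max_size": int.from_bytes(max_size, "big", signed=True),
        "flags": flags[0],
        "reportable": bool(flags[0] & 0x04),   # reportableFlag
        "level": security_level(flags[0]),
        "security_model": SECURITY_MODELS.get(int.from_bytes(model, "big")),
    }
```

Running parse_global_data(HEADER) yields the same values the analyzer displayed, with the flags byte resolved to authPriv; only the PDU that follows the security parameters is encrypted.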
Of course, SNMPv3 also provides full support for traps and informs, including authentication, message integrity, and encryption. SNMPv3 traps and informs support the same three security levels as inbound services do. However, the noAuthNoPriv level provides no tangible advantage over SNMPv1 or SNMPv2c, and the authPriv level tends to be overkill, since few networks will require encrypted traps.
To enable SNMPv3 trap support using authentication and message integrity, use the following command:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server host 172.25.1.1 version 3 auth ijbrown snmp envmon
Router(config)#end
Router#
The process of enabling SNMPv3 traps, or informs, is similar to the SNMPv2c process, but with a few minor twists. First, you must define an SNMPv3 group and user, as in the previous examples. Second, you must include the keyword auth, which enables authentication. And third, you must include a valid SNMPv3 user (ijbrown, in this case). The router is then capable of forwarding SNMPv3 traps with full SNMPv3 authentication and message integrity enabled. For more information on enabling SNMP traps in general, please see Recipe 17.14.
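To check a router's configuration against the security levels described in this recipe, here is an added example (not code from the book) that audits the snmp-server group lines discussed under "To define an SNMPv3 group" and the snmp-server host line used for traps above. The sample configuration is constructed: the view, group and trap-host names follow this recipe, while the community string and the second trap host are made up to give the audit something to flag.

```python
"""Audit the SNMP lines of a Cisco IOS running configuration.
Added example, not from the book: it classifies each snmp-server group and
host line by the security levels described in this recipe and flags the
ones that still send credentials or traps without authentication."""

import re

# Constructed sample; group, view and host names follow this recipe, the
# community string and the second trap host are made up for the audit.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server view TESTV3 mib-2 include
snmp-server group NOTSAFE v3 noauth read TESTV3
snmp-server group ORAROV3 v3 auth read TESTV3
snmp-server group TESTGRP v3 priv read TESTRO write TESTRW
snmp-server host 172.25.1.1 version 3 auth ijbrown snmp envmon
snmp-server host 172.25.1.2 version 2c public
"""

GROUP_RE = re.compile(r"^snmp-server group (\S+) (v1|v2c|v3)(?: (noauth|auth|priv))?(.*)$")
HOST_RE = re.compile(r"^snmp-server host (\S+) version (1|2c|3)(?: (noauth|auth|priv))? (\S+)")


def audit_snmp(config):
    """Return (severity, message, line) tuples for the SNMP lines in config."""
    findings = []
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("snmp-server community "):
            findings.append(("high", "v1/v2c community string is sent in clear text", line))
            continue
        m = GROUP_RE.match(line)
        if m:
            name, version, level, rest = m.groups()
            # A missing level keyword is treated as noauth, the weakest case.
            if version != "v3" or (level or "noauth") == "noauth":
                findings.append(("high", f"group {name} has no authentication", line))
            elif level == "auth":
                findings.append(("info", f"group {name} is authNoPriv (no encryption)", line))
            if " write " in rest:
                findings.append(("info", f"group {name} grants read-write access", line))
            continue
        m = HOST_RE.match(line)
        if m:
            host, version, level, _user = m.groups()
            if version != "3" or (level or "noauth") == "noauth":
                findings.append(("high", f"trap host {host} receives unauthenticated traps", line))
    return findings
```

Because IOS hides snmp-server user lines from the running configuration, as noted above, the script reports on groups and trap hosts only; user settings still have to be checked with show snmp user.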