SNMP Security and SNMPv3

This section briefly describes the security aspects of SNMP requests, specifically authentication and authorization. The authentication mechanism is built into Net-SNMP.

  • Authentication in SNMP versions 1 and 2c is provided by a password (the community string) sent in clear text between the manager and the agent.

  • SNMP v3 defines a number of security-related capabilities. The initial specifications defined the USM and VACM, which were later followed by a transport security model that provided support for SNMPv3 over SSH and SNMPv3 over TLS and DTLS.

netconfd-pro implements NACM (NETCONF Access Control Model) to manage and control access to the YANG objects supported by the device. Since NACM already provides authorization, VACM must be disabled when processing SNMP v3 requests. More information about configuring and managing Net-SNMP authentication is available online as part of the Net-SNMP documentation.

Security Configuration Files

Net-SNMP uses two configuration files to control its operation and the management information it provides.

  1. /var/net-snmp/snmpd.conf

    • This file contains the SNMP v3 specific configuration, namely the allowed user names and their passwords.

  2. /usr/local/share/snmp/snmpd.conf

    • This file contains generic configuration information, including the SNMP v1 and v2c community strings that perform basic authentication. If it is not found at the path above, the configuration file may be located at /etc/yumapro/snmpd.conf.

Adding an SNMPv3 User

Adding a new SNMP v3 user can be performed with the scripts shipped with Net-SNMP, as shown below. The command adds a read-only (-ro) user “admin” with authentication and privacy. Authentication uses SHA with the authentication password “password1”; privacy uses DES with the privacy password “password2”.

> sudo net-snmp-config --create-snmpv3-user -ro -a SHA -A 'password1' -x DES -X 'password2' admin

Note

The netconfd-pro server must be stopped before running the above command. Once the command has completed, netconfd-pro can be started again and will use the updated configuration file.

Adding an SNMPv1/v2c User

SNMP v1 and v2c use community strings for authentication. The allowed community strings, along with their access permissions, are configured in the 'snmpd.conf' file. The tokens that control these parameters are “rocommunity” for read-only access and “rwcommunity” for read-write access.
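As an added example (not netconfd-pro or Net-SNMP code), the following POSIX shell script audits an snmpd.conf-style file for the weak settings the two user sections above make possible: default community strings, an rwcommunity with no source restriction, SNMPv3 users granted noauth access, and createUser entries on the legacy MD5/DES algorithms. The rouser, rwuser and createUser token syntax is assumed from Net-SNMP's snmpd.conf format, and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example (not netconfd-pro or Net-SNMP code): audit an snmpd.conf-style
# file for weak access settings. Assumed Net-SNMP token syntax: "rocommunity|
# rwcommunity COMMUNITY [SOURCE ...]", "rouser|rwuser USER [noauth|auth|priv]",
# "createUser USER (MD5|SHA) PASS [(DES|AES) PASS]".
audit_snmpd_conf() {                      # prints one "WEAK: ..." line per finding in $1
    file=$1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                  # drop trailing comments
        set -- $line                      # split the line into tokens
        if [ $# -eq 0 ]; then continue; fi
        token=$1 arg=${2:-} third=${3:-} fifth=${5:-}
        case "$token" in
            rocommunity|rwcommunity)
                case "$arg" in
                    public|private) echo "WEAK: $token uses default community string '$arg'" ;;
                esac
                # no SOURCE (or "default") means any host may use the string
                if [ "$token" = rwcommunity ] && { [ -z "$third" ] || [ "$third" = default ]; }; then
                    echo "WEAK: rwcommunity '$arg' has no source restriction"
                fi ;;
            rouser|rwuser)
                if [ "$third" = noauth ]; then
                    echo "WEAK: $token '$arg' allows unauthenticated SNMPv3 access"
                fi ;;
            createUser)                   # MD5 and DES are legacy USM algorithms
                case "$third/$fifth" in
                    *MD5*|*DES*) echo "WEAK: createUser '$arg' uses legacy algorithm $third/$fifth" ;;
                esac ;;
        esac
    done < "$file"
}
count_findings() {                        # number of findings in $1
    audit_snmpd_conf "$1" | wc -l | tr -d ' '
}
# Constructed sample configuration for a stand-alone run.
sample=$(mktemp)
cat > "$sample" <<'EOF'
rwcommunity private                      # default string, no source limit
rocommunity public 10.0.0.0/8            # default string
rocommunity s3cr3t-ro 192.0.2.0/24 -V systemonly
rouser admin noauth                      # SNMPv3 user without authentication
rouser ops priv
createUser admin SHA password1 DES password2
createUser ops SHA password3 AES password4
EOF
audit_snmpd_conf "$sample"
echo "findings: $(count_findings "$sample")"   # prints "findings: 5"
rm -f "$sample"
```

Run it against the two snmpd.conf files listed above after stopping netconfd-pro; a clean file produces no output and a count of 0.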