Paradyne 8820 Security Camera User Manual
8000-A2-GB30-10 November 2003 79
7.7.5 User-based Security Model (USM) RFC 3414
RFC 3414 discusses the “User-based Security Model” for SNMPv3. It defines the elements
of procedure for providing SNMP message-level security. The mechanisms to be
implemented for this feature are Discovery and Timeliness, Authentication, Privacy,
and Key Management.
The product will support the HMAC-MD5-96 and the HMAC-SHA-96 protocols for
authentication and the CBC-DES Symmetric Encryption Protocol for Privacy.
7.7.5.1 Supporting MIBs.
The following statistics MIB objects will be supported:
7.7.5.1.1 Statistics.
usmStatsUnsupportedSecLevels, usmStatsNotInTimeWindows,
usmStatsUnknownUserNames, usmStatsUnknownEngineIDs, usmStatsWrongDigests,
usmStatsDecryptionErrors.
7.7.5.1.2 SNMPv3 users.
7.7.5.1.2.1 usmUserTable.
Will be supported to maintain authentication and privacy information for each user. The
engineID and the userName index the table. For the GranDSLAM R3.2 product, all entries
will have the same local engineID.
Because new SNMPv3 users can be added to this table only by cloning an existing
entry, an initial entry is needed to start with. The initial entry will be based on the password
of our default userID. This will be done only the first time SNMPv3 is turned on
(the ’snmpV3-encryption’ option is selected).
This initial user/password is run through an algorithm based on the HMAC-MD5-96
(default algorithm for authentication) and converted into what is called a localized key. This
procedure is standardized in RFC 3414.
Remote entities (for example, EMS) must obtain the same value of the localized key to
start with.
Once the initial entry is created, clients (EMS, TL-1, Web, etc.) will use the standardized
procedure in RFC 3414 to clone new users from the existing entries in the usmUserTable.
No other MIBs are involved in creating SNMPv3 users.
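The password-to-key, key-localization and clone-then-change-key steps referred to above are the RFC 3414 procedures (Appendix A.2, section 2.6 and section 11.2). The following is an added example written for this page; it is not Paradyne code and does not reflect how the GranDSLAM agent stores its keys. It derives the localized key for a user from a password and an engineID, shows the KeyChange value a client sends (via usmUserAuthKeyChange / usmUserPrivKeyChange) after cloning an entry, and computes the 12-byte HMAC-MD5-96 / HMAC-SHA-96 authentication parameters. The password "maplesyrup" and the engineID 0x000000000000000000000002 are the RFC 3414 Appendix A.3 test vectors; the message bytes are constructed for the demonstration.

```python
"""RFC 3414 USM key handling: password-to-key, localization, KeyChange and HMAC-96.

Added example for this manual page; not the product's own code.
"""
import hashlib
import hmac
import os

# Hash functions behind HMAC-MD5-96 and HMAC-SHA-96 (both named on the page).
HASHES = {"md5": hashlib.md5, "sha": hashlib.sha1}


def password_to_key(password: str, algo: str) -> bytes:
    """RFC 3414 A.2: hash the password repeated to fill 1,048,576 bytes -> Ku."""
    total = 1048576
    pw = password.encode()
    buf = (pw * (total // len(pw) + 1))[:total]  # cycle the password to exactly 1 MiB
    return HASHES[algo](buf).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku).

    Every entity that must share the key (agent, EMS) computes the same Kul
    from the same password and engineID; the password itself never travels.
    """
    return HASHES[algo](ku + engine_id + ku).digest()


def key_change(old_kul: bytes, new_kul: bytes, algo: str, random_bytes: bytes = None) -> bytes:
    """RFC 3414 11.2 KeyChange value for keys equal to the hash length (16 or 20 bytes).

    The value sent on the wire is random || (H(oldKey || random) XOR newKey), so the
    new key is only recoverable by someone who already holds the old key.
    """
    h = HASHES[algo]
    assert len(old_kul) == len(new_kul) == h().digest_size
    r = random_bytes if random_bytes is not None else os.urandom(len(old_kul))
    digest = h(old_kul + r).digest()
    delta = bytes(a ^ b for a, b in zip(digest, new_kul))
    return r + delta


def apply_key_change(old_kul: bytes, key_change_value: bytes, algo: str) -> bytes:
    """Agent side: recover the new localized key from a KeyChange value."""
    h = HASHES[algo]
    n = h().digest_size
    r, delta = key_change_value[:n], key_change_value[n:]
    digest = h(old_kul + r).digest()
    return bytes(a ^ b for a, b in zip(digest, delta))


def auth_params(kul: bytes, algo: str, wire_msg: bytes) -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: HMAC over the whole message (with the
    msgAuthenticationParameters field zeroed by the caller), truncated to 12 bytes."""
    return hmac.new(kul, wire_msg, HASHES[algo]).digest()[:12]


def derive_localized_key(password: str, engine_id: bytes, algo: str) -> bytes:
    """Convenience wrapper: password -> Ku -> Kul for one engine."""
    return localize_key(password_to_key(password, algo), engine_id, algo)


if __name__ == "__main__":
    engine_id = bytes.fromhex("000000000000000000000002")  # RFC 3414 A.3 test engineID
    kul = derive_localized_key("maplesyrup", engine_id, "md5")
    print("localized MD5 key:", kul.hex())
    new_kul = derive_localized_key("new-password-example", engine_id, "md5")  # constructed
    kc = key_change(kul, new_kul, "md5")
    print("agent recovers new key:", apply_key_change(kul, kc, "md5") == new_kul)
    msg = b"\x30\x00constructed-snmpv3-message-bytes"  # constructed, not a real PDU
    print("authParams:", auth_params(new_kul, "md5", msg).hex())
```

The SHA variant is selected with `algo="sha"`, giving 20-byte keys; the KeyChange helper deliberately refuses keys longer than one hash output, since the page's algorithms never need the multi-block iteration of RFC 3414 section 11.2.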
According to requirements, the SNMPv3 users to be configured will always have AuthPriv
as the securityLevel, that is, both authentication and privacy (encryption) turned on.
A securityLevel of NoAuthNoPriv or AuthNoPriv will not be supported for these users.
7.7.5.1.2.2 usmUserSpinLock.
This object will be supported to coordinate set operations to the usmUserTable.
7.7.6 View-based Access Control (VACM)
RFC 3415 discusses the “View-based Access Control Model” for SNMPv3. The
GranDSLAM R3.2 agent will create default entries in the necessary tables to be commonly
used between v1/v2c/v3 SNMP users.
7.7.6.1 Supporting MIBs
RFC 3415 defines several tables to be used to determine if an SNMP operation (get, getnext,
getbulk, set or notification) is allowed to access certain managed objects.
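The decision described above is the isAccessAllowed procedure of RFC 3415 section 3.2, which walks three tables: vacmSecurityToGroupTable (who the user is), vacmAccessTable (what views the user's group gets for a given context, security model and security level) and vacmViewTreeFamilyTable (which OID subtrees a view includes or excludes). The following is an added example for this page, not Paradyne code; the group, access and view rows are constructed, and the agent's real default entries are not shown on this page. It demonstrates the family-mask wildcard (row 7 of ifTable across every column), the longest-match rule that lets an excluded sub-subtree punch a hole in an included view, and why an AuthNoPriv request is refused when the access row requires AuthPriv.

```python
"""RFC 3415 VACM isAccessAllowed walkthrough (added example, not the product's code)."""

NO_AUTH_NO_PRIV, AUTH_NO_PRIV, AUTH_PRIV = 1, 2, 3
ANY_MODEL = 0  # vacmAccessSecurityModel value meaning "any security model"

# vacmSecurityToGroupTable (constructed): (securityModel, securityName) -> groupName
SECURITY_TO_GROUP = {
    ("usm", "netops"): "operators",
}

# vacmAccessTable (constructed): (groupName, contextPrefix, securityModel, securityLevel)
#   -> (contextMatch, readView, writeView, notifyView); "" means no view (no access)
ACCESS_TABLE = {
    ("operators", "", ANY_MODEL, AUTH_PRIV): ("exact", "sysAndIf7", "", ""),
}

# vacmViewTreeFamilyTable (constructed): viewName -> [(subtree, mask, type)]
# Mask ff:a0 over 11 sub-identifiers fixes every position except index 9 (the
# ifTable column), so the family covers all columns of interface row 7.
VIEW_TREE_FAMILY = {
    "sysAndIf7": [
        ((1, 3, 6, 1, 2, 1, 1), b"", "included"),               # system group
        ((1, 3, 6, 1, 2, 1, 1, 6), b"", "excluded"),            # ... except sysLocation
        ((1, 3, 6, 1, 2, 1, 2, 2, 1, 1, 7), bytes.fromhex("ffa0"), "included"),
    ],
}


def mask_bit(mask: bytes, i: int) -> int:
    """Bit i of the family mask; bits beyond the end of the mask are 1 (RFC 3415)."""
    if i // 8 >= len(mask):
        return 1
    return (mask[i // 8] >> (7 - i % 8)) & 1


def family_matches(oid: tuple, subtree: tuple, mask: bytes) -> bool:
    """OID is in the family if it is at least as long as the subtree and every
    position whose mask bit is 1 agrees with the subtree."""
    if len(oid) < len(subtree):
        return False
    return all(mask_bit(mask, i) == 0 or oid[i] == subtree[i] for i in range(len(subtree)))


def oid_in_view(view_name: str, oid: tuple) -> bool:
    """Longest matching family wins (more sub-identifiers, then lexicographically
    greater subtree); the OID is in the view only if that family is 'included'."""
    best = None
    for subtree, mask, ftype in VIEW_TREE_FAMILY.get(view_name, []):
        if family_matches(oid, subtree, mask):
            if best is None or (len(subtree), subtree) > (len(best[0]), best[0]):
                best = (subtree, ftype)
    return best is not None and best[1] == "included"


def select_access_entry(group: str, context: str, model: str, level: int):
    """Pick the vacmAccessTable row for this request: the row's level must not exceed
    the request's level, and exact context / specific model / higher level are preferred."""
    candidates = []
    for (g, prefix, m, lvl), views in ACCESS_TABLE.items():
        if g != group or lvl > level or m not in (ANY_MODEL, model):
            continue
        match = views[0]
        if match == "exact" and prefix != context:
            continue
        if match == "prefix" and not context.startswith(prefix):
            continue
        candidates.append(((match == "exact", m != ANY_MODEL, lvl), views[1:]))
    return max(candidates)[1] if candidates else None


def is_access_allowed(model: str, name: str, level: int, view_type: str,
                      context: str, oid: tuple) -> str:
    """Return the RFC 3415 status name for the request."""
    group = SECURITY_TO_GROUP.get((model, name))
    if group is None:
        return "noGroupName"
    entry = select_access_entry(group, context, model, level)
    if entry is None:
        return "noAccessEntry"
    view = entry[{"read": 0, "write": 1, "notify": 2}[view_type]]
    if not view:
        return "noSuchView"
    return "accessAllowed" if oid_in_view(view, oid) else "notInView"


if __name__ == "__main__":
    sys_descr = (1, 3, 6, 1, 2, 1, 1, 1, 0)
    print("read sysDescr.0:", is_access_allowed("usm", "netops", AUTH_PRIV, "read", "", sys_descr))
    print("set sysDescr.0:", is_access_allowed("usm", "netops", AUTH_PRIV, "write", "", sys_descr))
    print("authNoPriv read:", is_access_allowed("usm", "netops", AUTH_NO_PRIV, "read", "", sys_descr))
```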