SNMP v3 Security Notes

Starting from SNMPv3, an instance of a software implementation of SNMP has come to be known as an SNMP entity, where an SNMP entity consists of a single SNMP engine and one or more associated applications.

Applications may be any or all of the following:

  • Command Responder (a.k.a. Agent; it usually hosts one or more Management Information Bases)
  • Command Generator (a.k.a. Manager)
  • Notification Originator
  • Notification Receiver

The engine is responsible for dispatching requests and responses as well as authorizing and encrypting/decrypting those messages. SNMPv3 requires that an application be able to uniquely identify the remote SNMP engine of the remote SNMP entity in order to retrieve or manipulate objects maintained on that entity.

The SNMP Engine ID (stored as "snmpEngineID") is a unique identifier of an engine and also of an entity. An SNMP context is a collection of management information accessible by an SNMP entity. An item of management information may exist in more than one context and an SNMP entity potentially has access to many contexts. A context is identified by the EngineID value of the entity hosting the management information (contextEngineID) and a context name that identifies the specific context (contextName).

The User-based Security Model (USM) is the most widely used security model in SNMPv3. A USM SNMP packet reserves two fields for the identification of SNMP entities. One field identifies the authoritative entity. The second field identifies the entity hosting the context to which the data belongs. Since EngineID is well defined as an entity unique identifier, it is used by USM. The USM entity's identification fields are further explained here:

  • authoritativeEngineID
    The rules for designating the authoritative engine are as follows: if the SNMP message requires a response (get, getnext, getbulk, set, or inform), the receiver of the message is authoritative. If the message does not require a response (trap or report), the sender of the message is authoritative. Generally, an SNMP agent is authoritative and a manager is nonauthoritative. A nonauthoritative engine must discover the snmpEngineID of the authoritative engine with which it communicates. USM describes the mechanism for authoritative EngineID discovery in RFC 3414.
  • contextEngineID
    This is the EngineID of the entity that hosts the context to which the data belongs. For simplicity, and for most practical purposes, authoritativeEngineID and contextEngineID are the same.
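The discovery rule above matters because USM keys are localized to the authoritative engine: a nonauthoritative manager cannot derive the key it needs to authenticate until it has learned the agent's snmpEngineID. The following is an added example (not VTScada code and not from RFC 3414 itself) that models the two pieces in plain Python: the authoritative-role rule for each PDU type, and a simplified discovery exchange in which the manager sends a probe with an empty msgAuthoritativeEngineID, the agent answers with a Report carrying its snmpEngineID, and the manager then runs the RFC 3414 password-to-key and key-localization steps. Message framing is a dataclass rather than real BER/USM encoding, and the engine ID used is the 12-byte test-vector value from RFC 3414 Appendix A, not a VTScada-generated one; both are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed sample value: the snmpEngineID used in the RFC 3414 Appendix A
# test vectors (00 00 00 00 00 00 00 00 00 00 00 02). Not a VTScada engine ID.
SAMPLE_ENGINE_ID = bytes.fromhex("000000000000000000000002")

# PDU classes from the page's rule: confirmed PDUs expect a response, so the
# receiver is authoritative; unconfirmed ones do not, so the sender is.
CONFIRMED_PDUS = {"get", "getnext", "getbulk", "set", "inform"}
UNCONFIRMED_PDUS = {"trap", "report"}


def authoritative_role(pdu_type: str, is_sender: bool) -> str:
    """Return 'authoritative' or 'nonauthoritative' for this engine's side of the exchange."""
    if pdu_type in CONFIRMED_PDUS:
        return "nonauthoritative" if is_sender else "authoritative"
    if pdu_type in UNCONFIRMED_PDUS:
        return "authoritative" if is_sender else "nonauthoritative"
    raise ValueError(f"unknown PDU type {pdu_type!r}")


def password_to_ku(password: str, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2: cycle the password to 1 MiB (1048576 bytes) and hash it -> Ku."""
    pw = password.encode("utf-8")
    stretched = (pw * (1048576 // len(pw) + 1))[:1048576]
    return hashlib.new(hash_name, stretched).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2: Kul = H(Ku || snmpEngineID || Ku). Different engine ID -> different key."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


@dataclass
class UsmMessage:
    # Simplified stand-in for the USM security parameters (assumption: no BER encoding)
    pdu_type: str
    authoritative_engine_id: bytes   # msgAuthoritativeEngineID
    context_engine_id: bytes = b""   # contextEngineID (same as authoritative here)
    user_name: str = ""              # msgUserName
    payload: str = ""


class AuthoritativeEngine:
    """The agent side: owns an snmpEngineID and services discovery probes."""

    def __init__(self, engine_id: bytes) -> None:
        self.engine_id = engine_id
        self.unknown_engine_ids = 0  # models the usmStatsUnknownEngineIDs counter

    def handle(self, msg: UsmMessage) -> UsmMessage:
        if msg.authoritative_engine_id != self.engine_id:
            # Unknown (e.g. empty) engine ID: answer with a Report that tells the
            # peer our snmpEngineID, which is how discovery works.
            self.unknown_engine_ids += 1
            return UsmMessage("report", self.engine_id, self.engine_id,
                              payload="usmStatsUnknownEngineIDs")
        return UsmMessage("response", self.engine_id, self.engine_id,
                          msg.user_name, payload=f"value-for:{msg.payload}")


class NonAuthoritativeEngine:
    """The manager side: must discover the peer engine ID before it can localize its key."""

    def __init__(self, user_name: str, password: str, hash_name: str = "md5") -> None:
        self.user_name, self.password, self.hash_name = user_name, password, hash_name
        self.discovered_engine_id: Optional[bytes] = None
        self.localized_key: Optional[bytes] = None

    def discover(self, peer: AuthoritativeEngine) -> bytes:
        # Step 1: probe with an empty engine ID and no user; the peer is authoritative
        # for a confirmed PDU, so it is the one that replies with the Report.
        assert authoritative_role("get", is_sender=True) == "nonauthoritative"
        report = peer.handle(UsmMessage("get", b""))
        if report.pdu_type != "report":
            raise RuntimeError("expected a Report PDU during discovery")
        self.discovered_engine_id = report.authoritative_engine_id
        # Step 2: only now can the localized key be derived.
        ku = password_to_ku(self.password, self.hash_name)
        self.localized_key = localize_key(ku, self.discovered_engine_id, self.hash_name)
        return self.discovered_engine_id

    def get(self, peer: AuthoritativeEngine, oid: str) -> UsmMessage:
        if self.discovered_engine_id is None:
            self.discover(peer)
        req = UsmMessage("get", self.discovered_engine_id, self.discovered_engine_id,
                         self.user_name, oid)
        return peer.handle(req)


if __name__ == "__main__":
    agent = AuthoritativeEngine(SAMPLE_ENGINE_ID)
    manager = NonAuthoritativeEngine("usr-md5", "maplesyrup")
    reply = manager.get(agent, "sysDescr.0")
    print("discovered engine ID:", manager.discovered_engine_id.hex())
    print("localized key (MD5): ", manager.localized_key.hex())
    print("reply:", reply.pdu_type, reply.payload, "| unknown-engine reports:", agent.unknown_engine_ids)
```

The first request from a manager that has not yet learned the engine ID always produces one Report and a bump of the unknown-engine-ID counter before the real request succeeds; on a real agent that counter is therefore a normal sight at startup, and only a sustained stream of such reports from one source is worth investigating. The MD5 password "maplesyrup" with the sample engine ID reproduces the Ku and Kul values listed in RFC 3414 Appendix A.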

VTScada has a single SNMP engine in every application and the corresponding EngineID is unique for every application + workstation combination. This engine serves the single SNMP Agent as well as all the SNMP driver tags running in the application. VTScada’s SNMP engine supports and services the USM authoritative engineID discovery mechanism.