Discussion:
SNMPv3 support question
Spiro Philopoulos
2001-10-22 02:42:30 UTC
I want my agent to be able to support SNMPv3 but I don't need any of its
security features (i.e. no authentication and no encryption. The reason
for this is another story). I assume I still have to use the 'engineID'
directive in snmpd.conf. Is this true? Also regarding access control for
v3, is rocommunity & rwcommunity that I use for v1 and v2c enough or do
I have to use rouser & rwuser and if yes how can I do that since without
any security I assume I do not use 'createUser' to have a username? Any
info would be greatly appreciated.
Thanks.
Ayers, Mike
2001-10-22 14:52:02 UTC
Sent: Sunday, October 21, 2001 09:41 PM
> I want my agent to be able to support SNMPv3 but I don't need any of its
> security features (i.e. no authentication and no encryption.

Your bad, but good judgement can't be forced.

> The reason for this is another story). I assume I still have to use the
> 'engineID' directive in snmpd.conf. Is this true?

Correct - the engineID is used even for insecure communication.

> Also regarding access control for v3, is rocommunity & rwcommunity that
> I use for v1 and v2c enough or do I have to use rouser & rwuser and if
> yes how can I do that since without any security I assume I do not use
> 'createUser' to have a username? Any

Wrong. SNMPv3 does not permit anonymous access - even insecure
communication must be *somebody's* insecure communication. You must create
a user who "has the key to the joint".

In the hopes that you might use security, I'll show you how to do
both setups:

<Insecure_snmpd.conf>

# rwuser defaults to a minimum level of "auth"; noauth is needed for -l noAuthNoPriv
rwuser spiro noauth
createUser spiro

</Insecure_snmpd.conf>


<Insecure_command>

$ snmpwalk -v3 -u spiro -l noAuthNoPriv spirosbox.umanitoba.ca .1.3

</Insecure_command>

<Secure_snmpd.conf>

rwuser spiro
createUser spiro MD5 authorizeMe DES goodPrivacy

</Secure_snmpd.conf>

<Secure_command>

$ snmpwalk -v3 -u spiro -A authorizeMe -X goodPrivacy -l authPriv spirosbox.umanitoba.ca .1.3

</Secure_command>


Notice how little extra work is needed to get security - this is a
feature of SNMPv3 (although I should point out that Wes, Dave, & co. have
done a lot of work to make it as easy to use as possible). Please consider
taking advantage of all this and protecting yourself and your organization
in the process.


/|/|ike
Wes Hardaker
2001-10-23 15:08:02 UTC
Post by Spiro Philopoulos
> I want my agent to be able to support SNMPv3 but I don't need any
> of its security features (i.e. no authentication and no encryption.
Mike> Your bad, but good judgement can't be forced.

There are places where authenticated requests may not be needed, such
as in a location where the request is going across a physically
separate, non-sniffable device (I've personally consulted on a project
that wanted to do just this and the bus in question was built into the
device so authentication over it wouldn't buy you much but a delay).
In 99% of the cases, however, authentication should be a minimum.
--
Wes Hardaker
NAI Labs
Network Associates
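
Added example (not part of the thread and not Net-SNMP code): a small Python audit that reads snmpd.conf text and reports which USM users can be reached without authentication or privacy, the difference between the two setups posted above. It assumes the snmpd.conf(5) grammar in which rouser/rwuser without an explicit level require "auth"; the users `ops` and `legacy` and the sample file are constructed.

```python
import shlex

LEVELS = ("noauth", "auth", "priv")  # ascending strength

# Constructed sample: spiro's lines follow the thread; ops and legacy are hypothetical.
SAMPLE = """\
createUser spiro
rwuser spiro noauth
createUser ops MD5 authorizeMe DES goodPrivacy
rwuser ops priv
createUser legacy   # no keys
rouser legacy       # no level given, so "auth" applies
"""

def audit(conf_text):
    """Return {user: [findings]} for the USM users named in snmpd.conf text."""
    keys, access = {}, {}  # user -> strongest usable level / (directive, required level)
    for raw in conf_text.splitlines():
        tok = shlex.split(raw, comments=True)
        if not tok:
            continue
        name, args = tok[0].lower(), tok[1:]
        if args[:1] in (["-e"], ["-s"]):  # skip "-e ENGINEID" / "-s SECMODEL"
            args = args[2:]
        if not args:
            continue
        if name == "createuser":
            n = len(args) - 1  # tokens after the user name
            keys[args[0]] = "priv" if n >= 3 else "auth" if n == 2 else "noauth"
        elif name in ("rouser", "rwuser"):
            level = args[1] if len(args) > 1 and args[1] in LEVELS else "auth"
            access[args[0]] = (name, level)
    report = {}
    for user in sorted(set(keys) | set(access)):
        have, found = keys.get(user), []
        if have is None:
            found.append("access rule but no createUser line in this file")
        elif have != "priv":
            found.append(f"keys allow at most {have}")
        if user in access:
            directive, need = access[user]
            if need == "noauth":
                found.append(f"{directive} accepts unauthenticated requests")
            if have and LEVELS.index(need) > LEVELS.index(have):
                found.append(f"{directive} demands {need} but keys only allow {have}")
        report[user] = found
    return report

if __name__ == "__main__":
    for user, found in audit(SAMPLE).items():
        print(user, found or "ok")
```

An empty finding list means the user has both keys and an access rule that requires at least the level those keys support.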