SNMPv3
The most striking new features are the getBulk operation, 64-bit counters, an enhanced SET command, and a unique ID number assigned to each SNMP engine. These features keep pace with advances in network technology and lift some limitations of the old protocol; for example, the 64-bit counter suits gigabit-speed networks. SNMPv3 also improves several protocol operations. When a manager queries a large amount of data held by an agent, the getBulk operation combines multiple GET and GetNext operations into a single packet, which reduces collisions during transmission. After a SET operation, SNMPv3 tests whether the SET succeeded, thereby ensuring its validity.
This latest SNMP version also improves the SNMP management framework itself, for example by adding the ability to change an SNMP agent's configuration parameters so that SNMP devices can be fully managed. Finally, SNMPv3 adds the snmpEngineID, which lets a single management device locate different contexts on other devices.
These new features let managers track the various relationships in a network topology, helping them identify and locate more complex network components from a management device. For example, in SNMPv3 each port of a switch can be defined as a logical bridge within the switch object.
Defects of the old versions
Earlier SNMP versions have many shortcomings. First, SNMP lacks an effective security module, which is the most basic functional requirement of any important network service. Second, although SNMP lets managers read and write MIB variables remotely with GET and SET operations, there is no standard way to manage the SNMP agent itself through SNMP, leaving the agent in an awkward, contradictory position.
There is another problem with SNMP: the network management platform must handle the MIB (management information base) extensions of hundreds of manufacturers one by one. Many MIB standards, such as MIB, MIB-II, RMON and RMON2, attempt to standardize common data types, but the management platform is still under great pressure to correctly interpret and set large amounts of device-related information.
SNMPv3 in depth
SNMPv3 has two goals: first, to preserve as much as possible of the SNMPv2* and SNMPv2u proposals of the SNMPv2 working group; second, to provide a scheme that effectively solves the security problems.
SNMPv3 improves the standard at many protocol levels, for example with an improved MIB and the introduction of the getBulk operation. SNMPv3 aims to make SNMP both modular and manageable.
1. SNMP security
Although SNMP is a powerful network management protocol, the weakest link of the old protocol is its security. Some parts of the protocol positively help determined attackers. Protocol analyzers are now in common use, and they let an attacker rely on SNMP to learn the details of a network's topology and configuration. More worrying still, if the community string is intercepted in transit while a SET operation is executed, management rights over the remote SNMP device can be taken over.
SNMPv3 not only encrypts the transmitted information but also lets the recipient verify the user's request, performs complex and detailed access control checks on every request, and uses digital signatures to ensure information integrity. It also lets managers choose different combinations of protection: no security checks at all, authentication only, or authentication with encryption. Additional access control rules can be added on the SNMP agent or on the management station.
Security checks at all these levels exceeded the hardware available ten years ago, but today's network management infrastructure has enough memory and CPU not only to meet SNMP's security requirements but also to support full-featured network management services.
Since the SNMPv3 specification requires standard components for authentication and access control, RFC 2274 and RFC 2275 (Internet drafts) recommend USM (User-based Security Model) and VACM (View-based Access Control Model) as the reference. This lets manufacturers support secure SNMP today while leaving the door open to future security standards (such as public-key systems), protecting their investment without locking in the current protocol.
2. USM (User-based Security Model)
USM, proposed in the SNMPv3 specification, provides a complete secure authentication and confidentiality framework for the network management system, replacing the practice of relying on a single text string to verify identity and of deriving access rights from a single SNMP query. USM adds the familiar username-and-password authentication method found in most network operating systems.
Unlike security services based on a network operating system, however, USM does not specify a central security server. It requires a list of usernames (with the correct keys) that is then distributed to every SNMP agent and management station on the network. This means the network administrator logs in to the management workstation with his username and password; every authenticated SNMP packet then carries that username and a credential (a key derived from the password), so that an individual SNMP agent can verify the user's identity and, at the same time, access control rules based on the username can be applied to individual MIB objects.
Note that USM only defines authentication and encryption; the access control rules live in a separate module, VACM. In USM the personal identity of the user performing any SNMP query is carried from initialization onward, so sensitive devices can keep an audit log that associates configuration changes with usernames. Although this is a common function in many network operating systems, there was no way to establish a valid audit trail in earlier SNMP protocols.
After a successful login, USM can encrypt the information to be transmitted using the DES standard. This encrypted packet guarantees the user's identity. SNMPv3 also defines a dedicated time-synchronization security protocol.
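The two USM points above (a key derived from the user's password and distributed to every agent, and the per-engine snmpEngineID introduced earlier) meet in USM key localization. The following example is added here and is not code from the article: it implements the password-to-key and key-localization steps of RFC 3414 (the successor to the RFC 2274 cited above) using only the standard library, checks them against the "maplesyrup" test vector published in RFC 3414 Appendix A, and uses a constructed second engine ID to show that one password yields a different key on every agent.

```python
import hashlib

# RFC 3414 A.2 fixes the password expansion length at 1 MiB.
EXPANSION_LEN = 1_048_576


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """Derive the user key Ku from a password (RFC 3414 A.2.1 / A.2.2).

    The password is repeated cyclically until 1,048,576 bytes have been
    produced and that whole stream is hashed. The deliberately large input
    makes offline guessing of the shared password slower.
    """
    if not password:
        raise ValueError("USM password must not be empty")
    reps = EXPANSION_LEN // len(password) + 1
    expanded = (password * reps)[:EXPANSION_LEN]
    return hashlib.new(hash_name, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Localize Ku to one agent: Kul = H(Ku || snmpEngineID || Ku).

    Mixing in the agent's snmpEngineID gives every agent a distinct key, so a
    key recovered from one agent does not authenticate the user to another.
    """
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key_for(password: bytes, engine_id: bytes,
                      hash_name: str = "md5") -> bytes:
    """Convenience wrapper: password -> Ku -> Kul for a given engine."""
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


# Test vector from RFC 3414 Appendix A.3: password "maplesyrup",
# snmpEngineID 00 00 00 00 00 00 00 00 00 00 00 02.
RFC3414_PASSWORD = b"maplesyrup"
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")

# Constructed engine ID for a second, hypothetical agent (not from any RFC).
OTHER_ENGINE_ID = bytes.fromhex("800000020109840301")

if __name__ == "__main__":
    ku = password_to_key(RFC3414_PASSWORD)
    kul = localize_key(ku, RFC3414_ENGINE_ID)
    print("Ku  (MD5):", ku.hex())
    print("Kul (MD5):", kul.hex())
    other = localized_key_for(RFC3414_PASSWORD, OTHER_ENGINE_ID)
    print("Kul on another engine:", other.hex(), "differs:", other != kul)
```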
The future of the new standard
The SNMPv3 standard paints an attractive blueprint for next-generation network management; it has become a proposed standard in the IETF and enjoys strong support from network equipment manufacturers. Many agent and management station software prototypes supporting SNMPv3 appeared at last year's network product exhibitions. SNMP Research demonstrated an SNMPv3 engine that can be embedded as a plug-in in HP's Network Node Manager 5.0. In addition, many SNMPv3 agent development kits and security-policy-based management station prototypes were also on show. Manufacturers such as BMC, Cisco, HP, Liebert and Tivoli also showed their latest SNMPv3-based product prototypes.