Available Versions
- SNMPv1: Version 1 of SNMP extends the capabilities of the protocol to address administration and security issues. With this version, a plain-text password is shared between a manager and an agent. SNMPv1 commands are simple request-and-response protocol commands (Get, Set, Trap). NOTE: This version offers minimal security among users with access to the same network.
- SNMPv3: In terms of operations, SNMPv3 is functionally quite similar to SNMPv1. SNMPv3 does, however, offer enhanced security for a network that is accessed by multiple users through authentication and privacy controls. SNMPv3 re-brands the managers or agents in SNMPv1 as entities. Each entity in SNMPv3 is composed of an SNMP engine and at least one SNMP application. Such distinctions enable the protocol to implement security according to the relationships between these entities in a modular architecture. In addition, SNMPv3 facilitates the configuration of remote SNMP agents because each SNMP entity has a unique identifier (engineID) that corresponds to requests from a specific remote SNMP engine.
Security Level Summary
- standard mode: Supports SNMPv1 and SNMPv3. In this mode, SNMPv3 uses NoAuthNoPriv; there is no authentication and no encryption for packets sent between the network management station and the SNMP manager.
- secure mode: Supports SNMPv3 in secure mode to enhance authentication and integrity (AuthNoPriv), and authentication, integrity, and confidentiality (AuthPriv).
SNMPv3 and HMAC
SNMPv3 authentication uses the Hash Message Authentication Code (HMAC) to authenticate each critical message by implementing a challenge-reply model.
Think of HMAC as a cryptographic checksum over the SNMP message that is combined with a secret key (derived from the user password). The HMAC and user name are transmitted within the packet. The device verifies the integrity and originator of the message by calculating a checksum over the received message with the secret key from its local user database. If the calculated HMAC and the one in the packet match, access is granted.
The Hashed Message Authentication Code (HMAC) security algorithm is used to sign security messages to confirm that they were not tampered with. HMAC SHA-256 algorithms are more secure than HMAC SHA-1 algorithms, but they require more RTU processing. Algorithms with more bytes are more secure, but create longer messages that require more bandwidth for critical messages.
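The key derivation and tag check described above, as an added example (not code from the original page or its vendor): the user password is turned into a key, that key is localized to one engineID as in RFC 3414 Appendix A.2.2, and the device-side check recomputes HMAC-SHA1-96 over the received message and compares it in constant time. The engineID values and the message bytes are constructed for the demonstration; the message stands in for the encoded SNMPv3 packet with its msgAuthenticationParameters field zeroed.

```python
import hashlib
import hmac

AUTH_PARAMS_LEN = 12  # HMAC-SHA1-96: the tag carried in the packet is 96 bits (12 bytes)
STRETCH_LEN = 1048576  # RFC 3414 A.2: the password is repeated to 1 MiB before hashing


def password_to_key(password: str, engine_id: bytes) -> bytes:
    """Derive the localized authentication key for one SNMP engine.

    Ku  = SHA1(password repeated to 1 MiB)          (same for every agent)
    Kul = SHA1(Ku || engineID || Ku)                 (unique per agent)
    Localization means a key lifted from one agent does not work on another
    agent that shares the same user password.
    """
    pw = password.encode()
    if len(pw) < 8:  # RFC 3414 requires passwords of at least 8 characters
        raise ValueError("password must be at least 8 characters")
    reps, rem = divmod(STRETCH_LEN, len(pw))
    ku = hashlib.sha1(pw * reps + pw[:rem]).digest()
    return hashlib.sha1(ku + engine_id + ku).digest()


def authenticate(key: bytes, msg_with_zeroed_params: bytes) -> bytes:
    """Sender side: HMAC-SHA1 over the whole message, truncated to 12 bytes."""
    return hmac.new(key, msg_with_zeroed_params, hashlib.sha1).digest()[:AUTH_PARAMS_LEN]


def verify(key: bytes, msg_with_zeroed_params: bytes, received_tag: bytes) -> bool:
    """Receiver side: recompute the tag with the key from the local user
    database and compare it in constant time; any mismatch rejects the message."""
    if len(received_tag) != AUTH_PARAMS_LEN:
        return False
    return hmac.compare_digest(authenticate(key, msg_with_zeroed_params), received_tag)


if __name__ == "__main__":
    # Constructed engineIDs and message for demonstration only.
    engine_a = bytes.fromhex("800000020102030405")
    engine_b = bytes.fromhex("800000020102030406")
    key_a = password_to_key("maplesyrup", engine_a)
    msg = b"constructed SNMPv3 message with zeroed msgAuthenticationParameters"
    tag = authenticate(key_a, msg)
    print("tag:", tag.hex())
    print("valid on engine A:", verify(key_a, msg, tag))
    print("valid on engine B:", verify(password_to_key("maplesyrup", engine_b), msg, tag))
    print("tampered message:", verify(key_a, msg + b"!", tag))
```

RFC 3414 Appendix A.3 publishes test vectors for the password "maplesyrup" that can be used to check `password_to_key` against a reference implementation.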
SNMPv3 and USM
SNMPv3 supports the user-based security model (USM) to create and associate authorized users with a specific SNMPv3 agent to enhance the authentication of users and the privacy and integrity of messages.
SNMPv3 Encryption Libraries
- encryption: CFB128-AES-128 (RFC 3826)
- authentication: HMAC-SHA1-96 (RFC 2104)