
SNMP Versions and Security

MIB data are encoded for transmission using the Basic Encoding Rules (BER) of ASN.1, defined in the international standard ISO/IEC 8825-1 (ITU-T X.690). BER is a compact tag-length-value representation of data and data types on the wire. For consistency, BER is also used to encode the SNMP messages themselves, with the added advantage that the messages can be specified using the ASN.1 text notation.

SNMP messages are built from an SNMP header and an SNMP protocol data unit (PDU). The header is quite short: in SNMPv1 and community-based SNMPv2 it contains only the protocol version number and a community string, a plaintext name that the agent uses to decide what access the sender is allowed. The PDU carries the request type, a request identifier, the error status and error index, and the list of variable bindings (object identifiers paired with their values).

There are three versions of SNMP. The original version of SNMP was produced at the end of the 1980s. SNMPv1 turned out to be too simple in many respects, not having sufficiently powerful requests and using the limited SMIv1 to build its PDUs. After several abortive attempts, the IETF produced SNMPv2 and documented it in RFC 1901 as an experimental protocol. At the same time, work began on SMIv2, which was finally documented as RFC 2578, and SNMPv2 messages may carry only PDUs built using SMIv2.

SNMPv1 and SNMPv2 have serious security problems. Their only access control is the community string, which is sent in cleartext in every message and is commonly left at a vendor default such as "public" or "private"; anyone who can capture one packet, or guess the string, can use it. Even on a network in which the data exchange itself is secured (e.g., by using the facilities of IPsec), these versions provide no control over who on the secured network is allowed to perform SNMP operations and access the objects in a MIB module. That is, any user on the network who can exchange UDP packets with the managed device and knows the community string can examine and, with a read-write community, modify the MIB objects. This is clearly undesirable, so SNMPv3 adds an application-level User-based Security Model (USM) that authenticates each individual user with a keyed hash (HMAC) and can optionally encrypt the PDU, together with a View-based Access Control Model (VACM) that limits each user to the parts of the MIB they are permitted to reach. SNMPv3 differs from SNMPv2 in the message header only: the PDUs are the same, and both use SMIv2.
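As an added example (not code from the original page), the following Python puts the preceding three paragraphs together: it BER-encodes an SNMPv1 GetRequest for sysDescr.0 as a header plus PDU, decodes it again, and makes the security point concrete, since the community string sits in the clear inside the header of every datagram. It supports only the BER types an SNMP GET round-trip needs; the sample request and response, the community string "public" and the value "Linux router" are constructed for illustration.

```python
"""Minimal BER encoder/decoder for SNMPv1 messages (added example, not from the
page). Supports only SNMPv1 (version 0) and the types a GET round-trip needs:
INTEGER, OCTET STRING, NULL, OBJECT IDENTIFIER, SEQUENCE, two PDU tags. No I/O."""

# Universal BER tags (ISO/IEC 8825-1 / X.690) and SNMPv1 PDU tags (RFC 1157).
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2

def _length(n):
    """BER length octets: one byte below 128, else 0x80|N followed by N bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """One tag-length-value triple, the unit every BER object is built from."""
    return bytes([tag]) + _length(len(content)) + content

def enc_int(v):
    """INTEGER in the shortest two's-complement form (X.690 8.3)."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(INTEGER, v.to_bytes(n, "big", signed=True))

def enc_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:            # continuation bit on every byte but the last
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))

def enc_value(v):
    """Varbind value: None -> NULL, int -> INTEGER, bytes -> OCTET STRING."""
    if v is None:
        return tlv(NULL, b"")
    return enc_int(v) if isinstance(v, int) else tlv(OCTET_STRING, v)

def encode_message(community, pdu_tag, request_id, varbinds, status=0, index=0):
    """SNMPv1 Message ::= SEQUENCE { version(0), community, PDU }."""
    vbl = b"".join(tlv(SEQUENCE, enc_oid(o) + enc_value(v)) for o, v in varbinds)
    pdu = tlv(pdu_tag, enc_int(request_id) + enc_int(status) + enc_int(index)
              + tlv(SEQUENCE, vbl))
    return tlv(SEQUENCE, enc_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)

def _items(buf):
    """Yield (tag, content) for each consecutive TLV in buf."""
    pos = 0
    while pos < len(buf):
        tag, first, pos = buf[pos], buf[pos + 1], pos + 2
        if first & 0x80:                       # long-form length
            length = int.from_bytes(buf[pos:pos + (first & 0x7F)], "big")
            pos += first & 0x7F
        else:
            length = first
        yield tag, buf[pos:pos + length]
        pos += length

def _dec_oid(content):
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def _dec_value(tag, content):
    if tag == INTEGER:
        return int.from_bytes(content, "big", signed=True)
    if tag == OID:
        return _dec_oid(content)
    return None if tag == NULL else content    # OCTET STRING (and unknowns) raw

def decode_message(data):
    """Header (version, community) plus PDU fields; the community is readable as-is."""
    (tag, msg), = _items(data)
    assert tag == SEQUENCE, "SNMP message must be a SEQUENCE"
    (_, ver), (_, comm), (pdu_tag, pdu) = _items(msg)
    (_, rid), (_, status), (_, index), (_, vbl) = _items(pdu)
    varbinds = []
    for _, vb in _items(vbl):
        (_, oid), (vtag, val) = _items(vb)
        varbinds.append((_dec_oid(oid), _dec_value(vtag, val)))
    return {"version": _dec_value(INTEGER, ver), "community": comm.decode(),
            "pdu_tag": pdu_tag, "request_id": _dec_value(INTEGER, rid),
            "error_status": _dec_value(INTEGER, status),
            "error_index": _dec_value(INTEGER, index), "varbinds": varbinds}

# Constructed sample exchange: GET sysDescr.0 using the default community "public".
SYS_DESCR = "1.3.6.1.2.1.1.1.0"
REQUEST = encode_message("public", GET_REQUEST, 1, [(SYS_DESCR, None)])
RESPONSE = encode_message("public", GET_RESPONSE, 1, [(SYS_DESCR, b"Linux router")])
```

`REQUEST.hex()` starts `3026 020100 0406 7075626c6963 a019 ...`: the outer SEQUENCE, the version INTEGER, then the OCTET STRING "public" before the GetRequest PDU (tag 0xA0). Searching any captured SNMPv1/v2c datagram for that OCTET STRING is all an attacker on the path needs to do to recover the community; `decode_message(REQUEST)["community"]` does exactly that.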

The IETF strongly recommends that SNMPv1 and SNMPv2 no longer be deployed and that SNMPv3 be used instead. Further, it recommends that cryptographic authentication be implemented and enabled, so that the network operator, rather than the network topology, controls who may legitimately access the management information on each device. In practice this means running SNMPv3 users at the authNoPriv level at a minimum and at authPriv where the management data are sensitive; an SNMPv3 user configured as noAuthNoPriv offers no more protection than a community string. Where the implementation allows, prefer the SHA-based authentication protocols and AES privacy over the original HMAC-MD5-96 and CBC-DES.
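To show what "cryptographic authentication" means in SNMPv3 terms, here is an added example (not from the original page) of the User-based Security Model key handling from RFC 3414: the user's password is stretched into a key, localized to one engine's ID, and used in a truncated HMAC over the message with the authentication field zero-filled. The engine IDs and the header and PDU fragments are constructed placeholders; the expected key values for the password "maplesyrup" are the RFC 3414 Appendix A.3 test vectors.

```python
"""SNMPv3 USM authentication building blocks (added example, not from the page).
Implements the RFC 3414 password-to-key algorithm (Appendix A.2), localization of
the key to one engine, and the 96-bit truncated HMAC of HMAC-MD5-96 / HMAC-SHA-96.
The engine IDs and message fragments below are constructed for illustration."""
import hashlib
import hmac

AUTH_PARAM_LEN = 12                       # both HMAC-MD5-96 and HMAC-SHA-96 send 96 bits
RFC3414_ENGINE_ID = bytes(11) + b"\x02"   # engine ID used by RFC 3414 Appendix A.3

def password_to_key(password, algo="md5"):
    """Ku: digest of the password repeated cyclically out to exactly 2**20 bytes."""
    pw = password.encode()
    stream = (pw * (2 ** 20 // len(pw) + 1))[:2 ** 20]
    return hashlib.new(algo, stream).digest()

def localize_key(ku, engine_id, algo="md5"):
    """Kul = H(Ku || snmpEngineID || Ku). One password gives a different key on
    every engine, so a key extracted from one device does not work on another."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def auth_param(kul, whole_msg_zeroed, algo="md5"):
    """msgAuthenticationParameters: HMAC over the whole message, truncated."""
    return hmac.new(kul, whole_msg_zeroed, algo).digest()[:AUTH_PARAM_LEN]

def sign(kul, before, after, algo="md5"):
    """Sender: HMAC the message with the 12-octet field zero-filled, then place
    the result into that field (RFC 3414 section 6.3.1)."""
    zeroed = before + bytes(AUTH_PARAM_LEN) + after
    return before + auth_param(kul, zeroed, algo) + after

def verify(kul, message, offset, algo="md5"):
    """Receiver: lift the 12 octets out, zero them, recompute, compare in constant
    time. A wrong password, a wrong engine or a modified byte all fail here."""
    received = message[offset:offset + AUTH_PARAM_LEN]
    zeroed = message[:offset] + bytes(AUTH_PARAM_LEN) + message[offset + AUTH_PARAM_LEN:]
    return hmac.compare_digest(received, auth_param(kul, zeroed, algo))

# Constructed placeholders for the bytes around the authentication field: everything
# before it (msgVersion, msgGlobalData, USM parameters up to and including the
# OCTET STRING tag/length of the field itself) and everything after it.
BEFORE = b"\x30\x81\x00<msgGlobalData|engineID|boots|time|user>\x04\x0c"
AFTER = b"<privParams><scopedPDU>"
```

The important design point is in `localize_key`: because the key is bound to the engine ID, an operator can hand out one password per user yet every device authenticates with a different key, which is what lets access be managed per device as the recommendation above asks. Note also that neither side ever sends the key; only the truncated HMAC crosses the network.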
