SNMPv3 Support

SNMPv3 requires a unique snmpEngineID for each SNMP engine. Every SNMP engine, whether it acts as a manager or as an agent, must have its own engineID, because the User-based Security Model (USM) localizes each user's authentication and privacy keys to the engineID of the engine they are used with; two agents that share an engineID therefore also share keys. SNMPv3 is defined by RFC 3411 through RFC 3418 (STD 62); RFC 3414 specifies USM and RFC 3418 the SNMP MIB. See the IETF website (http://www.ietf.org/rfc.html) for more information.
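The following Python script is an added example, not CA Spectrum code. It decodes the RFC 3411 SnmpEngineID layout (enterprise number, format octet, format-specific body) and checks a device inventory for engineIDs that more than one device reports, which is the uniqueness requirement above in practice; cloned virtual machine images that carry a persisted Net-SNMP engineID are the usual cause of such duplicates. The device names and engineID values are constructed for the example.

```python
# Added example, not CA Spectrum code: decode RFC 3411 SnmpEngineID values
# and flag engineIDs that more than one device reports. Device names and
# engineIDs below are constructed for the example.
import ipaddress
from dataclasses import dataclass

# RFC 3411 section 5: meaning of the fifth octet when the high bit of octet 1 is set
FORMAT_NAMES = {1: "ipv4", 2: "ipv6", 3: "mac", 4: "text", 5: "octets"}
FIXED_LENGTHS = {"ipv4": 4, "ipv6": 16, "mac": 6}


@dataclass
class EngineID:
    enterprise: int   # IANA private enterprise number of the engine's vendor
    fmt: str          # ipv4, ipv6, mac, text, octets, enterprise-specific or legacy
    body: bytes       # the vendor/format-specific remainder


def parse_engine_id(hexstr: str) -> EngineID:
    """Decode an snmpEngineID given as hex (the form agents and snmpwalk display it in)."""
    raw = bytes.fromhex(hexstr.replace(":", "").replace(" ", ""))
    if not 5 <= len(raw) <= 32:
        raise ValueError(f"engineID is {len(raw)} octets; RFC 3411 allows 5..32")
    if raw[0] & 0x80 == 0:
        # High bit clear: RFC 1910 layout, always 12 octets, enterprise then 8 vendor octets
        if len(raw) != 12:
            raise ValueError("legacy-format engineID must be exactly 12 octets")
        return EngineID(int.from_bytes(raw[:4], "big"), "legacy", raw[4:])
    enterprise = int.from_bytes(raw[:4], "big") & 0x7FFFFFFF
    code, body = raw[4], raw[5:]
    if code in FORMAT_NAMES:
        fmt = FORMAT_NAMES[code]
        want = FIXED_LENGTHS.get(fmt)
        if want is not None and len(body) != want:
            raise ValueError(f"{fmt} engineID needs {want} body octets, got {len(body)}")
        if want is None and len(body) > 27:
            raise ValueError(f"{fmt} body exceeds 27 octets")
    elif code >= 128:
        fmt = "enterprise-specific"
    else:
        raise ValueError(f"reserved engineID format code {code}")
    return EngineID(enterprise, fmt, body)


def describe(e: EngineID) -> str:
    """Human-readable rendering of the format-specific body."""
    if e.fmt == "ipv4":
        return str(ipaddress.IPv4Address(e.body))
    if e.fmt == "ipv6":
        return str(ipaddress.IPv6Address(e.body))
    if e.fmt == "mac":
        return ":".join(f"{b:02x}" for b in e.body)
    if e.fmt == "text":
        return e.body.decode("ascii", errors="replace")
    return e.body.hex()


def find_duplicate_engine_ids(inventory: dict) -> dict:
    """Return {engineID hex: [devices]} for every engineID shared by two or more devices."""
    by_id = {}
    for device, eid in inventory.items():
        by_id.setdefault(bytes.fromhex(eid).hex(), []).append(device)
    return {eid: devs for eid, devs in by_id.items() if len(devs) > 1}


# Constructed inventory: two MAC-format engineIDs under enterprise 9, one IPv4-format
# engineID under enterprise 2, and two enterprise-specific engineIDs under enterprise 8072
# (Net-SNMP) where linux2 was cloned from linux1's disk image and kept its engineID.
SAMPLE_INVENTORY = {
    "core-sw1": "8000000903aabbccddeeff",
    "core-sw2": "8000000903aabbccddee01",
    "edge-rtr1": "8000000201c0a80101",
    "linux1": "80001f888051e4a9b7c2d3f001",
    "linux2": "80001f888051e4a9b7c2d3f001",
}

if __name__ == "__main__":
    for device, eid in SAMPLE_INVENTORY.items():
        e = parse_engine_id(eid)
        print(f"{device:10} enterprise={e.enterprise:<6} {e.fmt:20} {describe(e)}")
    for eid, devices in find_duplicate_engine_ids(SAMPLE_INVENTORY).items():
        print(f"DUPLICATE engineID {eid} on {', '.join(devices)}")
```

Run against real data by replacing SAMPLE_INVENTORY with the engineIDs collected from each agent (for example from snmpEngineID in SNMP-FRAMEWORK-MIB); any duplicate reported must be fixed on the device before its SNMPv3 profile is trusted, because the localized keys for both devices are identical.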
SNMPv3 support includes the following:
  • Authentication
  • Privacy
  • 64-Bit Counters
CA Spectrum models and concurrently manages devices that support SNMPv1, SNMPv2c, and SNMPv3.
Secure Domain option in the SNMP v3 profile creation
CA Spectrum 10.3.1 introduces a Secure Domain option in the SNMP v3 profile creation dialog. Restricting a v3 profile to the Secure Domain Connector (SDC) specified in the Secure Domain option keeps the profile's credentials within that domain and prevents users from viewing device profiles that belong to other users. Specify the IP address and configure the secure domain for the devices. For more information about SNMPv3 profiles, refer to the SNMP v3 Profiles Dialog page.
SNMPv3 Authentication
Starting from 10.3, CA Spectrum allows '/' and ':' in the snmpv3 username, authentication password and privacy passwords.
SNMPv3 provides three security levels: non-authenticated (noAuthNoPriv), authenticated (authNoPriv), and authenticated with privacy (authPriv). Authentication in SNMPv3 does not encrypt the message. It uses a keyed hash (HMAC) computed over the whole message with a key derived from the authentication password, so that the receiver can determine that the message came from a valid source and was not modified in transit.
CA Spectrum supports the SNMPv3 standard for the authentication of messages. You specify an authentication password for a device model when you create it.
When an SNMP packet is converted to SNMPv3, security parameters are added to the SNMPv3 packet that is sent to the device. The SNMPv3 agent on the device checks the authenticity of the message to verify that the packet came from an authorized source.
SNMPv3 data sent from the device to CA Spectrum carries the same security parameters. CA Spectrum receives the packet and verifies its authenticity.
CA Spectrum supports the following authentication protocols (the hash function used inside the HMAC):
  • MD5 (Message Digest Algorithm): HMAC-MD5-96, built on the 128-bit (16 byte) MD5 digest; the value carried in the packet is truncated to 96 bits. This protocol is the default. You can model a device configured to use MD5 using 'Authentication with no Privacy' or 'Authentication with Privacy.'
  • SHA (Secure Hash Algorithm): HMAC-SHA-96, built on the 160-bit (20 byte) SHA-1 digest, also truncated to 96 bits. SHA is the stronger choice where the device agent supports it.
Enable SNMPv3 Privacy
Privacy in SNMPv3 uses an encryption algorithm to encode the contents of an SNMPv3 packet so that it cannot be read by unauthorized entities while it is in transit across the network. Only the scoped PDU (the context and the variable bindings) is encrypted; the message header, including the security user name and the engineID, remains in clear text.
CA Spectrum supports the SNMPv3 standard for the encryption of messages. You specify a privacy password for a device model when you create it.
If configured properly, CA Spectrum uses a key derived from the privacy password to encrypt the message before it goes out onto the network. The destination device decrypts the data when it receives it. The return data sent from the device to CA Spectrum is also encrypted.
CA Spectrum supports the following encryption algorithms for privacy:
  • DES: Data Encryption Standard in CBC mode (CBC-DES, RFC 3414), a 64-bit block cipher with an effective 56-bit key. It is the weakest option and should be used only where the device supports nothing stronger.
  • 3DES: Triple DES, which applies DES three times with a 168-bit key (three 56-bit keys). 3DES for USM is defined in an IETF draft rather than an RFC, so support depends on the device vendor.
  • AES: Advanced Encryption Standard with a 128-bit key (CFB128-AES-128, RFC 3826).
  • AES256: AES with a 256-bit key. Like 3DES, AES-256 for USM is not defined by RFC 3414 or RFC 3826; the localized key must be extended by a vendor key-extension algorithm to the required length, so verify that the device agent derives the key the same way before selecting it.
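The following Python script is an added example, not CA Spectrum code. It implements the RFC 3414 key derivation that turns the authentication and privacy passwords entered in a profile into per-device keys, computes and verifies the HMAC-96 value carried in msgAuthenticationParameters, and shows which of the privacy algorithms above can take their key directly from the localized key, which is the reason behind the 3DES and AES256 caveat. The password and first engineID are the test vector from RFC 3414 Appendix A.3; the message bytes and the second engineID are constructed.

```python
# Added example, not CA Spectrum code: the RFC 3414 USM key derivation behind the
# authentication and privacy passwords, with the HMAC-96 check an agent performs.
# The engineID/password pair is the RFC 3414 Appendix A.3 test vector; the message
# bytes and the second engineID are constructed for the example.
import hashlib
import hmac

HASH_FOR_PROTO = {"MD5": "md5", "SHA": "sha1"}   # HMAC-MD5-96 and HMAC-SHA-96
PRIV_KEY_OCTETS = {"DES": 8, "3DES": 24, "AES": 16, "AES256": 32}


def password_to_ku(password: bytes, auth_proto: str) -> bytes:
    """RFC 3414 A.2: hash 1,048,576 octets of the password repeated end to end.
    The deliberately large input slows offline guessing of the password."""
    if len(password) < 8:
        raise ValueError("RFC 3414 calls for passwords of at least 8 octets; most agents enforce it")
    stream = (password * (1048576 // len(password) + 1))[:1048576]
    return hashlib.new(HASH_FOR_PROTO[auth_proto], stream).digest()


def localize_key(ku: bytes, engine_id: bytes, auth_proto: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku). Each agent gets a different key
    from the same password, so a key recovered from one agent does not work on another."""
    return hashlib.new(HASH_FOR_PROTO[auth_proto], ku + engine_id + ku).digest()


def derive_localized_key(password: bytes, engine_id: bytes, auth_proto: str) -> bytes:
    return localize_key(password_to_ku(password, auth_proto), engine_id, auth_proto)


def auth_parameters(kul: bytes, whole_msg: bytes, auth_proto: str) -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message (with the parameter
    field zero-filled, which is the form whole_msg is expected in), truncated to 12 octets."""
    return hmac.new(kul, whole_msg, HASH_FOR_PROTO[auth_proto]).digest()[:12]


def verify_auth(kul: bytes, whole_msg: bytes, received: bytes, auth_proto: str) -> bool:
    """Receiver-side check; constant-time comparison avoids a timing oracle on the tag."""
    return hmac.compare_digest(auth_parameters(kul, whole_msg, auth_proto), received)


def priv_key(localized_priv_key: bytes, priv_proto: str) -> bytes:
    """Cipher key taken from the localized privacy key (RFC 3414 8.1.1.1, RFC 3826 3.1.2.1).
    DES uses the first 8 octets (the last 8 of the first 16 seed the IV); AES-128 the first 16.
    3DES and AES-256 need more octets than MD5 (16) or SHA-1 (20) localization yields, which
    is why those modes depend on vendor key-extension algorithms outside the RFCs."""
    need = PRIV_KEY_OCTETS[priv_proto]
    if len(localized_priv_key) < need:
        raise ValueError(
            f"{priv_proto} needs {need} key octets; localized key is only "
            f"{len(localized_priv_key)} (non-standard key extension required)")
    return localized_priv_key[:need]


# RFC 3414 A.3 test vector
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
RFC_PASSWORD = b"maplesyrup"
# Constructed: a second agent's engineID and a short stand-in for a message
OTHER_ENGINE_ID = bytes.fromhex("80001f888051e4a9b7c2d3f001")
SAMPLE_MSG = b"\x30\x20\x02\x01\x03constructed-msg-bytes-for-the-example"

if __name__ == "__main__":
    for proto in ("MD5", "SHA"):
        kul = derive_localized_key(RFC_PASSWORD, RFC_ENGINE_ID, proto)
        print(proto, "localized key:", kul.hex())
        tag = auth_parameters(kul, SAMPLE_MSG, proto)
        print(proto, "HMAC-96:", tag.hex(), "verifies:", verify_auth(kul, SAMPLE_MSG, tag, proto))
    kul_other = derive_localized_key(RFC_PASSWORD, OTHER_ENGINE_ID, "SHA")
    print("same password, other engineID, different key:", kul_other.hex())
    print("AES-128 key from SHA-localized key:", priv_key(kul_other, "AES").hex())
    try:
        priv_key(kul_other, "AES256")
    except ValueError as err:
        print("AES256:", err)
```

The localized keys for the RFC test vector are 526f5eed9fcce26f8964c2930787d82b (MD5) and 6695febc9288e36282235fc7151f128497b38f3f (SHA), which is a quick way to confirm that another implementation derives keys the same way before troubleshooting an authentication failure against a device.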
Follow these steps:
  1. In the Topology tab of the Contents panel, click the Creates a new model by IP icon.
    The Create Model by IP Address dialog opens.
  2. Complete the fields as appropriate.
    • Network Address
      Specifies the IPv4 or IPv6 address for the device you want to model.
    • DCM Timeout (ms)
      Specifies how long the DCM waits for a response before it retries (in milliseconds).
      Default:
      3000 milliseconds (3 seconds)
    • DCM Retry Count
      Specifies the number of times that the DCM attempts to send a request to a device that is not responding.
    • Agent Port
      Specifies the SNMP agent port.
      Default:
      161
  3. Select the SNMP v3 option in the SNMP Communications Options section.
    The SNMP Community String field becomes disabled.
  4. Click Profiles to create a new SNMPv3 security profile.
    The Edit SNMP v3 Profiles dialog opens.
The Edit SNMP v3 Profiles dialog is also accessible by clicking Profiles in the Configuration tab in the Discovery Console. For more information, refer to Edit SNMPv3 Profiles dialog.
64-Bit Counters
The SNMPv2 PDU format that SNMPv3 carries supports the Counter64 data type, so 64-bit counters are available from SNMPv2c and SNMPv3 agents. CA Spectrum can access 64-bit counter MIB variables for all SNMPv3 devices that comply with this standard. Use them in preference to 32-bit counters on high-speed interfaces, where a 32-bit octet counter can wrap more than once between polls.
SNMPv3 Support Issues
The following are some issues related to SNMPv3 support.
  • get-bulk Command
    CA Spectrum support of SNMPv3 does not include the get-bulk command.
  • View-based Access Control Model (VACM)
    CA Spectrum works with agents that enforce the VACM features of SNMPv3, but restricting the view granted to the CA Spectrum user is not recommended. CA Spectrum has its own features for secure access to devices, and a view that omits MIB objects CA Spectrum polls leaves those objects unmanaged. Give CA Spectrum full view access to all device MIBs for effective monitoring and management performance.
  • Performance and Capacity
    High processing resources are required for CA Spectrum to manage SNMPv3 devices effectively. The Authentication and Privacy features consume additional overhead because each message must be authenticated and decrypted. This reduces the number of device models that can be managed.
  • SNMPv3 Security User Names on
    You cannot use the same user name more than once for the three levels of SNMPv3 (non-authenticated, authenticated, and authenticated with privacy). For example, if you are using the user name “user1” for SNMPv3 level 1 non-authenticated, you cannot use that same user name for SNMPv3 level 2 authenticated or for SNMPv3 level 3 authenticated with privacy.