Simple Network Management Protocol (SNMP) is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behaviour. Devices that typically support SNMP include cable modems, routers, switches, servers, workstations, printers, and more.
SNMP is widely used in network management for network monitoring. SNMP exposes management data in the form of variables on the managed systems, organized in a management information base (MIB), which describe the system status and configuration. These variables can then be remotely queried (and, in some circumstances, manipulated) by managing applications.
Three significant versions of SNMP have been developed and deployed. SNMPv1 is the original version of the protocol. More recent versions, SNMPv2c and SNMPv3, feature improvements in performance, flexibility and security.
SNMP is a component of the Internet Protocol Suite as defined by the Internet Engineering Task Force (IETF). It consists of a set of standards for network management, including an application layer protocol, a database schema, and a set of data objects.
Overview and basic concepts
In typical uses of SNMP, one or more administrative computers called ''managers'' have the task of monitoring or managing a group of hosts or devices on a computer network. Each managed system executes a software component called an ''agent'' which reports information via SNMP to the manager.
An SNMP-managed network consists of three key components:
*Managed devices
*Agent software which runs on managed devices
*Network management station (NMS) software which runs on the manager
A ''managed device'' is a network node that implements an SNMP interface that allows unidirectional (read-only) or bidirectional (read and write) access to node-specific information. Managed devices exchange node-specific information with the NMSs. Sometimes called network elements, the managed devices can be any type of device, including, but not limited to, routers, access servers, switches, cable modems, bridges, hubs, IP telephones, IP video cameras, computer hosts, and printers.
An ''agent'' is a network-management software module that resides on a managed device. An agent has local knowledge of management information and translates that information to or from an SNMP-specific form.
A ''network management station'' executes applications that monitor and control managed devices. NMSs provide the bulk of the processing and memory resources required for network management. One or more NMSs may exist on any managed network.
Management information base
SNMP agents expose management data on the managed systems as variables. The protocol also permits active management tasks, such as configuration changes, through remote modification of these variables. The variables accessible via SNMP are organized in hierarchies. SNMP itself does not define which variables a managed system should offer. Rather, SNMP uses an extensible design that allows applications to define their own hierarchies. These hierarchies are described as a management information base (MIB). MIBs describe the structure of the management data of a device subsystem; they use a hierarchical namespace containing object identifiers (OIDs). Each OID identifies a variable that can be read or set via SNMP. MIBs use the notation defined by Structure of Management Information Version 2.0 (SMIv2, ), a subset of ASN.1.
Protocol details
SNMP operates in the application layer of the Internet protocol suite. SNMP messages are normally transported via the User Datagram Protocol (UDP). The SNMP agent receives requests on UDP port 161. The manager may send requests from any available source port to port 161 on the agent. The agent response is sent back to the source port on the manager. The manager receives notifications (''Traps'' and ''InformRequests'') on port 162. The agent may generate notifications from any available port. When used with Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS), requests are received on port 10161 and notifications are sent to port 10162.
SNMPv1 specifies five core protocol data units (PDUs). Two other PDUs, ''GetBulkRequest'' and ''InformRequest'', were added in SNMPv2 and the ''Report'' PDU was added in SNMPv3. All SNMP PDUs share one layout: a request-id, an error-status, an error-index and a list of variable bindings (OID/value pairs); ''GetBulkRequest'' reuses the error-status and error-index positions for its non-repeaters and max-repetitions fields. In SNMPv1 and SNMPv2c the PDU is wrapped in a message that carries only the version number and the community string in front of it.
The seven SNMP PDU types as identified by the ''PDU-type'' field are as follows:
; GetRequest: A manager-to-agent request to retrieve the value of a variable or list of variables. Desired variables are specified in variable bindings (the value field is not used). Retrieval of the specified variable values is to be done as an atomic operation by the agent. A ''Response'' with current values is returned.
; SetRequest: A manager-to-agent request to change the value of a variable or list of variables. Variable bindings are specified in the body of the request. Changes to all specified variables are to be made as an atomic operation by the agent. A ''Response'' with (current) new values for the variables is returned.
; GetNextRequest: A manager-to-agent request to discover available variables and their values. Returns a ''Response'' with the variable binding for the lexicographically next variable in the MIB. The entire MIB of an agent can be walked by iterative application of ''GetNextRequest'' starting at the root of the OID tree. Rows of a table can be read by specifying column OIDs in the variable bindings of the request.
; GetBulkRequest: A manager-to-agent request for multiple iterations of ''GetNextRequest''. An optimized version of ''GetNextRequest''. Returns a ''Response'' with multiple variable bindings walked from the variable binding or bindings in the request. PDU specific ''non-repeaters'' and ''max-repetitions'' fields are used to control response behavior. ''GetBulkRequest'' was introduced in SNMPv2.
; Response: Returns variable bindings and acknowledgement from agent to manager for ''GetRequest'', ''SetRequest'', ''GetNextRequest'', ''GetBulkRequest'' and ''InformRequest''. Error reporting is provided by ''error-status'' and ''error-index'' fields. Although it was used as a response to both gets and sets, this PDU was called ''GetResponse'' in SNMPv1.
; Trap: Asynchronous notification from agent to manager. While in other SNMP communication the manager actively requests information from the agent, these are PDUs that are sent from the agent to the manager without being explicitly requested. SNMP traps enable an agent to notify the management station of significant events by way of an unsolicited SNMP message. Trap PDUs include the current ''sysUpTime'' value, an OID identifying the type of trap and optional variable bindings. Destination addressing for traps is determined in an application-specific manner, typically through trap configuration variables in the MIB. The format of the trap message was changed in SNMPv2 and the PDU was renamed ''SNMPv2-Trap''.
; InformRequest: Acknowledged asynchronous notification. This PDU was introduced in SNMPv2 and was originally defined as ''manager to manager'' communication. Later implementations have loosened the original definition to allow ''agent to manager'' communications.
Manager-to-manager notifications were already possible in SNMPv1 using a ''Trap'', but as SNMP commonly runs over UDP, where delivery is not assured and dropped packets are not reported, delivery of a ''Trap'' was not guaranteed. ''InformRequest'' fixes this as an acknowledgement (a ''Response'' PDU) is returned on receipt.
The protocol specification requires an SNMP implementation to accept a message of at least 484 bytes in length. In practice, SNMP implementations accept longer messages.
If implemented correctly, an SNMP message is discarded if the decoding of the message fails, and thus malformed SNMP requests are ignored. A successfully decoded SNMP request is then authenticated using the community string. If the authentication fails, an ''authenticationFailure'' trap is generated (if ''snmpEnableAuthenTraps'' is enabled) and the message is dropped.
SNMPv1 and SNMPv2c use ''communities'' to establish trust between managers and agents. Most agents support three community names, one each for read-only, read-write and trap. These three community strings control different types of activities. The read-only community applies to ''get'' requests. The read-write community string applies to ''set'' requests. The trap community string applies to receipt of ''traps''. SNMPv3 does not rely on community strings: its User-based Security Model identifies principals by user name and provides authenticated and encrypted communication between SNMP manager and agent (community strings survive in SNMPv3 deployments only for SNMPv1/v2c messages handled by a v3 engine).
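As an added example (not code from the article or from any SNMP implementation), the following Python builds an SNMPv2c GetRequest for sysName.0 byte by byte and parses it back, so the layout described above (version, community, PDU type, request-id, error-status, error-index, variable bindings) can be seen on the wire. The helper names, the community string "public", the request-id 0x1234 and the OID are constructed for the example. Two points matter for security: the community string is recoverable from the raw bytes by anyone who sees the datagram, and the decoder checks every BER length field against the buffer so that a malformed message is rejected rather than over-read, which is the behaviour the "discard on decode failure" rule requires.

```python
# Added example (not from the article or any SNMP implementation): a minimal
# BER encoder/decoder for SNMPv1/v2c.  Helper names, "public", 0x1234 are ours.
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
PDU_TAGS = {"GetRequest": 0xA0, "GetNextRequest": 0xA1, "Response": 0xA2,
            "SetRequest": 0xA3, "GetBulkRequest": 0xA5, "InformRequest": 0xA6,
            "SNMPv2-Trap": 0xA7, "Report": 0xA8}
TAG_NAMES = {v: k for k, v in PDU_TAGS.items()}
VERSIONS = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}

def _tlv(tag, body):
    """BER tag-length-value, definite-length form."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def enc_int(v):
    """Minimal-length two's-complement INTEGER (sign bit included)."""
    size = ((v if v >= 0 else ~v).bit_length() + 8) // 8
    return _tlv(INTEGER, v.to_bytes(size, "big", signed=True))

def enc_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(OID, bytes(out))

def build_message(version, community, pdu_type, request_id, oids):
    """Message ::= SEQUENCE { version, community, PDU }; PDU ::= [tag]
    { request-id, error-status, error-index, VarBindList } with NULL values."""
    varbinds = b"".join(_tlv(SEQUENCE, enc_oid(o) + _tlv(NULL, b"")) for o in oids)
    pdu = enc_int(request_id) + enc_int(0) + enc_int(0) + _tlv(SEQUENCE, varbinds)
    body = enc_int(version) + _tlv(OCTET_STRING, community.encode())
    return _tlv(SEQUENCE, body + _tlv(PDU_TAGS[pdu_type], pdu))

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos).  Every length is checked against the
    buffer before use; trusting it is the classic SNMP decoder bug."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated length field")
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("length exceeds datagram")
    return tag, buf[pos:pos + length], pos + length

def dec_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_message(datagram):
    """Decode message header and PDU header; ValueError if malformed."""
    tag, msg, end = _read_tlv(datagram, 0)
    if tag != SEQUENCE or end != len(datagram):
        raise ValueError("not a single SNMP message")
    vtag, ver, p = _read_tlv(msg, 0)
    ctag, comm, p = _read_tlv(msg, p)
    ptag, pdu, _ = _read_tlv(msg, p)
    if vtag != INTEGER or ctag != OCTET_STRING or ptag not in TAG_NAMES:
        raise ValueError("unexpected field tags")
    _, rid, q = _read_tlv(pdu, 0)
    _, _, q = _read_tlv(pdu, q)        # error-status
    _, _, q = _read_tlv(pdu, q)        # error-index
    _, vbl, _ = _read_tlv(pdu, q)
    oids, r = [], 0
    while r < len(vbl):
        _, vb, r = _read_tlv(vbl, r)
        _, oid, _ = _read_tlv(vb, 0)
        oids.append(dec_oid(oid))
    return {"version": VERSIONS.get(int.from_bytes(ver, "big", signed=True)),
            "community": comm.decode(errors="replace"),   # visible to any sniffer
            "pdu": TAG_NAMES[ptag], "oids": oids,
            "request_id": int.from_bytes(rid, "big", signed=True)}

def is_well_formed(datagram):
    try:                                # a correct agent drops undecodable input
        parse_message(datagram)
        return True
    except (ValueError, IndexError):
        return False
```

Sending the bytes from build_message to an agent on UDP port 161 would produce a Response PDU carrying the same request-id; here is_well_formed stands in for the agent's silent drop of input that fails to decode.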
Protocol versions
In practice, SNMP implementations often support multiple versions: typically SNMPv1, SNMPv2c, and SNMPv3.
Version 1
SNMP version 1 (SNMPv1) is the initial implementation of the SNMP protocol. The design of SNMPv1 was done in the 1980s by a group of collaborators who viewed the officially sponsored OSI/IETF/NSF (National Science Foundation) effort (HEMS/CMIS/CMIP) as both unimplementable in the computing platforms of the time as well as potentially unworkable. SNMP was approved based on a belief that it was an interim protocol needed for taking steps towards large-scale deployment of the Internet and its commercialization.
The first Request for Comments (RFCs) for SNMP, now known as SNMPv1, appeared in 1988:
* — Structure and identification of management information for TCP/IP-based internets
* — Management information base for network management of TCP/IP-based internets
* — A simple network management protocol
In 1990, these documents were superseded by:
* — Structure and identification of management information for TCP/IP-based internets
* — Management information base for network management of TCP/IP-based internets
* — A simple network management protocol
In 1991, (MIB-1) was replaced by the more often used:
* — Version 2 of management information base (MIB-2) for network management of TCP/IP-based internets
SNMPv1 is widely used and is the ''de facto'' network management protocol in the Internet community.
SNMPv1 may be carried over transport mappings such as the User Datagram Protocol (UDP), Internet Protocol (IP), OSI Connectionless-mode Network Service (CLNS), AppleTalk Datagram Delivery Protocol (DDP), and Novell Internetwork Packet Exchange (IPX).
Version 1 has been criticized for its poor security. The specification does, in fact, allow room for custom authentication to be used, but widely used implementations "support only a trivial authentication service that identifies all SNMP messages as authentic SNMP messages". The security of the messages, therefore, becomes dependent on the security of the channels over which the messages are sent. For example, an organization may consider its internal network to be sufficiently secure that no encryption is necessary for its SNMP messages. In such cases, the "community name", which is transmitted in cleartext, tends to be viewed as a de facto password, in spite of the original specification. Anyone who can observe the traffic learns the community string and can reuse it; if it is the read-write community, that includes changing device configuration.
Version 2
SNMPv2, defined by and , revises version 1 and includes improvements in the areas of performance, security and manager-to-manager communications. It introduced ''GetBulkRequest'', an alternative to iterative GetNextRequests for retrieving large amounts of management data in a single request. The new party-based security system introduced in SNMPv2, viewed by many as overly complex, was not widely adopted.
This version of SNMP reached the Proposed Standard level of maturity, but was deemed obsolete by later versions.
''Community-Based Simple Network Management Protocol version 2'', or ''SNMPv2c'', is defined in –. SNMPv2c comprises SNMPv2 ''without'' the controversial new SNMPv2 security model, using instead the simple community-based security scheme of SNMPv1. This version is one of relatively few standards to meet the IETF's Draft Standard maturity level, and was widely considered the ''de facto'' SNMPv2 standard. It was later restated as part of SNMPv3.
''User-Based Simple Network Management Protocol version 2'', or ''SNMPv2u'', is defined in –. This is a compromise that attempts to offer greater security than SNMPv1, but without incurring the high complexity of SNMPv2. A variant of this was commercialized as ''SNMP v2*'', and the mechanism was eventually adopted as one of two security frameworks in SNMP v3.
64-bit counters
SNMP version 2 introduces the option for 64-bit data counters (''Counter64''). Version 1 was designed only with 32-bit counters, which can store integer values from zero to 4.29 billion (precisely 4,294,967,295). A 32-bit value cannot even hold the speed of a 10 gigabit or larger interface expressed in bits per second, which is why ''ifSpeed'' was supplemented by ''ifHighSpeed''. More importantly, a 32-bit octet counter on a 10 gigabit interface running at line rate (1.25 gigabytes per second) wraps back to zero in about 3.4 seconds, far less than a minute and far shorter than typical polling intervals. Every wrap that no poll observes results in lost or invalid data and corrupts trend-tracking data.
The 64-bit version 2 counter can store values from zero to 18.4 quintillion (precisely 18,446,744,073,709,551,615) and so is currently unlikely to experience a counter rollover between polling events. For example, 1.6 terabit Ethernet is predicted to become available by 2025. A 64-bit counter incrementing 1.6 trillion times per second (once per bit) would retain information for such an interface without rolling over for 133 days; an octet counter at that speed would last about eight times longer.
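The wrap arithmetic behind these figures, as an added example (not from the article); the helper names are ours and the rates are the article's own numbers. It also shows the check a poller needs: a single wrap between two polls is recovered with modular arithmetic, but a delta that implies more traffic than the link can carry means the counter wrapped more than once or was reset by a reboot, and that sample must be discarded rather than plotted.

```python
# Added example (not from the article): counter width, wrap time and
# wrap-safe deltas.  Helper names are ours; the rates are the article's.
COUNTER32_MAX = 2**32 - 1
COUNTER64_MAX = 2**64 - 1
TEN_GIGABIT_BPS = 10_000_000_000
TERABIT_1_6_BPS = 1_600_000_000_000


def fits_in_counter32(value):
    """ifSpeed is a 32-bit gauge: 10 Gbit/s does not fit, hence ifHighSpeed."""
    return 0 <= value <= COUNTER32_MAX


def seconds_to_wrap(bits, increments_per_second):
    """Worst-case time between two wraps of a `bits`-wide counter."""
    return 2**bits / increments_per_second


def wraps_per_interval(bits, increments_per_second, interval_s):
    """How many times a counter can wrap inside one polling interval;
    anything above 1 means wraps that the poller cannot detect."""
    return interval_s / seconds_to_wrap(bits, increments_per_second)


def counter_delta(previous, current, bits):
    """Increments between two polls, correct across at most one wrap:
    modular subtraction turns a wrap into an ordinary forward step."""
    return (current - previous) % (2**bits)


def rates_from_polls(polls, bits, interval_s, line_rate=None):
    """Convert successive readings into per-second rates.  If line_rate
    (increments per second) is known, flag any delta the link could not
    have carried: the counter wrapped more than once, or was reset by a
    reboot, between polls, so the sample is suspect."""
    out = []
    for prev, cur in zip(polls, polls[1:]):
        rate = counter_delta(prev, cur, bits) / interval_s
        suspect = line_rate is not None and rate > line_rate
        out.append((rate, suspect))
    return out
```

With five-minute polling, the usual default in monitoring systems, a 32-bit octet counter on a saturated 10 gigabit link can wrap more than eighty times between two polls, which is why Counter64 objects such as ifHCInOctets should be preferred wherever the agent offers them.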
SNMPv1 and SNMPv2c interoperability
SNMPv2c is incompatible with SNMPv1 in two key areas: message formats and protocol operations. SNMPv2c messages use different header and protocol data unit (PDU) formats than SNMPv1 messages. SNMPv2c also uses two protocol operations that are not specified in SNMPv1. To overcome incompatibility, defines two SNMPv1/v2c coexistence strategies: proxy agents and bilingual network-management systems.
Proxy agents
An SNMPv2 agent can act as a proxy agent on behalf of SNMPv1 managed devices. When an SNMPv2 NMS issues a command intended for an SNMPv1 agent it sends it to the SNMPv2 proxy agent instead. The proxy agent forwards Get, GetNext, and Set messages to the SNMPv1 agent unchanged. GetBulk messages are converted by the proxy agent to GetNext messages and then forwarded to the SNMPv1 agent. Additionally, the proxy agent receives and maps SNMPv1 trap messages to SNMPv2 trap messages and then forwards them to the NMS.
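An added example (not code from the article or from any agent implementation) of the operations described under GetNextRequest and GetBulkRequest in the protocol details, and of the GetBulk-to-GetNext conversion a proxy agent performs: a toy agent holding a handful of MIB-2 objects (constructed sample values under 1.3.6.1.2.1) answers GetNext in lexicographic OID order and expands GetBulk into the repeated GetNext calls a proxy would issue. OID order is numeric arc by arc, so ifDescr (column 2) sorts before ifInOctets (column 10); plain string comparison gets this wrong, which is a common bug in home-grown pollers.

```python
# Added example (not from the article or any agent implementation): GetNext
# and GetBulk over a toy MIB.  The objects, values and helper names are
# constructed; the OIDs are real MIB-2 ones (system group, ifTable columns).
END_OF_MIB = "endOfMibView"        # SNMPv2c exception value, not an error-status


def oid_key(dotted):
    """Lexicographic OID order compares arc by arc as integers."""
    return tuple(int(a) for a in dotted.split("."))


class ToyAgent:
    def __init__(self, objects):
        self.objects = sorted(objects.items(), key=lambda kv: oid_key(kv[0]))

    def get(self, oid):
        for o, v in self.objects:
            if o == oid:
                return o, v
        return oid, "noSuchInstance"

    def get_next(self, oid):
        """First object whose OID is strictly greater than the request OID."""
        key = oid_key(oid)
        for o, v in self.objects:
            if oid_key(o) > key:
                return o, v
        return oid, END_OF_MIB

    def get_bulk(self, oids, non_repeaters, max_repetitions):
        """GetBulk expressed as the GetNext calls a proxy agent would issue:
        one GetNext for each of the first `non_repeaters` OIDs, then up to
        `max_repetitions` rounds of GetNext over the remaining OIDs."""
        result = [self.get_next(o) for o in oids[:non_repeaters]]
        cursors = list(oids[non_repeaters:])
        for _ in range(max_repetitions):
            if not cursors:
                break
            nxt = [self.get_next(c) for c in cursors]
            result.extend(nxt)
            if all(v == END_OF_MIB for _, v in nxt):
                break                      # nothing further to report
            cursors = [o for o, _ in nxt]
        return result


def walk(agent, root):
    """snmpwalk-style subtree walk by iterated GetNext; stops at the first
    OID outside the subtree or at endOfMibView."""
    prefix, out, cur = oid_key(root), [], root
    while True:
        oid, val = agent.get_next(cur)
        if val == END_OF_MIB or oid_key(oid)[:len(prefix)] != prefix:
            return out
        out.append((oid, val))
        cur = oid


SAMPLE_MIB = {                                    # constructed values
    "1.3.6.1.2.1.1.1.0": "ToyOS 1.0",             # sysDescr.0
    "1.3.6.1.2.1.1.5.0": "edge-router-1",         # sysName.0
    "1.3.6.1.2.1.2.2.1.2.1": "eth0",              # ifDescr.1
    "1.3.6.1.2.1.2.2.1.2.2": "eth1",              # ifDescr.2
    "1.3.6.1.2.1.2.2.1.10.1": 123456,             # ifInOctets.1
    "1.3.6.1.2.1.2.2.1.10.2": 654321,             # ifInOctets.2
}
```

Walking a column (for example ifDescr) rather than the whole tree is what keeps a large agent from being asked for thousands of objects it would rather not hand out; note that the walk terminates on the first OID outside the requested prefix, so an agent that returns OIDs out of order (a real-world bug) would be walked past its subtree or looped on forever without the prefix check.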
Bilingual network-management system
Bilingual SNMPv2 network-management systems support both SNMPv1 and SNMPv2. To support this dual-management environment, a management application examines information stored in a local database to determine whether the agent supports SNMPv1 or SNMPv2. Based on the information in the database, the NMS communicates with the agent using the appropriate version of SNMP.
Version 3
Although SNMPv3 makes no changes to the protocol aside from the addition of cryptographic security, it looks very different due to new textual conventions, concepts, and terminology.
The most visible change was to define a secure version of SNMP, by adding security and remote configuration enhancements to SNMP (''The Simple Times'', "In This Issue: SNMP Version 3").
The security aspect is addressed by offering both strong authentication and data encryption for privacy. For the administration aspect, SNMPv3 focuses on two parts, namely notification originators and proxy forwarders. The changes also facilitate remote configuration and administration of the SNMP entities, as well as addressing issues related to the large-scale deployment, accounting, and fault management.
Features and enhancements included:
* Identification of SNMP entities to facilitate communication only between known SNMP entities – Each SNMP entity has an identifier called the SNMPEngineID, and SNMP communication is possible only if an SNMP entity knows the identity of its peer. Traps and Notifications are exceptions to this rule.
* Support for security models – A security model may define the security policy within an administrative domain or an intranet. SNMPv3 contains the specifications for a user-based security model (USM).
* Definition of security goals where the goals of message authentication service include protection against the following:
** Modification of Information – Protection against some unauthorized SNMP entity altering in-transit messages generated by an authorized principal.
** Masquerade – Protection against attempting management operations not authorized for some principal by assuming the identity of another principal that has the appropriate authorizations.
** Message stream modification – Protection against messages getting maliciously re-ordered, delayed, or replayed to affect unauthorized management operations.
** Disclosure – Protection against eavesdropping on the exchanges between SNMP engines.
*Specification for USM – USM consists of the general definition of the following communication mechanisms available:
** Communication without authentication and privacy (NoAuthNoPriv).
** Communication with authentication and without privacy (AuthNoPriv).
** Communication with authentication and privacy (AuthPriv).
* Definition of different authentication and privacy protocols – the HMAC-MD5-96 and HMAC-SHA-96 authentication protocols (with HMAC-SHA-2 variants added later in RFC 7860) and the CBC-DES and CFB128-AES-128 privacy protocols are supported in the USM. MD5, SHA-1 and single DES remain only for compatibility; new deployments should select SHA-2 authentication with AES privacy.
* Definition of a discovery procedure – To find the SNMPEngineID of an SNMP entity for a given transport address and transport endpoint address.
* Definition of the time synchronization procedure – To facilitate authenticated communication between the SNMP entities.
* Definition of the SNMP framework MIB – To facilitate remote configuration and administration of the SNMP entity.
* Definition of the USM MIBs – To facilitate remote configuration and administration of the security module.
* Definition of the view-based access control model (VACM) MIBs – To facilitate remote configuration and administration of the access control module.
Security was one of the biggest weaknesses of SNMP until v3. Authentication in SNMP versions 1 and 2c amounts to nothing more than a password (community string) sent in clear text between a manager and agent.
Each SNMPv3 message contains security parameters which are encoded as an octet string. The meaning of these security parameters depends on the security model being used. The security approach in v3 targets:
* Confidentiality – Encryption of packets to prevent snooping by an unauthorized source.
* Integrity – Message integrity to ensure that a packet has not been tampered with while in transit, including an optional packet replay protection mechanism.
* Authentication – to verify that the message is from a valid source.
v3 also defines the USM and VACM, which were later followed by a transport security model (TSM, RFC 5591) that provided support for SNMPv3 over SSH (RFC 5592) and SNMPv3 over TLS and DTLS (RFC 6353).
* USM (User-based Security Model) provides authentication and privacy (encryption) functions and operates at the message level.
* VACM (View-based Access Control Model) determines whether a given principal is allowed access to a particular MIB object to perform specific functions and operates at the PDU level.
* TSM (Transport Security Model) provides a method for authenticating and encrypting messages over external security channels. Two transports, SSH and TLS/DTLS, have been defined that make use of the TSM specification.
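The USM mechanics above, as an added example (not code from the article or from any SNMP implementation): the RFC 3414 password-to-key and key-localization steps, HMAC truncation for the authentication parameters, and the 150-second timeliness window that provides the replay protection listed under the security goals. The helper names are ours; the password "maplesyrup" and the engine ID 00 00 00 00 00 00 00 00 00 00 00 02 are the RFC 3414 Appendix A test vectors. Localization is why a localized key captured from one agent does not work against another: the key is bound to the peer's snmpEngineID learned in the discovery procedure.

```python
# Added example (not from the article): RFC 3414 USM key handling.
# Helper names are ours; "maplesyrup" / engine ID 00..02 are the RFC's vectors.
import hashlib
import hmac

ONE_MEBIBYTE = 1048576
ENGINE_BOOTS_MAX = 2**31 - 1


def password_to_key(password, algorithm):
    """Ku (RFC 3414 A.2): hash one MiB of the password repeated.  The
    repetition is a fixed work factor, not a salt, so Ku is the same on
    every engine; only localization makes it engine-specific."""
    pw = password.encode()
    stream = (pw * (ONE_MEBIBYTE // len(pw) + 1))[:ONE_MEBIBYTE]
    return hashlib.new(algorithm, stream).digest()


def localize_key(ku, engine_id, algorithm):
    """Kul = H(Ku || snmpEngineID || Ku).  Each agent gets a different key
    from the same password, so one compromised agent does not yield the
    key used with the others."""
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def derive_user_keys(password, engine_id, algorithm="sha1"):
    """What a manager does once discovery has returned the agent's engine ID."""
    ku = password_to_key(password, algorithm)
    return ku, localize_key(ku, engine_id, algorithm)


def auth_params(kul, whole_msg_zeroed, algorithm, trunc=12):
    """msgAuthenticationParameters: HMAC over the whole message with the
    parameters field zero-filled, truncated to 96 bits for MD5 and SHA-1."""
    return hmac.new(kul, whole_msg_zeroed, algorithm).digest()[:trunc]


def verify_auth(kul, whole_msg_zeroed, received, algorithm):
    """Receiver recomputes the MAC and compares in constant time."""
    expected = auth_params(kul, whole_msg_zeroed, algorithm, len(received))
    return hmac.compare_digest(expected, received)


def in_time_window(engine_boots, engine_time, msg_boots, msg_time, window=150):
    """Authoritative engine's timeliness check (RFC 3414 section 3.2): reject
    if the boot counters disagree, if the boot counter has hit its ceiling,
    or if the message's engineTime is more than `window` seconds from local
    time.  This is the replay defence: a recorded message ages out."""
    if engine_boots == ENGINE_BOOTS_MAX:
        return False
    return msg_boots == engine_boots and abs(engine_time - msg_time) <= window
```

Two operational consequences follow from the code: the engine ID must be stable across reboots (otherwise every localized key changes), and snmpEngineBoots must actually be persisted and incremented, since an engine that restarts with the same boots value and a reset engineTime reopens the replay window for any message captured in its previous life.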
The IETF recognizes ''Simple Network Management Protocol version 3'' as defined by – (also known as STD 62) as the current standard version of SNMP. The IETF has designated SNMPv3 a full Internet Standard, the highest maturity level for an RFC. It considers earlier versions to be obsolete (designating them variously "Historic" or "Obsolete").
Implementation issues
SNMP's powerful write capabilities, which would allow the configuration of network devices, are not being fully utilized by many vendors, partly because of a lack of security in SNMP versions before SNMPv3, and partly because many devices simply are not capable of being configured via individual MIB object changes.
Some SNMP values (especially tabular values) require specific knowledge of table indexing schemes, and these index values are not necessarily consistent across platforms. This can cause correlation issues when fetching information from multiple devices that may not employ the same table indexing scheme (for example fetching disk utilization metrics, where a specific disk identifier is different across platforms.)
Some major equipment vendors tend to over-extend their proprietary command line interface (CLI) centric configuration and control systems.
In February 2002 the Carnegie Mellon Software Engineering Institute (CM-SEI) Computer Emergency Response Team Coordination Center (CERT-CC) issued an advisory on SNMPv1, after the Oulu University Secure Programming Group conducted a thorough analysis of SNMP message handling. Most SNMP implementations, regardless of which version of the protocol they support, use the same program code for decoding protocol data units (PDU), and problems were identified in this code. Other problems were found with decoding SNMP trap messages received by the SNMP management station or requests received by the SNMP agent on the network device. Many vendors had to issue patches for their SNMP implementations.
Security implications
Using SNMP to attack a network
Because SNMP is designed to allow administrators to monitor and configure network devices remotely, it can also be used to penetrate a network. A significant number of software tools can scan the entire network using SNMP; therefore, mistakes in the configuration of the read-write mode can make a network susceptible to attacks.
In 2001, Cisco released information that indicated that, even in read-only mode, the SNMP implementation of Cisco IOS is vulnerable to certain denial of service attacks. These security issues can be fixed through an IOS upgrade.
If SNMP is not used in a network, it should be disabled in network devices. When configuring SNMP read-only mode, close attention should be paid to the configuration of the access control and to the IP addresses from which SNMP messages are accepted. If the SNMP servers are identified by their IP addresses, SNMP is only allowed to respond to these addresses and SNMP messages from other IP addresses are denied. However, IP address spoofing remains a security concern.
Authentication
SNMP is available in different versions, each of which has its own security issues. SNMP v1 sends passwords in clear-text over the network. Therefore, passwords can be read with packet sniffing. SNMP v2 allows password hashing with MD5, but this has to be configured. Virtually all network management software supports SNMP v1, but not necessarily SNMP v2 or v3. SNMP v2 was specifically developed to provide data security, that is authentication, privacy and authorization, but only SNMP version 2c gained the endorsement of the Internet Engineering Task Force (IETF), while versions 2u and 2* failed to gain IETF approval due to security issues. SNMP v3 uses MD5, Secure Hash Algorithm (SHA) and keyed algorithms to offer protection against unauthorized data modification and spoofing attacks. If a higher level of security is needed, the Data Encryption Standard (DES) can optionally be used in cipher block chaining mode. SNMP v3 is implemented on Cisco IOS since release 12.0(3)T.
SNMPv3 may be subject to brute force and dictionary attacks for guessing the authentication keys, or encryption keys, if these keys are generated from short (weak) passwords or passwords that can be found in a dictionary. SNMPv3 allows both providing random uniformly distributed cryptographic keys and generating cryptographic keys from a password supplied by the user. The risk of guessing authentication strings from hash values transmitted over the network depends on the cryptographic hash function used and the length of the hash value. SNMPv3 uses the HMAC-SHA-2 authentication protocol for the User-based Security Model (USM).
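The password-to-key derivation, per-engine key localization and truncated HMAC that the USM paragraph above refers to, written out as an added Python example (not code from the article or from any SNMP implementation). The engine ID and message bytes are constructed for illustration; the engine ID is the one RFC 3414 Appendix A.3 uses for its published test vectors.

```python
import hashlib
import hmac

# Length of the truncated HMAC carried in msgAuthenticationParameters:
# RFC 3414 for MD5/SHA-1 (HMAC-96), RFC 7860 for the SHA-2 family.
TAG_LEN = {"md5": 12, "sha1": 12, "sha224": 16, "sha256": 24,
           "sha384": 32, "sha512": 48}
# RFC 3414 A.2: the password is repeated to fill 1 MiB before hashing.
PASSWORD_EXPANSION = 1_048_576


def password_to_key(password: str, hash_name: str) -> bytes:
    """Derive the user key Ku from a password (RFC 3414 A.2; RFC 7860
    reuses the scheme for SHA-2). The 1 MiB expansion is the only work a
    guesser must repeat per candidate, which is why short or dictionary
    passwords are the weak point the text describes."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    data = (pw * (PASSWORD_EXPANSION // len(pw) + 1))[:PASSWORD_EXPANSION]
    return hashlib.new(hash_name, data).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): one password yields a different
    key per agent, so a key recovered from one engine fits no other."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_tag(kul: bytes, message: bytes, hash_name: str) -> bytes:
    """HMAC over the whole message (auth field zero-filled), truncated."""
    return hmac.new(kul, message, hash_name).digest()[:TAG_LEN[hash_name]]


def verify(kul: bytes, message: bytes, tag: bytes, hash_name: str) -> bool:
    """Constant-time comparison of a received tag with the expected one."""
    return hmac.compare_digest(auth_tag(kul, message, hash_name), tag)


def demo(password: str = "maplesyrup", hash_name: str = "sha256") -> dict:
    """Authenticate a constructed message and show what fails to verify."""
    # Constructed inputs: the engine ID is the one RFC 3414 Appendix A.3
    # uses for its published vectors; the message stands in for a
    # serialized SNMPv3 message whose auth field has been zero-filled.
    engine_id = bytes.fromhex("000000000000000000000002")
    other_engine = bytes.fromhex("000000000000000000000003")
    message = b"constructed snmpv3 message" + b"\x00" * TAG_LEN[hash_name]
    ku = password_to_key(password, hash_name)
    kul = localize_key(ku, engine_id, hash_name)
    tag = auth_tag(kul, message, hash_name)
    return {
        "tag_len": len(tag),
        "valid": verify(kul, message, tag, hash_name),
        # A single changed byte in the PDU invalidates the tag.
        "tampered_valid": verify(kul, message.replace(b"snmp", b"snnp"),
                                 tag, hash_name),
        # The same password localized to another engine does not verify.
        "other_engine_valid": verify(localize_key(ku, other_engine, hash_name),
                                     message, tag, hash_name),
    }
```

With `hash_name="md5"` the functions reproduce the "maplesyrup" vectors published in RFC 3414 Appendix A.3.1.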
SNMP does not use a more secure challenge-handshake authentication protocol. SNMPv3 (like other SNMP protocol versions) is a stateless protocol, and it has been designed with a minimal amount of interaction between the agent and the manager. Thus, introducing a challenge-response handshake for each command would impose a burden on the agent (and possibly on the network itself) that the protocol designers deemed excessive and unacceptable.
The security deficiencies of all SNMP versions can be mitigated by IPsec authentication and confidentiality mechanisms. SNMP also may be carried securely over Datagram Transport Layer Security (DTLS).
Many SNMP implementations include a type of automatic discovery where a new network component, such as a switch or router, is discovered and polled automatically. In SNMPv1 and SNMPv2c this is done through a ''community string'' that is transmitted in clear-text to other devices.
Clear-text passwords are a significant security risk. Once the community string is known outside the organization, it could become the target for an attack. To alert administrators of other attempts to glean community strings, SNMP can be configured to pass community-name authentication failure traps.
If SNMPv2 is used, the issue can be avoided by enabling password encryption on the SNMP agents of network devices.
The common default community strings are "public" for read-only access and "private" for read-write access.
Because of the well-known defaults, SNMP topped the list of the SANS Institute's Common Default Configuration Issues and was number ten on the SANS Top 10 Most Critical Internet Security Threats for the year 2000.
System and network administrators frequently do not change these configurations.
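To make concrete what the Authentication section above says about clear-text community strings, and what this passage says about the "public" and "private" defaults, here is an added Python example (not code from the article or from any SNMP project) that parses the outer BER structure of an SNMPv1/v2c datagram the way a passive network sensor would and reports the findings a defender cares about. The two datagrams are constructed inline for illustration, not captured traffic.

```python
# Constructed (not captured) SNMPv1 GetRequest for sysDescr.0, community "public".
SAMPLE_V1_GET = bytes.fromhex(
    "3026"                              # Message SEQUENCE, 38 bytes
    "020100"                            # version INTEGER 0 (SNMPv1)
    "04067075626c6963"                  # community OCTET STRING "public"
    "a019"                              # GetRequest-PDU, 25 bytes
    "020101" "020100" "020100"          # request-id, error-status, error-index
    "300e300c06082b060102010101000500")  # VarBindList: sysDescr.0 = NULL
# Constructed SNMPv2c SetRequest using the default read-write community "private".
SAMPLE_V2C_SET = bytes.fromhex(
    "3028" "020101" "040770726976617465" "a31a" "020102" "020100" "020100"
    "300f300d06082b06010201010100" "040178")  # sysDescr.0 := "x"

DEFAULT_COMMUNITIES = {"public", "private"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest",
             0xA6: "InformRequest", 0xA7: "SNMPv2-Trap", 0xA8: "Report"}
VERSION_NAMES = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}

def read_tlv(buf: bytes, pos: int):
    """Read one BER tag-length-value triple; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits = length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(datagram: bytes) -> dict:
    """Return version, community (v1/v2c only) and PDU type of a datagram.
    In v1/v2c the community, the only credential, is the plain second
    element of the message; SNMPv3 carries its credentials in the USM."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE missing; not an SNMP message")
    tag, ver, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(ver, "big", signed=True)
    if version == 3:               # msgGlobalData follows, not a community
        return {"version": "SNMPv3", "community": None, "pdu": None}
    tag, community, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    pdu_tag, _, _ = read_tlv(body, pos)
    return {"version": VERSION_NAMES.get(version, str(version)),
            "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag))}

def audit(datagram: bytes) -> list:
    """Findings a passive sensor would raise for one datagram."""
    hdr = parse_snmp_header(datagram)
    findings = []
    if hdr["version"] in ("SNMPv1", "SNMPv2c"):
        findings.append("%s community string in clear text" % hdr["version"])
        if hdr["community"] in DEFAULT_COMMUNITIES:
            findings.append("well-known default community %r" % hdr["community"])
        if hdr["pdu"] == "SetRequest":
            findings.append("write request without authentication")
    return findings
```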
Whether it runs over TCP or UDP, SNMPv1 and v2 are vulnerable to IP spoofing attacks. With spoofing, attackers may bypass device access lists in agents that are implemented to restrict SNMP access. SNMPv3 security mechanisms such as USM or TSM prevent a successful spoofing attack.
RFC references
* (STD 16) — ''Structure and Identification of Management Information for the TCP/IP-based Internets''
* (Historic) — ''Management Information Base for Network Management of TCP/IP-based internets''
* (Historic) — ''A Simple Network Management Protocol (SNMP)''
* (STD 17) — ''Management Information Base for Network Management of TCP/IP-based internets: MIB-II''
* (Informational) — ''Coexistence between version 1 and version 2 of the Internet-standard Network Management Framework'' (Obsoleted by )
* (Experimental) — ''Introduction to Community-based SNMPv2''
* (Draft Standard) — ''Structure of Management Information for SNMPv2'' (Obsoleted by )
* (Standards Track) — ''Coexistence between Version 1 and Version 2 of the Internet-standard Network Management Framework''
* (Informational) — ''Introduction to Version 3 of the Internet-standard Network Management Framework '' (Obsoleted by )
* (STD 58) — ''Structure of Management Information Version 2 (SMIv2)''
* (Informational) — ''Introduction and Applicability Statements for Internet Standard Management Framework''
* STD 62 contains the following RFCs:
** — ''An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks''
** — ''Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)''
** — ''Simple Network Management Protocol (SNMP) Applications''
** — ''User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)''
** — ''View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)''
** — ''Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP)''
** — ''Transport Mappings for the Simple Network Management Protocol (SNMP)''
** — ''Management Information Base (MIB) for the Simple Network Management Protocol (SNMP)''
* (Experimental) — ''Simple Network Management Protocol (SNMP) over Transmission Control Protocol (TCP) Transport Mapping''
* (BCP 74) — ''Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework''
* (Proposed) — ''The Advanced Encryption Standard (AES) Cipher Algorithm in the SNMP User-based Security Model''
* (Proposed) — ''Simple Network Management Protocol (SNMP) over IEEE 802 Networks''
* (STD 78) — ''Simple Network Management Protocol (SNMP) Context EngineID Discovery''
* (STD 78) — ''Transport Subsystem for the Simple Network Management Protocol (SNMP)''
* (STD 78) — ''Transport Security Model for the Simple Network Management Protocol (SNMP)''
* (Proposed) — ''Secure Shell Transport Model for the Simple Network Management Protocol (SNMP)''
* (Proposed) — ''Remote Authentication Dial-In User Service (RADIUS) Usage for Simple Network Management Protocol (SNMP) Transport Models''
* (STD 78) — ''Transport Layer Security (TLS) Transport Model for the Simple Network Management Protocol (SNMP)''
* (Proposed) — ''HMAC-SHA-2 Authentication Protocols in the User-based Security Model (USM) for SNMPv3''
See also
* Agent Extensibility Protocol (AgentX) – Subagent protocol for SNMP
* Common Management Information Protocol (CMIP) – Management protocol by ISO/OSI used by telecommunications devices
* Common Management Information Service (CMIS)
* Comparison of network monitoring systems
* Net-SNMP – Open source reference implementation of SNMP
* NETCONF – XML-based configuration protocol for network equipment
* Remote Network Monitoring (RMON)
* Simple Gateway Monitoring Protocol (SGMP) – Obsolete protocol replaced by SNMP