Hi all,

below you'll find a patch that adds basic SNMPv3 support to OpenBSD's
snmpd(8). When I say "basic" that's because of some limitations:

- Traps are still sent via the SNMPv2 protocol. They can neither be
  authenticated nor encrypted.

- Transport mode is still UDP. No additional transport subsystems
  were added.

- Only the User-based Security Model (USM, RFC3414) is supported.
  View-Based Access Control (VACM, RFC3415) is not included.


Just to provide you with a little background, I'll explain some details
below.

Three security levels are defined in RFC3411:

1) noAuthNoPriv: no authentication, no encryption
2) authNoPriv: with authentication, without encryption
3) authPriv: with authentication, with encryption

There is a new keyword 'seclevel' in snmpd.conf(5) that allows you to
define the minimum security level required by snmpd(8). Any requirement
higher than noAuthNoPriv will disable SNMPv2 support.


The USM offers:

- Verification of message contents and authentication of the sender

  USM adds an HMAC to the SNMP message. The HMAC is calculated over
  the whole message with the HMAC portion set to zeroes.
  According to RFC3414 the defined HMAC algorithms are HMAC-MD5-96
  and HMAC-SHA-96. The key is derived from an authentication
  passphrase.


- Encryption of the PDU

  USM encrypts only a part of the message, the scoped PDU, while the
  SNMP header remains plaintext. RFC3414 defines only CBC DES but
  RFC3826 adds CFB128 AES 128 encryption (although this is not
  part of STD62). The IV is derived from an encryption passphrase.


- Protection against replay attacks

  The non-authoritative SNMP engines have to synchronize their
  clocks with the authoritative SNMP engine. RFC3414 demands
  to reject any SNMPv3 message that has a timestamp that differs
  by more than 150 seconds from the local clock.
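
As an added illustration (not part of Gerhard's patch or of OpenBSD's snmpd), the following Python models the USM authentication and timeliness mechanisms described above: RFC3414 passphrase-to-key derivation and localization to an engine ID, the 96-bit HMAC computed over the whole message with the authentication field zeroed, and the 150-second replay window. It works on a raw byte buffer and takes the offset of the msgAuthenticationParameters field as a parameter instead of parsing the BER-encoded header; the message bytes are constructed for the demo.

```python
import hashlib
import hmac

# Values fixed by RFC 3414: the passphrase is stretched to 1 MiB before
# hashing, the HMAC is truncated to 96 bits (12 bytes), and a message whose
# engine time is more than 150 s off the local clock is rejected.
STRETCH_LEN = 1048576
MAC_LEN = 12
TIME_WINDOW = 150


def localized_key(passphrase: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """RFC 3414 A.2: passphrase -> Ku -> Kul, the key bound to one engine ID."""
    stretched = (passphrase * (STRETCH_LEN // len(passphrase) + 1))[:STRETCH_LEN]
    ku = hashlib.new(algo, stretched).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()


def authenticate(msg: bytes, mac_offset: int, key: bytes, algo: str = "sha1") -> bytes:
    """Write the 96-bit HMAC into msg at mac_offset (assumed to be the start of
    the 12-byte msgAuthenticationParameters value; BER parsing is not modelled).
    The HMAC covers the whole message with that field set to zeroes."""
    zeroed = msg[:mac_offset] + b"\x00" * MAC_LEN + msg[mac_offset + MAC_LEN:]
    mac = hmac.new(key, zeroed, algo).digest()[:MAC_LEN]
    return msg[:mac_offset] + mac + msg[mac_offset + MAC_LEN:]


def verify(msg: bytes, mac_offset: int, key: bytes, algo: str = "sha1") -> bool:
    """Recompute the HMAC and compare it in constant time with the received one."""
    received = msg[mac_offset:mac_offset + MAC_LEN]
    expected = authenticate(msg, mac_offset, key, algo)[mac_offset:mac_offset + MAC_LEN]
    return hmac.compare_digest(received, expected)


def timely(msg_boots: int, msg_time: int, local_boots: int, local_time: int) -> bool:
    """Authoritative-engine timeliness check (RFC 3414 section 3.2, step 7)."""
    if local_boots == 2**31 - 1:  # boot counter exhausted: refuse everything
        return False
    return msg_boots == local_boots and abs(msg_time - local_time) <= TIME_WINDOW


if __name__ == "__main__":
    # Constructed sample: the RFC 3414 A.3 engine ID and passphrase, and a fake
    # message whose 12-byte auth parameter field starts at byte offset 7.
    engine_id = bytes.fromhex("000000000000000000000002")
    key = localized_key(b"maplesyrup", engine_id)
    msg = b"HDR-v3:" + b"\x00" * MAC_LEN + b":scopedPDU"
    signed = authenticate(msg, 7, key)
    print(verify(signed, 7, key), verify(signed[:-1] + b"!", 7, key))  # True False
```

The SHA-1 and MD5 localized keys for "maplesyrup" with that engine ID match the test vectors in RFC3414 appendix A.3, which is a quick way to check any USM implementation's key derivation.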


The USM users together with their HMAC and encryption passphrases
have to be defined in snmpd.conf(5). The code already supports multiple
users, though without VACM there's not much sense to it.


Gerhard

[demime 1.01d removed an attachment of type application/octet-stream which had a name of snmpv3.patch]