SysMan Mall


http://blogs.sun.com/adikhit/date/20061002 Monday October 02, 2006

SNMPv3 in Sun MC agent

Secure access to agent data was always there, except that we used SNMPv2usec as the security model, a model that didn't gain much steam in the outside world. SunMC implemented it, and it has perhaps been one of the very few implementations of RFC 1910 I have known, besides the experimental ones that evaporated over time. So while the world was struggling to get the story right with SNMPv3, SunMC was already cruising with SNMPv2usec. SNMPv3, however, was introduced a little late in the SunMC product for various reasons, one being that we always had integrity, authentication, replay protection and (optional) privacy available in the agent via v2usec and were therefore not very motivated. The push to include SNMPv3 was really fueled by the availability of tools and utilities that talk the latest SNMP protocol.

The difference between SNMPv2usec and SNMPv3usm is primarily the way the security header gets encoded and decoded. In plain terms, v2usec headers are encoded as an OCTET STRING, whereas in v3usm the header is given a well-defined structure: the various fields are represented using ASN.1 transfer syntax (type/length/value, etc.). The v3 protocol also adds more structure to the payload, introducing the notion of a scoped PDU, all with the intent of making the entire PDU well structured.
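To make the structured v3 header concrete, here is a strict decoder for the USM security parameters as RFC 3414 defines them (a BER SEQUENCE of six fields wrapped in the msgSecurityParameters OCTET STRING). This is an added example, not SunMC code; the function names and the sample bytes are constructed for illustration.

```python
# UsmSecurityParameters (RFC 3414) is carried as BER inside the
# msgSecurityParameters OCTET STRING of an SNMPv3 message.
FIELDS = [  # (name, expected BER tag): 0x04 OCTET STRING, 0x02 INTEGER
    ("engine_id", 0x04), ("engine_boots", 0x02), ("engine_time", 0x02),
    ("user_name", 0x04), ("auth_params", 0x04), ("priv_params", 0x04),
]

def read_tlv(buf, pos, want_tag):
    """Return (value, next_pos) for one definite-length BER TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if tag != want_tag:
        raise ValueError(f"tag 0x{tag:02x}, expected 0x{want_tag:02x}")
    if length & 0x80:              # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return buf[pos:pos + length], pos + length

def parse_usm(sec_params):
    """Decode msgSecurityParameters (outer OCTET STRING included) into a dict."""
    inner, end = read_tlv(sec_params, 0, 0x04)   # opaque wrapper
    seq, seq_end = read_tlv(inner, 0, 0x30)      # structured USM header
    if end != len(sec_params) or seq_end != len(inner):
        raise ValueError("trailing bytes after security parameters")
    out, pos = {}, 0
    for name, tag in FIELDS:
        val, pos = read_tlv(seq, pos, tag)
        out[name] = int.from_bytes(val, "big", signed=True) if tag == 0x02 else val
    if pos != len(seq):
        raise ValueError("unexpected extra field in SEQUENCE")
    if len(out["user_name"]) > 32 or out["engine_boots"] < 0:
        raise ValueError("field outside RFC 3414 range")
    return out

# Constructed sample, not captured from a real agent.
SAMPLE = bytes.fromhex(
    "0436 3034 0409 8000000004 64656d6f 0201 03 0202 03e8"
    "0408 6f70657261746f72 040c" + "aa" * 12 + "0408 0102030405060708")

if __name__ == "__main__":
    for k, v in parse_usm(SAMPLE).items():
        print(k, v.hex() if isinstance(v, bytes) else v)
```

Rejecting wrong tags, overlong lengths and trailing bytes up front means malformed headers are dropped before any authentication or timeliness check reads the fields.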

SunMC agents install the supported MIB files in the /opt/SUNWsymon/util/cfg directory, along with a lot of standard MIBs. These MIBs can be parsed inside third-party MIB browsers and then used for communicating with the agent. The agents require user configuration, primarily entering proper credentials for a user so that the user's localized key is populated inside the USM table. This is done using the es-config utility. In addition, the user requires correct ACL settings to access the relevant portion of the MIB tree (security can get very fine-grained without impacting performance, contrary to what happens with VACM).

This opens up a great source of information for users who run Sun Management Center agents in their environment and who are also well conversant with SNMP tools and utilities.


This is a personal weblog, I do not speak for my employer.