
8/20/2015

Simple Network Management Protocol - Wikipedia, the free encyclopedia

Simple Network Management Protocol
From Wikipedia, the free encyclopedia

Simple Network Management Protocol (SNMP) is an "Internet-standard protocol for managing devices on IP networks". Devices that typically support SNMP include routers, switches, servers, workstations, printers, modem racks and more.[1] SNMP is widely used in network management systems to monitor network-attached devices for conditions that warrant administrative attention. SNMP is a component of the Internet Protocol Suite as defined by the Internet Engineering Task Force (IETF). It consists of a set of standards for network management, including an application layer protocol, a database schema, and a set of data objects.[2]

SNMP v3 STD 0062
Communications protocol
OSI layer: Application
Port(s): 161, 162 (Trap)
RFC(s): 3411–3418

Secure SNMP
Communications protocol
OSI layer: Application
Port(s): 10161, 10162 (Trap)
RFC(s): 6353

SNMP exposes management data in the form of variables on the managed systems, which describe the system configuration. These variables can then be queried (and sometimes set) by managing applications.

Contents
1 Overview and basic concepts
2 Management information base (MIB)
3 Protocol details
4 Development and usage
4.1 Version 1
4.2 Version 2
4.3 SNMPv1 & SNMPv2c interoperability
4.3.1 Proxy agents
4.3.2 Bilingual network-management system
4.4 Version 3
5 Implementation issues
6 Resource indexing
7 Security implications
7.1 Autodiscovery
8 RFC references
9 Further reading
10 See also
11 References
12 External links

https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol


Overview and basic concepts
In typical uses of SNMP one or more administrative computers, called managers, have the task of monitoring or managing a group of hosts or devices on a computer network. Each managed system executes, at all times, a software component called an agent which reports information via SNMP to the manager.

[Figure: Principle of SNMP Communication]

SNMP agents expose management data on the managed systems as variables. The protocol also permits active management tasks, such as modifying and applying a new configuration through remote modification of these variables. The variables accessible via SNMP are organized in hierarchies. These hierarchies, and other metadata (such as type and description of the variable), are described by Management Information Bases (MIBs).
An SNMP-managed network consists of three key components:
Managed device
Agent – software which runs on managed devices
Network management station (NMS) – software which runs on the manager
A managed device is a network node that implements an SNMP interface that allows unidirectional (read-only) or bidirectional (read and write) access to node-specific information. Managed devices exchange node-specific information with the NMSs. Sometimes called network elements, the managed devices can be any type of device, including, but not limited to, routers, access servers, switches, cable modems, bridges, hubs, IP telephones, IP video cameras, computer hosts, and printers.
An agent is a network-management software module that resides on a managed device. An agent has local knowledge of management information and translates that information to or from an SNMP-specific form.
A network management station (NMS) executes applications that monitor and control managed devices. NMSs provide the bulk of the processing and memory resources required for network management. One or more NMSs may exist on any managed network.

Management information base (MIB)
Main article: Management information base


SNMP itself does not define which information (which variables) a managed system should offer. Rather, SNMP uses an extensible design, where the available information is defined by management information bases (MIBs). MIBs describe the structure of the management data of a device subsystem; they use a hierarchical namespace containing object identifiers (OID). Each OID identifies a variable that can be read or set via SNMP. MIBs use the notation defined by Structure of Management Information Version 2.0 (SMIv2, RFC 2578), a subset of ASN.1.

Protocol details
SNMP operates in the Application Layer of the Internet Protocol Suite (Layer 7 of the OSI model). The SNMP agent receives requests on UDP port 161. The manager may send requests from any available source port to port 161 in the agent. The agent response will be sent back to the source port on the manager. The manager receives notifications (Traps and InformRequests) on port 162. The agent may generate notifications from any available port. When used with Transport Layer Security or Datagram Transport Layer Security requests are received on port 10161 and traps are sent to port 10162.[3]
SNMPv1 specifies five core protocol data units (PDUs). Two other PDUs, GetBulkRequest and InformRequest were added in SNMPv2 and the Report PDU was added in SNMPv3.
All SNMP PDUs are constructed as follows:
IP header | UDP header | version | community | PDU-type | request-id | error-status | error-index | variable bindings
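The field layout above, turned into actual bytes. This is an added example, not code from the article or from any SNMP implementation: a hand-rolled BER encoder that builds an SNMPv1 GetRequest (version, community, PDU type, request-id, error-status, error-index, variable bindings) and a bounds-checked parser that reads it back. The community string "public", request-id 1 and the OID 1.3.6.1.2.1.1.1.0 (sysDescr.0) are sample values chosen for the example; only the Python standard library is used.

```python
"""Encode and decode an SNMPv1 GetRequest with hand-rolled BER.

Added example, not from the article. It turns the field layout
(version, community, PDU type, request-id, error-status, error-index,
variable bindings) into real bytes and parses them back. The community,
request-id and OID used below are sample values.
"""

# ASN.1/BER tags SNMP uses (RFC 1157 and RFC 3416).
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GETREQUEST = 0xA0   # context-specific, constructed, tag number 0


def ber_length(n: int) -> bytes:
    """Definite length: one byte below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(value)) + value


def encode_integer(v: int) -> bytes:
    """Minimal two's-complement encoding, as BER requires."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(TAG_INTEGER, v.to_bytes(n, "big", signed=True))


def decode_integer(value: bytes) -> int:
    return int.from_bytes(value, "big", signed=True)


def encode_oid(oid: str) -> bytes:
    """Dotted OID -> OBJECT IDENTIFIER: the first two arcs share one byte (40*a+b),
    later arcs are base-128 with the high bit set on every byte but the last."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def build_get_request(community: str, oids, request_id: int, version: int = 0) -> bytes:
    """Message = SEQUENCE { version, community, GetRequest-PDU }.
    version 0 is SNMPv1, 1 is SNMPv2c. Values in a request are NULL."""
    varbinds = b"".join(tlv(TAG_SEQUENCE, encode_oid(o) + tlv(TAG_NULL, b"")) for o in oids)
    # request-id, error-status, error-index, variable-bindings
    pdu = encode_integer(request_id) + encode_integer(0) + encode_integer(0) + tlv(TAG_SEQUENCE, varbinds)
    msg = encode_integer(version) + tlv(TAG_OCTET_STRING, community.encode()) + tlv(TAG_GETREQUEST, pdu)
    return tlv(TAG_SEQUENCE, msg)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos). Every slice is bounds-checked, so a truncated
    or length-lying packet raises ValueError instead of being silently accepted."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("TLV length exceeds packet")
    return tag, buf[pos:pos + length], pos + length


def parse_message(packet: bytes) -> dict:
    """Parse a whole SNMPv1/v2c message back into its named fields."""
    tag, body, end = read_tlv(packet, 0)
    if tag != TAG_SEQUENCE or end != len(packet):
        raise ValueError("not a single SNMP message")
    _, ver, p = read_tlv(body, 0)
    _, comm, p = read_tlv(body, p)
    pdu_tag, pdu, _ = read_tlv(body, p)
    _, rid, q = read_tlv(pdu, 0)
    _, est, q = read_tlv(pdu, q)
    _, eidx, q = read_tlv(pdu, q)
    _, vbl, _ = read_tlv(pdu, q)
    bindings, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = read_tlv(vbl, pos)
        _, oid, r = read_tlv(vb, 0)
        vtag, val, _ = read_tlv(vb, r)
        bindings.append((decode_oid(oid), vtag, val))
    return {"version": decode_integer(ver), "community": comm.decode(), "pdu_type": pdu_tag,
            "request_id": decode_integer(rid), "error_status": decode_integer(est),
            "error_index": decode_integer(eidx), "bindings": bindings}


if __name__ == "__main__":
    pkt = build_get_request("public", ["1.3.6.1.2.1.1.1.0"], request_id=1)
    print(pkt.hex())
    print(parse_message(pkt))
```

The 40-byte packet this produces is the classic "snmpget sysDescr.0 with community public" seen in captures; note that the community string sits in the clear right after the version field, which is the weakness the later sections return to. The parser's bounds checks are the part an agent implementer most often gets wrong.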
The seven SNMP protocol data unit (PDU) types are as follows:
GetRequest
A manager-to-agent request to retrieve the value of a variable or list of variables. Desired variables are specified in variable bindings (values are not used). Retrieval of the specified variable values is to be done as an atomic operation by the agent. A Response with current values is returned.
SetRequest
A manager-to-agent request to change the value of a variable or list of variables. Variable bindings are specified in the body of the request. Changes to all specified variables are to be made as an atomic operation by the agent. A Response with (current) new values for the variables is returned.
GetNextRequest
A manager-to-agent request to discover available variables and their values. Returns a Response with variable binding for the lexicographically next variable in the MIB. The entire MIB of an agent can be walked by iterative application of GetNextRequest starting at OID 0. Rows of a table can be read by specifying column OIDs in the variable bindings of the request.
GetBulkRequest
Optimized version of GetNextRequest. A manager-to-agent request for multiple iterations of GetNextRequest. Returns a Response with multiple variable bindings walked from the variable binding or bindings in the request. PDU-specific non-repeaters and max-repetitions fields are used to control response behavior. GetBulkRequest was introduced in SNMPv2.
Response
Returns variable bindings and acknowledgement from agent to manager for GetRequest, SetRequest, GetNextRequest, GetBulkRequest and InformRequest. Error reporting is provided by error-status and error-index fields. Although it was used as a response to both gets and sets, this PDU was called GetResponse in SNMPv1.
Trap
Asynchronous notification from agent to manager. SNMP traps enable an agent to notify the management station of significant events by way of an unsolicited SNMP message. Includes current sysUpTime value, an OID identifying the type of trap and optional variable bindings. Destination addressing for traps is determined in an application-specific manner typically through trap configuration variables in the MIB. The format of the trap message was changed in SNMPv2 and the PDU was renamed SNMPv2-Trap. While in classic communication the client always actively requests information from the server, SNMP allows the additional use of so-called "traps". These are data packages that are sent from the SNMP client to the server without being explicitly requested.
InformRequest
Acknowledged asynchronous notification. This PDU was introduced in SNMPv2 and was originally defined as manager-to-manager communication.[4] Later implementations have loosened the original definition to allow agent-to-manager communications.[5][6][7] Manager-to-manager notifications were already possible in SNMPv1 (using a Trap), but as SNMP commonly runs over UDP where delivery is not assured and dropped packets are not reported, delivery of a Trap was not guaranteed. InformRequest fixes this by sending back an acknowledgement on receipt.[6]
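The GetNextRequest and GetBulkRequest descriptions above both rest on one agent-side operation: "the lexicographically next instanced OID after the one asked for". This added example (not from the article or any SNMP library) implements that lookup over a constructed in-memory MIB, the GetBulk non-repeaters/max-repetitions semantics on top of it, and the manager-side walk that starts at OID 0; the MIB contents (sysDescr, sysUpTime and a two-row ifTable) are made-up sample values.

```python
"""Lexicographic GetNext / GetBulk lookups over a constructed in-memory MIB.

Added example, not from the article: the agent-side "next OID" lookup and
the manager-side walk loop behind GetNextRequest and GetBulkRequest. The
MIB contents below are made-up sample values.
"""
from bisect import bisect_right


def oid_key(oid: str) -> tuple:
    """OIDs order arc by arc as integers, so '...2.10' sorts after '...2.9';
    comparing the dotted strings would get that wrong."""
    return tuple(int(a) for a in oid.strip(".").split("."))


# Constructed agent MIB: fully instanced OID -> value.
AGENT_MIB = {
    "1.3.6.1.2.1.1.1.0": "example-router",       # sysDescr.0
    "1.3.6.1.2.1.1.3.0": 123456,                 # sysUpTime.0 (TimeTicks)
    "1.3.6.1.2.1.2.2.1.1.1": 1,                  # ifIndex.1
    "1.3.6.1.2.1.2.2.1.1.2": 2,                  # ifIndex.2
    "1.3.6.1.2.1.2.2.1.2.1": "Serial0/1",        # ifDescr.1
    "1.3.6.1.2.1.2.2.1.2.2": "FastEthernet0/0",  # ifDescr.2
}
_KEYS = sorted(oid_key(o) for o in AGENT_MIB)
_OIDS = [".".join(map(str, k)) for k in _KEYS]


def get_next(oid: str):
    """Agent side of GetNextRequest: the first instanced OID strictly after
    `oid` with its value, or None when the MIB is exhausted (endOfMibView).
    `oid` need not exist in the MIB, which is what makes walks work."""
    i = bisect_right(_KEYS, oid_key(oid))
    if i == len(_OIDS):
        return None
    return _OIDS[i], AGENT_MIB[_OIDS[i]]


def get_bulk(oids, non_repeaters: int, max_repetitions: int):
    """Agent side of GetBulkRequest: a single GetNext for each of the first
    `non_repeaters` OIDs, then up to `max_repetitions` chained GetNext steps
    for every remaining OID, all returned in one flat binding list."""
    out = []
    for oid in oids[:non_repeaters]:
        out.append(get_next(oid) or (oid, "endOfMibView"))
    for oid in oids[non_repeaters:]:
        cur = oid
        for _ in range(max_repetitions):
            step = get_next(cur)
            if step is None:
                out.append((cur, "endOfMibView"))
                break
            out.append(step)
            cur = step[0]
    return out


def walk(subtree: str = "0"):
    """Manager side: repeat GetNext until the returned OID leaves `subtree`.
    Starting at OID 0 (the default) walks the entire MIB."""
    prefix = () if subtree == "0" else oid_key(subtree)
    results, cur = [], subtree
    while True:
        step = get_next(cur)
        if step is None or oid_key(step[0])[:len(prefix)] != prefix:
            break
        results.append(step)
        cur = step[0]
    return results


if __name__ == "__main__":
    for oid, value in walk("1.3.6.1.2.1.2.2.1.2"):   # the ifDescr column only
        print(oid, value)
```

Two details worth noticing: a walk of a table column is just a walk whose subtree is the column OID, and a GetBulk request that runs past the end of the MIB returns endOfMibView rather than an error, so a manager must stop on that marker and not loop forever.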

Development and usage
Version 1
SNMP version 1 (SNMPv1) is the initial implementation of the SNMP protocol. SNMPv1 operates over protocols such as User Datagram Protocol (UDP), Internet Protocol (IP), OSI Connectionless Network Service (CLNS), AppleTalk Datagram Delivery Protocol (DDP), and Novell Internet Packet Exchange (IPX). SNMPv1 is widely used and is the de facto network management protocol in the Internet community.
The first RFCs for SNMP, now known as SNMPv1, appeared in 1988:
RFC 1065 – Structure and identification of management information for TCP/IP-based internets
RFC 1066 – Management information base for network management of TCP/IP-based internets
RFC 1067 – A simple network management protocol
These protocols were obsoleted by:
RFC 1155 – Structure and identification of management information for TCP/IP-based internets
RFC 1156 – Management information base for network management of TCP/IP-based internets
RFC 1157 – A simple network management protocol
After a short time, RFC 1156 (MIB-1) was replaced by the more often used:
RFC 1213 – Version 2 of management information base (MIB-2) for network management of TCP/IP-based internets
Version 1 has been criticized for its poor security.[8] Authentication of clients is performed only by a "community string", in effect a type of password, which is transmitted in cleartext. The '80s design of SNMP V1 was done by a group of collaborators who viewed the officially sponsored OSI/IETF/NSF (National Science Foundation) effort (HEMS/CMIS/CMIP) as both unimplementable in the computing platforms of the time as well as potentially unworkable. SNMP was approved based on a belief that it was an interim protocol needed for taking steps towards large-scale deployment of the Internet and its commercialization. In that time period Internet-standard authentication/security was both a dream and discouraged by focused protocol design groups.

Version 2
SNMPv2 (RFC 1441–RFC 1452), revises version 1 and includes improvements in the areas of performance, security, confidentiality, and manager-to-manager communications. It introduced GetBulkRequest, an alternative to iterative GetNextRequests for retrieving large amounts of management data in a single request. However, the new party-based security system in SNMPv2, viewed by many as overly complex, was not widely accepted.[8] This version of SNMP reached the Proposed Standard level of maturity, but was deemed obsoleted by later versions.[9]
Community-Based Simple Network Management Protocol version 2, or SNMPv2c, is defined in RFC 1901–RFC 1908. SNMPv2c comprises SNMPv2 without the controversial new SNMP v2 security model, using instead the simple community-based security scheme of SNMPv1. This version is one of relatively few standards to meet the IETF's Draft Standard maturity level, and was widely considered the de facto SNMPv2 standard.[9] It too was later obsoleted, by SNMPv3.
User-Based Simple Network Management Protocol version 2, or SNMPv2u, is defined in RFC 1909–RFC 1910. This is a compromise that attempts to offer greater security than SNMPv1, but without incurring the high complexity of SNMPv2. A variant of this was commercialized as SNMP v2*, and the mechanism was eventually adopted as one of two security frameworks in SNMP v3.

SNMPv1 & SNMPv2c interoperability
As presently specified, SNMPv2c is incompatible with SNMPv1 in two key areas: message formats and protocol operations. SNMPv2c messages use different header and protocol data unit (PDU) formats from SNMPv1 messages. SNMPv2c also uses two protocol operations that are not specified in SNMPv1. Furthermore, RFC 2576 defines two possible SNMPv1/v2c coexistence strategies: proxy agents and bilingual network-management systems.
Proxy agents
An SNMPv2 agent can act as a proxy agent on behalf of SNMPv1 managed devices, as follows:
An SNMPv2 NMS issues a command intended for an SNMPv1 agent.
The NMS sends the SNMP message to the SNMPv2 proxy agent.
The proxy agent forwards Get, GetNext, and Set messages to the SNMPv1 agent unchanged.
GetBulk messages are converted by the proxy agent to GetNext messages and then are forwarded to the SNMPv1 agent.
The proxy agent maps SNMPv1 trap messages to SNMPv2 trap messages and then forwards them to the NMS.
Bilingual network-management system
Bilingual SNMPv2 network-management systems support both SNMPv1 and SNMPv2. To support this dual-management environment, a management application in the bilingual NMS must contact an agent. The NMS then examines information stored in a local database to determine whether the agent supports SNMPv1 or SNMPv2. Based on the information in the database, the NMS communicates with the agent using the appropriate version of SNMP.


Version 3
Although SNMPv3 makes no changes to the protocol aside from the addition of cryptographic security, it looks much different due to new textual conventions, concepts, and terminology.[1]
SNMPv3 primarily added security and remote configuration enhancements to SNMP.[10] Due to lack of security with the use of SNMP, network administrators were using other means, such as telnet for configuration, accounting, and fault management.
SNMPv3 addresses issues related to the large-scale deployment of SNMP, accounting, and fault management. Currently, SNMP is predominantly used for monitoring and performance management.
SNMPv3 defines a secure version of SNMP and also facilitates remote configuration of the SNMP entities.
SNMPv3 provides a secure environment for the management of systems covering the following:
Identification of SNMP entities to facilitate communication only between known SNMP entities – Each SNMP entity has an identifier called the SNMPEngineID, and SNMP communication is possible only if an SNMP entity knows the identity of its peer. Traps and Notifications are exceptions to this rule.
Support for security models – A security model may define the security policy within an administrative domain or an intranet. SNMPv3 contains the specifications for USM (User-based Security Model).
Definition of security goals where the goals of message authentication service include protection against the following:
Modification of Information – Protection against some unauthorized SNMP entity altering in-transit messages generated by an authorized principal.
Masquerade – Protection against attempting management operations not authorized for some principal by assuming the identity of another principal that has the appropriate authorizations.
Message Stream Modification – Protection against messages getting maliciously re-ordered, delayed, or replayed to effect unauthorized management operations.
Disclosure – Protection against eavesdropping on the exchanges between SNMP engines.
Specification for USM – USM (User-based Security Model) consists of the general definition of the following communication mechanisms available:
Communication without authentication and privacy (NoAuthNoPriv).
Communication with authentication and without privacy (AuthNoPriv).
Communication with authentication and privacy (AuthPriv).
Definition of different authentication and privacy protocols – Currently, the MD5 and SHA authentication protocols and the CBC_DES and CFB_AES_128 privacy protocols are supported in the USM. Operations and Management Area Working Group (OpsAWG) (https://datatracker.ietf.org/wg/opsawg/charter/) of IETF is currently (March 2015) advancing HMAC-SHA-2 authentication protocols (https://datatracker.ietf.org/doc/draft-ietf-opsawg-hmac-sha-2-usm-snmp/) for USM.
Definition of a discovery procedure – To find the SNMPEngineID of an SNMP entity for a given transport address and transport endpoint address.
Definition of the time synchronization procedure – To facilitate authenticated communication between the SNMP entities.
Definition of the SNMP framework MIB – To facilitate remote configuration and administration of the SNMP entity.
Definition of the USM MIBs – To facilitate remote configuration and administration of the security module.
Definition of the VACM MIBs – To facilitate remote configuration and administration of the access control module.

SNMPv3 focuses on two main aspects, namely security and administration. The security aspect is addressed by offering both strong authentication and data encryption for privacy. The administration aspect is focused on two parts, namely notification originators and proxy forwarders.
SNMPv3 defines a number of security-related capabilities. The initial specifications defined the USM and VACM, which were later followed by a transport security model that provided support for SNMPv3 over SSH and SNMPv3 over TLS and DTLS.
USM (User-based Security Model) provides authentication and privacy (encryption) functions and operates at the message level.
VACM (View-based Access Control Model) determines whether a given principal is allowed access to a particular MIB object to perform specific functions and operates at the PDU level.
TSM (Transport Security Mode) provides a method for authenticating and encrypting messages over external security channels. Two transports, SSH and TLS/DTLS, have been defined that make use of the TSM specification.
Security has been the biggest weakness of SNMP since the beginning. Authentication in SNMP Versions 1 and 2 amounts to nothing more than a password (community string) sent in clear text between a manager and agent.[1] Each SNMPv3 message contains security parameters which are encoded as an octet string. The meaning of these security parameters depends on the security model being used.[11]
SNMPv3 provides important security features:[12]
Confidentiality – Encryption of packets to prevent snooping by an unauthorized source.
Integrity – Message integrity to ensure that a packet has not been tampered while in transit including an optional packet replay protection mechanism.
Authentication – to verify that the message is from a valid source.
As of 2004 the IETF recognizes Simple Network Management Protocol version 3 as defined by RFC 3411–RFC 3418[13] (also known as STD0062) as the current standard version of SNMP. The IETF has designated SNMPv3 a full Internet standard,[14] the highest maturity level for an RFC. It considers earlier versions to be obsolete (designating them variously "Historic" or "Obsolete").[9]
In practice, SNMP implementations often support multiple versions: typically SNMPv1, SNMPv2c, and SNMPv3.[15]

Implementation issues
SNMP implementations vary across platform vendors. In some cases, SNMP is an added feature, and is not taken seriously enough to be an element of the core design. Some major equipment vendors tend to over-extend their proprietary command line interface (CLI) centric configuration and control systems.[16]
SNMP's seemingly simple tree structure and linear indexing may not always be understood well enough within the internal data structures that are elements of a platform's basic design. Consequently, processing SNMP queries on certain data sets may result in higher CPU utilization than necessary. One example of this would be large routing tables, such as BGP or IGP.

Some SNMP values (especially tabular values) require specific knowledge of table indexing schemes, and these index values are not necessarily consistent across platforms. This can cause correlation issues when fetching information from multiple devices that may not employ the same table indexing scheme (for example fetching disk utilization metrics, where a specific disk identifier is different across platforms.)[17]

Resource indexing
Modular devices may dynamically increase or decrease their SNMP indices (a.k.a. instances) whenever slotted hardware is added or removed. Although this is most common with hardware, virtual interfaces have the same effect. Index values are typically assigned at boot time and remain fixed until the next reboot. Hardware or virtual entities added while the device is 'live' may have their indices assigned at the end of the existing range and possibly reassigned at the next reboot. Network inventory and monitoring tools need to have the device update capability by properly reacting to the cold start trap from the device reboot in order to avoid corruption and mismatch of polled data.
Index assignments for an SNMP device instance may change from poll to poll mostly as a result of changes initiated by the system administrator. If information is needed for a particular interface, it is imperative to determine the SNMP index before retrieving the data needed. Generally, a description table like ifDescr will map a user-friendly name like Serial 0/1 (Blade 0, port 1) to an SNMP index. However, this is not necessarily the case for a specific SNMP value, and can be arbitrary for an SNMP implementation.
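A poller that handles the index reshuffle described above, as an added example that is not from the article or any monitoring product. The "agent" is a constructed in-memory ifTable whose ifIndex values get renumbered by a simulated reboot; the manager side resolves ifDescr to ifIndex once, drops that cache when a coldStart trap arrives, and re-checks the description at poll time in case the trap was lost. The column OIDs (ifDescr 1.3.6.1.2.1.2.2.1.2, ifInOctets 1.3.6.1.2.1.2.2.1.10) and the coldStart trap OID (1.3.6.1.6.3.1.1.5.1) are the IF-MIB and SNMPv2-MIB values; the interface names and counters are sample data.

```python
"""Poll an interface counter by name, not by ifIndex, and invalidate the
name-to-index cache on a coldStart trap.

Added example, not from the article. The agent is a constructed in-memory
ifTable whose ifIndex numbering changes on a simulated reboot, which is the
failure mode the Resource indexing section describes.
"""
IF_DESCR = "1.3.6.1.2.1.2.2.1.2"        # IF-MIB ifDescr column
IF_IN_OCTETS = "1.3.6.1.2.1.2.2.1.10"   # IF-MIB ifInOctets column
COLD_START = "1.3.6.1.6.3.1.1.5.1"      # SNMPv2-MIB coldStart trap OID
_COLUMNS = {IF_DESCR: 0, IF_IN_OCTETS: 1}


class FakeAgent:
    """Constructed agent: ifIndex -> (ifDescr, ifInOctets)."""

    def __init__(self, rows):
        self.rows = dict(rows)

    def walk_column(self, column_oid):
        """{ifIndex: value} for one column, as a GetNext walk would return."""
        col = _COLUMNS[column_oid]
        return {idx: vals[col] for idx, vals in self.rows.items()}

    def get(self, column_oid, index):
        return self.rows[index][_COLUMNS[column_oid]]

    def reboot(self):
        """Simulate a reboot: ifIndex values are handed out in a different
        order and counters reset. Returns the trap OID a real device sends."""
        descrs = [v[0] for v in self.rows.values()]
        self.rows = {i + 1: (d, 0) for i, d in enumerate(reversed(descrs))}
        return COLD_START


class InterfacePoller:
    """Manager side: cache ifDescr -> ifIndex, drop it on coldStart, and
    verify the description before trusting a cached index."""

    def __init__(self, agent):
        self.agent = agent
        self.index_by_name = None

    def _resolve(self):
        self.index_by_name = {d: i for i, d in self.agent.walk_column(IF_DESCR).items()}

    def on_trap(self, trap_oid):
        if trap_oid == COLD_START:
            self.index_by_name = None   # every cached index is now suspect

    def in_octets(self, if_name):
        """Return (ifIndex, ifInOctets) for the interface called `if_name`."""
        if self.index_by_name is None:
            self._resolve()
        idx = self.index_by_name[if_name]
        # Traps travel over UDP and may never arrive, so confirm the row
        # still belongs to this interface before using the cached index.
        if self.agent.get(IF_DESCR, idx) != if_name:
            self._resolve()
            idx = self.index_by_name[if_name]
        return idx, self.agent.get(IF_IN_OCTETS, idx)


if __name__ == "__main__":
    agent = FakeAgent({1: ("Serial0/1", 1000), 2: ("FastEthernet0/0", 5000)})
    poller = InterfacePoller(agent)
    print(poller.in_octets("Serial0/1"))   # resolved to index 1
    poller.on_trap(agent.reboot())
    print(poller.in_octets("Serial0/1"))   # now index 2, counter reset
```

Without the re-check, a lost coldStart trap would have the poller reading FastEthernet0/0's counter under Serial0/1's name for the rest of the cache lifetime, which is exactly the "corruption and mismatch of polled data" the section warns about.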

Security implications
SNMP versions 1 and 2c are subject to packet sniffing of the clear text community string from the network traffic, or guessing the community strings.
SNMP version 3 may be subject to brute force and dictionary attacks for guessing the authentication keys, or encryption keys, if these keys are generated from short (weak) passwords, or passwords that can be found in a dictionary. SNMPv3 allows both providing random uniformly distributed cryptographic keys, and generating cryptographic keys from a password supplied by the user, in which case caution is advised, and the risks are higher. The risk of guessing authentication strings is negligible, considering that for MD5 and SHA1-based authentication protocols the length of such a string is 96 bits, therefore the probability to successfully forge an authenticator is vanishingly small (being hit by lightning is likelier). The probability of finding two messages with the same authenticator is greater, but it still requires a pool of 2^48 valid messages to choose from, so it is not overly concerning, given the usage model (hard to accumulate that many messages for the same destination within the message lifetime of 5 minutes). With the acceptance of the HMAC-SHA-2 Authentication Protocol for USM, risks are even lower. The risk of guessing encrypted strings is too low to consider.
A person who is unfamiliar with the SNMP design rationale and/or cryptography may ask why a challenge-response handshake was not used to improve security. The reasons are:
1. SNMPv3 (like other SNMP protocol versions) is a stateless protocol, and it has been designed with a minimal amount of interactions between the agent and the manager. Thus introducing a challenge-response handshake for each command would impose a burden on the agent (and possibly on the network itself) that the protocol designers deemed excessive and unacceptable. The reader is referred here to the original SNMP book by Marshall Rose for the SNMP design criteria and rationale.
2. Just like in the approach chosen by the SNMPv3 USM authentication protocol, a challenge-response approach would require shared secrets. If those secrets are cryptographically strong then both approaches are likely to withstand an attack. And if those secrets are derived from short, guessable, or brute-forceable strings (such as weak passwords), an adversary that monitors the exchange can mount an offline attack and break the security, that is, determine the generating short secret. There is no difference in vulnerability between SNMPv3 USM authentication and a hypothetical challenge-response: when short secrets are used both can be broken. A cryptography-savvy reader will notice some similarities between challenge-response approaches that use keyed cryptographic one-way functions, and the USM authentication protocol. A parting advice to the user: avoid using short guessable passwords, particularly those that can be found in a dictionary. It is worth keeping in mind that most password crackers contain dictionaries in many languages, thus hoping that "your word" won't be guessed because it is in a language less common than, say, English, would be imprudent.
Although SNMP works over TCP and other protocols, it is most commonly used over UDP, which is connectionless, both for performance reasons and to minimize the additional load on a potentially troubled network that protocols like TCP impose. Remember that the design of the Simple Network Management Protocol was optimized for repairing sick networks, rather than doing heavy things with perfectly healthy ones. Regardless, any protocol that does not use security, such as SNMPv1 and SNMPv2c, is vulnerable to IP spoofing attacks, whether it runs over TCP or UDP, and is subject to bypassing device access lists that might have been implemented to restrict SNMP access. SNMPv3 security mechanisms such as USM or TSM prevent a successful attack. It is worth mentioning that it would be pointless to employ SNMPv3 VACM (View-based Access Control) without securing messages with USM or TSM, for the reasons given above.
SNMP's powerful configuration (write) capabilities are not being fully utilized by many vendors, partly because of a lack of security in SNMP versions before SNMPv3, and partly because many devices simply are not capable of being configured via individual MIB object changes. Requirements of the SNMP Set operation are not easy to implement correctly, and many vendors chose to omit support for Set, probably to lower their development cost and reduce the code size, among other reasons. Lack of security in SNMPv1 and v2c was a perfect excuse to do so.
SNMP tops the list of the SANS Institute's Common Default Configuration Issues with the issue of default SNMP community strings set to 'public' and 'private' and was number ten on the SANS Top 10 Most Critical Internet Security Threats (http://www.sans.org/top20/2000/) for the year 2000.
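The two passages this illustrates are the "Definition of different authentication and privacy protocols" item in the SNMPv3 list (USM keys are derived from a user password and localized to the agent's SNMPEngineID) and the point above that the authenticator is a 96-bit HMAC truncation. The code below is an added example written for this page, not code from the article or from any SNMP implementation: it implements the RFC 3414 password-to-key and key-localization steps and the HMAC-96 authenticator with a constant-time check, using only the Python standard library. The password "maplesyrup" and the 12-byte engine ID ending in 0x02 are the RFC 3414 Appendix A.3 test vector; the message bytes are constructed.

```python
"""RFC 3414 USM key derivation and the 96-bit HMAC authenticator.

Added example, not from the article. The password and engine ID used in
the demo are the RFC 3414 Appendix A.3 test vector; the message bytes are
constructed.
"""
import hashlib
import hmac

ONE_MEGABYTE = 1_048_576   # RFC 3414 A.2: exactly 2^20 bytes of password are hashed


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Ku: hash the password repeated cyclically to 1,048,576 bytes.
    The fixed 1 MB of hashing is the only work factor the scheme has, which
    is why the text above insists on long, non-dictionary passwords."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the same password yields a different
    key on every agent, so a key read off one agent is useless on the others."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_param(kul: bytes, hash_name: str, message: bytes) -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: the msgAuthenticationParameters value is the
    first 12 bytes (96 bits) of the HMAC over the whole message, computed with
    that field itself zeroed in `message`."""
    return hmac.new(kul, message, hash_name).digest()[:12]


def verify_auth(kul: bytes, hash_name: str, message: bytes, received: bytes) -> bool:
    """Receiver-side check, in constant time so the comparison leaks nothing."""
    return hmac.compare_digest(auth_param(kul, hash_name, message), received)


if __name__ == "__main__":
    engine_id = bytes(11) + b"\x02"          # RFC 3414 A.3 test engine ID
    ku = password_to_key(b"maplesyrup", "md5")
    kul = localize_key(ku, engine_id, "md5")
    print(kul.hex())                         # 526f5eed9fcce26f8964c2930787d82b
    msg = b"\x30\x00constructed message with authParam zeroed"
    tag = auth_param(kul, "md5", msg)
    print(verify_auth(kul, "md5", msg, tag), verify_auth(kul, "md5", msg + b"x", tag))
```

Localization is the step that gives the SNMPEngineID discovery procedure its purpose: a manager cannot compute the key it needs for an agent until it knows that agent's engine ID, and a per-agent key means that a compromised agent does not hand over a key that works elsewhere.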

Autodiscovery
SNMP by itself is simply a protocol for collecting and organizing information about managed devices (network and device monitoring), and modifying that information on these devices, causing change in their behavior (network management). Most toolsets implementing SNMP offer some form of discovery mechanism, a standardized collection of data common to most platforms and devices, to get a new user or implementor started. One of these features is often a form of automatic discovery, where new devices discovered in the network are polled automatically. For SNMPv1 and SNMPv2c, this presents a security risk, in that your SNMP read communities will be broadcast in clear-text to the target device. SNMPv3 mitigates this risk, however it does not protect against traffic analysis and potential network topology discovery by the adversary. While security requirements and risk profiles vary from organization to organization, care should be taken when using a feature like this, with special regard to common environments such as mixed-tenant datacenters, server hosting and colocation facilities, and similar environments.

RFC references
RFC 1155 (STD 16) – Structure and Identification of Management Information for the TCP/IP-based Internets
RFC 1156 (Historic) – Management Information Base for Network Management of TCP/IP-based internets
RFC 1157 (Historic) – A Simple Network Management Protocol (SNMP)
RFC 1213 (STD 17) – Management Information Base for Network Management of TCP/IP-based internets: MIB-II
RFC 1452 (Informational) – Coexistence between version 1 and version 2 of the Internet-standard Network Management Framework (Obsoleted by RFC 1908)
RFC 1901 (Experimental) – Introduction to Community-based SNMPv2
RFC 1902 (Draft Standard) – Structure of Management Information for SNMPv2 (Obsoleted by RFC 2578)
RFC 1908 (Standards Track) – Coexistence between Version 1 and Version 2 of the Internet-standard Network Management Framework
RFC 2570 (Informational) – Introduction to Version 3 of the Internet-standard Network Management Framework (Obsoleted by RFC 3410)
RFC 2578 (STD 58) – Structure of Management Information Version 2 (SMIv2)
RFC 3410 (Informational) – Introduction and Applicability Statements for Internet Standard Management Framework
STD 62
RFC 3411 – An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks
RFC 3412 – Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)
RFC 3413 – Simple Network Management Protocol (SNMP) Applications
RFC 3414 – User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)
RFC 3415 – View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)
RFC 3416 – Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP)
RFC 3417 – Transport Mappings for the Simple Network Management Protocol (SNMP)
RFC 3418 – Management Information Base (MIB) for the Simple Network Management Protocol (SNMP)
RFC 3430 (Experimental) – Simple Network Management Protocol (SNMP) over Transmission Control Protocol (TCP) Transport Mapping
RFC 3584 (BCP 74) – Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework
RFC 3826 (Proposed) – The Advanced Encryption Standard (AES) Cipher Algorithm in the SNMP User-based Security Model
RFC 5343 (Proposed) – Simple Network Management Protocol (SNMP) Context EngineID Discovery
RFC 5590 (STD 78) – Transport Subsystem for the Simple Network Management Protocol (SNMP)
RFC 5591 (STD 78) – Transport Security Model for the Simple Network Management Protocol (SNMP)
RFC 5592 (Proposed) – Secure Shell Transport Model for the Simple Network Management Protocol (SNMP)
RFC 5608 (Proposed) – Remote Authentication Dial-In User Service (RADIUS) Usage for Simple Network Management Protocol (SNMP) Transport Models.
RFC 6353 (STD 78) – Transport Layer Security (TLS) Transport Model for the Simple Network Management Protocol (SNMP)


Further reading
Douglas Mauro, Kevin Schmidt (2005). Essential SNMP, Second Edition. O'Reilly Media. p. 462. ISBN 0-596-00840-6.
William Stallings (1999). SNMP, SNMPv2, SNMPv3, and RMON 1 and 2. Addison-Wesley Longman, Inc. p. 619. ISBN 0-201-48534-6.

See also
AgentX, a subagent protocol for SNMP
CMIP over TCP/IP (CMOT)
Common management information protocol (CMIP), a management protocol by ISO/OSI used by telecommunications devices
Common management information service (CMIS)
IEC 62379
Management information base (MIB)
Net-SNMP, an open source reference implementation of SNMP
Netconf, a protocol which is an XML-based configuration protocol for network equipment
Network monitoring comparison
Object identifier (OID)
Remote monitoring (RMON)
Simple Gateway Monitoring Protocol (SGMP), an obsolete protocol replaced by SNMP
SNMP simulator

References
1. Douglas R. Mauro & Kevin J. Schmidt. (2001). Essential SNMP (1st ed.). Sebastopol, CA: O'Reilly & Associates.
2. RFC 3411 – An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks
3. RFC 6353 Section 10
4. J. Case, K. McCloghrie, M. Rose, S. Waldbusser (April 1993). "RFC 1448 – Protocol Operations for version 2 of the Simple Network Management Protocol (SNMPv2)" (https://tools.ietf.org/html/rfc1448#page-27). Internet Engineering Task Force. "An InformRequest-PDU is generated and transmitted at the request an application in a SNMPv2 entity acting in a manager role, that wishes to notify another application (in a SNMPv2 entity also acting in a manager role) of information in the MIB View of a party local to the sending application."
5. D. Levi, P. Meyer, B. Stewart (April 1999). "RFC 2573 – SNMP Applications" (https://tools.ietf.org/html/rfc2573#section-3.3). Internet Engineering Task Force.
6. "SNMP Inform Requests" (http://www.cisco.com/en/US/docs/ios/11_3/feature/guide/snmpinfm.html). Cisco. Retrieved 2011-12-09.
7. "Understanding the SNMP Implementation in JUNOS Software" (https://www.juniper.net/techpubs/software/junossecurity/junossecurity10.2/mibsrx5600srx5800servicegateway/topic21511.html). Juniper Networks. Retrieved 2013-02-11.
8. "Security in SNMPv3 versus SNMPv1 or v2c" (http://www.aethis.com/solutions/snmp_research/snmpv3_vs_wp.pdf) (PDF). Retrieved 2010-11-29.
9. "RFC Search Detail: Standards Track snmpv2 RFCs" (http://www.rfc-editor.org/search/rfc_search_detail.php?pubstatus%5b%5d=Standards+Track&std_trk=Any&pub_date_type=any&wg_acronym=snmpv2). The RFC Editor. Retrieved 2014-02-24.
10. In This Issue: SNMP Version 3 (http://www.simpletimes.org/pub/simpletimes/issues/51.html) The Simple Times (http://www.simpletimes.org/) ISSN 1060-6080
11. David Zeltserman (1999). A Practical Guide to SNMPv3 and Network Management. Upper Saddle River, NJ: Prentice Hall PTR.
12. "SNMPv3" (http://www.webcitation.org/60I4lHgQR). Cisco Systems. Archived from the original (http://www.cisco.com/en/US/docs/ios/12_0t/12_0t3/feature/guide/Snmp3.html) on 2011-07-19.
13. "SNMP Version 3" (http://www.ibr.cs.tu-bs.de/projects/snmpv3/). Institute of Operating Systems and Computer Networks. Retrieved 2010-05-07.
14. RFC Editor (http://www.rfc-editor.org/categories/rfcstandard.html) List of current Internet Standards (STDs)
15. RFC 3584 "Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework"
16. "SNMP Research presentations in favor of standards-based management over proprietary CLIs" (http://www.snmp.com/conferences/). SNMP Research. Retrieved 2010-10-12.
17. http://www.cisco.com/c/en/us/support/docs/ip/simplenetworkmanagementprotocolsnmp/40700snmpifIndex40700.html

External links
Simple Network Management Protocol (https://www.dmoz.org//Computers/Internet/Protocols/SNMP) at DMOZ
Wikiversity has learning materials about Simple Network Management Protocol

Retrieved from "https://en.wikipedia.org/w/index.php?title=Simple_Network_Management_Protocol&oldid=676103710"
Categories: Application layer protocols | Internet protocols | Internet Standards | Multi-agent systems | Network management | System administration
This page was last modified on 14 August 2015, at 18:22.
Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. By using this site, you agree to the Terms of Use and Privacy Policy. Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc., a non-profit organization.
