User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)
RFC 2264

Document Type RFC - Proposed Standard (January 1998; No errata)
Obsoleted by RFC 2274
Last updated 2015-10-14
Stream IETF
Network Working Group                                      U. Blumenthal
Request for Comments: 2264                     IBM T. J. Watson Research
Category: Standards Track                                      B. Wijnen
                                               IBM T. J. Watson Research
                                                            January 1998

          User-based Security Model (USM) for version 3 of the
              Simple Network Management Protocol (SNMPv3)

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1997).  All Rights Reserved.

Abstract

   This document describes the User-based Security Model (USM) for SNMP
   version 3 for use in the SNMP architecture [RFC2261].  It defines the
   Elements of Procedure for providing SNMP message level security.
   This document also includes a MIB for remotely monitoring/managing
   the configuration parameters for this Security Model.
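The key derivation and message authentication steps that the table of contents lists (2.6 Key Localization Algorithm; 6 and 7, the HMAC-MD5-96 and HMAC-SHA-96 protocols; 6.3.1 and 6.3.2, outgoing and incoming processing) as an added worked example in Python. This is editor-supplied code, not text or code from RFC 2264 or from any SNMP implementation. It assumes the RFC's password-to-key algorithm (hash the password repeated to exactly 1,048,576 octets to get Ku, then Kul = H(Ku || snmpEngineID || Ku)) and uses the "maplesyrup" password and engine ID 000000000000000000000002 from the RFC's own appendix test vectors, which are not reproduced on this page. The sample wholeMsg bytes and the field offset are constructed placeholders, not a real BER-encoded SNMP message.

```python
import hashlib
import hmac

ONE_MEGABYTE = 1048576
MAC_LEN = 12  # HMAC-MD5-96 and HMAC-SHA-96 both keep the first 96 bits of the HMAC

# Constructed inputs: password and snmpEngineID from the RFC's appendix test vectors
# (assumed from that appendix; it is not shown on this page).
PASSWORD = b"maplesyrup"
ENGINE_ID = bytes.fromhex("000000000000000000000002")

# Constructed stand-in for a wholeMsg: some header octets, a 12-octet zero-filled
# msgAuthenticationParameters field, then a payload. Not real BER; offset is by
# construction, a real implementation takes it from the parsed message.
SAMPLE_PREFIX = b"header|"
SAMPLE_OFFSET = len(SAMPLE_PREFIX)
SAMPLE_MSG = SAMPLE_PREFIX + bytes(MAC_LEN) + b"|scopedPDU"


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """Ku: hash of the password repeated/truncated to exactly 1,048,576 octets."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rem = divmod(ONE_MEGABYTE, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the per-engine key the USM actually stores."""
    if not 5 <= len(engine_id) <= 32:  # SnmpEngineID is OCTET STRING (SIZE(5..32))
        raise ValueError("snmpEngineID must be 5..32 octets")
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def hmac96(kul: bytes, whole_msg: bytes, hash_name: str = "md5") -> bytes:
    """Full HMAC over wholeMsg, truncated to 96 bits (12 octets)."""
    return hmac.new(kul, whole_msg, hash_name).digest()[:MAC_LEN]


def authenticate_outgoing(kul: bytes, whole_msg: bytes, param_offset: int,
                          hash_name: str = "md5") -> bytes:
    """Outgoing: the MAC is computed with msgAuthenticationParameters set to
    12 zero octets, then written into that field."""
    field = whole_msg[param_offset:param_offset + MAC_LEN]
    if field != bytes(MAC_LEN):
        raise ValueError("msgAuthenticationParameters must be zero-filled before signing")
    mac = hmac96(kul, whole_msg, hash_name)
    return whole_msg[:param_offset] + mac + whole_msg[param_offset + MAC_LEN:]


def authenticate_incoming(kul: bytes, whole_msg: bytes, param_offset: int,
                          hash_name: str = "md5") -> bool:
    """Incoming: save the received MAC, zero the field, recompute, and compare
    in constant time. Anything other than exactly 12 octets is rejected."""
    received = whole_msg[param_offset:param_offset + MAC_LEN]
    if len(received) != MAC_LEN:
        return False
    zeroed = whole_msg[:param_offset] + bytes(MAC_LEN) + whole_msg[param_offset + MAC_LEN:]
    return hmac.compare_digest(hmac96(kul, zeroed, hash_name), received)


if __name__ == "__main__":
    for name in ("md5", "sha1"):
        ku = password_to_key(PASSWORD, name)
        kul = localize_key(ku, ENGINE_ID, name)
        print(f"{name}: Ku={ku.hex()} Kul={kul.hex()}")
    kul = localize_key(password_to_key(PASSWORD), ENGINE_ID)
    signed = authenticate_outgoing(kul, SAMPLE_MSG, SAMPLE_OFFSET)
    print("authentic:", authenticate_incoming(kul, signed, SAMPLE_OFFSET))
    tampered = signed[:-1] + bytes([signed[-1] ^ 0x01])
    print("tampered accepted:", authenticate_incoming(kul, tampered, SAMPLE_OFFSET))
```

Kul is the value an engine stores and uses; Ku never needs to be present on the managed device. The derivation has no secret salt, so an attacker who captures one authenticated message and knows the engine ID (it is sent in the clear) can test password guesses offline. Localization limits the damage of a Kul leak to that one engine but does nothing for a weak password.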

Table of Contents

1.  Introduction                                                       3
1.1.  Threats                                                          4
1.2.  Goals and Constraints                                            5
1.3.  Security Services                                                6
1.4.  Module Organization                                              7
1.4.1.  Timeliness Module                                              7
1.4.2.  Authentication Protocol                                        8
1.4.3.  Privacy Protocol                                               8
1.5.  Protection against Message Replay, Delay and Redirection         8
1.5.1.  Authoritative SNMP engine                                      8
1.5.2.  Mechanisms                                                     8
1.6.  Abstract Service Interfaces                                     10
1.6.1.  User-based Security Model Primitives for Authentication       11
1.6.2.  User-based Security Model Primitives for Privacy              11
2.  Elements of the Model                                             12
2.1.  User-based Security Model Users                                 12

Blumenthal & Wijnen         Standards Track                     [Page 1]
RFC 2264                     USM for SNMPv3                 January 1998

2.2.  Replay Protection                                               13
2.2.1.  msgAuthoritativeEngineID                                      13
2.2.2.  msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime    14
2.2.3.  Time Window                                                   15
2.3.  Time Synchronization                                            15
2.4.  SNMP Messages Using this Security Model                         16
2.5.  Services provided by the User-based Security Model              17
2.5.1.  Services for Generating an Outgoing SNMP Message              17
2.5.2.  Services for Processing an Incoming SNMP Message              19
2.6.  Key Localization Algorithm                                      21
3.  Elements of Procedure                                             21
3.1.  Generating an Outgoing SNMP Message                             22
3.2.  Processing an Incoming SNMP Message                             25
4.  Discovery                                                         30
5.  Definitions                                                       31
6.  HMAC-MD5-96 Authentication Protocol                               45
6.1.  Mechanisms                                                      45
6.1.1.  Digest Authentication Mechanism                               46
6.2.  Elements of the Digest Authentication Protocol                  46
6.2.1.  Users                                                         46
6.2.2.  msgAuthoritativeEngineID                                      47
6.2.3.  SNMP Messages Using this Authentication Protocol              47
6.2.4.  Services provided by the HMAC-MD5-96 Authentication Module    47
6.2.4.1.  Services for Generating an Outgoing SNMP Message            47
6.2.4.2.  Services for Processing an Incoming SNMP Message            48
6.3.  Elements of Procedure                                           49
6.3.1.  Processing an Outgoing Message                                49
6.3.2.  Processing an Incoming Message                                50
7.  HMAC-SHA-96 Authentication Protocol                               51
7.1.  Mechanisms                                                      51
7.1.1.  Digest Authentication Mechanism                               51
7.2.  Elements of the HMAC-SHA-96 Authentication Protocol             52
7.2.1.  Users                                                         52