SNMPv3

The Oracle Communications Session Border Controller supports SNMPv3 by default. To secure your SNMPv3 system, you must configure SNMP users and groups, SNMP managers, and view access to MIB trees. SNMPv3 adds protocol security enhancements to the exchange between the SNMP agent and the SNMP Network Management System (NMS): user-based authentication, message privacy (encryption), MIB object access control, and trap filtering. Together these protect your system against attacks such as message tampering, eavesdropping, and message capture and replay.

SNMPv3 Users

An identity must be created for each SNMPv3 user to specify the user name, the authentication and privacy protocols, the passwords for secure authentication and privacy, and the ability to receive secured traps. You configure SNMPv3 users so that the agent rejects traffic from any source that captures and replays messages, or that presents an incorrect password or a lower security level than the user requires.

Configure an SNMPv3 User Identity

  1. Access the system configuration element.
    ORACLE# configure terminal
    ORACLE(configure)# system
    ORACLE(system)#
  2. Type snmp-user-entry and press Enter. The system prompt changes to let you know that you can begin configuring individual parameters used to create an identity for an SNMPv3 user.
    ORACLE(system)# snmp-user-entry
    ORACLE(snmp-user-entry)#
  3. user-name—Enter the name of the user authorized for retrieving SNMPv3 traps.
    Values:
    • <user name string>—that is 1 to 24 characters.
  4. auth-protocol—Specify the authentication protocol.
    • sha256—HMAC-SHA2-256 authentication protocol.
    • sha512—(Default) HMAC-SHA2-512 authentication protocol.
  5. priv-protocol—Specify the privacy (encryption) algorithm.
    • aes128—Encrypts message payloads with the AES128 algorithm.
  6. auth-password—Enter the authentication password for this user.
    Value:
    • <password-string>—that is 6 to 64 characters.
  7. priv-password—Enter the privacy (encryption) password for this user.
    Value:
    • <password-string>—that is 6 to 64 characters.
  8. address-list—Enter the address list name(s) for the manager host IP address(es) associated with this user. Each name must match the name of an snmp-address-entry element.
    • <address-name-string>—that is 1 to 24 characters. You can specify multiple address list names by enclosing them in parentheses "()".
  9. Type done to save your configuration.

Note:

Repeat the previous steps if you need to add more SNMPv3 users.

SNMPv3 User Groups

A group of SNMPv3 users can be specified for easy management and access control.

Each SNMPv3 group is configured with a security model and a security level. You can choose either the SNMPv1 and v2 model or the SNMPv3 model (which is selected for you by default). The security level you assign to a group applies to every user in the group, and the same level can be used across multiple SBC devices. The security level also determines whether SNMP messages are authenticated, so that tampering with a packet is detected, and whether they are encrypted, so that their contents cannot be read in transit.

The following security levels can be assigned to an SNMPv3 group:
  • The default authPriv security level specifies that the user is authenticated with either the HMAC-SHA2-256 or HMAC-SHA2-512 authentication protocol, and that message payloads are encrypted with the AES128 algorithm using a key derived from the privacy password. This level provides user authentication and message integrity, so that a trap cannot be tampered with in transit without detection, plus message privacy, so that its contents cannot be read on the wire.
  • The noAuthNoPriv security level specifies that the user is identified by a string match on the user name alone, with no authentication and no privacy, similar to SNMPv1 and SNMPv2.
  • The authNoPriv security level specifies that the user is authenticated with either the HMAC-SHA2-256 or HMAC-SHA2-512 authentication protocol, which derives a key from the authentication password and uses it to authenticate each trap and ensure the identity of the user; messages are not encrypted.

You can also configure an SNMPv3 user group to allow the co-existence of multiple SNMP message version types at the same time, specify a list of users belonging to the group, and assign the group privilege to read, write, and add SNMP objects and receive trap notifications.

Configure SNMPv3 User Group

  1. Access the system configuration element.
    ORACLE# configure terminal
    ORACLE(configure)# system
    ORACLE(system)#
  2. Type snmp-group-entry and press Enter. The system prompt changes to let you know that you can begin configuring individual parameters used to configure a group of users that belong to a particular security model who can read, write, and add SNMP objects and receive trap notifications.
    ORACLE(system)# snmp-group-entry
    ORACLE(snmp-group-entry)#
  3. name <group-name-string>—Specify the SNMPv3 group name, 1 to 24 characters.
  4. mp-model—Specify the SNMP message processing model.
    Values:
    • v1v2—The SNMPv1 and SNMPv2 model.
    • v3—The SNMPv3 model (default).

    Note:

    If the mp-model parameter is set to v1v2, the community-string parameter defines a coexistence configuration: SNMPv1 and SNMPv2 messages that carry this community string are accepted only from the hosts tied to the group through the user-list parameter, that is, through the snmp-user-entry elements it names and the snmp-address-entry elements listed in their address-list.
  5. security-level—Specify the security level of the SNMP group. The level applies to every user in the group and can be used across multiple SBC devices.
    • noAuthNoPriv—The user is identified by a string match on the user name alone, with no authentication and no privacy, similar to SNMPv1 and SNMPv2. This value is used with the mp-model parameter set to v1v2 and can only be used with the community-string parameter not specified.
    • authNoPriv—The user is authenticated with either the HMAC-SHA2-256 or HMAC-SHA2-512 authentication protocol, which derives a key from the authentication password and uses it to authenticate each trap and ensure the identity of the user; messages are not encrypted.
    • authPriv—(Default) The user is authenticated with either the HMAC-SHA2-256 or HMAC-SHA2-512 authentication protocol, and message payloads are encrypted with the AES128 algorithm using a key derived from the privacy password. This level provides user authentication, message integrity so that a trap cannot be tampered with in transit without detection, and message privacy. This value is used with the mp-model parameter set to v3.

    Note:

    If a switchover occurs on a high-availability SBC pair, the SNMPEngineID changes to that of the newly active (formerly standby) device. Update your network management system (NMS) with that SNMPEngineID: USM authentication and timeliness checks are bound to the engine ID, so messages built for the old one are rejected until the NMS rediscovers the new one.
  6. community-string <community-string>—Specify the community name, 1 to 24 characters, that allows SNMPv1 and SNMPv2 messages to co-exist with SNMPv3 for this security group.
  7. user-list <user-name string>—Specify the user(s) that belong to this group. Each name is 1 to 24 characters and must match the user-name parameter of an snmp-user-entry element, which in turn identifies the manager hosts for that user through its address-list.
  8. read-view <group-read-view-string>—Specify the name of the SNMP group's read view for a collection of MIB subtrees that can be 1 to 24 characters.
  9. write-view <group-write-view-string>—Specify the name of the SNMP group's write view for a collection of MIB subtrees that can be 1 to 24 characters.
  10. notify-view <group-notify-view-string>—Specify the name of the SNMP group's trap notification view for a collection of MIB subtrees that can be 1 to 24 characters.
  11. Type done to save your configuration.

Note:

Repeat the previous steps if you need to add more groups.

SNMPv3 Manager Access

You identify an SNMPv3 manager by adding its name and IP address, so that the SBC (the SNMP agent) can authenticate the traffic it exchanges with that manager and deliver secure traps to it. SNMPv3 also protects this traffic against delayed or replayed packets: each authenticated message carries the authoritative engine's boot count and time stamp, and messages outside the permitted time window are rejected. Privacy of the message contents comes from the encryption selected by the user's security level, not from these timeliness checks.
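
The boot count and time stamp are the USM timeliness fields of RFC 3414. The following Python model, an added example and not Oracle code, applies the RFC's check the way the SBC does when it is the authoritative engine for a manager's requests, and shows what happens to a captured message that is replayed, to a request built for the engine ID of the previously active SBC of a high-availability pair, and to a request captured before the agent rebooted. The engine IDs, boot counts and times are constructed, and the SBC's internal implementation is assumed to follow the RFC since this page does not describe it.

```python
# Added example (not Oracle code): the USM timeliness check of RFC 3414,
# section 2.2.3, as the SBC applies it when it is the authoritative engine for
# requests from a manager.  The 150-second window and the snmpEngineBoots rules
# are the RFC's; engine IDs, boot counts and times below are constructed, and
# the SBC's implementation is assumed to follow the RFC.

TIME_WINDOW = 150          # seconds; fixed by RFC 3414
BOOTS_MAX = 2**31 - 1      # an engine whose boot counter reaches this accepts nothing

class AuthoritativeEngine:
    """Minimal model of the agent-side state USM consults on every message."""
    def __init__(self, engine_id, boots, time):
        self.engine_id, self.boots, self.time = engine_id, boots, time

    def tick(self, seconds):
        self.time += seconds

    def reboot(self):
        """snmpEngineBoots increments and snmpEngineTime restarts at zero."""
        self.boots, self.time = self.boots + 1, 0

    def check(self, msg):
        """Return (accepted, reason) for the timeliness fields of one message."""
        if msg["engine_id"] != self.engine_id:
            return False, "unknownEngineID"
        if self.boots == BOOTS_MAX:
            return False, "notInTimeWindow: boot counter exhausted"
        if msg["boots"] != self.boots:
            return False, "notInTimeWindow: snmpEngineBoots mismatch"
        if abs(self.time - msg["time"]) > TIME_WINDOW:
            return False, "notInTimeWindow: outside +/-150 s"
        return True, "ok"

def usm_params(engine, user):
    """Constructed stand-in for msgSecurityParameters as a manager that has
    completed discovery fills them in (the real structure also carries the
    authentication and privacy parameters, which are not modelled here)."""
    return {"engine_id": engine.engine_id, "boots": engine.boots,
            "time": engine.time, "user": user}

def replay_results(delays=(0, 149, 150, 151, 3600)):
    """Capture one valid request and replay it after each delay; returns
    {delay: accepted}.  The window bounds replay but does not eliminate it:
    anything inside 150 s still passes this check."""
    sbc = AuthoritativeEngine("sbc-a-engine", boots=3, time=1000)   # constructed
    captured = usm_params(sbc, "nmsops")
    out = {}
    for delay in delays:
        clock = AuthoritativeEngine(sbc.engine_id, sbc.boots, sbc.time)
        clock.tick(delay)
        out[delay] = clock.check(captured)[0]
    return out

def switchover_result():
    """A manager still using the engine ID of the previously active SBC: the
    standby that took over has its own engine ID, so every message fails until
    the NMS rediscovers it (the switchover note on this page)."""
    sbc_a = AuthoritativeEngine("sbc-a-engine", boots=3, time=1000)
    sbc_b = AuthoritativeEngine("sbc-b-engine", boots=7, time=20)
    stale = usm_params(sbc_a, "nmsops")
    return sbc_b.check(stale)

def reboot_result():
    """A request captured before the agent rebooted is rejected afterwards,
    even when its time value happens to fall inside the window."""
    sbc = AuthoritativeEngine("sbc-a-engine", boots=3, time=100)
    captured = usm_params(sbc, "nmsops")
    sbc.reboot()
    sbc.tick(100)              # same snmpEngineTime as the capture, new boots
    return sbc.check(captured)

if __name__ == "__main__":
    for delay, ok in replay_results().items():
        print(f"replay after {delay:>4}s: {'accepted' if ok else 'rejected'}")
    print("after HA switchover:", switchover_result())
    print("after agent reboot: ", reboot_result())
```

Two caveats follow from the model. The check bounds replay rather than preventing it, since an identical message replayed within the 150 second window passes, so keep write access narrow through the group's write-view and use the authPriv level. And timeliness is only evaluated for authenticated messages, so a noAuthNoPriv group receives no replay protection at all.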

Configure SNMPv3 Manager Access

  1. Access the system configuration element.
    ORACLE# configure terminal
    ORACLE(configure)# system
    ORACLE(system)#
  2. Type snmp-address-entry and press Enter. The system prompt changes to let you know that you can begin configuring individual parameters used to identify the SNMP manager.
    ORACLE(system)# snmp-address-entry
    ORACLE(snmp-address-entry)#
  3. name—Specify a name to be referenced when operating with this manager.
    Value:
    • <management-hostname-string>—that is 1 to 24 characters and is used to specify the name for the SNMPv3 target IP address.
  4. address—Specify the IP address of the manager. The parameter takes an IP address, optionally followed by a mask in number of bits and/or a port number.
    ORACLE(snmp-address-entry)# address <ip-address>[/<num-bits>][:<port>]
    Values:
    • <ip-address>—IP address in IPv4 or IPv6 standard format.
    • /<num-bits>—optional subnetwork (subnet) mask, expressed as a prefix length in bits, that defines the range of addresses matched for this manager. The default is a host mask (255.255.255.255 for IPv4), which matches the single address.
    • :<port>—optional UDP port on which the manager receives traps. Set this value if the manager is a trap receiver. Do not set this value if the manager is performing queries.
  5. trap-filter-level—Set this value only if the manager is a trap receiver; do not set it if the manager is performing queries. Select a priority level that is equal to or lower than the filter-level value.
    Values:
    • "" (Default)—The field is blank. The manager is not configured to receive any trap.
    • ALL—The manager receives traps for all conditions.
    • Minor—The manager receives traps for error conditions that exist on the device.
    • Major—The manager receives traps for critical conditions that exist on the device.
    • Critical—The manager receives traps for conditions that require immediate action on the device.
  6. Type done to save your configuration.

Note:

Repeat the previous steps if you need to add more SNMPv3 target IP addresses.

SNMPv3 Views

SNMPv3 uses the View-based Access Control Model (VACM) to check whether a specific type of access (read, write or notify) to a specific managed object is allowed for the requesting user's group. You configure individual parameters to include or exclude view access to single or multiple MIB OID subtrees under an SNMPv3 view name.
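
To make the include and exclude semantics concrete, the following Python snippet, an added example and not Oracle code, evaluates OIDs against a view built from the included-list and excluded-list values the procedure below uses as examples. It assumes the standard VACM rule of RFC 3415 that the longest matching subtree decides and that an OID matching no subtree lies outside the view; this page does not state how the SBC resolves overlapping subtrees, so confirm that behaviour on your device. The OIDs in the sample walk are constructed.

```python
# Added example (not Oracle code): evaluate a snmp-view-entry the way VACM
# applies it.  Assumes the RFC 3415 rule that, when several subtrees match an
# OID, the longest (most specific) one decides, and that an OID matching no
# subtree is outside the view.  Subtree masks are not modelled.

def parse_oid(text):
    """'1.3.6.1.4.1.9148' -> (1, 3, 6, 1, 4, 1, 9148)."""
    return tuple(int(arc) for arc in text.strip().split("."))

def parse_list(text):
    """Accept the forms the procedure allows: a single OID, or several in
    parentheses separated by spaces and/or commas."""
    text = text.strip()
    if text.startswith("(") and text.endswith(")"):
        text = text[1:-1]
    return [parse_oid(t) for t in text.replace(",", " ").split()]

class View:
    """One snmp-view-entry: a name plus included and excluded subtrees."""
    def __init__(self, name, included_list="", excluded_list=""):
        self.name = name
        # Each family is (subtree, included?), as in vacmViewTreeFamilyTable.
        self.families = ([(o, True) for o in parse_list(included_list)] +
                         [(o, False) for o in parse_list(excluded_list)])
        for subtree, _ in self.families:     # the page: every subtree is under 1.3.6.1
            if subtree[:4] != (1, 3, 6, 1):
                raise ValueError(f"{'.'.join(map(str, subtree))} is not under 1.3.6.1")

    def allows(self, oid):
        """True if the OID is visible in this view."""
        oid = parse_oid(oid) if isinstance(oid, str) else tuple(oid)
        best = None                          # longest matching family wins
        for subtree, included in self.families:
            if oid[:len(subtree)] == subtree and (best is None or len(subtree) > len(best[0])):
                best = (subtree, included)
        return best is not None and best[1]

    def filter_walk(self, oids):
        """Split the OIDs a walk touches into (visible, hidden): what a manager
        bound to this view gets back and what the agent withholds."""
        visible = [o for o in oids if self.allows(o)]
        return visible, [o for o in oids if o not in visible]

# Constructed view built from the example values this page gives for the
# included-list and excluded-list parameters.
SBC_READ = View("sbc-read",
                included_list="(1.3.6.1.2 1.3.6.1.4.1.9148)",
                excluded_list="(1.3.6.1.4.1.9148.3.3 1.3.6.1.4.1.9148.3.5)")

# Constructed OIDs: one under MIB-2, one under the enterprise subtree, one in
# an excluded enterprise subtree, and one under 1.3.6.1.6 that no subtree covers.
WALK = ["1.3.6.1.2.1.1.1.0", "1.3.6.1.4.1.9148.3.2.1.1.1.0",
        "1.3.6.1.4.1.9148.3.3.1.1.0", "1.3.6.1.6.3.1.1.5.1"]

if __name__ == "__main__":
    shown, hidden = SBC_READ.filter_walk(WALK)
    print("visible:", shown)
    print("hidden: ", hidden)
```

Exclusions only carve holes in a broader inclusion: a subtree that is in neither list is simply not in the view, and a narrower included-list entry under an excluded one re-opens just that branch. Assign the view to the group's read-view, write-view and notify-view as needed; in VACM terms a group with no write-view has no write access, which is the right default for an NMS that only polls (confirm this on the SBC).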

Specify SNMPv3 View Access to a MIB

  1. Access the system configuration element.
    ORACLE# configure terminal
    ORACLE(configure)# system
    ORACLE(system)#
  2. Type snmp-view-entry and press Enter. The system prompt changes to let you know that you can begin configuring individual parameters used to include or exclude view access.
    ORACLE(system)# snmp-view-entry
    ORACLE(snmp-view-entry)#
  3. name—Specify the SNMPv3 view name.
    Valid value:
    • <SNMP-view-name-string>—that is 1 to 24 characters.
  4. included-list— Use this parameter to include view access to a MIB OID subtree or multiple OID subtrees for this SNMPv3 view name.
    Valid value:
    • <OID(s)>—Object Identifier number separated by a dot (.), in which each subsequent number is a sub-identifier. Each subtree OID starts with the prefix 1.3.6.1.

      For example:

      • 1.3.6.1.6
      • (1.3.6.1.2 1.3.6.1.4.1.9148) - You can enter multiple values enclosed in parenthesis and separated by space or comma.
  5. Repeat the previous step if you need to include additional OID subtrees.
  6. excluded-list—Use this parameter to exclude view access to a MIB OID subtree or multiple OID subtrees for this SNMPv3 view name.
    Valid value:
    • <OID(s)>— Object Identifier number separated by a dot (.), in which each subsequent number is a sub-identifier. Each subtree OID starts with the prefix 1.3.6.1.

      For example:

      • 1.3.6.1.4.1.9148.3.3
      • (1.3.6.1.4.1.9148.3.3 1.3.6.1.4.1.9148.3.5) - You can enter multiple values enclosed in parenthesis and separated by space or comma.
  7. Type done to save your configuration.

Note:

Repeat the previous steps if you need to add more SNMPv3 views.
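
The four procedures on this page define interlocking elements: a group's user-list must name existing snmp-user-entry elements, a user's address-list must name existing snmp-address-entry elements, and a group's views must name existing snmp-view-entry elements. The following Python script, an added example and not Oracle code, checks those references together with the length limits and the mp-model/security-level pairing stated above, then renders a consistent configuration as one ACLI session. The sample hosts, names, passwords and OIDs are constructed; the rendered command syntax, the parenthesised multi-value form and the warning on reusing one secret for both passwords are assumptions to confirm on your device.

```python
# Added example (not Oracle code): check an SBC SNMPv3 configuration against the
# constraints this page states, then render it as the ACLI session the four
# procedures describe.  Element and parameter names are the page's; the exact
# rendering, the "(a b)" multi-value syntax and the password-reuse warning are assumptions.

NAME_MAX, PW_MIN, PW_MAX = 24, 6, 64
LEVELS = {"v1v2": {"noAuthNoPriv"}, "v3": {"authNoPriv", "authPriv"}}
ELEMENTS = {   # element -> parameters in the order the procedures set them
    "snmp-address-entry": ("name", "address", "trap-filter-level"),
    "snmp-user-entry": ("user-name", "auth-protocol", "priv-protocol",
                        "auth-password", "priv-password", "address-list"),
    "snmp-view-entry": ("name", "included-list", "excluded-list"),
    "snmp-group-entry": ("name", "mp-model", "security-level", "community-string",
                         "user-list", "read-view", "write-view", "notify-view")}

def lst(value):
    """One value bare; several in parentheses, the syntax the page shows."""
    if isinstance(value, (list, tuple)):
        return value[0] if len(value) == 1 else "(" + " ".join(value) + ")"
    return str(value)

def validate(cfg):
    """Return problems found in cfg (element name -> list of parameter dicts)."""
    p = []
    mgr = {m["name"] for m in cfg.get("snmp-address-entry", [])}
    usr = {u["user-name"] for u in cfg.get("snmp-user-entry", [])}
    vw = {v["name"] for v in cfg.get("snmp-view-entry", [])}
    def name_ok(kind, n):
        if not 1 <= len(n) <= NAME_MAX:
            p.append(f"{kind} {n!r}: name must be 1-{NAME_MAX} characters")
    for m in cfg.get("snmp-address-entry", []):
        name_ok("snmp-address-entry", m["name"])
    for u in cfg.get("snmp-user-entry", []):
        n = u["user-name"]
        name_ok("snmp-user-entry", n)
        if (u.get("auth-protocol", "sha512") not in ("sha256", "sha512")
                or u.get("priv-protocol", "aes128") != "aes128"):
            p.append(f"user {n!r}: unsupported auth-protocol or priv-protocol")
        for label in ("auth-password", "priv-password"):
            if not PW_MIN <= len(u.get(label, "")) <= PW_MAX:
                p.append(f"user {n!r}: {label} must be {PW_MIN}-{PW_MAX} characters")
        if u.get("auth-password") == u.get("priv-password"):  # hardening, not a page rule
            p.append(f"user {n!r}: auth-password and priv-password are identical")
        p += [f"user {n!r}: address-list {a!r} has no snmp-address-entry"
              for a in u.get("address-list", []) if a not in mgr]
    for v in cfg.get("snmp-view-entry", []):
        name_ok("snmp-view-entry", v["name"])
        p += [f"view {v['name']!r}: OID {o} lacks the 1.3.6.1 prefix" for o in
              v.get("included-list", []) + v.get("excluded-list", []) if not o.startswith("1.3.6.1")]
    for g in cfg.get("snmp-group-entry", []):
        n, model, level = g["name"], g.get("mp-model", "v3"), g.get("security-level", "authPriv")
        name_ok("snmp-group-entry", n)
        if level not in LEVELS.get(model, ()):
            p.append(f"group {n!r}: {level} is not valid with mp-model {model}")
        if model == "v3" and g.get("community-string"):
            p.append(f"group {n!r}: community-string is only used with mp-model v1v2")
        p += [f"group {n!r}: user-list {x!r} has no snmp-user-entry"
              for x in g.get("user-list", []) if x not in usr]
        p += [f"group {n!r}: {k} {g[k]!r} has no snmp-view-entry"
              for k in ("read-view", "write-view", "notify-view") if g.get(k) and g[k] not in vw]
    return p

def acli(cfg):
    """Render cfg as one ACLI session, each element closed with done."""
    out = ["configure terminal", "system"]
    for element, params in ELEMENTS.items():
        for entry in cfg.get(element, []):
            out += [element] + [f"  {k} {lst(entry[k])}" for k in params
                                if entry.get(k) not in (None, "", [])] + ["  done"]
    return "\n".join(out)

# Constructed sample: one NMS that polls (no port), one that only receives traps.
BASE = {"snmp-address-entry": [{"name": "nms-poll", "address": "192.0.2.10"},
                               {"name": "nms-traps", "address": "192.0.2.20:162",
                                "trap-filter-level": "Major"}],
        "snmp-view-entry": [{"name": "sbc-read", "included-list": ["1.3.6.1"],
                             "excluded-list": ["1.3.6.1.4.1.9148.3.3"]}]}
# Weak: a 5-character secret reused for both passwords, an address-list naming a
# manager that is never defined, and noAuthNoPriv requested for a v3 group.
WEAK = {**BASE,
        "snmp-user-entry": [{"user-name": "nmsops", "auth-password": "short",
                             "priv-password": "short", "address-list": ["nms-poll", "nms-old"]}],
        "snmp-group-entry": [{"name": "ops", "user-list": ["nmsops"],
                              "security-level": "noAuthNoPriv", "read-view": "sbc-read"}]}
# Corrected: distinct 6-64 character secrets, the defaults sha512/aes128/authPriv,
# both managers defined, and notify-view set so traps are filtered by the same view.
GOOD = {**BASE,
        "snmp-user-entry": [{"user-name": "nmsops", "auth-password": "Auth-Secret-2024!",
                             "priv-password": "Priv-Secret-2024!", "address-list": ["nms-poll", "nms-traps"]}],
        "snmp-group-entry": [{"name": "ops", "mp-model": "v3", "security-level": "authPriv",
                              "user-list": ["nmsops"], "read-view": "sbc-read", "notify-view": "sbc-read"}]}

if __name__ == "__main__":
    print(*validate(WEAK), "", acli(GOOD), sep="\n")
```

Run the script before a change window: an empty result from validate means every cross-reference resolves and the levels match their models, and the printed session can be pasted into the ACLI element by element, typing done after each block as the procedures require.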