MG-SOFT SNMPv3 engine

Reference SNMPv3 implementation since 1998


MG-SOFT started implementing an SNMPv3 engine in early 1998, while SNMPv3 draft specifications were still emerging from the IETF SNMPv3 working group. MG-SOFT published the first public beta release of the SNMPv3 engine implementation in November 1998. In May 1999, when IETF published RFC 257x documents, MG-SOFT published a conformant release of the SNMPv3 engine implementation.

In December 2002, when the IETF published the RFC 341x documents and thereby advanced the SNMPv3 specification to the Internet Standard level (STD 62), MG-SOFT had already been shipping a conformant SNMPv3 implementation. As a consequence, all of MG-SOFT's other network management products are also compliant with the current SNMPv3 protocol standard.

By providing a conformant implementation of the SNMPv3 protocol standard (and the whole SNMPv3 network management product line) even before the standard had been officially published, MG-SOFT again proved its technical excellence and commitment to serve even the most demanding customers.

In 2003 MG-SOFT extended the SNMPv3 engine so that the USM module also supports the CFB-AES-128 privacy protocol (RFC 3826).

In 2011 we extended MG-SOFT's SNMPv3 engine with support for TLS/DTLS transport layer security (RFC 6353). Interoperability tests were successfully passed with two other known implementations, Net-SNMP and SNMP Research, in order to support advancement of the feature standardization process:
draft-schoenw-isms-interoperability-report-02.txt
Our SNMP protocol implementation with this feature now serves as a reference implementation for other implementers.

In 2016 we extended MG-SOFT's SNMPv3 engine with support for the HMAC-SHA-2 authentication protocols in the User-Based Security Model (USM) (RFC 7860). The supported SHA-2 authentication protocols are HMAC-SHA-2-224, HMAC-SHA-2-256, HMAC-SHA-2-384 and HMAC-SHA-2-512.

In 2017 we extended MG-SOFT's SNMPv3 engine to also support the CFB-AES-192, CFB-AES-256 and CBC-3DES privacy protocols in the User-Based Security Model (USM).

Note: There is currently no standard for using the AES-192, AES-256 and 3DES privacy protocols in SNMPv3 USM. When these privacy protocols are used with the MD5 and SHA1 authentication protocols, whose output is not long enough to accommodate the 192-bit or 256-bit keys for AES-192 and AES-256 or the 168-bit key for 3DES, some mechanism needs to be employed to produce localized keys of an adequate size. The MG-SOFT SNMPv3 engine employs the key extension mechanism used by Cisco and some other parties, which is described in the Reeder 3DES Internet draft document.
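The key extension described in the note above can be sketched as follows. This is an added example, not MG-SOFT's code: it implements the RFC 3414 password-to-key and key localization steps and then the chaining step from the Reeder draft, and the function names are hypothetical; the password and engine ID are the RFC 3414 Appendix A.3 test inputs.

```python
import hashlib

def password_to_key(password: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: hash the first 1 MiB of the endlessly repeated password (Ku)."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(1048576, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()

def localize(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 2.6: bind Ku to one engine, Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def localized_priv_key(password: bytes, engine_id: bytes,
                       hash_name: str, key_len: int) -> bytes:
    """Localized privacy key of key_len bytes, extended by Reeder-style chaining."""
    key = localize(password_to_key(password, hash_name), engine_id, hash_name)
    while len(key) < key_len:
        # Chaining: the previous output replaces the passphrase, is localized
        # with the same engineID, and the result is appended. With MD5 or SHA-1
        # and keys of up to 32 bytes this loop runs at most once.
        ku_next = password_to_key(key, hash_name)
        key += localize(ku_next, engine_id, hash_name)
    return key[:key_len]

# Inputs taken from the RFC 3414 Appendix A.3 test vectors.
ENGINE_ID = bytes.fromhex("000000000000000000000002")
PASSWORD = b"maplesyrup"

# Localized key sizes in bytes. The 3DES entry is 32 because the draft uses
# 24 bytes as the cipher key and the remaining 8 as the pre-IV.
KEY_SIZES = {"CFB-AES-128": 16, "CFB-AES-192": 24, "CFB-AES-256": 32, "CBC-3DES": 32}

def extension_needed(hash_name: str, key_len: int) -> bool:
    """True when the hash output alone is shorter than the required key."""
    return hashlib.new(hash_name).digest_size < key_len

if __name__ == "__main__":
    for hash_name in ("md5", "sha1"):
        for cipher, key_len in KEY_SIZES.items():
            key = localized_priv_key(PASSWORD, ENGINE_ID, hash_name, key_len)
            flag = "extended" if extension_needed(hash_name, key_len) else "native"
            print(f"{hash_name:5} {cipher:12} {flag:9} {key.hex()}")
```

Every extended byte is a deterministic function of the first localized key, so the chained key carries no more entropy than the password and the 128-bit or 160-bit hash output it started from.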

Since November 1998, when MG-SOFT performed and successfully passed a number of interoperability tests with other SNMPv3 vendors and their SNMPv3 implementations, MG-SOFT has built a global reputation for a trusted, conformant, high-performance and highly reliable SNMPv3 implementation. MG-SOFT has tens of thousands of corporate, educational, governmental and individual users worldwide.

Today, MG-SOFT's SNMPv3 engine is a mature and market-proven product that is widely used with MG-SOFT's SNMPv3 manager and agent products, as well as with numerous products developed by third parties who have licensed MG-SOFT's SNMPv3 technology. Moreover, MG-SOFT's SNMPv3 engine is considered a de facto reference SNMPv3 protocol implementation for other SNMPv3 protocol implementers.



MG-SOFT SNMPv3 implementation

MG-SOFT has implemented an SNMP engine supporting the SNMPv1, SNMPv2c and SNMPv3 protocols, including the complete User-Based Security Model (HMAC-MD5, HMAC-SHA1 authentication; CBC-DES, CFB-AES-128 privacy) and USM extensions (HMAC-SHA-2 authentication; CFB-AES-192, CFB-AES-256, CBC-3DES privacy; Diffie-Hellman key ignition), and the Transport Security Model with support for SNMPv3 over the TLS and DTLS protocols (using X.509 digital certificates), which provide strong security on the transport layer.

The MG-SOFT SNMPv3 engine conforms to the most recent SNMPv3 specification documents:

  • Structure and Identification of Management Information for TCP/IP-based Internets (SMIv1),
    (RFC 1155, May 1990).
  • A Simple Network Management Protocol (SNMPv1),
    (RFC 1157, May 1990).
  • Concise MIB Definitions (SMIv1),
    (RFC 1212, March 1991).
  • A Convention for Defining Traps for use with the SNMP (SMIv1),
    (RFC 1215, March 1991).
  • Introduction to Community-based SNMPv2 (SNMPv2c),
    (RFC 1901, Experimental, January 1996).
  • Structure of Management Information Version 2 (SMIv2),
    (RFC 2578, STD 58, April 1999).
  • Textual Conventions for SMIv2,
    (RFC 2579, STD 58, April 1999).
  • Conformance Statements for SMIv2,
    (RFC 2580, STD 58, April 1999).
  • Extension to the User-Based Security Model (USM) to Support Triple-DES EDE in "Outside" CBC Mode,
    (I-D, October 1999).
  • Diffie-Helman USM Key Management Information Base and Textual Convention,
    (RFC 2786, Experimental, March 2000).
  • Introduction and Applicability Statements for Internet Standard Management Framework,
    (RFC 3410, Informational, December 2002).
  • An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks,
    (RFC 3411, STD 62, December 2002).
  • Message Processing and Dispatching for the Simple Network Management Protocol (SNMP),
    (RFC 3412, STD 62, December 2002).
  • Simple Network Management Protocol (SNMP) Applications,
    (RFC 3413, STD 62, December 2002).
  • User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3),
    (RFC 3414, STD 62, December 2002).
  • View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP),
    (RFC 3415, STD 62, December 2002).
  • Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP),
    (RFC 3416, STD 62, December 2002).
  • Transport Mappings for the Simple Network Management Protocol (SNMP),
    (RFC 3417, STD 62, December 2002).
  • Management Information Base (MIB) for the Simple Network Management Protocol (SNMP),
    (RFC 3418, STD 62, December 2002).
  • Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework,
    (RFC 3584, BCP 74, August 2003).
  • The Advanced Encryption Standard (AES) Cipher Algorithm in the SNMP User-based Security Model,
    (RFC 3826, Standards Track, June 2004).
  • Transport Subsystem for the Simple Network Management Protocol (SNMP),
    (RFC 5590, Standards Track, June 2009).
  • Transport Security Model for the Simple Network Management Protocol (SNMP),
    (RFC 5591, Standards Track, June 2009).
  • Transport Layer Security (TLS) Transport Model for the Simple Network Management Protocol (SNMP),
    (RFC 6353, Standards Track, July 2011).
  • Translation of Structure of Management Information Version 2 (SMIv2) MIB Modules to YANG Modules,
    (RFC 6643, Standards Track, July 2012).
  • HMAC-SHA-2 Authentication Protocols in User-Based Security Model (USM) for SNMPv3,
    (RFC 7860, Standards Track, April 2016).



SNMPv3 protocol interoperability and conformance

An agent based on the MG-SOFT SNMPv3 engine is available on the Internet for interoperability testing (note that the SNMP SET operation is disabled for security reasons). The following are the supported groups of SNMPv3 USM access parameters:

  1. Accessing the agent by using the SNMPv3 protocol without authentication and without privacy (security level: NoAuthNoPriv):

    IP Address: 212.30.73.70
    SNMP Port: 161
    ContextName: public
    UserName: noAuthUser

  2. Accessing the agent by using the SNMPv3 protocol with HMAC-MD5 authentication protocol and without a privacy protocol (security level: AuthNoPriv):

    IP Address: 212.30.73.70
    SNMP Port: 161
    ContextName: public
    UserName: MD5_User
    Authentication Password: AuthPassword

  3. Accessing the agent by using the SNMPv3 protocol with HMAC-SHA authentication protocol and without a privacy protocol (security level: AuthNoPriv):

    IP Address: 212.30.73.70
    SNMP Port: 161
    ContextName: public
    UserName: SHA_User
    Authentication Password: AuthPassword

  4. Accessing the agent by using the SNMPv3 protocol with HMAC-MD5 authentication protocol and with CBC-DES privacy protocol (security level: AuthPriv):

    IP Address: 212.30.73.70
    SNMP Port: 161
    ContextName: public
    UserName: MD5_DES_User
    Authentication Password: AuthPassword
    Privacy Password: PrivPassword

  5. Accessing the agent by using the SNMPv3 protocol with HMAC-SHA authentication protocol and with CBC-DES privacy protocol (security level: AuthPriv):

    IP Address: 212.30.73.70
    SNMP Port: 161
    ContextName: public
    UserName: SHA_DES_User
    Authentication Password: AuthPassword
    Privacy Password: PrivPassword

  6. Accessing the agent by using the SNMPv3 protocol with HMAC-MD5 authentication protocol and with CFB-AES-128 privacy protocol (security level: AuthPriv):

    IP Address: 212.30.73.70
    SNMP Port: 161
    ContextName: public
    UserName: MD5_AES128_User
    Authentication Password: AuthMD5-Password
    Privacy Password: PrivAES-Password

  7. Accessing the agent by using the SNMPv3 protocol with HMAC-SHA authentication protocol and with CFB-AES-128 privacy protocol (security level: AuthPriv):

    IP Address: 212.30.73.70
    SNMP Port: 161
    ContextName: public
    UserName: SHA_AES128_User
    Authentication Password: AuthSHA-Password
    Privacy Password: PrivAES-Password